In message <20020226091914.C691@snowdrop.l8s.co.uk>, David Laight writes:

>> 
>> Re-read my post: sometimes an open-source or openly-documented interface
>> is not preferable.  Hell, sometimes, it's not even legal if you want
>> customers like the NSA, banks, or overseas governments to buy it.
>
>Eh?  Do they still believe in security by obscurity?
>I guess it gives them a warm fuzzy feeling :-)

I can't speak for banks, but I'm quite certain that's not true for NSA 
or (for the cases I'm familiar with) for overseas government.  Remember 
that NSA released a security-enhanced version of Linux -- they have a 
fair number of open source projects going on.  The export issue used to 
be because of the crypto export rules -- but these days, I believe it's 
*easier* to export open source crypto code, since you can point to a 
Web site somewhere as evidence that it's widely available. 

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com