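#!/usr/bin/perl -T
#
# Snake Oil Gauge: a self-submitting CGI form that scores a crypto
# product's "snake oil" warning signs from twelve fixed-choice answers
# (E1..E4, A1..A4, K1, K3, K4, EX1) and prints a 0-100 gauge reading.
#
# NOTE(review): the HTML markup that originally lived inside the heredocs
# below (page structure, the form controls that post E1..EX1 with the
# values "Yes", "No", "Not Sure" and "Not Applicable", and the links) is
# not present in this copy of the file -- only the visible text survived.
# The heredoc bodies reproduce that text as-is; restore the markup from
# the original before deploying.
#
# Runs under taint mode (-T). Request data is never untainted, and it does
# not need to be: every parameter is only ever compared against fixed
# strings, and nothing derived from the request reaches a shell, a file
# name or the response except the numeric gauge reading.

use strict;
use warnings;
use CGI qw(:all);   # imports param() and friends into this namespace.
                    # Convenient for a script this size; for anything
                    # larger prefer an explicit CGI object ($cgi->param)
                    # so it stays obvious where param() comes from.

# Environment hygiene required under -T (see perlsec): a fixed PATH and
# no shell-influencing variables inherited from the web server.
$ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
$ENV{IFS}  = '';
delete @ENV{qw(CDPATH ENV BASH_ENV)};

$| = 1;             # unbuffered output

# Hand-written header; CGI.pm's header() would produce the same thing.
print "Content-type: text/html\n\n";

# Fields that must be present in a submission. K2 (key length) was
# removed from the form and from the scoring, so it is not required.
my @required = qw(E1 E2 E3 E4 A1 A2 A3 A4 K1 K3 K4 EX1);

# Score adjustments per answer, applied to a starting score of 100 and
# halved at the end. Positive = more oily, negative = less oily. Answers
# not listed for a field (e.g. "Not Applicable" on E1) contribute nothing.
# E2 is handled separately because it only counts when E1 is "Yes".
my %weight = (
    E1  => { Yes => 3,   No => -3,
             # NOTE(review): every other "Not Sure" answer raises the
             # score; -5 here looks like a sign error -- confirm with the
             # author before changing, it is preserved as written.
             'Not Sure' => -5 },
    E3  => { Yes => 5,   No => -5,  'Not Sure' => 5 },
    E4  => { Yes => 5,   No => -5 },
    A1  => { Yes => -5,  No => 5,   'Not Sure' => 5 },
    A2  => { Yes => -3,  No => 3,   'Not Sure' => 3 },
    A3  => { Yes => -10, No => 10,  'Not Sure' => 10 },
    A4  => { Yes => 7,   No => 0,   'Not Sure' => 5 },
    K1  => { Yes => -7,  No => 7 },
    K3  => { Yes => -10, No => 10,  'Not Sure' => 10, 'Not Applicable' => 0 },
    K4  => { Yes => -10, No => 10,  'Not Sure' => 10, 'Not Applicable' => 0 },
    # Exportability carries the largest single weight in the table; the
    # 1997 date on this file suggests it stood in for "deliberately
    # weakened" under the US export rules of the time -- treat as dated.
    EX1 => { Yes => 30,  No => -10 },
);

# CONTENT_LENGTH is supplied by the client. It is used only as a "was a
# form submitted?" test and for nothing else. The original wrote
# `! $ENV{CONTENT_LENGTH} > 0`, which parses as `(!$x) > 0`; that happened
# to behave, but it does not say what it means.
my $content_length = $ENV{CONTENT_LENGTH} || 0;
if ($content_length <= 0) {
    # Original hit, not a submission: send the form, which posts to itself.
    print <<"EOD";
Snake Oil Gauge

Snake Oil Gauge

Welcome to the Snake Oil Gauge! The form below will take you through a series of questions that you can answer about your crypto product. After submitting the form, you will get back a numeric value between 0 and 100. The lower the number, the better your crypto sounds. If your number is heading up toward the high end of the scale, it just might be time to change your snake oil!

Also be sure to see the About the Snake Oil Gauge page for appropriate disclaimer information.

Is the plaintext written to disk?
Is anything written to disk (such as temp files, or original cleartext) overwritten, instead of just being "deleted"?
Does the operating system support "swapping" or "virtual memory"?
Is the operating system multiuser?
Have the algorithm(s) been disclosed publicly?
Are technotes available on the implementation?
Is the source code available?
Has the algorithm been modified in this implementation?
Are the keys generated on the fly by the user?
Do all of the possible keys have an equal possibility of being chosen?
Are passphrases from the users hashed (as opposed to being used directly)?
Is the product generally exportable from the US?

C Matthew Curtin
Last modified: Sat May 31 21:11:03 EDT 1997
EOD
    exit 0;
}

# Collect the answers and count "Not Sure" responses. Values stay tainted
# on purpose: they are only ever compared with eq below.
my %answer;
my $not_sure = 0;
for my $key (param()) {
    $answer{$key} = param($key);    # scalar context: first value only
    $not_sure++ if $answer{$key} eq 'Not Sure';
    if ($not_sure >= 4) {
        PrintError("maybe you better go find answers to all of your 'not sure' responses? or...");
    }
}

# Every required field must carry a non-empty value.
for my $field (@required) {
    next if defined $answer{$field} && $answer{$field} ne '';
    PrintError("incomplete checklist [all checkboxes must be filled]");
}

# Nothing is untainted here and nothing needs to be: the answers are used
# only as lookup keys against the fixed table above.
my $flag = 100;
for my $field (sort keys %weight) {
    my $delta = $weight{$field}{ $answer{$field} };
    $flag += $delta if defined $delta;
}

# E2 (is what hits disk overwritten?) only matters when E1 says the
# plaintext is written to disk at all; "Not Applicable" adds nothing.
if ($answer{E1} eq 'Yes') {
    my %e2_weight = (Yes => -3, No => 3, 'Not Sure' => 5);
    my $delta = $e2_weight{ $answer{E2} };
    $flag += $delta if defined $delta;
}

$flag = $flag / 2;    # bring the raw total into the 0-100 range

# Verdict bands on the halved score; with exactly three "Not Sure"
# answers (four already errored out above) the middle bands nudge the
# user to go find the missing facts instead.
my $rating;
if ($flag < 25) {
    $rating = "It's a keeper!";
}
elsif ($flag < 50) {
    $rating = $not_sure >= 3
        ? "Answer some o' them 'not sure' questions...you may have a winner"
        : "Deserving of further investigation";
}
elsif ($flag < 75) {
    $rating = $not_sure >= 3
        ? "A bit weak in the knees, fill in some more details and try again?"
        : "Pretty oily";
}
else {
    $rating = "Slippery and slimey -- Time for a Snake Oil Change!";
}

# Results page. $flag is numeric and $rating is one of the fixed strings
# above, so nothing request-controlled is interpolated into the page.
print <<"EOH";
Snake_oil analysis

Snake-Oil analysis

Oil Gauge: 0-100
0=best (lowest number of warning flags)
100=worst (highest number of warning flags)

Oil Gauge reads: $flag

Survey says... $rating

Do not use this checklist as the sole method of rating crypto/security products! Also be sure to see the About the Snake Oil Gauge page for appropriate disclaimer information.

Snake-Oil FAQ | perl | cmcurtin | interhack
EOH
exit;

# Print an error page and exit. Takes the message as its single argument
# rather than relying on a global, so it can be reused as-is.
#
# The original read `my $reason = @_;`, which evaluates @_ in scalar
# context and so printed the argument COUNT ("Sorry, 1") instead of the
# message; list assignment fixes that.
sub PrintError {
    my ($reason) = @_;

    # Every caller today passes a constant string. Escaping it anyway
    # costs nothing and keeps this page safe should a future caller hand
    # it request data (CGI::escapeHTML ships with the CGI module already
    # loaded above; fully qualified so it does not depend on the import list).
    my $safe_reason = CGI::escapeHTML($reason);

    print <<"EOH";
Error

Error

Sorry, $safe_reason

...go back and try again?
EOH
    exit;
}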