Ed Felten posted about an amusing development in Holland. The Dutch spent US $2 billion — if you’re European, a billion’s a milliard — developing a proximity card billing system for their public transit. These Dutch OV Chipkaart cards come in two flavors: disposable paper, and more permanent plastic.

Amusingly, the disposable cards use no cryptography and are not checked against a central system, which means they can be trivially rewound to “fully funded” status. It’s the plastic cards, however, that are hilarious. They use crypto — with a proprietary algorithm and a 48-bit key. It’s a one-two joygasm of idiocy, and the algorithm was promptly deduced then broken by researchers.

Modern cryptography is governed by a 19th century principle called Kerckhoffs’ law, which states that a key should be the only secret about a cryptosystem, while its design remains fully open. Put differently, unless you’re the NSA, you’re not smart enough to invent a cryptosystem and assure yourself it’s any good without submitting it for review by the public crypto community.

Speculation soon began on Perry Metzger’s cryptography mailing list as to the cause of the Dutch transgression, and I opined that:

I’m beginning to suspect that more often than not, this nonsense is a result of market forces rather than idiot technologists. In my experience, senior decision-maker types outside of the computer industry (and even within it, but perhaps a tad less so) are sufficiently non-technical as to never have heard of Kerckhoffs’ principle, and to disbelieve it when they do, since it opposes their intuition of what makes for secure systems. Various companies — or departments — then emerge peddling their home-grown crypto and trumpeting the fact that it’s proprietary as a feature, commonly going hand in hand with stupidly large key sizes.

Some number of these muppets approached me over the last couple of years offering to donate a free license for their excellent products. I used to be more polite about it, but nowadays I ask that they Google the famous Gutmann Sound Wave Therapy and mail me afterwards.

I’ve never heard back.

In 2003, you see, Peter Gutmann analyzed the security of various Linux VPN solutions, and found more problems than he could count. Though employing an unsettling mental image (be warned), the last paragraph of his analysis had me chuckling ever since. Five years later, I coined the term Gutmann Sound Wave Therapy to refer to this particular form of programmer edification. Quoth Perry Metzger:

I hope that the term “Gutmann Soundwave Therapy” spreads widely within our field as a way of ridiculing the desire to invent your own crypto algorithms and protocols. When it gets to the point where salesmen are vaguely aware of the phrase and fear it, we will know we have done our job successfully.

I would have let it end there, but Hayden Stainsby took up his brush and easel — and immortalized the term in a device every software company should acquire. Click on the image for the hi-res version. For your closing dose of irony, note Kerckhoffs was Dutch.