First poster gets it wrong
> This is the main problem of security through obfuscation.. as there are no external checks for security, security tend to be sloppy at best.
Possibly, but not necessarily. Of course, "roll your own cryptosystem" is to be avoided as a sign of the typical cowboy coder stance.
> If you start shouting "open source" as a mantra, please consider that if everyone knows what you are doing, someone will eventually crack your public system, and chances are he won't tell you....
Possibly, but not necessarily. If everyone knows that I keep my rare pr0n in bank safe 12 at location X, there will still be nobody who can get at it.
> So companies should probably use public and secure algorithms and then, not tell anyone witch ones they are using. That is secure... but illegal (as you must say you are using XXX open source code..)
It's not "illegal", it's breach of contract. And then again, you may just add "contains OpenSSL code licensed by the Apache software foundation", which is sufficient.
The larger problem being of course, that your _code_ is the LEAST problematic aspect of keeping your system secure (how do you "crack" my AES implementation? fat chance here),.