I have encountered my fair share of in-house RC4 implementations from the 90s. Every single one of them was vulnerable in some way. They suffered from all kinds of issues: improper IV initialisation, predictable keystreams, and even partial leakage of plaintext into ciphertext. RC4's deceptively simple specification made it enticing to implement, giving developers a false sense of confidence and security.

As another example, Microsoft Outlook 2003 infamously used CRC32 to "hash" the personal folder (.PST) passwords: <https://www.nirsoft.net/articles/pst_password_bug.html>. Naturally, it was trivial to find a CRC32 checksum collision and open someone else's PST.

Thankfully, the industry has come a long way since then. These days, rolling your own cipher is, quite rightly, considered a red flag!

90's crypto was interesting. They would just use naked RSA and block ciphers. Usually, the team would have one guy who was "smart about crypto" and he was just left to do his thing and after passing functional tests, it was accepted into the product. There was so much fun stuff to break as was it fun to try to prevent people from breaking your stuff.

Why waste 2 seconds of my time making your website have a splash screen?

I know this would be less fun, but given that the key space was only 36^4, why not just run the actual decryption functionality in QText? Like, even if it takes 1 second to decrypt, spin up 32 cores and wait a day. They allude to the idea that checking the key derivation is faster, but I wonder by how much.

(of course, it’s still interesting to read about 90s encryption, so I appreciate that they did it the fun way)

Love this article. Brings back memories of such a simpler time spending way too much time doing exactly this with IDA pro and Bochs (my favorite tool at the time for these sorts of projects). Bochs plus custom plugins equaled some amazing capabilities for real-time dynamic analysis of DOS, bootcode, and other low-level applications.