  #5  
November 23rd 17, 06:08 PM, posted to alt.comp.os.windows-10
Char Jackson
Downgrade to Windows 8

On Wed, 22 Nov 2017 21:03:43 -0500, Paul wrote:

As for key storage, note that you cannot search for
xxxxx-xxxxx-xxxxx-xxxxx-xxxxx in a registry search. Like,
if you had the key in hand, and you were trying to verify
it was stored in the registry. It's actually in an encoded
form. It's not encrypted, just encoded. That is intended to
make it hard to search for. People have written the (trivial)
algo to convert that registry key back into the 25 letters.
So when you use a MagicJellyBean or whatever, it has a
copy of the algo to do the extract. The details of the
algo were posted, so you could eventually track it
down if you're curious. It was just a dumb thing for
MS to do, but it fits into their general approach of
how to design stuff.


I think you just described the concept known as "security through
obscurity". Obfuscation is one of its hallmarks, and MS uses the
approach in many ways.

https://en.wikipedia.org/wiki/Securi...ough_obscurity

"In security engineering, security through obscurity (or security by
obscurity) is the reliance on the secrecy of the design or
implementation as the main method of providing security for a system or
component of a system. A system or component relying on obscurity may
have theoretical or actual security vulnerabilities, but its owners or
designers believe that if the flaws are not known, that will be
sufficient to prevent a successful attack. Security experts have
rejected this view as far back as 1851, and advise that obscurity should
never be the only security mechanism."

Now, contrast that with "security by design".

https://en.wikipedia.org/wiki/Secure_by_design
"Secure by design, in software engineering, means that the software has
been designed from the ground up to be secure. Malicious practices are
taken for granted and care is taken to minimize impact when a security
vulnerability is discovered or on invalid user input."
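
The "encoded, not encrypted" point in the quoted text, as an added example that is not part of the original post or anyone's product code: a keyless base-24 packing hides a key from a plain text search, yet anyone who can read the bytes reverses it with arithmetic alone. The alphabet, the 15-byte length and the offset 52 are assumptions taken from public descriptions of pre-Windows 8 key viewers; the key and the value buffer are constructed samples.

```python
# Added illustration: base-24 packing of a 25-character key into 15 bytes.
# ALPHABET, KEY_LEN and KEY_OFFSET are assumptions from public write-ups of
# pre-Windows 8 key viewers; they are not stated in the post.
ALPHABET = "BCDFGHJKMPQRTVWXY2346789"  # 24 symbols
KEY_OFFSET, KEY_LEN = 52, 15


def encode_key(key: str) -> bytes:
    """Pack 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX' into 15 little-endian bytes."""
    chars = key.replace("-", "")
    if len(chars) != 25:
        raise ValueError("expected 25 key characters")
    n = 0
    for c in chars:
        n = n * 24 + ALPHABET.index(c)  # ValueError on a foreign character
    return n.to_bytes(KEY_LEN, "little")


def decode_key(blob: bytes) -> str:
    """Reverse encode_key: a change of base, with no secret involved."""
    if len(blob) != KEY_LEN:
        raise ValueError("expected a 15-byte field")
    n = int.from_bytes(blob, "little")
    out = []
    for _ in range(25):
        n, r = divmod(n, 24)
        out.append(ALPHABET[r])
    text = "".join(reversed(out))
    return "-".join(text[i:i + 5] for i in range(0, 25, 5))


def naive_search_hits(value: bytes, key: str) -> bool:
    """What a plain text search looks for: the key as ASCII or UTF-16."""
    return key.encode("ascii") in value or key.encode("utf-16-le") in value


# Constructed sample key and constructed binary value (zero padding around it).
SAMPLE_KEY = "BCDFG-HJKMP-QRTVW-XY234-6789B"
SAMPLE_VALUE = bytes(KEY_OFFSET) + encode_key(SAMPLE_KEY) + bytes(97)

if __name__ == "__main__":
    field = SAMPLE_VALUE[KEY_OFFSET:KEY_OFFSET + KEY_LEN]
    print("text search finds key:", naive_search_hits(SAMPLE_VALUE, SAMPLE_KEY))
    print("decoded from bytes:   ", decode_key(field))
```

The practical consequence for a defender is that a stored value like this has to be treated as plaintext: its protection is whatever access control sits on the storage, not the encoding.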

