"If you're encrypting a file, then the obvious, elegant thing to do is to use position in the file as your counter. But then the moment you encrypt two files using the same key, you're screwed: you've just committed the equivalent of reusing a one-time pad."

"If "don't overfill a buffer" is an easy prescription that cost industry $4+bn USD, it's hard to imagine how unlikely it is people can avoid screwing up "don't reuse anything"."

For example, Office binary formats' RC4 encryption did almost everything right (ok, they did reuse the salt/IV on saves, but that is an implementation problem easily fixed and has been in Office 2007), except that they decided to use it block by block starting RC4 over each time. They did mix in a block number into the key, but here is the major mistake they made in the Word/Excel version: They decided to always start it at zero at the beginning of each stream, and did not mix in the name of the stream! Can you say keystream reuse?

I got all this by just reading the public Office file format docs. For example:

http://msdn.microsoft.com/en-us/library/dd946845%28v=office.12%29.aspx

Challenge: Reading the docs, can you find all the places where the block number is reset to zero causing keystream reuse (even PowerPoint have them!)?