On Thu, 2 Sep 2010 07:20:51 -0700 (PDT), Pubkeybreaker wrote:
>> Ari's arguments might not have been expressed in the best of ways (to
>> put it mildly) but he is correct in that you can not trust the
>> cryptography of a closed source application.
>
> Oh??? Has RSA Security made its code open source? I'm sure
> that you can/would/should trust BSAFE for example, even though it is
> not open source.
>
> Would you not trust closed-source NIST certified FIPS-140 compliant
> code?
The open source argument that OS guarantees code safety and proper
implementation is ********. It doesn't.
What it does is allows for peer review, code audit possibilities,
public timelining, version specifics, public participation by
suggestion, ideas and added code, and an assortment of other peeks
under the (code's) covers unavailable with closed source development.
What's is best (open v.s. closed) is subject to the product being
delivered in this case encryption, email clientele and the suggestion
of privacy by Trulymail. There are only two choices and there is no
doubt in my mind that when encryption is involved, open source
projects offer more to and for the general public and to and for the
those developers who offer their products free or not to said public.
Why?
Mainly because developers cannot be trusted. Open source at least
kicks open the possibility of review.
The best of all worlds is closed source development with entirely
competent, trusted individuals which is why the highest level of
cryptographic development for the USGov, DoD, DHS and the intertwined
military-intelligence Agencies happens behind closed doors. Among
their experts and their contracted experts.
Why does this work? Because they will cut your gonads off and stuff
them in your mouth while you see your body getting dumped into the
Potomac whilst suffocating your last breaths.
On Thu, 2 Sep 2010 07:48:21 -0700 (PDT), Pubkeybreaker wrote:
> I trust Microsoft's crypto library (the one who wrote it is a
> colleague and co-author of mine) and would know how to use it.
>
> By your own admission, Trulymail has ZERO crypto knowledge.
> How can anyone trust you to USE Microsoft's library in the correct
> way?
This insurmountable fact cannot be overcome but Trulymail just doesn't
seem to get it. The further they go into this thread, the worse it
becomes for them. It's like watching Jesus hold the hammer and nails
and shouting "Sir, can I have another" all Marine like.
> If you want your code vetted Trulymail; you can hire me at
> $400.00/hr. And I do have both the required software and crypto
> background.
Now here is where the final and unresolvable problem lies for
Trulymail. After watching him/them/whomever he/they/it might be, I
have zero confidence that Trulymail would have the inherent knowledge
and capability to assess the work you would do much less your
credentials to do so.
I'm talking from experience here 2002. It took me to 2003-4 to sort
all of these business matters out and more than a few mistakes along
the way.
Trulymail has been in business since 2008 and look what they have to
show for it in terms of understanding their technologies and backing
their proclamations.
I don't hold much hope, sadly, none at all at this point.
Does it really matter once you get past 2048? 4096 in private key use
is slower than molasses without a truly(mail) lol discernible,
practical increase in security.
On Thu, 02 Sep 2010 15:52:59 GMT, nemo_outis wrote:
> Which is precisely why open-source crypto code is largely
> pointless in terms of a thorough review. The unqualified
> can't do it, and the qualified won't do it.
>
> Not without a fee. In which case, the source might just as
> well be closed.
Not going to argue that open source isn't regularly audited but I can
tell you for an absolute fact that a great deal of open source code is
thoroughly vetted, torn apart and studied by folks with big nasty
attitudes, hyooge computers and nearly limitless budgets and
personnel.
Because they don't call /nemo the nimrod/ up and tell him doesn't
belie the fact that those nasty folks et al are very, very interested
in open source code. Some of that knowledge creeps back to the
developers. Some of the developers are nasty attitude types.
> Moreover, when you're finished your review, why the hell
> should a potential new user place any trust in the quality,
> competence and thoroughness of your review? You (or the
> company that hired you) will be asking the users to "trust"
> you - why should they?
> Why indeed? After all, even if your credentials are
> impressive, your honesty unimpeachable, and your fame
> widespread (and are they?) you're a hired gun with a clear
> conflict of interest. He who pays the piper calls the tune -
> or at least that's a legitimate worry for a potential new
> user. Hell, that question arises even with independent
> certified labs doing FIPS evaluations.
I love how you flip the trust model whichever way it suits your
argument.
You can't trust any code you don't write yourself.
But when assessing who to trust, since you have no other choice but to
trust somebody, you going to pick the company which hides its entire
development, code and all or the one that at least oipens it kimono
and is auditing and reviewing?
Well, people being people have a tendency to trust those companies
that at least make the appearance of respectability whether that
respectability is warranted or not.
Hence, open source, paying for code auditing, etc.
But, again, you knew that...or did you?
> Moreover, the folks at whom TrulyMail is targeted probably
> don't give a flying **** about code reviews even if they were
> done by crypto luminaries like Bruce Schneier. The response
> of an ordinary person to this is likely to be, "Bruce Who?"
> No, the company would likely get better marketing results
> using a frothy endorsement from a chesty blonde bimbo.
The issue isn't sales, nice diversion but Oh sorry, the issue is does
their product meet the standards they themselves claim that it does.
It doesn't and/or they have not allowed any possible way to see that
it might. It won't so their level of credibility is all shot to hell.
If they were selling a replacement to Notepad, who cares? When you are
selling privacy and cryptography and making assertions that you meet
those goals, it makes a hell of a lot of difference.
Ask some poor bloke in Iran who just got his nuts chopped off because
his Trulymail farted into plaintext with the words "assassinate Ali
Khamenei". Far fetched? Who knows who might trust these jokers.
Email privacy and secure commo can be about life and death. Don't ever
forget it.
On Sep 2, 6:03*pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
> The best of all worlds is closed source development with entirely
> competent, trusted individuals which is why the highest level of
> cryptographic development for the USGov, DoD, DHS and the intertwined
> military-intelligence Agencies happens behind closed doors. Among
> their experts and their contracted experts.
On Sep 2, 6:27*pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
> On Thu, 02 Sep 2010 17:13:19 +0100, Mark Murray wrote:
> >http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx
>
> > Pubkeybreaker,
>
> > Look carefully at the "PROV_*RSA*_AES".
>
> > AES has the keysizes you mention, but RSA can quite easily have
> > 4096 bits.
>
> Does it really matter once you get past 2048? 4096 in private key use
> is slower than molasses without a truly(mail) lol discernible,
> practical increase in security.
On Sep 2, 6:03*pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
> On Thu, 2 Sep 2010 07:20:51 -0700 (PDT), Pubkeybreaker wrote:
> <snip>
> > Oh??? * Has RSA Security made its code open source? *I'm sure
> > that you can/would/should trust BSAFE for example, even though it is
> > not open source.
>
> > Would you not trust closed-source NIST certified FIPS-140 compliant
> > code?
>
> The open source argument that OS guarantees code safety and proper
> implementation is ********. It doesn't.
Which doesn't answer my question.
>
> What it does is allows for peer review, code audit possibilities,
> public timelining, version specifics, public participation by
> suggestion, ideas and added code, and an assortment of other peeks
> under the (code's) covers unavailable with closed source development.
The key word is "allow". OTOH, a company such as RSA Security has a
vested interest in making sure of the correctness of their code --->
They want to
stay in business.
Don't you trust RSA to write correct crypto code???
Please note that cryptography never CREATES trust. All it does is
shift it
from place to place or person to person. The difficulty is knowing
WHO you
can trust.,
>
> What's is best (open v.s. closed) is subject to the product being
> delivered in this case encryption, email clientele and the suggestion
> of privacy by Trulymail. There are only two choices and there is no
> doubt in my mind that when encryption is involved, open source
> projects offer more to and for the general public and to and for the
> those developers who offer their products free or not to said public.
>
> Why?
>
> Mainly because developers cannot be trusted. Open source at least
> kicks open the possibility of review.
As I said, you need to know WHO to trust. Let's have a show of
hands...
How many here do not trust the experts at Entrust, Certicom, RSA
Security,
NTRU, etc. to write correct crypto code????
>
> The best of all worlds is closed source development with entirely
> competent, trusted individuals
Do you think that the experts at the above companies are not to be
trusted?
Or that they are not competent?
>which is why the highest level of
> cryptographic development for the USGov, DoD, DHS and the intertwined
> military-intelligence Agencies happens behind closed doors. Among
> their experts and their contracted experts.
Yep. And some of those contracted experts come from companies
like Entrust etc.
>
> Why does this work? Because they will cut your gonads off and stuff
> them in your mouth while you see your body getting dumped into the
> Potomac whilst suffocating your last breaths.
On Thu, 2 Sep 2010 16:00:39 -0700 (PDT), Pubkeybreaker wrote:
> On Sep 2, 6:27*pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>> On Thu, 02 Sep 2010 17:13:19 +0100, Mark Murray wrote:
>>>http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx
>>
>>> Pubkeybreaker,
>>
>>> Look carefully at the "PROV_*RSA*_AES".
>>
>>> AES has the keysizes you mention, but RSA can quite easily have
>>> 4096 bits.
>>
>> Does it really matter once you get past 2048? 4096 in private key use
>> is slower than molasses without a truly(mail) lol discernible,
>> practical increase in security.
>
> Uh..... Who do you think you are talking with???
>
> I know this better than (almost) anyone else.
On Thu, 2 Sep 2010 15:57:50 -0700 (PDT), Pubkeybreaker wrote:
> On Sep 2, 6:03*pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>
>> The best of all worlds is closed source development with entirely
>> competent, trusted individuals which is why the highest level of
>> cryptographic development for the USGov, DoD, DHS and the intertwined
>> military-intelligence Agencies happens behind closed doors. Among
>> their experts and their contracted experts.
>
> And what do you think it is that I do?
Pick your nose?
Why don't you tell us then we won't have to guess?
On Thu, 2 Sep 2010 16:27:09 -0700 (PDT), Pubkeybreaker wrote:
> On Sep 2, 6:03*pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>> On Thu, 2 Sep 2010 07:20:51 -0700 (PDT), Pubkeybreaker wrote:
>
>> <snip>
>>> Oh??? * Has RSA Security made its code open source? *I'm sure
>>> that you can/would/should trust BSAFE for example, even though it is
>>> not open source.
>>
>>> Would you not trust closed-source NIST certified FIPS-140 compliant
>>> code?
>>
>> The open source argument that OS guarantees code safety and proper
>> implementation is ********. It doesn't.
>
> Which doesn't answer my question.
>
>>
>> What it does is allows for peer review, code audit possibilities,
>> public timelining, version specifics, public participation by
>> suggestion, ideas and added code, and an assortment of other peeks
>> under the (code's) covers unavailable with closed source development.
>
> The key word is "allow". OTOH, a company such as RSA Security has a
> vested interest in making sure of the correctness of their code --->
> They want to
> stay in business.
>
> Don't you trust RSA to write correct crypto code???
As much as I do most, yes.
> Please note that cryptography never CREATES trust. All it does is
> shift it
> from place to place or person to person. The difficulty is knowing
> WHO you
> can trust.,
Obviously, just as I posted.
>> The best of all worlds is closed source development with entirely
>> competent, trusted individuals
>
> Do you think that the experts at the above companies are not to be
> trusted?
> Or that they are not competent?
I didn't find any of them necessarily untrustworthy.
>>which is why the highest level of
>> cryptographic development for the USGov, DoD, DHS and the intertwined
>> military-intelligence Agencies happens behind closed doors. Among
>> their experts and their contracted experts.
>
> Yep. And some of those contracted experts come from companies
> like Entrust etc.
???????????
>> Why does this work? Because they will cut your gonads off and stuff
>> them in your mouth while you see your body getting dumped into the
>> Potomac whilst suffocating your last breaths.
>
> This last bit is nonsense.
On Thu, 2 Sep 2010 19:29:09 -0400, Ari Silverstein wrote:
> On Thu, 2 Sep 2010 15:57:50 -0700 (PDT), Pubkeybreaker wrote:
>
>> On Sep 2, 6:03*pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>>
>>> The best of all worlds is closed source development with entirely
>>> competent, trusted individuals which is why the highest level of
>>> cryptographic development for the USGov, DoD, DHS and the intertwined
>>> military-intelligence Agencies happens behind closed doors. Among
>>> their experts and their contracted experts.
>>
>> And what do you think it is that I do?
>
> Pick your nose?
>
> Why don't you tell us then we won't have to guess?
"Mark Murray" <w.h.oami@example.com> wrote in message
news:4c7fcd1f$0$2516$db0fefd9@news.zen.co.uk...
> On 09/02/10 15:48, Pubkeybreaker wrote:
>> If you want your code vetted, you can hire me at $400.00/hr. And I
>> do have both the required software and crypto background.
>
> Based on the above RSA detail missed, are you really worth $400 an hour?
Yes, he really is. He is a world renowned, world recognised, undeniably
brilliant public key researcher with extensive experience in the research
department of RSA Security. If anything $400/hour is not enough for his
level of capability.
This is from someone who has been at odds with him on multiple occassions. I
obviously have great respect for him, and more than once I have recommended
him to my clients.
"TrulyMail Support" <support@trulymail.com> wrote in message
news:4028bb9e-8e87-47e2-b159-8a847c2b8822@u31g2000pru.googlegroups.com...
Lets start at the very beginning, which algorithms do you use exactly?
You've said you use PROV_RSA_AES, but that is just the provider, not the
algorithms.
The problem you are experiencing is that you tick so many checkboxes for
snake oil. You have no experience in cryptography, you have repeatedly
avoided saying what algorithm is used, you have repeatedly stated you won't
disclose the workings, you rely on having experience in a field largely
unrelated to claim security, you have demonstrated a lack of understanding
of the competition (PGP, contrary to your statements, has offered 4096-bit
keys for at least a decade). These are just the very beginning of what needs
to be fixed. When I said you need at least another 10 years in cryptography
before you're ready to release a product I wasn't kidding.
Joe
"Joseph Ashwood" <ashwood@msn.com> wrote in
news:zO%fo.98423$lS1.1998@newsfe12.iad:
> Yes, he really is. He is a world renowned, world
> recognised, undeniably brilliant public key researcher with
> extensive experience in the research department of RSA
> Security. If anything $400/hour is not enough for his level
> of capability.
On Thu, 2 Sep 2010 22:29:02 -0700, Joseph Ashwood wrote:
> "Mark Murray" <w.h.oami@example.com> wrote in message
> news:4c7fcd1f$0$2516$db0fefd9@news.zen.co.uk...
>> On 09/02/10 15:48, Pubkeybreaker wrote:
>
>>> If you want your code vetted, you can hire me at $400.00/hr. And I
>>> do have both the required software and crypto background.
>>
>> Based on the above RSA detail missed, are you really worth $400 an hour?
>
> Yes, he really is. He is a world renowned, world recognised, undeniably
> brilliant public key researcher with extensive experience in the research
> department of RSA Security. If anything $400/hour is not enough for his
> level of capability.
>
> This is from someone who has been at odds with him on multiple occassions. I
> obviously have great respect for him, and more than once I have recommended
> him to my clients.
>
> He is absolutely worth $400 an hour.
> Joe
Damn, Joe, he'd better get $400/hr to pay you for this extra-glorious
endorsement. :)
I kid.
But you might give him a few lessons in following Usenet conversations
(who replied to whom) and using a newsreader, dumping Google Groups.
I don't kid.
--
´Looking Above and Beyond the Ramp: A Study of Buffalo Students˙
Attitudes toward Alternative Modes of Transportation"
On Fri, 03 Sep 2010 05:56:36 GMT, nemo_outis wrote:
> "Joseph Ashwood" <ashwood@msn.com> wrote in
> news:zO%fo.98423$lS1.1998@newsfe12.iad:
>
>> Yes, he really is. He is a world renowned, world
>> recognised, undeniably brilliant public key researcher with
>> extensive experience in the research department of RSA
>> Security. If anything $400/hour is not enough for his level
>> of capability.
>
> Yep, everyone knows Bob Silverman's rep.
>
> Regards,
http://preview.tinyurl.com/24ts27e
--
´Looking Above and Beyond the Ramp: A Study of Buffalo Students˙
Attitudes toward Alternative Modes of Transportation"
Ari Silverstein <AriSilverstein@yahoo.com> wrote in
news:8eanqpFpu6U1@mid.individual.net:
> Not going to argue that open source isn't regularly audited
> but I can tell you for an absolute fact that a great deal
> of open source code is thoroughly vetted, torn apart and
> studied by folks with big nasty attitudes, hyooge computers
> and nearly limitless budgets and personnel.
Who the hell cares if the NSA and such examine open-source
crypto code. If they don't disclose their results it may as
well not have happened as far as anyone else is concerned.
> You can't trust any code you don't write yourself.
You can't trust crypto code you wrote yourself either!
Not unless you are among a handful of experts - less, likely
much less, than one in a million!
>> Moreover, the folks at whom TrulyMail is targeted probably
>> don't give a flying **** about code reviews even if they
>> were done by crypto luminaries like Bruce Schneier. The
>> response of an ordinary person to this is likely to be,
>> "Bruce Who?" No, the company would likely get better
>> marketing results using a frothy endorsement from a chesty
>> blonde bimbo.
>
> The issue isn't sales, nice diversion but Oh sorry, the
> issue is does their product meet the standards they
> themselves claim that it does. It doesn't and/or they have
> not allowed any possible way to see that it might. It won't
> so their level of credibility is all shot to hell.
No, the issue ISN'T whether their product meets the standards
they claim for it. The question is only whether the company
can instil suffient trust in the user, by whatever means, that
he adopts and uses their program.
And that is a marketing problem, NOT a technical cryptography
one. It is your pig-headedness that causes you to completely
misperceive the issue.
The company doesn't have to convince techies and security
asficonados - it only has to convince its potential user base.
By whatever means. That may irk you, but that's the way it
is.
And so such a company - even if it is honest and on the up and
up - needn't invest much effort in trying to convince techies.
As I said before, techies aren't the target market for such a
program.
It's about gaining users' trust - *target* users. And the
plain fact, however annoying it may be to you as an
incompetent, and also to others who are crypto-competent, is
that there are, in general, easier and more effective ways of
gaining that trust than ringing source code endorsements by
experts whom the public doesn't know from Adam (even if those
experts have zillions of scholarly publications and are well-
regarded by their colleagues).
> Email privacy and secure commo can be about life and death.
> Don't ever forget it.
No, the thick-witted jackass, they aren't. Nobody but a fool
would use something like TrulyMail for matters that could get
him in serious trouble, let alone killed. Ordinary folks use
such programs for ordinary purposes like getting a bit better
email privacy - not for leaking nuclear secrets to al Qaeda.
Anyone not a fool who has serious needs takes serious
precautions (isolated cases of Darwin-award morons to the
contrary notwithstanding)
On 02/09/2010 22:26, Pubkeybreaker wrote:
> I miised no detail. I quote what was written:
>
> "PROV_RSA_AES"
>
> This is a bunch of acronyms that have been run together and connected
> by underscores. It is not RSA, I can read, Apparently, you can't.
I googled the documentation of that service.
<quote>
The PROV_RSA_AES provider type supports both digital signatures and data
encryption. It is considered a general purpose cryptographic service
provider (CSP). The RSA public key algorithm is used for all public key
operations.
</quote>
What am I missing?
M
--
Mark "No Nickname" Murray
Notable nebbish, extreme generalist.
On Thu, 2 Sep 2010 22:40:14 -0700, Joseph Ashwood wrote:
> "TrulyMail Support" <support@trulymail.com> wrote in message
> news:4028bb9e-8e87-47e2-b159-8a847c2b8822@u31g2000pru.googlegroups.com...
>
> Lets start at the very beginning, which algorithms do you use exactly?
> You've said you use PROV_RSA_AES, but that is just the provider, not the
> algorithms.
>
> The problem you are experiencing is that you tick so many checkboxes for
> snake oil. You have no experience in cryptography, you have repeatedly
> avoided saying what algorithm is used, you have repeatedly stated you won't
> disclose the workings, you rely on having experience in a field largely
> unrelated to claim security, you have demonstrated a lack of understanding
> of the competition (PGP, contrary to your statements, has offered 4096-bit
> keys for at least a decade). These are just the very beginning of what needs
> to be fixed. When I said you need at least another 10 years in cryptography
> before you're ready to release a product I wasn't kidding.
> Joe
Joe, I wouldn't expect a response from Trulymail, maybe I will be
wrong. If Trulymail responds, there are only two outcomes. More
self-inflicted ruination and heaping amounts of self-inflicted
ruination.
Sitting back and reading once again Trulymail's posts, I firmly
believe that they have created a very simplistic product without a
clue of the critical issues that are inherent in software that
involves cryptography and security much less the irreversibly
dangerous consequences of failure.
Cite: Trulymail showed up on Usenet in the first place.
This doesn't make them any less culpable for their snake oil. It only
buys them a low level of rapidly fleeting sympathy.
Reply With Quote
Bookmarks