[News] OpenSSL Very Safe, The Register Plays Dumb

  • From: Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx>
  • Date: Sun, 07 Mar 2010 00:34:25 +0000
  • Followup-to: comp.os.linux.advocacy
  • Newsgroups: comp.os.linux.advocacy
  • User-agent: KNode/4.3.1
Ok, Be Afraid if Someone's Got a Voltmeter Hooked to Your CPU

,----[ Quote ]
| Boy, do I hate it when a FLOSS project is given a hard time unfairly. I was
| this morning greeted with news from many places that OpenSSL, one of the most
| common FLOSS software libraries used for cryptography, was somehow "severely
| vulnerable".
| I had a hunch what was going on. I quickly downloaded a copy of the academic
| paper that was cited as the sole source for the story and read it. As I
| feared, OpenSSL was getting some bad press unfairly. One must really read
| this academic computer science article in the context it was written; most
| commenting about this paper probably did not.
| First of all, I don't claim to be an expert on cryptography, and I think my
| knowledge level to opine on this subject remains limited to a little blog
| post like this and nothing more. Between college and graduate school, I
| worked as a system administrator focusing on network security. While a
| computer science graduate student, I did take two cryptography courses, two
| theory of computation courses, and one class on complexity theory [0]. So,
| when compared to the general population I probably am an expert, but
| compared to people who actually work in cryptography regularly, I'm clearly
| a novice. However, I suspect many who have hitherto opined about this
| academic article to declare this "severe vulnerability" have even less
| knowledge than I do on the subject.


Open Source Software Institute Announces Release of Updated OpenSSL FIPS Object

,----[ Quote ]
| This most recent validated OpenSSL FIPS Object Module is based on version
| 0.9.8 of the OpenSSL cryptographic library and is freely available for
| download through the OSSI website (oss-institute.org). Updated versions of
| OpenSSL FIPS Object Module Security Policy and User Guide will be available
| for download through the OSSI website (oss-institute.org) and may be used and
| reproduced without restriction.


All systems go for validation of updated OpenSSL module

,----[ Quote ]
| Weathersby says the OSSI has reason to believe the complaints came from
| proprietary vendors hoping to initiate a FUD campaign that would create doubt
| in the minds of government agencies who were considering using OpenSSL as a
| data exchange solution.


,----[ Quote ]
| "After a long and arduous journey that included a suspended validation last
| year .. OpenSSL has regained its FIPS 140-2 validation"
| "We called it the FUD campaign," he says. "There were all kinds of
| complaints sent to the CMVP including one about 'Commie code.' .. Silly or
| no, each complaint that's filed really slows down the process."
| "the ones they did see often contained redacted, or blacked-out, data about
| who had filed the complaint .. in some cases, proprietary software vendors
| were lodging the complaints."


FCC ignores more than 100 years of wisdom

,----[ Quote ]
| In 1883 French cryptographer Auguste Kerckhoffs published a set of six
| design principles for military encryption systems. The second of these
| principles is generally known today under the observation that security
| through obscurity is not security. The Federal Communications Commission
| (FCC) seems not to have read the history books or to be aware of how its
| sister federal agencies develop security standards....


The FCC, FOSS, and software radios: a mixed bag

,----[ Quote ]
| After studying the new rules -- published in the Federal Register last month
| and taking effect today -- the SFLC concluded that the laws are not
| FOSS-restrictive because they "apply to hardware manufacturers who distribute
| SDR devices, regardless if they use FOSS in them or not." And the Center says
| that since the rules specifically mention the GNU/Linux operating system, the
| FCC is actually acknowledging the importance of open source.

