Ok, Be Afraid if Someone's Got a Voltmeter Hooked to Your CPU
,----[ Quote ]
| Boy, do I hate it when a FLOSS project is
| given a hard time unfairly. I was this
| morning greeted with news from many places
| that OpenSSL, one of the most common FLOSS
| software libraries used for cryptography, was
| somehow "severely vulnerable".
|
| I had a hunch what was going on. I quickly
| downloaded a copy of the academic paper that
| was cited as the sole source for the story
| and read it. As I feared, OpenSSL was getting
| some bad press unfairly. One must really read
| this academic computer science article in the
| context it was written; most commenting about
| this paper probably did not.
|
| First of all, I don't claim to be an expert
| on cryptography, and I think my knowledge
| level to opine on this subject remains
| limited to a little blog post like this and
| nothing more. Between college and graduate
| school, I worked as a system administrator
| focusing on network security. While a
| computer science graduate student, I did take
| two cryptography courses, two theory of
| computation courses, and one class on
| complexity theory[0]. So, when compared to the
| general population I probably am an expert,
| but compared to people who actually work in
| cryptography regularly, I'm clearly a novice.
| However, I suspect many who have hitherto
| opined about this academic article to declare
| this "severe vulnerability" have even less
| knowledge than I do on the subject.
`----
http://ebb.org/bkuhn/blog/2010/03/05/crypto-fear.html
Related:
Open Source Software Institute Announces Release of Updated OpenSSL FIPS Object Module
,----[ Quote ]
| This most recent validated OpenSSL FIPS Object Module is based on version
| 0.9.8 of the OpenSSL cryptographic library and is freely available for
| download through the OSSI website (oss-institute.org). Updated versions of
| OpenSSL FIPS Object Module Security Policy and User Guide will be available
| for download through the OSSI website (oss-institute.org) and may be used and
| reproduced without restriction.
`----
http://www.newswiretoday.com/news/42949/
All systems go for validation of updated OpenSSL module
,----[ Quote ]
| Weathersby says the OSSI has reason to believe the complaints came from
| proprietary vendors hoping to initiate a FUD campaign that would create doubt
| in the minds of government agencies who were considering using OpenSSL as a
| data exchange solution.
`----
http://www.linux.com/feature/119134
,----[ Quote ]
| "After a long and arduous journey that included a suspended validation last
| year .. OpenSSL has regained its FIPS 140-2 validation"
|
| "We called it the FUD campaign," he says. "There were all kinds of
| complaints sent to the CMVP including one about 'Commie code.' .. Silly or
| no, each complaint that's filed really slows down the process."
|
| "the ones they did see often contained redacted, or blacked-out, data about
| who had filed the complaint .. in some cases, proprietary software vendors
| were lodging the complaints."
`----
http://www.linux.com/article.pl?sid=07/02/08/1935232
FCC ignores more than 100 years of wisdom
,----[ Quote ]
| In 1883 French cryptographer Auguste Kerckhoffs published a set of six
| design principles for military encryption systems. The second of these
| principles is generally known today under the observation that security
| through obscurity is not security. The Federal Communications Commission
| (FCC) seems not to have read the history books or to be aware of how its
| sister federal agencies develop security standards....
`----
http://www.infoworld.nl/idgns/bericht.phtml?id=002570DE00740E1800257313005EC092
The FCC, FOSS, and software radios: a mixed bag
,----[ Quote ]
| After studying the new rules -- published in the Federal Register last month
| and taking effect today -- the SFLC concluded that the laws are not
| FOSS-restrictive because they "apply to hardware manufacturers who distribute
| SDR devices, regardless if they use FOSS in them or not." And the Center says
| that since the rules specifically mention the GNU/Linux operating system, the
| FCC is actually acknowledging the importance of open source.
`----
http://www.linux.com/feature/116769