Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones

[Dale <rdalek1967@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2872 bytes --]

Mick wrote:
> On Friday 18 Apr 2014 19:08:21 Dale wrote:
>> I'm a little vague on some things but it seems the claim was that NSA
>> had some sort of backdoor that was built in from the beginning of the
>> project for encryption which sounded like it would include httpS and
>> others.  Again, the details are fuzzy.  I would say that I need to
>> bookmark this sort of thing but I already have so many bookmarks that it
>> is very hard to dig through them as it is.  Adding more may be
>> counterproductive, yet again.
>
> I think that you are referring to their Dual_EC_DRBG (Dual Elliptic Curve
> Deterministic Random Bit Generator) which is/was used by RSA Security
(not RSA
> the algorithm developed by Ron Rivest, Adi Shamir and Leonard Adleman).
>
>
http://www.computing.co.uk/ctg/news/2295881/rsa-warns-customers-against-nsa-compromised-security-product#
>
> I don't know if Schneier said, stay away from elliptic curve algos and
use
> symmetric keys instead, because of this.  Others have tried to crack
elliptic
> curves and have not been successful - so one has to tread carefully. 
Given
> the NSA/NIST and big corporates are all in it up to their neck, I
would guess
> that distrusting *everything* they have or could be behind is a healthy
> attitude to take at the moment.  ;-)
>

Well, I just wondered if it was true or not.  If the NSA has some sort
of back hack then encryption to them is meaningless.  Thing is, I don't
know if it is true or not.  I wouldn't be surprised if it is for sure.

I try to keep things as secure as I can and protect myself from the bad
guys but this sort of things makes me wonder if it really does much if
any good.  If companies/governments have backdoor ways to get passed it,
then there is no way to know who else can use that too.  All it takes is
for one employee/contractor with the knowledge to decide to sell out and
then the whole thing is compromised.

Imagine if it were to come out that there is a backdoor key to all the
encryption that is currently in use.  That would really throw a wrench
into the whole internet community.  I just read that yet another store
has been hacked into and customer info stolen here in the USA.  Waiting
to see it from a reputable source before getting to deep into it.

Of recent, I have seriously thought of encrypting my /home partition. 
I'm not a crook but like a guy said once in a TV interview, if a person
looks long enough and hard enough, they will find something then build a
career off building the rest.  There are to many laws for anyone to
really be able to safely say they have never broken the law before.

I thought I read that article on Linux Journal but I can't find it there
so it must have been somewhere else.  < shrugs >

Thanks.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!


[-- Attachment #2: Type: text/html, Size: 3898 bytes --]