Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Good and Bad Crypto



john saylor <js0000 at gmail.com> writes:

> On 4/22/14, 14:37 , Edward Ned Harvey (blu) wrote:
>> You're saying, that the only way anybody in the world can trust
>> anything, is to literally download everything from source, *read*
>> all the source, and compile it themselves.
>
> instead of just calling "bs" can you suggest some other means by which
> you can trust crypto software?
>
> if you're not doing this work [source examination and local compile]
> then what are you basing your trust upon?
>
> someone else's word? someone else's audit report? what other means are
> available to you?

There's always FIPS 140 certification:
http://oss-institute.org/latest-news/248-openssl-announces-new-fips-140-2-validation-

But it appears that the testing labs doing that insist that at least
they themselves get to see the source code:
http://www.albany.edu/acc/courses/ia/acc661/sp800-29.pdf

I would agree that my studying all the source code I run isn't
realistic.  (Nonetheless it's nice to daydream about running a system
simple enough where that's almost feasible -- minix? plan 9?)  I've
spent hours here and there this week just trying to read enough X source
to figure out whether I'm right in thinking I need to do the following
to use the security extension or if there's a more direct way and
whether there's a way to mark XVideo as a secure extension. The
documentation isn't very clear about what access you already need before
running xauth generate.

(trusted_user) $ xhost +si:localuser:untrusted_user
(trusted_user) $ su -l untrusted_user -c xterm
(untrusted_user) $ xauth generate :0 . timeout 10000
(trusted_user) $ xhost -si:localuser:untrusted_user
(untrusted_user) $ firefox & mplayer & etc.

Auditing everything I use would be too much time, and I don't have the
skill. It's the wider world I'm counting on, but ideally, it would be a
wider group than a single company's development department or that
company plus a single government test lab. 



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org