Making Us Safe? — Why Now?

Making Us Safe?

So Pam Bondi ran for Florida Attorney General based on being tough on criminals. One of her signature issues was to reduce the time between a defendant being convicted of a crime and sentenced to death and that sentence being carried out. She was going to eliminate all of the ‘unnecessary delays’ caused by defendants getting stays of execution.

Floridians now know that she has added a new justification for a stay of execution: to accommodate her reelection fundraiser.

A man convicted of multiple murders and rapes was given a three-week stay because the execution date would interfere with Ms Bondi’s reelection launch. This is her idea of doing her job.

6 comments

1 Kryten42 { 09.12.13 at 9:11 am }

Well let’s see… She’s a politician, & a repug. Therefore, a hypocrite by definition. So, who could be surprised? And of course the governor jumped at the opportunity. He has an excuse to attend a fund raiser instead of an execution (and has someone to blame, which also proves she’s a poli & a rethug… She’s stupid). *shrug* 😉

OT: I just read one of the few sane and plausible articles about GCHQ & NSA supposedly *breaking* encryption.

Has the NSA really broken “strong” encryption?

About time. 🙂

2 Bryan { 09.12.13 at 4:14 pm }

OT: I’m guessing that they are screwing with the random number generator to reduce the number of possible keys. If there was a central depository not controlled by any government of the public keys and we start seeing duplicates showing up, that will confirm it.

If you only have to look at 100K keys, you can break things quickly.
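The duplicate-key check Bryan sketches, worked through as an added example (not code from this thread or from any real key registry): a toy key generator draws its primes from a deliberately tiny pool, standing in for an RNG whose output space has been reduced, and an audit routine over the resulting corpus of public moduli flags both exact duplicates and the broader symptom of two moduli sharing a prime factor. The pool and the moduli are constructed; real keys use 1024-bit primes, but the audit logic is the same.

```python
"""Audit a corpus of RSA public moduli for the weak-RNG symptom of colliding keys."""
import math
import random
from collections import defaultdict

# Constructed, tiny prime pool standing in for a crippled RNG. Only 8 primes
# means at most 28 distinct moduli, so collisions appear after a few dozen keys.
WEAK_PRIME_POOL = [10007, 10009, 10037, 10039, 10061, 10067, 10069, 10079]


def weak_keygen(rng, pool=WEAK_PRIME_POOL):
    """Return a toy modulus n = p*q built from two distinct primes in the reduced pool."""
    p, q = rng.sample(pool, 2)
    return p * q


def simulate_corpus(num_keys, seed=1):
    """Generate num_keys moduli from the weak generator (seeded, so the run is repeatable)."""
    rng = random.Random(seed)
    return [weak_keygen(rng) for _ in range(num_keys)]


def audit_moduli(moduli):
    """Return (duplicates, shared_factor_pairs) for a list of public moduli.

    duplicates: {modulus: [indices]} for any modulus seen more than once; two
    parties holding the same key is the signal Bryan describes.
    shared_factor_pairs: (n1, n2) pairs of *distinct* moduli with gcd > 1; such
    keys are factorable from public data alone and must be rotated.
    Pairwise gcd is O(n^2) and fine for an audit of this size; a large corpus
    would use a batch-gcd product tree instead.
    """
    seen = defaultdict(list)
    for i, n in enumerate(moduli):
        seen[n].append(i)
    duplicates = {n: idx for n, idx in seen.items() if len(idx) > 1}

    distinct = sorted(seen)  # one representative per modulus value
    shared = []
    for a in range(len(distinct)):
        for b in range(a + 1, len(distinct)):
            if math.gcd(distinct[a], distinct[b]) != 1:
                shared.append((distinct[a], distinct[b]))
    return duplicates, shared


if __name__ == "__main__":
    dups, shared = audit_moduli(simulate_corpus(100))
    print(f"{len(dups)} duplicated moduli, {len(shared)} pairs sharing a factor")
```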

3 Badtux { 09.13.13 at 12:30 am }

I’m thinking more man-in-the-middle attack myself if they’re doing large-scale decrypting of data in transit. All you need is to subvert one of the root key servers (or have a buggy implementation leak key information for a hardware VPN device) and there you go, SSL is plain text as far as they’re concerned at that point. It would surprise me if the NSA has *not* done this, it’s the logical thing to do.

AES, I trust. That algorithm has been vetted to the beyond and back. RSA… well, we’ve had hints of some possible attacks on RSA, but they’re still theoretical at this point because while they reduce the field size slightly, the field size is still far beyond what’s possible to brute force for anything that’s 2048 or 4096 bits. (1024 bits is likely toast though). SSL… there are a few modes that I trust somewhat, but only with pre-shared keys (otherwise it’s man-in-the-middle supreme). Anything closed source — not at all. Not at all. If I can’t see the source code and vet it myself, I presume that it’s toast.

As for random number generators, they’re hard, but not *that* hard. The one built in to the Linux kernel is good. Really good. As in, probably as good as you can get on a deterministic machine. Once the machine has been running long enough to collect sufficient entropy, predicting what it’s going to give you isn’t happening. Unfortunately, that is probably the one and only well vetted PRNG on the planet. Closed-source PRNG’s are likely crap. That’s all the commercial operating systems and all of the hardware VPN devices. Garbage. Useless.

So now you know why my choice of OS for secure operations is a highly hardened Linux, and why I view SSL as pretty much a toy as commonly used. It is possible to securely communicate with SSL. But not in the way that it’s commonly used.

4 Bryan { 09.13.13 at 12:53 am }

The problem I have with SSL is that it is really designed more to identify the URI than secure the communications. What is needed is a neutral depository for public keys that does nothing but deal with those keys and isn’t beholden to any government. That is a hard nut to crack.

Open source is the only way to go, as you know what is going on and don’t have to hope it works the way you need it to work.

I think that the hardware for man-in-the-middle was what they wanted to do to the Lavabit server, which is why he shut down.

The Amazon CIO must be sweating bullets over these revelations. What happens if people get nervous about using credit cards on-line?

For me the big thing is all of the contractors involved. That is a recipe for disaster. No one knows what they may have walked away with because they don’t have reliable audit trails.

5 Badtux { 09.14.13 at 12:35 am }

Did I call it, or did I call it? NSA did a man-in-the-middle attack disguising itself as Google. Apparently put themselves into a CA — the story did not say which one — as Google, then impersonated Google on major backbone routes.

Wow. Thing is, being right does *not* make me feel better in this instance…

6 Bryan { 09.14.13 at 2:30 pm }

Yep, they have blown the CA system to pieces and it will never really be trusted again. The step-by-step will be published on the Dark Side sometime soon, and the script-kiddies will go on a rampage. So much for keeping things secure.

There is no one left who thinks things through. Instead of making progress we have lost a decade in security.

Being right is nice, but the problem is knowing what will happen next…