Re: Truly Trulymail

 
 
Pubkeybreaker
09-02-2010
On Sep 2, 6:03 pm, Ari Silverstein <(E-Mail Removed)> wrote:
> On Thu, 2 Sep 2010 07:20:51 -0700 (PDT), Pubkeybreaker wrote:


> <snip>
> > Oh??? Has RSA Security made its code open source? I'm sure
> > that you can/would/should trust BSAFE for example, even though it is
> > not open source.

>
> > Would you not trust closed-source NIST certified FIPS-140 compliant
> > code?

>
> The open source argument that OS guarantees code safety and proper
> implementation is bullshit. It doesn't.


Which doesn't answer my question.

>
> What it does is allows for peer review, code audit possibilities,
> public timelining, version specifics, public participation by
> suggestion, ideas and added code, and an assortment of other peeks
> under the (code's) covers unavailable with closed source development.


The key word is "allow". OTOH, a company such as RSA Security has a
vested interest in making sure of the correctness of their code --->
They want to stay in business.

Don't you trust RSA to write correct crypto code???


Please note that cryptography never CREATES trust. All it does is
shift it from place to place or person to person. The difficulty is
knowing WHO you can trust.

>
> What's is best (open v.s. closed) is subject to the product being
> delivered in this case encryption, email clientele and the suggestion
> of privacy by Trulymail. There are only two choices and there is no
> doubt in my mind that when encryption is involved, open source
> projects offer more to and for the general public and to and for the
> those developers who offer their products free or not to said public.
>
> Why?
>
> Mainly because developers cannot be trusted. Open source at least
> kicks open the possibility of review.


As I said, you need to know WHO to trust. Let's have a show of hands...
How many here do not trust the experts at Entrust, Certicom, RSA
Security, NTRU, etc. to write correct crypto code????


>
> The best of all worlds is closed source development with entirely
> competent, trusted individuals


Do you think that the experts at the above companies are not to be
trusted?
Or that they are not competent?


> which is why the highest level of
> cryptographic development for the USGov, DoD, DHS and the intertwined
> military-intelligence Agencies happens behind closed doors. Among
> their experts and their contracted experts.


Yep. And some of those contracted experts come from companies
like Entrust etc.

>
> Why does this work? Because they will cut your gonads off and stuff
> them in your mouth while you see your body getting dumped into the
> Potomac whilst suffocating your last breaths.


This last bit is nonsense.



 
Ari Silverstein
09-02-2010
On Thu, 2 Sep 2010 16:00:39 -0700 (PDT), Pubkeybreaker wrote:

> On Sep 2, 6:27 pm, Ari Silverstein <(E-Mail Removed)> wrote:
>> On Thu, 02 Sep 2010 17:13:19 +0100, Mark Murray wrote:
>>>http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx

>>
>>> Pubkeybreaker,

>>
>>> Look carefully at the "PROV_*RSA*_AES".

>>
>>> AES has the keysizes you mention, but RSA can quite easily have
>>> 4096 bits.

>>
>> Does it really matter once you get past 2048? 4096 in private key use
>> is slower than molasses without a truly(mail) lol discernible,
>> practical increase in security.

>
> Uh..... Who do you think you are talking with???
>
> I know this better than (almost) anyone else.


I answered Murray. Read the headers.
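The exchange above argues about whether a 4096-bit RSA key buys anything over 2048 bits given the extra private-key cost. The following is an added example, not code from any poster in the thread, that puts rough numbers on both sides of that trade. It estimates the equivalent-strength "bits of work" from the general number field sieve heuristic L_n[1/3, c] with c = (64/9)^(1/3), the kind of heuristic behind published key-size equivalence tables, and it measures the private-key operation cost directly by timing a full-size modular exponentiation. The constant c and the use of random odd numbers as stand-in moduli (no real RSA keys are generated; only the arithmetic cost matters) are assumptions of the example.

```python
"""
Added example (not from the thread): how much estimated security an RSA
modulus buys versus how much its private-key operation costs, for the
2048-bit vs 4096-bit question argued above.

Security estimate: log2 of the GNFS heuristic running time L_n[1/3, c]
with c = (64/9)^(1/3) ~ 1.923. The constant is an assumption of this
example; treat the result as a rough equivalent-strength figure.

Cost estimate: a private-key operation is one modular exponentiation.
Its cost with schoolbook arithmetic grows roughly with the cube of the
modulus length; this is measured with pow() on constructed random odd
moduli (not real RSA keys, only operand sizes matter for the cost).
"""
import math
import secrets
import time


def gnfs_security_bits(modulus_bits: int, c: float = (64 / 9) ** (1 / 3)) -> float:
    """Approximate log2 of GNFS work for an RSA modulus of the given size."""
    ln_n = modulus_bits * math.log(2)                  # ln(n) for n ~ 2^bits
    ln_ln_n = math.log(ln_n)
    work = c * ln_n ** (1 / 3) * ln_ln_n ** (2 / 3)    # ln of L_n[1/3, c]
    return work / math.log(2)                          # convert to bits


def private_op_seconds(modulus_bits: int, rounds: int = 3) -> float:
    """Best-of-N time for one full-size modular exponentiation.

    The modulus is a constructed random odd number of the requested size,
    not a product of two primes; cost depends only on the operand sizes, so
    this is a fair proxy for an RSA private-key operation without CRT.
    """
    n = secrets.randbits(modulus_bits) | (1 << (modulus_bits - 1)) | 1
    d = secrets.randbits(modulus_bits - 1) | 1          # full-size exponent
    m = secrets.randbelow(n - 1) + 1
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        pow(m, d, n)
        best = min(best, time.perf_counter() - start)
    return best


def compare(bits_small: int = 2048, bits_large: int = 4096) -> dict:
    """Security gain versus cost multiplier when moving between two sizes."""
    small_sec = gnfs_security_bits(bits_small)
    large_sec = gnfs_security_bits(bits_large)
    t_small = private_op_seconds(bits_small)
    t_large = private_op_seconds(bits_large)
    return {
        "security_bits_small": round(small_sec, 1),
        "security_bits_large": round(large_sec, 1),
        "extra_security_bits": round(large_sec - small_sec, 1),
        "private_op_cost_ratio": round(t_large / t_small, 1),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Under this heuristic 2048 bits lands near 117 bits of work and 4096 bits near 156, a gain of roughly 40 bits, while the private-key operation comes out several times slower (doubling the exponent length and the multiplication cost). Whether that trade is worth making depends on how long the protected data must stay confidential, which is the question a practitioner should ask rather than picking the larger number by default.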
 
Ari Silverstein
09-02-2010
On Thu, 2 Sep 2010 15:57:50 -0700 (PDT), Pubkeybreaker wrote:

> On Sep 2, 6:03 pm, Ari Silverstein <(E-Mail Removed)> wrote:
>
>> The best of all worlds is closed source development with entirely
>> competent, trusted individuals which is why the highest level of
>> cryptographic development for the USGov, DoD, DHS and the intertwined
>> military-intelligence Agencies happens behind closed doors. Among
>> their experts and their contracted experts.

>
> And what do you think it is that I do?


Pick your nose?

Why don't you tell us then we won't have to guess?
 
Ari Silverstein
09-03-2010
On Thu, 2 Sep 2010 16:27:09 -0700 (PDT), Pubkeybreaker wrote:

> On Sep 2, 6:03 pm, Ari Silverstein <(E-Mail Removed)> wrote:
>> On Thu, 2 Sep 2010 07:20:51 -0700 (PDT), Pubkeybreaker wrote:

>
>> <snip>
>>> Oh??? Has RSA Security made its code open source? I'm sure
>>> that you can/would/should trust BSAFE for example, even though it is
>>> not open source.

>>
>>> Would you not trust closed-source NIST certified FIPS-140 compliant
>>> code?

>>
>> The open source argument that OS guarantees code safety and proper
>> implementation is bullshit. It doesn't.

>
> Which doesn't answer my question.
>
>>
>> What it does is allows for peer review, code audit possibilities,
>> public timelining, version specifics, public participation by
>> suggestion, ideas and added code, and an assortment of other peeks
>> under the (code's) covers unavailable with closed source development.

>
> The key word is "allow". OTOH, a company such as RSA Security has a
> vested interest in making sure of the correctness of their code --->
> They want to stay in business.
>
> Don't you trust RSA to write correct crypto code???


As much as I do most, yes.

> Please note that cryptography never CREATES trust. All it does is
> shift it from place to place or person to person. The difficulty is
> knowing WHO you can trust.


Obviously, just as I posted.

>> The best of all worlds is closed source development with entirely
>> competent, trusted individuals

>
> Do you think that the experts at the above companies are not to be
> trusted?
> Or that they are not competent?


I didn't find any of them necessarily untrustworthy.

>> which is why the highest level of
>> cryptographic development for the USGov, DoD, DHS and the intertwined
>> military-intelligence Agencies happens behind closed doors. Among
>> their experts and their contracted experts.

>
> Yep. And some of those contracted experts come from companies
> like Entrust etc.


???????????

>> Why does this work? Because they will cut your gonads off and stuff
>> them in your mouth while you see your body getting dumped into the
>> Potomac whilst suffocating your last breaths.

>
> This last bit is nonsense.


Ya' think?

And not always.
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702
 
Ari Silverstein
09-03-2010
On Thu, 2 Sep 2010 19:29:09 -0400, Ari Silverstein wrote:

> On Thu, 2 Sep 2010 15:57:50 -0700 (PDT), Pubkeybreaker wrote:
>
>> On Sep 2, 6:03 pm, Ari Silverstein <(E-Mail Removed)> wrote:
>>
>>> The best of all worlds is closed source development with entirely
>>> competent, trusted individuals which is why the highest level of
>>> cryptographic development for the USGov, DoD, DHS and the intertwined
>>> military-intelligence Agencies happens behind closed doors. Among
>>> their experts and their contracted experts.

>>
>> And what do you think it is that I do?

>
> Pick your nose?
>
> Why don't you tell us then we won't have to guess?


Ok, I'll ask again. what is it you do?
 
Joseph Ashwood
09-03-2010
"Mark Murray" <(E-Mail Removed)> wrote in message
news:4c7fcd1f$0$2516$(E-Mail Removed)...
> On 09/02/10 15:48, Pubkeybreaker wrote:


>> If you want your code vetted, you can hire me at $400.00/hr. And I
>> do have both the required software and crypto background.

>
> Based on the above RSA detail missed, are you really worth $400 an hour?


Yes, he really is. He is a world renowned, world recognised, undeniably
brilliant public key researcher with extensive experience in the research
department of RSA Security. If anything $400/hour is not enough for his
level of capability.

This is from someone who has been at odds with him on multiple occasions. I
obviously have great respect for him, and more than once I have recommended
him to my clients.

He is absolutely worth $400 an hour.
Joe

 
Joseph Ashwood
09-03-2010
"TrulyMail Support" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

Let's start at the very beginning: which algorithms do you use exactly?
You've said you use PROV_RSA_AES, but that is just the provider, not the
algorithms.

The problem you are experiencing is that you tick so many checkboxes for
snake oil. You have no experience in cryptography, you have repeatedly
avoided saying what algorithm is used, you have repeatedly stated you won't
disclose the workings, you rely on having experience in a field largely
unrelated to claim security, you have demonstrated a lack of understanding
of the competition (PGP, contrary to your statements, has offered 4096-bit
keys for at least a decade). These are just the very beginning of what needs
to be fixed. When I said you need at least another 10 years in cryptography
before you're ready to release a product I wasn't kidding.
Joe

 
nemo_outis
09-03-2010
"Joseph Ashwood" <(E-Mail Removed)> wrote in
news:zO%fo.98423$(E-Mail Removed):

> Yes, he really is. He is a world renowned, world
> recognised, undeniably brilliant public key researcher with
> extensive experience in the research department of RSA
> Security. If anything $400/hour is not enough for his level
> of capability.


Yep, everyone knows Bob Silverman's rep.

Regards,
 
Ari Silverstein
09-03-2010
On Thu, 2 Sep 2010 22:29:02 -0700, Joseph Ashwood wrote:

> "Mark Murray" <(E-Mail Removed)> wrote in message
> news:4c7fcd1f$0$2516$(E-Mail Removed)...
>> On 09/02/10 15:48, Pubkeybreaker wrote:

>
>>> If you want your code vetted, you can hire me at $400.00/hr. And I
>>> do have both the required software and crypto background.

>>
>> Based on the above RSA detail missed, are you really worth $400 an hour?

>
> Yes, he really is. He is a world renowned, world recognised, undeniably
> brilliant public key researcher with extensive experience in the research
> department of RSA Security. If anything $400/hour is not enough for his
> level of capability.
>
> This is from someone who has been at odds with him on multiple occasions. I
> obviously have great respect for him, and more than once I have recommended
> him to my clients.
>
> He is absolutely worth $400 an hour.
> Joe


Damn, Joe, he'd better get $400/hr to pay you for this extra-glorious
endorsement.

I kid.

But you might give him a few lessons in following Usenet conversations
(who replied to whom) and using a newsreader, dumping Google Groups.

I don't kid.
--
"Looking Above and Beyond the Ramp: A Study of Buffalo Students'
Attitudes toward Alternative Modes of Transportation"
 
Ari Silverstein
09-03-2010
On Fri, 03 Sep 2010 05:56:36 GMT, nemo_outis wrote:

> "Joseph Ashwood" <(E-Mail Removed)> wrote in
> news:zO%fo.98423$(E-Mail Removed):
>
>> Yes, he really is. He is a world renowned, world
>> recognised, undeniably brilliant public key researcher with
>> extensive experience in the research department of RSA
>> Security. If anything $400/hour is not enough for his level
>> of capability.

>
> Yep, everyone knows Bob Silverman's rep.
>
> Regards,


http://preview.tinyurl.com/24ts27e
--
"Looking Above and Beyond the Ramp: A Study of Buffalo Students'
Attitudes toward Alternative Modes of Transportation"
 