Robert Moskowitz wrote:
>
> On 01/09/2014 05:15 PM, Les Mikesell wrote:
>> On Thu, Jan 9, 2014 at 3:55 PM, John R Pierce <pierce at hogranch.com>
>> wrote:
>>> On 1/9/2014 1:27 PM, Kanwar Ranbir Sandhu wrote:
>>>> I think everyone should assume the entire ecosystem is compromised and
>>>> shouldn't trust anything. Code should be reviewed and bugs/weaknesses
>>>> removed IMMEDIATELY. The problem is obviously not everyone is a
>>>> programmer and not everyone will have the knowledge to understand how
>>>> to fix/improve the security issues. Of course, some software is still
>>>> good, but who's going to verify that and when? If you don't use free
>>>> software, you're a goner because now you have no ability whatsoever to
>>>> audit the code!
>>> I've programmed for 40 years, and I don't understand encryption
>>> algorithms nor can I evaluate their strengths and weaknesses. I know
>>> very few programmers who can. None personally, in fact.
>> I always just assumed that blowfish was good precisely because it
>> wasn't the one that was recommended/promoted by the groups likely to
>> be compromised. But, I try to stay out of politics so I don't worry
>> much about keeping secrets anyway.
>
> Bruce's twofish was better; it was his AES submission.

Ah, thanks, Rob, I was about to post that Bruce had recommended something
better than his old Blowfish (and yes, I've some small acquaintance with
Bruce - via GT).

mark