[CentOS] Can we trust RedHAt encryption tools?

Thu Jan 9 22:35:20 UTC 2014
m.roth at 5-cent.us <m.roth at 5-cent.us>

Robert Moskowitz wrote:
>
> On 01/09/2014 05:15 PM, Les Mikesell wrote:
>> On Thu, Jan 9, 2014 at 3:55 PM, John R Pierce <pierce at hogranch.com>
>> wrote:
>>> On 1/9/2014 1:27 PM, Kanwar Ranbir Sandhu wrote:
>>>> I think everyone should assume the entire ecosystem is compromised and
>>>> shouldn't trust anything.  Code should be reviewed and bugs/weaknesses
>>>> removed IMMEDIATELY.  The problem is obviously not everyone is a
>>>> programmer and not everyone will have the knowledge to understand how
>>>> to fix/improve the security issues.  Of course, some software is still
>>>> good, but who's going to verify that and when?  If you don't use free
>>>> software, you're a goner because now you have no ability whatsoever to
>>>> audit the code!
>>> I've programmed for 40 years, and I don't understand encryption
>>> algorithms nor can I evaluate their strengths and weaknesses.   I know
>>> very few programmers who can.  None personally, in fact.
>> I always just assumed that blowfish was good precisely because it
>> wasn't the one that was recommended/promoted by the groups likely to
>> be compromised.   But, I try to stay out of politics so I don't worry
>> much about keeping secrets anyway.
>
> Bruce's twofish was better; it was his AES submission.

Ah, thanks, Rob, I was about to post that Bruce had recommended something
better than his old Blowfish (and yes, I've some small acquaintance with
Bruce - via GT).

         mark