< 2 cents>
Oh well, we can't stop the government from snooping, can we? So I'm just glad those programmers in Finland and at Google announced what everyone has been
suspecting for a long time .... that 128 bit encryption has been broken by the government..
Of course, people always have the right to setup their own stronger encryption systems. As a matter of fact, it is now recomended that all encryptions be done on a separate computer, which has never been connected to the internet. Then, transfer the already encrypted file to a networked computer for sending.
A common sense precaution, it would seem to me, if privacy is an issue for you.
I really don't know who wrote the SSL library with the bug, but with all the geniuses
at Cat Tech and MIT, they couldn't get a decent team together for this important task? I wonder is BSD or FreeBSD affected by this, and I ask because supposedly they were developed by the University of California at Berkeley, under the supervision of qualified professors.
Like I said, it really dosn't matter. They probably have drones now that can silently
hover over your office and record your keystrokes thru the square wave pulses they generate.
Not to go too far off topic on this, but from what has been going on in the news lately, regarding the government forcing coders into placing backdoors in their software, or be put out of business. I speak of course of that man who had some public key software system going, who closed his company rather than comply.
So it seems that if you really do have an unbreakable system, the government shuts
you down.
Another example, is about 15 years ago, some college professor came up with
realtime matrix-on-a-chip system, which worked so well to scramble audio, they shut him down.
So.... there does seem to be historical precedense to the fact that the government allows you to encrypt only with tools they can break. It sort of looks obvious to me, and I find it pathetic that they charge the supposedly best coders with sheer incompetence. But that is just my opinion. Like I said, they probably don't care now, as drones can collect better intelligence. Just my 2 cents.
</2cents>
| [reply] |
To be clear, the heartbleed bug has nothing to do with key size directly. It has to do with using an internal allocator with a buggy LIFO rather than the system malloc() and then trusting user input over calculable data. The only thing that might help with having a longer key is that it might be slightly less likely to fit into the problem memory read into past the end of working data, but multiple 64k chunks could be read back by exploiting this bug.
| [reply] |
To be clear Thanks for explaining that. My point about people suspecting 128 bit encryption being cracked was misleading. Using the term cracked connotes that the government had a mathematically fast way to get decryption without the private key. In that case, the larger the key size would matter.
However, as one security expert says, there are more than one way to crack an encryption system. In this case, the government lucked out, and some bad code
allowed it to appear they mathematically cracked the encryption, with quantuum computing or whatever. Where in actuality, they were sneaky key-thiefs.
While listening to a panel discussion on security on the radio, a panel which included the man wrote wrote PgP, Phil himself; someone asked if the current versions of public key encryption was mathematically sound. They all said yes, but when asked if any of them had been approached by the government for assistence
in hacking their programs, they declined to answer. That silence tells alot.
| [reply] |