Ubuntu Forums - FYI

Kent Borg kentborg at borg.org
Mon Dec 23 21:04:31 UTC 2013

Back in July Sajan Parikh was horrified that I might doubt the 
quality/integrity/competence of commercial crypto software.

Now we learn that RSA put in an NSA backdoor for $10,000,000, and that 
the NSA had a budget for this kind of compromise of $250,000,000.

Where did the rest of the money go?

Open source crypto is not guaranteed to be better, but it as a chance. 
It is tricky to put a backdoor in open source software, someone might 
see it.  And if the NSA wanted to bribe someone to put in a backdoor, it 
is sometimes tricky to know whom to pay off.


On 07/24/2013 09:36 AM, Sajan Parikh wrote:
> On 07/24/2013 07:47 AM, Kent Borg wrote:
>> AES is probably really good.  But if I slap an "AES!" sticker on my
>> product, it doesn't mean my product is any good.  I might be a cheat and
>> a liar, or I might be incompetent with cryptography.  Why should you
>> trust my close-source product?
> You're actually implying right now that LastPass is lying about how 
> they are storing things, and are just 'slapping a sticker' on it?
> How can we ever have a genuine discussion on the practical use of the 
> internet, if you're going to hold that position?
> We quite literally went from me advocating the use of LastPass by the 
> general public, to mitigate the damage of these types of (predictable) 
> breaches, to you and Patrick going on about how either LastPass is 
> lying, or working with the Government with a secret backdoor to all 
> your passwords.
> I think we both realize that discussion has nowhere to go.
> I'll be clearer this time, so as not to seem selfish.  I'm not telling 
> anyone to shut up, but I'll remove myself from this thread unless 
> directly responded to.
>> Before uploading a master key database to some kinda open internet
>> backup, I super-encypt with a gpg (which does get a lot of review).
>> Using a different key for the gpg step.  I now I have a file which is as
>> good as it's *strongest* link, not weakest.
> You 'super-encrypt', eh?

More information about the ubuntu-users mailing list