
Cc: Cypherpunks@toad.com

Jean-Francois Avon wrote:
SNAKEOIL ALERT:
- beware of any product that has not been *extensively* peer-reviewed, with *all* the source code made public. Security breaches are *very* easy to overlook and no software should *ever* be used unless it was peer-reviewed.
I'm a bit surprised that I don't see quite as much concern expressed about hardware. If security is the goal, isn't HW part of the chain? Yeah, yeah, I know, there was a blip a while ago about Intel chips, Microsoft kernels and keyboard snooping but it had a depressingly short half-life. Seems to me it would be pretty easy to create rfi on a chip and get products through FCC approval with NSA blessing. Hell, you could probably put a good amount of FLASH on a chip and give the OS a nice safe place to store snooped stuff. The security gaps that could be created in an operating system are as numerous as scoundrels in Parliament.
They try to pursue anybody who violates ITAR in a public way. If I were to walk with a PGP diskette across the border outside Cana-USA, I would be liable under ITAR even if I never wrote a line of software in my life.
Literally true but we all know the analogy of borders and speedbumps...
All the govts have vested interest in disseminating pseudo-strong cryptography. This statement is not paranoia, it is recent and regularly recurring history.
Doesn't this seem to point to the need for products with a CP seal of approval? HW/SW/Tools?

Mike

I think that in the secure communications world I would rather be a wolf amongst sheep in wolfskins than a wolf in sheep's clothing. It would reduce the chances of my hide being nailed to the barn door. What I'm trying to say in a less than literate way is that the issue will only be closed when there are $99 consumer products that implement secure systems.