21 December 2010

Security Hoot

A2 sends in response to CLSID Shit Lists:

*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***

Bluntly as someone who has read Cryptome since within a year of it's
birth, whomever A. (anonymous) is - he's a complete moron.

And I do mean COMPLETE AND UTTER moron who should not be allowed to
handle something as simple as a butter knife.

While SOME of the Class ID's he's talking about can be nefarious, MANY
of them (example CAPICOM) will only screw the owner/user if "bleached"

"bleached" - LOL - someone should have bleached his family gene pool
before he was born for Christ's sakes - what a term.

FWIW, CAPICOM is another (simpler) interface to..

The Microsoft Cryptographic API (aka CryptoAPI or CAPI) which is used to
PROTECT you.  You know - things like software signing and web
certificates - stuff like that.

(As well as (on Vista+) making some decent (pseudo) random numbers on
request.)

CAPICOM is basically the interface for lazy programmers who are
too incompetent to learn the correct and full CAPI specification

Or not smart enough to dig UNDER CAPI to the real base functions.

(I.E. to get a pseudo random number - you can make a handful of
  calls to Crypto API, or one call to "SystemFunction036" in
  the advapi.dll - if you feed that thru AES w/ a random key
  and then thru RC4dropN (N=3072) you get some pretty damn decent
  pseudo randoms to keep the bad guys out. - at least Fermi Labs
  ent tool says they are decent per entropy and Chi-square tests)

If you've ever used a smartcard or a GnuPG card, or a German Privacy
Foundation USB token - likely you've benefitted from CryptoAPI or
CAPICOM.

BTW - since I've been reading Cryptome since (almost) the beginning,
I'm going to ask - what the hell has happened to IT and YOU?

At the beginning it was about Cryptography for the most part, and
a very enlightening read.

As you may have noticed - I have a penchant for Cryptography and
also Cryptanalysis.

(I also designed a nuclear weapon in High School - but that's entirely
 another story)

Now it's become political bitterness and bullshit.

What was it?  Bush II getting elected?

Is it a case of "Bush Derangement Syndrome"?

The timing seems about right.

Yes, Governments do shady shit - ALL GOVERNMENTS.

From attempts at key escrow to warrantless wiretapping to waterboarding.

Then again - if it were my 2y/o son whose life was on the line, you can
be sure that waterboarding, 110v to the testicles, torturing family
members and outright murder would all be on the menu - w/o remorse.

Even further - I'm betting if it were YOUR family member at risk your
pacifist horseshit would go right out the window.

It's funny when it gets personal.

So they all do shady shit - and you're never going to stop it.

We get it - only a fool wouldn't get it.

If I wanted to read "Trowbridge Ford" level conspiracy lunacy,
I'd just read infowars and Alex Jones.

xxxxxxxxxxxx

(Not anonymous - you can Google me ;)

PS: It's a testament to the ineptitude of our government that Julian
    Assange is still breathing.


*** END PGP DECRYPTED/VERIFIED MESSAGE ***

Cryptome: Advocacy of the virtues of strong crypto is hard to do with a clean conscience after seeing how it is used to dupe and delude the public about security. It is not only governments which practice that deception, inventors, producers, contractors, institutions and individuals undergird the illusion of security and profit by it.

Hooting is not bitterness. The truth of hooting is deeply offensive to those who lie for a living -- Descartes an apostate to the Church of St Peter. There is slight chance that the liars are too ignorant to know they lie, close to zero. Long-term lying eventually turns into the certainty of righteousness, blind-faith. Righteousness leads to "legal" murder of disbelievers, call that the "just war" of the faith-blinded who forever try to cover-up the financial rewards of sending young faithful to be killed and maimed. So too the crypto marketeers.

Crypto is always criminally abused, like networks and systems are abused by administrators. Hoot it, use it at your peril.

Whenever Cryptome posts a crypto-security caution, "spreading FUD" is the formulaic comeback of faith peddlers. "Strong crypto" once was argued as an impossibility, now it is a sales gimmick. Worse than that is the promulgation of the notion that inept user-implementation of crypto is its weakness. Hoot this, blaming the victim.

Hoot, also, the latest cybersecurity notion that 24x7 staff is needed for security, that no system unattended can provide it. NSA and other TLAs worldwide are pushing that profitable notion along with their thousands of contractors, researchers, wizards, and, lo and behold, critics. Critics are complicit security-stakeholders, forever crying threat. Well, except Cryptome, its name derived from the crypto-hustle once ignorantly upbeat now hooting of the lessons-learned from cybersecurity FUD-masters.