On 1/7/2015 3:05 PM, shawn wilson wrote:
> On Wed, Jan 7, 2015 at 2:40 PM, Jeffrey Goldberg <[email protected]> wrote:
>> On 2015-01-07, at 12:26 PM, Kevin <[email protected]> wrote:
>>> Any company could review it and decide if it's worth using or not.
>>
>> Hi Kevin.
>>
>> Actually that’s a part of my job within the company I work for. I’m the one who
>> can read some of the primary literature in cryptography. Now this makes me
>> unusual, not a lot of companies our size have someone with my skills.
>
> And I'm betting they're Fortune 100. My point is, the company I work
> for does pentesting and has seen so many issues with information that
> people thought was "encrypted" not being "encrypted" and then leaked
> because it was only obfuscated with some base32/64 or w/e and maybe
> rotated by some value or w/e. It's kinda insane what people will do
> instead of using a well vetted crypto library. So I'm fearful that
> we'll stumble across someone using your library by finding some issue
> with it and the client says "well, we encrypted it" and then "well,
> obviously not".
>
> OTOH, people will be people. If you want to keep it available and hope
> that no one uses it in production and that someone reviews it *shrug*.
> If someone uses it vs making their own system, hopefully you're
> smarter than them (probably) and it'll be harder to break than w/e
> they might've done. And it would probably be a good learning exercise
> if an "expert" got back to you with issues.

If you have the fear that some poor soul will fall victim to a breach
because of what I've done, take steps to prove that it is a threat and
put the word out there.
"People will be people..."
And that is exactly what I am saying.
--
Kevin
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography