[cryptography] QODE(quick offline data encryption)

Kevin kevinsisco61784 at gmail.com
Wed Jan 7 15:12:52 EST 2015

On 1/7/2015 3:05 PM, shawn wilson wrote:
> On Wed, Jan 7, 2015 at 2:40 PM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:
>> On 2015-01-07, at 12:26 PM, Kevin <kevinsisco61784 at gmail.com> wrote:
>>>     Any company could review it and decide if it's worth using or not.
>> Hi Kevin.
>> Actually that’s a part of my job within the company I work for. I’m the one who can read some of the primary literature in cryptography. Now this makes me unusual, not a lot of companies
>> our size have someone with my skills.
> And I'm betting they're Fortune 100. My point is, the company I work
> for does pentesting and have seen so many issues with information that
> people thought was "encrypted" not being "encrypted" and then leaked
> because it was only obfuscated with some base32/64 or w/e and maybe
> rotated by some value or w/e. It's kinda insane what people will do
> instead of using a well vetted crypto library. So I'm fearful that
> we'll stumble across someone using your library by finding some issue
> with it and the client says "well, we encrypted it" and then "well,
> obviously not".
> OTOH, people will be people. If you want to keep it available and hope
> that no one uses it in production and that someone reviews it *shrug*.
> If someone uses it vs making their own system, hopefully you're
> smarter than them (probably) and it'll be harder to break than w/e
> they might've done. And it would probably be a good learning exercise
> if an "expert" got back to you with issues.
If you have the fear that some poor soul will fall victim to a breach 
because of what I've done, take steps to prove that it is a threat and 
put the word out there.
"People will be people..."
And that is exactly what I am saying.

