On Wed, Dec 15, 2010 at 4:11 AM, Rayservers <supp...@rayservers.com> wrote:
> Moral: never depend on only one network security layer, and write and verify
> your own crypto. Recall Debian and OpenSSL.

A cautionary word about the risks of software monoculture and the importance of diversity and depth of defense for the resilience to security failures is something I share.

That said, I would not recommend that people write their own crypto, as cryptography is hard enough to foster any kind of fault, glitch or defect. In turn, this may lead to incidents that promise to be no less severe than those arising from a backdoor in the OpenBSD IPSec stack, if any.

The security of our software needs the right incentives and sound engineering practices. Our implementations can be only as heterogeneous as interoperability allows them to be - as a matter of fact, in an information economy driven by economics of networks, an inescapable tension exists between benefiting from positive network externalities and addressing the information security risks.

Hence, the claimed backdoor, or a key-leaking mechanism (depending on its exact nature, which we still do not know...), is something that might expose the confidentiality of all our virtual (or virtually) private networks that need to interoperate with OpenBSD, and not only those deploying only OpenBSD machines.

Today, code audit is needed even more than before.

-- 
Alfonso De Gregorio, blogs at http://Plaintext.crypto.lo.gy
BeeWise, Security Event Futures - http://beewise.org/
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography