Forgot your password?
typodupeerror

Comment: Ok that makes sense.. (Score 1) 162

by dubist (#46258073) Attached to: NSA Ally Spied on US Law Firm
Which kind of explains why senior Australian and American politicians have been in Indonesia recently..

Hate to be the Australian Ambassador to Indonesia at the moment..

Rumour has it that the Indonesians regularly send encrypted birthday greetings for Australian operatives so we will probably just end up with another round of mock outrage and contrition from both sides and then it will be back to the cricket..

I think that its a shame Shirley Temple Black is dead because now there is no one to lead a global round of "Good ship lollypop."

Comment: Focus on the host platform. (Score 2) 39

by dubist (#45983989) Attached to: Encrypted Messaging Startup Wickr Offers $100K Bug Bounty
I support the sentiment of these guys but your code is going to be running on a platform that is largely exploitable by most English speaking foreign governments and possibly well funded crooks.

What this means is that no matter how good your software is it will be ultimately rendered useless by going after the host platform and memory.

Also anything that uses a public key exchange is only secure because certain reversals of transformation are 'hard'. There is no universality to hard, what is hard for me may not be hard for you.. Globally governments and crooks seek out and employ people who are good at working with hard.

Then there are all the other sources of issue, like suitable entropy, which is not to be scoffed if something is 20% less random than is should be then that is a huge advantage.

However most of the above is a bit unfair though because they will not be in a position to do much about it but it does need to be considered by the users though.

Comment: Who else are they going to work for.. (Score 1) 464

by dubist (#45751983) Attached to: Reuters: RSA Weakened Encryption For $10M From NSA
Predictable, irritating but understandable.
When the crypto genie really got going was when home computers became fast enough to generate useful enough prime numbers in times that did not upset domestic home users.
Once this occurred the volume of encrypted "I want to lover you [sic]" traffic would start to drown out potentially useful-to-know-about encrypted traffic.
I am not surprised,

Comment: See if you can find some professional help? (Score 1) 6

by dubist (#45678895) Attached to: Ask Slashdot: Cryptographers, Crowdfunding, and Cluelessness!
Have you tried asking about to see if you can get some professional advice on how to promote it..
Given you guys are developers there is probably a whole lot of soft stuff that is being overlooked that could make a difference.
There are bound to be people at the various hubs and co-working spaces in Melbourne like that one in Richmond opposite the train station..
Cheers

+ - Ask Slashdot: Cryptographers, Crowdfunding, and Cluelessness! 6

Submitted by David Hook
David Hook (3460279) writes "About a month ago the producers of the Bouncy Castle Cryptography APIs, the Legion of the Bouncy Castle, became a fully fledged Australian Charity. There were a few motivations for this: it has allowed us to establish a legal entity that formally owns the code base, it has provided us with a more solid framework in which to manage the project (which is now in the process of heading past 500k lines of C# and Java, so it's getting a bit unwieldy!), and it has given us the ability to legally raise money to support work on the APIs. Armed with our new found legal permission, we decided we'd have a go at raising some funds to have a couple of things FIPS certified. It's proving to be a bit of an adventure!

While a lot of people have asked for FIPS over the years, we do realise, in the light of what's happened recently, thinking about FIPS might seem a bit odd. That said, NIST have announced they're trying to reform, and the reality is that FIPS or something like it will be with us for some time to come. While we'd like to say we hope the reform effort goes well, as organisations like NIST if able to do their jobs well are really really useful, we also figure that having Java and C# APIs which was are not only FIPS certified but publically verifiable would be a step in the right direction all round.

There are other issues we are trying to address with this as well, at the moment FIPS still represents a real barrier to organisations and developers trying to build applications which are to talk to Government and other organisations that require FIPS. There has been some success at crossing this barrier with OpenSSL's efforts but it is clear that a few more offerings in the area are really needed. Most of the users of Bouncy Castle would understand that even if FIPS is not required today, some application they're working on in the future may well require FIPS, or a certification related to it. On top of that, a lot of people have invested a lot of time in learning the BC APIs, and it would seem to be to everyone's benefit that they'd be able apply the same knowledge in a FIPS environment as well. From our point of view going through the process might improve our general QA and further ensure that our implementations really are spot on. Of course, we're still going to maintain our regular distributions, so for anyone using the APIs it'll be their decision to be FIPS compliant or not. We are not really interested in telling people what they can and cannot do — we are more an "opportunity creation" type of group.

So just over a week ago, coinciding with our 50th Java release, Charity registration in hand, we decided to launch our fundraiser. Since then we've had 7943 downloads of the various 1.50 artifacts from our main server, and an unknown number from the central maven repostory and our mirror, and we've raised $2,642.34 AUD and 0.004 Bitcoins. I won't mention everything else that's been downloaded as well, but I'm sure you get the idea. While I'd like to thank the people that have donated, it's clearly a bit of a slow start. Obviously we are a bit new at this, and clearly much better programmers than fund raisers!

So, I guess, my scoop is that we are doing a fundraiser, and despite our abilities in the API department and the widespread use of the APIs, we're clearly not doing it very well. It appears almost no one is aware of it! Anyone interested in donating can find the details on the Bouncy Castle website but I would also like to use this opportunity to get some feed back on the whole idea, and what concerns people might have about the changes to how we are now doing things at Bouncy Castle. Some people have suggested that it would be more appropriate for some larger IT companies to be donating, and while we'd certainly appreciate a grand gesture, for us having a broad base of donors is also an important way of maintaining our independence. Having said that, any suggestions about how we might proceed more effectively will also be most welcome and I will follow this track so I can respond to any questions people might have."

+ - Australia's National Broadband Network (NBN) downgraded->

Submitted by RobHart
RobHart (70431) writes "Following election promises to create a "better, cheaper, sooner" NBN, the new Australian government has reneged, announcing instead n NBN to cost $12bn more and take four years longer. The critical change is that the new network is based on Telstra's aging and unreliable copper network rather than fibre to the home as has already been delivered during the NBN roll out to date."
Link to Original Source

Comment: Given the number of users... (Score 1) 1

by dubist (#45668487) Attached to: A tale of Cryptographers and Crowdfunding for dummies.
Hi All, I think the biggest issue is that BC has succeeded to the point where it is just part of the ecosystem and its actual significance is not so readily apparent to the average developer. BC is a genuinely independent cryptographic api. again... BC is a genuinely independent cryptographic api.

+ - A tale of Cryptographers and Crowdfunding for dummies. 1

Submitted by David Hook
David Hook (3460279) writes "About a month ago the producers of the Bouncy Castle Cryptography APIs, the Legion of the Bouncy Castle, became a fully fledged Australian Charity. There were a few motivations for this: it has allowed us to establish a legal entity that formally owns the code base, it has provided us with a more solid framework in which to manage the project (which is now in the process of heading past 500k lines of C# and Java. so it's getting a bit unweildy!), and it has given us the ability to legally raise money to support work on the APIs. So armed with our new found legal permission, we decided we'd have a go at getting some funds to have a couple of things FIPS certified.

While a lot of people have asked for this over the years, we do realise, in the light of what's happened recently, thinking about FIPS might seem a bit odd. That said, NIST have announced they're trying to reform, and we'd really like to show we're supporting the effort, because organisations like NIST, when they can do their jobs well, are really really useful. Besides we figure that having Java and C# APIs which was are not only FIPS certified but publically verifiable would be a step in the right direction all round.

We also figure that FIPS will stay in some fashion, regardless, but the barrier to been able to "talk" to organisations that insist on it will also stay if there are not a few more ways of people being able to use freely available open source solutions to meet the FIPS requirement. Most of the users of Bouncy Castle would understand that even if FIPS is not required today, some application they're working on in the future may well require FIPS, or a certification related to it. A lot of people have invested a lot of time in learning the BC APIs, and it would seem to be to everyone's benefit that they'd be able to use the same knowledge in a FIPS environment as well. I guess we'd also hope it would improve our general QA, as just having to go through the process might help spring clean things a bit, but that remains to be seen. Of course, we're still going to maintain our regular distributions, so for anyone using the APIs it'll be their decision to use FIPS or not.

So about a week ago, coinciding with our 50th Java release, we decided to launch our fundraiser. Since then we've had 5468 downloads of the various 1.50 artifacts from our main server, and an unknown number from the central maven repostory and our mirror, and we've raised $2,642.34 AUD and 0.004 Bitcoins. I won't mention everything else that's been downloaded as well, but I'm sure you get the idea. It's a bit of a slow start, and obviously we are a bit new at this, and clearly much better programmers than fund raisers!

So I guess, my scoop is that we are doing a fundraiser, and despite our abilities in the API department, we're not doing it very well. Anyone interested in donating can find the details at https://www.bouncycastle.org/donate/index.cgi but I would also like to use this opportunity to get some feed back on the whole idea, and what concerns people might have about the changes to how we are now doing things at Bouncy Castle. Some people have suggested that it would be more appropriate for some larger IT companies to be donating, but while we'd certainly appreciate a grand gesture, for us having a broad base of donors is also an important way of maintaining our independence. Having said that, any suggestions about how we might proceed more effectively will also be most welcome."

Comment: Remember who uses NIST crypto transformations (Score 1) 168

by dubist (#45001953) Attached to: Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations
For the record the US government uses the NIST cryptographic transformations as recommended by its own NSA so on a global scale of one to broken they can't be that bad. So for generalist every day encryption they should be fine, if your trying to hide something that might have some sort of national security implications then if your legitimately in possession / generating that kind of information then there will be a different set of protocols and standards to follow. People would shit their pants if the world suddenly turned to using ad-hoc unreviewed transformations because at that point all bets are off, no seriously, all bets are off. Cheers

Comment: For the most part the Oracle stuff works.. (Score 2) 372

by dubist (#44267301) Attached to: Ask Slashdot: Is Postgres On Par With Oracle?
As much as I hate to admit it.. The Oracle stuff for the most part just works and if you have competent DBA's you don't have to worry about it. You may regret using oracle when you get the bill and sometimes it does not have the more esoteric features of the other DB's but you will be glad for its stability and its enterprise focused features in the long run.. And no one will sack you for choosing Oracle.

You have a tendency to feel you are superior to most computers.

Working...