For the Linux kernel, that's how development is done already, for quality control and bloat reduction. Nobody can commit by themselves, it takes at least three people to get a change into mainline. Each developer has their own copy of the tree into which changes are pulled, so they can see all changes that are made, and who made them.

For each part of the kernel, there are a number of people particularly interested in that bit who watch it and work on it. For example, the people making NAS and SAN devices and services keep a close eye on the storage subsystems. Myself, I watch the cm storage stack generally, more specifically LVM, and even more specifically snapshots. There are a few dozen people around the world with special interest in that particular part of the code. No backdoors will come in without some of us spotting it. What COULD happen is that some code could come in that isn't quite as secure as it could be.

It just so happens that I'm a security professional who uses advanced Linux storage systems for a security product called Clonebox, so that's at least one security professional closely watching that part of the code. Thousands of others watch the other parts.

It's convenient that a lot of the development is done by companies like Netapp, Amazon (S3) and Google. You can bet that when Amazon submits code, Netapp and Google are looking closely at it. When RedHat submits something, Canonical will point out any reasons it shouldn't be accepted.

The reason you can boot from a raid card or network is because the BIOS loads and runs BIOS modules from those cards. You may be familiar with the Linux kernel, where most of the functionallity is in modules that become part of the kernel. BIOS is the same. One differentiator between a server motherboard and a consumer one is how much BIOS memory it has, to load modules from many different pieces of hardware. I have one machine with at least four different pieces of hardware that include BIOS. MOST of the BIOS on that machine didn't come with the motherboard.

Yep, the whole thing is stupid. My "black" wife is lighter in color than our "white" friend Kristi, also known as Krispy because she tans often. So there goes the whole black/white thing.

There is such a thing as thug culture. In Boston, you'll find plenty of pale redheads engaged in that culture. It has little to do with race or color, and for Al Sharpton to tell "black" people that they should be part of thug culture is offensive.

High crime is high crime. The areas are what they are. Fuck Jesse Jackson. He's one of the reasons that areas with high black population tend to also have high crime rates.

(This statement has been approved by both my wife and me, who are caramel colored and slightly tan.)

> No, your key is #125125215 in the queue.

In that case, at four hours per key, they'll get to mine in 58,000 years.
It's too bad we can't know for sure that it takes at least a few hours per key, and that it always will. It would be ideal if it took about a day or so per key, with US government level resources.

Which is better marketing than cryptography. To make it REALLY secure, they could add another step, hash it using this function:

function slashHash() {
  return('a');
}

You could never predict the result if they added slashHash to the sequence! :; Note that it doesn't matter if you put slashhash as the last step, the first step, or anywhere in the middle - the whole thing is broken if you have a breakable step anywhere in the procedure.

In the case of KeePass, it's not THAT bad because the thing they are hashing (your password) is probably shorter than either of the hashes, thus easy to guess. An eight character password doesn't provide much security, so not much is being lost. (8-12 characters is insufficient against offline attacks. 10-12 isn't bad for online systems that have server-side brute force /dictionary protection.)

The idea is that because most people's password is their pet's name or something equally easy to guess, KeePass might as well force the attacker to spend a second hashing each guess 500 times. That's not terrible IF you assume the users will choose short, weak passwords. However, it means the attacker does NOT have to guess the right password. They only need to guess any password which collides on any of the 500 rounds! Once the hash matches, hashing a match many more times still results in a match. In that way, it makes it 500 times easier for the attacker.

What that means is that if you did ten million rounds of SHA-256, ANY password would open your KeePass, 'dumb' would always work as an extra password because any password short enough to type will probably collide with "dumb" at one of those 10 million rounds. Of course the user and the attacker both have to sit around waiting for 10 million rounds to finish.

So in summary, more rounds means a) it's easier to guess and b) both the attacker and the user have to wait longer while the rounds run.

To be specific, a hash or signature should only be done once. A DES hash of an MD5 hash is weaker than either DES or MD5, for example.

There is a small exception to the above. Running multiple rounds of the SAME algorithm in a very specific way can sometimes make it slightly more secure against one particular type of attack - brute force. That's a narrow exception, though.

That's my point. They won't spend any money tracking me. Well, not more than about $10-$50, since I'm pretty sure I'm on a list or two. They WILL spend money tracking whoever appears to be the next bin Ladin. Cool. I'd like them to be able to track bin Laden, while it's not anywhere near worth it to track me.

If I were using "1 bit encryption" they WOULD break it. They proof of that is that they DO track people who use 0 bit (plain email, phone). That's bad. I prefer that everyone use encryption enough so NSA finds it worthwhile to track 0-100 people.

Ps - I said I'm probably on a list. I've worked in security for many years, so my footprints can be found looking at information about exploits, etc. I run a system where we teach cybersecurity to state and local government employees, so I frequent sites that a bad guy might find interesting. On top of that, I use words like "freedom" and "Constitution" and we now know the Obama administration considers those words to be red flags.

Yeah, actually if someone is bad enough to make the NSA's top 10 list, it'd probably be good for someone to be reading their email. I have a BIG problem with the fact that the NSA is tracking everyone's emails and phone calls. I've contacted my congressman about that more than once, calling them out very publicly.

The top NSA agents know who the really bad guys are, the guys who will probably be involved in the next 9/11. Maybe they can't publicize the intelligence that proves it, maybe they are missing a few details, but we knew who bin Laden was. I'm fine with invading their privacy.

But but but if they invade anyone's privacy, they'll invade everyone's privacy. If we let them, yes. Ideally what we want is systems, including budgets and oversight, which only allow them to spy on a few people, so they have to pick which ten people they really do need to spy on.

True, I skipped step 1 "get a few levels above helldesk".
However, if you can speak business, or translate a little bit of techspeak into something that makes business sense and do it in front of a mid-manager or above, that may help you GET into a position where you can do so regularly.

If that speculation is right, that a billion dollars will buy hardware that takes a few hours to break one key, great. That would mean nobody is going to break MY key, and that al Qaeda's keys were broken soon after they started using them. Works for me.

Perhaps they should do this and that. They aren't reading this thread, so talking about what they should do is not helpful.
What can we nerds do to help the situation? If speaking in terms of business risks solves the problem ...

You see relevant news stories on CNN / MSNBC / Fox. How hard is it, really, to send your boss the link with a note saying "I noticed we're vulnerable to this. I'd like to discuss securing our systems from this type of problem"?

I don't know about you, but I HAVE hard data to base my estimates on. If you don't, a professional opinion giving a rough estimate isn't "made of whole cloth". If you're making recommendations, you should be able to say with some confidence that an SQL injection attack on a public web server is at least 100X more LIKELY than having your WAP cracked. Management may not know that, but somebody in IT should know it and be able to communicate it to management.

If you are asking for resources to be spent to avoid a particular risk, you either have the professional knowledge to discuss the level of risk, or you're talking out your ass.

How can you get that knowledge? We logged just over 10,000 brute-force attacks last year on the x,000 sites we monitor. I can query those logs to provide various numbers. So logging is one way. The major security lists get several reports per day. MMonitoring those lists will help you understand the threats - how common they are, how costly they are, and how to mitigate the risk. Sometimes engineers focus on mitigation, but knowing how to mitigate risk is pointless until you know which risks you should be focused on.

Suppose you don't have time to learn about all that. You probably don't have time to learn about a lot of things, so you listen to some experts. Bruce Scheiner or myself might post something you'll want to read and feel you can trust. If we security professionals do our jobs right, we'll include some risk assessment data. You can always ask us questions. Every three years, you might call one of us in to look at your systems and provide some specific recommendations, along with information about WHY we recommend those things.
 

> If the boss doesn't understand still doesn't ask why you think something is important then
> he is just as much to blame for the communication failure

That's true for ANY communication failure. What does blame get you?

If I'd like to get something done, I can either communicate it in a way that gets it done, or not.
It does me no good to go about it such that it fails and I can blame the other guy.
Blame and $2 will buy a cup of coffee ($8 in California).