Ubuntu also has FIPS 140-3. https://ubuntu.com/security/fi...

I have some experience with self-encrypting drives. Many models of drives, when presented with a request to copy, can do one of several things: (a) return all zeros, (b) return an encrypted stream which is NOT the data or (c) return the true encrypted bytes.
Several drives I have used have resorted to the first strategy. Sometimes you can't make a copy of the drive, barring removing the storage chips from the underlying processor which serves it.

I am a certified CC evaluator.

In no way does CC automatically imply resistance to side channel analysis. CC is a framework that permits manufacturers to make certain security-relevant claims. Evaluators then use a structured approach to determine whether those claims are accurate. If the product claims resistance to side channel analysis, then the work to get *assurance* of that claim will only be as good as the evaluator.

In short, existence of a Common Criteria certificate means nothing unless you read the claims and determine the rigour employed by the evaluator to arrive at their conclusions. Even then, such conclusions are based on a *single* iteration of the product under very specific deployment configurations and considerations.

I see lots of people complaining above BH stories. While we cannot filter on the stories (only the editors), the web is OUR web. Tampermonkey script: http://userscripts.org/scripts...

You can understand the nature of the programs you are maintaining without viewing the material they collect.

If I am forced out of Classic, I will leave and never look back.

Fuck beta.

I find it extremely interesting that Appendix E of that report does not discuss the NSA's role (or not) in twiddling with Dual EC DRBG. It's the only crypto component that they've been explicitly called out on, and it's not discussed.

NIST and NSA have all sorts of partnerships (look at NIAP as an example). On the whole, however, they are distinct organizations with some overlapping function. NIST, for example validates cryptography implementations through the CMVP and the CAVP. Also of note is that the NSA has two arms: an offensive arm and a defensive arm. I'm somewhat annoyed with the /. crowd for not recognizing this and realizing that it is the offensive NSA arm which is potentially responsible for deliberate cryptographic weakening.

I just saw a TED talk in which the presenter asked this very question.

Actually, although your message is clear, the details are not entirely correct. Regardless of how long you are outside of the country, if you have strong ties in Canada (a house, a wife/husband/children/family, bank accounts, etc.) then you are still considered a "factual" resident for tax purposes (http://www.cra-arc.gc.ca/tx/nnrsdnts/cmmn/rsdncy-eng.html). You must still FILE taxes, but you don't (necessarily) have to PAY taxes. You pay taxes only on income received from Canadian sources. Any so-called "Worldwide income" is exempt from Canadian taxation as long as there is a tax treaty with the counterparty country (http://www.cra-arc.gc.ca/E/pub/tg/t4131/t4131-e.html#P201_20183).

If you live outside of the country for more than 6 months (6 months plus one day), then you aren't afforded medical insurance. Hence, snow birds who fly back and forth from Canada every 6 months.

Yahoo Answers is the only site I've ever decided needs to be worthy of the Google block.

I've always been amazed at things like SAS 70 which, as the poster states, is based on self-defined criteria. The most shocking part, if I recall correctly, is that the criteria are not publicly consumable! This is the worst part of it all and the key part which needs to change.

You mean something that causes something to churn whenever you see it?

I prefer sexy robocalls from Cowboyneal.