Slashdot Mirror


Small Company Wants to Make Encryption Key Management Into a Commodity (Video)

StrongAuth helps protect data with strong encryption, so that even if a company's network infrastructure is breached, its critical data -- including customers' credit card numbers, for example -- is still safe. Their software is open source, and their objective is to "become like the Toyota Camry of encryption key management," says StrongAuth CTO Arshad Noor. "Everybody should be able to afford it." These are big words from a company that only has 12 employees, all in Silicon Valley, but it's a company that not only has a strong reputation among its small and medium-sized business clients, but is starting to get acceptance from Fortune 500 behemoths, too. In this video interview (and in the transcript), Arshad not only talks about data security, but about how his company makes money while developing and relying purely on open source software. And did somebody ask about Linux? Yes, their software is all based on Linux. CentOS, to be exact.

63 comments

  1. Fail by Anonymous Coward · · Score: 0

    Not gonna work....

  2. Slashvertising by Anonymous Coward · · Score: 2, Informative

    Anyone "should" be able to afford it? Everyone IS able to afford it. Right now.

    1. Re:Slashvertising by Anonymous Coward · · Score: 1

      While this is technically true and this article is definitely a slashvertisement, actually implementing data security is Hard(tm) as the tools are very clunky and information is sparse. Data security should be fairly trivial to implement, but as it stands, everyone has to figure out all the nitty gritty implementation details and roll their own based on low-level encryption algorithms. There is no "just put the password in the database with this function", instead it's a free-for-all navigating what the best current hash algorithms are, whether your data sources are random enough, whether your salt is good enough, etc. Most security experts however seem to have no interest in making security easy, but rather berating everyone for not being a security expert.

    2. Re:Slashvertising by Synerg1y · · Score: 1

      Basic security is fairly easy to implement and typically requires a little bit of common sense and business sense. Turning on https on a web server doesn't require a security expert. It all depends on who you think may target you, obviously the Chinese government has more potential to break in than a basement neckbeard. However, the Chinese government isn't interested in 99.9% of IP addresses despite the title of the other fear-mongering article on /.

    3. Re:Slashvertising by Anonymous Coward · · Score: 0

      Turning on https on a web server doesn't require a security expert.

      This also isn't security in any real sense. Encrypted communication is a very basic prerequisite, but a bunch of stuff happens after that point that is "security" and is where the real problems lie. At very least, you need to identify your users, have them log in, store passwords and session tokens. All of these things are nontrivial and without buying into some large web framework (which is not always desirable and often full of their own holes .. e.g. rails), require a very ground-up solution. Try integrating with other software (GPG for instance) and good luck, it's crap and barely works on the native desktop, not to mention web/mobile.

      However, the Chinese government isn't interested in 99.9% of IP addresses despite the title of the other fear-mongering article on /.

      No but you don't want some random script kiddie group (anonymous, etc) having a field day with your broken system, either.

    4. Re:Slashvertising by CKW · · Score: 1

      Afford, yes. Implement? PROPERLY?

      I kid you not, 90% of general purpose software developers are not sharp enough to "touch" security related code or systems without leaving GAPING holes because they totally don't understand or misunderstand simple things.

      They can write an if/else or a while loop, but other more advanced things ... just beyond them. And even the moderately smart senior personnel will accidentally leave something in a "prototype" state and accidentally ship it because of deadlines.

      This is the security/encryption equivalent of a Barracuda anti-spam appliance. Yes, any smart sharp sysadmin with sufficient time allocated to the task can implement brilliant near-perfect spam filtering using open source products. LOTS of sysadmins a) aren't that smart: it won't be configured nearly as well as a company needs, and it'll fail frequently or do strange things because they disagree on how it should work, and b) they won't have sufficient man weeks allocated to it, and remember, the less sharp the person is, the more time they'll need and the more problems there will be.

      WAY BETTER for an SMB* to simply drop cash on an "appliance". It's almost impossible for a Barracuda to do worse than your average overworked sysadmin.

      I'm not a shill for the latter, it's simply the device the SMB I work for uses. And our sysadmins aren't dumb. They're just not brilliant and they are, of course, overworked.

      (*) Small and Medium Business

    5. Re:Slashvertising by unrtst · · Score: 1

      Turning on https on a web server doesn't require a security expert.

      So, you have a cert, and a webserver. Is that cert protected by a password?

      - if no, then anyone that gains access to the server and/or cert can break all transmissions. For example, do you have a backup of the cert? Is it floating around in an email somewhere? How many people can get access to it? etc.

      - if yes, then where is that password? How do you go about protecting the password that protects the cert? You'll run into some of the same problems in protecting the password. That's one of the main problems that a key server solves (I'm pretty sure that's the main goal, or at least one of the primary goals, of the StronKey CryptoCabinet, but I haven't looked into it specifically enough yet)

      Any time you encrypt anything, you need some sort of key, and you must protect it somehow, and still make it available for use in said encryption/decryption.
      Maybe you don't *need* that level of security, but some do, and it's the hard part (er... well... one of the hard parts)

    6. Re:Slashvertising by Synerg1y · · Score: 1

      Whoever signed the cert would house the key... Verisign, Comodo, etc... that's the trick, neither party has the key and a "secure" middle man does, but certs are end point authenticators, https is what would actually encrypt the traffic.

    7. Re:Slashvertising by unrtst · · Score: 1

      You're still missing the point entirely.
      What protects your cert? Is it just filesystem permissions? Is it encrypted with a password that must be entered when the webserver restarts, or encrypted and the webserver config (or helper script) holds a password, or not encrypted?
      The cert authenticates who you are. So if someone gets a copy of your private cert, they can pretend to be you.

      To keep the cert secure, it should be encrypted. A key server serves to provide decryption (or a key to decrypt) the cert in a secure manner. It gets more complicated than that, but that's the general idea. If you're just trusting some "secure middle man" (which isn't the only concern), how do you think they keep all that information secure?

      This has nothing to do with the HTTPS encryption on the wire, nor with the DH key exchange, nor with certificate chain validation up to Verisign/Comodo/etc. (well, their appliance may assist in one or more of those things, but that's not the complex bit).

      Look up "PCI DSS Encryption Key Management" for more info.

  3. Encryption costs time and CPU, not dollars. by Kenja · · Score: 2

    The cost of implementing strong encryption is the time it takes and the CPU cycles to run it. There has never been a high dollar cost that I am aware of other than these two factors. The former issue is alleviated through a standard framework, of which there are already a great many. The latter cannot be reduced, and can be a significant factor on virtual environments where CPU time is at a premium.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"

    1. Re:Encryption costs time and CPU, not dollars. by Anonymous Coward · · Score: 0

      And now we're turning it into a bandwidth problem. For the best security those keys need to never be transmitted anywhere - ever. That means any signing needs to happen offsite. ...not to mention the fact that the security has been reduced to a single point of failure. If they are ever compromised the shit is going to hit the fan very very hard indeed.

    2. Re:Encryption costs time and CPU, not dollars. by Anonymous Coward · · Score: 0

      ... a standard framework ...

      For starters, there is no framework for accessing the public key of an e-mail address. There is server-to-client encryption (SSL, TLS), but not client-to-client encryption, like that required by email. Some e-mail clients do this but it doesn't work if your recipient is using a different 'brand'.

      ... The latter cannot be reduced ...

      It's called dedicated hardware: Like that graphics thingie that makes 'Crysis 3' work on your computer. It will also remove the encryption key from computer memory which can be probed by malware.

      Portable devices are getting GPUs but not encryption processing hardware. That makes such devices a weak point that police have been quick to exploit. There have been slashdot stories bemoaning how people load their virtual lives onto something that can easily be stolen or downloaded.

    3. Re:Encryption costs time and CPU, not dollars. by ArsonSmith · · Score: 2

      Interestingly, I do a lot of encryption related work and those two parts are the least of our worries. Key management takes up 90% of the time that is applied to encryption and it is a constant and ongoing thing that puts data at horrible risk if it's not done right. From both sides, you need to secure the keys well enough that only the people that need them can get them but not so well that the people that need them can lock themselves out.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.

    4. Re:Encryption costs time and CPU, not dollars. by Charliemopps · · Score: 1

      Agreed. You need someone that knows what they're doing to keep track of them... those types of people cost, minimum $50k/year... but they rarely ever need to do anything at all. It's hard to convince management to keep them on. But when they aren't around and you need them.... woe unto you.

    5. Re:Encryption costs time and CPU, not dollars. by Alsee · · Score: 0

      CPU cycles aren't much of an issue here. They are selling a Trusted Computing scheme with a Trusted Platform Module performing the core functions.

      From one of their FAQs:
      StrongAuthKey Appliance: Cryptographic hardware (TPM or HSM) included in appliance
      StrongKey: Cryptographic hardware must be integrated separately
      (This refers to a TPM built into your PC)

      It's bad enough Slashdot has basically dumped an ADVERTISEMENT here as a front page story, but it's particularly disgusting that they did it for a goddamn motherforking TRUSTED COMPUTING piece of crap. Don't let this shit anywhere near your computer.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.

    6. Re:Encryption costs time and CPU, not dollars. by Anonymous Coward · · Score: 0

      That's how CA certs work newb. Way to think of what people thought of decades ago.

    7. Re:Encryption costs time and CPU, not dollars. by mlts · · Score: 1

      I looked at their appliances... nothing really special that I can't buy from IBM or HP, except IBM has the HSM for keys on a PCI-E card -- no rack space needed.

      I remember in a previous life working for one company. A vendor approached us for a backup solution that was this magic black-box appliance that stored an encryption key for every tape. As the company I worked for had tens of thousands of LTO-4 and LTO-5 tapes, that was a concern. I asked the sales rep how to back up the keys. His reply, "the device can mirror to another device". I asked him how I back up the keys just in case the site was down. His reply: "Buy another device." I just logged on the web server of the tape silo, set a respectable passphrase for encryption of tapes, copied the passphrase to some 3x5 cards which went to different managers around the globe to keep safely via registered mail, and called it done.

      I have also pondered making my own HSM appliances. It would be on an x86 platform with the usual TPM chip, but the "trusted" stuff would be mainly to ensure the HDD was encrypted from the beginning of the boot cycle. It would do the usual signing/decrypting of stuff as everything else does, with various users/groups/roles allowing what keys at what times, and storing audit logs.

      For backups of keys, there was a dedicated USB flash drive port, and there was the option of using the protected storage space on a SD card (each SD card has an additional 20% of usable storage on it, but you have to be part of the SD group to get access to the APIs using it.) That way, the backup private keys would not be physically accessible to the run of the mill SD card reader.

      I even made a prototype appliance of storing username/password tuples in a secure case, just to prevent an intruder from grabbing hashed passwords used for Web users. This device only allowed access via a few commands (none of which allowed a complete database dump), and someone trying to guess the password of a user would get locked out quickly. Of course, one could take a backup via the USB or a SATA port, but that required physical access, and the master encryption key.

      Trick is making an appliance that honestly works, and not trying to sell it by smoke and mirrors.

  4. Re:Given Time... by buchner.johannes · · Score: 3, Insightful

    Given time, the Sun will become a red giant and destroy Earth. Given time, Dark Energy will rip the universe apart.
    The question is will the keys break before or after that.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.

  5. Slashvertisement. You're doing it right. by xxxJonBoyxxx · · Score: 2

    You even got SlashDot to post a video from a 1990's-style trade show, for God's sake.

    >> Yes, their software is all based on Linux. CentOS, to be exact.

    Er...just one distribution?

  6. And the interested parties are... by SanDogWeps · · Score: 2

    the Playstation Network?

  7. an excellent slashvertisement by nimbius · · Score: 2

    except for the "his company makes money while developing and relying purely on open source software."

    we don't need more assholes building code monasteries.

    --
    Good people go to bed earlier.

  8. So, another one for the just pile? by Anonymous Coward · · Score: 0

    CentOS? They are kidding right?

    1. Re:So, another one for the just pile? by Chris+Mattern · · Score: 1

      Hey, it's this new Linux thing. They've heard that it's all the rage with these computer kids.

  9. Re:Given Time... by Anonymous Coward · · Score: 2, Insightful

    The question is will the keys break before or after that.

    Secret information is usually time-sensitive. The question is: Can the keys be broken before the information is worthless (de-classified)?

    It's been included many times before, but here is the obligatory XKCD: http://xkcd.com/538/

    As the cartoon and Schneier reveal, those using the security system can be exploited, if one can find them. That's been mentioned many times on 'National security letter' stories where the government is intruding into someone's online life.

  10. Backup Key Appliance by Anonymous Coward · · Score: 0

    How do you backup the key appliance?

  11. Backfired by Anonymous Coward · · Score: 1

    I was looking into their products, but after this blatant slashvertisement, I'm going to take my business elsewhere. You're making slashdot even worse, Dice. I won't support companies that help you kill yourself.

    1. Re:Backfired by Anonymous Coward · · Score: 0

      Idiotic comments like this are why I don't come here anymore.

  12. Slashdot. STAHP. by PhxBlue · · Score: 5, Insightful

    Dear "Editors":

    This is a new low, even for slashvertising.

    Responsible journalists do their damnedest to make sure their work looks nothing like the ads that appear on their sites. You've just done the exact opposite. In fact, remember when The Atlantic posted a Scientology ad as editorial content? Remember the outcry that went up about the distinction between advertising and news? Well, you've just done the exact same thing.

    Knock it the fuck off. Slashdot was supposed to be "news for nerds." If you want to sell out, do it on your personal time, not here.

    --
    !#@%*)anks for hanging up the phone, dear.

    1. Re:Slashdot. STAHP. by Anonymous Coward · · Score: 0

      They have already sold out, dumbass. Dice is at the helm, not a vague mission statement.

    2. Re:Slashdot. STAHP. by Anonymous Coward · · Score: 0

      Wow you've got a head full of shit and a mouthful of dicks. Stick your snobby little FYIs back up your he-pussy you fucking no talent bitch

    3. Re:Slashdot. STAHP. by PhxBlue · · Score: 3, Insightful

      FYI - none of these videos are paid ads.

      Then it's free advertising. Still not seeing the distinction, except that StrongAuth got an even better deal than we thought.

      Those who want to believe otherwise are free to do so, but that doesn't alter the facts.

      Slashvertising is a common enough practice that it has its own portmanteau. That's a fact. And I don't know what you think constitutes journalism, but to me, it doesn't mean sitting down one-on-one with a company talking head and tossing him a bunch of softball questions. That's public relations at best, marketing at worst, but it is not journalism.

      Also FYI: America's elected president wasn't born in Kenya and little blue men don't truck the sun around the earth on an invisible track every day.

      Right, because insulting your readers does wonders to bolster your credibility.

      --
      !#@%*)anks for hanging up the phone, dear.

    4. Re:Slashdot. STAHP. by Anonymous Coward · · Score: 0

      "America's elected president wasn't born in Kenya"

      Really? So now you are whoring your little website for the corporations *and* the state?

      Wipe the brown off of your nose lickspittle.

      I am the only free man on this train. The rest of you are cattle!

    5. Re:Slashdot. STAHP. by Roblimo · · Score: 3, Insightful

      You're right. I shouldn't get upset by people who choose to believe things that aren't true. I apologize.

      I understand the definition of journalism you're using. However, I do not believe that it's necessary to be negative at all times.

      In this case, Tim had a pleasant conversation with the CTO of a company that releases the software it develops for free, under the LGPL.

      What should Tim do? Thunder "How dare you do that!?" at the man?

      Re portmanteaus: Anybody can create one. For instance, I could coin "Slashcretin" to describe some of our less intelligent readers.

      But since I am supposed to absorb abuse, but never supposed to react to it, I will not use the word "Slashcretins" to describe even the most foul-mouthed, ignorant Slashdot readers. (And no, you are not one.)

      So have a nice day, and thank you for your input. :)

      - Robin

    6. Re:Slashdot. STAHP. by Alsee · · Score: 2

      by Roblimo (357)
      FYI - none of these videos are paid ads.

      It doesn't much matter - from the reader's point of view it's indistinguishable from a paid advertisement. Your readers are seriously put off by this article. That in itself is enough to establish that you blew it here.

      And note that the grandparent post said "Responsible journalists do their damnedest to make sure their work looks nothing like the ads that appear on their sites" - pretty well acknowledging that it may not be a paid advertisement, and that you blew it even if it wasn't paid.

      Also FYI: America's elected president wasn't born in Kenya and little blue men don't truck the sun around the earth on an invisible track every day.

      It looks like a paid ad, it's hardly surprising people are going to suspect it's a paid ad, particularly when there was no statement to the contrary at the time. That's hardly some loony conspiracy theory. You blew it, it was a bad article, simply answer that it wasn't a paid ad and move on and avoid the appearance of paid ads in the future. Calling your readers loony birthers only compounds the problem.

      MY bigger issue is that you knew this company was pushing a Trusted Computing scheme. (He directly mentioned the Trusted Platform Module during the interview). I, and a lot of people here, find that far more offensive than the idea of a paid article. At least a paid article I can begrudgingly understand - Slashdot is a business and sometimes parts of a revenue model can be annoying but understandable. But knowingly getting in bed with Trusted Computing - promoting it - that's just plain villain terrain. This stuff is fucking evil, and a large percentage of your readership views it as fucking evil. And I assume you're well aware that the large majority of us view it as fucking evil. It is the single greatest threat to Open Source, it's a direct assault against the fundamental ownership and control of your own computer, it's an ideology to "fix" general purpose computers so they are not general purpose computers. It redefines "security" to mean glorified DRM schemes. It is the single greatest threat to lockdown/exterminate innovation and new technology.

      WTF were you thinking?!?!

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.

    7. Re:Slashdot. STAHP. by PhxBlue · · Score: 1

      You're right. I shouldn't get upset by people who choose to believe things that aren't true. I apologize.

      Good call. Life's too short. And getting upset by "people who choose to believe things that aren't true" is how religious crusades and emacs/vi flamewars start.

      I understand the definition of journalism you're using. However, I do not believe that it's necessary to be negative at all times.

      Neither do I. But it should be based on something more than, "[Subject name here] likes it." Something needs to be of interest to a large number of people in order to be news.

      Re portmanteaus: Anybody can create one. For instance, I could coin "Slashcretin" to describe some of our less intelligent readers.

      Yes, and when you can show me lists of articles on Slashdot tagged "Slashcretin," give me a holler. :)

      --
      !#@%*)anks for hanging up the phone, dear.

    8. Re:Slashdot. STAHP. by cusco · · Score: 1

      Doesn't help that most of the major media outlets have been broadcasting press releases as 'news' for the last several years in exchange for promised advertising. It's not a big leap to assume that Dice would do the same thing as CNN or NBC. Thanks for letting us know that they aren't actual ads, I had just assumed that some of them were.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

  13. Nothing but a whorefest by shaitand · · Score: 4, Informative

    I get this everywhere else. I don't need it on Slashdot too.

    1. Re:Nothing but a whorefest by Roblimo · · Score: 1

      So what do you want? something uncompromisingly negative to make up for something positive?

      Why aren't Slashdot editors allowed to like anything? Hmm?

    2. Re:Nothing but a whorefest by Gizzmonic · · Score: 1

      Your life is a whorefest? All I can say is, make sure you get tested regularly!

      --
      (-1, Raw and Uncut is the only way to read)

    3. Re:Nothing but a whorefest by Anonymous Coward · · Score: 0

      I suspect your whoring is not within the realm of possibility for a typical Slashdotter.

      How do you do it? Do girls finally love kernel debugging techniques?

    4. Re:Nothing but a whorefest by shaitand · · Score: 2

      Sure but at least put it up in a way that PRETENDS not to be an advertisement. I think a fair number of us work in the enterprise tech world and browse Slashdot to escape it for awhile. This stuff floods our inbox all day long.

      This thing doesn't even promote an actual solution, it just delivers the rah rah pep talk these guys would have in the company meetings they subject their staff to. Lots of enthusiasm and feigned altruism, no content. I don't mind a slashvertisement slipping through now and again if it introduces me to some neat new thing or raises interesting discussion. But this has none of that. Just the nonsense philosophical spin a random company is putting on having the same goal as every other corp, milking profits.

      Hopefully this is just a one-off event that resulted from an editor doing a solid for a friend. Still I think it would be more effective if some geek driving the tech for a project in this company wrote up about something sweet it does and the marketing department kissed off. I think you'll find that I'm not one of those who usually rants about the editors. ;)

  14. Re:Given Time... by Anonymous Coward · · Score: 0

    the Sun will become a red giant and destroy Earth.

    and so will your mom

  15. Re:Given Time... by Anonymous Coward · · Score: 0

    MD5 was supposed to be good until the end of every Marvel comic alternate universe, but it still fell. You are measuring Current Attacks times Moore's law, but some unknown element that turns Knuth-Paper-Stacks(XKCD://1162) into linear time can come from anywhere. The attacks will only get better with time, which is a curve that seems to run a few decades behind the creation of new crypto tools. Still not long enough to be dead and gone before your encrypted laundry comes out.

  16. Cleartext has to be available by Todd+Knarr · · Score: 1

    The problem I see is that for software to process and work with the encrypted data it must be decrypted without human intervention. That means that either the software itself has to know the decryption key, the software has to know the authentication key used to get the decryption key from the crypto infrastructure, or the decryption key has to be available from the infrastructure without authentication. So while the encryption can protect against an intruder who's gained access to the network from the inside (without accessing the externally-visible side of the applications), it can't protect against an intruder who's gained access to the applications. And it seems like the most common exploits use vulnerabilities in the applications to gain access through the applications. So once the application is compromised, how does the encryption prevent the application from getting the decrypted data when the one unchangeable requirement is that the application can get the decrypted data to work on?

    It's the same dilemma as with full-drive encryption. Sure, it'll protect your drive against someone who physically steals your laptop. How much good will it do you against the malware slipped into your machine that accesses data while you're using your machine?
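    The limit described above is real: an application that must read plaintext can be made to read plaintext by whoever controls it. What a key server can still add is a ceiling and a trail. The toy below, an added example that is neither the commenter's nor StrongAuth's code, hands out a per-record data key only to an authenticated caller, caps releases per sliding window (the "locked out quickly" idea from the appliance story earlier in the thread), and logs every outcome so a bulk dump attempt surfaces as a burst of throttling. The master key, app token, record ids and limits are constructed for the example.

```python
# Added example (not from the thread or StrongAuth): a key server that releases
# per-record data keys to an authenticated app, rate-limits releases, and keeps
# an audit log. A compromised app still gets keys for records it asks for, one
# at a time; it cannot drain the whole table quickly or quietly.
import hashlib
import hmac
from collections import deque
from typing import Optional, Tuple


class KeyServer:
    WINDOW_SECONDS = 60.0

    def __init__(self, master_key: bytes, app_token: bytes, max_per_window: int):
        self._master = master_key          # never leaves this object
        self._app_token = app_token
        self._max = max_per_window
        self._released_at = deque()        # release timestamps in the window
        self.audit_log = []                # (timestamp, record_id, outcome)

    def release_dek(self, token: bytes, record_id: str, now: float) -> Tuple[str, Optional[bytes]]:
        """Return (outcome, key); key is None unless outcome == "released"."""
        # Constant-time token check; a wrong or wrong-length token is denied.
        if not hmac.compare_digest(token, self._app_token):
            self.audit_log.append((now, record_id, "denied"))
            return "denied", None
        # Sliding window: forget releases older than WINDOW_SECONDS.
        while self._released_at and now - self._released_at[0] >= self.WINDOW_SECONDS:
            self._released_at.popleft()
        if len(self._released_at) >= self._max:
            self.audit_log.append((now, record_id, "throttled"))
            return "throttled", None
        self._released_at.append(now)
        self.audit_log.append((now, record_id, "released"))
        # Per-record key derived from the master key under a fixed label, so
        # the master never leaves the server and keys are stable per record.
        dek = hmac.new(self._master, b"dek:" + record_id.encode(), hashlib.sha256).digest()
        return "released", dek


def drain_attempt(server: KeyServer, token: bytes, record_ids, start: float) -> dict:
    """Simulate an app requesting every record's key in a burst; tally outcomes."""
    tally = {"released": 0, "throttled": 0, "denied": 0}
    for i, rid in enumerate(record_ids):
        outcome, _ = server.release_dek(token, rid, start + i * 0.01)
        tally[outcome] += 1
    return tally


def throttle_alerts(audit_log, min_throttled: int):
    """Detection rule over the log: minutes in which throttling fired min_throttled+ times."""
    per_minute = {}
    for ts, _, outcome in audit_log:
        if outcome == "throttled":
            minute = int(ts // 60)
            per_minute[minute] = per_minute.get(minute, 0) + 1
    return sorted(m for m, n in per_minute.items() if n >= min_throttled)


if __name__ == "__main__":
    # Constructed sample: 20 card records, an app allowed 5 key releases/minute.
    srv = KeyServer(b"constructed-master-key", b"constructed-app-token", 5)
    ids = [f"card-{i}" for i in range(20)]
    print(drain_attempt(srv, b"constructed-app-token", ids, 0.0))
    print("alert minutes:", throttle_alerts(srv.audit_log, 10))
```

    The sizing question is the one the thread raises about locking people out: the per-window cap has to exceed the application's legitimate peak, or the server locks out the users who need the keys.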

  17. Re:Given Time... by Anonymous Coward · · Score: 1

    Well, as one who is working on the project, I don't think that... ... wait a minute: the project is open source?!?!!? My boss never told me that; that's crazy. So much for using the industry standard strong encryption, ROT26. I may have to go back to my old job. They've got to be more clear about these things on job applications.

  18. Re:Given Time... by K.+S.+Kyosuke · · Score: 2

    Given time, the Sun will become a red giant and destroy Earth.

    Actually, now it's gonna be by courtesy of Oracle, but same difference.

    --
    Ezekiel 23:20

  19. Bad Name for a Company by xxxJonBoyxxx · · Score: 1

    >> StrongAuth helps protect data with strong encryption

    So...why's it called "strong authentication"?

  20. Wait...what? by Chris+Mattern · · Score: 2

    Encryption Key Management IS a commodity. What in hell are these yahoos talking about?

  21. Fundamental ignorance? by rich_salz · · Score: 1

    From their website: "DES and the International Data Encryption Algorithm (IDEA) are the two most commonly used symmetric techniques." Totally wrong. Doesn't make you feel good about them as a security company.

    1. Re:Fundamental ignorance? by Anonymous Coward · · Score: 0

      Depends on which thing they are measuring. RC4 is still more commonly used by browsers than AES. Credit card fossi^H^H^H^H^Hworld mainly lives in the land of DES and IDEA, although they've been supposed to move elsewhere for years.

  22. Ridiculous advertising by Anonymous Coward · · Score: 0

    Another obvious instance of Slashdot shilling for money.

  23. Slashvertisement by tomalpha · · Score: 1

    Ugh. I haven't logged in to post for some time. This kind of story is why. I hope they paid for this and the standard of posting hasn't just sunk to a new low without $$$ exchanged.

    1. Re:Slashvertisement by cusco · · Score: 1

      Higher up the thread Roblimo said that none of the videos are paid ads.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

    2. Re:Slashvertisement by tomalpha · · Score: 1

      Yes, and I had read that before posting my comment. I want to believe, but find it harder to do so recently. To state the obvious: Dice have a credibility problem with some of the slashdot crowd. They need to go out of their way to avoid the *appearance* of paid-for-journalism. IMHO they didn't get this one right. However well intentioned it may or may not have been; it doesn't *appear* to be well intentioned. It's not the first time, and I dare say it won't be the last. They should be worried when their audience stops calling them out on it because we'll have given up caring at that point. I don't want to give up caring, but sometimes they make it hard.

  24. Bad Metaphor by Anonymous Coward · · Score: 0

    A company that wants to help you secure your data wants to "become like the Toyota Camry of encryption key management".

    One of the most common stolen cars? I think their metaphor needs a little work...

  25. Stenography! I love it! by VortexCortex · · Score: 1

    Unlike the other clueless commenters who revile this "slashvertizement", I recognize that this must be a form of stenographic encryption. Roblimo must have needed a way to send a secret message, or to permanently store his PGP revocation key (I'm always losing that); thus, this article was created to deliver the stenographically encoded payload in the text and/or video. You're not fooling me!

    Nice touch including the tags in the headline so you can easily retrieve the article later by searching "Management Encryption Key". Might want to be a little less obvious next time though.

  26. Can't I just download bouncy castle? by rsilvergun · · Score: 1

    If you're writing Java it's easy. It's a bit more trouble with .Net because nobody's bothered with a good tutorial.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  27. Antique Geekmeister by Anonymous Coward · · Score: 0

    Too bad that some of the best CentOS developers, such as Dag Wieers who runs the RPMforge repository, have switched to Scientific Linux. I've worked with both. There is not a *single thing* that CentOS does better, except emulating Red Hat in the very features that a clone is free to do better but CentOS elects not to, such as including hooks for RPMforge, EPEL, and atrpms to provide non-Red Hat components such as additional perl modules and open source addons such as Nagios (EPEL), more recent versions of core components like perl modules and Subversion (from RPMforge) and better packaging of the legally encumbered NVidia drivers (from atrpms). *All* are available with system provided yum installations, from Scientific Linux. And they've got live CDs that work, very well, with official support, something that neither CentOS nor Red Hat do. And their archives of previous releases are available on their main FTP sites, something that neither Red Hat nor CentOS do, either.

    CentOS has stapled themselves so thoroughly to aping Red Hat that there are not any *benefits* of it. Worse, they're hiding away all but the current releases, which is just nasty for anyone doing commercial support who has to go digging through the deprecated tiny pipe at vault.centos.org. (This happened to me last week, for a customer who is still using CentOS 5.4 despite my objections.) The *only* benefit of CentOS over Red Hat is not having to register the operating systems to get updates by default, and Scientific Linux has that as well. With people like Dag Wieers in the support community, and the mild corporate reassurances of CERN that they'll continue, they're the right solution for people who can't afford Red Hat corporate support. And Scientific Linux users find, and report, bugs almost as fast as the Red Hat knowledgebase users.

    If you're going with the freeware, I'd dump CentOS *yesterday*. And definitely get the commercial support from Red Hat if you want to talk to the engineers who wrote the software with your bug reports. (I've done this with corporate sites for years, for material I can't find fixes for myself, especially leading edge kernel support and virtualization server issues.)

  28. MIT did this 10 years ago by Anonymous Coward · · Score: 0

    It's called "Kerberos". Both Samba and Active Directory do very good work with token management and session encryption with Kerberos. Statically preserved private tokens are a *bad thing*, which we've seen again and again with all the stolen SSH private keys I use to wander around clients' networks with, by sniffing their NFS shares, backup tapes, and laptops.

    GPG is a bit better for static data preservation: it needs buy-in, not new protocols, to incorporate more broadly.

  29. Re:Given Time... by Anonymous Coward · · Score: 0

    or will that be the year of Linux on the desktop