There are two distinct random generators available:
The Continuously Seeded Pseudo Random Number Generator (CSPRNG), which is based on the classic GnuPG derived big pool implementation. Implemented in random/random-csprng.c and used by default.
A FIPS approved ANSI X9.31 PRNG using AES with a 128 bit key. Implemented in random/random-fips.c and used if Libgcrypt is in FIPS mode.
The silver lining seems to be that there's evidence no one has ever actually used Dual EC_DRBG in release versions of the OpenSSL module (though that in turn raises the question of why RSA's BSAFE crypto tool used the RNG by default)....
The takeaway from Thursday's advisory is that Dual EC_DRBG has been formally banished from yet another widely used crypto platform (with RSA's BSAFE being the other one). Before bidding a formal farewell to the algorithm, it's worth mentioning that Dual EC_DRBG was suspiciously absent from Wednesday's report issued by President Obama's advisory panel on NSA surveillance. We would have expected to see at least passing mention of it in Appendix E of the full report, the section that disclosed the US government's role in forging encryption standards. Alas, there's none.
It is quite obvious in light of the recent revelations from Snowden that this weakness was introduced on purpose by the NSA. It is very elegant and leaks its complete internal state in only 32 bytes of output, which is very impressive knowing it takes 32 bytes of input as a seed.
For the entire history of this country, we've had laws that say, "first you suspect someone of committing, or conspiring to commit a crime, THEN you spy on them." What's not to understand?
The other reason is that many companies are not interested in training people anymore: they want someone already trained to put to the task immediately without additional costs.
I call that an answering machine. :) If you don't talk to it, and I don't know who you are, I won't even bother getting off the couch.
"Embrace, extend, and extinguish",[1] also known as "Embrace, extend, and exterminate",[2] is a phrase that the U.S. Department of Justice found[3] was used internally by Microsoft[4] to describe its strategy for entering product categories involving widely used standards, extending those standards with proprietary capabilities, and then using those differences to disadvantage its competitors.
You didn't really think it takes $4 Trillion to catch a bunch of terrorists, did you?
http://www.gnupg.org/documentation/manuals/gcrypt/Random_002dNumber-Subsystem-Architecture.html#Random_002dNumber-Subsystem-Architecture
I'd recommend reading "The Cathedral and the Bazaar" by Raymond.
http://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar
http://arstechnica.com/security/2013/12/nsas-broken-dual_ec-random-number-generator-has-a-fatal-bug-in-openssl/
I'll stick with twofish, or AES256 for my openssl and gpg stuff.
Only readable by root on my Debian Stable workstation:
robert@debian:/etc/NetworkManager/system-connections$ ls -latr ..
total 16
drwxr-xr-x 5 root root 4096 May 20 2013
-rw------- 1 root root 329 May 21 2013 geophile.net
-rw------- 1 root root 399 Jul 4 13:22 Auto geophile.net
drwxr-xr-x 2 root root 4096 Jul 4 13:22 .
robert@debian:/etc/NetworkManager/system-connections$ cat geophile.net
cat: geophile.net: Permission denied
robert@debian:/etc/NetworkManager/system-connections$
Now, if the entire file of PIN data was itself encrypted with 3DES, so that the stolen file of pins and 3DES hashes just looks like:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)
jA0EAgMCmK7S4A7OWXhgyWYzILMlE7ATCioESasDPY3H3JiCSGtoQ/UE0VJJPEry ...imagine this is really really long and big...megabytes of scrambled data...
qLwoiFhm/Nz1laSMQS/wRITAHSzDTSPnry14W0EdQeAVhvpkhWpJqYovLNTGhweC
dm3MtNIZu3oN/jQkghTTfTVY4/WEIdo=
=pg5p
-----END PGP MESSAGE-----
Then fantastic! Now the Bad Guys have the PITA of brute forcing the sensitive information file 1st, before they can wreak havoc with the stolen info.
Exactly.
On the PINS that were stolen, no public news how they were encrypted and stored when the Bad Guys took them, other than the basic "3DES was used."
Without a salt (aka initialization vector aka IV), then they only have to look for possible PIN value matches. There can only be (roughly) 100,000 PINS if the Target card PINS are like ATM card PINS (usually 4 or 5 digits only).
PIN | 3DES value
------------------------
0001 | aslhas..gibberish.that.always.matches.PIN.0001
0002 | sadglhagh.gibberis.that.always.matches.PIN.0002
99999 | 97aash.gibberish.that.always.matches.PIN.99999
etc
If someone just makes a loop that uses PIN values in a range of MIN_PIN_ALLOWED to MAX_PIN_ALLOWED (going to guess 0001 to 99999),
Just to say it really simply, it is conceptually a for-loop
for (int i = 0; i < MAX_PIN_ALLOWED + 1; i++) {
    /* zero_padded_pin: i as a zero-padded digit string; ThreeDES(): the 3DES step */
    printf("%d,%s\n", i, ThreeDES(zero_padded_pin));
}
That output could be even in RAM, as a lookup (hashtable)
Without a salt (aka initialization vector aka IV), then they only have to look for matches. There can only be (roughly) 100,000 PINS if the Target card PINS are like ATM card PINS (usually 4 or 5 digits only).
As I understand things, if the PIN was combined with some other information making a salt, or making the pre-3DES-value more unique (and longer) than just the PIN, before 3DES was applied, and a salt were used, it would have been more secure.
Hope Target's systems used a salt when creating the 3DES.
If the Triple DES used a salt, then good, it will make it much more likely the PINS are secure, because then the hackers would have to brute-force trying a salt value, then all possible pins for 1 of the Triple DES encrypted PINS, which would take longer.
If the salt was unique for each PIN, then that would be the most secure ( but I do not know how a little machine where people give their pins could do that )
If no salt was used, then might be another case like what happened to Adobe: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
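An added example (not part of the original comment) of the point made above: a deterministic keyed transform applied to the PIN alone gives equal outputs for equal PINs, while binding the card number into the input removes the repeats. HMAC-SHA256 stands in for 3DES here because the Python standard library has no 3DES; the key, card numbers, PINs and function names are constructed for the illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed key: stands in for the secret held by the PIN-processing system.
KEY = b"constructed-demo-key"

# Constructed sample records: (card number, PIN). Three cards share one PIN.
RECORDS = [
    ("4000000000000001", "1234"),
    ("4000000000000002", "1234"),
    ("4000000000000003", "0007"),
    ("4000000000000004", "1234"),
    ("4000000000000005", "0007"),
]


def keyed_transform(key: bytes, data: bytes) -> str:
    """Deterministic keyed function (HMAC-SHA256, truncated for display).

    Assumption: a stand-in for unsalted 3DES. The property that matters is
    shared by both: same key + same input always gives the same output.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


def protect_pin_only(pin: str) -> str:
    # Weak form: the input is just the PIN, so the input space is tiny.
    return keyed_transform(KEY, pin.encode())


def protect_pin_with_card(card: str, pin: str) -> str:
    # Stronger form: per-record data (the card number) is mixed in first,
    # so two cards with the same PIN no longer share a stored value.
    return keyed_transform(KEY, f"{card}:{pin}".encode())


def repeated_values(values):
    """Return {stored_value: count} for values that occur more than once."""
    return {v: n for v, n in Counter(values).items() if n > 1}


def audit():
    """Compare how many stored values repeat under each scheme."""
    pin_only = [protect_pin_only(pin) for _, pin in RECORDS]
    bound = [protect_pin_with_card(card, pin) for card, pin in RECORDS]
    return repeated_values(pin_only), repeated_values(bound)


if __name__ == "__main__":
    weak, strong = audit()
    print("PIN-only repeats:", weak)
    print("card-bound repeats:", strong)
```

Repeated stored values in a dump are the sign that nothing record-specific went into the input.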
Here is a pix of my son's room with a 3000k 800 lumen bulb:
I think the light looks bright white, with plenty of light.
http://mrflash818.livejournal.com/142140.html
I live in Southern California, and the reduced heat load of switching to LED bulbs is noticeable on my summertime electricity bill, when I have to run the Air Conditioner.
What the air conditioner needs to 'overcome':
Average person generates 100watts of heat.
My house is family of five. Two adults, three kids. So 500 watts of heat.
Ten 60watt old school bulbs: 600watts of heat.
That overcome energy load: 1.1kW.
Switched to all LED or CFL 60watt equivalent bulbs: they use 20watts each.
Ten 20watt bulbs: 200watts of heat.
Five people (500w) plus 10 LED light bulb heat load (200w) is only 0.7kW of heat the A/C needs to overcome (plus the fridge, but wanted to keep this simple).
Now my A/C has 'four people less' to have to 'fight' to keep the house cool during the summer.
Lastly, both standard light bulbs and fluorescents have little wire filaments that can break (burn out), with my family always flicking on-and-off the lights. The cool thing about LEDs is there are no filaments to burn out, since they are solid-state devices. Have had only 1 LED bulb fail so far, and it was 5yrs old (didn't get my money's worth on that one).
Consumer Reports did an article comparing LED bulbs this year.
Go take a look at their findings, and see if you like their recommendations.
...they are my favorite. The light looks 'bright white', not blueish, and 800 lumens is about the same as an old-school 60watt halogen.
...try switching to an LED light bulb that has a 'color' of 3000k, and a light output of 800+ lumens (they are my favorite).
The 2700k 'color' LEDs look like a regular old school generic frosted light bulb.
The 5000k 'daylight' bulbs _I_don't_like_, because they seem too blue-ish, and make people's faces look ill.
800 lumens roughly is the same light output as a standard 60watt bulb.
Lastly, Consumer Reports recently did testing and a write-up on their ratings of recent LED bulbs and brands.
...good for them!
Yep!
This might be a good BOINC project, just saying.
Exactly!
Targeted individuals to the NSA_GLOBAL_DATASTORE, not with the current Orwellian Dragnet, m'kay?
Agreed. Does seem often to be the case lately.
Agree, but hate seeing companies and employers being so short-sighted.
Seems in one generation, since the dotcom's, the idea of investing in someone, training them, mutual risk for long term mutual gain, is fading away.
For my house POTS, I do the same: I tell all my family and friends that I screen my calls, so when I hear their voice, I'll pick up.
Also, I set the phone ringer to low, or silent, so I won't be annoyed by all the ringing/hang-ups of the bots.
For my cell phone, I mostly use it for texting, and thankfully most cell phones 'whitelist' as it says if the caller is a contact you already put into your cellphone's memory.
http://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish
In my opinion, it already is an Orwellian police-state, as exposed by the whistle-blower(s).
In 50yrs or so, perhaps supporting facts will be declassified, or FOIA accessible, but more likely as history has taught: any evidence of wrongdoing will likely be destroyed.
"PolitiFact is a project of the Tampa Bay Times to help you find the truth in American politics. Reporters and editors from the Times fact-check statements by members of Congress, the White House, lobbyists and interest groups and rate them on our Truth-O-Meter"
http://www.politifact.com/
Agreed.
More likely: takes a lot of financing to build and maintain a constant global police-state surveillance system that monitors everyone, all the time, with apparent impunity.