Is there any particular reason why people don't strengthen AES (or any other symmetric encryption) by just reencrypting 1000 times? Perhaps interleaving each encryption with encrypting with the first 1, then 2 etc. It would make next to no difference for the end user, who's going to decrypt just once, but I imagine it would add a lot more time to the cracking of the encrypted data than increasing the size of the key.
Exponents are actually what protects information, multiplication just makes people feel good.
i never understood why people go for AES. clearly, if NSA recommends it, in my view it is something to be avoided (i personally go for twofish instead). in ubuntu, ecryptfs uses aes by default, so i would not trust that.
Pick a government. If you trust the Russians use GOST. If you trust the Japanese use CAMILLA. NSA has a dual role in spying and protection from spying. By intentionally selecting a vulnerible algorithm cleared for use in protection of classified secret information they also KNOWINGLY compromise their mission to protect US secrets.
Obviously we can't reason about what we don't know. We must all make our own decisions regarding who/what to trust. I will add AES has been continually subject to attention by researchers because of its heavy use worldwide. To date there is nil public information to indicate it is subject to compromis when used properly.
The big worry is not building from source, but builds delivered by companies like Ubuntu, which you have absolutely no guarantee are actually built from the same source that they publish. Ditto Microsquishy, iOS, Android, et. al.
The big concern is back doors built into distributed binaries.
So what is the practical difference between a "back door" and a security vulnerability anyway? They both remain hidden until found and they both can easily result in total ownage of the (sub)system.
History demonstrates "open source" community is not immune from injection of "innocent" security vulneribilities into open source projects by way of human error. I find it illogical to assume intentional vulnerabilities would be detectible in source code where we have failed to detect innocent ones.
And as for your compiler argument what guarantee do you have the compiler itself is not compromised how do you know epic fail is not being injected into resulting executables during compilation?
Even if you can compile a compiler attacks have been previously demonstrated which are capable of compromising the additional layer of indirection.
I think it is a distinct possibility. If you were for example to canvas a few acres of land with trampolines and bouncy castles you could construct a colony of people with impressive abilities to leap.
Reintegrating leapers from the colony back into non leaper towns could prove quite disruptive proposition for all concerned. Townsfolk may object to lack of toy stores to keep stocks of trampolines or the increased price associated with sudden demand spike. Townsfolk may also not appreciate right of ways being canvased with trampolines or stripmalls with bouncy floors.
Likewise leapers may find the lack of bounce outside the colony to be so disheartening they may become depressed and require counseling.
Someone (e.g. Compliance Innovations) stands to make a lot of CA residents money with this. It would surprise me if legislature was NOT "lobbied" to come up with this otherwise what is the point? Electronic plates serve no practically useful purpose and offer a number of headaches including product cost, installation cost, maintenance/technical assistance, public / privacy issues, hacking exposure..etc.
Recommendation to CA residents: Vote the bums out.
From what I have heard you can't destroy chemical weapons with cruise missile strikes or LOL "cyber attacks". To even try would be dangerous and counterproductive.
As for this insane talk about weakening capacity what kind of degredation is needed to prevent someone from walking over to a chemical weapons supply room and walking out with chemicals? I am unable to comphrend the bredth of stupidity and insanity embedded in TFAs or the US administrations line of thought.
How many hundreds of thousands of additional lives did subsequent US policy claim under the banner of never forgetting 9/11? Was it worth it?
If our government had been more vigilant in who crosses our border, it would have never happened.
This is simply hand waiving. You have no way of predicting what would have occured.
I could just as easily assert had CIA been more vigilant in not hiring asshats like OSBL in the first place 9/11 would have never happened.
One fact is not disputed by anyone. In the next 3 months as many people will have killed one another right here in the US as were killed on 9/11 and every 3 months like clockwork since.
How quickly we forget... oh wait I forget that nobody gives a fuck about that.
Border searches are one of the few powers I am happy to grant my overgrown, bloated, ineffective federal government. If you come to the U.S. with bad intentions, I hope they catch you.
Most likely cuz you don't travel or care about foreign visitors who must go thru extraordinary lengths to get visas and once here too often treated like shit at the border by assholes with badges as I have observed on at least three separate occasions. I feel ashamed of the way we treat our guests to say nothing of the billions in revenue lost each year by people deciding its not worth the trouble.
How do you know that "the only way a patent troll makes money is if someone willing to actually make the thing has the same idea"? Patents are published, so the person willing to implement the invention could have just read the published patent and decided they want to make it.
Most crap I've seen is intentionally written to be as confusing, obtuse and useless as possible. The last thing they want is competition or anyone in the patent office to understand what "circular transportation facilitation device" really means.
That is one of the mechanisms that patents promote the progress of science and useful arts: the public gives the inventor an exclusive right (which they can assign or licence), and the inventor gives the public his/her knowledge. It's a trade.
What is actually happening in the real world companies doing all the work implementing obvious aggregations of technology without any external help and getting randomly dinged by speculators who didn't do any of the "fucking work". Obvious ideas should be worthless instead USTPO has turned them into goldmines.
First Snowden is a looser 29 year old high school graduate who was not qualified for his position.
Now he is brilliant cuz he knows how to use what amounts to 'su'
Suppose if I were incompetent and I needed to explain why a 29 year old "looser" did something he would not have been able to do had I not been incompetent I would call him brilliant too.
Why do they even bother anymore? They are in such a deep trust hole light barely reaches the bottom and yet they feel compelled to keep digging.
Delegated administration is a hard problem. It can be difficult to design a system that can't be bypassed in some way by leveraging second order consequences of ones abilities to effect the system then again this is NSA...you'd think they would use a solver or something to scan for all such possible opportunities or at least characterize and restrict them.
If someone sends me a text while they know I'm sleeping and know I have to drive to work in the morning can they be held liable when I get into my car and allide with a stationary lamp post due to lack of sleep caused by the text messages?
One of the fucked up things about this country is number of lawyers and their illogical influence on production and interpretation of law having the effect of reinforcing gainful employment of lawyers. Last I remember US has something on order of half the worlds lawyers yet carries only 5% of its population.
In an environment where everyone can be blaimed for the stupidity of others or actions beyond their control then everyone is guilty of something which seems to me to be the goal. The more common sense is thrown out the window the more productivity and society suffers.
God help us all if Kevin Bacon ever gets hauled into court.
Perhaps it is the google translation but I don't understand the logic in the point being made by TFA.
I agree the world is better off without TPM or anything like it because it becomes too cheap and easy for opressive regimes to lock down computation to only approved operating systems modified to constantly monitor and snitch on the end users activities. There is also risk of PCs turning into lockdown hell that is smart phones and tablets.
Real world "secure boot" benefits to end users are questionable at best. With physical access all bets are off and an attacker could just as easily replace a motherboard as they could a disk drive.
The "freedom" arguments seem to be logically separate from trust argument being made..and this is the problem I don't understand how TPM negativly impacts trust in a vendor/OS.
It seems to me whether the operating system is booted secure or insecure you are still very much at the mercy of the underlying OS not to do shit behind your back contrary to your interests. This requires trust in the vendor and trust in the legal regime the vendor is bound by force to operate.
If you want to say MS is not trustworthy because of NSA fine. If you want to say MS is not trustworthy because it is Microsoft fine... But the TPM argument...I simply don't see the connection.
some PRISM documents may be OK but releasing details of foreign intelligence operations is another matter.
Remind me to shed a tear. NSA/CIA are controlled by politicians who are controlled by corporations. Most spying twoard "western" countries seems to be of the selfish self-serving variety.
Snowden will probably go down as the person responsible for starting up the cold war again.
In the same way a gun manufacturer is responsible for the misuse of the weapons they produce.
Of course he is certainly not solely responsible but he has definitely contributed another issue into international relations that eventually will harm someone down the line.
Secret capabilities once used naturally erode over time. They've had a heck of a run, certainly much longer than stealth Helos used in Bin Laden raid...They knew from day one eventually it would come out. If not Snowden it would be someone or thing else...this is how the game works. Its why the NSA does not waste their stash of 0-days on petty LEA crap.
The real kicker in this entire mess is that the people pushing out the information will get the opposite of what they are seeking.
The more people are aware of TLA willingness (to use) capabilities the more people can take technical measures to counter capabilities used against their interests. It also serves to increase legislative pressures to fix overreach which unecessarily harms trust in US government and US corporations.
Instead of introducing transparency to government affairs the government will double down and put policies and procedures in place to get rid of any existing transparency.
While they are expected to take measures to mitigate leaks it is also possible to see "legitimate" channels strengthened for example legislative action to provide more public data/oversight of covert activities.
If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?
I never dismiss conspiracies out of hand yet I do tend to ignore most for lack of evidence and interest.
A recurring theme that has always bothered me skeptics are almost always on the winning side by default without having expended any effort to get there. I have observed some tend to invoke and get away with many of the same errors in judgement and thought as the pro-conspiracy crowd.
Writing a broad article means you don't have to address or defend specific claims, you can use the most crazy claims to drown out nuanced assertions and you can invent and beat down as many strawmen as your imagination allows.
While it is often not possible to prove negatives this is no excuse for making the unwarranted leap of asserting that you can. For example in TFA:
"The idea that aircraft that produce contrails are really spraying âoechemtrailsâ is preposterous on its face"
Translation: your crazy.
"Airlines mostly operate based on the weight of the aircraft. The weight of the passengers, cargo, and luggage onboard is crucial for both determining how much fuel is onboard, which ultimately determines how much they pay to fill the tanks, as well as the balance of the aircraft in flight. If the plane is too heavy or the weight is distributed incorrectly, it could crash."
Is this really why the claim is preposterious? Many have claimed chemtrails to be fuel additives. No attempt to quantify how much sulfur dioxide or whatever mystery sauce one could sneak aboard or consider aggregate effect of all commercial aircraft contributions over time or what quantity of x, y and z would be necessary to effect climate or people.. just vauge hand waving.
The people who want to believe the conspiracy will believe it no matter what you tell them. If you try to explain the science and prove the theory wrong, youâ(TM)re wrong, because âoethatâ(TM)s just what they want you to think.â
I think the central problem here is your need to "prove the theory wrong". Fundementally there is no proving most conspiracy theories wrong and to even try is a fools errand.
If you want to rescuse someone who has fallen into a conspiracy trap the best approach I know of is to lead by example and insist on detail and vigour in exploring available evidence.
This is not an OpenSSL-flaw. Proper initialization of a CPRNG is critical and the OpenSSL documentation states that. The choice of OpenSSL is however especially bad with a bad initialization, as the OpenSSL CPRNG does not continue to seed the generator with additional entropy during its operation, unlike/dev/random or/dev/urandom. Google messed up spectacularly in two regards:
According to FAQ if/dev/urandom is there openssl uses it.
OpenSSL is a very convoluted library which evolved organically. Few people understand how to use it properly.
Google peeps regularly contribute significantly to the OpenSSL project. I find it hard to accept this as an excuse.
But I'm guessing the problem here is that OpenSSL's PRNG, even though it is effectively a global singleton, must be _manually_ initialized by the process.
While this used to be the case a long long while ago it has not been true since 0.9.7. Any reasonably current version of openssl (e.g. any version without known vulnerabilities) automatically handles this for you by sucking from/dev/urandom, CryptGenRandom(), etc as needed on major platforms.
I fail to comphrend WTF is going on here. Is/dev/urandom broke? Are they using an ancient version/fork of openssl? Are they actively seeding the PRNG with predictable garbage when it is not necessary? Either way faulting OpenSSL seems out of line to me.
"'How on earth could I, a junior analyst, possibly believe I could change the world for the better over the decisions of those with the proper authority?"
Whenever I begin a sentance with how on earth followed immediately by possibly nonsensical belligerance is sure to follow... who knows if this was sincere or not but It does remind me of another "confession"
Most news media spews propoganda in some respect even if when that respect is apolitical in the form of human laziness, lack of knowledge or button pushing and invocation of hyperbole to attract interest/ratings.
As long as you understand context only real question does SNR of nonsense and propoganda to useful objective information make media x worth yer time 2 parse.
Slashdot Mirror
Oracle, love'em or hate'em makes some rock solid databases.
I suppose if you ignore annoying database bugs and endless parade of critical security vulnerabilities I could see this being true.
I'd be willing to bet there are more deployments of MySQL than of all other standalone RDBMSs combined.
I'd be willing to bet there are more deployments of SQLite than all other standalone RDBMSs combined.
Support TLS 1.2 and TLS-SRP in your browser.
Is there any particular reason why people don't strengthen AES (or any other symmetric encryption) by just reencrypting 1000 times? Perhaps interleaving each encryption with encrypting with the first 1, then 2 etc. It would make next to no difference for the end user, who's going to decrypt just once, but I imagine it would add a lot more time to the cracking of the encrypted data than increasing the size of the key.
Exponents are actually what protects information, multiplication just makes people feel good.
i never understood why people go for AES. clearly, if NSA recommends it, in my view it is something to be avoided (i personally go for twofish instead). in ubuntu, ecryptfs uses aes by default, so i would not trust that.
Pick a government. If you trust the Russians use GOST. If you trust the Japanese use CAMILLA. NSA has a dual role in spying and protection from spying. By intentionally selecting a vulnerible algorithm cleared for use in protection of classified secret information they also KNOWINGLY compromise their mission to protect US secrets.
Obviously we can't reason about what we don't know. We must all make our own decisions regarding who/what to trust. I will add AES has been continually subject to attention by researchers because of its heavy use worldwide. To date there is nil public information to indicate it is subject to compromis when used properly.
The big worry is not building from source, but builds delivered by companies like Ubuntu, which you have absolutely no guarantee are actually built from the same source that they publish. Ditto Microsquishy, iOS, Android, et. al.
The big concern is back doors built into distributed binaries.
So what is the practical difference between a "back door" and a security vulnerability anyway? They both remain hidden until found and they both can easily result in total ownage of the (sub)system.
History demonstrates "open source" community is not immune from injection of "innocent" security vulneribilities into open source projects by way of human error. I find it illogical to assume intentional vulnerabilities would be detectible in source code where we have failed to detect innocent ones.
And as for your compiler argument what guarantee do you have the compiler itself is not compromised how do you know epic fail is not being injected into resulting executables during compilation?
Even if you can compile a compiler attacks have been previously demonstrated which are capable of compromising the additional layer of indirection.
I think it is a distinct possibility. If you were for example to canvas a few acres of land with trampolines and bouncy castles you could construct a colony of people with impressive abilities to leap.
Reintegrating leapers from the colony back into non leaper towns could prove quite disruptive proposition for all concerned. Townsfolk may object to lack of toy stores to keep stocks of trampolines or the increased price associated with sudden demand spike. Townsfolk may also not appreciate right of ways being canvased with trampolines or stripmalls with bouncy floors.
Likewise leapers may find the lack of bounce outside the colony to be so disheartening they may become depressed and require counseling.
Someone (e.g. Compliance Innovations) stands to make a lot of CA residents money with this. It would surprise me if legislature was NOT "lobbied" to come up with this otherwise what is the point? Electronic plates serve no practically useful purpose and offer a number of headaches including product cost, installation cost, maintenance/technical assistance, public / privacy issues, hacking exposure..etc.
Recommendation to CA residents: Vote the bums out.
From what I have heard you can't destroy chemical weapons with cruise missile strikes or LOL "cyber attacks". To even try would be dangerous and counterproductive.
As for this insane talk about weakening capacity what kind of degredation is needed to prevent someone from walking over to a chemical weapons supply room and walking out with chemicals? I am unable to comphrend the bredth of stupidity and insanity embedded in TFAs or the US administrations line of thought.
How quickly we forget 9/11.
How many hundreds of thousands of additional lives did subsequent US policy claim under the banner of never forgetting 9/11? Was it worth it?
If our government had been more vigilant in who crosses our border, it would have never happened.
This is simply hand waiving. You have no way of predicting what would have occured.
I could just as easily assert had CIA been more vigilant in not hiring asshats like OSBL in the first place 9/11 would have never happened.
One fact is not disputed by anyone. In the next 3 months as many people will have killed one another right here in the US as were killed on 9/11 and every 3 months like clockwork since.
How quickly we forget... oh wait I forget that nobody gives a fuck about that.
Border searches are one of the few powers I am happy to grant my overgrown, bloated, ineffective federal government. If you come to the U.S. with bad intentions, I hope they catch you.
Most likely cuz you don't travel or care about foreign visitors who must go thru extraordinary lengths to get visas and once here too often treated like shit at the border by assholes with badges as I have observed on at least three separate occasions. I feel ashamed of the way we treat our guests to say nothing of the billions in revenue lost each year by people deciding its not worth the trouble.
One of the benefits of capitalism is competition. Allowing the state to have an uncontested monopoly on education strikes me as a "Bad" idea.
How do you know that "the only way a patent troll makes money is if someone willing to actually make the thing has the same idea"? Patents are published, so the person willing to implement the invention could have just read the published patent and decided they want to make it.
Most crap I've seen is intentionally written to be as confusing, obtuse and useless as possible. The last thing they want is competition or anyone in the patent office to understand what "circular transportation facilitation device" really means.
That is one of the mechanisms that patents promote the progress of science and useful arts: the public gives the inventor an exclusive right (which they can assign or licence), and the inventor gives the public his/her knowledge. It's a trade.
What is actually happening in the real world companies doing all the work implementing obvious aggregations of technology without any external help and getting randomly dinged by speculators who didn't do any of the "fucking work". Obvious ideas should be worthless instead USTPO has turned them into goldmines.
Of all the inherently useless and broken protocols in use today SMTP email takes the cake.
Anyone can impersonate anyone else with impunity. Phishing and PC zombification via Email is boundless.
Anyone can send you whatever useless garbage they want without your consent.
No useful security of any kind.
Inability to transmit large content and no way to facilitate realtime communication.
Message delivery is a crapshoot thanks to hapazard proliferation of automated filters with minds of their owns.
The failure of SMTP on all levels and massive operational costs it has incurred for administrators and users is mind boggling.
First Snowden is a looser 29 year old high school graduate who was not qualified for his position.
Now he is brilliant cuz he knows how to use what amounts to 'su'
Suppose if I were incompetent and I needed to explain why a 29 year old "looser" did something he would not have been able to do had I not been incompetent I would call him brilliant too.
Why do they even bother anymore? They are in such a deep trust hole light barely reaches the bottom and yet they feel compelled to keep digging.
Delegated administration is a hard problem. It can be difficult to design a system that can't be bypassed in some way by leveraging second order consequences of ones abilities to effect the system then again this is NSA...you'd think they would use a solver or something to scan for all such possible opportunities or at least characterize and restrict them.
I'm still waiting on that slashdot article introducing the worlds first working economically viable fusion generator.
If someone sends me a text while they know I'm sleeping and know I have to drive to work in the morning can they be held liable when I get into my car and allide with a stationary lamp post due to lack of sleep caused by the text messages?
One of the fucked up things about this country is number of lawyers and their illogical influence on production and interpretation of law having the effect of reinforcing gainful employment of lawyers. Last I remember US has something on order of half the worlds lawyers yet carries only 5% of its population.
In an environment where everyone can be blaimed for the stupidity of others or actions beyond their control then everyone is guilty of something which seems to me to be the goal. The more common sense is thrown out the window the more productivity and society suffers.
God help us all if Kevin Bacon ever gets hauled into court.
OMG I just found a super secret undo command.
First you have to unlock secret undo commands. This is done by visiting your favorite porn site and pressing the left shift key five (5) times.
Once unlocked press Ctrl + 'W' and go wash your hands.
Perhaps it is the google translation but I don't understand the logic in the point being made by TFA.
I agree the world is better off without TPM or anything like it because it becomes too cheap and easy for opressive regimes to lock down computation to only approved operating systems modified to constantly monitor and snitch on the end users activities. There is also risk of PCs turning into lockdown hell that is smart phones and tablets.
Real world "secure boot" benefits to end users are questionable at best. With physical access all bets are off and an attacker could just as easily replace a motherboard as they could a disk drive.
The "freedom" arguments seem to be logically separate from trust argument being made..and this is the problem I don't understand how TPM negativly impacts trust in a vendor/OS.
It seems to me whether the operating system is booted secure or insecure you are still very much at the mercy of the underlying OS not to do shit behind your back contrary to your interests. This requires trust in the vendor and trust in the legal regime the vendor is bound by force to operate.
If you want to say MS is not trustworthy because of NSA fine. If you want to say MS is not trustworthy because it is Microsoft fine... But the TPM argument...I simply don't see the connection.
some PRISM documents may be OK but releasing details of foreign intelligence operations is another matter.
Remind me to shed a tear. NSA/CIA are controlled by politicians who are controlled by corporations. Most spying twoard "western" countries seems to be of the selfish self-serving variety.
Snowden will probably go down as the person responsible for starting up the cold war again.
In the same way a gun manufacturer is responsible for the misuse of the weapons they produce.
Of course he is certainly not solely responsible but he has definitely contributed another issue into international relations that eventually will harm someone down the line.
Secret capabilities once used naturally erode over time. They've had a heck of a run, certainly much longer than stealth Helos used in Bin Laden raid...They knew from day one eventually it would come out. If not Snowden it would be someone or thing else...this is how the game works. Its why the NSA does not waste their stash of 0-days on petty LEA crap.
The real kicker in this entire mess is that the people pushing out the information will get the opposite of what they are seeking.
The more people are aware of TLA willingness (to use) capabilities the more people can take technical measures to counter capabilities used against their interests. It also serves to increase legislative pressures to fix overreach which unecessarily harms trust in US government and US corporations.
Instead of introducing transparency to government affairs the government will double down and put policies and procedures in place to get rid of any existing transparency.
While they are expected to take measures to mitigate leaks it is also possible to see "legitimate" channels strengthened for example legislative action to provide more public data/oversight of covert activities.
If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?
I never dismiss conspiracies out of hand yet I do tend to ignore most for lack of evidence and interest.
A recurring theme that has always bothered me skeptics are almost always on the winning side by default without having expended any effort to get there. I have observed some tend to invoke and get away with many of the same errors in judgement and thought as the pro-conspiracy crowd.
Writing a broad article means you don't have to address or defend specific claims, you can use the most crazy claims to drown out nuanced assertions and you can invent and beat down as many strawmen as your imagination allows.
While it is often not possible to prove negatives this is no excuse for making the unwarranted leap of asserting that you can. For example in TFA:
"The idea that aircraft that produce contrails are really spraying âoechemtrailsâ is preposterous on its face"
Translation: your crazy.
"Airlines mostly operate based on the weight of the aircraft. The weight of the passengers, cargo, and luggage onboard is crucial for both determining how much fuel is onboard, which ultimately determines how much they pay to fill the tanks, as well as the balance of the aircraft in flight. If the plane is too heavy or the weight is distributed incorrectly, it could crash."
Is this really why the claim is preposterious? Many have claimed chemtrails to be fuel additives. No attempt to quantify how much sulfur dioxide or whatever mystery sauce one could sneak aboard or consider aggregate effect of all commercial aircraft contributions over time or what quantity of x, y and z would be necessary to effect climate or people.. just vauge hand waving.
The people who want to believe the conspiracy will believe it no matter what you tell them. If you try to explain the science and prove the theory wrong, youâ(TM)re wrong, because âoethatâ(TM)s just what they want you to think.â
I think the central problem here is your need to "prove the theory wrong". Fundementally there is no proving most conspiracy theories wrong and to even try is a fools errand.
If you want to rescuse someone who has fallen into a conspiracy trap the best approach I know of is to lead by example and insist on detail and vigour in exploring available evidence.
This is not an OpenSSL-flaw. Proper initialization of a CPRNG is critical and the OpenSSL documentation states that. The choice of OpenSSL is however especially bad with a bad initialization, as the OpenSSL CPRNG does not continue to seed the generator with additional entropy during its operation, unlike /dev/random or /dev/urandom. Google messed up spectacularly in two regards:
According to FAQ if /dev/urandom is there openssl uses it.
http://www.openssl.org/support/faq.html#USER1
OpenSSL is a very convoluted library which evolved organically. Few people understand how to use it properly.
Google peeps regularly contribute significantly to the OpenSSL project. I find it hard to accept this as an excuse.
But I'm guessing the problem here is that OpenSSL's PRNG, even though it is effectively a global singleton, must be _manually_ initialized by the process.
While this used to be the case a long long while ago it has not been true since 0.9.7. Any reasonably current version of openssl (e.g. any version without known vulnerabilities) automatically handles this for you by sucking from /dev/urandom, CryptGenRandom(), etc as needed on major platforms.
I fail to comphrend WTF is going on here. Is /dev/urandom broke? Are they using an ancient version/fork of openssl? Are they actively seeding the PRNG with predictable garbage when it is not necessary? Either way faulting OpenSSL seems out of line to me.
"'How on earth could I, a junior analyst, possibly believe I could change the world for the better over the decisions of those with the proper authority?"
Whenever I begin a sentance with how on earth followed immediately by possibly nonsensical belligerance is sure to follow ... who knows if this was sincere or not but It does remind me of another "confession"
http://en.wikipedia.org/wiki/USS_Pueblo_(AGER-2)#Aftermath
Most news media spews propoganda in some respect even if when that respect is apolitical in the form of human laziness, lack of knowledge or button pushing and invocation of hyperbole to attract interest/ratings.
As long as you understand context only real question does SNR of nonsense and propoganda to useful objective information make media x worth yer time 2 parse.
http://rt.com/usa/nsa-review-group-clapper-445/