Re: Truly Trulymail

[nemo_outis]

"Mr. B" <not@supplied.com> wrote in
news:i5m6j6$sfh$1@speranza.aioe.org:

....snip interesting points...


I'm an old man and old men tell long-winded stories. And so…

Many, many years ago I was attending a lecture in higher
mathematics at McGill. The professor was developing a topic
and at one point said, "And so it obviously follows…" as he
then proceeded to write down a new equation on the blackboard.

One student interjected, "Sir, I don't see how that obviously
follows."

The professor silently stared at the blackboard for about 30
seconds and then abruptly turned on his heel and walked out of
the classroom.

Fifteen minutes later he returned (dutiful students that we
were, we hadn't bailed). He then said, "Of course it's
obvious!" and proceeded to fill two blackboards explaining
why.

Your story of how easy it is for someone to set up a mime
cert. or get GPG going or do whatever other arcana are
necessary for encrypted email very much reminds me of
Professor Bach's "Of course it's obvious!"

No, it isn't easy or obvious. For one thing an ordinary user
hasn't the slightest clue that it is MIME or PGP or
Quicksilver he should be tinkering with and not something else
entirely, never mind the mechanics of doing so once he
establishes that that is what he should be doing. It's very
far from obvious or easy. He must become a security hobbyist,
investigate and research, question others, filter out the
nonsense and the misinformation, avoid dead ends and wild
goose chases, and on and on.

Is it doable? Of course it is - if he wants it badly enough
and is willing to put up with the pain in the ass of doing all
this. But for most folks the game isn't worth the candle.
They don't want to become "junior security experts," they
don't want a new time-consuming security hobby, they just want
to CONVENIENTLY send their email with modestly improved
privacy. Especially since it is far from obvious that, even
if they do all this security rigmarole, that the encrypted
email still won't fail for some overlooked reason and bounce,
get lost in the aether, be unreadable, or whatever.

And even once he does all this, he's still not finished.
Nope, he has to become a "security missionary" proselytizing
to convince all his friends and family to also do the same as
otherwise the whole exercise is pointless. What a PITA!

(Consider, for example, that people are willing to pay $25 to
port their existing telephone number rather than have to
contact all their friends with a new one. There's a coarse
metric for how simple encryption has to become to be broadly
adopted.)

Ordinary folks want modestly improved privacy - they are not,
in general, looking for military-grade security. They send
letters in envelopes rather than postcards because it's easy
and gives improved privacy - even though they are under no
illusions that a sealed letter cannot be opened and resealed
by a sufficiently motivated adversary (or rendered transparent
by Freon, or…).

If they had to make their own envelope glue by rendering cow's
hooves they'd stick with postcards, however. And despite the
protestations of security aficionados like you and me, the
ordinary user regards the current state of encrypting email to
be nearly that much bother. They want quick and easy - or
better still, invisible and transparent, with no need for any
hands-on intervention.

They don't give a **** about MITM attacks (99.99% aren't aware
there is such a thing but they wouldn't care if they did
know). They aren't worried about serious adversaries, they
mostly just want modest privacy with minimum hassle. If the
hassle is too great it's just not worth it.

As for crap about needing a lot of additional security
precautions or you leave people "vulnerable" consider this:
right now they aren't using ANYTHING for privacy or security
and won't unless and until it becomes dirt easy. Any method
of improved email privacy, even though imperfect, would be a
big improvement.

(As for security on the PC itself, this is a chimera. NOTHING
even an expert can do can prevent security compromise if an
adversary has unfettered access to the machine - the ordinary
person is wise to be oblivious to this risk. For instance, if
you want to frighten the **** out of yourself take a look at
the CAs listed in your certificate store - and spend an
afternoon trying to purge the flaky ones out of, say,
Firefox.)

No, the ordinary person doesn't need the "whole catastrophe"
you want to foist on him, he just wants modestly improved
email privacy resistant to casual snooping. CONVENIENTLY!

Remember: The perfect is the enemy of the good!

Regards,

[nemo_outis]

unruh <unruh@wormhole.physics.ubc.ca> wrote in
news:slrni7tber.kak.unruh@wormhole.physics.ubc.ca:

> On 2010-09-01, nemo_outis <abc@xyz.com> wrote:
>> "Mr. B" <not@supplied.com> wrote in
>> news:i5lf39$igk$1@speranza.aioe.org:
>>
>> ...
>>>> PGP and GPG, no matter how interesting they are, are a
>>>> failure - they have totally failed to convert ordinary
>>>> email users from the postcard model of email with
>>>> everything wide open.
>
> a) Everything is not wide open. YOu have to work to read
> others mail in transit
> b) A failure? Where was the it ever stated that the goal of
> thse programs was to "convert ordinary email users"?
> It is like calling cars a failure because they did not
> persuade everyone to brush their teeth every night.


The context of this thread is TrulyMail, an attempt to provide
modestly improved email privacy in a convenient way for a mass
market rather than for a tiny coterie of security aficionados.

PGP and GPG don't do this. If you prefer to say that they were
only intended for security initiates and not a mass market and
therefore aren't really failures, that's OK by me.

But viewed either way - as mass-market failures or as niche-
market successes - PGP and GPG have proved themselves
irrelevant to mass market email privacy, the context of this
thread.

Regards,

[Ari Silverstein]

On Wed, 01 Sep 2010 07:57:31 -0400, Mr. B wrote:

> Yes, because proprietary cryptosystems have never been disastrous for their
> users. Really, this would not be so bad if Trulymail was at least
> compatible with existing cryptosystems like PGP or S/MIME. Perhaps it is,

Hell, we couldn't get the bugger to connect to the servers. lol

> but the details are scant; the only relevant detail I have seen so far is
> that it uses RSA and AES. Even basic details like how keys are signed or
> verified (or if they are signed/verified) are missing.
>
>> Nobody, and I mean nobody, is going to do a thorough review of
>> the source code of a commercial produuct like TrulyMail, even
>> if it were available. Open-source for it is a total red
>> herring, the kind of thing only *******s like you fasten upon.
>>
>> The OP for TrulyMail got it exactly right - use it or don't.
>
> Hey, this discussion found its way to sci.crypt, so I assume that someone
> wanted opinions on Trulymail's usefulness as a cryptosystem.

Gee, I would think so since its cryptography is at the core of its
software architecture. You know, sorta like a Corvette and Road and
Track?

From the thread, and from search engine results, it appears that
Trulymail isn't very interested in any kind of review. They haven't
submitted the project anywhere I can find, in over two years, yet they
are in Ver 3. Trulymail had to get invited to Usenet and Andre was
forthcoming that he was quite aware of Usenet. I can't find much of
anything on them...except now this thread.

> Perhaps "Ari"
> is a known troll (he is certainly combative), but that does not change the
> reality that a certain degree of openness is necessary when it comes to
> cryptography.

Ari's been around for a long, long time and Ari is very open for
inspection. Thousands more article/posts have been made about and by
area than Trulymail.

Ari has been called more or less everything at some time and Ari
reflects "That's Usenet"!

>> It's not targeted at *******s like you, Ari.
>
> Then who, in your opinion, is it targeting?

Trulymail claims (straight from their website to be "better than
email, better than any email client...truly private, 100% spam
elimination and on and on and on. That means in no doubt they are
targeting the most powerful email users, the ones who want, need and
will utilize "the best".

In that short list of features above are at severe overstatements, at
worst complete fabrications. I can tell you the GUI looks like crap,
absolutely an embarrassment for a Ver3 product.

http://www.trulymail.com/Features.aspx

> I could target Joe Public with
> ROT13, does that mean that I should not be criticized for doing so?
>
> -- B

As long as you come clean about the value of ROT13, target away. Call
ROT13, say, "truly the best ", and Ari is probably going to pay you a
visit. :)
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

[Buck Mulligan]

On 9/1/2010 6:23 PM, Ari Silverstein wrote:
> On Wed, 01 Sep 2010 07:57:31 -0400, Mr. B wrote:
> <snip>

>> Perhaps "Ari"
>> is a known troll (he is certainly combative),
> Ari's been around for a long, long time and Ari is very open for
> inspection. Thousands more article/posts have been made about and by
> area than Trulymail.
>
> Ari has been called more or less everything at some time and Ari
> reflects "That's Usenet"!

I'm wondering if I'm the only one who wonders if you would "reflect"
that way before or after doing something, for example, like "flooding"
sci.crypt with forgeries of purely nonsensical posts, you know, the way
it happened a few years ago?

Or, just for another example, before or after hacking into someone's
website and redirecting all traffic to a pornographic website?

I'm just wondering if you were to do something like that, would you
"reflect" before, or after?


>
> <snip>
>> I could target Joe Public with
>> ROT13, does that mean that I should not be criticized for doing so?
>>
>> -- B
> As long as you come clean about the value of ROT13, target away. Call
> ROT13, say, "truly the best ", and Ari is probably going to pay you a
> visit. :)

And now I'm wondering what you could possibly mean by that.

[Ari Silverstein]

On Wed, 01 Sep 2010 20:31:04 GMT, nemo_outis wrote:

> "Mr. B" <not@supplied.com> wrote in
> news:i5m6j6$sfh$1@speranza.aioe.org:
>
> ...snip interesting points...
>
> I'm an old man and old men tell long-winded stories. And so…

You're also known for snipping anything that knocks your knees out
from under you (ahem) then bloviating to the max to divert the thread
to your satisfaction.

Excuse me, please continue...

> Many, many years ago I was attending a lecture in higher

<snipped boring BS>; *reinserted sci.crypt* which is where Mr. B is
reading this thread...as you know but purposefully left out.

Hope you don't mind, learned the art of snipping from you, please
continue...

> Your story of how easy it is for someone to set up a mime
> cert. or get GPG going or do whatever other arcana are
> necessary for encrypted email very much reminds me of
> Professor Bach's "Of course it's obvious!"
>
> No, it isn't easy or obvious. For one thing an ordinary user
> hasn't the slightest clue that it is MIME or PGP or
> Quicksilver he should be tinkering with and not something else
> entirely, never mind the mechanics of doing so once he
> establishes that that is what he should be doing. It's very
> far from obvious or easy. He must become a security hobbyist,
> investigate and research, question others, filter out the
> nonsense and the misinformation, avoid dead ends and wild
> goose chases, and on and on.

Agreed...so?

> Is it doable? Of course it is - if he wants it badly enough
> and is willing to put up with the pain in the ass of doing all
> this. But for most folks the game isn't worth the candle.
> They don't want to become "junior security experts," they
> don't want a new time-consuming security hobby, they just want
> to CONVENIENTLY send their email with modestly improved
> privacy.

Stop.

Typical nemo rant, just gloss over the facts, make assumptions to suit
your argument, and bury it in an edited, nemo-favorable response.

Trulymail is *not*, I repeat *not* been found to be private at all.

<snipped useless continuation of why PGP is not easy; point conceded>

> Ordinary folks want modestly improved privacy - they are not,
> in general, looking for military-grade security.

Not only are "ordinary folks " unable to define or decide what levels
of privacy they want, OFs by and large aren't aware that email privacy
is an issue. They don't see spam as privacy invasion, which it is,
just a PITA.

Email privacy is a grey matter which is why I claim it has to be all
in or nothing at all.

> They send letters in envelopes rather than postcards because it's
> easy and gives improved privacy - even though they are under no
> illusions that a sealed letter cannot be opened and resealed by a
> sufficiently motivated adversary (or rendered transparent by Freon,
> or…).

A letter must be physically routed. This is something that can be
tracked point to point. Postal users understand the system and they
know that postal mail is protected from being opened by anyone except
Sender and Recipient.

Email is an illusory system that OFs have little to no knowledge
about, are unaware that Federal law allows ISPs to read emails (on
their servers and providers too).

So your analogy hols no value.

> If they had to make their own envelope glue by rendering cow's
> hooves they'd stick with postcards, however. And despite the
> protestations of security aficionados like you and me, the
> ordinary user regards the current state of encrypting email to
> be nearly that much bother. They want quick and easy - or
> better still, invisible and transparent, with no need for any
> hands-on intervention.

Why do you think this represents an argument for Trulymail? *Everyone*
would prefer an invisible, automated secure email system, so what?
Trulymail isn't any of those things. Not one proof whatsoever.

<snipped repetitive BS>

> As for crap about needing a lot of additional security
> precautions or you leave people "vulnerable" consider this:
> right now they aren't using ANYTHING for privacy or security
> and won't unless and until it becomes dirt easy. Any method
> of improved email privacy, even though imperfect, would be a
> big improvement.

What? You don't consider https Gmail as "anything for privacy"? Secure
login to Fastmail? Two of the most robust email services available?

> (As for security on the PC itself...

Off topic, bloviation, diversions, etc.

> No, the ordinary person doesn't need the "whole catastrophe"
> you want to foist on him, he just wants modestly improved
> email privacy resistant to casual snooping. CONVENIENTLY!
>
> Remember: The perfect is the enemy of the good!
>
> Regards,

One of the things that happens whenever you go off your meds is you
take 30 min to say the obvious. Above is a perfect example of an
attempt to thread hijack, not one mention of Trulymail (note subject
of thread just nemo outising along misinforming and meandering. Why
you have become so patently disingenuous I proffer is old age.

Grandpa, you've become a bore.
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

[Ari Silverstein]

On Wed, 01 Sep 2010 17:53:20 GMT, nemo_outis wrote:

> Ari Silverstein <AriSilverstein@yahoo.com> wrote in
> news:8e7fvlFpgU1@mid.individual.net:
>
> ...
>> The terms identification, authentication, verification and
>> ultimately authorization are defined from the world of
>> biometrics. Where these processes can be invoked.

<selective and dishonest snipping>

> No, Ari, the "world of biometrics" is not where these terms
> are defined, despite the eagerness of some techies to coopt
> and kidnap them.

Which I alluded to in the part that you dishonestly snipped, you
disingenuous knucklehead.

> Identification, authentication, verification
> and authorization are terms with long, well-understood and
> broadly applied meanings dating back long before the word
> "biometrics" was even coined.

Which I alluded to in the part that you dishonestly snipped, you
disingenuous knucklehead.

> And even the diversity and
> range of meaningS (not meaning) of these terms carries
> considerable significance.

Which I alluded to in the part that you dishonestly snipped, you
disingenuous knucklehead.

> If techies wish to apply specialized limited meanings to these
> terms in some specialized limited context, fine - but don't
> pretend that that somehow pre-empts and supplants the
> original.

Which I alluded to in the part that you dishonestly snipped, you
disingenuous knucklehead.

>> Think of it this way. If I walk up to you and say "Hi, I'm
>> Ari" without something to verify my ID (Passport, secure
>> credentials card, etc.) you have nothing of value except a
>> statement. Much like your password matching on your server.
>
> No, Ari, all a passport, birth certificate, Verisign cert, or
> other document is is just another "statement" from some other
> person or institution.

Which statements are our best and most secure means of verifying
identity in any ordinary circumstance as per my walk-up scenario.

But you knew that so why...?

> Why you should put more trust in one rather than the other is
> determined by the context and circumstances.

One and one is two, are we bonding yet?

> Trust is a non-trivial problem. And dressing it up with
> pseudomathematical techie concepts that are manifestly wrong
> (e.g., trust relationships are transitive) doesn't really
> tackle the problem - it's just putting lipstick on the pig.

WTF are you talking about? I was talking about Trulymail' using the
term authentication in terms of verifying the login person's identity.
They claim it does. It don't, it doesn't do *anythin*g except allow
the process of /someone/ to match a password to the one on their
server.

That's it, no pigs involved. Snap back to reality, nemo.

> If you truly want security than human relationships are the
> core (of which trust is one very mportant aspect). If you
> really want security you would do far better to read
> Shakespeare than the HAC. Greed, power-lust, ambition, envy,
> spite, betrayal, revenge - these are the real security issues
> - not trivia such as whether you use 128 or 256-bit AES.

*larf*

> Techies fall in love with the technology and often lose track
> of the real issues for which it is just a tool.
>
> Regards,

You fall in love with your keyboard and post like a tool. lol
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

[nemo_outis]

"Steve Terry" <gfourwwk@tesco.net> wrote in
news:i5mmrf$92e$1@news.eternal-september.org:

....
>> I believe we were discussing the trustworthiness of
>> credentials. Well, yours don't make the cut.


> If you could be bothered to search Google groups archives
> you'd find i've been posting on Usenet with my own name for
> years


Let me quote from my favorite movie, Casablanca:

Ugarte: "You despise me, don't you?"

Rick: "If I gave you any thought I probably would."

Are you beginning to understand how little I care about your
whining protests?

Regards,

[nemo_outis]

Ari Silverstein <AriSilverstein@yahoo.com> wrote in
news:8e83tqFr4vU1@mid.individual.net:

Ari, you have conclusively demonstrated that you can be stupid
longer than I can be patient.

I have no intention of taking your endless whining pointless
idiocies seriously.

You were dismissed. So do be a good lad and **** off.

[vince]

On Thu, 2 Sep 2010 11:18:00 +1200, Dave Doe wrote:

> In article <Xns9DE662FEB7E4Dpqwertyu@69.16.185.250>, abc@xyz.com says...
>>
>> Ari Silverstein <AriSilverstein@yahoo.com> wrote in
>> news:8e69t4FoiuU1@mid.individual.net:
>>
>> You still here? You were dismissed.
>
> I bozo binned the wanker! :) Look ma, no more crap.

Look a nemo outis sockpuppet!

[Ari Silverstein]

On Thu, 02 Sep 2010 01:14:28 GMT, nemo_outis wrote:

> Ari Silverstein <AriSilverstein@yahoo.com> wrote in
> news:8e83tqFr4vU1@mid.individual.net:
>
> Ari, you have conclusively demonstrated that you can be stupid
> longer than I can be patient.

I so enjoy kicking your ass around, grandpa, then watching you hit the
bricks with your tail between your legs.

> I have no intention of taking your endless whining pointless
> idiocies seriously.

Uh-huh. Three thousand words and one butt whooping later.

> You were dismissed. So do be a good lad and **** off.

Just send your Nepal ***** of a wife on over to my house and put your
teeth back in before you gum your macaroni and cheese to yellow
piss-paste.

And your attempt to block my response by altering the Follow-Up failed
too, you sorry sack of ****.

<VVVBG>
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

[nemo_outis]

Ari Silverstein <AriSilverstein@yahoo.com> wrote in
news:8e8h03Fq5rU1@mid.individual.net:

**** off, Ari.

[Madhav \Mr. Nepal\ Acharya]

On Thu, 02 Sep 2010 05:42:31 GMT, nemo_outis wrote:

> Ari Silverstein <AriSilverstein@yahoo.com> wrote in
> news:8e8h03Fq5rU1@mid.individual.net:

>> Ari, you have conclusively demonstrated that you can be stupid
>> longer than I can be patient.

>> I have no intention of taking your endless whining pointless
>> idiocies seriously.

>> You were dismissed.


> **** off, Ari. I admit, I hate jewball bastards like you and cannot
> keep myself from constantly answering you.

> fyi my wife never ****ed anyone from Nepal.

i phucked your ugly wife i paed nothing you lye you are scum of erth
--
skype:mranep cell:813-610-2978; work:813-386-4500; work2:813-915-1663
Motto: Why face the world myself when my wife's skirt, it is so dark
and comfy under it? Proclamation: "A man can have sex with sheep,
cows and camels and so on. However, he should kill the animal after
he has his orgasm. He should not sell the meat to the people in
Nepal; Ok I did so beat me with a Yeti dick.

[a]

**** off, Ari. You're just trolling John for the sake of being difficult.
Hundreds of apps exist where you don't know the makers and their history.





"Ari Silverstein" <AriSilverstein@yahoo.com> wrote in message news:8e4kfpFr7gU1@mid.individual.net...
> On Tue, 31 Aug 2010 07:48:47 -0700 (PDT), TrulyMail Support wrote:
>
>>> If you're dealing with security products, especially without open
>>> source coding, /who/ you are and your background is extremely
>>> important.
>>
>> I guess it all depends on who we are targeting as our customer. For
>> John Q. Public to choose a system to keep his private messages
>> private, does he care about who made Thunderbird+GPG+Enigmail or who
>> made TrulyMail?
>>
>> I believe he does not. I believe his primary concern is how to keep
>> his private communications private without spending a day getting
>> three pieces of software installed, setup, and configured to
>> interoperate. Of course, the easier path for him is to use TrulyMail,
>> click the Next button a few times, and have everything done
>> automatically.
>
> Let me translate. You want newbies, dumbasses and those with no
> education in anything cryptology to guy into your product.
>
> OK, at least we have your marketing plan down.
>
>> You are clearly a very detail-oriented person. You want to know
>> everything about whatever topic you dig into. There is nothing wrong
>> with that. There are many open source systems out there which allow
>> you to go through the code line-by-line and you can see everything it
>> does.
>
> Hardly detail oriented. Examining open source code isn't my cop of tea
> either.
>
> But I do believe in peer review and your rather flippant attitude "see
> you in Santiagoe" toward your code is utter ********.
>
> But, hey, there is a large market for morons who will trust their
> privacy with people like you so have at it. Expect to get zero
> credibility from anyone has any teensy bit of workable knowledge
> regarding encryption.
>
>> We are not that kind of company. We are a 'bring secure, convenient
>> communications to the masses' kind of company.
>
> You're a bring the bucks to John kinda company who hides behind single
> names and averts the honest intentions of prying eyes.
>
>> Different fits for different people.
>
> Most certainly but you can have your profits and your credibility as
> well. For whatever reason, none of which I can think of that is either
> honest or straightforward, Trulymail has decided to take the lowest of
> low roads.
>
> The only reasons you would do so are:
>
> 1) Trulymail is comprised of a set of waffling imbeciles.
> 2) You're crooked
>
> You see, transparency is the lifeblood of professional cryptology. The
> breast that feeds its reliability and innocence. You guys are as
> valuable as a tit on a boy pig.
>
> Now you are exposed which is a good thing for everyone including you.
> Repent. Turn away from the Dark Side.
>
> This "trust us, we're really good guys" is a bunch of hocus-pocus BS,
> it demeans you and it demeans your products.
>
> Remember Allende.
> --
> Ari's Fun Times!
> http://tr.im/hrFG
> Motto: Run, rabbit, Run!

[Paulo Marques]

a wrote:
> **** off, Ari. You're just trolling John for the sake of being difficult.
> Hundreds of apps exist where you don't know the makers and their history.

Ari's arguments might not have been expressed in the best of ways (to
put it mildly) but he is correct in that you can not trust the
cryptography of a closed source application. Even worse than that is an
application with an undisclosed algorithm.

Yes, hundreds (most likely thousands or more) of applications exist for
which you have no sources, but you don't write sensitive information in
those applications and expect privacy, etc.

For all you now, TrulyMail might encrypt an escrow key in the message
that allows them to decrypt any message, or send an encrypted copy like
that to their own servers for all the messages you send and snoop on all
your "secret" traffic.

The point is that they _might_ be good and honest people who would never
do anything like that, but there is no way for the end user to know that
for sure...

--
Paulo Marques - www.grupopie.com

"Who is general Failure and why is he reading my disk?"

[Pubkeybreaker]

On Sep 2, 9:44*am, Paulo Marques <pmarq...@grupopie.com> wrote:
> a wrote:
> > **** off, Ari. You're just trolling John for the sake of being difficult.
> > Hundreds of apps exist where you don't know the makers and their history.
>
> Ari's arguments might not have been expressed in the best of ways (to
> put it mildly) but he is correct in that you can not trust the
> cryptography of a closed source application.

Oh??? Has RSA Security made its code open source? I'm sure
that you can/would/should trust BSAFE for example, even though it is
not open source.

Would you not trust closed-source NIST certified FIPS-140 compliant
code?


> Even worse than that is an
> application with an undisclosed algorithm.

This is certainly true.

[TrulyMail Support]

> On Sep 2, 9:44*am, Paulo Marques <pmarq...@grupopie.com> wrote:

> > Even worse than that is an
> > application with an undisclosed algorithm.
>
> This is certainly true.

We have disclosed our algorithms. Please see the posting to that
effect. I'll repeat it here for your convenience.

-------
Our TrulyMail client is built using Microsoft's .Net
and our encryption uses their cryptographic library using the Rijndael
algorithm (PROV_RSA_AES cryptographic service provider). We use a
4096-
bit key, as mentioned earlier.
-------

[Pubkeybreaker]

On Sep 2, 10:34*am, TrulyMail Support <supp...@trulymail.com> wrote:
> > On Sep 2, 9:44*am, Paulo Marques <pmarq...@grupopie.com> wrote:
> > > Even worse than that is an
> > > application with an undisclosed algorithm.
>
> > This is certainly true.
>
> We have disclosed our algorithms. Please see the posting to that
> effect. I'll repeat it here for your convenience.
>
> -------
> Our TrulyMail client is built using Microsoft's .Net
> and our encryption uses their cryptographic library using the Rijndael
> algorithm (PROV_RSA_AES cryptographic service provider). We use a
> 4096-
> bit key, as mentioned earlier.
> -------

This last comment shows that you have no clue as to what you are
doing.
Rijndael's key sizes are 128, 192, and 256 bits.

If you are using a 4096 bit key for some *public key algorithm*, you
have not disclosed what that algorithm is, or how you are using it.
Nor have you disclosed the key generation mechanism.

I trust Microsoft's crypto library (the one who wrote it is a
colleague
and co-author of mine) and would know how to use it.

By your own admission, your company has ZERO crypto knowledge.
How can anyone trust you to USE Microsoft's library in the correct
way?


If you want your code vetted, you can hire me at $400.00/hr. And I
do
have both the required software and crypto background.

[nemo_outis]

Pubkeybreaker <pubkeybreaker@aol.com> wrote in
news:940e20f3-a654-479a-8fa1-d972c31fe084@f25g2000yqc.googlegr
oups.com:

> On Aug 31, 10:01*pm, "nemo_outis" <a...@xyz.com> wrote:
>> "Joseph Ashwood" <ashw...@msn.com> wrote
>> innews:Gohfo.36956$6o7.15680@new
> sfe21.iad:

> And for an ordinary person, it is no better solution to
> "trust the code reviewer" than to "trust the code writer."
> The unqualified layman still has to operate on a **trust
> model** Whether it's a reviewer or a writer - you're only
> **displacing** where the trust gets placed. Hell, even if
> the code were completely vetted a dishonest operator (of
> closed or open source crypto software) could still subvert
> security - as I have repeatedly shown right here!

> Yes, crypto is hard to get right. And not one person in a
> million has both the programming and crypto skills to do a
> thorough review of any serious program's crypto code.



> I would be happy to do a thorough review of this software
> for them. For a fee. I charge $400.00/hr
>
> And yes. I am qualified.


Which is precisely why open-source crypto code is largely
pointless in terms of a thorough review. The unqualified
can't do it, and the qualified won't do it.

Not without a fee. In which case, the source might just as
well be closed.

Moreover, when you're finished your review, why the hell
should a potential new user place any trust in the quality,
competence and thoroughness of your review? You (or the
company that hired you) will be asking the users to "trust"
you - why should they?

Why indeed? After all, even if your credentials are
impressive, your honesty unimpeachable, and your fame
widespread (and are they?) you're a hired gun with a clear
conflict of interest. He who pays the piper calls the tune -
or at least that's a legitimate worry for a potential new
user. Hell, that question arises even with independent
certified labs doing FIPS evaluations.

Once again, all you have done is displace the trust
relationship - from the code writer to the code reviewer.

Moreover, the folks at whom TrulyMail is targeted probably
don't give a flying **** about code reviews even if they were
done by crypto luminaries like Bruce Schneier. The response
of an ordinary person to this is likely to be, "Bruce Who?"
No, the company would likely get better marketing results
using a frothy endorsement from a chesty blonde bimbo.

But even if the review was thorough and competent, and even if
the user did care, he's still nowhere near secure.
You see, nobody uses source code - they use binaries
(especially in Windows - nobody compiles from source). And
there's no guarantee whatsoever that the binary that gets
executed reflects the source code that was reviewed - the
company could just substitute a bug-infested backdoored
version of both the server and client binaries if it chose and
the poor user would be none the wiser.

And I haven't even touched upon patches and version upgrades -
do you expect the company to hire you for another code revierw
for each of these? Fat chance!

Regards,

[Mark Murray]

On 09/02/10 15:48, Pubkeybreaker wrote:
> -------
>> Our TrulyMail client is built using Microsoft's .Net
>> and our encryption uses their cryptographic library using the Rijndael
>> algorithm (PROV_RSA_AES cryptographic service provider). We use a
>> 4096-
>> bit key, as mentioned earlier.
>> -------
>
> This last comment shows that you have no clue as to what you are
> doing.
> Rijndael's key sizes are 128, 192, and 256 bits.
>
> If you are using a 4096 bit key for some *public key algorithm*, you
> have not disclosed what that algorithm is, or how you are using it.
> Nor have you disclosed the key generation mechanism.

http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx

Pubkeybreaker,

Look carefully at the "PROV_*RSA*_AES".

AES has the keysizes you mention, but RSA can quite easily have
4096 bits.

> I trust Microsoft's crypto library (the one who wrote it is a
> colleague
> and co-author of mine) and would know how to use it.

Then slow down - I think you are missing important details here.

> By your own admission, your company has ZERO crypto knowledge.
> How can anyone trust you to USE Microsoft's library in the correct
> way?
>
>
> If you want your code vetted, you can hire me at $400.00/hr. And I
> do have both the required software and crypto background.

Based on the above RSA detail missed, are you really worth $400 an hour?

M

[Pubkeybreaker]

On Sep 2, 12:13*pm, Mark Murray <w.h.o...@example.com> wrote:
> On 09/02/10 15:48, Pubkeybreaker wrote:
>
> > -------
> >> Our TrulyMail client is built using Microsoft's .Net
> >> and our encryption uses their cryptographic library using the Rijndael
> >> algorithm (PROV_RSA_AES cryptographic service provider). We use a
> >> 4096-
> >> bit key, as mentioned earlier.
> >> -------
>
> > This last comment shows that you have no clue as to what you are
> > doing.
> > Rijndael's key sizes are 128, *192, and 256 bits.
>
> > If you are using a 4096 bit key for some *public key algorithm*, *you
> > have not disclosed what that algorithm is, *or how you are using it.
> > Nor have you disclosed the key generation mechanism.
>
> http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx
>
> Pubkeybreaker,
>
> Look carefully at the "PROV_*RSA*_AES".
>
> AES has the keysizes you mention, but RSA can quite easily have
> 4096 bits.
>
> > I trust Microsoft's crypto library (the one who wrote it is a
> > colleague
> > and co-author of mine) and would know how to use it.
>
> Then slow down - I think you are missing important details here.
>
> > By your own admission, your company has ZERO crypto knowledge.
> > How can anyone trust you to USE *Microsoft's library in the correct
> > way?
>
> > If you want your code vetted, *you can hire me at $400.00/hr. *And I
> > do have both the required software and crypto background.
>
> Based on the above RSA detail missed, are you really worth $400 an hour?

I miised no detail. I quote what was written:

"PROV_RSA_AES"

This is a bunch of acronyms that have been run together and connected
by underscores. It is not RSA, I can read, Apparently, you can't.