Fragen? Antworten! Siehe auch: Alternativlos
Und da steht u.a. die Antwort, wieso sie lieber ein gammeliges Debian-OpenSSL nehmen würden als eigene Krypto. Sie glauben, die eigene Krypto könnte wiedererkennbar sein.
The "custom" crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems.Die CIA und die NSA unterhalten sich per IRC?
In the past there were crypto issues where people used 0 IV's and other miss-configurations. As a result the NSA crypto guys blessed one library as the correct implementation and every one was told to use that. unfortunately this implementation used the pre-computed negative versions of constants instead of the positive constants in the reference implementation.
I think this is something we need to really watch and not standardize our selves into the same problem
We don't really have an official way of doing strings currently (sounds like NSA does from what I'm seeing in IRC) and I feel like we need to get to that. Off the top of my head one way of protecting against this is dumping all user ids from AD and running a strings check for that in addition to all the other dirty words out there.Und sie fahren Active Directory!