Jerry Leichter, CRYPTO-Mailing-List, on the WPA2 attack, 16.10.2017 It's possible (via a replay attack) to force a party to a WPA2 "reset its session" information - to the information it was already using. This includes the key and the nonce and other initialization. This is deadly, because the protocol uses AES as a stream cipher.
William Hugh Murray, in SANS NewsBites 19/069 (on Kaspersky, 01.09.2017) Kaspersky, man and firm, have been respected, responsible, and contributing members of the world-wide security community for more than a quarter of a century. Their relationship to the Russian state is no more nefarious than that of any US corporate citizen to the US state. Unless and until the US government produces evidence, I will consider their derogation of Kaspersky to be political propaganda.
John Pescatore, on SANS NewsBites Vol. 19 Num. 055, July 14th, 2017 (Kaspersky removed from US-Software-List) This is a political decision that can be matched by other countries making similar political decisions about US cybersecurity companies. I can't think of a single political decision over my entire career that was a net positive to cybersecurity overall.
M. K. Shen, on CRYPTO-Mailing-List, May 7th, 2017 There is certainly no question that strong end-to-end encryption can be done well by persons having sufficient knowledge in crypto. However the mass of the common people would have to trust the opinions or certifications of some institutional bodies, whether governmental or not, and let the processing be done accordingly, whereby various software, hardware and institutional bodies are involved, the trustworthiness of all of them has to be assumed very much like in religions. That's a fundamentally unsolvable problem of privacy and security IMHO.
William Hugh Murray in SANS NewsBites Vol. 19 Num. 031 Business does not "run" old code. Old code runs the business. Like it or not, applications have a finite useful life. It is important to know what it is and to have a plan for what to do at the end of the application's life.
Ralf Senderek, CRYPTO-Mailing-List, 18.03.2017, on the theory and practice of IT security ...the only thing we have to worry about are secure systems and not secure primitives in an abstract space.
Peter Gutmann, CRYPTO-Mailing-List, 24.02.2017, on SHA1 collisions After sitting through an endless flood of headless-chicken messages on multiple media about SHA-1 being fatally broken, I thought I'd do a quick writeup about what this actually means. In short: Reports of SHA-1's demise are considerably exaggerated.
Peter Gutmann, CRYPTO-Mailing-List, 01.01.2017, on smart metering Most of the models (from that line) are advertised with a remote disconnect option. So you've got a mass of more or less insecure devices for which you could create the electrical equivalent of a water hammer...