From: dcopley at eeye.com (Drew Copley)
Subject: JAP back doored

 

The US really has absolutely nothing to do with this... Any more than Sudan does, or Indonesia.

If the US forces developers to trojanize their applications, and then be silent about it... Then, yes, let's condemn that. But, they don't. 



> -----Original Message-----
> From: gml [mailto:gml@...ick.net] 
> Sent: Thursday, August 21, 2003 6:27 PM
> To: 'Drew Copley'; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] JAP back doored
> 
> 
> Except the US, we have jurisdiction over the world apparently.
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Drew Copley
> Sent: Thursday, August 21, 2003 3:50 PM
> To: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] JAP back doored
> 
> 
> 
> > -----Original Message-----
> > From: Florian Weimer [mailto:fw@...eb.enyo.de]
> > Sent: Thursday, August 21, 2003 12:23 PM
> > To: Drew Copley
> > Cc: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] JAP back doored
> > 
> > 
> > "Drew Copley" <dcopley@...e.com> writes:
> > 
> > > Why is the state of Germany trojanizing applications which may be run
> > > by anyone on the planet?
> > 
> > Why is the U.S. government interfering with the publication
> > of security advisories if the corresponding software is being 
> > run throughout the world?
> 
> I haven't had any problem issuing security advisories. What 
> is this in reference to?
> 
> Pointing the finger elsewhere does not excuse the fact that 
> the German State has trojanized a popular application which 
> was open to the world to download. And, indeed, the world did 
> download.
> 
> Here are some things I do not care if Germany does:
> 
>  - I don't care if they listen to their own wires
>  - I don't care if they hack into their own criminals' systems
>  - I do not care if they use zero day to do this
>  - I do not even care if they hack into criminals' systems in 
> other countries if they have some jurisdiction in this and 
> are working with other authorities. For instance, if they 
> were hacking into terrorist networks which spanned across the 
> world and were sharing this information, I would not care.
> 
> A German cop has no jurisdiction over me. He has no 
> jurisdiction over anyone outside of Germany.
> 
> This is the same for every country.
> 
> 
> 
> 
> > 
> > The German government funds the AN.ON project, but allowed
> > for a great deal of independence.  Naturally, this 
> > independence does not extend to the law, thanks to separation 
> > of powers.  Now a judge has forced the operators to implement 
> > a surveillance interface, which is possible because of a 
> > design weakness.  But that's just the beginning of the legal 
> > process.  The project has announced that it plans to fight, 
> > but within the legal system.
> 
> This does not absolve them, nothing you can say absolves 
> them. I realize you have some patriotism here and are 
> speaking from this... But, I also know you do not want the US 
> government to backdoor US applications from US companies 
> without telling you.
> 
> I know this to be true.
> 
> 
> 
> > 
> > > How is it they believe they have a right to trojanize someone outside
> > > of Germany?
> > 
> > Nobody forces you to use the German service if you don't
> > trust the operators or (thanks to recent events) German law 
> > enforcement.
> 
> That is an empty argument not worth going into.
> 
> > 
> > > This is blatantly illegal in just about every country outside of
> > > Germany.  Literally.
> > 
> > No, it isn't.  Most countries with communication
> > infrastructure have laws that regulate law enforcement 
> > access.  This is not a "stupid local law" issue.
> > 
> 
> This also is an empty argument.
> 
> Basically, you are saying if it is discovered the NSA has a 
> backdoor in
> Windows, that this is okay and no one has a right to complain, even if
> they are outside of the US.
> 
> I doubt this would be your case in this situation.
> 
> I am sure many could say, "Well, this situation is different". 
> 
> No, it is not. Let's be honest here.
> 
> > Your country is eavesdropping foreign communication as well.
> 
> My country has not installed a trojan on my system, to my own 
> knowledge,
> all rumors and speculation aside.
> 
> They have not hacked into my system.
> 
> As to what wires they listen to, if they listen to their own, that is
> their business. We have encryption software. If they listen to other
> people's wires, that is outside of their domain, then yes, this should
> be illegal. But, is it proven? Does it remove the fact that 
> there are a
> host of privacy and anonymity tools which we can use?
> 
> But, Germany has decided that people don't have a right to use these
> tools. They have not tried to do even the honorable thing and break
> these things - which is illegal - but they have secretly 
> trojanized the
> code.
> 
> You want me to applaud this?
> 
> Maybe your nation has just given my own nation some new ideas.
> 
> Did you help stop this trend?
> 
> > 
> > > Or, do they believe they are superior to other countries, and they may
> > > invade at will?
> > 
> > Please check the facts.  Germany doesn't operate an 
> > eavesdropping base in the U.S., but the U.S. do in Germany.
> 
> I won't even go into that. I do not know what they do there, but their
> rights have been worked out with the German government. If you have an
> issue with that, you need to take that up with their government. 
> 
> If my government allowed German police to trojanize an 
> application I ran
> and my government covered this up... I would be furious at my 
> government
> first, and at Germany second.
> 
> But, none of this is dealing with the matter at hand. These arguments
> are all a distraction.
> 
> I have not intended to offend your patriotic sensibilities. 
> My apologies
> in this regard.
> 
> My statements stand for whatever country might do such a thing, my own
> included.
> 
> ...
> 
> With some reflection, I realize this was done out of 
> incompetence rather
> than out of understanding. I know this. I know it was ignorance, not
> maliciousness, which inspired this. 
> 
> That, is, I guess it is.
> 
> It is true, someone that does wrong knowingly is much more guilty than
> someone that does wrong in ignorance. But, it is also true that they are
> both still guilty.
> 
> I hope that you may bring yourself to condemn this action of your
> government. I hope that you may see it is not something to excuse. For
> by excusing this, surely, you excuse the same from countries 
> you do not
> hold allegiance to.
> 
> 
> 
> 