From: gml at phrick.net (gml)
Subject: JAP back doored

Except the US, we have jurisdiction over the world apparently.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Drew Copley
Sent: Thursday, August 21, 2003 3:50 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] JAP back doored



> -----Original Message-----
> From: Florian Weimer [mailto:fw@...eb.enyo.de] 
> Sent: Thursday, August 21, 2003 12:23 PM
> To: Drew Copley
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] JAP back doored
> 
> 
> "Drew Copley" <dcopley@...e.com> writes:
> 
> > Why is the state of Germany trojanizing applications which may be run
> > by anyone on the planet?
> 
> Why is the U.S. government interfering with the publication 
> of security advisories if the corresponding software is being 
> run throughout the world?

I haven't had any problem issuing security advisories. What is this in
reference to?

Pointing the finger elsewhere does not excuse the fact that the German
State has trojanized a popular application which was open to the world
to download. And, indeed, the world did download.

Here are some things I do not care if Germany does:

 - I don't care if they listen to their own wires
 - I don't care if they hack into their own criminals' systems
 - I do not care if they use zero day to do this
 - I do not even care if they hack into criminals' systems in other
countries if they have some jurisdiction in this and are working with
other authorities. For instance, if they were hacking into terrorist
networks which spanned across the world and were sharing this
information, I would not care.

A German cop has no jurisdiction over me. He has no jurisdiction over
anyone outside of Germany.

This is the same for every country.




> 
> The German government funds the AN.ON project, but allowed 
> for a great deal of independence.  Naturally, this 
> independence does not extend to the law, thanks to separation 
> of powers.  Now a judge has forced the operators to implement 
> a surveillance interface, which is possible because of a 
> design weakness.  But that's just the beginning of the legal 
> process.  The project has announced that it plans to fight, 
> but within the legal system.

This does not absolve them, nothing you can say absolves them. I realize
you have some patriotism here and are speaking from this... But, I also
know you do not want the US government to backdoor US applications from
US companies without telling you.

I know this to be true.



> 
> > How is it they believe they have a right to trojanize someone outside
> > of Germany?
> 
> Nobody forces you to use the German service if you don't 
> trust the operators or (thanks to recent events) German law 
> enforcement.

That is an empty argument not worth going into.

> 
> > This is blatantly illegal in just about every country outside of 
> > Germany.  Literally.
> 
> No, it isn't.  Most countries with communication 
> infrastructure have laws that regulate law enforcement 
> access.  This is not a "stupid local law" issue.
> 

This also is an empty argument.

Basically, you are saying if it is discovered the NSA has a backdoor in
Windows, that this is okay and no one has a right to complain, even if
they are outside of the US.

I doubt this would be your case in this situation.

I am sure many could say, "Well, this situation is different". 

No, it is not. Let's be honest here.

> Your country is eavesdropping foreign communication as well.

My country has not installed a trojan on my system, to my own knowledge,
all rumors and speculation aside.

They have not hacked into my system.

As to what wires they listen to, if they listen to their own, that is
their business. We have encryption software. If they listen to other
people's wires, that is outside of their domain, then yes, this should
be illegal. But, is it proven? Does it remove the fact that there are a
host of privacy and anonymity tools which we can use?

But, Germany has decided that people don't have a right to use these
tools. They have not tried to do even the honorable thing and break
these things - which is illegal - but they have secretly trojanized the
code.

You want me to applaud this?

Maybe your nation has just given my own nation some new ideas.

Did you help stop this trend?

> 
> > Or, do they believe they are superior to other countries, and they may
> > invade at will?
> 
> Please check the facts.  Germany doesn't operate an
> eavesdropping base in the U.S., but the U.S. do in Germany.

I won't even go into that. I do not know what they do there, but their
rights have been worked out with the German government. If you have an
issue with that, you need to take that up with their government. 

If my government allowed German police to trojanize an application I ran
and my government covered this up... I would be furious at my government
first, and at Germany second.

But, none of this is dealing with the matter at hand. These arguments
are all a distraction.

I have not intended to offend your patriotic sensibilities. My apologies
in this regard.

My statements stand for whatever country might do such a thing, my own
included.

...

With some reflection, I realize this was done out of incompetence rather
than out of understanding. I know this. I know it was ignorance, not
maliciousness, which inspired this. 

That is, I guess it is.

It is true, someone that does wrong knowingly is much more guilty than
someone that does wrong in ignorance. But, it is also true that they are
both still guilty.

I hope that you may bring yourself to condemn this action of your
government. I hope that you may see it is not something to excuse. For
by excusing this, surely, you excuse the same from countries you do not
hold allegiance to.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

