| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: thomas.greene at theregister.co.uk (Thomas C. Greene ) Subject: Final thoughts on 'Popular Net anonymity service back-doored' This thread has generated a lot of comments and i'm very pleased to see them. I'd like to wrap-up a few items if i may. Some Register and BugTraq readers have pointed out that there is a disclaimer on the JAP web site: "Due to recent events, we would like to be sure to point out, that the JAP software is in development and therefore does not yet offer maximum protection." Perhaps the English here is poorly worded; perhaps in the original German it's clearer -- i can't say because i don't read German. But this doesn't sound like a warning any stronger than the standard "we're human" disclaimer. It sounds too much like, "We've done our level best but we can't guarantee the service because we're still ironing out the bugs." That's how i read it, and how i think most people would. No one in his right mind expects *foolproof* security, but we should expect prompt disclosure. The JAP folks could have taken a page from the American Library Association in its opposition to the Patriot Act and warned us thus: "We can't assure your anonymity if a court order requires us to disclose user behavior. We will comply with such orders, and we may be prevented from warning users when we receive them. To avoid this problem, you should use other mixes." That would have been a decent warning imho. Instead, the JAP team and their partners insist that the system is still trustworthy. (I imagine it *can* be if you arrange outside mixes.) Some readers and posters to this thread have even suggested that users who can't or won't review the source code deserve to be harmed. Rather a mad assertion, since there are roughly 550 files in the JAP app. And those who can't understand what they find there should not be penalized for not being geeks, but should be able to trust the JAP team's assertions. The JAP Web site still claims that, "No one, not anyone from outside, not any of the other users, not even the provider of the intermediary service can determine which connection belongs to which user." I call that a bald-faced lie. Other readers have suggested that the JAP folks were under a gag order and did their best to reveal the problem by signalling the insecurity in the source files. I don't buy it. If they were under a gag order, then why did they post a confession to alt.2600? And what about the confessional press release from ICPP? Would a gag order be written to let them off the hook as soon as someone suspected something? I doubt it. The fact that they're talking about it now indicates that there never was a gag order. And besides, they've never claimed that there was one; only their apologists have. Now consider this imaginary gag order and the JAP team's liability under it. If it existed, they could have gone to the press on condition of anonymity. Sure, the German Feds would guess who leaked it, but no decent journo would ever testify to that fact so it would never be established in court. The Feds can suspect all they want; what matters is what they can prove. Without the journo's cooperation they'd prove nothing. Maybe the Gestapo can pressure German journos, i don't know; but going to the press outside Germany would have been perfectly safe. Those of you who know my column can guess what i'd say to some foreign judge who demanded my notes. As i said in the Register article, the real issue is disclosure. Nobody expects perfection. Honesty and prompt disclosure would be perfectly adequate. chrz, t.
Powered by blists - more mailing lists