From: goncalo.costa at kpnqwest.pt (Goncalo Costa)
Subject: JAP back doored

>
> Don't be a smart ass.
>

Well, good morning to you too !

> Your arguments have nothing to do with the argument at hand which is quite
> simple: Governments should have no right to force developers to trojanize
> their applications and keep silent about it.
>

Governments have a lot of powers they should not have but German government
had nothing to do with this.

I hope you can tell the difference between a government eavesdropping on
someone and a judge/court order to eavesdrop on a suspect to gather evidence
against him.

> There have been some notes come out of this:

> 1> Germany has now removed this legal action, which is great

I think you should stop for a minute and try to learn the difference between
Germany (country), the German state, the German government and the German
judicial system.

"Germany" did nothing.

If you want to talk about the German government you could talk about
http://www.gnupg.org/aegypten

> 2> They intended to only watch traffic to a single German server

It seems you did not follow some posts on this list. I believe someone from
Germany explained the why and how of this JAP backdoor, and mentioned that.

> 3> The developers may not
> have been so forced into doing this, as much as willing -- I rather doubt
> this, especially since the order was rescinded, but their culpability does
> factor into this

So you mean these guys offering a free public anonymizing service are to
blame for complying with a court order ? I'm sure you would rather go to
jail. Where's the free public anonymizing service you're providing to the
Internet ? I'd like to use it. I'm sure I can trust you to keep my id safe.

> 4> I, personally, admit I would not care if they did this
> for a very serious reason such as for pedophiles or terrorists... I think a
> lot of people outraged would have to agree with this... However, I am sure
> a lot would not
>

(I believe the same person also wrote) it was a pedophilia case.

> As for the US government, this is utterly unimportant. I was playing around
> even to begin to mess with that. Yes, I am unaware of the US actively
> trojanizing applications by forcing the developers to do this.

Lotus Notes NSA backdoor ?
We're not talking about a court order here.
And Notes was not free software - its customers paid for it.
Nor was it open source software, as is the case with JAP.

> So are you.
> This is illegal. You wouldn't like it if it was the US doing this. So, what
> are your real motives here?
>

Besides money that is ? :-)

Your emails seemed more focused on the German government than anything else.
German government had nothing to do with this. This was a judge/court order.

My motives were plain and simple:

- you seem to believe that your government and its agencies always play by
  the book - I was trying to show you that they don't

- you should not bash (especially the way you did) the German government when
  your own government has a much worse track record on eavesdropping on
  everyone else around the world

- you should not blindly trust your government nor its agencies as you seem
  to. They have abused their powers in the past. They are abusing their
  powers in the present. They will abuse their powers in the future.

Governments are made of people like you and me (worse in fact ;-).

Complaining of these decisions (which are mandated by a judge or court) is
really useless and a paradox. In my opinion either:

case 1. you don't trust the state/authorities/whatever and you cannot trust
        anything and you cannot expect anonymous services to work as
        advertised (this is the case in dictatorships/authoritarian regimes)

case 2. you are a hardcore privacy advocate and accept no eavesdropping on
        anyone no matter what - not even eavesdropping on the suspect of
        kidnapping your child

case 3. you (almost) trust the state/authorities/whatever and recognize/accept
        the need to do certain things, as eavesdropping, that need to be done
        in "some situations but not all" to "some people but not all"

As you said:

> 4> I, personally, admit I would not care if they did this for a very
> serious reason such as for pedophiles or terrorists...

So you are clearly in case 3. 

(probably the same goes for everyone else who complained about this)

But if you trust the system then you must also trust that this is done only
when "it has to be done", and there's no use in complaining there, is there ?

In this case you were clearly not trusting the German state and were bashing
it as if it was a "case 1" (dictatorship or authoritarian regime).

Will there be _abuses_ by the authorities and the people behind them ?
Sure, but we'll complain about _that_ with reason on our side then.

>
> >
> > The world is made of people and people are the same
> > everywhere. Time and place don't seem to make a great
> > difference. Being naive and keeping your eyes shut doesn't
> > help either.
>
> I love being called naïve by teenagers that have never even seen a dead
> body.
>

As I said before, from your posts to this list regarding this thread you seem
to have a blind faith in your government and its agencies. I would call that
being naive. 

Thanks for the tip: I've modified my mail headers not to leak my age again !

And please explain that "dead body" part again.

>
> You think for some reason that I am opposed to intelligence actions by the
> US? I am not even opposed to Germany if they did this because it was
> against terrorists or pedophiles.
>

Well. As I explained before, if you accept this for some reasons then you
must trust "them" to know when to do it.

> You are the one quite naïve if you believe your nation can exist free
> without an intelligence agency.
>

I don't remember having written this in my post. Did I ?

> Regardless, the existence of intelligence agencies is entirely a different
> matter.

Again: I don't remember having written anything about this in my post.

> What errors these agencies may have done in the past - US or German

Errors ? What errors ? Errors are something you do by mistake.
These agencies make no errors (unless when they're caught).

They deliberately abuse their powers when they have to.

> - is entirely irrelevant.
>

To this thread and list: yes.
To know history and to learn from it: no.

> Each matter must be taken at a time.
>
> Apples give no insight into oranges.
>

I always suspected that ! :-)

> > I would also suggest a daily reading at http://cryptome.org/
>
> Yeah, a lot of great American sites like this. In fact, I bet you know a
> lot more about the US intelligence then you do about Portugese.
>

You almost got it right: "Portuguese". Don't hesitate to ask me if you
need help with your English ! :-)

(I do hope you have a sense of humour)

> In fact, I bet you know a
> lot more about the US intelligence then you do about Portugese.
>

Well ! That's easy isn't it ?
There's not much to know about Portuguese intelligence agencies is there ? 

And I'd like to hear your comments on my post to FD included below
(http://lists.netsys.com/pipermail/full-disclosure/2003-August/009108.html)

Best Regards to you too
Goncalo


-------------------------------------------------------

Subject: Java Anonymous Proxy (JAP) backdoored - another interesting story 
Date: Tue, 26 Aug 2003 11:02:32 +0100
From: Goncalo Costa goncalo.costa@...qwest.pt
To: full-disclosure@...ts.netsys.com


For those of you shocked at learning that JAP had been backdoored at
the request/order of a judge/court to investigate a criminal, here is
another interesting story.

Notice the SURFOLA.com disclaimer.

----------  Forwarded Message  ----------
>Date: Sat, 23 Aug 2003 00:00:11 +0200
>From: Barry Wels <b.wels@...6.com>
>Subject: blackmail / real world stego use
>Sender: owner-cryptography@...zdowd.com
>To: cryptography@...zdowd.com
>
>
>Hi,
>
>So far I have only found one English item in the news about this.
>
>http://www.expatica.com/index.asp?pad=2,18,&item_id=33655
>
>So let me translate some of the dutch information about this
>interesting case :
>
>A 45-year old chip designer from Utrecht was arrested June 3.
>He confessed to having tried to blackmail the 'Campina' food company.
>He had threatened to poison their products, and demanded 200.000 euro.
>
>The most remarkable thing about this case is however how he
>communicated with Campina, and how he thought to receive the money.
>
>He forced Campina to open a bank account, and get a 'world card' with
>it. Then they had to deposit 200.000 Euro on it (about 185.000
>US dollar). He ordered them to buy a credit card reader, and read the
>information off the magnetic-stripe of the 'world card'.
>Then they had to send him the output of the card reader, together with
>the pin code. With this information, he then could create a copy of
>the 'world card' using a card-writer and a blank card.
>
>To send him the information, he made them use steganography!
>Campina received an envelope via snailmail containing a floppy with a
>stego program and instructions.
>
>They had to encode the 'world card' info into a picture of a red VW
>golf, using the stego program, and a fixed crypto key that was
>included in the envelope.
>
>Finally, they had to place the picture in a fake ad on a website
>where large numbers of people sell/buy second hand cars.
>
>He would then read the ad, and make a copy of the picture.
>Decode the stego info out of it, write his own copy of the card,
>and withdraw money. Without ever having personal contact with Campina
>(or the police). To be really clever, he did not approach the website
>with the car ads directly. Police found out the ad was approached
>through a US anonymizer called SURFOLA.com. SURFOLA.com claims on their
>website :
>
>"We will not give out your name, residence address, or e-mail address
>to any third parties without your permission, for any reason, at any
>time, ever."
>
>The Utrecht police informed the FBI, and asked for assistance. Within
>24 hours, the FBI cracked the case, supplying the Dutch police with
>a '@....nl' e-mail address and some paypal.com financial data.
>
>This data led to the 45 year old chip programmer.
>After his identity was known, the police of course started surveillance on
>him. The 'desert terrorist' was arrested red-handed when he withdrew money
>from an ATM using the world-card copy....
>---
>
>Greetings,
>
>Barry Wels.
>
-------------------------------------------------------

