Date: Sun, 11 Nov 2007 03:38:50 +0900
From: Paul Sebastian Ziegler <psz@...erved.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Standing Up Against German Laws - Project HayNeedle

> How would this help with stored phone calls? How would this 
> help with the general problem?

You are right to notice: It doesn't help with the calls at all.

> While I think it is nice that you think about doing 
> something against this I don't really like your idea since 
> you totally miss that traffic does not only mean HTTP so I 
> don't really see any point of not just using gpg,tor, etc.

The law passed does not talk about saving the actual traffic but only
the connections made. This is the key difference. If we look at
connections only, it doesn't matter if we create HTTP traffic or [insert
random protocol here] traffic. HTTP is simply the easiest to generate.

Using Tor is of course the perfect solution, as long as it doesn't put
you under a general observation. GPG is not really involved in this law,
since only the connections are saved while the content is not.

> You write "This way it is very hard to tell which 
> connections are actually made by the user thus generating 
> plausible deniability." on your website and I also don't 
> think this is valid because no one cares if it was you or an 
> application creating this traffic

Well no, actually there have been many recorded cases where people did
care. Say you want to profile someone and can't tell what was
automatically created. Also this is how most TOR-exit nodes get away
free when illegal traffic is tracked back to them. So the theory has in
fact got some backing.

> it also does not 
> prevent people to store your traffic and I would expect them  
> to have pretty good methods to divide important and 
> unimportant traffic ;)

They definitely have. But as I said, this is not what HayNeedle is
about. There are many crazy laws the German government is currently
working on and I am not here to target all of them. In this case all I
target is the storage of the connection data - which is specified within
the new law. If they want to eavesdrop on me or anyone, well yes,
HayNeedle wouldn't help at all. But that was never the intention.

Many Greetings
Paul
