lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <MDEHLPKNGKAHNMBLJOLKKEADFGAA.davids@webmaster.com>
Date: Thu, 21 Aug 2003 21:00:07 -0700
From: "David Schwartz" <davids@...master.com>
To: <crypto@...uddancer.com>
Cc: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: RE: Popular Net anonymity service back-doored



>    From: "David Schwartz" <davids@...master.com>
>    Date: Thu, 21 Aug 2003 17:09:45 -0700
>
>
>    > Only a fool would blindly depend on someone else's software to gain
>    > anonymity without examining the code.  If you need
>    > anonymity, then you
>    > should easily be willing to invest sweat equity, or have a
>    > contractual
>    > arrangement when the threat is only financial.  For more serious
>    > threats requiring anonymity, not reviewing the source when it is
>    > available seems beyond stupid.
>
> 	   I'm 100% with you up to now.
>
>    > I could unserstand your ire if you
>    > were one of our clients, but this was a free service wasn't it?
>
> 	   But now you're teetering on insanity. I get a ride home
>    from a pub, but the
>    driver instead of taking me home takes me to a dark alley and
>    beats me to a
>    pulp. My ire at the betrayal of trust should be based upon
>    whether and how
>    much I paid the driver?!
>
> 	   If you think purchased business loyalty is more
>    reliable, and provokes a
>    more painful betrayal, than loyalty freely offered out of principled
>    devotion to a common cause, you're not in touch with the same
>    reality I am.
>    This is a case of betrayal among people who thought they were
>    engaged in a
>    common cause of principle.

> Oh no.  I would never risk _personal_ security to a computer, but I
> will risk financial security (do I even have a choice).  Since I'm
> only thinking financially, I was thinking of the standard capitalist
> model.

	I think you'll find that there is a ton of overlap between these two
categories.

> To modify your example, my ire would be directed at myself for
> misjudging the safety of the situation, regardless of what it cost.
> Especially if the vehicle carried a sign that said "driver not
> responsible".  I'm sure you read the disclaimers on the website...

	Almost every piece of software contains a EULA/disclaimer that says that
absolutely nothing is guaranteed and you're on your own. You have no way to
audit the software if it's not open source and often are prohibited from
reverse-engineering it anyway. You often have to agree to limit the
author's/manufacturer's liability to the purchase price.

> I'm afraid I only believe in principled devotion from people I can
> personally meet and have known for many years.  The Cypherpunks and
> Detweiler showed how risky that was based on text interchange mediated
> by computers.

	Absolutely, the people who extended trust were foolish to do so. It's very
easy to say that in retrospect. However, "it's your fault for trusting me"
doesn't play.

	If I leave my home while a contractor is working on it and tell him to lock
up and slide the key under the door and he forgets to lock up and a burglar
walks in and steals all my stuff, yes, it's the contractor's fault for being
stupid and leaving my house unlocked. But that does not reduce the
culpability of the burglar, does it? If anything, it's worse to pick on
those less defended.

	DS


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ