Message-ID: <MDEHLPKNGKAHNMBLJOLKKEADFGAA.davids@webmaster.com>
Date: Thu, 21 Aug 2003 21:00:07 -0700
From: "David Schwartz" <davids@...master.com>
To: <crypto@...uddancer.com>
Cc: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: RE: Popular Net anonymity service back-doored
> From: "David Schwartz" <davids@...master.com>
> Date: Thu, 21 Aug 2003 17:09:45 -0700
>
>
> > Only a fool would blindly depend on someone else's software to gain
> > anonymity without examining the code. If you need anonymity, then you
> > should easily be willing to invest sweat equity, or have a contractual
> > arrangement when the threat is only financial. For more serious
> > threats requiring anonymity, not reviewing the source when it is
> > available seems beyond stupid.
>
> I'm 100% with you up to now.
>
> > I could understand your ire if you
> > were one of our clients, but this was a free service wasn't it?
>
> But now you're teetering on insanity. I get a ride home from a pub, but the
> driver instead of taking me home takes me to a dark alley and beats me to a
> pulp. My ire at the betrayal of trust should be based upon whether and how
> much I paid the driver?!
>
> If you think purchased business loyalty is more reliable, and provokes a
> more painful betrayal, than loyalty freely offered out of principled
> devotion to a common cause, you're not in touch with the same reality I am.
> This is a case of betrayal among people who thought they were engaged in a
> common cause of principle.
> Oh no. I would never risk _personal_ security to a computer, but I
> will risk financial security (do I even have a choice). Since I'm
> only thinking financially, I was thinking of the standard capitalist
> model.
I think you'll find that there is a ton of overlap between these two
categories.
> To modify your example, my ire would be directed at myself for
> misjudging the safety of the situation, regardless of what it cost.
> Especially if the vehicle carried a sign that said "driver not
> responsible". I'm sure you read the disclaimers on the website...
Almost every piece of software contains a EULA/disclaimer that says that
absolutely nothing is guaranteed and you're on your own. You have no way to
audit the software if it's not open source and often are prohibited from
reverse-engineering it anyway. You often have to agree to limit the
author's/manufacturer's liability to the purchase price.
> I'm afraid I only believe in principled devotion from people I can
> personally meet and have known for many years. The Cypherpunks and
> Detweiler showed how risky that was based on text interchange mediated
> by computers.
Absolutely, the people who extended trust were foolish to do so. It's very
easy to say that in retrospect. However, "it's your fault for trusting me"
doesn't play.
If I leave my home while a contractor is working on it and tell him to lock
up and slide the key under the door and he forgets to lock up and a burglar
walks in and steals all my stuff, yes, it's the contractor's fault for being
stupid and leaving my house unlocked. But that does not reduce the
culpability of the burglar, does it? If anything, it's worse to pick on
those less defended.
DS
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html