Message-ID: <200308220035.17061.mail@richardstevens.de>
Date: Fri, 22 Aug 2003 00:35:13 +0200
From: Richard Stevens <mail@...hardstevens.de>
To: "Drew Copley" <dcopley@...e.com>, <bugtraq@...urityfocus.com>
Subject: Re: Popular Net anonymity service back-doored


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

First, let me make one thing clear, I think what happened is very bad. They 
should have done anything else but secretly bug their system. But your logic 
is seriously flawed.

> German police have no jurisdiction in the US, for instance, just as the
> US police have no jurisdiction in Germany -- apart from whatever
> agreement Germany has made with the US regarding post-WWII treaties or
> whatever.

Very unpleasant for sure but also highly irrelevant. The people running AN.ON 
are German entities operating under German laws being situated in Germany. 
They were the ones that received the court order so they had to do something. 
If there are international users or not is really highly irrelevant in this 
case. Nobody claimed that German police or courts had jurisdiction in the US. 

> Still, I do not think anyone would be pleased if it was found that the
> NSA backdoored a US product. How much moreso of a problem would this be
> if local police backdoored a system such as this anonymity system?

Well, you can be sure, people are not pleased here, either. But do you really 
think if American police or better yet the FBI would demand some kind of 
tracking for an anonymizer in the US, they'd care about international users? 
Maybe the individuals operating the anonymizer would react better but I'd be 
surprised if American law enforcement agencies wouldn't use similar measures 
if they could by law (not sure about American laws). 

> This kind of crime sends a message to would be hackers. It says that it
> is okay to hack if the end is justified. Hackers, you may not have
> jurisdiction in Germany, but if you are hacking pedophiles or Neo-Nazis,
> they are law breakers, so your means must be okay. Do people really want
> this? Can anyone really be trusted with this? Wouldn't they hit the
> wrong people and make all sorts of bad mistakes for which they would not
> be held accountable for?

Not really. It's not a crime. You can argue about the correctness of their 
decision to secretly implement this backdoor in an *anonymizer* instead of 
standing up and tearing the service down. But following a valid court order 
is not a crime. Even though I really don't like those laws but spying on 
people seems to be hip after the events of September 11th. 

Regards,

Richard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/RUkkCfA4EwqVdIQRAh7JAJ9Tgt7ZqhaQAuJ7eWt+bp0AlStjaACg7Hrc
W0PYxdAfEnCot0ORC2LlS+s=
=25Si
-----END PGP SIGNATURE-----


