Date: Mon, 12 Nov 2007 13:15:53 -0800
From: johan beisser <jb@...stic.org>
To: "Matt D. Harris" <mdh@...itox.net>
Cc: Paul Sebastian Ziegler <psz@...erved.de>,
	bugtraq@...urityfocus.com
Subject: Re: Standing Up Against German Laws - Project HayNeedle


On Nov 12, 2007, at 11:27 AM, Matt D. Harris wrote:

> However some of these issues can be mitigated without too much  
> trouble.  For example, one could have a dynamically growing  
> dictionary of words to search for based on random words in random  
> results pages that it grabs.  At the very least, this would kill  
> any attempts to filter it out of the data mining system.

That'd be a significantly different approach. Even grabbing data from
the previously browsed cache would also work, as far as seeding the
dictionary goes.

> If the point of the system is primarily to create plausible  
> deniability for the end-user, that is, to allow them to say  
> "hayneedle hit the site, not me, so I am innocent", then I'd say it  
> could be effective in that regard barring some proviso in the law
> that allows them to persecute someone who did not actually even
> visit a site of their own volition. Beyond that, it's also  
> effective in terms of turning up the noise to signal ratio and  
> making this law that much less effective, while placing a greater
> burden on ISPs who are then more likely to lobby against it ever
> more vigorously.... all while remaining entirely 'white area' in  
> terms of functionality.

If I read the law correctly, it requires retention of "what IP  
connected to another IP" and "which phone number called where." It  
doesn't bother retaining the URL called (my German is rusty, so I may  
be a little off in my interpretation). Connecting to a random IP on a
random open port (80 and 443, for example) would be a good start to
accomplish the goal of creating chatter. The issue is that the search
terms to find those ports could lead to connecting to a site that  
increases your profile against general background chatter, even as it  
is raised with random connection traffic.

In that light, I'd regard use of something akin to TOR as a slightly
better solution for protecting privacy and filling up logs.

> I understand your post, but I don't think Mr. Ziegler was over- 
> selling his product's effectiveness beyond what it is really  
> capable of.

I wasn't saying there was any overselling of the effectiveness. I do
think the approach is innately flawed from a privacy standpoint.
