Date: Sun, 11 Nov 2007 21:26:51 +0000
From: Duncan Simpson <dps@...pson.demon.co.uk>
To: Jan Newger <memger@....net>
Cc: bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle


I know this is obvious to everyone on bugtraq, but nobody seems to have told 
P.S.Ziegler yet. (He might or might not be aware of these facts).

If the report is right and logs recording you connecting and obtaining an IP 
address are a concern then you should be terrified already. I suspect that I 
could reconstruct much of what you did online given access to all the 
associated logs. Getting an IP address from a DHCP server and using almost 
any other service whatsoever usually generates at least an IP address and 
timestamp. Bind 9 has logs, and they are on by default, so big brother might 
be able to deduce a lot just using your ISP's DNS logs.
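To make the point above concrete, here is an added worked example (my code, not part of the original post) that joins a DHCP server's lease log with a resolver's query log and produces a per-device timeline of the domain names looked up. The sample log lines are constructed for the example: they imitate ISC dhcpd syslog output and BIND 9 query-log output (which assumes query logging is enabled), both servers are assumed to share one clock, the syslog year is supplied as a parameter because syslog lines omit it, and the lease model is simplified to "the current holder of an address is whoever received the most recent DHCPACK for it" (a real reconstruction would also honour releases and expiry). Seeing how little is needed to attribute lookups to a device is what should drive decisions about what to log, how long to keep it, and who can read it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the original post). DHCP lines imitate
# ISC dhcpd syslog output; DNS lines imitate BIND 9 query-log output.
DHCP_LOG = """\
Nov 11 20:58:02 gw dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:01 (alice-laptop) via eth0
Nov 11 21:05:40 gw dhcpd: DHCPACK on 10.0.0.6 to aa:bb:cc:dd:ee:02 (bob-pc) via eth0
Nov 11 21:20:00 gw dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:02 (bob-pc) via eth0
"""

DNS_LOG = """\
11-Nov-2007 21:00:15.001 client 10.0.0.5#40001: query: mail.example.net IN A + (10.0.0.1)
11-Nov-2007 21:07:02.417 client 10.0.0.6#40002: query: news.example.org IN A + (10.0.0.1)
11-Nov-2007 21:21:30.900 client 10.0.0.5#40003: query: shop.example.com IN AAAA + (10.0.0.1)
11-Nov-2007 21:22:11.122 client 10.0.0.9#40004: query: unknown.example IN A + (10.0.0.1)
"""

DHCP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))?"
)
DNS_RE = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client (?P<ip>[^#\s]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_dhcp(log, year):
    """Return {ip: [(ack_time, mac, hostname), ...]} sorted by time per IP.
    Syslog lines carry no year, so the caller supplies it (assumption)."""
    leases = defaultdict(list)
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day field
        ts = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
        leases[m["ip"]].append((ts, m["mac"].lower(), m["host"] or ""))
    for acks in leases.values():
        acks.sort()
    return leases


def parse_dns(log):
    """Yield (time, client_ip, qname, qtype) for each BIND-style query line."""
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        yield ts, m["ip"], m["qname"], m["qtype"]


def owner_at(leases, ip, when):
    """Most recent DHCPACK for `ip` at or before `when`, or None.
    Simplified lease model: ignores releases and expiry (assumption)."""
    owner = None
    for start, mac, host in leases.get(ip, []):
        if start <= when:
            owner = (mac, host)
        else:
            break
    return owner


def attribute_queries(dhcp_log, dns_log, year=2007):
    """Join each DNS query to the device holding its source IP at that moment."""
    leases = parse_dhcp(dhcp_log, year)
    rows = []
    for ts, ip, qname, qtype in parse_dns(dns_log):
        owner = owner_at(leases, ip, ts)
        rows.append({
            "time": ts.isoformat(sep=" "),
            "ip": ip,
            "mac": owner[0] if owner else None,
            "host": owner[1] if owner else None,
            "qname": qname,
            "qtype": qtype,
        })
    return rows


def timeline_by_device(dhcp_log, dns_log, year=2007):
    """Group looked-up names by device MAC; queries from IPs with no lease
    record land under 'unattributed'."""
    timeline = defaultdict(list)
    for row in attribute_queries(dhcp_log, dns_log, year):
        timeline[row["mac"] or "unattributed"].append(row["qname"])
    return dict(timeline)


if __name__ == "__main__":
    for row in attribute_queries(DHCP_LOG, DNS_LOG):
        print(f'{row["time"]}  {row["ip"]:<10} {row["mac"] or "-":<18} '
              f'{row["host"] or "-":<13} {row["qtype"]:<5} {row["qname"]}')
```

The third query is the edge case worth noticing: 10.0.0.5 was reassigned from alice-laptop to bob-pc at 21:20:00, so the 21:21:30 lookup is attributed to bob-pc, not to the address's earlier holder. The fourth query comes from an address with no lease record at all and is left unattributed rather than guessed.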

When I say that I got this spam from IP address X at time Y, and give full 
headers to back this up, most ISPs work out who was responsible and nuke their 
account. I do not think the "a virus sent that spam not me" or "nobody told me 
not to send spam" line is very effective. If you allowed a virus to send spam 
then the internet does not need your box. Period.

The signal-to-noise logic probably does work, but I am not sure the legal 
angle does. If you *deliberately* ran the software that accidentally 
downloaded that kiddie porn the suggested angle might not work.

A law requiring log data to be retained for 6 months should be a major problem 
to enforce. Last time I think the UK mooted this it did not happen 
(disclaimer: this might have been a trial balloon designed to generate flak). 
My reaction at the ISP end was "OK, will you buy us the extra hardware 
required?" with the intention that the answer would be "no" and the plan quietly 
killed. (Thinking that plain daft things will not be enacted is not always 
reliable, unfortunately).

Of course the "hand over your keys" law is a lot less effective than the 
government thinks. If an hour has passed they can have my host private key; 
by then I no longer have one of the keys required.

-- 
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."

