lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: yossarian at planet.nl (yossarian)
Subject: Cryptome Hacked!

Cryptome Hacked!Sung J. Choe wrote:
>> Let me turn around the issue a bit - any crypto software distributed with
the blessing or very active support in >>development of the Powers That Are
in No Such Agency
>That is my point exactly.  Anybody foolish enough to think that the US govt
would allow unbreakable crypto to be loose in >the public domain is insane.
Just imagine an international financial network with transactions conducted
in total secrecy: the >govt would and should never allow that.

Well, you are basically saying the US should seek to police the public
domain. The real issue is not about allowing, but about policing. You cannot
disallow what you don't control. I might be an insane leftist, but I think
the US can NOT control 5 bil. people. What it can do, is alienate more
people. Overextending an empire is usually an indication of its downfall, as
Toynbee has argued. A really effective strategy would be on the lines of how
the cold war was won, as outlined by George Kennan in 1949: containment.

If unbreakable crypto exists, which I really doubt, chances are it might
just be built outside the US of A. The new standard for crypto in the US is
Made in Belgium (Rijndael/AES). Boycotting french wine is one thing, but not
having good crypto in your own defence is insane. The belgian government is
really opposing Mr. Bush - and might just stay on this course.

The arabs invented algebra, so why shouldn't a 19 y/o living in Zaoezouate
invent unbreakable crypto? What then? Nuke the B******? I think we will just
have to accept that the good ol' US cannot be a John Wayne style sheriff in
the real world.

Judging the amount of crypto stuff in the public domain, policing
development of strong ciphers will be practically impossible for the next 20
years, anyway. Just take a look at Citeseer, and query something on AES, for
instance. You''l see what I mean.

>> can we stay clear of political statements on this forum
>I apologize for some of the political statements in my post.  However,
please take seriously my questions as they are valid >for this forum given
TIA (Total Information Awareness) and the current state of global security.
I appreciate any creative >insight anybody may have regarding my question.

TIA was stopped, if I am informed correctly. If it ever takes off, the
legalities of it will be really harmfull to international relations. And
what do you mean, given TIA - let John Poindexter, the man who considered it
his job to lie to Congress, go ahead? TIA is no more than a concept, no
facts have yet been found, just a hype on digital Pearl Harbours created
that is already dying, see the exit Mr. Clarke.

TIA is great for the IT industry, but the probability of it catching a real
evil person are nil. It is a huge relational database - how will its data
integrity be? Statistically, a very good database has 91% correct records.
Since TIA will hold intel on all american citizens, and every person
visiting the country, some 50M per year, it will have some 300M records on
people alone at kick-off. At best, only 27.000.000 people per year will have
to be investigated, just to weed out errors. How long does an average
investigation take? How many men in blue and men in black will you need? Who
is to pay. The question in international politics still is: How many tanks
does the Pope have - not how many hackers. Consider the amount of data
replicated. How fast will such a system grow? What boggles my mind - but
hey, I'm dutch -it will list people buying certain books (see patriot act),
but it will not list the guns people own. This should be huge amounts of
data - or do average American own more guns than books? Sorry, that's
politics. On a single person, how many fields will it have? 5K? How
up-to-date will it have to be? In such a registration, will all the other
underlying systems give valid data? Will the services and agencies providing
these data, all of sudden start in knowing the whereabouts of all foreign
students, etc.? Garbage in still is you know what out. SDI was a brilliant
move, breaking the soviet economy with a technical phantom. But TIA will not
start a technological arms race. Have you recently checked the stats on
large IT projects - they fail. This one will be huge. So the state of global
security will not and cannot be served by a large scale IT approach - the
bigger the system and the more players iinvolved - the smaller its chances
for success. TIA will at best be a technical and financial disaster, robbing
the armed forces of the budgets for real weapons - which I doubt they need,
anyway, and robbing the rank-and-file of the forces of a raise in pay they
really DO need.

> Please feel free to disregard the other statements.
I will. You can do the same with mine.

Sung J. Choe <SChoe[at]oicinc.com>, TICSA
Systems Administrator, Facility Security Officer
     Oceanic Imaging Consultants, Inc. / www.oicinc.com   Ph #: (808)
539-3634

-----Original Message-----
From: yossarian [mailto:yossarian@...net.nl]
Sent: Wednesday, February 26, 2003 2:17 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Cryptome Hacked!


Well, the mirror on lessgov is gone too.But http://cryptome.sabotage.org/ is
still up, anyway. So you can see for yourself that they have PGP as the only
crypto product they offer. If they have altered it, anyone can see by
comparing the source, which they also provide (both stored offsite, and also
unavailable right now)

I can believe that you are almost sure, but since this is a fact you can
verify, why assume, why not prove it?

Let me give you a hint: Look at the paper from Claude Crepeau and Alain
Slakmon on Simple Backdoors to RSA key generation. If you want to alter PGP
in a way difficult to detect, this would be the way. Any other way would be
too obvious. If you see how feasable this is, rethink your position. Any
keyscheme you use may be backdoored, so generating your own keypairs might
just not suffice.

Let me turn around the issue a bit - any crypto software distributed with
the blessing or very active support in development of the Powers That Are in
No Such Agency, would you assume that there is no backdoor? Just google on
Key Recovery features, in P1363 or any other mainstream PKI - search on
project Krisis by the EU, or look at the archived site kra.org (on
archive.org), look at the discussions related to the wassenaar agreements.
See the continuing story from clipper chip via Key Escrow to CKI on certain
if not all governments wanting access to your keys for policing? What if the
company you serve has offices all over the world? Will you give the
cryptokeys to all the countries were you have offices? Remember that ex-C1A
boss Wooley admitted 'checking' on European companies, whether they violated
trade embargoes? How? As security professionals we need to be aware on who
might be reading our confidential information - and then decide whether this
is acceptable to the company whose data you must secure. Don't forget that
maybe some gov. agencies might lose the keys to the data you should be
protecting. What a nice liability case it would be, heh!. Say I open an
office in Australia - and the gov there wants root to my systems, for
policing. Should I give them access to the corporate network or just the
Australian office? But will my network zoning suffice, to keep them off,
say, my Miami office's network? Is it legal in Florida giving access to
unspecified police or intelligence communities in other countries to data,
maybe even sensitive to national security? This will be a definite No, so in
order not to break the law in one country, I must break it in another
country. How to risk manage this?

On a personal note: I am almost sure that the risk to my personal well-being
by the American/Government, albeit small, is bigger than that posed by
extremists as John Young, who do not have much means, budget or interest in
bothering me. Taking on the US govt, as they do, they'll have there hands
full.

And Plz. can we stay clear of political statements on this forum, this is
one of the few places I can hang around and not be bothered by political
statements, not linked at all to the subjectmatter of the list?

Yossarian
----- Original Message -----
From: Sung J. Choe
To: 'full-disclosure@...ts.netsys.com'
Sent: Thursday, February 27, 2003 12:10 AM
Subject: [Full-Disclosure] Cryptome Hacked!


Cryptome.org, a site for privacy enthusiasts and leftists alike, was
apparently hacked today.  Their server is up but "all files were deleted".
Besides the usual anti-American/anti-government vitriol that is usually
found at Cryptome.org, they also distribute crypto software.  This brings up
the following question: What is the best method for ensuring the integrity
of software which require a high level of trust?  I am almost sure that any
crypto software distributed by such extremists as John Young (operator of
cryptome.org) has been tampered with in some way.  Does anybody else share
this opinion?


.--------------------------------------------------.
| Sung J. Choe <schoe[at]oicinc.com>, TICSA        |
| Systems Administrator, Facility Security Officer |
.--------------------------------------------------.----.
                    | Oceanic Imaging Consultants, Inc. |
                    | Phone #: (808) 539-3634 x3634     |
                    .-----------------------------------.
568D CAD6 53A0 92E6 4A2A  4E87 3BA0 5F90 37BB 8EE7

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ