lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000001c2de14$b888cb00$0201a8c0@fosi>
From: steve.wray at paradise.net.nz (Steve Wray)
Subject: Cryptome Hacked!

You posed a general question;

> > This brings up the following question: What is the best method for
> > ensuring the integrity of software which require a high 
> level of trust?

I answered in general terms.

But to be particular, I know nothing of this person
or his software.

Is the sourcecode available for public scrutiny or isn't it?

If not then why not?

Thats a question you might like to consider.

But don't get too paranoid it might be merely because he's trying
to make a profit out of it.

Its just that lacking scrutiny one can never be too sure.

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Morgan Marquis-Boire
> Sent: Thursday, 27 February 2003 1:44 p.m.
> To: Steve Wray
> Cc: schoe@...inc.com; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Cryptome Hacked!
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Why would John Young tamper with the software available on his site?
> Do you not think that if this were discovered it would reduce 
> what ever
> credibility he and his site may have in the crypto community?
> Given the nature of the website and its pro-crypto stance, it makes
> little sense to me the idea that some one would deliberately 
> weaken the 
> tools provided on the site.
> In what way do you feel the tools may have been tampered with?
> 
> On Thu, 27 Feb 2003 12:58:35 +1300
> "Steve Wray" <steve.wray@...adise.net.nz> wrote:
> 
> > Sticking my neck out, I'd say that the *best* method would be;
> > 
> > 0. Be familiar with your OS and with the programming
> > language in which the software is written and 
> > 
> > 1. Go over the source code line by line inspecting the
> > whole thing.
> > 
> > 2. If you don't have access to the source don't trust it,
> > no way no how.
> > 
> > Ok that was the dead serious part.
> > 
> > 3. If people you know and trust have access to the source that
> > may mitigate failure at (2), but only marginally. 
> > You need a face-to-face relationship with the parties you trust 
> > and who have access to the source; email or other internet 
> > relationships do not count.
> > 
> > (Ok so certain types of psychopath can reliably lie and fool even
> > the clinically paranoid. Yup, even people who are psychotically
> > paranoid can be lured into disclosing their bank details by
> > a 'creative psychopath'.)
> > 
> > So if you want to be able to trust it only personal inspection
> > of the source will do.
> > 
> > You *did* say "high level of trust"
> > 
> > Personally I don't feel a need for this level of paranoia. Phew
> > I can live my life and not feel concerned about the conversations
> > they have about me on the TV. The ones that noone else can hear.
> > Mwahahahaaaaaa
> > 
> > -----Original Message-----
> > From: full-disclosure-admin@...ts.netsys.com
> > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Sung J.
> > Choe
> > Sent: Thursday, 27 February 2003 12:10 p.m.
> > To: 'full-disclosure@...ts.netsys.com'
> > Subject: [Full-Disclosure] Cryptome Hacked!
> > 
> > 
> > Cryptome.org, a site for privacy enthusiasts and leftists alike, was
> > apparently hacked today.  Their server is up but "all files were
> > deleted".  Besides the usual anti-American/anti-government 
> vitriol that
> > is usually found at Cryptome.org, they also distribute 
> crypto software.
> > This brings up the following question: What is the best method for
> > ensuring the integrity of software which require a high 
> level of trust?
> > I am almost sure that any crypto software distributed by 
> such extremists
> > as John Young (operator of cryptome.org) has been tampered 
> with in some
> > way.  Does anybody else share this opinion? 
> > 
> > 
> > .--------------------------------------------------. 
> > | Sung J. Choe <schoe[at]oicinc.com>, TICSA        | 
> > | Systems Administrator, Facility Security Officer | 
> > .--------------------------------------------------.----. 
> >                     | Oceanic Imaging Consultants, Inc. | 
> >                     | Phone #: (808) 539-3634 x3634     | 
> >                     .-----------------------------------. 
> > 568D CAD6 53A0 92E6 4A2A  4E87 3BA0 5F90 37BB 8EE7 
> >  
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> 
> - -- 
> Morgan Marquis-Boire
> Unix Systems Consultant
> Datacom Systems Ltd.
> (025) 954-931
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> 
> iD8DBQE+XV9mMMI56vuqwigRAtAdAKC5Xe33yGrZ0GGuTL97ze/1+aQABgCfROz1
> vnyp8oj2WYZiVsRjJq/Vk+g=
> =Wpy7
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ