Message-ID: <000001c2de14$b888cb00$0201a8c0@fosi>
From: steve.wray at paradise.net.nz (Steve Wray)
Subject: Cryptome Hacked!
You posed a general question;
> > This brings up the following question: What is the best method for
> > ensuring the integrity of software which requires a high level of trust?
I answered in general terms.
But to be particular, I know nothing of this person
or his software.
Is the source code available for public scrutiny or isn't it?
If not then why not?
That's a question you might like to consider.
But don't get too paranoid; it might be merely because he's trying
to make a profit out of it.
It's just that lacking scrutiny one can never be too sure.
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Morgan Marquis-Boire
> Sent: Thursday, 27 February 2003 1:44 p.m.
> To: Steve Wray
> Cc: schoe@...inc.com; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Cryptome Hacked!
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Why would John Young tamper with the software available on his site?
> Do you not think that if this were discovered it would reduce whatever
> credibility he and his site may have in the crypto community?
> Given the nature of the website and its pro-crypto stance, it makes
> little sense to me the idea that someone would deliberately weaken the
> tools provided on the site.
> In what way do you feel the tools may have been tampered with?
>
> On Thu, 27 Feb 2003 12:58:35 +1300
> "Steve Wray" <steve.wray@...adise.net.nz> wrote:
>
> > Sticking my neck out, I'd say that the *best* method would be;
> >
> > 0. Be familiar with your OS and with the programming
> > language in which the software is written and
> >
> > 1. Go over the source code line by line inspecting the
> > whole thing.
> >
> > 2. If you don't have access to the source don't trust it,
> > no way no how.
> >
> > Ok that was the dead serious part.
> >
> > 3. If people you know and trust have access to the source that
> > may mitigate failure at (2), but only marginally.
> > You need a face-to-face relationship with the parties you trust
> > and who have access to the source; email or other internet
> > relationships do not count.
> >
> > (Ok so certain types of psychopath can reliably lie and fool even
> > the clinically paranoid. Yup, even people who are psychotically
> > paranoid can be lured into disclosing their bank details by
> > a 'creative psychopath'.)
> >
> > So if you want to be able to trust it only personal inspection
> > of the source will do.
> >
> > You *did* say "high level of trust"
> >
> > Personally I don't feel a need for this level of paranoia. Phew
> > I can live my life and not feel concerned about the conversations
> > they have about me on the TV. The ones that no one else can hear.
> > Mwahahahaaaaaa
> >
> > -----Original Message-----
> > From: full-disclosure-admin@...ts.netsys.com
> > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Sung J.
> > Choe
> > Sent: Thursday, 27 February 2003 12:10 p.m.
> > To: 'full-disclosure@...ts.netsys.com'
> > Subject: [Full-Disclosure] Cryptome Hacked!
> >
> >
> > Cryptome.org, a site for privacy enthusiasts and leftists alike, was
> > apparently hacked today. Their server is up but "all files were
> > deleted". Besides the usual anti-American/anti-government vitriol that
> > is usually found at Cryptome.org, they also distribute crypto software.
> > This brings up the following question: What is the best method for
> > ensuring the integrity of software which requires a high level of trust?
> > I am almost sure that any crypto software distributed by such extremists
> > as John Young (operator of cryptome.org) has been tampered with in some
> > way. Does anybody else share this opinion?
> >
> >
> > .--------------------------------------------------.
> > | Sung J. Choe <schoe[at]oicinc.com>, TICSA |
> > | Systems Administrator, Facility Security Officer |
> > .--------------------------------------------------.----.
> > | Oceanic Imaging Consultants, Inc. |
> > | Phone #: (808) 539-3634 x3634 |
> > .-----------------------------------.
> > 568D CAD6 53A0 92E6 4A2A 4E87 3BA0 5F90 37BB 8EE7
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> - --
> Morgan Marquis-Boire
> Unix Systems Consultant
> Datacom Systems Ltd.
> (025) 954-931
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
>
> iD8DBQE+XV9mMMI56vuqwigRAtAdAKC5Xe33yGrZ0GGuTL97ze/1+aQABgCfROz1
> vnyp8oj2WYZiVsRjJq/Vk+g=
> =Wpy7
> -----END PGP SIGNATURE-----