Message-ID: <200308211718.28829.alex@netWindows.org>
From: alex at netWindows.org (Alex Russell)
Subject: Re: Popular Net anonymity service back-doored

On Thursday 21 August 2003 07:05, Thomas C. Greene  wrote:
> I agree that the dirty work has to be done on the proxy, but it's
> reasonable to imagine that the client update was issued to maintain
> compatibility with whatever was done to the proxy software. Maybe the two
> are unrelated as the group says, but how can I trust them when they
> continue to soft-pedal the security implications of the back door?
>
> Yes, the code sort of shouts at you, and this may well be a deliberate
> heads up.  However, the group is still in denial, insisting that their
> service is secure (see the press release linked in the Register story).

For them, the people that know the changes they made, they can still trust the 
system as much as they ever have. I have no doubt that for them it is as 
secure as ever and I think that helps explain why they cling to this claim. 
You and I, however, don't have that advantage and therefore can't trust it.

> It's not secure, and claiming that it is taints anything else they may be
> doing on behalf of users. They're *still* saying it's impossible for anyone
> to intercept users' traffic or identify them. That simply isn't true.

To the extent that you ever trusted this statement, it is still as true as it 
ever was. What has changed is more likely your realization that the system 
relies on resources necessarily beyond your control and inspection. If their 
statement isn't true now, it wasn't true then.

> It's likely they were legally prevented from issuing a clear warning, which is
> why I say they should have taken the service down in protest.  I don't know
> German law, but I'd be surprised if the courts can force you to provide a
> communications service just so the Feds can use it.

I wouldn't be so surprised at such a ruling, although I'd really like to hear 
from someone with familiarity with German law.

> Leaving a hint in the source and waiting for someone to call them on it may
> be a legal stratagem, but it's not a good way of maintaining user trust. 
> It took too long for this to become public.  A better way to maintain trust
> would be to stage a protest shutdown, or, if that's legally risky, a silent
> shutdown and a subsequent leak to the press.  No decent reporter would
> reveal their source in a case like this, and approaching a journo based in
> another country would add another layer of protection.

If this is their proverbial cry for attention, then I kind of like the 
strategy. Consider that with explicit external notification of any sort 
(anonymous remailer, etc...), they are the ones taking action to subvert the 
system intentionally. Assuming that the opponent in this situation is a 
governmental entity with local physical enforcement power, then there's not a 
lot of situations in which they can imagine being verifiably unobserved in 
making any kind of public statement. Putting this in a CVS commit, however, 
allows them to claim that they were just trying to comply (wink wink) and 
doesn't run larger risks since there's nothing out of the ordinary to deny.

This doesn't mean I trust them, but it is probably one of the better ways for 
them to subvert the order IMO.

Regards.

-- 
Alex Russell
alex@...stlib.net
alex@...Windows.org

