lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87ptiya8ao.fsf@deneb.enyo.de>
From: fw at deneb.enyo.de (Florian Weimer)
Subject: Re: Popular Net anonymity service back-doored

"Drew Copley" <dcopley@...e.com> writes:

> I would think, I would know, there would be a moral obligation to tell
> their users. Moral... A conscience obligation, an obligation of
> conscience.

I usually interpret German privacy law much more liberally than ICPP
and was really surprised that they would do what they did, I was even
downright offended (even though I've never been a JAP user).  But
apparently they decided to fight within the legal system, so they
didn't have much choice.  Personally, I increasingly view the other
option (terminating the service and informing the former users) as a
cheap exit strategy.  The conflict would have ended there, and the
legal limits of anonymity would not have been tested in court (which
still might not happen, but there's now a realistic chance).

The JAP team has broken the unconditional promise not to spy on users,
right.  But the project continues, on another level and with fewer
users, and I hope we will still learn quite a bit from it.

> At the very least, they could have exposed this anonymously on the
> Usenet or someplace. (Indeed...)

They did, in a rather convoluted way.  I don't think it's fair to
criticize them on this point.

I'm worried mainly by three things:

  (a) Quite a few pieces of information are public now.  Why don't
      they update their web pages accordingly, including the Official
      Declaration?  (Maybe the ongoing criminal investigation
      interferes with that, maybe some employees are on vacation.)

  (b) The ICPP claims that "only the access to the IP address
      mentioned in the judicial instruction will be recorded".  The
      mix source code implements something else, which allows for far
      broader surveillance (and not for monitoring of a specific IP
      address).  Why is there such a discrepancy?

  (c) An employee of TU Dresden (the university that operates the main
      mix chain used by AN.ON) described the logging extension in
      2001, and announced its implementation for 2002.  But this
      didn't happen, and the JAP team didn't fix the fundamental
      weakness of the service, either: TU Dresden still operate both
      ends of the most usable mix cascade.

> Who cares if they watch their own wires? But, they have no right to put
> code on people's systems outside of Germany.

In fact, they didn't.  The surveillance is implemented in the mixes.
It is not compiled in by default.  The binary they ship does not
contain the code.

Actually, this is the main weakness of the JAP service: The JAP team
could implement logging on their own mixes (and this was even
documented).

> Are they saying they do not believe in boundaries anymore?

It's modern to sue German companies in the U.S. because law offers
punitive damages there (which don't exist in German law).

Legal relationships between countries are quite messy.  International
treaties are blatantly ignored or carefully undermined.  U.S. courts
claim jurisdiction over any place in the world (except the other 49
states).  In most countries, courts have applied local law to foreign
companies offering services over the Internet.

Of course you can sue the Federal Republic of Germany over the alleged
breach of your privacy, but ICPP's way of tackling the matter is more
likely to succeed, IMHO.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ