lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.30.QNWS.0308221327520.13628-100000@thetis.deor.org>
From: wolf at priori.net (Meyer Wolfsheim)
Subject: Re: Popular Net anonymity service back-doored (fwd)

On Fri, 22 Aug 2003, Thomas Shaddack wrote:

> Yet more info. Let's not overreact before we get complete dataset.

It is worth noting that the notice mentioned below was placed on the JAP
website only after the news of the back channel was made public on Usenet
and the various security mailing lists.

Not the most laudable behavior, to say the least.


-MW-

> ---------- Forwarded message ----------
> Date: Fri, 22 Aug 2003 09:34:27 +0200
> Subject: Re: Popular Net anonymity service back-doored
> From: nordi <nordi@...com.de>
> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
>
> On Thursday, 21. August 2003 14:05, Thomas C. Greene  wrote:
> > It's not secure, and claiming that it is taints anything else they may be
> > doing on behalf of users. They're *still* saying it's impossible for anyone
> > to intercept users' traffic or identify them.
>
>
> Actually, this is absolutely not what they are saying. When you visit the
> website of the JAP project http://anon.inf.tu-dresden.de/ it says in big, red
> letters:
>
> "Aus aktuellem Anlass weisen wir noch einmal ausdr|cklich daraufhin, dass
> sich die JAP Software in Entwicklung befindet und noch nicht maximale
> Sicherheit bietet. (siehe unten ... )"
>
> In English this means something like
>
> "Due to recent events we explicitly inform you of the fact that the JAP
> software is still being developed and does not yet provide maximum security.
> (see below ...)"
>
> As I said: big, red letters at the top of their main page. And when you click
> that "see below" link it says there "Attention! [...] This version does NOT
> yet implement the security features described above and desired by us. But it
> does alread protect you against atackers that control the net only locally at
> one place such as [...] the owner of a mix."
>
> So by the time you download that software you should have already read _two_
> statements telling you that JAP is not as secure as it could be. It also
> tells you that in the current configuration, the JAP people can see all your
> traffic if they want to: Note that it says it will protect you against "the
> owner of _A_ mix". But if you take the Dresden-Dresden cascade, the JAP
> people obviously control _all_ of them. And the above statement already
> implies that in this case, JAP cannot protect you.
>
>
> If you still want to use JAP,
> http://www.heise.de/newsticker/data/uma-20.08.03-000/ (in German) tells you
> how to do it securely: simply use just a single mix that is not controlled by
> the JAP project and you'll be fine. The court order is only valid for the JAP
> people, so everybody else in Germany (and elsewhere of course) can offer a
> non-backdoored mix which will make the cascade secure. This actually means
> that all cascades but the Dresden-Dresden one are secure.
>
>
> MfG
> nordi
>
>
> --
> Denn der Menschheit drohen Kriege, gegen welche die vergangenen wie armselige
> Versuche sind, und sie werden kommen ohne jeden Zweifel, wenn denen, die sie
> in aller Vffentlichkeit vorbereiten, nicht die Hdnde zerschlagen werden.
> Bertolt Brecht, 1952
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ