Message-ID: <200308211908.08846.thomas.greene@theregister.co.uk>
From: thomas.greene at theregister.co.uk (Thomas C. Greene )
Subject: Final thoughts on 'Popular Net anonymity service back-doored'

This thread has generated a lot of comments and I'm very pleased to see them.
I'd like to wrap up a few items if I may.

Some Register and BugTraq readers have pointed out that there is a disclaimer 
on the JAP web site:  "Due to recent events, we would like to be sure to 
point out, that the JAP software is in development and therefore does not yet 
offer maximum protection."

Perhaps the English here is poorly worded; perhaps in the original German it's 
clearer -- I can't say because I don't read German. But this doesn't sound 
like a warning any stronger than the standard "we're human" disclaimer. It 
sounds too much like, "We've done our level best but we can't guarantee the 
service because we're still ironing out the bugs." That's how I read it, and 
how I think most people would.

No one in his right mind expects *foolproof* security, but we should expect 
prompt disclosure. The JAP folks could have taken a page from the American 
Library Association in its opposition to the Patriot Act and warned us thus: 
"We can't assure your anonymity if a court order requires us to disclose user 
behavior. We will comply with such orders, and we may be prevented from 
warning users when we receive them. To avoid this problem, you should use 
other mixes."

That would have been a decent warning imho. Instead, the JAP team and their 
partners insist that the system is still trustworthy. (I imagine it *can* be 
if you arrange outside mixes.) Some readers and posters to this thread have 
even suggested that users who can't or won't review the source code deserve 
to be harmed. Rather a mad assertion, since there are roughly 550 files in 
the JAP app. And those who can't understand what they find there should not 
be penalized for not being geeks, but should be able to trust the JAP team's 
assertions.

The JAP Web site still claims that, "No one, not anyone from outside, not any 
of the other users, not even the provider of the intermediary service can 
determine which connection belongs to which user." I call that a bald-faced 
lie.

Other readers have suggested that the JAP folks were under a gag order and did 
their best to reveal the problem by signalling the insecurity in the source 
files. I don't buy it. If they were under a gag order, then why did they post 
a confession to alt.2600? And what about the confessional press release from 
ICPP? Would a gag order be written to let them off the hook as soon as 
someone suspected something? I doubt it. The fact that they're talking about 
it now indicates that there never was a gag order. And besides, they've never 
claimed that there was one; only their apologists have.

Now consider this imaginary gag order and the JAP team's liability under it. 
If it existed, they could have gone to the press on condition of anonymity. 
Sure, the German Feds would guess who leaked it, but no decent journo would 
ever testify to that fact so it would never be established in court. The Feds 
can suspect all they want; what matters is what they can prove. Without the 
journo's cooperation they'd prove nothing. Maybe the Gestapo can pressure 
German journos, I don't know; but going to the press outside Germany would 
have been perfectly safe. Those of you who know my column can guess what I'd 
say to some foreign judge who demanded my notes.

As I said in the Register article, the real issue is disclosure. Nobody 
expects perfection. Honesty and prompt disclosure would be perfectly 
adequate.

chrz, 
t.


