| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: alex at netWindows.org (Alex Russell) Subject: Re: Popular Net anonymity service back-doored On Thursday 21 August 2003 07:05, Thomas C. Greene wrote: > I agree that the dirty work has to be done on the proxy, but it's > reasonable to imagine that the client update was issued to maintain > compatibility with whatever was done to the proxy software. Maybe the two > are unrelated as the group says, but how can I trust them when they > continue to soft-pedal the security implications of the back door? > > Yes, the code sort of shouts at you, and this may well be a deliberate > heads up. However, the group is still in denial, insisting that their > service is secure (see the press release linked in the Register story). For them, the people that know the changes they made, they can still trust the system as much as they ever have. I have no doubt that for them it is as secure as ever and I think that helps explain why they cling to this claim. You and I, however, don't have that advantage and therefore can't trust it. > It's not secure, and claiming that it is taints anything else they may be > doing on behalf of users. They're *still* saying it's impossible for anyone > to intercept users' traffic or identify them. That simply isn't true. To the extent that you ever trusted this statement, it is still as true as it ever was. What has changed is more likely your realization that the system relies on resources necessarialy beyond your control and inspection. If their statement isn't true now, it wasn't true then. > It's likely were legally prevented from issuing a clear warning, which is > why I say they should have taken the service down in protest. I don't know > German law, but I'd be surprised if the courts can force you to provide a > communications service just so the Feds can use it. I wouldn't be so suprised at such a ruling, although I'd really like to hear from someone with familiarity with German law. > Leaving a hint in the source and waiting for someone to call them on it may > be a legal strategem, but it's not a good way of maintaining user trust. > It took too long for this to become public. A better way to maintain trust > would be to stage a protest shutdown, or, if that's legally risky, a silent > shutdown and a subsequent leak to the press. No decent reporter would > reveal their source in a case like this, and approaching a journo based in > another country would add another layer of protection. If this is their proverbial cry for attention, then I kind of like the strategy. Consider that with explicit external notification of any sort (anonymous remailer, etc...), they are the ones taking action to subvert the system intentionally. Assuming that the opponent in this situation is a governmental entity with local physical enforcement power, then there's not a lot of situations in which they can imagine being verifiably unobserved in making any kind of public statement. Putting this in a CVS commit, however, allows them to claim that they were just trying to comply (wink wink) and doesn't run larger risks since there's nothing out of the ordinary to deny. This doesn't mean I trust them, but it is probably one of the better ways for them to subvert the order IMO. Regards. -- Alex Russell alex@...stlib.net alex@...Windows.org
Powered by blists - more mailing lists