Open Source and information security mailing list archives
Message-ID: <3F48889B.9080907@gmx.at>
From: darsie at gmx.at (Bernhard Kuemel)
Subject: Re: Popular Net anonymity service back-doored

Hi!

Aron Nimzovitch wrote:
> Only a fool would blindly depend on someone else's software to gain
> anonymity without examining the code.  If you need anonymity,
> then you should easily be willing to invest sweat equity, or
> have a contractual arrangement when the threat is only
> financial.  For more serious threats requiring anonymity,
> not reviewing the source when it is available seems beyond
> stupid.

And surely you would apply your opinion to any kind of 
cryptography like pgp, ssl, etc. There are millions of users out 
there who do not have the skills (programming, mathematics) to 
verify such code. Calling them beyond stupid for that is 
inappropriate. Blindly relying on software may be foolish, but if 
you keep an open eye for warnings from those that have the skills 
and do verify the code of popular software it is ok.

And - who guarantees that the code that is published is the same 
that is used on the servers? So reviewing code only helps if you 
compile and use it yourself or maybe in situations like remailer 
chains you rely on the assumption that at least one remailer will 
use the published code. But JAP IMO is not a chain of independent 
systems.

Bernhard

-- 
Low-end server housing from 25 e incl. 1x 11 e/GB, etc.: http://bksys.at

