Date: Thu, 13 Oct 2011 22:09:18 -0400
From: Valdis.Kletnieks@...edu
To: "andrew.wallace" <andrew.wallace@...ketmail.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Possible German Governmental Backdoor found ("R2D2")

On Thu, 13 Oct 2011 17:51:24 PDT, "andrew.wallace" said:
> I'm not moderated, I was completely brick walled. I rely on the industry to post my stuff on my behalf.

Let's see. "not moderated, completely brick walled". How well does that hold up?

The note you replied to left the full-disclosure site at this time:

Received: from lists.grok.org.uk (EHLO lists.grok.org.uk) ([77.66.26.37])       by zidane.cc.vt.edu (MOS 4.2.2-FCS FastPath queued)     with ESMTP id QWF63339; Thu, 13 Oct 2011 17:40:50 -0400 (EDT)
Received: from lists.grok.org.uk (localhost [127.0.0.1])        by lists.grok.org.uk (Postfix) with ESMTP id B28BF3D3; Thu,  13 Oct 2011 22:40:46 +0100 (BST)

The timestamp on zidane is reliable, it's NTP synced.  So I have a high degree
of confidence that the following line (4 seconds before) is also a reliable
timestamp of when Postfix enqueued Byron's mail.  So pretty much nobody
should be in possession of a copy much before that timestamp.

Your reply stating the list was moderated has:

Received: from localhost (localhost [127.0.0.1]) 	by rikku.cc.vt.edu (MOS 3.10.10a-GA)	id LLD06213; Thu,  13 Oct 2011 17:44:34 -0400 (EDT)
Received: from steiner.cc.vt.edu (steiner.cc.vt.edu [198.82.163.51]) 	by rikku.cc.vt.edu (MOS 3.10.10a-GA)	with ESMTP id LLD06212; Thu,  13 Oct 2011 17:44:33 -0400 (EDT)
(a few omitted)
Received: (qmail 73517 invoked by uid 60001); Thu, 13 Oct 2011 21:44:32 +0000
Received: from [82.40.88.173] by web59615.mail.ac4.yahoo.com via HTTP; Thu,  13 Oct 2011 14:44:32 -0700 (PDT)
X-mailer: YahooMailWebService/0.8.114.317681
Message-id: <1318542272.69082.YahooMailNeo@...59615.mail.ac4.yahoo.com>

So you replied to it from Yahoo a whole 3 minutes and 46 seconds after it was
posted, which means that you had a copy even earlier (given that it takes at
least a little time to compose and send a reply in Yahoo's webmail interface -
even longer if the message isn't in a Yahoo mailbox already (this becomes
relevant further on).  Now how could this have come to pass?

Conclusion:  One of the following explanations of how you got a copy is true:

0) The message doesn't show any cc: fields, but Byron *could* have included a
Bcc: field to include you, or somebody else who then followed step (2) below.
Personally, I'm doubtful, as there's no obvious *reason* for Byron to have done
so on this particular message (in particular, no reason to have used a bcc:
instead of a cc:)  But I'll let him speak to that himself.  There's also the
minor breach of netiquette of replying to a bcc:'ed note, thus revealing the
fact you were on the bcc:. Overall likelihood:  Doubtful.

1) You have control of an account that is subscribed to the list (and thus
receives messages) that eventually ends up at Yahoo, but are unable to post
from that address, and did a "reply" the instant it showed up in your Yahoo
mailbox. This goes somewhat against your claim that you're totally "brick
walled".  But other than that, it holds up remarkably well.  Plenty of time to
get a "You have new mail" notification, open it, pop in a one-line reply, and
hit send.

1a) Some address is subscribed to the list, and acting as a "list exploder" by
forwarding to multiple addresses not on the original list, including an address
you control at Yahoo. Fairly unlikely, as these have fallen out of favor in the
last few years, precisely because the semantics of "reply" and bounce messages
through a list exploder are very hard to get right (this is only easy to do in
walled-garden scenarios like an Exchange cluster where you control the
horizontal and vertical - once you let an outside MUA like YahooMail get
involved, it goes pear-shaped very quickly).

2) Somebody else received the post, thought of you, forwarded it to you so you
could receive it, and you replied to it, all within less than 4 minutes.  If so, please
speak to the person you received it from, as their forward incorrectly re-used
this from Byron's post:

Message-id: <4E975936.9010507@...il.com>

resulting in your message containing this:

In-reply-to: <4E975936.9010507@...il.com>

See RFC5322, section 3.6.4 for details.  Manual forwarding of a message
is quite clearly a "new" message, so the Message-ID: should be regenerated.
Since the vast majority of MUAs get this right, I rank this as low-probability.

3) You spend *far* too much time hitting refresh on list archive web pages and
then hand-composing a reply into Yahoo Mail.  Congrats on figuring out how to
get Yahoo Mail to include the In-Reply-To: header, that takes some doing.

4) You have some other reasonable explanation of how you came to be in
possession of a copy just a few minutes after it was posted.

Overall:  (1) is highly likely, (3) is very sad if true, jury's still out on
(4) till we hear something plausible, rest are unlikely.


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
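The timing argument in the post above rests on reading Received: headers backwards, normalising every hop to UTC, and comparing the first hop of each message. Below is an added example of doing that mechanically; it is not part of Valdis's post or of any tool he describes. The two header sets are constructed from the lines quoted in the message (the omitted hops are left out; the obfuscated Message-ID domains are kept as they appear), and the hop-name regex and the dictionary layout are this example's own assumptions.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the Received:, Message-ID: and In-Reply-To: values quoted
# in the post above. Each message's Received: lines are listed in header order
# (topmost = most recent hop). The "(a few omitted)" hops are not included.
ORIGINAL_POST = {
    "Message-ID": "<4E975936.9010507@...il.com>",
    "Received": [
        "from lists.grok.org.uk (EHLO lists.grok.org.uk) ([77.66.26.37]) "
        "by zidane.cc.vt.edu (MOS 4.2.2-FCS FastPath queued) with ESMTP id QWF63339; "
        "Thu, 13 Oct 2011 17:40:50 -0400 (EDT)",
        "from lists.grok.org.uk (localhost [127.0.0.1]) by lists.grok.org.uk (Postfix) "
        "with ESMTP id B28BF3D3; Thu,  13 Oct 2011 22:40:46 +0100 (BST)",
    ],
}
REPLY = {
    "Message-ID": "<1318542272.69082.YahooMailNeo@...59615.mail.ac4.yahoo.com>",
    "In-Reply-To": "<4E975936.9010507@...il.com>",
    "Received": [
        "from localhost (localhost [127.0.0.1]) by rikku.cc.vt.edu (MOS 3.10.10a-GA) "
        "id LLD06213; Thu,  13 Oct 2011 17:44:34 -0400 (EDT)",
        "from steiner.cc.vt.edu (steiner.cc.vt.edu [198.82.163.51]) by rikku.cc.vt.edu "
        "(MOS 3.10.10a-GA) with ESMTP id LLD06212; Thu,  13 Oct 2011 17:44:33 -0400 (EDT)",
        "(qmail 73517 invoked by uid 60001); Thu, 13 Oct 2011 21:44:32 +0000",
        "from [82.40.88.173] by web59615.mail.ac4.yahoo.com via HTTP; "
        "Thu,  13 Oct 2011 14:44:32 -0700 (PDT)",
    ],
}


def received_time(header: str) -> datetime:
    """Timestamp of one Received: line, normalised to UTC.

    RFC 5322 puts the date after the last ';' of the clause. The parenthesised
    zone name after the numeric offset is a comment, which the parser ignores.
    """
    _clause, _sep, date = header.rpartition(";")
    dt = parsedate_to_datetime(date.strip())
    if dt.tzinfo is None:  # "-0000" means "zone unknown"; treat the value as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def hop_name(header: str) -> str:
    """Best-effort label for the host that added a Received: line (assumed pattern)."""
    clause = header.rpartition(";")[0]
    if clause.startswith("(qmail"):
        return "qmail"
    m = re.search(r"\bby\s+([A-Za-z0-9.\-]+)", clause)
    return m.group(1) if m else "unknown"


def timeline(msg: dict) -> list:
    """Hops in chronological order; relays prepend Received:, so reverse the list."""
    return [(hop_name(h), received_time(h)) for h in reversed(msg["Received"])]


def hop_order_violations(msg: dict) -> list:
    """Pairs of consecutive hops where the later hop carries an earlier stamp.

    A chain of NTP-synced relays is monotonic. A violation points at a skewed
    clock or a rearranged/forged Received: line, and any timing argument that
    leans on that hop should be discounted.
    """
    hops = timeline(msg)
    return [(hops[i][0], hops[i + 1][0])
            for i in range(len(hops) - 1)
            if hops[i + 1][1] < hops[i][1]]


def first_hop_time(msg: dict) -> datetime:
    """When the message first entered the mail system (earliest Received: stamp)."""
    return min(t for _name, t in timeline(msg))


def reply_latency_seconds(original: dict, reply: dict) -> int:
    """Seconds from the original being enqueued to the reply being submitted."""
    return int((first_hop_time(reply) - first_hop_time(original)).total_seconds())


def is_direct_reply(original: dict, reply: dict) -> bool:
    """True if In-Reply-To: threads the reply to the original's Message-ID:."""
    return reply.get("In-Reply-To") == original.get("Message-ID")


if __name__ == "__main__":
    for label, msg in (("original", ORIGINAL_POST), ("reply", REPLY)):
        for name, t in timeline(msg):
            print(f"{label:8s} {t.isoformat()} {name}")
        print(f"{label:8s} order violations: {hop_order_violations(msg)}")
    secs = reply_latency_seconds(ORIGINAL_POST, REPLY)
    print(f"reply submitted {secs // 60} min {secs % 60} s after the original was enqueued")
    print("threaded as a direct reply:", is_direct_reply(ORIGINAL_POST, REPLY))
```

Run as-is, the script reproduces the post's arithmetic: the Postfix enqueue stamp is 21:40:46Z, the Yahoo submission stamp is 21:44:32Z, and the gap is 226 seconds (3 min 46 s). The monotonicity check passes for both chains, which is what lets the earliest stamp be trusted as "when this message existed"; on a chain where it fails, the earliest stamp is exactly the one you should not build a conclusion on.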
