[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Popular Net anonymity service back-doored

To: "Email List: Full Disclosure" <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disclosure] Re: Popular Net anonymity service back-doored
From: "Dave Howe" <DaveHowe@cmn.sharp-uk.co.uk>
Date: Wed, 27 Aug 2003 10:38:31 +0100

Bernhard Kuemel wrote:
> And surely you would apply your opinion to any kind of
> cryptography like pgp, ssl, etc. There are millions of users out
> there who do not have the skills (programming, mathematics) to
> verify such code. Calling them beyond stupid for that is
> inappropriate. Blindly relying on software may be foolish, but if
> you keep an open eye for warnings from those that have the skills
> and do verify the code of popular software it is ok.
Agreed strongly.
I am a (perhaps) adequate programmer, and I can use crypto toolkits and/or
impliment algos I find in books/online
I freely admit I don't have a hope in hell of finding a flaw in the crypto
itself - that is why I stick to peer-reviewed algos and, where possible,
crypto libraries that other programmer/cryptographers have peer-reviewed
(yes, I try to carry out my own source-code reviews. no, I don't have the
time or resources to evaluate a big project like pgp 6.x; I certainly
compile my own ckt builds, but I have reviewed less than 5% of the code,
which is probably a lot more than most skilled programmers would even
bother to do - and even then, mostly in modules that are concerned with
memory locking (as I am more interested in how pgp does this than the
crypto itself)

> And - who guarantees that the code that is published is the same
> that is used on the servers?
well, I would - I wouldn't dream of running a server whose code I hadn't
compiled myself; I would also zip up source, zip up binaries and
detached-sign both to form a final archive available for download from my
server. However, how far can I take that? assuming that I run linux and
compile my own kernel and ssl/ssh/etc - how much *can* I compile by myself
and not spend my entire life checking for (for example) K&R style self
replicating patchers in the compiler? There is a line beyond which a
healthy paranoia about security becomes a unhealthy obsession which
paralyses the user from ever performing ANY actions.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Re: Popular Net anonymity service back-doored
  - From: Florian Weimer <fw@deneb.enyo.de>
- [Full-Disclosure] Re: Popular Net anonymity service back-doored
  - From: "Thomas C. Greene " <thomas.greene@theregister.co.uk>
- [Full-Disclosure] Re: Popular Net anonymity service back-doored
  - From: Aron Nimzovitch <crypto@clouddancer.com>
- [Full-Disclosure] Re: Popular Net anonymity service back-doored
  - From: Bernhard Kuemel <darsie@gmx.at>

Prev by Date: Re: [Full-Disclosure] Improving E-mail security...
Next by Date: Re: [Full-Disclosure] ADODB.Stream object
Prev by thread: [Full-Disclosure] Re: Popular Net anonymity service back-doored
Next by thread: [Full-Disclosure] Re: Popular Net anonymity service back-doored
Index(es):
- Date
- Thread