Full Disclosure mailing list archives

RE: Re: Popular Net anonymity service back-doored


From: "Drew Copley" <dcopley () eeye com>
Date: Thu, 21 Aug 2003 12:31:37 -0700



-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Florian Weimer
Sent: Thursday, August 21, 2003 11:39 AM
To: bugtraq () securityfocus com; full-disclosure () lists netsys com
Cc: Thomas C. Greene 
Subject: [Full-disclosure] Re: Popular Net anonymity service 
back-doored


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Thomas C. Greene " <thomas.greene () theregister co uk> writes:

<snip>


However, perhaps the JAP team at TU Dresden hadn't much 
choice.  I haven't seen the court order, but I could imagine 
that they weren't allowed to inform the users because it 
would have harmed the criminal investigation.  Following the 
order while fighting it within the legal system is perhaps a 
wiser choice than just resisting it (and thus breaking the 
law yourself).  But I agree that it takes them awfully long 
to update their web site, now that some information is public.


I would think, I would know, there would be a moral obligation to tell
their users. Moral... A conscience obligation, an obligation of
conscience.

At the very least, they could have exposed this anonymously on the
Usenet or someplace. (Indeed...)

Regardless, it is the German authorities who used the authority of the
German State to do this. It is the German State which is culpable in
this situation. 

Who cares if they watch their own wires? But, they have no right to put
code on people's systems outside of Germany. If they do not have this
right inside of Germany, I do not care.

I do not care if this causes them a problem.

There is no justification of the means to an end. They have absolutely
no jurisdiction in the US. Are they saying they do not believe in
boundaries anymore? Are we allowed to hack all of their pedophiles and
Neo-Nazis as we wish? They are breaking the law and we have no authority
to hack them. Are they giving us this authority? I think not.

But, this is the message they have sent with this.

As for the errors... Thomas Greene lost my trust last year when he
started to lie about the entire security community and made obnoxious
and pervasive comments about where security vulnerabilities come from...
His misleading of the public has affected a great many people to this
very day. 

My trust with him is broken by his own gross violations.



Finally, they could have avoided all the hassle if they 
hadn't published the source code.  Why did they publish?  I 
don't believe it's an accident.

For BUGTRAQ readers: Symantec strips message headers.  The original
To: and Cc: are:

To: bugtraq () securityfocus com, full-disclosure () lists netsys com
Cc: "Thomas C. Greene " <thomas.greene () theregister co uk> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.2-cvs (GNU/Linux)

-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

