RE: Cryptome Hacked!

["Steve Wray" <steve.wray () paradise net nz>]

You posed a general question;

> > This brings up the following question: What is the best method for
> > ensuring the integrity of software which require a high 
> level of trust?

I answered in general terms.

But to be particular, I know nothing of this person
or his software.

Is the sourcecode available for public scrutiny or isn't it?

If not then why not?

Thats a question you might like to consider.

But don't get too paranoid it might be merely because he's trying
to make a profit out of it.

Its just that lacking scrutiny one can never be too sure.

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> Morgan Marquis-Boire
> Sent: Thursday, 27 February 2003 1:44 p.m.
> To: Steve Wray
> Cc: schoe () oicinc com; full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Cryptome Hacked!
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Why would John Young tamper with the software available on his site?
> Do you not think that if this were discovered it would reduce 
> what ever
> credibility he and his site may have in the crypto community?
> Given the nature of the website and its pro-crypto stance, it makes
> little sense to me the idea that some one would deliberately 
> weaken the 
> tools provided on the site.
> In what way do you feel the tools may have been tampered with?
>
> On Thu, 27 Feb 2003 12:58:35 +1300
> "Steve Wray" <steve.wray () paradise net nz> wrote:
>
> > Sticking my neck out, I'd say that the *best* method would be;
> >
> > 0. Be familiar with your OS and with the programming
> > language in which the software is written and 
> >
> > 1. Go over the source code line by line inspecting the
> > whole thing.
> >
> > 2. If you don't have access to the source don't trust it,
> > no way no how.
> >
> > Ok that was the dead serious part.
> >
> > 3. If people you know and trust have access to the source that
> > may mitigate failure at (2), but only marginally. 
> > You need a face-to-face relationship with the parties you trust 
> > and who have access to the source; email or other internet 
> > relationships do not count.
> >
> > (Ok so certain types of psychopath can reliably lie and fool even
> > the clinically paranoid. Yup, even people who are psychotically
> > paranoid can be lured into disclosing their bank details by
> > a 'creative psychopath'.)
> >
> > So if you want to be able to trust it only personal inspection
> > of the source will do.
> >
> > You *did* say "high level of trust"
> >
> > Personally I don't feel a need for this level of paranoia. Phew
> > I can live my life and not feel concerned about the conversations
> > they have about me on the TV. The ones that noone else can hear.
> > Mwahahahaaaaaa
> >
> > -----Original Message-----
> > From: full-disclosure-admin () lists netsys com
> > [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Sung J.
> > Choe
> > Sent: Thursday, 27 February 2003 12:10 p.m.
> > To: 'full-disclosure () lists netsys com'
> > Subject: [Full-disclosure] Cryptome Hacked!
> >
> >
> > Cryptome.org, a site for privacy enthusiasts and leftists alike, was
> > apparently hacked today.  Their server is up but "all files were
> > deleted".  Besides the usual anti-American/anti-government 
> vitriol that
> > is usually found at Cryptome.org, they also distribute 
> crypto software.
> > This brings up the following question: What is the best method for
> > ensuring the integrity of software which require a high 
> level of trust?
> > I am almost sure that any crypto software distributed by 
> such extremists
> > as John Young (operator of cryptome.org) has been tampered 
> with in some
> > way.  Does anybody else share this opinion? 
> >
> >
> > .--------------------------------------------------. 
> > | Sung J. Choe <schoe[at]oicinc.com>, TICSA        | 
> > | Systems Administrator, Facility Security Officer | 
> > .--------------------------------------------------.----. 
> >                     | Oceanic Imaging Consultants, Inc. | 
> >                     | Phone #: (808) 539-3634 x3634     | 
> >                     .-----------------------------------. 
> > 568D CAD6 53A0 92E6 4A2A  4E87 3BA0 5F90 37BB 8EE7 
> >  
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> - -- 
> Morgan Marquis-Boire
> Unix Systems Consultant
> Datacom Systems Ltd.
> (025) 954-931
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
>
> iD8DBQE+XV9mMMI56vuqwigRAtAdAKC5Xe33yGrZ0GGuTL97ze/1+aQABgCfROz1
> vnyp8oj2WYZiVsRjJq/Vk+g=
> =Wpy7
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html