Full Disclosure mailing list archives
RE: Cryptome Hacked!
From: "Steve Wray" <steve.wray () paradise net nz>
Date: Thu, 27 Feb 2003 17:00:09 +1300
You posed a general question;
This brings up the following question: What is the best method for ensuring the integrity of software which require a highlevel of trust?
I answered in general terms. But to be particular, I know nothing of this person or his software. Is the sourcecode available for public scrutiny or isn't it? If not then why not? Thats a question you might like to consider. But don't get too paranoid it might be merely because he's trying to make a profit out of it. Its just that lacking scrutiny one can never be too sure.
-----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Morgan Marquis-Boire Sent: Thursday, 27 February 2003 1:44 p.m. To: Steve Wray Cc: schoe () oicinc com; full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Cryptome Hacked! -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Why would John Young tamper with the software available on his site? Do you not think that if this were discovered it would reduce what ever credibility he and his site may have in the crypto community? Given the nature of the website and its pro-crypto stance, it makes little sense to me the idea that some one would deliberately weaken the tools provided on the site. In what way do you feel the tools may have been tampered with? On Thu, 27 Feb 2003 12:58:35 +1300 "Steve Wray" <steve.wray () paradise net nz> wrote:Sticking my neck out, I'd say that the *best* method would be; 0. Be familiar with your OS and with the programming language in which the software is written and 1. Go over the source code line by line inspecting the whole thing. 2. If you don't have access to the source don't trust it, no way no how. Ok that was the dead serious part. 3. If people you know and trust have access to the source that may mitigate failure at (2), but only marginally. You need a face-to-face relationship with the parties you trust and who have access to the source; email or other internet relationships do not count. (Ok so certain types of psychopath can reliably lie and fool even the clinically paranoid. Yup, even people who are psychotically paranoid can be lured into disclosing their bank details by a 'creative psychopath'.) So if you want to be able to trust it only personal inspection of the source will do. You *did* say "high level of trust" Personally I don't feel a need for this level of paranoia. Phew I can live my life and not feel concerned about the conversations they have about me on the TV. The ones that noone else can hear. Mwahahahaaaaaa -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Sung J. Choe Sent: Thursday, 27 February 2003 12:10 p.m. To: 'full-disclosure () lists netsys com' Subject: [Full-disclosure] Cryptome Hacked! Cryptome.org, a site for privacy enthusiasts and leftists alike, was apparently hacked today. Their server is up but "all files were deleted". Besides the usual anti-American/anti-governmentvitriol thatis usually found at Cryptome.org, they also distributecrypto software.This brings up the following question: What is the best method for ensuring the integrity of software which require a highlevel of trust?I am almost sure that any crypto software distributed bysuch extremistsas John Young (operator of cryptome.org) has been tamperedwith in someway. Does anybody else share this opinion? .--------------------------------------------------. | Sung J. Choe <schoe[at]oicinc.com>, TICSA | | Systems Administrator, Facility Security Officer | .--------------------------------------------------.----. | Oceanic Imaging Consultants, Inc. | | Phone #: (808) 539-3634 x3634 | .-----------------------------------. 568D CAD6 53A0 92E6 4A2A 4E87 3BA0 5F90 37BB 8EE7 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html- -- Morgan Marquis-Boire Unix Systems Consultant Datacom Systems Ltd. (025) 954-931 - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+XV9mMMI56vuqwigRAtAdAKC5Xe33yGrZ0GGuTL97ze/1+aQABgCfROz1 vnyp8oj2WYZiVsRjJq/Vk+g= =Wpy7 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Cryptome Hacked! Sung J. Choe (Feb 26)
- RE: Cryptome Hacked! Steve Wray (Feb 26)
- Re: Cryptome Hacked! Morgan Marquis-Boire (Feb 26)
- Re: Cryptome Hacked! Ian Eyberg (Feb 26)
- RE: Cryptome Hacked! Steve Wray (Feb 26)
- Re: Cryptome Hacked! Etaoin Shrdlu (Feb 26)
- Re: Cryptome Hacked! Morgan Marquis-Boire (Feb 26)
- RE: Cryptome Hacked! Steve Wray (Feb 26)
- Re: Cryptome Hacked! Kevin Spett (Feb 26)
- Re: Cryptome Hacked! yossarian (Feb 26)
- Re: Cryptome Hacked! batz (Feb 26)
- <Possible follow-ups>
- RE: Cryptome Hacked! Sung J. Choe (Feb 26)
- RE: Cryptome Hacked! batz (Feb 26)
- RE: Cryptome Hacked! Sung J. Choe (Feb 26)
- Re: Cryptome Hacked! yossarian (Feb 26)
- RE: Cryptome Hacked! Sung J. Choe (Feb 26)
- Re: Cryptome Hacked! Kevin Spett (Feb 26)