Dailydave mailing list archives

Re: How T-Mobil's network was compromised


From: Paul Wouters <paul () xelerance com>
Date: Thu, 17 Feb 2005 21:25:57 +0100 (CET)

On Thu, 17 Feb 2005, Richard Porter wrote:

Not sure I'd trust PGP running on carrier hardware. These are the same

But where do you end your paranoia? Do you trust RNGs on die? You cannot
really ever 'fully' trust crypto hardware that does not have an open spec.

Whatever happened to the people chasing down the time delays in Pentium-I
CPUs when executing undocumented (backdoor?) instructions to get to ring 0?
Didn't one of them die? :)

That is a great point (And made me really think about it) but do you think
it would be a back door into the PGP implementation? 

If T-Mobile wants to have your PGP messages, and they give you the PGP
application, they can easily use a T-Mobile "Additional Decryption Key" (ADK)
to ensure they can read all your messages. If you would be using a real PGP
implementation on the other end, it would ask you if you want to encrypt to
the ADK as well. If you'd hit another T-Mobile PGP handset, this could then
of course happen without any notice.

Blackbox cryptography is just always wrong. 

Paul
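
A recipient-side check for the ADK scenario described above, as an added example that is not part of the original post: it lists the key IDs an OpenPGP message is encrypted to (RFC 4880 tag 1 packets), so an extra recipient such as an ADK stands out. The function names and the sample message are constructed for illustration, and the input is assumed to be binary rather than ASCII-armored.

```python
import struct

def _packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, o1 = hdr & 0x3F, data[i]; i += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + data[i] + 192; i += 1
            elif o1 == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                return                      # partial body length: stop parsing
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                return                      # indeterminate length: stop parsing
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(message):
    """Key IDs from Public-Key Encrypted Session Key packets (tag 1, version 3)."""
    ids = []
    for tag, body in _packets(message):
        if tag == 1 and len(body) >= 10 and body[0] == 3:
            ids.append(body[1:9].hex().upper())
        elif tag in (9, 18):                # encrypted data: no more recipients
            break
    return ids

def unexpected_recipients(message, expected):
    """Recipients the sender did not choose (all-zero ID = hidden recipient)."""
    return [k for k in recipient_key_ids(message) if k not in expected]

# Constructed sample: one old-format and one new-format PKESK, then a data packet.
def _pkesk(key_id, new_format):
    body = bytes([3]) + bytes.fromhex(key_id) + bytes([1]) + b"\x00\x08\xff"
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body

SAMPLE = (_pkesk("1111111111111111", False) + _pkesk("AAAAAAAAAAAAAAAA", True)
          + bytes([0xD2, 4]) + b"\x01abc")
```

Calling `unexpected_recipients(SAMPLE, {"1111111111111111"})` reports the second key ID, which is the position an ADK would occupy in a real message.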
