Full Disclosure mailing list archives
Re: Re: Popular Net anonymity service back-doored
From: "Dave Howe" <DaveHowe () cmn sharp-uk co uk>
Date: Wed, 27 Aug 2003 10:38:31 +0100
Bernhard Kuemel wrote:
And surely you would apply your opinion to any kind of cryptography like pgp, ssl, etc. There are millions of users out there who do not have the skills (programming, mathematics) to verify such code. Calling them beyond stupid for that is inappropriate. Blindly relying on software may be foolish, but if you keep an open eye for warnings from those that have the skills and do verify the code of popular software it is ok.
Agreed strongly. I am a (perhaps) adequate programmer, and I can use crypto toolkits and/or impliment algos I find in books/online I freely admit I don't have a hope in hell of finding a flaw in the crypto itself - that is why I stick to peer-reviewed algos and, where possible, crypto libraries that other programmer/cryptographers have peer-reviewed (yes, I try to carry out my own source-code reviews. no, I don't have the time or resources to evaluate a big project like pgp 6.x; I certainly compile my own ckt builds, but I have reviewed less than 5% of the code, which is probably a lot more than most skilled programmers would even bother to do - and even then, mostly in modules that are concerned with memory locking (as I am more interested in how pgp does this than the crypto itself)
And - who guarantees that the code that is published is the same that is used on the servers?
well, I would - I wouldn't dream of running a server whose code I hadn't compiled myself; I would also zip up source, zip up binaries and detached-sign both to form a final archive available for download from my server. However, how far can I take that? assuming that I run linux and compile my own kernel and ssl/ssh/etc - how much *can* I compile by myself and not spend my entire life checking for (for example) K&R style self replicating patchers in the compiler? There is a line beyond which a healthy paranoia about security becomes a unhealthy obsession which paralyses the user from ever performing ANY actions. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Popular Net anonymity service back-doored Florian Weimer (Aug 21)
- RE: Re: Popular Net anonymity service back-doored Drew Copley (Aug 21)
- Re: Re: Popular Net anonymity service back-doored Florian Weimer (Aug 21)
- Re: Popular Net anonymity service back-doored Thomas C. Greene (Aug 21)
- Re: Popular Net anonymity service back-doored Aron Nimzovitch (Aug 21)
- Re: Popular Net anonymity service back-doored Barney Wolff (Aug 21)
- RE: Popular Net anonymity service back-doored David Schwartz (Aug 21)
- RE: Popular Net anonymity service back-doored Drew Copley (Aug 22)
- Re: RE: Popular Net anonymity service back-doored felix . roennebeck (Aug 22)
- Re: Popular Net anonymity service back-doored Bernhard Kuemel (Aug 24)
- Re: Re: Popular Net anonymity service back-doored Dave Howe (Aug 27)
- Re: Popular Net anonymity service back-doored Aron Nimzovitch (Aug 21)
- RE: Re: Popular Net anonymity service back-doored Drew Copley (Aug 21)
- Re: Popular Net anonymity service back-doored Alex Russell (Aug 21)
- Re: Popular Net anonymity service back-doored Michael Schlenker (Aug 22)
- Re: Popular Net anonymity service back-doored nordi (Aug 22)
- Re: Popular Net anonymity service back-doored Alex Russell (Aug 22)
- <Possible follow-ups>
- RE: Popular Net anonymity service back-doored David Schwartz (Aug 22)
- Re: Popular Net anonymity service back-doored Alex Russell (Aug 25)