Date: Thu, 7 Dec 2000 00:40:09 +0100
From: Cliff Sarginson
On Wednesday 06 December 2000 14:17, Michael wrote:
Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :)
Mmm. I hate to say this but a little bit of C coding is not going to teach you enough to find holes in a program of even moderate complexity, let alone in a compiler or complex network program. For encryption programs a pretty deep knowledge of algorithms and mathematics may also be required. Futhermore to understand the output of the compiler code generator you will need to be a red-hot assembly language programmer. And even then it would be a nightmare in optimised code. The point about open-source is that you can compile it yourself, so you are not accepting blindly a binary file from somewhere. You have to trust the origin of the source of course. Cliff
Not true! Take the gcc compiler, for example. How do you compile your compiler without using your compiler? Unless you hand assemble assembler code from keystrokes, you are using something that could have embedded microcode in it. JLK
*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein
On Wed, 6 Dec 2000, Cliff Sarginson wrote:
On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:
I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor.
http://www.cert.org/advisories/CA-2000-18.html
JLK
On Tuesday 05 December 2000 08:02, peter hollings wrote:
It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?
Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .
For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.
I would think anyone on this list concerned with security would be well advised to take an interest in this !
(just when you thought it was safe to go into the water...)
Cliff
Regards,
Peter Hollings
----- Original Message ----- From: "Jerry Kreps"
To: "zentara" ; "peter hollings" Cc: ; ; "suse-linux-e" Sent: Monday, December 04, 2000 5:28 PM Subject: Re: [SLE] A very interesting paper by Ken Thompson.. On Monday 04 December 2000 15:36, zentara wrote: > peter hollings wrote: > > Yes, the NSA is a possibility, but I'd be more > > concerned about the ill effects on society that could > > be brought about via a widely distributed, closed, > > proprietary system such as Windows. It's another reason > > for using Linux. > > I'm an old windows basher, but as the article stated, no > OS is immune to the microcode attack. > I was discussing a while back whether pgp and other > encryption programs had "backdoors" in them, the answer > was "if it exists, it's in our c compilers", controlled > by very high level people. I have a paranoid streak. :-)
It's not paranoia if it true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg
-- Scientific theories, according to Sir Karl Popper, can be "falsified," or
proven wrong, by experiment.
Unscientific theories -Marxist dialectical history and Freudian psychology
were Popper's favorites-
are formed in such a way that they cannot be falsified by data.
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq
-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.