RE: [Full-Disclosure] Cryptome Hacked!

From: Steve Wray (steve.wray@paradise.net.nz)
Date: 02/27/03

    From: "Steve Wray" <steve.wray@paradise.net.nz>
    To: "'Sung J. Choe'" <schoe@oicinc.com>, <full-disclosure@lists.netsys.com>
    Date: Thu, 27 Feb 2003 12:58:35 +1300
    

    Sticking my neck out, I'd say that the *best* method would be:

    0. Be familiar with your OS and with the programming
    language in which the software is written and

    1. Go over the source code line by line inspecting the
    whole thing.

    2. If you don't have access to the source don't trust it,
    no way no how.

    Ok that was the dead serious part.

    3. If people you know and trust have access to the source that
    may mitigate failure at (2), but only marginally.
    You need a face-to-face relationship with the parties you trust
    and who have access to the source; email or other internet
    relationships do not count.

    (Ok so certain types of psychopath can reliably lie and fool even
    the clinically paranoid. Yup, even people who are psychotically
    paranoid can be lured into disclosing their bank details by
    a 'creative psychopath'.)

    So if you want to be able to trust it only personal inspection
    of the source will do.

    You *did* say "high level of trust"

    Personally I don't feel a need for this level of paranoia. Phew
    I can live my life and not feel concerned about the conversations
    they have about me on the TV. The ones that no one else can hear.
    Mwahahahaaaaaa

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Sung J.
    Choe
    Sent: Thursday, 27 February 2003 12:10 p.m.
    To: 'full-disclosure@lists.netsys.com'
    Subject: [Full-Disclosure] Cryptome Hacked!

    Cryptome.org, a site for privacy enthusiasts and leftists alike, was
    apparently hacked today. Their server is up but "all files were
    deleted". Besides the usual anti-American/anti-government vitriol that
    is usually found at Cryptome.org, they also distribute crypto software.
    This brings up the following question: What is the best method for
    ensuring the integrity of software which requires a high level of trust?
    I am almost sure that any crypto software distributed by such extremists
    as John Young (operator of cryptome.org) has been tampered with in some
    way. Does anybody else share this opinion?

    .--------------------------------------------------.
    | Sung J. Choe <schoe[at]oicinc.com>, TICSA |
    | Systems Administrator, Facility Security Officer |
    .--------------------------------------------------.----.
                        | Oceanic Imaging Consultants, Inc. |
                        | Phone #: (808) 539-3634 x3634 |
                        .-----------------------------------.
    568D CAD6 53A0 92E6 4A2A 4E87 3BA0 5F90 37BB 8EE7
     

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


