RE: [Full-Disclosure] Cryptome Hacked!

From: batz (batsy@vapour.net)
Date: 02/27/03

Next message: Sung J. Choe: "RE: [Full-Disclosure] Cryptome Hacked!"

Previous message: Sung J. Choe: "RE: [Full-Disclosure] Cryptome Hacked!"
Maybe in reply to: Sung J. Choe: "[Full-Disclosure] Cryptome Hacked!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: batz <batsy@vapour.net>
To: "Sung J. Choe" <schoe@oicinc.com>
Date: Wed, 26 Feb 2003 20:18:16 -0500 (EST)

On Wed, 26 Feb 2003, Sung J. Choe wrote:

:> Third, the best method of ensuring the integrity of software right now
:> is signed crypographic checksums from someone you trust.
:What would you use to generate that checksum? Can you trust the software
:used to generate the checksum? How can you trust that software? Please
:do not give some simple-minded answer like "cryptographic checksums" since
:that does not answer my specific question.
:

You cannot trust software. You can only trust processes, people and
institutions.

So, I will reiterate my original answer which is that you can
trust cryptographic checksums *from someone you trust*, or more
accurately, ones which have been generated using a process you
trust. If you want to know how to evaluate how much trust you
should have in a process, then maybe the Common Criteria, BS7799,
the TCSec rainbow books, should help. Better yet, have a plan B
for dealing with the possibility that your trust may be unfounded.

-- 
batz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Sung J. Choe: "RE: [Full-Disclosure] Cryptome Hacked!"
Previous message: Sung J. Choe: "RE: [Full-Disclosure] Cryptome Hacked!"
Maybe in reply to: Sung J. Choe: "[Full-Disclosure] Cryptome Hacked!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]