Re: [Full-Disclosure] Cryptome Hacked!

From: yossarian (yossarian@planet.nl)
Date: 02/27/03

  • Next message: Steve Wray: "RE: [Full-Disclosure] Cryptome Hacked!" 
    From: "yossarian" <yossarian@planet.nl>
To: <full-disclosure@lists.netsys.com>
Date: Thu, 27 Feb 2003 03:13:14 +0100

    Cryptome Hacked!Sung J. Choe wrote:
    >> Let me turn around the issue a bit - any crypto software distributed with
    the blessing or very active support in >>development of the Powers That Are
    in No Such Agency
    >That is my point exactly. Anybody foolish enough to think that the US govt
    would allow unbreakable crypto to be loose in >the public domain is insane.
    Just imagine an international financial network with transactions conducted
    in total secrecy: the >govt would and should never allow that.

    Well, you are basically saying the US should seek to police the public
    domain. The real issue is not about allowing, but about policing. You cannot
    disallow what you don't control. I might be an insane leftist, but I think
    the US can NOT control 5 bil. people. What it can do, is alienate more
    people. Overextending an empire is usually an indication of its downfall, as
    Toynbee has argued. A really effective strategy would be on the lines of how
    the cold war was won, as outlined by George Kennan in 1949: containment.

    If unbreakable crypto exists, which I really doubt, chances are it might
    just be built outside the US of A. The new standard for crypto in the US is
    Made in Belgium (Rijndael/AES). Boycotting french wine is one thing, but not
    having good crypto in your own defence is insane. The belgian government is
    really opposing Mr. Bush - and might just stay on this course.

    The arabs invented algebra, so why shouldn't a 19 y/o living in Zaoezouate
    invent unbreakable crypto? What then? Nuke the B******? I think we will just
    have to accept that the good ol' US cannot be a John Wayne style sheriff in
    the real world.

    Judging the amount of crypto stuff in the public domain, policing
    development of strong ciphers will be practically impossible for the next 20
    years, anyway. Just take a look at Citeseer, and query something on AES, for
    instance. You''l see what I mean.

    >> can we stay clear of political statements on this forum
    >I apologize for some of the political statements in my post. However,
    please take seriously my questions as they are valid >for this forum given
    TIA (Total Information Awareness) and the current state of global security.
    I appreciate any creative >insight anybody may have regarding my question.

    TIA was stopped, if I am informed correctly. If it ever takes off, the
    legalities of it will be really harmfull to international relations. And
    what do you mean, given TIA - let John Poindexter, the man who considered it
    his job to lie to Congress, go ahead? TIA is no more than a concept, no
    facts have yet been found, just a hype on digital Pearl Harbours created
    that is already dying, see the exit Mr. Clarke.

    TIA is great for the IT industry, but the probability of it catching a real
    evil person are nil. It is a huge relational database - how will its data
    integrity be? Statistically, a very good database has 91% correct records.
    Since TIA will hold intel on all american citizens, and every person
    visiting the country, some 50M per year, it will have some 300M records on
    people alone at kick-off. At best, only 27.000.000 people per year will have
    to be investigated, just to weed out errors. How long does an average
    investigation take? How many men in blue and men in black will you need? Who
    is to pay. The question in international politics still is: How many tanks
    does the Pope have - not how many hackers. Consider the amount of data
    replicated. How fast will such a system grow? What boggles my mind - but
    hey, I'm dutch -it will list people buying certain books (see patriot act),
    but it will not list the guns people own. This should be huge amounts of
    data - or do average American own more guns than books? Sorry, that's
    politics. On a single person, how many fields will it have? 5K? How
    up-to-date will it have to be? In such a registration, will all the other
    underlying systems give valid data? Will the services and agencies providing
    these data, all of sudden start in knowing the whereabouts of all foreign
    students, etc.? Garbage in still is you know what out. SDI was a brilliant
    move, breaking the soviet economy with a technical phantom. But TIA will not
    start a technological arms race. Have you recently checked the stats on
    large IT projects - they fail. This one will be huge. So the state of global
    security will not and cannot be served by a large scale IT approach - the
    bigger the system and the more players iinvolved - the smaller its chances
    for success. TIA will at best be a technical and financial disaster, robbing
    the armed forces of the budgets for real weapons - which I doubt they need,
    anyway, and robbing the rank-and-file of the forces of a raise in pay they
    really DO need.

    > Please feel free to disregard the other statements.
    I will. You can do the same with mine.

    Sung J. Choe <SChoe[at]oicinc.com>, TICSA
    Systems Administrator, Facility Security Officer
         Oceanic Imaging Consultants, Inc. / www.oicinc.com Ph #: (808)
    539-3634

    -----Original Message-----
    From: yossarian [mailto:yossarian@planet.nl]
    Sent: Wednesday, February 26, 2003 2:17 PM
    To: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Cryptome Hacked!

    Well, the mirror on lessgov is gone too.But http://cryptome.sabotage.org/ is
    still up, anyway. So you can see for yourself that they have PGP as the only
    crypto product they offer. If they have altered it, anyone can see by
    comparing the source, which they also provide (both stored offsite, and also
    unavailable right now)

    I can believe that you are almost sure, but since this is a fact you can
    verify, why assume, why not prove it?

    Let me give you a hint: Look at the paper from Claude Crepeau and Alain
    Slakmon on Simple Backdoors to RSA key generation. If you want to alter PGP
    in a way difficult to detect, this would be the way. Any other way would be
    too obvious. If you see how feasable this is, rethink your position. Any
    keyscheme you use may be backdoored, so generating your own keypairs might
    just not suffice.

    Let me turn around the issue a bit - any crypto software distributed with
    the blessing or very active support in development of the Powers That Are in
    No Such Agency, would you assume that there is no backdoor? Just google on
    Key Recovery features, in P1363 or any other mainstream PKI - search on
    project Krisis by the EU, or look at the archived site kra.org (on
    archive.org), look at the discussions related to the wassenaar agreements.
    See the continuing story from clipper chip via Key Escrow to CKI on certain
    if not all governments wanting access to your keys for policing? What if the
    company you serve has offices all over the world? Will you give the
    cryptokeys to all the countries were you have offices? Remember that ex-C1A
    boss Wooley admitted 'checking' on European companies, whether they violated
    trade embargoes? How? As security professionals we need to be aware on who
    might be reading our confidential information - and then decide whether this
    is acceptable to the company whose data you must secure. Don't forget that
    maybe some gov. agencies might lose the keys to the data you should be
    protecting. What a nice liability case it would be, heh!. Say I open an
    office in Australia - and the gov there wants root to my systems, for
    policing. Should I give them access to the corporate network or just the
    Australian office? But will my network zoning suffice, to keep them off,
    say, my Miami office's network? Is it legal in Florida giving access to
    unspecified police or intelligence communities in other countries to data,
    maybe even sensitive to national security? This will be a definite No, so in
    order not to break the law in one country, I must break it in another
    country. How to risk manage this?

    On a personal note: I am almost sure that the risk to my personal well-being
    by the American/Government, albeit small, is bigger than that posed by
    extremists as John Young, who do not have much means, budget or interest in
    bothering me. Taking on the US govt, as they do, they'll have there hands
    full.

    And Plz. can we stay clear of political statements on this forum, this is
    one of the few places I can hang around and not be bothered by political
    statements, not linked at all to the subjectmatter of the list?

    Yossarian
    ----- Original Message -----
    From: Sung J. Choe
    To: 'full-disclosure@lists.netsys.com'
    Sent: Thursday, February 27, 2003 12:10 AM
    Subject: [Full-Disclosure] Cryptome Hacked!

    Cryptome.org, a site for privacy enthusiasts and leftists alike, was
    apparently hacked today. Their server is up but "all files were deleted".
    Besides the usual anti-American/anti-government vitriol that is usually
    found at Cryptome.org, they also distribute crypto software. This brings up
    the following question: What is the best method for ensuring the integrity
    of software which require a high level of trust? I am almost sure that any
    crypto software distributed by such extremists as John Young (operator of
    cryptome.org) has been tampered with in some way. Does anybody else share
    this opinion?

    .--------------------------------------------------.
    | Sung J. Choe <schoe[at]oicinc.com>, TICSA |
    | Systems Administrator, Facility Security Officer |
    .--------------------------------------------------.----.
                        | Oceanic Imaging Consultants, Inc. |
                        | Phone #: (808) 539-3634 x3634 |
                        .-----------------------------------.
    568D CAD6 53A0 92E6 4A2A 4E87 3BA0 5F90 37BB 8EE7

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    Relevant Pages

    • Re: Security of crypto security measures
      ... You're guessing the platform is safe ... detection software found virus on the diskettes I handed out. ... The crypto math and ... This just means match the lockbox to the security you have in the ...
      (sci.crypt)
    • Re: Still Looking for that One, BRAVE, NASA and/or NAA Employee Re: Apollo One
      ... >>disagree with cryptological security by obscurity. ... Except that in a properly designed crypto system, ... Again, however, if the keys themselves are encrypted with a high-order ...
      (sci.space.history)
    • Re: 8 bit white noise algorithm
      ... Key the cipher with the key of your choice (since security is not a concern, key management is not a concern). ... and then there are crypto-quality PRNGs. ... Most crypto algorithms only achieve high security when used in a rolling mode, initially seeded with something truly random. ...
      (comp.dsp)
    • Re: Security of crypto security measures
      ... How secure are the crypto security measures in practice today? ... gangsters could carry the safe away. ... So how sure is a normal user of security software in the security ...
      (sci.crypt)
    • Re: software crypto is useless
      ... > in runtime, your keys, passwords, and signatures, etc. all become doubtful. ... Each security module, software as well as hardware, has ... Software crypto can be ...
      (sci.crypt)