Re: National Security Backdoor in telnetd - all versions.

From: Nico Kadel-Garcia (
Date: 08/31/03

  • Next message: /dev/rob0: "Re: Port Scans - vs Who do I believe?"
    Date: Sun, 31 Aug 2003 00:58:54 GMT

    Au Naturel Productions wrote:
    > On Fri, 29 Aug 2003 00:39:36 +0000, Nico Kadel-Garcia wrote:
    >>Ahh, yes. The old "I know secrets you don't. Trust us, little boy, we
    >>know what's good for you".
    >>Translated: "Bend over the altar for Uncle Sam, little boy. It's a
    >>*sacrament* for your country!"
    > You mean: Bend over alter boy this is the church. Guess you have no clue
    > as of what you are talking about again.

    It's called a "metaphor". In this case, it's pretty precise, because in
    this case the people in power (priest or government) is telling people
    it's their holy duty to open wide for the intrusions, intrusions being
    done for the gratification of the people in power and blatantly not for
    the benefit of the recipient of the invasive procedure.

    Hint. I've dealt with lots of child abusers professionally....

    >>Yes. They protect the military from various exposures, ranging from the
    > <snip>
    >>and is used to cover a lot of sins.
    > Actually not as much as you may think, but then again - some people should
    > not be given that information.

    You're right, according to the sinners, the sin should not be ever
    publicly exposed lest it *embarass* the sinner and somehow "Threaten
    American's Confidence in Their Government(tm)".

    That's a really, really *bad* reason.

    >>behavior other than typical teenage bragging.
    > This is the age of US Government "Preemptive" action. They have never
    > caught anyone who is a cracker, unless someone turned those people in. As
    > is the case with the latest Blaster varient.
    >>Hundreds of arrests nationwide, millions of dollars of private computer
    > <snip>
    >>against the Secret Service for their violations of civil rights.
    > Why aren't you angry about those people, and their homes, that have been
    > destroyed by the SS over guns? Blame Ashcroft for his tactics.

    I am angry for it. It wasn't normally the Secret Service and it's a
    different (and admittedly worse) issue.

    >>And I've personally administered literally thousands of remote
    >>individual machines up to the antipodes of the Earth,. (I avoided the
    >>switches: I hate those languages, but did my share.)
    > And that is impressive in this day and age?

    Just brings across the point that I'm familiar with the interference of
    the crypto-regulations with securing key infrastructure from both
    vandalism and actual potential terrorist attack. The insistence on
    controlling encryption and preventing its spread by clearly
    unconstitutional regulations is actively interfering with the safety and
    security of Americans nationwide, since it actively and passively
    prevents the widespread use of far superior authentication and
    encryption techniques to protect critical resources.

    Civilian resources such as tankers, air-traffic systems, even power
    plants have absolutely horrid security resulting from these stupidities.

    >>Assuring that they interoperate correctly is extremely difficult. It can
    > <snip>
    >>actually imperils their services.
    > If you say so.

    If you don't believe me on this, go back to the SunOS whackiness for the
    "crypt" function and scroll forward for the last 12 years or so with
    other UNIX releases, the Netscape/Internet Explorer 80-bit/128-bit
    encryption wars, RedHat's fun with incorporating GPG and OpenSSH into
    their releases to key-sign their software packages and allow protected
    remote access to X servers as part of the OS instead of everyone having
    to download it from Finland, etc.

    >>Youngster. You may, one day, become educated the hard way....
    > Youngster? Are we getting into "name calling" now? You are losing your
    > stance with me know. I have been "educated" by first hand experience,
    > hence my stance on some restrictions on export of techology. And I bet you
    > don't believe there is still "spying" going on in the world.

    Of course there is, both governmental and corporate. A lot of it is
    illegal, of course, but it's certainly occasionally a useful hobby.

    >>If you are innocent, why won't you let the officer search your house and
    >>your pants and put bugs on your phone? Better yet, why don't you post
    >>with your own email written directly?
    >>Because such easy access can be and will be abused.
    > 1) If an officer asks nicely, I will ask what he is looking for, then let
    > him in.
    > 2) If the officer want to give me a thrill - no problem there.
    > 3) Does the officer have a reason to wiretap?
    > 4) I DON'T LIKE SPAM - there are spammers who rake the NNTP for email
    > addresses. Did you know that?

    That's nice. I don't like police searching me, my house, or my
    communications for things they don't have a warrant for, especially
    electronically since it leaves less evidence of the search and is thus
    subject to new forms of abuse. Did you know that?

    >>No. They should have to get a subpoena for it, which was never even
    > <snip>
    >>stored elsewhere.
    > Let's see: Using the telephone is not a right, but a privledge. If it was
    > a right, noone would be charged for it's use. Stop being so pissed off.

    Free speech is a right. It's not the telephone they're interfering with.
    It's the *speech*, the communications on the telephone which are being
    interfered with.

    >>And since both dual keys were to to be held in undetermined government
    >>hands, with no mandatory standards for their release, it would still be
    >>far too easy for one key to live in one bureaucrat's office files, the
    >>other key to exist in his brother Fred's office files, and them to
    >>exchange keys at will with any federal agency they felt inclined to
    >>cooperate with.
    > The way I understood it - there would have to be a clear and present
    > danger for them to release the key. But hey most people are not too
    > worried about SECURITY to begin with. They can not even keep their own
    > secrets from prying ears (i.e. busines trash browsing).

    I read the description. There was *no* delineated standard for when the
    keys would be released, it was clearly left quite vague and
    undetermined. Like most college's sexual harassment policies, all sorts
    of nice phrases were included with utterly no clear guidelines requiring
    or preventing them from releasing the keys under any circumstances.

    >>This is *completely* unacceptable under the most basic of security *and*
    >>civil rights precepts.
    > Depends on who it was to hold the keys, I can tell you the NSA is one
    > place that would be more then trusted.

    Not by anyone with an IQ over 45. They wrote the algorithms secretly
    with no public review, the hardware is hardened and prevents
    verification of an absence of additional keys or algorithms added after
    the review by the sequestered and NDA signing "experts" who have since
    lost most of their credibility for signing off on this, missing the
    patent violations and the too-short LEAF key problem, and the NSA has
    traditionally been able to draw the invisible cloak of "national
    security" over far, far, far too many of its actions.

    > Tisk Tisk - in cases like that, you would not be given any information as
    > to what was used or how things were "taped". Up until 9/11/2001, most
    > people including the current administration were to "untouchable" for a
    > terrorist attack on the US soil. Oh how quick things change. And if you
    > paid attention you would have heard about such a situation in the past.

    This is because they didn't *read*, and never realized how fragile
    things are. Heck, they haven't even caught on yet that the increase in
    car traffic as people avoid airlines has killed far more people than
    9/11 did.

    If I'd been planning an attack or a drug smuggling or whatever, I'd have
    used Boston too. I've actually walked through their security with a
    costume dagger 3 times, *AFTER* 9/11. Every other city noticed it,
    Boston missed it 3 out of 4 times.

    Fortunately, they've finally replaced the company doing those safety

    >>And for real terrorists, any schmuck can use PGPphone or the other
    > <snip>
    >>traffic and get suspicious about *that*.
    > If you say so.

    PGPphone ran on a MacII. Various voice-over-IP systems are also working
    just fine.

    >>Even without digital encryption, one-time pads for verbal transmissions
    > <snip>
    >>arbitrary messages that cannot be beaten by man-in-the-middle.
    > If you say so. Of course I doubt you have an NDA with the government - so
    > I doubt you would even have a clue at to some techology..

    "Shush, sonny, pay no attention to the man behind the curtain."

    Listen up, folks. A "one-time-pad" is a system where extremely simple
    but extremely random encryption keys are generated as a long list, two
    copies made, and one sent to the remote recipient of future messages.
    Every character (or every word, depending on the system) is encrypted,
    each with the next key on the list.

    There is *ABSOLUTELY NO WAY* to reassemble the original message without
    the one-time-pad. The best you can do is make some guesses about the
    length of the message and what *that* means, from the amount of data sent.

    The only character or message that cannot be encrypted this way is a
    meta-message: "Repeat", or resend the message because I had an error
    recreating it. Some other interesting things happen if you need to
    resync where you are on the one-time-pad lists, but it's still pretty
    damn easy to secure that as well, just not as absolute.

    >>So what are they this week? That *should* be a matter of public record....
    > Why? It should be easy to figure out. The higher the damage could be done
    > to the country, the higher the classification.

    But wait: it's *SECRET*. Just like the Secret Service knowledge of when
    Billy Clienton kicked out his guards and smoked cigars with interns, who
    gets to decide its secret and unknowable to the rest of us is, you
    guessed, impossible to review or examine because of "National
    Security(tm". Or like J. Edgar Hoover's files on civil activists: "Those
    uppity niggras are a risk to our nation, boys!"

    > BTW: It seems that you are trying to have it both ways: Wanting Security
    > but not allowing those who are not "appointed by politians" or
    > "politians" controlling things.

    The security I want is to keep governments, any governments, including
    *my* government, out of my private business. The control of encryption
    provides extremely potent tools to those with the electronic and fiscal
    resources to tap anything they wish, to never reveal they have done so,
    and therefore to misuse the knowledge.

    > FYI: You arguements are getting repeative and boring. Please come up with
    > something of more interest then what you are using. Plus never think I am
    > as young as you think, on any level.

    Why not? You still trust Uncle Sugar to always be your friend and always
      do what's right.

    It don't work that way: Uncle Sugar is often a pretty reliable and
    stand-up guy, especially compared to his peers, but you've still gotta
    keep an eye on him around the punch bowl.

  • Next message: /dev/rob0: "Re: Port Scans - vs Who do I believe?"

    Relevant Pages

    • Re: OT - Kuwait
      ... Making the case for encryption standards that would allow the Feds to ... One place where I agree with you is that the scope of government intrusion ... into the private matters of Americans is much greater than most Americans ... >> strict security procedures to prevent unauthorized release of the keys. ...
    • Re: OT - Kuwait
      ... > One place where I agree with you is that the scope of government intrusion ... > into the private matters of Americans is much greater than most Americans ... >>> strict security procedures to prevent unauthorized release of the keys. ... >> Feds Want to Control Encryption ...
    • Re: How to protect an encrypted file system for off-line attack?
      ... filesystem encryption prevents the contents from being known, ... The kind of government you describe ... With the level of danger involved here, I think the security issue is ... attacker can gain root." ...
    • No Quick Fix For Government Data Security
      ... While encryption and other security technology can help, ... government bureaucracy are seen as the main causes of vulnerability. ...
    • Re: How to protect an encrypted file system for off-line attack?
      ... filesystem encryption prevents the contents from being known, ... not hide the fact that there is a secret. ... destroy the SD and turn off the computer. ... With the level of danger involved here, I think the security issue is ...