Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Popular Net anonymity service back-doored
From: Alex Russell <alex () netWindows org>
Date: Thu, 21 Aug 2003 17:30:06 -0500

On Thursday 21 August 2003 07:05, Thomas C. Greene  wrote:
I agree that the dirty work has to be done on the proxy, but it's
reasonable to imagine that the client update was issued to maintain
compatibility with whatever was done to the proxy software. Maybe the two
are unrelated as the group says, but how can I trust them when they
continue to soft-pedal the security implications of the back door?

Yes, the code sort of shouts at you, and this may well be a deliberate
heads up.  However, the group is still in denial, insisting that their
service is secure (see the press release linked in the Register story).

For them, the people that know the changes they made, they can still trust the 
system as much as they ever have. I have no doubt that for them it is as 
secure as ever and I think that helps explain why they cling to this claim. 
You and I, however, don't have that advantage and therefore can't trust it.

It's not secure, and claiming that it is taints anything else they may be
doing on behalf of users. They're *still* saying it's impossible for anyone
to intercept users' traffic or identify them. That simply isn't true.

To the extent that you ever trusted this statement, it is still as true as it 
ever was. What has changed is more likely your realization that the system 
relies on resources necessarialy beyond your control and inspection. If their 
statement isn't true now, it wasn't true then.

It's likely were legally prevented from issuing a clear warning, which is
why I say they should have taken the service down in protest.  I don't know
German law, but I'd be surprised if the courts can force you to provide a
communications service just so the Feds can use it.

I wouldn't be so suprised at such a ruling, although I'd really like to hear 
from someone with familiarity with German law.

Leaving a hint in the source and waiting for someone to call them on it may
be a legal strategem, but it's not a good way of maintaining user trust. 
It took too long for this to become public.  A better way to maintain trust
would be to stage a protest shutdown, or, if that's legally risky, a silent
shutdown and a subsequent leak to the press.  No decent reporter would
reveal their source in a case like this, and approaching a journo based in
another country would add another layer of protection.

If this is their proverbial cry for attention, then I kind of like the 
strategy. Consider that with explicit external notification of any sort 
(anonymous remailer, etc...), they are the ones taking action to subvert the 
system intentionally. Assuming that the opponent in this situation is a 
governmental entity with local physical enforcement power, then there's not a 
lot of situations in which they can imagine being verifiably unobserved in 
making any kind of public statement. Putting this in a CVS commit, however, 
allows them to claim that they were just trying to comply (wink wink) and 
doesn't run larger risks since there's nothing out of the ordinary to deny.

This doesn't mean I trust them, but it is probably one of the better ways for 
them to subvert the order IMO.

Regards.

-- 
Alex Russell
alex () burstlib net
alex () netWindows org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]