In Support Of Open Source
chronomatic
one) and those developers are not anonymous, they use their real
names on the mailing lists, and generally interact with other
cryptologists.
The argument I hear is if their actual identities were known then we
would probably also have some basic facts about their education,
their backgrounds, etc. You know, just like a normal person. You want
to know something about somebody before you hire him/trust
him/whatever, right? You don't just say, "Well, there are many other
people that I deal with on the street who are relatively unknown or
anonymous, and my interactions with them have been mostly ok, so
yeah, I guess I really don't need to know anything else about this
guy in the shadows whose software I am relying on to protect my most
important data." meh
I agree it would be better to know who they are. For instance, I
would rather have my crypto software designed by someone like Bruce
Schneier who is A) well known and well respected and B) supports
open-source.
Still, open source is far and away the better choice.
--
Screw the socialist blue-eyed Skindonavian arsewholes.
nix
As a result of following that line of reasoning we seem to have this
"black hole" that software comes out of that we all use. For all we
know, that hole could actually be located in the deliberately obscure
corner office of a major intelligence agency, possibly located in any
of several countries. Or any other private group operating under its
own agenda, of which we know nothing. Unknown/ Untold! Undeserving.
--
I want love and kisses and ponies in a field of pornographic pleasure.
chronomatic
This is true. It is possible to put backdoors in software that are
very deviously hidden (there is a competition every year called the
"C code obfuscation contest" where people do things like this on
purpose, as a contest, and are judged afterwards. The winner in 2008
was so clever that not even the judges understood how his code did
what it did). That said, there is nothing stopping insiders at MS or
Norton or Kaspersky from doing the same thing. It's just in their
case it would be even harder to discover than it would be for TC.
nix
My own use of encryption is merely intended to protect my personal and
financial data from casual theft, so from a personal standpoint I'm
not particularly concerned about the possibility of known (but
secret) weaknesses in the code that can be exploited only by certain
groups. However, there are plenty of other users out there who seem
to be expecting a much higher level of protection from their
"anonymously developed and then unexpectedly handed-out for free"
encryption software, and I feel that their confidence in this type of
software is probably unjustified.
See USCYBERCOMM has no fear or/for/with me. ;) ;0)
LCC
http://www.youtube.com/watch?v=q6zv8kiNmb4
The reason why I gave specifications in my "Merry Christmas" posts
rather than source code is so that any high school graduate geek could
write his own source code in a couple of weekends, with the exception
of the very first post...
Lonnie Courtney Clay
chronomatic
No more unjustified than using crypto products from big software
vendors. Indeed, I would say it is actually *more* likely that crypto
products from big vendors are backdoored. See the Crypto AG case for
one example.
Also, here is a quote from the late 90's from an M$ It's gotten to the
point where no vendor hip to the NSA's power will even start building
products without checking in with Fort Meade first. This includes
even that supposed ruler of the software universe, Microsoft Corp.
"It's inevitable that you design products with specific [encryption]
algorithms and key lengths in mind," said Ira Rubenstein, Microsoft
attorney and a top lieutenant to Bill Gates.
By his own account, Rubenstein acts as a "filter" between the NSA and
Microsoft's design teams in Redmond, Wash. "Any time that you're
developing a new product, you will be working closely with the NSA,"
he noted.
Full article http://cryptome.org/jya/nsa-lsa.htm
Open-source developers who have no financial interest do not have to
bow to the NSA and don't have to fear blackmail or hits to their
bottom line for disobeying.
Aside, Nanc try to keep from going nutzoid on us, OK? Sheesh.
nix
Your article is from 1998. Presumably, if the NSA was continuously
intervening in the development of all encryption products, there would
be (a) numerous such reports in the public domain and (b) more recent
reports. Do we see either occurring? Yes is correct, No is correct,
hard to be incorrect! ;)
DasFox
> http://www.youtube.com/watch?v=q6zv8kiNmb4
malware detected...do not open...
Troll noted...
THANKS
--
Tech, computer repair specialist (on the side), part time Tech
Pro poster to Wilders Security...home base...On usenet to help noobs
Not me...
chronomatic
What makes you think (especially in a post-911 world) that NSA would
stop this behavior? I have no doubt in my mind they still do this.
They are an organization with many thousands of employees and a $30
billion yearly budget (by most estimates -- the actual budget is
secret). They have plenty of motive and resources to weaken non-NSA
encryption systems. Besides, which is easier: Breaking crypto
algorithms or planting backdoors? If I were NSA I would do the
latter. It's obviously much easier to do.
Ari Silverstein
> On Fri, 14 Jan 2011 23:36:29 -0800 (PST), LCC wrote:
>
>> http://www.youtube.com/watch?v=q6zv8kiNmb4
>
> malware detected...do not open...
>
> Troll noted...
>
> THANKS
Good job, Fuchs.
*rofl*
--
“If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him.” ~Cardinal
Richelieu
Ari Silverstein
> The reason why I gave specifications in my "Merry Christmas" posts
> rather than source code is so that any high school graduate geek could
> write his own source code in a couple of weekends, with the exception
> of the very first post...
>
> Lonnie Courtney Clay
????? link?
nix
PGP, much has been rounded, some gleaned, mostly anticathartic, others
result the obvious equations. ;)
LCC
Google groups search this group "Lonnie Courtney Clay" "Merry
Christmas" series is 13 posts from 2007 Jun until Nov 2010...
Lonnie Courtney Clay
chronomatic
I never said anything about PGP. What the fuck are you on tonight?
They are one of the few (only?) proprietary encryption vendors that
supply source code and I applaud them for it. Most vendors do not
supply code, so using their products is akin to using a black box
that you just have to blindly trust. This is especially true of
hardware crypto (which seems to be a bigger target for NSA,
especially those that export their hardware to foreign entities).
Now, let's assume PGP's source code was reviewed by a panel of top
crypto experts and found to be clean. Even if this were true, there
is no guarnatee it will work as expected (at least not on a Windows
machine). Why? Because all it takes is a faulty RNG to compromise the
entire system and we already know that the NSA has planted crypto
backdoors in Windows.
<https://secure.wikimedia.org/wikipedia/en/wiki/NSAKEY>
nix
Is that the behind the scenes which props your propeller argument?
Spinning, RPMs unknown? ;) ;0)
chronomatic
Valium? I know you think you can carry on some kind of legitimate
argument but if I were you, I'd start by rethinking the porn links you
put on that macabre', drug induced website of yours.
http://platanalytics.com/page/4/
ITMT, If you can't break the algorithm and if you can't backdoor the
source code itself, then another effective tactic is to compromise
the RNG source. And since Windows is closed source, it would be
exceedingly difficult to disassemble and decompile the source code to
prove anything was amiss (though not impossible). I say "not
impossible" because some crazy cryptologists have actually taken the
time to do just this with Windows code. A couple of Israeli
researchers decompiled and reverse-engineered the RNG code to Windows
2000 and discovered that it had SEVERE flaws -- flaws they said that
were so blatant and easily avoided that either MS has extremely
incompetent crypto people or they did it on purpose. (MS said they
have since fixed the problem). I have read the entire research paper
and you can tell by their comments that they're shocked at how such a
flaw could find its way into the most widely used OS in the world.
Keep in mind this attack was not some theoretical "look at use we're
awesome and are going to get academic accolades for our totally
impractical attack", but was a real practical attack. This attack
could be used by an adversary to reveal all keys created with the RNG
(all past and future keys -- a pretty horrendous flaw). Now since NSA
has the source code to Windows, do you think they didn't discover
this flaw independently? I would bet my house they did.
Ari Silverstein
Which is /this/ group?
nix
I know because I took the shot.
A photograph or media may be described as overexposed when there is
loss of highlight detail, that is, when the bright parts of an image
are effectively all white, known as “blown out highlights” (or
“clipped whites“). A photograph or media may be described as
underexposed when there is loss of shadow detail, that is, the dark
areas indistinguishable from black, known as “blocked up shadows” (or
sometimes “crushed shadows,” “crushed blacks,” or “clipped blacks,”
especially in video.)
And I’ve got the correct exposure on you. Over not under :0)
chronomatic
> are effectively all white, known as ļæ½blown out highlightsļæ½ (or
> ļæ½clipped whitesļæ½). A photograph or media may be described as
> underexposed when there is loss of shadow detail, that is, the dark
> areas indistinguishable from black, known as ļæ½blocked up shadowsļæ½ (or
> sometimes ļæ½crushed shadows,ļæ½ ļæ½crushed blacks,ļæ½ or ļæ½clipped blacks,ļæ½
> especially in video.)
>
> And Iļæ½ve got the correct exposure on you. Over not under :0)
Looney.
Now fast forward a few years past the above-mentioned Windows 2000ish
RNG flaw. More recently another RNG was introduced, the Dual_EC_DRBG
RNG (which is included in more modern versions of Windows -- but it
is not the default RNG, just to be fair). This RNG is actually a NIST
standard and was designed by the NSA. It was studied by a few crypto
experts (Neils Ferguson among them) and they came to the conclusion
that the elliptic curve constants used in the design were chosen by
NSA and thus would make it extremely easy for them to hide a backdoor
in the RNG itself. This would be almost impossible to prove by an
outsider, but the potential for it is clearly there and would be
simple for NSA to do. As you know, anyone who has control of the RNG
has control over the entire crypto system and all encrypted data
produced by it (no matter how strong the crypto software is).
Ari Silverstein
>> are effectively all white, known as “blown out highlights” (or
>> “clipped whites“). A photograph or media may be described as
>> underexposed when there is loss of shadow detail, that is, the dark
>> areas indistinguishable from black, known as “blocked up shadows” (or
>> sometimes “crushed shadows,” “crushed blacks,” or “clipped blacks,”
>> especially in video.)
>>
>> And I’ve got the correct exposure on you. Over not under :0)
>
> Looney.
You don't know the tenth of it. lol
--
"The only truly secure system is one that is powered off, cast in a
block of concrete and sealed in a lead-lined room with armed guards -
and even then I have my doubts." - Gene Spafford
chronomatic
I know 10x 10 tenths of it.
The problem with crypto is there are so many moving (and extremely
complex) parts that its hard to get right even when you are trying to
get it right. You have RNG's, ciphers, hash functions, key
strengthening mechanisms, padding, salts, etc. Therefore, it is
extremely easy for an organization with NSA's technical expertise to
compromise it. That's why having open-source code and an open
discussion of the design (both before and after it is implemented) is
so important. This is why I think all future algorithms and hashes
should be selected by a process like the AES and SHA-3 competitions.
And this is why I am suspect of the SHA-1 and SHA-2 hash family
design (they were designed solely by NSA). Sure, they might be
perfectly secure, but with NSA's history it's just hard to trust
them. This is why I am ready for the SHA-3 algorithm to be adopted,
as all the candidates were designed by independent experts in the
field.
LCC
nix
So, chronomatic, as time times and we wander about the face of the
CLOCK, have you morphed? Into the venom that you spew? Reverse
engineered?
<http://platanalytics.com/wp-content/uploads/2010/07/a304_green_pit_viper3.jpg>
DasFox
Tech here...BEWARE...IP address WILL be geolocated, recorded and used
for foul...
chronomatic
That's enough, you are obviously high.
So in closing, we have three major strikes against closed-source
crypto:
1) _NSA_KEY
2) Windows 2000/XP RNG flaw
3) Dual_EC_DRBG included in all Windows versions (but not used by
default)
All three of these flaws are in Windows itself, unfortunately. But the
same problems could be there in any closed-source crypto.
Get psychological help.
<eom>
LCC
> On Sat, 15 Jan 2011 00:04:09 -0800 (PST), LCC wrote:
> > On Jan 15, 1:56 am, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
> >> On Fri, 14 Jan 2011 23:47:20 -0800 (PST), LCC wrote:
> >>> On Jan 15, 1:44 am, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
> >>>> On Fri, 14 Jan 2011 23:36:29 -0800 (PST), LCC wrote:
> >>>>> The reason why I gave specifications in my "Merry Christmas" posts
> >>>>> rather than source code is so that any high school graduate geek could
> >>>>> write his own source code in a couple of weekends, with the exception
> >>>>> of the very first post...
>
> >>>>> Lonnie Courtney Clay
>
> >>>> ????? link?
> >>>> --
> >>>> If you give me six lines written by the hand of the most honest of
> >>>> men, I will find something in them which will hang him. ~Cardinal
> >>>> Richelieu
>
> >>> Google groups search this group "Lonnie Courtney Clay" "Merry
> >>> Christmas" series is 13 posts from 2007 Jun until Nov 2010...
>
> >>> Lonnie Courtney Clay
>
> >> Which is /this/ group?
>
> > usenet sci.crypt of course...
>
> > first post...
>
> > Lonnie Courtney Clay
>
> Tech here...BEWARE...IP address WILL be geolocated, recorded and used
> for foul...
>
> THANKS
> --
> Tech, computer repair specialist (on the side), part time Tech
> Pro poster to Wilders Security...home base...On usenet to help noobs
> Not me...
http://groups.google.com/group/lonnie-courtney-clay/browse_thread/thread/e588daa1ea86afb6
post specification number 13 on my personal group. All of the posts
are available there...
Lonnie Courtney Clay
Ari Silverstein
Hey, I remember you! You're as coo-coo as nix. Married?
Ari Silverstein
You still living down the way from my old haunts in Cordova?
--
ļæ½If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him.ļæ½ ~Cardinal
Richelieu
DasFox
This is TECH here not your Mother's Baking Group...
I know...smell...a honeypot when I smell it...
Troll...
Ari Silverstein
I clicked the site :( and now I am without useful sperm seed. :(
LCC
On Jan 15, 2:14 am, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
> On Sat, 15 Jan 2011 00:04:09 -0800 (PST), LCC wrote:
> > On Jan 15, 1:56 am, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
> >> On Fri, 14 Jan 2011 23:47:20 -0800 (PST), LCC wrote:
> >>> On Jan 15, 1:44 am, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
> >>>> On Fri, 14 Jan 2011 23:36:29 -0800 (PST), LCC wrote:
> >>>>> The reason why I gave specifications in my "Merry Christmas" posts
> >>>>> rather than source code is so that any high school graduate geek could
> >>>>> write his own source code in a couple of weekends, with the exception
> >>>>> of the very first post...
>
> >>>>> Lonnie Courtney Clay
>
> >>>> ????? link?
> >>>> --
> >>>> If you give me six lines written by the hand of the most honest of
> >>>> men, I will find something in them which will hang him. ~Cardinal
> >>>> Richelieu
>
> >>> Google groups search this group "Lonnie Courtney Clay" "Merry
> >>> Christmas" series is 13 posts from 2007 Jun until Nov 2010...
>
> >>> Lonnie Courtney Clay
>
> >> Which is /this/ group?
>
> > usenet sci.crypt of course...
>
> > first post...
>
> > Lonnie Courtney Clay
>
> Hey, I remember you! You're as coo-coo as nix. Married?
> --
> If you give me six lines written by the hand of the most honest of
> men, I will find something in them which will hang him. ~Cardinal
> Richelieu
LOL interesting that you should ask if I am married, as I am
corresponding with a Russian psychotherapist whom I will probably
marry. Upon finding a wife, you will be surprised at the change in my
surface persona. The past efforts which I have made on the internet
have been for the sole purpose of finding a woman intelligent enough
to decipher what I am saying. Mission accomplished!
Lonnie Courtney Clay
Ari Silverstein
Nice set of posts Time-O-Matic, next time leave the flat chested,
spindly legged, horse-faced...
<http://platanalytics.com/wp-content/uploads/2010/08/22286975986_ORIG2.jpeg>
...nix-bitch at Wilders. /lol/
Ari Silverstein
Oh please don't marry nix. Oh, *Russkie*, well, good luck there. Never
had a Russkie bitch, report back :)
Ari Silverstein
> Valium? I know you think you can carry on some kind of legitimate
> argument but if I were you, I'd start by rethinking the porn links you
> put on that macabre', drug induced website of yours.
>
> http://platanalytics.com/page/4/
>
> http://www.redtube.com/25232
*BWAHAHAAAAHAAAAAA*
LCC
http://www.youtube.com/watch?v=7dx2CUMtZ-0
LOL LOL as I said, mission accomplished!
Lonnie Courtney Clay
Ari Silverstein
Damn, flourescent! lol
Seriously, I used to ride horsies at a friends farm in Oakland and
spent many a drunken HS night at Lakeland Amusement park.
LCC
I live in Fayette county outside Arlington. Memphis center is about 40
miles away, we pass Lakeland exit is on the way into town...
Lonnie Courtney Clay
Ari Silverstein
Next time hang a roundabout right at the Rockcreek Parkway exit, we
lived off Colonial Golf course for years. At the terminus of I-40
right be4 Overton Park, I used to own a building where my office
resided. Went to Rhodes (Southwestern back then), member of Chickasaw
CC.
You know where I-40 meets i-240? The exit right before it, I can't
remember the name, Wimbledon tennis courts, oh shit, Belz would kill
me, anyway, Jack Belz and I JVed that office park.
Hey, we're practically related!
--
ļæ½If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him.ļæ½ ~Cardinal
Richelieu
Ari Silverstein
Shelby Oaks Corporate Center! heh I knew I'd remember.
--
ļæ½If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him.ļæ½ ~Cardinal
Richelieu
Ari Silverstein
Ari Silverstein
> On Sat, 15 Jan 2011 00:35:28 -0800 (PST), LCC wrote:
>
NOT.
This video is no longer available because the YouTube account
associated with this video has been terminated.
Sorry about that.
--
ļæ½If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him.ļæ½ ~Cardinal
Richelieu
Ari Silverstein
> On Sat, 15 Jan 2011 03:47:19 -0500, Ari Silverstein wrote:
>
>> On Sat, 15 Jan 2011 00:35:28 -0800 (PST), LCC wrote:
>>
Select "the famous Tarzan yell" from :
http://users.skynet.be/sky40152/movie.htm
*LOL* Loved that we used to run around our neighborhood yodelng like
Johnny!
Ari Silverstein
> On Sat, 15 Jan 2011 03:47:19 -0500, Ari Silverstein wrote:
>
>> On Sat, 15 Jan 2011 00:35:28 -0800 (PST), LCC wrote:
>>
Born to be wild :
My first concert at the Mid south Colosseum
http://www.youtube.com/watch?v=V7tuUG6dLv4
LCC
Tarzan yell nowadays, they will haul you off to the rubber room...
Lots of the links have rotted since 2007...
https://sites.google.com/site/lonniecourtneyclay/
documents the course of my mating dance, thousands of pages of text...
Lonnie Courtney Clay
Ari Silverstein
Nice site, you do realize that it is useless to rally around the long
decayed BORs, yes?
--
Passwords, people, they are not just for game shows. If you refuse to
make the effort to remember a few long, diverse passwords, then don't
scream at me
when your FICO is 496 and your bank accounts are zeroed out.
LCC
After this conversation, I might get deported to Russia instead of her
coming to the U.S.A. to marry me. Frankly Scarlett, I don't care
either way LOL.
Lonnie Courtney Clay
DasFox
>>> *LOL* Loved that we used to run around our neighborhood yodelng like
>>> Johnny!
>>> --
>>> If you give me six lines written by the hand of the most honest of
>>> men, I will find something in them which will hang him. ~Cardinal
>>> Richelieu
>>
>> Tarzan yell nowadays, they will haul you off to the rubber room...
>> Lots of the links have rotted since 2007...
>>
>> https://sites.google.com/site/lonniecourtneyclay/
>> documents the course of my mating dance, thousands of pages of text...
>>
>> Lonnie Courtney Clay
>
> Nice site, you do realize that it is useless to rally around the long
> decayed BORs, yes?
LCC "Ari" is FRANK CAMPER who had to change his name to Duane
Ritter...
CAREFUL...
<https://encrypted.google.com/search?q=%22frank+camper%22+ritter&ie=UTF-8>
KILLER...
<http://www.secure-gear.com/security-software/Re-Worried-Yet-19733-.htm>
Frank lures in with LIES...
DasFox
> Frankly
GOOD...you got my post...
Ari Silverstein
Tell me you have met her...other than an ad in a mag.
--
9ec4c12949a4f31474f299058ce2b22a
LCC
http://www.youtube.com/my_playlists?p=853E41AA07CFFB73
Have a selection of tunes to make you feel better. I couldn't care
less who he or anybody else is...
Lonnie Courtney Clay
LCC
http://www.military-quotes.com/forum/roast-obl-t43646.html
Because if the Islamofascists couldn't get to me in three years,
nobody else is likely to make it to the house...
Lonnie Courtney Clay
DasFox
YOU don't hear me...
Am I getting through...?
FRANK CAMPER "Ari" will come to you now that you have divulged to KILL
you...
"Camper was arrested on suspicion of conspiring with two California
woman - Charlotte Wychoff and Elizabeth Leta Hamilton - to set two
car bombs in a failed attempt to *kill* Robyn Richoff and Harriet
Russo. The attempted victims were disgruntled employees of Hamilton
and Wychoff..."
Note *KILL*...you have put yourself and your bride in HEAVY DANGER...
Ari Silverstein
Fox, if I wanted him dead, LCC wouldn't be posting.
--
"It's Google's world, and we're just living in it." ~ Clint Bouton,
2010
DasFox
More trolling...
You do not own this playlist...is what it said...
Ari Silverstein
Hey, Lonnie, I gotta scoot, day starts here at 0500, will look at your
stuff and get back.
--
Just Say Now!
http://firedoglake.com/justsaynow
LCC
http://en.wikipedia.org/wiki/Three_Days_of_the_Condor
LOL nobody really knows who anybody else is in this game of life...
Lonnie Courtney Clay
LCC
DasFox
LISTEN to me...Camper is CIA
see bottom of pg...
<http://theaircooledroadracers.blogspot.com/2006/11/retro-racings-frank-camper-shares-his.html>
http://preview.tinyurl.com/4gfd574
Camper hunts Usenet for prey...you have divulged to much...he's
working you...FACT....
http://preview.tinyurl.com/4l6rsoz
No JOKE...pay attention to me...
DasFox
GO TO HELL...I will hunt you forever...you KILLED my friends...
NEVER FORGET...ETERNAL VIGILANCE...
LCC
> On Sat, 15 Jan 2011 01:22:06 -0800 (PST), LCC wrote:
> > On Jan 15, 3:18 am, LCC <claylon...@comcast.net> wrote:
> >> On Jan 15, 3:13 am, DasFox <das...@gmail.com> wrote:
>
> >>> On Sat, 15 Jan 2011 01:08:51 -0800 (PST), LCC wrote:
> >>> > Frankly
>
> >>> GOOD...you got my post...
>
> >>> THANKS
> >>> --
> >>> Tech, computer repair specialist (on the side), part time Tech
> >>> Pro poster to Wilders Security...home base...On usenet to help noobs
> >>> Not me...
>
> >>http://www.youtube.com/my_playlists?p=853E41AA07CFFB73
>
> >> Have a selection of tunes to make you feel better. I couldn't care
> >> less who he or anybody else is...
>
> >> Lonnie Courtney Clay
>
> >http://www.military-quotes.com/forum/roast-obl-t43646.html
>
> > Because if the Islamofascists couldn't get to me in three years,
> > nobody else is likely to make it to the house...
>
> > Lonnie Courtney Clay
>
> LISTEN to me...Camper is CIA
>
> see bottom of pg...
>
>
> http://preview.tinyurl.com/4gfd574
>
> Camper hunts Usenet for prey...you have divulged to much...he's
> working you...FACT....
>
> http://preview.tinyurl.com/4l6rsoz
>
> No JOKE...pay attention to me...
>
> THANKS
> --
> Tech, computer repair specialist (on the side), part time Tech
> Pro poster to Wilders Security...home base...On usenet to help noobs
> Not me...
I am not worried about anything, least of all a CIA agent, unless he
does something unsanctioned, in which case he might be surprised what
happens...
Thanks for your concern. DON'T PANIC! LOL LOL Douglas Adams...
Lonnie Courtney Clay
DasFox
> I am not worried about anything, least of all a CIA agent, unless he
> does something unsanctioned, in which case he might be surprised what
> happens...
DEAD...that's waht you will be...Camper has survived for over 55yrs of
covert and clandestine KILLING sprees and YOU think YOU are
superior...?
Dude, fuck off with your delusionals and your silly assed web
assertions...
You are WARNED...
LCC
Not me at all. I don't need a gun, I have a donk, as in "Crocodile
Dundee". I am sorry that I annoyed you, I certainly did not intend to
annoy anyone...
Lonnie Courtney Clay
Dave U. Random
> On Sat, 15 Jan 2011 00:11:57 -0800 (PST), LCC wrote:
>
>> On Jan 15, 2:07 am, DasFox <das...@gmail.com> wrote:
>>> On Sat, 15 Jan 2011 00:04:09 -0800 (PST), LCC wrote:
>>>> On Jan 15, 1:56 am, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>>>>> On Fri, 14 Jan 2011 23:47:20 -0800 (PST), LCC wrote:
>>>>>> On Jan 15, 1:44 am, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>>>>>>> On Fri, 14 Jan 2011 23:36:29 -0800 (PST), LCC wrote:
>>>>>>>> The reason why I gave specifications in my "Merry Christmas" posts
>>>>>>>> rather than source code is so that any high school graduate geek could
>>>>>>>> write his own source code in a couple of weekends, with the exception
>>>>>>>> of the very first post...
>>>
>>>>>>>> Lonnie Courtney Clay
>>>
>>>>>>> ????? link?
>>>>>>> If you give me six lines written by the hand of the most honest of
>>>>>>> men, I will find something in them which will hang him. ~Cardinal
>>>>>>> Richelieu
>>>
>>>>>> Christmas" series is 13 posts from 2007 Jun until Nov 2010...
>>>
>>>>>> Lonnie Courtney Clay
>>>
>>>>> Which is /this/ group?
>>>
>>>> usenet sci.crypt of course...
>>>> http://groups.google.com/group/sci.crypt/browse_thread/thread/9116d40...
>>>
>>>> first post...
>>>
>>>> Lonnie Courtney Clay
>>>
>>> for foul...
>>>
>>> THANKS
>>> --
>>> Tech, computer repair specialist (on the side), part time Tech
>>> Pro poster to Wilders Security...home base...On usenet to help noobs
>>> Not me...
>>
>>
>> post specification number 13 on my personal group. All of the posts
>> are available there...
>>
>> Lonnie Courtney Clay
>
> This is TECH here not your Mother's Baking Group...
>
> I know...smell...a honeypot when I smell it...
>
> Troll...
>
> THANKS
Recipes for cooking fox:
http://answers.yahoo.com/question/index?qid=20080410031509AAuhWb7
"Fox meat is not tender and has a wild taste about it...
I will require that you let the meat lie overnight in salted water with a hint of vinegar in it...
Next day it should be cooked on a low heat for four hours or so or cut in to cubes and cooked in a pressure pot for about an hour...
It makes for a venison stew when done with potatoes and vegetables.
We usually do not fry or BBQ it because it is tough.
Remember that a fox has almost no fat so the meat tends to be dry like deer meat would be...
I do not think it is wonderful at all, and would avoid eating it"
DasFox
You've never had good venison...OBVIOUS
> I do not think it is wonderful at all, and would avoid eating it"
No problems, I keep my MEAT behind my zipper...LOL
unruh
On 2011-01-15, nix <ms...@hushmail.com> wrote:
> On Sat, 15 Jan 2011 02:28:06 -0500, chronomatic wrote:
>
>> There are a number of open-source crypto projects (GnuPG being a big
>> one) and those developers are not anonymous, they use their real
>> names on the mailing lists, and generally interact with other
>> cryptologists.
>>
>> The argument I hear is if their actual identities were known then we
>> would probably also have some basic facts about their education,
>> their backgrounds, etc. You know, just like a normal person. You want
>> to know something about somebody before you hire him/trust
>> him/whatever, right? You don't just say, "Well, there are many other
>> people that I deal with on the street who are relatively unknown or
>> anonymous, and my interactions with them have been mostly ok, so
>> yeah, I guess I really don't need to know anything else about this
>> guy in the shadows whose software I am relying on to protect my most
>> important data." meh
>>
>> I agree it would be better to know who they are. For instance, I
>> would rather have my crypto software designed by someone like Bruce
>> Schneier who is A) well known and well respected and B) supports
>> open-source.
>>
>> Still, open source is far and away the better choice.
>
> As a result of following that line of reasoning we seem to have this
> "black hole" that software comes out of that we all use. For all we
> know, that hole could actually be located in the deliberately obscure
> corner office of a major intelligence agency, possibly located in any
> of several countries. Or any other private group operating under its
> own agenda, of which we know nothing. Unknown/ Untold! Undeserving.
But you have the product and can, if you desire, read it and figure out
how good it is. That is something you cannot do with closed source. It
could also come out of some deliberately obscure corenr office of a
major intelligence agency, and you would never know it.
LCC
we know nothing. Unknown/ Untold! Undeserving."
UNemployed UNfathomable UNlikely UNpredictable UNutterably OBScure...
LOL LOL!
Lonnie Courtney Clay
nix
Cyber IEDs for sale ;)
Listen, I need to make this brief as I嚙踝蕭m baking some amaretti cookies
for Lieutenant General Keith Alexander. I have a little treat planned
for his next coffee break. There嚙踝蕭s nothing like the smell of cookies
to hide the aura of fried ions that嚙踝蕭s enveloping the NSA. All of my
guests are intimately familiar with the issues. ;0)
You are invited. ;)
More specifically, we need to reengineer the Internet to make
attribution, geolocation, intelligence analysis and impact assessment
嚙碼 who did it, from where, why and what was the result 嚙碼 more
manageable.
--
I want love and kisses and ponies in a field of pornographic pleasure.
nix
Semiotic nays(l)ayer? With Deltability backgrounds? Feeling along with
CommunuoRussians? Believable?
Playing with semiotics is like playing hide and seek with meaning.
Semiotic deconstruction is an incantation. It invents reality by
deconstructing myth. Semiotics breaks and illuminates. It is
communication fission. Learn this by heart. The CIA is supposed to
know this.
"Indeed, adversaries have already taken advantage of computer
networks and the power of information technology…to influence
directly the perceptions and will of the U.S. Government and the
American population."
LCC
http://www.military-quotes.com/forum/what-listening-right-now-page660-t6830.html
Have a heaping double ration of BS. Can you tell a bald faced lie from
the bare faced truth?
LCC
Winner and STILL ChampION! LOL LOL!
Lonnie Courtney Clay
LCC
search my full name, rec.gambling.poker 2007...
"MOBY DICK rises from the deep laughing crazily and spreads a royal
flush"
Had enough of my snow jobs?
Lonnie Courtney Clay
nix
If they are one in the same? Can you? ;)
The access to cryptocommunication enables the formation of organic
intelligence entities. Organic intelligence entities, as opposed to
structural ones, are driven by ideology. They have their own momentum.
They have no dead weight. Everyone is there because they want to be
there.
Unlike open sores or open source? ;0)
LCC
> On Sat, 15 Jan 2011 17:26:13 -0800 (PST), LCC wrote:
> > On Jan 15, 7:12 pm, nix <m...@hushmail.com> wrote:
> >> On Sat, 15 Jan 2011 16:16:51 -0800 (PST), LCC wrote:
> >>> "Or any other private group operating under its own agenda, of which
> >>> we know nothing. Unknown/ Untold! Undeserving."
>
> >>> UNemployed UNfathomable UNlikely UNpredictable UNutterably OBScure...
>
> >>> LOL LOL!
>
> >>> Lonnie Courtney Clay
>
> >> Semiotic nays(l)ayer? With Deltability backgrounds? Feeling along with
> >> CommunuoRussians? Believable?
>
> >> Playing with semiotics is like playing hide and seek with meaning.
> >> Semiotic deconstruction is an incantation. It invents reality by
> >> deconstructing myth. Semiotics breaks and illuminates. It is
> >> communication fission. Learn this by heart. The CIA is supposed to
> >> know this.
>
> >> "Indeed, adversaries have already taken advantage of computer
> >> networks and the power of information technology…to influence
> >> directly the perceptions and will of the U.S. Government and the
> >> American population."
> >> --
> >> I want love and kisses and ponies in a field of pornographic pleasure.
>
>
> > Have a heaping double ration of BS. Can you tell a bald faced lie from
> > the bare faced truth?
>
> > LOL LOL!
>
> > Lonnie Courtney Clay
>
> If they are one in the same? Can you? ;)
>
> The access to cryptocommunication enables the formation of organic
> intelligence entities. Organic intelligence entities, as opposed to
> structural ones, are driven by ideology. They have their own momentum.
> They have no dead weight. Everyone is there because they want to be
> there.
>
> Unlike open sores or open source? ;0)
> --
> I want love and kisses and ponies in a field of pornographic pleasure.
LOL LOL I am an omnivorous onion devouring the world's cultural
compost heap. My persona typing in this message knows nothing of the
forces moving beneath the surface, except that they are really
jokers...
http://groups.google.com/group/lonnie-courtney-clay/browse_thread/thread/634e49f8e70e6b93?hl=en
http://www.youtube.com/watch?v=uLemdORSx_E
DIG IT?
The current (and fourth) volume in my internet ebook series is
titled :
"For all those fuc*ers out there"...
Lonnie Courtney Clay
Fritz Wuehler
> But you have the product and can, if you desire, read it and figure out
> how good it is. That is something you cannot do with closed source.
Wrong again. That may be something YOU cannot do with closed source. But it
is not something that cannot be done with closed source or no source.
I personally question how many can do it with open source. Mostly its a warm
fuzzy for you guys because you can't write code or read it. You're just
fooling yourselves.
If you are a real developer you can look at the executable. A real developer
doesn't need source to know what the code is doing and a real developer
would know the source is no proof of anything. If you really want to know
what the code does first you have to know you are looking at the right
code. That's what disassemblers are for. There is no guarantee the source
you have matches the executable you are running. What matters is the
executable. You constantly miss this point. That tells me you're not a
developer. You seem to understand crypto pretty well. Stick with what you
know and don't lecture people on things you don't know.
> It could also come out of some deliberately obscure corenr office of a
> major intelligence agency, and you would never know it.
You would never know it even if it was in the source because nobody has time
to audit all the source for everything they use. Even if you did you
couldn't audit everything in the chain from compiler, linker down to the
hardware. You're fooling yourself. Open source is for communists. The only
purpose it serves is creating a legion of mindless serfs who trust anything.
That's worse than closed source which at least creates a healthy environment
of distrust. That distrust should be extended to all software regardless of
license, open/closed, etc.
kg
>If you are a real developer you can look at the executable. A real developer
>doesn't need source to know what the code is doing and a real developer
>would know the source is no proof of anything.
Maybe "The Story of Mel, a Real Programmer" is an appropriate response.
I've had the pleasure of reading decompiled Java code for a moderately
large program. The original code would have been useful. Documentation
would have been even more useful.
--
kg
Bilbo Warble
> LOL interesting that you should ask if I am married, as I am
> corresponding with a Russian psychotherapist whom I will probably
psychotherapist
psycho-the-rapist
just sayin'
unruh
> unruh <un...@wormhole.physics.ubc.ca> wrote:
>
>> But you have the product and can, if you desire, read it and figure out
>> how good it is. That is something you cannot do with closed source.
>
> Wrong again. That may be something YOU cannot do with closed source. But it
> is not something that cannot be done with closed source or no source.
>
> I personally question how many can do it with open source. Mostly its a warm
> fuzzy for you guys because you can't write code or read it. You're just
> fooling yourselves.
You cannot eat rice with a hair. Therefore there is no point in trying
to eat rice.
Source code is so many orders of magnitude easier to read than compilled
code that your comparison becomes ludicrous. Yes, IF you are interested
in one particular little well defined feature of a program, you can read
the compiled code (have you ever tried that with a FORTH compiled code?)
but it is hard.
No it is not a warm fuzzy. It does two things, it makes it so much
easier to read that someone will read it and the producer knows that it
is easier to read and that will help dissuade him from sticking in the
problem.
>
> If you are a real developer you can look at the executable. A real developer
> doesn't need source to know what the code is doing and a real developer
> would know the source is no proof of anything. If you really want to know
Horseshit. A real developer also has difficulty reading compiled code.
> what the code does first you have to know you are looking at the right
> code. That's what disassemblers are for. There is no guarantee the source
> you have matches the executable you are running. What matters is the
Sure there is, if I compile it myself. That is what compilers are for.
> executable. You constantly miss this point. That tells me you're not a
> developer. You seem to understand crypto pretty well. Stick with what you
> know and don't lecture people on things you don't know.
>
>> It could also come out of some deliberately obscure corenr office of a
>> major intelligence agency, and you would never know it.
>
> You would never know it even if it was in the source because nobody has time
> to audit all the source for everything they use. Even if you did you
> couldn't audit everything in the chain from compiler, linker down to the
You seem to think that it is an all or nothing affair. "If I cannot
guarentee 100% I might as well do nothing". To believe that the compiler
and linker could have been subverted in order to subvert this one single
program I am using is getting into the realm of paranoia.
> hardware. You're fooling yourself. Open source is for communists. The only
??? And now you are frothing at the mouth.
> purpose it serves is creating a legion of mindless serfs who trust anything.
> That's worse than closed source which at least creates a healthy environment
> of distrust. That distrust should be extended to all software regardless of
And in which you can do nothing to verify your trust.
> license, open/closed, etc.
>
LCC
http://www.youtube.com/watch?v=mJmjB1GvJO0
Data seduced by Tasha - Star Trek
LOL LOL
Lonnie Courtney Clay
Anonymous
> unruh <un...@wormhole.physics.ubc.ca> wrote:
>
>> But you have the product and can, if you desire, read it and figure out
>> how good it is. That is something you cannot do with closed source.
>
> Wrong again. That may be something YOU cannot do with closed source. But
> it is not something that cannot be done with closed source or no source.
*chuckle*
By all MEANS do entertain us by trying to explain how, in your bizarre
little mind, you're rationalizing a statement to the effect that you can
see something that's not there. How the voices in your head guide you
along the way...
> I personally question how many can do it with open source. Mostly its a
> warm fuzzy for you guys because you can't write code or read it. You're
> just fooling yourselves.
Nevermind... your whole "argument" just degraded to the online equivalent
of a 4 year old stomping his feet and screeching "IS NOT! IS NOT! IS
NOT!" as loud as they can.
<idiotic straw grabs at what "real developers" might do... flushed>
Ari Silverstein
> I personally question how many can do it with open source. Mostly its a warm
> fuzzy for you guys because you can't write code or read it. You're just
> fooling yourselves.
>
> If you are a real developer you can look at the executable. A real developer
> doesn't need source to know what the code is doing and a real developer
> would know the source is no proof of anything. If you really want to know
> what the code does first you have to know you are looking at the right
> code. That's what disassemblers are for. There is no guarantee the source
> you have matches the executable you are running. What matters is the
> executable. You constantly miss this point. That tells me you're not a
> developer. You seem to understand crypto pretty well. Stick with what you
> know and don't lecture people on things you don't know.
>
>> It could also come out of some deliberately obscure corenr office of a
>> major intelligence agency, and you would never know it.
>
> You would never know it even if it was in the source because nobody has time
> to audit all the source for everything they use. Even if you did you
> couldn't audit everything in the chain from compiler, linker down to the
> hardware. You're fooling yourself. Open source is for communists.
You were doing so well until...........^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
THIS
Now you're a buffoon.
nix
>> nix here. So, chronomatic, as time times and we wander about the
>> face of the CLOCK, have you morphed? Into the venom that you spew?
>> Reverse engineered?
>>
>> <http://platanalytics.com/wp-content/uploads/2010/07/a304_green_pit_viper3.jpg>
>
> That's enough, you are obviously high.
>
> So in closing, we have three major strikes against closed-source
> crypto:
>
> 1) _NSA_KEY
> 2) Windows 2000/XP RNG flaw
> 3) Dual_EC_DRBG included in all Windows versions (but not used by
> default)
>
> All three of these flaws are in Windows itself, unfortunately. But the
> same problems could be there in any closed-source crypto.
>
> Get psychological help.
>
> <eom>
Isn’t there a substantial difference between an encryption product
that (a) uses an RNG embedded within Windows versus one that (b)
pulls “some of its entropy from OS sources”? Is TrueCrypt less secure
because it pulls “some of its entropy from OS sources”? It’s not at
all clear to me that such is the case. Pull the open" levers? Reject
the rejected? ;)
chronomatic
Well, I am torn on TC itself. The developers make me uneasy. Their
anonymity isn't that big a deal, but their refusal to publicly
publish bugs and publish a changelog is highly suspicious. Any
project that considers itself open-source does not hide bugs and
refuse to publish changelogs.
Truecrypt has no SVN/Git tree that is publicly accessible, that is
their code is not collaborative -- only they can change it. And they
do not accept patches from third parties. It's also difficult to get
past versions of the source code which makes it difficult for people
on the outside to keep track of changes in the code from one version
to the next.
Their coding practices and secrecy makes one suspicious. There is
absolutely no reason for them to do the things they do if they are
really wanting to be transparent and open.
--
Screw the socialist blue-eyed Skindonavian arsewholes.
Ari Silverstein
Suspicious of what? That they could care less what you or anyone else
thinks? They are NSA NOCs?
> Any project that considers itself open-source does not hide bugs and
> refuse to publish changelogs.
Bullshit but I am sure you believe that since the dim bulbs in your
tiny head couldn't illuminate a night light.
> Truecrypt has no SVN/Git tree that is publicly accessible, that is
> their code is not collaborative -- only they can change it. And they
> do not accept patches from third parties. It's also difficult to get
> past versions of the source code which makes it difficult for people
> on the outside to keep track of changes in the code from one version
> to the next.
Like who? Name one person that has ever documented tryig to review TC
source code.
Can't? No fucking shit so there goes that concept of an argument.
> Their coding practices and secrecy makes one suspicious.
One = you, the majority of the rest f us don't give a flying crap.
> There is absolutely no reason for them to do the things they do if
> they are really wanting to be transparent and open.
Guess what? They obviously don't care to be either one of those.
If you can't get through reading a few chapters in a book like
Pfleeger then surely there must be some simpler but rigorous tutorial
on security somewhere on the Net.
Oh, how about WildersASS Security Forum?
*harsh*
--
"Unfortunately, the screams of the insane echo for quite some time on
the Internet." ~ Stephen K. Gielda - "The Church Of The Swimming
Elephant" (www.cotse.net)
nix
> On Sun, 16 Jan 2011 17:49:31 -0500, chronomatic wrote:
>
>> On Sun, 16 Jan 2011 17:47:21 -0500, nix wrote:
>>
>>> On Sat, 15 Jan 2011 03:11:00 -0500, chronomatic wrote:
>>>
>>>>> nix here. So, chronomatic, as time times and we wander about the
>>>>> face of the CLOCK, have you morphed? Into the venom that you spew?
>>>>> Reverse engineered?
>>>>>
>>>>> <http://platanalytics.com/wp-content/uploads/2010/07/a304_green_pit_viper3.jpg>
>>>>
>>>> That's enough, you are obviously high.
>>>>
>>>> So in closing, we have three major strikes against closed-source
>>>> crypto:
>>>>
>>>> 1) _NSA_KEY
>>>> 2) Windows 2000/XP RNG flaw
>>>> 3) Dual_EC_DRBG included in all Windows versions (but not used by
>>>> default)
>>>>
>>>> All three of these flaws are in Windows itself, unfortunately. But the
>>>> same problems could be there in any closed-source crypto.
>>>>
>>>> Get psychological help.
>>>>
>>>> <eom>
>>>
>>> Isnļæ½t there a substantial difference between an encryption product
>>> that (a) uses an RNG embedded within Windows versus one that (b)
>>> pulls ļæ½some of its entropy from OS sourcesļæ½? Is TrueCrypt less secure
>>> because it pulls ļæ½some of its entropy from OS sourcesļæ½? Itļæ½s not at
Happy New Year, Frank. Youļæ½ve got your glass of champagne, am I right?
I know weļæ½ve had a running joke here about the champagne, but itļæ½s
truly ok tonight, is it not? Youļæ½re among friends. ;)
Hereļæ½s to the best year of ļæ½listening inļæ½ youļæ½ve ever had. Listening?
But there are some scary stories on the internet, Frank. And some of
them involve you. And I know you probably wish you didnļæ½t have to hear
them. But youļæ½re pretty much forced to consider the possibilities,
arenļæ½t you? Ear to your screen? Bluetoothed? Arms length transactings?
Cheers.
Eutychismenos o kainourgios chronos.
LunchBox
> --
> "Unfortunately, the screams of the insane echo for quite some time on
> the Internet." ~ Stephen K. Gielda - "The Church Of The Swimming
> Elephant" (www.cotse.net)
COTSE Cotse Cotse on and on and on. Transparent shill enough?
Yours truly,
"Lunchturds"
--
I am known as LockBox on the Wilders Security forums. pls do not
say bad words or do anything to frighten me. I am tender.
Ari Silverstein
> Happy New Year, Frank. You’ve got your glass of champagne, am I right?
> I know we’ve had a running joke here about the champagne, but it’s
> truly ok tonight, is it not? You’re among friends. ;)
>
> Here’s to the best year of “listening in” you’ve ever had. Listening?
>
> But there are some scary stories on the internet, Frank. And some of
> them involve you. And I know you probably wish you didn’t have to hear
> them. But you’re pretty much forced to consider the possibilities,
> aren’t you? Ear to your screen? Bluetoothed? Arms length transactings?
>
> Cheers.
>
> Eutychismenos o kainourgios chronos.
There's still time to GTFO before they put them on and take you away
in the ding-ding truck.
<http://2.bp.blogspot.com/_635zBOw7O0w/Smxvnh8t2bI/AAAAAAAAADw/hpYMyCRiKBM/s1600/white+coats.jpg>
> --
> I want love and kisses and ponies in a field of pornographic pleasure.
lol
Anonymous
Ari Silverstein <AriSilv...@yahoo.com> wrote:
<eom>
>
> Nice set of posts Time-O-Matic, next time leave the flat chested,
> spindly legged, horse-faced...
> ...nix-bitch at Wilders. /lol/
I see you like to insult women. Is that easier and more secure for
you? I bet you are a real ladies man yourself, a real charming
hunk of a guy, or is it that your underdeveloped puney wank will
never make prime time on her site or anyone else's. Are you
envious of her obvious creative wit, which surely exceeds your
clogged and arterially deficient grey matter?
Ari Silverstein
> In article <8pd3rl...@mid.individual.net>
> Ari Silverstein <AriSilv...@yahoo.com> wrote:
>
> <eom>
>>
>> Nice set of posts Time-O-Matic, next time leave the flat chested,
>> spindly legged, horse-faced...
>
>> ...nix-bitch at Wilders. /lol/
>
> I see you like to insult women.
Damn, is your whore Mother here...and I messed insulting her? /lol/
--
ļæ½If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him.ļæ½ ~Cardinal
Richelieu
Mok-Kong Shen
> unruh<un...@wormhole.physics.ubc.ca> wrote:
>
>> But you have the product and can, if you desire, read it and figure out
>> how good it is. That is something you cannot do with closed source.
>
> Wrong again. That may be something YOU cannot do with closed source. But it
> is not something that cannot be done with closed source or no source.
>
> I personally question how many can do it with open source. Mostly its a warm
> fuzzy for you guys because you can't write code or read it. You're just
> fooling yourselves.
See the development history of Linux. Consider even an extreme analogue:
most mathematicians wouldn't check the proof of FLT because of lack of
knowledge and/or time but some experts do carefully read the paper
(indeed the original version had errors that were found and later
corrected) and that's sufficient for the correctness of the result to
be established. As I mentioned in the thread on potential RSA backdoors
in key generation software for certification, programverification
techniques could be applied to open sources (obviously certain
requirements on the quality of the codes to be verified must be
fulfilled).
M. K. Shen
Noob
> This is true. It is possible to put backdoors in software that are
> very deviously hidden (there is a competition every year called the
> "C code obfuscation contest" where people do things like this on
> purpose, as a contest, and are judged afterwards. The winner in 2008
> was so clever that not even the judges understood how his code did
> what it did).
[citation needed]
As far as I can tell, the last contest (the 19th IOCCC) occurred in 2007,
and the source code for the winning entries is not yet available.
http://www.ioccc.org/main.html
http://www.ioccc.org/years.html
http://developers.slashdot.org/article.pl?sid=09/02/25/0147244
Anonymous
> Source code is so many orders of magnitude easier to read than compilled
> code that your comparison becomes ludicrous.
No, wrong again. People can develop skills reading source or executables.
It's just doing it every day until you get good at it. You're fooling
yourself into believing having source helps you. You don't audit all your
source, nobody has time for that. Like I said you are taking it on faith
the compiler and linker and OS do what the source says. That's unlikely even
without malice.
> No it is not a warm fuzzy. It does two things, it makes it so much
> easier to read that someone will read it and the producer knows that it
> is easier to read and that will help dissuade him from sticking in the
> problem.
No, it does no such thing. What it does is lull you into a false sense of
security because you think somebody else will audit it. It turns out nobody
audits anything. It's a big happy circle jerk.
> Horseshit. A real developer also has difficulty reading compiled code.
I don't. It's just practice, practice, practice.
> > code. That's what disassemblers are for. There is no guarantee the
> > source you have matches the executable you are running. What matters is
> > the
> Sure there is, if I compile it myself. That is what compilers are for.
No, you keep missing the simple facts. Your compiler could be compromised.
It could be buggy. If it's gcc it *is* buggy. Your linker coule be
compromised or buggy. Your OS could be compromised or buggy. Get it? What's
your threat model? Just that somebody gives you bad source and you can find
it? You have to be able to insure that the source gets compiled as it should
and you really have no way of knowing that unless you audit each executable.
Nobody has time for that. Game over.
> You seem to think that it is an all or nothing affair. "If I cannot
> guarentee 100% I might as well do nothing". To believe that the compiler
> and linker could have been subverted in order to subvert this one single
> program I am using is getting into the realm of paranoia.
Why is that any more paranoid than thinking the app is compromised? If I can
patch your toolchain with exploits I can p0wn your whole system, I don't
have to screw around with separate source applications. One stop shopping.
It's economical and it's a good threat model. Simply finding bugs in the
compiler or linker from outside that could be exploited is a great way to
mount an attack. Why do you insist the only problems are in source?
Compilers and linkers are also source, they're big and complicated and hard
to audit. And all the open source fanbois use the same crappy toolchain.
You painted a nice bullseye on yourselves.
What's your threat model? Only source? You have your head in the sand.
LCC
I have to agree with Anonymous here. Furthermore, he did not mention
that the standard cell design of the chip sets used could be a source
of compromised security. For example, when the cache of a
microprocessor requests a new memory partition, a microcode sequence
could be used to copy the contents of the cache threads about to be
replaced into a disk root file which tracks every memory access on the
machine. So if you EVER had source input to a cryptographic program on
a computer which is available on a network, then potentially, your
activities could be monitored. If you want true security, then do not
use computers at all, keep it in your head...
If you want an audience for your memes, then babble endlessly on the
internet until you attract attention LOL..
Lonnie Courtney Clay
Mok-Kong Shen
> unruh<un...@wormhole.physics.ubc.ca> wrote:
>> Horseshit. A real developer also has difficulty reading compiled code.
>
> I don't. It's just practice, practice, practice.
[snip]
Some 20 years ago I happened to know that there were a few persons
doing sort of bit-programming for a certain hardware that performed
some control functions in certain machines, i.e. without an assembler
but setting practically every bit manually. Certainly, pure
"theoretically" it would also have been feasible to obtain something
as complex as e.g. Windows7 that way. But in cases where more
easy/comfortable ways of doing something in techniqes "is"
(economically) available, why would one "want" to do the same the hard
way?
M. K. Shen
Anonymous
> unruh <un...@wormhole.physics.ubc.ca> wrote:
>
>> Source code is so many orders of magnitude easier to read than
>> compilled code that your comparison becomes ludicrous.
>
> No, wrong again. People can develop skills reading source or
> executables. It's just doing it every day until you get good at it.
What horseshit. Anyne whose EVER done any of this stuff knows damn well
deciphering compiled executables is an order of magnitude more difficult
than reading source code. Period. It's not even in question ya' dimwit,
and if you had anything that even remotely resembled something remotely
related to a clue you'd realize that's one of the MAIN reasons things
like decompilers and debuggers exits.
> You're fooling yourself into believing having source helps you. You
You're being a knuckle dragging buffoon... willfully I'm sure. Nobody's
really THAT fucking stupid.
>> Horseshit. A real developer also has difficulty reading compiled code.
>
> I don't. It's just practice, practice, practice.
Then what does this do smartass...
83 ec 10 b8 c0 84 04 08 89 04 24 e8 22 ff ff ff c9
c3 90 90 90 90 55 89 e5 5d c3 8d 74 26 00 8d bc 27
00 00 00 00 55 89 e5 57 56 53 e8 4f 00 00 00 81 c3
d9 e5 53 83 ec 04 a1 0c 9f 04 08 83 f8 ff 74 13 bb
Hex dump of a common function and enough context that ANYONE could figure
it out.
I can't wait to hear your excuse, fuckwit.
Nomen Nescio
> unruh <un...@wormhole.physics.ubc.ca> wrote:
>
>> Source code is so many orders of magnitude easier to read than
>> compilled code that your comparison becomes ludicrous.
>
> No, wrong again. People can develop skills reading source or
> executables. It's just doing it every day until you get good at it.
What horseshit. Anyne whose EVER done any of this stuff knows damn well
deciphering compiled executables is an order of magnitude more difficult
than reading source code. Period. It's not even in question ya' dimwit,
and if you had anything that even remotely resembled something remotely
related to a clue you'd realize that's one of the MAIN reasons things
like decompilers and debuggers exits.
> You're fooling yourself into believing having source helps you. You
You're being a knuckle dragging buffoon... willfully I'm sure. Nobody's
really THAT fucking stupid.
>> Horseshit. A real developer also has difficulty reading compiled code.
>
> I don't. It's just practice, practice, practice.
Then what does this do smartass...
chronomatic
That was an excellent post, and thanks for posting irrelevant links.
There are several articles actually name names and give quotes from
people who work for closed source companies -- Microsoft included.
That and original articles which came from CNN. Now, the MS spokesman
did not admit "yeah we backdoor Windows" but he did say "whenever you
develop something to do with crypto, you are always going to be
working closely with NSA." One can take that comment two ways:
A) NSA is there to help make a secure product.
B) NSA is there to make sure the crypto isn't too strong.
I think B makes more sense. After all, Americans aren't the only
people to use Windows and NSA wants to ensure they can read foreign
communications. That's their job. It's what they spend billions doing.
It's why they are the single largest employer of mathematicians in
America. I don't mind NSA reading my stuff, but it's a slippery slope.
Perhaps tomorrow other agencies will want this same access. And then
later, LEA's will want it. And then the local police will be jealous
and also want the ability to read all encrypted mail. Before long we
have witch hunts. You get the idea. We have already seen this same
scenario (of Police wanting the help of intelligence agencies) with
the now defunct NAO. That was an office that would give cops access to
spy satellite data. The idea was introduced by Bush but later killed
by Congress, thank God.
Another issue is that introducing intentional flaws for intelligence
agencies often comes with other problems which make the crypto
susceptible to hackers and people in the private sector who exploit
these holes. Intentionally weakening something is simply not a good
idea because the "trap-door" never stays secret. Someone on the
outside will be smart enough to find it eventually.
chronomatic
That was an excellent post, and thanks for posting irrelevant links.
Ari Silverstein
And the list of other potential compromises goes on and on. Spot on to
both of you.
> If you want true security, then do not use computers at all, keep it
> in your head...
There is no complete security hat is practical and cost effective.
Your head id only a waterboard away.
--
“If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him.” ~Cardinal
Richelieu
Ari Silverstein
Certainly. :)
LCC
Wisdom of Foghorn Leghorn
Somebody, ah say somebody knocked...
Ever had a period of months when you would wake up to the sound of
knocks on your bedroom door? Release code from your friendly
neighborhood narco-hypnosis squad...
"Nutty as a fruitcake"...
Lonnie Courtney Clay