Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[INFO] Frog's Summary and Rating of Keyrings Maintainers -- 2003/0

0 views
Skip to first unread message

Anonymous via the Cypherpunks Tonga Remailer

unread,
Sep 25, 2003, 4:03:06 PM9/25/03
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anonymous <Bigapple...@Optonline.Net> wrote:

> On Thu, 25 Sep 2003, Anonymous via the Cypherpunks Tonga Remailer
> <Use-Author-Supplied-Address-Header@[127.1]> wrote:
> >On Fri, 8 Aug 2003, "Dave Korn" <no....@my.mailbox.invalid> wrote:
> >
> ><snip>
> >
> >>Yep, but frog aside, what about jbn? What kind of security problem does =
> it
> >>have?
> >
> >There may be problems with JBN's use of VB random functions. Reliable
> >certainly has some problems there.
> >
> >FWIW, M$ categorically state that the random functions in VB should not be=
>
> >used in crypto applications.
>
> You're right, so it sure is a good thing that *neither* Reliable or Jack B
> Nymble us those random functions for anything but generating file names.

Wrong.

Reliable (1.0.5) uses Rnd in an awful lot of places.

For instance:
- when deciding on the latent time.
- when choosing a random remailer.
- when deciding which skew to allow in Max-Count handling
(yes, more than Max-Count messages are allowed a day)
- when randomizing the length of data that inflate adds.
- when choosing the number of actual hops used in a Rand-Hop: <n>r
directive.
- when selecting a PGP Version for the ASCII armor.
- when generating "random" garbage.

Many of these should not use a poor "random" number generator.

Ishtar

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com

iQA/AwUBP3NE/uDzYSJ1k8qJEQKg4wCgjDME/htbxHCauC8uQ5fBfaew3pAAniWw
4ATvMmqN+DcuV3fEP2phLsHe
=MWqO
-----END PGP SIGNATURE-----

Frog-Admin

unread,
Sep 29, 2003, 10:55:55 AM9/29/03
to
-----BEGIN PGP SIGNED MESSAGE-----

Microsofts' VB "Rnd" is not a random generator, but a pseudorandom generator.
Write a tiny programm to call RND 1000 times and print the result
Call proggy a 1st time
Unload the program
Call proggy a 2st time
Printouts of 1000 numbers will be identical

If you add a "randomize" call at the beginning,
unless you call your program at the same time
(by the 1/1000th of a second (maybe 1/1000000th)
you will get completely different results

If attacker knows the time of "randomize" by 5' minutes
that 5*60*1000 different seeds

- --------------------------------------------------------
But that is not the worse for an attacker (and the best for us).
As you said it: rnd is called in *many* places, at truly 'random' moments, for events you cantt observe.

If you know that the Rnd sequence is 1 2 3 4 5 6 7 ...
If your last observation is "6", you can predict that "next will be 7"
But if you are deprived of a random number of observations,
(say 3, which are used internally) "next" won't be 7, but 10

Reliable does not get its randomness from a pseudorandom generator:
it gets it from the *true* randomness of events which pick on the pseudorandom generator
(just like PGP takes it from random mouse moves or keystrokes)

-----BEGIN PGP SIGNATURE-----
Version: N/A

iQEVAwUBP3gvrYDgT488d3zFAQFrLwgAh3rhtIgNLkjbgnLVLkjiPOWyjCbHlhfl
xHiIyGt+qkNCGlm/I01aBSBL2lsicnXiAivuvGGWErFtF/4j2hqk6oiP/VLBrfbA
H6H0tHJasEG2+385saKCBZOO/rqEVd6S9+bFR8OgGyWcjJ3HZ/cN85JL19lyY52n
zHS8yzCwdnfreEW/BkQWjLXdPqRpuRF2nw6dvZPREkDF6PSJOivkxmH9Xt88EzxI
PR+TmIbQLBMoFuraCEzsKE/FsZCVqgcF2OjbJvMArcHSTSg5sCUm8SJzA+ykdjb3
4Tf9rSC83p5KvYnr4ggPoP16KUtYR9EAA80DbaXZ9RqI3rZ1gAvYGQ==
=9y/R
-----END PGP SIGNATURE-----

Anonymous

unread,
Sep 29, 2003, 11:14:55 AM9/29/03
to

Regarding this joker's nymserver:

You may say, "What wrong with frog's nymserver? The source for
this project is available That makes it safe to use." This is
VERY incorrect. There is much more danger here than, say, an
anon message passing through his remailer. As we all know, it is
frog himself who you must not trust. Why? Because you give frog
all the time in the world to crack your reply block (or pass it
on to the various MIB organizations). Once cracked all your mail
passing through your nym will be readable by him and other
cooperating organizations.

It's your privacy. With all the things frog has done in this
group over 4 years time--the outright abuse, the flooding, the
mail tracing and reading, the lies, the constant suspicious
conduct. Do not test, use, or in any other way promote this
obvious attempt to hijack your privacy.

He has proven untrustworthy in the past. He continues to conduct
himself in an abusive and untrustworthy manner. It has always
been the same since he opened his remailer in 1999. Use of his
services promotes this despicable behavior. Help us run this
joke of an admin out of apas and the privacy community.

0 new messages