
Hacker Contest: Break DriveCrypt and Win 50.000 Euro


Sarah Dean
Apr 11, 2002, 2:18:05 PM

I've just received an email from SecureStar:

"SecurStar GmbH is offering 50,000 Euros (44,000 US$) to the first person
who is able to break a DriveCrypt encrypted
container."

Hmmm...

More choice snippets include:

"We offer this challenge because DriveCrypt is known to be the most secure
and powerful encryption software available..."

(Is it? Is it really? It's *known* to be the *most* secure? So there's
nothing *as* secure (or even more secure) as DriveCrypt?)


"DriveCrypt uses 256 bit military strength encryption allowing..."

(Isn't there something in the snakeoil FAQ about "military strength..."?)


"...prevents brute force attacks as well as passwords from being sniffed
by Hackers or Trojan horses..."

(*Hackers* "sniff" passwords as well as Trojan horses?!)


"The first person who is able to open the container before April 30, 2002"

(So we only get until the end of the month?!)


"The winner agrees to explain and demonstrate to the SecurStar Team the
method they used to break the volume."

(...and presumably if no one comes forward to claim the prize, this
competition will be used to "prove" that DriveCrypt is secure, will it?)


Shaun - This is *NOT* a flame, but *please*, *please*, *please* shout at
SecureStar's marketing dept!

DriveCrypt's a beautiful piece of software, but this kind of marketing
strategy just *reeks* of snakeoil!

Ken D.
Apr 11, 2002, 2:54:35 PM

Sarah Dean wrote:
>
> I've just received an email from SecureStar:
>
> "SecurStar GmbH is offering 50,000 Euros (44,000 US$) to the first person
> who is able to break a DriveCrypt encrypted
> container."
>...

> Shaun - This is *NOT* a flame, but *please*, *please*, *please* shout at
> SecureStar's marketing dept!
>
> DriveCrypt's a beautiful piece of software, but this kind of marketing
> strategy just *reeks* of snakeoil!

not only that but they give only about 18 days to "break" drivecrypt.
a whole 18 days. it's nothing more than marketing drain bamage.

if they were serious they would have it as a "standing offer" with
no expiry date. or at the very least provide 3-6 months.

basically brute force methods (but very efficiently implemented) do take time,
and in the *real world* the evils will take whatever time is necessary or
apply more horsepower than us mere mortals could afford to own.

a half-month is nothing more than "making a show". they seem to be doing their
damndest to kill off any legitimacy they may have. they obviously plan to
use it to make future claims of "it was unbreakable by hackers worldwide".

ick and barf.
they are begging to have a lot of attention of the wrong kind --
not only applied to their products, but to their website and other things.

websites are often quite easy to 'own'. how will marketing handle the sale
of a "security" product if they make the news of not even able to keep a simple
website safe?

frankly, if i did break DC, i wouldn't claim the prize, i'd *sell* knowledge
of what i did for a far greater price. whether or not Securestar was the
one paying. the truth is random-chance will be a big component; but everyone will
be too damn curious to know what *actually* was done.

for those who'll try... a bit of "human engineering" and luck go a long way.

i bet they didn't use any of the ciphers found in old scramdisk out of some
subconscious fear that the available source would give "some sort" of advantage.

so... no need to try all 8 ciphers, just the new ones. and maybe the "slowest"
cpu wise cipher (whether an old scramdisk one or not).

of course use multiple computers, don't waste time having one computer do more
than one cipher.

i have 4 other pet ideas, anyone want to seduce me to reveal them? :)

one involves using a known container with a known passphrase to check something
to avoid completely wasting your time.
one involves human-engineering the probably inhuman passphrase (program backwards :)
one involves a fundamental programming approach to avoid wasting cpu cycles.
one involves representation and handling of the passphrase within the bruting code.

someone should design a seti@home like distributed system of brute-forcing containers
:)

-ken

Sam Simpson
Apr 11, 2002, 2:58:46 PM

I see this as a poor attempt at trying to gain some of the trust that
was lost when opensource SD / e4m moved to closed source DriveCrypt.

I think this "contest" is worth precisely nothing - real peer review is.


--
Regards,

Sam Simpson
s...@samsimpson.com
http://www.samsimpson.com/

Shaun Hollingworth
Apr 12, 2002, 5:28:10 AM

On 11 Apr 2002 18:18:05 GMT, Sarah Dean <sde...@softhome.net> wrote:

>
>
>Shaun - This is *NOT* a flame, but *please*, *please*, *please* shout at
>SecureStar's marketing dept!
>

But Sarah, why should I ?

I don't believe in censorship, and believe almost absolutely in
tolerance...... apart from blatant spam.... which they have promised
me they would not involve themselves in....But anyway, I have very
little to do with SecurStar's marketing department... They certainly
don't tell me how to do my job, and I don't tell them how to do
theirs.....

>DriveCrypt's a beautiful piece of software,

Thank you for the kind compliment...

>but this kind of marketing strategy just *reeks* of snakeoil!

Well, you can always Email them and voice your opinion rather than
expecting me to do it for you!

Regards,
Shaun.

Shaun Hollingworth
Apr 12, 2002, 5:34:54 AM

On Thu, 11 Apr 2002 19:58:46 +0100, Sam Simpson <s...@samsimpson.com>
wrote:

>I see this as a poor attempt at trying to gain some of the trust that
>was lost when opensource SD / e4m moved to closed source DriveCrypt.
>

Nope.... Not at all......

>I think this "contest" is worth precisely nothing - real peer review is.

Well, it has little to do with me. As I said before, the marketing men
at Securstar don't tell me how to do my job.........

So please, Sam, address your comments to them.....

As for open source, SecurStar still intend to address that problem in
the best way possible, coupled with a need to stay in business....
There WILL eventually be more source issued, than any of our
commercial competitors, unless they release it all that is..... That
is my wish.... We have plans for a brand new GUI, and I hope that will
fit into a newer more open model with as much source code released as
is commercially possible.

Regards,
Shaun.

Sam Simpson
Apr 12, 2002, 7:21:01 AM

Hi Shaun,

Shaun Hollingworth wrote:
> On Thu, 11 Apr 2002 19:58:46 +0100, Sam Simpson <s...@samsimpson.com>
> wrote:
>
>
>>I see this as a poor attempt at trying to gain some of the trust that
>>was lost when opensource SD / e4m moved to closed source DriveCrypt.
>>
>
>
> Nope.... Not at all......

Is there a purpose to the "contest" then?


>>I think this "contest" is worth precisely nothing - real peer review is.
>
>
> Well, it has little to do with me. As I said before, the marketing men
> at Securstar don't tell me how to do my job.........
>
> So please, Sam, address your comments to them.....

My comments are just a general note on the situation - not aimed at
anyone in particular. I'm sure Hafner et al read this group, so I hope
the users' dissatisfaction is feeding through ;)

> As for open source, SecurStar still intend to address that problem in
> the best way possible, coupled with a need to stay in business....
> There WILL eventually be more source issued, that any of our
> commercial competitors, unless they release it all that is..... That
> is my wish.... We have plans for a brand new GUI, and I hope that will
> fit into a newer more open model with as much source code released as
> is commercially possible.

Fantastic - look forward to seeing the results of this development.

Darkhorse
Apr 12, 2002, 10:52:27 AM

"Shaun Hollingworth" <sh...@securstar.de> wrote in message
news:3cb7a870...@news.btconnect.com...

>
> I don't believe in censorship, and believe almost absolutely in
> tolerance...... apart from blatant spam.... which they have promised
> me they would not involve themselves in....

Bloody good job too. I know where warez versions are available for download, if
I see them start spamming I'll start posting the links.


Chris Epler
Apr 12, 2002, 1:44:35 PM

Well, they just lost any future business from me..

On 11 Apr 2002 18:18:05 GMT, Sarah Dean <sde...@softhome.net> wrote:

Shaun Hollingworth
Apr 12, 2002, 3:46:56 PM

On Fri, 12 Apr 2002 17:44:35 GMT, Chris Epler <Ch...@Epler.net> wrote:

>Well, they just lost any future business from me..
>

It is a pity instead of whinging about this email, you didn't mention
the enormous amount of trouble we (and more specifically I) went to to
try and resolve your technical problems.......


I hope whoever you give your "business" to, goes to the same trouble
as I did.

Regards,
Shaun.

Shaun Hollingworth
Apr 12, 2002, 6:39:35 PM

On Fri, 12 Apr 2002 21:55:38 GMT, marli...@GoFor21.com (Marlin
Yeko) wrote:

>Sarah Dean <sde...@softhome.net> wrote:
>
>>DriveCrypt's a beautiful piece of software...


>
>sh...@securstar.de (Shaun Hollingworth) wrote:
>
>>Thank you for the kind compliment...
>

>Kind, perhaps, but unfortunately it carries about as much weight as
>Stevie Wonder's opinion of the Mona Lisa.
>


What is wrong with some of you people ?

I said "kind" not "heavy"....

Shaun.

If you don't like the flavour, roll your own...

Shaun Hollingworth
Apr 12, 2002, 6:44:41 PM

Why not just simply complain about it, rather than involving yourself
in activity regarded by many to be criminal ?


Regards,
Shaun.

Darkhorse
Apr 13, 2002, 6:25:08 AM

"Shaun Hollingworth" <sh...@securstar.de> wrote in message
news:3cb9631...@news.btconnect.com...

When I did that with the Evidence Eliminator spam nothing happened, when I
posted the warez links the spam stopped.


Paul Le Roux
Apr 13, 2002, 9:14:35 AM

yes exactly the point, any open source fanatics out there who
know how to both make money and publish source?
i'd like to hear from you.


In article <3cb8a8cc...@news.btconnect.com>, sh...@securstar.de says...

Paul Le Roux
Apr 13, 2002, 3:52:14 PM

that's the rub we are interested in security; i'm still waiting
for suggestions on how I can prove my products secure without
having to release all the source !

the trouble is my competitors would snap up my ideas in a heartbeat
otherwise....which has already happened, why should they be riding
high on my back while I do all the work?
if I was not interested in security why would I have released
the source for E4M to begin with? which is still available on the net,
and you can see the careful attention paid to detail for yourself.
I am not saying the open source
arguments are invalid, but to move forward there has to be some middle
ground... that would be far more useful a discussion point than
constantly referring to open source articles about the evil of closed
software, and constantly trying to tarnish everyone by pointing out
the well known instances of snake-oil !


In article <K78AIPS03735...@frog.gilgamesh.org>,
Anonymous...@See.Comment.Header says...
>
>In article <a99avr$452$1...@reader09.wxs.nl>


>pau...@rocketmail.com (Paul Le Roux) wrote:
>>
>> yes exactly the point, any open source fanatics out there who
>> know how to both make money and publish source?
>> i'd like to hear from you.
>

>You're missing the point.
>We simply have different interests than you do.
>We're interested in security; you're interested in making money.
>I'm perfectly willing to accept your claim that the two are
>incompatible.
>
>Nothing wrong with trying to make a living; that's what Norton's
>Diskreet and Crypto AG did.
>But Norton put out a laughably insecure product, and CryptoAG
>put in a backdoor for the benefit of a government agency.
>Neither would have been possible if they had published their
>source.

Kasper Bergh
Apr 13, 2002, 7:15:32 PM

"Paul Le Roux" <pau...@rocketmail.com> wrote in message
news:a9a29e$o48$1...@reader05.wxs.nl...

> I am not saying the open source
> arguments are invalid, but to move forward there has to be some middle
> ground... that would be far more useful a discussion point than
> constantly referring to open source articles about the evil of closed
> software, and constantly trying to tarnish everyone by pointing out
> the well known instances of snake-oil !

Very well put. Perhaps people could start being constructive instead of just
posting useless criticism?

/Kasper Bergh


Paul Le Roux
Apr 14, 2002, 5:56:13 AM

Someone cracked the installer not the crypto, but if you have enough
time on your hands any program can be disabled, source or no source,
the main issue is people stealing ideas/code, most of the work that
goes into a product like DC or DCPP is about working around MS Windows
issues & bugs, ie: the problem is that Windows itself is closed source! which
makes a program like DC or DCPP monumentally harder to code.

This know how is where the value is, E4M /SD spawned dozens of competing
programs all around the world. If we simply worked day & night churning out
code that programmers at other companies being paid more simply copied into
their programs what's the point of it all? This is the trouble I don't
think that the open source arguments are invalid, but there just seems
nothing new to move the debate forward. The real trouble is that until
Windows is displaced from the desktop, writing good software for it
takes a lot of time, and a lot of money, how do I recover this if the
product is open source? Yes I could charge per copy, but how many
people would honestly pay? How many people would buy a copy only so
they could incorporate the ideas or code in their own products?

In article <404ed95adbe790ea...@dizum.com>, nob...@dizum.com
says...


>
><yes exactly the point, any open source fanatics out there who
><know how to both make money and publish source?
><i'd like to hear from you.
>

>Here's what I don't understand: someone, in another thread, mentioned that
>there are warez copies of DC available. DC doesn't have source code available
>and yet it is cracked. So if a prog can be cracked anyway, w/o source code,
>why is giving away source code problematic? Is it a question of being able
>to steal certain design ideas specific to that program if the source code is
>made available?
>

Shaun Hollingworth
Apr 14, 2002, 10:24:47 AM

On 13 Apr 2002 19:27:57 -0000, Anonymous...@See.Comment.Header
(Zarya) wrote:

>In article <a99avr$452$1...@reader09.wxs.nl>
>pau...@rocketmail.com (Paul Le Roux) wrote:
>>

>> yes exactly the point, any open source fanatics out there who
>> know how to both make money and publish source?
>> i'd like to hear from you.
>

>You're missing the point.
>We simply have different interests than you do.
>We're interested in security;


Then why don't you get out your "C" compiler, and write your OWN OTFE
disk encrypter and give me the source, so I can take full advantage of
it and use what I learn, in DriveCrypt ?

I was interested in security, and that's what I did........ Why do you
think Scramdisk was born ?

Then when you write it, give it away and you then get loads of users
complaining at you all the time, you will wonder what the point really
was...... I presume even you have some method of making a living....
When Scramdisk was being sold for NT, I would have made far more money
cleaning the streets... In fact I LOST money on it....


I do not know why I have to keep repeating myself but
I DO HOPE TO release a version which has as much source available as
possible. Perhaps even a limited version totally open source.....

These will be new versions, because they will require major changes to
the structure of the program. So we might as well sort all the issues
out at once... Including a much easier to use DDK because people want
that....

If it is a version of the mainstream product, there will certainly be
a closed source veneer between it, and the windows functionality
employed to implement the system on windows. This should be treated
as an extension to Windows, for the purposes of analysing security of
the system. It will be possible to show that this has NO effect on
security at least to the degree that not having windows source has no
effect on security... That way, we will not be releasing details of
some of our hard won tricks.... On the other hand, the crypto side
should be proven to the users, who should be able to build that side
for themselves, with the correct tools, and analyse what information
goes to, and from the closed source component(s) to see if there is
the possibility of leaks....

If that still isn't good enough, feel free to use the freeware version
of Scramdisk, which has the source code. Note that WE HAVE NOT TAKEN
THIS AWAY.

Regards,
Shaun.

Paul Le Roux
Apr 14, 2002, 11:08:15 AM

This would not be good enough, I don't see the point, the people spreading
closed-source FUD would still say that somehow the closed source part of the
system was either badly written so insecure or a plant for the NSA,
or both.

I think these people don't understand that open source applications=dead end
as far as innovation is concerned yes there is great open source out there,
Linux, all the cool GNU stuff, GNOME, KDE, OpenSSL, Apache, but most of
these are written by hobbyists and cannot/will not make the main
stream unless someone can find a business
model to fit them around. Yes OpenSSL/Apache have made the big time thanks
to people like IBM. But Apache uses the BSD style license (like E4M) which is
more business friendly, and which allow their incorporation into IBM's
closed source web offerings, it's difficult to see a viable business model
emerging from the GNU GPL stuff.
Most of the folks making money out of the GPL'd code are following a services
model like RedHat, or shoehorning Linux into appliances, they're not making
money from selling Linux itself, in fact I suspect selling Linux cd's is really
just a loss leader for RedHat.

Personally I think the entire open vs closed source argument is the "open
source religious zealots'" excuse for anti-business sentiment and has nothing
to do with security.

E4M was open source, I have not in all the time it was available anyone
who actually looked at the code, most of the people in this group and
elsewhere wouldn't even understand the code -even though they're the same
people banging the open source drum. But I did get about 50 emails a day
with time wasting questions... the whole point in the beginning of
E4M was to publish the code to get peer review and help to enhance the
product, in the end people climbed onto my back, did not help one bit,
bitched all the time, stole the code for incorporation into their own
products, and generally abused the whole situation.

In article <3cc890bd...@news.btconnect.com>, sh...@securstar.de says...

Shaun Hollingworth
Apr 14, 2002, 4:28:22 PM

On 14 Apr 2002 15:08:15 GMT, pau...@rocketmail.com (Paul Le Roux)
wrote:

>This would not be good enough,

For those who complain you mean ?


>I don't see the point, the people spreading
>closed-source FUD would still say that somehow the closed source part of the
>system was either badly written so insecure or a plant for the NSA,
> or both.
>


But someone who REALLY knew what they were doing would be able to
PROVE otherwise and make that other person then look hideously
stupid........

I would only release a software model, where the proof of safety was
possible. Otherwise, there is no point at all to it.

So in the source that is available for such a model I will advise
them (in it) to think carefully, before commenting that it isn't
enough, lest they make themselves look a right jerk by more
knowledgeable folk....

The problem for me, is that it would be a complete re-write and
therefore would take time....


Regards,
Shaun.

Sam Simpson
Apr 14, 2002, 4:49:04 PM

True, but don't forget that SecureStar are trying to convince us, not
the other way round: the people reading here and posting questions are
the customers and will be making the security / open source decision.

It's their job to make a compelling argument why we should trust them
(in light of the weight of evidence calling for open source publication)
vs their commercial interests.

Sam Simpson
Apr 14, 2002, 4:55:28 PM

Paul Le Roux wrote:
> This would not be good enough, I don't see the point, the people spreading
> closed-source FUD would still say that somehow the closed source part of the
> system was either badly written so insecure or a plant for the NSA,
> or both.
>
> I think these people don't understand that open source applications=dead end
> as far as innovation is concerned

Erm, right.

> yes there is great open source out there,
> Linux, all the cool GNU stuff, GNOME, KDE, OpenSSL, Apache, but most of
> these are written by hobbyists and cannot/will not make the main
> stream unless someone can find a business
> model to fit them around.

What web server powers 80% of the web Paul? Not bad for hobbyists.

Compare this to the "closed source" equivalent from MS, esp. from a
security perspective.

> Yes OpenSSL/Apache have made the big time thanks
> to people like IBM.

Apache success isn't down to the recent input from IBM. It predates
that by quite a bit....

> But Apache uses the BSD style license (like E4M) which is
> more business friendly, and which allow their incorporation into IBM's
> closed source web offerings, it's difficult to see a viable business model
> emerging from the GNU GPL stuff.

We aren't asking for a GPL release of DC. Source code release != GPL.

> Most of the folks making money out of the GPL'd code are following a services
> model like RedHat, or shoehorning Linux into appliances, they're not making
> money from selling Linux itself, in fact I suspect selling Linux cd's is really
> just a loss leader for RedHat.
>
> Personally I think the entire open v's closed source argument is the "open
> source religious zealot's" excuse for anti-business sentiment and has nothing
> to do with security.

I work for an IT company. I like IT companies.

I don't like (and nor do cryptographers) security vendors saying "trust
us". Frankly why should I?

nemo outis
Apr 14, 2002, 5:50:31 PM

In article <3CB9EB40...@samsimpson.com>, Sam Simpson <s...@samsimpson.com>
wrote:

>True, but don't forget that SecureStar are trying to convince us, not
>the other way round: the people reading here and posting questions are
>the customers and will be making the security / open source decision.
>
>It's their job to make a compelling argument why we should trust them
>(in light of the weight of evidence calling for open source publication)
>vs their commercial interests.
>
..snip...

You're not entirely right about the customer being the ultimate arbiter; in
free markets it takes two to tango. The customer decides whether and which he
will buy and the producer whether he will produce.

For the customer to be an arbiter, he must have options to pick from. While
it is true that the customer can always choose the "null option" and keep his
money in his wallet because none of the choices are any good, that still
doesn't address the customer's underlying objective: obtaining a satisfactory
security product.

There must be choices available in the marketplace for the customer to choose
anything other than the null option. While it is true that some of those
choices may appear as "free" products produced solely for the joy of doing so
or out of an altruistic dedication to serving mankind, that's not much of a
commercial model. And in the absence of a viable commercial model, options for
the customer are likely to be pretty meagre. (That Paul and Shaun have had to
turn to the commercial sphere to keep bread on the table is pretty good
confirmation that altruism may not be as dependable as some think.)

For commercial products to appear there must be some protections for the
producer to not have the fruits of his labour stolen by either unscrupulous
customers or unscrupulous competitors. Open source protects the customer but
only by having the poor producer stand naked and defenceless, exposed to those
who would steal and/or re-market his work. (And arguably only the most picky
of customers care about open-source and these are only a small subset of the
total, although, of course, they may be disproportionately influential.
It's understandable that a producer would just shrug off the demands of that
group as unworkable.)

So those who cry for open source from a commercial vendor because they do not
trust his competence or honesty are effectively asking him to instead extend a
*universal* trust, not only to that particular customer, but to the whole
world. Hardly a fair demand. In the absence of an open-source commercial
model that protects producers, any producer who is a "rational economic man"
will not go that route.

So let's hear some models that would protect the producer while still meeting
the "trust but verify" needs of customers, rather than just repeated chanting
of the litany of "open-source."

Regards,

nemo outis
Apr 14, 2002, 6:04:29 PM

In article <2eb8f7b8ee98a2e1...@dizum.com>, Nomen Nescio <nob...@dizum.com> wrote:

>Shaun wrote:
><I do not know why I have to keep repeating myself but
><I DO HOPE TO release a version which has as much source available as
><possible. Perhaps even a limited version totally open source.....
>
>Speaking for myself, but I suspect quite a few other people who use open source
>crypto programs, I have little choice but to ultimately take a leap of faith
>because I have no ability to compile and examine, etc., the source code. Of
>course, I take this same leap with all of the other closed source stuff that
>I use everyday. I suppose that open source makes me *feel* better, based upon
>the assumption that there are people out there who know how and enjoy monkeying
>with these things that might find and reveal potential problems, but even in
>that event, it still comes down to blind faith. That said, what about
> enlisting
>some respected guru to review the full source code? This would still be
> unacceptable
>to some people, I'm sure, but perhaps it would be a good compromise? Also,
>I'm curious, who found the one or two flaws in the earlier version of Scramdisk
>that's discussed on the Sarah Dean page? Did these discoveries have anything
>to do with the source code? How long after that version of SD had been
> released
>were these things found?
>

"Guru review" (by no less a guru than Bruce Schneier himself) is used by
Winmagic, a Canadian maker of full-HD OTFE encryption programs.

It should also be possible for reputable academics or crypto experts to obtain
evaluation copies by signing a NDA. In the absence of compensation, however,
I can't imagine why they would want to do free QA and marketing for a
commercial company. And if they were compensated the open-source crowd would
probably cry "conflict of interest."

In fact, I suppose a commercial company could allow *anyone* to review the
source, contingent on them signing a NDA and posting a bond that would leave
them penniless if they divulged or pirated anything. So are any of the
open-source crowd willing to do that in order to review the security code they
use? Kinda reminds me of the story of the sweet young thing, who, after she
sat in the dentist's chair, cupped the dentist's balls in her hand, smiled
sweetly, and said, "We're not going to hurt each other, are we?"

Regards,

Paul Le Roux
Apr 14, 2002, 7:00:39 PM


Paul Le Roux
Apr 14, 2002, 7:10:58 PM

oops i hit the send too soon, anyway...

>Paul Le Roux wrote:
>> This would not be good enough, I don't see the point, the people spreading
>> closed-source FUD would still say that somehow the closed source part of the
>> system was either badly written so insecure or a plant for the NSA,
>> or both.
>>
>> I think these people don't understand that open source applications=dead end
>> as far as innovation is concerned
>
>Erm, right.
>
>> yes there is great open source out there,
>> Linux, all the cool GNU stuff, GNOME, KDE, OpenSSL, Apache, but most of
>> these are written by hobbyists and cannot/will not make the main
>> stream unless someone can find a business
>> model to fit them around.
>
>What web server powers 80% of the web Paul? Not bad for hobbyists.

nobody cares what web server powers 80% of the web!!, what they care about
is what web server powers the "business web", i'm sure apache has more than
80% of non-profits, schools, universities, individual web sites, etc

when it comes to businesses though (except for some major dotcoms) most are
using IIS on WinNT or some other commercial web server on Solaris or similar
commercial unix.

this may change with IBM's involvement because it brings in commercial
credibility to an otherwise technically excellent product, which until now
apache has lacked, and credibility is everything!, no business is going to
trust mission critical web based apps to a hobbyist web server
any more than they would trust it to run on hobbyist operating system.

Don't get me wrong, personally I think IIS is an unsafe product,
and personally I use squid, apache, openssl, openssh etc
but this is "our techie" world, the real world is a different place.

nemo outis
Apr 14, 2002, 7:15:13 PM

Introducing "clumsyware" (TM reg)...

Ok, I'll start the ball rolling with some partial solutions to open source for
DC++ Most of these would go at least some way to convince users that there
has not been inadvertent error. However, it is nearly insurmountable to prove
that there are no deliberate backdoors; that takes extensive source-code
review by many experts over a period of time - and even then there are no
guarantees. So here goes…

First, it's possible that source for just the crypto routines could be
revealed, leaving the bootup and HD driver aspects proprietary. Not a full
solution but a start. However, even this exposes optimizations or any clever
code the manufacturer has implemented in the crypto routines.

So how about carrying the idea little further? Say allow a hook, a DC++ API,
where the random numbers used for the initializing vectors and key could be
replaced by a user routine, or at least the numbers entered and dumped
manually. Supplement that with "clumsy-ware," source code provided by the
manufacturer to do the crypto routines (inefficiently but correctly, so that
the commercial value of the clumsyware source code is much reduced). The idea
is that the clumsyware source code, once compiled, should be
demonstrably equivalent - in a functional sense - to the manufacturer's binary
code, thereby allowing confirmation of encryption security. But it should
be so inefficient as to be near worthless for other than confirmation
purposes.

This approach would allow a user to confirm that the commercial product and
the (user-compiled) clumsy-ware would produce exactly the same encrypted
sectors, given the same key and vectors. Functional equivalence of the
binary-commercial and source-clumsyware crypto codes would establish - to some
degree - that the code is correct in the sense that they both produce the same
inputs from the same outputs. And to a large degree the issue of the device
mounting, drivers, etc. would be irrelevant, since the only thing that matters
is the end result on the hard disk (Yes I know that the drive-access code
could contain a subliminal channel, store or leak keys, etc. That's why I only
speak of protecting against incompetence, not deliberate trapdoors.)

In fact, providing a user with an API into which he can splice whatever
personal or third-party parts of the crypto code he prefers (an idea used by
Bestcrypt) has considerable merit. Let the user splice in his own (P)RNG if
he doesn't have confidence in Securstar's.

In fact, carrying the idea of clumsyware even further, perhaps a clumsy 16-bit
drive mounting and access scheme (perhaps locking the user into FAT, not NTFS,
for the file system) permanently linked to INT 13 (i.e., no 32-bit drivers)
could be provided by the manufacturer, allowing the paranoid user to trade
speed and efficiency for security. The clumsyware INT-13 access would be
open-source which the user could examine before compiling (although a compiled
version could be thrown in for the lazy but paranoid).

Variations and improvements on the above will readily occur to the ingenious.

Regards,

PS The manufacturer should easily be able to hire programmers expert at
producing clumsyware - I've certainly met many in my time :-)

PPS And the beauty of all this is that not one user in ten thousand truly
cares about open source enough to compile source code. No, he will rely on the
assertions of others that they have checked before compiling it and he will
then merrily use the binary - so much for the average user's trust model!
Schemes such as the above are mostly just marketing devices to instill
confidence - they needn't be particularly well implemented. It's just a
demonstration of a beginning of a start of a commencement of establishing
trustworthiness. But then again, I'm a cynical old man :-)

Andy Jeffries

Apr 15, 2002, 4:58:37 AM
On Mon, 15 Apr 2002 00:10:58 +0100, Paul Le Roux wrote:
>>What web server powers 80% of the web Paul? Not bad for hobbyists.
>
> nobody cares what web server powers 80% of the web!!, what they care
> about is what web server powers the "business web", i'm sure apache has
> more than 80% of non-profits, schools, universities, individual web
> sites, etc
>
> when it comes to businesses though (except for some major dotcom's) most
> are using IIS on WinNT or some other commercial web server on Solaris or
> similar commercial unix.

Of course you are kidding!!! OK, you must mean sites like bbc.co.uk and
amazon.com. Even biggies like Oracle.com are running on an Apache based
server.

> this may change with IBM's involvement because it brings in commercial
> credibility to an otherwise technically excellent product, which until
> now apache has lacked, and credibility is everything!, no business is
> going to trust mission critical web based apps to a hobbyist web server
> any more than they would trust it to run on hobbyist operating system.

Hmmm, Apache being the largest online book retailer isn't going to trust
its web based apps to a hobbyist web server! And I'm sure google.com
(the world's largest, by FAR, search engine) won't trust itself to a
hobbyist operating system.

What about the US Air Force, Army, Navy and NASA all using Linux
clusters. Damn that hobbyist operating system. Oh wait, but they
aren't a commercial entity, OK, what about Pfizer, DuPont and AT&T?

> Don't get me wrong, personally I think IIS is an unsafe product, and
> personally I use squid, apache, openssl, openssh etc but this is "our
> techie" world, the real world is a different place.

The thing is, the business guys don't realise it. There was a story from
a top US bank on the web a while ago (I think it was "First National",
but not being American, the name doesn't really stick to a corporate
image so I may have remembered it wrong). When the marketing manager was
asked about the presence of Linux in the bank he replied "Oh no, we are a
bank. We can't trust our data on systems that are open". When the IT
manager was asked the same question and told the marketing manager's
response he replied "We actually run our mission critical stuff on a Linux
cluster, but we don't shout about it".

Maybe the business guys just don't know that it's gaining more of a
stronghold than the public knows.


--
Andy Jeffries
Linux/PHP Programmer
http://www.andyjeffries.co.uk/

- Windows Crash HOWTO: compile the code below in VC++ and run it!
main (){for(;;){printf("Hung up\t\b\b\b\b\b\b");}}

Sam Simpson

Apr 15, 2002, 5:17:13 AM
nemo outis wrote:
> In article <3CB9EB40...@samsimpson.com>, Sam Simpson <s...@samsimpson.com>
> wrote:
>
>>True, but don't forget that SecureStar are trying to convince us, not
>>the other way round: the people reading here and posting questions are
>>the customers and will be making the security / open source decision.
>>
>>It's their job to make a compelling argument why we should trust them
>>(in light of the weight of evidence calling for open source publication)
>>vs their commercial interests.
>>
>
> ...snip...

>
> You're not entirely right about the customer being the ultimate arbiter; in
> free markets it takes two to tango. The customer decides whether and which he
> will buy and the producer whether he will produce.
>
> For the customer to be an arbiter, he must have options to pick from. While
> it is true that the customer can always choose the "null option" and keep his
> money in his wallet because none of the choices are any good, that still
> doesn't address the customer's underlying objective: obtaining a satisfactory
> security product.

Very true, but (depending upon the customers' weighting for security and
technical ability) there are free alternatives to DC.

> There must be choices available in the marketplace for the customer to choose
> anything other than the null option. While it is true that some of those
> choices may appear as "free" products produced solely for the joy of doing so
> or out of an altruistic dedication to serving mankind, that's not much of a
> commercial model.

We're discussing "source available" vs "closed source", not the business
model.

Releasing source doesn't prevent charging for the product.

> And in the absence of a viable commercial model, options for
> the customer are likely to be pretty meagre. (That Paul and Shaun have had to
> turn to the commercial sphere to keep bread on the table is pretty good
> confirmation that altruism may not be as dependable as some think.)

Yep, and there are thousands of people who are paid for by the open
source community.

> For commercial products to appear there must be some protections for the
> producer to not have the fruits of his labour stolen by either unscrupulous
> customers or unscrupulous competitors. Open source protects the customer but
> only by having the poor producer stand naked and defenceless,

You still have legal protection (e.g. copyright, patents etc).

> exposed to those
> who would steal and/or re-market his work. (And arguably only the most picky
> of customers care about open-source and these are only a small subset of the
> total, although, of course, they may be disproportionately influential.
> It's understandable that a producer would just shrug off the demands of that
> group as unworkable.)

I totally agree with this last point: I will never buy a copy of
DriveCrypt (erm, I run Linux for a start), but I'll shout the loudest
when they don't follow security good practices.

> So those who cry for open source from a commercial vendor because they do not
> trust his competence or honesty are effectively asking him to instead extend a
> *universal* trust, not only to that particular customer, but to the whole
> world. Hardly a fair demand. In the absence of an open-source commercial
> model that protects producers, any producer who is a "rational economic man"
> will not go that route.
>
> So let's hear some models that would protect the producer while still meeting
> the "trust but verify" needs of customers, rather than just repeated chanting
> of the litany of "open-source."

I hear what you are saying, but my job isn't to tell them how to make
money, it's to tell potential customers that using closed source
security isn't a good idea.

In some ways I feel compelled to shout about the source issue in respect
of DC: I shouted against BestCrypt and other OTFE packages because they
were closed source (compared to SD, e4m) and I shout about PGP going
closed source.

Just because I've worked with Shaun for 3 years and like him personally
very much doesn't mean I'm going to be a hypocrite.

Shaun Hollingworth

Apr 15, 2002, 6:51:44 AM
On Sun, 14 Apr 2002 23:15:13 GMT, nemo_...@hotmail.com (nemo outis)
wrote:

>Introducing "clumsyware" (TM reg)...
>
>Ok, I'll start the ball rolling with some partial solutions to open source for
>DC++ Most of these would go at least some way to convince users that there
>has not been inadvertent error. However, it is nearly insurmountable to prove
>that there are no deliberate backdoors; that takes extensive source-code
>review by many experts over a period of time - and even then there are no
>guarantees. So here goes…
>
>First, it's possible that source for just the crypto routines could be
>revealed, leaving the bootup and HD driver aspects proprietary. Not a full
>solution but a start. However, even this exposes optimizations or any clever
>code the manufacturer has implemented in the crypto routines.
>
>So how about carrying the idea a little further? Say allow a hook, a DC++ API,
>where the random numbers used for the initializing vectors and key could be
>replaced by a user routine, or at least the numbers entered and dumped
>manually.

[snip]

In my possible model ALL this would be open source...... So you could
do what you wanted........ The code to make a complete disk would be
open source.

The closed source, components would be the stuff that made disks
appear and disappear...... i.e. the interaction with Windows..... It
would appear like just normal operating system interfaces, and the
user would be able to see them and learn exactly what they do... There
may have to be callbacks for data requests to write to the disk, and
read from it, but that would be all....

Regards,
Shaun.

Shaun Hollingworth

Apr 15, 2002, 7:32:23 AM
On 14 Apr 2002 21:35:06 -0500, John Gilman <see.a...@in.sig> wrote:

>On 13 Apr 2002 13:14:35 GMT, pau...@rocketmail.com (Paul Le Roux) wrote:
>
>>yes exactly the point, any open source fanatics out there who
>>know how to both make money and publish source?
>>i'd like to hear from you.
>>

>I think I heard a rumor that a number of book publishing houses were
>considering the possibility of going to a closed source model as well. You
>will be allowed to read a plot summary with annotations by notable literary
>pundits, but the actual source code of the book will not be made available.
>They have assured their critics that just as much enjoyment will be
>possible, without their having to risk the theft of their valuable
>intellectual property. They maintain that there is no inherent value to
>making the source code of the books available, and the risks associated
>with open source do not justify it.
>
>

Believe me, if they could get away with it, they probably would.....
There has been many an author troubled by plagiarism...

Does this sound so daft ?

CD manufacturers are making CDs which won't play on (some) CD
players......

Shaun.

Paul Le Roux

Apr 14, 2002, 8:06:40 PM
Some of your ideas are good ones, the problem with the clumsyware idea is
that people seeing clumsy code produced by clumsy programmers (of which
you rightly say there are many) means everyone might think that we ourselves
are clumsy!

But you're right, for DCPP what should happen in my view:

1. the random number stuff should be done in a dll through a well defined api
or at least how this works should be published
2. the file formats for the Key Stores, the stego stuff, the format of the mbr etc
should be published
3. how the sector encryption works should be published
4. how the key derivation function works should be published
5. the driver api should be published

(with this info, anyone can write a test program to verify the crypto-integrity
of the product)

[giving away the INT13 hook and the low level code is a non-starter as most of the
work went in there and not into the high level 32-bit code, most of the low level
code is hand coded assembler, sha1 for example took me 3 months to write, and in the
end the full FIPS compliant SHA1 is about 400 bytes. other bits of the low level
code is self-decompressing using a 130 byte Lempel-Ziv 77 decompressor which also
took months to write, and hand optimise the various parameters]

Trouble is it's best for everyone who wants openness to email SecurStar direct
and ask for it!, the "powers that be" don't actually read this newsgroup!!

They will then juggle these requests from a commercial perspective before
deciding to pay for all this documentation to be produced, or pay to have changes
made to either DC or DCPP to satisfy people who want to verify the product for
themselves. Personally I have no problem handing out this information.

In article <54ou8.33105$de1.1...@news3.calgary.shaw.ca>, nemo_...@hotmail.com says...
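A test program of the kind Paul describes, which is also the "functional equivalence" check in nemo outis's clumsyware post: encrypt the same sectors with a slow reference build and with the vendor routine under one key and report any sector where the images differ. This is an added example, not SecurStar's or DriveCrypt's code; the KDF (PBKDF2-HMAC-SHA1), the HMAC-SHA1 per-sector keystream, the 512-byte sector and all names are constructed stand-ins for whatever a published spec would define, and the "product" routine carries a deliberately constructed sector-numbering defect so the harness has something to catch.

```python
"""Differential check of a vendor sector encryptor against a reference build.

Everything here is a constructed stand-in: the KDF, keystream and sector
layout are NOT DriveCrypt's, only what a published spec might look like.
"""
import hashlib
import hmac
import struct

SECTOR = 512  # assumed sector size

def derive_key(password: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    # Assumed published KDF: PBKDF2-HMAC-SHA1 -> 256-bit sector key
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, 32)

def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    # Assumed published keystream: HMAC-SHA1(key, sector_no || block_no), 20 bytes
    # per block, so every sector gets a distinct stream under the same key
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", sector_no, block), hashlib.sha1).digest()
        block += 1
    return bytes(out[:length])

def reference_encrypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    # The "clumsyware" build: slow and obvious, and what the vendor binary must match
    return bytes(p ^ k for p, k in zip(data, keystream(key, sector_no, len(data))))

def flawed_product_encrypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    # Constructed defect standing in for a vendor binary: the sector number is
    # dropped, so every sector is XORed with the same keystream
    return bytes(p ^ k for p, k in zip(data, keystream(key, 0, len(data))))

def compare_images(reference, product, key: bytes, sectors) -> list:
    """Encrypt each sector with both implementations under the same key.
    Returns [(sector_no, first_differing_offset)] for every mismatch."""
    mismatches = []
    for n, plain in enumerate(sectors):
        want, got = reference(key, n, plain), product(key, n, plain)
        if want != got:
            off = next(i for i, (a, b) in enumerate(zip(want, got)) if a != b)
            mismatches.append((n, off))
    return mismatches

def keystream_reuse_check(product, key: bytes, n_sectors: int):
    """Black-box check needing no reference at all: all-zero plaintext sectors
    expose the raw keystream, so two equal ciphertext sectors mean reuse.
    Returns the first (earlier_sector, later_sector) pair found, else None."""
    seen = {}
    for n in range(n_sectors):
        ct = product(key, n, bytes(SECTOR))
        if ct in seen:
            return (seen[ct], n)
        seen[ct] = n
    return None
```

Only the formats and algorithms Paul lists (KDF, sector encryption, key store) need to be published for a user to write the reference side; the driver and INT 13 code stay opaque because only the bytes landing on disk are compared.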

Paul Le Roux

Apr 17, 2002, 2:54:36 PM

In article <pan.2002.04.15.09....@andyjeffries.remove.co.uk>,
ne...@andyjeffries.remove.co.uk says...

>
>On Mon, 15 Apr 2002 00:10:58 +0100, Paul Le Roux wrote:
>>>What web server powers 80% of the web Paul? Not bad for hobbyists.
>>
>> nobody cares what web server powers 80% of the web!!, what they care
>> about is what web server powers the "business web", i'm sure apache has
>> more than 80% of non-profits, schools, universities, individual web
>> sites, etc
>>
>> when it comes to businesses though (except for some major dotcom's) most
>> are using IIS on WinNT or some other commercial web server on Solaris or
>> similar commercial unix.
>
>Of course you are kidding!!! OK, you must mean sites like bbc.co.uk and
>amazon.com. Even biggies like Oracle.com are running on an Apache based
>server.

not kidding at all, do a survey yourself and you will be surprised,
the best sites like google etc are using the technically best product
which is linux/apache because they have no choice in the matter
(the competition would fall over), this was not my point, my point was
that the overwhelming majority of businesses are not using linux or
apache because these solutions lack credibility, that some techies are
using these solutions without official sanction changes nothing.

These arguments have been going on for years, the US government squandered
the only opportunity in a generation to change this. Linux tech's are not
going to change this, us arguing this point is not going to change this,
No 'business suit' understands this stuff anyway, and you'd have a
better chance posting messages at your local golf, and not here,
if you want to change the situation.

Paul

Sam Simpson

Apr 17, 2002, 6:00:44 PM
On Wed, 17 Apr 2002 19:54:36 +0100, Paul Le Roux wrote:


> In article
> <pan.2002.04.15.09....@andyjeffries.remove.co.uk>,
> ne...@andyjeffries.remove.co.uk says...
>>
>>On Mon, 15 Apr 2002 00:10:58 +0100, Paul Le Roux wrote:
>>>>What web server powers 80% of the web Paul? Not bad for hobbyists.
>>>
>>> nobody cares what web server powers 80% of the web!!, what they care
>>> about is what web server powers the "business web", i'm sure apache
>>> has more than 80% of non-profits, schools, universities, individual
>>> web sites, etc
>>>
>>> when it comes to businesses though (except for some major dotcom's)
>>> most are using IIS on WinNT or some other commercial web server on
>>> Solaris or similar commercial unix.
>>
>>Of course you are kidding!!! OK, you must mean sites like bbc.co.uk and
>>amazon.com. Even biggies like Oracle.com are running on an Apache based
>>server.
>
> not kidding at all, do a survey yourself and you will be surprised, the
> best sites like google etc are using the technically best product which
> is linux/apache because they have no choice in the matter (the
> competition would fall over), this was not my point, my point was that
> the overwhelming majority of businesses are not using linux or apache
> because these solutions lack credibility, that some techies are using
> these solutions without official sanction changes nothing.

+ 70% of sites on the net are using Apache, including the BIG users that
Andy has previously listed.

Choosing a web platform isn't done at a techie level but normally requires
management / director level buy-in, which they have clearly received.

> These arguments have been going on for years, the US government
> squandered the only opportunity in a generation to change this.

This doesn't require USG support....It's gonna happen, just by the pure
economics (and MS incompetence).

> Linux
> tech's are not going to change this, us arguing this point is not going
> to change this, No 'business suit' understands this stuff anyway, and
> you'd have a better chance posting messages at your local golf, and not
> here,
> if you want to change the situation.

Paul Le Roux

Apr 17, 2002, 9:16:41 PM
to be honest this argument could go on for ever, so I'll bow out now.
wake me up when linux = $.

In article <pan.2002.04.17.22...@samsimpson.com>,
s...@samsimpson.com says...
