You posed a general question;

> > This brings up the following question: What is the best method for
> > ensuring the integrity of software which requires a high level of trust?

I answered in general terms. But to be particular, I know nothing
of this person or his software. Is the source code available for public
scrutiny or isn't it? If not then why not?

That's a question you might like to consider. But don't get too paranoid;
it might be merely because he's trying to make a profit out of it.
It's just that lacking scrutiny one can never be too sure.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Morgan Marquis-Boire
> Sent: Thursday, 27 February 2003 1:44 p.m.
> To: Steve Wray
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Cryptome Hacked!
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Why would John Young tamper with the software available on his site?
> Do you not think that if this were discovered it would reduce whatever
> credibility he and his site may have in the crypto community?
> Given the nature of the website and its pro-crypto stance, it makes
> little sense to me the idea that someone would deliberately weaken the
> tools provided on the site.
> In what way do you feel the tools may have been tampered with?
>
> On Thu, 27 Feb 2003 12:58:35 +1300
> "Steve Wray" <[EMAIL PROTECTED]> wrote:
>
> > Sticking my neck out, I'd say that the *best* method would be;
> >
> > 0. Be familiar with your OS and with the programming
> > language in which the software is written and
> >
> > 1. Go over the source code line by line inspecting the
> > whole thing.
> >
> > 2. If you don't have access to the source don't trust it,
> > no way no how.
> >
> > Ok that was the dead serious part.
> >
> > 3. If people you know and trust have access to the source that
> > may mitigate failure at (2), but only marginally.
> > You need a face-to-face relationship with the parties you trust
> > and who have access to the source; email or other internet
> > relationships do not count.
> >
> > (Ok so certain types of psychopath can reliably lie and fool even
> > the clinically paranoid. Yup, even people who are psychotically
> > paranoid can be lured into disclosing their bank details by
> > a 'creative psychopath'.)
> >
> > So if you want to be able to trust it only personal inspection
> > of the source will do.
> >
> > You *did* say "high level of trust"
> >
> > Personally I don't feel a need for this level of paranoia. Phew
> > I can live my life and not feel concerned about the conversations
> > they have about me on the TV. The ones that no one else can hear.
> > Mwahahahaaaaaa
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Sung J.
> > Choe
> > Sent: Thursday, 27 February 2003 12:10 p.m.
> > To: '[EMAIL PROTECTED]'
> > Subject: [Full-Disclosure] Cryptome Hacked!
> >
> >
> > Cryptome.org, a site for privacy enthusiasts and leftists alike, was
> > apparently hacked today. Their server is up but "all files were
> > deleted". Besides the usual anti-American/anti-government vitriol that
> > is usually found at Cryptome.org, they also distribute crypto software.
> > This brings up the following question: What is the best method for
> > ensuring the integrity of software which requires a high level of trust?
> > I am almost sure that any crypto software distributed by such extremists
> > as John Young (operator of cryptome.org) has been tampered with in some
> > way. Does anybody else share this opinion?
> >
> >
> > .--------------------------------------------------.
> > | Sung J. Choe <schoe[at]oicinc.com>, TICSA         |
> > | Systems Administrator, Facility Security Officer |
> > .--------------------------------------------------.----.
> > | Oceanic Imaging Consultants, Inc. |
> > | Phone #: (808) 539-3634 x3634     |
> > .-----------------------------------.
> > 568D CAD6 53A0 92E6 4A2A 4E87 3BA0 5F90 37BB 8EE7
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> - --
> Morgan Marquis-Boire
> Unix Systems Consultant
> Datacom Systems Ltd.
> (025) 954-931
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
>
> iD8DBQE+XV9mMMI56vuqwigRAtAdAKC5Xe33yGrZ0GGuTL97ze/1+aQABgCfROz1
> vnyp8oj2WYZiVsRjJq/Vk+g=
> =Wpy7
> -----END PGP SIGNATURE-----
