From: "Michael H. Warfield" <mhw@wittsend.com>
Subject: Re: NSA - Spook Linux
Date: Wed, 10 Jan 2001 12:51:17 -0500
Next Article (by Date): Logging documentation Amon Ott
Previous Article (by Date): Re: NSA - Spook Linux Stephen Smalley
Top of Thread: NSA - Spook Linux "Furmanek, Greg"
Articles sorted by: [Date]
[Author]
[Subject]
On Wed, Jan 10, 2001 at 11:32:26AM +0100, Peter Busser wrote: > Hi! > > Wll there was a article on securityfocus recently about how there was a > > fairly obvious buffer overflow in the libsecurity library NSA added, I > > tink it was a remote explot, cant remember though. Personally I wpuldnt > > trust anything that came out of NSA considering the good possibility they > > were behind the strangely named NSA encrytion key found in windowsnt > Well, first of all, no non-trivial program is perfect. The existence of one > buffer overflows is not proof by itself that this NSA stuff is less secure > than other programs. It seems to be a research project, so don't expect > mission critical level security. > Second if all source code is available, how could the NSA hide such tricks like > the MS-Windows/NT encryption key in the system? It might be possible, but it is > no doubt very hard to hide. Gee... Doesn't ANYONE bother to read the final analysis of these things anymore. I know the conspiracy theories are much more fun, but come on... The "MS-Windows/NT encryption key" only allowed them (the NSA) to use their own key for their own software without submitting anything to Microsoft. It wasn't a backdoor and it didn't compromise and non-NSA systems. The one thing the NSA key did was totally screw over the export controls (and may have contributed to the demise of them last year) by making it possible to install foreign crypto into Windows without hosing crypto signed by MS. You just had to "patch" the NSA key to be the key of your choice and then both your key and the MS key would work allowing signatures from either source. As long as there was only one key, they could control who could provide crypto to be installed in Windows. With two keys, they lost that control. :-) > All in all I think it's an interesting project. Provided all source code > are publicly available, I don't think there is any reason to be overly > paranoid about it. I think it's wonderful. We can examine their patches and adopt what ever we want into our software. They've already derived benefit from OpenSourcing it since flaws were quickly discovered and fixed that might have gone into production. > Groetjes, > Peter Busser > -- > Our continuing mission: To seek out knowledge of C, to explore strange UNIX > commands, and to boldly code where no one has man page 4. > > UNIX is user friendly... it's just picky about who it chooses to befriend. > - > To unsubscribe from the rsbac list, send a mail to > majordomo@rsbac.org with > unsubscribe rsbac > as single line in the body. -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! - To unsubscribe from the rsbac list, send a mail to majordomo@rsbac.org with unsubscribe rsbac as single line in the body.
Next Article (by Date): Logging documentation Amon Ott
Previous Article (by Date): Re: NSA - Spook Linux Stephen Smalley
Top of Thread: NSA - Spook Linux "Furmanek, Greg"
Articles sorted by: [Date]
[Author]
[Subject]