[cryptography] Backdoors in software

John Young jya at pipeline.com
Mon Sep 9 16:31:38 EDT 2013


A distinctive, well-known and exploited, weakness of
comsec is reluctance to give up use of a widely deployed
system even when a fault has been exposed. This happens
again and again because it is difficult to find a new system
that has been tested for wide use, distributed the system,
training in its use, errors in use and mods, with cries of
harried users overloaded with work and insufficient time,
to return to the old familiar system, with subversive return
to the old system despite warnings of security mavens.

This is occuring now. It is not sure which reliable systems
have been broken, only teases of child-like slides lacking
details of proof needed to correct specific weaknesses
or devise a better system without them. Seldom are all
the weaknesses of a system fully disclosed or explored,
instead hurry up with the new one, time's awasting.

Then there it is questionable whether there are true
weaknesses or pretense of them, another favorite to
confuse the enemy desperately seeking a tool to
depend on under most variable and stressful of
conditions far from laboratory-rigged-for-the-contract
triumph.

This inertial force and obligatory doubt, and market
driven output, are powerful forces for disinformation
and have historically proven successful as tactics
and strategy, way back then as now.

Windows has been known to be extremely vulnerable for
many years yet it continues as the most popular program
in the world with all its permuations of vulnerable apps.
Why? Nobody gives a damn that much. Perfectly
fertile ground for hackers and spies, and producers
of upgrades worse than the originals.

To lesser degree that is the same with many popular
programs from Adobe to Cisco to just name it. In the
case of Windows, Adobe and Cisco, for example, weaknesses
are now advertised after initial denial. Honesty of failure is
a selling point. Lesson learned from religion, military, and
adultery.

It should be expected that popular and highly recommended
security systems are vulnerable but will not be abandoned
due to inertia and most importantly the cost of replacement
even when reliable replacements are devised, tested,
distributed and adopted over an extended period of time
with the usual tweakings, errata, standards rejiggling,
charges and denials about undercover agents, covering
tracks, pouring on advertising and expert consultations
to arrive at a plateau of acceptance -- getting products
out the door, whistling dixie and in the dark to handle
the anxiety of discovery another fuck-up and cover-up.

Serial adulterers (and adulterators) win most of the time.

By then the weaknesses of new products will have been
discovered, denied, exploited, sold on the black market,
stolen by opponents, exculpated, pretense of surprise,
rue of deception, outraged calls to arms, and so on.

Here we are at the near of end of one comsec cycle based
on popular use of encryption, now a juvenile about 15 years
old, hardly mature, and the early glimmerings of a new babes to
be born. The babes of market-and-career-spoiled crypto
juveniles no way prepared to be responsible adults trapped
in miserable jobs, far more suited to fucking their brains out.

Why give up Windows, better to bitch about it and promote
comparably weak add ons for security like Tor, Truecrypt and
fashionista ilk. So what if a few users get sent to the slammer
or head lopped by tyrants, bitch about that too, and call for
more hell-raising and fund-raising.

Best is to sell comsec asses to the giants and watch the dividends
roll in.



At 03:28 PM 9/9/2013, you wrote:
>On Mon, Sep 09, 2013 at 01:50:54PM -0500, Nicolai wrote:
> > On Mon, Sep 09, 2013 at 02:20:35PM +0200, David D wrote:
> >
> > > TrueCrypt can be assumed "ok" based on Greenwald using it.    If Snowden
> > > knew of a hole in TrueCrypt then Greenwald would not be using it.  IMO.
> >
> > I don't think this is a useful criteria.  After all, Greenwald probably
> > uses Windows, right?
>
>Schneier uses Windows, too.
>
>http://www.truecrypt.org/docs/supported-operating-systems
>
>TrueCrypt currently supports the following operating systems:
>
>Windows 7  (32-bit and 64-bit)
>Windows Vista  (32-bit and 64-bit)
>Windows XP  (32-bit and 64-bit)
>Windows Server 2008 R2  (64-bit)
>Windows Server 2008  (32-bit and 64-bit)
>Windows Server 2003  (32-bit and 64-bit)
>Windows 2000 SP4
>
>Mac OS X 10.8 Mountain Lion  (32-bit and 64-bit)
>Mac OS X 10.7 Lion  (32-bit and 64-bit)
>Mac OS X 10.6 Snow Leopard  (32-bit)
>Mac OS X 10.5 Leopard
>Mac OS X 10.4 Tiger
>
>Linux  (32-bit and 64-bit versions, kernel 2.6 or compatible)
>
>Note: The following operating systems (among others) are not 
>supported: Windows RT, Windows 2003 IA-64, Windows 2008 IA-64, 
>Windows XP IA-64, and the Embedded/Tablet versions of Windows.
>
> > NB: I'm not making any claim for or against TrueCrypt.
>
>
>_______________________________________________
>cryptography mailing list
>cryptography at randombit.net
>http://lists.randombit.net/mailman/listinfo/cryptography




More information about the cryptography mailing list