[kwlug-disc] Stronger SSH keys and SSL certificates

unsolicited unsolicited at swiz.ca
Tue Apr 22 03:42:26 EDT 2014


So, now not only are you postulating that the NSA has injected source 
code into OpenSSL, and successfully had it accepted world wide for all 
compile from source repositories (otherwise there would be no point, 
there would be nothing on the other side of the connection for the NSA 
to exploit), you are suggesting that simultaneously they have done so 
into gcc to accept and hide the exploit.

And that they have used it, and penetrated to the corresponding content 
server to sniff your stuff, and there's something in there worth 
sniffing, and being U.S. based there is something in there of use to them.

Moving on ...

On 14-04-21 03:52 PM, Giles Malet wrote:
> On 04/21/2014 03:32 AM, unsolicited wrote:
>> the NSA CANNOT have a back door. It would
>> not survive in the code base.
>
> That is not true, for the simple reason that you are assuming that the
> source is a direct representation of the executable produced. Please
> read this famous article and then reconsider what you said:
>
> http://cm.bell-labs.com/who/ken/trust.html
>
> Admittedly doing something like this would be tricky, but it's not
> beyond the realms of possibility. Just fiddling with say the GCC
> compiler would be enough for this to be a problem.
>
> g
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org





More information about the kwlug-disc mailing list