[kwlug-disc] Stronger SSH keys and SSL certificates
unsolicited
unsolicited at swiz.ca
Tue Apr 22 03:42:26 EDT 2014
So, now not only are you postulating that the NSA has injected source
code into OpenSSL, and successfully had it accepted worldwide for all
compile-from-source repositories (otherwise there would be no point,
there would be nothing on the other side of the connection for the NSA
to exploit), you are suggesting that simultaneously they have done so
into gcc to accept and hide the exploit.

And that they have used it, and penetrated to the corresponding content
server to sniff your stuff, and there's something in there worth
sniffing, and being U.S. based there is something in there of use to them.

Moving on ...

On 14-04-21 03:52 PM, Giles Malet wrote:
> On 04/21/2014 03:32 AM, unsolicited wrote:
>> the NSA CANNOT have a back door. It would
>> not survive in the code base.
>
> That is not true, for the simple reason that you are assuming that the
> source is a direct representation of the executable produced. Please
> read this famous article and then reconsider what you said:
>
> http://cm.bell-labs.com/who/ken/trust.html
>
> Admittedly doing something like this would be tricky, but it's not
> beyond the realms of possibility. Just fiddling with, say, the GCC
> compiler would be enough for this to be a problem.
>
> g