[Klug-general] SSL bug

Karl Lattimer karl at qdh.org.uk
Thu May 22 18:05:18 BST 2008 

On Thu, 2008-05-22 at 17:22 +0100, J D Freeman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thu, May 22, 2008 at 09:58:55AM -0400, Karl Lattimer wrote:
> > Hmm, I don't see that I claim that apple invented email there, I was taking
> > the piss out of your for not moving with the times.
> > 
> > Your statement is still libel. 
> 
> As is your statement. The simple act of claiming someone's statement as
> libel has substantial bearing, and you should consider it fully before
> contining down that line.

Actually from a legal stand point I have not claimed you have said
anything that you haven't, I have merely expressed subjective opinion.

Durrr... Libel is an accusation of untruth made in a public printed
forum. Which includes the internet. You claim that I said apple invented
email, I used email as one of a string of examples to highlight the fact
that you seem to be a troglodyte. 


> > Which company? Hmm... Don't want to say it out loud? Funny, every man and
> > his dog knows who I work for...
> 
> Yes, we all know you work for Nokia. I do not however feel any need to
> discuss my previous employers. It is not something which really adds any
> weight to the argument and merely discloses personal information that
> need not be disclosed.

So basically no one then? Where's your evidence! Don't cry at me for
evidence if you're not willing to prove yourself.


> > Yeah, well I have real professionals around me all day long, what I hear at
> > morning coffee is quite a bit more advanced than anything I've ever heard
> > you talking about...
> 
> Me too. A quick grep of the CREDITS file for the linux kernel lists my
> business partner. 

Wow! I'm impressed...

Not...

You obviously don't have a clue who else works next to me, so I'm not
even going to start listing their names, that's when you start to get
into childish nonsense. 


> > Specifically my source is Rodrigo Novo... It was said amongst ourselves, he
> > may have been quoting someone else, he makes a valid point. 
> 
> Who appears to be... well google lists a few results, but nothing
> terribly useful. No Wikipedia page, no only CV, nothing infact to help
> us beyond his name.

Oh I forgot that if its not on google it never happened... I know the
guys credentials, and they're pretty damned good.


> > Also I don't necessarily need to quote someone else, lets just say you can
> > quote me. Personally I think quotations are for fairly stupid people who
> > aren't able to discern opinion on their own.
> 
> Excellent, cos it all works on the basis that noone needs to provide
> evidence! Afterall I invented faster than light travel!
> 
> Come on, be sensible. [citation needed]

How is a quote evidence? A quote is, in court referred to as hear-say,
as in it is heard, and repeated. Exactly how can hear-say become
evidence? You honestly don't have a clue about the difference between a
quotation and evidence, evidence is required to be evidential of an
event, a FACT, not an opinion expressed by one or other individual, for
instance blood stains on a carpet are evidence. Hearing someone say they
killed someone and repeating it is hear-say. Hear say is not taken into
evidence, it is taken into consideration. Evidence must be cataloged
where as hear say is transcribed.

Read your dictionary.


> > So you can't name one?
> 
> I named 2 there, and those are just big flaws in the last couple of
> weeks. A quick google for the phrase "biggest security flaw in history"
> lists a number of options. Starting with a flaw in HSBC's online banking
> which made open 3 million bank accounts. Then a few windows flaws, ooh
> look references to electronic voting machines. Wow there are some great
> ones to choose from. 
> 
> Sitting in utrecht right now tho, I think the giant screwup that is the
> dutch OV chipkart is pretty damn spectacular. Or perhaps the TNT mail
> rooms loss of 25 million personal records. The problem is there are so
> many screwups by so many organisations and individuals it is next to
> impossible to make a claim that one is the worst ever. Especially when
> the person making that claim is rather biased and has a history of
> negative views towards debian.

I don't have a history of negative views against debian, I think its
inferior, I have an opinion. That's not necessarily a history of
negative views. I use a product which is superior, proven by the fact it
does not suffer from a critical entropy flaw. Which has still got far
reaching implications world wide.

Looks like my opinion was right, god damnit I wish I never listened to
people about ubuntu... Then I'd still have one key to rule them all.


> I prefer the view taken by Bruce Schneier, a world renound security
> expert who is respected within his field.
> 
> "This is a big deal"

Bruce is known for understatement... 


> Note, he doesn't claim the worst ever.
> 
> > Still don't effect an entire e-commerce infrastructure, sorry you FAIL.
> 
> Neither does this, it only effects parts of it, and then only small
> parts of it. I think you are making incorrect over generalisations.

Actually does it? If a key signing authority used debian to sign keys
through the troublesome months, then the fact of the matter is that
every single key they signed is now suspect.

Its a sprawling madness of cryptographic updating...

This is a BIG deal


> > LOL, why? 
> > 
> > If people around me say it, its enough, if I hear the same grumblings in
> > the software community at large then its enough.
> 
> If people around me say that the world was created in seven days, does
> that make it right? Does that counteract years of scientific evidence to
> the contry? Does one person making a claim really get anywhere unless
> they can back thatup with evidence or reasoning? Simpley "Cos I say so"
> is a very week argument. Incredibly week indeed.

We're talking about popular opinion here on this flaw, we compared
various other flaws and we've all realised that this is probably the
largest thing we've ever seen. We've seen people running around like
crazy trying to fix the problems before they get out of control...
Expert opinion dictates public opinion.

This is BIG, REALLY BIG!


> > Why are you so keen to evade the fact that this is the biggest issue the
> > world has had to face with cryptography since the arrival of public key
> > algorithms.
> 
> Because I don't agree with you. Its very simple. You are blowing it out
> of proporsion due to bias and poor argument.

You don't agree with me because you don't like the fact that time and
time again you've extolled the virtue of debian security, now you've
been shamed for your misplaced faith. That and you don't ever agree with
me, which gives me great pleasure in baiting the hell out of you and
discrediting you where appropriate. 


> > I suppose you could probably class 2600 circumventing DES as a fairly big
> > issue too, what with the t-shirts that made the US government a bit red
> > faced an all. That still doesn't detract from the fact that I say this is
> > the biggest security issue I've ever seen, and I've been around to watch
> > the massive sendmail bugs, apache bugs etc...
> 
> Yes, I would put circumventing DES as even higher.

I wouldn't, it may have been referred to as the "Data Encryption
Standard", but the US government already knew it had serious short
comings and were using 3DES at the time of the attack. The only reason
they were embarrassed about it was that it was their primary method of
communication with the UK at the time, and they were sending things they
shouldn't have over that methodology.

Things changed quickly. 

Also I think I'd ignore the loosing of personal data, as we're talking
about computer science here, this is implied by the context in which
we're speaking. This bug beats the hell out of any buffer overflow, heap
overflow, or previous cryptographic issue in the history of computing.
Buffer overflows for example can be fixed in seconds, and prevented
also, their life time is on average 5-6 days. This one is still a big
problem, and will be for some time.


> Infact I think the greatest security flaw in history, one which actually
> saved millions of lives and brought about an end to world war II, has
> to be the weeknesses in Enigma, and the wholesale trust in it by those
> who used it. Yes I am aware I risk the wrath of godwin on that one. 

Enigma didn't have any weaknesses itself, cryptographically speaking its
still secure by todays standards. The problem was introduced because of
notational errors in the plain text rather than a flaw in the algorithm
itself.

If you use enigma to encrypt binary text you'll find that the 'crib' or
'way in' vanishes. The problem came from the keyboard's short comings,
and the notation of sending german over, I could be wrong, a 24 letter
keyboard.

You could I suppose consider this a security flaw, it was a stupid
mistake that lead to a one in a billion chance that someone would ever
find it... Two consecutive e's gave it away, that and a guy who watched
the daisy's grow, but breaking enigma didn't save any lives in the real
world, in fact I think it probably ended up taking more than it saved.
For instance positions of u-boats full of men. You could argue that they
would have killed far more, however if you look at the actual record,
the truth of the matter is people on ships generally were saved. People
on subs generally died.

Oh and don't forget the massive cover ups of the russian massacre of the
poles which could have been acted upon if the plain texts weren't
buried.


> > Never in history has cryptography been owned on such a scale. Quote me on
> > that bitch.
> 
> Again you resort to swearing and insults. Why? Can you not produce a
> balanced well backed up argument without resorting to childish taunts?

Under certain circumstances, profanity provides a relief denied even to
prayer.
  -- Mark Twain.

A god damn quote for you...

K,

/me does a little dance, if you reply, you're dumber than you look, and
you look pretty dumb.

More information about the Kent mailing list