[Klug-general] SSL bug

J D Freeman klug at quixotic.org.uk
Thu May 22 19:00:19 BST 2008



On Thu, May 22, 2008 at 08:01:42PM +0300, Karl Lattimer wrote:
> Actually from a legal stand point I have not claimed you have said
> anything that you haven't, I have merely expressed subjective opinion.
> 
> Durrr... Libel is an accusation of untruth made in a public printed
> forum. Which includes the internet. You claim that I said Apple invented
> email, I used email as one of a string of examples to highlight the fact
> that you seem to be a troglodyte.

In fact everything you have said is "subjective opinion".

> So basically no one then? Where's your evidence! Don't cry at me for
> evidence if you're not willing to prove yourself.

I am not going to be drawn into revealing my employment history; I don't
see that it is relevant. Whilst you feel that the very fact you work for
Nokia is an amazing boost to you and your opinions, I beg to differ.

To quote a previous email to you:

I don't want to get into a willy waving competition, you immediately
start on a winner (actually having one).

> Wow! I'm impressed...
> 
> Not...
> 
> You obviously don't have a clue who else works next to me, so I'm not
> even going to start listing their names, that's when you start to get
> into childish nonsense. 

You are right. I do not have a roll call of all those in your office.
Neither do I need one. Simply being surrounded by intelligent people
does not automatically validate your view.

> Oh I forgot that if it's not on Google it never happened... I know the
> guy's credentials, and they're pretty damned good.

That's good. Just cos you know it does not help your argument.

"I cured cancer, my friend John saw me do it" isn't a valid way of
proving something. Without an independent peer-reviewed publication,
there is no way anything can be anything more than an opinion, and
without proper citation and references, there is little to make that
opinion worth listening to.

> How is a quote evidence? A quote is, in court, referred to as hearsay,
> as in it is heard, and repeated. Exactly how can hearsay become
> evidence? You honestly don't have a clue about the difference between a
> quotation and evidence, evidence is required to be evidential of an
> event, a FACT, not an opinion expressed by one or other individual, for
> instance blood stains on a carpet are evidence. Hearing someone say they
> killed someone and repeating it is hearsay. Hearsay is not taken into
> evidence, it is taken into consideration. Evidence must be catalogued
> whereas hearsay is transcribed.

However, testimony from someone is considered valid in a court of law,
as is blood on the carpet. You appear to be waffling without providing
any actual answer to my questions.

> Read your dictionary.

I do.

> I don't have a history of negative views against Debian, I think it's
> inferior, I have an opinion. That's not necessarily a history of
> negative views. I use a product which is superior, proven by the fact it
> does not suffer from a critical entropy flaw. Which has still got far
> reaching implications world wide.

Email archives beg to differ:

http://mailman.lug.org.uk/pipermail/kent/2006-December/001496.html

> Bruce is known for understatement... 

He is also known as a world-renowned expert in the field of security with
numerous publications to his name. I am going to cite him as a good
source for material. Rather than some guy the rest of the world doesn't
know, but you assure us is a top bloke.

> Actually does it? If a key signing authority used Debian to sign keys
> through the troublesome months, then the fact of the matter is that
> every single key they signed is now suspect.
> 
> It's a sprawling madness of cryptographic updating...
> 
> This is a BIG deal

Do you have documentable proof that this has occurred? Do VeriSign do
everything on Debian?

This is hearsay. You are providing no evidence to back up your claims.
STILL.

> We're talking about popular opinion here on this flaw, we compared
> various other flaws and we've all realised that this is probably the
> largest thing we've ever seen. We've seen people running around like
> crazy trying to fix the problems before they get out of control...
> Expert opinion dictates public opinion.
> 
> This is BIG, REALLY BIG!

You are talking popular opinion amongst you and your colleagues at
Nokia. Amongst my friends we don't agree. This is opinion. You are
allowed to hold whatever opinion you want. I however believe you are
wrong.

> You don't agree with me because you don't like the fact that time and
> time again you've extolled the virtue of Debian security, now you've
> been shamed for your misplaced faith. That and you don't ever agree with
> me, which gives me great pleasure in baiting the hell out of you and
> discrediting you where appropriate. 

Can you quote me on that one? Can you show references where I have
claimed Debian to be the most secure Linux? Kindly provide evidence to
back up your claim.

> I wouldn't, it may have been referred to as the "Data Encryption
> Standard", but the US government already knew it had serious
> shortcomings and were using 3DES at the time of the attack. The only reason
> they were embarrassed about it was that it was their primary method of
> communication with the UK at the time, and they were sending things they
> shouldn't have over that methodology.
> 
> Things changed quickly. 

Each to their own opinion.

> Also I think I'd ignore the losing of personal data, as we're talking
> about computer science here, this is implied by the context in which
> we're speaking. This bug beats the hell out of any buffer overflow, heap
> overflow, or previous cryptographic issue in the history of computing.
> Buffer overflows for example can be fixed in seconds, and prevented
> also, their lifetime is on average 5-6 days. This one is still a big
> problem, and will be for some time.

I prefer to look at things beyond the world of my computer. I would also
suggest that fixing 25 million personal records that are floating about
is a far bigger task than admins updating their ssh keys.

> Enigma didn't have any weaknesses itself, cryptographically speaking it's
> still secure by today's standards. The problem was introduced because of
> notational errors in the plain text rather than a flaw in the algorithm
> itself.

The implementation of Enigma was flawed, including things like the
repetition of the day key, and the fact the plugboard didn't really do
anything.

> You could I suppose consider this a security flaw, it was a stupid
> mistake that led to a one in a billion chance that someone would ever
> find it... Two consecutive e's gave it away, that and a guy who watched
> the daisies grow, but breaking Enigma didn't save any lives in the real
> world, in fact I think it probably ended up taking more than it saved.
> For instance positions of U-boats full of men. You could argue that they
> would have killed far more, however if you look at the actual record,
> the truth of the matter is people on ships generally were saved. People
> on subs generally died.

Yes, and the people who depended on the food and supplies carried on
those ships didn't die of starvation. Yes, some people died, however in
the grand scheme of things, the human race goes on. And ultimately the
sacrifice of a few helped the many. Few could argue that the cracking
of Enigma and Lorenz didn't shorten the war.

> Under certain circumstances, profanity provides a relief denied even to
> prayer.
>   -- Mark Twain.
> 
> A god damn quote for you...

The only reference and quote you are willing to give, and it adds
nothing useful to your case.

> /me does a little dance, if you reply, you're dumber than you look, and
> you look pretty dumb.

I dunno. That's not for me or you to decide.

J