[liberationtech] Cryptography super-group creates unbreakable encryption
nadim at nadim.cc
Wed Feb 13 20:54:42 PST 2013
Fabio just discovered that Silent Phone derives device IDs by hashing the
device IMEI with MD5...
On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:
> So to recap:
> It hasn't been a few hours since Silent Circle released *some* of their
> source code, and we already know that:
> 1. Silent Circle isn't built to be a secure communications
> platform, but is simply a rebranding of TiviPhone, a Latvian-made VoIP
> software, with added encryption libraries,
> 2. The encryption libraries are themselves not developed by Silent
> Circle, but are third party libraries,
> 3. The third party libraries are in some cases outdated, even in the
> face of security advisories,
> 4. There's a good possibility of a buffer overflow being there
> somewhere, with over 40 uses of snprintf().
> I know what I'm doing this weekend! :D
> On Wed, Feb 13, 2013 at 11:33 PM, Nathan of Guardian <
> nathan at guardianproject.info> wrote:
>> Fabio Pietrosanti (naif):
>> > Here are some notes I collected with a quick review of the source code:
>> I can see the headlines now...
>> "Cryptography super-group more like a cover band"
>> "Cryptography Boy Band covers Latvian super-group"
>> "Cryptography super-group? More like Milli Vanilli!"
>> or perhaps simply:
>> "SilentCircle's premiere product was outsourced, and based on
>> out-of-date security libraries with known bugs"
>> Finally, just to be clear, I have nothing against re-using code,
>> especially open-source projects that are complementary. This is exactly
>> what we have done for our work on OSTN/OStel.
>> I do have a problem with people representing software they license from
>> someone else as their own brilliant, weaved-by-the-gods invention.
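Added example, not part of the original thread and not Silent Circle's code: why an unkeyed MD5 of an IMEI makes a poor device identifier, shown next to a keyed alternative. It assumes the ID is the bare MD5 hex digest of the 15-digit IMEI string (the thread gives no further detail); the IMEI, the function names and the per-install secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def luhn_check_digit(body14: str) -> str:
    """Check digit for the first 14 IMEI digits (8-digit TAC + 6-digit serial)."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:              # every second digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def unkeyed_id(imei: str) -> str:
    """Assumed scheme: device ID = MD5(IMEI), no key and no salt."""
    return hashlib.md5(imei.encode()).hexdigest()

def keyed_id(imei: str, secret: bytes) -> str:
    """Alternative: HMAC-SHA-256 under a secret that never leaves the device."""
    return hmac.new(secret, imei.encode(), hashlib.sha256).hexdigest()

def recover_imei(device_id: str, tac: str) -> Optional[str]:
    """For a known model (TAC) only 10**6 serials exist, so the hash hides nothing."""
    for serial in range(10**6):
        body = f"{tac}{serial:06d}"
        imei = body + luhn_check_digit(body)
        if unkeyed_id(imei) == device_id:
            return imei
    return None

if __name__ == "__main__":
    imei = "490154203237518"        # constructed sample IMEI, not from the thread
    leaked = unkeyed_id(imei)
    print("unkeyed ID :", leaked)
    print("recovered  :", recover_imei(leaked, imei[:8]))
    secret = secrets.token_bytes(32)  # hypothetical per-install secret
    print("keyed ID   :", keyed_id(imei, secret))
```

Without the per-install secret, the keyed ID cannot be matched by enumerating IMEIs; a random install identifier with no IMEI input at all avoids the problem entirely.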