[liberationtech] Cryptography super-group creates unbreakable encryption
ali at packetknife.com
Wed Feb 13 22:26:32 PST 2013
Before the pad was ruined we also found out that:
- TiViPhone seems to be part of Silent Circle, (c) and all.. the lead
developers are listed on SC's founding page.
- Likewise the libraries noted, except PolarSSL, also seem to be development
led by people now working for Silent Circle.
- Nadim admittedly jumped the gun on the snprintf() issue
- We can't verify the libraries used or any of the code against the binary
So the skewering was premature. The pad, with other commentary, before it
was ruined is downloadable at http://pastebit.com/pastie/12001 .. the revision
history slider still works but who knows how long as someone is mercilessly
trolling Nadim through it now. -Ali
On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:
> So to recap:
> It hasn't been a few hours since Silent Circle released *some* of their
> source code, and we already know that:
> 1. Silent Circle isn't built to be a secure communications
> platform, but is simply a rebranding of TiviPhone, a Latvian-made VoIP
> software, with added encryption libraries,
> 2. The encryption libraries are themselves not developed by Silent
> Circle, but are third party libraries,
> 3. The third party libraries are in some cases outdated, even in the
> face of security advisories,
> 4. There's a good possibility of a buffer overflow being there
> somewhere, with over 40 uses of snprintf().
> I know what I'm doing this weekend! :D
> On Wed, Feb 13, 2013 at 11:33 PM, Nathan of Guardian <
> nathan at guardianproject.info> wrote:
>> Fabio Pietrosanti (naif):
>> > Here some notes i collected with a quick review of the source code:
>> I can see the headlines now...
>> "Cryptography super-group more like a cover band"
>> "Cryptography Boy Band covers Latvian super-group"
>> "Cryptography super-group? More like Milli Vanilli!"
>> or perhaps simply:
>> "SilentCircle's premiere product was outsourced, and based on
>> out-of-date security libraries with known bugs"
>> Finally, just to be clear, I have nothing against re-using code,
>> especially open-source projects that are complementary. This is exactly
>> what we have done for our work on OSTN/OStel.
>> I do have a problem with people representing software they license from
>> someone else as their own brilliant, woven-by-the-gods invention.
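The snprintf() point argued back and forth above deserves a concrete illustration. What follows is an added example written for this archive page; it is not code from Silent Circle, TiViPhone, or any library named in the thread, and the function names (build_params_unsafe, build_params_safe) and the key/value input are constructed for the demonstration. It shows why a raw count of snprintf() calls says little: snprintf() never writes past its size argument, but it returns the length the full output would have had, and code that adds that return value to a running offset without checking it is the usual way a bounded call turns into an out-of-bounds write on the next one.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from Silent Circle, TiViPhone or any of the
 * libraries discussed in the thread. snprintf() itself is bounded; the
 * classic bug is trusting its return value as "bytes written" and using it
 * as the offset for the next call. Once that offset passes the end of the
 * buffer, buf + off points outside it and size - off wraps as size_t, so
 * the following write is effectively unbounded. */

/* Buggy pattern: the return value is added to the offset blindly. */
int build_params_unsafe(char *buf, size_t size, const char *const *kv, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        int r = snprintf(buf + off, size - off, "%s=%s;", kv[2 * i], kv[2 * i + 1]);
        off += (size_t)r;   /* BUG: r is the intended length, not what fit */
    }
    return (int)off;        /* can exceed size: a further call would write OOB */
}

/* Hardened pattern: check every return value against the remaining space,
 * stop on truncation, keep the buffer a valid string, and tell the caller. */
int build_params_safe(char *buf, size_t size, const char *const *kv, size_t n)
{
    if (size == 0) return -1;
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        int r = snprintf(buf + off, size - off, "%s=%s;", kv[2 * i], kv[2 * i + 1]);
        if (r < 0 || (size_t)r >= size - off) {
            buf[size - 1] = '\0';   /* output was truncated: do not continue */
            return -1;
        }
        off += (size_t)r;
    }
    return (int)off;
}

/* Constructed input: the second pair does not fit in a 16-byte buffer. */
static const char *const SAMPLE_KV[] = { "user", "alice", "token", "secretvalue" };

int main(void)
{
    char small[16];
    int u = build_params_unsafe(small, sizeof small, SAMPLE_KV, 2);
    /* returns 29 although the buffer holds 15 characters ("user=alice;toke") */
    printf("unsafe: returned %d, buffer holds %zu chars: \"%s\"\n",
           u, strlen(small), small);

    int s = build_params_safe(small, sizeof small, SAMPLE_KV, 2);
    /* returns -1 (truncation reported) and leaves "user=alice;toke" */
    printf("safe:   returned %d, buffer: \"%s\"\n", s, small);

    char big[64];
    int ok = build_params_safe(big, sizeof big, SAMPLE_KV, 2);
    /* returns 29 with the full "user=alice;token=secretvalue;" */
    printf("safe with room: returned %d: \"%s\"\n", ok, big);
    return 0;
}
```

The unsafe variant stops after two pairs on purpose so the demonstration itself stays inside the array; the damage is visible in the mismatch between the returned offset (29) and the 15 characters actually stored. A third snprintf() at buf + 29 with bound 16 - 29 would be the overflow. When auditing, grep for the pattern "off += snprintf(...)" or "len = snprintf(...); ... buf + len" rather than counting call sites.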