[liberationtech] Cryptography super-group creates unbreakable encryption

Ali-Reza Anghaie ali at packetknife.com
Wed Feb 13 22:26:32 PST 2013 

Before the pad was ruined we also found out that:

- TiViPhone seems to be part of Silent Circle, (c) and all.. the lead
developers are listed on SC's founding page.
- Likewise the libraries notes, except PolarSSL, also seem to be develop
led by people now working for Silent Circle.
- Nadim admittingly jumped the gun on snprintf() issue
- We can't verify the libraries used or any of the code against the binary
builds

Etc.

So the skewering was premature. The pad, with other commentary, before it
was ruined is DLable at http://pastebit.com/pastie/12001 .. the revision
history slider still works but who knows how long as someone is mercilessly
trolling Nadim through it now. -Ali



On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:

> So to recap:
> It hasn't been a few hours since Silent Circle released *some* of their
> source code, and we already know that:
>
>
>    1. Silent Circle isn't in built to be a secure communications
>    platform, but is simply a rebranding of TiviPhone, a latvian-made VoIP
>    software, with added encryption libraries,
>    2. The encryption libraries are themselves not developed by Silent
>    Circle, but are third party libraries,
>    3. The third party librares are in some cases outdated, even in the
>    face of security advisories,
>    4. There's a good possibility of a buffer overflow being there
>    somewhere, with over 40 uses of snprintf().
>
> I know what I'm doing this weekend! :D
>
>
> NK
>
>
> On Wed, Feb 13, 2013 at 11:33 PM, Nathan of Guardian <
> nathan at guardianproject.info> wrote:
>
>> Fabio Pietrosanti (naif):
>> > Here some notes i collected with a quick review of the source code:
>>
>> I can see the headlines now...
>>
>> "Cryptography super-group more like a cover band"
>> "Cryptography Boy Band covers Latvian super-group"
>> "Cryptography super-group? More like Milli Vanilli!"
>>
>> or perhaps simply:
>> "SilentCircle's premiere product was outsourced, and based on
>> out-of-date security libraries with known bugs"
>>
>> Finally, just to be clear, I have nothing against re-using code,
>> especially open-source projects that are complimentary. This is exactly
>> what we have done for our work on OSTN/OStel.
>>
>> I do have a problem with people representing software they license from
>> someone else as their own brilliant, weaved-by-the-gods invention.
>>
>> +n
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130214/824e22bc/attachment.html>

More information about the liberationtech mailing list