Focus on Microsoft
Announcing TGP - Thor's Godly Privacy Jul 09 2010 06:55PM
Thor (Hammer of God) (thor hammerofgod com) (1 replies)
Re: Announcing TGP - Thor's Godly Privacy Jul 10 2010 05:36PM
Jeffrey Walton (noloader gmail com) (1 replies)
RE: Announcing TGP - Thor's Godly Privacy Jul 10 2010 06:37PM
Thor (Hammer of God) (thor hammerofgod com) (1 replies)
Re: Announcing TGP - Thor's Godly Privacy Jul 13 2010 02:40AM
Jeffrey Walton (noloader gmail com) (1 replies)
RE: Announcing TGP - Thor's Godly Privacy Jul 13 2010 05:26AM
Thor (Hammer of God) (thor hammerofgod com) (1 replies)
Re: Announcing TGP - Thor's Godly Privacy Jul 13 2010 11:17PM
Phillip Macey (phillip macey cisra canon com au) (2 replies)
Thor (Hammer of God) wrote:
> Personally, I think providing the source for a program like TGP makes it less secure. The reason for this is that if I post the source, anyone can recompile it with Trojan options, distribute it, and no one would know. I mean, it's .NET - so even if I did post the source, you really don't know if the calls I make are "real" ones from the source alone. While the source may make it easier for you to see how I implement TGP, you can really just do that on your own if you wish... It's all tried and true cryptographic standards that can be independently verified with any other utility that supports SHA256, AES256, and RSA. Logic dictates that if one is capable of verifying an implementation by source code audit, then one is capable of writing it on their own. But people don't really do that in real life - they let other people (like me) write stuff and throw it out there, and people trust them not to do something unethical.
>
Actually, even if you don't release your source, someone can easily
re-distribute a look-alike program with trojans included. Just write a
new program and mimic the user interface. Once the trojan is installed,
bomb out with an error message. The unfortunate people who ran it will
not know any better, other than thinking TGP is a buggy program and not
worth the bother of trying again. How can I know that you are not
releasing a program with a trojan buried within it somewhere? (I'm not
suggesting that you actually are.. just pointing out that the program
you released is actually quite indistinguishable from the theoretical
trojaned one that you were talking about.) You are trying to implement
'security by obscurity' by not releasing source. That is never a really
good way to secure something, nor is it a good way to prove to people
that an implementation is secure. A secure encryption program is more
than just not including a trojan - it is a correct implementation that
does not expose the original data. Your argument is quite flawed.

Both open and closed source have their place, but yours is not a good
reason to be closed. For the record, I'm not trying to convince you that
you should release the source.. It is yours to do what you want with.
You don't need a reason to keep it to yourself if that's what you want to
do. I am also not trying to suggest that you are releasing a trojan or
an incorrect implementation (I really don't have any way to tell) ;-)

> People need to remember that posting source code was NOT originally so you could see if something was secure or implemented correctly. It was so that you could compile it yourself when you had environmental dependencies of your own. And you don't know if I post the "real" source code or not. You have to trust me, or audit the binaries. If you are going to audit the binaries, then you don't really need the source.
>
The other way to look at it is that if you supply a binary and source, I
have no way of knowing that it is the 'real' binary built from the
supplied source. It works both ways. I do agree that at some point there
has to be a certain level of trust. Even an open source OS like Linux or
OpenBSD is generally distributed as a binary - a computer can't boot from
a bunch of source code and header files.

> I know there are as many valid reasons for closed source as there are against. But it all comes down to what the author chooses to do, and for now, I choose not to disclose the source...
>

--
Thanks,
Phill Macey (CiSRA IT Services)
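The point both sides circle around is that neither a binary nor a source tarball is self-authenticating: a look-alike with a trojan and a genuine build look the same to the person running them. What lets a user tell them apart is a digest (or signature) published over a channel independent of the download. The following is an added illustration, not TGP code and not anything from the thread: it parses a SHA256SUMS-style manifest and checks release files against it. The file names, file contents and the manifest are all constructed here for the example.

```python
"""Verify release files against a SHA256SUMS-style manifest.

Added example (not TGP code). Demonstrates that a published digest,
fetched from somewhere other than the download location, is the only
thing that distinguishes a genuine binary from a look-alike carrying
extra payload. All sample data below is constructed for illustration.
"""
import hashlib
import hmac

# Constructed sample "release": the genuine binary, and a look-alike that
# mimics the genuine one byte-for-byte and then appends an implant.
GENUINE_BINARY = b"TGP.exe: AES256+RSA+SHA256 build 1.0\n"
LOOKALIKE_BINARY = GENUINE_BINARY + b"<implant>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string (the digest TGP itself supports)."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in the usual "<hex digest>  <file name>" layout, as
# an author would publish on a separate, authenticated page.
PUBLISHED_MANIFEST = (
    "# TGP 1.0 release digests (constructed sample)\n"
    f"{sha256_hex(GENUINE_BINARY)}  TGP.exe\n"
)


def parse_manifest(text: str) -> dict:
    """Parse '<hex>  <name>' lines into {name: hex_digest}.

    Blank lines and '#' comments are skipped; anything else that is not a
    64-hex-char digest followed by two spaces and a name is rejected, so a
    tampered or truncated manifest fails loudly instead of verifying nothing.
    """
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.strip()
        if not sep or not name or len(digest) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest in manifest line: {line!r}")
        digests[name] = digest.lower()
    return digests


def verify_file(name: str, data: bytes, manifest: dict) -> bool:
    """True only if `data` hashes to the digest the manifest lists for `name`.

    A file the manifest does not mention is treated as unverified (False),
    not as "nothing to check". The comparison is constant-time out of habit;
    the digests are public, so this is hygiene rather than a requirement.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    manifest = parse_manifest(PUBLISHED_MANIFEST)
    print("genuine  :", verify_file("TGP.exe", GENUINE_BINARY, manifest))
    print("lookalike:", verify_file("TGP.exe", LOOKALIKE_BINARY, manifest))
```

The check only means something if the manifest did not travel alongside the binary: an attacker who can replace TGP.exe on a mirror can replace a SHA256SUMS file sitting next to it just as easily. In practice the manifest is signed by the author's key or hosted somewhere the attacker cannot reach, which is the same "at some point there has to be a certain level of trust" the post concedes, narrowed to one key or one page rather than every download.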

RE: Announcing TGP - Thor's Godly Privacy Jul 16 2010 04:26PM
Wayne Anderson (wfrazee wynweb net)
RE: Announcing TGP - Thor's Godly Privacy Jul 14 2010 12:23AM
Thor (Hammer of God) (thor hammerofgod com)
Copyright 2010, SecurityFocus