BugTraq
Popular Net anonymity service back-doored Aug 21 2003 04:56AM
Thomas C. Greene (thomas greene theregister co uk) (4 replies)
JAP unbackdoored Aug 27 2003 07:43PM
Kristian Koehntopp (kris koehntopp de)
Re: Popular Net anonymity service back-doored Aug 21 2003 06:38PM
Florian Weimer (fw deneb enyo de) (1 replies)
Re: Popular Net anonymity service back-doored Aug 21 2003 12:05PM
Thomas C. Greene (thomas greene theregister co uk) (3 replies)
Re: Popular Net anonymity service back-doored Aug 22 2003 07:34AM
nordi (nordi addcom de)
On Thursday, 21. August 2003 14:05, Thomas C. Greene wrote:
> It's not secure, and claiming that it is taints anything else they may be
> doing on behalf of users. They're *still* saying it's impossible for anyone
> to intercept users' traffic or identify them.

Actually, this is absolutely not what they are saying. When you visit the
website of the JAP project http://anon.inf.tu-dresden.de/ it says in big, red
letters:

"Aus aktuellem Anlass weisen wir noch einmal ausdrücklich daraufhin, dass
sich die JAP Software in Entwicklung befindet und noch nicht maximale
Sicherheit bietet. (siehe unten ... )"

In English this means something like

"Due to recent events we explicitly inform you of the fact that the JAP
software is still being developed and does not yet provide maximum security.
(see below ...)"

As I said: big, red letters at the top of their main page. And when you click
that "see below" link it says there "Attention! [...] This version does NOT
yet implement the security features described above and desired by us. But it
does already protect you against attackers that control the net only locally at
one place such as [...] the owner of a mix."

So by the time you download that software you should have already read _two_
statements telling you that JAP is not as secure as it could be. It also
tells you that in the current configuration, the JAP people can see all your
traffic if they want to: Note that it says it will protect you against "the
owner of _A_ mix". But if you take the Dresden-Dresden cascade, the JAP
people obviously control _all_ of them. And the above statement already
implies that in this case, JAP cannot protect you.

If you still want to use JAP,
http://www.heise.de/newsticker/data/uma-20.08.03-000/ (in German) tells you
how to do it securely: simply use just a single mix that is not controlled by
the JAP project and you'll be fine. The court order is only valid for the JAP
people, so everybody else in Germany (and elsewhere of course) can offer a
non-backdoored mix which will make the cascade secure. This actually means
that all cascades but the Dresden-Dresden one are secure.

Kind regards
nordi

--
For humanity is threatened by wars against which the past ones are like pitiful
attempts, and they will come without any doubt if the hands of those who
prepare them in full public view are not smashed.
Bertolt Brecht, 1952

Re: Popular Net anonymity service back-doored Aug 21 2003 10:30PM
Alex Russell (alex netWindows org)
Re: Popular Net anonymity service back-doored Aug 21 2003 09:41PM
Aron Nimzovitch (crypto clouddancer com) (2 replies)
Re: Popular Net anonymity service back-doored Aug 24 2003 09:42AM
Bernhard Kuemel (darsie gmx at)
RE: Popular Net anonymity service back-doored Aug 21 2003 10:29PM
Drew Copley (dcopley eeye com)
Re: Popular Net anonymity service back-doored Aug 21 2003 04:42PM
Andreas Kuntzagk (andreas kuntzagk mdc-berlin de) (1 replies)
RE: Popular Net anonymity service back-doored Aug 21 2003 08:16PM
Drew Copley (dcopley eeye com) (1 replies)
Re: Popular Net anonymity service back-doored Aug 21 2003 10:35PM
Richard Stevens (mail richardstevens de)
Re: Popular Net anonymity service back-doored Aug 21 2003 04:37PM
MightyE (trash mightye org)


 

Copyright 2010, SecurityFocus