David M. Putzolu
dputzolu at ideal.jf.intel.com
Thu Oct 9 08:59:46 EDT 1997
"dan carter" <daniel.carter at stonebow.otago.ac.nz> wrote:
> However the number of people who find assembler hacking a trivial task
> is a far far smaller number, than the number of people who find making
> a change in C code trivial.
> Thus not releasing source code, greatly reduces the number of people
> able to spam the servers.
Hear hear! Look people, please TRUST the Bovine people and
accept their opaque binaries. All of you people out there
can't be trusted with the source. Let's ignore the fact that
a motivated person can ignore their security measures and use
assembly to get around them.
Is it just me, or does this sound a little like the gov't WRT
some encryption issues? Beyond that, all the Bovine team is
doing in not releasing source is practicing "security
through obscurity" - the protocol used to talk to the servers
is slightly obscured (by being implemented only in assembly.)
Anybody who knows anything about security knows that security
through obscurity (particularly such weak obscurity) is quite naive.
If you are serious about dealing with adversarial key-crackers,
you will need to implement a redundancy scheme that has every
key tested by at least two different people (or more, depending
on what fraction of the key-testing population you believe is
The worst thing is that a single adversary could do quite a bit
of damage, because the adversary can just skip the whole block
and report back immediately, whereas the honest key checker has
to spend a long time looking at each block.
>Darrell... who's somewhat tempted to actually do so, just to
>prove his point..
I'm also tempted to reverse engineer the server communication
protocol. And of course, I wouldn't keep any secrets and would
publish the protocol, which would promptly blow away this
foolish security-through-obscurity scheme. My motivation to
do this is to be able to write a Java client and prove that
the hacker-mentality focus on native code is foolish.
Highlighting the fact that the Bovine security scheme is a joke
would merely be an added bonus.
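The redundancy scheme the post argues for, run against the skip-and-report adversary it describes, as an added simulation that is not part of the original message or of the distributed.net client; the coordinator logic, the per-key work digest and the client names are assumptions:

```python
import hashlib
import itertools
from collections import Counter
BLOCK_SIZE = 256  # constructed toy block size; real work units are far larger

def test_block(block_id, target_hash):
    """Honest client: tries every key, returns (matching key or None, digest).
    The digest folds in every key's result, so skipped keys can't reproduce it."""
    h, found = hashlib.sha256(), None
    for key in range(block_id * BLOCK_SIZE, (block_id + 1) * BLOCK_SIZE):
        candidate = hashlib.sha256(key.to_bytes(8, "big")).digest()
        h.update(candidate)
        if candidate == target_hash:
            found = key
    return found, h.hexdigest()

def skip_block(block_id, target_hash):
    """The post's adversary: reports 'nothing found' at once, doing no work."""
    return None, "0" * 64

def run_coordinator(clients, n_blocks):
    """Assumed coordinator: each block goes to two distinct clients; on a digest
    mismatch a third votes, the majority is accepted, the outvoted is suspect."""
    names = list(clients)
    pairs = itertools.cycle(itertools.combinations(names, 2))
    accepted, suspects = {}, Counter()
    for block in range(n_blocks):
        a, b = next(pairs)
        reports = {n: clients[n](block) for n in (a, b)}
        if reports[a][1] == reports[b][1]:
            accepted[block] = reports[a]
            continue
        c = next(n for n in names if n not in (a, b))
        reports[c] = clients[c](block)
        digest, votes = Counter(r[1] for r in reports.values()).most_common(1)[0]
        if votes < 2:
            continue  # three-way disagreement: leave the block for re-issue
        for n, (_, d) in reports.items():
            if d != digest:
                suspects[n] += 1
        accepted[block] = next(r for r in reports.values() if r[1] == digest)
    return accepted, suspects

def demo():
    """Constructed scenario: three honest clients, one skipper, six blocks; key 300 is in block 1."""
    target = hashlib.sha256((300).to_bytes(8, "big")).digest()
    honest = lambda block: test_block(block, target)
    clients = {"alice": honest, "bob": honest, "carol": honest,
               "mallory": lambda block: skip_block(block, target)}
    return run_coordinator(clients, 6)
```

Two skippers returning the same canned digest would still agree with each other, which is why the digest must depend on every key's result and why a pair is only a floor, as the post says ("or more").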