[Noisebridge-discuss] Anti-piracy / anti-Pirate Bay law currently in Congress [drama]

Sai noisebridge at saizai.com
Tue Sep 28 20:54:17 UTC 2010


On Tue, Sep 28, 2010 at 3:39 PM, Martin Bogomolni <martinbogo at gmail.com> wrote:
> If there is something in the code you feel is a back-door, or insecure (and the
> code is open source, and freely available) I'd be interested in having
> you point it out.   It would be of help to the community.

This is something that I think Tor does really well,
compared to things like Haystack. Security through transparency -
through actively encouraging people to try to break your system and
giving them the tools to do so - basically always wins over obscurity.

(This is one of those rare cases where [zomg!] I actually agree with
Jake. He had a good interview w/ On the Media about this recently:
http://www.onthemedia.org/episodes/2010/09/17/segments/158136)

My guess though is that our new friend's suspicions are a priori,
rather than technical. Those are harder to rebut short of just saying
"well nobody's shown a serious flaw yet short of owning entry and exit
nodes, or sniffing unencrypted exit traffic, so it's probably safe".
Which is kinda the same as the safety of PGP; the open crypto
community believes that 256-bit PGP crypto is effectively unbreakable,
but we don't (and won't) know if the NSA has some crazy attack we
don't know about.

I think that's about as good as security gets, though.

Incidentally, re http://decloak.net - anyone know why HD Moore has the
second usage of the secret in the md5 hash? (md5("secret" .
$_SERVER['REMOTE_ADDR'] . $_SERVER['REMOTE_PORT'] . time() .
"secret");)

AFAICT this is pure voodoo, unless md5 is a non-perfect hash in some
way that's not clear to me.

- Sai
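The question at the end of the message (why the secret appears twice in HD Moore's md5 expression) has a standard answer that is worth seeing in code. MD5 is a Merkle-Damgard hash: a tag of the form md5(secret . data) is itself the hash's internal state after absorbing secret . data plus padding, so anyone holding the tag can continue hashing and produce a valid tag for data . padding . extension without ever learning the secret. Appending the secret a second time (md5(secret . data . secret), the "envelope" construction) defeats that, because the verifier always hashes a secret block the forger's state never covers; HMAC is the construction designed for exactly this job. The following Python is an added example written for this discussion, not code from the list post or from decloak.net. The secret, the IP:port:time string and the ":forged" extension are constructed values, and the decloak token is only assumed to be an analogous "secret + public data" tag.

```python
import hashlib
import hmac
import math
import struct

# Minimal MD5 (RFC 1321) that can resume from a known intermediate state.
# Written for this example; hashlib is used only to cross-check it.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MASK = 0xFFFFFFFF


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def _compress(state, block):
    """Run one 64-byte block through the MD5 compression function."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def _pad(total_len):
    """MD5 padding for a total_len-byte message: 0x80, zeros, 64-bit LE bit count."""
    zeros = b"\x00" * ((55 - total_len) % 64)
    return b"\x80" + zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_digest(data, state=INIT, prior_len=0):
    """MD5 of data. With state/prior_len it continues as if prior_len bytes
    (a multiple of 64, i.e. an already padded message) had been absorbed."""
    buf = data + _pad(prior_len + len(data))
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack("<4I", *state)


def self_check():
    """Cross-check the MD5 above against hashlib at block-boundary lengths."""
    samples = [b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64, b"x" * 100]
    return all(md5_digest(s) == hashlib.md5(s).digest() for s in samples)


# Three ways of binding a secret into a tag over public data.
def prefix_tag(secret, data):       # md5(secret . data): length-extendable
    return hashlib.md5(secret + data).hexdigest()


def envelope_tag(secret, data):     # md5(secret . data . secret): the decloak shape
    return hashlib.md5(secret + data + secret).hexdigest()


def hmac_tag(secret, data):         # HMAC-MD5: the standard keyed construction
    return hmac.new(secret, data, hashlib.md5).hexdigest()


def extend_prefix_tag(tag_hex, secret_len, data, ext):
    """Given md5(secret . data) and only len(secret), derive the tag of
    data . glue . ext without the secret (length extension)."""
    glue = _pad(secret_len + len(data))
    absorbed = secret_len + len(data) + len(glue)
    state = struct.unpack("<4I", bytes.fromhex(tag_hex))
    return data + glue + ext, md5_digest(ext, state=state, prior_len=absorbed).hex()


def demo():
    """Whether a verifier recomputing each tag type accepts the extended data."""
    secret = b"constructed-secret-key"            # constructed, not decloak's
    data = b"192.0.2.10:51234:1285707257"         # constructed IP:port:time string
    original = prefix_tag(secret, data)
    extended, forged = extend_prefix_tag(original, len(secret), data, b":forged")
    return (
        prefix_tag(secret, extended) == forged,    # True: prefix-only tag is extended
        envelope_tag(secret, extended) == forged,  # False: verifier hashes secret last
        hmac_tag(secret, extended) == forged,      # False: HMAC is not extendable
    )


if __name__ == "__main__":
    print("md5 self-check:", self_check())
    print("(prefix, envelope, hmac) accept extended data:", demo())
```

Running it prints `(True, False, False)`: the prefix-only tag verifies for data the secret holder never signed, while the envelope and HMAC tags do not. The second secret is therefore not voodoo but a (pre-HMAC) defence against length extension; a practitioner writing this today would use HMAC with a modern hash rather than hand-rolling either construction.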


