Hello!

Various governments around the world - including the US and EU - want
to have backdoors in encryption technology.

Is there anything known how FOSS developers will deal with that?

Especially if they are enforced to implement backdoors.

--
kind regards
Marco

Spam und Werbung bitte an
1713948269ichwillgesperrtwerden@nirvana.admins.ws

On 4/24/2024 1:47 AM, Marco Moock wrote:
> Hello!
>
> Various governments around the world - including the US and EU - want
> to have backdoors in encryption technology.
>
> Is there anything known how FOSS developers will deal with that?
>
> Especially if they are enforced to implement backdoors.
>
>

Is there a backdoor to HMAC?

On 4/24/2024 12:34 PM, Chris M. Thomasson wrote:
> On 4/24/2024 1:47 AM, Marco Moock wrote:
>> Hello!
>>
>> Various governments around the world - including the US and EU - want
>> to have backdoors in encryption technology.
>>
>> Is there anything known how FOSS developers will deal with that?
>>
>> Especially if they are enforced to implement backdoors.
>>
>>
>
> Is there a backdoor to HMAC?

Dr. Spoooooooofs a Lot?

Chris M. Thomasson <chris.m.thomasson.1@gmail.com> wrote:
> On 4/24/2024 1:47 AM, Marco Moock wrote:
>> Hello!
>>
>> Various governments around the world - including the US and EU - want
>> to have backdoors in encryption technology.
>>
>> Is there anything known how FOSS developers will deal with that?
>>
>> Especially if they are enforced to implement backdoors.
>>
>>
>
> Is there a backdoor to HMAC?

To the "algorithm" -- likely no.

In a given implementation of said algorithm in some library code -- now that
is possible. How likely is unknown. Just note the "xz" backdoor that
made the rounds a few weeks back.

Marco Moock wrote:

> Hello!
>
> Various governments around the world - including the US and EU - want
> to have backdoors in encryption technology.
>
> Is there anything known how FOSS developers will deal with that?
>
> Especially if they are enforced to implement backdoors.
>
>

If I would be forced, which I doubt, I would comment the code
with something like this:

// backdoor begins here

backdoor code

// backdoor ends here

and put in the README how to exchange that code with proper one.

HTH

--
Regards
Stefan

Stefan Claas <pollux@tilde.club> wrote:
> Marco Moock wrote:
>
>> Hello!
>>
>> Various governments around the world - including the US and EU -
>> want to have backdoors in encryption technology.
>>
>> Is there anything known how FOSS developers will deal with that?
>>
>> Especially if they are enforced to implement backdoors.
>>
>>
>
> If I would be forced, which I doubt, I would comment the code with
> something like this:
>
> // backdoor begins here
>
> backdoor code
>
> // backdoor ends here
>
> and put in the README how to exchange that code with proper one.

Likely would not work well. Such forcing would likely also be
accompanied by a gag order preventing you from admitting the backdoor
even exists and so such comments and readme text would be a likely gag
order violation that would land you in jail.

Rich wrote:

> Stefan Claas <pollux@tilde.club> wrote:

> > If I would be forced, which I doubt, I would comment the code with
> > something like this:
> >
> > // backdoor begins here
> >
> > backdoor code
> >
> > // backdoor ends here
> >
> > and put in the README how to exchange that code with proper one.
>
> Likely would not work well. Such forcing would likely also be
> accompanied by a gag order preventing you from admitting the backdoor
> even exists and so such comments and readme text would be a likely gag
> order violation that would land you in jail.

Well, I gues this may only apply to big FOSS projects, where they can
force teams, or an individual team member, but not the millions of FOSS
programmers out there.

Another option for folks, living in West-Eurasia, might be to handle
over the correct code to people in BRICS countries and publish it there.

We should also not forget that Democrats (back then Senator Biden),
in the U.S., started the Crypto War ...

--
Regards
Stefan

Stefan Claas <pollux@tilde.club> wrote:
> Rich wrote:
>
>> Stefan Claas <pollux@tilde.club> wrote:
>
>> > If I would be forced, which I doubt, I would comment the code with
>> > something like this:
>> >
>> > // backdoor begins here
>> >
>> > backdoor code
>> >
>> > // backdoor ends here
>> >
>> > and put in the README how to exchange that code with proper one.
>>
>> Likely would not work well. Such forcing would likely also be
>> accompanied by a gag order preventing you from admitting the
>> backdoor even exists and so such comments and readme text would be a
>> likely gag order violation that would land you in jail.
>
> Well, I gues this may only apply to big FOSS projects,

Your prior post did not specify FOSS vs. closed source.

> where they can force teams, or an individual team member, but not the
> millions of FOSS programmers out there.

We might like to think there are millions of FOSS programmers, but
reality is more like this XKCD than we want to believe:

https://xkcd.com/2347/

> Another option for folks, living in West-Eurasia, might be to handle
> over the correct code to people in BRICS countries and publish it
> there.

In essence, that is what happened with PGP, and was in part what led to
the US govt. giving up on their "crypto export bans". You should be
able to find an article on the history on the web if you want details.

> We should also not forget that Democrats (back then Senator Biden),
> in the U.S., started the Crypto War ...

Yes, and worries of inserting backdoors have been around since prior to
that time. Some that ultimately turned out to appear to be unfounded
(the worry that the NSA's tweak of the DES s-boxes was a hidden
backdoor, years later it turned out the tweaks increased DES's
resistance to differential attacks). Others were more explicit
(clipper chip, which explicitily contained a "govt. backdoor").

On 4/28/2024 2:06 AM, Stefan Claas wrote:
> Rich wrote:
>
>> Stefan Claas <pollux@tilde.club> wrote:
>
>>> If I would be forced, which I doubt, I would comment the code with
>>> something like this:
>>>
>>> // backdoor begins here
>>>
>>> backdoor code
>>>
>>> // backdoor ends here
>>>
>>> and put in the README how to exchange that code with proper one.
>>
>> Likely would not work well. Such forcing would likely also be
>> accompanied by a gag order preventing you from admitting the backdoor
>> even exists and so such comments and readme text would be a likely gag
>> order violation that would land you in jail.
>
> Well, I gues this may only apply to big FOSS projects, where they can
> force teams, or an individual team member, but not the millions of FOSS
> programmers out there.
>
> Another option for folks, living in West-Eurasia, might be to handle
> over the correct code to people in BRICS countries and publish it there.
>
> We should also not forget that Democrats (back then Senator Biden),
> in the U.S., started the Crypto War ...
>

Think if an algorithm A that is published for anyone to implement. Not
raw code, but the algorithm itself. A standard, like HMAC or something.
There "might" be a backdoor in the algorithm itself, however its very,
VERY, very... hard to find. This is why I asked about HMAC having a
backdoor by default. Something that dr. spoofs a lot can take advantage
of. Rich said probably not, wrt the algorithm itself...

Chris M. Thomasson wrote:

> On 4/28/2024 2:06 AM, Stefan Claas wrote:
> > Rich wrote:
> >
> >> Stefan Claas <pollux@tilde.club> wrote:
> >
> >>> If I would be forced, which I doubt, I would comment the code with
> >>> something like this:
> >>>
> >>> // backdoor begins here
> >>>
> >>> backdoor code
> >>>
> >>> // backdoor ends here
> >>>
> >>> and put in the README how to exchange that code with proper one.
> >>
> >> Likely would not work well. Such forcing would likely also be
> >> accompanied by a gag order preventing you from admitting the backdoor
> >> even exists and so such comments and readme text would be a likely gag
> >> order violation that would land you in jail.
> >
> > Well, I gues this may only apply to big FOSS projects, where they can
> > force teams, or an individual team member, but not the millions of FOSS
> > programmers out there.
> >
> > Another option for folks, living in West-Eurasia, might be to handle
> > over the correct code to people in BRICS countries and publish it there.
> >
> > We should also not forget that Democrats (back then Senator Biden),
> > in the U.S., started the Crypto War ...
> >
>
> Think if an algorithm A that is published for anyone to implement. Not
> raw code, but the algorithm itself. A standard, like HMAC or something.
> There "might" be a backdoor in the algorithm itself, however its very,
> VERY, very... hard to find. This is why I asked about HMAC having a
> backdoor by default. Something that dr. spoofs a lot can take advantage
> of. Rich said probably not, wrt the algorithm itself...

But would a published algorithm not been more peer reviewed than later
a lot of code implementations, from various people?

--
Regards
Stefan

On 4/29/2024 10:45 AM, Stefan Claas wrote:
> Chris M. Thomasson wrote:
>
>> On 4/28/2024 2:06 AM, Stefan Claas wrote:
>>> Rich wrote:
>>>
>>>> Stefan Claas <pollux@tilde.club> wrote:
>>>
>>>>> If I would be forced, which I doubt, I would comment the code with
>>>>> something like this:
>>>>>
>>>>> // backdoor begins here
>>>>>
>>>>> backdoor code
>>>>>
>>>>> // backdoor ends here
>>>>>
>>>>> and put in the README how to exchange that code with proper one.
>>>>
>>>> Likely would not work well. Such forcing would likely also be
>>>> accompanied by a gag order preventing you from admitting the backdoor
>>>> even exists and so such comments and readme text would be a likely gag
>>>> order violation that would land you in jail.
>>>
>>> Well, I gues this may only apply to big FOSS projects, where they can
>>> force teams, or an individual team member, but not the millions of FOSS
>>> programmers out there.
>>>
>>> Another option for folks, living in West-Eurasia, might be to handle
>>> over the correct code to people in BRICS countries and publish it there.
>>>
>>> We should also not forget that Democrats (back then Senator Biden),
>>> in the U.S., started the Crypto War ...
>>>
>>
>> Think if an algorithm A that is published for anyone to implement. Not
>> raw code, but the algorithm itself. A standard, like HMAC or something.
>> There "might" be a backdoor in the algorithm itself, however its very,
>> VERY, very... hard to find. This is why I asked about HMAC having a
>> backdoor by default. Something that dr. spoofs a lot can take advantage
>> of. Rich said probably not, wrt the algorithm itself...
>
> But would a published algorithm not been more peer reviewed than later
> a lot of code implementations, from various people?
>

I hope so! I ask this question about HMAC because my experimental
encryption uses it.

http://fractallife247.com/test/hmac_cipher/ver_0_0_0_1?ct_hmac_cipher=409075759deda6c624863f74354fbf7e2acc9a01e6e9cc37c544a4c45a306137211c8f704c1b9a367dae45792768e627e4d19b3ac6a1a6116bc7a72efc6c37e05e55cce00350a31b0f1347bd1342534ba75c9b2bd7

On 4/29/2024 1:29 PM, Chris M. Thomasson wrote:
> On 4/29/2024 10:45 AM, Stefan Claas wrote:
[...]
> I hope so! I ask this question about HMAC because my experimental
> encryption uses it.
>
> http://fractallife247.com/test/hmac_cipher/ver_0_0_0_1?ct_hmac_cipher=409075759deda6c624863f74354fbf7e2acc9a01e6e9cc37c544a4c45a306137211c8f704c1b9a367dae45792768e627e4d19b3ac6a1a6116bc7a72efc6c37e05e55cce00350a31b0f1347bd1342534ba75c9b2bd7

I updated my site to use HTTPS. So, I need to alter my link code to
include https://*

sorry about that shit!

;^o

Chris M. Thomasson <chris.m.thomasson.1@gmail.com> wrote:
> On 4/29/2024 10:45 AM, Stefan Claas wrote:
>> But would a published algorithm not been more peer reviewed than
>> later a lot of code implementations, from various people?
>
> I hope so! I ask this question about HMAC because my experimental
> encryption uses it.

There your larger concern would be someone hiding a backdoor in the
python library you utilize to perform the HMAC. I.e., someone
slipping compressed and obsfucated test files into the tests directory
for the library, then modifying the python build system in a sly way to
deobsfucate and decompress the test files, yielding "backdoor code"
that is slyly inserted into the copy of the library your example on the
web loads when it does its work.

While that is tricky to keep hidden, it is by far your bigger threat
than worrying that there's a backdoor in the underlying HMAC algorithm.
The underlying algorithm (assuming it is SHA or one of the other known
ones) has likely been vetted enough that it (if followed to the letter
by a given library) does not have a probem.

But the library you use, do you carefully check just exactly what
changed when you upgrade to a new version (for whatever reason you
might upgrade to a new version)? That's the path to being backdoored,
something getting slipped into the library code you are using.

And, note, the library could be backdoored such that when you feed it
data, it produces the exact expected outputs (while also doing
something else as well). Which would mean any tests you might have
yourself to verify the library produces correct hash outputs would
pass, even though the "backdoor code" got inserted.

Rich <rich@example.invalid> writes:
> Stefan Claas <pollux@tilde.club> wrote:
>> Rich wrote:
>>> Stefan Claas <pollux@tilde.club> wrote:
>>> > If I would be forced, which I doubt, I would comment the code with
>>> > something like this:
....
>>> > // backdoor begins here
....
>>>
>>> Likely would not work well. Such forcing would likely also be
>>> accompanied by a gag order preventing you from admitting the
>>> backdoor even exists and so such comments and readme text would be a
>>> likely gag order violation that would land you in jail.
>>
>> Well, I gues this may only apply to big FOSS projects,
>
> Your prior post did not specify FOSS vs. closed source.

It was, however, a response to:

>>>>> > Is there anything known how FOSS developers will deal with that?

so there weren't many dots to join.

Phil
--
We are no longer hunters and nomads. No longer awed and frightened, as we have
gained some understanding of the world in which we live. As such, we can cast
aside childish remnants from the dawn of our civilization.
-- NotSanguine on SoylentNews, after Eugen Weber in /The Western Tradition/

Backdoors.

When people use PRIVATE ENCRYPTION BEFORE any messaging enters a public
channel.......

.......backdoors are the least of their worries!

Am 07.05.2024 18:20 Uhr schrieb Edward Teach:

> Backdoors.
>
> When people use PRIVATE ENCRYPTION BEFORE any messaging enters a
> public channel.......
>
> ......backdoors are the least of their worries!

Isn't enough. There is a time when that message is unencrypted (e.g.
when entering it to the crypto application). The operating system can
then read the cleartext. If the backdoor is in the OS, X11 etc., it
still works here.

On 5/8/2024 9:27 PM, Marco Moock wrote:
> Am 07.05.2024 18:20 Uhr schrieb Edward Teach:
>
>> Backdoors.
>>
>> When people use PRIVATE ENCRYPTION BEFORE any messaging enters a
>> public channel.......
>>
>> ......backdoors are the least of their worries!
>
> Isn't enough. There is a time when that message is unencrypted (e.g.
> when entering it to the crypto application). The operating system can
> then read the cleartext. If the backdoor is in the OS, X11 etc., it
> still works here.
>

Go to a 100% "clean room", cloaked, cannot receive and/or send anything...

Encrypt a message on a clean thumb drive. Take out the clean disk with a
single file on it. Destroy the computer... Exit the clean room. This
disk contains an encrypted file.

Is it safe?

Chris M. Thomasson wrote:

> On 5/8/2024 9:27 PM, Marco Moock wrote:
> > Am 07.05.2024 18:20 Uhr schrieb Edward Teach:
> >
> >> Backdoors.
> >>
> >> When people use PRIVATE ENCRYPTION BEFORE any messaging enters a
> >> public channel.......
> >>
> >> ......backdoors are the least of their worries!
> >
> > Isn't enough. There is a time when that message is unencrypted (e.g.
> > when entering it to the crypto application). The operating system can
> > then read the cleartext. If the backdoor is in the OS, X11 etc., it
> > still works here.
> >
>
> Go to a 100% "clean room", cloaked, cannot receive and/or send anything...
>
> Encrypt a message on a clean thumb drive. Take out the clean disk with a
> single file on it. Destroy the computer... Exit the clean room. This
> disk contains an encrypted file.
>
> Is it safe?

To expensive I would say. Better use secure pencil and paper ciphers.

BTW. You can also purchase Faraday equipment, relatively cheap and use
a second offline mini notebook with it. I purchased such things from
China[1] and the U.S.[2]

[1] <https://www.bing.com/shop?q=emf+rf+shielding+nickel+copper+fabric+from+china&FORM=SHOPPA&originIGUID=56F802844E0A485EBC37D87DA405CAC0>

[2] https://mosequipment.com/
--
Regards
Stefan

On 5/9/2024 2:33 AM, Stefan Claas wrote:
> Chris M. Thomasson wrote:
>
>> On 5/8/2024 9:27 PM, Marco Moock wrote:
>>> Am 07.05.2024 18:20 Uhr schrieb Edward Teach:
>>>
>>>> Backdoors.
>>>>
>>>> When people use PRIVATE ENCRYPTION BEFORE any messaging enters a
>>>> public channel.......
>>>>
>>>> ......backdoors are the least of their worries!
>>>
>>> Isn't enough. There is a time when that message is unencrypted (e.g.
>>> when entering it to the crypto application). The operating system can
>>> then read the cleartext. If the backdoor is in the OS, X11 etc., it
>>> still works here.
>>>
>>
>> Go to a 100% "clean room", cloaked, cannot receive and/or send anything...
>>
>> Encrypt a message on a clean thumb drive. Take out the clean disk with a
>> single file on it. Destroy the computer... Exit the clean room. This
>> disk contains an encrypted file.
>>
>> Is it safe?
>
> To expensive I would say. Better use secure pencil and paper ciphers.
>
> BTW. You can also purchase Faraday equipment, relatively cheap and use
> a second offline mini notebook with it. I purchased such things from
> China[1] and the U.S.[2]
>
> [1] <https://www.bing.com/shop?q=emf+rf+shielding+nickel+copper+fabric+from+china&FORM=SHOPPA&originIGUID=56F802844E0A485EBC37D87DA405CAC0>
>
> [2] https://mosequipment.com/

There are some interesting meta materials that can be used for a cloak:

https://youtu.be/_JpMJTJXf28

https://fractenna.com

Chris M. Thomasson <chris.m.thomasson.1@gmail.com> wrote:
> On 5/8/2024 9:27 PM, Marco Moock wrote:
>> Am 07.05.2024 18:20 Uhr schrieb Edward Teach:
>>
>>> Backdoors.
>>>
>>> When people use PRIVATE ENCRYPTION BEFORE any messaging enters a
>>> public channel.......
>>>
>>> ......backdoors are the least of their worries!
>>
>> Isn't enough. There is a time when that message is unencrypted (e.g.
>> when entering it to the crypto application). The operating system can
>> then read the cleartext. If the backdoor is in the OS, X11 etc., it
>> still works here.
>>
>
> Go to a 100% "clean room", cloaked, cannot receive and/or send anything...
>
> Encrypt a message on a clean thumb drive.

Where did you obtain the thumb drive?

Did you build it, from the ground up, or did you bring it into the
clean-room after purchase from a vendor?

If you purchased from a vendor, then how do you know said vendor did
not include a hardware backdoor on that thumb drive?

> Take out the clean disk with a
> single file on it. Destroy the computer...

How did the computer get into the clean room? How are you sure that no
hardware on the computer has a backdoor, or that no software running on
the computer has a backdoor?

> Exit the clean room. This disk contains an encrypted file.
>
> Is it safe?

The answer depends upon whether the thumbdrive and/or the computer used
in the clean room contained a hardware or software back door.

On 5/9/2024 3:15 PM, Rich wrote:
> Chris M. Thomasson <chris.m.thomasson.1@gmail.com> wrote:
>> On 5/8/2024 9:27 PM, Marco Moock wrote:
>>> Am 07.05.2024 18:20 Uhr schrieb Edward Teach:
>>>
>>>> Backdoors.
>>>>
>>>> When people use PRIVATE ENCRYPTION BEFORE any messaging enters a
>>>> public channel.......
>>>>
>>>> ......backdoors are the least of their worries!
>>>
>>> Isn't enough. There is a time when that message is unencrypted (e.g.
>>> when entering it to the crypto application). The operating system can
>>> then read the cleartext. If the backdoor is in the OS, X11 etc., it
>>> still works here.
>>>
>>
>> Go to a 100% "clean room", cloaked, cannot receive and/or send anything...
>>
>> Encrypt a message on a clean thumb drive.
>
> Where did you obtain the thumb drive?
>
> Did you build it, from the ground up, or did you bring it into the
> clean-room after purchase from a vendor?
>
> If you purchased from a vendor, then how do you know said vendor did
> not include a hardware backdoor on that thumb drive?
>
>> Take out the clean disk with a
>> single file on it. Destroy the computer...
>
> How did the computer get into the clean room? How are you sure that no
> hardware on the computer has a backdoor, or that no software running on
> the computer has a backdoor?
>
>> Exit the clean room. This disk contains an encrypted file.
>>
>> Is it safe?
>
> The answer depends upon whether the thumbdrive and/or the computer used
> in the clean room contained a hardware or software back door.

Hopefully, the thumbdrive is clean. If there even is such a thing...

;^o

On Thu, 9 May 2024 22:15:01 -0000 (UTC), Rich wrote:

> How did the computer get into the clean room? How are you sure that no
> hardware on the computer has a backdoor, or that no software running on
> the computer has a backdoor?

And even more problematic: electrons are constantly recycled, who can tell
where they've been prior to entering the room?

--
Cri-Cri

Cri-Cri wrote:

> On Thu, 9 May 2024 22:15:01 -0000 (UTC), Rich wrote:
>
>> How did the computer get into the clean room? How are you sure that
>> no hardware on the computer has a backdoor, or that no software
>> running on the computer has a backdoor?
>
> And even more problematic: electrons are constantly recycled, who can
> tell where they've been prior to entering the room?
>
You make sure to power the room with a.c., so no new electrons enter.
But better check on the copper that was used for the initial
construction.
--
*********** To reply by e-mail, make w single in address **************

Chris M. Thomasson wrote:

> On 5/9/2024 3:15 PM, Rich wrote:

> > The answer depends upon whether the thumbdrive and/or the computer used
> > in the clean room contained a hardware or software back door.
>
> Hopefully, the thumbdrive is clean. If there even is such a thing...

Why not use a 3.5 inch disk drive and 3.5 inch disks? Still available
at Amazon and I think the content written on 3.5 inch disk can be easily
examined with a disk editor. And they are loud, so you can hear the read/write
process. :-)

--
Regards
Stefan

On 10/05/2024 17:19, Stefan Claas wrote:
> Chris M. Thomasson wrote:
>
>> On 5/9/2024 3:15 PM, Rich wrote:
>
>>> The answer depends upon whether the thumbdrive and/or the computer used
>>> in the clean room contained a hardware or software back door.
>>
>> Hopefully, the thumbdrive is clean. If there even is such a thing...
>
> Why not use a 3.5 inch disk drive and 3.5 inch disks? Still available
> at Amazon and I think the content written on 3.5 inch disk can be easily
> examined with a disk editor. And they are loud, so you can hear the read/write
> process. :-)
>

Write-once CDs are also good.

Peter Fairbrother