Re: LUDD/CRYPTO: Anti-luddites need to get WASTEd

From: Hal Finney (hal@finney.org)
Date: Mon Jun 09 2003 - 12:19:15 MDT


    Mike Lorrey wrote:

    > The former brain of NullSoft (owned by AOL) left over his publishing a
    > GNU'd version of his WASTE encrypted messaging and file sharing
    > application, which you can read about on /. This is a highly useful
    > tool, so those wishing to get more involved in fighting luddism, get it
    > (http://www.freedomware.org/waste/index.html) and spread those public
    > keys around. It uses RSA encryption and protects its keyring with a
    > blowfish passphrase encipherment. It has chat as well as messaging and
    > file sharing.

    First, I don't know what this has to do with the Luddites mentioned
    in the subject header.

    Second, the "former brain" in question, Justin Frankel, had (at last
    notice) *threatened* to leave, but has not actually quit, as far as
    has been publicly reported. Read the slashdot discussion closely at
    http://slashdot.org/article.pl?sid=03/06/04/169214, or Frankel's blog
    at http://www.1014.org/.

    Third, the legality of the WASTE package is under question, as AOL, which
    owns NullSoft and hence the software, claimed that Frankel planted the
    GPL license on WASTE without authorization, and that in fact the license
    is not valid and the software was released without permission.

    And fourth, although I have not inspected the crypto, some cypherpunks
    did, and the consensus was that it is not very good. This is from Eric
    Rescorla on Perry Metzger's cryptography list:

    : It's utterly baffling to me why people like this choose to design
    : their own thing rather than just using SSL. I've looked through their
    : design documents and glanced at their code; they don't provide any
    : security features that SSL doesn't, and they appear to have made a
    : number of questionable design decisions:
    :
    : (0) Their messages don't appear to have any sequence numbers, making them
    : potentially open to a wide variety of integrity attacks. They have some sort
    : of guid but unless you intend to keep a record of all guids through
    : a session (horrible) this is only a partial fix for replay and
    : not a fix at all for removal.
    : (1) They use MD5 instead of HMAC for message authentication. Scary.
    : (2) They use the same encryption keys in both directions. At least
    : they have the sense to run separate PCBC counters. However,
    : based on the code it doesn't look like they reset the PCBC
    : counters after a bad message is received so you may be able to
    : mount a reflection attack.
    : (3) They use Blowfish (why not AES?) in PCBC mode (huh?)
    :
    : I don't think it's worth much time analyzing this... Just one
    : more case of NIH.

    More negative commentary followed, and you can read the thread at:
    http://www.mail-archive.com/cryptography%40metzdowd.com/msg00048.html

    Hal
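The following is an added illustration, not code from WASTE, from Hal, or from Eric Rescorla's list: a minimal authenticated message framing that addresses points (0), (1) and (2) of the quoted critique, i.e. a per-message sequence number that lets the receiver detect replay and removal without remembering every message id, HMAC (here HMAC-SHA256) instead of a bare hash for message authentication, and separate keys per direction so a message reflected back to its sender fails verification. Encryption is left out; in a real channel the payload would be protected by an AEAD, and the key derivation here (HMAC as a stand-in for HKDF) and the shared secret are constructed assumptions for the example.

```python
import hashlib
import hmac
import struct

# Direction labels, 4 bytes each, bound into every frame and into key derivation.
DIR_A2B = b"A->B"
DIR_B2A = b"B->A"

SEQ_LEN = 8    # 64-bit big-endian sequence number
DIR_LEN = 4
TAG_LEN = 32   # HMAC-SHA256 output


def derive_keys(shared_secret: bytes) -> dict:
    """One MAC key per direction. HMAC-SHA256 is used as a simple KDF here
    (assumption for the example; a real protocol would use HKDF)."""
    return {
        d: hmac.new(shared_secret, b"mac|" + d, hashlib.sha256).digest()
        for d in (DIR_A2B, DIR_B2A)
    }


class Sender:
    """Seals payloads as seq || dir || payload || HMAC(key, seq || dir || payload)."""

    def __init__(self, mac_key: bytes, direction: bytes):
        self.mac_key = mac_key
        self.direction = direction
        self.seq = 0

    def seal(self, payload: bytes) -> bytes:
        header = struct.pack(">Q", self.seq) + self.direction
        tag = hmac.new(self.mac_key, header + payload, hashlib.sha256).digest()
        self.seq += 1
        return header + payload + tag


class Receiver:
    """Verifies frames for one direction over a reliable, ordered transport.
    Any rejection leaves the receiver state untouched, so a bad frame cannot
    desynchronise later legitimate ones."""

    def __init__(self, mac_key: bytes, direction: bytes):
        self.mac_key = mac_key
        self.direction = direction
        self.expected_seq = 0

    def open(self, frame: bytes):
        """Returns (status, payload); payload is None unless status == 'ok'."""
        if len(frame) < SEQ_LEN + DIR_LEN + TAG_LEN:
            return ("malformed", None)
        header = frame[: SEQ_LEN + DIR_LEN]
        body = frame[SEQ_LEN + DIR_LEN : -TAG_LEN]
        tag = frame[-TAG_LEN:]
        seq = struct.unpack(">Q", header[:SEQ_LEN])[0]
        direction = header[SEQ_LEN:]
        # A frame carrying the other direction's label is a reflection; it would
        # also fail the MAC below because the other direction uses a different key.
        if direction != self.direction:
            return ("reflected", None)
        expected_tag = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, tag):   # constant-time compare
            return ("bad_tag", None)
        if seq < self.expected_seq:
            return ("replay", None)                        # already seen
        if seq > self.expected_seq:
            return ("gap", None)                           # a message was removed
        self.expected_seq += 1
        return ("ok", body)


def demo():
    """Walk through replay, removal, reflection and tampering on constructed frames."""
    keys = derive_keys(b"constructed shared secret for the example")
    a_send = Sender(keys[DIR_A2B], DIR_A2B)
    b_recv = Receiver(keys[DIR_A2B], DIR_A2B)
    a_recv = Receiver(keys[DIR_B2A], DIR_B2A)   # A's receiver for B's messages

    f0, f1, f2 = (a_send.seal(m) for m in (b"hello", b"world", b"!"))
    tampered = bytearray(f0)
    tampered[SEQ_LEN + DIR_LEN] ^= 0x01          # flip one payload bit

    return [
        b_recv.open(f0)[0],               # ok
        b_recv.open(f0)[0],               # replay
        b_recv.open(f2)[0],               # gap: f1 was removed
        b_recv.open(f1)[0],               # ok
        b_recv.open(f2)[0],               # ok now that f1 arrived
        a_recv.open(f0)[0],               # reflected: A's own frame sent back to A
        b_recv.open(bytes(tampered))[0],  # bad_tag
    ]


if __name__ == "__main__":
    print(demo())
```

A production channel would close the connection on the first rejected frame rather than keep going as `demo()` does; the point of the example is that each of the failure modes in the critique is detectable by state the receiver already holds (one key per direction and one expected sequence number), without a per-session log of message ids.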



    This archive was generated by hypermail 2.1.5 : Mon Jun 09 2003 - 12:32:48 MDT