1997-06-22 - why we need source code (was Re: RC5 crack)

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: fabrice@math.Princeton.EDU
Message Hash: 51a1b3b85852fcbb9a9b3904a560ac7ac23077de0952354f3e0cf18b7b2ca6e0
Message ID: <199706220814.JAA06026@server.test.net>
Reply To: <19970621160629.55632@math.princeton.edu>
UTC Datetime: 1997-06-22 08:20:22 UTC
Raw Date: Sun, 22 Jun 1997 16:20:22 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sun, 22 Jun 1997 16:20:22 +0800
To: fabrice@math.Princeton.EDU
Subject: why we need source code (was Re: RC5 crack)
In-Reply-To: <19970621160629.55632@math.princeton.edu>
Message-ID: <199706220814.JAA06026@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain




Fabrice Planchon <fabrice@math.Princeton.EDU> writes:
> As Adam Back (aba@dcs.ex.ac.uk) said:
> >
> > Also, no source code.
> >
>
> there have been some discussions about that on the list, they seem
> to fear bogus data sent to the servers. Kind of makes sense, but
> they could at least release the core source without the
> communication protocol...

Yes, and it's inconvenient for a number of reasons:

- those running the rc5 crack don't sign their binaries (presumably
  because they don't use PGP, or don't know what it is or something),
  who knows what you're downloading, virus, disk formatter, whatever.
  If you had source code, you could verify it yourself at least, even
  if there is no signature.

- This problem with taking too few keys, if you had the source, and they
  can't be bothered to write instructions, or even brief usage notes,
  you could at least figure out how to use it from the source.

- Having source allows more people to verify its correctness (saving
  burning keys on subtly flawed code), spot bugs, etc.  Also allows
  others to find speedups.

- The point about stopping bogus keys being submitted, some validity,
  however.

- Another reason I suspect they won't give source is that they want to
  conceal the key from you because they have other ideas about where the
  money should go than perhaps you do.  (They want $1000 for themselves,
  and will give $8000 to Project Gutenberg (boring)).

- When I see people worrying about concealing protocols, I get this
  urge to insert a tap between the client and server, and post the
  protocol, to remove that worry for them.

Adam
-- 
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`





