Fabio just discovered that Silent Phone derives device IDs by hashing the device IMEI with MD5...
WOW

NK

On Wed, Feb 13, 2013 at 11:51 PM, Nadim Kobeissi <na...@nadim.cc> wrote:
> So to recap:
> It hasn't been a few hours since Silent Circle released *some* of their
> source code, and we already know that:
>
> 1. Silent Circle isn't built to be a secure communications
> platform, but is simply a rebranding of TiviPhone, a Latvian-made VoIP
> software, with added encryption libraries,
> 2. The encryption libraries are themselves not developed by Silent
> Circle, but are third party libraries,
> 3. The third party libraries are in some cases outdated, even in the
> face of security advisories,
> 4. There's a good possibility of a buffer overflow being there
> somewhere, with over 40 uses of snprintf().
>
> I know what I'm doing this weekend! :D
>
> NK
>
> On Wed, Feb 13, 2013 at 11:33 PM, Nathan of Guardian <nat...@guardianproject.info> wrote:
>> Fabio Pietrosanti (naif):
>> > Here some notes i collected with a quick review of the source code:
>>
>> I can see the headlines now...
>>
>> "Cryptography super-group more like a cover band"
>> "Cryptography Boy Band covers Latvian super-group"
>> "Cryptography super-group? More like Milli Vanilli!"
>>
>> or perhaps simply:
>> "SilentCircle's premiere product was outsourced, and based on
>> out-of-date security libraries with known bugs"
>>
>> Finally, just to be clear, I have nothing against re-using code,
>> especially open-source projects that are complementary. This is exactly
>> what we have done for our work on OSTN/OStel.
>>
>> I do have a problem with people representing software they license from
>> someone else as their own brilliant, weaved-by-the-gods invention.
>>
>> +n
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
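The point behind the first line of this message, that Silent Phone's device ID is MD5(IMEI), is worth seeing in code: the weakness has nothing to do with MD5 collisions and everything to do with the size of the input space. An IMEI is 15 decimal digits, an 8-digit TAC (a per-model prefix that is public in TAC databases) plus a 6-digit serial plus a Luhn check digit, so behind any one TAC there are only 10^6 candidate IMEIs and the "anonymous" ID can be inverted by enumeration. The following is an added example, not code from Silent Phone, TiviPhone, or anyone in this thread; it assumes the ID is the hex MD5 of the 15-digit IMEI string (the exact encoding is not stated above), the TAC value 49015420 is constructed for the demo, and the keyed and random alternatives at the end are the editor's suggestions, not anything the thread attributes to Silent Circle.

```python
"""Why MD5(IMEI) is not an anonymous device ID: the input space is tiny.

Added example (not Silent Circle's code). Assumptions: the ID is the hex
MD5 of the 15-digit decimal IMEI string; the IMEI is TAC (8 digits) +
serial (6 digits) + Luhn check digit; the attacker knows or guesses the
TAC. The TAC 49015420 used below is constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def luhn_check_digit(body14: str) -> str:
    """Return the Luhn check digit for the 14-digit IMEI body (TAC + serial)."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the left is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def device_id_md5(imei: str) -> str:
    """The weak scheme under discussion: unsalted MD5 of the IMEI string."""
    return hashlib.md5(imei.encode("ascii")).hexdigest()


def recover_imei(target_id: str, tac: str,
                 serials: Iterable[int] = range(1_000_000)) -> Optional[str]:
    """Invert device_id_md5 by enumerating the serial space behind one TAC.

    Only 10**6 candidates exist per TAC (the check digit is derived, not
    free), so a full sweep is seconds of work, and a precomputed table over
    all allocated TACs turns it into a lookup. Returns None if no serial in
    `serials` produces target_id.
    """
    for sn in serials:
        body = f"{tac}{sn:06d}"
        imei = body + luhn_check_digit(body)
        if device_id_md5(imei) == target_id:
            return imei
    return None


def device_id_keyed(imei: str, server_secret: bytes) -> str:
    """Keyed alternative (editor's suggestion): HMAC-SHA256 under a secret the
    attacker does not hold. Offline enumeration of the IMEI space no longer
    works without server_secret, but whoever holds the key can still link IDs
    back to IMEIs, so this is only a partial fix."""
    return hmac.new(server_secret, imei.encode("ascii"), hashlib.sha256).hexdigest()


def device_id_random() -> str:
    """Preferred when the ID only needs to be stable, not derived: a random
    128-bit value generated once at install time and stored on the device."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed sample: TAC 49015420 with serial 323751 (check digit 8).
    tac = "49015420"
    victim_imei = tac + "323751" + luhn_check_digit(tac + "323751")
    leaked_id = device_id_md5(victim_imei)
    print("leaked device id:", leaked_id)
    # Full sweep of the 10**6 serials behind this TAC; takes seconds.
    print("recovered IMEI :", recover_imei(leaked_id, tac))
    print("keyed id       :", device_id_keyed(victim_imei, secrets.token_bytes(32)))
    print("random id      :", device_id_random())
```

Run stand-alone it recovers the IMEI from the leaked ID by sweeping every serial behind the TAC; the same loop over a list of allocated TACs, or a precomputed ID-to-IMEI table, is all an observer of the IDs needs.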