More on fortifying Lotus Notes

lists@notatla.demon.co.uk lists at notatla.demon.co.uk
Sat, 5 Jun 1999 00:16:11 +0100


Paul Crowley <paul@hedonism.demon.co.uk>

> * What legal hurdles stand in the way of (a) using a bunch of tools to
> search the binary files that come with Notes to find the embedded
> public key, (b) publishing the key, and (c) writing a program to find
> the key and scramble it?

The tools are already here.

 od will show you the content

 dd if=INPUT_FILE of=df bs=1 count=3 seek=10374 conv=notrunc
 I've just written 3 'A's into a binary of 'df'.
002882: 64 20 41 76 41 41 41 61 62 6c 65 20 43 61 70 61 d AvAAAable Capa

Writing a real binary editor is not that hard either.


> * What should be done to the key once it's found?  Is it sufficient to
> replace most of it with random noise, or is it important that it be
> replaced with a real key?

Experiment ought to find that out.  It would be fairly easy for them to
have some built-in check at encryption time, but they may not have
bothered.   Not much is really worth doing in a model where someone can
make arbitrary changes to the binaries you ship.
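
Added example, not part of the original post: the in-place `dd` patch shown above, repeated on a constructed scratch file, followed by a `cmp` against a pristine copy to list exactly which byte offsets changed. The function names and the file contents are made up for the illustration.

```shell
#!/bin/sh
# Added illustration: all file contents below are constructed for the demo.

# patch_bytes FILE OFFSET STRING
# Overwrite bytes in place, as the post does; conv=notrunc keeps the file's tail.
patch_bytes() {
    printf '%s' "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# read_at FILE OFFSET LENGTH: print LENGTH bytes starting at OFFSET.
read_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# changed_offsets GOOD SUSPECT
# Print the 0-based decimal offset of every byte that differs.
# cmp -l numbers bytes from 1 and exits 1 when the files differ, which is expected.
changed_offsets() {
    { cmp -l "$1" "$2" 2>/dev/null || true; } | awk '{ print $1 - 1 }'
}

demo() {
    dir=$(mktemp -d) || return 1
    # Stand-in for a shipped binary: 10372 zero bytes, then a text string,
    # so that offset 10374 falls on the "ail" of "Available".
    { dd if=/dev/zero bs=1 count=10372 2>/dev/null
      printf 'Available Capacity'; } > "$dir/good"
    cp "$dir/good" "$dir/suspect"

    patch_bytes "$dir/suspect" 10374 AAA

    echo "patched text : $(read_at "$dir/suspect" 10372 18)"
    echo "changed bytes: $(changed_offsets "$dir/good" "$dir/suspect" | tr '\n' ' ')"
    echo "sizes        : $(wc -c < "$dir/good") / $(wc -c < "$dir/suspect")"
    rm -rf "$dir"
}

demo
```

A stored checksum of the pristine file only tells you that something changed; `cmp -l` against a reference copy tells you where.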