More on fortifying Lotus Notes
Ben Laurie
ben at algroup.co.uk
Mon, 07 Jun 1999 10:41:14 +0100
Nicholas Bohm wrote:
>
> At 07:08 PM 6/4/1999 +0100, Paul Crowley wrote:
> >Ian BROWN <I.Brown@cs.ucl.ac.uk> writes:
> >> Paul Crowley wrote:
> >> >Is that because Lotus has been engineered such that it's harder to
> >> >reverse-engineer or modify? Because presumably if we could find
> >> >where the NSA's public key is stored in the binary, a Lotus-Fortify
> >> >program could replace it with a randomly-generated one for which the
> >> >private key has been discarded?
> >>
> >> "Playing hide and seek with stored keys" by Adi Shamir and Nicko van
> >> Someren describes how to use the high entropy of keys compared to
> >> program instructions and data to find an embedded key...
> >>
> >> http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf
> >
> >I've finally fetched and read this paper, and it seems to be pretty
> >straightforward to implement. A few questions:
> >
> >* What legal hurdles stand in the way of (a) using a bunch of tools to
> >search the binary files that come with Notes to find the embedded
> >public key, (b) publishing the key, and (c) writing a program to find
> >the key and scramble it?
>
> Check the terms of the Notes licence. Unless the licence imposes an
> explicit contractual prohibition, neither searching a file nor modifying it
> (manually or automatically) are copyright infringements. Publishing the
> key would be a copyright infringement; but why bother?
>
> Also check that the licence does not prohibit the user from modifying the
> program or running the program as modified. Users concerned about the risk
> of invalidating their Notes licences by making its encryption secure
> against the NSA may wish to raise the matter with Lotus.
I thought that reverse engineering and modifying a program for the
benefit of the licence holder were specifically allowed, regardless of
licence?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi