Learn More About The Zinc Crypto API, Which Hopes To Get Into Linux 5.0 With WireGuard


  • #11
    Originally posted by DrYak View Post

    Also:
    - One of the main targets of Zinc is to have a very small and easily readable codebase. Currently Zinc is at 4k. It's designed on purpose to be easy to review.
    Chacha20Poly1305 implementation alone is 9,5k lines of code. The whole zinc + wireguard is over 25k loc. Everyone can easily check it themselves on https://git.zx2c4.com/linux-dev/log so please don't spread lies.



    • #12
      Originally posted by Cape View Post
      I don't trust either Zinc or WireGuard.

      There is something fishy about it. Also the recent CoC thing made me even more suspicious 🤔
      There are many organisations out there which seek to compromise our systems and reduce our security and our privacy. You're probably aware of some of these negative organisations. This is probably why you get this instinct. I think it's a good instinct to have, but it may be worth asking yourself now: what can I do to reduce my suspicion and resolve the concern I have?

      Some options would be:
      • reduce the trust that is required. Learn more about this technology and maybe even check some of the code.
      • learn about the people involved with this project. Are there people working on the project and the code which you do think are trustworthy?
      • ask yourself what software and what developers you currently trust and why. Objectively compare that software to WireGuard and its developers to see if there is actually any reasonable or identifiable cause for your concern.
      • consider learning how to compile your own kernel (if you haven't already). Distributions like Arch and Gentoo are built around easily allowing this kind of activity. You then have the option of not including these WireGuard options.
      • reduce the amount of damage that this code can do if you suspect it could be nefarious. e.g. If a system doesn't need to be online, then airgap it: don't connect it to the internet. If you trust NetBSD more, then use that on a critical system instead of GNU/Linux. You could use virtual machines: i.e. your base/host OS could be very minimal, not much software installed and a lightweight kernel. The guest operating systems could be single purpose and could include more features.
      Last edited by cybertraveler; 03 October 2018, 08:36 AM.



      • #13
        Originally posted by cybertraveler View Post

        There are many organisations out there which seek to compromise our systems and reduce our security and our privacy. You're probably aware of some of these negative organisations. This is probably why you get this instinct. I think it's a good instinct to have, but it may be worth asking yourself now: what can I do to reduce my suspicion and resolve the concern I have?

        Some options would be:
        • reduce the trust that is required. Learn more about this technology and maybe even check some of the code.
        • learn about the people involved with this project. Are there people working on the project and the code which you do think are trustworthy?
        • ask yourself what software and what developers you currently trust and why. Objectively compare that software to WireGuard and its developers to see if there is actually any reasonable or identifiable cause for your concern.
        • consider learning how to compile your own kernel (if you haven't already). Distributions like Arch and Gentoo are built around easily allowing this kind of activity. You then have the option of not including these WireGuard options.
        • reduce the amount of damage that this code can do if you suspect it could be nefarious. e.g. If a system doesn't need to be online, then airgap it: don't connect it to the internet. If you trust NetBSD more, then use that on a critical system instead of GNU/Linux. You could use virtual machines: i.e. your base/host OS could be very minimal, not much software installed and a lightweight kernel. The guest operating systems could be single purpose and could include more features.
        You perfectly described what I had in my mind. I just hope I'm not alone in this one, because I'm not really a programmer... Will look more into it though.



        • #14
          Originally posted by Cape View Post

          You perfectly described what I had in my mind. I just hope I'm not alone in this one, because I'm not really a programmer... Will look more into it though.
          I've watched a fair bit of the YouTube presentation video that Michael linked. I'm a programmer and I'm security conscious. So far nothing has tingled my spidey senses! Everything this guy is saying makes sense. I'm not getting the impression he has an ulterior agenda and that everything he's saying is just excuses or the construction of a plausible narrative to explain away potentially nefarious actions.

          I've seen Open Source projects before where my spidey senses have flared up because the reasons for actions being given just don't seem to be valid or the logical course of action for achieving their stated goals. This has led me to consider that they are up to something else.

          So far, so good!



          • #15
            We've got papers and security proofs and such, if you're interested in that kind of thing: https://www.wireguard.com/papers/wireguard.pdf https://www.wireguard.com/formal-verification/

            It's always funny reading these conspiracy theory allusions though (this thread and more so others too). The thing that strikes me is how they refer to me/theproject/whatever as so distant, as such an other, as this far-removed hidden-in-a-bunker-somewhere entity, inaccessibly evaluable. But in reality, here I am, hanging out on Phoronix and stressing about PRIME render offloading on my Nvidia binary blob graphics driver, tweaking out about mesa bugs, running a gazillion benchmarks for random things... the same as everyone else here pretty much. So, well, hi 👋 -- I'm a person too.

            (Also, I mail stickers for free if anybody wants some.)



            • #16
              Originally posted by zx2c4 View Post

              (Also, I mail stickers for free if anybody wants some.)
              Don't fall for it guys! He's using the stickers as a way to get your address so you can be added to... the list!

              jk



              • #17
                Originally posted by zx2c4 View Post
                We've got papers and security proofs and such, if you're interested in that kind of thing: https://www.wireguard.com/papers/wireguard.pdf https://www.wireguard.com/formal-verification/

                It's always funny reading these conspiracy theory allusions though (this thread and more so others too). The thing that strikes me is how they refer to me/theproject/whatever as so distant, as such an other, as this far-removed hidden-in-a-bunker-somewhere entity, inaccessibly evaluable. But in reality, here I am, hanging out on Phoronix and stressing about PRIME render offloading on my Nvidia binary blob graphics driver, tweaking out about mesa bugs, running a gazillion benchmarks for random things... the same as everyone else here pretty much. So, well, hi 👋 -- I'm a person too.

                (Also, I mail stickers for free if anybody wants some.)
                Was that you in the video giving the presentation? I watched the whole thing: it was very interesting. I like your (I'm assuming) calm voice. You sound a little bit like Edward Snowden. I'm guessing you're from the same part of the US.

                Don't take the concern personally. People are understandably worried about infiltration in this day and age.



                • #18
                  The Zinc author is making a good impression in this talk but he is taking a very hostile approach against other people in the coding community who make open-source implementations based off his work. His actions and non-professional behavior and personal attacks on the official WireGuard mailing-list against a guy that made a Windows C++ user-space implementation of the WireGuard protocol are a good example. It really turned me off.



                  • #19
                    Originally posted by fontana_73 View Post
                    The Zinc author is making a good impression in this talk but he is taking a very hostile approach against other people in the coding community who make open-source implementations based off his work. His actions and non-professional behavior and personal attacks on the official WireGuard mailing-list against a guy that made a Windows C++ user-space implementation of the WireGuard protocol are a good example. It really turned me off.
                    *Insert code of conduct rant for the rest of the thread because feelings*



                    • #20
                      I just generally don't trust people who claim to be in the security industry but act on feelings and not facts. The same day the Windows client, TunSafe, was released he banned the author from the #wireguard IRC channel. Some days later he posted in the mailing-list that he has reverse-engineered the client and found security issues. Instead of informing the community or the TunSafe author with facts about the security issues so they can be fixed, he's put up warnings on the WireGuard homepage and other places where people discuss TunSafe. When people ask for information about what the security issues are he refuses to answer and demands that they stop asking.

                      The least I expect from someone in the security industry is that they provide information to the creator of a software if they find security holes. The Zinc author publicly refuses to do this. It's not my personal feeling.

                      The Windows client author is not an unknown. It's the same guy who coded uTorrent and the Spotify core.


