Perhaps the immortality part was an exaggeration, but I was thinking about the way the Kremlin avoids admitting any health problems of its leaders. That happened in the case of Yeltsin and allegedly in the case of Putin's absence in March this year. Recently there was an interesting article about this "health PR" dating the tradition back to the USSR era, but I can't find it right now.
This is hardly unique to Russia - after all, FDR avoided being photographed from the waist down and wore special braces when standing and Kennedy had many secret health problems. I think this is more a fact of projecting an image of power in any society.
The thing is, however, that any cryptosystem can be trivially compromised by making its PRNG predictable.
This cannot be caught by observing the network traffic, and it is really hard to catch by reversing or tracing the binary, especially if the compromise is not an outright srand(0) but an algorithmic weakness. Then, even if it is found, it's virtually impossible to determine whether it was benign or deliberate. Now further consider the implications if an app uses a third-party PRNG, such as those supplied by the operating system or the hardware, or if it gets its PRNG seed data from an inherently untrusted source (such as the OS).
I mean ... the source code being open is obviously irrelevant to the security of a pre-built binary, and adherence to the open specs is not much of an assurance either, because of the PRNG angle. In practical terms it really means that you have to trust the product vendor. Period. Because there is always a way for them to screw you over and get away with it.
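As an added illustration of the point made in the comment above (example code written for this page, not from Telegram or any other product discussed here): a toy stream cipher whose only defect is a hypothetical 16-bit seed space, standing in for a generator that quietly truncates or otherwise weakens its seed. The cipher (XOR with a keystream from Python's non-cryptographic `random.Random`), the `SEED_BITS` constant, the sample message and the known plaintext prefix are all assumptions made for the demonstration. An observer with the ciphertext and a guessable header walks the whole seed space and recovers the message without touching the cipher itself.

```python
import random
import secrets
from typing import Optional, Tuple

# Hypothetical weakness for this example: the key seed has only 16 bits of entropy,
# e.g. a backdoored generator that silently truncates what it is given. Nothing
# about the cipher below matters once this is true.
SEED_BITS = 16


def keystream(seed: int, n: int) -> bytes:
    """n bytes from a deterministic, non-cryptographic PRNG seeded with `seed`."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(plaintext: bytes, seed: Optional[int] = None) -> Tuple[int, bytes]:
    """Toy stream cipher: XOR with a keystream derived from a low-entropy seed.
    Returns the seed (the sender's secret) and the ciphertext (what crosses the wire)."""
    if seed is None:
        seed = secrets.randbelow(1 << SEED_BITS)
    return seed, xor_bytes(plaintext, keystream(seed, len(plaintext)))


def recover(ciphertext: bytes, known_prefix: bytes) -> Optional[Tuple[int, bytes]]:
    """Attacker's view: only the ciphertext and a guessable plaintext prefix (a protocol
    header, say). Walk the entire seed space and stop when the prefix decrypts correctly.
    With a 64-bit prefix and 2**16 candidates a false match is vanishingly unlikely."""
    n = len(known_prefix)
    for seed in range(1 << SEED_BITS):
        if xor_bytes(ciphertext[:n], keystream(seed, n)) == known_prefix:
            return seed, xor_bytes(ciphertext, keystream(seed, len(ciphertext)))
    return None


def strong_seed() -> int:
    """What the generator should have done: 256 bits from the OS CSPRNG turns the same
    search into 2**256 trials. Whether a given binary really does this is exactly what
    cannot be verified from the wire."""
    return secrets.randbits(256)


if __name__ == "__main__":
    msg = b"MSG/1.0 meet at the usual place at noon"   # constructed sample message
    seed, ct = weak_encrypt(msg)
    got = recover(ct, known_prefix=b"MSG/1.0 ")
    print(f"sender seed={seed:#06x} recovered seed={got[0]:#06x} plaintext={got[1]!r}")
```

The search finishes in well under a second on a laptop; a 32-bit seed would take minutes, and a 40-bit one days, which is why "almost random" is the kind of flaw that is easy to plant, hard to prove deliberate, and invisible to anyone inspecting only the traffic.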
Weaknesses in random number generation are arguably easier to spot in instrumented binaries and dynamic analysis than they are with static analysis. Auditing an RNG from source involves enough mental modeling to trace random numbers and track the state of whatever generator provided them.
Telegram bashing aside, this is very wrong. It is always better to have the source code to inspect the entire package. Without the source code, there is no way to fully verify the security of a solution. For Telegram and WhatsApp, the clients and server code should be released if you want to make sure.
People can give you whatever source code they want. That doesn't mean it's the same as what's running in production. While this is tin-foil-hat paranoia, when it comes to encryption software in this post-Snowden world it is definitely more reliable to reverse-engineer the binary & network traffic than to just believe the provided source code to the encryption in a popular social app. Or compile the app from source that has been verified by trusted people. Definitely not believing that a binary blob running on your hardware is the same as the provided source.
That said, it's also good to ask for source code so later on when reverse-engineering shows something different you've now caught the offending party in a lie; which is something good to have on record to refer to later on.
> Without the source code, there is no way to fully verify the security of a solution.
So you are telling me if you had the source code you would not be able to verify the code and also use the code to fully verify the expected behavior of the binary?
> this is very wrong
No, it is quite correct. It is slightly more convenient to have the source code, but then again, it can be misleading, as you don't know if that source code actually corresponds to the binary that is actually executing.
Open-sourcing, or making the source code of an application available for inspection, is not enough if the herd just uses the pre-built binaries instead of compiling it themselves. Perhaps we can someday have free and open source software with reproducible builds[0]?
Interestingly, there are a large number of non-gmail.com addresses in there, including 123k yandex.ru addresses, plus a (very) small number of yahoo.com and hotmail.com addresses. Here's the output of "cut -d@ -f2 | sort | uniq -c | sort -nr":
The data hasn't been very well edited from whatever dump it came from. For example, there are lines that end in "gmail.com_xtube", "gmail.com7777", "gmail.com|login", etc, which are curious.
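The same tally as the `cut -d@ -f2 | sort | uniq -c | sort -nr` pipeline in the comment above, written as an added Python example for this page (not the commenter's code and not run on the real dump). The input lines are constructed to resemble the leak, including the odd trailing junk the commenter noticed, and the code also separates out lines whose domain part is not a plain hostname so that leftovers from the dump's original format are not counted as distinct providers. The `CLEAN_RE` pattern is an assumption about what a "clean" entry looks like.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample of dump lines (not the real leaked data), including the kind of
# trailing junk mentioned above.
SAMPLE = """\
alice@gmail.com
bob@gmail.com
carol@yandex.ru
dave@gmail.com_xtube
erin@gmail.com7777
frank@gmail.com|login
grace@yahoo.com
heidi@yandex.ru
ivan@gmail.com
"""

# Assumed shape of a clean "local@domain.tld" entry: only hostname characters after the
# '@' and an alphabetic TLD. Anything else is flagged rather than silently tallied.
CLEAN_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def domain_counts(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Equivalent of `cut -d@ -f2 | sort | uniq -c | sort -nr`: count the raw text after
    the last '@', most frequent first (ties broken alphabetically)."""
    counts: Counter = Counter()
    for line in lines:
        line = line.strip()
        if "@" in line:
            counts[line.rsplit("@", 1)[1]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def suspicious_lines(lines: Iterable[str]) -> List[str]:
    """Lines whose domain part is not a plain hostname: probable leftovers from the
    dump's original format (separators, extra columns) rather than real providers."""
    return [ln.strip() for ln in lines if ln.strip() and not CLEAN_RE.match(ln.strip())]


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for domain, n in domain_counts(lines):
        print(f"{n:7d} {domain}")      # same layout as `uniq -c`
    print("suspicious:", suspicious_lines(lines))
```

Run as-is the tally puts gmail.com first, and the three malformed lines show up in the suspicious list while still appearing in the raw count as their own "domains", which is the effect the raw pipeline has on a dump like this.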
Assuming the hacker did sign in to your Gmail, you might be able to get that information from the list of last logins in your Gmail account. Any IP that's outside your normal location would reveal that.
More in this link
https://support.google.com/mail/answer/45938?hl=en
Yeah, this is an account that only forwards emails, so I almost never log in. However, when I changed my password now I logged in and out a bunch of times. This made this very short list of recently logged locations only contain one line that was not from today. Hmm. Would be better if they showed 50 recent logins or something...
The webpage gave the correct first two letters of my password... but that was changed more than a year and a half ago, so this leak must be VERY old. I have been using LastPass for some time now, and when I got it I immediately changed my Google password. This is the reason I'm saying it is that old.
I bet there are some people who have other leaked account & password lists, and since the isleaked.com site is kind enough to give the first two characters of the password for any given email account, it'd probably be possible to guess the passwords for some of those accounts.
The thing is that Russia and China are not heavily spying on Germany, despite the fact that they don't even have such a close relationship as the US and Germany [before]
Despite? :) Americans can freely spy in Germany because of the close relationship. In fact, thanks to our close relationship, we hand our data over for free in many cases (SWIFT, zomg!).
Lol. Of course they are, but German people are not very smart. They're upset their allies spy on them for their own protection, but if their enemies do that it's normal and not even a reason to cool relationships!
Well, North Korea probably yes. But I haven't noticed such a tradition in Russia.