Just food for thought!

---------- Forwarded message ----------
Date: Sun, 12 Jun 1994 12:44:52 -0700
From: Eric Bear Albrecht <ebear@presto.com>
To: Dan Harmon <harmon@tenet.edu>
Subject: MacPGP 2.6

That signature block in your message seemed awfully short -- does that indicate a wimpy system? Read the following excerpt and cogitate on it:

------

Computer underground Digest    Sun  June 5, 1994    Volume 6 : Issue 49
ISSN  1004-042X

...

CONTENTS, #6.49 (June 5, 1994)

File 1--AT&T Lab Scientist Discovers Flaw in Clipper Chip
File 2--Jacking in from the SNAFU Port (Clipper Snafu update)
File 3--Jacking in from the "We Knew It All Along" Port (Clipper)
File 4--Crackdown on Italian BBSes Continues
File 5--Norwegian BBS Busts / BitPeace
File 6--BSA: Software Piracy Problem Shows no Sign of Easing
File 7--Re: "Problems at TCOE" (CuD 6.47)
File 8--Is there an MIT/NSA link-up for PGP 2.6? Some Info

...

------------------------------

Date: Mon, 30 May 1994 18:04:50 -0500 (CDT)
From: tlawless@WHALE.ST.USM.EDU(Timothy Mark Lawless)
Subject: File 8--Is there an MIT/NSA link-up for PGP 2.6? Some Info

For the past week our Unix machine has been down (might have gotten some mail bounces) because of a security violation. During that week I re-discovered BBSs. One piece of info I found (and also got the author's permission to reprint (at the end)) relevant to PGP I thought I would pass on.

─ Area: CypherMail ─────────────────────────────────────────────
  Msg#: 19                                  Date: 05-24-94  19:47
  From: Leland Ray                          Read: Yes   Replied: No
    To: All                                 Mark:
  Subj: More on PGP 2.5 & 2.6
────────────────────────────────────────────────────────────────

-----BEGIN PGP SIGNED MESSAGE-----

The following is the complete, unedited plaintext of a message I received via CompuServe from Christopher W. Geib, a software developer who spent several years as a military intelligence officer. Chris has written a very fine Windows interface for PGP which I'll be uploading as soon as I get the newest release (with Chris's permission, of course).

I trust his judgment on this one.

~~~
=====(Begin plaintext)=====

Leland,

I sent this to Mich Kabay of the NCSA Forum. Thought you might find it of interest. Note that 2.5 is also a MIT/NSA concoction.

Chris

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Mich,

As I reflected more and more on this posting, it occurred to me that I was smelling a rat. The NCSA Forum members and others who visit here should give thought to this issue. A puzzle of sorts seems to be developing regarding PGP in general, and private possession of crypto in particular. Let me provide some pieces to this puzzle, and perhaps you and others may begin to see the bigger picture that seems to be unfolding.

Piece #1: As you may already know, MIT is the single largest ($'s) outside contractor to the NSA.

Piece #2: MIT is frustrated; they feel that they have been somehow cheated financially by the proliferation of PGP 2.3a as freeware. (I still think that is insane, as RSA was developed using public funding.)

Piece #3: NSA is frustrated because of the apparent strength of the imported Idea(tm) cipher.

Piece #4: NSA is pushing the Clipper crypto technology so that Big Brother can have a free and easy backdoor to violate the privacy of Americans. Note, too, that Clipper technology was assisted along by MIT.

Piece #5: PGP 2.6 will *not* be compatible with 2.3a after Sept 1994 for 2-way encryption. This accomplishes reduced international secure traffic by private individuals and businesses. This is exactly the same problem that Clipper has.

Have you begun to see the big Puzzle Palace picture yet? Unless my eyes deceive me, I would say this: MIT and NSA have teamed up together on PGP 2.6! This version, until proven otherwise (through examination of the source code, etc.), is likely to contain a backdoor big enough to drive a Mack truck through it. The back door is likely similar to Clipper and for the same intent.

Given how much flak NSA has gotten over Clipper, NSA will very likely stay very mum about the whole issue. The big winners are NSA and MIT. They both get exactly what each has wanted all along. MIT gets royalties they think they deserve; NSA gets what they intend to have anyway, a means to continue listening in on citizens' private conversations. NSA also wins on the international front by reducing its workload of analyzing international encrypted traffic. Business and the citizens lose because it isolates the US from Europe and the international marketplace.

I strongly recommend that anyone who acquires PGP 2.6 do so with a jaundiced eye. Until the private sector can review and analyze this new MIT/NSA system, one *must* assume that it is as if it contained a virus, one you may never know it has. I for one will continue with the present version, as its inventors have no reason to capture private communications.

If you think appropriate, please upload to Internet Risks with my blessings.

Respectfully,
Christopher W. Geib

~~~
=====(End of plaintext)=====

So you decide, guys. Is it worth the risk? Again, just some thoughts, but remember this: if you go to either ver. 2.5 or 2.6, you'll probably have to revoke your ver. 2.3 keys and start afresh with new ones, which might not be secure in the first place.

LR

...

If the Pope's phones weren't secure, PGP would be a sacrament.

((Post obtaining reprint permission deleted))

...

**  The wonderful thing about standards   **
**  is that there are so many to choose from.  **

Eric Bear Albrecht   ebear@presto.com   W5VZB
Box 6040   505-758-0579   fax 505-758-5079
Taos, NM 87571