Re: a hole in PGP
At 6:53 PM 7/31/95, Dr. Fred said:
Why (specifically) do you think the MIT version of PGP has no backdoors and is not subject to attacks such as the one outlined in my previous posting?
<Metzger_mode("on")>
I've been watching this gark long enough, I think.
Look. If you're qualified, look at the PGP source and vet it yourself. If you aren't qualified, figure the market to be efficient in this instance and assume the stuff works.
Stop wasting our time and bandwidth harassing the MIT folk about whether or not their code is clean. Such posturing won't wash around here.
<Metzger_mode("off")>
Seriously, it may be an appeal to authority, but it can safely be assumed that PGP is clean, and that MIT is *not* involved with the NSA and the Red Leptons in a conspiracy to spy on our alt.binaries.pictures.erotica.stoats postings.
Cheers,
Bob Hettinga
-----------------
Robert Hettinga (rah@shipwright.com)
Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923
"Reality is not optional." --Thomas Sowell
Phree Phil: Email: zldf@clark.net http://www.netresponse.com/zldf
At 6:53 PM 7/31/95, Dr. Fred said:
Why (specifically) do you think the MIT version of PGP has no backdoors and is not subject to attacks such as the one outlined in my previous posting?
<Metzger_mode("on")>
I've been watching this gark long enough, I think.
Look. If you're qualified, look at the PGP source and vet it yourself. If you aren't qualified, figure the market to be efficient in this instance and assume the stuff works.
One of the several points I tried (apparently unsuccessfully) to make is that with a program that large, it is impractical to verify that there are no subtle back doors - regardless of how knowledgeable or skilled you or I may be. Your "assumption of security" perspective is an inappropriate one unless you are trying to get people to use something that is not secure.
Stop wasting our time and bandwidth harassing the MIT folk about whether or not their code is clean. Such posturing won't wash around here.
The headers on the postings allow you to ignore them, but in the meanwhile, the subject matter is in line with this forum, and the questions are legitimate. You will have to do better than to appeal to authority to convince anyone that MIT's version of PGP is secure.
<Metzger_mode("off")>
Seriously, it may be an appeal to authority, but it can safely be assumed that PGP is clean, and that MIT is *not* involved with the NSA and the Red Leptons in a conspiracy to spy on our alt.binaries.pictures.erotica.stoats postings.
Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the only information protected by PGP is dirty pictures? Do you somehow think that MIT and the NSA are above that sort of thing? All you have to do is look at history, and it should be clear that this appeal to authority is often used by those trying to cover things up. If you know something about PGP's security that you aren't telling us, don't beat around the bush about it. Come out and say it. Tell us that you have proven that PGP has no backdoors and what method you used to do that. Tell us that you have hand verified all the code and that none of it overwrites the key generation process and tell us how you verified it. It cannot be safely assumed that any program is clean or that any one person or group is not involved with intentionally subverting security. That violates the fundamental principles of information protection.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
On Mon, 31 Jul 1995, Dr. Frederick B. Cohen wrote:
Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the
Of course MIT was in the NSA's pocket back in 1978 when they mailed me and 3,000 other people a copy of "A Proposal for a Public Key Encryption System" and started this whole Public Key-Private Key thing. It was all part of a plot. If they hadn't done that we might all be using stronger systems today. DCF
On Tue, 1 Aug 1995, Duncan Frissell wrote:
On Mon, 31 Jul 1995, Dr. Frederick B. Cohen wrote:
Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the
Of course MIT was in the NSA's pocket back in 1978 when they mailed me and 3,000 other people a copy of "A Proposal for a Public Key Encryption System" and started this whole Public Key-Private Key thing. It was all part of a plot. If they hadn't done that we might all be using stronger systems today.
Sounds like another LD tentacle to me ;)
--
Ed Carp, N7EKG Ed.Carp@linux.org, ecarp@netcom.com
801/534-8857 voicemail 801/460-1883 digital pager
Finger ecarp@netcom.com for PGP 2.5 public key
an88744@anon.penet.fi
Q. What's the trouble with writing an MS-DOS program to emulate Clinton?
A. Figuring out what to do with the other 639K of memory.
On Tue, 1 Aug 1995, Duncan Frissell wrote:
On Mon, 31 Jul 1995, Dr. Frederick B. Cohen wrote:
Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the
Of course MIT was in the NSA's pocket back in 1978 when they mailed me and 3,000 other people a copy of "A Proposal for a Public Key Encryption System" and started this whole Public Key-Private Key thing. It was all part of a plot. If they hadn't done that we might all be using stronger systems today.
You forgot the NSA's most recent overt act in the PGP conspiracy: it gets PGP declared a munition, harassing PZ, gets lots of bad press, etc., all in order to make Cypherpunks believe that there is no back door, when there really is! Shhhhhhhhh. Don't let on that you know. Just go back to Rot-13 encoding.
DCF
EBD
Date: Wed, 2 Aug 1995 02:09:25 -0400 (EDT)
From: Brian Davis <bdavis@thepoint.net>
You forgot the NSA's most recent overt act in the PGP conspiracy: it gets PGP declared a munition, harassing PZ, gets lots of bad press, etc., all in order to make Cypherpunks believe that there is no back door, when there really is! Shhhhhhhhh. Don't let on that you know. Just go back to Rot-13 encoding.
You forgot to mention that although PGP is "provably" secure, the NSA engine for breaking it is a quantum computer built with "borrowed" extraterrestrial technology.
DCF
EBD P.S.: The Truth Is Out There.
...
Look. If you're qualified, look at the PGP source and vet it yourself. If you aren't qualified, figure the market to be efficient in this instance and assume the stuff works.
One of the several points I tried (apparently unsuccessfully) to make is that with a program that large, it is impractical to verify that there are no subtle back doors - regardless of how knowledgeable or skilled you or I may be. Your "assumption of security" perspective is an inappropriate one unless you are trying to get people to use something that is not secure.
It's true that, in general, the "burden" of demonstrating whether a system is secure should fall primarily on those who claim it is rather than on those who claim it isn't. It's also true that PGP, for whatever reason, is treated with a degree of reverence that is, perhaps, unwarranted. I, for one, would be much happier to see greater vetting of widely-used programs like PGP. But that does not mean that one can expect to be taken seriously by simply throwing darts and seeing where they land. That would mean that essentially no hardware, software, algorithm or protocol could ever be considered trustworthy by anyone for any purpose. There is a difference between raising specific concerns and making vague, wild, unsupported claims, which is how what you wrote below reads to me.
Stop wasting our time and bandwidth harassing the MIT folk about whether or not their code is clean. Such posturing won't wash around here.
The headers on the postings allow you to ignore them, but in the meanwhile, the subject matter is in line with this forum, and the questions are legitimate. You will have to do better than to appeal to authority to convince anyone that MIT's version of PGP is secure.
<Metzger_mode("off")>
Seriously, it may be an appeal to authority, but it can safely be assumed that PGP is clean, and that MIT is *not* involved with the NSA and the Red Leptons in a conspiracy to spy on our alt.binaries.pictures.erotica.stoats postings.
Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the only information protected by PGP is dirty pictures? Do you somehow think that MIT and the NSA are above that sort of thing? All you have to do is look at history, and it should be clear that this appeal to authority is often used by those trying to cover things up. If you know something about PGP's security that you aren't telling us, don't beat around the bush about it. Come out and say it. Tell us that you have proven that PGP has no backdoors and what method you used to do that. Tell us that you have hand verified all the code and that none of it overwrites the key generation process and tell us how you verified it.
No one knows how to "prove" anything substantial, much less the absence of backdoors, for anything but the most trivial software and algorithms.
It cannot be safely assumed that any program is clean or that any one person or group is not involved with intentionally subverting security. That violates the fundamental principles of information protection.
Your attempt to cast a near-defamatory shadow of suspicion over the individuals and institutions who wrote the software, without raising even a single specific concern about something you've observed about the code, invites more questions about your own motives than those of MIT or its staff. It seems reasonable to ask you to put up or shut up.
-matt
Disclaimer: I also give away cryptographic source code, in connection with my job as a research scientist for a company that has even closer ties to the spook community than you seem to think MIT has...
...
It's true that, in general, the "burden" of demonstrating whether a system is secure should fall primarily on those who claim it is rather than on those who claim it isn't. It's also true that PGP, for whatever reason, is treated with a degree of reverence that is, perhaps, unwarranted. I, for one, would be much happier to see greater vetting of widely-used programs like PGP.
Excellent assessment - I wholly agree with it.
But that does not mean that one can expect to be taken seriously by simply throwing darts and seeing where they land. That would mean that essentially no hardware, software, algorithm or protocol could ever be considered trustworthy by anyone for any purpose. There is a difference between raising specific concerns and making vague, wild, unsupported claims, which is how what you wrote below reads to me.
A reasonable response. My question is: Why do you think that the key generation algorithm used by PGP is secure? Specifically, how do we know there is no subtle back door that reduces the problem of testing the typical key space to a solvable problem in today's technology? I don't believe I made ANY "vague, wild, unsupported claims"; however, that is certainly a matter of opinion. ...
Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the only information protected by PGP is dirty pictures? Do you somehow think that MIT and the NSA are above that sort of thing? All you have to do is look at history, and it should be clear that this appeal to authority is often used by those trying to cover things up. If you know something about PGP's security that you aren't telling us, don't beat around the bush about it. Come out and say it. Tell us that you have proven that PGP has no backdoors and what method you used to do that. Tell us that you have hand verified all the code and that none of it overwrites the key generation process and tell us how you verified it.
No one knows how to "prove" anything substantial, much less the absence of backdoors, for anything but the most trivial software and algorithms.
Excellent - have you looked at the white paper describing the secure "get-only" W3 server available under What's New at http://all.net? I think that this is a step in the right direction toward demonstrating more about a program than that it runs most of the time and seems to give reasonable answers. Perhaps someone would like to make similar demonstrations for PGP.
It cannot be safely assumed that any program is clean or that any one person or group is not involved with intentionally subverting security. That violates the fundamental principles of information protection.
Your attempt to cast a near-defamatory shadow of suspicion over the individuals and institutions who wrote the software, without raising even a single specific concern about something you've observed about the code, invites more questions about your own motives than those of MIT or its staff. It seems reasonable to ask you to put up or shut up.
Under what analysis do you construe "It cannot be safely assumed" as "near-defamatory"? I don't know you any more than you know me. We are both just mail sources on the Internet. Why do you consider it reasonable to assume that we should all trust statements made by people we do not know and have not met based on their assertion that they think a cryptosystem is safe and free of back doors? If I add a PGP signature, does it make me any more trustworthy?
Disclaimer: I also give away cryptographic source code, in connection with my job as a research scientist for a company that has even closer ties to the spook community than you seem to think MIT has...
And I should trust you to tell me that PGP is safe for me to use?
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
On Mon, 31 Jul 1995, Dr. Frederick B. Cohen wrote:
A reasonable response. My question is: Why do you think that the key generation algorithm used by PGP is secure? Specifically, how do we know there is no subtle back door that reduces the problem of testing the typical key space to a solvable problem in today's technology?
Well I told you that I verified the results of the key generation in PGP by testing the primality of p and q and the validity of the key by testing ed = 1 mod (p-1)(q-1). That bit works, period. You seem to be in some doubt about the random starting point for the prime searching. Entropy for the random number generator is collected from the user's keystrokes and is mixed into the random pool. PGP is very careful about how much entropy it attaches to one keystroke and makes sure that the user is prompted to press more keys if it thinks it has not got enough. The random pool is itself stirred periodically by using MD5 to "encrypt" it. This encryption is made strictly one way by using the first 64 bytes of the pool as the key, these 64 bytes are destroyed after use. Now, amongst other times the pool is stirred both before and after use. So, recovering any given state of the pool (i.e. finding the random starting point for a prime search) has to be equivalent to reversing the MD5 transform. There is no known way to do this.
- Andy
Andrew Brown   Internet <asb@nexor.co.uk>   Telephone +44 115 952 0585
PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A C0 1F 9F 66 64 02 4C 88
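The checks Andy describes, written out as an added example (this is not PGP's code or Andy's): Miller-Rabin primality for p and q, e·d = 1 mod (p-1)(q-1), and an encrypt/decrypt round trip, run on constructed six-digit primes and a constructed message (assumed sample values, not a real key). It also shows which of the checks a tampered private exponent fails while p and q still look fine.

```python
"""Consistency checks a reader can run on an RSA key pair (p, q, e, d)."""
import random
from math import gcd
from typing import Dict, Optional

# Constructed sample values (not a real PGP key): two six-digit primes and the
# usual public exponent. Real keys use far larger p and q; the checks are identical.
SAMPLE_P = 1000003
SAMPLE_Q = 999983
SAMPLE_E = 65537
SAMPLE_MESSAGE = 123456789  # constructed plaintext, must be smaller than n = p*q


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test, after trial division by small primes.

    A composite n survives one random round with probability at most 1/4,
    so 40 rounds leave a negligible chance of accepting a composite.
    """
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    # Write n - 1 = 2**s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witnesses that n is composite
    return True


def derive_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1); raises ValueError if e is not invertible."""
    return pow(e, -1, (p - 1) * (q - 1))


def check_rsa_key(p: int, q: int, e: int, d: int, n: Optional[int] = None) -> Dict[str, bool]:
    """Run the named checks and return {check_name: passed}.

    Every check is computable from the key material alone, which is the point:
    the reader does not have to trust the generator to confirm that the key it
    emitted is a well-formed RSA key.
    """
    phi = (p - 1) * (q - 1)
    modulus = p * q if n is None else n
    results = {
        "p_prime": is_probable_prime(p),
        "q_prime": is_probable_prime(q),
        "p_ne_q": p != q,
        "n_is_pq": modulus == p * q,
        "e_coprime_phi": gcd(e, phi) == 1,
        "ed_is_1_mod_phi": (e * d) % phi == 1,
    }
    # End to end: a value encrypted with (e, n) must decrypt with (d, n).
    m = SAMPLE_MESSAGE % modulus
    results["roundtrip"] = pow(pow(m, e, modulus), d, modulus) == m
    return results


def main() -> None:
    d = derive_private_exponent(SAMPLE_P, SAMPLE_Q, SAMPLE_E)
    for name, ok in check_rsa_key(SAMPLE_P, SAMPLE_Q, SAMPLE_E, d).items():
        print(f"{name:16s} {'ok' if ok else 'FAIL'}")
    # A private exponent that does not match the modulus fails the ed check and
    # the round trip even though p and q are still prime: the key "looks" fine
    # until the arithmetic is actually checked.
    bad = check_rsa_key(SAMPLE_P, SAMPLE_Q, SAMPLE_E, d + 1)
    print("tampered d fails:", [k for k, v in bad.items() if not v])


if __name__ == "__main__":
    main()
```

Note that these checks confirm only that the emitted key is a valid RSA key; they say nothing about how the starting point for the prime search was chosen, which is the part of Andy's description that rests on the entropy pool.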
A reasonable response. My question is: Why do you think that the key generation algorithm used by PGP is secure? Specifically, how do we know there is no subtle back door that reduces the problem of testing the typical key space to a solvable problem in today's technology?
I never said that I thought that PGP (or anything else) is "secure." But to the extent that I do trust it for any given purpose, it is for approximately the same reasons that I trust lots of other things that I rely on. I've spot checked some of the code - far from an exhaustive analysis - and I've yet to discover anything myself that points to any specific weakness. I assume that others have done the same, and I also assume that someone like me who did discover a weakness would be likely, as I would be, to publish it and that therefore I'd hear about it. This is, for better or for worse, about as much as can be said for almost anything in the cryptographic world. Far from perfect, to be sure, but hardly unusual or unique to PGP. ...
Under what analysis do you construe "It cannot be safely assumed" as "near-defamatory"?
Because you seem to be pointing a finger at specific people. Your recent messages imply (to me, at least) that you think one or more members of the MIT PGP project may have deliberately tampered with some of the PGP code. You think the risk of this sort of thing having occurred is especially great - greater than with other products, in fact - with MIT PGP because of some (unspecified) connection you believe MIT has with NSA. (If I am mistaken here and you don't think MIT PGP is at special risk, please clarify this - I suspect others got the same impression). PGP did not come from "MIT". It came from specific individuals who work there and who are named in the code and documentation. They have professional and personal reputations and feelings just like we all do. Some of these individuals are on or close to this list. To imply, without offering evidence, that these people are somehow tainted and that their work should be especially mistrusted is harmful and hurtful to them. To use such implications as the entire basis for claims about the security of or risks associated with specific software does not move our understanding of things forward. Pointing out something specific, on the other hand, would move things forward. I think your "arguments" about this subject so far have been vague, unscholarly, unprofessional, needlessly personal, and just plain insulting. -matt
Under what analysis do you construe "It cannot be safely assumed" as "near-defamatory"?
Because you seem to be pointing a finger at specific people. Your recent messages imply (to me, at least) that you think one or more members of the MIT PGP project may have deliberately tampered with some of the PGP code.
I don't believe I actually said any such thing. Perhaps you are not reading (or I am not writing) carefully enough. All I think I did was ask why I should believe they have not when they or those like them have done it before.
You think the risk of this sort of thing having occurred is especially great - greater than with other products, in fact - with MIT PGP because of some (unspecified) connection you believe MIT has with NSA. (If I am mistaken here and you don't think MIT PGP is at special risk, please clarify this - I suspect others got the same impression).
PGP is a product that is specifically disliked by the powers that be because it provides free access to strong cryptography which is against the public policy of the US government. That means that people in that same said government likely feel it is their duty to make certain that they can still read PGP mail.
PGP did not come from "MIT". It came from specific individuals who work there and who are named in the code and documentation. They have professional and personal reputations and feelings just like we all do. Some of these individuals are on or close to this list. To imply, without offering evidence, that these people are somehow tainted and that their work should be especially mistrusted is harmful and hurtful to them.
I didn't mean to be hurtful, but I did and do mean to ask why we should believe that PGP is secure. Their blind faith is not adequate for the level of trust being put in PGP - even if they are really sincere. In terms of implication, I don't believe I implied any such thing. I only asked why we should trust them with our individual freedom.
To use such implications as the entire basis for claims about the security of or risks associated with specific software does not move our understanding of things forward. Pointing out something specific, on the other hand, would move things forward. I think your "arguments" about this subject so far have been vague, unscholarly, unprofessional, needlessly personal, and just plain insulting.
I obviously disagree, but I still haven't heard a single response along the lines of "here's why we believe it is secure..." I have heard lots of responses along the lines of "believe us or convince yourself..." and "read a 'Request for Comments' and that explains it all", but those leads have not panned out - so far, the RFC tells us that PGP is not secure and the convince yourself argument holds no water. The fact is, you seem to support the idea that PGP is secure without a reasonable basis, and when pushed a bit harder, agree that it probably is not secure. How is it "unscholarly, unprofessional, needlessly personal, and just plain insulting" to question the idea that hundreds of thousands of people are trusting their freedom to software that is probably not secure? I think it is highly unprofessional to try to claim that PGP is secure and to try to bolster that position by claiming that some "Request for Comments" supports it when that same said RFC refutes it. It has been my general impression that "scholarly" means, among other things, questioning the status quo and finding out where the generally accepted ideas break down. I am a professional in the field of information protection, and I consider it highly unprofessional in this field to assume that systems are secure without ample evidence to support it. So far, I see no ample evidence to support the security of PGP's key generation algorithm relative to the concerns I have expressed. Those concerns are fairly specific as far as I am concerned, but if you feel I have to demonstrate a specific attack that works in order to question the adequacy of protection, I think you have it backwards. If the people at MIT feel personally insulted because I have questioned their previously accepted ideas, it's just too bad. I didn't say they had bad breath or that they were arrogant or that they were ugly, all I said was that their professional opinions seem to lack adequate foundation when subjected to scrutiny.
This is professional comment, not a personal one. As far as the potential that they are working with the NSA to subvert personal privacy, it is a potential, just as it is a potential that I am working with the NSA to undermine confidence in PGP. The issue is and should be, why (specifically) do you believe that PGP is secure. This is how professionals deal with these sorts of questions: If you do not believe it is secure, you should say why not. In my case, I question its security and have given at least one example of how it could be insecure. If you do believe it is secure, you should be able to support your contention with more than reference to RFCs, vague comments, and claiming that you have read the code and didn't catch anything. If you cannot specifically address my question, say so, tell us all that the security of PGP is an open question, and either leave it open or go after closing it. OR come up with another alternative that doesn't ignore my question, doesn't avoid the issue, doesn't appeal to authority that fails to adequately support your contentions, and doesn't claim that I am somehow unprofessional or unscholarly for questioning an unproven contention.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Under what analysis do you construe "It cannot be safely assumed" as "near-defamatory"?
Because you seem to be pointing a finger at specific people. Your recent messages imply (to me, at least) that you think one or more members of the MIT PGP project may have deliberately tampered with some of the PGP code.
I don't believe I actually said any such thing. Perhaps you are not reading (or I am not writing) carefully enough. All I think I did was ask why I should believe they have not when they or those like them have done it before.
This speaks for itself. "They or those like them," indeed! ...
The fact is, you seem to support the idea that PGP is secure without a reasonable basis, and when pushed a bit harder, agree that it probably is not secure.
I never made any claim that PGP is "secure". Quite the contrary - I've been complaining about the security implications of PGP's monolithic structure and complexity since I first saw the code, though I did state the basis on which I trust it little less than I trust other software of equal complexity. Primarily, however, I jumped in to this discussion to take issue with your unfair implication that there is reason to suspect deliberate wrongdoing on the part of the MIT people. If your remarks are based on some specific information you know about some person or group, please tell us. Otherwise, it would be a shame to allow your credibility to taint these people in the backs of people's minds just for the sake of a casual, throwaway rhetorical device. There is no need to raise the specter of an evil conspiracy to make your point. It's irrelevant and beneath you, based on what I've read of your earlier work on viruses. Feel free to have the last word if you'd like, since we seem to AGREE that PGP needs more analysis and scrutiny.
-matt
Hello fc@all.net (Dr. Frederick B. Cohen) and mab@crypto.com (Matt Blaze) and cypherpunks@toad.com I'm afraid I missed the start of this thread, sorry if I'm repeating... ...
The fact is, you seem to support the idea that PGP is secure without a reasonable basis, and when pushed a bit harder, agree that it probably is not secure.
The problem is that "secure" is not really something that can be proved. (I'm not sure if that's a theoretical or a practical fact, but it remains.) For one thing, I'm not even sure the RSA algorithm itself is secure. (At least I've never heard of a proof; have you?) As long as I'm using PGP to send letters to grandma, the cost (to me) of a successful attack is small. I therefore expend little effort to verify that it is secure. If/when I start to use it for more serious applications, I will read the source code. I might even modify it (e.g. accord less entropy per keystroke) if I'm not happy with it. If circumstances warranted, I could re-implement it from the appropriate RFC (is it out yet or still draft?). However, in such circumstances, I very much suspect a one-time-pad would be used.
This is how professionals deal with these sorts of questions:
If you do not believe it is secure, you should say why not.
I do not believe that it can be proven secure.
In my case, I question its security and have given at least one example of how it could be insecure.
If you doubt the key-gen routine:
* you are certainly free to make up your own keys any way you like,
* write your own and argue that it's better, and/or
* find a way to break the key-gen routine.
If you do believe it is secure, you should be able to support your contention with more than reference to RFCs, vague comments, and claiming that you have read the code and didn't catch anything.
Adding to the list:
* I've never heard of anyone catching anything (except the headers on clearsigned messages problem).
If you cannot specifically address my question, say so, tell us all that the security of PGP is an open question, and either leave it open or go after closing it.
The security of anything is an open question. You shouldn't spend more on proving security than a breach would cost. Hope I'm making sense...
Jiri
--
If you want an answer, please mail to <jirib@cs.monash.edu.au>. On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
This might seem a bit long, and I'd like to apologize to the real cypherpunks for my ranting.
Because you seem to be pointing a finger at specific people. Your recent messages imply (to me, at least) that you think one or more members of the MIT PGP project may have deliberately tampered with some of the PGP code.
I don't believe I actually said any such thing. Perhaps you are not reading (or I am not writing) carefully enough. All I think I did was ask why I should believe they have not when they or those like them have done it before.
You have. I doubt it was intentional, but you have, continually. Here are some snippets of things you've said. First, you say that it is a rational concern since PGP was taken over by us:
The term paranoid is inappropriate in this context. Paranoia refers to an irrational fear, while I am expressing a rational concern over a system that has been taken over by a (partially) government funded university and which has not been properly verified. The history of cryptography (as they say) is (quite literally) littered with the dead bodies of people killed because somebody else thought a cryptosystem was good enough when it was not.
Then you talk about the MIT version as if it were the original thing:
Why (specifically) do you think the MIT version of PGP has no backdoors and is not subject to attacks such as the one outlined in my previous posting?
PGP 2.0 was released in September, 1992, from Europe, and many many people have been examining it ever since. I truly believe that there are no backdoors. Does that mean the program is completely bug-free? Hardly. Does it mean that some attack against PGP won't be discovered in the future? I don't know, I'm not a diviner, I cannot foresee the future, and I have no idea what technology will come in the future. For all I know, someone will prove that P=NP and all this will be for naught. Anyways, to get back to my claims of your hurtful statements:
Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the only information protected by PGP is dirty pictures? Do you somehow think that MIT and the NSA are above that sort of thing? All you have to do is look at history, and it should be clear that this appeal to authority is often used by those trying to cover things up. If you know
I DO NOT GET PAID FOR ANY WORK I DO ON PGP! I HAVE NEVER RECEIVED A DIME FOR MY WORK. I WORK ON PGP BECAUSE I BELIEVE IN IT. Having said that, I cannot BELIEVE you would have the Balls to say that the NSA has bought me. Go re-read what you've said. You have just said that the MIT PGP team, through MIT, is bound to be covering something up because of historical fact. I have never said "Believe me when I said PGP is secure". I have continually asked for you to check on the security yourself. But you have continually refused to do that, and asked why it is secure! So, you refuse to look for yourself, and you refuse to believe it when you are told. So, what the hell do you want? Do you want a line-by-line examination of the code???? Sheesh!
It cannot be safely assumed that any program is clean or that any one person or group is not involved with intentionally subverting security. That violates the fundamental principles of information protection.
You're right, which is why the source code is publicly available. I would wholeheartedly agree with you if only binaries are shipped, but the source is available. Anyone can look through and verify the code. Anyone can try to find weaknesses. In fact, everyone is encouraged to do so. I don't see how _this_ "violates the fundamental principles of information protection".
You might be, but even if you are not, that doesn't mean there are no back doors. Your inability to detect a backdoor gives me little confidence, since this is at least an NP-complete problem and, with all due respect, today, nobody can prove that PGP is free of backdoors
I think I've finally figured out where you are completely confused!!! You are confusing "back door" with "bug". FYI: A back door is usually a means to make it easy for someone to get into a system. For example, if I put in code so that I could read every PGP message by typing the passphrase "Setec Astronomy", that would be a backdoor. The fact that httpd was exploitable, or sendmail holes, or etc. are BUGS, not Back doors. Your problem is that you are using these terms interchangeably. THEY ARE NOT THE SAME. Putting in a backdoor has the connotation of intent. A bug is an accidental occurrence that was a side effect of poor coding, a typo, carelessness, confusion, inconsistency, etc. A back door, on the other hand, is a DELIBERATE ATTEMPT TO REDUCE OR CIRCUMVENT SECURITY!
"...Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. ...recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose."
PGP does not use "truly random hardware techniques"
Oh? It doesn't? How can you say that? In what way does it not do this? The RFC states, in your quote, that "existing hardware on many systems can be used" for truly random hardware techniques. Please, substantiate your claim that PGP does not do this. Show me code segments which show it does not. Show me an analysis that goes contrary to the RFC.
But the RFC acknowledges that these methods are highly suspect and should not be trusted.
You're right, it should not be blindly trusted. Go read the code and examine the algorithms to prove to yourself that it is secure. I've done that to the extent that I wish, and I believe it is secure. But you won't take my word for it, so go ahead and check! Oh, wait, you won't do that either. Sorry. I forgot.
How is it "unscholarly, unprofessional, needlessly personal, and just plain insulting" to question the idea that hundreds of thousands of people are trusting their freedom to software that is probably not secure? I think it is highly unprofessional to try to claim that PGP is secure and to try to bolster that position by claiming that some "Request for Comments" supports it when that same said RFC refutes it.
Show me some proof that PGP is "probably not secure"? Come on, there is a finite probability that I can walk through a wall! The laws of quantum probability give me this finite probability! But I'd be hard pressed to show you that I can walk through the wall. It looks good on paper, but it just ain't gonna happen. As for the RFC, it does not refute that PGP is secure. In fact, PGP pretty much follows the RFCs guidelines. You clearly have selective reading. A useful skill -- I should learn it.
It has been my general impression that "scholarly" means, among other things, questioning the status quo and finding out where the generally accepted ideas break down. I am a professional in the field of information protection, and I consider it highly unprofessional in this field to assume that systems are secure without ample evidence to support it.
Don't forget that you have to run PGP in some OS. Please show me a secure OS! Given that the OS cannot be secure (using your logic it is intuitively obvious that this is true) then how can you ask to see a program any more secure than the environment in which it runs? PGP tries to be as secure as possible given the environment in which it is being run.
So far, I see no ample evidence to support the security of PGP's key generation algorithm relative to the concerns I have expressed. Those concerns are fairly specific as far as I am concerned, but if you feel I have to demonstrate a specific attack that works in order to question the adequacy of protection, I think you have it backwards.
No, your concerns have been utterly vague. The closest you've come to being at all specific is some vague notion of analyzing keystrokes. In every message I've responded to, I've asked you to expand upon what you mean. What kind of analysis do you mean? How do you propose to analyze keystroke timings? Even if you have a probabilistic model of keystroke timings, all you can possibly do is compare two different probabilities to see if they are the same. But that doesn't help you limit the search on keys.
If the people at MIT feel personally insulted because I have questioned their previously accepted ideas, it's just too bad. I didn't say they
I'm not insulted that you are questioning PGP. I am insulted because in every message you have sent, you have postulated some conspiracy with the government or postulated some intentional weakening of PGP. Your statements could almost be construed as libelous, which is why I feel insulted. I feel extremely comfortable with people questioning the security of PGP. What I don't like is someone stating that it is not secure, claiming some sort of back door (which connotes some intent to reduce the security) and does not back up the claim with any proof.
In my case, I question its security and have given at least one example of how it could be insecure.
And I've asked to you explain your conjecture, which you have constantly either refused to do or intentionally ignored.
If you do believe it is secure, you should be able to support your contention with more than reference to RFCs, vague comments, and claiming that you have read the code and didn't catch anything.
No matter what, PGP's security is based upon the security of RSA, which in turn is based upon the difficulty of factoring, which has never been proven to be hard. Therefore, there is always the possibility that someone will find a polynomial factoring algorithm which would completely destroy any security in PGP.
If you cannot specifically address my question, say so, tell us all that the security of PGP is an open question, and either leave it open or go after closing it.
Ok. Please explain what kind of keystroke timing analysis you propose, and I will attempt to answer that, or concede your point.
OR come up with another alternative that doesn't ignore my question, doesn't avoid the issue, doesn't appeal to authority that fails to adequately support your contentions, and doesn't claim that I am somehow unprofessional or unscholarly for questioning an unproven contention.
Have you heard the thought experiment of putting a back-door in login by modifying the C compiler to modify the C compiler to modify login? Think about that in terms of the security of PGP -- you are always going to be limited in security to the security of the system on which you are running. I only believe you are being unscholarly because you are making claims without any supporting evidence. _THAT_ is unscholarly! Now, if you are asking if PGP is completely bug free, I will be the first to admit that it is not. I am certain that there are latent bugs in the code (and there are many that have been fixed since the 2.6.2 release). However that has not been your statement nor your questions. You have asked about back doors, an intentional act to reduce the security, and to that I vehemently say that there are none. How do I know that you haven't been infected by a computer virus? Perhaps there was a computer virus that flashed subliminal messages on your screen to make you think you were L. Detweiler and think that Desert Storm was the greatest thing since sliced bread? Improbable? Perhaps, but prove to me that this didn't happen! How do you know that Microsoft Windows doesn't send all your keystrokes to Bill Gates for him to peruse? Prove to me that we landed on the moon! Some have contended that it was all a hoax. Prove to me that the universe existed before I was conscious of it. How do I know that you exist? Perhaps all this is a dream -- and if so, I sure hope to god I wake up soon. Good night. -derek
RFC 1750 says: # "...Choosing random quantities to foil a resourceful and motivated # adversary is surprisingly difficult. ...recommends the use of truly # random hardware techniques and shows that the existing hardware on many # systems can be used for this purpose." Dr. Frederick B. Cohen writes: $ PGP does not use "truly random hardware techniques" I wrote: % Correct. Derek Atkins writes:
Oh? It doesn't? How can you say that? In what way does it not do this? The RFC states, in your quote, that "existing hardware on many systems can be used" for truly random hardware techniques. Please, substantiate your claim that PGP does not do this. Show me code segments which show it does not. Show me an analysis that goes contrary to the RFC.
Warning: I'm about to quibble over semantics. I'm not being accused of being an NSA lackey (yet), so I guess I have more time for pettiness ;)
In the context of RFC 1750, it appears to me that the phrase "truly random hardware techniques" does not refer to the type of RNG method employed in PGP. Section 5.3 discusses the use of built-in digitizers of analog natural sources, and turbulence in disk drive chambers, as the "truly random" "existing hardware" techniques. Keystroke timing only seems to fall under 6.2, Non-Hardware Sources of Randomness.
-----------------------------------------------------------------------
5.3 Existing Hardware Can Be Used For Randomness
As described below, many computers come with hardware that can, with care, be used to generate truly random quantities.
5.3.1 Using Existing Sound/Video Input [...]
5.3.2 Using Existing Disk Drives [...]
-----------------------------------------------------------------------
6.2 Non-Hardware Sources of Randomness
The best source of input for mixing would be a hardware randomness such as disk drive timing affected by air turbulence, audio input with thermal noise, or radioactive decay. However, if that is not available there are other possibilities. These include system clocks, system or input/output buffers, user/system/hardware/network serial numbers and/or addresses and timing, and user input.
-----------------------------------------------------------------------
-Futplex <futplex@pseudonym.com> "We love our lovin' -- but not like we love our freedom" -Joni Mitchell
Sorry for the long reply. I hope this will be taken off-line soon. ...
Here are some snipets of things you've said. First, you say that it is a rational concern since PGP was taken over by us:
The term paranoid is inappropriate in this context. Paranoia refers to an irrational fear, while I am expressing a rational concern over a system that has been taken over by a (partially) government funded university and which has not been properly verified. The history of cryptography (as they say) is (quite literally) littered with the dead bodies of people killed because somebody else thought a cryptosystem was good enough when it was not.
This is a true statement. Tens of thousands of people have died because cryptosystems were trusted when they should not have been (hindsight being 20/20 of course).
Then you talk about the MIT version as if it were the original thing:
Why (specifically) do you think the MIT version of PGP has no backdoors and is not subject to attacks such as the one outlined in my previous posting?
PGP 2.0 was released in September, 1992, from Europe, and many many people have been examining it ever since. I truly believe that there are no backdoors.
So you believe that there are no backdoors because it was released from Europe and people have looked at it since. ...
Anyways, to get back to my claims of your hurtful statements:
Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the only information protected by PGP is dirty pictures? Do you somehow think that MIT and the NSA are above that sort of thing? All you have to do is look at history, and it should be clear that this appeal to authority is often used by those trying to cover things up. If you know
I DO NOT GET PAID FOR ANY WORK I DO ON PGP! I HAVE NEVER RECEIVED A DIME FOR MY WORK. I WORK ON PGP BECAUSE I BELIEVE IN IT. Having said that, I cannot BELIEVE you would have the Balls to say that the NSA has bought me. Go re-read what you've said. You have just said that the MIT PGP team, through MIT, is bound to be covering something up because of historical fact.
I think that you miss the point. If you worked for the NSA, you would probably say this as well. The point is that, for the purposes of looking at the security of PGP, we should assume that you have evil intent, whether you do or not. I didn't say that the NSA bought you. I asked " Why (specifically)..." The question mark at the end is a dead give-away. It is factually accurate that government agencies have gotten the cooperation of academics in the past to carry out subversions in order to further their goals. I asked "Do you somehow think that MIT and the NSA are above that sort of thing?" You apparently do, but history tells us that it is imprudent to do this. So if there has been a failure in communications in this respect, I apologize for not making it as clear as I might have. If you feel personally slighted, I am sorry that you feel this way. Nevertheless, I believe that it is prudent to believe that the NSA has "bought you" for the purpose of assessing the security of PGP and to ask the question "Why (specifically) do you think so?"
I have never said "Believe me when I said PGP is secure". I have continually asked for you to check on the security yourself. But you have continually refused to do that, and asked why it is secure! So, you refuse to look for yourself, and you refuse to believe it when you are told.
I have not refused to do any such thing. I have had a copy of PGP for quite some time, but it is too large and complex for me to verify by hand, and I know of no automated technique that can do the job in any reasonable amount of time. I was probably wrong to assume that this was obvious.
So, what the hell do you want? Do you want a line-by-line examination of the code???? Sheesh!
I think it would be prudent to do and publish a line-by-line walkthrough of the source of PGP (although not to the whole list please). You should be trying to prove properties such as the non-interference of any of the rest of the code with the key generation (or other) algorithms. This may be done by an information flow analysis similar to what was done on our secure W3 server. It would also be prudent to perform adequate tests of the properties of inputs from people to determine the true information content of the seeds and to publish these results so they can be critiqued. Perhaps it would also be valuable to have the members of this list contribute ideas about properties they think would be worth verifying.
It cannot be safely assumed that any program is clean or that any one person or group is not involved with intentionally subverting security. That violates the fundamental principles of information protection.
You're right, which is why the source code is publicly available. I would wholeheartedly agree with you if only binaries are shipped, but the source is available. Anyone can look through and verify the code. Anyone can try to find weaknesses. In fact, everyone is encouraged to do so. I don't see how _this_ "violates the fundamental principles of information protection".
The problem is that merely shipping however many lines of source code does little to demonstrate its propriety. A publicly posted version of the source for IRC, for example, had an obvious Trojan horse that wasn't detected for more than 6 months and was actively being used to attack systems over the entire period. In order to assess the source code, it is necessary to also publish appropriate demonstrations of WHY it is secure.
You might be, but even if you are not, that doesn't mean there are no back doors. Your inability to detect a backdoor gives me little confidence, since this is at least an NP-complete problem and, with all due respect, today, nobody can prove that PGP is free of backdoors
I think I've finally figured out where you are completely confused!!! You are confusing "back door" with "bug". FYI: A back door is usually a means to make it easy for someone to get into a system. For example, if I put in code so that I could read every PGP message by typing the passphrase "Setec Astronomy", that would be a backdoor. The fact that httpd was exploitable, or sendmail holes, or etc. are BUGS, not Back doors.
But don't you see? If I introduce a subtle backdoor and make it look like a bug, I have plausible deniability. Since I, as an independent observer, cannot tell whether the hole is intentional or accidental, I should, for the purposes of considering security, assume that it is intentional.
Your problem is that you are using these terms interchangeably. THEY ARE NOT THE SAME. Putting in a backdoor has the connotation of intent. A bug is an accidental occurrence that was a side effect of poor coding, a typo, carelessness, confusion, inconsistency, etc. A back door, on the other hand, is a DELIBERATE ATTEMPT TO REDUCE OR CIRCUMVENT SECURITY!
But how can I, as an independent observer, tell if it is an accident or a cleverly intentional subversion? I cannot look into your brain and tell the difference, and no statement you make can reasonably convince me. They may not be the same, but they are not differentiable by an independent observer. From a scientific point of view, they are the same. From a humanistic point of view they may be different.
"...Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. ...recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose."
PGP does not use "truly random hardware techniques"
Oh? It doesn't? How can you say that? In what way does it not do this? The RFC states, in your quote, that "existing hardware on many systems can be used" for truly random hardware techniques. Please, substantiate your claim that PGP does not do this. Show me code segments which show it does not. Show me an analysis that goes contrary to the RFC.
You have it backwards. You show me that the techniques you claim to be truly random are indeed that. Supposedly random number generators have been created for many years, and plenty of them have been broken after many years of being held to be secure with the algorithm and the full details available for all to see.
But the RFC acknowledges that these methods are highly suspect and should not be trusted.
You're right, it should not be blindly trusted. Go read the code and examine the algorithms to prove to yourself that it is secure. I've done that to the extent that I wish, and I believe it is secure. But you won't take my word for it, so go ahead and check! Oh, wait, you won't do that either. Sorry. I forgot.
But I cannot prove that it is secure. In fact, I believe that it is not!
How is it "unscholarly, unprofessional, needlessly personal, and just plain insulting" to question the idea that hundreds of thousands of people are trusting their freedom to software that is probably not secure? I think it is highly unprofessional to try to claim that PGP is secure and to try to bolster that position by claiming that some "Request for Comments" supports it when that same said RFC refutes it.
Show me some proof that PGP is "probably not secure"? Come on, there is a finite probability that I can walk through a wall! The laws of quantum probability give me this finite probability! But I'd be hard pressed to show you that I can walk through the wall. It looks good on paper, but it just ain't gonna happen.
That's exactly what the Germans said about the Enigma and others have been saying about cryptosystems for the past 4,000+ years. They have been shown wrong again and again, and as a result, people like me want more than just an "I believe it's secure".
As for the RFC, it does not refute that PGP is secure. In fact, PGP pretty much follows the RFCs guidelines. You clearly have selective reading. A useful skill -- I should learn it.
It takes years of practice.
It has been my general impression that "scholarly" means, among other things, questioning the status quo and finding out where the generally accepted ideas break down. I am a professional in the field of information protection, and I consider it highly unprofessional in this field to assume that systems are secure without ample evidence to support it.
Don't forget that you have to run PGP in some OS. Please show me a secure OS! Given that the OS cannot be secure (using your logic it is intuitively obvious that this is true) then how can you ask to see a program any more secure than the environment in which it runs? PGP tries to be as secure as possible given the environment in which it is being run.
I agree that it is often easier to break into the computer to get the keys than it is to break the cryptosystem. That was my next bone to pick with PGP - the way it stores the keys. But I'll save that for another day.
So far, I see no ample evidence to support the security of PGP's key generation algorithm relative to the concerns I have expressed. Those concerns are fairly specific as far as I am concerned, but if you feel I have to demonstrate a specific attack that works in order to question the adequacy of protection, I think you have it backwards.
No, your concerns have been utterly vague. The closest you've come to being at all specific is some vague notion of analyzing keystrokes. In every message I've responded to, I've asked you to expand upon what you mean. What kind of analysis do you mean? How do you propose to analyze keystroke timings? Even if you have a probabilistic model of keystroke timings, all you can possibly do is compare two different probabilities to see if they are the same. But that doesn't help you limit the search on keys.
For example, you can generate the most probable 10^40 or so input sequences, do key generation, and test against them to find out if the user's key is one of them. The question I am posing could be considered as a question of the information content of the original input to PGP's key generation process. How could this be subtly altered by a person responsible for maintaining PGP or detected and not repaired by same? For example, a loop index could be calculated incorrectly by having a different part of PGP overwrite the loop index using an incorrect pointer conversion. Then the loop that uses all of the input bits would be subtly altered so as to use fewer of them. The results would still look random but the total search space would be reduced to the point where a good supercomputer could run through it in only a few hours.
If the people at MIT feel personally insulted because I have questioned their previously accepted ideas, it's just too bad. I didn't say they
I'm not insulted that you are questioning PGP. I am insulted because in every message you have sent, you have postulated some conspiracy with the government or postulated some intentional weakening of PGP.
And history tells us that the U.S. government does this quite often. They are actively trying to harass PGP's author using a variety of what could be reasonably called dirty tricks, they are actively trying to prevent the use of good cryptography in the US, and they are actively trying to make certain uses of cryptography illegal. Why should I believe that they would not also try to subvert PGP?
Your statements could almost be construed as libelous, which is why I feel insulted. I feel extremely comfortable with people questioning the security of PGP. What I don't like is someone stating that it is not secure, claiming some sort of back door (which connotes some intent to reduce the security) and does not back up the claim with any proof.
What I don't like is people that state it is secure but can't back it up with real facts. Why (specifically) do you believe PGP is secure? Forget your ego and the posturing about how you are not working for the NSA and come up with a really good demonstration of the reason PGP is secure, and I will be very quick to commend you. ...
Ok. Please explain what kind of keystroke timing analysis you propose, and I will attempt to answer that, or concede your point.
Fair enough. A useful first step would be to demonstrate the real information content of the keystrokes and timings entered by the user across a reasonable number of different platforms, users, and trials. That would start to address the potential that there is a fundamental mistake in (or intentional corruption of) the input process. The demonstrations described earlier would also be worthwhile in demonstrating the lack of subtle interaction among the parts of PGP (I refer to the information flow analysis). After that, you should solicit other ideas from as wide an audience as possible to see what sorts of properties should be considered for this sort of program, and go about picking the most important ones first, and so on. I would be happy to discuss further details off-line.
OR come up with another alternative that doesn't ignore my question, doesn't avoid the issue, doesn't appeal to authority that fails to adequately support your contentions, and doesn't claim that I am somehow unprofessional or unscholarly for questioning an unproven contention.
Have you heard the thought experiment of putting a back-door in login by modifying the C compiler to modify the C compiler to modify login? Think about that in terms of the security of PGP -- you are always going to be limited in security to the security of the system on which you are running.
Not a thought experiment, the Turing award paper in 1984 - came out just a little bit after the IFIP conference in which computer viruses were first publicly described and analyzed.
I only believe you are being unscholarly because you are making claims without any supporting evidence. _THAT_ is unscholarly!
I think there is good supporting historical evidence for my questions. But I don't believe I have made any "claims". ... -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
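Two of the measurements asked for above can be sketched in code. The C program below is an added example, not code from PGP, MIT, or any poster in this thread. It (a) estimates the min-entropy of a run of keystroke inter-arrival times at two clock resolutions, which is the "real information content of the keystrokes and timings" figure Cohen proposes measuring across platforms, and (b) shows the kind of quiet loop-bound defect he describes, where the mixing loop drops most of its input while the pool output still looks random. Assumptions, all labeled in the code: the 16 intervals are constructed, not measured; the 1 ms and 55 ms ticks stand in for a fine clock and the PC's 18.2 Hz timer tick; the pool mix is a toy multiply/xorshift rather than PGP's MD5-based pool; and the defect is an 8-bit loop bound rather than the pointer overwrite he mentions.

```c
/* Added example, not PGP's code: how much secret a run of keystroke
 * inter-arrival times really carries (RFC 1750 sec. 6.2's "non-hardware"
 * source), and how a mixing loop that silently drops samples shrinks the
 * seed search space while its output still looks random. The timing data
 * below is constructed for illustration, not measured. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_INTERVALS 16
#define MAX_BUCKETS   256

/* Constructed inter-keystroke intervals, microseconds (90 to 250 ms). */
static const unsigned kIntervalsUs[NUM_INTERVALS] = {
    120000,  95000, 210000, 140000, 180000, 105000, 160000, 130000,
    115000, 250000,  90000, 175000, 145000, 200000, 110000, 135000
};

/* log2(x), x > 0, without libm: integer part by halving, fraction by
 * repeated squaring. Exact for powers of two, ~1e-15 otherwise. */
static double log2_nolibm(double x) {
    double result = 0.0, bit = 0.5;
    while (x >= 2.0) { x /= 2.0; result += 1.0; }
    while (x < 1.0)  { x *= 2.0; result -= 1.0; }
    for (int i = 0; i < 52; i++, bit /= 2.0) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; result += bit; }
    }
    return result;
}

/* Quantize an interval to the timer tick the platform exposes: the
 * coarser the tick, the fewer distinct values an attacker must guess. */
static unsigned quantize(unsigned interval_us, unsigned tick_us) {
    unsigned b = interval_us / tick_us;
    return b < MAX_BUCKETS ? b : MAX_BUCKETS - 1;
}

/* Min-entropy per keystroke at a given tick: -log2(p of the most common
 * tick value). This bounds an attacker who tries likely values first. */
double min_entropy_bits(unsigned tick_us) {
    unsigned hist[MAX_BUCKETS] = {0}, max = 0;
    for (size_t i = 0; i < NUM_INTERVALS; i++)
        hist[quantize(kIntervalsUs[i], tick_us)]++;
    for (size_t i = 0; i < MAX_BUCKETS; i++)
        if (hist[i] > max) max = hist[i];
    return -log2_nolibm((double)max / NUM_INTERVALS);
}

/* Toy pool mix (invertible multiply/xorshift), NOT PGP's MD5-based pool.
 * It only shows that pool secrecy is bounded by the samples that reach it. */
static uint64_t mix_sample(uint64_t pool, unsigned sample) {
    pool ^= sample;
    pool *= 0x9E3779B97F4A7C15ULL;
    return pool ^ (pool >> 29);
}

/* Correct loop: every one of the n samples reaches the pool. */
uint64_t mix_all(size_t n, size_t *consumed) {
    uint64_t pool = 0;
    for (size_t i = 0; i < n; i++)
        pool = mix_sample(pool, quantize(kIntervalsUs[i % NUM_INTERVALS], 1000));
    *consumed = n;
    return pool;
}

/* The kind of "bug" Cohen describes: the bound is squeezed through an
 * 8-bit variable, so for n >= 256 only n % 256 samples are mixed. The
 * pool is still 64 random-looking bits; only the search space shrank. */
uint64_t mix_truncated(size_t n, size_t *consumed) {
    unsigned char limit = (unsigned char)n;     /* silent truncation */
    uint64_t pool = 0;
    for (unsigned i = 0; i < limit; i++)
        pool = mix_sample(pool, quantize(kIntervalsUs[i % NUM_INTERVALS], 1000));
    *consumed = limit;
    return pool;
}

/* How many samples the broken loop actually mixed for n keystrokes. */
size_t consumed_by_truncated_loop(size_t n) {
    size_t c;
    mix_truncated(n, &c);
    return c;
}

/* Seeds an attacker must enumerate: samples actually mixed x bits each. */
double search_space_bits(size_t consumed, double bits_per_sample) {
    return (double)consumed * bits_per_sample;
}

int main(void) {
    size_t all, trunc;
    mix_all(300, &all);
    mix_truncated(300, &trunc);
    printf("1 ms tick : %.2f bits of min-entropy per keystroke\n", min_entropy_bits(1000));
    printf("55 ms tick: %.2f bits of min-entropy per keystroke\n", min_entropy_bits(55000));
    printf("300 keys at 1 bit each: %.0f bits correct, %.0f bits truncated\n",
           search_space_bits(all, 1.0), search_space_bits(trunc, 1.0));
    return 0;
}
```

Two caveats a practitioner would note. With only 16 samples the min-entropy estimate is capped at log2(16) = 4 bits, so the 4.00 printed for the 1 ms tick is an artifact of the sample size, not a measurement; the experiment Cohen asks for needs thousands of keystrokes per platform and per user before the per-keystroke figure means anything. The 55 ms tick, by contrast, collapses the same intervals into four values and about 1 bit per keystroke, and the truncated loop then leaves 44 of 300 keystrokes in the pool, which is the sort of reduction that turns an unsearchable seed into a searchable one without any visible change in the pool's output.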
A reasonable response. My question is: Why do you think that the key generation algorithm used by PGP is secure? Specifically, how do we know there is no subtle back door that reduces the problem of testing the typical key space to a solvable problem in today's technology?
I don't believe I made ANY "vague, wild, unsupported claims" however, that is certainly a matter of opinion.
OK, let me put my 2 pence collaboration: Let's see. I can try to write a nice program to protect myself. I could XOR something with my key (00000000) and use that. Then tell my fellows and all of us use the same program. Or I could even be more tricky and implement something more complex. Now, my knowledge, time and resources are limited. I see that MIT or whomever has made a program that, under test, is more secure than my XOR 00000000 implementation. I may not fully trust them but it is better than anything I could come out with. So, my position is: if it's the best thing I have access to, I only have two options: either I use it or I give up with cryptography at all. Right? Now, I think that what I am trying to say is: if you can come up with something better, please do. All the Free (and Wannabe Free) World will be eternally grateful to you. If you can't, then you only have the above two options. Bragging about hypothetical fears that you can't demonstrate at all is not only stupid, it is also pessimistic, destructive, unproductive and threatening all kinds of freedom. Nazi perhaps? Dunno. And I don't care. Security? As you have already been told, you can only prove it negatively. So, since you can only prove that it can fail, but can't prove it can't, any discussion is irrelevant unless you have any real proof. All the process is based in a fight against time: you are assuming that nobody can break your crypto process before the secret becomes irrelevant. All your security lies in the fact that *YOU* don't know of anybody that can break the problem but can't deny that someone could ever possibly discover a clever algorithm. Thus: either you have proof that it can be broken, or know a better algorithm, or can name someone who can prove s/he can break it, or you just trust it the best you can. Any other kind of discussion is a sophism. Dr?... hum. Let me try then a different analogy: I do have a patient with a lethal disease with no known therapy.
Then someone comes up with A, which cures people, but -being new- could maybe possibly perhaps have some secondary effect that no one knows yet and can't be demonstrated (but could exist). Now, should I trust the lives of my patients to therapy A or should I wait for some years to be secure it has no secondary effects?. Even so, since the fact nobody has reported them doesn't mean it could not have them (only that nobody has discovered them), I can't be 100% sure. Oh, well, I guess that if your doctor never gave you a therapy 'cos you can never be 100% sure, you would not like the idea. Would you trust your life to that therapy when you know for sure you are about to die if you don't? What if A saved 100%, but there was a therapy B that saved 20% with no known secondary effects either? Which one would you choose? Thus, can you trust lives and whatnot to something not fully known? I'd say that unless you have something better, that's your better bet. So, since you know for sure that if you don't use any cryptography at all, you must communicate in the clear, what do you do? So, can you come up with something better or not? jr
From: fc@all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 1995 20:08:15 -0400 (EDT)
One of the several points I tried (apparently unsuccessfully) to make is that with a program that large, it is impractical to verify that there
For better or for worse, we all must use programs (or collections of programs) that large or larger: even if PGP could be implemented in 1 % of the current source code, it would still be running in an operating system that's cramped in 4 megabytes of ram, because that's a characteristic of the common modern operating systems. The operating systems PGP is running in are larger than PGP itself; if PGP is too large to practically verify the nonexistence of back doors, then there's nothing we can do whatsoever to disprove the existence of back doors.
...are no subtle back doors - regardless of how knowledgeable or skilled you or I may be. Your "assumption of security" perspective is an inappropriate one unless you are trying to get people to use something that is not secure.
Or unless you're trying to subject a program to a standard nothing ever written these days is going to meet because it runs in an operating system that's a lot harder to verify as being secure. Please note: I am not trying to suggest that there are purposeful or inadvertent back doors in any of the variants of PC-DOS, Windows, or the Macintosh OS, or more than usual in the various Unix variants (of which the details are available on RISKS; of course, Unix can probably be made reasonably secure if one is aware of the issues involved, which isn't a bad idea. This isn't meant to be a disendorsement of Unix.)
The headers on the postings allow you to ignore them, but in the meanwhile, the subject matter is in line with this forum, and the questions are legitimate. You will have to do better than to appeal to authority to convince anyone that MIT's version of PGP is secure.
Can you _convince_ me that MacOS 7.5, or Windows 3.1 (the OS I currently use), or WWG, or OS/2 3.0, or Linux, or NetBSD, is reasonably secure? Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the only information protected by PGP is dirty pictures? Do you somehow think that MIT and the NSA are above that sort of thing? All you have to do is look at history, and it should be clear that this appeal to authority is often used by those trying to cover things up. If you know something about PGP's security that you aren't telling us, don't beat around the bush about it. Come out and say it. Tell us that you have proven that PGP has no backdoors and what method you used to do that. Tell us that you have hand verified all the code and that none of it overwrites the key generation process and tell us how you verified it. It cannot be safely assumed that any program is clean or that any one person or group is not involved with intentionally subverting security. That violates the fundamental principles of information protection. What OS should I use to do this? Should I just give up on anything beyond TRS-DOS 6.2? Phil
On Mon, 31 Jul 1995, Phil Fraering wrote:
For better or for worse, we all must use programs (or collections of programs) that large or larger: even if PGP could be implemented in 1 % of the current source code, it would still be running in an operating system that's cramped in 4 megabytes of ram, because that's a characteristic of the common modern operating systems.
Ahem! Commiedore APOLOGIZED when it released its 512K OS a couple of years ago. These things _don't_ have to be this large.
The operating systems PGP is running in are larger than PGP itself;
Got that straight!
which isn't a bad idea. This isn't meant to be a disendorsement of Unix.)
Oh, please! Now that I'm back with my direct connection, I want another OS holy war! I want to killfile LOTS of people (or two people in particular).
What OS should I use to do this? Should I just give up on anything beyond TRS-DOS 6.2?
No! Use UltraDos. Much better! Nathan Now THAT's noise....
Nathan, I know about the Amiga's small OS; I have used them on and off over the years and recently acquired a non-functional one that I had repaired; it's at the repair shop in Houston, waiting for the next time I'm able to go to Houston and pick it up. I really didn't want to start an OS holy war, although personally my recent experiences with Windows incline me towards joining the Linux Inquisition. Our main weapon is fear, fear and surprise! Our _two_ main weapons are fear, surprise, and an almost fanatical devotion to the principles of K & R C. OUR THREE main weapons are... Hmm. Maybe I should come in again...
+----------------+Quote from _Infinite In All Directions_, F.J. Dyson-----+
| Phil Fraering / \"The English Hierarchy, if there be anything unsound in|
| pgf@tyrell.net\ /its constitution, has reason to tremble even at an air |
+----------------+-pump or an electrical machine."---Joseph Priestly------+