I'm sorry if this is gnawing at old bones for you, but I recently heard from a rather paranoid, anonymous source here in Hungary that PGP was compromised, Zimmermann sold out to the Feds, all versions except possibly early DOS versions of PGP have back doors in them. He is also claiming that the CIA have already provided the backdoor-key to PGP 5.0 to the Hungarian Secret Services. Is he being too paranoid, or what?

The reason I am asking cypherpunks, which I realise is not really a list dedicated to PGP, about them, is that their credentials to my mind would be sufficient to discredit. I have heard this rumour in sufficiently bogus intellectual contexts before (Cyberconf8, if that rings a bell to anyone - wouldn't blame you if it didn't) where it seemed blatantly obvious that it was entirely unfounded, as the people who were spreading it could not recognise code if they saw it, and seemed only an attempt to appear to be in the know. This source, however, seems different.

Can I have some reassurance, please? And could you possibly suggest how someone unable to check the code themselves could go about authenticating a version of PGP? It is fated to become a rather important issue here soon.

thank you
holist
In <199811222154.NAA25646@toad.com>, on 11/22/98 at 01:54 PM, holist <holist@mail.matav.hu> said:
> I'm sorry if this is gnawing at old bones for you, but I recently heard from a rather paranoid, anonymous source here in Hungary that PGP was compromised, Zimmermann sold out to the Feds, all versions except possibly early DOS versions of PGP have back doors in them. He is also claiming that the CIA have already provided the backdoor-key to PGP 5.0 to the Hungarian Secret Services. Is he being too paranoid, or what?
>
> The reason I am asking cypherpunks, which I realise is not really a list dedicated to PGP, about them, is that their credentials to my mind would be sufficient to discredit. I have heard this rumour in sufficiently bogus intellectual contexts before (Cyberconf8, if that rings a bell to anyone - wouldn't blame you if it didn't) where it seemed blatantly obvious that it was entirely unfounded, as the people who were spreading it could not recognise code if they saw it, and seemed only an attempt to appear to be in the know. This source, however, seems different.
>
> Can I have some reassurance, please? And could you possibly suggest how someone unable to check the code themselves could go about authenticating a version of PGP? It is fated to become a rather important issue here soon.
This is FUD.

Go to: http://www.pgpi.com

Download the source code to the version of PGP you want to run and compile it yourself. You are free to examine the code and ensure that there are no "backdoors" in it.

This is the advantage of PGP over the various S/MIME products on the market. PGP source code is available for peer review, Netscape, Microsoft, (add your S/MIME vendor here) is not.

--
---------------------------------------------------------------
William H. Geiger III http://www.openpgp.net
Geiger Consulting Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
---------------------------------------------------------------
On Sun, Nov 22, 1998 at 01:54:42PM -0800, holist wrote:
> I'm sorry if this is gnawing at old bones for you, but I recently heard from a rather paranoid, anonymous source here in Hungary that PGP was compromised, Zimmermann sold out to the Feds, all versions except possibly early DOS versions of PGP have back doors in them.

This is probably bullshit since the source is available to open view...

However, given that few have the technical skills to audit this source I wonder how easy it would be to insert a backdoor and what form it would take?

--
1024/D9C69DF9 steve mynott steve@tightrope.demon.co.uk http://www.pineal.com/

substitute "damn" every time you're inclined to write "very"; your editor will delete it and the writing will be just as it should be. -- mark twain
At 01:54 PM 11/22/98 -0800, holist wrote:
> I'm sorry if this is gnawing at old bones for you, but I recently heard from a rather paranoid, anonymous source here in Hungary that PGP was compromised, Zimmermann sold out to the Feds, all versions except possibly early DOS versions of PGP have back doors in them. He is also claiming that the CIA have already provided the backdoor-key to PGP 5.0 to the Hungarian Secret Services. Is he being too paranoid, or what?

Pure disinformation. It does have a few locally-customized twists to it. As another poster said, you can get the source from www.pgpi.com, check it out yourself, and compile it yourself.

There are some versions that have features allowing you to encrypt data to multiple recipients, and some versions allow you to set this with one or more recipients as the default (e.g. yourself, or your corporate security officer.) But you do not need to set this.

There are also some design bugs in the early DOS versions that make them weaker than the later DOS versions or the newer versions, so you don't want to use anything before 2.5 anyway.

Thanks!
Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
participants (4)
- Bill Stewart
- holist
- Steve Mynott
- William H. Geiger III