Re: PGP Shell Integrity

At 10:13 PM 1/29/96 -0800, you wrote:
> Firstly, if this is viewed as "Noise" rather than "Signal", please accept my apologies.

Looks like a real technical discussion instead of a flame - obviously the wrong list :-)

> The matter at hand concerns my concern over my inability to check the "integrity" of a PGP windoze shell written by Michael R. Lyman at Aegis Research Corp.
> I worry that since the shell has access to my secret ring that it might be sending it somewhere without my knowledge.

I don't know that package, but most of them act as wrappers around DOS PGP rather than filtering keystrokes or doing PGP internals.
There are several risks - getting your secret ring, getting your passphrase, getting the RSA parameters without the passphrase itself. Obviously, having your secret key ring file leak is not good, but the fun parts _are_ IDEA-encrypted using your passphrases, so it's not too much of a risk. Having the passphrase or the raw keys stolen would obviously be worse. DOS/Windows is _not_ a secure operating system, if you believe that there's more than one person in the universe. (DOS doesn't believe that, so in some sense it's perfectly secure. :-) Nathaniel Borenstein's recent postings are a good reminder that keystrokes can be stolen, easily, in that environment.
> The freeware was, according to Mr. Lyman, developed "Project Manager, Forward Air Missile Defense, United States Army Missile Command". That gvt. affiliation gives me considerable pause as regards back doors and other ways my secret ring and pass phrase could be compromised.
> Does anyone have any familiarity with this freeware? I do not think I am being paranoid.. just careful. Lastly, if I am not a programmer, what sort of inspection can I perform on the software to make sure it is not "bugged"?

Without source code, if you're not a programmer, the things to look for are circumstantial evidence - is the copy of the program you got off the server PGP-signed by the purported author? Or by any programmers you trust? That doesn't tell you the program is trustable, but it does tell you if it's a fake replacing the real thing. Is the real thing trustable? (Well, probably...) There's also the problem of leaking your key back to the Bad Guys, but that's easy - the program could leak it out in your PGP messages (either obviously, as a second recipient, or in subtle nasty ways like playing with the system clock on timestamps.)

#--
# Thanks; Bill
# Bill Stewart, stewarts@ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs
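
The "second recipient" leak mentioned in the reply above can be checked for from the outside. The following is an added example, not part of the original message or of any PGP shell: it lists the recipient key IDs carried in a binary (de-armored) PGP message and reports any the sender did not ask for. The function names and the sample key IDs are constructed for illustration.

```python
def pkesk_key_ids(data: bytes) -> list:
    """Key IDs of all Public-Key Encrypted Session Key packets (OpenPGP tag 1)
    in a binary (de-armored) PGP message, one per recipient."""
    ids, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if hdr & 0x40:                         # new-format header
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                hlen, length = 2, first
            elif first < 224:
                hlen, length = 3, ((first - 192) << 8) + data[pos + 2] + 192
            elif first == 255:
                hlen, length = 6, int.from_bytes(data[pos + 2:pos + 6], "big")
            else:
                break                          # partial length: streamed data packet
        else:                                  # old-format header, as written by PGP 2.x
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                break                          # indeterminate length: data packet
            n = 1 << ltype                     # length field is 1, 2 or 4 bytes
            hlen, length = 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")
        if tag in (9, 18):
            break                              # encrypted data starts; no more recipients
        if tag == 1:
            body = data[pos + hlen:pos + hlen + length]
            ids.append(body[1:9].hex().upper())  # body: version, 8-byte key ID, algo, MPIs
        pos += hlen + length
    return ids


def unexpected_recipients(data: bytes, expected: set) -> list:
    """Recipient key IDs that the sender did not ask for. An all-zero ID
    (hidden recipient) is reported too unless explicitly expected."""
    return [k for k in pkesk_key_ids(data) if k not in expected]


def _pkesk(key_id_hex: str) -> bytes:
    # Constructed packet: version 3, key ID, algorithm 1 (RSA), dummy 8-bit MPI.
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xaa"
    return bytes([0x84, len(body)]) + body     # old format, tag 1, 1-byte length


# Constructed sample: intended recipient, an extra one, then a tag-9 data packet.
SAMPLE = _pkesk("1111111111111111") + _pkesk("DEADBEEF00000001") + b"\xa4\x04" + bytes(4)
print(unexpected_recipients(SAMPLE, {"1111111111111111"}))
```

This covers only the obvious channel; it says nothing about subtler ones such as manipulated timestamps.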