Re: Anonymous Nymserver: anon.nymserver.com

Someone mistitling itself "Truthmonger" writes:
Now that you seem to have actually read what I have written, perhaps you might consider reading what you, yourself, have written. I stated my case for contending that PGP=>2.5 has been compromised, and got back wild-eyed demands for proof of that which I did not claim, mainly, that PGP had been 'broken.'
To reiterate my original observations: 1. The development of RSA was funded and controlled by the spooks. i.e. - The National Science Foundation and the Navy. 2. The campaign of persecution against Phil Zimmerman ground to a halt once he agreed to PGP using the spook-developed RSAREF subroutines to implement the RSA functions, instead of PGP's original subroutines.
If people with guns came to me and told me that software I had written now had to use their subroutines, instead of my own, then I would consider my software 'compromised', regardless of whether or not I could immediately discern any anomalies in it. It is far, far easier to 'build' a back-door, than to 'find' one.
"TM" (I can't bring myself to use its full name, since it is so totally inappropriate) has made the following claims:
1. "PGP => 2.5 has been compromised."
2. "It is far, far easier to 'build' a back-door, than to 'find' one."
His main argument rests on the fact that the later versions of PGP use RSAREF, rather than Phil's own code. As support of the first claim, he claims:
1. The development of RSA was funded and controlled by the spooks. i.e. - The National Science Foundation and the Navy.
I'm not sure what you're referring to with "RSA" here - is it the algorithm or the company? If it's the algorithm, you may or may not have the intellectual capacity to verify it yourself - if you don't you have no business telling us it's compromised, and if you do, either publish the problem (and claim your 15 minutes of fame), or admit there is no hole you are aware of. There are plenty of people on this list who can follow the math, even if you can't.
If it's the company, then you are either ignorant or lying. RSA has *not* had a good relationship with the USG, as those who have been following the matter over the years know well. Most recently, you will notice that it has licensed some of its patents to a Japanese chip maker in an effort to avoid problems with US export restrictions. Is this the action of a USG patsy?
2. The campaign of persecution against Phil Zimmerman ground to a halt once he agreed to PGP using the spook-developed RSAREF subroutines to implement the RSA functions, instead of PGP's original subroutines.
PGP 2.5 was released in March 1994, about a year after Phil was indicted. It took until January 1996 for the indictment to be dropped; nearly another two years. If a deal was struck, why did it take so long?
The dismissal of Phil's persecution was almost certainly due to (a) the approach of the statute of limitations, and (b), the very high probability that he would be found innocent if they took him to trial. The government simply ran out of legal pretexts under which to harass him.
Now that your supporting assertions have been shown to be flawed, let's return to the original claims.
1. "PGP => 2.5 has been compromised."
2. "It is far, far easier to 'build' a back-door, than to 'find' one."
The problem, TM, is that we have full source code, and anyone with the intelligence and knowledge required can check it independently. PGP and RSAREF are both distributed as source. There is not one byte of instructions or data that have to be accepted on faith - no precompiled libraries, no mysterious DLLs or ActiveX controls. If there is a backdoor, show it to us.
Your second claim, that it is easier to build a backdoor than to find one, is true but not pertinent. Let's try an analogy.
1. You buy a house from a builder. You, being paranoid, wonder if the builder has included a secret door to enable him to enter the house without your permission. You investigate what you can, but in the end are left with some doubts.
2. You buy a set of blueprints from the builder, and examine them carefully for weaknesses. You then buy a plot of land of your choice, hire the workers you want, get materials from any supplier you wish. You supervise the construction yourself down to the last detail. Others who have purchased the same blueprints include trusted independent architects and construction engineers, who concur with you that no hidden back doors can be found in the design. At this point, how worried are you that the builder has left himself an unauthorized entry?
The situation with PGP >=2.5 is like the second scenario, not the first.
What it comes down to "TM" is: Put up or shut up. You can't spread FUD in a situation where there is no unknown to Fear, no Uncertainty to deal with, and no Doubt that we have all the knowledge we need.
Respond in a substantive manner. So far, you've avoided doing so.
Peter Trei
trei@process.com

Peter Trei wrote:
Some handsome devil named "Truthmonger" writes:
I stated my case for contending that PGP=>2.5 has been compromised, and got back wild-eyed demands for proof of that which I did not claim, mainly, that PGP had been 'broken.'
To reiterate my original observations: 1. The development of RSA was funded and controlled by the spooks. i.e. - The National Science Foundation and the Navy. 2. The campaign of persecution against Phil Zimmerman ground to a halt once he agreed to PGP using the spook-developed RSAREF subroutines to implement the RSA functions, instead of PGP's original subroutines.
If people with guns came to me and told me that software I had written now had to use their subroutines, instead of my own, then I would consider my software 'compromised', regardless of whether or not I could immediately discern any anomalies in it. It is far, far easier to 'build' a back-door, than to 'find' one.
His main argument rests on the fact that the later versions of PGP use RSAREF, rather than Phil's own code.
It is rather surprising to have anyone on this list actually address the issues I raised but, all the same, you seem to want to label the detail you wish to address as my 'main' argument.
As support of the first claim, he claims:
1. The development of RSA was funded and controlled by the spooks. i.e. - The National Science Foundation and the Navy.
If it's the algorithm, you may or may not have the intellectual capacity to verify it yourself - if you don't you have no business telling us it's compromised, and if you do, either publish the problem (and claim your 15 minutes of fame), or admit there is no hole you are aware of. There are plenty of people on this list who can follow the math, even if you can't.
There seems to be a decided lack of people on this list who can follow the English language and simply stated concepts. Once again, I am asked to 'admit' what I have already made plain.
What is this neurosis that everyone seems to have regarding PGP which leads them to demand hard-evidence of malfeasance before suggesting that one should not bend over in blind trust for encryption systems whose development was funded by the spooks, and whose method of implementation is a result of threats and coercion? Perhaps the government should have named their Key Escrow schemes "Zimmerman Escrow," instead, in order to take advantage of the bum-buddy mentality among the cypherpunks which seems to hold issues surrounding their holy icon to a different standard than other systems of encryption.
The denizens of the cypherpunks list often have math skills far above those to be found in some of the related 'science' forums, but they do not have a monopoly on clever use and manipulation of numbers, bits and bytes. The Navy's Onion Routing system is more sophisticated than their first cousins, the cypherpunks remailers, and there is no 'visible' hole or back-door in their work. I have not seen any great rush by anyone with half-a-brain, however, to indicate the remailers are being abandoned in favor of the Navy's product. Why is that? Could it have anything to do with the same issues I have raised in regard to RSA implementation?
I doubt that it would come as a surprise to anyone to know that the Navy also has mathematicians on the payroll, nor that their tentacles in the scientific community are not all wearing uniforms and saluting when their superiors enter the room. I also doubt that there are not those among the cypherpunks who are capable of writing a subroutine to take advantage of unique attributes of individual algorithms.
RSA has *not* had a good relationship with the USG, as those who have been following the matter over the years know well. Most recently, you will notice that it has licensed some of its patents to a Japanese chip maker in an effort to avoid problems with US export restrictions. Is this the action of a USG patsy?
Their actions resulted in their product infiltrating a market which is noted for being extremely hard to penetrate. Victims of con games are seldom fooled by the 'bad guy' in the ruse.
PGP 2.5 was released in March 1994, about a year after Phil was indicted. It took until January 1996 for the indictment to be dropped; nearly another two years. If a deal was struck, why did it take so long?
I have never contended that Mr. Zimmerman was part of any direct "deal" with the government or the prosecutors. His reputation capital, in my own mind, is high enough that I am certain that it would take a phenomenal amount of pressure in order to get him to betray his principles. On the other hand, only a fool would fail to take into consideration the fact that the government is fully capable of applying a phenomenal amount of pressure when they feel the stakes are high enough. The government, indeed, did not kiss Zimmerman 'on the lips' after the 'deal' with RSA was arranged, but they let his case simply run its natural course, with no additional pressure being applied.
The government simply ran out of legal pretexts under which to harass him.
Take a whiff of some smelling-salts, Peter. The government 'never' runs out of pretexts under which to harass someone who remains an actionable target in their minds. (Where were *you* when J.F.K was shot?)
Now that your supporting assertions have been shown to be flawed,
...battered, but still standing.
let's return to the original claims.
1. "PGP => 2.5 has been compromised." 2. "It is far, far easier to 'build' a back-door, than to 'find' one."
The problem, TM, is that we have full source code, and anyone with the intelligence and knowledge required can check it independently.
Check it for what? For 'tricks and techniques' that you *know* about? The fact that an individual has taught you 'everything you know' does not lead to the conclusion that they have taught you everything that 'they' know. I am sure you will agree, as well, that if a teenage hacker violates your system, leaving its entrails shredded, that it is small consolation that their math skills are not on a par with your own. Do people with superior knowledge of viruses leave their systems open to attack from unknown techniques? I don't think so.
Several years ago, I emailed MicroSoft a short post suggesting that they take steps to prevent their use of macros from being abused. The reply I received, politely telling me to 'piss off,' informed me that viruses could *not* be transmitted via "ASCII" files.
Your second claim, that it is easier to build a backdoor than to find one, is true but not pertinent. Let's try an analogy.
1. You buy a house from a builder. You, being paranoid, wonder if the builder has included a secret door to enable him to enter the house without your permission. You investigate what you can, but in the end are left with some doubts.
2. You buy a set of blueprints from the builder, and examine them carefully for weaknesses. You then buy a plot of land of your choice, hire the workers you want, get materials from any supplier you wish. You supervise the construction yourself down to the last detail. Others who have purchased the same blueprints include trusted independent architects and construction engineers, who concur with you that no hidden back doors can be found in the design. At this point, how worried are you that the builder has left himself an unauthorized entry?
This is the point at which I realize that the builder has been banging my wife, and that he 'leaked' a rumor of a 'secret' back-door so that I would be too busy to notice my wife letting him in the "back door" that was plainly visible in the blueprints. As well, if the blueprint bore the name of Doug Henning, would you be as secure in your belief that there were no secret doors in place?
What it comes down to "TM" is: Put up or shut up.
Your points are well taken, but far off the mark of the issue I raised, which was one of PGP having been "compromised." You make a strong case for the mathematical strength of RSA implementation having been scrupulously investigated, although not an airtight one, by any means. However, the issue of this or that system having been "compromised" has more to do with the concept, rather than the mathematics, of security.
At the risk of being labeled a tentacle of Dr. Vulis, I will use a "cocksucker" analogy, this being an area in which all factions of the cypherpunks list seem to claim knowledge (although on 'opposite' sides of the fence).
In the militaristic/spook scheme of things, a system or entity is deemed to be "compromised" if there is a *possibility* of what is sometimes called a *known/unknown* (KU) factor having been introduced into a *controlled* situation or system. i.e. During the Cold War, homosexuality was one of the fulcrums which could be used to pry open the security bonds between an agent and that agent's controller. This was a 'known' factor which raised alarms, and an agent or entity was deemed to be "compromised," regardless of whether this factor was considered to be 'unknown' to the enemy. Trusted systems, as we call them today, were automatically considered to be compromised if there was reason to suspect that they *could have been* compromised, even if it was 'unknown' whether or not they actually *were* compromised.
The case of Alan Turing is a prime example, here. Revelation that there existed a fulcrum point which enemy agents could well have used to compromise his work left it open to valid suspicion. It then behooved those with an interest in security matters to scrutinize not only his 'numbers,' but also his 'history,' and that of those around him. It also became in their best interest to assume that his work *had* been compromised, and to take measures to modify or alter it in ways that would conceivably affect any methodologies which were based on hidden designs or schemes.
Respond in a substantive manner. So far, you've avoided doing so.
The issues I raised were not of 'substance,' but of 'shadows.' Had RSA development and implementation been funded and controlled by the KGB, then I seriously doubt if the U.S. Military would have embraced it, no matter what the *numbers* showed. If cypherpunks have a lower standard of suspicion, then I am certain the government would be happy to provide them with *all* the software they care to use.
You can't spread FUD in a situation where there is no unknown to Fear, no Uncertainty to deal with, and no Doubt that we have all the knowledge we need.
If there is "no unknown to Fear," then perhaps you would be so kind to supply me with "substantive" information such as all of the top-secret government documents concerning encryption and the development of RSA.
If there is "no Uncertainty to deal with," then I assume that all mathematical possibilities have been discovered and are known to all members of the list, and that there will be no future developments in the field of mathematics or encryption.
If there is "no Doubt that (you) have all the knowledge (you) need," then there is a fellow I met in Chicago who runs a Pea/Shell game and, I am certain, would be happy to give you a 'chance' to exercise your Doubt-muscles.
Thank you for at least dealing with matters that are in the same ballpark as the issues I raised, as opposed to arguing over whether or not the Dodgers could beat the Sharks.
TruthMonger

TruthMonger wrote:
Peter Trei wrote:
Some handsome devil named "Truthmonger" writes:
Take a whiff of some smelling-salts, Peter. The government 'never' runs out of pretexts under which to harass someone who remains an actionable target in their minds. (Where were *you* when J.F.K was shot?)
Once you've been labeled a "conspiracy theorist", you should realize that you've been talking to people who are seeking after a smaller truth than you are. Like the newspapers they read, they'll get the story eventually.
Check out the stiff who's pictured with Phil in the MicroTimes current issue, his new partner or something. Phil looks happy, like they gave him a lifetime supply of double-stuff Oreos.
PGP really needed to be upgraded in several ways that have already been discussed (briefly!) on the list, but couldn't because:
1. Not enough money to pay to redevelop 60,000+ lines of code that would have to be optimized for consumer PC's.
2. BIG pressure from the feds to not implement new technology (and by that I don't mean elliptic curves or discrete logs or other stuff that was broken years ago).
3. "Competitors" and feds who have years of experience in actual disinformation sciences, spreading FUD (this could apply to me, of course, but I'm really not that kind of person).

Dale Thorn wrote:
TruthMonger wrote:
Peter Trei wrote:
Some handsome devil named "Truthmonger" writes:
Take a whiff of some smelling-salts, Peter. The government 'never' runs out of pretexts under which to harass someone who remains an actionable target in their minds. (Where were *you* when J.F.K was shot?)
Once you've been labeled a "conspiracy theorist", you should realize that you've been talking to people who are seeking after a smaller truth than you are. Like the newspapers they read, they'll get the story eventually.
Dale, I will always remember reading a magazine piece by a fellow who described the increasing persecution of the Jews in Nazi Germany, and the abuses to which he was himself subjected. However, when describing the night when the jackboots kicked in his door to take his family to the death camps, he begins his account by saying, "They came without warning..." I remember thinking, "Buy a clue, dude!"
Check out the stiff who's pictured with Phil in the MicroTimes current issue, his new partner or something. Phil looks happy, like they gave him a lifetime supply of double-stuff Oreos.
Are both of Phil's partner's arms in plain view, or is his partner perhaps holding a gun on him?
PGP really needed to be upgraded in several ways that have already been discussed (briefly!) on the list, but couldn't because:
2. BIG pressure from the feds to not implement new technology (and by that I don't mean elliptic curves or discrete logs or other stuff that was broken years ago).
I agree with TruthMonger's position that the very fact of extreme pressure being applied should be grounds for considering that perhaps PGP might have been compromised at some level, no matter what an analysis of the "numbers" shows, or one's faith in Philly Z. However, I would expand this argument to conclude that all encryption software should be considered "compromised", for the purposes of ultra-level security, given the influences of spooks and shadows during the whole course of encryption development. I think that anyone who would use 'any' encryption software 'out of the package' for matters that would seriously impact their life and liberty, should the contents be discovered, is not working on all cylinders.
There seems to be some weakly thought out definition of 'paranoia' going around which deems it to be the feeling you are supposed to get when you hear the sound of the jackboots on your door. Excuse me for disagreeing, but I believe the proper feeling at that point in time may be resignation to your own death (and a firm resolve not to go 'alone' into that dark night). Or, if your door is strong enough, you might have one last chance to play "Hide the Salami" with Lady Byrd.
Someone suggested to me, in private email, that they would suspect TruthMonger to be a Toto testicle, except for the lack of humor in any of his posts. However, I couldn't help but notice that TruthMonger's original post in this thread was a reply to a request for information in regard to "Anonymous Nymserver at anon.nymserver.com", and a request for an opinion as to the competence and integrity of those involved in its operation. Neither could I help noticing that TruthMonger's reply, which had mercilessly slammed both the integrity and motivations behind all remailer operations, and which suggested that one unequivocally mistrust all of them, was sent from the very anon-server in question. Make of this what you will, but bear in mind that Hypocrisy and Humor are not all that far apart in the dictionary.
--
Toto
"The Xenix Chainsaw Massacre"
http://bureau42.base.org/public/xenix/xenbody.html

Toto wrote:
I will always remember reading a magazine piece by a fellow who described the increasing persecution of the Jews in Nazi Germany, and the abuses to which he was himself subjected. However, when describing the night when the jackboots kicked in his door to take his family to the death camps, he begins his account by saying, "They came without warning..."
Gosh, I feel bad whipping on one of the old/reliable/reputable posters here, but, this seems to perfectly describe one T.C. May and how he just couldn't believe what Sandy was doing, or that Sandy would consider the c-punks' reputation to be expendable.
Check out the stiff who's pictured with Phil in the MicroTimes current issue, his new partner or something. Phil looks happy, like they gave him a lifetime supply of double-stuff Oreos.
Are both of Phil's partner's arms in plain view, or is his partner perhaps holding a gun on him?
I think someone else has a gun on both of them. The "partner" is wearing a badly-composed grin, but then he may have been pulled out of the closet at the last moment for the photo, and the light could be bothering him.
I agree with TruthMonger's position that the very fact of extreme pressure being applied should be grounds for considering that perhaps PGP might have been compromised at some level, no matter what an analysis of the "numbers" shows, or one's faith in Philly Z.
Not only the software, but folks get lulled into complacency with the "new, distributed" lists, thinking that since Gilmore/Sandfort are "gone", everything is going to be OK from now on.
There seems to be some weakly thought out definition of 'paranoia' going around which deems it to be the feeling you are supposed to get when you hear the sound of the jackboots on your door. Excuse me for disagreeing, but I believe the proper feeling at that point in time may be resignation to your own death (and a firm resolve not to go 'alone' into that dark night).
I have a Sid Vicious t-shirt that says "never let them take you alive". I really enjoyed the story of the Warsaw ghetto uprising when I first heard it, and whereas Sid and the Warsaw dwellers are from a different time and mindset, I think us modern folks can draw the appropriate analogies.
Or, if your door is strong enough, you might have one last chance to play "Hide the Salami" with Lady Byrd.
A gun in one hand and a babe in the other - what a privilege to be an American!! BTW, I saw an all-stainless Colt King Cobra .357 in a pawn shop the other day for $475. Clean as a whistle. I snatched that puppy up real quick. It would be my dying wish to have some otherwise faceless bureaucrat be the recipient of its intended use, should it come to that.
Someone suggested to me, in private email, that they would suspect TruthMonger to be a Toto testicle, except for the lack of humor in any of his posts. However, I couldn't help but notice that TruthMonger's original post in this thread was a reply to a request for information in regard to "Anonymous Nymserver at anon.nymserver.com", and a request for an opinion as to the competence and integrity of those involved in its operation.
Exactly. Now who would be taking an option on throwaways like that?
Neither could I help noticing that TruthMonger's reply, which had mercilessly slammed both the integrity and motivations behind all remailer operations, and which suggested that one unequivocally mistrust all of them, was sent from the very anon-server in question. Make of this what you will, but bear in mind that Hypocrisy and Humor are not all that far apart in the dictionary.
[hee hee hee]

Dale Thorn wrote:
A gun in one hand and a babe in the other - what a privilege to be an American!! BTW, I saw an all-stainless Colt King Cobra .357 in a pawn shop the other day for $475. Clean as a whistle. I snatched that puppy up real quick. It would be my dying wish to have some otherwise faceless bureaucrat be the recipient of its intended use, should it come to that.
Sounds kinda expensive. What kind of gun is that? - Igor.

Igor Chudov @ home wrote:
Dale Thorn wrote:
A gun in one hand and a babe in the other - what a privilege to be an American!! BTW, I saw an all-stainless Colt King Cobra .357 in a pawn shop the other day for $475. Clean as a whistle. I snatched that puppy up real quick. It would be my dying wish to have some otherwise faceless bureaucrat be the recipient of its intended use, should it come to that.
Sounds kinda expensive. What kind of gun is that?
I hadn't shopped for a gun in 10 years, and the only high-quality Colt revolver I knew of then was the Python, which was $675 new in 1986. I'm sure the equivalent today would be $1200 or more, so I thought the Cobra at $475 used was a good deal. I assume the Cobra is equivalent to the Python, it sure looks and feels like it. If you're familiar with these things, you can tell a lot just by pulling the trigger and "feeling" the action.
participants (5)
- Dale Thorn
- ichudov@algebra.com
- Peter Trei
- Toto
- TruthMonger