[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Validating a program




On Thu, 7 Nov 1996 14:41:06 -0500 (EST) Adam Shostack <[email protected]>
writes:
>
>Dale Thorn wrote:
>| [email protected] wrote:
>| > >> On Tue, 5 Nov 1996, Edward R. Figueroa wrote:
>| > >> > Last,  I would like to know once and for all,  is PGP 
>compromised,  is
>| > >> > there a back door, and have we been fooled by NSA to believe
>| > >> > it's secure? 
>| > You can read and compile the source code yourself.
>
>| Really?  All 60,000 or so lines, including all 'includes' or 
>attachments?
>| 
>| I'll bet you can't find 10 out of 1,000 users who have read the 
>total source,
>| let alone comprehended and validated it.
>
>	The fact that most readers have not examined it does not mean
>that the availability of the source is not important.  If the source
>was tightly held, perhaps some experts would have seen it.  Thats not
>likely, security experts are in high demand today, with companies
>paying a lot for their time.  Phil could not have competed.
>
>	In addition, up and coming experts, curious amatuers, and
>students couldn't have looked at it.  Having your protocol open to
>wide review is a good thing even if few people take advantage of it,
>because you may hire the wrong experts.  The experts you hire may miss
>something.  Someone may have a new attack under development, and not
>be able to try it against your software.
>
>	The multitude of hackers who ported pgp also contributed a
>large stack of bug reports and fixes.  Without source availablity, the
>mac, os/2, amiga & UNIX ports would be held up, or perhaps not exist.
>
>	Publicly distributed source code also tends to be of higher
>quality (see Fuzz Revisited, at grilled.cs.wisc.edu)
>
>
>	In short, if you're paranoid, feel free to look over the
>source.  But the fact that most people have never peeked under the
>hood is not a strike against pgp at all.
>
>
>
>-- 
>"It is seldom that liberty of any kind is lost all at once."
>					               -Hume
>
>
>
>
Maybe you missed my point, or I miss-communicated.  My question is as
follows:  If PGP and DES are as secure as thought to be, then why is it
not ruled illegal software, just as they do with silencers, narcotics,
certain type weapons, etc.....    My opinion is "NOT  A PARANOID VIEW, BUT RATHER A REALITY".   I find it impossible that software that could be a National Security Threat, being shared by the masses!    I believe
either people are nieve, or ignorant of the capability of the NSA.    If
there are "back-doors to the algorithms, you can bet your life you and no
one else will find out.     The conceivability that encryption on the Net
is safe, is ludicrous!

Just my thoughts, and not paranoia.


Ed