Re: Validating a program



Dale Thorn wrote:
| Adam Shostack wrote:
| > Dale Thorn wrote:
| > | [email protected] wrote:
| > | > >> On Tue, 5 Nov 1996, Edward R. Figueroa wrote:
| > | > >> > Last,  I would like to know once and for all,  is PGP compromised,  is
| > | > >> > there a back door, and have we been fooled by NSA to believe it's secure?
| 
| > | > You can read and compile the source code yourself.
| 
| > | Really?  All 60,000 or so lines, including all 'includes' or attachments?
| > | I'll bet you can't find 10 out of 1,000 users who have read the total source,
| > | let alone comprehended and validated it.
| 
| [snip]
| 
| > In short, if you're paranoid, feel free to look over the source.  But the fact that
| > most people have never peeked under the hood is not a strike against pgp at all.
| 
| The quip about peeking under the hood may apply OK to an automobile, but to a program
| which encrypts?  Granted that most messages (99+ % ??), if read by NSA et al, won't
| put the sender in any great danger, but when the application is really serious, as it
| always is sooner or later, you must realize that people could be taking great risks
| with PGP encryption, and "pretty sure" isn't good enough when it's really, really
| vital to have bulletproof security.

	You're wrong.

	People can make their own choices about what level of risk
they're willing to accept.  That they make bad choices is not my
problem, except when they're paying for my opinion.

Adam



-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume