
Re: Anonymous Nymserver: anon.nymserver.com



Someone mistitling itself "Truthmonger" writes:

>   Now that you seem to have actually read what I have written, perhaps 
> you might consider reading what you, yourself, have written.
>   I stated my case for contending that PGP=>2.5 has been compromised, 
> and got back wild-eyed demands for proof of that which I did not
> claim, mainly, that PGP had been 'broken.'

>   To reiterate my original observations:
> 1. The development of RSA was funded and controlled by the spooks.
> i.e. - The National Science Foundation and the Navy.
> 2. The campaign of persecution against Phil Zimmermann ground to a
> halt once he agreed to PGP using the spook-developed RSAREF subroutines
> to implement the RSA functions, instead of PGP's original subroutines.

>   If people with guns came to me and told me that software I had 
> written now had to use their subroutines, instead of my own, then
> I would consider my software 'compromised', regardless of whether
> or not I could immediately discern any anomalies in it.
>   It is far, far easier to 'build' a back-door, than to 'find' one.

"TM" (I can't bring myself to use its full name, since it is so
totally inappropriate) has made the following claims:

1. "PGP => 2.5 has been compromised."
2. "It is far, far easier to 'build' a back-door, than to 'find' 
    one."

His main argument rests on the fact that the later versions
of PGP use RSAREF, rather than Phil's own code.

As support of the first claim, he claims:

> 1. The development of RSA was funded and controlled by the spooks.
> i.e. - The National Science Foundation and the Navy. 

I'm not sure what you're referring to with "RSA" here - is it the 
algorithm or the company? 

If it's the algorithm, you may or may not have the intellectual capacity 
to verify it yourself - if you don't you have no business telling us it's 
compromised, and if you do, either publish the problem (and claim your 
15 minutes of fame), or admit there is no hole you are aware of. 
There are plenty of people on this list who can follow the math, even
if you can't.

If it's the company, then you are either ignorant or lying. RSA has 
*not* had a good relationship with the USG, as those who have been 
following the matter over the years know well. Most recently, you 
will notice that it has licensed some of its patents to a Japanese
chip maker in an effort to avoid problems with US export 
restrictions. Is this the action of a USG patsy?

> 2. The campaign
> of persecution against Phil Zimmermann ground to a halt once he
> agreed to PGP using the spook-developed RSAREF subroutines to
> implement the RSA functions, instead of PGP's original subroutines.

PGP 2.5 was released in March 1994, about a year after Phil was
indicted. It took until January 1996 for the indictment to be dropped;
nearly another two years. If a deal was struck, why did it take so
long? The dismissal of Phil's persecution was almost certainly due to
(a) the approach of the statute of limitations, and (b), the very 
high probability that he would be found innocent if they took him 
to trial. The government simply ran out of legal pretexts under 
which to harass him.

Now that your supporting assertions have been shown to be flawed,
let's return to the original claims.

1. "PGP => 2.5 has been compromised."
2. "It is far, far easier to 'build' a back-door, than to 'find' 
    one."

The problem, TM, is that we have full source code, and anyone
with the intelligence and knowledge required can check it
independently. PGP and RSAREF are both distributed as source.
There is not one byte of instructions or data that have to 
be accepted on faith - no precompiled libraries, no mysterious
DLLs or ActiveX controls. 

If there is a backdoor, show it to us.

Your second claim, that it is easier to build a backdoor than to
find one, is true but not pertinent. Let's try an analogy.

1. You buy a house from a builder. You, being paranoid, wonder if
the builder has included a secret door to enable him to
enter the house without your permission. You investigate what you
can, but in the end are left with some doubts.

2. You buy a set of blueprints from the builder, and examine them
carefully for weaknesses. You then buy a plot of land of your choice, 
hire the workers you want, get materials from any supplier you wish. 
You supervise the construction yourself down to the last detail. 
Others who have purchased the same blue prints include trusted 
independent architects and construction engineers, who concur with you 
that no hidden back doors can be found in the design. At this 
point, how worried are you that the builder has left himself an 
unauthorized entry?

The situation with PGP >=2.5 is like the second scenario, not the 
first.

What it comes down to "TM" is: Put up or shut up. You can't spread
FUD in a situation where there is no unknown to Fear, no Uncertainty
to deal with, and no Doubt that we have all the knowledge we need.

Respond in a substantive manner. So far, you've avoided doing so.

Peter Trei
[email protected]