
Re: Anonymous Nymserver: anon.nymserver.com




Peter Trei wrote:
> Some handsome devil named "Truthmonger" writes:
 
> >   I stated my case for contending that PGP=>2.5 has been compromised,
> > and got back wild-eyed demands for proof of that which I did not
> > claim, mainly, that PGP had been 'broken.'
> 
> >   To reiterate my original observations:
> > 1. The development of RSA was funded and controlled by the spooks.
> > i.e. - The National Science Foundation and the Navy.
> > 2. The campaign of persecution against Phil Zimmermann ground to a
> > halt once he agreed to PGP using the spook-developed RSAREF subroutines
> > to implement the RSA functions, instead of PGP's original subroutines.
> 
> >   If people with guns came to me and told me that software I had
> > written now had to use their subroutines, instead of my own, then
> > I would consider my software 'compromised', regardless of whether
> > or not I could immediately discern any anomalies in it.
> >   It is far, far easier to 'build' a back-door, than to 'find' one.
> 
> His main argument rests on the fact that the later versions
> of PGP use RSAREF, rather than Phil's own code.

  It is rather surprising to have anyone on this list actually address
the issues I raised but, all the same, you seem to want to label the
detail you wish to address as my 'main' argument.
 
> As support of the first claim, he claims:
> > 1. The development of RSA was funded and controlled by the spooks.
> > i.e. - The National Science Foundation and the Navy.
 
> If it's the algorithm, you may or may not have the intellectual capacity
> to verify it yourself - if you don't you have no business telling us it's
> compromised, and if you do, either publish the problem (and claim your
> 15 minutes of fame), or admit there is no hole you are aware of.
> There are plenty of people on this list who can follow the math, even
> if you can't.

  There seems to be a decided lack of people on this list who can follow
the English language and simply stated concepts.
  Once again, I am asked to 'admit' what I have already made plain.
  What is this neurosis that everyone seems to have regarding PGP which
leads them to demand hard-evidence of malfeasance before suggesting
that one should not bend over in blind trust for encryption systems
whose development was funded by the spooks, and whose method of
implementation is a result of threats and coercion?
  Perhaps the government should have named their Key Escrow schemes
"Zimmermann Escrow," instead, in order to take advantage of the bum-buddy
mentality among the cypherpunks which seems to hold issues
surrounding their holy icon to a different standard than other systems
of encryption.

  The denizens of the cypherpunks list often have math skills far above
those to be found in some of the related 'science' forums, but they do
not have a monopoly on clever use and manipulation of numbers, bits
and bytes.
  The Navy's Onion Routing system is more sophisticated than their first
cousins, the cypherpunks remailers, and there is no 'visible' hole or
back-door in their work. I have not seen any great rush by anyone with
half-a-brain, however, to indicate the remailers are being abandoned in
favor of the Navy's product.
  Why is that? Could it have anything to do with the same issues I have
raised in regard to RSA implementation?

  I doubt that it would come as a surprise to anyone to know that the
Navy also has mathematicians on the payroll, nor that their tentacles
in the scientific community are not all wearing uniforms and saluting
when their superiors enter the room.
  I also doubt that there are not those among the cypherpunks who are
capable of writing a subroutine to take advantage of unique attributes
of individual algorithms.
  
> RSA has
> *not* had a good relationship with the USG, as those who have been
> following the matter over the years know well. Most recently, you
> will notice that it has licensed some of its patents to a Japanese
> chip maker in an effort to avoid problems with US export
> restrictions. Is this the action of a USG patsy?

  Their actions resulted in their product infiltrating a market which
is noted for being extremely hard to penetrate. Victims of con games
are seldom fooled by the 'bad guy' in the ruse.

> PGP 2.5 was released in March 1994, about a year after Phil was
> indicted. It took until January 1996 for the indictment to be dropped;
> nearly another two years. If a deal was struck, why did it take so
> long?

  I have never contended that Mr. Zimmermann was part of any direct
"deal" with the government or the prosecutors.
  His reputation capital, in my own mind, is high enough that I am
certain that it would take a phenomenal amount of pressure in order
to get him to betray his principles.
  On the other hand, only a fool would fail to take into consideration
the fact that the government is fully capable of applying a phenomenal
amount of pressure when they feel the stakes are high enough.
  The government, indeed, did not kiss Zimmermann 'on the lips' after
the 'deal' with RSA was arranged, but they let his case simply run
its natural course, with no additional pressure being applied.

> The government simply ran out of legal pretexts under
> which to harass him.

  Take a whiff of some smelling-salts, Peter. The government 'never' 
runs out of pretexts under which to harass someone who remains an
actionable target in their minds.
  (Where were *you* when J.F.K was shot?)
 
> Now that your supporting assertions have been shown to be flawed,

  ...battered, but still standing.

> let's return to the original claims.
 
> 1. "PGP => 2.5 has been compromised."
> 2. "It is far, far easier to 'build' a back-door, than to 'find'
>     one."
 
> The problem, TM, is that we have full source code, and anyone
> with the intelligence and knowledge required can check it
> independently.

  Check it for what? For 'tricks and techniques' that you *know*
about?
  The fact that an individual has taught you 'everything you know'
does not lead to the conclusion that they have taught you everything
that 'they' know.
  I am sure you will agree, as well, that if a teenage hacker violates
your system, leaving its entrails shredded, that it is small consolation
that their math skills are not on a par with your own. Do people with
superior knowledge of viruses leave their systems open to attack from
unknown techniques? I don't think so.
  Several years ago, I emailed Microsoft a short post suggesting that
they take steps to prevent their use of macros from being abused. The
reply I received, politely telling me to 'piss off,' informed me that
viruses could *not* be transmitted via "ASCII" files.

> Your second claim, that it is easier to build a backdoor than to
> find one, is true but not pertinent. Let's try an analogy.
 
> 1. You buy a house from a builder. You, being paranoid, wonder if
> the builder has included a secret door to enable him to
> enter the house without your permission. You investigate what you
> can, but in the end are left with some doubts.
 
> 2. You buy a set of blueprints from the builder, and examine them
> carefully for weaknesses. You then buy a plot of land of your choice,
> hire the workers you want, get materials from any supplier you wish.
> You supervise the construction yourself down to the last detail.
> Others who have purchased the same blue prints include trusted
> independent architects and construction engineers, who concur with you
> that no hidden back doors can be found in the design. At this
> point, how worried are you that the builder has left himself an
> unauthorized entry?

  This is the point at which I realize that the builder has been banging
my wife, and that he 'leaked' a rumor of a 'secret' back-door so that
I would be too busy to notice my wife letting him in the "back door"
that was plainly visible in the blueprints.
  As well, if the blueprint bore the name of Doug Henning, would you be
as secure in your belief that there were no secret doors in place?

> What it comes down to "TM" is: Put up or shut up. 

  Your points are well taken, but far off the mark of the issue I 
raised, which was one of PGP having been "compromised." You make a
strong case for the mathematical strength of RSA implementation 
having been scrupulously investigated, although not an airtight one,
by any means. However, the issue of this or that system having been
"compromised" has more to do with the concept, rather than the
mathematics, of security.

  At the risk of being labeled a tentacle of Dr. Vulis, I will use a
"cocksucker" analogy, this being an area in which all factions of the
cypherpunks list seem to claim knowledge (although on 'opposite'
sides of the fence).

  In the militaristic/spook scheme of things, a system or entity is 
deemed to be "compromised" if there is a *possibility* of what is 
sometimes called a *known/unknown* (KU) factor having been introduced 
into a *controlled* situation or system.
  i.e. During the Cold War, homosexuality was one of the fulcrums which
could be used to pry open the security bonds between an agent and that
agent's controller.
   This was a 'known' factor which raised alarms, and an agent or entity
was deemed to be "compromised," regardless of whether this factor was
considered to be 'unknown' to the enemy. Trusted systems, as we call
them today, were automatically considered to be compromised if there
was reason to suspect that they *could have been* compromised, even if
it was 'unknown' whether or not they actually *were* compromised.

  The case of Alan Turing is a prime example, here. Revelation that
there existed a fulcrum point which enemy agents could well have used
to compromise his work left it open to valid suspicion.
  It then behooved those with an interest in security matters to 
scrutinize not only his 'numbers,' but also his 'history,' and that
of those around him. It also became in their best interest to assume
that his work *had* been compromised, and to take measures to modify
or alter it in ways that would conceivably affect any methodologies
which were based on hidden designs or schemes.

 
> Respond in a substantive manner. So far, you've avoided doing so.

  The issues I raised were not of 'substance,' but of 'shadows.' 
  Had RSA development and implementation been funded and controlled by
the KGB, then I seriously doubt if the U.S. Military would have embraced
it, no matter what the *numbers* showed.
  If cypherpunks have a lower standard of suspicion, then I am certain
the government would be happy to provide them with *all* the software
they care to use.

>  You can't spread
> FUD in a situation where there is no unknown to Fear, no Uncertainty
> to deal with, and no Doubt that we have all the knowledge we need.

  If there is "no unknown to Fear," then perhaps you would be so kind
to supply me with "substantive" information such as all of the top-
secret government documents concerning encryption and the development
of RSA.
  If there is "no Uncertainty to deal with," then I assume that all
mathematical possibilities have been discovered and are known to all
members of the list, and that there will be no future developments in
the field of mathematics or encryption.
  If there is "no Doubt that (you) have all the knowledge (you) need,"
then there is a fellow I met in Chicago who runs a Pea/Shell game and,
I am certain, would be happy to give you a 'chance' to exercise your
Doubt-muscles.

  Thank you for at least dealing with matters that are in the same
ballpark as the issues I raised, as opposed to arguing over whether
or not the Dodgers could beat the Sharks.
 
TruthMonger