1993-11-05 - Re: ViaCrypt PGP has arrived

Header Data

From: pierre@shell.portal.com (Pierre Uszynski)
To: cypherpunks@toad.com
Message Hash: dca24fe359ac4c73cd2428635f88aa72dd5e7ad1bbe62ca7394de12ef7845ceb
Message ID: <9311051556.AA16560@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1993-11-05 15:57:46 UTC
Raw Date: Fri, 5 Nov 93 07:57:46 PST

Raw message

From: pierre@shell.portal.com (Pierre Uszynski)
Date: Fri, 5 Nov 93 07:57:46 PST
To: cypherpunks@toad.com
Subject: Re:  ViaCrypt PGP has arrived
Message-ID: <9311051556.AA16560@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


> From: jim@bilbo.suite.com (Jim Miller)
[...]
> I realize that by not compiling the code myself on my own machine I basically  
> have to trust the ViaCrypt PGP implementation.  So be it.  If there is  
> something wrong with ViaCrypt PGP I believe it will eventually be discovered.   
> Somebody will no doubt disassemble it and look for backdoors.  If someone finds  
> one, ViaCrypt's reputation will be worthless.  It's in ViaCrypt's best interest
> not to put in any backdoors.

Unfortunately, backdoors have not been the main security problem in
commercial system software; bugs and "honest mistakes" have been.
Unfortunately too, there has been very little pressure by customers
to hold companies accountable for the software they ship. Usually
somebody uncovers a bug, uses it for a while, is detected, and that causes
(in the best case) the software company to issue a new patch. Some
distribute the patches for free, some make you pay big bucks for it.

But never is the company really harmed by the fact that it claimed
some level of security (or functionality), and was not providing it.

If, in the future, ViaCrypt says "ooops, there was a debugging switch
left on when we compiled, here is a free patch." would you discard your
ViaCrypt PGP, buy the competitor's version (there is none), and sue them?
Did they include any disclaimer in the license?

Call me cynical,
Pierre.
pierre@shell.portal.com




