From: Dan Harmon <harmon@tenet.edu>
Date: Sun, 12 Jun 94 15:36:53 PDT
To: cypherpunks@toad.com
Subject: MacPGP 2.6 (fwd)
Message-ID: <Pine.3.89.9406121741.B273-0100000@Joyce-Perkins.tenet.edu>
MIME-Version: 1.0
Content-Type: text/plain



Just food for thought!


---------- Forwarded message ----------
Date: Sun, 12 Jun 1994 12:44:52 -0700
From: Eric Bear Albrecht <ebear@presto.com>
To: Dan Harmon <harmon@tenet.edu>
Subject: MacPGP 2.6

That signature block in your message seemed awfully short -- does that
indicate a wimpy system?  Read the following excerpt and cogitate on it:

------

Computer underground Digest    Sun  June 5, 1994   Volume 6 : Issue 49
                           ISSN  1004-042X

...

CONTENTS, #6.49 (June 5, 1994)

File 1--AT&T Lab Scientist Discovers Flaw in Clipper Chip
File 2--Jacking in from the SNAFU Port (Clipper Snafu update)
File 3--Jacking in from the "We Knew It All Along" Port (Clipper)
File 4--Crackdown on Italian BBSes Continues
File 5--Norwegian BBS Busts / BitPeace
File 6--BSA: Software Piracy  Problem Shows no Sign of Easing
File 7--Re: "Problems at TCOE" (CuD 6.47)
File 8--Is there an MIT/NSA link-up for PGP 2.6? Some Info

...


------------------------------

Date: Mon, 30 May 1994 18:04:50 -0500 (CDT)
From: tlawless@WHALE.ST.USM.EDU(Timothy Mark Lawless)
Subject: File 8--Is there an MIT/NSA link-up for PGP 2.6? Some Info

For the past week our Unix machine has been down (Might have gotten
some mail bounces) because of a security violation. Durring that week
i re-discovered bbs's. One peice of info i found (And also got the
authors's permission to reprint (At the end) relevent to pgp I thought
i would pass on.

D Area: CypherMail DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  Msg#: 19                                           Date: 05-24-94  19:47
  From: Leland Ray                                   Read: Yes    Replied: No
    To: All                                          Mark:
  Subj: More on PGP 2.5 & 2.6
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
-----BEGIN PGP SIGNED MESSAGE-----

The following is the complete, unedited plaintext of a message I
received via CompuServe from Christopher W. Geib, a software developer
who spent several years as a military intelligence officer.  Chris has
written a very fine Windows interface for PGP which I'll be uploading
as soon as I get the newest release (with Chris's permission, of
course).  I trust his judgment on this one.

 ~~~ =====(Begin plaintext)=====

Leland,

I sent this to Mich Kabay of the NCSA Forum.  Thought you might find it of
interest. Note that 2.5 is also a MIT/NSA concoction.

Chris
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Mich,

As I reflected on more and more on this posting, it occurred to me
that I was smelling a rat.  The NCSA Forum members and others who
visit here should give thought to this issue.  A puzzle of sorts seems
to be developing regarding PGP in general, and private possession of
crypto in particular.  Let me provide some pieces to this puzzle, and
perhaps you and others may begin to see the bigger picture that seems
to be unfolding.

Piece #1:  As you may already know, MIT is the single largest ($'s)
outside contractor to the NSA.

Piece #2:  MIT is frustrated they feel that they have been somehow
cheated financially by the proliferation of PGP 2.3a as freeware. (I
still think that is insane as RSA was developed using public funding)

Piece #3:  NSA is frustrated because of the apparent strength of the
imported Idea(tm) cipher.

Piece #4:  NSA is pushing the Clipper crypto technology so that Big
Brother can have a free and easy backdoor to violate the privacy of
Americans.  Note too, that Clipper technology was assisted along by
MIT.

Piece #5:  PGP 2.6 will *not* be compatible with 2.3a after Sept 1994
for 2-way encryption.  This accomplishes reduced international secure
traffic by private individuals and businesses.  This is exactly the
same problem that Clipper has.

Have you begun to see the big Puzzle Palace picture yet?  Unless my
eyes deceive me, I would say this, MIT and NSA have teamed up together
on PGP 2.6!  This version, until proven otherwise (through examination
of the source code, etc.), is likely to contain a backdoor big enough
to drive a Mack truck through it.  The back door is likely similar to
Clipper and for the same intent.  Given how much flak NSA has gotten
over Clipper, NSA will very likely stay very mum about the whole
issue.  The big winners are NSA and MIT.  They both get exactly what
each has wanted all along.  MIT gets royalties they think they
deserve, NSA gets what they intend to have anyway, a means to continue
listening into citizens private conversations.  NSA also wins on the
international front by reducing it's workload of analyzing
international encrypted traffic.  Business and the citizens lose
because it isolates the US from Europe and the international
marketplace.

I strongly recommend that anyone who acquires PGP 2.6 do so with a
jaundiced eye.  Until the private sector can review, and analyze this
new MIT/NSA system, one *must* assume that it is as if it contained a
virus, one you may never know it has.  I for one will continue with
the present version as it's inventors have no reason to capture
private communications.

If you think appropriate, please upload to Internet Risks with my
blessings.

Respectfully,

Christopher W. Geib

 ~~~ =====(End of plaintext)=====

So you decide, guys.  Is it worth the risk?  Again, just some
thoughts, but remember this:  if you go to either ver. 2.5 or 2.6,
you'll probably have to revoke your ver. 2.3 keys and start afresh
with new ones, which might not be secure in the first place.

LR

... If the Pope's phones weren't secure, PGP would be a sacrament.

((Post obtaining reprint permission deleted))

...



               **      The wonderful thing about standards      **
               **   is that there are so many to choose from.   **

        Eric Bear Albrecht   ebear@presto.com    W5VZB      Box 6040
        505-758-0579         fax 505-758-5079            Taos, NM 87571