1993-05-27 - Re: VinCrypt

Header Data

From: greg@ideath.goldenbear.com (Greg Broiles)
To: cypherpunks@toad.com
Message Hash: c32d6f988aed3e8a84200ae1441664ce1379af0e18469844299d54419449def9
Message ID: <5T774B1w164w@ideath.goldenbear.com>
Reply To: N/A
UTC Datetime: 1993-05-27 07:59:12 UTC
Raw Date: Thu, 27 May 93 00:59:12 PDT

Raw message

From: greg@ideath.goldenbear.com (Greg Broiles)
Date: Thu, 27 May 93 00:59:12 PDT
To: cypherpunks@toad.com
Subject: Re: VinCrypt
Message-ID: <5T774B1w164w@ideath.goldenbear.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

J. Michael Diehl <uunet!triton.unm.edu!mdiehl> writes:

> > Even as a former 'hacker' myself, the second to last person I would
> > trust not to install a backdoor (next to the NSA) is a hacker.
>
> Are you meaning to imply that there is a backdoor in this package?  If so, how
> do you justify this claim?

It seems safer to assume that the software is insecure, until proven
otherwise. This is the approach that's been taken with the Clipper
chip, and seemed reasonable in that case - I suggest that it is in
this case, as well.

> > In addition, merely having been a systems hacker hardly qualifies
> > one for writing complex crypto software.  Without any assurance as
> > to the authors' qualifications for writing a crypto package, or
> > their integrity.  Even if I could trust their integrity, I'm very
> > leery of black-box software.
>
> You seem to know something about them that I do not.  Care to share your
> knowledge?  Thanx in advance.

Rather, the original poster (Clark Reynard) seems to *not* have
information - e.g., information about how or why the author(s) of this
crypto package are trustable, or why we should consider their software
secure if we can't look at the source.

If they are so naive as to think that the NSA can't afford a copy of
Sourcer and a few person-hours to disassemble VinCrypt, what other
(absurd) assumptions have they made? If a machine can execute it, a
machine (or a machine and a person) can disassemble it. I can't believe
that anyone's willing to take this VinCrypt crap even a little bit
seriously. Any dork with a laser printer can print up a press release
and mail it out - looks like maybe this was a slow week for the
computer press.

As far as I can tell, we're supposed to assume that VinCrypt is useful
software because of the political/social perspective of its authors.
While I share their suspicion of the powers that be, I do not trust them
to write software that is free of intentional and/or nonintentional
weaknesses.


-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBLARuSX3YhjZY3fMNAQESdQP+LP7jdBJLzvzDItehb4Lwwwch9Wi1LfS6
5pvPd/+NeXYNb2RDYSbf7RNvQ6nQTgLYvD9cs8Xw5kXAJzhA/6PVULgMj66OsC63
3SMeVzQuu3Ui0Ki0nF+RslKNDL/gffurPSzJ9Pwn4uCiAFiXObjkriYE5M02bJOw
Ax7pVUq7ueQ=
=Mj7Z
-----END PGP SIGNATURE-----

--
Greg Broiles                            greg@goldenbear.com
Golden Bear Computer Consulting         +1 503 465 0325
Box 12005 Eugene OR 97440               BBS: +1 503 687 7764




