1994-04-22 - Re: DId you ever think…

Header Data

From: Jim Gillogly <jim@rand.org>
To: cypherpunks@toad.com
Message Hash: 647cde2d4b9e930da35ede0259f7997c5a136929460b085a87d738e64bf9ecd0
Message ID: <9404221800.AA00472@mycroft.rand.org>
Reply To: <9404221630.AA02111@sauron.hope.edu>
UTC Datetime: 1994-04-22 18:01:04 UTC
Raw Date: Fri, 22 Apr 94 11:01:04 PDT

Raw message

From: Jim Gillogly <jim@rand.org>
Date: Fri, 22 Apr 94 11:01:04 PDT
To: cypherpunks@toad.com
Subject: Re: DId you ever think...
In-Reply-To: <9404221630.AA02111@sauron.hope.edu>
Message-ID: <9404221800.AA00472@mycroft.rand.org>
MIME-Version: 1.0
Content-Type: text/plain

> beckman@sauron.cs.hope.edu (Peter Beckman) writes:
> Did anyone ever think that maybe, just maybe, PGP was developed, and before the
> programmer started giving it away for free, that he was paid by the government
> to give them the key which can unlock ANY PGP locked document/file/etc???  I

It's more likely that the government after the fact has started trying to
spread the rumor that PGP has an intentional hole in it or can be broken
easily.  I've seen a number of rumors of this kind, and at least one of
the latter (i.e. they can read traffic with 1024-bit keys easily, but 2-4K
keys might make them sweat) was encouraged by a visiting NSA guy, according
to the person who posted it.  The frequent postings of the first rumor (prz
corrupted) to a.s.pgp look orchestrated to me... but then I'm a bit paranoid.

> distributing, etc... Makes you wonder huh... It's possible.  Maybe he wrote in
> the PGP program a loophole in the encryption so that he could decrypt anything

No, doesn't make me wonder, no, it's not possible.  Read the code -- it's
all free.  If you don't read C, find somebody you trust to read it to you.
Read the math -- it's all been published and vetted by experts.  Watch the
emerging analysis of IDEA; watch the factoring records and the amount of
time required for them.  Don't trust the executables -- recompile it
yourself with a different compiler... they can't hack 'em all.

If you don't know anybody you trust to read code and compile for you,
you're not in a strong enough position to worry about your own security
anyway.  Yes, that's elitist -- sue me.  It's <your> security, so <you>
have to pay attention to the developments that affect it.

	Jim Gillogly
	1 Thrimidge S.R. 1994, 17:59