1995-08-03 - Re: a hole in PGP

Header Data

From: “Richard Freeman” <rfreeman@netaxs.com>
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: adf4083a7666cdacc5f469dbdfbcf4ee983455312b80d66d1a86df8e4db1af61
Message ID: <199508030028.UAA11956@access.netaxs.com>
Reply To: N/A
UTC Datetime: 1995-08-03 00:34:49 UTC
Raw Date: Wed, 2 Aug 95 17:34:49 PDT

Raw message

From: "Richard Freeman" <rfreeman@netaxs.com>
Date: Wed, 2 Aug 95 17:34:49 PDT
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: a hole in PGP
Message-ID: <199508030028.UAA11956@access.netaxs.com>
MIME-Version: 1.0
Content-Type: text/plain


On 31 Jul 95 at 20:49, Dr. Frederick B. Cohen wrote:

> 
> History shows that your approach fails. Here are some examples:
> 
>  Tens of thousands of people had source to the http daemon from
>  CERN, and yet none of them noticed a hole that was detected as
>  it was being exploited only a few months ago. 
> 
>  Tens of thousands of people have access to sendmail and yet
>  new holes are found by attackers several times per year on
>  average.
> 
>  Tens of thousands of people have access to the sources of
>  various versions of hundreds of software packages, yet there
>  are holes found every day.
> 

I don't think this is a very good analogy.  The problems that occur with these
programs don't really occur due to a fault the programs themselves so much as
in their interactions with other programs.  Unix is a very complex OS in the
regard that it allows for a lot of program interaction.  Same thing with
something like windoze - you don't see nearly as many program crashes in DOS
as in windoze, because in DOS only one program operates at a time, and it is
in an environment of the developer's choosing, rather than the user's.  I
personally only use pgp on my DOS machine - primarily because it is secure (or
at least reasonably so).  These wierd interactions are very hard to purposely
orchestrate and I doubt that they could be placed into a program which has
been ported into so many different OS's.  Try reading the source yourself.  It
is pretty well commented, and it doesn't fork or anything so there won't be
any kind of wierd in-program interactions.  I personally subscribe to the fact
that so long as there aren't any errors in the OS or compiler or machine
itself, then the source alone is enough to fully determine the operation of a
single-tasking program.  I don't pretend to understand the mathematics behind 
idea and RSA and all that (mostly because I haven't had time to read up on 
them), but it shouldn't be hard to verify that the program does in fact 
correctly execute the algorithm.
-----------------------------------------------------------------
Richard T. Freeman <rfreeman@netaxs.com> - finger for pgp key
3D CB AF BD FF E8 0B 10 4E 09 27 00 8D 27 E1 93 
http://www.netaxs.com/~rfreeman - ftp.netaxs.com/people/rfreeman





Thread