1995-08-01 - Re: a hole in PGP

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: rah@shipwright.com (Robert Hettinga)
Message Hash: b35c2b565277cb0970f2968ca52c25ab3c4460b0d7c43508c8567332eb0f897d
Message ID: <9508010008.AA02790@all.net>
Reply To: <v02120d01ac431417e9c5@[]>
UTC Datetime: 1995-08-01 00:14:30 UTC
Raw Date: Mon, 31 Jul 95 17:14:30 PDT

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Mon, 31 Jul 95 17:14:30 PDT
To: rah@shipwright.com (Robert Hettinga)
Subject: Re: a hole in PGP
In-Reply-To: <v02120d01ac431417e9c5@[]>
Message-ID: <9508010008.AA02790@all.net>
MIME-Version: 1.0
Content-Type: text

> At 6:53 PM 7/31/95, Dr. Fred said:
> >        Why (specifically) do you think the MIT version of PGP has no
> >backdoors and is not subject to attacks such as the one outlined in my
> >previous posting?
> <Metzger_mode("on")>
> I've been watching this gark long enough, I think.
> Look. If you're qualified, look at the PGP source and vet it yourself. If
> you aren't qualified, figure the market to be efficient in this instance
> and assume the stuff works.

One of the several points I tried (apparently unsuccessfully) to make is
that with a program that large, it is impractical to verify that there
are no subtle back doors - regardless of how knowledgeable or skilled
you or I may be.  Your "assumption of security" perspective is an
inappropriate one unless you are trying to get people to use something
that is not secure. 

> Stop wasting our time and bandwidth harassing the MIT folk about whether or
> not their code is clean. Such posturing won't wash around here.

The headers on the postings allow you to ignore them, but in the
meanwhile, the subject matter is in line with this forum, and the
questions are legitimate.  You will have to do better than to appeal to
authority to convince anyone that MIT's version of PGP is secure.

> <Metzger_mode("off")>
> Seriously, it may be an appeal to authority, but it can safely be assumed
> that PGP is clean, and that MIT is *not* involved with the NSA and the Red
> Leptons in a conspiracy to spy on our alt.binaries.pictures.erotica.stoats
> postings.

Why (specifically) do you think so? Because you claim it? Because the
MIT maintainer claims it? You say MIT is not associated with the NSA,
but they have historically been funded by the NSA and other federal
agencies for work on information security.  Do you really think that the
only information protected by PGP is dirty pictures? Do you somehow
think that MIT and the NSA are above that sort of thing? All you have to
do is look at history, and it should be clear that this appeal to
authority is often used by those trying to cover things up.  If you know
something about PGPs security that you aren't telling us, don't beat
around the bush about it.  Come out and say it.  Tell us that you have
proven that PGP has no backdoors and what method you used to do that. 
Tell us that you have hand verified all the code and that none of it
overwrites the key generation process and tell us how you verified it.

It cannot be safely assumed that any program is clean or that any one
person or group is not involved with intentionally subverting security.
That violates the fundamental principles of information protection.

-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236