From: “Peter Trei” <trei@process.com>
To: cypherpunks@toad.com
Message Hash: 3912ecbd21a1e075d6885f51f18e67d414ad9b6fa5cca3008d4cc4704903bba0
Message ID: <199703141519.HAA27477@toad.com>
Reply To: N/A
UTC Datetime: 1997-03-14 15:19:15 UTC
Raw Date: Fri, 14 Mar 1997 07:19:15 -0800 (PST)
From: "Peter Trei" <trei@process.com>
Date: Fri, 14 Mar 1997 07:19:15 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: Anonymous Nymserver: anon.nymserver.com
Message-ID: <199703141519.HAA27477@toad.com>
MIME-Version: 1.0
Content-Type: text/plain
Someone mistitling itself "Truthmonger" writes:
> Now that you seem to have actually read what I have written, perhaps
> you might consider reading what you, yourself, have written.
> I stated my case for contending that PGP=>2.5 has been compromised,
> and got back wild-eyed demands for proof of that which I did not
> claim, mainly, that PGP had been 'broken.'
> To reiterate my original observations:
> 1. The development of RSA was funded and controlled by the spooks.
> i.e. - The National Science Foundation and the Navy.
> 2. The campaign of persecution against Phil Zimmerman ground to a
> halt once he agreed to PGP using the spook-developed RSAREF subroutines
> to implement the RSA functions, instead of PGP's original subroutines.
> If people with guns came to me and told me that software I had
> written now had to use their subroutines, instead of my own, then
> I would consider my software 'compromised', regardless of whether
> or not I could immediately discern any anomalies in it.
> It is far, far easier to 'build' a back-door, than to 'find' one.
"TM" (I can't bring myself to use it's full name, since it is so
totally inappropriate) has made the following claims:
1. "PGP => 2.5 has been compromised."
2. "It is far, far easier to 'build' a back-door, than to 'find'
one."
His main arguement rests on the fact that the later versions
of PGP use RSAREF, rather than Phil's own code.
As support of the first claim, he claims:
> 1. The development of RSA was funded and controlled by the spooks.
> i.e. - The National Science Foundation and the Navy.
I'm not sure what you're referring to with "RSA" here - is it the
algorithm or the company?
If it's the algorithm, you may or may not have the intellectual capacity
to verify it yourself - if you don't you have no business telling us it's
compromised, and if you do, either publish the problem (and claim your
15 minutes of fame), or admit there is no hole you are aware of.
There are plenty of people on this list who can follow the math, even
if you can't.
If it's the company, then you are either ignorant or lying. RSA has
*not* had a good relationship with the USG, as those who have been
following the matter over the years know well. Most recently, you
will notice that it has licensed some of it's patents to a Japanese
chip maker in an effort to avoid problems with US export
restrictions. Is this the action of a USG patsy?
> 2. The campaign
> of persecution against Phil Zimmerman ground to a halt once he
> agreed to PGP using the spook-developed RSAREF subroutines to
> implement the RSA functions, instead of PGP's original subroutines.
PGP 2.5 was released in March 1994, about a year after Phil was
indicted. It took until January 1996 for the indictment to be dropped;
nearly another two years. If a deal was struck, why did it take so
long? The dismissal of Phil's persecution was almost certainly due to
(a) the approach of the statute of limitations, and (b), the very
high probability that he would be found innocent. if they took him
to trial. The government simply ran out of legal pretexts under
which to harass him.
Now that your supporting assertions have been shown to be flawed,
let's return to the original claims.
1. "PGP => 2.5 has been compromised."
2. "It is far, far easier to 'build' a back-door, than to 'find'
one."
The problem, TM, is that we have full source code, and anyone
with the intelligence and knowledge required can check it
independently. PGP and RSAREF are both distributed as source.
There is not one byte of instructions or data that have to
be accepted on faith - no precompiled libraries, no mysterious
DLLs or ActiveX controls.
If there is a backdoor, show it to us.
Your second claim, that it is easier to build a backdoor than to
find one, is true but not pertinant. Let's try an analogy.
1. You buy a house from a builder. You, being paranoid, wonder if
the builder has included a secret door to enable him to
enter the house without your permission. You investigate what you
can, but in the end are left with some doubts.
2. You buy a set of blueprints from the builder, and examine them
carefully for weaknesses. You then buy a plot of land of your choice,
hire the workers you want, get materials from any supplier you wish.
You supervise the construction yourself down to the last detail.
Others who have purchased the same blue prints include trusted
independent architects and construction engineers, who concur with you
thatno hidden back doors can be found in the design. At this
point, how worried are you that the builder has left himself an
unauthorized entry?
The situation with PGP >=2.5 is like the second scenario, not the
first.
What it comes down to "TM" is: Put up or shut up. You can't spread
FUD in a situation where there is no unknown to Fear, no Uncertainty
to deal with, and no Doubt that we have all the knowledge we need.
Respond in a substantive manner. So far, you've avoided doing so.
Peter Trei
trei@process.com
Return to March 1997
Return to “TruthMonger <an7575@anon.nymserver.com>”