1997-12-06 - Re: SynData/Schneier Attack Network Associates

Header Data

From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: 37718c33755cd0e9d0fd290dac9fb1efde40c94371e6fa6e95f2b28782b64e95
Message ID: <1.5.4.32.19971206192208.00706884@pop.pipeline.com>
Reply To: N/A
UTC Datetime: 1997-12-06 19:33:05 UTC
Raw Date: Sun, 7 Dec 1997 03:33:05 +0800

Raw message

From: John Young <jya@pipeline.com>
Date: Sun, 7 Dec 1997 03:33:05 +0800
To: cypherpunks@toad.com
Subject: Re: SynData/Schneier Attack Network Associates
Message-ID: <1.5.4.32.19971206192208.00706884@pop.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain



cvhd@indyweb.net wrote:

>I have never bought into any of the conspiranauts BS about 
>PGP backdoors as long as PZ was involved with it but I will 
>certainly assume it is to be a "given" with PGP in the hands 
>of McAfee.

Has Phil Zimmermann responded to the months-long criticism
of PGP 5.0 for Business and PGP's acquisition by Network
Associates?

If not, what seems to be the most reasonable explanation for
Phil not answering, to allay suspicions and sustain PGP's
worldwide reputation? The explanations by others working
with PGP, Inc. would surely be more credible if Phil expressed 
public support for their views.

I still find it hard to accept that Phil would squander his personal
reputation, and thereby the reputation of his invention, by
refusing to provide a public accounting of what's happening
with PGP Inc. And, no matter the legal and financial restrictions
that might be constraining him. And no matter that PGP's
competitors are probably encouraging some of the attacks.

Security by obscurity, by indifference to public doubts, seems
to be a surefire way to undermine Phil's years-long struggle
to distinguish himself from those less courageous than him
who are pushing products less reliable than PGP has been
believed to be until now.

It's a haunting thought to consider that Phil may have been
shown evidence by others that PGP is not as reliable as many 
have long believed, evidence that perhaps demonstrates what
he knew all along. This is harsh suspicion and one that needs
his response, if for no other reason to allay the fear that even
prior versions of PGP are now suspect.

PGP and Phil's personal reputation are at stake, not PGP, Inc., 
which is secondary. There are lots of folks whose freedom, 
if not lives, may be at risk due to his silence.

Perhaps it's time for Phil to reaffirm that difficult choice between 
success and conviction, between making a killing and betraying 
others to do so. To remind those who think you can have both 
ways and get away with it is a cowardly fantasy too often hidden 
behind self-serving ethics.

If Phil personally (not the PGP officer, not the distinguished scientist
bullshit role, not the PGP employees) refuses to stand behind PGP 
as it has been known and trusted, then PGP and Phil should be 
denounced forever as a grand deception and treachery, even 
worse than the other crypto products eagerly shaped -- and openly 
proud of it -- to fit the specs of the paymaster snoops Phil himself 
once bravely challenged.

I think Phil will come through now, as he has in the past, to distinguish
himself and PGP (not Inc.) from the craven pack.

If he doesn't, it's smart to give up using PGP in all its guises past and
future.
