LOL Silly isn't it? Well according to a show on Techtv called Spy School it does. I didn't see the show but this evening Leo Laport (sp?) touched on it a little when people was writing asking about. Leo said that PGP don't have a backdoor for the government. I searched the Techtv web site and found nothing on this. I don't think this is true at all I tought I would just post this here to see what others think. So please post what you think about this subject.

This link right here might shed some light on why they reported that PGP had or has a backdoor in it. http://lists.insecure.org/lists/politech/2001/Jan/0063.html
It's a rather old sroty and I'm sure everyone here read this or heard about it.

Well the source code for the 6.x version is freely available so any backdoor could be easily spotted :)

ORE BAD NEWS FOR PRIVACY: PGP GONE BAD

NAI, makers of McAfee Virus software, bought Pretty Good Privacy (PGP) for $35 mil in 1997. Science Applications International Corporation (SAIC) then bought NAI. Both George H. W. Bush and Bobby Inman, the Naval admiral and former NSA chief involved with the Iran-Contra affair and other dark side government affairs, are former directors of SAIC. So is Clinton Secretary of Defense William Perry. SAIC has so many links to the Pentagon that, like Dyncorp, it is considered by many to be a government shill. With so many dealings with government the buyout of PGP by SAIC should be viewed as extremely suspicious. Bobby Inman was a big promoter of the concept that Government must control all encryption. PGP was the only private holdout for years and is good enough to cause government spooks much lost sleep. Phil Zimmerman, the anti-government creator of PGP says that copies of its encryption software which were sold before Fall 2001, when he left NAI, are solid, but future versions may be tainted. So beware. If you have existing copies of PGP obtained prior to fall of last year, do not upgrade to any new versions.

Good find. Nice reading.

Philip Zimmermann
Creator of PGP

Background

Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. After the government dropped its case in early 1996, Zimmermann founded PGP Inc. That company was acquired by Network Associates Inc (NAI) in December 1997, where he stayed on for three years as Senior Fellow. In August 2002 PGP was acquired from NAI by a new company called PGP Corporation, where Zimmermann now serves as special advisor and consultant. Zimmermann currently is consulting for a number of companies and industry organizations on matters cryptographic, and is also a Fellow at the Stanford Law School's Center for Internet and Society.

http://www.mit.edu/~prz/index.shtml

http://www.pgp.com/?l=prz

Thanks for the good reading and links gunnarj

gunnarj:

You wrote:

-{ Quote: " quoting: gunnarj link=board=20;threadid=16578;start=0#msg102770 date=1069304090]
Phil Zimmerman, the anti-government creator of PGP says that copies of its encryption software which were sold before Fall 2001, when he left NAI, are solid, but future versions may be tainted. So beware. If you have existing copies of PGP obtained prior to fall of last year, do not upgrade to any new versions.
" }-

I want to clarify a few things here.

First, Zimmerman left NAI after version 7.0.3. NAI stopped doing full source code releases with version 7.0. Zimmerman said he could vouch for every version from 7.0 through 7.0.3 because he had access to the source code. So, it's simply not the case that every version prior to "fall of last year" is OK, unless "fall of last year" means Fall of 2001. The last version that NAI released was PGP Corp. Desktop 7.1.1.

Second, Zimmerman never said "future versions may be tainted"; he said he couldn't vouch for any versions past 7.0.3. That may seem like splitting hairs, but there is a difference.

Third, as the short bio of PRZ that you posted notes, the newly created PGP Corp. -- which includes both PRZ and Bruce Schneier on its board -- acquired PGP from NAI in August of 2002. Since PGP Corp. acquired PGP from NAI, it has been doing full source code releases for the new PGP 8.0.x versions.

Here's a short breakdown of how this works out:

PGP.1.x - PGP 6.5.8: full source code release

PGP 7.0 - PGP 7.0.3: partial source code release; PRZ vouches for these versions.

PGP 7.0.4 - PGP 7.1.1: partial source code release; PRZ does not vouch for these versions.

PGP 8.0.0 - PGP 8.0.3: full source code release

Best,

Eric L. Howes

Thanks for the the info Eburger.

Eric,

full source code availability means there's no need to distrust the product?

Not that I'm going to believe backdoor claims based on Gunnar J's posts, which are a combination of coincidences and tenous links aimed at conspiracy theorists, and would be thrown out in a court of law as extremely bad evidence before you could say J. Edgar Hoover.

-{ Quote: "full source code availability means there's no need to distrust the product?" }-

Not necessarily, but IMO given how long this (6.5.8) version has been in circulation, and how immensely popular it is, and how much scrutiny it has been under by crypto-analysts - this really does offer a lot of assurance that there is no backdoor.

Still, one can never reeeeeally be sure ;)

J. Edgar Hoover:

Full source code availability does not mean a 100% guarantee against a backdoor. But it does significantly decrease the liklihood, esp. since the PGP source code is being examined by many people.

Theoretically it might be possible for PGP Corp. to release source code for review but use a slightly tweaked version of that code when compiling binaries. In fact, just this possibility was discussed recently on the PGP List. From what I could tell, no two compilers would ever compile exactly identical binaries from the same code, so you can't compile a binaries from the source code released for review and expect an exact match with the binaries released by PGP Corp. That makes the job of using the released source code to evaluate the company's offering less than straightforward.

Nonetheless, a full source code release goes a long ways toward building trust, and that's about the best most ordinary users can expect. Ideally, you would review the source code yourself line by line, then compile your own binaries from that code. That's obviously not practical for the majority of users, so we have to rely on others to do the job for us. And that means constantly assessing just how diligently and openly the source code is being reviewed.

PGP stands out in this regard. PGP is one of the more scrutinized crypto apps around. And that should make it more trustworthy.

Best,

Eric L. Howes

Bottom Line:

One can not be *certain* that there is not a back door to PGP as was postulated in the opening post to this thread.

I did not realize that posting here required evidence that could stand up "in a court of law".

If you count on PGP to protect your privacy, the odds are good that it will protect you from most threats, and most prying eyes,
but I would not count on it protecting you from *everyone*, esp. those in the intelligence field. I consider it a damn good bet that it has been compromised by NSA among others.

Sorry if that sounds like 'conspiracy theory'. I take it that those who hold such a dim view of conspiracy theory believe in the concept of 'coincidence theory' which IMHO is a more naive approach to life than the former.

regards,

gj


Sorry to step on any sacred cows here :P

gunnarj:

You wrote:

-{ Quote: " quoting: gunnarj link=board=20;threadid=16578;start=0#msg104230 date=1069817287]
Bottom Line:
One can not be *certain* that there is not a back door to PGP as was postulated in the opening post to this thread." }-

No, one can't be 100% certain that there isn't a backdoor in PGP, but when it has been demonstrated that there are plenty of checks in the place to ensure that there aren't, the burden of proof becomes still heavier on those who would insist that there probably is. So far, all we ever seem to hear is unverifiable rumor and innuendo, which is not convincing.

-{ Quote: " quoting: gunnarj link=board=20;threadid=16578;start=0#msg104230 date=1069817287]I did not realize that posting here required evidence that could stand up "in a court of law"." }-

What we have been asking for is something beyond unsupported speculation and rumor-mongering. The bottom line is this: if you want to maintain that it is "a damn good bet that it has been compromised by NSA among others," then you'd better be prepared to offer up good reasons and solid evidence. So far, I haven't seen them.

-{ Quote: " quoting: gunnarj link=board=20;threadid=16578;start=0#msg104230 date=1069817287]If you count on PGP to protect your privacy, the odds are good that it will protect you from most threats, and most prying eyes, but I would not count on it protecting you from *everyone*, esp. those in the intelligence field. I consider it a damn good bet that it has been compromised by NSA among others." }-

Reasons? Evidence? Why kind of compromise are you talking about? Please explain how you think this compromise works. And please explain how you think this back door has escaped the notice of top civilian cryptographers who have examined PGP and even contributed to it.

-{ Quote: " quoting: gunnarj link=board=20;threadid=16578;start=0#msg104230 date=1069817287]Sorry if that sounds like 'conspiracy theory'. I take it that those who hold such a dim view of conspiracy theory believe in the concept of 'coincidence theory' which IMHO is a more naive approach to life than the former." }-

And which coincidences would you be talking about? Coincidences are funny things, esp. when they're being selected out from a wide range of events. When "coincidences" become the only necessary (or minimal) standard of proof, logic flies out the window.

-{ Quote: " quoting: gunnarj link=board=20;threadid=16578;start=0#msg104230 date=1069817287]Sorry to step on any sacred cows here :P
" }-

Oh, please. What you've said here isn't any different than what dozens, if not hundreds, of folks say on Usenet everyday. Give us reasons and evidence for thinking that there's a backdoor in PGP and then you might be saying something dangerous.

Eric L. Howes

LOL, I don't think it's fair to call people paranoid because they believe pgp has being cracked.

After all we are talking of a community of people who on average run half a dozen firewalls,antiviruses, and routers all on one computer! :)

JayK:

You wrote:

-{ Quote: " quoting: JayK link=board=20;threadid=16578;start=0#msg104327 date=1069850349]
LOL, I don't think it's fair to call people paranoid because they believe pgp has being cracked.
" }-

I never called the poster "paranoid." Indeed, I never characterized the poster at all. The problem I have with those posts is not "paranoia," but rather the lack of any good reasons or evidence for thinking that "pgp is cracked" (your words). Standards of fairness do not require me or anyone else to ignore the lack of good reasons and solid evidence for claims that it is a "damn good bet that it has been compromised by NSA among others."

Eric L. Howes

-{ Quote: " quoting: eburger68 link=board=20;threadid=16578;start=15#msg104340 date=1069852880]
JayK:

You wrote:

-{ Quote: " quoting: JayK link=board=20;threadid=16578;start=0#msg104327 date=1069850349]
LOL, I don't think it's fair to call people paranoid because they believe pgp has being cracked.
" }-

I never called the poster "paranoid." Indeed, I never characterized the poster at all. The problem I have with those posts is not "paranoia," but rather the lack of any good reasons or evidence for thinking that "pgp is cracked" (your words).

Eric L. Howes
" }-

Lacking good reasons for suspecting something bad, sure sounds like paranoia to me :) What would you call it?

JayK:

You asked:

-{ Quote: " quoting: JayK link=board=20;threadid=16578;start=15#msg104343 date=1069853063]
Lacking good reasons for suspecting something bad, sure sounds like paranoia to me :) What would you call it?
" }-

I choose not to call it anything beyond a position that lacks good reasons and evidence to support it. That's sufficient. I'm all for netizens and citizens being skeptical; that skepticism should encompass all manner of claims, though.

Best,

Eric L. Howes

"The Technocratic Age is slowly designing an every day more controlled society. The society will be dominated by an elite of persons free from traditional values (!) who will have no doubt in fulfilling their objectives by means of purged techniques with which they will influence the behavior of people and will control and watch the society in all details". "... it will become possible to exert a practically permanent watch on each citizen of the world"

- Zbigniew Brzezinski -

.............

Truth is a powerful solvent. Stone walls melt before its relentless might. The Internet is one of the most powerful agents of freedom. It exposes truth to those who wish to see and hear it. It is no wonder that some governments and organizations fear the Internet and its ability to make the truth known. The phrase "freedom of speech" is often used to characterize a key element of democratic societies : open communication and especially open government. But freedom of speech is less than half of the equation. It is also vital that citizens have the freedom to hear and see. It is the latter area in which many governments have intervened in an attempt to prevent citizens from gaining access to information that their governments wish to withhold from them.

..........

"The Internet under Surveillance - Obstacles to the free flow of information online"

http://www.rsf.org/article.php3?id_article=7280

http://www.rsf.org/IMG/pdf/doc-2236.pdf

http://www.rsf.org/rubrique.php3?id_rubrique=378

~~~~~~~~~~~~~

Spooks on the net

http://www.heureka.clara.net/sunrise/spooks.htm

~~~~~~~~~~~

Data Miners and the State

http://www.lewrockwell.com/elkins/elkins68.html

~~~~~~~~~~~~

COINTELPRO in Cyberspace

http://www.lewrockwell.com/elkins/elkins67.html

~~~~~~~~~~~~~

COINTELPRO: The Untold American Story

http://www.derechos.net/paulwolf/cointelpropapers/coinwcar3.htm

~~~~~~~~~~~~~~~

DOJ Net Surveillance Under Fire

http://www.wired.com/news/print/0,1294,59150,00.html

~~~~~~~~~~~~~~~~

International co-operation in internet surveillance

http://www.heise.de/tp/english/special/enfo/4306/1.html

~~~~~~~~~~~~~~~~~

Your friendly community spies

http://www.crossroad.to/articles2/2002/spy.html

~~~~~~~~~~~~~~~~~

Homeland Security and the transformation of America

http://www.crossroad.to/articles2/2003/homeland.htm

USA MILITARY: assuming major new domestic policing and surveillance
roles
Tue Nov 25


Mission Creep Hits Home
By William M. Arkin
Los Angeles Times
Sunday 23 November 2003

American armed forces are assuming major new domestic policing and
surveillance roles.
http://www.truthout.org/docs_03/printer_112503A.shtml

Preoccupied with the war in Iraq and still traumatized by Sept. 11,
2001, the American public has paid little attention to some of what
is being done inside the United States in the name of anti-terrorism.
Under the banner of "homeland security," the military and
intelligence communities are implementing far-reaching changes that
blur the lines between terrorism and other kinds of crises and will
break down long-established barriers to military action and
surveillance within the U.S.

"We must start thinking differently," says Air Force Gen. Ralph
E. "Ed" Eberhart, the newly installed commander of Northern Command,
the military's homeland security arm. Before 9/11, he says, the
military and intelligence systems were focused on "the away game" and
not properly focused on "the home game." "Home," of course, is the
United States.

Eberhart's Colorado-based command is charged with enhancing homeland
security in two ways: by improving the military's capability to
defend the country's borders, coasts and airspace — unquestionably
within the military's long-established mission — and by
providing "military assistance to civil authorities" when authorized
by the secretary of Defense or the president.

That too may sound unexceptionable: The military has long had
mechanisms to respond to a request for help from state governors. New
after 9/11 are more aggressive preparations and the presumption that
local government will not be able to carry the new homeland security
load. Being the military, moreover, contingency planners approach
preparing by assuming the worst. All of this is a major — and
potentially dangerous — departure from past policy.

The U.S. military operates under the 1878 Posse Comitatus Act, which
prohibits the direct use of federal troops "to execute the laws" of
the United States. The courts have interpreted this to mean that the
military is prohibited from any active role in direct civilian law
enforcement, such as search, seizure or arrest of civilians.

"There are abundant reasons for rejecting the further expansion of
the military's domestic role," says Mackubin T. Owens, a professor of
strategy and force planning at the Naval War College. Looking at the
issue historically, Owens wrote in an August 2002 essay in the
National Review's online edition that "the use of soldiers as a posse
[places] them in the uncomfortable position of taking orders from
local authorities who had an interest in the disputes that provoked
the unrest in the first place." Moreover, Owens said, becoming more
involved in domestic policing can be "subtle and subversive … like a
lymphoma or termite infestation." Though we are far from
having "tanks rumbling through the streets," he said, the potential
long-term effect of an increasing military role in police and law
enforcement activities is "a military contemptuous of American
society and unresponsive to civilian authorities."

Eberhart says his Northern Command operates scrupulously within the
bounds of the law. "We believe the [Posse Comitatus] Act, as amended,
provides the authority we need to do our job, and no modification is
needed at this time," he told the House Armed Services Committee in
March.

Of course, what he knows is that amendments approved by Congress in
1996 for that earlier civilian war, the war on drugs, have already
expanded the military's domestic powers so that Washington can act
unilaterally in dispatching the military without waiting for a
state's request for help. Long before 9/11, Congress authorized the
military to assist local law enforcement officials in domestic "drug
interdiction" and during terrorist incidents involving weapons of
mass destruction. Furthermore, the president, after proclaiming a
state of emergency, can authorize additional actions.

Indeed, the military is presently operating under just such an
emergency declaration. Eberhart's command has defined three levels of
operations, each of which triggers a larger set of authorized
activities. The levels are "extraordinary," "emergency"
and "temporary." At the "temporary" level, which covers such things
as the Olympic Games or the Super Bowl, limited assistance can be
provided to law enforcement agencies when a governor requests it,
primarily in such areas as logistics, transportation and
communications. During "emergencies," the military can provide
similar support, mostly in response to specific events such as the
attacks on the World Trade Center.

It is only in the case of "extraordinary" domestic operations that
the unique capabilities of the Defense Department are deployed. These
include not just such things as air patrols to shoot down hijacked
planes or the defusing of bombs and other explosives, , but also
bringing in intelligence collectors, special operators and even full
combat troops.

Given the absence of terrorist attacks inside the United States since
9/11, it may seem surprising that Northern Command is already working
under the far-reaching authority that goes with "extraordinary
operations." But it is.

"We are not going to be out there spying on people," Eberhart told
PBS' NewsHour in September. But, he said, "We get information from
people who do." Some of that information increasingly comes not from
the FBI or those charged with civilian law enforcement but from a
Pentagon organization established last year, the Counterintelligence
Field Activity (CIFA). The seemingly innocuous CIFA was originally
given the mission of protecting the Defense Department and its
personnel, as well as "critical infrastructure," against espionage
conducted by terrorists and foreign intelligence services.

But in August, Defense Secretary Donald H. Rumsfeld expanded CIFA's
mission, charging it with maintaining "a domestic law enforcement
database that includes information related to potential terrorist
threats directed against the Department of Defense." The group's
Assessments and Technology Directorate, which shares offices with the
Justice Department's Foreign Terrorist Tracking Task Force, has
already identified 200 foreign terrorist suspects in the U.S.,
according to a Defense Department report to Congress.

This year, the Pentagon inspector general authorized assigning
military special agents to 56 FBI Joint Terrorism Task Force
operations at FBI field offices. These military agents will pursue
leads in local communities of potential threats to the military.
Eberhart also plans to have his own cadre of agents working with
local law enforcement. Next year, he plans to transform Joint Task
Force Six, a drug interdiction unit of 160 military personnel at Ft.
Bliss, Texas, into Joint Interagency Task Force North. The new task
force will be given nationwide responsibility for working with law
enforcement agencies.

CIFA, moreover, has been given a domestic "data mining" mission:
figuring out a way to process massive sets of public records,
intercepted communications, credit card accounts, etc., to
find "actionable intelligence." "Homeland defense relies on the
sharing of actionable intelligence among the appropriate federal,
state, and local agencies," says Lt. Gen. Edward G. Anderson III,
Eberhart's deputy.

Another ambitious domestic project is being undertaken by the
National Geospatial-Intelligence Agency, which is
gathering "geospatial information" about 133 cities, the borders and
seaports. This "urban data inventory" combines unclassified and
classified data (including such things as the location of emergency
services, communications, transportation and food supplies) with a
high-resolution satellite map of the United States. When the mapping
efforts are completed, a national "spatial data infrastructure" will
be created down to the house level. Intelligence analysts speak of
one day being able to identify individual occupants, as well as their
national background and political affiliations. Though the military
is just getting its systems in place, there can be no other
conclusion: Domestic surveillance is back.

It's not that we're heading toward martial law. We're not. But
outside the view of most of the public, the government is daily
expanding military operations into areas of local government and law
enforcement that historically have been off-limits. And it doesn't
seem far-fetched to imagine that those charged with
assembling "actionable intelligence" will slowly start combining
databases of known terrorists with seemingly innocuous lists of
contributors to charities or causes, that membership lists for
activist organizations will be folded in, that names and personal
data of anti-globalization protesters will be run through the "data
mine." After all, the mission of Northern Command and other Pentagon
agencies is to identify groups and individuals who could potentially
pose threats to Defense Department and civilian installations.

Given all this, it might be a good time for state and local
governments to ask themselves whether the federal government, through
the military, is slowly eroding their power to manage what — for very
good reasons — have always been considered local responsibilities.

William M. Arkin is a military affairs analyst who writes regularly
for The Los Angeles Times Opinion.

========================================
Mission Creep Hits Home
Los Angeles Times (subscription), CA - Nov 23, 2003

... Force Gen. Ralph E. "Ed" Eberhart, the newly installed commander
of Northern Command, the military's homeland security arm
http://makeashorterlink.com/?E439455A6


The Northern Command will unify a range of domestic security duties
now spread over several military units and services.
http://why-war.com/news/2002/07/17/widermil.html

General Eberhart, who will also remain leader of Norad, will be
responsible in his new job for coordinating the military's response
to natural disasters like floods, hurricanes and forest fires,
officials said.

The new command would also oversee a unit known as the Joint Task
Force Civil Support, which is trained to respond to attacks that
involve chemical, biological or nuclear weapons.

While the command will have specific defensive responsibilities, like
flying combat patrols over American cities, General Eberhart's
mission will also involve the delicate task of backing up civilian
agencies in time of need.

"We will respond in support of a lead federal agency, such as the
F.B.I. or FEMA," he said. "There will be certain things you can do
with federal troops and certain things you cannot. There are some
situations where there's no other alternatives, and federal forces
have to be used to secure the safety and security of our people."

Mr. Rumsfeld and Gen. Richard B. Myers, the chairman of the Joint
Chiefs of Staff, have said that in a catastrophe, the military might
help quarantine disaster victims and deal with the water and
sanitation needs of thousands of people.
"If a city had no ability to respond and no ability to command and
control, there's a situation where the president says: `This is an
emergency. Northern Command, you have the lead,' " General Eberhart
said. "God forbid, we'd be prepared to do that."

Wider Military Role in U.S. Is Urged
HTTP://www.nytimes.com/2002/07/21/politics/21PENT.html

==================================

Searched the web for Northern Command, the military's homeland
security arm. Results 1 - 10 of about 974
http://makeashorterlink.com/?H519525A6

gunnarj:

Those are all very interesting articles, and I would urge folks to take a look at them -- esp. those who might not be informed about our government's increasing appetite for information about its citizens and the way that information can be abused.

None of those articles, however, provides specific evidence or good reasons to believe that PGP has been compromised with a "back door" of some kind. Those articles do provide reasons to be skeptical and vigilant about the government's claim to need ever greater legal powers to protect its citizens, but that's it.

General skepticism about the government's means and motives for acquiring and abusing information about its citizens does not translate into good reasons for believing that PGP has in fact been compromised.

If you have more specific evidence, I'd welcome the opportunity to look at it.

Eric L. Howes

Eric,

While not specifically about PGP, the following is interesting re crypto and NSA. Thanks for your insights and if I find anything more specific as to PGP I'll pass it on.

Regards,

gunnarj

...........................


It is interesting to me to experience which aspects of the NSA_KEY
episode people actually remember after these years. It also provides a
marvelous example of how well solid spin-control can in fact shape
perhaps not the present, but certainly the future past.

Yes, it is true that MSFT expressed that choosing the name NSA_KEY was a bad choice made by the programmer asked to add this key. And there can be little doubt that this variable name choice was indeed unfortunate, at least to Microsoft, given that it both alerted the public to the fact that there was a second security master key in Microsoft's operating system products in addition to the key Microsoft used themselves. There can be even less doubt that at least Microsoft considered the resultant publicity of this discovery, fueled by the name Microsoft itself had given to the key, to be very, very unfortunate.

Microsoft asserts that "the name [NSA_KEY] reflects the fact that the
key is present in the design to satisfy the NSA technical review per US
cryptographic export regulations". See
http://cryptome.org/nsakey-ms-dc.htm

In light of the above, frequently heard assertions by third-parties that
the inclusion of NSA_KEY in Windows was unrelated to NSA requirements carry a certain parallel universe quality.

Since there is no dispute that NSA_KEY was included in Windows to "to
satisfy the NSA technical review", the only disputes remaining relate to
the precise purpose of NSA_KEY (and who holds copies of the
corresponding secret key).

The three most popular interpretations are:

1) Microsoft included a second key to be able to continue signing CAPI
modules should the first key be lost. This is MSFT's official
explanation. I suspect that there are not many security experts that
will be satisfied with this explanation. The canonical way of addressing
the risk of a CA, rather than a user, key being lost is in backing up
the CA key, potentially in secret-shared form.

2) Microsoft included a second key to be able to sign CAPI modules
outside the U.S., while still somehow adhering to U.S. export law. If
CAPI modules were to be signed in multiple locations, using multiple CA
keys is a reasonable approach. I have heard this theory advanced by
respectable folks and it may well be true. The shortcomings of this
theory are that no CAPI module distributed by MSFT has ever been found to be signed by NSA_KEY. If MSFT has installed the second key to sign CAPI modules in a production CA, why is the key not being used? The other shortcoming of this theory is that Microsoft itself denies that
such a second CA is in operation.

3) Microsoft's NSA_KEY enables the NSA and/or other intelligence
agencies to sign their own CAPI modules without NSA being required to
disclose those modules to MSFT. There may be perfectly benign
explanations why NSA might wish to so such a thing. Examples include
enabling CAPI modules for NSA-generated, in-house ciphers used in
classified applications. Of course this capability would also enable NSA
to sign modules that can be used to undermine the OS security of just
about any Windows installation out there. The sole shortcoming with this explanation appears to be that Microsoft denies that the NSA has access to the NSA_KEY secret key.

Given the above scenarios, and in light of Microsoft's public
statements, the reader must form their own opinion of the likely purpose of NSA_KEY. It may or may not be a source of comfort to know that NSA_KEY has since been renamed to KEY2. Had NSA_KEY been known as KEY2 from the beginning, the world would have never known about NSA_KEY's existence.
http://freedom.gmsociety.org/pipermail/remops/2003-May/012683.html
...........

The other problem with this is that NSA could have done this with a
custom version of Windows, which is presumably easily within their power to have. It seems most unlikely to me that they do out-of-the-box Windows installs, so I assume this would impose almost no burden on them.

The more likely explanation is so that the NSA can feed CAPI modules
with backdoors to selected members of the public, IMO. This probably
explains why they haven't been found in the wild, too.

.......

NSA's Backdoor Key from Lotus-Notes
http://cypherspace.org/adam/hacks/lotus-nsa-key.html


NSA's keys
http://cypherspace.org/adam/hacks/ms-nsa-key.html


Only NSA can listen, so that's OK
http://www.heise.de/tp/english/inhalt/te/2898/1.html


Report: U.S. Uses Key Escrow To Steal Secrets
http://www.techweb.com/wire/story/TWB19990518S0004

gunnarj:

Not to prolong this discussion, but I think our readers ought to hear from several respected figures in the world of computer security and cryptography who threw cold water on the NSA_KEY story several years ago:

Bruce Schneier
http://www.schneier.com/crypto-gram-9909.html#NSAKeyinMicrosoftCryptoAPI
(http://www.schneier.com/crypto-gram-9909.html#NSAKeyinMicrosoftCryptoAPI)

Schneier, by the way, is one of the most respected researchers in the field of cryptography.

Russ Cooper
http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=52
(http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=52)

Russ Cooper edits NT BugTraq, the widely read and respected security digest.

Kevin McAleavey
http://www.nsclean.com/nsakey.html

Kevin is the author of BOClean, NSClean, and several other widely respected anti-malware products.

All three of these authors provide thorough analysis of the NSA_KEY story and explain why the fears that the NSA has planted a back door in Windows are simply unfounded.

As all three authors explain, the researcher who stumbled over the NSA_KEY did make an important find inasmuch as he demonstrated an exploitable flaw in the design of Microsoft's CryptoAPI (CAPI). But that flaw is exploitable by anyone, not just the NSA.

For those wanting a more readable background on this story, see the following:

WIRED
http://www.wired.com/news/print/0,1294,21577,00.html
(http://www.wired.com/news/print/0,1294,21577,00.html)

If nothing else, this story demonstrates the dangers of leaping to quick conclusions in a field like crypto based on "coincidences."

Best,

Eric L. Howes

Yes, there were and are numerous experts who quickly and vehemently jumped into the fray to disabuse any and all of the notion that there could be a relationship between the software (esp. microsoft) we use and the intelligence agencies. What a silly notion, after all. Just musings for quacks and conspiracy theorists.


Methinks, they and thou protest too much.

best,

gj

This says it all:

"if I find anything more specific as to PGP I'll pass it on" --- in other words, you had nothing and still have nothing by way of specific proof. When your bluff was called, you resorted to 2 things:

(1) by saying that an absence of proof that there wasn't a backdoor was presence of proof that there was one. PLEASE.......you need to sit for your philosophy 101 again.

(2) introduce a mountain of "facts" and "evidence" that were germane to anything but proof of the precise allegation you were making; that's right,. obfuscate the issue, go right ahead......you need more practice preaching to the non-converted. That's a bigger challenge, by the way.

Last of all, do the rolling eyes thing and practice some cheap skepticism, and engage in ad hominem attacks to deflect attention from the fact that you still haven't proven your original allegation. But it's okay to say that others who demand proof are "disbusing any and all of the notion" of any link between intelligence agencies and software. Aside from the obvious cheap shot of using absolute terms ("any" and "all") to tar everyone with the same brush (another favourite tactic of an unskilled argument), you end up with another cheap shot by playing the wounded animal ("woe is me, I must be silly to think so") and acting like a crybaby ("my detractors call me a quack, they're such bad people"), at the end of the day, you still have not proven your original allegation! ......but tried every dirty trick in the book to worm your way out of the burden of proof.

But hey, this is the Internet, not a "court of law," as you pointed out, and you are entitled to your rumor mongering. Go right ahead......

LOL.


Go get 'em, J. Edgar! ;D

gunnarj,

-{ Quote: "Go get 'em, J. Edgar!" }-

Perhaps I'm wrong, but I really think this was a challenge to you "gunnarj" to actually provide proof - any proof - any at all...

Do you have any?

Do you really think that *if* the NSA or other similar agencies had a back door to the most popular crypto program that there would be 'proof', i.e. something that could be proved in a court of law?

So, I'm taking your question as a facetious one, not really something you expect an affirmative answer to. Your question was framed in such a way as to give away your intent in asking the question;

-{ Quote: ""to actually provide proof - any proof - any at all...Do you have any?"" }-

...as if this question by itself wins some kind of debate. I think the question was answered early on in this thread when I mentioned not expecting evidence that could be proved in a 'court of law'.


It was never my intent here to provide 'proof' of a back door to PGP, nor did I ever say that it was. I responded to someone else's question with quotes and links and my own opinion as to whether or not it ws likely that there is indeed a back door. Since we affirmed early on that there is no 100 percent postitive way to say that there is no back door, my point was to put my opinion in context by showing the ways that goverment is indeed involved in surveillance including computer surveillance. That in itself should give anyone pause, instead of becoming combative and insisting on a "proof' that I never said was there in the first place.


cheerio ;)

gj

Ah, I see.

Thanks, that makes it all very clear.

Sarcasm is par for the course when one brings up anything critical to popular opinion, and when someone challenges "experts", especially "computer experts".

Such a withering final shot, "LowWaterMark". You sure 'nuff put me in my place.

-{ Quote: "Ah, I see.

Thanks, that makes it all very clear. " }-


If my answer wasn't sufficiently clear, I humbly apologise. and beg your favour.

Hope I haven't unneccesarily antagonized too many here!!

Well, what can I say - that's the way I replied. But, you seem to be saying that the lack of proof is proof. Or that the NSA or whoever is so beyond anyone's understanding that no one could ever see the truth...

But that is wrong. Have you looked at the source code to PGP? It is available and the truth about it is there to be seen. (And yes, I've looked at it myself. My company bought the rights to the source code during the period that NAI owned it so we could port it over to the OpenVMS environment. We did so and found no backdoors, hidden keys, etc.)

The truth may be out there, but in this case the truth is that all these claims about government backdoors is just rumors. Nothing but rumors that some people start repeating as if that makes it true.