PGP has a backdoor!!!


maymoons
February 1st, 2008, 06:40 AM
Philip Zimmermann's FAQ page says no.
But some examples say this is true. Turkish hacker Tamer Sahin wrote a blog post; he says don't use PGP. For example, Maksik had a PGP-protected disk, and Turkish police caught it. For 60 days the disk couldn't be deciphered, but the CIA could do it. Read (Turkish) (http://tsahin.blogspot.com/2007/09/maksikin-yakalanmasndaki-bilinmeyen.html)

Dekart says:
Private Disk does not contain any backdoor. Unlike many other software encryption products, Private Disk does not contain backdoors or government induced escrow keys that would allow the police, or any other authority to decrypt your confidential information. Dekart is a company located in the Republic of Moldova, our state does not have laws that force us to add backdoors to encryption software. This means that your data are well-protected, and that the security of your private information has no breaches. Private Disk's encryption mechanisms were certified by NIST, which guarantees that your data are protected against non-government controlled access attempts too.

And Jetico says:
b. We didn't insert any "back (or trap) doors" to the BestCrypt software that would allow recovering the information about the password. Our government does not bind us to insert any "backdoors" to our products, and we ourselves strongly believe that only an owner of data should decide who is allowed to access it.

To help our users to answer the question about possible backdoor (and not only for that), we created a freeware document named 'BestCrypt Development Kit', you can download it from our download page. BDK contains source codes for all the encryption and hash algorithms, so you can make sure yourself if they contain any backdoors or not.


What is your idea?
Are they telling the truth?
Or is encryption a lie?

maymoons
February 1st, 2008, 06:56 AM
{QUOTE-> PGP

For many, PGP is the icon of encryption programs. This asymmetric encryption program was created with the sole intent to provide the average person a secure method of transmitting data. According to Privacy Defended, "PGP was first developed and released by Phil Zimmermann in 1991. Its impetus was the 1991 Senate Bill 266, an anti-crime bill stating that all encryption software must have a backdoor that allows the government to decrypt any message. This is the ultimate portrayal of the Orwellian Big Brother watching and listening to the public's every word. The believers felt that privacy was the glue that held society together. Without privacy, people are not themselves."

PGP was uploaded and quickly spread throughout the world. In fact, it propagated so thoroughly that it attracted the attention of governments and other encryption companies. As a result of the onslaught of threats, both criminal and civil, the author stopped working on the program. However, by that point the governments/patent chasers had turned PRZ (the creator of PGP) into a martyr, which created a global backlash to the point that PGP's popularity exploded. PRZ eventually founded PGP, Inc. and then sold PGP rights to Network Associates Inc. (NAI) with the agreement that a version would remain free for users, and it would be kept free of backdoors. Eventually NAI sold PGP, but it is still being maintained and a free version is available. In addition to a downloadable exe, you can also download the source code to review and/or compile at your leisure. This ensures that no backdoors are written into the code that would allow a government full access to the encrypted data.

PGP became popular because it represented something people fear: the loss of security. Due to September 11 and other incidents, many governments are putting pressure on encryption software providers to include a backdoor to ensure that they can bypass security measures put in place by criminals. This actually occurred recently in a program called JAP (Java Anonymous Proxy). Despite public claims of privacy, the government forced the authors of JAP to include a backdoor that was triggered if a user went to a certain site. This violation of privacy was quickly discovered and reported all over the world, which basically made the backdoor useless, but also damaged JAP's authors' credibility. <-QUOTE} http://www.informit.com/guides/content.aspx?g=security&seqNum=101

Fano effect3
February 1st, 2008, 12:10 PM
Use Gnupg

SYS 64738
February 1st, 2008, 08:20 PM
And it has a backdoor, that's what I said.
http://www.wilderssecurity.com/showpost.php?p=1165986&postcount=11

herbalist
February 1st, 2008, 08:58 PM
I have no doubts that the government has pressured, coerced, threatened, etc. those who develop and maintain strong encryption software into giving them backdoors. I can only imagine how much pressure they could apply using the Patriot Act and a claim of supporting terrorism if they refused to "voluntarily" comply. If an individual or company did give in to the pressure, would you expect them to admit that, or to even admit that they were pressured? Admitting to either would get them nothing but trouble.

The claim that the official PGP builds are backdoored has been around for some time. How true it is, I can't say. I've even heard claims that NAI is/was controlled by the NSA and that the NSA is the one who backdoored it. Either way, it's impossible to prove or disprove. Given the present political climate, it would be no surprise to find that all present day strong encryption apps have been backdoored.

After version 6.5.8, Network Associates stopped releasing the source code for PGP, which raised a lot of suspicion. The CKT versions of PGP started becoming a popular alternative to the official builds for several reasons. They had features not available in the official versions at that time, PGP disk, larger keys, XP compatibility, available source code, etc. More info here (http://www.wisegeek.com/what-is-the-best-version-of-pgp.htm).

I've also seen claims that a backdoor was discovered and removed when the CKT versions were compiled. Without proof, such a claim wouldn't mean much, but when almost all the sites that dealt with the CKT versions have been taken down and when other PGP compatible apps do their best to steer users away from the CKT builds, it does appear that the powers that be have a problem with them.

The way I see it, there's nothing to lose by using the CKT builds. If the claims of a removed backdoor are true, users have access to a version of PGP that runs on Win95 thru XP that is truly secure. If the backdoor is pure fiction, the user still gains greater key strength, the PGP disk component, additional plugins, ciphers, and several other features not available in the official versions.
Rick

LockBox
February 1st, 2008, 09:48 PM
This is the most ridiculous thing. A backdoor would spell the END of the PGP Corporation. Look at their board of directors/advisors and tell me those people would be involved with software that has a backdoor. I would be worried about a lot of software, but frankly, PGP is not one of them. Far from it.

ronjor
February 1st, 2008, 10:07 PM
There are options for those in doubt. (http://www.pgp.com/company/whypgp/pgpassurance.html)

Justin Troutman
February 2nd, 2008, 01:00 AM
{QUOTE-> What is your idea?
Are they telling the truth?
Or is encryption a lie? <-QUOTE}

Hmm, out of any company, I would trust PGP Corporation the most, in regards to having the competence to implement cryptography correctly and securely. You can request source code from them if you'd like, and they possess FIPS validation (i.e., NIST). Their approach to cryptographic design, and demeanor as a company, is second-to-none, really. Refer to Gerard's comment, as well; it really sums things up.

{QUOTE-> And it has a backdoor, that's what I said.
http://www.wilderssecurity.com/showpost.php?p=1165986&postcount=11 <-QUOTE}

Are you referring to this post (http://securology.blogspot.com/2007/10/pgp-whole-disk-encryption-barely.html), by Securology? If so, check out Jon Callas' (PGP Corporation's CTO) response (http://www.pgp.com/newsroom/ctocorner/smile.html) at the PGP Corporation website.

Pinga
February 2nd, 2008, 02:17 AM
{QUOTE-> a freeware document <-QUOTE}
The times they are a-changin' ;)

Fano effect3
February 2nd, 2008, 12:45 PM
{QUOTE-> And it has a backdoor, that's what I said.
http://www.wilderssecurity.com/showpost.php?p=1165986&postcount=11 <-QUOTE}

No, it talks about the proprietary PGP and not GPG, you don't seem to distinguish between the two.

This thread is totally unnecessary because there is GPG and it's free and open source; for WDE there are other open source tools. If you are worried about backdoors you can look for them yourself inside GPG. It will always remain in the realm of speculation if there is a backdoor or multiple in PGP, so before and long after this thread, there is no definitive answer to this.

herbalist
February 2nd, 2008, 02:19 PM
{QUOTE-> If you are worried about backdoors you can look for them yourself inside GPG, <-QUOTE}
That's an easy statement to make, but much harder to do. Most users couldn't begin to check source code. Even fewer understand both encryption and programming in general well enough to make sense of it. Out of those who can read it, many wouldn't know a deliberate/accidental flaw or back door if they were staring at it. Even if the code checks out in the hands of a real expert, there's the problem of comparing every byte of each file to make certain that they match the source code. Very time consuming.

There's plenty of people who can do one part or another of the above, but few who are both qualified and capable of doing all of it, and willing to spend the amount of time it's going to take. I'd bet that less than 1% of the dedicated PGP users can even read the source code. Even when someone "qualified" claims to have checked the code and the files, it's still a matter of trust. You have to believe that they're qualified, competent, and honest.

These discussions about how secure an app is or whether it has a backdoor always overlook the biggest problem. An app is only as secure as the operating system it runs on. Picking at an app that's running on Windows is the equivalent of worrying about a tiny window on your home that can be forced when the front door is wide open.

Rick

Fano effect3
February 2nd, 2008, 03:40 PM
{QUOTE-> dedicated PGP users can even read the source code.

Rick <-QUOTE}

You probably mean GPG since there is no readily available source code for PGP.

And you are right on the rest, that basically even if there is no backdoor present, it is only a tiny part of anyone's (Windows) overall security worries. And this is exactly what makes the thread's topic statement "PGP has a backdoor!!!" so pointless.

SystemJunkie
February 2nd, 2008, 04:04 PM
{QUOTE-> Given the present political climate, it would be no surprise to find that all present day strong encryption apps have been backdoored. <-QUOTE}
Indeed, what about WinRAR? They claim to be absolutely clean, and what about TrueCrypt?

Fano effect3
February 2nd, 2008, 04:17 PM
{QUOTE-> Indeed, what about WinRAR? They claim to be absolutely clean, and what about TrueCrypt? <-QUOTE}
(In general, never listen to what makers claim regarding the trustworthiness of their products if you don't have the source code or can't verify the creator(s).)

TrueCrypt is open source, WinRAR is not, but we don't know if either one is backdoored until we know. TC probably not, everything in between is speculation.
Since version 5 will make TC even more widely used, it will therefore automatically become an even larger target than it already is.

maymoons
February 2nd, 2008, 05:33 PM
WinRAR's encryption can already be broken.

Justin Troutman
February 2nd, 2008, 06:15 PM
{QUOTE-> You probably mean GPG since there is no readily available source code for PGP. <-QUOTE}

Sure there is. At least, it seems (http://www.pgp.com/downloads/sourcecode/index.html) readily available enough for me. I would recommend either GnuPG or offerings from PGP Corporation, without any objections.

WigglyTheGreat
February 2nd, 2008, 06:49 PM
I heard that PGP has a backdoor even back close to ten years ago or so. I have no idea if it is true or not, but ever since there was speculation about it so many years ago I never used it again since that time. Once again I don't know if it is true, but I have heard enough to that effect that it made me question it and not use it.

Fano effect3
February 2nd, 2008, 06:49 PM
{QUOTE-> Sure there is. At least, it seems readily available enough for me. I would recommend either GnuPG or offerings from PGP Corporation, without any objections. <-QUOTE}


I still rather use GNU Privacy Guard over PGP, it's much disputed and a little underdeveloped since there hasn't been a new PGP Desktop Beta for a year now.

Fano effect3
February 2nd, 2008, 07:00 PM
{QUOTE-> I heard that PGP has a backdoor even back close to ten years ago or so. I have no idea if it is true or not, but ever since there was speculation about it so many years ago I never used it again since that time. Once again I don't know if it is true, but I have heard enough to that effect that it made me question it and not use it. <-QUOTE}

So you replace it with?

WigglyTheGreat
February 2nd, 2008, 07:38 PM
I just did a quick internet search to refresh my memory on this subject and it seems that the speculation I remembered was way back when NAI owned PGP and the source code was not available for a time. Back in 1997 or so I believe. Like I said it was a long time ago and I have no experience with PGP since.

"For a while — when NAI owned the PGP product — the source-code was unavailable and outside inspection became impossible. As a result, experienced users of PGP lost confidence in newer versions of the product. This situation has been reversed by the PGP Corporation in an attempt to restore confidence."

Fano effect3
February 2nd, 2008, 07:49 PM
{QUOTE-> This situation has been reversed by the PGP Corporation in an attempt to restore confidence." <-QUOTE}

OK, that's good to hear, I was not aware of this readjustment.

Justin Troutman
February 2nd, 2008, 09:34 PM
{QUOTE-> I still rather use GNU Privacy Guard over PGP, it's much disputed and a little underdeveloped since there hasn't been a new PGP Desktop Beta for a year now. <-QUOTE}

I can't say that I've read every single dispute, but none of them that I have read hold any water. It seems that we, as humans, have minds that are wired for speculating about conspiracies. Patterns, for example, tend to amplify this. It would be a shame to write off what are probably the best cryptographic solutions available (i.e., PGP Corporation's offerings), based on unfounded speculation.

Of course, anything that's widely adopted - be it cryptographic primitives, protocols, or products - is a target for this kind of thing. The AES is a prime example. Fortunately, those with the right outlook on cryptography know better, and use the AES because of all the good cryptographic and engineering reasons, rather than discard it based on tin foil hat induced nonsense.

GnuPG is a reasonable recommendation, but for large entities that are bound by constraints not satisfied through using GnuPG, PGP Corporation offers a suite of solutions. In those cases where GnuPG won't suffice, I have no problem with recommending PGP Corporation as a go-to provider. We want solutions that are fielded by the competent and analyzed by the competent.

PGP Corporation is as close to the pinnacle as you're going to get.

LockBox
February 2nd, 2008, 10:01 PM
Justin, Out of curiosity, do you use encryption? If so, what do you use?

herbalist
February 2nd, 2008, 10:33 PM
{QUOTE-> I still rather use GNU Privacy Guard over PGP, it's much disputed and a little underdeveloped since there hasn't been a new PGP Desktop Beta for a year now. <-QUOTE}
Why is it that a product, company, or application is chosen based on how often a new version is released? When a product or application is good, why change it? PGP is one example. An e-mail or IM encrypted on version 9 isn't any more secure than the same one encrypted on 6.5.8. The exact opposite is possible. The more features and integration that's added to an encryption program, the greater the chance of introducing a flaw that could compromise it, or being vulnerable to a bug in the OS components it integrates with. With encryption software, the less bloated and more free-standing it is, the better. How recent the last release was doesn't make a difference. "Newer is better" is what software and OS vendors want users to believe in order to get them to open their wallets.

I tried one of the 7x versions and version 8.1, and promptly went back to 6.5.8. Was considering trying the 9x desktop but I don't like the amount of personal info PGP wants in order to download it, or that it's over 20MB. The version I use is 6.4MB, includes PGP disk and plugins for several e-mail apps. It works with all the browsers, e-mail and IM programs I've tried. It does everything I need. I see no good reason to replace it, then pay to keep features I already have.

Rick

SystemJunkie
February 3rd, 2008, 01:56 AM
{QUOTE-> WinRAR's encryption can already be broken. <-QUOTE}
Prove this. I don't know any source that really broke WinRAR.

Justin Troutman
February 3rd, 2008, 03:40 AM
{QUOTE-> Justin, Out of curiosity, do you use encryption? If so, what do you use? <-QUOTE}

In the past, on various platforms, I've used PGP, GnuPG, and MacGPG, and still do, occasionally. I'm most always on a Mac nowadays, and I'm currently playing around with some products from PGP Corporation. In the future, I wouldn't mind looking into AxCrypt and IronKey; they look like promising software and hardware solutions, respectively.

{QUOTE-> Prove this. I don't know any source that really broke WinRAR. <-QUOTE}

Gary S.-W. Yeo and Raphael C.-W. Phan present attacks on WinRAR in their 2006 paper, entitled "On the security of the WinRAR encryption feature (http://www.springerlink.com/index/51184370N1G2854G.pdf)." In the abstract, they state, "Our results, compared to recent attacks on WinZip by Kohno, show that WinRAR appears to offer slightly better security features." Tadayoshi Kohno presents attacks on WinZip in his 2004 paper, entitled "Attacking and repairing the WinZip encryption scheme (http://www.cs.washington.edu/homes/yoshi/papers/WinZip/winzip.pdf)."

(Unfortunately, I don't have a copy of the Yeo and Phan paper, so I can't comment on it. If you have 32 bucks - or around 22 euros, in your case - itching to be spent, you can purchase a copy from Springer.)

Fano effect3
February 3rd, 2008, 01:12 PM
{QUOTE->
GnuPG is a reasonable recommendation, but for large entities that are bound by constraints not satisfied through using GnuPG, PGP Corporation offers a suite of solutions. In those cases where GnuPG won't suffice, I have no problem with recommending PGP Corporation as a go-to provider. We want solutions that are fielded by the competent and analyzed by the competent.

PGP Corporation is as close to the pinnacle as you're going to get. <-QUOTE}

I was speaking for myself, I'm not a large entity so rather use GnuPG. I don't think PGP has a backdoor and quite frankly don't care, because I don't use it. Only the person who started this topic states this by calling it "PGP has a backdoor!!!". By the word "disputed" I meant that many reviews are not that positive about PGP Desktop anymore, including my personal experiences with it. The more negative reviews were more focused on an application standpoint and not its security. I did not mean to suggest that applications in general that are actively developed are therefore better. Only between PGP/GPG I'd rather use the more actively developed GPG, at this moment at least.

ChrisTek
February 6th, 2008, 03:39 PM
{QUOTE-> The way I see it, there's nothing to lose by using the CKT builds. If the claims of a removed backdoor are true, users have access to a version of PGP that runs on Win95 thru XP that is truly secure. If the backdoor is pure fiction, the user still gains greater key strength, the PGP disk component, additional plugins, ciphers, and several other features not available in the official versions.
Rick <-QUOTE}

Hate to say this, because of the mile long definition of "national security", no software can be assumed to be "safe" from being opened by the government. And the US government doesn't even need to get its hands dirty in the process -- it has the means and power to get it and have it done by third parties to avoid the legal loopholes.

How and why criminals would want to engage in their activities on computers, never ceases to amaze me of their stupidity. Just like murders, no murder is "perfect" and non detectable, new technology = new answers. Same goes with encryption. 12k keys won't stop a determined team of sleuths.

LockBox
February 6th, 2008, 06:04 PM
{QUOTE-> Same goes with encryption. 12k keys won't stop a determined team of sleuths. <-QUOTE}

On CourtTV there was a show that said that DA offices across the country are loaded with computer hard drives that have encrypted data they can't get to. Without it, they have no access to crucial data.

On an episode of Dateline, a spokesperson for the Department of Homeland Security said the #1 (yes, number one) problem all intelligence agencies must deal with is: encryption.

No, the U.S. government has no "secret powers" to break strong encryption.

KookyMan
February 6th, 2008, 06:42 PM
{QUOTE-> No, the U.S. government has no "secret powers" to break strong encryption. <-QUOTE}

Not to perpetuate conspiracy theories, but I will say that it's possible they do have some abilities but will gladly not use them in the common place to not tip the hand that they can. By that, it makes sense that they would give up the opportunity to put a person in jail by not decrypting the "evidence" to prevent the fact that they can decrypt it from being known to the public.

I wish to point to a system that I just learned existed, called NarusInsight (http://en.wikipedia.com/wiki/Narus). According to the literature on the website (http://www.narus.com), it can process data at a rate of 10 Billion Bits of data per second. Of course what it's doing is specialized, but if that specialty piece of hardware can do that for IP traffic, I'm sure there is hardware available that can tear through current encryption routines with Brute Force in a time that is considerably less than the proposed "years" (or longer.)

You always hear reports of the NSA approving things like AES for government encryption up to "Top Secret", but isn't there a security classification above Top Secret? And would the NSA really worry about our own information being able to be decrypted by us? Just my own thoughts. Especially hearing about the 5th cable to be damaged in the Mid-East.

LockBox
February 6th, 2008, 07:10 PM
{QUOTE-> Not to perpetuate conspiracy theories, but I will say that it's possible they do have some abilities but will gladly not use them in the common place to not tip the hand that they can. By that, it makes sense that they would give up the opportunity to put a person in jail by not decrypting the "evidence" to prevent the fact that they can decrypt it from being known to the public.

I wish to point to a system that I just learned existed, called NarusInsight (http://en.wikipedia.com/wiki/Narus). According to the literature on the website (http://www.narus.com), it can process data at a rate of 10 Billion Bits of data per second. Of course what it's doing is specialized, but if that specialty piece of hardware can do that for IP traffic, I'm sure there is hardware available that can tear through current encryption routines with Brute Force in a time that is considerably less than the proposed "years" (or longer.)

You always hear reports of the NSA approving things like AES for government encryption up to "Top Secret", but isn't there a security classification above Top Secret? And would the NSA really worry about our own information being able to be decrypted by us? Just my own thoughts. Especially hearing about the 5th cable to be damaged in the Mid-East. <-QUOTE}

I'm curious what your last point about damaged Internet cables has to do with the topic at hand. Are you thinking there is some kind of U.S. conspiracy to bring down the Internet? And that relates to encryption how? And no, TOP SECRET is the highest level of classification in the U.S. government. There are only four:
Top Secret
Secret
Confidential
Restricted

KookyMan
February 6th, 2008, 07:36 PM
Just leading where my own thoughts originated. Personally I haven't been too concerned with encryption, be it via GPG, TrueCrypt, or other methods, until recent (past year) events. I can go farther, but it would be getting either farther off topic.

herbalist
February 6th, 2008, 10:49 PM
{QUOTE-> I'm curious what your last point about damaged Internet cables has to do with the topic at hand. <-QUOTE}
Without knowing any of the details about this incident, it would make sense to damage a particular cable if that forced the use of another cable which was already being monitored. More for the purpose of intercepting the data than decrypting it.

As far as brute forcing an encrypted file or communication is concerned, the intelligence agencies may have a lot of combined computer power, but the requirements of brute forcing strong encryption would still make that a very time consuming and expensive process, one that's not worth doing just to see what someone might be hiding. They could end up wasting months worth of their combined processing power only to find a container full of porn images someone was hiding from their spouse.

Given the cost and difficulty in trying to force open strong encryption, it wouldn't surprise me at all if they've forced the domestic vendors of strong encryption apps to make it easy for them, then ordered them to say nothing about it or be charged with supporting terrorism. The way I read the Patriot Act and its total lack of requiring them to furnish proof, it could be used that way. It's already being (mis)used to give them access to everything else, from communications to financial and medical records. It would be hard to believe that they neglected to include encryption-ware. IMO, all domestic encryption software released after 9/11 is suspect.

More than any other kind of software, encryption apps require some trust from the user. There is absolutely no point in using an encryption app if you're suspicious of it. When NAI stopped releasing the PGP source code, I stopped trusting the official versions. As for the CKT versions, they were originally created from the released source code, then modified to include features, components and bug fixes that weren't included in the official versions. I trust the motivations behind their creation. I also like the fact that they were compiled overseas, beyond the reach of those who would most like to have a backdoor added to them. So far, the only reason I've seen not to use them is that it's not an official version. IMO, that's more of a reason to stay with them. The CKT versions have been checked over quite well. If there was anything of consequence wrong with them, the vendor of the official version would have made sure that everyone was aware of it.
{QUOTE-> Hate to say this, because of the mile long definition of "national security", no software can be assumed to be "safe" from being opened by the government. And the US government doesn't even need to get its hands dirty in the process -- it has the means and power to get it and have it done by third parties to avoid the legal loopholes. <-QUOTE}
Other than brute force and possible backdoors in the encryption apps themselves, government agencies don't have any magic keys that open encrypted files. By far, the easiest way they could defeat someone's encryption would be to compromise their operating system. Not a difficult task when the OS is Windows, especially when the NSA has "helped" Microsoft to secure Vista and XP. (http://www.washingtonpost.com/wp-dyn/content/article/2007/01/08/AR2007010801352.html) When one considers that the patches for XP are coming out as fast as ever and that Vista is nowhere near as secure as it was claimed to be, I'll let the readers decide just what kind of "help" the NSA provided.

IMO, the best way to reduce the possibility of a backdoor in your encryption software (and your OS) is to use software that predates this present day paranoia. That's one of several reasons I stay with 98, an unofficial version of PGP, and with a file/partition encryption program that was obtained before 9/11. Strong encryption algorithms have been around for some time. Blowfish for instance was first released in 1993. AES dates back to 1998. Neither has been broken, and they're 10-15 years old. I've yet to find anything regarding either encryption app or the algorithms I use being compromised, so I'm staying with them.
Rick

Justin Troutman
February 6th, 2008, 11:25 PM
{QUOTE-> By far, the easiest way they could defeat someone's encryption would be to compromise their operating system. <-QUOTE}

Right. Many folks cling to the illusion that we need to pay more attention to the cryptography we use, when in reality, it's already the strongest link in most any system. On the other hand, if you're using strong cryptography, and it's the weakest link in your system, then you're doing something incredibly right. Teach us!

There are almost always easier ways to get at data, and so it goes that when systems fail, it's rarely ever because of the cryptography itself; it's because of a weakness in the cryptography's environment. This is no exception, in regards to the NSA. Not only is this so because of their technological prowess, but they can flex their muscle and often obtain information directly from a particular source, making things a lot easier and less expensive.

Don't worry about cryptography; it's everything else that will let you down. If you're going to be concerned with what the NSA can do, there are far more alarming concerns than that of a cryptographic nature.

Chuck57
February 7th, 2008, 03:19 PM
I look at encryption as a former police officer. If people are encrypting their email for a criminal purpose, it's more than likely something immediate. I'm assuming, if the password or key is strong enough, it will take time to break into even by Govt. By the time the encryption can be broken, the deed is probably done or well underway.

As for Al Qaeda, Taliban, terrorism, etc., I have little doubt they all use encryption in some form and, sadly, they all seem pretty effective. If encryption can easily be broken, we'd already have Osama bin Laden and the war would be over. Personally, I think the NSA, DIA, FBI and the rest of the alphabet agencies would like us to THINK they're better than they are.

I use encryption only for a handful of things, and only on my computer - income tax, etc. Uncle Sam and his band of thieves already have that information anyway. As for the rest, most of it doesn't need to be encrypted but it makes me feel good.

caspian
February 8th, 2008, 07:03 PM
{QUOTE-> If encryption can easily be broken, we'd already have Osama bin Laden and the war would be over. <-QUOTE}

Well it's not like the FBI and Homeland Security don't have more important issues at hand.....like intercepting the emails of gay college students and spying on PETA. I mean you'll have to admit.....The vegetarians and the queers are gonna be the ruination of this country.;D Osama can wait.