PGP has a backdoor!!!

What I use and then some.

In the past, on various platforms, I've used PGP, GnuPG, and MacGPG, and still do, occasionally. I'm most always on a Mac nowadays, and I'm currently playing around with some products from PGP Corporation. In the future, I wouldn't mind looking into AxCrypt and IronKey; they look like promising software and hardware solutions, respectively.

Gary S.-W. Yeo and Raphael C.-W. Phan present attacks on WinRar, in their 2006 paper, entitled, "On the security of the WinRAR encryption feature." In the abstract, they state, "Our results, compared to recent attacks on WinZip by Kohno, show that WinRAR appears to offer slightly better security features." Tadayoshi Kohno presents attacks on WinZip in his 2004 paper, entitled, "Attacking and repairing the WinZip encryption scheme."

(Unfortunately, I don't have a copy of the Yeo and Phan paper, so I can't comment on it. If you have 32 bucks - or around 22 euros, in your case - itching to be spent, you can purchase a copy from Springer.)

 

Re: As close to the pinnacle as you're going to get.

I was speaking for myself, I'm not a large entity so rather use Gnupg. I don't think PGP has a backdoor and quite frankly don't care, because I don't use it. Only the person who started this topic states this by calling it "PGP has a backdoor!!!". By the word "disputed" I meant that many reviews are not that positive about PGP desktop anymore, including my personal experiences with it. The more negative reviews were more focused on a application standpoint and not its security. I did not mean to suggest that applications in general that are actively developed, are therefore better. Only between PGP/GPG I'd rather use the more actively developed GPG, at this moment at least.

 

Hate to say this, because of the mile long definition of "national security", no software can be assumed to be "safe" from being opened by the government. And the US government doesn't even need to get it's hands dirty in the process -- it has the means and power to get it and have it done by third parties to avoid the legal loopholes.

How and why criminals would want to engage in their activities on computers, never ceases to amaze me of their stupidity. Just like murders, no murder is "perfect" and non detectable, new technology = new answers. Same goes with encryption. 12k keys won't stop a determined team of sleuths.

 

On CourtTV there was a show that said that DA offices across the country are loaded with computer hard drives that have encrypted data they can't get to. Without it, they have no access to crucial data.

On an episode of Dateline, a spokesperson for the Department of Homeland Security said the #1 problem (yes, number one) problem all intelligence agencies must deal with is: encryption.

No, the U.S. government has no "secret powers" to break strong encryption.

 

Not to perpetuate conspiracy theories, but I will say that its possible they do have some abilities but will gladly not use them in the common place to not tip the hand that they can. By that, it makes sense that they would give up the opportunity to put a person in jail by not decrypting the "evidence" to prevent the fact that they can decrypt it from being known to the public.

I wish to point to a system that I just learned existed, called NarusInsight. According to the literature on the website, it can process data at a rate of 10 Billion Bits of data per second. Of course what its doing is specialized, but if that specialty piece of hardware can do that for IP traffic, I'm sure there is hardware available that can tear through current encryption routines with Brute Force in a time that is considerably less than the proposed "years" (or longer.)

You always hear reports of the NSA approving things like AES for government encryption up to "Top Secret", but isn't there a security classification above Top Secret? And would the NSA really worry about our own information being able to be decrypted by us? Just my own thoughts. Especially hearing about the 5th cable to be damaged in the Mid-East.

 

I'm curious what your last point about damaged Internet cables has to do with the topic at hand. Are you thinking there is some kind of U.S. conspiracy to bring down the Internet? And that relates to encryption how? And no, TOP SECRET is the highest level of classification in the U.S. government. There are only four:
Top Secret
Secret
Confidential
Restricted

 

Just leading where my own thoughts originated. Personally I havnt' been to concerned with Encryption, be it via GPG, TrueCrypt, or other methods, until recent (past year) events. I can go farther, but it would be getting either farther off topic.

 

Without knowing any of the details about this incident, it would make sense to damage a particular cable if that forced the use of another cable which was already being monitored. More for the purpose of intercepting the data than decrypting it.

As far as brute forcing an encrypted file or communication is concerned, the intelligence agencies may have a lot of combined computer power, but the requirements of brute forcing strong encryption would still make that a very time consuming and expensive process, one that's not worth doing just to see what someone might be hiding. They could end up wasting months worth of their combined processing power only to find a container full of porn images someone was hiding from their spouse.

Given the cost and difficulty in trying to force open strong encryption, it wouldn't suprise me at all if they've forced the domestic vendors of strong encryption apps to make it easy for them, then ordered them to say nothing about it or be charged with supporting terrorism. The way I read the Patriot act and its total lack of requiring them to furnish proof, it could be used that way. It's already being (mis)used to give them access to everything else, from communications to financial and medical records. It would be hard to believe that they neglected to include encryption-ware. IMO, all domestic encryption software released after 9/11 is suspect.

More than any other kind of software, encryption apps require some trust from the user. There is absolutely no point in using an encryption app if you're suspicious of it. When NAI stopped releasing the PGP source code, I stopped trusting the official versions. As for the CKT versions, they were originally created from the released source code, then modified to include features, components and bug fixes that weren't included in the official versions. I trust the motivations behind their creation. I also like the fact that they were compiled overseas, beyond the reach of those who would most like to have a backdoor added to them. So far, the only reason I've seen not to use them is that it's not an official version. IMO, that's more of a reason to stay with them. The CKT versions have been checked over quite well. If there was anything of consequence wrong with them, the vendor of the official version would have made sure that everyone was aware of it.

Other than brute force and possible backdoors in the encryption apps themselves, government agencies don't have any magic keys that open encrypted files. By far, the easiest way they could defeat someones encryption would be to compromise their operating system. Not a difficult task when the OS is Windows, especially when the NSA has "helped" Microsoft to secure Vista and XP. When one considers that the patches for XP are coming out as fast as ever and that Vista is nowhere near as secure as it was claimed to be, I'll let the readers decide just what kind of "help" the NSA provided.

IMO, the best way to reduce the possibility of a backdoor in your encryption software (and your OS) is to use software that predates this present day paranoia. That's one of several reasons I stay with 98, an unofficial version of PGP, and with a file/partition encryption program that was obtained before 9/11. Strong encryption algorithms have been around for some time. Blowfish for instance was first released in 1993. AES dates back to 1998. Neither has been broken, and they're 10-15 years old. I've yet to find anything regarding either encryption app or the algorithms I use being compromised, so I'm staying with them.
Rick

 

Don't worry about the cryptography.

Right. Many folks cling to the illusion that we need to pay more attention to the cryptography we use, when in reality, it's already the strongest link in most any system. On the other hand, if you're using strong cryptography, and it's the weakest link in your system, then you're doing something incredibly right. Teach us!

There are almost always easier ways to get at data, and so it goes that when systems fail, it's rarely ever because of the cryptography itself; it's because of a weakness in the cryptography's environment. This is no exception, in regards to the NSA. Not only is this so because of their technological prowess, but they can flex their muscle and often obtain information directly from a particular source, making things a lot easier and less expensive.

Don't worry about cryptography; it's everything else that will let you down. If you're going to be concerned with what the NSA can do, there are far more alarming concerns than that of a cryptographic nature.

 

I look at encryption as a former police officer. If people are encrypting their email for a criminal purpose, it's more than likely something immediate. I'm assuming, if the password or key is strong enough, it will take time to break into even by Govt. By the time the encryption can be broken, the deed is probably done or well underway.

As for Al Quaeda, Taliban, terrorism, etc, I have little doubt they all use encryption in some form and, sadly, they all seem pretty effective. If encryption can easily be broken, we'd already have Osama bin Ladin and the war would be over. Personally, I think the NSA, DIA, FBI and the rest of the alphabet agencies would like us to THINK they're better than they are.

I use encryption only for a handful of things, and only on my computer - income tax, etc. Uncle Sam and his band of thieves already have that information anyway. As for the rest, most of it doesn't need to be encrypted but it makes me feel good.

 

Well it's not like the FBI and Homeland Security don't have more important issues at hand.....like intercepting the emails of gay college students and spying on PETA. I mean you'll have to admit.....The vegetarians and the queers are gonna be the ruination of this country. Osama can wait.