PGP has a backdoor!!!

Discussion in 'privacy technology' started by guest, Feb 1, 2008.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Philip Zimmermann's FAQ page says no.
    But some examples say this is true. The Turkish hacker Tamer Sahin wrote a blog post in which he says don't use PGP. For example, Maksik had a PGP-protected disk, and the Turkish police seized it. For 60 days the disk couldn't be deciphered, but the CIA could do it. Read (Turkish)

    Dekart says:
    Private Disk does not contain any backdoor. Unlike many other software encryption products, Private Disk does not contain backdoors or government induced escrow keys that would allow the police, or any other authority to decrypt your confidential information. Dekart is a company located in the Republic of Moldova, our state does not have laws that force us to add backdoors to encryption software. This means that your data are well-protected, and that the security of your private information has no breaches. Private Disk's encryption mechanisms were certified by NIST, which guarantees that your data are protected against non-government controlled access attempts too.

    and Jetico says:
    b. We didn't insert any "back (or trap) doors" to the BestCrypt software that would allow recovering the information about the password. Our government does not bind us to insert any "backdoors" to our products, and we ourselves strongly believe that only an owner of data should decide who is allowed to access it.

    To help our users to answer the question about possible backdoor (and not only for that), we created a freeware document named 'BestCrypt Development Kit', you can download it from our download page. BDK contains source codes for all the encryption and hash algorithms, so you can make sure yourself if they contain any backdoors or not.


    What is your idea?
    Are they telling the truth?
    Or is encryption a lie?
     
  2. guest

    guest Guest

    http://www.informit.com/guides/content.aspx?g=security&seqNum=101
     
    Last edited by a moderator: Feb 1, 2008
  3. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    Use GnuPG
     
  4. SYS 64738

    SYS 64738 Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    130
  5. herbalist

    herbalist Guest

    I have no doubts that the government has pressured, coerced, threatened, etc those who develop and maintain strong encryption software into giving them backdoors. I can only imagine how much pressure they could apply using the patriot act and a claim of supporting terrorism if they refused to "voluntarily" comply. If an individual or company did give in to the pressure, would you expect them to admit that, or to even admit that they were pressured? Admitting to either would get them nothing but trouble.

    The claim that the official PGP builds are backdoored has been around for some time. How true it is, I can't say. I've even heard claims that NAI is/was controlled by the NSA and that the NSA is the one who backdoored it. Either way, it's impossible to prove or disprove. Given the present political climate, it would be no surprise to find that all present day strong encryption apps have been backdoored.

    After version 6.5.8, Network Associates stopped releasing the source code for PGP, which raised a lot of suspicion. The CKT versions of PGP started becoming a popular alternative to the official builds for several reasons. They had features not available in the official versions at that time, PGP disk, larger keys, XP compatibility, available source code, etc. More info here.

    I've also seen claims that a backdoor was discovered and removed when the CKT versions were compiled. Without proof, such a claim wouldn't mean much, but when almost all the sites that dealt with the CKT versions have been taken down and when other PGP compatible apps do their best to steer users away from the CKT builds, it does appear that the powers that be have a problem with them.

    The way I see it, there's nothing to lose by using the CKT builds. If the claims of a removed backdoor are true, users have access to a version of PGP that runs on Win95 thru XP that is truly secure. If the backdoor is pure fiction, the user still gains greater key strength, the PGP disk component, additional plugins, ciphers, and several other features not available in the official versions.
    Rick
     
  6. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    This is the most ridiculous thing. A backdoor would spell the END of the PGP Corporation. Look at their board of directors/advisors and tell me those people would be involved with software that has a backdoor. I would be worried about a lot of software, but frankly, PGP is not one of them. Far from it.
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,722
    Location:
    Texas
  8. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Hmm.

    Hmm, out of any company, I would trust PGP Corporation the most, in regards to having the competence to implement cryptography correctly and securely. You can request source code from them if you'd like, and they possess FIPS validation (i.e., NIST). Their approach to cryptographic design, and demeanor as a company, is second-to-none, really. Refer to Gerard's comment, as well; it really sums things up.

    Are you referring to this post, by Securology? If so, check out Jon Callas' (PGP Corporation's CTO) response at the PGP Corporation website.
     
  9. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    The times they are a-changin' ;)
     
  10. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    No, it talks about the proprietary PGP and not GPG, you don't seem to distinguish between the two.

    This thread is totally unnecessary because there is GPG and it's free and open source, and for WDE there are other open source tools. If you are worried about backdoors you can look for them yourself inside GPG. It will always remain in the realm of speculation whether there is a backdoor or multiple in PGP, so before and long after this thread, there is no definitive answer to this.
     
    Last edited: Feb 2, 2008
  11. herbalist

    herbalist Guest

    That's an easy statement to make, but much harder to do. Most users couldn't begin to check source code. Even fewer understand both encryption and programming in general well enough to make sense of it. Out of those who can read it, many wouldn't know a deliberate/accidental flaw or back door if they were staring at it. Even if the code checks out in the hands of a real expert, there's the problem of comparing every byte of each file to make certain that they match the source code. Very time consuming.

    There's plenty of people who can do one part or another of the above, but few who are both qualified and capable of doing all of it, and willing to spend the amount of time it's going to take. I'd bet that less than 1% of the dedicated PGP users can even read the source code. Even when someone "qualified" claims to have checked the code and the files, it's still a matter of trust. You have to believe that they're qualified, competent, and honest.

    These discussions about how secure an app is or whether it has a backdoor always overlook the biggest problem. An app is only as secure as the operating system it runs on. Picking at an app that's running on windows is the equivalent of worrying about a tiny window on your home that can be forced when the front door is wide open.

    Rick
     
  12. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    You probably mean GPG, since there is no readily available source code for PGP.

    And you are right on the rest, that basically even if there is no backdoor present, it is only a tiny part of anyone's (Windows) overall security worries. And this is exactly what makes the thread's topic statement "PGP has a backdoor!!!" so pointless.
     
    Last edited: Feb 2, 2008
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Indeed, what about WinRAR? They claim to be absolutely clean, and what about TrueCrypt?
     
  14. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    (In general, never listen to what makers claim regarding the trustworthiness of their products if you don't have the source code or can't verify the creator(s).)

    TrueCrypt is open source, WinRAR is not, but we don't know if either one is backdoored until we know. TC probably not; everything in between is speculation.
    Since version 5 will make TC even more widely used, it will therefore automatically become an even larger target than it already is.
     
    Last edited: Feb 2, 2008
  15. guest

    guest Guest

    WinRAR's encryption can already be broken
     
  16. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Sure there is.

    Sure there is. At least, it seems readily available enough for me. I would recommend either GnuPG or offerings from PGP Corporation, without any objections.
     
  17. WigglyTheGreat

    WigglyTheGreat Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    137
    I heard that PGP has a backdoor even back close to ten years ago or so. I have no idea if it is true or not, but ever since there was speculation about it so many years ago I never used it again since that time. Once again I don't know if it is true, but I have heard enough to that effect that it made me question it and not use it.
     
  18. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland

    I still rather use GNU Privacy Guard over PGP; it's much disputed and a little underdeveloped, since there hasn't been a new PGP Desktop Beta for a year now.
     
    Last edited: Feb 2, 2008
  19. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    So you replace it with?
     
  20. WigglyTheGreat

    WigglyTheGreat Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    137
    I just did a quick internet search to refresh my memory on this subject and it seems that the speculation I remembered was way back when NAI owned PGP and the source code was not available for a time. Back in 1997 or so I believe. Like I said it was a long time ago and I have no experience with PGP since.

    "For a while — when NAI owned the PGP product — the source-code was unavailable and outside inspection became impossible. As a result, experienced users of PGP lost confidence in newer versions of the product. This situation has been reversed by the PGP Corporation in an attempt to restore confidence."
     
  21. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    Ok, that's good to hear, I was not aware of this readjustment.
     
    Last edited: Feb 2, 2008
  22. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    As close to the pinnacle as you're going to get.

    I can't say that I've read every single dispute, but none of them that I have read hold any water. It seems that we, as humans, have minds that are wired for speculating about conspiracies. Patterns, for example, tend to amplify this. It would be a shame to write off what are probably the best cryptographic solutions available (i.e., PGP Corporation's offerings), based on unfounded speculation.

    Of course, anything that's widely adopted - be it cryptographic primitives, protocols, or products - is a target for this kind of thing. The AES is a prime example. Fortunately, those with the right outlook on cryptography know better, and use the AES because of all the good cryptographic and engineering reasons, rather than discard it based on tin foil hat induced nonsense.

    GnuPG is a reasonable recommendation, but for large entities that are bound by constraints not satisfied through using GnuPG, PGP Corporation offers a suite of solutions. In those cases where GnuPG won't suffice, I have no problem with recommending PGP Corporation as a go-to provider. We want solutions that are fielded by the competent and analyzed by the competent.

    PGP Corporation is as close to the pinnacle as you're going to get.
     
  23. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Justin, Out of curiosity, do you use encryption? If so, what do you use?
     
  24. herbalist

    herbalist Guest

    Re: As close to the pinnacle as you're going to get.

    Why is it that a product, company, or application is chosen based on how often a new version is released? When a product or application is good, why change it? PGP is one example. An e-mail or IM encrypted on version 9 isn't any more secure than the same one encrypted on 6.5.8. The exact opposite is possible. The more features and integration that are added to an encryption program, the greater the chance of introducing a flaw that could compromise it, or of being vulnerable to a bug in the OS components it integrates with. With encryption software, the less bloated and more free-standing it is, the better. How recent the last release was doesn't make a difference. "Newer is better" is what software and OS vendors want users to believe in order to get them to open their wallets.

    I tried one of the 7.x versions and version 8.1, and promptly went back to 6.5.8. I was considering trying the 9.x desktop, but I don't like the amount of personal info PGP wants in order to download it, or that it's over 20MB. The version I use is 6.4MB, includes PGP disk and plugins for several e-mail apps. It works with all the browsers, e-mail and IM programs I've tried. It does everything I need. I see no good reason to replace it, then pay to keep features I already have.

    Rick
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Prove this. I don't know any source that really broke WinRAR.
     