Mailing List Archive

Re: PGP
On Mon, 7 Feb 2000, L. Sassaman wrote:

> The commercial version *does not* have back doors. Ignore this FUD.

Okay, prove it.

If you look at the source of any good cryptography software you will
notice that the authors take so many precautions that you really
can say they are paranoid. One example is the forthcoming Twofish
algorithm, which uses the 256-bit form of it and not the 128-bit one -
this is really paranoid but done anyway.

And now you say, take this compiled program, believe them that there are
no backdoors in it and, if you want, you can take the source and
compile it yourself - however there is no proof that the usually
distributed binary version has been built from the known source code.

So tell me the probabilities that you

a) can break the algorithms
b) find a hole in the implementation
c) that someone has tampered with the product

IMO, c has a probability which is orders of magnitude higher than b.

Is there a trusted group of persons who supervised the whole
production process, from the published source, through the tool chain, to
the production of the CD-ROM and on to the distribution channels?

I do trust Debian more than a company which got quite a lot of orders
from governmental agencies - but okay, this is only my personal
opinion.

BTW, the Transmeta CPU has a very similar problem, given the huge
amount of software it relies on.

--
Werner Koch at guug.de www.gnupg.org keyid 621CC013
Re: PGP
On Tue, 08 Feb 2000, John Woodman wrote:

Hi!

> Has anyone ever taken the source, compiled it, and compared the result with a
> compiled commercial version (say by running a checksum?)

It isn't worth doing this. If the distributor of the precompiled binary
has used another compiler[1] and/or another OS, then the two binaries
won't be equal in any case.

Cheers,
Thomas

[1] Or a version different from your compiler version.
--
Thomas Bader <thomasb@trash.net>, Powered by LINUX 2.2
Info and tips on Linux, HOWTOs of the DLHP <http://www.trash.net/~thomasb/>
==> A Unix shell account (everything included) is available at http://www.trash.net
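The question raised in this thread (compile the source yourself and compare the checksum with the vendor's binary) and Thomas's reply (the two will not match unless every build input matches) can be made concrete with a small added example. It is not part of the thread and not code from PGP or GnuPG; it uses Python's gzip module as a stand-in for a compiler, because gzip is a real tool that stamps the build time into its output header, and the names build, digest, compare and verify_against_published are this example's own.

```python
import gzip
import hashlib
import time

# Constructed stand-in for a source tree; any bytes would do.
SOURCE = b"int main(void) { return 0; }\n"


def build(source, mtime=None):
    """Stand-in for a build step.

    gzip plays the 'compiler' because it has a genuine reproducibility
    problem: by default it writes the current time into header bytes 4-7,
    so two honest builds of identical input differ.  Passing a fixed mtime
    is the equivalent of pinning SOURCE_DATE_EPOCH for a real toolchain.
    """
    if mtime is None:
        mtime = time.time()  # the unpinned, environment-dependent input
    return gzip.compress(source, compresslevel=9, mtime=mtime)


def digest(blob):
    """SHA-256 of an artifact, the 'checksum' the thread talks about."""
    return hashlib.sha256(blob).hexdigest()


def compare(a, b):
    """Return (identical, offset of first differing byte or None).

    The offset is what you want when two builds differ: it tells you
    whether the difference is a timestamp in a header or something
    scattered through the code, which is where the real suspicion starts.
    """
    if a == b:
        return True, None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i
    return False, min(len(a), len(b))  # one is a prefix of the other


def verify_against_published(source, published_digest, mtime):
    """Rebuild under pinned inputs and check against a published digest."""
    return digest(build(source, mtime)) == published_digest


if __name__ == "__main__":
    # Same source, unpinned clock: the two builds will usually not match.
    loose_a = build(SOURCE)
    time.sleep(1.1)
    loose_b = build(SOURCE)
    print("unpinned builds identical:", compare(loose_a, loose_b))

    # Same source, pinned timestamp: bit-for-bit identical, so a checksum
    # comparison against a published digest actually means something.
    pinned = build(SOURCE, mtime=0)
    print("pinned build digest:", digest(pinned))
    print("reproduces:", verify_against_published(SOURCE, digest(pinned), 0))
```

The point of the offset returned by compare is practical: a mismatch confined to a known metadata field is a build-environment difference of the kind Thomas describes, while differences in the executable code itself are what would justify the suspicion John mentions. A real verification needs the same compiler version, flags, OS and pinned timestamps on both sides before the checksum comparison is informative.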
Re: PGP
Has anyone ever taken the source, compiled it, and compared the result with a
compiled commercial version (say by running a checksum?)

While different results wouldn't necessarily mean back doors, it *would* make me
suspicious...

> > The commercial version *does not* have back doors. Ignore this FUD.
>
> Okay, prove it.
>
> If you look at the source of any good cryptography software you will
> notice that the authors take so many precautions that you really
> can say they are paranoid. One example is the forthcoming Twofish
> algorithm, which uses the 256-bit form of it and not the 128-bit one -
> this is really paranoid but done anyway.
>
> And now you say, take this compiled program, believe them that there are
> no backdoors in it and, if you want, you can take the source and
> compile it yourself - however there is no proof that the usually
> distributed binary version has been built from the known source code.
>
> So tell me the probabilities that you
>
> a) can break the algorithms
> b) find a hole in the implementation
> c) that someone has tampered with the product
>
> IMO, c has a probability which is orders of magnitude higher than b.
>
> Is there a trusted group of persons who supervised the whole
> production process, from the published source, through the tool chain, to
> the production of the CD-ROM and on to the distribution channels?
>
> I do trust Debian more than a company which got quite a lot of orders
> from governmental agencies - but okay, this is only my personal
> opinion.
>
> BTW, the Transmeta CPU has a very similar problem, given the huge
> amount of software it relies on.
>
> --
> Werner Koch at guug.de www.gnupg.org keyid 621CC013
>