lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: exibar at thelair.com (Exibar)
Subject: On PGP (was: Wiretap or Magic Lantern?)

Although it is interesting to read, I wouldn't call an article in PCWORLD
conclusive proof that PGP hasn't been compromised by the NSA.

  It is a good article though :-)

  Ex


----- Original Message ----- 
From: "Feher Tamas" <etomcat@...email.hu>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, April 07, 2004 11:56 AM
Subject: [Full-Disclosure] On PGP (was: Wiretap or Magic Lantern?)


> Hello,
>
> >>The terrorsts are not stupid, they use strong encryption and
> >>there is proof that PGP repels NSA.
> >
> >What proof are you referring to?
>
> The case of the italian comrades:
>
> http://www.pcworld.com/news/article/0,aid,110841,00.asp
>
> PGP Encryption Proves Powerful
> by Philip Willan, IDG News Service, 26 May 2003
>
> If the police and FBI can't crack the code, is the technology too strong?
>
> Italian police have seized at least two Psion personal digital assistants
> from members of the Red Brigades terrorist organization. But the major
> investigative breakthrough they were hoping for as a result of the
> information contained on the devices has failed to materialize--
> thwarted by encryption software used by the left-wing revolutionaries.
>
> Failure to crack the code, despite the reported assistance of U.S.
> Federal Bureau of Investigation computer experts, puts a spotlight on
> the controversy over the wide availability of powerful encryption tools.
>
> The Psion devices were seized on March 2 after a shootout on a train
> traveling between Rome and Florence, Italian media and sources close
> to the investigation said. The devices, believed to number two or three,
> were seized from Nadia Desdemona Lioce and her Red Brigades
> comrade Mario Galesi, who was killed in the shootout. An Italian police
> officer was also killed. At least one of the devices contains information
> protected by encryption software and has been sent for analysis to the
> FBI facility in Quantico, Virginia, news reports and sources said.
>
> The FBI declined to comment on ongoing investigations, and Italian
> authorities would not reveal details about the information or equipment
> seized during the shootout.
>
> Pretty Good Privacy
> The software separating the investigators from a potentially invaluable
> mine of information about the shadowy terrorist group, which
> destabilized Italy during the 1970s and 1980s and revived its practice
> of political assassination four years ago after a decade of quiescence,
> was PGP (Pretty Good Privacy), the Rome daily La Repubblica reported.
> So far the system has defied all efforts to penetrate it, the paper said.
>
> Palm-top devices can only run PGP if they use the Palm OS or Windows
> CE operating systems, said Phil Zimmermann, who developed the
> encryption software in the early 1990s. Psion uses its own operating
> system known as Epoc, but it might still be possible to use PGP as a
> third party add-on, a spokesperson for the British company said.
>
> There is no way that the investigators will succeed in breaking the code
> with the collaboration of the current manufacturers of PGP, the Palo
> Alto, California-based PGP, Zimmermann said in a telephone interview.
>
> "Does PGP have a back door? The answer is no, it does not," he
> said. "If the device is running PGP it will not be possible to break it
with
> cryptanalysis alone."
>
> Investigators would need to employ alternative techniques, such as
> looking at the unused area of memory to see if it contained remnants of
> plain text that existed before encryption, Zimmermann said.
>
> Privacy vs. Security
> The investigators' failure to penetrate the PDA's encryption provides a
> good example of what is at stake in the privacy-versus-security debate,
> which has been given a whole new dimension by the September 11
> terrorist attacks in the U.S.
>
> Zimmermann remains convinced that the advantages of PGP, which was
> originally developed as a human rights project to protect individuals
> against oppressive governments, outweigh the disadvantages.
>
> "I'm sorry that cryptology is such a problematic technology, but there is
> nothing we can do that will give this technology to everyone without
> also giving it to the criminals," he said. "PGP is used by every human
> rights organization in the world. It's something that's used for good. It
> saves lives."
>
> Nazi Germany and Stalin's Soviet Union are examples of governments
> that had killed far more people than all the world's criminals and
> terrorists combined, Zimmermann said. It was probably technically
> impossible, Zimmermann said, to develop a system with a back door
> without running the risk that the key could fall into the hands of a
> Saddam Hussein or a Slobodan Milosevic, the former heads of Iraq and
> Yugoslavia, respectively.
>
> "A lot of cryptographers wracked their brains in the 1990s trying to
> devise strategies that would make everyone happy and we just
> couldn't come up with a scheme for doing it," he said.
>
> "I recognize we are having more problems with terrorists now than we
> did a decade ago. Nonetheless the march of surveillance technology is
> giving ever increasing power to governments. We need to have some
> ability for people to try to hide their private lives and get out of the
way
> of the video cameras," he said.
>
> More Good Than Harm?
> Even in the wake of September 11, Zimmermann retains the view that
> strong cryptography does more good for a democracy than harm. His
> personal website, PhilZimmerman.com, contains letters of appreciation
> from human rights organizations that have been able to defy intrusion
> by oppressive governments in Guatemala and Eastern Europe thanks
> to PGP. One letter describes how the software helped to protect an
> Albanian Muslim woman who faced an attack by Islamic extremists
> because she had converted to Christianity.
>
> Zimmermann said he had received a letter from a Kosovar man living in
> Scandinavia describing how the software had helped the Kosovo
> Liberation Army (KLA) in its struggle against the Serbs. On one
> occasion, he said, PGP-encrypted communications had helped to
> coordinate the evacuation of 8,000 civilians trapped by the Serbs in a
> Kosovo valley. "That could have turned into another mass grave,"
> Zimmermann said.
>
> Italian investigators have been particularly frustrated by their failure
to
> break into the captured Psions because so little is known about the
> new generation of Red Brigades. Their predecessors left a swathe of
> blood behind them, assassinating politicians, businessmen, and
> security officials and terrorizing the population by "knee-capping," or
> shooting in the legs, perceived opponents. Since re-emerging from the
> shadows in 1999 they have shot dead two university professors who
> advised the government on labor law reform.
>
> Cracking the Code
> Zimmermann is not optimistic about the investigators' chances of
> success. "The very best encryption available today is out of reach of the
> very best cryptanalytic methods that are known in the academic world,
> and it's likely to continue that way," he said.
>
> Sources close to the investigation have suggested that they may even
> have to turn to talented hackers for help in breaking into the seized
> devices. One of the magistrates coordinating the inquiry laughed at
> mention of the idea. "I can't say anything about that," he said.
>
> The technical difficulty in breaking PGP was described by an expert
> witness at a trial in the U.S. District Court in Tacoma, Washington, in
> April 1999. Steven Russelle, a detective with the Portland Police
> Bureau, was asked to explain what he meant when he said it was
> not "computationally feasible" to crack the code. "It means that in
> terms of today's technology and the speed of today's computers, you
> can't put enough computers together to crack a message of the kind
> that we've discussed in any sort of reasonable length of time," he told
> the court.
>
> Russelle was asked whether he was talking about a couple of years or
> longer. "We're talking about millions of years," he replied.
>
> [BTW: I read the ring was dismantled later, because one of the GSM
> mobile phones they used had to be repaired months earlier and the
> shop owner has preserved the telephone number they gave for
> notification when the unit is ready. His repair warrantly sticker was
> found inside the confiscated phone and so the law enforcement
> contacted him. Parsing the telco's history log for calls to / from that
> single number revealed almost the entire cell's structure. So make
> yourself a favour and buy a disposable mobile phone next time! Unless
> you are an environmental terrorist of course...]
>
> Sincerely: Tamas Feher.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ