lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: James.Cupps at sappi.com (James.Cupps@...pi.com)
Subject: On PGP (was: Wiretap or Magic Lantern?)

Whether it is cracked or not is moot. Magic Lantern was a keystroke logger. 

Presumably even if you are a pgp fanatic you will type the password in
somewhere and if the agent feeds back to a central database at that point
then pgp is useless to you. In addition to that, the keys (private key
included) are stored on a local system with a specific file extension. The
RPC DCOM vuln (along with hundreds of others from many different
architectures) existed for years without anyone knowing publicly. Anyone who
thinks that someone didn't know about it for at least some of that time is
naive. Likewise there are probably ones of a similar nature that are not
known of or patched yet.

By the way my last mail made it sound like I don't care if someone looks at
my mail. That isn't true. I do understand the implications and reasonable
concern is warranted. The intention of the message was to stress that it is
possible not to draw a conclusion on whether or not it would be justifiable.


I just realize that there is little I can do about it so I live with the
knowledge that anything I do on a computer connected to the net anywhere is
likely to be public eventually. And obfuscating it with fake email accounts,
proxies or usernames only slows people who really want the information. It
probably doesn't slow them that much.

Like I said before I hope any real NSA (or CIA or FBI) guys reading this
thread get a kick out of where and how we are wrong.

When you send a message (or browse a website or even send a ping with data
content) of any type on the internet it is the same as ordering a bag of
nuts at your favorite sporting event. All the people near you will know you
ordered it and how much you paid. I just choose not to pass my credit card
down the line to the guy with the nuts.


James Cupps
Information Security Officer




-----Original Message-----
From: Exibar [mailto:exibar@...lair.com] 
Sent: Wednesday, April 07, 2004 1:24 PM
To: Feher Tamas; full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] On PGP (was: Wiretap or Magic Lantern?)

Although it is interesting to read, I wouldn't call an article in PCWORLD
conclusive proof that PGP hasn't been compromised by the NSA.

  It is a good article though :-)

  Ex


----- Original Message ----- 
From: "Feher Tamas" <etomcat@...email.hu>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, April 07, 2004 11:56 AM
Subject: [Full-Disclosure] On PGP (was: Wiretap or Magic Lantern?)


> Hello,
>
> >>The terrorsts are not stupid, they use strong encryption and
> >>there is proof that PGP repels NSA.
> >
> >What proof are you referring to?
>
> The case of the italian comrades:
>
> http://www.pcworld.com/news/article/0,aid,110841,00.asp
>
> PGP Encryption Proves Powerful
> by Philip Willan, IDG News Service, 26 May 2003
>
> If the police and FBI can't crack the code, is the technology too strong?
>
> Italian police have seized at least two Psion personal digital assistants
> from members of the Red Brigades terrorist organization. But the major
> investigative breakthrough they were hoping for as a result of the
> information contained on the devices has failed to materialize--
> thwarted by encryption software used by the left-wing revolutionaries.
>
> Failure to crack the code, despite the reported assistance of U.S.
> Federal Bureau of Investigation computer experts, puts a spotlight on
> the controversy over the wide availability of powerful encryption tools.
>
> The Psion devices were seized on March 2 after a shootout on a train
> traveling between Rome and Florence, Italian media and sources close
> to the investigation said. The devices, believed to number two or three,
> were seized from Nadia Desdemona Lioce and her Red Brigades
> comrade Mario Galesi, who was killed in the shootout. An Italian police
> officer was also killed. At least one of the devices contains information
> protected by encryption software and has been sent for analysis to the
> FBI facility in Quantico, Virginia, news reports and sources said.
>
> The FBI declined to comment on ongoing investigations, and Italian
> authorities would not reveal details about the information or equipment
> seized during the shootout.
>
> Pretty Good Privacy
> The software separating the investigators from a potentially invaluable
> mine of information about the shadowy terrorist group, which
> destabilized Italy during the 1970s and 1980s and revived its practice
> of political assassination four years ago after a decade of quiescence,
> was PGP (Pretty Good Privacy), the Rome daily La Repubblica reported.
> So far the system has defied all efforts to penetrate it, the paper said.
>
> Palm-top devices can only run PGP if they use the Palm OS or Windows
> CE operating systems, said Phil Zimmermann, who developed the
> encryption software in the early 1990s. Psion uses its own operating
> system known as Epoc, but it might still be possible to use PGP as a
> third party add-on, a spokesperson for the British company said.
>
> There is no way that the investigators will succeed in breaking the code
> with the collaboration of the current manufacturers of PGP, the Palo
> Alto, California-based PGP, Zimmermann said in a telephone interview.
>
> "Does PGP have a back door? The answer is no, it does not," he
> said. "If the device is running PGP it will not be possible to break it
with
> cryptanalysis alone."
>
> Investigators would need to employ alternative techniques, such as
> looking at the unused area of memory to see if it contained remnants of
> plain text that existed before encryption, Zimmermann said.
>
> Privacy vs. Security
> The investigators' failure to penetrate the PDA's encryption provides a
> good example of what is at stake in the privacy-versus-security debate,
> which has been given a whole new dimension by the September 11
> terrorist attacks in the U.S.
>
> Zimmermann remains convinced that the advantages of PGP, which was
> originally developed as a human rights project to protect individuals
> against oppressive governments, outweigh the disadvantages.
>
> "I'm sorry that cryptology is such a problematic technology, but there is
> nothing we can do that will give this technology to everyone without
> also giving it to the criminals," he said. "PGP is used by every human
> rights organization in the world. It's something that's used for good. It
> saves lives."
>
> Nazi Germany and Stalin's Soviet Union are examples of governments
> that had killed far more people than all the world's criminals and
> terrorists combined, Zimmermann said. It was probably technically
> impossible, Zimmermann said, to develop a system with a back door
> without running the risk that the key could fall into the hands of a
> Saddam Hussein or a Slobodan Milosevic, the former heads of Iraq and
> Yugoslavia, respectively.
>
> "A lot of cryptographers wracked their brains in the 1990s trying to
> devise strategies that would make everyone happy and we just
> couldn't come up with a scheme for doing it," he said.
>
> "I recognize we are having more problems with terrorists now than we
> did a decade ago. Nonetheless the march of surveillance technology is
> giving ever increasing power to governments. We need to have some
> ability for people to try to hide their private lives and get out of the
way
> of the video cameras," he said.
>
> More Good Than Harm?
> Even in the wake of September 11, Zimmermann retains the view that
> strong cryptography does more good for a democracy than harm. His
> personal website, PhilZimmerman.com, contains letters of appreciation
> from human rights organizations that have been able to defy intrusion
> by oppressive governments in Guatemala and Eastern Europe thanks
> to PGP. One letter describes how the software helped to protect an
> Albanian Muslim woman who faced an attack by Islamic extremists
> because she had converted to Christianity.
>
> Zimmermann said he had received a letter from a Kosovar man living in
> Scandinavia describing how the software had helped the Kosovo
> Liberation Army (KLA) in its struggle against the Serbs. On one
> occasion, he said, PGP-encrypted communications had helped to
> coordinate the evacuation of 8,000 civilians trapped by the Serbs in a
> Kosovo valley. "That could have turned into another mass grave,"
> Zimmermann said.
>
> Italian investigators have been particularly frustrated by their failure
to
> break into the captured Psions because so little is known about the
> new generation of Red Brigades. Their predecessors left a swathe of
> blood behind them, assassinating politicians, businessmen, and
> security officials and terrorizing the population by "knee-capping," or
> shooting in the legs, perceived opponents. Since re-emerging from the
> shadows in 1999 they have shot dead two university professors who
> advised the government on labor law reform.
>
> Cracking the Code
> Zimmermann is not optimistic about the investigators' chances of
> success. "The very best encryption available today is out of reach of the
> very best cryptanalytic methods that are known in the academic world,
> and it's likely to continue that way," he said.
>
> Sources close to the investigation have suggested that they may even
> have to turn to talented hackers for help in breaking into the seized
> devices. One of the magistrates coordinating the inquiry laughed at
> mention of the idea. "I can't say anything about that," he said.
>
> The technical difficulty in breaking PGP was described by an expert
> witness at a trial in the U.S. District Court in Tacoma, Washington, in
> April 1999. Steven Russelle, a detective with the Portland Police
> Bureau, was asked to explain what he meant when he said it was
> not "computationally feasible" to crack the code. "It means that in
> terms of today's technology and the speed of today's computers, you
> can't put enough computers together to crack a message of the kind
> that we've discussed in any sort of reasonable length of time," he told
> the court.
>
> Russelle was asked whether he was talking about a couple of years or
> longer. "We're talking about millions of years," he replied.
>
> [BTW: I read the ring was dismantled later, because one of the GSM
> mobile phones they used had to be repaired months earlier and the
> shop owner has preserved the telephone number they gave for
> notification when the unit is ready. His repair warrantly sticker was
> found inside the confiscated phone and so the law enforcement
> contacted him. Parsing the telco's history log for calls to / from that
> single number revealed almost the entire cell's structure. So make
> yourself a favour and buy a disposable mobile phone next time! Unless
> you are an environmental terrorist of course...]
>
> Sincerely: Tamas Feher.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This message may contain information which is private, privileged or
confidential and is intended solely for the use of the individual or entity
named in the message. If you are not the intended recipient of this message,
please notify the sender thereof and destroy / delete the message. Neither
the sender nor Sappi Limited (including its subsidiaries and associated
companies) shall incur any liability resulting directly or indirectly from
accessing any of the attached files which may contain a virus or the like.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ