lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <004201c41cc5$1f852110$1214dd80@corp.emc.com> From: exibar at thelair.com (Exibar) Subject: On PGP (was: Wiretap or Magic Lantern?) Although it is interesting to read, I wouldn't call an article in PCWORLD conclusive proof that PGP hasn't been compromised by the NSA. It is a good article though :-) Ex ----- Original Message ----- From: "Feher Tamas" <etomcat@...email.hu> To: <full-disclosure@...ts.netsys.com> Sent: Wednesday, April 07, 2004 11:56 AM Subject: [Full-Disclosure] On PGP (was: Wiretap or Magic Lantern?) > Hello, > > >>The terrorsts are not stupid, they use strong encryption and > >>there is proof that PGP repels NSA. > > > >What proof are you referring to? > > The case of the italian comrades: > > http://www.pcworld.com/news/article/0,aid,110841,00.asp > > PGP Encryption Proves Powerful > by Philip Willan, IDG News Service, 26 May 2003 > > If the police and FBI can't crack the code, is the technology too strong? > > Italian police have seized at least two Psion personal digital assistants > from members of the Red Brigades terrorist organization. But the major > investigative breakthrough they were hoping for as a result of the > information contained on the devices has failed to materialize-- > thwarted by encryption software used by the left-wing revolutionaries. > > Failure to crack the code, despite the reported assistance of U.S. > Federal Bureau of Investigation computer experts, puts a spotlight on > the controversy over the wide availability of powerful encryption tools. > > The Psion devices were seized on March 2 after a shootout on a train > traveling between Rome and Florence, Italian media and sources close > to the investigation said. The devices, believed to number two or three, > were seized from Nadia Desdemona Lioce and her Red Brigades > comrade Mario Galesi, who was killed in the shootout. An Italian police > officer was also killed. At least one of the devices contains information > protected by encryption software and has been sent for analysis to the > FBI facility in Quantico, Virginia, news reports and sources said. > > The FBI declined to comment on ongoing investigations, and Italian > authorities would not reveal details about the information or equipment > seized during the shootout. > > Pretty Good Privacy > The software separating the investigators from a potentially invaluable > mine of information about the shadowy terrorist group, which > destabilized Italy during the 1970s and 1980s and revived its practice > of political assassination four years ago after a decade of quiescence, > was PGP (Pretty Good Privacy), the Rome daily La Repubblica reported. > So far the system has defied all efforts to penetrate it, the paper said. > > Palm-top devices can only run PGP if they use the Palm OS or Windows > CE operating systems, said Phil Zimmermann, who developed the > encryption software in the early 1990s. Psion uses its own operating > system known as Epoc, but it might still be possible to use PGP as a > third party add-on, a spokesperson for the British company said. > > There is no way that the investigators will succeed in breaking the code > with the collaboration of the current manufacturers of PGP, the Palo > Alto, California-based PGP, Zimmermann said in a telephone interview. > > "Does PGP have a back door? The answer is no, it does not," he > said. "If the device is running PGP it will not be possible to break it with > cryptanalysis alone." > > Investigators would need to employ alternative techniques, such as > looking at the unused area of memory to see if it contained remnants of > plain text that existed before encryption, Zimmermann said. > > Privacy vs. Security > The investigators' failure to penetrate the PDA's encryption provides a > good example of what is at stake in the privacy-versus-security debate, > which has been given a whole new dimension by the September 11 > terrorist attacks in the U.S. > > Zimmermann remains convinced that the advantages of PGP, which was > originally developed as a human rights project to protect individuals > against oppressive governments, outweigh the disadvantages. > > "I'm sorry that cryptology is such a problematic technology, but there is > nothing we can do that will give this technology to everyone without > also giving it to the criminals," he said. "PGP is used by every human > rights organization in the world. It's something that's used for good. It > saves lives." > > Nazi Germany and Stalin's Soviet Union are examples of governments > that had killed far more people than all the world's criminals and > terrorists combined, Zimmermann said. It was probably technically > impossible, Zimmermann said, to develop a system with a back door > without running the risk that the key could fall into the hands of a > Saddam Hussein or a Slobodan Milosevic, the former heads of Iraq and > Yugoslavia, respectively. > > "A lot of cryptographers wracked their brains in the 1990s trying to > devise strategies that would make everyone happy and we just > couldn't come up with a scheme for doing it," he said. > > "I recognize we are having more problems with terrorists now than we > did a decade ago. Nonetheless the march of surveillance technology is > giving ever increasing power to governments. We need to have some > ability for people to try to hide their private lives and get out of the way > of the video cameras," he said. > > More Good Than Harm? > Even in the wake of September 11, Zimmermann retains the view that > strong cryptography does more good for a democracy than harm. His > personal website, PhilZimmerman.com, contains letters of appreciation > from human rights organizations that have been able to defy intrusion > by oppressive governments in Guatemala and Eastern Europe thanks > to PGP. One letter describes how the software helped to protect an > Albanian Muslim woman who faced an attack by Islamic extremists > because she had converted to Christianity. > > Zimmermann said he had received a letter from a Kosovar man living in > Scandinavia describing how the software had helped the Kosovo > Liberation Army (KLA) in its struggle against the Serbs. On one > occasion, he said, PGP-encrypted communications had helped to > coordinate the evacuation of 8,000 civilians trapped by the Serbs in a > Kosovo valley. "That could have turned into another mass grave," > Zimmermann said. > > Italian investigators have been particularly frustrated by their failure to > break into the captured Psions because so little is known about the > new generation of Red Brigades. Their predecessors left a swathe of > blood behind them, assassinating politicians, businessmen, and > security officials and terrorizing the population by "knee-capping," or > shooting in the legs, perceived opponents. Since re-emerging from the > shadows in 1999 they have shot dead two university professors who > advised the government on labor law reform. > > Cracking the Code > Zimmermann is not optimistic about the investigators' chances of > success. "The very best encryption available today is out of reach of the > very best cryptanalytic methods that are known in the academic world, > and it's likely to continue that way," he said. > > Sources close to the investigation have suggested that they may even > have to turn to talented hackers for help in breaking into the seized > devices. One of the magistrates coordinating the inquiry laughed at > mention of the idea. "I can't say anything about that," he said. > > The technical difficulty in breaking PGP was described by an expert > witness at a trial in the U.S. District Court in Tacoma, Washington, in > April 1999. Steven Russelle, a detective with the Portland Police > Bureau, was asked to explain what he meant when he said it was > not "computationally feasible" to crack the code. "It means that in > terms of today's technology and the speed of today's computers, you > can't put enough computers together to crack a message of the kind > that we've discussed in any sort of reasonable length of time," he told > the court. > > Russelle was asked whether he was talking about a couple of years or > longer. "We're talking about millions of years," he replied. > > [BTW: I read the ring was dismantled later, because one of the GSM > mobile phones they used had to be repaired months earlier and the > shop owner has preserved the telephone number they gave for > notification when the unit is ready. His repair warrantly sticker was > found inside the confiscated phone and so the law enforcement > contacted him. Parsing the telco's history log for calls to / from that > single number revealed almost the entire cell's structure. So make > yourself a favour and buy a disposable mobile phone next time! Unless > you are an environmental terrorist of course...] > > Sincerely: Tamas Feher. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > >
Powered by blists - more mailing lists