Interesting...
uid0-414@catastrophe.net
Thu Jul 11 17:23:01 2002
On Thu, 2002-07-11 at 10:07:37 -0400, Adam Pavelec wrote...
; Here's a rather interesting article:
; http://www.eweek.com/article2/0,3959,368778,00.asp
;
; I am glad GnuPG is open to review by our community to avoid
; these issues.
Normally I'd blow these off, but given the state of computer and Internet
security at this point, it deserves a good flame.
Adam,
1. What measures have you taken to verify that the authors of GnuPG
have not backdoored their code?? Do you personally know the authors,
and have you worked with them during every step of the development
process to ensure they haven't been held at gunpoint to add
backdoors?
2. How often do you perform a full cryptographic analysis of the functions
used in GnuPG? Are you 100% sure they're the standard (i.e. they
haven't changed encryption algorithm BLA-31 to work around broken
code, etc.)?
3. Have you performed step #1 listed above for GPGshell as well? How can
you be certain a keystroke logger hasn't been built into it to catch
your passphrase?
4. Have you done thorough source code auditing of your operating systems
for each machine you use GPG on, and are you working in a clean room
to ensure that the machines cannot be attacked and backdoored w/o
your knowledge?
5. Are you using built-in kernel checksumming of swap space and have you
changed GPG to verify its checksum each time you run it?
My point here is that making statements as you have made due to some article
you've read is asinine. Yes, NAI's code checking skills obviously are
lacking, and yes eEye is only into things for the glamour they provide,
but please...get some ammo and not an article.
-#0