Interesting...

Adam Pavelec apavelec@benefit-services.com
Thu Jul 11 18:46:02 2002


My memory must be terrible because I don't recall writing anything about a
backdoor, nor can I bring to mind anything in the below-linked article
regarding a backdoor.  Besides, this is a USER's mailing list -- not a
DEVELOPER's list.  I figured that GnuPG users would be interested in such
news, since many of them were most likely first introduced to PGP through,
well, NAI/McAfee PGP itself.  Some might even still be using the perilous
product(s) and may very well be vulnerable to the threat.  To think that I
am asinine due to my comment is perhaps to insult yourself, for you seem to
be more committed to the development of GPG than assisting the users of it;
and my comment merely implies a degree of thanks to the developers of GnuPG
for doing what they do the way they do it.

----- Original Message -----
From: <uid0-414@catastrophe.net>
To: "Adam Pavelec" <apavelec@benefit-services.com>
Cc: <gnupg-users@gnupg.org>
Sent: Thursday, July 11, 2002 11:24 AM
Subject: Re: Interesting...


> On Thu, 2002-07-11 at 10:07:37 -0400, Adam Pavelec wrote...
>
> ; Here's a rather interesting article:
> ; http://www.eweek.com/article2/0,3959,368778,00.asp
> ;
> ; I am glad GnuPG is open to review by our community to avoid
> ; these issues.
>
> Normally I'd blow these off, but given the state of computer and Internet
> security at this point, it deserves a good flame.
>
> Adam,
>
>   1. What measures have you taken to verify that the authors of GnuPG
>      have not backdoored their code? Do you personally know the authors,
>      and have you worked with them during every step of the development
>      process to ensure they haven't been held at gunpoint to add
>      backdoors?
>
>   2. How often do you perform a full cryptographic analysis of the
>      functions used in GnuPG? Are you 100% sure they're the standard (i.e.
>      they haven't changed encryption algorithm BLA-31 to work around broken
>      code, etc.)?
>
>   3. Have you performed step #1 listed above for GPGshell as well? How can
>      you be certain a keystroke logger hasn't been built into it to catch
>      your passphrase?
>
>   4. Have you done thorough source code auditing of your operating systems
>      for each machine you use GPG on, and are you working in a clean room
>      to ensure that the machines cannot be attacked and backdoored w/o
>      your knowledge?
>
>   5. Are you using built-in kernel checksumming of swap space and have you
>      changed GPG to verify its checksum each time you run it?
>
> My point here is that making statements as you have made due to some
> article you've read is asinine. Yes, NAI's code checking skills obviously
> are lacking, and yes eEye is only into things for the glamour they provide,
> but please... get some ammo and not an article.
>
> -#0
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
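Point 5 of the quoted reply asks whether GPG has been changed to verify its own checksum each time it runs. The wrapper below is an added example, not code from the thread or from the GnuPG project: it refuses to run a binary unless the file's SHA-256 matches a hash pinned at install time. The demo uses a constructed stand-in script instead of a real gpg binary so it runs offline; the function names (`verify_pinned`, `run_pinned`, `demo`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): run a binary only if its
# SHA-256 matches a value pinned earlier. Assumes coreutils sha256sum or
# the Perl shasum found on BSD/macOS.

sha256_of() {
    # Print the hex SHA-256 of file $1, whichever tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned FILE EXPECTED_SHA256 -> exit 0 on match, 1 otherwise.
verify_pinned() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# run_pinned EXPECTED_SHA256 FILE [ARGS...]: run FILE only if it matches.
run_pinned() {
    expected=$1; shift
    bin=$1; shift
    if verify_pinned "$bin" "$expected"; then
        "$bin" "$@"
    else
        echo "refusing to run $bin: SHA-256 does not match pinned value" >&2
        return 1
    fi
}

# Demo on a constructed stand-in for the gpg binary (a two-line script):
# pin its hash, confirm it passes, append a line to simulate tampering,
# and confirm the check now fails. Prints "ok fail".
demo() {
    tmp=$(mktemp) || return 1
    printf '#!/bin/sh\necho gpg-stand-in\n' > "$tmp"
    chmod +x "$tmp"
    pinned=$(sha256_of "$tmp")                 # taken at "install" time
    verify_pinned "$tmp" "$pinned" && first=ok || first=fail
    printf '\n# simulated modification\n' >> "$tmp"
    verify_pinned "$tmp" "$pinned" && second=ok || second=fail
    rm -f "$tmp"
    echo "$first $second"
}
```

Two caveats a practitioner would raise, both in the spirit of the reply's point 1: the pinned hash only proves the file is unchanged since it was pinned, not that the pinned build was clean, and the wrapper itself, the hashing tool and the kernel are all outside what it checks. There is also a window between the hash check and the exec in which the file could be swapped; a read-only or signed root filesystem closes that gap, a script does not.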