Why trust gpg4win?

Robert J. Hansen rjh at sixdemonbag.org
Fri Jul 26 03:46:05 CEST 2013

On 7/25/2013 3:34 PM, takethebus at gmx.de wrote:
> why should I trust gpg4win? I have doubts since it was ordered by the
> "Bundesamt für Sicherheit in der Informationstechnik (BSI)", which has
> close connections to secret services. Is GnuPT any better? Finally, why
> should I trust GnuPG? I'm a windows user.

Some thoughts --

First, if you're concerned about the involvement of government
intelligence agencies then you're on the wrong mailing list.  They're
already here, and for the most part they're quite helpful individuals.

Consider In-Q-Tel.  In-Q-Tel is a nonprofit venture capital firm that
invests in technology companies for the purpose of keeping the United
States intelligence community ahead of the curve.  If there's going to
be some big sweeping change rocking through the tech world in the next
few years, it's In-Q-Tel's job to know about it, potentially to invest
in it, and to keep the U.S. intelligence community abreast of it.
(In-Q-Tel is *not* a government agency: it just has deep ties to the
intelligence community.)

Now, if you were to go over a list of In-Q-Tel personnel, you'd find
that a very senior person within In-Q-Tel has posted to this list in
recent memory, reads this list regularly, and when he speaks generally
gives very good advice.  (I'm not publicizing this person's name because
I don't want him to get deluged in mail.  However, he is public about
his association with In-Q-Tel, so I don't feel there's a problem with
saying this person exists.)

Should we shun this person from the community?  Would telling this
person "hit the road, Jack, we don't want you around here any more" make
any of us safer?  Or would we instead lose the contributions of someone
who has a unique and useful perspective, and who has always given sage

John W. Moore, who hasn't been seen on these lists in a long time, was
always quite open about his past as a United States Marine and his time
spent working for the NSA while in uniform.  John was always patient and
helpful with newbies.  He was an important part of Enigmail.  Should we
stop using Enigmail because John W. Moore once worked for Fort Meade?

I live in the Washington D.C. metro area and attend a handful of
computer forensics conferences around here.  A couple of years ago I
wound up sitting in an auditorium at the NSA, because they were willing
to host one of the conferences.  Should I be shunned because I've been
inside an NSA auditorium?  When I was in graduate school and working in
electronic voting, my advisor and I wound up having a couple of
conversations with CIA personnel who wanted our opinions on the
trustworthiness of foreign elections -- "can the results from this
country be trusted?" sort of thing.  Should I be shunned because I've
briefed a couple of people about the electoral conditions in remote,
far-off places?  My father is a federal judge: does that make me any
more suspect?  One of my friends is an FBI agent: maybe that ought to
disqualify me?

... It is completely natural to have concerns about the trustworthiness
of GnuPG and to wonder whether it has ties to the BSI and/or BND.  But I
respectfully suggest that if you're going to worry about that, you
should first worry about the GnuPG community as a whole.  Within this
community there exist an awful lot of people who have ties to the
government, to law-enforcement, to intelligence agencies, and more.

But that doesn't mean we're the bad guys, and it doesn't mean the
community is endangered because we're present.  I believe it's quite the
opposite.  The In-Q-Tel executive has an incredible perspective on
developing technologies, and we all benefit from that.  John Moore's
firsthand knowledge of history was very useful to us.  For me, growing
up around government and law-enforcement taught me a lot about how they
think and see the world, and I can impart some of that.

The moral of the story, I think, is that you shouldn't be worried about
the BSI or the BND.  Worry about people instead.  Ask yourself this
question: do you really believe Werner would deliberately compromise
GnuPG in order to satisfy a demand from the BND?

If your answer is "yes," then you probably shouldn't use GnuPG at all.

If your answer is "no," then it doesn't matter if Werner is working for
the BND himself.  (He's not, by the way.)  If you don't believe Werner
would do that to you, then there's no problem.

In the end, it's all a question of trust... and that means it's
something that *only you* can answer.

