Well, the mirror on lessgov is gone too. But http://cryptome.sabotage.org/ is still up, anyway. So you can see for yourself that they have PGP as the only crypto product they offer. If they have altered it, anyone can see by comparing the source, which they also provide (both stored offsite, and also unavailable right now).

I can believe that you are almost sure, but since this is a fact you can verify, why assume, why not prove it?

Let me give you a hint: look at the paper from Claude Crepeau and Alain Slakmon on Simple Backdoors to RSA key generation. If you want to alter PGP in a way difficult to detect, this would be the way. Any other way would be too obvious. If you see how feasible this is, rethink your position. Any key scheme you use may be backdoored, so generating your own keypairs might just not suffice.

Let me turn the issue around a bit - any crypto software distributed with the blessing or very active support in development of the Powers That Are in No Such Agency, would you assume that there is no backdoor? Just google on Key Recovery features, in P1363 or any other mainstream PKI - search on project Krisis by the EU, or look at the archived site kra.org (on archive.org), look at the discussions related to the Wassenaar agreements. See the continuing story from Clipper chip via Key Escrow to CKI on certain if not all governments wanting access to your keys for policing? What if the company you serve has offices all over the world? Will you give the crypto keys to all the countries where you have offices? Remember that ex-CIA boss Woolsey admitted 'checking' on European companies, whether they violated trade embargoes? How? As security professionals we need to be aware of who might be reading our confidential information - and then decide whether this is acceptable to the company whose data you must secure. Don't forget that maybe some gov. agencies might lose the keys to the data you should be protecting. What a nice liability case it would be, heh! Say I open an office in Australia - and the gov there wants root to my systems, for policing. Should I give them access to the corporate network or just the Australian office? But will my network zoning suffice to keep them off, say, my Miami office's network? Is it legal in Florida to give access to unspecified police or intelligence communities in other countries to data, maybe even sensitive to national security? This will be a definite No, so in order not to break the law in one country, I must break it in another country. How to risk-manage this?

On a personal note: I am almost sure that the risk to my personal well-being by the American Government, albeit small, is bigger than that posed by extremists such as John Young, who do not have much means, budget or interest in bothering me. Taking on the US govt, as they do, they'll have their hands full.

And please, can we stay clear of political statements on this forum? This is one of the few places I can hang around and not be bothered by political statements not linked at all to the subject matter of the list.
Yossarian
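The source comparison the post describes (check whether the copy a mirror serves matches a reference copy you hold, or a manifest of its hashes) can be done mechanically. The following is an added example, not code from the original post, from Cryptome, or from PGP; all file names, contents and hash manifests are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class TreeDiff:
    """Result of comparing a mirrored source tree against a reference."""
    missing: list = field(default_factory=list)   # in reference, absent from mirror
    added: list = field(default_factory=list)     # on mirror, absent from reference
    modified: list = field(default_factory=list)  # present in both, contents differ

    def clean(self) -> bool:
        return not (self.missing or self.added or self.modified)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_tree(tree: dict) -> dict:
    """Map each path in a {path: bytes} tree to the SHA-256 of its contents."""
    return {path: sha256_hex(content) for path, content in tree.items()}


def compare_manifests(reference: dict, mirror: dict) -> TreeDiff:
    """Compare two {path: sha256 hex} manifests and classify every path."""
    diff = TreeDiff()
    for path in sorted(set(reference) | set(mirror)):
        if path not in mirror:
            diff.missing.append(path)
        elif path not in reference:
            diff.added.append(path)
        elif reference[path] != mirror[path]:
            diff.modified.append(path)
    return diff


def compare_trees(reference: dict, mirror: dict) -> TreeDiff:
    """Compare two in-memory source trees file by file."""
    return compare_manifests(digest_tree(reference), digest_tree(mirror))


# Constructed sample: a tiny stand-in for the files of a PGP source tarball.
REFERENCE_TREE = {
    "pgp/keygen.c": b"/* RSA key generation */\nint pgp_rsa_generate(void) { return 0; }\n",
    "pgp/random.c": b"/* entropy pool */\nint pgp_random_byte(void) { return 4; }\n",
    "README": b"PGP source, reference copy\n",
}

# Constructed mirror copy: one line changed in keygen.c and one extra file added.
MIRROR_TREE = {
    "pgp/keygen.c": b"/* RSA key generation */\nint pgp_rsa_generate(void) { return 1; }\n",
    "pgp/random.c": REFERENCE_TREE["pgp/random.c"],
    "README": REFERENCE_TREE["README"],
    "pgp/patch.note": b"local build tweaks\n",
}

# A manifest is what you keep when the offsite reference copy itself is not
# reachable: only the hashes are needed to check a mirror later.
REFERENCE_MANIFEST = digest_tree(REFERENCE_TREE)


def verify_mirror() -> TreeDiff:
    """Check the mirror against the retained hash manifest of the reference."""
    return compare_manifests(REFERENCE_MANIFEST, digest_tree(MIRROR_TREE))


if __name__ == "__main__":
    result = verify_mirror()
    print("mirror matches reference" if result.clean() else "mirror differs")
    for label, paths in (("missing", result.missing),
                         ("added", result.added),
                         ("modified", result.modified)):
        for path in paths:
            print(f"  {label}: {path}")
```

A clean comparison only establishes that the mirror serves the same bytes as the reference copy; it says nothing about whether the reference itself is trustworthy, which is exactly the gap the Crepeau and Slakmon reference in the post points at.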
Title: Cryptome Hacked!