"Jay D. Dyson" wrote: > On Fri, 17 May 2002, TERRA209792 wrote: > > What is the best free software > > for encrypting e-mail? Any sugestion? > With the demise of NAI PGP, > your options are somewhat limited.
Well, the history of all of this and the outcome of it all is kind of interesting. Throughout the development of PGP, "the enemy" was pretty much equated with the "three-letter agencies." i found it a very "telling thing" yesterday to have drifted from http://www.cheapbytes.com along a link for a cd containing "Security-Enhanced Linux" to the website http://www.nsa.gov/selinux/ wherein they mention that NAI has "teamed-up" with the NSA in that project.

At the NSA's site, there is the result of their ongoing project: a 38MB tarball of C-code and patches to the Linux kernel. Being quite interested in finding how many back-doors this benevolent project might install into what was once (and still is) the most trusted of all OSes, i downloaded, unzipped, and untarred it all to find that i had a 160MB directory of source-code reading ahead of me. Well, of course, that is ludicrous; i haven't the time (or the talent ??) to sift through 0.01% of that !!

But, it _does_ reinforce the speculation that a lot of us have had over the years as we watched the development of PGP go from an open-source project undertaken by the Net, to having been taken over by a truly admirable group of graduate and undergrad students and faculty at MIT. Now, doesn't MIT do a lot of contracting with the CIA and the NSA and the DOJ and the DoD and on and on ?? Hmmmmm. But, it was still open-sourced, and the Net still had enough enthused and talented people following the development and hacking away at the evolving product that those "lessers" of us could still have faith in the integrity of PGP.

Still, wanting to be able to read the source-code was the prime motivator in my compulsion to learn C. i'd _love_ to be so accomplished as to be able to contribute something worthwhile to something in the open-source realm... besides my rare donations to the FSF ("the Free Software Foundation"... Gnu, emacs, Richard Stallman, gcc, gdb, make, automake, GnuPlot, cvs, bc, bash, all of these, i believe, came from FSF).

But, then it was an interesting development that NAI took over the guiding of the evolution of PGP after version 2.6.2. All the development went behind closed doors. But, at least, NAI provided the source-code through version 6.*. But, how much faith could one have in the product then ?? By the time that PGP had evolved to version 5.0 and beyond, NAI had added in all kinds of GUI interfacing and disk-encryption and automated key acquisition and on and on, so that the source had grown to the 'teens of MBs. And, the one time that i actually looked into how one might go about compiling a binary, wondering how it would "diff" from _their_ (NAI's) binaries provided to us, i found that in order to compile the mess, you'd have to have about four to six particular compilers and various software products which i didn't have (or want, their being DOS).

So, how many people could then trust that there were no back-doors snuck in by NAI ?? Were people still reviewing the source-code in detail ?? Well, at least the Cyber-Knights (?) had modified the product to allow monstrous key-sizes. But had even they (whoever they are) read _all_ of the code ??

But, then, NAI announced that, as of version 7.0, they would no longer make the source-code available !! Fortunately, at about the time of 6.0, the FSF had gotten GnuPG ready enough to declare "version 1.0" available for release.

So, now, in light of all of the above, and especially the part about having found that NAI has colluded with the NSA to produce a "security-enhancement" product that i will supposedly blindly patch into my dearly beloved Linux kernel, i certainly now have _no_ faith in NAI and/or _any_ product that NAI has touched in the past five or so years.

So, i guess that it all comes down to several questions and your level of awareness.
Do you want your _private_ e-mail to be readable by only your intended recipient, or are you willing to run a product through which the government of the United Snakes might have full access to what you wanted to think was secret and secure from all? And, how aware are you of what comprises the track-record of the NSA and the CIA? Do you know about how they've, for example, used Echelon to spy on public agencies and private companies in, most notably, Europe, and then disclosed their findings to american companies, thus allowing the american companies to under-bid various projects and so to win contracts ??

So, i'm glad to have GnuPG, though i'm even skeptical of that, without having myself read all of the source-code. But, at least i can know that thousands of others _have_ reviewed it.

And, now we've got an unelected government which has expressed the wish to declare secret all presidential archives back to Papa Bush and/or Reagan, yet they intend to listen in on conversations that i might have with my attorney, should i ever need one. They have granted themselves the "right" to break into my home when i'm not there and to leave key-press sniffing programs in my computer(s). This government wants to snoop and sniff any and everything that you or i do, but they want us to have zero access to what they're up to.

So, if you're deliberating whether to choose PGP or GnuPG, please have the wisdom and the level of consciousness to take into account all that history.

Sorry that this was such a long post.

john
Seattle

--
The Central Intelligence Agency owns everyone of any significance in the major media.
-- William Colby, former CIA Director
