Anonymous Servers - FBI can't crack PGP - There are no "backdoors"

Author

FBI can't crack PGP - There are no "backdoors"

Thrasher Remailer

2005-06-21, 5:46 pm

http://www.pcworld.com/resource/pri...d,110841,00.asp

PGP Encryption Proves Powerful

If the police and FBI can't crack the code, is the technology too
strong?

Philip Willan, IDG News Service Monday, May 26, 2003

ROME -- Italian police have seized at least two Psion personal
digital assistants from members of the Red Brigades terrorist
organization. But the major investigative breakthrough they were
hoping for as a result of the information contained on the devices
has failed to materialize--thwarted by encryption software used by
the left-wing revolutionaries.

Failure to crack the code, despite the reported assistance of U.S.
Federal Bureau of Investigation computer experts, puts a spotlight on
the controversy over the wide availability of powerful encryption
tools.

The Psion devices were seized on March 2 after a shootout on a train
traveling between Rome and Florence, Italian media and sources close
to the investigation said. The devices, believed to number two or
three, were seized from Nadia Desdemona Lioce and her Red Brigades
comrade Mario Galesi, who was killed in the shootout. An Italian
police officer was also killed. At least one of the devices contains
information protected by encryption software and has been sent for
analysis to the FBI facility in Quantico, Virginia, news reports and
sources said.

The FBI declined to comment on ongoing investigations, and Italian
authorities would not reveal details about the information or
equipment seized during the shootout. Pretty Good Privacy

The software separating the investigators from a potentially
invaluable mine of information about the shadowy terrorist group,
which destabilized Italy during the 1970s and 1980s and revived its
practice of political assassination four years ago after a decade of
quiescence, was PGP (Pretty Good Privacy), the Rome daily La
Repubblica reported. So far the system has defied all efforts to
penetrate it, the paper said.

Palm-top devices can only run PGP if they use the Palm OS or Windows
CE operating systems, said Phil Zimmermann, who developed the
encryption software in the early 1990s. Psion uses its own operating
system known as Epoc, but it might still be possible to use PGP as a
third party add-on, a spokesperson for the British company said.

There is no way that the investigators will succeed in breaking the
code with the collaboration of the current manufacturers of PGP, the
Palo Alto, California-based PGP, Zimmermann said in a telephone
interview.

"Does PGP have a back door? The answer is no, it does not," he said.
"If the device is running PGP it will not be possible to break it
with cryptanalysis alone."

Investigators would need to employ alternative techniques, such as
looking at the unused area of memory to see if it contained remnants
of plain text that existed before encryption, Zimmermann said.
Privacy vs. Security

The investigators' failure to penetrate the PDA's encryption provides
a good example of what is at stake in the privacy-versus-security
debate, which has been given a whole new dimension by the September
11 terrorist attacks in the U.S.

Zimmermann remains convinced that the advantages of PGP, which was
originally developed as a human rights project to protect individuals
against oppressive governments, outweigh the disadvantages.

"I'm sorry that cryptology is such a problematic technology, but
there is nothing we can do that will give this technology to everyone
without also giving it to the criminals," he said. "PGP is used by
every human rights organization in the world. It's something that's
used for good. It saves lives."

Nazi Germany and Stalin's Soviet Union are examples of governments
that had killed far more people than all the world's criminals and
terrorists combined, Zimmermann said. It was probably technically
impossible, Zimmermann said, to develop a system with a back door
without running the risk that the key could fall into the hands of a
Saddam Hussein or a Slobodan Milosevic, the former heads of Iraq and
Yugoslavia, respectively.

"A lot of cryptographers wracked their brains in the 1990s trying to
devise strategies that would make everyone happy and we just couldn't
come up with a scheme for doing it," he said.

"I recognize we are having more problems with terrorists now than we
did a decade ago. Nonetheless the march of surveillance technology is
giving ever increasing power to governments. We need to have some
ability for people to try to hide their private lives and get out of
the way of the video cameras," he said. More Good Than Harm?

Even in the wake of September 11, Zimmermann retains the view that
strong cryptography does more good for a democracy than harm. His
personal website, PhilZimmerman.com, contains letters of appreciation
from human rights organizations that have been able to defy intrusion
by oppressive governments in Guatemala and Eastern Europe thanks to
PGP. One letter describes how the software helped to protect an
Albanian Muslim woman who faced an attack by Islamic extremists
because she had converted to Christianity.

Zimmermann said he had received a letter from a Kosovar man living in
Scandinavia describing how the software had helped the Kosovo
Liberation Army (KLA) in its struggle against the Serbs. On one
occasion, he said, PGP-encrypted communications had helped to
coordinate the evacuation of 8,000 civilians trapped by the Serbs in
a Kosovo valley. "That could have turned into another mass grave,"
Zimmermann said.

Italian investigators have been particularly frustrated by their
failure to break into the captured Psions because so little is known
about the new generation of Red Brigades. Their predecessors left a
swathe of blood behind them, assassinating politicians, businessmen,
and security officials and terrorizing the population by
"knee-capping," or shooting in the legs, perceived opponents. Since
re-emerging from the shadows in 1999 they have shot dead two
university professors who advised the government on labor law reform.
Cracking the Code

Zimmermann is not optimistic about the investigators' chances of
success. "The very best encryption available today is out of reach of
the very best cryptanalytic methods that are known in the academic
world, and it's likely to continue that way," he said.

Sources close to the investigation have suggested that they may even
have to turn to talented hackers for help in breaking into the seized
devices. One of the magistrates coordinating the inquiry laughed at
mention of the idea. "I can't say anything about that," he said.

The technical difficulty in breaking PGP was described by an expert
witness at a trial in the U.S. District Court in Tacoma, Washington,
in April 1999. Steven Russelle, a detective with the Portland Police
Bureau, was asked to explain what he meant when he said it was not
"computationally feasible" to crack the code. "It means that in terms
of today's technology and the speed of today's computers, you can't
put enough computers together to crack a message of the kind that
we've discussed in any sort of reasonable length of time," he told
the court.

Russelle was asked whether he was talking about a couple of years or
longer. "We're talking about millions of years," he replied.

Unruh

2005-06-21, 5:47 pm

Thrasher Remailer <thrasher@reece.net.au> writes:

>http://www.pcworld.com/resource/pri...d,110841,00.asp

>PGP Encryption Proves Powerful

>If the police and FBI can't crack the code, is the technology too
>strong?

>Philip Willan, IDG News Service Monday, May 26, 2003

>ROME -- Italian police have seized at least two Psion personal
>digital assistants from members of the Red Brigades terrorist
>organization. But the major investigative breakthrough they were
>hoping for as a result of the information contained on the devices
>has failed to materialize--thwarted by encryption software used by
>the left-wing revolutionaries.

>Failure to crack the code, despite the reported assistance of U.S.
>Federal Bureau of Investigation computer experts, puts a spotlight on
>the controversy over the wide availability of powerful encryption
>tools.

That the police are disappointed is not reason why the laws should change.
They would also have been disappointed if the device was not present.
Should we now have a law that everything anyone does must be kept as a
database on a PDA always carried by the person? That would be wonderful for
the police. And the police would be disappointed if they got our PDA and
did not find that information on the device. But is that justification for
a new law?

>The Psion devices were seized on March 2 after a shootout on a train
>traveling between Rome and Florence, Italian media and sources close
>to the investigation said. The devices, believed to number two or
>three, were seized from Nadia Desdemona Lioce and her Red Brigades
>comrade Mario Galesi, who was killed in the shootout. An Italian
>police officer was also killed. At least one of the devices contains
>information protected by encryption software and has been sent for
>analysis to the FBI facility in Quantico, Virginia, news reports and
>sources said.

>The FBI declined to comment on ongoing investigations, and Italian
>authorities would not reveal details about the information or
>equipment seized during the shootout. Pretty Good Privacy

>The software separating the investigators from a potentially
>invaluable mine of information about the shadowy terrorist group,
>which destabilized Italy during the 1970s and 1980s and revived its
>practice of political assassination four years ago after a decade of
>quiescence, was PGP (Pretty Good Privacy), the Rome daily La
>Repubblica reported. So far the system has defied all efforts to
>penetrate it, the paper said.

And they know this is an invaluable mine of information how?

>Palm-top devices can only run PGP if they use the Palm OS or Windows
>CE operating systems, said Phil Zimmermann, who developed the
>encryption software in the early 1990s. Psion uses its own operating
>system known as Epoc, but it might still be possible to use PGP as a
>third party add-on, a spokesperson for the British company said.

Of course it is.

>There is no way that the investigators will succeed in breaking the
>code with the collaboration of the current manufacturers of PGP, the
>Palo Alto, California-based PGP, Zimmermann said in a telephone
>interview.

Well, he would wouldn;t he.

>"Does PGP have a back door? The answer is no, it does not," he said.
>"If the device is running PGP it will not be possible to break it
>with cryptanalysis alone."

And he knows this how? Yes, we all believe it to be true, but obviously do
not know it to be true. Also the investigators would NOT reveal that they
had broken it even if they had. It is far far far too valuable a piece of
info to be revealed simply in order to fish for possible info on the
RedBrigade. Now, we may discover in the next year that somehow the police
have discovered a number of very useful things about the RedBrigade but it
will have nothing to do with this discover of the PDA at all.

>Investigators would need to employ alternative techniques, such as
>looking at the unused area of memory to see if it contained remnants
>of plain text that existed before encryption, Zimmermann said.
>Privacy vs. Security

>The investigators' failure to penetrate the PDA's encryption provides
>a good example of what is at stake in the privacy-versus-security
>debate, which has been given a whole new dimension by the September
>11 terrorist attacks in the U.S.

It demonstrates nothing of the kind.

>Zimmermann remains convinced that the advantages of PGP, which was
>originally developed as a human rights project to protect individuals
>against oppressive governments, outweigh the disadvantages.

>"I'm sorry that cryptology is such a problematic technology, but
>there is nothing we can do that will give this technology to everyone
>without also giving it to the criminals," he said. "PGP is used by
>every human rights organization in the world. It's something that's
>used for good. It saves lives."

>Nazi Germany and Stalin's Soviet Union are examples of governments
>that had killed far more people than all the world's criminals and
>terrorists combined, Zimmermann said. It was probably technically
>impossible, Zimmermann said, to develop a system with a back door
>without running the risk that the key could fall into the hands of a
>Saddam Hussein or a Slobodan Milosevic, the former heads of Iraq and
>Yugoslavia, respectively.

>"A lot of cryptographers wracked their brains in the 1990s trying to
>devise strategies that would make everyone happy and we just couldn't
>come up with a scheme for doing it," he said.

>"I recognize we are having more problems with terrorists now than we
>did a decade ago. Nonetheless the march of surveillance technology is
>giving ever increasing power to governments. We need to have some
>ability for people to try to hide their private lives and get out of
>the way of the video cameras," he said. More Good Than Harm?

>Even in the wake of September 11, Zimmermann retains the view that
>strong cryptography does more good for a democracy than harm. His
>personal website, PhilZimmerman.com, contains letters of appreciation
>from human rights organizations that have been able to defy intrusion
>by oppressive governments in Guatemala and Eastern Europe thanks to
>PGP. One letter describes how the software helped to protect an
>Albanian Muslim woman who faced an attack by Islamic extremists
>because she had converted to Christianity.

>Zimmermann said he had received a letter from a Kosovar man living in
>Scandinavia describing how the software had helped the Kosovo
>Liberation Army (KLA) in its struggle against the Serbs. On one
>occasion, he said, PGP-encrypted communications had helped to
>coordinate the evacuation of 8,000 civilians trapped by the Serbs in
>a Kosovo valley. "That could have turned into another mass grave,"
>Zimmermann said.

>Italian investigators have been particularly frustrated by their
>failure to break into the captured Psions because so little is known
>about the new generation of Red Brigades. Their predecessors left a
>swathe of blood behind them, assassinating politicians, businessmen,
>and security officials and terrorizing the population by
>"knee-capping," or shooting in the legs, perceived opponents. Since
>re-emerging from the shadows in 1999 they have shot dead two
>university professors who advised the government on labor law reform.
>Cracking the Code

>Zimmermann is not optimistic about the investigators' chances of
>success. "The very best encryption available today is out of reach of
>the very best cryptanalytic methods that are known in the academic
>world, and it's likely to continue that way," he said.

>Sources close to the investigation have suggested that they may even
>have to turn to talented hackers for help in breaking into the seized
>devices. One of the magistrates coordinating the inquiry laughed at
>mention of the idea. "I can't say anything about that," he said.

>The technical difficulty in breaking PGP was described by an expert
>witness at a trial in the U.S. District Court in Tacoma, Washington,
>in April 1999. Steven Russelle, a detective with the Portland Police
>Bureau, was asked to explain what he meant when he said it was not
>"computationally feasible" to crack the code. "It means that in terms
>of today's technology and the speed of today's computers, you can't
>put enough computers together to crack a message of the kind that
>we've discussed in any sort of reasonable length of time," he told
>the court.

>Russelle was asked whether he was talking about a couple of years or
>longer. "We're talking about millions of years," he replied.

A real expert!
This is an almost completely vacuous piece. Given the premise, ( A pda
belonging to a RedBrigade member was found containing encryption) any of us
could have written the rest of the article without another scrap of
information or knowledge.

Chris Hills

2005-06-21, 5:47 pm

In article <I1UND7JY38525.1808796296@reece.net.au>, Thrasher Remailer
<thrasher@reece.net.au> writes
>http://www.pcworld.com/resource/pri...d,110841,00.asp
>
>PGP Encryption Proves Powerful
>
>If the police and FBI can't crack the code, is the technology too
>strong?
>
>Philip Willan, IDG News Service Monday, May 26, 2003
>
>ROME -- Italian police have seized at least two Psion personal
>digital assistants from members of the Red Brigades terrorist
>organization. But the major investigative breakthrough they were
>hoping for as a result of the information contained on the devices
>has failed to materialize--thwarted by encryption software used by
>the left-wing revolutionaries.
>
>Failure to crack the code, despite the reported assistance of U.S.
>Federal Bureau of Investigation computer experts, puts a spotlight on
>the controversy over the wide availability of powerful encryption
>tools.

This does not mean that they did not crack the code.

For many reasons the Italians & FBI may not want the criminals to know
it has been cracked.

For many other and many similar reasons the FBI may have cracked the
code and retrieved the data but not want the Italians to know that they
have cracked the code.

There are reasons why the FBI may hay have cracked the code but not want
anyone outside the FBI to know this.

>"Does PGP have a back door? The answer is no, it does not," he said.
>"If the device is running PGP it will not be possible to break it
>with cryptanalysis alone."

In the interests of survival and or national security people will say
anything. His statement may be true or it may not. He may believe his
statement to be correct weather it is would be a different matter.

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
/\/\/ chris@phaedsys.org www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Argyle

2005-06-21, 8:46 pm

On Tue, 21 Jun 2005 23:39:45 +0100, Chris Hills <chris@phaedsys.org> wrote:

>In article <I1UND7JY38525.1808796296@reece.net.au>, Thrasher Remailer
><thrasher@reece.net.au> writes
>
>
>This does not mean that they did not crack the code.
>
>For many reasons the Italians & FBI may not want the criminals to know
>it has been cracked.
>
>For many other and many similar reasons the FBI may have cracked the
>code and retrieved the data but not want the Italians to know that they
>have cracked the code.
>
>There are reasons why the FBI may hay have cracked the code but not want
>anyone outside the FBI to know this.
>
>
>In the interests of survival and or national security people will say
>anything. His statement may be true or it may not. He may believe his
>statement to be correct weather it is would be a different matter.

Interesting thoughts, but not likely. The best and the brightest of the
government employees working in crypto were schooled in it by the best and
the brightest of college professors. MIT and so on.

The scholars have not succeeded in breaking it. What makes you think others
have?

A fortune awaits some professor of crypto if he can break it. Simply not
possible if you have some understanding of math.

Regards,
Argyle

BTW, unfortunately some of our fellows in the world are not so lucky as we
in the US. In the UK, I believe I had read you must turn over the keys to an
encrypted message or face jail. If it was so easy to break, there would not
be a need for such a law.
Regards,
Argyle

Nomen Nescio

2005-06-22, 2:46 am

On Tue, 21 Jun 2005, Argyle <argyle@nospam> wrote:
>On Tue, 21 Jun 2005 23:39:45 +0100, Chris Hills <chris@phaedsys.org> wrote:
>
>
>Interesting thoughts, but not likely. The best and the brightest of the
>government employees working in crypto were schooled in it by the best and
>the brightest of college professors. MIT and so on.
>
>The scholars have not succeeded in breaking it. What makes you think others
>have?
>
>A fortune awaits some professor of crypto if he can break it. Simply not
>possible if you have some understanding of math.
>
>Regards,
>Argyle

And therein lies the trouble. The people who smugly insist "The government
can break your little secret code" have no understanding of the math behind
it at all.

And when you try to explain to them that even with the fastest processors
available today, we are talking on the scale of ***millions of years*** to
brute force a single message, their stupid cow-like eyes glaze over as the
begin remebering the latest "Seinfeld" or "Everybody Loves Raymond"
episode. It's a complete waste of time. The average idiot on the street
may or may not even know what a "prime number" is.

>
>BTW, unfortunately some of our fellows in the world are not so lucky as we
>in the US. In the UK, I believe I had read you must turn over the keys to an
>encrypted message or face jail. If it was so easy to break, there would not
>be a need for such a law.
>Regards,
>Argyle

Argyle

2005-06-22, 2:46 am

On Wed, 22 Jun 2005 04:20:03 +0200 (CEST), Nomen Nescio <nobody@dizum.com>
wrote:

>On Tue, 21 Jun 2005, Argyle <argyle@nospam> wrote:
>
>And therein lies the trouble. The people who smugly insist "The government
>can break your little secret code" have no understanding of the math behind
>it at all.
>
>And when you try to explain to them that even with the fastest processors
>available today, we are talking on the scale of ***millions of years*** to
>brute force a single message, their stupid cow-like eyes glaze over as the
>begin remebering the latest "Seinfeld" or "Everybody Loves Raymond"
>episode. It's a complete waste of time. The average idiot on the street
>may or may not even know what a "prime number" is.
>

I learned what a prime number was back in high school. I have been around
for awhile. I suppose they think PGP is simply a Captain Midnight
encoder/decoder ring that you got with Bosco or a few cereal box tabs. I
remember the plastic silver ring, just not how I got it.

Regards,
Argyle

me qsuser

2005-06-22, 2:46 am

In article <I1UND7JY38525.1808796296@reece.net.au>
Thrasher Remailer <thrasher@reece.net.au> wrote:

**OK, would you like to buy some magic beans??? LOL Boy are you gullible

**

> http://www.pcworld.com/resource/pri...d,110841,00.asp
>
> PGP Encryption Proves Powerful
>
> If the police and FBI can't crack the code, is the technology too
> strong?
>
> Philip Willan, IDG News Service Monday, May 26, 2003
>
> ROME -- Italian police have seized at least two Psion personal
> digital assistants from members of the Red Brigades terrorist
> organization. But the major investigative breakthrough they were
> hoping for as a result of the information contained on the devices
> has failed to materialize--thwarted by encryption software used by
> the left-wing revolutionaries.
>
> Failure to crack the code, despite the reported assistance of U.S.
> Federal Bureau of Investigation computer experts, puts a spotlight on
> the controversy over the wide availability of powerful encryption
> tools.
>
> The Psion devices were seized on March 2 after a shootout on a train
> traveling between Rome and Florence, Italian media and sources close
> to the investigation said. The devices, believed to number two or
> three, were seized from Nadia Desdemona Lioce and her Red Brigades
> comrade Mario Galesi, who was killed in the shootout. An Italian
> police officer was also killed. At least one of the devices contains
> information protected by encryption software and has been sent for
> analysis to the FBI facility in Quantico, Virginia, news reports and
> sources said.
>
> The FBI declined to comment on ongoing investigations, and Italian
> authorities would not reveal details about the information or
> equipment seized during the shootout. Pretty Good Privacy
>
> The software separating the investigators from a potentially
> invaluable mine of information about the shadowy terrorist group,
> which destabilized Italy during the 1970s and 1980s and revived its
> practice of political assassination four years ago after a decade of
> quiescence, was PGP (Pretty Good Privacy), the Rome daily La
> Repubblica reported. So far the system has defied all efforts to
> penetrate it, the paper said.
>
> Palm-top devices can only run PGP if they use the Palm OS or Windows
> CE operating systems, said Phil Zimmermann, who developed the
> encryption software in the early 1990s. Psion uses its own operating
> system known as Epoc, but it might still be possible to use PGP as a
> third party add-on, a spokesperson for the British company said.
>
> There is no way that the investigators will succeed in breaking the
> code with the collaboration of the current manufacturers of PGP, the
> Palo Alto, California-based PGP, Zimmermann said in a telephone
> interview.
>
> "Does PGP have a back door? The answer is no, it does not," he said.
> "If the device is running PGP it will not be possible to break it
> with cryptanalysis alone."
>
> Investigators would need to employ alternative techniques, such as
> looking at the unused area of memory to see if it contained remnants
> of plain text that existed before encryption, Zimmermann said.
> Privacy vs. Security
>
> The investigators' failure to penetrate the PDA's encryption provides
> a good example of what is at stake in the privacy-versus-security
> debate, which has been given a whole new dimension by the September
> 11 terrorist attacks in the U.S.
>
> Zimmermann remains convinced that the advantages of PGP, which was
> originally developed as a human rights project to protect individuals
> against oppressive governments, outweigh the disadvantages.
>
> "I'm sorry that cryptology is such a problematic technology, but
> there is nothing we can do that will give this technology to everyone
> without also giving it to the criminals," he said. "PGP is used by
> every human rights organization in the world. It's something that's
> used for good. It saves lives."
>
> Nazi Germany and Stalin's Soviet Union are examples of governments
> that had killed far more people than all the world's criminals and
> terrorists combined, Zimmermann said. It was probably technically
> impossible, Zimmermann said, to develop a system with a back door
> without running the risk that the key could fall into the hands of a
> Saddam Hussein or a Slobodan Milosevic, the former heads of Iraq and
> Yugoslavia, respectively.
>
> "A lot of cryptographers wracked their brains in the 1990s trying to
> devise strategies that would make everyone happy and we just couldn't
> come up with a scheme for doing it," he said.
>
> "I recognize we are having more problems with terrorists now than we
> did a decade ago. Nonetheless the march of surveillance technology is
> giving ever increasing power to governments. We need to have some
> ability for people to try to hide their private lives and get out of
> the way of the video cameras," he said. More Good Than Harm?
>
> Even in the wake of September 11, Zimmermann retains the view that
> strong cryptography does more good for a democracy than harm. His
> personal website, PhilZimmerman.com, contains letters of appreciation
> from human rights organizations that have been able to defy intrusion
> by oppressive governments in Guatemala and Eastern Europe thanks to
> PGP. One letter describes how the software helped to protect an
> Albanian Muslim woman who faced an attack by Islamic extremists
> because she had converted to Christianity.
>
> Zimmermann said he had received a letter from a Kosovar man living in
> Scandinavia describing how the software had helped the Kosovo
> Liberation Army (KLA) in its struggle against the Serbs. On one
> occasion, he said, PGP-encrypted communications had helped to
> coordinate the evacuation of 8,000 civilians trapped by the Serbs in
> a Kosovo valley. "That could have turned into another mass grave,"
> Zimmermann said.
>
> Italian investigators have been particularly frustrated by their
> failure to break into the captured Psions because so little is known
> about the new generation of Red Brigades. Their predecessors left a
> swathe of blood behind them, assassinating politicians, businessmen,
> and security officials and terrorizing the population by
> "knee-capping," or shooting in the legs, perceived opponents. Since
> re-emerging from the shadows in 1999 they have shot dead two
> university professors who advised the government on labor law reform.
> Cracking the Code
>
> Zimmermann is not optimistic about the investigators' chances of
> success. "The very best encryption available today is out of reach of
> the very best cryptanalytic methods that are known in the academic
> world, and it's likely to continue that way," he said.
>
> Sources close to the investigation have suggested that they may even
> have to turn to talented hackers for help in breaking into the seized
> devices. One of the magistrates coordinating the inquiry laughed at
> mention of the idea. "I can't say anything about that," he said.
>
> The technical difficulty in breaking PGP was described by an expert
> witness at a trial in the U.S. District Court in Tacoma, Washington,
> in April 1999. Steven Russelle, a detective with the Portland Police
> Bureau, was asked to explain what he meant when he said it was not
> "computationally feasible" to crack the code. "It means that in terms
> of today's technology and the speed of today's computers, you can't
> put enough computers together to crack a message of the kind that
> we've discussed in any sort of reasonable length of time," he told
> the court.
>
> Russelle was asked whether he was talking about a couple of years or
> longer. "We're talking about millions of years," he replied.

me qsuser

2005-06-22, 2:46 am

In article <I1UND7JY38525.1808796296@reece.net.au>
Thrasher Remailer <thrasher@reece.net.au> wrote:

**OK, would you like to buy some magic beans??? LOL Boy are you gullible

Mxsmanic

2005-06-22, 2:46 am

Unruh writes:

> And he knows this how? Yes, we all believe it to be true, but obviously do
> not know it to be true.

If the world's best cryptanalysts have not cracked it, it's unlikely
that an unskilled police investigator will magically stumble upon a
successful crack.

> Also the investigators would NOT reveal that they had broken it
> even if they had. It is far far far too valuable a piece of
> info to be revealed simply in order to fish for possible info on the
> RedBrigade.

Police investigators would, because the above would not occur to them.
Additionally, they wouldn't be able to use information obtained by
cracking the encryption in court without revealing that they had cracked
the encryption, and I can't imagine them letting convictions slip away
just to protect some greater objective.

> Now, we may discover in the next year that somehow the police
> have discovered a number of very useful things about the RedBrigade but it
> will have nothing to do with this discover of the PDA at all.

They haven't cracked it, so that won't happen (assuming the encrypted
information would have even helped them in the first place).

> It demonstrates nothing of the kind.

It is strong evidence. Of course, if you have a crack for the
algorithms used, nothing prevents you from publishing it.

> A real expert!
> This is an almost completely vacuous piece. Given the premise, ( A pda
> belonging to a RedBrigade member was found containing encryption) any of us
> could have written the rest of the article without another scrap of
> information or knowledge.

That's because the article was _about_ encrypted information found on a
Red Brigade PDA. It was not a treatise on cryptography.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 2:46 am

Chris Hills writes:

> This does not mean that they did not crack the code.

True, but they didn't. They may have gotten past the encryption in
other ways, however.

> There are reasons why the FBI may hay have cracked the code but not want
> anyone outside the FBI to know this.

There are many more reasons why the FBI would not have cracked the code
to begin with. The algorithms are the strongest part of PGP, so
logically those are the last things that anyone would attack.

> In the interests of survival and or national security people will say
> anything. His statement may be true or it may not. He may believe his
> statement to be correct weather it is would be a different matter.

The source is available. Does anyone ever look at it?

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Simon H. Garlick

2005-06-22, 2:46 am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 21 Jun 2005 20:20:28 -0000, in alt.security.pgp Thrasher Remailer
<thrasher@reece.net.au> wrote:

>http://www.pcworld.com/resource/pri...d,110841,00.asp
>

Didn't we go over the points in this article when it was published? That is
to say, over two years ago?

shg

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQrj8s5Wn2pPDur23EQKCfgCg4Fsi32u/tcfbzK5ktSOtTO26fmoAoJLa
OtZtJBIQOYiiV7+FJsdYX91k
=p6v5
-----END PGP SIGNATURE-----

Juergen Nieveler

2005-06-22, 2:46 am

Mxsmanic <mxsmanic@gmail.com> wrote:

> If the world's best cryptanalysts have not cracked it, it's unlikely
> that an unskilled police investigator will magically stumble upon a
> successful crack.

Ah, but you can't proof it. All you know is that they SAID they
couldn't crack it - so either they couldn't, or the information gained
was considered not important enough to disclose the fact that PGP is
broken.

It's impossible to proof one or the other based on the information
given.

>
> Police investigators would, because the above would not occur to them.
> Additionally, they wouldn't be able to use information obtained by
> cracking the encryption in court without revealing that they had
> cracked the encryption, and I can't imagine them letting convictions
> slip away just to protect some greater objective.

Do you really believe the FBI would care enough about a few Red-Brigade-
members? Let alone the NSA, who would probably be asked to do the
actual cracking...

Juergen Nieveler
--
Computer, we need to have a little talk

Juergen Nieveler

2005-06-22, 2:46 am

Argyle <argyle@nospam> wrote:

> Interesting thoughts, but not likely. The best and the brightest of
> the government employees working in crypto were schooled in it by the
> best and the brightest of college professors. MIT and so on.
>
> The scholars have not succeeded in breaking it. What makes you think
> others have?

The NSA is generally reputed to have a much better maths department
than all US universities combined...

Juergen Nieveler
--
Computer, we need to have a little talk

Juergen Nieveler

2005-06-22, 2:46 am

Mxsmanic <mxsmanic@gmail.com> wrote:

>
> The source is available. Does anyone ever look at it?

The source code is meaningless if the cipher itself was broken. If the
NSA has come up with a way to factorise primes a lot faster than anybody
else, they could break PGP even though there is no backdoor.

However, if they did they wouldn't announce it...

Juergen Nieveler
--
?pu gnikcab yb naem uoy tahw siht sI

Johan Wevers

2005-06-22, 2:46 am

Thrasher Remailer <thrasher@reece.net.au> wrote:

>Investigators would need to employ alternative techniques, such as
>looking at the unused area of memory to see if it contained remnants
>of plain text that existed before encryption, Zimmermann said.

Oh, I don't see much problems for the police. They do have one prisoner
according to the newspaper. Then it's easy: let the US invent some fake
charge against her, extradict her, and the US will torture the information
out of her. Looks like an opportunity to keep Lindy England in shape.
With the current hysteria on terrorism perhaps even European governments
will act this way.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Chris Hills

2005-06-22, 7:46 am

In article <5tphb1d08uqs5s3dhru4hfv2n2mgk9hu64@4ax.com>, Mxsmanic
<mxsmanic@gmail.com> writes
>Unruh writes:
>
>
>If the world's best cryptanalysts have not cracked it,

You have no evidence for this. The intelligence services are into
deception and counter deception. They are not going to tell you if they
ahve cracked it. They will lie to anyone about it.

>it's unlikely
>that an unskilled police investigator will magically stumble upon a
>successful crack.

Unlikely but possible stranger things have happened. People win
lottery's at 20 million to one. You even get multiple people winning
lotteries at 20 million to 1 so it does happen

>
>
>Police investigators would, because the above would not occur to them.

Not so. As soon as organised crime or terrorism gets involved the
ordinary Police usually get side lined and the specialists take over.

>Additionally, they wouldn't be able to use information obtained by
>cracking the encryption in court without revealing that they had cracked
>the encryption, and I can't imagine them letting convictions slip away
>just to protect some greater objective.
>
>

Quite possibly.... but of course they will be completely unconnected :-)

>They haven't cracked it

You have absolutely no evidence for that. When the UK cracked Enigma in
WWII the let cities get bombed and ships sunk rather than let it be
known that they had cracked the code.

>, so that won't happen (assuming the encrypted
>information would have even helped them in the first place).

All information is equally useful. Either as a positive or a negative.
In some cases simply helping to build up a picture. the information in
the PDA may be meaningless in this investigation but supply a piece
somewhere else. EG a meeting with Fred in Paris last year, Now you know
Fred wasn't in New York and is not a suspect in XYZ so it was Bill.....

>
>It is strong evidence. Of course, if you have a crack for the
>algorithms used, nothing prevents you from publishing it.

How naive....

>
>That's because the article was _about_ encrypted information found on a
>Red Brigade PDA. It was not a treatise on cryptography.
>

True. Also you don't know that they actually have the PDA....
the PDA could have need damaged/destroyed etc and thay are just trying
to spook the Red Brigade who will not be certain that they encryption
has not been cracked by the NSA because they Never Say Anything :-)

Bluff and counter bluff.

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
/\/\/ chris@phaedsys.org www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Chris Hills

2005-06-22, 7:46 am

In article < Xns967D56B712F35juergennieveler@nieveler
.org>, Juergen
Nieveler <juergen.nieveler.nospam@arcor.de> writes
>Mxsmanic <mxsmanic@gmail.com> wrote:
>
>
>Ah, but you can't proof it. All you know is that they SAID they
>couldn't crack it - so either they couldn't, or the information gained
>was considered not important enough to disclose the fact that PGP is
>broken.

or THAT important that they don't want to let on. In case they find more
PDA's

>It's impossible to proof one or the other based on the information
>given.

I agree.
>
>Do you really believe the FBI would care enough about a few Red-Brigade-
>members? Let alone the NSA, who would probably be asked to do the
>actual cracking...

I believe the FBI care a caring sharing organisation that holds every
life sacred and upholds the law in every case :-)

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
/\/\/ chris@phaedsys.org www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Bluejay

2005-06-22, 7:46 am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>On Tue, 21 Jun 2005 19:57:02 -0400, Argyle <argyle@nospam> wrote:

>Interesting thoughts, but not likely. The best and the brightest of
>the government employees working in crypto were schooled in it by
>the best and the brightest of college professors. MIT and so on.
>
>The scholars have not succeeded in breaking it. What makes you think
> others have?
>
>A fortune awaits some professor of crypto if he can break it. Simply
> not possible if you have some understanding of math.
>
>Regards, Argyle
>

Oh, for krissakes quit trying to make sense. That ain't what
use(less)net is for, especially in in apa-s. :o)

- --
Bluejay at Cotse dot Net

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQrlC8eFjVI9fbU4iEQKb/QCfQH57Wb9OH5AfMz1/1WTUYkiaMZgAnA0Y
purHKCEblPdAq97clWR9sOti
=eEJ7
-----END PGP SIGNATURE-----

A QuickSilver Tutorial
https://www.cotse.net/users/bluejay...ilver/menu.html

The eelbash/cheshire/bogg/asmodeous/parsifal Chronicles
http://www.cotse.net/users/bluejay/...claration2.html

PGP Key is here:
http://www.cotse.net/users/bluejay/...ey-11-18-04.txt

Chris Hills

2005-06-22, 7:46 am

In article <c5qhb1tpjcmvn0ed1bu6udu3qjhlpjlej8@4ax.com>, Mxsmanic
<mxsmanic@gmail.com> writes
>Chris Hills writes:
>
>
>True, but they didn't.

You have no idea if that is correct. (though it is probably right)

> They may have gotten past the encryption in
>other ways, however.

True.

>
>
>There are many more reasons why the FBI would not have cracked the code
>to begin with. The algorithms are the strongest part of PGP, so
>logically those are the last things that anyone would attack.

Maybe. You have no idea what other information was on the PDA

>
>
>The source is available. Does anyone ever look at it?
>

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
/\/\/ chris@phaedsys.org www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Johan Wevers

2005-06-22, 5:47 pm

Argyle <argyle@nospam> wrote:

>BTW, unfortunately some of our fellows in the world are not so lucky as we
>in the US. In the UK, I believe I had read you must turn over the keys to an
>encrypted message or face jail. If it was so easy to break, there would not
>be a need for such a law.

However, if the PDA would contain proof of serious crime, they would
probably still not do it. This law only harms the small criminals, not
the big ones.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Unruh

2005-06-22, 5:47 pm

Argyle <argyle@nospam> writes:

>Interesting thoughts, but not likely. The best and the brightest of the
>government employees working in crypto were schooled in it by the best and
>the brightest of college professors. MIT and so on.

>The scholars have not succeeded in breaking it. What makes you think others
>have?

Because that is their job, while college profs only work on it part time
(teaching, other research, etc) The number of people who full time try to
break say rsa in the outside world is very small.

>A fortune awaits some professor of crypto if he can break it. Simply not
>possible if you have some understanding of math.

What fortune? the only way he gets a fortune is by selling the idea to the
Mafia say, and then he will also want to keep it secret.
Fame in teh math and crypto community, maybe, but not fortune.
And if you have some understanding of math, you know that whether RSA is
breakable is unknown, as is factoring in poly time ( and that they are not
equivalent).

>Regards,
>Argyle

>BTW, unfortunately some of our fellows in the world are not so lucky as we
>in the US. In the UK, I believe I had read you must turn over the keys to an
>encrypted message or face jail. If it was so easy to break, there would not
>be a need for such a law.

Sure there would. That law is about control and power, not breaking codes.

Unruh

2005-06-22, 5:47 pm

Nomen Nescio <nobody@dizum.com> writes:

>And therein lies the trouble. The people who smugly insist "The government
>can break your little secret code" have no understanding of the math behind
>it at all.

As do people who post on alt.security.pgp

>And when you try to explain to them that even with the fastest processors
>available today, we are talking on the scale of ***millions of years*** to
>brute force a single message, their stupid cow-like eyes glaze over as the
>begin remebering the latest "Seinfeld" or "Everybody Loves Raymond"
>episode. It's a complete waste of time. The average idiot on the street
>may or may not even know what a "prime number" is.

Why anyone would try to brute force it is beyond me. Factoring is far far
easier than brute forcing for example (not easy enough but far easier than
brute forcing).

I personally do not believe that say RSA has been broken, but that has
nothing to do with the "math" behind it and certainly nothing to do with
the difficulty of brute force attacks.
A 256 bit RSA key is easily breakable. A brute force attack on it is as
difficult as brute forcing a 256 bit AES key, which is far beyond anyone's
ability, and yet 256 bit RSA is very very weak. Why? Because there exist
highly efficient factoring algorithms.

[vbcol=seagreen]

Unruh

2005-06-22, 5:47 pm

Mxsmanic <mxsmanic@gmail.com> writes:

>Chris Hills writes:

[vbcol=seagreen]
>True, but they didn't. They may have gotten past the encryption in
>other ways, however.

You know they didn't how? You have inside information perhaps?
I suspect strongly that PGP has not been broken. But also know that my
suspicions are not worth much in the grand scheme of things.

[vbcol=seagreen]
>There are many more reasons why the FBI would not have cracked the code
>to begin with. The algorithms are the strongest part of PGP, so
>logically those are the last things that anyone would attack.

This we suspect, but do not know.

For example if they used 256 bit RSA key, then breaking the code is far
easier than any of the other options and is a sure thing.

[vbcol=seagreen]
>The source is available. Does anyone ever look at it?

What has that to do with anything?

Unruh

2005-06-22, 5:47 pm

Chris Hills <chris@phaedsys.org> writes:

>In article <5tphb1d08uqs5s3dhru4hfv2n2mgk9hu64@4ax.com>, Mxsmanic
><mxsmanic@gmail.com> writes
[vbcol=seagreen]
>You have no evidence for this. The intelligence services are into
>deception and counter deception. They are not going to tell you if they
>ahve cracked it. They will lie to anyone about it.

[vbcol=seagreen]
>Unlikely but possible stranger things have happened. People win
>lottery's at 20 million to one. You even get multiple people winning
>lotteries at 20 million to 1 so it does happen

When 20million play then the odds of someone winning become very large.

[vbcol=seagreen]
>Not so. As soon as organised crime or terrorism gets involved the
>ordinary Police usually get side lined and the specialists take over.

[vbcol=seagreen]
>Quite possibly.... but of course they will be completely unconnected :-)

Of course.

Sniper .308

2005-06-22, 5:47 pm

On 22 Jun 2005 14:55:30 GMT, Unruh <unruh-spam@physics.ubc.ca> wrote:

[vbcol=seagreen]

Except with 256 bit encryption it is more like 1 in 1.16^77 or

1 in 115,792,089,237,316,000,000,000,000,000
,000,000,000,000,000,000,000,000,000,000
,000
,000,000,000,000,000

if you want cut it in half and it is still 1 in 5.79^76

1 in 57,896,044,618,658,100,000,000,000,000
,000,000,000,000,000,000,000,000,000,000
,000
,000,000,000,000,000.

Divide the first number by 20 million you still get

1 in 5,789,604,461,865,810,000,000,000,000
,000,000,000,000,000,000,000,000,000,000
,000
,000,000,000

I like those odds

Neil W Rickert

2005-06-22, 5:47 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Unruh <unruh-spam@physics.ubc.ca> writes:
>Argyle <argyle@nospam> writes:

[vbcol=seagreen]
[vbcol=seagreen]
>Because that is their job, while college profs only work on it part time
>(teaching, other research, etc) The number of people who full time try to
>break say rsa in the outside world is very small.

That's a bit too simple. Breaking RSA is equivalent to a solving a
factoring problem. Factoring is of mathematical interest in its own
right, independent of its use in cryptography. There are more number
theorists than there are cryptographers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SunOS)

iD8DBQFCuZ6SvmGe70vHPUMRAkVCAKCoFZg/s1cc30iwJ7/TJEYGn9+cfACeJ/BV
Rt34TPkxeK+AkREpCHNKzqI=
=0erO
-----END PGP SIGNATURE-----

Mxsmanic

2005-06-22, 5:47 pm

Juergen Nieveler writes:

> Ah, but you can't proof it.

No need. There are other, far greater risks to security. Cracking an
algorithm is extraordinarily unlikely, and in fact is near the bottom of
the list of things to worry about. There's no point in thinking about
it until you've eliminated all the much larger risks that make cracking
the algorithm unnecessary.

> Do you really believe the FBI would care enough about a few Red-Brigade-
> members?

I don't know.

> Let alone the NSA, who would probably be asked to do the actual cracking...

I'm not sure the NSA would do it, even if it could. If I were the NSA,
I wouldn't trust the FBI with the information that an algorithm had been
cracked, since FBI employees are far more likely to breach security than
NSA employees. FBI people are cops, NSA people are introverted geeks.
The former invariably find it harder to keep their lips sealed than the
latter.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 5:47 pm

Chris Hills writes:

> You have no evidence for this.

That's why I said "if"; you can't prove a negative.

However, I'm not worried. The cryptographic algorithms used today are
by far the _least_ vulnerable aspects of practical cryptographic
applications. It's a lot easier to look for and exploit implementation
weaknesses, which are bound to exist.

> The intelligence services are into
> deception and counter deception. They are not going to tell you if they
> ahve cracked it. They will lie to anyone about it.

Maybe, but since they haven't cracked it, it doesn't matter.

> Unlikely but possible stranger things have happened.

In the world of security, you have to keep probabilities in perspective.
Just because cryptographic algorithms are fun doesn't mean that it's
wise to dedicate all your time and effort to making them secure. A weak
implementation of the algorithm and it won't matter how unbreakable the
algorithm itself might be. The NSA knows this, but apparently most
other people do not.

> People win
> lottery's at 20 million to one. You even get multiple people winning
> lotteries at 20 million to 1 so it does happen

Lots of things happen. But if you worry about the most unlikely
scenarios, you're an easy target for the bad guys.

> Not so. As soon as organised crime or terrorism gets involved the
> ordinary Police usually get side lined and the specialists take over.

The extraordinary police aren't much better, when it comes to
cryptography. They invariably think in terms of physical,
cops-n-robbers scenarios, and they are bored by mathematics and theory.

> You have absolutely no evidence for that.

Prove me wrong.

> When the UK cracked Enigma in WWII the let cities get bombed and
> ships sunk rather than let it be known that they had cracked the code.

Which is functionally identical to not having cracked the code, so it
didn't matter that they had cracked it.

If a Mafia wiseguy does something with encryption and some spooks crack
the code but do not use the knowledge they gain to convict the bad guy
because they don't want to reveal that they cracked the code, then the
result for the wiseguy is exactly the same as it would be if they had
never cracked it: he remains secure and safe.

> All information is equally useful.

Not necessarily. Some information is irrelevant.

> In some cases simply helping to build up a picture. the information in
> the PDA may be meaningless in this investigation but supply a piece
> somewhere else. EG a meeting with Fred in Paris last year, Now you know
> Fred wasn't in New York and is not a suspect in XYZ so it was Bill.....

Much of the most useful information in the PDA isn't going to be
encrypted, anyway.

> How naive....

As I've said, if you have a crack, publish it.

I say no crack exists. Prove me wrong. A single example would suffice.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 5:47 pm

Unruh writes:

> When 20million play then the odds of someone winning become very large.

There's only one NSA.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 5:47 pm

Juergen Nieveler writes:

> The NSA is generally reputed to have a much better maths department
> than all US universities combined...

That has never been completely true, although they do have a great bunch
of mathematicians. It is less true now than it has been in the past,
also. As far as cryptography goes, with cryptologic research now much
more out in the open and much more widely practiced, the NSA's advantage
has dramatically diminished. They have computer horsepower, but they
don't necessarily have the best minds. Their total math brainpower is
probably better than any one _single_ institution in the world, but it
is not better than _all_ of them combined.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 5:47 pm

Juergen Nieveler writes:

> The source code is meaningless if the cipher itself was broken.

The cipher doesn't matter if the source code is broken.

And source code is almost always broken, whereas ciphers typically are
not.

> If the
> NSA has come up with a way to factorise primes a lot faster than anybody
> else, they could break PGP even though there is no backdoor.

Yes, but they haven't done that. They have, however, found
implementation flaws in all sorts of things, and that allows them to
achieve the same results as cracking a cipher would, in many cases.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 5:47 pm

Chris Hills writes:

> You have no idea if that is correct.

If you say so.

> Maybe. You have no idea what other information was on the PDA

That doesn't matter. I'm talking about implementations.

You know, all you need is a weakness in your key generation algorithm,
and even the strongest cipher becomes useless. While the cypherdolts
are salivating over ciphers, people like the NSA are looking for (and
finding) weaknesses just about everywhere else.

Like I said, has _anyone_ carefully audited the source code to _any_
version of PGP?

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 5:47 pm

Unruh writes:

> For example if they used 256 bit RSA key, then breaking the code is far
> easier than any of the other options and is a sure thing.

I doubt that they would use 256-bit RSA. It's not the default for PGP,
and if they were sophisticated they'd raise it to the maximum allowable.

> What has that to do with anything?

Everything. I can see the NSA smiling from here.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Paul Rubin

2005-06-22, 5:47 pm

Mxsmanic <mxsmanic@gmail.com> writes:
> Like I said, has _anyone_ carefully audited the source code to _any_
> version of PGP?

Yes.

George Orwell

2005-06-22, 5:47 pm

On Tue, 21 Jun 2005, johanw@vulcan.xs4all.nl (Johan Wevers) wrote:

>Oh, I don't see much problems for the police. They do have one prisoner
>according to the newspaper. Then it's easy: let the US invent some fake
>charge against her, extradict her, and the US will torture the information
>out of her. Looks like an opportunity to keep Lindy England in shape.
>With the current hysteria on terrorism perhaps even European governments
>will act this way.

Oh, yeah, I remember you. You're that ignorant America hater who thinks he
is OHHHH so smart, yet believes the most ridiculous things, as long as
they're bad, and about America.

You're just jealous because your country is some neutral little Northern
European ice-sheet, far too pussy to defend itself against anything at all,
yet still has a place in military history for giving us the word
"quisling".

Look it up, and hang your head in shame.

Fuzzy Logic

2005-06-22, 5:47 pm

Thrasher Remailer <thrasher@reece.net.au> wrote in
news:I1UND7JY38525.1808796296@reece.net.au:

> PGP Encryption Proves Powerful
>
> If the police and FBI can't crack the code, is the technology too
> strong?

If you're in Minnesota you may not want to use encryption:

The case, although never put before a jury, could establish the precendent
that the use of an encryption programme might be admitted as evidence of
criminal intent, as least in Minnesota. The attitude seems to be "if you
have nothing to hide why do you need secrecy tools".

Source:

<http://www.theregister.co.uk/2005/0...ild_abuse_case/>

Nomen Nescio

2005-06-22, 5:47 pm

On Wed, 22 Jun 2005, Mxsmanic <mxsmanic@gmail.com> wrote:
>Juergen Nieveler writes:
>
>
>That has never been completely true, although they do have a great bunch
>of mathematicians. It is less true now than it has been in the past,
>also. As far as cryptography goes, with cryptologic research now much
>more out in the open and much more widely practiced, the NSA's advantage
>has dramatically diminished. They have computer horsepower, but they
>don't necessarily have the best minds. Their total math brainpower is
>probably better than any one _single_ institution in the world, but it
>is not better than _all_ of them combined.
>

How dare you not believe our carefully constructed story?!?!? Didn't you
know the NSA can break any secret code in existence in only 15 minutes?
That we have quantum computers and prime number sieves and some other stuff
that only the government has.

Don't you know the FBI has a database of everything you have ever
purchased? That they just collect the DNA off of the pennies you handle,
and that the have a database of your DNA, too? ANd our joint FBI/NSA/CIA
satellites can read your thoughts from orbit, so that if you even think of
your passphrase, we'll snatch it right out of your head?

Please stay where you are. As soon as we get a fix on your position, we'll
be right over. If we can get the damn Buick started.

Anonymous

2005-06-22, 5:47 pm

On Wed, 22 Jun 2005, Fuzzy Logic <bob@arc.ab.caREMOVETHIS> wrote:
>Thrasher Remailer <thrasher@reece.net.au> wrote in
>news:I1UND7JY38525.1808796296@reece.net.au:
>
>
>If you're in Minnesota you may not want to use encryption:
>
>The case, although never put before a jury, could establish the precendent
>that the use of an encryption programme might be admitted as evidence of
>criminal intent, as least in Minnesota. The attitude seems to be "if you
>have nothing to hide why do you need secrecy tools".
>
>Source:
>
><http://www.theregister.co.uk/2005/0...ild_abuse_case/>

This attitude will not survive past the lower courts. Minnesota (and
Wisconsin) are both liberal strongholds, where squishy feel-good (what they
call)"common sense" thinking like "if you have nothing to hide why do you
need secrecy tools" and "The ends justify the means" and other softheaded
thinking is the norm among both the sheeple and their elected mushheads.

Anonymity and privacy have already been upheld and supported at the Federal
level

-=-
This message was sent via two or more anonymous remailing services.

nemo_outis

2005-06-22, 5:47 pm

Mxsmanic <mxsmanic@gmail.com> wrote in
news:g09jb1tl9222uea9bsddgkg188uevkess3@
4ax.com:

> Chris Hills writes:
>
>
> If you say so.
>
>
> That doesn't matter. I'm talking about implementations.
>
> You know, all you need is a weakness in your key generation algorithm,
> and even the strongest cipher becomes useless. While the cypherdolts
> are salivating over ciphers, people like the NSA are looking for (and
> finding) weaknesses just about everywhere else.
>
> Like I said, has _anyone_ carefully audited the source code to _any_
> version of PGP?
>

You raise a valid point. And it's a point on which some theoretical
results are available (from Ross Anderson, no less). He opines that for a
number of scenarios (not too contrived ones :-) the security of open-
source code is no better than closed-source code. See, for instance:

Security in Open versus Closed Systems
The Dance of Boltzmann, Coase and Moore
http://www.ftp.cl.cam.ac.uk/ftp/use...14/toulouse.pdf

or

Open and Closed Systems are Equivalent
(that is, in an ideal world)
http://www.ftp.cl.cam.ac.uk/ftp/use...oulousebook.pdf

Regards,

Jeff P

2005-06-22, 5:47 pm

"Fuzzy Logic" <bob@arc.ab.caREMOVETHIS> wrote in message
news:Xns967D7E870E989bobarcabca@198.161.157.145...
> Thrasher Remailer <thrasher@reece.net.au> wrote in
> news:I1UND7JY38525.1808796296@reece.net.au:
>
>
> If you're in Minnesota you may not want to use encryption:
>
> The case, although never put before a jury, could establish the precendent
> that the use of an encryption programme might be admitted as evidence of
> criminal intent, as least in Minnesota. The attitude seems to be "if you
> have nothing to hide why do you need secrecy tools".
>
> Source:
>
> <http://www.theregister.co.uk/2005/0...ild_abuse_case/>

I have an idea. Why not make encryption system such that it would be capable
of encoding two different data sources into the same encrypted message, and
decrypting one of the two depending two altering pass phrases. Just provide
the program with a bunch of copies of unimportant files from your computer.

That way when someone finds the encrypted documents and accuses you of
having something to hide, you can gladly offer to decrypt them for them.
When they find that it is all just a bunch of worthless unimportant crap
that is decrypted, they may tend to believe more so that you don't have
anything to hide. Meanwhile you could actually have something worth hiding
woven into the very same encrypted message that simply doesn't get decrypted
with the rest of it unless you use a second level pass phrase.

-Jeff

Unruh

2005-06-22, 5:47 pm

Neil W Rickert <rickert+nn@cs.niu.edu> writes:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1

>Unruh <unruh-spam@physics.ubc.ca> writes:
[vbcol=seagreen]
[vbcol=seagreen]
[vbcol=seagreen]
[vbcol=seagreen]
>That's a bit too simple. Breaking RSA is equivalent to a solving a
>factoring problem. Factoring is of mathematical interest in its own
>right, independent of its use in cryptography. There are more number
>theorists than there are cryptographers.

No. breaking RSA is not known to be equivalent to a factoring problem. It
may be possible that one can break rsa in some other way. Certainly if you
can factor than you can break rsa. But it is not known if you break rsa
then you can factor.

There may be more number theorists than cryptographers, but a) NSA employs
a number of these and b) most academic number theorists do not work on
factoring.

Unruh

2005-06-22, 5:47 pm

Mxsmanic <mxsmanic@gmail.com> writes:

>Chris Hills writes:

[vbcol=seagreen]
>That's why I said "if"; you can't prove a negative.
^^^^

>However, I'm not worried. The cryptographic algorithms used today are
>by far the _least_ vulnerable aspects of practical cryptographic
>applications. It's a lot easier to look for and exploit implementation
>weaknesses, which are bound to exist.

[vbcol=seagreen]
>Maybe, but since they haven't cracked it, it doesn't matter.

I am looking for the "if" in this sentence, but I cannot find it.

.....
[vbcol=seagreen]
>Which is functionally identical to not having cracked the code, so it
>didn't matter that they had cracked it.

No, it is not. At other times they used the information.

>If a Mafia wiseguy does something with encryption and some spooks crack
>the code but do not use the knowledge they gain to convict the bad guy
>because they don't want to reveal that they cracked the code, then the
>result for the wiseguy is exactly the same as it would be if they had
>never cracked it: he remains secure and safe.

No, because once you know the information it can often be easy to find
other sources for that same information. The police just happen to be
located where the next crime is to be committed.

[vbcol=seagreen]
>As I've said, if you have a crack, publish it.

>I say no crack exists. Prove me wrong. A single example would suffice.

No, it is you that are making the overblown claims. As such it is up to you
to justify those claims. You state categorically that no crack exists.
Prove that.

Unruh

2005-06-22, 5:47 pm

Mxsmanic <mxsmanic@gmail.com> writes:

>Unruh writes:

[vbcol=seagreen]
>I doubt that they would use 256-bit RSA. It's not the default for PGP,
>and if they were sophisticated they'd raise it to the maximum allowable.

So do I believe they use a stronger key. YOur claim is that it is always
better to use other techniques than breaking the cypher. I am pointing out
that that claim is wrong. IF breaking the cypher is easy, then that is the
prefered way of getting the information. If breaking the cypher is very
hard and expensive, then other ways may be preferable.

256 bit RSA is in the former category. 1024 bit rsa may well be in the
second.

Unruh

2005-06-22, 5:47 pm

George Orwell <nobody@mixmaster.it> writes:

>On Tue, 21 Jun 2005, johanw@vulcan.xs4all.nl (Johan Wevers) wrote:

[vbcol=seagreen]
>Oh, yeah, I remember you. You're that ignorant America hater who thinks he
>is OHHHH so smart, yet believes the most ridiculous things, as long as
>they're bad, and about America.

NOte that it has been proven in a court that the USA agents carry out torture.
Whether or not that was an abberation or was policy is not proven, although
there are suspicious circumstances including legal opinions stating that
torture is OK.

>You're just jealous because your country is some neutral little Northern
>European ice-sheet, far too pussy to defend itself against anything at all,
>yet still has a place in military history for giving us the word
>"quisling".

To stand alongside a Benedict Arnold.

Note that that was a war that the USA refused to fight in, and would have
stayed out of if the Japan-Germany treaty had not been there.

>Look it up, and hang your head in shame.

Yes?

Unruh

2005-06-22, 5:47 pm

Fuzzy Logic <bob@arc.ab.caREMOVETHIS> writes:

>Thrasher Remailer <thrasher@reece.net.au> wrote in
>news:I1UND7JY38525.1808796296@reece.net.au:

[vbcol=seagreen]
>If you're in Minnesota you may not want to use encryption:

>The case, although never put before a jury, could establish the precendent
>that the use of an encryption programme might be admitted as evidence of

No, not the use. There had never been any evidence of use. The mere
possession of the program was enough.

>criminal intent, as least in Minnesota. The attitude seems to be "if you
>have nothing to hide why do you need secrecy tools".

>Source:

><http://www.theregister.co.uk/2005/0...ild_abuse_case/>

Unruh

2005-06-22, 5:47 pm

"nemo_outis" <abc@xyz.com> writes:

>Mxsmanic <mxsmanic@gmail.com> wrote in
> news:g09jb1tl9222uea9bsddgkg188uevkess3@
4ax.com:

[vbcol=seagreen]
>You raise a valid point. And it's a point on which some theoretical
>results are available (from Ross Anderson, no less). He opines that for a
>number of scenarios (not too contrived ones :-) the security of open-
>source code is no better than closed-source code. See, for instance:

>Security in Open versus Closed Systems
>The Dance of Boltzmann, Coase and Moore
>http://www.ftp.cl.cam.ac.uk/ftp/use...14/toulouse.pdf

Well, I would say that the first part of that paper is a pretty shakey one.
Ie, the model he has of the discovery process and of the behaviour of
closed vs Open Source testers is pretty naive. It is interesting, but not
much more than that.

>or

>Open and Closed Systems are Equivalent
>(that is, in an ideal world)
>http://www.ftp.cl.cam.ac.uk/ftp/use...oulousebook.pdf

>Regards,

Argyle

2005-06-22, 8:46 pm

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 22 Jun 2005 06:53:09 -0400 (EDT), "Bluejay"
<bluejay-no-spam@cotse.net.invalid> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>
>Oh, for krissakes quit trying to make sense. That ain't what
>use(less)net is for, especially in in apa-s. :o)

Sorry, you are right. Don't know what came over me.

There is life on the moon, we just have not discovered it yet. Mars, of
course yes, despite the critics, I saw my favorite Martian on TV.

I love speculation, nothing but opions. No facts or proof, just opinions.

I speculate there are tin soldiers walking around on the rings of Saturn.
They are so small we haven't seen them yet. But I'll bet the NSA has seen
them, they are keeping it covered up. They have more resources than we.

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt

iQEVAwUBQrn7OSIiyMNoHRmfAQEBAgf+KtJNfhQL
1FjHQILnnr8oO2I2rw6ZDrRt
SzDj1HNKhPgIS1q2v+brxkGmnZURm6b8JKkx6hk/5Nrb9ymo2KRjs7RAB0qWeo0d
6xo6pxV5upkNKVCED6Hy8nBcgYz3Cpmv1rO8RsZ/VLpej9w5+hylW5+E4RybViMf
3BwuFgpl1gXE9ELf5R5OW0qxAXlvjoTMlWtmjQ04
wlOcdJEqj2hpa3UmMbnXgFJK
yDne59TWhUe86eEqTTr8SxVB/HbPyqGNv0RAHPT/FgI+ZvQRkCeEdA9g5qkiJLgc
uyoQeDFMReumWXwlIn3bv9hK0lDCGG+4r4rrw0W0
OWpWeQ3u6XZ/UQ==
=emO6
-----END PGP SIGNATURE-----

Regards,
Argyle

nemo_outis

2005-06-22, 8:46 pm

Unruh <unruh-spam@physics.ubc.ca> wrote in
news:d9cmtj$hg2$6@nntp.itservices.ubc.ca:

> "nemo_outis" <abc@xyz.com> writes:
>
>
>
>
>
>
>
> Well, I would say that the first part of that paper is a pretty shakey
> one. Ie, the model he has of the discovery process and of the
> behaviour of closed vs Open Source testers is pretty naive. It is
> interesting, but not much more than that.
>

Well, I don't think Ross thought that he had said the last word on the
subject and all journals could thenceforth cease publication. The paper
is clearly intended to be thought-provoking rather than definitive and it
certainly achieves that objective.

The paper was produced by a heavyweight with a cross-disciplinary
approach to security and not just a narrow focus on mathematical
cryptography. He provides a broader perspective that that of many
quants, so I don't think his views, preliminary, tentative, or incomplete
as they may be, should be dismissed too lightly.

Regards,

nemo_outis

2005-06-22, 8:46 pm

Unruh <unruh-spam@physics.ubc.ca> wrote in
news:d9clej$hg2$3@nntp.itservices.ubc.ca:

> Mxsmanic <mxsmanic@gmail.com> writes:
>
>
>
>
> So do I believe they use a stronger key. YOur claim is that it is
> always better to use other techniques than breaking the cypher. I am
> pointing out that that claim is wrong. IF breaking the cypher is easy,
> then that is the prefered way of getting the information. If breaking
> the cypher is very hard and expensive, then other ways may be
> preferable.
>
> 256 bit RSA is in the former category. 1024 bit rsa may well be in the
> second.

And, a fortiori, cracking 16-bit RSA should be child's play.

Your logic is impeccable; your connection to real-world security is more
tenuous.

Yes, 256-bit RSA may be relatively easy to crack, but it falls into a
category analogous to using giraffes as beasts of burden: nobody does it!

Since neither you (I presume) nor I have access to the internal workings
of the NSA, whatever is said about their capabilities must remain largely
speculative. But what we can say is that there are NO public
indications (inadequate though those indications may be) which would
suggest they can crack RSA, AES or any other modern algorithm using
reasonably-long keys.

Nor is there any indication in the public community that these algorithms
are in danger of being cracked any time soon. Yes, it is lamentable that
we do not have rigorous proofs that cracking RSA is equivalent to
factoring, etc. but that does not detract significantly from the real-
world conclusion that attacking the algorithm seems very unpromising.

In the real world security is about managing risks, not eliminating them.
About balancing limited effort and resources against those risks. And in
that balance, Mxmaniac is right that implementation flaws and human
foibles are far more promising avenues of attack than defeating the
algorithms. In fact, so unpromising as to be currently dismissable. And
accordingly he is right to instead emphasize putting the effort and
resources where the real risks are perceived to lie.

Could both he and I be wrong? Yep! That's the annoying thing about
risk. However, while the race is not always to the swift or the battle
to the strong, that's the way to bet!

Regards,

Mxsmanic

2005-06-22, 8:46 pm

Unruh writes:

> NOte that it has been proven in a court that the USA agents
> carry out torture.

There isn't any country that hasn't carried out torture, although the
USA used to have a pretty good record compared to many other countries.

> Whether or not that was an abberation or was policy is not proven, although
> there are suspicious circumstances including legal opinions stating that
> torture is OK.

It was policy, but the policy was an aberration, as traditionally the
USA has not approved of torture. Unfortunately, there have been
precedents, although they've been relatively rare compared to the
routine and institutionalized practice of torture in many other
countries.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 8:46 pm

Unruh writes:

> I am looking for the "if" in this sentence, but I cannot find it.

Some things have such a high probability that I consider them
certainties for most practical purposes.

> No, it is not. At other times they used the information.

But the other times are not what count, for the person against whom they
did _not_ use the information.

Similarly, using PGP doesn't count if your adversary plans to torture
your passphrase out of you. But if he doesn't plan to do that, PGP
counts.

> No, because once you know the information it can often be easy to find
> other sources for that same information.

Not if your adversary is careful. And if you have other sources, you
don't need to crack the code to begin with.

> No, it is you that are making the overblown claims.

There's nothing overblown about such a claim. There isn't any black
magic in the spook agencies; they are people like any other. They have
a lot of funding and they keep their work secret, but they are not
breaking laws of thermodynamics or travelling in time. They are
constrained by the same math that constrains everyone else.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 8:46 pm

Nomen Nescio writes:

> How dare you not believe our carefully constructed story?!?!?

I'm interested in security, so I can't afford to believe things that put
security at risk. People who spend all their time protecting against
the risks that interest them tend to overlook the risks that don't;
unfortunately, the latter are precisely the risks from which smart
adversaries will profit.

> Didn't you know the NSA can break any secret code in existence
> in only 15 minutes?

They have a full staff of pink unicorns working on their cryptography.

> Don't you know the FBI has a database of everything you have ever
> purchased? That they just collect the DNA off of the pennies you handle,
> and that the have a database of your DNA, too? ANd our joint FBI/NSA/CIA
> satellites can read your thoughts from orbit, so that if you even think of
> your passphrase, we'll snatch it right out of your head?

Hmm. Where have I heard this before? Or more precisely, where have I
read such things before on the Web? Usually on pages with white text on
black backgrounds, IIRC.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 8:46 pm

Paul Rubin <http://phr.cx@NOSPAM.invalid> writes:

> Yes.

Who has audited the source code, which code was audited, and what were
the results?

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 8:46 pm

nemo_outis writes:

> You raise a valid point. And it's a point on which some theoretical
> results are available (from Ross Anderson, no less). He opines that for a
> number of scenarios (not too contrived ones :-) the security of open-
> source code is no better than closed-source code.

No surprise there. Publishing code doesn't make it more secure by
itself.

--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

2005-06-22, 8:46 pm

Unruh writes:

> So do I believe they use a stronger key. YOur claim is that it is always
> better to use other techniques t