-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday, December 29, 2001, at 9:34:40 AM PST, Dierk Haasis wrote:

> 1. 6.5.8 is released by NAI, not by Phil Zimmermann; although it is the
> last NAI version he recommended wholeheartedly.

Well, except perhaps for the following bit from this article:
http://www.philzimmermann.com/text/PRZ_leaves_NAI.txt

PRZ wrote:

>> If NAI ever publishes the complete PGP 7.0.3 source code, I am
>> confident that the public will be able to see that there are still
>> no back doors. Until that time, I can offer only my own assurances
>> that this version of PGP was developed on my watch, and has no back
>> doors. In fact, I believe it to be the most secure version of PGP
>> produced to date.

While the full source code release is still important, there are vulnerability patches that have since been implemented for v7.x that have not been implemented by all v6.5.8 users (even v6.5.8ckt.06 doesn't include the patch for the "Otterloo attack", released only as a source code snippet for v6.5.8).

> 2. CKT versions are based upon officially released source code.

True - but they are "hacked" (Imad's own terminology) - and "unofficially altered", as the original question was framed. Strictly speaking, they are also "illegal" builds, and "illegally" distributed.

> 3. CKT (namely Imad Faiad) scrutinised the code, scratched out bugs
> and added/opened up some features.

While the above is true, it is also noteworthy that the bugs Imad "scratched out" were not discovered by him during his review/manipulation of the code - nor were they discovered by any other "peer" by reviewing the source code. While source code review will remain a respected method of review for bugs and security vulnerabilities, we should also be careful not to insinuate that it is *always* the availability of code for review that has resulted in bug discoveries, fixes, and patches. The "ADK bug", "Windows ascii armor parser vulnerability", and the "Otterloo attack" were all discovered by means other than source code review - and none of them were discovered by Imad's scrutiny of the 6.5.8 code.

I do respect Imad's apparent abilities, and I have no reason to implicitly distrust him. However - for anyone to use a ckt build without scrutinizing the code, confirming its "security", and then compiling their own binary from that code, they are essentially in the same boat as most other PGP users - they must *trust* someone (Imad - or the countless, faceless, mysterious "peers" who may or may not be conscientiously reviewing every byte of code and dutifully reporting their findings to the rest of us).

Sorry for continuing so far OT in this thread. I'll be happy to read more of this in TBOT.

Melissa

- --
PGP public keys: mailto:[EMAIL PROTECTED]?subject=PGP_Keys_8&Body=Please%20send%20keys

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - GPGshell v2.10

iD8DBQE8LkGvjVbXUvsE8ukRAgUYAJwP+QOY+oxhuGpkkg74Hg1Uf+KyCgCgxk9r
j18a4aCQwH0MjsW8JAi1jXs=
=y3f4
-----END PGP SIGNATURE-----

--
________________________________________________________
Archives    : http://tbudl.thebat.dutaint.com
Moderators  : mailto:[EMAIL PROTECTED]
TBTech List : mailto:[EMAIL PROTECTED]
Unsubscribe : mailto:[EMAIL PROTECTED]
Latest Vers : 1.53d
FAQ         : http://faq.thebat.dutaint.com