On Saturday, December 29, 2001, at 9:34:40 AM PST, Dierk Haasis wrote:

> 1. 6.5.8 is released by NAI, not by Phil Zimmermann; although it is the
> last NAI version he recommended wholeheartedly.

Well, except perhaps for the following bit from this article:

http://www.philzimmermann.com/text/PRZ_leaves_NAI.txt

PRZ wrote:

>> If NAI ever publishes the complete PGP 7.0.3 source code, I am
>> confident that the public will be able to see that there are still
>> no back doors. Until that time, I can offer only my own assurances
>> that this version of PGP was developed on my watch, and has no back
>> doors. In fact, I believe it to be the most secure version of PGP
>> produced to date.

While the full source code release is still important, there are
vulnerability patches that have since been implemented for v7.x that
have not been implemented by all v6.5.8 users (even v6.5.8ckt.06
doesn't include the patch for the "Otterloo attack", released only as
a source code snippet for v6.5.8).

> 2. CKT versions are based upon officially released source code.

True - but they are "hacked" (Imad's own terminology) - and
"unofficially altered" as the original question was framed. Strictly
speaking, they are also "illegal" builds, and "illegally" distributed.

> 3. CKT (namely Imad Faiad) scrutinised the code, scratched out bugs
> and added/opened up some features.

While the above is true, it is also noteworthy that the bugs Imad
"scratched out" were not discovered by him during his
review/manipulation of the code - nor were they discovered by any
other "peer" by reviewing the source code.

While source code review will remain a respected method of review for
bugs and security vulnerabilities, we should also be careful not to
insinuate that it is *always* the availability of code for review that
has resulted in bug discoveries, fixes, and patches. The "ADK bug",
"Windows ascii armor parser vulnerability", and the "Otterloo attack"
were all discovered by means other than source code review - and none
of them were discovered by Imad's scrutiny of the 6.5.8 code.

I do respect Imad's apparent abilities, and I have no reason to
implicitly distrust him. However - for anyone to use a ckt build
without scrutinizing the code, confirming its "security", and then
compiling their own binary from that code, they are essentially in the
same boat as most other PGP users - they must *trust* someone (Imad -
or the countless, faceless, mysterious "peers" who may or may not be
conscientiously reviewing every byte of code and dutifully reporting
their findings to the rest of us).

Sorry for continuing so far OT in this thread.  I'll be happy to read
more of this in TBOT.

Melissa
-- 
PGP public keys:
mailto:[EMAIL PROTECTED]?subject=PGP_Keys_8&Body=Please%20send%20keys
