Anonymous wrote:
>
> Now that the PGP key management "bug" is public, I'd like to comment
> on some source code issues and follies.
>
> The source for versions in question (starting from 5.*) has been available
> for more than two years.
>
> While many crypto experts intensely bullshit about the importance
> of the source code to counter "security through obscurity", it appears
> that none really looked at the sources closely.

A-Yup. But those who hid, overlooked it.

One thing that I have found weird about PGP 6.x is that it insists on
installing itself as both a network driver and as one of those Windows
cute toys that lives in the system tray. The big problem with this is
that I store my ring on an encrypted disk which isn't mounted when NT
starts up anyway, so it fails to start up. I suppose if I wanted to
bother, I could buy a Windblows compiler and "fix" this.

While the VPN functionality of PGPNet might be useful, I find it a bit
cumbersome. This might be why it was thrown in. Perhaps so as to force
you to install it on a normal drive, so your keyring might be accessible.
So for me, the net result is that I don't use the VPN features.

The usual warnings about trusting binaries apply of course. How does
anyone know that the binary called PGP 6.5 Freeware or 6.5i doesn't
contain backdoors or key generation flaws? But we've discussed that to
death already.

--
----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\
  \|/  :aren't security. A  |share them, you don't hang them on your/\|/\
<--*-->:camera won't stop a |monitor, or under your keyboard, you   \/|\/
  /|\  :masked killer, but  |don't email them, or put them on a web  \|/
 + v + :will violate privacy|site, and you must change them very often.
[EMAIL PROTECTED]                         http://www.sunder.net ------------