Slashdot Mirror

← Back to Stories (view on slashdot.org)

Interview with Phil Zimmerman

Posted by Hemos on from the a-man-the-MAN-hates dept.

A reader writes "PGP's creator is participating in an online interview this week. Phil is mainly interested in clearing the air about the recently discovered ADK bug, but the larger topics of encryption and worldwide organized snoop rings (Echelon) have already come up. The interview is open to questions from anyone; runs through Friday 9/8."

12 of 72 comments (clear)

  1. We need secure protocols, not content. by Tackhead · · Score: 5
    The evidence we're seeing - Carnivore being the best example - indicates that The Powers That Be are more interested in traffic analysis than in terms of decrypting your content.

    In other words, all the strong crypto in the DATA segment of the SMTP transaction isn't gonna save you if an FBI agent decides he wants to forge a "From: kiddypr0narchive@fbi.gov" in an email to you. For mail to truly be secure, it's clear that we now need to encrypt all headers in the SMTP and/or POP transactions.

    Likewise, for safe browsing, SSL on the content of the pages isn't enough; all the metadata in the HTTP GET requests have to be encrypted too.

    Traffic analysis makes sense; it's machine-readable data, machine-parsable, and very easy to inject into a database for profiling purposes. Scanning a database for all From: addresses associated with To: fields of osama_bin_laden@secretterroristcamp.iq, or IP addresses associated with Referrer-ID: fields matching the regexp *janetreno*goat*pr0n* is a lot easier than actually trying to examine a terabyte of .JPGs.

    We've seen it in the public domain with the "auto-sue" programs used against Napster users.

    We're seeing the gummint getting into the act with Carnivore. Whaddyawannabet that 5 years from now, when Jaz and ZIP drives are no longer available, the "physical evidence" ceases to be a piddly 120M disk (which can probably only hold the sniffed headers from a handful of users before it has to be swapped for another disc) and becomes a 200G hard drive (which can hold everyone's traffic for a few days)? Hell, the cost of the "removable hard drive Carnivore" isn't much more than the ZIP drive one today.

    At what point will we redesign our basic communications protocols to be snoop-resistant?

  2. What about quantum computers? by ca1v1n · · Score: 4

    I'm sure everyone here has read about the quantum computers that are still in the pre-infancy stages at places like IBM and Los Alamos. Because of their peculiar nature, the quantum computers can factor numbers as easily as they can multiply them, rendering public-key encryption schemes useless. Of course, these systems are still very primitive, the latest ones at around 5 to 7 qubits. Still, it is inevitable that this technology will grow to the point where it could be capable of cracking 128-bit encryption or whatever we are using when the rapidly advancing quantum technology starts to catch up with traditional computers. Quantum computers do offer the possibility of quantum encryption, but due to the inevitable extreme expense of quantum computers at the early stages of development, it is quite likely that intelligence organizations or large corporations will have the ability to crack our codes several years before we gain the ability to protect ourselves from this threat. When this happens, what will we do to protect our privacy against powerful forces that can compromise it at will?

    --
    WARNING: there is a trojan on your
  3. Close, but not quite by dangermouse · · Score: 4

    The reason for encrypting everything you can is a concept called "plausible deniability". If you only encrypt important things, someone can point to encrypted data and say "that's important, he must be up to something, I can tell because it's encrypted." If you encrypt everything, you can deny that any of it (or any given piece of data, more importantly) is at all interesting, and such denial is entirely plausible.

  4. A very large pair... by DESADE · · Score: 4

    Whatever your opinion on encryption is, Phil Zimmerman deserves some respect. He released PGP despite very legitimate threats to his own personal well being.

    I read an interview a long time ago about his reason for doing do. He said he had heard of a rebel group (forget which country) that was fighting against an oppressive govermnent was using PGP to communicate.

    He decided that if his tool could be used to help people struggling for freedom, it did not matter what would happen to him. He released the software shortly thereafter. In my opinion, he's of the earliest true idealists in the world of hi-tech.

  5. Publishing Source by jerdenn · · Score: 3
    from the article: We avoided the export controls by publishing PGP source code in printed books and legally exporting the books (which were not subject to export controls) to Europe, where they were scanned in via OCR and compiled back into working software again and sold on CDROMs all over the world. A neat trick, don't you think? It worked beautifully...

    Actually, one wonders if this will become the method of choice for distribution of 'illegal' source code such as DeCSS, etc...

    -jerdenn

  6. should everything on the internet be encrypted by daniell · · Score: 4
    On NPR I heard a pundit espouse that realistically everything on the internet should be encrypted. [this was the founder of 3com btw]. But I'm of the opinion that this is incorrect in that a lot of stuff doesn't really matter; why for example should you recieve encrypted ad banners (and I'm sure someone will think of a reason they're comfortable with). Arn't we forever going to run into a case where speed is more desireable for some applications (i.e. multicasted video)?

    This has to do with the interview topic of encryption as you may be able to see

    -Daniel

    1. Re:should everything on the internet be encrypted by walnut · · Score: 3

      Please, encode your add banners.

      That way I can choose not to get your public key.

      --
      You say you want a revolution?
    2. Re:should everything on the internet be encrypted by Bill+Currie · · Score: 3
      Heh, I just thought of a reason for encrypted banner ads: targeted advertising. You wouldn't want your neighbour using his tcp sniffer (assuming cable and a smart neighbour, I guess) and seeing banner ads for the local adult toy shop showing up in your stream :).

      Only hole in this I can see is your neighbour could just crack into the ad server and look at the records for what's been sent to you, but that's another issue, I guess.

      Bill - aka taniwha
      --

      --

      Bill - aka taniwha
      --
      Leave others their otherness. -- Aratak

    3. Re:should everything on the internet be encrypted by prak · · Score: 5

      Come on.. you know the answer to this one. If only "interesting" traffic is encrypted there is a lot less encrypted traffic flying across the lines to confuse big brother like organizations. You encrypt everything to make it more difficult to figure out which encrypted packets are the ones you should be interested in brute forcing.

      If big brother like organizations waste a week trying to decrypt your mother's letter about a new recipe she just tried, that is a week they don't have to decrypt the message you reply with explaining why your family has to go into hiding. We need to inject more noise into the system.

      -prak

      --
      -prak
  7. Re:Why not GPL? by qnonsense · · Score: 3

    In all fairness, this latest incident may have never happened to begin with if the code was GPL'd from the start.

    How? The code is not GPL'd for sure, but it sure as hell is open for us to see. Just because it uses the MITPGP License not the GPL does not make it any less secure.

    ...it would have likely been an option that could easially be left out...

    It is an option that is easially left out. Just dissable it. Or, for that matter, don't complile it in, just as you would have the option of doing so with GPL'd code.

    I really don't see what the big deal is that this doesn't use GPL. For security purposes, one Open Source License is just as good as the next.

    --
    There comes a time in every man's life when he must say, "No mother! I do not want any more Jell-O!"
  8. DON'T POST QUESTIONS HERE by 64.28.67.48 · · Score: 5

    Go to the actual site (http://forums.itworld.com/webx?14@@.ee6 caf5) to post a question. /. is not hosting the interview.

    Thrashing...please wait...

    -------------

    --

    -------------
    The truth is out th- oh, wait, here it is...
  9. Complexity and Security by nestler · · Score: 3
    What do you have to say about complexity and its detrimental impact on security systems?

    PGP seems to be a case study in this in that the recent bug has no effect on the older, simpler PGP 2.6. As requests for features by everyone from paranoid hackers (bigger keys) to corporations (ADK's) come in, it is natural to want to add things to software. The problem is that as the software gets more complex, dangerous flaws get much harder to spot (even in open source software). Once a bug like this creeps in, the "feature-rich" software is significantly less useful than the old version in that it doesn't accomplish its original goal: privacy.

    How do you think one should go about trying to achieve a good balance of features/complexity and security?