Yet another Sternlight distortion, intentional misrepresentation
Ed Stone
-----BEGIN PGP SIGNED MESSAGE-----
The post below by Mr. Sternlight (which he titled,"Yet another PGP bug') is
an example of distortionand intentional misrepresentation. I submit:
1. Mr. Sternlight's post, in its entirety;
2. Mr. Finney's post, in its entirety;
3. The words found in Mr. Finney's post, that were NOT found in Mr.
Sternlight's post;
4. The words found in Mr. Sternlight's post that were NOT found in Mr.
Finney's post.
Draw your own conclusions from the content provided.
Hint: NO PGP program sold or provided free by PGP Inc, now or in the past,
uses "Elgamal Signatures" at any point, for anything. I have found NO PGP
program from other vendors or free sources, available anywhere, that uses
"Elgamal Signatures" for anything.
>>>>>>>>>>>>>>>>>
Mr. Sternlight's post, in its entirety:
"Subject: Yet another PGP bug
From: da...@sternlight.com (David Sternlight)
Newsgroups: comp.security.pgp.discuss
Subject: Yet another PGP bug
Date: Fri, 05 Dec 1997 16:55:33 -0800
Organization: DSI/USCRPAC/IER
Lines: 19
Message-ID: <david-05129...@lax-ca69-39.ix.netcom.com>
NNTP-Posting-Host: lax-ca69-39.ix.netcom.com
X-NETCOM-Date: Fri Dec 05 4:55:38 PM PST 1997
X-Newsreader: MT-NewsWatcher 2.3.5
- From Hal Finney of PGP Inc. to the Open PGP mailing list:
One word of caution for those who may be tempted to un-comment the ElGamal
signature code in the 5.0 source: there is a security flaw as written.
The problem is not in the signatures per se but in the key generation.
ElGamal signatures require some care in the choice of the generator.
We use a generator of 2 for ElGamal encryption, which is safe for that
purpose, but is not safe for ElGamal signatures.
So before enabling ElGamal signatures, they must change the keygen code.
(Topher Belknap please also note, in the context of who one trusts to do
crypto programming, and the subtleties involved.)
David
- --
The search for a single solution to each of the problems of mankind
inevitably leads to tyranny.--Sir Isaiah Berlin, d. Nov 5, 1997"
>>>>>>>>>>>>>>
Hal Finney's complete post to the IETF OpenPGP List:
"Hal Finney (h...@rain.org)
Fri, 5 Dec 1997 10:44:14 -0800
Peter Gutmann, pgu...@cs.auckland.ac.nz, writes:
> To get around this, you could use Elgamal for
> signatures (although the current PGP doesn't support
> this, the code is commented out).
One word of caution for those who may be tempted to
un-comment the ElGamal signature code in the 5.0 source:
there is a security flaw as written.
The problem is not in the signatures per se but in
the key generation.ElGamal signatures require some
care in the choice of the generator. We use a generator
of 2 for ElGamal encryption, which is safe for that
purpose, but is not safe for ElGamal signatures.
So before enabling ElGamal signatures, they must change
the keygen code.
(I don't know of any reason to use ElGamal signatures
in place of DSS signatures though.)
Hal"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Specifically, the words found in Mr. Finney's post, that were not repeated by
Mr. Sternlight in his post:
"Peter Gutmann, pgu...@cs.auckland.ac.nz, writes:
> To get around this, you could use Elgamal for
> signatures (although the current PGP doesn't support
> this, the code is commented out)."
"(I don't know of any reason to use ElGamal signatures
in place of DSS signatures though.)"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Specifically, the words found in Mr. Sternlight's post, that were not found
in Mr.Finney's post"
"(Topher Belknap please also note, in the context of who
one trusts to do crypto programming, and the subtleties
involved.)"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I submit that in the "context of who one trusts" to provide fair, honest,
balanced, "whole-truth" advice on crypto software, Mr. Sternlight is not to
be so trusted, and as support for that, I have submitted the content above as
demonstration of documented distortion and intentional misrepresentation on
his part.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2
iQEVAwUBNIllVoVSIIjbt1r5AQEZPgf/WTgsCEbVL5BlNyb896iTbPmo6OEO0tg+
0QYKDEwmO7deqlDVetX3pnSPm3pbbw5zEasCAlXhxRcq6Od7HFHgq8OsF60w06R+
Z0JZpj+gJeFcKNJjBk3voSPQeKmCU6FALmzGKuxx/PN4kS+gLtve2T6NPam30DdF
BPIjeFIUitdekWOguUWobMBUs99HoYMiQ1W22pufNYN4FbsqJS301OpfNOGxt3B9
xY4ZQwJaOgF6c/LBqMKsWNDLzc5TNA7bDP3YpmtBvsBDL47lj5sDulKLhBPJ7vVm
6dMEZGz1yOg/nD4kUyPTktNORt2HPBhkbvbmo2e2XDmTK2CCAJG+xA==
=mE1D
-----END PGP SIGNATURE-----
--
-------------------------------
Ed Stone
est...@synernet-robin.com
remove "-birdname" spam avoider
-------------------------------
Anthony E. Greene
-----BEGIN PGP SIGNED MESSAGE-----
On Sat, 6 Dec 1997 09:49:12 -0500, nos...@synernet.com ( Ed Stone) wrote:
[relevant, but lengthy, material available in original post or via
the Web at <http://www.pobox.com/~agreene/pgp/tourdeforce.txt> ]
>I submit that in the "context of who one trusts" to provide fair, honest,
>balanced, "whole-truth" advice on crypto software, Mr. Sternlight is not to
>be so trusted, and as support for that, I have submitted the content above
as
>demonstration of documented distortion and intentional misrepresentation on
>his part.
Bravo Ed!
Thank you,
Tony
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQCdAwUBNIlgsERUP9V4zUMpAQHXWgQ7Bcfp9wR5ojF2WihcKbizhZL6LFljBENZ
5zxaevzri4wiwp2wXuJLcGdSI7gVCwv2CDknf/aH2BBGOu/IfOg1cMaVd+brtYd9
vYXUawJNim2khEi2g4pY+PFQFdFVZ0yjpzBqUfhjlFVDvtxO97znf3VKUqC1C5VU
89hRrMe6vQJMa98mqcC8DA==
=fCZW
-----END PGP SIGNATURE-----
P.S. PGP 5.5 (freeware) users will not be able to verify this
signature, although I can verify theirs. PGP 5.0 users can talk
to everyone. See link below.
-------------------------------------------------------------
Anthony E. Greene <NoS...@pobox.com> NoSpam=agreene
Use PGP -- Envelopes and Signatures for Email
What is PGP? <http://www.pobox.com/~agreene/pgp/>
My PGP Key: <http://www.pobox.com/~agreene/pgp/agreene.key>
FREEWARE Win95 PGP 5.0: <http://web.mit.edu/network/pgp.html>
-------------------------------------------------------------
Cipher
In article <MPG.ef32ff24...@news.vnet.net> Ed Stone,
nos...@synernet.com writes:
>I submit that in the "context of who one trusts" to provide fair, honest,
>balanced, "whole-truth" advice on crypto software, Mr. Sternlight is not to
>be so trusted, and as support for that, I have submitted the content above as
>demonstration of documented distortion and intentional misrepresentation on
>his part.
Mr. Sternlight? Any response?
Sternbot must be down.....
Cipher
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 Charset: noconv
iQA/AwUBM81uIbKO9JtAv+/uEQKiBACg0InZT+DGQBNFWAZ4/2Rbm4i2X/8AnjkS
xeNHEHShMX0KgKmIttKbduQn=467z
-----END PGP SIGNATURE-----
Isaac
In article <MPG.ef32ff24...@news.vnet.net>, Ed Stone wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>The post below by Mr. Sternlight (which he titled,"Yet another PGP bug') is
>an example of distortionand intentional misrepresentation. I submit:
>
>1. Mr. Sternlight's post, in its entirety;
>2. Mr. Finney's post, in its entirety;
>3. The words found in Mr. Finney's post, that were NOT found in Mr.
>Sternlight's post;
>4. The words found in Mr. Sternlight's post that were NOT found in Mr.
>Finney's post.
In looking over the post itself, I didn't find anything too disturbing. It's
the characterizing of the situtation as "Yet another PGP bug" that I found
completely inaccurate. In most cases things like this cost the poster
credibility.
Isaac
David Lesher
Cipher <cip...@mindspring.com> writes:
>Mr. Sternlight? Any response?
>Sternbot must be down.....
Maybe he's "reverted to a gelatinous state" as someone else does
to recuperate....?? He does sing "I must be going" every so often...
The good news is he is no longer harassing the IEFT working group
lists. But I'm not sure if they fixed their filters to keep him
out, or if someone finally got his attention with a clue-by-four. In
any case, he's made a whole new legion of enemies there.
(BTW, Bet we don't hear anything more re: EPIC quotes for a while,
considering the withdrawal from the KRA...)
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
David Sternlight
In article <66eh4e$7...@camel21.mindspring.com>, Is...@yellow.submarine.pla
(Isaac) wrote:
The difference, Isaac, was due to my inadvertently not demarking my
comment. In an immediate reply to my own post, I corrected that, well
before Stone's post appeared at my end. He's single-handedly (well, no,
along with Lesher and some of Hennessy--are they really different personas
for the same person?) tried to turn a PGP/crypto group into an
anti-Sternlight group. If one counts the number of his posts that aren't
about PGP or crypto but whose burden is personal attacks, one will realize
what a huge net abuser he is. This is an especially serious violation of
netiquette since comp.security.pgp (the one I read among the cross-posts)
is a mainstream newsgroup and not an alt.--where standards are somewhat
looser.
As to whether a bug in source code (commented out or not) is a bug or not,
it seems Finney thought so. Finney's text accompanying my title was
unambiguous.
PGP apologists will, of course, struggle mightily to rationalize it.
David
Ed Stone
In article <david-07129...@lax-ca66-51.ix.netcom.com> of Sun, 07 Dec
1997 12:28:55 -0800, da...@sternlight.com says...
> In article <66eh4e$7...@camel21.mindspring.com>, Is...@yellow.submarine.pla
> (Isaac) wrote:
>
> >In article <MPG.ef32ff24...@news.vnet.net>, Ed Stone wrote:
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>
> >>The post below by Mr. Sternlight (which he titled,"Yet another PGP bug') is
> >>an example of distortionand intentional misrepresentation. I submit:
> >>
> >>1. Mr. Sternlight's post, in its entirety;
> >>2. Mr. Finney's post, in its entirety;
> >>3. The words found in Mr. Finney's post, that were NOT found in Mr.
> >>Sternlight's post;
> >>4. The words found in Mr. Sternlight's post that were NOT found in Mr.
> >>Finney's post.
> >
> >In looking over the post itself, I didn't find anything too disturbing. It's
> >the characterizing of the situtation as "Yet another PGP bug" that I found
> >completely inaccurate. In most cases things like this cost the poster
> >credibility.
> >
> >Isaac
>
> The difference, Isaac, was due to my inadvertently not demarking my
> comment. In an immediate reply to my own post, I corrected that, well
> before Stone's post appeared at my end.
Message ID, or repost please. We'd love to see it. ;-)
> He's single-handedly (well, no,
> along with Lesher and some of Hennessy--are they really different personas
> for the same person?) tried to turn a PGP/crypto group into an
> anti-Sternlight group. If one counts the number of his posts that aren't
> about PGP or crypto but whose burden is personal attacks, one will realize
> what a huge net abuser he is. This is an especially serious violation of
> netiquette since comp.security.pgp (the one I read among the cross-posts)
> is a mainstream newsgroup and not an alt.--where standards are somewhat
> looser.
Having reread this several times, I do not see anything that conflicts with
my classification of the Sternlight post as "distortion, intentional
misrepresentation".
>
> As to whether a bug in source code (commented out or not) is a bug or not,
> it seems Finney thought so. Finney's text accompanying my title was
> unambiguous.
> PGP apologists will, of course, struggle mightily to rationalize it.
>
> David
As one who often challenges reader's efforts at mindreading, Mr. Sternlight's
words, "it seems Finney thought so", are quite interesting. ;-)
I think the case has been made, definitively.
David Sternlight
In article <66fgkt$l...@camel20.mindspring.com>, Is...@yellow.submarine.pla
(Isaac) wrote:
>As Finney suggests, there is no reason to uncomment the code.
>No additional functionality will result. Further, you are not allowed
>to distribute the changed version anyway. If you do uncomment the code
>the result should be signatures that no one else can verify. Sure
>seems silly to me.
The fact remains that PGP distributed code with a serious bug in it. It
was commented out because it wasn't part of the standard suite. But it
wasn't in distributed 5.0 as a paperweight. Obviously, if nobody
uncomments and compiles it, there won't be a problem. But it illustrates
that PGP's coders can write seriously buggy code in which the problems are
relevant to crypto issues, just like anyone else who puts his pants on one
leg at a time. And Finney's note was not distributed for his health--he
obviously thought there was a problem.
This is particularly significant because it falsifies:
1. Netscape has had bugs, but PGP hasn't;
2. Any coder can code crypto code and no special crypto-coding skills are
required.
3. PGP is more likely to be reliable than other products, for
institutional reasons.
4. It doesn't matter that PGP is much more lightly staffed and vastly less
experienced for writing and checking crypto code than, say, RSADSI.
5. The IETF-PGP list is just for discussing formats for Open PGP, and not
matters with respect to existing PGP.
and any number of other nonsensical assertions peddled here by the unholy
trinity.
It also shows the low tolerance among some here for anything negative about PGP.
It also enhances Hal FInney's integrity, for which he deserves full marks.
And another thing. PGP 5.52 was released, and found buggy and promptly
pulled and replaced with 5.53, as those who have been following things
here know. Another nail in the coffin of the argument that PGP is
completely "trustworthy". It is no more or less trustworthy than any other
code, and on first principles (staff experience at writing crypto code and
understanding the subtleties of crypto computation) probably less
trustworthy than code from, say, RSADSI.
David Sternlight
Cipher wrote:
>
> If the code is commented out and therfore not executed, how can it be a
> bug? It never runs! It can't screw anything up.
It was source code. It is standard practice to comment out parts of source
code and leave them as user options to be chosen before compiling. Check any
boilerplate profile file for a good example. In fact check PGP's own options
file, in which many user choices are offered and all but a few defaults
commented out. Thus commented out matter is expected to be used by some users,
and it is no defense to argue that bugs don't matter if code is commented out.
In some cases, alternative source code streams are activated by compile-time
variables and branch points. This is a more modern and more convenient
practice, but the older approach of uncommenting is also often found. I think
Stone, who vociferously and abrasively makes the argument that bugs don't
count because it is commented out code, clearly doesn't know much about
software practice, or is being disingenuous. Either way he's not a "credible witness".
>
> According to your logic any commented code is a bug. What does it matter
> if it is code or my Grandma's cookie recipe?
See above.
>
> Also, tell me why you don't like PGP.
I like it fine for the purposes for which it's useful, and use it myself for
that. Because of its trust model I find non-infringing versions mainly useful
for those correspondents whose keys I'm willing to check personally. In
contrast, when I need to trust a stranger I want someone I trust and who will
indemnify me to vouch for him, like a bank, a credit card company, or an
audited S/MIME certificate issuer (like Verisign) whose standards I both know
and trust.
> What would recommend to replace
> it.
RIPEM can do much the same thing, is also free, and has a similar
certification model with some extensions. It was way ahead of PGP for several
years on the Mac, because the Mac version was coded by Ray Lau, the inventor
of Stuffit, while the Mac version of PGP was, for some time, a command-line
port. Now each has about as good a user interface. But RIPEM isn't as
popular. For the purposes of web of trust models, I find (non-infringing)
versions of PGP more convenient, providing they are fully RSA compatible (2.x
or, if you have your RSA keys, 5.0). As for arms-length trust between
strangers, I recomment X509/S-MIME as implemented in either Netscape
Communicator or Microsoft Internet Explorer. Communicator is fully released
for the Mac with a good user interface; Explorer with a good Mac crypto
interface is still in beta, but should be out in a few weeks. Explorer's
e-mail program, Outlook Express, will also be in the forthcoming version of
Microsoft Office for the Mac, and has excellent S/MIME-X509 capabilities.
> You see, I like the idea of being able to send mail the spooks can't
> read. Any recommendation as to something superior to PGP, utilizing
> public and secret keys, would be appreciated.
Any of the above are thought to be resistant to eavesdropping via
cryptanalysis if you use long enough keys. At least 512 bits for RSA, though
1024 is better and many use 2048. Physical security at your end must not be
neglected. If you're using a shared machine, special procedures (keep your
keys on a diskette and take them with you) are needed as well.
David
Cipher
In article <david-07129...@lax-ca66-51.ix.netcom.com> David
Sternlight, da...@sternlight.com writes:
>As to whether a bug in source code (commented out or not) is a bug or not,
>it seems Finney thought so. Finney's text accompanying my title was
>unambiguous.
>PGP apologists will, of course, struggle mightily to rationalize it.
If the code is commented out and therfore not executed, how can it be a
bug? It never runs! It can't screw anything up.
According to your logic any commented code is a bug. What does it matter
if it is code or my Grandma's cookie recipe?
Also, tell me why you don't like PGP. What would recommend to replace
it. You see, I like the idea of being able to send mail the spooks can't
read. Any recommendation as to something superior to PGP, utilizing
public and secret keys, would be appreciated.
Cipher/Member news.newusers.questions Moderation Board
Visit my Mac help site at
http://www.geocities.com/SiliconValley/Lakes/4404/
PGP Public Key available at my website
Isaac
In article <david-07129...@lax-ca66-51.ix.netcom.com>,
David Sternlight wrote:
>The difference, Isaac, was due to my inadvertently not demarking my
>comment. In an immediate reply to my own post, I corrected that, well
>
>As to whether a bug in source code (commented out or not) is a bug or not,
>it seems Finney thought so. Finney's text accompanying my title was
>unambiguous.
>PGP apologists will, of course, struggle mightily to rationalize it.
>
So if anyone disagrees with you they are probably a PGP apologist?
Cute.
I thought it was fairly clear that your comment was your own words so
I had no problem with the added comment. I also thought it was clear
from the quoted material in your post that Finney did not think the
commented out code was a problem. His point was rather that amateurs
should probably not uncomment the code. Your own comment emphasized this
point as well.
The real problem was that the text you omitted made it even clearer
the Finney felt the issue was not a bug. This is the only issue I
had with your post.
As Finney suggests, there is no reason to uncomment the code.
No additional functionality will result. Further, you are not allowed
to distribute the changed version anyway. If you do uncomment the code
the result should be signatures that no one else can verify. Sure
seems silly to me.
Isaac
David Lesher
SternFUD expounds.....
>{Stone's} single-handedly (well, no,
>along with Lesher and some of Hennessy--are they really different personas
>for the same person?) tried to turn a PGP/crypto group into an
>anti-Sternlight group. If one counts the number of his posts that aren't
>about PGP or crypto but whose burden is personal attacks, one will realize
>what a huge net abuser he is. This is an especially serious violation of
>netiquette since comp.security.pgp (the one I read among the cross-posts)
>is a mainstream newsgroup and not an alt.--where standards are somewhat
>looser.
This is really a ROTFLMAO, considering SternFUD just spent a
week-plus messing FOUR of the IETF Working Group mailing lists
with his own nonsense.. You'd think FUD would move the discussion
as suggested below. But he keep dragging it back here -- why is that?
Here are Dave Del Torto's IETF List comments regarding same:
Since it was Mr. Sternlight who first saw fit to insert his
opinions here (without regard for netiquette, or first
familiarizing himself with the WG's Charter), perhaps it
would be appropriate to move this thread to
<news:alt.fan.david-sternlight>. Those who are so inclined
may spelunk deeply into his opinions there without further
involving the members of this Working Group (some of whom I
suspect might still wish to move the OpenPGP standard
forward, unencumbered by irrelevancies such as debates over
why PGP Inc's freeware doesn't contain this cipher or that
hash).
(And I chuckle over his fervent wish that he has but one person
opposing his Jihad....)
Anthony E. Greene
-----BEGIN PGP SIGNED MESSAGE-----
On Sun, 07 Dec 1997 19:19:25 -0800, da...@sternlight.com (David Sternlight)
wrote:
>In article <66fgkt$l...@camel20.mindspring.com>, Is...@yellow.submarine.pla
>(Isaac) wrote:
>
>>As Finney suggests, there is no reason to uncomment the code.
>>No additional functionality will result. Further, you are not allowed
>>to distribute the changed version anyway. If you do uncomment the code
>>the result should be signatures that no one else can verify. Sure
>>seems silly to me.
>
>The fact remains that PGP distributed code with a serious bug in it. It
>was commented out because it wasn't part of the standard suite.
Can we agree on this definition of "bug":
:Bug (computer), in computer science, an error in software or hardware. In
:software, a bug is an error in coding or logic that causes a program to
:malfunction or to produce incorrect results.
:
:"Bug (computer)," Microsoft(R) Encarta(R) 96 Encyclopedia. (c) 1993-1995
:Microsoft Corporation. All rights reserved.
Granted, Encarta is not *the* definitive reference on the English langauge,
but I think this definition fits what most of us understand as the meaning
of "bug" in this context.
Since the code in question is commented out, it seems not to fit this
definition.
Tony
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQCcAwUBNItg9URUP9V4zUMpAQH3JgQ0Dn9VlTR/KJSedvnSFdAojbp2PyBnIv3L
JvoB/Fj0mGic5LngmbiXtcthUCj3CZrSdhzheo6tSBQR1YMVpcA5xiY3iKOkGjjh
ILXcOcSBOHEkSL49RjOKDAGx/l6DfrZtno69KYPGNSICQCIKz7CE0FwxrWECivMA
PvCiruN9y2+6Le2L/0zF
=fzPD
Isaac
In article <david-07129...@lax-ca66-60.ix.netcom.com>,
>The fact remains that PGP distributed code with a serious bug in it. It
You persist in calling commented out code a bug. The commenting out
of incomplete, or unused but possibly useful code is a very common practice
when working on software. Code is written to establish functionality.
Decisions are later made to disable such functionality or to abort
the development of some feature. Code is then commented out rather
than dropping it in the bit bucket. In this case, since the commented out
code is useful if certain precautions are taken, there is legitimacy in
leaving the commented code in. One could argue whether there was sufficient
info in the comment to keep amateurs from uncommenting it, but so far noone
has made such a point. We all agree that uncommenting the code will
result in buggy software.
If you have not participated in the design of a significant software
project, it is possible that the practice might be unknown to you, but
you persist after being corrected. For people who are familiar with or
understand the nature of comments, your persistence is probably at
the expense of your credibility.
>wasn't in distributed 5.0 as a paperweight. Obviously, if nobody
>uncomments and compiles it, there won't be a problem. But it illustrates
>that PGP's coders can write seriously buggy code in which the problems are
The code isn't buggy. Precautions other than simply uncommenting are
required to use it, but as far as anyone has said, the code is okay as it
stands. What leads you to believe the code is buggy. Noone but you
says it is.
>And another thing. PGP 5.52 was released, and found buggy and promptly
>pulled and replaced with 5.53, as those who have been following things
If someone has explained why PGP 5.52 was pulled, I missed it. I suspect
that there was a bug, but I have no way to check for myself. Did you
encounter any bugs in the version you downloaded?
>here know. Another nail in the coffin of the argument that PGP is
>completely "trustworthy". It is no more or less trustworthy than any other
>code, and on first principles (staff experience at writing crypto code and
I really can't argue with this statement. Code varies widely in
trustworthiness so the statement is meaningless. My car is no slower
than any other car.
>understanding the subtleties of crypto computation) probably less
>trustworthy than code from, say, RSADSI.
>
You've established no basis whatsoever for this conclusion.
Isaac
Isaac
In article <348B773D...@sternlight.com>, David Sternlight wrote:
>Cipher wrote:
>>
>> If the code is commented out and therfore not executed, how can it be a
>> bug? It never runs! It can't screw anything up.
>
>code and leave them as user options to be chosen before compiling. Check any
>boilerplate profile file for a good example. In fact check PGP's own options
>file, in which many user choices are offered and all but a few defaults
>commented out. Thus commented out matter is expected to be used by some users,
There are a number of ways to comment out C code. You've described one of
them. Another method is to surround the code as I've shown below:
/*
Some commented out code. You can't activate me.
*/
Yet another method is this
#if 0
Some potentially volatile code. You can't activate me.
#endif
In neither case can ANY compiler options result in the code being activated.
You'll have to edit the source to remove the comment. Do you know whether
the code we're discussing can be activated by adding a simple command
line option or specifying a simple preprocessor define? If not shouldn't
you find out before you go ranting about something you don't know about?
Even if the code does allow a command line option like -DUSE_ELGAMAL_SIGS
to activate the code, it still would not constitute a bug as long as the
variable were not tied to other compiler options and there was sufficient
warning about the results of such a flag in the source code which is
where one might learn of the existence of the flag.
>and it is no defense to argue that bugs don't matter if code is commented out.
>In some cases, alternative source code streams are activated by compile-time
>variables and branch points. This is a more modern and more convenient
>practice, but the older approach of uncommenting is also often found. I think
>Stone, who vociferously and abrasively makes the argument that bugs don't
Either you don't know what you are talking about or you are deliberately
distorting the truth. There is nothing modern about what you describe.
It's not more convenient then the methods I've illustrated, it's
different because it serves a different purpose.
Isaac
David Lesher
SternFUD vents drive plazma:
>This is particularly significant because it falsifies:
>1. Netscape has had bugs, but PGP hasn't;
>2. Any coder can code crypto code and no special crypto-coding skills are
>required.
>3. PGP is more likely to be reliable than other products, for
>institutional reasons.
>4. It doesn't matter that PGP is much more lightly staffed and vastly less
>experienced for writing and checking crypto code than, say, RSADSI.
>5. The IETF-PGP list is just for discussing formats for Open PGP, and not
>matters with respect to existing PGP.
(Stand back! He's going to pop an warp core overload! Evacuate the
Jefferies Tubes....)
I love it. PGP source code, which is available for examination, is
buggy. Ergo, NetScrape source, which is not, is therefore perfect....
You are reaching new lows with this thread, UnProfessor...
(I guess FUD's bottom is still smarting from the spanking he got
for messing on the IETF Working Group lists; note the sulking
tone above..)
Ed Stone
In article <348B773D...@sternlight.com> of Sun, 07 Dec 1997 20:27:51 -
0800, da...@sternlight.com says...
<snip>
> I like it fine for the purposes for which it's useful, and use it myself for
> that. Because of its trust model I find non-infringing versions mainly useful
> for those correspondents whose keys I'm willing to check personally. In
> contrast, when I need to trust a stranger I want someone I trust and who will
> indemnify me to vouch for him, like a bank, a credit card company, or an
> audited S/MIME certificate issuer (like Verisign) whose standards I both know
> and trust.
The mention of concern for "non-infringing", and VeriSign, recalls that just
last month, VeriSign paid out a two million dollars in stock to settle a
trademark infringement lawsuit (according to VeriSign's statements to the
Securities and Exchange Commission). Curious that there is concern for "non-
infringement" in one set of software, but not in another. ;-)
Greg Hennessy
In article <348B773D...@sternlight.com>,
David Sternlight <da...@sternlight.com> wrote:
>It was source code. It is standard practice to comment out parts of source
>code and leave them as user options to be chosen before compiling.
It is *NOT* standard practice to do this.
You can't do it with Microsoft code.
You can't do it with Netscape code.
You can't do it with RSADSI code.
As an overwhelming rule of thumb, users don't recompile.
Anyone who recompiles after altering the source code is taking
responsibility for the code, the the vendor who produced the code.
> I think Stone, who vociferously and abrasively makes the argument
> that bugs don't count because it is commented out code, clearly
> doesn't know much about software practice, or is being
> disingenuous. Either way he's not a "credible witness".
I would change the third word above.
Greg Hennessy
In article <david-07129...@lax-ca66-51.ix.netcom.com>,
David Sternlight <da...@sternlight.com> wrote:
>This is an especially serious violation of
>netiquette since comp.security.pgp (the one I read among the cross-posts)
>is a mainstream newsgroup and not an alt.--where standards are somewhat
>looser.
This comes with ill grace from somone who recently posted numerous
off topic posts to the IETF open-pgp mailing list.
Greg Hennessy
In article <david-07129...@lax-ca66-60.ix.netcom.com>,
David Sternlight <da...@sternlight.com> wrote:
>This is particularly significant because it falsifies:
>1. Netscape has had bugs, but PGP hasn't;
David one again fabricates straw men arguments to knock down.
I've asked multiple times for David to provide evidice that anyone
argues that PGP code is bug free. He doesn't answer, but continues to
make statements as above.
Ed Stone
In article <66gvpc$a...@clarknet.clark.net> of 8 Dec 1997 14:21:32 GMT,
g...@clark.net says...
> In article <348B773D...@sternlight.com>,
> David Sternlight <da...@sternlight.com> wrote:
<snip>
> > I think Stone, who vociferously and abrasively makes the argument
> > that bugs don't count because it is commented out code, clearly
> > doesn't know much about software practice, or is being
> > disingenuous. Either way he's not a "credible witness".
>
> I would change the third word above.
Mr. Hennessy is correct, I (Stone) made no such point. Possibly Mr.
Sternlight intended to comment it out? ;-)
Ed Stone
In article <66gvum$a...@clarknet.clark.net> of 8 Dec 1997 14:24:22 GMT,
g...@clark.net says...
> In article <david-07129...@lax-ca66-51.ix.netcom.com>,
> David Sternlight <da...@sternlight.com> wrote:
> >This is an especially serious violation of
> >netiquette since comp.security.pgp (the one I read among the cross-posts)
> >is a mainstream newsgroup and not an alt.--where standards are somewhat
> >looser.
>
> This comes with ill grace from somone who recently posted numerous
> off topic posts to the IETF open-pgp mailing list.
The duality of Mr. Sternlight's standards model is legend, including his
public excoriation of PGP Inc upon its being *accused* of intellectual
property infringement, in the face of his silence about VeriSign paying two
million dollars in stock to settle an intellectual property infringement
lawsuit just last month (Bidzos is Chairman of VeriSign and RSADSI owns more
than 28% of VeriSign); his concern for McAfee's ethics as member of the Key
Recovery Alliance (they withdrew from membership Friday), in the face of
RSADSI's status as charter member and continuing member; and so on.
Jeroen C. van Gelderen
Why are we all so harh on Mr. Sternlight. I'm always looking forward to his
ridiculous postings. Sure, he's nothing smart to say, but I'm having a laugh
whenever he posts again... ;)
J
David Lesher
FUD Claims:
>>It was source code. It is standard practice to comment out parts of source
>>code and leave them as user options to be chosen before compiling.
g...@clark.net (Greg Hennessy) writes:
>As an overwhelming rule of thumb, users don't recompile.
I wonder when (and what) SternFUD last recompiled an app
on his home machine....
I wonder when he last recompiled ANYTHING? Was it the
the 1950-era stuff he was bragging about?
David Sternlight
In article <66g139$d...@camel19.mindspring.com>, Is...@yellow.submarine.pla
(Isaac) wrote:
>In article <david-07129...@lax-ca66-60.ix.netcom.com>,
>David Sternlight wrote:
>>The fact remains that PGP distributed code with a serious bug in it. It
>>was commented out because it wasn't part of the standard suite. But it
>
>You persist in calling commented out code a bug. The commenting out
>of incomplete, or unused but possibly useful code is a very common practice
>when working on software.
It wasn't incomplete code. It was thought to be complete and usable, to
add a feature to PGP. It turned out to be buggy. End of story.
David Sternlight
>project, it is possible that the practice might be unknown to you, but
>you persist after being corrected.
Listen, sonny, for my first career I was pioneering on the digital
computer you so gracelessly post insults on, before you were a gleam in
your father's eye. I wrote part of the Fortran compiler for IBM, part of
the largest real-time Air Force command and control system (SAGE) of the
time, and one of the first aircraft design routines for NASA's predecessor
the Wright Air Development Center, all in the mid-1950's. The first two
were massive team software development projects; the third a solo act. My
other pioneering system credits include the first major application for
the United Nations Statistical Office, and the first production
engineering-economics systems design package which won my employer three
one-Billion dollar contracts (the FDL, LHA, and DD-963 class ship
construction contracts), with my work being singled out in the Navy award
letter as one of the main reasons.
Don't try to teach your grandmother how to suck eggs, as the Russians say.
NOSPAMd...@iwaynet.net
-----BEGIN PGP SIGNED MESSAGE-----
On 8 Dec 1997 14:21:32 GMT, g...@clark.net (Greg Hennessy) wrote:
:
>>It was source code. It is standard practice to comment out parts of
source
>>code and leave them as user options to be chosen before compiling.
>
>
>It is *NOT* standard practice to do this.
>
>You can't do it with Microsoft code.
>
>You can't do it with Netscape code.
>
>You can't do it with RSADSI code.
>
>As an overwhelming rule of thumb, users don't recompile.
Many software packages for Linux do just that. The header for the C
source to the driver for my Adaptec aha152x card told me exactly how
and where to set IRQ and port numbers to work on my machine. Many
other software packages tell exactly what to uncomment to make the
resulting executable match the capabilities and hardware of the
machine it will run on(or even just features the user WANTS
supported!). I have fewer problems with crashes and software bugs
that I do with Microsoft products and the executables are leaner and
meaner as well since support for a whole lot things I don't have
aren't being included (Gravis soundcards, extraneous SCSI drivers,
etc). I have no problem or fear of making SUPPORTED modifications to
source code. I likewise prefer the ability to recompile since it's
easier to fix something broken.
Also, I can more easily trust crypto that I have compiled myself.
What kind of idiot leaves a trojan horse or virus right in the source
for every Tom, Dick, and Harry who got it from an FTP site to see?
Give me the 'risky' open system any day......
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQCVAwUBNIyCqAUcDdLO4sm1AQEVtAP+P4tbFEjgfbBB9I87mKGEZhZ2UPX6qvR0
/oel7AeqUkIe2HGOPn3a5TpNEd8/pkRkB0uRes4xLOcl4vYaejT4H7A6b9c95tzb
7gae/xHU8LMEs05b6did6mykZxRq7cHPgHuJOpr6ZztXwe5u61IpM3aekrlB1xFH
xVAPyMu4Axs=
=6RUs
-----END PGP SIGNATURE-----
David Sternlight
Anthony E. Greene wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> wrote:
>
> >In article <66fgkt$l...@camel20.mindspring.com>, Is...@yellow.submarine.pla
> >(Isaac) wrote:
> >
> >>As Finney suggests, there is no reason to uncomment the code.
> >>No additional functionality will result. Further, you are not allowed
> >>to distribute the changed version anyway. If you do uncomment the code
> >>the result should be signatures that no one else can verify. Sure
> >>seems silly to me.
> >
> >was commented out because it wasn't part of the standard suite.
>
>
> :Bug (computer), in computer science, an error in software or hardware. In
> :software, a bug is an error in coding or logic that causes a program to
> :malfunction or to produce incorrect results.
> :
> :"Bug (computer)," Microsoft(R) Encarta(R) 96 Encyclopedia. (c) 1993-1995
> :Microsoft Corporation. All rights reserved.
>
> Granted, Encarta is not *the* definitive reference on the English langauge,
> but I think this definition fits what most of us understand as the meaning
> of "bug" in this context.
>
> Since the code in question is commented out, it seems not to fit this
> definition.
Since it was source code intended for compiling, not object code, and since
the "commented out code" was intended to be a feature users could activate if
they wished, it was a bug.
David
David Sternlight
Ed Stone wrote:
>
> In article <66gvum$a...@clarknet.clark.net> of 8 Dec 1997 14:24:22 GMT,
> g...@clark.net says...
> > In article <david-07129...@lax-ca66-51.ix.netcom.com>,
> > David Sternlight <da...@sternlight.com> wrote:
> > >This is an especially serious violation of
> > >netiquette since comp.security.pgp (the one I read among the cross-posts)
> > >is a mainstream newsgroup and not an alt.--where standards are somewhat
> > >looser.
> >
> > This comes with ill grace from somone who recently posted numerous
> > off topic posts to the IETF open-pgp mailing list.
>
> The duality of Mr. Sternlight's standards model is legend,
Actually, it is the malignancy of your distortions that are legend. Because
one speaks on incident "A" but doesn't speak on incident "B", does not reveal
dual standards. It is you who have the dual standards, since you defend free
speech for yourself and your friends, but wish to criticize it when it is
exercised by others. Free speech includes the right to silence, for good
reason or no reason.
If I had undertaken to make public pronouncements on all incidents related to
intellectual property cases, and was silent on a notable one, then I might be
accused of something or other. But I have never made such an undertaking, nor
do I do so now.
Your constant and gratuitous out-of-context harping on the trademark
infringement case won't provoke a discussion of it from me; all you're doing
is revealing your own spamhood. As my Rabbi says, what you are I wouldn't eat.
David
David Sternlight
Greg Hennessy wrote:
>
> In article <348B773D...@sternlight.com>,
> David Sternlight <da...@sternlight.com> wrote:
> >It was source code. It is standard practice to comment out parts of source
> >code and leave them as user options to be chosen before compiling.
>
> It is *NOT* standard practice to do this.
>
> You can't do it with Microsoft code.
>
> You can't do it with Netscape code.
>
> You can't do it with RSADSI code.
>
> As an overwhelming rule of thumb, users don't recompile.
You are simply wrong on the facts. When compilable source is provided it is
common practice. PGP 5.0 provided source for compilation.
In fact if PGP Inc. didn't expect source to be compiled there's have been
little reason for the public warning.
That some others don't provide source is a separate issue. To understand this
matter, you'd better have a look at the UNIX community where the provision of
compilable source is standard practice.
It would seem you are arguing for its own sake, or to do a make-wrong. Come
on, Greg, it's the holiday season and time to turn over a new leaf.
David
David Sternlight
Greg Hennessy wrote:
>
> In article <david-07129...@lax-ca66-51.ix.netcom.com>,
> David Sternlight <da...@sternlight.com> wrote:
> >This is an especially serious violation of
> >netiquette since comp.security.pgp (the one I read among the cross-posts)
> >is a mainstream newsgroup and not an alt.--where standards are somewhat
> >looser.
>
> This comes with ill grace from somone who recently posted numerous
> off topic posts to the IETF open-pgp mailing list.
My posts were no more off topic than Hal Finney's of PGP Inc. when he posted
the warning in question about the bug in PGP 5.0 source code. They were about
aspects of commercial PGP that had implications for the Open PGP group. It was
the plethora of personal attacks on me that were off topic.
Unless Stone and Hennessy are different personas of the same writer, it's time
you stopped being influenced by his posts here.
Note that most of Lesher's posts (and more and more of yours and Stone's
lately) are personal attacks devoid of substantive content. I have not posted
personal attack posts to the IETF list. You guys must be getting pretty
desperate here, as PGP attempts to become more and more mainstream to compete
with S/MIME--and the contradictions start showing up in droves.
David
Ed Stone
In article <david-08129...@lax-ca69-39.ix.netcom.com> of Mon, 08 Dec
1997 19:26:22 -0800, da...@sternlight.com says...
> >
> >You persist in calling commented out code a bug. The commenting out
> >of incomplete, or unused but possibly useful code is a very common practice
> >when working on software.
>
> It wasn't incomplete code. It was thought to be complete and usable, to
> add a feature to PGP. It turned out to be buggy. End of story.
>
------------
"It would appear that David is not familiar with the mundane occurrence
of, e.g.,
#ifdef notdef
/* XXX - to be addressed when Big Important Feature comes along */
...a dozen lines of currently unusable or buggy code...
#endif
This is not the work of "slovenly programmers," but rather the work of
studious and publicly-minded programmers who are headed somewhere
useful and important, but who haven't had the time, or haven't been
provided the resources or interfaces, to finish the problem. Not
fixed (or finished, as the case may be), not removed, and often barely
commented upon.
This is positively routine in the field of publicly-available
software. *Positively routine*. Go grep a BSD source tree for
"notdef" sometime. I just did so in an OSF/1 kernel tree and found
100+ occurrences of "notdef" code.
Come back when you've discovered how the real world works."
----------
But the core issue is not the obvious practice of commenting out sections of
source code, and the fact that it is not a bug for source to contain such
commented out sections, rather is is that Mr. Sternlight continues to call
source with such commented out code buggy on that basis, titling the post
"Yet another PGP bug", and distorting and intentionally misrepresenting thru
the selective quoting of another. Specifically:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Specifically, the words found in Mr. Finney's post, that were not repeated by
Mr. Sternlight in his post:
"Peter Gutmann, pgu...@cs.auckland.ac.nz, writes:
> To get around this, you could use Elgamal for
> signatures (although the current PGP doesn't support
> this, the code is commented out)."
"(I don't know of any reason to use ElGamal signatures
in place of DSS signatures though.)"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Specifically, the words found in Mr. Sternlight's post, that were not found
in Mr.Finney's post"
"(Topher Belknap please also note, in the context of who
one trusts to do crypto programming, and the subtleties
involved.)"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I submit that in the "context of who one trusts" to provide fair, honest,
balanced, "whole-truth" advice on crypto software, Mr. Sternlight is not to
be so trusted, and as support for that, I have submitted the content above as
demonstration of documented distortion and intentional misrepresentation on
his part.
Ed Stone
In article <348D46B9...@sternlight.com> of Tue, 09 Dec 1997 05:25:19 -
0800, da...@sternlight.com says...
> Ed Stone wrote:
<snip>
> >
> > The duality of Mr. Sternlight's standards model is legend,
>
> Actually, it is the malignancy of your distortions that are legend. Because
> one speaks on incident "A" but doesn't speak on incident "B", does not reveal
> dual standards. It is you who have the dual standards, since you defend free
> speech for yourself and your friends, but wish to criticize it when it is
> exercised by others. Free speech includes the right to silence, for good
> reason or no reason.
And a good looking straw man he is, indeed. ;-) Watch Davy hit the straw man!
;-)
>
> If I had undertaken to make public pronouncements on all incidents related to
> intellectual property cases, and was silent on a notable one, then I might be
> accused of something or other. But I have never made such an undertaking, nor
> do I do so now.
Just seems pretty strange, that in the face of thousands of words in hundreds
of posts critical of PGP Inc/Phil Zimmermann vis a vis accusations of them
(mostly by you) of intellectual property infringement (against RSADSI/Bidzos)
by a crypto firm/software, and your association (as stated in your posts)
with Mr. Bidzos, and your frequent accolades for VeriSign and RSADSI's moral
highground, that you might spare a sentence of rebuke for VeriSign's $2
million intellectual property infringement settlement. (VeriSign's chairman
is Bidzos, and RSADSI owns prox 28% of VeriSign.) ;-)
You have yet to explain away the absence of such statement. A reasonable
interpretation of events is that you rebuke A on the basis of it being
accused of intellectual property infringement, but you do not rebuke B on the
basis of it paying out $2 million to settle an intellectual property
infringement lawsuit.
Absence of such a sentence of rebuke upon that payout just last month for
infringing is quite contrasting with the thousands of words of rebuke for an
*accused* IP infringer. ;-)
>
> Your constant and gratuitous out-of-context harping on the trademark
> infringement case won't provoke a discussion of it from me; all you're doing
> is revealing your own spamhood. As my Rabbi says, what you are I wouldn't eat.
Glad to learn of your rejection of cannabalism. And it wasn't just a case, it
was a 2 million dollars in stock settlement of infringement of intellectual
property. ;-)
Ed Stone
In article <348D498F...@sternlight.com> of Tue, 09 Dec 1997 05:37:26 -
0800, da...@sternlight.com says...
> Greg Hennessy wrote:
> >
> > In article <david-07129...@lax-ca66-51.ix.netcom.com>,
> > David Sternlight <da...@sternlight.com> wrote:
> > >This is an especially serious violation of
> > >netiquette since comp.security.pgp (the one I read among the cross-posts)
> > >is a mainstream newsgroup and not an alt.--where standards are somewhat
> > >looser.
> >
> > This comes with ill grace from somone who recently posted numerous
> > off topic posts to the IETF open-pgp mailing list.
>
> My posts were no more off topic than Hal Finney's of PGP Inc. when he posted
> the warning in question about the bug in PGP 5.0 source code. They were about
> aspects of commercial PGP that had implications for the Open PGP group. It was
> the plethora of personal attacks on me that were off topic.
>
> Unless Stone and Hennessy are different personas of the same writer, it's time
> you stopped being influenced by his posts here.
I suspect that Mr. Hennessy is influenced by that which he chooses to be
influenced by. Don't know how anyone could resist the fairness of your
arguments, nor the consistency of your perspective, not to mention the
seductiveness of your endearing, gentle wording. ;-)
>
> Note that most of Lesher's posts (and more and more of yours and Stone's
> lately) are personal attacks devoid of substantive content.
Darn, those cites to URL's are being snipped somewhere again. ;-)
> I have not posted
> personal attack posts to the IETF list. You guys must be getting pretty
> desperate here, as PGP attempts to become more and more mainstream to compete
> with S/MIME--and the contradictions start showing up in droves.
>
> David
No, I think the benchmarks of shrill, personal, and desperate continue to be
Mr. Sternlight's now famous, "You are a shit.", and his "He's not only a
moron but an arrogant ass to think that he can take something like "Plonk!"
and pretend it's a permanent promise so he can cry "Liar!" when someone
decides to read a few messages. I'll plonk whom I wish when I wish and for
how long I wish. Let him take his petty little game to the elementary school
playground where it belongs.". Message IDs on request. ;-)
David Lesher
FUD bawls:
>My posts [To the IETF Working Group lists]
>were no more off topic than Hal Finney's of PGP Inc. when he posted
>the warning in question about the bug in PGP 5.0 source code.
"Mommie, he hit me first..."
I suggest those interested in the facts go review the archives
available at http://www.ietf.org
Note the reactions of the other in the WG to his spew.
{Since FUD was bragging how he'd invented FORTRAN, etc; why have we
NOT seen HIS public key cryptosystem offering yet? Maybe he's
working on the #ifdef's for it?}
David Lesher
FORTRAN II Programmer SternFUD proclaims:
>> You can't do it with Microsoft code.
>>
>> You can't do it with Netscape code.
>>
>> You can't do it with RSADSI code.
>>
>> As an overwhelming rule of thumb, users don't recompile.
>You are simply wrong on the facts. When compilable source is provided it is
>common practice. PGP 5.0 provided source for compilation.
Strange, FUD has not answered the last question:
When did he last recompile any crypto code?
When did he last recompile any Mac code?
When did he last recompile any Unix code?
When did he last recompile any of his code?
When did he last recompile any C code?
When did he last recompile ANY code?
>That some others don't provide source is a separate issue. To understand this
>matter, you'd better have a look at the UNIX community where the provision of
>compilable source is standard practice.
See above...and Karl's post. Also look at the Linux kernel source
tree.
>It would seem you are arguing for its own sake, or to do a make-wrong.
Is there not a term for someone who constantly attaches his
behaviour to others; to avoid having to own up to it himself?
Jim Gillogly
> In article <66g139$d...@camel19.mindspring.com>, Is...@yellow.submarine.pla
> (Isaac) wrote:
>
> >You persist in calling commented out code a bug. The commenting out
> >of incomplete, or unused but possibly useful code is a very common practice
> >when working on software.
David Sternlight wrote:
> It wasn't incomplete code. It was thought to be complete and usable, to
> add a feature to PGP. It turned out to be buggy. End of story.
You're mistaken. It was plainly marked as an experiment. Here's a "fair usequote" of the relevant section of code from pgpElGKey.c:
--------------------snippage----------------------
* $Id: pgpElGKey.c,v 1.9.2.3 1997/06/07 09:51:25 mhw Exp $
*/
/* Experiment with El Gamal signatures */
#undef ELGSIGS
--------------------snippage----------------------
Any reasonable person who removed the #undef would perforce
have read the comment preceding it and been forewarned that
they were now participating in an experiment rather than using
tried and tested code. Someone reading further in the code
would find the comment:
--------------------snippage---------------------
/*
* Return 1 if (sig,siglen) is a valid MPI which signs
* (hash, hashlen).
* Not implementing ElGamal signatures, using DSS.
*/
--------------------snippage----------------------
The clue phone is ringing, and any sensible person will answer it.
Even if it were a bug, big deal. New versions of programs have bugs,
even code from members of the Key Recovery Alliance, and even from
Microsoft (despite a Gates interview that suggests Microsoft leaves no
important bugs in their code on a new release). The scanned PGP 5.0
did indeed have bugs, but only a Grade-A nitpicker would consider
this to be one of them.
--
Jim Gillogly
19 Foreyule S.R. 1997, 16:48
12.19.4.13.7, 10 Manik 5 Mac, Sixth Lord of Night
Greg Hennessy
In article <348D47E9...@sternlight.com>,
David Sternlight <da...@sternlight.com> wrote:
>>
>> You can't do it with Microsoft code.
>>
>> You can't do it with Netscape code.
>>
>> You can't do it with RSADSI code.
>>
>> As an overwhelming rule of thumb, users don't recompile.
>
>You are simply wrong on the facts.
A bald assertion. None of my comments above are wrong.
> When compilable source is provided it is
>common practice.
It isn't common practice with Linux.
>In fact if PGP Inc. didn't expect source to be compiled there's have been
>little reason for the public warning.
The warning is to make sure people understand the consequences of
modifying crypto code.
>To understand this
>matter, you'd better have a look at the UNIX community where the provision of
>compilable source is standard practice.
I know the UNIX community far better than you do.
To have code that is not compiled in by default, but can be turned on
by compile time options UNIX programmers use
#ifdef OPTION
#endif
not
#ifdef 0
#endif.
The first can reasonably expected to be turned on with a compile time
option. The second can't be. The code in PGPV5.0 (which *I* have
looked at and *you* have not) is of the second form.
>It would seem you are arguing for its own sake, or to do a make-wrong. Come
>on, Greg, it's the holiday season and time to turn over a new leaf.
Dr. Sternlight, heal thyself.
Greg Hennessy
In article <348D3E30...@sternlight.com>,
David Sternlight <da...@sternlight.com> wrote:
>Since it was source code intended for compiling, not object code, and since
>the "commented out code" was intended to be a feature users could activate if
>they wished, it was a bug.
What is the evidence that it was intended to be a feature users could
activate?
Putting code around "#ifdef 0 #endif" as in
src/lib/pgp/pgpkey/pgpElGKey.c doesn't sugguest to me that it is meant
to be activated. Expecially with the comment warning of it being
experimental.
Greg Hennessy
In article <david-08129...@lax-ca69-39.ix.netcom.com>,
David Sternlight <da...@sternlight.com> wrote:
>It wasn't incomplete code. It was thought to be complete and usable, to
>add a feature to PGP. It turned out to be buggy. End of story.
David is now fabricating things out of whole cloth.
The comment clearly says "Experiment".
David, it is one thing be stubborn over the definition of what
constitutes a bug. But to misrepresent PGPInc like you did is
reprehensible.
Stop now before you damage your reputation more!
Ron Heiby
David sure seems to spend a lot of energy worrying about bugs in PGP that
get fixed before most people notice that they were there and bugs in
COMMENTS that DO NOT AFFECT the executables in any way. Seems like a
terrible waste of time, to me. I sure wish he would spend the same energy
worrying about the bugs in products that millions of people use every day,
and which do not get fixed, version after version.
--
Ron.
Greg Hennessy
In article <348D498F...@sternlight.com>,
David Sternlight <da...@sternlight.com> wrote:
>My posts were no more off topic than Hal Finney's of PGP Inc. when he posted
>the warning in question about the bug in PGP 5.0 source code.
The issue is what you post, and your ill grace of compaining that
others are off topic when you are posting off topic on a list.
When Hal Finney complains here about off topic posts, you may have a
point. Till then, nope.
>I have not posted
>personal attack posts to the IETF list.
You can stick with that story if you want, but I dont' see how
"anonymous coward" is anything but a personal attack.
Ron Heiby
si...@msh.xs4all.nl wrote:
>About half of the traffic in the pgp groups comes from this annoying idiot,
>year after year after year after year, and another 25% is wasted refuting
>this kook. Useful traffic is often hard to find.
Maybe what we need is some stuff added to the FAQ for the newsgroup(s), to
the effect that a certain person will say anything he wants and distort
anything he wants if it will cast PZ or PGP in a bad light.
While we're at it, we can add some stuff to the effect that a certain other
person takes every opportunity to go on about gun control and the suspension
of the constitution and how Abraham Lincoln was a minion of Satan.
Then, everyone would know everything that those two people say, and can
easily kill-file them without missing anything of substance.
--
Ron.
Anthony E. Greene
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 09 Dec 1997 05:37:26 -0800, David Sternlight <da...@sternlight.com>
wrote:
>Greg Hennessy wrote:
>>
>> In article <david-07129...@lax-ca66-51.ix.netcom.com>,
>> David Sternlight <da...@sternlight.com> wrote:
>> >This is an especially serious violation of
>> >netiquette since comp.security.pgp (the one I read among the
>cross-posts)
>> >is a mainstream newsgroup and not an alt.--where standards are somewhat
>> >looser.
>>
>> This comes with ill grace from somone who recently posted numerous
>> off topic posts to the IETF open-pgp mailing list.
>
>My posts were no more off topic than Hal Finney's of PGP Inc. when he
>posted
>the warning in question about the bug in PGP 5.0 source code.
In the interest of clarity, I must point out that *you* characterized the
code in question as a "bug", not Mr. Finney.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: cp850
Comment: Anthony E. Greene PGP-RSA-KeyId: Pub 1083 0x78CD4329
iQCdAwUBNI2ThERUP9V4zUMpAQFMqwQ5Adri01iozhAJLhfE6HmVc4+20cw4cHRI
RE/xoe59JAsnsN851HiwKA00u2DmaQg/QlN7ZEvr5o9/M+2e+W9lbmZIc5d6t8Tr
FHEwXrQuseGurXjlyqZFlut9IzySnWED6jiLXHEIOFtMnhoEHNtw6LS1wKaVy8iO
ZEFS4FobTb0409pKnGjsHw==
=PUV+
-----END PGP SIGNATURE-----
-------------------------------------------------------------
Anthony E. Greene <NoS...@pobox.com> NoSpam=agreene
Use PGP -- Envelopes and Signatures for Email
What is PGP? <http://www.pobox.com/~agreene/pgp/>
My PGP Key: <http://www.pobox.com/~agreene/pgp/agreene.key>
FREEWARE Win95 PGP 5.0: <http://web.mit.edu/network/pgp.html>
-------------------------------------------------------------
Matthew Burry
David Sternlight wrote:
> Listen, sonny, for my first career I was pioneering on the digital
> computer you so gracelessly post insults on, before you were a gleam
> in
> your father's eye. I wrote part of the Fortran compiler for IBM, part
> of
> the largest real-time Air Force command and control system (SAGE) of
> the
> time, and one of the first aircraft design routines for NASA's
> predecessor
> the Wright Air Development Center, all in the mid-1950's.
Self-flattery aside, the software development environment now is much
different than it was in the 1950's. Although I was not an active
programmer during this time I have spoken with professors and engineers
who told stories about one cycle of programming code, compiling code,
and executing program to take up to several days before debugging could
start. In this environment, I can understand that introducing
theoretical and experimental code was not on the minds of engineers, but
rather to build the system as spec'd. But with the power of
workstations and compilers of today, it is a widely practiced method to
experiment at the time of coding, and then to comment out such code for
possible later development. This can hardly be considered a bug when
the program does not even consider the experimental instruction set.
If this is a bug, please explain how this adversely affected the your
software...
Regards,
Matt
W T Shaw
In article <wb8fozEK...@netcom.com>, wb8...@netcom.com (David Lesher)
wrote:
>
> {Since FUD was bragging how he'd invented FORTRAN, etc; why have we
> NOT seen HIS public key cryptosystem offering yet? Maybe he's
> working on the #ifdef's for it?}
>
--
wts...@itexas.net--crypto: maintaining the right to develop,
publish, and distribute works of my own creation.
oddudnwiog iisgudsdds tisdtwwgdu sgowwuodo
uwgnaoswag gwnwoauga--an easy method done
Isaac
In article <david-08129...@lax-ca69-39.ix.netcom.com>,
>In article <66g139$d...@camel19.mindspring.com>, Is...@yellow.submarine.pla
>(Isaac) wrote:
>>project, it is possible that the practice might be unknown to you, but
>>you persist after being corrected.
>
>computer you so gracelessly post insults on, before you were a gleam in
>your father's eye. I wrote part of the Fortran compiler for IBM, part of
I don't consider suggesting someone might not understand software development
an insult but perhaps there was one somewhere in my post.
[snip of possibly relevant accomplishments]
Okay gramps. You've convinced me that you understand what we're discussing,
although I didn't see anything that suggested you'd worked with C code.
I withdraw my suggestion that you were posting out of ignorance.
Apparently you did know better and still insisted that commented out
code is a bug. I really don't know why you think that shows you
in a better light.
My point stands that no one familiar with software development using
C would fail to understand the difference between commented out
code labeled as experimental and a bug. You've simply demonstrated
that your doing so was not a mistake.
Isaac
W T Shaw
In article <66vedv$2...@camel15.mindspring.com>, Is...@yellow.submarine.pla
(Isaac) wrote:
>
> My point stands that no one familiar with software development using
> C would fail to understand the difference between commented out
> code labeled as experimental and a bug.
And, if programming only with C, you do not understand that the same is
true of so many languages. C is new in my range of programming years.
According to Prof. Miller, "Mathematics is necessary to describe physical
phenomena because words are very weak." But, be they weak, they are not
without ability to express anything in mathematics, but with less
efficiency.
I, for one, encourage the expression of complex mathematical ideas,
specifically cryptological algorithms, in words so as to make things more
understandable, since mathematics can seem rather cryptic itself at
times. As Einstein said, "If you can not explain it to a child, you don't
understand it well enough yourself."
The situation at hand is where both are used. It seems those that would
restrict some things to strick mathematics and source code as opposed to
plain language are begging the question, since all of these are
transmutable to each other, be it with differing amounts of difficulty.
What is at stake is expression, nothing less. It is convenient for some to
use a gag order of sorts, but this is only possible for a brief period of
time, and must have some definite goal and purpose with regards to
specific and limited circumstances. Any other is prior restraint.
Mathematics and programming source codes are just forms of language, like
any other spoken or written form.
Executive orders, laws, and any other attack on free speech are just forms
of saying "Shut-Up," rude and inappropriate, revealing their lack of
respect for the rights guaranteed in our society.
Isaac
In article <wtshaw-1412...@207.101.116.47>, W T Shaw wrote:
>In article <66vedv$2...@camel15.mindspring.com>, Is...@yellow.submarine.pla
>(Isaac) wrote:
>>
>> My point stands that no one familiar with software development using
>> C would fail to understand the difference between commented out
>> code labeled as experimental and a bug.
>
>And, if programming only with C, you do not understand that the same is
>true of so many languages. C is new in my range of programming years.
>
Of course I recognize this, but I was searching for some explanation other
than venom for David calling commented out code a bug. As I already
admitted, I failed to find such an explanation.
I really don't understand the point of the rest of your article. It doesn't
seem relavent to the discussion at hand.
Isaac