Backdoor or Security flaw in PGPDisk

125 views
Skip to first unread message

Robert M.

unread,
Jun 24, 2003, 6:34:22 AM6/24/03
to
Hello,
I want to inform you about my experience with PGPDisk security.

For many years i have been working at governmental agency. Over time i
was collecting sensisitve documents from my work and storing copies at
home. Due to status of documents i stored them on PGP encrypted
volume, passphrase length 28 characters, algorythm CAST 128bit,
passphrase was kept only in my mind, it was not written down.
The agency i was working for once, by accident, discovered that i was
making copies of confidential documents. So agency reported to police
and police visited my house.
Police connected laptop to my desktop computer and within fraction of
seconds they got access to all the files i stored on encrypted volume.
It is not possible to crack 128bit key within 60 seconds with today's
laptop computers, neither it's possible to exaust all combinations of
28 character passphrase. The only explanation is that there is a
SERIOUS BACKDOOR, a SECURITY FLAW in PGP.
I trusted PGP because it claimed that it can prevent major governments
from accesing my files, but what i got....?

Sincerely,
Robert

Peter

unread,
Jun 24, 2003, 6:53:43 AM6/24/03
to
Robert M. wrote:
| Hello,
| I want to inform you about my experience with PGPDisk security.
| [...]

| Police connected laptop to my desktop computer and within fraction of
| seconds they got access to all the files i stored on encrypted volume.
| [...] The only explanation is that there is a

| SERIOUS BACKDOOR, a SECURITY FLAW in PGP.

I strongly suspect that you will have to come up with quite a lot more
detail to convince the group that there is no other explanation.

| I trusted PGP because it claimed that it can prevent major governments

| from accesing my files [...]

And so it does, as all the evidence so far suggests.

But if you're looking for an alternative, you might want to give
[http://www.drivecrypt.com] a try.

--
Peter

Ron B.

unread,
Jun 24, 2003, 8:14:55 AM6/24/03
to
Robert M. wrote:

If this is not a troll, are you sure that a keylogger was not installed on
your laptop? This seems the more likely explanation.

Poop Dogg

unread,
Jun 24, 2003, 1:44:13 PM6/24/03
to
"Robert M." wrote in message <280cb468.03062...@posting.google.com>...

>Police connected laptop to my desktop computer and within fraction of
>seconds they got access to all the files i stored on encrypted volume.
>It is not possible to crack 128bit key within 60 seconds with today's
>laptop computers, neither it's possible to exaust all combinations of
>28 character passphrase. The only explanation is that there is a
>SERIOUS BACKDOOR, a SECURITY FLAW in PGP.
>I trusted PGP because it claimed that it can prevent major governments
>from accesing my files, but what i got....?

But if it were crackable that easily by local police then surely
the information would have leaked already. I mean, it's possible
that a backdoor exists, but such information would likely be
tightly guarded by intelligence agencies and the FBI, not revealed
to local police (was it the FBI or police that accessed your
computer?). Still, your story is interesting. Are you sure that
they actually cracked the encryption or is it possible that you
might have left the PGPdisk mounted?

The government has a vested interest in making the public believe
that PGP encryption is uncrackable, even if it is. If the public
lost confidence in PGP they would simply switch to another
product using a different algorithm which may actually be
uncrackable. Perhaps this is the story behind the case where
the government claimed it planted a keylogger on a suspect's
computer. That may have been a lie to cover up the fact that
the encryption had been broken or there was a backdoor.

Poop Dogg

unread,
Jun 24, 2003, 1:47:19 PM6/24/03
to
"Skulking Rogue" wrote in message ...
>"Robert M." <robe...@navigators.lv> wrote in message
>news:280cb468.03062...@posting.google.com...

>>For many years i have been working at governmental agency. Over time i
>>was collecting sensisitve documents from my work and storing copies at
>>home. Due to status of documents i stored them on PGP encrypted
>>volume, passphrase length 28 characters, algorythm CAST 128bit,
>>passphrase was kept only in my mind, it was not written down.
>
>That would make you a criminal. How much time did you spend in prison?

No worse than Wen Ho Lee who copied shitloads of classified Los Alamos
data to his personal storage tapes. But Wen Ho Lee was given special
treatment because he was a Chinese spy and we all know how Bill Clinton
was on the payroll of the Chinese government.


Paul Henrichsen

unread,
Jun 24, 2003, 7:04:18 PM6/24/03
to
robe...@navigators.lv (Robert M.) wrote in message news:<280cb468.03062...@posting.google.com>...

> Hello,
> I want to inform you about my experience with PGPDisk security.
[snip]

> and police visited my house.
> Police connected laptop to my desktop computer and within fraction of
> seconds they got access to all the files i stored on encrypted volume.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It sounds to me like you left the disk mounted, and then shared the mounted
volume. Just in case you weren't aware, when a PGPdisk is mounted, it is
effectively NOT encrypted. (PGP takes care of encrypting/decrypting on the fly
so the OS can access the volume just like any other non-encrypted disk).

- --Paul
- -----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GS d(-) s-; a C++(+)$ U L+ E? W+(+) N++ o? w++ !O M V PS+(--)
PE++ Y+ PGP++$ t+ 5 X+ R+(++) tv(--) b++(+) DI++ D G e h r% y
- ------END GEEK CODE BLOCK------

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBPvjY48AKPcpjJcATEQKCAQCgjSH2XpC6JDlssk1jgU0gNBX5bqIAn1DH
2GLe64VLGlnSOB1YZBdV09Zm
=ng0b
-----END PGP SIGNATURE-----

ms

unread,
Jun 24, 2003, 10:12:25 PM6/24/03
to
In article <48lhfv44c2orsafeb...@4ax.com>, Beretta <no_...@please.com> wrote:

>Oh please. If you were copying "sensitive documents", the agency you worked for
>would not have contacted the police. They would have contacted the FBI. The
>Federal Goverment does not use local police departments to handle matters of
>national security. Nice try.
>

I think you are blindly assuming the original poster is in the USA

Robert M.

unread,
Jun 25, 2003, 6:08:43 AM6/25/03
to
Peter <HumbleSer...@web.de> wrote in message news:<bd9ajo$qe22r$1...@ID-197699.news.dfncis.de>...

> Robert M. wrote:
> | Hello,
> | I want to inform you about my experience with PGPDisk security.
> | [...]
> | Police connected laptop to my desktop computer and within fraction of
> | seconds they got access to all the files i stored on encrypted volume.
> | [...] The only explanation is that there is a
> | SERIOUS BACKDOOR, a SECURITY FLAW in PGP.
>
> I strongly suspect that you will have to come up with quite a lot more
> detail to convince the group that there is no other explanation.

Ask what you want to know and i'll answer.

Robert M.

unread,
Jun 25, 2003, 6:12:55 AM6/25/03
to
"Ron B." <zyp...@spamcop.net> wrote in message news:<3hXJa.6252$R73.2020@sccrnsc04>...

> Robert M. wrote:
>
>
> If this is not a troll, are you sure that a keylogger was not installed on
> your laptop? This seems the more likely explanation.

It wasn't Laptop, it was Desktop computer kept at home.
Documents were taken from work, scanned, copied to PGP volume and
wiped with 9-pass PGP wipe.
Every 6 months Computer was completely reinstalled from scratch with
Hard drive formatting, operating system was fresh new, programs also.
Passphrase has never been written down, systematic keylogger check was
done once in every two weeks, No pagefile was used (640mb ram), no
public key to avoid cracking all volumes with one passphrase.
Documents were never copied to unencrypted drives, only migrated
sometimes to 650mb volumes to write backup CD's.

Robert

Robert M.

unread,
Jun 25, 2003, 6:19:34 AM6/25/03
to
"Poop Dogg" <nos...@nospam.com> wrote in message news:<SN2dneD-3uN...@bravo.net>...

> "Robert M." wrote in message <280cb468.03062...@posting.google.com>...
>
> But if it were crackable that easily by local police then surely
> the information would have leaked already. I mean, it's possible
> that a backdoor exists, but such information would likely be
> tightly guarded by intelligence agencies and the FBI, not revealed
> to local police (was it the FBI or police that accessed your
> computer?). Still, your story is interesting. Are you sure that
> they actually cracked the encryption or is it possible that you
> might have left the PGPdisk mounted?

I was sending some documents overseas to USA to my friends. Documents
were sent PGP-encrypted with public key of recipient.
On court order was said that they got information from FBI that
confidential documents were distributed. (Maybe recipient made leak,
but anyway, i have never exposed my passphrase to anyone). Possibly
there was some cooperation between FBI and local police departament.
They got thru encryption, because computer was switched off at the
moment of police visit. I monitored the procedure how they were
accesing my data. Policeman tooked his laptop, took a device, which he
connected to my pc , then switched on my pc, switched on laptop,
pressed some keys... and reported "Here we have what we are looking
for" and then police told me that i have a lot of documents on my
pc...


> The government has a vested interest in making the public believe
> that PGP encryption is uncrackable, even if it is. If the public
> lost confidence in PGP they would simply switch to another
> product using a different algorithm which may actually be
> uncrackable. Perhaps this is the story behind the case where
> the government claimed it planted a keylogger on a suspect's
> computer. That may have been a lie to cover up the fact that
> the encryption had been broken or there was a backdoor.

Robert

Robert M.

unread,
Jun 25, 2003, 6:21:39 AM6/25/03
to
"Poop Dogg" <nos...@nospam.com> wrote in message news:<NLidnWLjA8Q...@bravo.net>...

> "Skulking Rogue" wrote in message ...
> >"Robert M." <robe...@navigators.lv> wrote in message
> >news:280cb468.03062...@posting.google.com...
> >>For many years i have been working at governmental agency. Over time i
> >>was collecting sensisitve documents from my work and storing copies at
> >>home. Due to status of documents i stored them on PGP encrypted
> >>volume, passphrase length 28 characters, algorythm CAST 128bit,
> >>passphrase was kept only in my mind, it was not written down.
> >
> >That would make you a criminal. How much time did you spend in prison?

I had good lawyer. 2 weeks actually in prison, 1 year +3 months for
each document distribution case * 35 cases = 10 years on probation.

> No worse than Wen Ho Lee who copied shitloads of classified Los Alamos
> data to his personal storage tapes. But Wen Ho Lee was given special
> treatment because he was a Chinese spy and we all know how Bill Clinton
> was on the payroll of the Chinese government.

Robert

Robert M.

unread,
Jun 25, 2003, 6:23:26 AM6/25/03
to
woef...@hotmail.com (Paul Henrichsen) wrote in message news:<cd66622.03062...@posting.google.com>...

> It sounds to me like you left the disk mounted, and then shared the mounted
> volume. Just in case you weren't aware, when a PGPdisk is mounted, it is
> effectively NOT encrypted. (PGP takes care of encrypting/decrypting on the fly
> so the OS can access the volume just like any other non-encrypted disk).

I'm not a newbie in computers.
PGP volumes weren't mounted because computer was off at the arrival of police.

Robert


>
> - --Paul

Robert M.

unread,
Jun 25, 2003, 6:25:17 AM6/25/03
to
lav...@cygnus.uwa.edu (ms) wrote in message news:<bdb0e3$s76$1...@enyo.uwa.edu.au>...


I am located in Europe.

Robert

Gamma3000

unread,
Jun 25, 2003, 2:09:24 PM6/25/03
to
"Robert M." <robe...@navigators.lv> wrote in message
news:280cb468.03062...@posting.google.com...
> "Poop Dogg" <nos...@nospam.com> wrote in message
news:<SN2dneD-3uN...@bravo.net>...
> <snip>

> I was sending some documents overseas to USA to my friends. Documents
> were sent PGP-encrypted with public key of recipient.
> On court order was said that they got information from FBI that
> confidential documents were distributed. (Maybe recipient made leak,
> but anyway, i have never exposed my passphrase to anyone). Possibly
> there was some cooperation between FBI and local police departament.
> They got thru encryption, because computer was switched off at the
> moment of police visit. I monitored the procedure how they were
> accesing my data. Policeman tooked his laptop, took a device, which he
> connected to my pc , then switched on my pc, switched on laptop,
> pressed some keys... and reported "Here we have what we are looking
> for" and then police told me that i have a lot of documents on my
> pc...
> <snip>

If the evidence was used in court, then surely the method the police used to
access the data would have been revealed. Did you 'fess up without checking
that they wern't calling your bluff, saying they had the documents to see
how you'd react?
Have you got any details about the case so that it can be checked?


Ardeacinco

unread,
Jun 25, 2003, 2:24:10 PM6/25/03
to
Uh this guy isn't American. What is he Latvian? Yeah ok. Thus the local
police angle. Local police are government police in such places. Good
lawyers my ass, though. I would say key logger and you probably never knew
at all.
I would just love to know how you got out. Really and who else besides the
USA(supposedly) where you selling documents too, hmmmmmm? We don't pay
enough for humint anymore to be able to pay for good lawyers.

"Robert M." <robe...@navigators.lv> wrote in message
news:280cb468.03062...@posting.google.com...

Nomen Nescio

unread,
Jun 26, 2003, 12:30:01 AM6/26/03
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My response is inline, and the following assumptions are made:

1. The PGP program is secure and safe.
2. All cipher algorithms are secure and safe.
3. The user read the manual and understands signing, encrypting,
decryption, verifying, and how public key cryptography works (and
doesn't work).

On 24 Jun 2003 03:34:22 -0700, robe...@navigators.lv (Robert M.)
wrote in <news:280cb468.03062...@posting.google.com>:

>
>Hello,
>I want to inform you about my experience with PGPDisk security.
>
>For many years i have been working at governmental agency. Over time
>i was collecting sensisitve documents from my work and storing
>copies at home. Due to status of documents i stored them on PGP
>encrypted
>volume, passphrase length 28 characters, algorythm CAST 128bit,
>passphrase was kept only in my mind, it was not written down.
>The agency i was working for once, by accident, discovered that i
>was making copies of confidential documents. So agency reported to
>police and police visited my house.
>Police connected laptop to my desktop computer and within fraction
>of seconds they got access to all the files i stored on encrypted
>volume.
>

After an anonymous tip, the agency you worked for kept close
surveillance on you, since they control their own equipments (and
placed a hidden camera in your office) it was easy for them to know
exactly what file(s) you took.

Knowing that you might have PGP (or other encryption) the agency gave
a copy of one of these files to the police, and when you got home,
the cop placed the file on your PC and you got "busted". You can't
say you got "framed" since the agency has you "on tape" taking the
files.

>
>It is not possible to crack 128bit key within 60 seconds with
>today's laptop computers, neither it's possible to exaust all
>combinations of 28 character passphrase. The only explanation is
>that there is a
>SERIOUS BACKDOOR, a SECURITY FLAW in PGP.
>I trusted PGP because it claimed that it can prevent major
>governments from accesing my files, but what i got....?
>

You downloaded a copy of PGP (source or binary) from an un trusted
location, an illegal FTP or Warez site (or maybe your friend gave you
his "hacked" version).

This copy of PGP automatically included several "back doors" such as,
encrypting your data to your government's "master PGP key", sending
your secret keys and pass phrase to a remote server, making a clear
text copy of all encrypted data etc..

If you compiled your own version from a trusted source code, then you
might need to update your programming skills, since you may have
created the flaw in the PGP disk you where using.

On 25 Jun 2003 03:12:55 -0700, robe...@navigators.lv (Robert M.)
wrote in <news:280cb468.03062...@posting.google.com>:

<snip>

>
>Documents were taken from work, scanned, copied to PGP volume and
>wiped with 9-pass PGP wipe.
>Every 6 months Computer was completely reinstalled from scratch with
>Hard drive formatting, operating system was fresh new, programs
>also. Passphrase has never been written down, systematic keylogger
>check was done once in every two weeks, No pagefile was used (640mb
>ram), no
>public key to avoid cracking all volumes with one passphrase.
>Documents were never copied to unencrypted drives, only migrated
>sometimes to 650mb volumes to write backup CD's.
>

Even after taking these precautions, a key logger was still placed on
the ports of your mouse, keyboard, speakers, microphone, sound card,
camera, monitor, modem, NIC card, printer, etc.. you may have failed
to check all input/output devices.

Knowing that you format your drive, all of your operating system's CD
ROMs where replaced with a copy that automatically included a key
logger.

If you have surveillance cameras in your home (to prevent the
tampering of your PC). It is possible that the police used your own
equipment against you, and they watch you enter your pass phrase with
your own camera.

On 25 Jun 2003 03:19:34 -0700, robe...@navigators.lv (Robert M.)
wrote in <news:280cb468.03062...@posting.google.com>:

>
>I was sending some documents overseas to USA to my friends.
>Documents were sent PGP-encrypted with public key of recipient.
>On court order was said that they got information from FBI that
>confidential documents were distributed. (Maybe recipient made leak,
>but anyway, i have never exposed my passphrase to anyone). Possibly
>there was some cooperation between FBI and local police departament.
>They got thru encryption, because computer was switched off at the
>moment of police visit. I monitored the procedure how they were
>accesing my data. Policeman tooked his laptop, took a device, which
>he connected to my pc , then switched on my pc, switched on laptop,
>pressed some keys... and reported "Here we have what we are looking
>for" and then police told me that i have a lot of documents on my
>pc...
>
>

The police took the secret key of your recipient (or FBI agent posing
as your trusted friend), and was able to decrypt all of the data on
the "sent" folder of your email program.

Did you remember to turn off or disable options like "hibernation
mode", "restore settings nextime i log on", "save system state", or
"resume on power-on" all of these setting dump or save everything of
the RAM to the harddisk, including your PGP passphrase.

On 25 Jun 2003 03:23:26 -0700, robe...@navigators.lv (Robert M.)
wrote in <news:280cb468.03062...@posting.google.com>:

<snip>

>
>I'm not a newbie in computers.
>

You are still "Human" , and can (or will) make a mistake.


-----BEGIN PGP SIGNATURE-----

iQEVAwUBPvp0KmhaeGJBIvoqAQKLawf9FQYrAjPH0Hep29L+YXsAr/7gbLncKOub
jOSkfdOeqzyIRsbp+ymjdIgggb5s8cfmEvqDBmVzLk3mqlBFUQak31PMRAX72V+Q
/ytFANu7bEHwjMA1crq2/8h8liiKJ2EGZkt8gIjiM7iWKfHsS70HpsFG+9JEaLIh
Q0MQhtxm6D93hUBDgQ1xjOI1S0b8p8D48nvNbjcJ493OZmqjOOU/w2bkfBJmXCdn
9vrdKXZO8GGy+XNQkNnsRhsCXRkXJiIdziIxQZZmurbUlrThmWwffYmai82I5lI2
o9PbEB/BvjsGCgDE6/KNIWwfxgzF0tDETbCKM3ogsKfeK2glnwjLVQ==
=iK/P
-----END PGP SIGNATURE-----

_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE*
http://join.msn.com/?page=features/virus

Frode

unread,
Jun 26, 2003, 2:32:21 AM6/26/03
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nomen Nescio wrote:
> Even after taking these precautions, a key logger was still placed on
> the ports of your mouse, keyboard, speakers, microphone, sound card,
> camera, monitor, modem, NIC card, printer, etc.. you may have failed
> to check all input/output devices.

I assume you have a good reason to put soundcard/speakers/camera as likely
places for keyloggers to be placed. How would a modified soundcard be able
to log keystrokes? Or a camera for that matter (not counting visually)? Or
speakers? The printer? Unless he prints his password what good would that
do?

- --
Frode


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBPvqTdOXlGBWTt1afEQInigCgjb+bwoa9HPUFetJG2ZLXl4vXj5wAoOnX
Tmj1gv2W4PAAJg3ikgyNPbN0
=g/3P
-----END PGP SIGNATURE-----


r00tkid

unread,
Jun 26, 2003, 9:01:07 AM6/26/03
to
robe...@navigators.lv (Robert M.) wrote in message news:<280cb468.03062...@posting.google.com>...

> The only explanation is that there is a
> SERIOUS BACKDOOR, a SECURITY FLAW in PGP.
> I trusted PGP because it claimed that it can prevent major governments
> from accesing my files, but what i got....?


No, a backdoor is *not* the only explanation. You may have been a
victim of a "tempest attack". Your computer equipment emits enough
electromagnetic radiation (especially the monitor) to catch eveything
that is shown on your screen or what you type on the keyboard.

You may have been under observation for quite some time and so they
were able to mount their intercepting equipment veeeery veeeery near
your home and your working room.

For "normal" people there's hardly any protection available against
tempest attacks, there is special hardware available that is immune,
but that's not available in your favourite computer shop... Use Google
to learn more about tempest attacks.

Tempest attacks are a bitter lesson for us all, because we see, that
if "they" really want to get the information they want to have, "they"
*will* be able to get it, no matter how safe your encryption is.

Unfortunately many people are not aware of this kind of attack and if
you contact monitor vendors they don't give any answer what they would
do to protect customers. Of course, no governemnt on this planet would
allow wide spread availability of hardware immune against this kind of
attack.

Nomen Nescio

unread,
Jun 26, 2003, 9:21:06 AM6/26/03
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 26 Jun 2003 08:32:21 +0200,
"Frode" <ne...@mascot.REMOVETOREPLY.dyndns.org> wrote in
<news:3efa...@news.broadpark.no>:

>
>> Nomen Nescio wrote:
>> Even after taking these precautions, a key logger was still placed
>> on the ports of your mouse, keyboard, speakers, microphone, sound
>> card, camera, monitor, modem, NIC card, printer, etc.. you may
>> have failed to check all input/output devices.
>>
>I assume you have a good reason to put soundcard/speakers/camera as
>likely places for keyloggers to be placed. How would a modified
>soundcard be able to log keystrokes? Or a camera for that matter
>(not counting visually)? Or speakers? The printer? Unless he prints
>his password what good would that do?
>

Ok, you got me, I guess I went to far. Sorry.

Maybe my "assumption #4" should have been: "The agency spares no
expense to catch you" and maybe, just maybe, those other devices
would have been valid?

Anyway, since I can't prove it (not yet) I'll change that to:

"Even after taking these precautions, a key logger was still placed
on

the ports of your mouse, keyboard, monitor ("tempest attack" see:
<news:afda6f0b.03062...@posting.google.com>),
microphone (they can hear the keys when you type?),

<sarcasm> speakers, sound card,
camera, modem, NIC card, printer, etc.. </sarcasm>

you may have failed to check all input/output devices."


-----BEGIN PGP SIGNATURE-----

iQEVAwUBPvrx32haeGJBIvoqAQL9sQf/Ujb3DD0yTSNwiBiA9hgu+A18TTV7caJL
/43yOcsPNluk3SH+t4KD9B/tdrb8hM2HbxONFURE7j++eg2PNB92hEG+75WFr0Vk
4MUWEAo1Go0NJQXesmHS++fOqYIL+IsAj45rt2hXhcvfTJ6qlrMIdzuDaUJRRr+c
vb7rpxhOcRkmnDS3YjnLEBSHDMoyZlYcNdnjQSz0QGLML3fB35UB3ahhRcZmUhFo
NVC06fo1urjH7TPxm02QjiqKsP0SDh/VXQbKkYHim5RMyY+8g9wZpEjqMbQTvNQg
sFAxnmJliFX9gEm5vkhiIbxjx8ZBvypj4k481YOZFlcLzXDHpvEdTw==
=AEQ8
-----END PGP SIGNATURE-----

_________________________________________________________________
Add photos to your messages with MSN 8. Get 2 months FREE*.
http://join.msn.com/?page=features/featuredemail

Frode

unread,
Jun 26, 2003, 9:46:48 AM6/26/03
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nomen Nescio wrote:
>> I assume you have a good reason to put soundcard/speakers/camera as
>> likely places for keyloggers to be placed. How would a modified
>> soundcard be able to log keystrokes? Or a camera for that matter
>> (not counting visually)? Or speakers? The printer? Unless he prints
>> his password what good would that do?
> Ok, you got me, I guess I went to far. Sorry.

Hehe, I was hoping that was the reason :)

> the ports of your mouse, keyboard, monitor ("tempest attack" see:
> <news:afda6f0b.03062...@posting.google.com>),
> microphone (they can hear the keys when you type?),

Dunno about that last one. I'm having a hard time imagining they can figure
out what key you just pushed based on nothing more than the sound of it.
Possibly if the mic was special and the position of the keyboard relative
to the mic was known, I guess. Anyways, the point is the one several have
made: The guy that claims PGP is flawed almost certainly either messed up
or was monitored in such a way that his passphrase was made available to
law enforcement.


- --
Frode

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBPvr5Q+XlGBWTt1afEQKHNwCeKJVQnF+0/lH7e1LjJ1nGJIwrxCoAnAwH
awKd+3ExsrnAx5PerdKJvF7k
=dGY2
-----END PGP SIGNATURE-----


Paul Rubin

unread,
Jun 26, 2003, 11:07:19 AM6/26/03
to
robe...@navigators.lv (Robert M.) writes:
> Police connected laptop to my desktop computer and within fraction of
> seconds they got access to all the files i stored on encrypted volume.

They would not do that in front of you, idiot.

> It is not possible to crack 128bit key within 60 seconds with today's
> laptop computers, neither it's possible to exaust all combinations of
> 28 character passphrase. The only explanation is that there is a
> SERIOUS BACKDOOR, a SECURITY FLAW in PGP.

The obvious explanation is your story is fiction.

Robert M.

unread,
Jun 26, 2003, 12:46:33 PM6/26/03
to
OK, i won't try to convince you anymore.
It's because PGP is a legend. And legends cannot be destoryed. It's
like Robin Hood or bin Laden. Government can catch him, execute him,
but in people's minds it will still remain as "uncatchable", and any
"Bin Ladens" or "Robin's" will be counterattacked, called as
falsificated, called as decoys, etc...

Question:
Do anyone of you had real experience, preferably eye-witnessed, with
law enforcement trying to get access to PGP encrypted data?

I had it and i know what i'm talking about.

Have there been any official statements, for example, from FBI, NSA,
BKA, etc that they admit that PGP encryption is uncracable?

I think that your trust in PGP is based only in your experience and
"world's opinion". But basing your opinion on opinions of other people
it is the way how stereotypes and misconceptions are being created.

Sincerely,
Robert

Frode

unread,
Jun 26, 2003, 1:25:47 PM6/26/03
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert M. wrote:
> I think that your trust in PGP is based only in your experience and
> "world's opinion". But basing your opinion on opinions of other people
> it is the way how stereotypes and misconceptions are being created.

I know PGP can be decrypted. I also know it's so far limited to low bit
keys and that's limited to people with security clearances the names of
which are even classified. Your "story" is little more than that. A story.
Not only does it fly in the face of how law enforcement technicians work,
there's been much larger cases than this where the govt has plain given up.
UK law (I've only been told this online so somebody correct me if I'm
misinformed) stipulates punishment buy up to 2 years if you refuse to give
up your password if the court orders you to do so. Would they bother if
they could crack it? I believe Mitnick had substancial amounts of data the
prosecution wanted access to, but that Mitnick denied them the passphrase
to. He was also denied the ability to access the data for his own defense
without also allowing the prosecution said access (memory a bit foggy on
this one, but bar the odd detail I think it's fairly accurate).

It basically boils down to a few things. The details of your story are not
credible. This has nothing to do with myth. Law enforcment computer experts
don't run around with laptops to do forensic analysis of a suspect's
computer in the suspect's home. They just don't, yet you claim so, which
would indicate they were most likely bluffing you if what you're saying is
indeed true. Another thing is that you are so far the only known person
worldwide to have claimed to have had PGP encrypted content compromised
without any possibility of passphrase/key leak. If it was so easy they use
it on an insignificant like you, do you honestly think they wouldn't use it
on captured terrorists' handhelds? It just doesn't gel.

Bottom line. If you are telling the truth, you just fucked up somewhere and
you can't remember it, or you have no way of knowing you were monitored, or
you were bluffed.


- --
Frode

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBPvssmOXlGBWTt1afEQIpmgCdHoiBBnqW8jQ2RWE+iDAU9tL6/CkAmgKL
zYF7b1E4AtQw7ruzYD7wntm9
=gjkA
-----END PGP SIGNATURE-----


Gamma3000

unread,
Jun 26, 2003, 1:58:24 PM6/26/03
to
"Robert M." <robe...@navigators.lv> wrote in message
news:280cb468.03062...@posting.google.com...
> <snip>

> Question:
> Do anyone of you had real experience, preferably eye-witnessed, with
> law enforcement trying to get access to PGP encrypted data?
> <snip>

Was there not a case not so long ago where some people in Spain (I think)
were arrested and had PGP encrypted data on their PDAs, but the police
couldn't access it?
These people were terrorists. If they can decrypt the data, they would have
done.


Paul Rubin

unread,
Jun 26, 2003, 2:41:13 PM6/26/03
to
robe...@navigators.lv (Robert M.) writes:
> Do anyone of you had real experience, preferably eye-witnessed, with
> law enforcement trying to get access to PGP encrypted data?

There has been plenty of such experience, for example the Nicodemo
Scarfo case which was in the news a few months ago. Scarfo used PGP
to encrypt the evidence of some scam he was involved in and the FBI
couldn't crack it. So they got a search warrant and used it to
surreptitiously install a keystroke recorder into his computer to get
his passphrase. They waited a while and then seized his computer and
used the recorded passphrase to unlock the seized secret key and
decrypt his files. They did not "crack" PGP in the sense of
cryptanalyzing it.

> I had it and i know what i'm talking about.

No you haven't. If they did to you what you claim, why aren't you in
jail? Why is all the stuff you're claiming so vague? If you want
your story to have a shred of credibility, start giving some
verifiable evidence, like what agency you were working for, what
police department supposedly raided you, and copies of any police
reports. One assumes also that you have good counsel to defend you
from the kind of prosecution Wen Ho Lee received. What is your
lawyer's name and phone number, so s/he can be contacted for details?

> Have there been any official statements, for example, from FBI, NSA,
> BKA, etc that they admit that PGP encryption is uncracable?

Of course not, idiot. They do not comment on such things.

> I think that your trust in PGP is based only in your experience and
> "world's opinion". But basing your opinion on opinions of other people
> it is the way how stereotypes and misconceptions are being created.

I don't need other people to tell me that you are full of shit.

Poop Dogg

unread,
Jun 26, 2003, 3:23:51 PM6/26/03
to
"Frode" wrote in message <3efa...@news.broadpark.no>...

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Nomen Nescio wrote:
>> Even after taking these precautions, a key logger was still placed on
>> the ports of your mouse, keyboard, speakers, microphone, sound card,
>> camera, monitor, modem, NIC card, printer, etc.. you may have failed
>> to check all input/output devices.
>
>I assume you have a good reason to put soundcard/speakers/camera as likely
>places for keyloggers to be placed. How would a modified soundcard be able
>to log keystrokes? Or a camera for that matter (not counting visually)? Or
>speakers? The printer? Unless he prints his password what good would that
>do?

After the Gulf War against Iraq in 1991, I heard about how American
intelligence managed to plant a virus or trojan in a printer they
knew was destined for Iraq. Somehow the printer virus managed to
infect a key Iraqi computer system and compromise or disable it.


Frode

unread,
Jun 26, 2003, 4:57:16 PM6/26/03
to
Juergen Nieveler wrote:
>> After the Gulf War against Iraq in 1991, I heard about how American
>> intelligence managed to plant a virus or trojan in a printer they
>> knew was destined for Iraq. Somehow the printer virus managed to
>> infect a key Iraqi computer system and compromise or disable it.
> A UL based on an April Fools joke...

Although, based on today's two-way communication between printer and driver,
one could presumably exploit a bug in the driver via the printer's
communication with it to install something on the target computer. Or load
the driver with a trojan, of course.


--
Frode


Jason Tik

unread,
Jun 26, 2003, 9:18:37 PM6/26/03
to

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| Have there been any official statements, for example,


| from FBI, NSA, BKA, etc that they admit that PGP
| encryption is uncracable?

If they said that then I would no longer trust it. It
would obviously mean that it was cracked. <mutters insults
about your stupidity>


GO AWAY YOU PARANOID

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

Comment: My Key: 6ACE DC2C 4C5A 9911 96F3 DDEB C7EC A953 ADE5 0951

iQIVAwUBPvubZMfsqVOt5QlRAQLVAQ/9HH4dkIxSPgkYcKhKm71T/1O6gdde8s2c
whiM3FBc76RfOJcdg03rF0ygWWZNZZFXuX7Bv/f7LXcRkQcLE3VNu56uEpb8+S+/
gd8cufIPrfncZBKjP+E2PlrjYUWFSjG57dOeZODwbCic7VRqVNOlJWTGaWgBuG7W
59eKcTNrEULlLz/KdTjWO2DuEn9HjEEq33tngxkleSDI2IT3fqHYf7PIMpXGA9vb
wqlg0xe93W69DCPeydoZpfLxnyvnyQdSzmblFYmHvr4rX92908RZ8EPgwfiPk0Fn
Zz5NTTlZH7aRB6BW8+6GvDii5lV5cEwE33zdFH/1+8KJBZfhf56hTmjkeHY1jCmT
Yh5WbGy5Sq727O7eP6/8mvQ3tnWIMGUBAc3HH7us+nLFJeJsSXkhGWIjOP3bPf0g
QfDDtxQZESqYYz+6kLVT+kfcygyLmyvKS1sRGTxPCFZ3fLe2e6QIVwgRhwwqCIbp
njLlIAvf8cyBVtn0P99xl95ZDuOUuF0mZ51fkmQSiUUaKzaH0+AWnUqE9fwIjpq5
NnW8H5VSvokf91AtQx78AESyHoFyuh5cZRPJzWspu08FS1iVEpfVkqczBLye4dC7
gEuoQ70KCNNa+dpxfl1GXrJqBTS6M4Z9sISP9Hyd92LoUQlFBBaUmD7srh/eTvZ9
CDi05nw+zZQ=
=BhEb
-----END PGP SIGNATURE-----


John Veldhuis

unread,
Jul 7, 2003, 9:07:40 AM7/7/03
to

In the Wintel world some printerdrivers even turn printjobs into .exe
file, and executes those...

Groetjes,
John

Reply all
Reply to author
Forward
0 new messages