Politech mailing list archives

FC: Pretty Good Bug found in Windows versions of PGP


From: Declan McCullagh <declan () well com>
Date: Fri, 25 Aug 2000 08:19:40 -0700


**********

Background:
http://www.politechbot.com/p-00067.html
http://cgi.pathfinder.com/time/digital/daily/0,2822,12854,00.html
http://www.wired.com/news/print/0,1294,16219,00.html

**********

Pretty Good Bug Found in PGP
by Declan McCullagh (declan () wired com)

3:00 a.m. Aug. 25, 2000 PDT
A bug in newer versions of Network Associates' popular
PGP software exposes purportedly scrambled
communications to prying eyes.

Network Associates (NETA) Thursday confirmed the
vulnerability, discovered by a German cryptanalyst, which
allows malicious attackers to hoodwink Windows versions
of PGP into not encoding secret information properly.

The bug appeared in controversial features that the
company included to satisfy government and corporate
demands for key recovery, a technology that allows a
third party to read encrypted communications.

[...]

In December 1996, the company that became Network
Associates joined the Key Recovery Alliance, a group of
dozens of companies trying to promote the idea of key
recovery and key escrow technologies. Federal
government regulations at the time gave preferential
treatment to such products.

Because of PGP's long history of institutional opposition
to key recovery, Network Associates dropped out after
buying the smaller software company. But in February
1998 they purchased Trusted Information Systems, a
founder of the Key Recovery Alliance.

"Trusted Information Systems has been a pioneer in key
recovery and the Key Recovery Alliance where over 60
companies and systems vendors like IBM,
Hewlett-Packard, Sun Microsystems, Boeing and Motorola
are supporting their key escrow capability that allows for
the export of strong encryption under U.S. Commerce
laws," Network Associates CEO Bill Larson said in an
interview on CNNfn at the time.

Months later, Network Associates had quietly rejoined the
Key Recovery Alliance.

[...]