Pro-Liberty HOME

Important Information About PGP & Encryption


Last Update: 4/22/98

I have tried to provide mostly external links to keep information more distributed and current. Please let me know if any links break or appear to have changed. I have made local copies of many of the linked documents so I can substitute them in the future, if needed.

Outline

Send Feedback and Additional Information to:


Background History of PGP and PGP, Inc.

A brief chronology is available online: PGP Timeline - by Adam Back

A more detailed historical review can be found in the book:

"PGP: Pretty Good Privacy" by Simon Garfinkel (O'Reilly & Assoc.)

Some links for additional information on encryption are:


Key Escrow, Key Recovery and The Key Recovery Alliance (KRA)

"Key Recovery" is the new term for what was originally called "Key Escrow" and which was generally discredited during years of public debate on "Clipper", "Digital Telephony" and other electronic monitoring schemes. It is old wine in a new bottle.

Key Recovery is the process by which a 'master key' is created and archived, separate from a user's secret encryption key, that would allow messages to be decrypted with or without the user's consent and with or without a court order. Aside from public assurances by alleged 'government officials' that you should trust them to manage these keys responsibly, Key Recovery would compromise both privacy and security.(Except, perhaps, job-security for spooks: if individuals have the power to protect themselves from fraud and other crimes, through encryption, who needs the FBI?)

Federal agencies are trying by every means at their disposal to make Key Recovery mandatory and thereby seize unprecedented new capabilities to monitor all domestic electronic communications.

After having lost the first round of debates over 'Key Escrow' and the NSA-sponsored 'Clipper Chip' (an eavesdropping device intended to become a required 'feature' of ALL electronic communications equipment), the alleged U.S. government changed strategy.

Now, instead of overtly bullying Americans into accepting such pervasive snooping capabilities, they are trying to pressure businesses into 'voluntarily' building Key Escrow into their products, in exchange for export licenses and government contracts. Administration for cryptography export policy was transferred from the State Dept.to the Commerce Dept. and the "Key Recovery Alliance" (KRA) was founded, ostensibly as an 'industry-led' effort (if you believe the propaganda, that is).

From: Crypto crack-up, By Will Rodger, Inter@ctive Week Online

February 20, 1998 2:08 PM PST

Under terms of Commerce Department regulations issued in December 1996, more than 60 software and hardware companies agreed to develop encryption technologies that would give law enforcement access to encoded e-mail, computer disks and telephone calls when presented with a court order. In return, they were promised the ability to export medium-strength encryption without key recovery until the end of this year, at which point the federal government would begin requiring that all exports include the "key recovery" technology.

The overall strategy is the classic 'carrot and stick' approach: KRA speaks of 'voluntary' compliance while actions by the FBI, NSA, CIA represent the other side of the equation. See: CyberWire Dispatch: Shadow Cryptocrats, 2/24/98

While there is some indication that the KRA may not be shaping up exactly the way the alleged US government would like (See also: Encryption Infighting Emerges), those companies which choose to become members are effectively endorsing the government plan by accepting the policy of developing Key Recovery systems when they could alternately "Just Say No To Mandatory Key Escrow".

The following inside information on the KRA is excerpted from the Federal Register [27 February 1998] and is available from: http://www.access.gpo.gov/su_docs/aces/aces140.html

Notice Pursuant to the National Cooperative Research and Production Act of 1993; Key Recovery Alliance (``KRA'')

[ snippage ]

The notifications were filed for the purpose of invoking the Act's provisions limiting the recovery of antitrust plaintiff's to actual damages under specified circumstances.

Interesting...KRA might otherwise be considered a cabal

Pursuant to Sec. 6(b) of the Act, the identities of the parties are: Apple Computer, Inc., Cupertino, CA; Cylink Corporation, Sunnyvale, CA; Data Securities International, Inc., San Diego, CA; Digital Equipment Corporation, Nashua, NH; Golden Star Technology, Inc., Cerritos, CA; Information Resource Engineering, Inc., Baltimore, MD; Intel Corporation, Hillsboro, OR; International Business Machines, Inc., Somers, NY; Motorola, Scottsdale, AZ; NCR, West Columbia, SC; Novell Inc., Provo, UT; Sourcefile, Atlanta, GA; Sun Microsystems, Inc., Mountain View, CA; Trusted Information Systems, Inc., McLean, VA.

Note the absence of Microsoft.

[The current membership list can be found at: http://www.kra.org/roster.html]

KRA was formed for the following purposes:
(a) Stimulate global electronic commerce by encouraging the harmonization of market driven solutions available globally for secure communication using strong encryption;
(b) serve as a focal point for industry efforts to develop commercially acceptable solutions for recovery of encrypted information;
(c) determine interoperability concerns and potential architectural solutions among key recovery technologies and non-key recovery technologies;
(d) support the development of a global infrastructure that supports recovery of encrypted information and
(e) promote the implementation, deployment and use of interoperable key recovery technologies in the market. In furtherance of the foregoing purposes, KRA may undertake research, development, analysis, testing, study, and experimentation concerning or relating to key recovery technologies, and it may engage in the collection, exchange and analysis of research information concerning key recovery technologies.

The following, from: Frequently Asked Questions About the Key Recovery Alliance:

Does key recovery maintain my current legal protections against unlawful search and seizure? Will I have less protection if I use key recovery?

The KRA believes that many of the more recent forms of key recovery offer stronger protection against unlawful search and seizure.

I can't imagine how giving anyone access to your files could make them more secure. And KRA makes no attempt to justify this assertion.

Here is an another KRA publication exerpted from:

CRYPTOGRAPHIC INFORMATION RECOVERY USING KEY RECOVERY: A Working Paper by the Technology Committee of the Key Recovery Alliance, Version 1.2, August 18, 1997

Differing regulations may create different requirements for communications that are multi-national in scope; the capability for key recovery might be required in each jurisdiction involved (rather than just at one end of a communication). Any security infrastructure intended to span the globe must take into account the requirements in each of the affected jurisdictions. Many of the schemes involving various forms of TTP may be modified to support multi-jurisdiction key retrieval without additional overhead.

It is desirable that requirements in more-demanding jurisdictions do not result in undue additional costs, increased complexity, or decreased usability of products in the less-demanding jurisdictions.

[snippage...]

Key Recovery: Desirable Characteristics

[snippage...]

In addition, some technologies may help meet government regulations regarding import/export/use of encryption, when such regulations exist, and these may thereby offer advantages with respect to global deployment of strong encryption.

There is not one word of caution about the political dangers inherent in the technologies they are discussing. KRA is searching for ways to 'comply' with any conceivable government key-escrow law simply in order to make the most money in a global marketplace - they couldn't care less about individual freedom or the dangers of Big Brother.

To its credit, I did find one mention of 'voluntary' use of key recovery on the KRA web site.

In a rebuttal to a New York Times editorial, KRA said the following:

Furthermore, the KRA also believes that use of such systems should be voluntary, not government-mandated, and that government-designed or government-imposed encryption technology solutions will inevitably fail to win marketplace acceptance. The KRA policy paper, Public Policy Requirements for a Global Key Recovery Infrastructure, clearly presents our views on voluntary use of key recovery and on due process, judicial review, and legal standards for government access.

This statement is logically inconsistent: how can something be 'voluntary' if there are 'legal standards' for making it mandatory? I don't know if this rebutall was ever printed by the New York Times but, in any case, it is factually incorrect as well as illogical. (Was it perhaps just a smokescreen?)

In reviewing the document cited above, I discovered that the word 'voluntary' was never used by KRA. The closest I could find was the following statement:

...government-designed or imposed encryption technology solutions will inevitably fail to win marketplace acceptance.

This is quite different from saying that mandatory use is wrong! What KRA is really saying is simply: "pay us to design it for you..."

....The Alliance understands that governments may wish to designate certain encryption product performance expectations to enable them to perform their public safety roles. But in doing so, governments must ensure that such statements of expectations must be independent of any product, design, or underlying technology.

[snippage...]

Legal Issues

Public policy must --

[snippage...]

12. Establish legal access standards for government to Key Recovery information under conditions of due process, including procedures clearly stating the government's accountability and auditability.

This is the same language the anti-freedom-fighters (FBI, NSA, Clinton, Gore, Reno, etc.) use in attempting to force mandatory Key Recovery down our throats. I won't address the fundamental legal problems that wiretapping is a 'general' search and an abridgement of freedom of speech, violating the Constitution in several ways. Which protects you more: arbitrarily applied 'due process' or strong, unescrowed encryption?

[snippage...]
15. Develop a common understanding among governments around the world on the language of Key Recovery in an effort to promote clarification and consistency in terms of policy treatment.

Again, KRA shows its true colors in being in favor of global adoption of key recovery, by governments (contrary to the NYT 'rebuttal').


Can PGP Be Trusted?

I explore this question from two general directions:


How strong are PGP's products, technically?

General Security Issues Concerning Public Key Encryption:

Here is a well-worded statement from Network Associates Prospectus of February 11, 1998

The Company's PGP network security products are dependent on the use of public key cryptography technology, which depends in part on the application of certain mathematical principles known as "factoring." The security afforded by public key cryptography technology is predicated on the assumption that the factoring of the composite of large prime numbers is difficult. Should an easy factoring method be developed, then the security afforded by encryption products utilizing public key cryptography technology would be reduced or eliminated. Furthermore, any significant advance in techniques for attacking cryptographic systems could also render some or all of the Company's existing products and services obsolete or unmarketable. There can be no assurance that such developments will not occur. Moreover, even if no breakthroughs in factoring or other methods of attacking cryptographic systems are made, factoring problems can theoretically be solved by computer systems significantly faster and more powerful than those presently available. If such improved techniques for attacking cryptographic systems are ever developed, it could have a material adverse effect on the Company's business, operating results and financial condition.

Speaking of potential breakthroughs in factoring, here's an example of something interesting, taken from the cypherpunks mailing list:

Date: Tue, 21 Apr 1998 11:38:22 +0000 (GMT)
From: Dan McGuirk <djm@indirect.com>
Subject: Re: quantum computers (fwd)

[...]

Here is one place to start:

http://chemphys.weizmann.ac.il/~schmuel/comp/comp.html

Particularly the sections "period of a sequence" and "factoring numbers". Quantum computation can result in an exponential increase in factoring speed. If you can build a proper quantum computer, you can factor a number of any size in basically constant time.

If you're talking about the real world, though, I would think that any current implementations have way too few gates and bits to be of any use. (But what if the NSA is twenty years ahead of the rest of the world on quantum computers the way they apparently were with differential cryptanalysis? Probably impossible, but it's an idea, anyway.)


Specific Security Issues of the PGP Implementation

This question is really the bottom line, if you are using PGP.

Unfortunately, I have not been able to find any good documentation of and independent testing of any versions of PGP. That is not to say that such testing has not occured - the source code for PGP version 2.6.2 has been publicly available for several years now and I am not aware of any serious flaws that have been discovered in that version, although there have been improvements in some of the algorithms it uses. Recently, PGP, Inc. has published version 5 and source code is available for version 5.3i, the International version (maybe also for the USA version but I couldn't find it...). I have not heard of any flaws found so far in version 5, but it has only been available for scrutiny for a short amount of time.

From: PGP ATTACKS ( A more recent, multi-page, version is available at: PGP Attack FAQ)

Introduction:

PGP is a hybrid cryptosystem. It is made up of 4 cryptographic elements: It contains a symmetric cipher (IDEA), an asymmetric cipher (RSA), a one-way hash (MD5), and a random number generator (Which is two-headed, actually: it samples entropy from the user and then uses that to seed a PRNG). Each is subject to a different form of attack.

[...]

Conclusion:

I have presented factual data, statistical data, and projected data. Form your own conclusions. Perhaps the NSA has found a polynomial-time (read: *fast*) factoring algorithm. But we cannot dismiss an otherwise secure cryptosystem due to paranoia. Of course, on the same token, we cannot trust cryptosystems on hearsay or assumptions of security. Bottom line is this: in the field of computer security, it pays to be cautious. But it doesn't pay to be un-informed or needlessly paranoid. Know the facts.

The only way to 'know the facts' is to study the source code and test it and provide financial incentives for people to try and crack it!

I believe that PGP, Inc. (or maybe I'm thinking of RSA Data Security) has offered 'challenges' - financial rewards - for people who can crack competitive products, but I am not aware of any challenges for cracking PGP.

If PGP, Inc. really wanted people to trust its products, it would offer rewards to anybody who can crack it. PGP, Inc's. parent company has enormous financial resources - it spends hundreds of millions of dollars buying up other companies, but apparently has none to spend on challenging the security of PGP, or for simply putting a link to the free source code on its web site so you could examine and compile it for yourself.


Who Owns and Controls PGP, Inc.?

Much of the information below was taken from: SEC web site

From: http://www.sec.gov/Archives/edgar/data/890801/0000891618-98-000744.txt

Network Associates, Inc. (the "Company") was formed in December 1997 as a result of the strategic business combination of McAfee Associates, Inc. ("McAfee") and Network General Corporation ("Network General"). Pursuant to this strategic combination, Network General merged with a wholly owned subsidiary of McAfee, and McAfee changed its legal name.

[...]

On December 1, 1997, the Company acquired Network General Corporation ("Network General"), a provider of network fault and performance management solutions for approximately 17.9 million shares of the common stock.

From: http://www.sec.gov/Archives/edgar/data/890801/0000891618-98-000826.txt

On December 9, 1997, the Company acquired Pretty Good Privacy, Inc. ("PGP") through the merger of a wholly-owned subsidiary of the Company with and into PGP. The aggregate consideration payable in the acquisition was approximately $35 million (payable in cash and the assumption of certain liabilities) and warrants to acquire approximately 250,000 shares of Company Common Stock.

[Does anybody know how much of that $35 million when to Phil Zimmerman?]

To what extent was PGP taken over?

From: http://www.sec.gov/Archives/edgar/data/890801/0000891618-98-000878.txt [PGP 8-K form]

(b) The Bylaws of Merger Sub, as in effect immediately prior to the Effective Time, shall be the Bylaws of the Surviving Corporation until thereafter amended.

[ Ed. Note: See the full document for more legalese - Merger Sub refers to an 'acquisition company' wholly owned by Network Associates, Inc.- no information is available about this company at the SEC but I suspect the Bylaws and Directors and Officers are identitcal to those of Network Associates, the Parent company. You would probably have to go to the corporate records in Delaware to learn more...]

[...]

1.5 Directors and Officers. The director of Merger Sub immediately prior to the Effective Time shall be the initial director of the Surviving Corporation, to hold office in accordance with the Certificate of Incorporation and Bylaws of the Surviving Corporation. The officers of Merger Sub immediately prior to the Effective Time shall be the initial officers of the Surviving Corporation, each to hold office in accordance with the Bylaws of the Surviving Corporation.

So, PGP was taken over completely - Bylaws, Directors and Officers.

From: http://www.wired.com/news/news/politics/story/8906.html

Phil Dunkelberger, PGP's former president and CEO, was named general manager of Network Associates' Total Network Security Division. [Neither he, nor Phil Zimmerman, are voting members of the Board of Directors.]

And PGP was not the only, nor the largest, company gobbled up by NAI...

From: http://www.sec.gov/Archives/edgar/data/890801/0000891618-98-000558.txt

[Network Associates Prospectus of February 11, 1998]

The Selling Stockholders acquired the Shares and such Company warrants in private transactions in which the Company acquired Schuijers Holding B.V., a Dutch corporation ("Schuijers"), FSA Combination Corp., a Delaware corporation ("FSA"), Kabushiki Kaisha Jade, a Japanese corporation ("Jade"), Helix Software Company, Inc., a Georgia corporation ("Helix"), and Pretty Good Privacy, Inc., a Delaware corporation ("PGP").

[...]

NUMBER OF SHARES OF COMMON STOCK BENEFICIALLY OWNED PRIOR PERCENTAGE OF NAME OF SELLING STOCKHOLDER TO THE OFFERING OUTSTANDING SHARES

I really don't understand what that means. I believe that this is a list of shares of Network Associates stock that were offered for SALE, as a result of the merger - it does not, therefore, indicate the current stock held by any of these parties; the list is long - I'm just including the largest shareholders here....

Daniel Freedman 325,062 *

Michael L. Spilo 326,408 *

Tami Spilo 39,718 *

Daniel Spilo 19,859 *

Attachmate Corp. 98,059 *

Cornerstone Properties I, LLC 62,955(1) *

[...and way down on the list...]

PGP Partners 5,223(1) *

[Total shares offered for sale: 1,309,477]

PGP Partners is the group of private venture-capitalists who originally financed the creation of PGP, Inc. I suspect that Phil Zimmerman probably held some stock in PGP Partners, which would have been converted into NAI stock after the merger. I doubt that Zimmerman currently holds enough NAI stock to influence corporate policy in any significant way. He may not have held enough interest in PGP Partners to block the merger, even if he had wanted to.

I include the following to help anyone considering going through the trouble I went through in trying to unravel the legalese of such SEC forms. The following language appears typical of how mergers are filed at with the SEC...

AGREEMENT AND PLAN OF REORGANIZATION

This AGREEMENT AND PLAN OF REORGANIZATION is made and entered into as of October 13, 1997, among McAfee Associates, Inc., a Delaware corporation ("PARENT"), Mystery Acquisition Corp., a Delaware corporation and a wholly-owned subsidiary of Parent ("MERGER SUB"), and Network General Corporation, a Delaware corporation ("COMPANY").

[...]

1.1 The Merger. At the Effective Time (as defined in Section 1.2) and subject to and upon the terms and conditions of this Agreement and the applicable provisions of Delaware Law, Merger Sub shall be merged with and into Company (the "MERGER"), the separate corporate existence of Merger Sub shall cease and Company shall continue as the surviving corporation. Company as the surviving corporation after the Merger is hereinafter sometimes referred to as the "SURVIVING CORPORATION."

[...]

1.3 Effect of the Merger. At the Effective Time, the effect of the

Merger shall be as provided in this Agreement and the applicable provisions of Delaware Law. Without limiting the generality of the foregoing, and subject thereto, at the Effective Time all the property, rights, privileges, powers and franchises of Company and Merger Sub shall vest in the Surviving Corporation, and all debts, liabilities and duties of Company and Merger Sub shall become the debts, liabilities and duties of the Surviving Corporation.

In other words, Network General takes over Mystery Acquisition Corp. (which has no forms on file at the SEC since it is not publicly traded), but it also assumes the 'liabilities and duties' and becomes wholly controlled and owned by the Network Associates, Inc. [Network General still exists, technically, as a separate Delaware corporation.]

[...]

1.4 Certificate of Incorporation; Bylaws.

[...]

(b) The Bylaws of Merger Sub, as in effect immediately prior to the Effective Time, shall be, at the Effective Time, the Bylaws of the Surviving Corporation until thereafter amended.

So, the parent dictates the Bylaws of the company being taken over...

[...]

1.5 Directors and Officers. The directors of Company immediately prior to the Effective Time shall continue as directors of the Surviving Corporation (together with such additional directors as may be elected by Parent effective as of or after the Effective Time). For transition purposes, Parent intends that such directors shall continue to serve as directors of the Surviving Corporation for 180 days or more following the Effective Time.

Notice that this quite different from the way in which PGP, Inc. was taken over!

Because Network General is so large, a political deal has been struck in which the directors continue to hold power after the merger. PGP, Inc., on the other hand, surrendered ALL ownership and control to NAI and none of PGP, Inc's. directors became directors of NAI.


Who runs PGP's parent company, Network Associates, Inc. (NAI)?

From: About Network Associates [downloaded on 3/16/98]

[...]

Network Associates Facts

  • World's largest independent network security and management software company
  • Tenth largest independent software company
  • More than 30 million users worldwide
  • $ 600+ million in revenue
  • 97% of Fortune 1000 use network management solutions
  • 80% of Fortune 100 use network security solutions
  • 34 registered quarters of consecutive revenue growth
  • #1 Provider of network security and management software
  • #1 third-party software provider for Microsoft/Intel-based clients, servers and networks
  • Operations on 6 continents with over 1,500 employees

This is not the full story.

To find out who the Directors of NAI currently are, I had to dig back into the SEC filings on McAfee & Associates (the name of NAI, prior to the merger)

From: http://www.sec.gov/Archives/edgar/data/890801/0000898430-97-004621.txt [Form S-4, Oct. 31, 1997]

Pursuant to the Reorganization Agreement, the Board of Directors of the Combined Company following the Merger will initially consist of six members, four of whom are designees of McAfee, and two of whom are designees of Network General. The designees of McAfee will be John C. Bolger, Virginia Gemmell, Edwin L. Harper and William L. Larson, and the designees of Network General will be Leslie G. Denend and Harry J. Saal. Mr. Bolger will be leaving the Board of Directors of the Combined Company effective April 30, 1998, at which time the size of the Board will be reduced to five members.

In addition, following the Merger, the principal executive officers of the Combined Company will be as follows: William L. Larson, currently Chairman of the Board and Chief Executive Officer of McAfee, will be Chairman of the Board and Chief Executive Officer of the Combined Company; Leslie G. Denend, currently President and Chief Executive Officer of Network General, will be President of the Combined Company; and Prabhat K. Goyal, currently Chief Financial Officer, Vice President of Finance and Administration, Treasurer and Secretary of McAfee will hold the same positions in the Combined Company.

The McAfee Board by unanimous vote of the directors present and voting at a special meeting of the McAfee Board on October 13, 1997 (which included all directors except Mr. Denend, who did not participate in this or any other McAfee Board meetings with respect to the Merger due to his status as President, Chief Executive Officer and a director of Network General) approved the Reorganization Agreement and the transactions contemplated thereby and determined that the Merger is fair to, and in the best interests of, McAfee and its stockholders.

[...]

At the Effective Time, each outstanding share of common stock of Network General, par value $0.01 per share ("Network General Common Stock"), will be converted into the right to receive 0.4167 of a share (the "Exchange Ratio") of McAfee Common Stock.

[...]

Following the Merger, based on the number of shares of Network General Common Stock and McAfee Common Stock outstanding as of October 28, 1997, and the Exchange Ratio, the stock of Network General prior to the Merger will be converted into approximately 25.7% of the common stock of the Combined Company, and the stock of McAfee outstanding prior to the Merger will represent approximately 74.3% of the stock of the Combined Company.

In summary, here is the list of 5 Directors and where they came from, effective May 1, 1998:

Leslie G. Denend, Chief Operating Officer and President (Network General & McAfee)

William L. Larson, Principal Executive Officer and Chairman of the Board (McAfee)

Harry J. Saal (Network General)

Virginia Gemmell (McAfee)

Edwin L. Harper (McAfee)

 

[JOHN C. BOLGER Director - resigns April 30, 1998]

[Prabhat K. Goyal Vice, Chief Financial Officer, Treasurer and Secretary ( not a Director )]

[...]

Now, here are the biggest stockholders of NAI

STOCK OWNERSHIP OF CERTAIN BENEFICIAL OWNERS AND MANAGEMENT OF MCAFEE
                                                            NUMBER   PERCENTAGE
NAME AND ADDRESS OF BENEFICIAL OWNER(1)                    OF SHARES  OF CLASS
- ---------------------------------------                    --------- ----------
<S>                                                        <C>       <C>
Putnam Investments, Inc.(2)............................... 1,104,487    2.1%
 One Post Office Square
 Boston, MA 02109
American Century Companies, Inc.(3)....................... 3,375,900    6.6%
 Twentieth Century Tower
 4500 Main Street
 Kansas City, MO 64111
Pilgrim Baxter & Associates(4)............................ 3,596,237    7.0%
 1255 Drummers Lane, Suite 300
 Wayne, PA 19087
Nicholas-Applegate Capital Management(5).................. 2,603,036    5.1%
 600 West Broadway, 29th Floor
 San Diego, CA 92101
FMR Corp.(6).............................................. 2,505,837    4.9%
 82 Devonshire Street
 Boston, MA 02109
   William L. Larson(7).............................   356,407     *
   Harry J. Saal.............................................         0     *
John C. Bolger(8).........................................       875     *
   Leslie G. Denend(8)..............................     3,750     *
Virginia Gemmell.................................    16,875     *
Edwin L. Harper..................................    15,950     *
   Dennis L. Cline(9)........................................    50,263     *
R. Terry Duryea(10).......................................    10,138     *
Peter R. Watkins(11)......................................    72,113     *
Mark Woodward(12).........................................     7,851     *
   Executive officers and directors as a group (10
 persons)(13).....................................   588,909    1.1%
   Former Executive Officers
Richard D. Kreysar(14)....................................     1,868     *
   - --------
  *  Less than 1%
 
   [...]
 
                AGGREGATE OPTION EXERCISES IN LAST FISCAL YEAR
                       AND FISCAL YEAR-END OPTION VALUES
 
NUMBER OF SECURITIES      VALUE OF UNEXERCISED
                                                     UNDERLYING UNEXERCISED    IN-THE-MONEY OPTIONS AT
                           SHARES                    OPTIONS AT 12/31/96(#)        12/31/96($)(1)
                         ACQUIRED ON     VALUE      ------------------------- -------------------------
NAME                     EXERCISE(#) REALIZED($)(2) EXERCISABLE UNEXERCISABLE EXERCISABLE UNEXERCISABLE
- ----                     ----------- -------------- ----------- ------------- ----------- -------------
   William L. Larson.....   728,760    $22,610,478     386,876     1,246,875   $15,548,836  $45,527,779

[...]

Now the scoop on Network General...

                          NETWORK GENERAL CORPORATION
 
                           NETWORK GENERAL BUSINESS
 
INTRODUCTION
 
  Network General Corporation was incorporated in California in May 1986 and
reincorporated in Delaware in December 1987. Network General designs,
manufactures, markets and supports software-based fault and performance (also
known as analysis and monitoring) solutions for managing computer networks. 

[...]

Network General's flagship portable product is the Expert Sniffer Network Analyzer.

[...]
 
STOCK OWNERSHIP OF CERTAIN BENEFICIAL OWNERS AND MANAGEMENT
                              OF NETWORK GENERAL
 
AMOUNT AND PERCENT OF NETWORK
                                                 NATURE OF    GENERAL COMMON
NAME OF BENEFICIAL OWNER(1)                        SHARES   STOCK OUTSTANDING
- ---------------------------                      ---------- ------------------
A I M Management Group Inc.(2).................. 4,008,500         9.4%
 11 Greenway Plaza, Suite 1919
 Houston, Texas 77046
T. Rowe Price Associates, Inc.(3)............... 3,247,450         7.6%
 100 E. Pratt Street
 Baltimore, MD 94111
RCM Capital Management, L.L.C.(4)............... 3,043,300         7.2%
 Four Embarcadero Center, Suite 2900
 San Francisco, CA 94111
McAfee Associates, Inc.(13)..................... 2,725,484         6.4%
 2805 Bowers Avenue
 Santa Clara, CA 95051
   Harry J. Saal(5)....................... 1,845,400         4.3%
Leslie G. Denend(6).....................   423,694          *
   Laurence R. Hootnick(7).........................    58,666          *
Gregory M. Gallo(8).............................    56,166          *
David M. Carver(9)..............................    78,750          *
James T. Richardson(9)..........................    78,123          *
Howard Frank(9).................................    41,666          *
John R. Stringer(9).............................    55,020          *
Charles J. Abbe(10).............................    36,833          *
Douglas C. Chance(11)...........................    24,500          *
Janet L. Hyland(9)..............................    24,166          *
   All executive officers and directors as a group
 (13 persons)(12)........................ 2,725,484         6.3%
   - --------
  *  Less than 1%

According to the above tables, and the Exchange Ratio for the merger, we can see that the approximate ownership of NAI stock among the NAI Directors, after the merger is as follows (totals of NGC and McAfee stock are combined for those individuals holding shares in both companies prior to the merger):

Harry J.Saal(5).................    756,614    1.1 %
   William L. Larson(7)....................   356,407     *
   Leslie G. Denend(6).....................   177,464     *
   Virginia Gemmell........................    16,875     *
Edwin L. Harper.........................    15,950     *
[John C. Bolger(8)......................       875     *]
   - --------
  *  Less than 1%
 

So the bottom line is that none of the NAI directors hold a large share of stock; NAI appears to be typical of most really big companies where investment companies own most of the stock.


I have searched the web, but found nothing of great concern (i.e., neither pro nor anti-privacy) on the following:

William L. Larson, Virginia Gemmell, Harry J.Saal, Prabhat K. Goyal

But then it gets interesting...


Leslie G. Denend, President and Director of Network Associates, Inc. / PGP, Inc.; President and CEO of Network General Corporation

The following was gathered from: http://www.geekweek.com/denend.html

President and CEO of Network General: Leslie G. Denend

EDUCATION
U.S. Air Force Academy; MBA and Ph.D in Economics, Public Policy and Business from Stanford University, Fulbright Scholar in Economics at Bonn University in Germany

PREVIOUS EMPLOYERS
Network Systems Corporation, Vitalink Communications Corporation, 3Com Corporation, The White House, the Air Force

Here's some more from: http://www.rmi.net/racc/San_Jose_'97_Breakfast.html

"CEO Global Breakfast Series" presented by the
SILICON VALLEY DEFENSE/SPACE CONSORTIUM

[stuff deleted...]

Mr. Denend's career includes top-level policy experience in three presidential administrations. He served on the economic policy staff, on the Joint Chiefs of Staff, and as Special Assistant to NSC [National Security Council] Advisor Zbigniew Brzezinski.

Mr. Denend is a distinguished graduate of the U.S. Air Force Academy, and received his M.B.A. and Ph.D in economics, public policy, and business from Stanford University. He was a Fulbright Scholar in Economics at Bonn University and has received the Arthur S. Fleming Award.

He flew 194 combat missions in Southeast Asia.

[In case anyone forgot, the NSC is the same organization that Oliver North worked for...]

For those who still associate "PGP" with Phil Zimmerman's anti-war activism, think again.

Some additional backround on Denend ...

From: http://www.sec.gov/Archives/edgar/data/890801/0000898430-97-004621.txt [Form S-4, Oct. 31, 1997]

  Mr. Denend was promoted to President and Chief Executive Officer of Network
General and was elected a director of Network General in June 1993. He served
as Network General's Senior Vice President of Products from February 1993 to
June 1993. Prior to joining Network General, he was President of Vitalink, a
manufacturer of internetworking products, from October 1990 to December 1992.
From 1989 to 1990, Mr. Denend served in a variety of positions at 3Com
Corporation, a data networking company, most recently as Executive Vice
President for Product Operations. From 1983 to 1989, he was a principal with
McKinsey & Company, a management consulting firm.


Edwin L. Harper, Director of Network Associates, Inc.

From: http://commdocs.house.gov/committees/trans/hpw10410.000/hpw10410_2.HTM

Harper, Edwin L., President and CEO, Association of American Railroads,

From: http://gopher.nara.gov:70/0/inform/library/nixon/avail1.txt

NIXON PRESIDENTIAL MATERIALS AVAILABLE FOR RESEARCH

December 1994

[...]

EDWIN L. HARPER 1970-73 (1 cubic foot)

Dr. Edwin Harper served as a Special Assistant to the President and as Assistant Director of the Domestic Council. The Harper Special Files include information on revenue sharing and Presidential appearances.


What Are the Business Interests of Network Associates, Inc.?

Let's look at the products which NAI produces...

Again, from the SEC: http://www.sec.gov/Archives/edgar/data/890801/0000891618-98-000744.txt

[...]

NET TOOLS SECURE NET TOOLS MANAGER

The ISS [Internet Security Suite] products are designed to capture both known and new viruses before they infect multiple users on the network. Servers are scanned in real-time as messages pass through and downloads occur. Viruses discovered are automatically cleaned, quarantined, or deleted as configured. In addition to viruses, ISS products also scan for hostile Java and Active-X applets. Java and Active-X applets offer a powerful way to make web sites more interactive for visitors, but can also be used to execute destructive commands. ISS includes: (i) WebShield SMTP which is designed to scan all inbound and outbound e-mail passing through the SMTP gateway; (ii) WebShieldX Proxy which provides protection for HTTP and FTP traffic and scans for hostile Java and Active-X applets; and (iii) WebScanX which protects against virus infected Internet downloads and e-mails, as well as emerging hostile Java and Active-X applets, by filtering them out before they can cause damage to users on desktop or mobile PC's.

[...]

CyberCop.[developed by Network General - Ed.] The CyberCop intrusion detection system is designed to safeguard networks from external and internal attacks by performing real-time surveillance of network traffic and sending out an alarm when intrusion is detected. The CyberCop product's sensors are placed at key locations throughout a network, from LAN segments and dial-up modem servers to connection to the internet or other wide area networks. CyberCop is not sold as part of a suite. The current list price for the CyberCop product is $35,700 per unit.

[...]

The Company primarily markets its products directly to large corporate and government customers as well as to resellers and distributors.

[...]

PRODUCT DEVELOPMENT AND ACQUISITION

The software industry has experienced and is expected to continue to experience a significant amount of consolidation. In addition, it is expected that the Company will grow internally and through strategic acquisitions in order, among other things, to expand the breadth and depth of its product suites and to build its professional services organization. The Company continually evaluates potential acquisitions of complementary businesses, products and technologies. In addition to the Network General merger in December 1997, the Company has consummated a series of significant acquisitions since 1994, including the acquisitions of PGP and Helix in December 1997, Cinco Networks, Inc. in August 1997, 3DV Technology, Inc. in March 1997, a controlling interest in FSA Corporation of Canada in August 1996, Vycor Corporation in February 1996, Saber Software Corporation, Inc. in August 1995 and ProTools, Inc. in January 1994. In addition, since 1995 the Company has acquired a number of its international agents and distributors, including agents or distributors in Australia, Brazil, Japan and The Netherlands and is currently investigating acquisitions of additional foreign agents and distributors. Past acquisitions have consisted of, and future acquisitions will likely include, acquisitions of businesses, interests in businesses and assets of businesses.

I have not yet investigated any of the above companies.

[...]

In the encryption portion of the security market, the Company's principal competitors are Security Dynamics Technologies, Inc., Cylink Corporation, Entrust Technologies and VeriSign, Inc.

Are the competitors any better than NAI? I haven't looked closely but Cylink and Entrust are KRA members.

[...]

On February 11, 1998, Symantec filed another motion seeking leave to again amend its complaint to include additional allegations of trade secret misappropriation, interference with economic advantage and business relations and violations of the Racketeer Influenced and Corrupt Organization Act ("RICO"), in connection with the alleged use at the Company by a former Symantec employee of allegedly proprietary Symantec customer information. Symantec also filed a motion for a preliminary injunction relating to these new allegations, and has scheduled both motions for hearing on May 15, 1998. Trial is currently set for September 1998.

[...]

So, NAI is accused of racketeering...


The most recent $100,000,000 acquisition by NAI...

From: http://www.sec.gov/Archives/edgar/data/890801/0000891618-98-001555.txt

[ March 2, 1998 ]

This AGREEMENT AND PLAN OF REORGANIZATION (the "AGREEMENT") is entered into as of March 2, 1998 by and among Networks Associates, Inc., a Delaware corporation ("PARENT"), Merlin Acquisition Corp., a Delaware corporation and a wholly-owned subsidiary of Parent ("MERGER SUB"), Magic Solutions International, Inc., a Delaware corporation (the "COMPANY"), and Igal Lichtman ("FOUNDER").


PGP's Big Brother: Trusted Information Systems (TIS)

Press Release, from pgp.com website:

SANTA CLARA, Calif., February 23, 1998 - Network Associates, Inc. (Nasdaq: NETA) and Trusted Information Systems, Inc. (TIS) (Nasdaq: TISX) announced today that they have signed a definitive agreement where Network Associates will acquire TIS in a stock-for-stock pooling of interest merger valued at over $300 million.

That is roughly 9 times what NAI paid for PGP, Inc.

As we will see below, the business interests of PGP and TIS appear to be diametrically opposed on the question of mandatory key escrow. This is especially illustrated in the differences in background between the founders of these two companies: Phil Zimmerman and Stephen T. Walker.

The following exerpted document contains an amazing amount of information about the NAI - TIS merger.

Although I have ommitted it here, for the sake of brevity, it includes a blow by blow account of meetings between NAI and TIS executives in the days and hours prior to the signing of the merger agreement in which NAI very actively pursued TIS and ended up out-bidding a competitive offer by more than $42 million.

It is clear that NAI greatly values TIS. I think it would be safe to say that TIS is of much greater value to NAI than PGP.

From http://www.sec.gov/Archives/edgar/data/890801/0000891618-98-001255.txt [Form S-4]

[March 25, 1998]

[...]

Prior to 1996, the principal source of TIS's total revenues was from governmental contracts. TIS expects to continue to rely on existing and future research and development contracts with agencies of the U.S. government for a portion of its revenues in the near future.

[...]

TIS further provides research and development and consulting to government agencies, including the National Security Agency ("NSA") and Defense Advanced Research Projects Agency ("DARPA"), in areas such as next generation firewalls, distributed trusted operating systems, Internet domain name services, international cryptography and advanced cryptographic key handling and recovery techniques.

[...]

Prior to founding TIS in 1983, Stephen T. Walker, Chairman and Chief Executive Officer, spent over 20 years working on computer security issues for the U.S. government at the NSA and the Advanced Research Projects Agency ("ARPA"), the predecessor agency of DARPA.

[...]

THE ADVANCED RESEARCH AND ENGINEERING DIVISION

The Advanced Research and Engineering Division (the "AR&E Division") consists primarily of research, development and consulting in computer and related security systems, currently including major contracts with three agencies of the U.S. government: the NSA, Air Force Rome Laboratories ("RL") and DARPA. Revenues from the AR&E Division increased consistently through 1995, but decreased in 1996 and 1997. The aggregate award value of TIS's current active government contracts at December 26, 1997 was approximately $37.5 million.

[...]

Stephen T. Walker, age 54, founded TIS in May 1983 and has continuously served as President, Chief Executive Officer, Chairman of the Board and a Director. From 1980 to 1983, Mr. Walker was the Director of the Information Systems for the Office of the Assistant Secretary of Defense for Communications, Command, Control and Intelligence (C3I), Pentagon. In recognition of Mr. Walker's contributions, he was awarded the Secretary of Defense Meritorious Civilian Service Medal in 1984, and the first National Computer System

[...]

The following are the largest shareholders of TIS

TIS COMMON STOCK BENEFICIALLY OWNED AS OF FEBRUARY 22, 1997(1)

NAME NUMBER OF SHARES - PERCENT

Martha A. Branstad(2).................................. 1,433,462 - 10.3%

Stephen T. Walker(7)................................... 2,859,325 20.6%

Stephen E. Smaha....................................... 876,841 6.3%

TIS Common Stock is traded on Nasdaq under the symbol TISX. On February 20, 1998, the last trading day before public announcement of the execution of the Reorganization Agreement, the closing price of TIS Common Stock as reported on Nasdaq was $12.63 per share. On March 23, 1998, the closing price of TIS Common Stock as reported on Nasdaq was $20 per share.

Stephen T. Walker, TIS President and CEO, appears to have made about $21 million in the month following the merger agreement.

Many have wondered how it will be possible to TIS to exist alongside PGP under the same corporate roof...

RISKS RELATED TO MERGER

Difficulties of Integrating Two Companies.

The successful combination of Network Associates and TIS will require substantial attention from management. The anticipated benefits of the Merger will not be achieved unless the operations of TIS are successfully combined with those of Network Associates in a timely manner. The difficulties of assimilation may be increased by the need to integrate personnel and to combine different corporate cultures and by Network Associates' limited personnel, management and other resources. The successful combination of the two companies will also require integration of the companies' product offerings and the coordination of their research and development and sales and marketing efforts. In addition, the process of combining the two organizations could cause the interruption of, or a loss of momentum in, the activities of either or both of the companies' businesses and could lead certain customers to defer purchasing decisions.

Now, here is a very interesting statement of TIS' financial interests in key recovery and export controls:

[...]

Risks Relating to Cryptography Technology.

[...]

To the extent that the government either decides to prohibit or otherwise restrict the export of such products (including those with key recovery) or decides to permit the export of such products without key recovery, those decisions could have an adverse impact on the development of a market for the RecoverKey-International (or CKE) products TIS plans to introduce in the future.

TIS' interests are clearly on the side of mandatory key recovery.

Even though the above disclosure form indicates that TIS should oppose export controls, it in fact supports export controls also:

Shadow Cryptocrats
by Declan McCullagh
Special to CyberWire Dispatch
 
WASHINGTON, DC, 2/24/98 
 
Some of the firms selected also endorse restrictions. Trusted Information
Systems recently circulated a policy paper calling for "sensible"
legislation to "make the export of 56-bit current interim DES controls
permanent and permit the export of stronger encryption when it is combined
with a key recovery system."
    
More on TIS' position concerning key recovery...
 
Date: Wed, 25 Feb 1998 13:53:33 -0500
From: nospam@synernet.com (Ed Stone)
Subject: Re: Another Network Associates U-Turn on Key Recovery
To: jy@jya.com
 
PGP Inc's new owner, Network Associates, has announced it is acquiring 
Trusted Informations Systems, Inc. On the TIS web site, the following 
project is detailed, in which Dr. Dorothy Denning was a subcontractor, 
and in which policy-based crypto key release systems were explored, in 
collaboration with the NSA, FBI, etc.:

Source: http://www.tis.com/research/crypto/crypt_krp_projsum.html


Where Does Network Associates, Inc. Stand On the Issue of Key Recovery?

You may have already guessed the answer based on the articles quoted above, but let's back up a minute to savor the embarassment that NAI has experienced and how this issue highlights the irony of PGP and TIS living under the same roof.

It is important to distinguish how Phil Zimmerman feels about Key Recovery, and his past reputation on privacy issues, from the current reality at PGP, Inc. and who owns it. It is also important to distinguish between what corporations and alleged 'government officials' say publicly and what they do, some of which may be classified or otherwise hidden from view.

In Dec, 1997: NAI was a member of KRA at the time PGP, Inc was sold.

Phil Zimmerman says he didn't know - perhaps he was already "out of the loop" at this time.

Keith Dawson (dawson@world.std.com )
Mon, 8 Dec 1997 10:51:37 -0400

McAfee buys PGP, Inc.

  • Phil Zimmermann sells out to a key recovery company. What next, Prometheus suspected of arson?

    Last Monday the news broke [1] that security software pioneer PGP, Inc. was being acquired by McAfee Associates, a company mostly known for its anti-virus products. McAfee was just completing a $1.3B merger with Network General, which specializes in network management products, with the merged entity called Network Associates (NASDAQ: NETA [2]).

    Immediately a backlash [3] began against Phil Zimmermann, PGP hero and winner of the Norbert Weiner award. McAfee, as it turns out, was a member of the Key Recovery Alliance [4]; and Zimmermann was the man who once testified before the Senate that key recovery could "strengthen the hand of a police state."

    Hiawatha Bray's column in the Boston Globe on 12/4 [5] quoted PGP's chief scientist, Jon Callas:

  • [Callas] said yesterday that he would find the person at Net-
    work Associates who was responsible for the firm's membership
    in the Key Recovery Alliance, and persuade this person that
    the firm should resign. "That's my task for today," Callas
    said.
  • When I read this on Thursday morning I wished Callas luck, but held out little hope. But it has come to pass [6]. Network Associates resigned from the Key Recovery Alliance on Friday 12/5/97.

    [1] http://www.news.com/News/Item/Textonly/0%2c25%2c16903%2c00.html?pfv
    [2] http://www.dbc.com/cgi-bin/htx.exe/squote?source=blq/cnet&ticker;=NETA
    [3] http://www.wired.com/news/news/politics/story/8906.html
    [4] http://www.kra.org/
    [5] http://www.boston.com/dailyglobe/globehtml/340/Encryption_hero...
    [6] http://www.pgp.com/newsroom/na-kra.cgi

    TBTF home and archive at http://www.tbtf.com/ . To subscribe send the message "subscribe" to tbtf-request@world.std.com. TBTF is Copyright 1994-1997 by Keith Dawson, <dawson@world.std.com>. Commercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit.

  • This appears to have satisfied the media that Zimmerman's philosophy had prevailed and that NAI had 'seen the light' about key escrow.

    [See also: Pretty good Phil bounces back]

    But, by February, 1998, after the criticism had died down, NAI announced the TIS merger, proudly noting that TIS, was a 'founding member' of KRA

    Exerpted from NAI press release [February 23, 1998]:
    "NETWORK ASSOCIATES TO ACQUIRE TRUSTED INFORMATION SYSTEMS"

    TIS provides a full line of security products and services including: Gauntlet firewalls to protect network connections; Gauntlet Global Virtual Private Networks to secure electronic communications worldwide; Stalker misuse detection solutions to ensure the integrity of servers which, when used in conjunction with Network Associates' CyberCop, extends this level of protection to networks; and TIS Consulting and Training services to facilitate a company's network running smoothly.

    TIS' RecoverKey encryption technology provides flexible, scalable, user-controlled key recovery, and has been implemented by multinational organizations for their global networks. TIS is a founding member of the Key Recovery Alliance, an organization of over 60 international companies working together to facilitate the worldwide commercial use of strong encryption.

    Then, in the same breath, NAI said they probably will rejoin the KRA.

    [The article below also seems like the left hand doesn't know what the right hand is doing.]

    Exerpted from Encryption Infighting Emerges [February 23, 1998]:

    "Our concern is that membership in the KRA at some point is seen as support for strong crypto export under regulations that only support key escrow," Network Associates' executive Gene Hodges said in December. "We don't want to be seen in that light."

    [...]

    "It's highly likely that Network Associates will be a member," Network Associates chief executive Bill Larson said today. "The Key Recovery Alliance is a very important organization...Philosophically, we are bridging two discrete worlds--the PGP-Internet world and the TIS intelligence world." TIS has major consulting contracts with U.S. government agencies.

    Actually, NAI will automatically become a member of KRA, without the embarassment of 're-joining' as soon as the TIS merger becomes finalized.

    More verbal gymnastics from Encryption Infighting Emerges [February 23, 1998]:

    [...]
     
    But major tenets of the government-industry agreement now appear
    unreachable, said Stephen Walker, president and chief executive
    officer of key recovery pioneer Trusted Information Systems Inc. The
    alliance, he said, is no longer developing systems to allow
    eavesdropping on telephone conversations since businesses have little
    use for listening in on their own wiretap-resistant telephones. Also,
    he said, alliance members will not develop systems that hand
    encryption descrambling keys to government agencies without notifying
    the users that their keys have been surrendered to others.
    "We're not building a key recovery specification for Louis Freeh,"
    Walker said. We're building a system for the marketplace."

    Notice that he didn't say TIS would not give your keys to the government. A major portion of TIS' 'marketplace' is government contracts.

    More spin control from NAI: PGP, Inc.: 'Important' Announcement About Key Recovery

    Network Associates and Key Recovery

    With the acquisition of Trusted Information Systems (TIS) by Network Associates, NAI has added a new technology to its product portfolio -- key recovery. This TIS-developed technology addresses the market needs for encryption key recovery and management. NAI will continue to provide this technology to the market.

    NAI's PGP product group already provides the capability for corporations to recover information from PGP products deployed in corporate environments. The requirement for this capability from corporations has been evident and well-known for quite sometime.

    However, NAI does not believe there is a need for key recovery in PGP products for the individual. NAI will develop and market products that its customers need and want but will not include any technology that is not required by its customers.

    Notice what NAI did not say in its 'important' announcement:
    NAI did not take up Phil Zimmerman's stand against mandatory key-escrow.
    NAI's position appears equivalent to the fundamentally amoral attitude of the KRA, noted above.

    Perhaps that is why Phil Zimmerman's position within PGP, Inc. appears to be diminished.


    What is Phil Zimmerman's Current Influence at PGP, Inc?

    As it stands now, PGP, Inc. is a very small part of the NAI conglomerate. I doubt that Phil Zimmerman, in particular, holds a very high percentage of NAI stock or that he has any control over the long-term direction and policies of the company which he founded, although Phil has told me that he beleives he is currently in a good position to influence policy.

    After founding PGP, Inc., I beleive Phil's position was "Chief Technology Officer".

    Phil's current position under NAI is listed as:

    Senior Fellow, and Founder of PGP, Inc.

    The following is exerpted from the Wired article, Pretty Good Privacy Not Looking So Great [12/3/97]:

    Zimmermann's new title at Network Associates is "fellow," but he 
    declined to comment on exactly what authority and responsibility that 
    confers. Meanwhile, Phil Dunkelberger, PGP's former president and CEO, 
    was named general manager of Network Associates' Total Network Security 
    Division. 
     
    "It's going to take some time to figure things out," said Zimmermann. 
     
    EPIC's Banisar was less diplomatic and postulated that Zimmermann's new 
    title reflected a clash of values between him and Network Associates on 
    key recovery. 
     
    "We have a number of fellows here, and they are usually unpaid 
    volunteers," Banisar said. 
     
    "It will require a fundamental examination by human rights groups and 
    others about whether any newer versions of PGP are truly trustworthy," 
    said Banisar. 

    I happen to think that Banisar's comments are a little paranoid and respect Phil enough to give him the benefit of the doubt if he is willing to go on working at NAI for now. That is not to say that the latest PGP software should not be extensively scrutinized to determine its quality.

    If NAI does not make good on Phil's commitment to continue public release of PGP source code, I think this would be the clear signal that he is no longer being listened to.

    More from: Encryption Infighting Emerges [February 23, 1998]

    "Our belief is that you let customers choose," Larson added. "Customers have been asking PGP to put in key recovery. RecoverKey [a TIS product] is a much better system for that."

    SynData Technologies chief executive David Romanoff, whose company markets encryption software that competes with PGP's, sees Larson's comments a sign that Zimmermann has a diminished role inside Network Associates.

    "This news is really consistent with the direction of Network Associates and its position on key recovery," Romanoff said. "I regret that it was not consistent with the old Phil Zimmermann and the old PGP."


    Phil Zimmerman's Public Response to Concerns About the 'New' PGP, Inc.

    Date: Wed, 18 Mar 1998 12:48:48 -0500

    To: jya@jya.com

    From: Ed Stone <estone@synernet.com>

    Subject: PGP/NAI merger and key recovery

     

    I received the following email from Phil Zimmermann, regarding concerns I have expressed about NAI's acquisition of TIS, a substantial contractor to the National Security Agency, and a major developer of key recovery capabilities.

    >>begin PRZ email<<<

    Date: Wed, 18 Mar 1998 01:20:34 -0800

    To: estone@synernet.com

    From: Philip Zimmermann <prz@pgp.com>

    Subject: PGP/NAI merger and key recovery Cc: prz@pgp.com

     

    Ed, I saw your recent remarks in comp.security.pgp.discuss. I'd like to make a few points. You may quote me on this.

     

    -----BEGIN PGP SIGNED MESSAGE-----

    Hash: SHA1

     

    Mergers are complex operations, especially mergers of publicly traded companies of this size. NAI and TIS will not fully close the merger deal for about 60 days. Until then, there are many policy details we cannot discuss in public.

     

    NAI has no plans to incorporate TIS's key recovery technology in any version of PGP, including our business versions. I have discussed this point with NAI management.

     

    I have not changed my political values regarding privacy and crypto. I would not have allowed the sale of my company to NAI if they were going to buy PGP in order to bury PGP, as some have feared. They bought PGP because they value the reputation that PGP has earned in the industry. They want to preserve that reputation by preserving PGP's product integrity. I plan to keep watch over PGP's product integrity for the foreseeable future.

     

    NAI plans to keep publishing our source code for peer review. Source code publication in printed books is a vital part of NAI's business strategy, especially its overseas strategy. There will be an important announcement on this subject on 20 March at CeBit in Hannover Germany.

     

    -Philip Zimmermann

     

    -----BEGIN PGP SIGNATURE-----

    Version: PGP 5.5.5

     

    iQA/AwUBNQ+RzWPLaR3669X8EQLuRwCcDowyBBr32YtbsnYSHy6clTW+7CwAnjpk KnVN0NVreBNuIOyxsAcWIb40

    =vY/q

    -----END PGP SIGNATURE-----


    This is what was announced at CeBit:
    Network Associates Announces Availability of 128bit PGP Encryption Software For Global Customers

    Strong Encryption to Spur Growth of Secure Electronic Communications Worldwide

    [...]

    Network Associates' PGP encryption products for international markets will be fully developed and compiled in Europe by cnlab Software, based upon widely available published source code that was legally exported from the United States. No United States technical assistance has been, or will be provided to cnlab Software or to international offices of Network Associates, ensuring full compliance with United States export laws.

    Network Associates International B.V. will work with technical partners throughout the world to ensure that customers have access to technical support and development expertise throughout the region.

    Network Associates Announces New Security Division

    Network Associates is also announcing a new, dedicated security division headed up by Graham Curme in Windsor, United Kingdom. The new division will work with selected technical partners throughout Europe to provide technical support to customers. At the same time, a dedicated security division will be established in Germany, followed closely by Scandinavia and the rest of Europe.

    NAI outflanked the export regulators!

    The main motivation for publication of source code for NAI seems to be for use as a loophole in getting around export regulations. As absurd as this is, the only way for NAI to expand its market for strong encryption to offices outside of the US is to publish the source, which can then be exported and scanned back into electronic form.

    But keep in mind that mandatory key recovery is a greater threat to privacy than export regulations - NAI has still not made any official statement opposing mandatory key recovery.

    The real test will be to see whether or not NAI continues to release source code after the US export laws are changed and they are able to transmit source in electronic form, privately, to their foreign offices.


    Can PGP, Inc. Be Trusted?

    Even if you think Phil Zimmerman is a trustworthy or moral and pricipled person, that really doesn't matter much in terms of the technical strength or weaknesses of PGP.

    Simon Garfinkel said the following in "PGP: Pretty Good Privacy":

    Evey copy of PGP comes with a copy of Phillip Zimmerman's public key. Nearly everone I have spoken with unconditionally trusts Phil Zimmerman's signature to sign other keys. I have no idea why this is the case. Phil Zimmerman has no idea why this is the case. Should you trust Phil Zimmermann's signature? Beats me. Would you trust him with your wallet?

    The main reason why I tend to trust Phil is that he has consistently been in favor of public release of source code. Actions speak louder than words: although I like Phil's pro-freedom philosophy, and sympathize with the fact that he was attacked by the FBI for it and stood his ground, even more significant are his past actions in releasing source so that individuals can decide for themselves if his product deserves their trust.

    [It's the people who say "trust me" that you should never trust. "Trusted Information Systems" may fall into that category. If a person is truly trustworthy, they will want you to decide for yourself and will not try to persuade you.]


    How The FBI Pressures Industry

    [While I focus here on some specific actions of the FBI, I also use 'FBI' somewhat more generally, as an organization representative of other agencies such as NSA, The White House, Department of Justice, etc.]

    NAI's public statements seem to indicate that it is going to try and wear two hats: to stand up for the privacy of 'individual' customers and PGP, while at the same time going after the government contracts and requirements for key recovery in its other products. It certainly seems apparent that the business interests of KRA members like TIS are not perfectly in accord with the interests of the FBI. But where this all ends up depends on how much power the FBI has to force industry to bow to its will and spend their own money on 'features' that are not in demand.

    Keep in mind the FBI strategy, regarding domestic encryption by individuals:
    1) Get companies to 'voluntarily' implement Key Recovery systems in their products;
    2) Make Key Recovery mandatory and un-escrowed encryption illegal

    There is always the distinction between what the FBI says publicly and what they are doing secretly at any point in time. As an example, consider the current policy on Key Recovery in light of what has recently come to light about the previous machinations of the FBI on the Digital Telephony Act in 1991-92.

    The Electronic Privacy Information Center (EPIC) discovered the following, from previously classified documents obtained through the Freedom of Information Act [gathered from : "PGP: Pretty Good Privacy" by Simon Garfinkel ]:

    EPIC reported that the FBI:

    More recently, CyberWire Dispatch: Shadow Cryptocrats reports the following [2/24/98] :

    [FBI Director] Freeh spent much of last year demanding a ban on programs like PGP. He told Congress in September that the Feds must "have an immediate lawful decryption of the communications in transit or the stored data. That could be done in a mandatory manner. It could be done in an involuntary manner. But the key is that we have the ability." FBI Deputy Director Bob Bryant echoed him last month, and the bureau has offered even more ominous warnings behind closed doors.


    The Ethical Litmus Test

    Given the great difficulty of cracking strong encryption like PGP, and given the tremendous desire of many very powerful agencies to compromise it or outlaw it, the easiest path for spooks to take would be internal subversion or buying PGP. If I were Bill Clinton or Louis Freeh, that's what I would do.

    Currently, there is absolutely no evidence that PGP software has been in any way compromised or that NAI intends to compromise it in the future - indeed, NAI has publicly stated that they do not intent to add key recovery to 'PGP For Personal Privacy' or other versions for individual use, as opposed to corporations.

    Nevertheless, the presence of people like Leslie Denend, NAI President and Chief Operating Officer in control of PGP certainly give one rational cause for concern. Again, if I were Louis Freeh, this is the kind of person I would want - someone with a good track record of loyalty to the U.S. Government - not an activist like Phil Zimmerman.

    Aside from this kind of speculation about the integrity of the current leadership, NAI's business interests are equally cause for concern. It is obvious that NAI makes much more money on government and corporate business than on giving away PGP as freeware to individuals. If push comes to shove and mandatory key escrow laws are passed, I don't think NAI would blink at taking a minor loss over PGP when it could turn around and make millions from RecoverKey or similar technology. The PGP source code would probably not go to waste either.

    After having reviewed some of the background of PGP, Inc. we can now consider these issues.

    This page is still under construction.

    I will address each of the above questions in the next update.


    Why You Should Use Encryption Even If It's Not Perfect

    If, after studying this issue, you believe, as I do, that the 'right to bear strong, un-escrowed, encryption' is a natural right, equal to the 'right to bear arms', 'right to freedom of speech', etc. Remember that the Constitution does not grant such rights - they are UNALIENABLE, and cannot be granted nor taken away by any of man's laws, regardless of what the Supreme Court, FBI, or anyone else might say. (Of course, if you use any of these rights to tangibly injure another person, she has the right to kill you for it, if she can catch you :-)

    A couple of other reasons to use strong encryption, even if you don't need it right now are:


    What Version of PGP Should I Use?

    This is a not an easy question to answer since it involves issues which everyone will weigh somewhat differently.

    Perhaps the single most important factor is:

    Do not trust any encryption software for which the source code is not publicly available.

    Otherwise, you can never know that there aren't any 'trap doors' built in for the spooks or other serious security holes. Even if you don't ever plan to read the source code yourself, the fact that it is available allows others to read it and search for problems that might exist.

    Do not trust any executable encryption software that is not PGP-signed by someone you trust - verify the signature before installing it, or compile your own executable from the source code.

    If you cannot say that you have good reason to trust "Jeffrey Schiller", "Phil Zimmerman" or whoever signed the version of PGP that you downloaded, and you have not gone over the source code with a fine tooth comb and compiled your own executable, then you may choose to go ahead and use PGP anyway. But use it at your own risk!

    Here are some other things that matter to me the most, which may also matter to you:

    Some, but not all, of the above questions are discussed in the following pages:

    I use several different version of PGP, on different computers.

    Up until now, my main objection to using newer PGP keys, aside from a distrust of NAI, was the fact that I had been unable to download sources for PGP5+ that included RSA support.

    I recently downloaded the linux sources for PGP5 from www.pgpi.com and compiled my own binary. This version is free since 'outside the US' no RSA royalties/copyrights apply. Inside US, you supposedly can purchase a US version or upgrade that includes RSA support but, if this is true, I could not find it at www.nai.com and, if it exists at all, the sources do not appear to be available either. I suspect that there are copyright issues regarding the use of RSA algorithm in the US that prevents NAI from making sources freely available.

    My feeling at this point is that PGP, Inc. has done a noble job of painstakingly 'exporting' sources to Europe in book form and OCR-ing them just to get around US export laws and make them available to the public. Since these sources have been available since 1997, I think that is probably long enough for someone to have found some secret back-doors or weaknesses, if any exist. In any case, there is also some probability that 2.6.3 has weaknesses that also may have not been uncovered yet.

    Advantages to the old version, 2.6.2 or 2.6.3:

    Advantages to the new version 5.x or later:

    Phil Zimmerman wrote the following in the introduction to his book of sourcecode. Quoted from: http://www.nai.com/products/security/phil/phil-src-intro.asp:

    PGP uses the best encryption algorithms available in the open academic literature -- the algorithms that have withstood the most peer review, and are rooted in the best design principles of modern cryptography. PGP version 2.6.2 uses RSA for key management and digital signatures, the IDEA cipher for bulk data encryption, and MD5 for a secure one-way hash for digital signatures. And it compresses the data before encrypting it, using the ZIP algorithm.

    Although Phil has said he believes it is essential to release source code, and he believes that NAI supports this policy, it remains to be seen if NAI is really sincere about implementing this policy.

    From: WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ

    WHAT COMPATIBILITY ISSUES EXIST BETWEEN PGP 5.x AND EARLIER VERSIONS

    PGP 5.0 introduces some new algorithms for both public key and conventional encryption. These changes are good from both technical (security & efficiency) and political (patent) standpoints. With the death of the Diffie-Hellman key exchange patent, the freeware PGP new algorithms are 100% free of patent problems, and free of legalese such as come with the RSAREF toolkit. The Diffie-Hellman key exchange key size limit is also larger than the old RSA limit, so PGP encryption is actually more secure, now. The new SHA1 hash function is better than MD5, so signatures are more secure, now, too. The conventional encryption used is all sound, and definitely not the weak link in the chain. This much is good news.

    The bad news, of course, is that there will be some interoperability problems, since no earlier versions of PGP can handle these algorithms. How this affects you depends on the PGP version that you have.

    There are really 3 versions of PGP called PGP 5.0. The freeware edition can only generate and use the new (faster, more secure, patent-problem-free) algorithms. There is a really cheap (cheaper than one S/MIME key certificate) upgrade to PGP 5.0 for Eudora users that will let you use the old RSA keys as well. Then, of course, the full commercial version of PGP 5.0 can handle both old and new algorithms and message formats equally well. If you want to handle both, you need to either keep both an old and new freeware PGP around, upgrade to one of the versions of PGP 5.0 that can handle the old keys.


    Conclusion

    Thanks to all the subscribers to the cypherpunks list whose articles and links I have purloined here. You have given me much food for thought!

    The purpose of this essay has been to explore some areas of potential concern regarding the reliability of PGP and to try and provide some resources for better risk-assesment by individuals, many of whom seem to enjoy the illusion that their privacy is invulnerable simply because they use PGP.

    Perhaps the greatest danger to privacy is the unreasonable assumption of security. I generally advise everyone never to say anything in encrypted email that you wouldn't want your most powerful enemy to read. Anything really sensitive should not be written down anywhere, even if it is encrypted with the strongest encryption available. If highly sensitive information needs to be transmitted at all, it should probably only be whispered into the ear of a very highly trusted friend while walking along the seashore, or somewhere far from potential listening devices.

    While I have focused on potential risks, the fact remains that NAI has done nothing so far technically to damage the reputation of PGP and I hope it never does. I believe that Phil Zimmerman will do all that he can to influence NAI policies to continue in the defense of individual privacy but, at the same time, he may not have the power to do much in the long run and he may not be in the best position to assess the situation objectively (especially if he happens to hold any NAI stock options that may not become fully vested for awhile...).

    My feeling is that, as with all really BIG companies, NAI is controlled by raw greed. There is no need to search for a conspiracy: the sad truth is that when a company becomes so large, the only thing that the stockholders really have in common is greed. You doubt if you will ever find a decision of a public corporatation which is founded on ethics, unless it is also profitable.

    Laws create monopoly opportunities - if key recovery is mandatory, then competition by products that do not include this 'feature' are out of business. Since NAI is heavily invested in key recovery technology, it is only reasonable to expect them to promote it and support laws which improve the market demand for this technology. It's the same logic as mandatory auto insurance: "good for business". It will also create lots of new job opportunities for regulators, cops and prison guards.

    I do not expect NAI to secretly install 'trap doors' for government to snoop PGP-encrypted messages. They won't need to when the PGP we now know becomes illegal. (No loss of investment in PGP source code: just add escrow - and charge for it!)

    There is already a growing movement of EU countries to make key recovery mandatory (strong unescrowed encryption is already illegal in France and Belgium). Most people will not complain about this any more than they complain when another gun is banned. I believe that key recovery is probably in the interests of all governments, unless they prefer to outlaw encryption wholesale, along with fax machines and computers.

    But law is irrelevant, in a moral sense. The real issue of the future will be practical: how best to evade enforcement as the nation-state goes through the throes of death and the Supreme Law becomes: "that which is not permitted is forbidden". The future looks interesting. There will be great opportunities for moral people, particularly cypherpunks - known as 'crypto-outlaws' or perhaps 'crypto-terrorists' - to devise better ways of anonymizing unescrowed transfer of illegally encrypted messages and data.

    Now is the time to download PGP binaries and source code (if you haven't already) - and hide them along with your food, guns and ammo.

    Whichever version you choose, I would recommend that your 'survival cache' include one which is RSA compatible.


    Pro-Liberty HOME

    © 1998 by Tom Paine, Perpetual Traveler