Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Encryption Security

Philip Zimmermann and 'Guilt' Over PGP 837

Philip R. Zimmermann, creator of PGP, was quoted in a recent Washington Post article as saying he has been "overwhelmed with feelings of guilt" about the use of PGP by suspected terrorists. Zimmermann says the story was not entirely accurate, and has written a response to it (below) that he hopes will clear things up. He has also consented to a Slashdot interview, so please post any questions you have for him. As usual, we'll send 10 of the highest-moderated ones to Zimmermann by email, and post his replies verbatim as soon as we get them back.

No Regrets About Developing PGP

The Friday September 21st Washington Post carried an article by Ariana Cha that I feel misrepresents my views on the role of PGP encryption software in the September 11th terrorist attacks. She interviewed me on Monday September 17th, and we talked about how I felt about the possibility that the terrorists might have used PGP in planning their attack. The article states that as the inventor of PGP, I was "overwhelmed with feelings of guilt". I never implied that in the interview, and specifically went out of my way to emphasize to her that that was not the case, and made her repeat back to me this point so that she would not get it wrong in the article. This misrepresentation is serious, because it implies that under the duress of terrorism I have changed my principles on the importance of cryptography for protecting privacy and civil liberties in the information age.

Because of the political sensitivity of how my views were to be expressed, Ms. Cha read to me most of the article by phone before she submitted it to her editors, and the article had no such statement or implication when she read it to me. The article that appeared in the Post was significantly shorter than the original, and had the abovementioned crucial change in wording. I can only speculate that her editors must have taken some inappropriate liberties in abbreviating my feelings to such an inaccurate soundbite.

In the interview six days after the attack, we talked about the fact that I had cried over the heartbreaking tragedy, as everyone else did. But the tears were not because of guilt over the fact that I developed PGP, they were over the human tragedy of it all. I also told her about some hate mail I received that blamed me for developing a technology that could be used by terrorists. I told her that I felt bad about the possibility of terrorists using PGP, but that I also felt that this was outweighed by the fact that PGP was a tool for human rights around the world, which was my original intent in developing it ten years ago. It appears that this nuance of reasoning was lost on someone at the Washington Post. I imagine this may be caused by this newspaper's staff being stretched to their limits last week.

In these emotional times, we in the crypto community find ourselves having to defend our technology from well-intentioned but misguided efforts by politicians to impose new regulations on the use of strong cryptography. I do not want to give ammunition to these efforts by appearing to cave in on my principles. I think the article correctly showed that I'm not an ideologue when faced with a tragedy of this magnitude. Did I re-examine my principles in the wake of this tragedy? Of course I did. But the outcome of this re-examination was the same as it was during the years of public debate, that strong cryptography does more good for a democratic society than harm, even if it can be used by terrorists. Read my lips: I have no regrets about developing PGP.

The question of whether strong cryptography should be restricted by the government was debated all through the 1990's. This debate had the participation of the White House, the NSA, the FBI, the courts, the Congress, the computer industry, civilian academia, and the press. This debate fully took into account the question of terrorists using strong crypto, and in fact, that was one of the core issues of the debate. Nonetheless, society's collective decision (over the FBI's objections) was that on the whole, we would be better off with strong crypto, unencumbered with government back doors. The export controls were lifted and no domestic controls were imposed. I feel this was a good decision, because we took the time and had such broad expert participation. Under the present emotional pressure, if we make a rash decision to reverse such a careful decision, it will only lead to terrible mistakes that will not only hurt our democracy, but will also increase the vulnerability of our national information infrastructure.

PGP users should rest assured that I would still not acquiesce to any back doors in PGP.

It is noteworthy that I had only received a single piece of hate mail on this subject. Because of all the press interviews I was dealing with, I did not have time to quietly compose a carefully worded reply to the hate mail, so I did not send a reply at all. After the article appeared, I received hundreds of supportive emails, flooding in at two or three per minute on the day of the article.

I have always enjoyed good relations with the press over the past decade, especially with the Washington Post. I'm sure they will get it right next time.

The article in question appears at

-Philip Zimmermann
24 September 2001

(This letter may be widely circulated)

Version: PGP 7.0.3

iQA/AwUBO69F2sdGNjmy13leEQIn+QCg2DjDeyibtRe61tUSplSAobdzAqEAoOMF ir3lRc4c1D/0Mmmv/JtP/E73 =HmRO

This discussion has been archived. No new comments can be posted.

Philip Zimmermann and 'Guilt' Over PGP

Comments Filter:
  • by SuiteSisterMary ( 123932 ) <> on Monday September 24, 2001 @12:53PM (#2341695) Journal
    Only their users. And remember, good and evil are relative. Not everybody thinks like you do.
    • Good and evil are not relative. Moral relativism is a weak and wrong idea.

      There are those who are evil. They desire nothing other than to prey upon their fellow human beings.

      There are those who are good. They do nothing but help fellow human beings.

      • by Derek S ( 19004 )
        It would appear, then, that there are no good or evil people in the world.
      • So, would you say these indivudials have been "possesed" by "agents of Satan?" Absolute morality is a farce- relativism is the only obvious truth simply because there is a range of ideas. Those who did this felt righteous in what they did- or they wouldn't likely have done it. There are no such things as people that are evil and "desire nothing other than to prey upon their fellow human beings." Or maybe we're all these people- after all, we've all done something immoral.

        Absolutism smacks of religion, especially Christianity, which more than most religions, claims that all morals are absolute, and (surprise!) their morals are the absolutely correct ones.

        Just because you think you're right doesn't mean you are- regardless of whether or not your religion justifies it. Nor does it mean those who differ from your are wrong. But such is the purpose of religion- to give people something behind which to rally (absolute morality), and an enemy to against which to fight (those with a different set of absolute morals).

        • Religion is irrelevent to the question of absolute right and wrong. People who mix them -- on either side of the argument -- are off base.

          For example, slavery has been determined to be an absolute wrong by modern society.

          • For example, slavery has been determined to be an absolute wrong by modern society.

            I'm I the only one to get a chuckle out the irony of this statement?

            If something is an absolute it doesn't need to be "determined." It just is. Furthermore, by stating that modern society has determined it to be wrong you imply (correctly) that society at one point thought differently. Again, if something is absolute it has been for all times and under all conditions.
            • If something is an absolute it doesn't need to be "determined."

              Absolutely false.

              Furthermore, by stating that modern society has determined it to be wrong you imply (correctly) that society at one point thought differently.

              Well, frankly, duh. All "rights" and "morals" are artificial constructions of human society. We decide as a society what is right and wrong in order to enhance and maximize civilization. For example, when murder was determined to be wrong, civilization was enhanced. When slavery was outlawed, stable civilization was enhanced.

              Or do you think slavery should be allowed as a "cultural difference"? If some African country decided to start selling its citizens to another country, is it none of our business and it's just a "private transaction"?

        • You are running a logical circle. Saying that good and evil are relative is an absolute in and of itself. Now, just because good and evil are absolute, doesn't mean that we KNOW what those absolutes are... our interpretations are relative - "absolutists" think that they "KNOW" the absolute truth. This is the real problem.
    • by slackr ( 228760 ) on Monday September 24, 2001 @01:31PM (#2341933)
      No! Tools are definitely evil! The Wright brothers should have ben executed immediately for inventing their flying building-knocker-down contraption!
    • Right. But if good and evil are relative, then who's to say that murder is wrong? It's all relative right?
  • by Stickster ( 72198 ) on Monday September 24, 2001 @12:58PM (#2341739) Homepage
    We who live in the D.C. area are very familiar with the Post's penchant for "manufacturing" stories where none exist. Mr. Zimmerman unfortunately was the party on the receiving end of the editorial foul play in this particular case.

    As a community, we should recognize that the Post as well as other news media outlets are NOT in their line of work to provide complete and unbiased coverage of events. They are in business to make MONEY, and that is a goal that creates in and of itself conflict of interest with reporting the truth in most (if not all) cases.

    I wish the readership of the Post was going to be privy to Mr. Zimmerman's clarifications in the same way we /.ers are.
    • I wish the readership of the Post was going to be privy to Mr. Zimmerman's clarifications in the same way we /.ers are

      Agreed! I know it's not really a good discussion question, but we should ask Mr. Zimmerman if we can forward his letter to the Post's editorial board. What he wrote should definitely be published.

      • The end of Zimmerman's message says it can be freely distributed, so forward away.

        • Yes, I saw that, but I wonder if the Post would print something they got from a third party. That is, would a non-computer saavy editor recognize the PGP signature and see it as valid, or just assume that I'm some wacko saying, "Yeah, Phil told me this on the street yesterday. Publish it and attribute it to him."

          I'll send it in though.
          • My apologies for responding to my own post. Here is the Post's policy on publishing letters:
            Letters must be exclusive to The Washington Post, and must include the writer's home address and home and business telephone numbers. Because of space limitations, those published are subject to abridgment. Although we are unable to acknowledge those letters we cannot publish, we appreciate the interest and value the views of those who take the time to send us their comments.
            Source: 01-2000Mar5.html [].
            Thus, Mr. Zimmerman needs to send it himself.
            • would a non-computer saavy editor recognize the PGP signature and see it as valid, or just assume that I'm some wacko saying, "Yeah, Phil told me this on the street yesterday. Publish it and attribute it to him."

            As opposed to manufacturing quotes falsely and deliberately? They'd have to get some integrity before this would become an issue.

            That said... I blindly trusted that the letter above is from Phil. More fool me.

  • Now that the encryption tools, which are not evil, but can be used for such just like a car or a hammer or a computer or virtually any other useful thing, are out there with full source code and all, does anyone seriously think the nasty bad men

    1) will upgrade to the new CIA-approved encryption technologies, should they pass, or
    2) will not be able to extend the previous technology as computers get faster

    The genie is out of the bottle. All we can do is allow government to pry into the lives of honest, law abiding citizens with new back doors.

    It's the same as *strict* gun control - criminals already won't follow the law, so they aren't going to suddenly turn in their guns if they become illegal. Oh, guess I'll have to find a new way to break the law, now that guns are illegal.
  • So, let's blame Babbage for the computer, Ford for the everyday automobile, Bell for the telephone, ...

    Everyone's been lashing-out at the wrong people lately (all Islamics, Zimmerman, ...). They just don't know where to direct their anger. But as long as we know they're not justified, it's not so bad.

    • someone else always has to take the blame.

      at least w/the recent bullshit about a national ID I can blame it on that idiot from Oracle and not the government. ;)
  • What do you think about the idea of having government backdoors in crypto standards?
  • If they hadn't invented the airplane, none of this would have happened, right?

    In fact, it's clearly Bernoulli's fault - if he hadn't told everybody all that business about particles in motion exerting less pressure to the sides, none of this would have happened.

    No, Phil, if you hadn't invented it, someone else would have. You're on the right side. Tools are not evil and privacy is important, even when abused. Don't give it another thought. Be strong.
  • Future of pgp (Score:5, Interesting)

    by Darkstorm ( 6880 ) <lorddarkstorm@ h o t m a> on Monday September 24, 2001 @01:01PM (#2341762)
    Although I don't use pgp on a daily basis I do occasionally use it and wish that more businesses supported it for use in email. I would much rather encrypt personal information being sent to a company but they don't support it.

    Is there any plans for improving pgp's ability to incorporate itself into email programs and other forms of internet communications that will make it easier for companies and end users to use?
    • Re:Future of pgp (Score:3, Interesting)

      by tim_maroney ( 239442 )
      Is there any plans for improving pgp's ability to incorporate itself into email programs and other forms of internet communications that will make it easier for companies and end users to use?

      Take a look at this usability study on PGP []. The design hasn't moved forward much since the study was done. PGP is so difficult to use that it may have created a new category: "insecurity through obscurity."

  • Hotmail? Internet Cafes? Who needs encryption when you can walk into a cafe and log on to and use keywords instead of blatant text?

    Sheesh. I mean there may be a lot of guilt to spread around, but this is ridiculous.

  • backdoor shit. (Score:2, Redundant)

    by garcia ( 6573 )
    It is obvious (at least to me) that you do not support adding backdoors to encryption software.

    My question is: is this a true statement (in light of recent events) and do you personally believe that the current maintainers of the PGP software will be against such actions (even though they will have to comply)?

    Also: how "clean" do you believe the software is (after you left)?

    I am sorry to see that you were misquoted, they seem to like to do that to make their stories seem more interesting. Reminds me of Good Morning Vietnam.
      • the current maintainers of the PGP software will [...] have to comply [with putting in back doors]

      Only the people working on or selling versions in a jurisdiction that mandates it.

      Hmm. If I develop PGP-ish code (i.e. do the typing) inside the USA, but it's stored entirely on servers outside the USA ((barely) workable with current technology), and sold and marketed entirely outside the USA, will I still go to jail under the proposed legislation? Or if I go outside of the US to work on it, then re-enter the country, do I get Sklyarov'd? Questions to ask of any proposed bill.

      The worst part is that if I were forced to put in backdoors, I'd want to leak the details during development to make it absolutely clear that the whole idea is flawed and unworkable before it even rolls out. But by doing so, I'd cut the throat of my own company. What a bind.

  • Thanks Phil (Score:5, Insightful)

    by sulli ( 195030 ) on Monday September 24, 2001 @01:04PM (#2341771) Journal
    I was very skeptical of that article. My question: Has the Washington Post apologized or printed a correction? Better yet, have they offered to run your comment as an op-ed? They really should.
    • Re:Thanks Phil (Score:2, Informative)

      by reynaert ( 264437 )
      Here in Belgium, if you're named in a newspaper article and feel misrepresented, the newspaper is required by law to publish your reply.

      Apparently, no such law exist in the U.S.
      • Re:Thanks Phil (Score:3, Insightful)

        by j7953 ( 457666 )
        Here in Belgium, if you're named in a newspaper article and feel misrepresented, the newspaper is required by law to publish your reply.

        We have a similar law in Germany, but the reply the newspaper is forced to publish is limited to a reply only to the statement that you felt was wrong. So making use of this law wouldn't be appropriate in this case -- Mr. Zimmermann couldn't write anything beyond "The statement made by the Washington Post is wrong. I am not feeling guilty." I guess this wouldn't make him appear as one of the good guys.

  • by Bruce Perens ( 3872 ) <> on Monday September 24, 2001 @01:06PM (#2341776) Homepage Journal
    PGP empowers people to exchange secrets. Computers empower people to run flight simulators and much else. The internet empowers people to meet each other, organize, and exchange data. All are used for great good, and some evil. One of the things that threaten government and large industry the most is the fact that these technologies empower the individual in a way that only government and industry were empowered before. They would like to use the excuse that these technologies can be used for crime to remove them from everybody's hands.

    What strikes me about this tragic disaster is the way government is targeting technologies that are not connected with the crime, simply because the implication that they could be used is there, using the need to protect the people as a hollow justification to remove our rights.


    • OK... let's carry this out to the logical end. What if everybody had The Bomb?

      I mean, right now "only government and large industry" can build the The Bomb. Wouldn't life be better if everybody had it?

      Oh wait... somebody just went postal in the next county over. The news is telling me I have 2 minutes before the fallout hits.

  • by shomon2 ( 71232 ) on Monday September 24, 2001 @01:10PM (#2341787) Journal
    I'm sorry to hear about the misrepresentation. I'm sure as well that they will do better next time. It's very important that your reaction to this mistake wasn't anger, which is what I'd have expected of a lot of people. Anyway, here's my question:

    To what point would you go with PGP? For example, if it were outlawed, or you considered your life to be threatened through some government's outlawing of it, would you stop working with it, or supporting strong crypto? And if you would actually "go underground" if you sincerely believed that it would help people's freedom, do you think it would matter?

    What I mean is... do you think the internet(email, freenet, www, etc) could still be seen as a place where people can somehow communicate and share information, even under a regime that tried hard to stop that information being shared?
  • by doomicon ( 5310 ) on Monday September 24, 2001 @01:10PM (#2341789) Homepage Journal
    Couple honest questions I would like to ask within this thread for clarification on this issue?

    1. What are the uses of cryptography as a "Human Rights Tool"?

    2. If in fact tools such as PGP are used by terrorists, how do governments protect against this?

    Any information provided would be greatly appreciated.

    • by Bonker ( 243350 ) on Monday September 24, 2001 @01:29PM (#2341922)
      This is probably a troll, so mod me down for biting.

      1. What are the uses of cryptography as a "Human Rights Tool"?

      Okay, say you live in China, where the government is known to imprison members of certain religous groups using rather spurious claims that these groups are 'terrorist groups'. You've heard of the Faulan Gaun (sp?).

      How else do you meet and exchange information and be free in your religion (which the U.S. considers a 'human right') without the aid of data encryption. There are a few ways to do it, but data encryption is the safest and fastest way to do so.

      By the same token, look at Amnesty International's website. You won't be able to in China, or other certain countries, unless you use a proxy that bypasses the national filtering. Then, you won't be able to do it safely unless unless your connection to that proxy is encrypted so that you can't be spied upon. Safeweb rocks for surfing pr0n at work. It is essential tool for individuals in China who want to learn about the world around them without seeing it filtered through the prejudices of the Communist Party.

      One last example. Say you are an Amnesty International worker in a country where your work is only barely tolerated, like Afghanistan. If you're smart, you'll hide evidences of human rights abuse behind strong encryption so that the collection of that evidence can't be used against you by a hostile court. Bescrypt is the first tool that comes to mind, but I know that there are equally good open source tools that will do the same job.

      I could go on and on. Remember that these 'belligerant' governments aren't the only governments that try to violate human rights. The U.S. government will do it if they can get away with it. You've heard of Echelon? Carnivore? These privacy invading tools are completely useless in the face of 2048-bit strength DSS encryption, which is the default key-length in PGP.

      Kevin Mitnick's laptop, which is still in posession of the Fed, has *yet* to yeild up any of his secrets that could be used against him because the data inside was encrypted. I think many /.ers feel like Kevin's rights were repeatedly violated. The data in his laptop cannot be used against him to further violate his rights after he's finally out and about to be able to work again.

      Encryption is a wondrous power. Let's *not* give it up just because it rubs LEO's the wrong way. The police already have enough power to solve even the most heinous of crimes, just as they are *currently* doing in the WTC attack. Let's not give them more than they need.
      • Okay, I posted the above as a mental excerise and then switched over to Wired News where I read the following:,1283,47074,00 .html []

        ISLAMABAD, Pakistan -- The Taliban have threatened to execute any U.N. worker who uses computers and communications equipment in Afghanistan, forcing a near halt to the remaining relief work in the country, U.N. officials said Monday.

        The militia raided U.N. offices in Kabul, the capital, and Kandahar, where the Taliban leadership is based, during the weekend and sealed their satellite telephones, walkie-talkies, computers and vehicles to bar them from use, according to U.N. spokeswoman Stephanie Bunker.
    • 1. What are the uses of cryptography as a "Human Rights Tool"?

      Perhaps you wish to speak out about about something which the government of your country forbids. People who are oppressed in certain ways by their government cannot improve their situation if discussion of improvement can lead to death.

      2. If in fact tools such as PGP are used by terrorists, how do governments protect against this?

      They cannot, they have to find another way. Not only can gavernments not see what a terrorist group might be saying if they encrypt it, but they cannot stop the terrorists from using the encryption. Remove the words "such as PGP" from your question and think about it more.
      • 1. What are the uses of cryptography as a "Human Rights Tool"?

      To pass information, opinions and political speech around or into and out of oppressive regimes (e.g. China, Afghanistan) without being prosecuted for the content. For example, in China, any criticism of the government is punishable, while in Afghanistan, you can be locked up for the heinous crime of organising a makeover for a female friend.

      The only option left to the regime is to then make it illegal to use unbreakable encryption at all, so they can just assume guilt and lock you up for that. Horribly, the UK has already done that, and now (potentially) the USA is going to join them. Sure, if you just prove your innocence, you probably won't currently be punished for the content of the message, but before the Taliban took power in Afghanistan, nobody expected that they'd ever be locked up for discussing lipstick.

      A truly benevolent government will go out of its way to protect against excesses by a future corrupt government, c.f. the US Constitution. That begs the question of whether the current UK and US governments are already corrupt, or whether they're just astonishingly stupid. Either way, it's not good news.

      • 2. If in fact tools such as PGP are used by terrorists, how do governments protect against this?

      Same way that they protected against 'phone calls, letters, dead letter drops, personals ads, and face to face meetings. By using intelligence services. Specifically, by having real people working on the inside. The CIA has been tied up in red tape in this regards since 1995, and we've just seen the results of that. The tools have changed, but the solution is the same.

    • If in fact tools such as PGP are used by terrorists, how do governments protect against this?

      I think they must come up with better ways of finding terrorists than looking through everyones email, or listening to everyones phone calls. In reality if it wasn't for the fact that computers can parse and match words very fast the government wouldn't even bother. Since there is no way they could possibly listen to millions of phone calls a day they don't try. Who is to say that they are even using email? I can still write anything I want on paper and for some change can send it anywhere in the country. Although not as fast no one will open it and read it. PGP just keeps the government from mass looking for keywords in email and other internet traffic. Why should they have the right to do something just because it is possible? I agree that terrorism is a problem, but by putting a backdoor in legitimate software does not stop them from hiring someone to create illegal software that will do the same thing. Might not be as good, but by the time someone figures it out it would probably be too late.

      I don't use pgp allot, but if I wish to send information to a friend it is nice to know I can make it private if I want. Its not that I NEED pgp everyday, but I want the choice. Same as I want a choice of whether I want to buy a gun to protect my home. I don't own a gun, but I would like to have that choice. If we don't protect the rights we have, even if we are not using them, they will take them away.
    • "1. What are the uses of cryptography as a 'Human Rights Tool'?"

      If Nostradamus had PGP way back when he would have never had to write his predictions in his own made-up language (and even then in cryptic generalities) and we wouldn't have to deal with all this spam mail about him predicting S11's events.

    • by ajs ( 35943 )
      If in fact tools such as PGP are used by terrorists, how do governments protect against this?

      Ignoring the Tom Clancy-esque view of our intelligence service as a jewel of freedom, what you describe is not a desirable goal. "Protecting" the government from the privacy of its citizens (and those of other nations) is about as awful as protecting them from my freedom to vote.

      It's a disturbing reality that when you give people privacy, some will discuss how to blow up your cities. Revoking their freedom to discuss such things is called law enforcement, and it happens by punishing them for committing acts of agression, not for having privacy.

      If my mother had been in the WTC, and it were CLEAR that PGP had been used to communicate how to attack, I would still fight to MY death to protect our right to use it. Terrorism can be stopped, but if we give up our freedom to do it, we've defended nothing.

    • Hey,

      What are the uses of cryptography as a "Human Rights Tool"?

      On Phil Zimmerman's website, he has some letters from human rights groups []. You might consider looking at them.

      If in fact tools such as PGP are used by terrorists, how do governments protect against this?

      They don't, to put it simply. There would be no beneift - I don't think the terrorists would send e-mails saying "Ready for the WTC attack on 09/11, I have brought knives and plane tickets". They would use a code of some sort, or maybe even phone calls, postal mail or even face-to-face meetings.

  • This isn't a question for Zimmermann, it's a question for anybody who knows. What can you do when, like him, you're misquoted in by a journalist?

    From the sounds of it, he did everything you could expect someone to do to avoid being misquoted. He emphasized to her he did not feel "overwhelmed with guilt", had her read the article to him over the phone before it was published, and was still misquoted thanks to an editor.

    I imagine in certain circumstances you could sue the newspaper for libel, but what else can you do? What are your rights to: 1) not sound like a complete moron, 2) not be quoted out of context, 3) not be misquoted, 4) not have words put in your mouth.

    And while we're on the topic, another question for the masses. From what the DoJ and others are doing, I'm getting less and less willing to send my email in plain text. The problem is that my technically unsophisticated friends don't have PGP, and I'm afraid it might be too tough for them. I know I could point them at hushmail ( []), but are there any other good options? Also, what good arguments can I use to convince them it's worth the effort?

    Btw, by "technically unsophisticated" I mean one until a couple of months ago was using a 486 and windows 3.1. I can't expect them to switch to Linux yet, but I want to help them find a good way to use pgp.

    • What can you do when, like him, you're misquoted in by a journalist?

      Assuming you really were misquoted (and this is a pretty egregious case), you should do the following:

      1. Talk to the journalist directly. Find out what happened, and tell the journalist that you won't be a source again unless it's corrected. Responsible papers run corrections routinely.

      2. If it's not corrected that way, write a letter to the editor explaining how you were misquoted and setting the record straight.

      If, however, you did make the comment and it was taken out of context, or you gave him/her the response he/she was looking for ("Are you angry that Microsoft is shipping XP?" "Yes" can lead to unfavorable press, for example) you don't have much recourse as this really is the prerogative of the journalist. In this case you just need to be more careful, and if possible pick a fairer reporter to give your story to next time.

    • Actually, the changes the paper made make me think of semantically engineered propaganda. I have yet to ever hear of anyone Ive ever known get quoted right in any paper. I strongly suspect that standard practice in media is to modify 'quotes' to support whatever political agenda the journalist or paper has. The solution, of course, is never ever talk to a journalist for any reason. They will never help get _your_ message out, they'll use you to get _their_ message out.

      What the free press gives us today is propaganda. It has been for a long time. The only chance anyone has to get informed is to listen to all available views and try to sift out the truth somewhere. If there is a truth.

      It's rather hard to convince people to encrypt mail; there simply isnt enough reason for most people. Even the more technically sophisticated people I know rarely use crypto, simply because most of their email is either company internal or jokes. Neither of which qualifies for encryption for various reasons. Important company communications going to external parties would qualify, but not many below management level sends that kind of info (and management... well, raise your hand anyone whose corporate management has any clue about security...).

  • by JPMH ( 100614 ) on Monday September 24, 2001 @01:12PM (#2341798)
    The idea is seriously being canvassed in the UK, of making it a criminal offence to send strongly encrypted material by email, or to put it up on a web page. Could such a law be enforced ?
    • Could such a law be enforced ?

      Not without making criminals of tens of millions of law-abiding users. I for one think that alone makes it unrealistic.

      Maybe Slashdot should do a poll: Would you knowingly violate a law that bans strong encryption without backdoors? I bet "Yes" would be >90%, and "CowboyNeal" would be well in excess of "No."

      • The idea is seriously being canvassed in the UK, of making it a criminal offence to send strongly encrypted material by email, or to put it up on a web page. Could such a law be enforced?

      Unlikely. A better response would be to increase the penalties under RIPA for not disclosing your encrpytion keys, to 20 years or so. That way, you have a targetted weapon to use against people who you genuinely believe are Really Bad.

      By the way, I think RIPA is vile and reprehensible, I'm just saying that it's slightly less vile - and more useful as the tool of a still slightly honest government - than a blanket ban.

  • Obviously after developing one of the most profound applications in the computer world (take all the complex problems of high-speed encryption over insecure channels and bundle them into an easy to use program), we have come to a self-evident belief that you support cryptography. But with the US government already in over react mode, and consider weakening crypto after years of progress in the other direction, we find ourselves in a nasty situation. And though the answer is obvious that we need to persuade a vote against anything like this, I am led to believe that you have more experience in such things than the majority of the people on this site. So we ask, exactly what is the best method to ensure that your complaints are both heard and regarded as something other than raving lunacy.
  • by ddstreet ( 49825 ) <> on Monday September 24, 2001 @01:15PM (#2341814) Homepage
    I'll admit I'm not extremely knowledgable about government regulation of encryption. But it seemed to me that previous US Governement crypto was basically focusing on controlling the exportation of 'strong' (large key?) encryption, not on the internal (by US citizens) use of encryption.

    My question is, will export regulations help at all? By 'help', I mean 'accomplish what the US Government wants to happen', which I assume would be reducing the strength of encryption available outside the US. The only way I can see export regulations helping is if the large majority of R&D into encryption is done inside the US. Do you know how much work is done inside and/or outside the US in the field of encryption, and would cutting off US encryption research from the outside world (assuming that is possible via regulation) have a major impact on encryption available out of the US, or an impact on the field of encryption itself?

  • Wanting to put back doors in crypto is just like a lot of the firearm control laws to me. What the people that want them don't realize is that criminals DO NOT follow laws. If I'm going to go shoot someone do you really think I'm going to get a gun the legit way and fill out the paperwork? If I'm going to encrypt my email for terroristic purposes, am I really going to use a tool with a back door?

    NO! So it just wastes time and costs everyone money.
  • A Related Question (Score:5, Interesting)

    by jalefkowit ( 101585 ) <.moc.ztiwokfelnosaj. .ta. .nosaj.> on Monday September 24, 2001 @01:16PM (#2341824) Homepage

    I wonder why the reporter didn't think to ask the CEO of Boeing [] if he is tormented by feelings of guilt? After all, the attacks showed us that he makes his living selling giant flying bombs that Very Bad People can use to kill thousands of our people in one fell swoop. Surely he must agree that he and his company have blood on their hands, right?

    Of course not. Boeing isn't responsible for this tragedy, and neither is Phil Zimmerman (and kudos to Phil for standing up and saying so). Boeing's aircraft have contributed immensely to our national economy by helping make easy commercial air travel possible. Strong crypto has contributed immensely to the economy by helping make the online world a safe, secure place to do business. Both have been misused by evil men to do a great wrong; but they are just tools, with no moral implications beyond those transferred to them through the hands of those who wield them. To place the blame anywhere else is to absolve the monsters behind the attack of the full weight of their crimes.

    -- Jason Lefkowitz

    • I instantly disagreed with your analogy but had to think for a while before deciding why:

      I think the difference is that an aircraft is designed to transport passengers and cargo through the air, and in this case was transformed into a destructive tool. (Same for the box cutters used in the hijackings.) Cryptography, on the other hand, is designed to conceal information. If PGP or other crypto was used in the WTC attacks (which I haven't seen anything conclusive saying it was) it was used in precisely the job for which it was intended.

      A better analogy is to guns. They make individuals less vulnerable and more powerful, which can be used for all sorts of good and bad purposes.

      I've had similar conversations with my father-in-law about working on scientific research that could potentially make for bad uses. I appreciate the importance of ethical oversight in all firelds of science and engineering, but I feel a lot better about my biomedical research, even with the potential for abuse, than about his work on H-bombs that in his opinion (and mine) contributed to the preservation of democracy.
  • What's worse than encryption in the wrong hands? No encryption for anyone. That leaves everything a free for all for all terrorists and crackers.

    I'm happy that I can use encryption to communicate, especially when dealing with my computer's security. Regretfully, these tools may have been used by bad people, but encryption has prevented many magnitudes of more trouble from being possible. Its good that we have these tools and I have many great thanks to those who advocate their use and security.
  • What's your current experience with US law enforcement like? I know that you were harassed for some time just for developing PGP, are you still harassed? How do you feel about the US law enforcement in general?

    I know a lot of questions, but I'm curious to know how you feel after all that you have been through.

  • Since the NYC tragedy I've found that the media has gone berzerk; losing all ability to provide rational and impartial coverage of the situation.
    Despite lacking confirmation from official sources that encryption played a pivotal role and (more worrisome!) despite lacking proof, it seems that the collective mind of the media has fixated on encryption as the reason the terrorists were successfull.

    Obviously without the airplane this tragedy could never have happened, yet nobody blames the Wright brothers. Why do you think a double standard is being applied to your work and encryption tools in general- when (like the airplane) the potential for good *far* *far* outweighs any potential for bad?
  • I would like to ask PKZ a question that I have struggled with. Is it appropriate for governments to engage in electronic snooping at all? Is there an appropriate role for organizations like the NSA? If the answer to the first question is "yes", then why should the object of that snooping be limited to only fools too folish to not use something like PGP?

    My own position is confused and contradictory. I see personal communication mechanisms and security a force for good. I think that US interests would actually be served if everyone in Central Asia had the ability to communicate privately and securely with anyone they wish to. I also believe that it is a proper part of the job of governments to spy. I have problems reconciling these views.

    • why should the object of that snooping be limited to only fools too folish to not use something like PGP?

      So the government can do something radical, like say *gasp* get a warrant and install a keylogger on the source machine, or get a warrant for the key. Why does the fact the communication is electronic make it any different from anything else?

  • by regexp ( 302904 ) on Monday September 24, 2001 @01:29PM (#2341918)
    Rather than just clarifying his views for the Slashdot audience, Zimmermann should bring this up with the Washington Post's ombudsman. []

    Situations like this are pretty much the reason the Post has an ombudsman.

    As Zimmermann says, the Washington Post usually takes accuracy very seriously. I'm sure they will give this the attention it deserves.

  • by neo ( 4625 ) on Monday September 24, 2001 @01:31PM (#2341934)
    Privacy of communication appears to be extremely important. My private conversations should only involve the persons intended to hear them, or many ideas might never be expressed.

    Privacy for citizens carries much more weight than privacy for organizations. Government agents who wish secrecy can afford many levels of secrecy to ensure private communication. Political groups, like terrorists, can also hide their actions through secrecy. Removing secure communications from normal citizens in an attempt to discover political groups is horrible doomed to only remove private speach from the citizens.

    There is, however, one divide where people are lost from this equation. Currently private communication requires money. PGP is not available to the vast majority of those under the poverty line. What, if anything, are you doing to bridge this gap?
  • by weslocke ( 240386 ) on Monday September 24, 2001 @01:33PM (#2341952)
    >PGP users should rest assured that I would still not acquiesce to any back doors in PGP.

    It's really good to have a veteran with the possibility of being a champion for privacy issues. Afterall, we all know for a fact that Phil's willing to run the gauntlet in defense of what he thinks is right... I would think that's been proven.

    I just hope it won't be necessary to go to the lengths that happened last time.
  • The PGP signature at the end of this article is unverifiable. Can you please link to a version of the article with proper begin/end borders and whitespace preserved?
  • Crypto doesn't kill people.
    People kill people.
    Encrypt Bears!
  • Do you have any wish or intent to have the Post make a correction to their article? I don't know any of the numbers, but it seems to me that a lot more people read the Post than Slashdot. Personally I would want the Post readers to know what I really said, and I also think that the Post would be obligated to make such a statement, to maintain their own 'integrity' and accuracy.
  • Let's assume that Congress passes a law making it illegal to use any encryption software without a 'back-door'. One of the solutions to the ordinary user is to hide his/her encrypted text using steganography. There's been a little bit published about detecting whether an image/music/video file has secret information hidden in it, I believe via the use of statistical analysis. Are you familiar with this? I haven't seen anything authoritative as to whether it's possible and I'm wondering whether you have some insights.

    Specifically, if I were to take a picture with my digital camera, then bury my encrypted text in it using steganography, then send that picture to my friend via e-mail, is it possible for a third party who's intercepted that email to determine whether or not it has encrypted information in it? I'm not talking about the possibility of breaking it, just whether or not they can detect that I've done something ostensibly illegal.


      • Let's assume that Congress passes a law making it illegal to use any encryption software without a 'back-door'. One of the solutions to the ordinary user is to hide his/her encrypted text using steganography

      Why bother even hiding it? Just encrypt your plaintext with any old pre-backdoor package, then backdoor encrypt that, and send it. To even look inside the backdoor encrypted version, the gubmint needs to get a court order, and if it's come to that, you're already in a world of shit.

      Mind you, they could just claim that they got a FISA warrant, and how are you going to prove otherwise? Erk. OK, your idea has a fair bit of merit after all.

  • by Zwack ( 27039 ) on Monday September 24, 2001 @01:44PM (#2342043) Homepage Journal
    Thank you Phil for producing PGP, for standing up for what you really believe, and for re-evaluating your beliefs after this tragic event.
    Given the use of techniques like steganography and Chaffing and Winnowing to hide messages with or without encryption, and the many ways of communicating without openly passing a message (codes, one time pads,...) laws on cryptography are obviously pointless as far as stopping terrorism is concerned.
    So, What would you like to see being done? What measures do you think might be effective against terrorism?
    I don't have any answers, but I haven't seen any that seem effective to me either.

  • > I can only speculate that her editors must have taken some inappropriate liberties in abbreviating my feelings to such an inaccurate soundbite.

    You can speculate what you like, but the fact remains that the paper blatantly misrepresented Phil's opinions in order to further the current agenda of cracking down on civil liberties.

    This distortion is not a coincidence, it's probably not deliberate either, but people who are sufficiently indoctrinated hear what they want to. Mainstream media is even more laughably distored than normal at the moment. Suddenly the media is full of convenient statistics "80% of US population favors back-doors in encryption". And what percentage of the US population has any idea what the hell that means ? What was the queston "Do you favor laws that make it harder for terrorists to communicate in private ?" or "Should it be illegal for people to try to stop others from monitoring their communication ?"

    The media is just as accurate about other stuff. They laud George Jr's "bravery" without a trace of irony, like the jester in the Holy Grail "When danger reared its ugly head,
    He bravely turned his tail and fled...." Meanwhile the cowardly terrorists were cowardly
    giving their lives for their beliefs. Fanatical assholes, sure, but cowardly ?

    The distortion is much worse than you think. The entire language is adjusted in a thoroughly Orwellian fashion. When people on our side die, the "terrorists" cause the "murder of innocent, men, women and children". Fine, this is accurate. However, when we do start beating up on Afghanistan. "Military commanders" will replace "terrorists" and "inevitable collateral damage during surgical strikes" will replace "bombing civilans". It's very difficult to reason about something when the terms are properly loaded.

    The language molesters will be hard at work over the next few months. The funny thing is that when we hear blatant distortions in the other direction, (eg "The great satan") we laugh at the stupidity and talk about how these people have been brainwashed into believing all sorts of nonsense. There is a widespread belief that the terrorists killed themselves because they believed they would be rewarded with 72 virgins in heaven. It's time to reconsider who has been brainwashed.

  • In case they decide to change it or post a retraction (everybody contact the editors?), here's the quote right now:

    Like many Americans, Phil Zimmermann, a stocky, 47-year-old computer programmer, has been crying every day since last week's terrorist attacks. He has been overwhelmed with feelings of guilt.

    Zimmermann is the inventor of a computer program called Pretty Good Privacy, or PGP. He posted the tool for free on the Internet 10 years ago; it was the first to allow ordinary people to encrypt messages so only those with a "key" could read them. No government or law enforcement agency has been able to get in.

    ... In a telephone interview from his home in Burlingame, Calif., Zimmermann said he doesn't regret posting the encryption program on the Internet. Yet he has trouble dealing with the reality that his software was likely used for evil.

  • by Frizzled ( 123910 ) on Monday September 24, 2001 @01:48PM (#2342073) Homepage
    what, would you say, is the flaw to backdoor'd crypto and how would you explain this defect to someone who lacks a wide knowledge of computers, especially in light of recent events?

    thanks, _f
  • 1) If I understand correctly, PGP (and other programs of similar nature) use public-key encryption for the secret key, which is then used to decrypt the message. This, IIUC, is because public-key encryption is usually painfully slow. However, elliptic-curve algorithms look to be a lot faster than, say, RSA, which suggests that you could use public-key for the whole thing. Fewer algorithms mean fewer potential holes.

    If you had the time & inclination to write a PPGP (Probably Pretty Good Privacy :), would you opt for the public & secret key approach, or a straight public key?

    2) With regards to those who "artistically" adapted your "guilt" remarks, do you plan on hanging them by their toenails, or using them as shark toys off the Florida coast? :)

  • It appears to me that the US government didn't have the capability to react to unencrypted, even overt acts by these terrorists. After all, they entered the country using their real names (mostly), rented apartments, used credit cards, made airline reservations, and took flight lessons. In some cases they did all this while they were on a "watch list". I suspect that the encryption reaction is a knee-jerk diversion to focus attention away from truly pathetic intelligence processing.

    I've seen reports that they sent email unencrypted, and used information hiding, but I haven't seen anything besides speculation that they actually used encryption.

    Have you seen any specific evidence that indicates these terrorists actually did use PGP (or any other encryption, for that matter)?
  • Wow (Score:3, Interesting)

    by NitsujTPU ( 19263 ) on Monday September 24, 2001 @01:50PM (#2342096)
    This misquoting is absolutely incredible in scope. I've been afraid of being misquoted before, but this quite well takes the cake. The individual writing the article wanted to write ONE THING smacking about the crypto community and perhaps even programmers in general, and took the quotes WAY out of context AND pretty much just took sentences and cut out all the words that he needed.

    This is like me saying

    "So, if I get my girlfriend a cat, this is what she wants for Christmas?"

    and being quoted as

    "My girlfriend" "is" "a cat."
  • Quantum Cryptography (Score:5, Interesting)

    by KjetilK ( 186133 ) <kjetil @ k> on Monday September 24, 2001 @01:52PM (#2342114) Homepage Journal
    We all know that a working quantum computer will make the current algorithms obsolete. Thus, the following questions:
    1. Do you think a quantum computer can be developed in secrecy?
    2. If yes, how can we tell if our encryption needs to be changed?
    3. What are your ideas for a "quantum PGP"?

    Also, I would like to thank you for PGP. Indeed, it is making the world a better place, and to me it is even more apparent in light of recent events.

    Kjetil (Keyid: 6A6A0BBC)

  • by Black Art ( 3335 ) on Monday September 24, 2001 @01:53PM (#2342127)
    The secret keyring in practically every implementation of PGP leaks information off the secret key ring.

    Not the messages, but something that can comprimise the existance of the user.

    The identities on the keyring can be listed without a passphrase.

    This means that if you have a standard keyring with your personal ID and you are also "Chairman X" of the local committee for doing things the State does not like, if they obtain your keyring, they can show that you and "Chairman X" are most likely the same person.

    All it takes is "pgp -kvv secring.pgp" and I can tell you all of the aliases and alternate identities that you use.

    Currently, using multiple secret key rings is a pain. Most implemenations of PGP do not have the ability to add a master passphrase on the keyring.

    BTW, people have been linked to their nyms by just this method. (Ask Carl Johnson. He was a canadian who spent time in an American jail because he said something through a nym that the government found threatening.)
  • Although it is too early to tell, do you support any form of civil disobedience to new laws that restrict cyryptography usage? In essence, if the government orders that the next version of PGP include back doors, do you plan to disregard the law for personal or political reasons? Furthermore, do you believe that the liberty to use encryption is threatened enough that users of PGP should refuse to accept back doors and continue using the current version?
    Hash: SHA1

    You were, of course, correct 10 years ago when you guessed that PGP
    would become a tool of the oppressed. But even huge, lumbering
    totalitarian governments are not so slow as to miss the fact that
    people are avoiding their censors. My guess is that in many of these
    oppressive countries, the use of encryption products like PGP has
    become, in itself, an offense.

    Have you looked into developing steganographic or other concealment
    tools so that such users can veil even the existence of a message?
    Has NAI?

    I understand that with an open, published steganographic method, any
    government could still detect messages, but this would at least
    massively increase their censorship workloads, forcing them to
    process every image, or possibly every text message, looking for a
    palimpsest. What's more, if such a method were designed to forego
    the usual identification headers, so that only the enciphered message
    itself was included, would you not end up with a hidden message
    difficult to detect even when 'looking right at it', so to speak?

    Version: PGPfreeware 6.5.8 for non-commercial use

    iQA/AwUBO69zC5Tq1bXoStsJEQI6GgCgnKR4q9qo9gB8Ohte Li NX+WKIYnsAn2Yw
    -----END PGP SIGNATURE-----
  • Phil,

    It seems that anti-encryption/anti-strong-encryption legislation is coming, whether we want it or not.

    In the emotional need to do *something, anything*, Congressmen are drafting and voting on legislation without review or testimony from folks like yourself who happen to know the technology rather than just want to give Law Enforcement broad powers.

    Do you agree that we're about to be railroaded into a bad spot as far as secure communications/transactions are concerned?

    Will you continue to use PGP or other strong encryption after it's existence is outlawed?

    Given the worst possible future outlook with regard to strong encryption, what will you do/encourage others to do, and what is our best option for securing our communications in this case?
  • Through all the talk of adding government backdoors to crypto-systems, I haven't seen any coverage of how the backdoors would work from a technical standpoint. I've heard all the hand-waving about delivery of sealed documents to the supreme court that would only be opened upon presentation of a warrant, but I want to know the mathematics behind it all.

    Are the proposed backdoors simply blanket weaknesses in the allowed crypto standards, or does this have something to do with how the final encrypted message is constructed? I can see some ways that the users decryption key could be incorporated into the resulting message (as an encrypted sub-message using the government's key) so that the government could recover the user's private key from any message. I'm much less certain of how you would construct an encryption algorithm that would ensure that all messages could be decrypted by both the user's private key and the government's private key.

    Is there some description of how these backdoors are supposed to work?

  • Backdoors? (Score:4, Insightful)

    by YuppieScum ( 1096 ) on Monday September 24, 2001 @02:51PM (#2342607) Journal
    PGP users should rest assured that I would still not acquiesce to any back doors in PGP.
    I seems to remember that, not too long ago, you quite publically left NAI (the owners of the PGP franchise) after they refused to open the source of PGP 7.blah to public scrutiny.

    You also stated that you could only guarantee that version 7.slightly_lower_version_than_above was free of backdoors - in fact, you sign your open letter with version 7.0.3.

    1. How do you reconcile these two, somewhat differing, views?
    2. Which version(s) do you regard as "safe".
    3. Why don't you run the latest version?

    All the relevant versions and statements can be found in stories on /.
  • by wytcld ( 179112 ) on Monday September 24, 2001 @02:55PM (#2342628) Homepage
    Encryption is among the least of a great many modern technologies by which those who are determined and intelligent and lucky can do great evil. At a time when our government admits it doesn't have nearly enough people who can even understand the languages those who've committed the most recent evil speak, concern with encryption seems particularly misplaced.

    Greater individual power for evil requires greater individual conscience for good as counterbalance. Nuturing individual consciences on a vast scale requires analysis of what defeats individual conscience. The main threat to individual conscience is totalitarian ideology. The main method of totalitarian ideologies is to convince those who surrender their natural judgment to them that they are the straight and narrow path to some sort of heaven or utopia, and that their formulas must be adopted because the individual's own native sense of rightness and beauty is fundamentally flawed and cannot be trusted, so the first-hand knowledge of, for instance, the goodness of the female form should be renounced as delusional, while the evil of suicide bombing should be accepted as on the side of heaven.

    The evil manifests in political and religious ideologies which (1) provide specific pseudo-rational formulas to replace individual thought while (2) providing images of some over-the-horizon heaven or worker's paradise to replace vision and the evidence of the eyes in the world.

    In general, the tools of individual empowerment correlate with the development of individual conscience. What was shocking in the WTC case was that totalitarian drones were able to use some of those tools without shaking their totalitarian mindset. Despite that, if we limit the tools, we also limit the further advance and development of individual conscience, whose development in the larger picture is our only hope.

    Rather, we might consider directly attacking what enables evil on this scale: the promulagation of simplistic formulas for and unreal images of heaven. Fundamentalist religion is the main reservoire of such conscience-obliterating evil, particularly since Communist ideology has lost most of its force, and the Thousand Year Reich been vanquished. Fundamentalism consists entirely of simplistic formulas meant to supplant the individual's own native sensibility, which it views as being corrupt by nature, coupled with patently absurd images of rewards beyond, which make up for the removal of motivation by the real rewards we naturally seek in this world - which are incompatible with atrocity.

    Much of religion is quite compatible with conscience - but the problem is people of conscience generally hold to the formula of never criticizing other religions, even those variations whose leaders openly preach suicide bombing, as does, for instance, the highest-ranking Muslim cleric on the Gaza Strip.

    Religion is finally a technology of social control, a way of subverting our natural coding. Our natural coding, as response to the WTC tragedy demonstrates, is strongly altrustic. Religion is a virus evolved and designed to override nature, and the more virulent forms can be identified by their explicit rejection and vilification of nature.

    It is precisely to oppose the potential of religious totalitarianism - which is not a distant prospect when Falwell is a close friend of Bush - that encrption, among other technologies of individual empowerment, is most needed. And we must suspect that this, not the occassional convenience of encryption to terrorists who in any case can communicate in dialects we can barely translate, is the main motivation of those who'd remove such a tool.
  • Gutenberg (Score:4, Funny)

    by IronClad ( 114176 ) on Monday September 24, 2001 @02:55PM (#2342629) Homepage

    In a related story, Gutenberg was "overwhelmed by guilt" when he witnessed recent blatant fabrication of news by manipulative corporate editors. "It caused me to re-evaluate the whole idea....and cry over the heartbreaking tragedy," said the inventor of the surreptitious movable type technology that allowed the evil men to further their aims. "I was sent hate mail ... in the behalf of millions of people," he sobbed.
  • by jhritz ( 191620 ) on Monday September 24, 2001 @03:20PM (#2342806)
    Do we need to come up with new analogies to explain the civil and privacy rights justification for encryption to politicians and the lay public?

    In the past we've used envelopes and locks, but I think these fall short because the reason for encryption is to create a time delay to access sufficient to dissuade the smart and lazy opponent AND allow detection of the stupid but industrious ones.
  • I Like Your Hat! (Score:4, Interesting)

    by 4of12 ( 97621 ) on Monday September 24, 2001 @04:36PM (#2343065) Homepage Journal

    [That would be the "Phil's Pretty Good Software" hat.]


    Do you see any reasonable chances for success for a truly free and open system of certification authorities that would enable large numbers of people to exchange ideas and money in a way they would trust and yet simultaneously permit them privacy and anonymity?

    What is your opinion of Hailstorm?

  • Question for Phil (Score:4, Interesting)

    by merlin_jim ( 302773 ) <James.McCracken@ ... m ['apu' in gap]> on Monday September 24, 2001 @05:18PM (#2343349)
    First off, hats off to a career that has been inspiring to us all. I know that I, for one, cried for joy on the day that cryptographic export was opened up.

    Now, the question:

    It is hard for the public to hear the message "crypto backdoors are bad" without associating it with an anarchist anti-gov't message.

    First off, do you believe it is possible for the gov't to implement a crypto backdoor without "Bad Guys" getting into the backdoor and thereby compromising security?

    Secondly, do you have any positive examples or anecdotes of why strong crypto is good for gov't, or at least not detrimental?

    Thanks, and once again congrats.

I've noticed several design suggestions in your code.