 There's some video cameras back there. Are you guys videotaping this? Does that mean that I can't pace back and forth like I usually do? All right. You know, I usually have to actually be there before I can figure out what I'm gonna talk about. I have to kind of smell the room. And last night in a taxi, I kind of got the impression that the demographics of this conference are kind of younger than a lot of other conferences. So these kids in the taxi were asking me all kinds of outlandish questions about the history of PGP and there were urban myths about it. So I realized that all these stories that I've told over the years that a lot of people here haven't heard them because they were watching Saturday morning cartoons during this. So maybe I could tell some of those stories again. So this is not really a technical presentation. It's gonna be more like telling you PGP war stories. Although I can certainly answer technical questions. The question I get asked the most is, are there any backdoors in PGP? How many people here were going to ask that question? Yeah? How many people here believe in black helicopters? Yeah, the same hands, you see. No, there's no backdoors in PGP. There never have been any backdoors in any version of PGP that I've been connected with. You look puzzled. The reference for this is a spy school on TV two days ago in the NEET School of Signets. They said that the government or the entity or whatever said it to have a backdoor in the latest version of PGP, we can believe in version six. However, version five said it's not. First of all, the latest version is version 8.0.2. Secondly, do you think that if there was a backdoor in Tech TV, that somebody at NSA would tell Tech TV? You know? You never know these things. I don't know. The questions that I get like this, it sort of reminds me of Comic Book Man in The Simpsons. These are people that believe that The X-Files is a documentary. No, there is no backdoor in PGP. Get a life, come on. 
I get email from people that say, here's email that appears on my in-basket, right? And it says, I've heard that there's a backdoor in PGP. Is this true? You can tell me. And so I have to actually sit on my hands to restrain myself from the it. Because you know how email is? There's this kind of impulsive nature of email that this is actually what causes flame wars. It's the psychology of emailers, that kind of itchy trigger finger video game response and email that you don't get back in the old days when we used to write letters by hand or even by typewriter. There's the urge to say something right now. And I had to fight, I always have to fight that urge when I get letters like that. To answer the question at so many levels, I usually don't try this question this early in the talk. Usually that comes later because I try to talk about something more important, but I want to do it now because this is DEF CON and there's a lot of comic book men in the audience. You know, in World War II, when the Allies could break the Enigma machine, there was that story about Coventry, the town in Britain that was going to be bombed. But and the Brits knew it, but because they broke the Enigma code, but they didn't want to evacuate the city because then the Germans would know that they could break the code. So they kept it a secret and they let it be bombed. Well, that's what happens when they can break it, right? So they're not going to tell tech TV, you know? They're not going to tell their brother-in-law, who's going to tell it in some rumor mill at some black t-shirt conference. That's just not going to happen, right? So that's one level I'd like to answer, but that's really not even the right level to answer it. The right level to answer it is it's impossible to put a backdoor in PGP because all the engineers who work on it, work on it because they believe the same things that I believe, you know? They believe in privacy and civil liberties, you know? 
The reason why they signed up to work there is because of that. And they're not going to, you know, they would notice in the CVS logs that there's, you know, that somebody's putting backdoors in it. It's so, there's too many people involved. It couldn't be kept a secret, you know? Conspiracies can't get that big, you know? If I wanted to put a backdoor in PGP, I have no clue how I would do it, you know? So there's never been a backdoor in any version of PGP in the entire 12 years since 1991. And I certainly wouldn't stand by and allow anybody to put one in. Not after everything I've been through, you know? I mean, you become invested in, you know, you put so much of yourself in investing in fighting the good fight and, you know, you're not going to stand by and allow somebody like Network Associates, for example, everybody thought, oh, Network Associates is going to put a backdoor in it. Network Associates wouldn't have a clue how to put a backdoor in PGP. They wouldn't know how to put a frontdoor in PGP. The great relief that we have is that PGP has been rescued from Network Associates about a year ago. And so there was a lot of dancing in the streets. PGP is back, you know? We're, you know, it's out of the land of Mordor where the shadows lie. It's now, you know, you got a question. The engineers that are working on the code are, you know, they're close to the code. They're, you know, they're focused on the code. You know, they're not, nobody could change their code without them knowing it. There's just too many redundant eyes on it. You know, you're not going to have somebody break in in the middle of the night and put a backdoor in it. Because it just, it wouldn't work. It's just, it's not how things work in the real world. There's no, you know, there's no, what is it, the, what's the name of that vast conspiracy that the New World Order was supposed to come from? The, what, something commission? The trilateral commission, yeah. 
Sometimes I get email asking about the trilateral commission. For some reason, everybody who is really paranoid about that seems to be attracted to cryptography, you know, and they all write to me asking about this. You know, and I have to tell you that I can't review the code like I used to when I was, you know, back in the old days, I used to read every line of code. And then as it got bigger and bigger, then I used to just do things like read the random number generator, you know. And the key spots were, you know, where it was most sensitive. But it's just too big. You know, I can't read all the GUI code and C++ classes and all that stuff. I just can't. So I can't realistically do that. And it's very hard to do, you know. We publish the source code and hope that people will look at it. You know, and sometimes people find bugs. There are, there have been bugs. There have been some embarrassing bugs in PGP. Not as many as you find in other products like Microsoft Windows or something like that. Especially security related bugs. It seems like every couple of weeks there's another security related bug in Microsoft Windows. So, PGP actually started out as a human rights project. I was a peace activist in the 1980s. And during the 1980s, the peace groups were kind of in a very adversarial relationship with the White House. We were accused of being KGB puppets, you know, and offices were burglarized by the FBI to get the floppy disk containing their contributors and mailing lists. And I figured back then that there was a need to protect grassroots political organizations from the government. And that in other governments around the world, other countries around the world in oppressive countries that human rights groups, human rights workers, or just ordinary people that needed to protect their human rights needed to have this kind of tool. 
Now, the business, excuse me, the threat model that business encryption software had at that time was protecting your business secrets from your competitors. But your business competitors don't have any significant cryptanalytic capabilities. 56-bit DES was just fine for that because some other company wasn't gonna break 56-bit DES. They weren't gonna break it. They weren't gonna have a key exhaustion attack on 56-bit DES or any other attack. So, you know, the software of that time in 1991 kind of reflected that. Privacy Enhanced Mail used 56-bit DES. But PGP had a different threat model. In that threat model, the national technical means of major governments could be used to attack files that were gonna be encrypted with PGP because it was for human rights applications. And then the Cold War, you know, even the smaller countries, the smaller oppressive countries were sort of client states of the superpowers. And so, major governments could be called upon to try to break this stuff. And so that drove the design of PGP. Now, after PGP was published, the decade after that, which was the decade after the Cold War, the end of the Cold War, the world changed. And the intelligence agencies kind of were looking for new things to do after the end of the Cold War. And so, their governments kind of reassigned them to new things to do, including economic espionage. And so, to compete in a global economy, businesses began to have the need to protect their stuff from the same thing, the major governments. So, the business population of users started to have the same requirements as the human rights workers. Not exactly, I mean, nobody was gonna die if their stuff wasn't decrypted, but at least it was the same assets attacking it. So, PGP became a business tool. And now it's a commercial product. But the original purpose was that it was a human rights project. 
And during the three-year criminal case, my defense lawyers wouldn't allow me to say that it was a human rights project, because if I said that, that would be important for the prosecution's case, which they were trying to show intent, that I intended it to be exported. And if I said that it was for human rights, that it was a human rights project, that's almost the same as saying that I wanted it to be exported. So, I wasn't allowed to say that at that time, the statute of limitations are over, so now I can say that. So, you don't take a human rights tool and put a back door on it. People could die. So, during the AES conference, there were three AES conferences. Brian Snow, who was this senior cryptographer at NSA, got up and said that when he listens to companies talk about their attitude toward data security, they always talk about it in terms of liability. They think about liability. How much will I be sued for? How much could I lose financially if I screw up in this encryption stuff? And he said that he never thinks of it that way, because Brian makes stuff at NSA that protects secrets that lives are on the line. He said, if he makes a mistake, somebody dies. And that's a totally different attitude than thinking of it in terms of liability. And he said to me during the break that he really liked my attitude about PGP because I had the same attitude. And so, that's what drove PGP and that's what makes PGP so different from other commercial products that do encryption. So, anyway, let's see. Let me open it up for questions to kind of give me an idea of what you're interested in. Yeah. Quantum computers, a lot of people ask about quantum computers. It's very hard to build a quantum computer of any size. You have to isolate it from the rest of the universe. And I mean really isolated. I can't have any kind of quantum mechanical interaction with gravity waves or photons or anything else. It has to be isolated from the rest of the universe. 
And that's not an easy thing to do. You know, they have built quantum computing devices of just a couple of bits, but there's not anything that can attack, you know, operational cryptography. You don't have, I tend to think of it as a science fiction technology. I'm not gonna base my career plans on them building quantum computers. Call me when it works. Yeah. Oh sure, quantum cryptography is not really, doesn't really have anything to do with quantum computing. It's sending photons through glass fibers that one photon at a time to, and you look at it whether it's polarized this way or that way. And if anybody intercepts it, they're gonna change the way it's polarized and you can tell whether it's been intercepted or not. It's a cool idea, but I mean, you could rely on cryptography instead. You can't do it over enormous distances. They do it over a few kilometers of fiber optics. Well, it's a good question. Will encryption always be legal? You know, I think that if we just hang on to what we have and not let them take it away, we can do that. Right after 9-11, there was a lot of discussion about are we gonna lose the gains that we had fought so hard to win in the 1990s. And nothing happened, you know? Nobody tried to make, or I think there was some legislation that was talked about to bring back the export controls. But it never happened. One reason why it never happened was that John Ashcroft, who I disagree with on just about everything, was a senator during the debate that we had in the 1990s and he was on our side of the debate. So, okay, on that one thing, you know, he was on our side and he seems to have stayed that way. I mean, he became attorney general. And also, you know, the NSA gave up years ago on this. The FBI did. The FBI fought it to the bitter end. Well, that's because the FBI doesn't really have any cryptographers working for them. The NSA does. 
And so the NSA saw the handwriting on the wall years ago and kind of woke up and smelled the coffee before any of the other federal agencies. And they knew that they were gonna lose it. And they fought it for a little while, but they didn't fight it hard because they just knew it was inevitable. I don't think it's gonna come back. Somebody told me that the new draft of, rather, the Patriot Act II had something in it about that. And I haven't seen that. But if it does, then we'll have to fight it again. But remember, it's now entrenched. The whole computer industry exports cryptography all the time. It's not easy to just take that away. They might try to impose some domestic controls, but that's also entrenched. It's a very hard thing for them to do. We don't wanna get too complacent, but I don't think we should be too worried about it. If it comes up, we'll fight it. Yeah. Well, it wasn't treason. It was actually the charge would have been the violation of the Arms Export Control Act, which was exporting munitions. In other words, if I exported Stinger missiles to Libya, I would be violating the same law and be charged with the same crime for exporting PGP. Okay, how I heard about this was I got a call from a US customs agent, Robin Sturtzer, called me up on the phone and said, this is special agent Robin Sturtzer of US Customs. We'd like to ask you some questions about PGP. And I thought that maybe they needed some help on, maybe they'd seized a computer and maybe there were files encrypted with PGP and they wanted my advice, you know. I was gonna tell her to call psychic friends. But you know, I tried to be helpful and answered whatever questions and tried to explain to her what PGP was. And then she said she'd like to fly out to Boulder. I lived in Boulder, Colorado at the time from their office in San Jose, send two agents of US Customs, put them on an airplane, fly out to Boulder. 
That's when I realized that there was something going on here that they weren't just looking for a tutorial on PGP. So I contacted the criminal defense lawyer, Phil Dubois. He's kind of a street-wise criminal lawyer in Boulder, Colorado. He actually is in Colorado Springs now, but anyway, so I walked into his office and I saw on the floor a box that said discovery documents for Michael Bell, which was, he was a murderer, you know. And I was so freaked out by this, you know. I thought, oh my God, this guy defends criminals. What am I doing here? So if you're in that situation, you don't go to your family lawyer who does your will and your business advisor, you know. You go to a criminal lawyer. You go to somebody with street smarts, preferably somebody with drug experience, you know. Somebody who has experience with the feds, you know. Somebody who's had to fight in the trenches, somebody who's maybe who was served in the public defender's office so they know how to do it with minimal resources. Phil Dubois was that kind of lawyer. And so I told him what happened and so we put together an appeal for funds, for legal defense fund, and we got contributors from all over the world sending money in. And I got other lawyers on the legal defense team who volunteered to do it for free. Phil had to be paid because he didn't work for this big law firm like the other lawyers. So he had, you know, he lived by his wits every day so he had to be paid for his work. But the other lawyers were pro bono. And I had four lawyers on the core defense team. I had Curt Karnow in San Francisco who was a former federal prosecutor and an intellectual property lawyer. At that time we thought there were intellectual property elements to the case. Eben Moglen, a Columbia Law School professor who wrote an APL interpreter before he became a lawyer. And he clerked for Thurgood Marshall. 
And there was Ken Bass who used to work in the Justice Department on national security matters and worked for a big law firm in Washington. And then we had a couple of other lawyers that helped out from time to time. The gang of four was who did most of the heavy lifting. And it was a great team. And I wanted to talk to the press but they were telling me don't talk to the press because lawyers don't want their clients talking to the press. They never do. But my instincts told me that if we were gonna get through this I would need the press. So I said I'm gonna talk to the press. After all, the lawyers work for me, you know. And so I talked to the press almost every day for the entire three years, about five times a week. And the press I think had a lot to do with why the government dropped the case. Now, I'm sure if you asked the Justice Department that they would deny that, but I just have a feeling that the press made the political climate difficult for the government to proceed in the case. Every one of the press articles of the period was sympathetic to me and critical of the government. Not 99% every last one. So that's a great asset to have. And sometimes during critical parts of the case we knew when the decision of whether to indict me was gonna be handed off from the local prosecutor to Main Justice in DC. And so at that time we got the press on the East Coast, the Washington Post, New York Times, the U.S. News and World Report, the news magazines all cranked up to write about me during that critical time when policy people at Justice were making a decision of whether to proceed. And the press was actually the press was sort of, they kind of tossed all semblance of objectivity out the window. They would say to me during the press interviews, okay, I'm all yours, what do you want me to say? What do you want me to do? I mean, I'm exaggerating a little bit, but the press was firmly behind me because this was a First Amendment case. 
If I can be put in prison for publishing something, then that hits close to home for the press. There's no way that the press is gonna be against me in that case. So they turned up the heat at just the right time. Now, early in the case, it looked really bad because early in the case, well, early in the case, I was told of this in September of 93. And in October of 93, I went to Washington to testify in front of Congress in favor of some legislation to get rid of these export controls. So I went to Washington, and while I was in Washington, I went to EFF, the Electronic Frontier Foundation, where they had assembled a team of lawyers. There were 10 lawyers in the room. They were all lawyers, nobody but lawyers, because it was, so I could tell them about it, and it would all be a privileged attorney-client communication. And so there were people from EFF, there were lawyers from EFF, the Electronic Privacy Information Center, the American Civil Liberties Union, a couple of private law firms in Washington, Phil Dubois, my criminal lawyer, and I don't know, I can't remember all of them. But they all sat and listened to me tell them what the case was, and I had some real vulnerabilities in the case. The biggest vulnerability was not what happened in June of 91 when I published PGP on the internet, but rather what happened later when I helped in the development of PGP 2.0, because then I was actively involved in managing the development of a crypto product overseas. I had, in fact, and there was so much audit trail to show that I had an $800 phone bill one month because of just talking to the software engineers in New Zealand, in Amsterdam, in Southern California, coordinating this handoff of code from continent to continent on a daily basis. And so there was all kinds of proof that I was violating the Arms Export Control Act for that. That's where I thought the vulnerability was, the subsequent development. 
So I told the lawyers this, they listened to it, and they shook their heads and they said, there's nothing we can do to help you. You're dead. I mean, they didn't say it quite as succinctly as that. It wasn't quite as black and white as that. They said a whole lot of things, but that was the checksum of what they said. And so, the feeling in the pit of my stomach of hearing 10 lawyers all in the same room, I mean, what a concentration of legal skill, all saying that. Phil Dubois was the only criminal lawyer in the room. Phil Dubois was not worried, you know? Because when it comes down to it, when it comes in the courtroom, he knows what to do. But the other lawyers, they had other specialties, and they were all saying, you have no chance, you know? So that was my darkest day, that was the worst day. And it's a good thing that meeting happened after my congressional testimony, instead of before, because I would have been the basket case in front of Congress. So we mounted this defense effort, and it worked, you know? People contributed from all over the world, and we kicked their ass. One of the things that we did was, we went to MIT, I went to MIT, and got them to put it on their FTP site. Actually, I ran into them at a Computers, Freedom and Privacy conference, and we kind of came up with the idea at the same time. They would publish the source code in a book with MIT Press. It was a high profile, high prestigious academic press, would publish the source code. And export the books. And that's a kind of a in-your-face kind of gesture to the government. We took the actual source code, byte-for-byte from PGP 2.6.2, which was the current version at that time, and put it in a book, and tried to put it in a nice, scannable font. And then the author's preface to the book, which I have on my website if you want to read it, go to philzimmermann.com, and you can read the preface to this book. 
Spells Zimmermann the right way with two Ns, the German spelling, because there's another guy who named Phil Zimmerman, and he's got a website too, and he spells it with one N. But anyway, in this preface, I said, why we're doing this book? And you could scan this book in in Europe. So the strategy here was that we were gonna ask permission to export the book. We were gonna ask the State Department for a Commodities Jurisdiction. Now, some of you may have been at the Black Hat Conference. How many people here saw my talk at the Black Hat Conference? Okay, so some of you have heard this already. But we, and I apologize for repeating myself for that. But the reason why we were gonna do this was because Phil Karn had taken Bruce Schneier's book, Applied Cryptography, and applied for a CJ, a Commodities Jurisdiction for that book. And of course they gave it to him because there's nothing wrong with exporting books. And they laughed, you know, why are you asking such a stupid question? Of course you can export this book. Don't bother us with silly things like this. We don't have any export controls on books. And so then he then applied for a Commodities Jurisdiction for a floppy disk containing the source code that was in the book. And so they freaked out, you know, they realized that they've been had. And he said, well, you said yes to the book. Well, here's the floppy disk with the book on it. In fact, it's not even the whole book. It's just the appendices with the source code, you know? How could you object to that? And of course they said no. And so then he appealed it. There's administrative appeals you can do. And they kept saying no, no, no because the NSA said no, no, no. The NSA told the State Department. I had, years later I did a FOIA lawsuit and I got some documents from the State Department from NSA, from other agencies. And you could see the conversation going on between NSA and the State Department about these books. And so he sued them. 
And so the State Department was actually defendants in a lawsuit at the time that they got the Commodities Jurisdiction application from MIT Press for my book. And also they'd already been suckered once. They knew what was gonna follow if they said yes to that book. So they never said anything. They didn't say yes, they didn't say no. They just sat on it. But MIT Press didn't wait. They just exported the book immediately. So it was already, and besides, you know, the software was already available in Europe. Which was, we didn't actually do the book with MIT Press because we wanted to export the source code. The source code was already exported. We did it because it was part of our defense strategy. We wanted to use it at trial. And then years later we did another book with the source code after I started a company. And the purpose of that book was really to export source code. And we came up with these special tools for scanning the book. We had checksums on every line. We had OCRB font. We had modified the OCR font to make some of the characters less ambiguous. And we were able to scan it in tremendously fast. And so I even had a book with all the software tools that we developed. The name of this book was Tools for Publishing Source Code via OCR. And it was really slick. But it blew a hole a mile wide in the export regime of the Clinton administration. And they just realized how futile it was. And that had a lot to do with them of breaking down their will to fight. And eventually along, you know, the rest of the computer industry is putting pressure on them too. They gave up and they dropped the export controls. We had a multi-front war going on. We had litigation going on in the courts. We had the Congress acting to try to turn it around. And the executive branch decided that they weren't gonna be flanked by the courts and the Congress, the other two branches of government. So they just made an executive decision to lift the export controls. 
So that's how we won that battle. And I don't think we're gonna, I don't think we're gonna have to fight it again. Yeah. Yeah, a lot of people recognize that it was silly. But the FBI didn't. The FBI hung on to it. They, you know, this is not a black and white issue. I mean, certainly, you know, they had their points. You know, criminals do use this. Terrorists do use this. Al-Qaeda uses PGP. You know, I'm sorry that that's the case, but that's the, you know, that's the trade-off we make. You know, either we have nobody have crypto or we have everybody have crypto. And I think that the world is better off if we have strong crypto. You know, the internet works a lot better. And as we move our lives from the physical analog world to the digital world, we need crypto to enjoy the same protections we had in the analog world. We had envelopes for postal mail. Why can't we have envelopes for digital mail, you know? So, you know, we have financial transactions. We have medical records. We need, you know, the case was clear that we needed this. But it wasn't, you know, but there were arguments to be made on the other side. And that's why it took so many years. We fought this debate for years in the courts, in academia, in the, you know, journalists, Congress. Okay, sure. The FBI, the NSA, the press, everybody participated in this debate. And there was a lot of expert participation from all these quarters, a lot of legal scholars. Everybody was involved. And it took years and we came to a decision collectively that we should get rid of the export controls, that we should not have domestic controls. And I think it was a good decision. And to try to turn that decision back in the sort of heat of the moment after 9-11 would have been a tragic mistake. Pardon me? Oh, you mean, the question is, I think you're asking about that maybe the courts could force you to give up your private key. Yeah, that's something that I think we're probably gonna see some effort to do that here. 
And I think that that's gonna be, you know, a fight that we're gonna have to make. There's fifth amendment problems with that, but self-incrimination. There's also the idea that what are they gonna do if you forget your passphrase, you know? In the stress of being a criminal defendant. It could happen. Now, maybe it wouldn't happen for something you're using every day, but you know, not everybody uses the same passphrase all the time for all their crypto needs. I mean, I actually have some PGP disc volumes from years ago that I got creative and used different passphrases for those. What a stupid thing, you know? Because I forgot what they were. And now for the life of me, I don't even remember what's in them anymore, you know? It's like in five years. I can't open those and I, you know, I guess I should throw them away. Yeah, but the NSA. Yeah, different to the NSA, yeah. I was thinking what you could do for that is if you wanna find out if the NSA can break PGP, is you hire a comedian to write a really, really funny joke and not tell it to anyone else. Commission them, you know, to do this. And you encrypt it with PGP and then you put it out somewhere in a channel that, you know, they're gonna intercept, hope that they intercept. Try to make, try to convince them that they ought to intercept it and break it. And then wait for several years and see if the joke shows up in the population. Yeah, yeah, deniable encryption. The problem with that is that the message size is limited by how much information is in the message. You know, if you're gonna put two messages in there, it's gonna be twice as big. So it's hard to do that. I mean, you could do that if you had one-time pads because then you have this one-time pad will turn it into the real message and this other one-time pad will turn it into, you know, the Simpsons, you know, or whatever. 
So you could do it that way, but nobody uses one-time pads and if you started using them, then they would know why you were doing it, you know. Yeah, steganography, you mean? Yeah, well, you know, the problem with steganography is that it works okay for once in a while when somebody is trapped behind enemy lines and they gotta get this one message out to get picked up by the helicopters, you know. That's fine, but you can't have a hundred million people do it every day because it depends on the enemy not knowing you're doing it. You know, I had a guy call me up. People actually call me up about this. They don't just write to me, they call me up. And it was early in the morning, you know. I think he was on the East Coast and he said that he had this cool idea of hiding information in a picture, you know. And I said, well, congratulations, you've just reinvented steganography. And he said, he thought it was such a cool idea that he wanted to create a standard. He wanted to propose a standard for the standards bodies for this. And I thought, oh, this is great, you know. This is like Samsonite luggage having a standardized compartment for smuggling cocaine. You know. Every suitcase would have it in the lower left corner. You know. A lot of advantages in adhering to standards. Yeah. Well, there's a lot of, there's several implementations of the OpenPGP standard. GNU Privacy Guard is an open source version and it doesn't have any patented algorithms in it. I applaud that. I unfortunately did use patented algorithms in the original PGP. And in fact, it doesn't use the IDEA cipher because they have a patent on that. The IDEA cipher is a really good cipher but I stopped using it because it had this patent. And they did too. Actually, we still have it in there for legacy reasons. But Hushmail or Hush Communications has a product, a web-based email encryption service called Hushmail that is OpenPGP compliant. It's really nice. 
It doesn't work on a Macintosh for some reason but and I use a Mac so I can't really use it that much but it's really nice on browsers that support it on the PC. There's another company up in Seattle called Thora. They also have a web-based encrypted email service. I have it till 12, right? 10 minutes, okay. And then there's Veridis in Belgium which has several OpenPGP compliant products including a Unix command line product. Now, Network Associates, when they sold the intellectual property of PGP to PGP Corp, they retained the command line version for some period of time. So PGP can't sell that. This is not interesting enough I see. I try to get interesting in the last 10 minutes or I'm gonna lose the audience. Yeah, what? Why would there be a risk if it's open standards? Well, somebody could implement their own version that has a backdoor and I encourage people to publish the source code of their implementation. So I would recommend that you only use products that publish their source code. Network Associates doesn't publish their source code anymore. Yeah. Oh, the Washington Post story. I got this interview from this reporter who talked to me just a few days after 9/11. And we were talking about how upset we all were about what happened. And I told her that I had thought about this whole question of cryptography and terrorism and all that. But I decided that it was still the right thing to do to publish just strong cryptography. But I was also, that I had cried about it like everybody else. But for some reason it got changed by her editors and it was shortened. The article was short. She read it to me over the phone before she ran it because I wanted to make sure she didn't say something that was politically damaging. I wanted to make sure that she was clear that I still felt that PGP was a good thing to do. And she read it to me on the phone and she said that and it was all perfect. And then she gave it to her editors. 
And the editors shortened the article and they took some of my remarks and just shortened them to, yeah, I don't know what they, they didn't shorten the remarks, they just threw them out. And they said that I felt guilty about that I regretted writing PGP. And this was like completely wrong. She didn't write that, I didn't say that. And I made her say that to me over the phone to make sure that she didn't say that. So I had to issue a denial, which caused thousands of emails to the Washington Post. It was a shitstorm they never experienced. And it damaged her career. It almost, it got her in trouble with her editors, which seems backwards to me because they're the ones that did it. And so, and then I had to write another thing saying it wasn't her fault. She read it to me and it was right before she published it. So, so I had to write something about that why it was a good idea to have strong cryptography and to deny that, that's on my website too, by the way. Yeah. In regards to PGP rocket engines. Rocket engines? What do you mean? What are the classes of rocket engines? Because they contain things that can make them into a bad thing and right now they're in the rocket, probably the rocket industry. Really? Okay, so Homeland Security won't allow people to use rocket engines because they might turn them into missiles. I don't know anything about that. But there's other inroads elsewhere. I think this is a concerted effort where they just. There's constant pressure to maintain our civil liberties against people that wanna respond to national security threats and take them away. We have to always be vigilant. We can never relax, you know? So I guess we must be out of time because everybody's leaving. Since we got eight minutes, so why is everybody leaving? I must not be sufficiently interested. Pardon me? Really? So really the time is gone, huh? I thought I had an hour. I would have talked faster if I'd known. Yeah. Oh yeah, yeah, okay. 
The first version of PGP used a homegrown encryption algorithm that I had called BassOmatic, which I named after a Saturday Night Live skit. And I'd spent a couple of years on it, you know? And I took it to the Crypto '91 conference and talked to Eli Biham, who was a noted cryptanalyst from Israel, and Adi Shamir. Actually, Adi Shamir said, send it to me and I'll look at it in Israel. It's a good thing I didn't send it to him. But I went to lunch with Eli Biham and he spent 10 minutes looking at the source code with me and I explained to him how it worked. Within 10 minutes he found embarrassing weaknesses. It was a very embarrassing experience, you know? And so that was when I realized that even after spending a couple of years on this, I couldn't write, I couldn't design my own block cipher. It was futile. So I gave up. And that was kind of that, you know, it's kind of when you realize how ignorant you are that you achieve enlightenment, you know? I became a much better cryptographer then by knowing how stupid I was. So I used a block cipher, I used the IDEA cipher, which was a far better cipher. And at that time, even though there was a patent on it, I did get permission to use the patent. So yeah, it's ease of use. The reason why people haven't adopted PGP is ease of use. A couple of years back, somebody at Carnegie Mellon, I think it was, or somewhere, wrote a paper called Why Johnny Can't Encrypt. And it was about the difficulty of grasping all these concepts of public key trust models, public key infrastructure and all that. Your mom can't use PGP. Doesn't matter whether it's got a GUI on it or not. It's not just PGP, it's all the others too, all the other public key encryption products. This whole idea of certifying keys and all that, it's just nothing that your mom is not gonna get. And so we had to come up with something that didn't require you to grasp all that. 
And now PGP Corporation has a new product that's coming out very soon that lets everybody in an enterprise, thousands of employees in an office building, all encrypt their email without even realizing it. So not only do they not have to be trained, but they don't even have to know it's happening. And so it's a proxy, it's an email proxy. And all the email going in the building and all the email going out of the building gets encrypted and decrypted on the fly. So that lets the great unwashed masses who's never gonna try to learn this stuff get their email encrypted. Meanwhile, the power users, the geeks can still do everything they always did before and manage it on their desktop with the clients running PGP just like they did before. So everybody gets what they want. So it's a cool product and a lot of big companies are really responding well to it. So I recommend if you work for a company, you take a look at this new product coming out from PGP. Johnny can encrypt, can encrypt with that. Yeah. Yeah, except it's for email, you know. I think we're done. Okay.