Domain: gnupg.org
Stories and comments across the archive that link to gnupg.org.
Comments · 386
-
Pre-emptive Anti-Spam Measures
I've used Earthlink as an ISP for going on 6 years now, and I must say, I've never dealt with better. For one thing, in the years that I've had my earthlink address, I'd say I never get more than 3 or 4 spams per week. What is my secret? For starters, if I need to provide an e-mail address for something that may result in unsolicited messages, I use one of the free webmail providers (Hotmail, Yahoo!, etc.) I can check those to confirm what I wanted, then never check it again, and my Outlook (with my primary e-mail) doesn't fill up with useless crap.
Another way to stop the spam before it starts is to keep your e-mail address from getting on those lists in the first place. When posting to Usenet, BBSes, forums, even Slashdot, use some sort of clever cloaking (Slashcode does this already), or even a fake email. Encryption for e-mail such as using a free personal certificate from Thawte or a GPL encryption such as GNU Privacy Guard is always a good idea.
In addition, Earthlink's Spaminator is a Godsend. With that baby enabled, I'm lucky if I get one spam a month. Case in point: my mother has an Earthlink address that she uses for her business contact. She complained that she's getting hundreds of porn spam and "enlarge your penis"-type e-mails (no idea how these got here.) Setting up a few Outlook Express filters and enabling Spaminator cut the dirty messages by about 90%, and she is grateful she no longer has to wade through such filth to get to her real messages.
The bottom line is, the fewer spammers that have your address, the fewer spams you're gonna get. I have a Hotmail that gets 1000+ spams a day. My real e-mails get next to none. It's just like telemarketers, they get your number from companies who need a contact info for whatever reason. However, Hotmail addresses are free, whereas extra phone numbers to give the telemarketers, and then never answer, are not. Well, we do have Caller-ID for that, but that's another post... -
Extreme programs
Gnutella
Bit Torrent
Freenet
Reiserfs
Linux Kernel
Open SSH
Encrypted Filesystems
GnuPG
At least in my opinion p2p and crypto are the edges in coding right now. Both can be hugely successful if you succeed in writing them properly. They can also be a huge failure if done improperly. Personally, I'm amazed that there aren't more p2p worms/remote exploits out there. Every now and then there are a few breaks in crypto from a weird angle, but in general they have been very successful as well. -
Oh, no, not again
..what would be involved in fixing it. This put them in an awkward position of conflict; after all, spam-filtering vendors and other security companies make their living because these problems exist.
Right -- and guess who's going to make money off of charging 'email taxes' for everybody who wants to send a message? This is like the big kerfuffle over the (false) claims that Canada was going to charge a $.05/email tax to help cover the losses to Canada Post.
So now we're going to pay more money to NSI/Verisign for an email cert when they're refusing to deny DNS to prolific spammers? We'd still need a grey-market method of keeping track of which of those certs were sold to spammers.
Before we get too deep into the idea of using PKI to 'secure' email, I'd suggest that people look at the rather interesting article pointed to by the GnuPrivacyGuard site about The Ten Risks of PKI.
A more interesting question is whether this could be done in an open-source manner, with peer-to-peer authentication servers, webs of trust etc.
The protocol wouldn't be so much a drop-in replacement for sendmail as it would be a parallel delivery mechanism. As (and if) it became proven and trusted, I expect that such a system would slowly overtake SMTP as the preferred method of accepting email (with the 'old' method being less and less trusted). Once 'enough' people started using such a system, the critical mass would result in a flip-over in emphasis by the bigger players.
-
I've used several.
At my (large) company we are using Veritas Netbackup which works well.
At home until recently I had been using one of those rsync/hard link backup systems with good results (links to that quoted here elsewhere).
I'd been looking for a somewhat simple solution that I could run on a low end linux box at my kids school to backup 1 linux box and 1 NT server. After a bunch of searching I finally settled on flexbackup because it is fairly simple, and can use tar in incremental mode, emulating dump's levels. Since I'm just using tar and bzip2, restores can be done just on a Windows box. I have it backup the NT box by using the smbfs to mount it, and then have the backups stored compressed on another harddisk. After the backups are complete, the system uses GnuPG (http://www.gnupg.org) to encrypt a copy of the files, and puts them in a "pickup" directory. After that, the system sends a signal to a couple of home boxes via http/syslog, upon which the home boxes use rsync to copy those files down over people's cable modems.
While this solution is obviously only useful for small amounts of data (the downloading to home part), it does allow for secure offsite backups, and even the home backup machines cannot decrypt the data because they don't have the required private key.
The home backup box doesn't have any access to the school server other than the ability to do rsync's, as I'm using a ssh/rsync "forced-command" setup, so even if the home boxes are rooted they cannot get back into the school.
I've started using flexbackup on my home network as well, and it works great, although I wish it had the ability to push the tar files across a SSH connection (it CAN run dump/etc over SSH, but I just want tar backups of files dumped over the ssh connection).
I hadn't seen backuppc yet though, and it looks pretty good, and looks like it could easily work in a small replicated environment.
-
Re:Vague on Details
-
Re:Why GPG is not an option
Oh, and I forgot to mention, GPG doesn't use IDEA because it requires a hefty license for commercial use.
It doesn't include it by default because of patent issues, but if you need it, it's available. (There's even a precompiled Windows DLL.) Of course, depending on where you live, it may be against the law for you to use this code. You may even care. You might even be able to negotiate a license from the patent-holders to use the code, and still save money compared to what a commercial IDEA-based system might cost. And that might even help you begin a gradual migration away from IDEA and its associated licensing fees, if an abrupt transition isn't possible. Just a thought. -
GPG is /not/ graphical...
The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market.
Uh... no. GPG is a command line utility. You /might/ mean GPA or one of the other frontends... -
Command Line Crypto? GnuPG, surely?
Let's be honest here. No-one in their right mind would use the PGP command line since something much better - GnuPG - came along, and this has been a while ago (they aren't migrating, they've often completed migration).
- GnuPG is gratis - no cost. $0. PGP command line and other commercial command line OpenPGP products (like this Filecrypt) cost a shedload of money (they start at $99 - there may not even be an end) for such a simple, albeit effective, program.
- GPG can be tweaked to your own needs legally - you can even redistribute your tweaks. Hell, you can give your friends copies. Not so with Filecrypt.
- GPG can do everything that Filecrypt can do, with two exceptions - firstly, it can't work on X.509 certificates. Noooo, that's OpenSSL's job (which, you will notice, is also free of charge, open-source software). Secondly, if you need IDEA (blech, implies PGP2 which uses MD5 signatures, becoming a bad idea today) you need to install a module or merge a patch but that's simple if you're a command line hacker - and if you're not a personal user, you do need a patent licence from MediaCrypt AG, but that is still likely to be much cheaper than the equivalent copy of Filecrypt. [Caveat - I'm not sure if Filecrypt can use IDEA either.]
What Phil's trying to do here is sell a piece of software for an extremely high price which competes directly - directly, not just on the same turf but on the actual same blade of grass - with now well-proven software which is entirely free (beer and speech).
This is not a smart business plan. Only chance Veridis has is fast talking, name leverage and selling good support - trouble is, GPG doesn't actually need support as such, the software doesn't need to be, and isn't, really all that complex. Documentation should be enough, because it works already. The source is even friendly enough to adapt and build around for your own purposes, unless you're a moron, and morons should really not be adminning boxes you wanted to use strong crypto on.
I can't see a single reason you'd want to actually use Filecrypt over gnupg, especially given the high price tag... anyone?
-
Advertorial again?
The Gnu Privacy Guard works quite adequately for the standard stuff. Some of the more advanced stuff in PGP isn't there yet such as secret sharing with a quorum, but for file based signature and encryption from the command line, GPG works very well.
I don't really understand why Phil is doing this. Perhaps some commercial customers feel more comfortable with a commercial package. However, GPG has had (German) government money funding its development and is thought to be quite good. The German Govt liked PGP as well, but it was complicated to licence. The old PGP commercial licence only permitted you to use the supplied binary, not to compile from source. The Germans supported the rewrite and AFAIK it is a standard there.
To me this seems like another of the recent /. advertorials. An article about a product that isn't really newsworthy and there is a good Open Software and free equivalent.
Sad really isn't it!
-
GNU Privacy Guard isn't graphical
The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard)
Last time I checked, GNU Privacy Guard, also known as GPG, was a command line program. You're probably talking about the GNU Privacy Assistant (http://www.gnupg.org/(en)/related_software/gpa/index.html). -
Why not sell the banks GPG?
I guess banks want to pay for software so they have someone to moan at or something, perhaps the commercial software runs really quick?
Apart from this I can't think of a reason not to use GNUPG, or am I missing something fundamental here?
-
In case it gets Slashdotted...
Here's the article:
A few months ago, PGP creator Phil Zimmermann became a reseller for the current graphical version of the software he originally spawned, produced by PGP Corporation. Now, Zimmermann has just started selling through his own website a modern command-line encryption product called FileCrypt, which has its roots in an older version of PGP. Confusingly enough, this software is produced by a company called (Veridis), and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name; when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. OpenPGP, for whom Zimmermann serves as a technical advisor (as well as a reseller), is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less? They aren't paying for a pretty logo. The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market.
Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollars price as to a generalized interest in privacy. Home and hobby users are not cut out from buying Veridis's software -- for about a hundred dollars, you can buy a personal use version of the command-line version. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server) are really aiming at commercial and governmental datacenters, and for customers willing to accept a much higher pricetag.
Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures.
The name is familiar ...
The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAfee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do.
And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation ... you could run the same perl scripts, the same command-line arguments."
If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition. (Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.)
Both sides of that fence.
And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product."
To look and not to sell.
Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer-review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person.
The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available through their source code page).
-
Re:Accuracy
Dude, CNet is a general-audience wide-circulation publication. Yes, the geeks that hang out in here all know this stuff already, but my clients, with whom my company must exchange data securely, may not know anything about why open source is good.
Anything that helps convince my crypto-less clients to use GnuPG is very, very helpful.
-
Command line != GUI
when I can get the same functionality from the old free version or the completely free GNU version.
Yes, but PGP is a GUI app that can talk to Outlook Express, and last time I checked, GnuPG was a command-line app.
( /me checks the list of front-ends for Windows )
Apparently, somebody has made a GnuPG frontend for Outlook Express since I last looked. But what about Mozilla? Does enigmail work with Mozilla 1.2.1?
-
My solution
I have an SSH server set up on my DSL-connected Linux machine and pay for FastMail.fm e-mail that offers IMAP. When I want to manage my e-mail, I log on to my server from wherever I am using PuTTY (I changed the SSH port to something that most firewalls allow), and run Mutt.
I have it set up to use GPG for automatic signing -- all I do is type up an e-mail, press the send key, enter my GPG passphrase at the prompt (which is 35 alphanumeric chars), and press Enter. My e-mail gets signed and mailed. When I receive a PGP-encrypted/signed mail, Mutt automatically decrypts it for me, again using my passphrase.
It's very convenient (setting it up is the hardest part, and that's also easy with online documentation) and very self-reliant: no special provider to go out of business, no browser to block Java, and always encrypted. -
Re:This Is Not News For Nerds
I would say this qualifies both as news for nerds and stuff that matters. The only thing I question is why this is not in YRO. This is about a bill that would let some agencies have unfettered access to your email (news for nerds) without even probable cause (stuff that matters).
On another note, I think it's time I get GPG and start encrypting my email if/when this bill passes. -
Cygwin is a female dog to install
Download gpg from gnupg.org. Build it.
According to the GnuPG web site, building GnuPG on Windows 2000 requires a "special setup," which I take to mean Cygwin. I currently use MinGW because I have had trouble getting Cygwin to work. What OpenPGP compatible software package do you recommend for users of Windows operating systems?
-
Re:Recent incidents that I know of
Two words: Gnu PG. ;-) -
For those late to the party, here's the article...
As most of you desktop users already know, the KDE Project recently released KDE 3.1beta2, which will be the final development release before KDE 3.1. The good news is, KDE 3.1 is scheduled for release in just a few weeks.
KDE 3.1, the strongest KDE release to date, promises new goodies for just about everyone who gets to enjoy the full KDE desktop experience. Here is a sampling of what is in store for you:
Browsing with Tabs. The many fans of tabbed browsing will be delighted by this new addition to the KDE web browser ( Konqueror ) (screenshot). To simplify downloading a large number of files, a new download manager (KGET), which fully integrates into Konqueror, has joined the network package (kdenetwork). It manages any number of downloads in one window, where transfers can be added, removed, paused, resumed, queued or scheduled. A dialog displays transfer status, including progress, size, speed and estimated time to completion.
Eye Candy. The artistically-inclined KDE contributors have showered us with a basket of new eye candy. As shown in this screenshot, KDE 3.1 will ship with the contemporary Crystal icon set as well as the original new Keramik theme. The screenshot also shows the new drop-shadows. To help manage these stunning themes, KDE will provide a new theme manager with improved theme style and color decoration previews (screenshot). Menus and other desktop windows can also use attractive drop shadows, as shown in the screenshot above.
Personal Information Management. On the PIM front, the email client ( KMail ) has gained several privacy and security enhancements - namely S/MIME, PGP/MIME and X.509v3 support - in collaboration with the Aegypten project, an IT security project sponsored by the German government (screenshot). The calendar / scheduling application (KOrganizer) features a new Exchange 2000 plugin. The address book (KAddressbook) has gained the ability to fetch contact information from one or more LDAP servers. It can also print contact information and import industry-standard vCards.
While not included in the 3.1 release, the next quantum jump in KDE's email / groupware architecture is scheduled for KDE 3.2, when KDE will ship a completely copy-lefted, integrated groupware system. Currently known as the Kroupware Project, it is being sponsored by the German government and will integrate the major KDE PIM applications (screenshot, screenshot). More about this project, and some additional screenshots, can be found on the dot. KDE 3.2 will also feature the ability to use Vim as the mail composer (screenshot).
File Management. The file manager (Konqueror) has a number of new goodies, such as folder icons which reflect a folder's contents, a video thumbnail generator and a number of plugins for providing enhanced- or meta-information about various file types (e.g., images, binary packages, source code). The file search utility can now search file meta-information for searching multi-media files.
Desktop Sharing. For those who switch work stations frequently, KDE offers a new VNC-compatible desktop sharing framework. It enables users to share a KDE desktop across multiple machines (screenshot).*
Enterprise. Enterprises, Internet cafes and similar users will appreciate enhancements to the KDE Kiosk framework (the Kiosk framework provides an easy way to disable certain features within KDE to create a more controlled environment). In addition, the panel (Kicker) now supports fully customized menus.
Multimedia. The multimedia framework (kdemultimedia) has a new video decoder based on Xine. Xine is a video framework which provides support for various video formats, such as AVI, DivX, Cinepak, Sorenson Video, MPEG 1/2 and 4, QuickTime / MOV, ASF and others.
Games. For the playful among us, KDE 3.1 will offer a number of new games in the games package (kdegames), including a golf game ( Kolf ) (screenshot), an Atlantik and Monopoly-type game ( Atlantik ), a Blackjack game ( Megami ) and a Same-like game ( Klickery ).
Ease of Use. A number of other improvements are meant simply to make the desktop easier to use and configure. For example, the application finder (KAppfinder) provides a nice tree view for selecting the applications to include in the KDE desktop menu hierarchy. Two new user notification methods have also been added for providing non-obtrusive informational messages: a passive popup window (KPassivePopup), which pops up next to the application's entry in the panel's taskbar (without stealing the focus), as well as messages which appear in an application's title-bar (KWindowInfo). In addition, the control center (KControl) has received a face lift and better organization (screenshot).
Miscellaneous. Of course work under the hood continues for KDE 3.1 as well. It provides a number of speed improvements, such as Konqueror start-up time, a number of usability enhancements by the KDE Usability Project, as well as almost 1,000 critter fixes.
More information about planned KDE 3 features is available for KDE 3.1 and KDE 3.2.
Some interesting KDE statistics: the KDE CVS source code repository consists of about 2.6 million lines of code (LOC) (for comparison, the GNU/Linux kernel version 2.5.29 consists of about 3.1 million lines of code). The KDE Project consists of hundreds of active contributors, with 300 of them translating KDE into over 70 languages (KDE 3.0.4 shipped in 51 languages). In May 2002 over 11,014 CVS commits were executed. The KDE website has 24 official mirrors in 16 countries and the KDE FTP site has 71 official mirrors in 30 countries.
-
Re:GPG vs PGP
If the gpg folks had any sense they would release an LGPL library version of it. The reasons for not releasing it as a lib (even a GPL one) in their faq are just plain wrong.
Perhaps this is what you're looking for? Maybe not. Not sure on the license or details because I'm lazy :) -
Re:GPG vs PGP
GPG is a command line tool. If you want to put a UI on it it involves the very sucky process of constructing a command line with the arguments for the action you wish to perform, invoking gpg and parsing the results. In short it is a big pain in the butt and error prone and is seriously hampering its adoption.
Have you heard of GPGME? It's the official library for using GnuPG from other programs, and it does everything you mentioned. From the application point of view, it's just the same as if the crypto operations were in a library.
It does have some performance problems, because it must run a new gpg process for every operation, but those will be fixed in the future. -
PGP support in Windows mail clients
I'm on some mailing lists where people like to GPG (GNU's PGP clone) sign email, and our LUG have had a couple of GPG keysignings.
So, being a OSS supporting Windows user, I thought I'd try this out.
My normal mail client is Outlook Express (don't complain, when used by someone with a clue there's no more security risk than with any other mailer), and the method that PGP plugs into Outlook Express is disgusting. There's a GPG Outlook Express plugin that suffers from the same problem. Basically, when a message window is loaded, the decoder automatically copies all the text from the window into a buffer, runs the text through PGP, and then pastes the results back into the window. In the case of the version of PGP I tried, in 8pt font.
This also doesn't help when you have a Windows mailer that doesn't support MIME types correctly (Evolution especially likes to send mail with the PGP block as an 'attachment', which basically means your message appears blank in OE with two attachments). No PGP verification there.
I hear Outlook isn't much better; Outlook's IMAP support isn't as polished as OE's, and I guess they don't really want to make it better at the expense of Exchange licenses.
What's the answer? Enigmail. You have to use Mozilla Mail, of course, but that's something that can be adjusted to (and if it's too hard to adjust, it can be customized in XUL of course.) But it seems to be the only way to get correct behaviour for PGP email verification in Windows. And it's all OSS, too.
That said, it didn't handle decryption at all. But I was running a beta on a nightly with a 2 day old GPG build, etc. You get what you pay for.
What would I like to see happen? Outlook Express to become a bit more modular, with actual support for PGP (even the free PGP Home edition would be better than nothing). Or Mozilla Mail evolve a little bit more so I can tolerate using it as my mail client ;) -
PGP is only for windows
-
Re:Good signs in Europe as well
-
A gentle introduction for Windows users
A key aspect of GPG's success is to increase its adoption by users of Windows. For those of you wishing to give GPG a whirl, I suggest you get WinPT, an easy-to-use, open-source frontend.
Here are four easy steps to get you up to speed:
- First, download the full WinPT install [v. 0.5.5, 1.2 MB]. This also handles the tricky job of installing and configuring GPG on your system.
- Now, get the incremental WinPT update [v. 0.7.91, 200 KB]. It's a developmental version but contains fewer bugs than 0.5.5 and is quite stable. Unzip its contents into the WinPT install directory.
- Head over to the GPG mirrors page, choose your nearest location, then navigate to /pub/gnupg/binary/ and download gnupg-w32cli-1.2.0.zip [1068 KB]. Unzip its contents into the WinPT install directory.
- Read up on the excellent GPG Manual and HOWTO and WinPT's documentation.
If you use Outlook Express, you would definitely want to get GPGOE, a GPG plugin that seamlessly integrates with Outlook. You need to install and configure GPG for this - the easiest way is to install WinPT as described above [WinPT also makes key management very easy, so there's a bonus]. Then you can download and install GPGOE, and enjoy all the goodness of integrated GPG functionality within OE.
Play around with the different options available; make a key for fun; experiment and learn. Spread the word. But most of all, have fun and be excellent to each other ;-)
Good luck. -
The GnuPG FAQ covers why GnuPG is not a lib.
It [GnuPG] desperately needs a LGPL lib to relieve this burden [of running a CLI program and parsing output].
Have you read the FAQ on this point? Apparently many people have been able to get valuable work done with GnuPG as a CLI app, so saying it "desperately" needs to be an LGPL-covered library doesn't follow.
The only lib so far is gpgme which is GPL making it pretty useless for this task.
This makes it seem like your objection has to do with the license chosen, not whether the program is an executable or a library. And yet I see no argument supporting your desire to switch the license to the Lesser GNU GPL.
-
Re:Pseudo-random Key-gen Security
I'm particularly curious about how secure the GnuPG key-gen process is. How "pseudo-random" is it?
depends on what you're running GPG on. on linux, it uses /dev/random (i'm pretty sure; maybe it's urandom, but i doubt it), but if that's not available, it looks for the userspace entropy gathering daemon egd (serves much the same purpose as /dev/[u]random for unices that don't have the kernel functionality for that), and if that too fails, it asks you to type random noise on your keyboard a lot as an entropy source.
on other OSes (i know there's a win32 gpg, for example), i'm not sure what it uses. presumably digging through the GnuPG website would eventually give you an answer, but it's a biggish site and that sort of details might well be buried deep.
-
Re:GPG 1.2 available
It's at gnupg.org, BTW ;-) -
Great, but
the "original" handbook does the job much better.
-
Project Ägypten
Nobody seems to have noticed that one of the companies doing this has already completed the integration of gpg into KMail. This was another project paid for by the German government. It was just rolled into kmail for KDE 3.1, and by all accounts works excellently.
They also provided support for mutt.
If the German government continues to provide backing like this, then we can expect great things from the KDE project in the future.
-
Re:Will this be available for us?
Well, GnuPG is being developed by a similar contract, so I wouldn't be surprised at all if this was all GPLed.
-
Not going to tackle larger problems
Sure, you can probably arrest a paedophile or two by monitoring his emails, but drug dealers and organised crime in general will be the first people to move to encrypting *all* their emails. Which is something even techies cannot do all the time. Why, you may ask. Well, it's simple: most e-mail users out there have no clue whatsoever about using encryption. When would Outlook Express, Mozilla Mail and Eudora have standard built-in OpenPGP encryption... (yes, I know plugins are available) Encrypt your mail today!
-
Re:Neat.
Sir, if you please, have a look at GNU Privacy Guard.
It's no more difficult to use than Word, if you take 15 minutes and learn it. -
Encryption
If joe user would wake up and learn to encrypt his email (GnuPG). Alas, I have ranted about that too many times. No one listens.
-
A possible replacement?
After reading some of the posts it seems to me that the most needed feature for a possible Exchange replacement is the group scheduling and calendaring.
It is already possible to use KOrganizer to fulfill that need; it won't replace an existing Exchange installation, but it may be all it takes to avoid one :-)
Oh ... and let's not forget that the next version of KMail (in KDE 3.1) will have LDAP support, courtesy of the Aegypten project. -
GnuPG a good idea
Once again I call people's attention to GPG, which can be used to digitally sign source code. Then, if something is trojaned, you know who to blame for including the bum code.
-
Another reason to PGP sign your mail..
-
Re:GPG is just fine but GUI needs work
It might be worth noting that WinPT isn't the usual front-end / GUI shell like the old PGP days. WinPT actually uses GnuPG's new API called GPGME.
-
Re:Phil, Please Join Us!
Let me second this. (Yes, I'm seconding Bruce Perens. How's that for chutzpah?.)
Most of the Gnu Privacy Guard code base is in place, but we still need a ton of help with GUIs, APIs, Web-based encrypted email, etc. And there is no GnuPGFone as far as I know.
I know PGP is your baby .. I can appreciate that, and I know what it's like to lose control of your baby. I'm not going to pretend that GnuPG is the same thing. Nonetheless, GnuPG is working toward (mostly) the same goals, and that's something worth considering. They could also use your help, as you have years and years of hard-won experience in this field. Yeah, they're young punks, but they mean well and they do good.
Just my two cents.
-
good newssource?
not to bash slashdot, but why is it that Linux Today always posts the latest linux stories at least half a day before slashdot does?
anyways, on a side note, i think zimmerman is in the wrong here. if he is so concerned about the concept of pgp, then why isn't he focusing his efforts on GnuPG, which is a completely open version of the PGP concept? -
BSI software offerings + warning.
BSI = "Bundesamt fuer Sicherheit in der Informationstechnik" -> "Federal Department for Security in Information Technology". Their mission is comparable to NSA's Information Assurance Directorate. Their site is far more informative than NSA's site, chock full of security advice though as always in all things security I advise to take whatever anybody says with a grain of salt. They've also got that other mission just like NSA does.
They've opensourced Sphinx, formerly a project aimed at providing secure email within German government agencies which is essentially a plugin for various email clients (appa which implements S/MIME as well as an S/MIME incompatible national encrypted email standard called MailTrust (spec available in German only). Apparently they're integrating the Sphinx code in KDE's kMail and in mutt. You can find the Sphinx code here.
Another opensource project I could find right away is DiCop (Distributed Computing in Perl), a GPL'd distributed job execution environment consisting of an administration server and client/worker software. The administration server sends jobs to the client/workers and collects the results. You can get DiCop here.
Please keep in mind that BSI is an agency of a foreign government no longer outright sympathetic to American interests. -
For people concerned about this story...
-
Re:Sniff...
ssh
gpg
https://
webdavs://
imaps:// ...
Big Brother can watch all they want, but they'll only see my random bits. -
Re:announcement
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
[emphasis me]
well that's interesting, they're not using GNUpg -
FTP need not enter into it at all.
The sheer size of the source code may prohibit me from distributing the software electronically at all.
So don't distribute your work electronically. Distribute source and binaries together simultaneously by burning both onto CD-Rs. Someone else might volunteer to redistribute the work electronically for you. So much of this issue centers on your erroneous belief that the GNU GPL requires you to distribute electronically.
I am not [the only copyright holder to this work]. Read what I had written...
I did read it, quite carefully. I figured at least one of the following things might have occurred to you:
- The last paragraph of section 3 of the GNU GPL says that "offering equivalent access to copy the source code from the same place" will meet your requirement to distribute complete source code to your work. That place can be a CD-R.
- If you really want to contact Oberhumer (which no longer seems necessary), you could try e-mailing plaintext because Oberhumer's "...mailfilter may throw away messages from unknown senders unless you do use this key." (emphasis mine). You may get lucky.
- You could accede to Oberhumer's wishes and try GPG. Contrary to your claim "I cannot contact Mr. Oberhumer because he does not accept mail not encrypted with PGP", there is no requirement to use PGP. Oberhumer supplies information for contact with GPG on the page you pointed me to. GPG is a Free Software PGP replacement.
- You could see if Oberhumer supplies a postal address with your copy of the software then try sending a letter. Low-tech, yes, but it could work to make initial contact.
This is a non-problem if and only if reversibly concatenating an executable with asset files counts as either "mere aggregation" and/or "just data" under the GPL.
I very much doubt that distributing a single file would count the way you want it to be counted. That's a question for the FSF, albeit a rather academic one considering that this whole issue is a non-problem if you drop the phony electronic distribution requirement (that never really existed) and distribute your program via inexpensive CD-Rs (which have approximately 600MB more capacity than you said you need to distribute your program).