Domain: ipgpp.com
Stories and comments across the archive that link to ipgpp.com.
Comments · 9
-
Re:AwesomeThe question is, how long until the XP version of PGP is released?
This exists, and includes a working PGP Disk Driver under Windows XP. Check out Imad's PGP PageThe latest Build 9, Beta 3 includes XP compatability. Imad's sources are the Publicly release 6.58 branch fom NAI. His fork includes numerous bug-fixes, platform-compatibility enhancements, additional plug-ins (ICQ), and improved interoperability with GnuPG/Open PGP.
Joe-Bob says, "Check it out."
-
Legitimise the CKT builds?
The CKT builds http://www.ipgpp.com/ (get 6.5.8ckt08, *not* the beta version unless you actually want to help test) of PGP have been around for a while.
They haven't always been popular with prz, because they permit the use of monstrous public key sizes (which meant little without a monstrous symmetric algo and big hash algorithm to back them up), and monstrous public keys are slow and of insignificant practical use without the accompanying Faraday cage, dedicated terminal and tinfoil hat.
They are, however, the "best" version of PGP out there and the only one that's still being worked on.
GnuPG is another implementation of OpenPGP (RFC2440), of course, as many other people have mentioned - but that isn't terribly suitable for Windows, not having a GUI of it's own (for philosophical reasons - it is, after all, a command line utility) and lacking a good, stable GUI to the standards of PGP (they're new - give them time and support and they will get better). Also, GPG has no support for locking pages of memory which contain security-critical data against being swapped out under Windows (and currently relies on being suid root under Linux for this too, before you all cry victory - don't start beaming until it starts using capabilities - suid applications make me nervous).
The CKT builds of PGP 6.5.8 work under XP, and there are no (as far as I am aware) reported problems with the Outlook and Bat plugins. They just suck a bit less than the vanilla builds. I know of no vulnerabilities in the current CKT build (don't use the beta in production environments though, it's broken on a few things).
Their copyright is probably a bit dodgy. I'm only saying probably because I'm not a lawyer; it's moot - trying to shut them down would be a Bad Idea (because of the million mirrors theorem) and a Bad Thing (because Encryption Is Good(tm) and what else is there of the same quality now?). It would be lovely if that could be resolved - if the CKT builds could be legitimised, and more people worked on them.
I can't speak for the third-party licensing situation though. It could be too complex to resolve - as I said above, I'm no lawyer.
As for the command line version being saleable, NAI are in a fantasy world. The PGP command line pales next to GnuPG for so many reasons I don't even have to list them (besides, it'd start an argument if I did).
The loss of the PGP command line would be frankly non-critical. The OpenPGP crypto core could be replaced or rewritten, probably more easily than you think, especially as there are independent, clean implementations to crib notes from (i.e., GPG). The GUI and SDK (and the plugins) are the important bits. It'd be a shame if they were lost... not to mention all the ancillary bits like PGPnet (did that ever get stable?... OTOH, there's SSH port forwarding so I can do without it), PGPdisk (not a panacea, but useful - I just plain don't like Scramdisk, but that's a viable option too) and so on.
By getting the SDK and GUI back you'd get all the really important stuff that PGP has over what, were it to be commercialised again, would be its competitors. You might have to rewrite the actual cryptography because of excess legal baggage, but given quite large revisions in the OpenPGP standard like MDC support, and for the sake of cleaner code, would that be such a bad thing?
Best of luck, Phil. Oh, and by the way - thanks. Probably too few people remember to say that. -
PGP 6.5.8 CKT is still up with Source
Imad's PGP Page
He's been updating the latest source release of PGP (6.5.8), adding features, and fixing bugs. The latest solid release if Build 08
Imad is based in Lebanon (so you can guess what he thinks of US IP Lawyers' threats) -
Re:PGPFreeware? So what?
About once or twice a year a bug of security significance is uncovered in PGP (e.g. the ADK bug, the RNG on UNIX bug, the keystorage bug etc) and this would render the latest 7.02 next to useless.
Why can't people amend the source code and recompiler themselves? They don't have access to the source code.
Also remember that PGP is now very (over-) complicated and includes various drivers and kernel hooks. Every new version of an MS operating system (Win2k, WinME, WinXP) breaks compatibility.
The best current hope is the CKT builds of PGP, that are based on the 6.5.8 code. These have all known bugs fixed and still work on all Win32 operating systems. This is also the only version that is actively maintained!
-
Use PGP CKT
I don't believe someone hasn't posted this. I use PGP CKT and am VERY happy with it. It is built off of the last version of PGP that came with the source (6.5.8 Desktop Security, if i'm not mistaken), and they are currently on their 6th build (Build 07, which will fix XP problems is in Beta).
PGP CKT, comes fully loaded with PGPDisk, and PGP4ICQ, and the plugins for Outlook/Outlook Express, I'm not sure about PGPNet, I don't use it. -
Re:used in PGP?
RFC2440, which defines the OpenPGP standard, already reserves 3 AES keys sizes (128, 192, 256-bit).
Gnupg already supports AES in all 3 block sizes and so does 'official' PGP v7.0x.
PGP since v7.x hasn't been open source, so you won't find any details at www.pgpi.org. The best way to add AES support to previous 'open source' versions is to use the CKT builds by Imad. These are still based upon the v6.58 code base but contains dozens of fixes and improvements.
-
Correction to URL in parent
A correction to the above: http://www.ipgpp.com/ is the correct URL for Imad's PGP Page, where the CKT builds of PGP may be found.
-
My Opinion:
Well I have been reading a few webpages and I follow BUGTRAQ and a pgp newsgroup, so I feel I qualify as a Slashdot Expert(tm).
I'm going to go out on a limb here and assume that you are talking about Email security. If you use windows, you want to use one of the PGPckt builds found at http://www.ipgpp.com These are pretty much the standard in the Windows PGP world, as commercial PGP has gone closed-source and GPG isnt perfect on windows. *nix/*BSD users should use GPG.
What you want to avoid with the recent PGP's and GPG is an interoperability problem. GPG doesnt ship with IDEA encryption, and that was the standard in PGP for years. It can be added easily, and I suggest you do that. If you do use GPG, please enable all of the PGP compatability options, or it will come back to bite you later. As for choice of algorithm, there is no reason not to use the RSA/IDEA combo that has been used with PGP for years, just boost up the length of your public key to 2048 or so. Oh, and dont bother going past 3000 or so, as that key would be harder to break that the 100(?) byte IDEA key that is actually used to encrypt the message.
As for computer security, there isn't much you can do asside from patching regularly, reading BUGTRAQ, choosing secure passwords, and never allowing unsecured logins. It also helps if you get to know your system and check up on anything that starts acting different that what you are used to.
Disk encryption under windows is best done by ScramDisk (found at http://www.scramdisk.clara.net), which is a disk encrypter that whose source code is available online. OpenBSD people should enable encrypted swap partitions, though that may be done by default, I dont know. Linux has several encrypted filesystems. Use One. -
Zimmermann leaves NAI, PGP 7.x.x closed source
Well I just created my 1st Slashdot user account, because I hope this post will get read and moderated up.
Phil Zimmermann has left Network Associates, citing "philosophical differences", and NAI PGP has just become closed source software. PGP without source is not PGP. Slashdot readers know why. Please avoid Network Associates PGP version 7.x.x, and spread the word.
Cyber Knights Templar PGP 6.5.8 is open source PGP for Windows users, and includes a security patch for a very nasty remote exploit against "official" NAI PGP 6.5.8., the ascii armor parsing bug.
GPG is the wave of the future, but in the present, user friendly Windows support for strong crypto is still important. This support is provided by the Cyber Knights Templar builds, which also include the AES cipher (Rijndael 256) and large key support.
Please publicise this address, where Win32 binaries and full source code are posted for download:
There is no charge for CKT PGP, and BTW, I am not afilliated in any way with the CKT folks.
99 buckets of bits on the wall...