pgp.com · Domains · Slashdot Mirror

Re: You're wrong. by Omniscient+Ferret · 2004-12-07 14:37 · Score: 1 · on MD5 To Be Considered Harmful Someday

You know that GPG keys are identified and signed by their MD5 hashes?

I vaguely remember that the short key ID used a flimsy hash, but to avoid that you only had to verify the key length.
Looking around, MD5 looked dubious in 1997, and alternatives - like SHA1 and RIPEMD-160 - got incorporated to PGP.
So. I don't buy this. PGP.com knows about it.

Scott Zimmerman! by TheLibero · 2004-12-07 09:33 · Score: 1 · on Computer Forensics

Are you a relative of Phil Zimmerman the creator of PGP???

Re:What's wrong with... by vinthewrnech · 2004-11-30 00:37 · Score: 1 · on E-commerce Single Sign-On Not Dead Yet

see the article PGP Identity Management: Secure Authentication and Authorization over the Internet at http://www.pgp.com/resources/ctocorner/identitymgm t.html

A better way to make "secure zones" by g_adams27 · 2004-09-14 08:01 · Score: 4, Informative · on Lexar JumpDrive Password Scheme Cracked

I needed a way to make a "secure zone" similar to what Lexar was advertising - a place where I could drop files and have them automatically protected. After doing a fair amount of research, I decided to use PGPDisk. It allows you to create a PGP-encrypted file on any device (hard drive, CD, USB key, etc) which "expands" into a virtual drive (e.g. "C:\Private\SecretStuff.dsk" becomes a new "Removable drive G:" in Windows once you enter the password). Anything you drop into the virtual drive becomes encrypted. It uses 128-bit symmetric CAST algorithm, which is plenty strong enough for anything I'd need. (I believe the newest versions may also have a Twofish algorithm option). PGPdisk virtual drives can be up to 4Gig on a FAT32 machine, or unlimited size under NTFS.

You can check out the commercial version at http://www.pgp.com/, but I would also seriously consider PGPckt 6.58, a forked and free version that works just fine under WinXP (and previous versions of Windows). That's the version I've been using.

pgp and domainkeys by iradik · 2004-09-07 17:01 · Score: 3, Interesting · on OSI And Microsoft Negotiating Over Sender ID

A solution to stopping spam is outlined here:

http://antispam.yahoo.com/domainkeys

I picked up this link from here:

http://www.pgp.com/resources/ctocorner/cryptoandsp am.html

This was a discussion about how pgp alone will not stop spam but how yahoo domain keys might. Due to domainkeys ability to actually verify the domain the e-mail is being sent from.

Re:OT, reply to sig - Math, Feds, and Crypto by iamcf13 · 2004-08-29 22:44 · Score: 1 · on Blade Runner Is The Best Sci-Fi Film

Mathematics is not a crime. -- James Turpin (789479)

Mr. Turpin's signature was likely commenting on the right and ability to use 'strong encryption' to secure ones 'thoughts and posessions' at all times.

Here in America, encryption is treated like a weapon instead of a digital envelope. Added to that, 'real encryption' in its purest form is nothing more than grade-school math applied to very large numbers.

So I guess Mr. Turpin is 'asking':

Is it a crime to use math (via strong cryptography) to have privacy and security?

Just 'ask' PGP creator Phil Zimmerman about his experiences with cryptography and the United States Federal Government....

Light on Privacy? by RyanK · 2004-08-24 10:37 · Score: 1 · on Always Use Protection

From the review, seems like the book goes a long way to giving a good introduction for keeping yourself secure, but does it really leave out keeping communications secure?

It wouldn't take more then a few pages to discuss the need for being able to sign or encrypt things and a short tour of PGP/GPG and how they can use it in their everyday life.

Re:CA's history by questionlp · 2004-08-16 04:50 · Score: 2, Informative · on Ask Sam Greenblatt About CA's $1 Million Open Source Prize

That was Network Associates. The commercial arm of PGP got spun-off into their own company, PGP Corporation.

Re:Why not everyone use PGP ? by Agar · 2004-07-01 10:20 · Score: 1 · on Lead Developer of SPF Anti-Spam Scheme Interviewed

For PGP/GPG to be widely used, major clients must:

* Support automatic key downloading.
* Support automatic encryption/signing.
* Support opportunistic encryption.
* It should be much more transparent than it is today.

You mean like this?

"PGP Universal. . .shift[s] the burden of securing email messages and attachments from the desktop to the network in a way that is automatic and entirely transparent to users."

* Two-way policy enforcement
* Automatic and transparent
* Comprehensive and self-managing (automatic key generation)

Three letters..... by p.rican · 2004-07-01 06:23 · Score: 1 · on Appeals Circuit Ruling: ISPs Can Read E-Mail

PGP

Re:Use spymac.com by Zephiris · 2004-06-18 12:31 · Score: 2, Informative · on Gmail in the News

Don't forget...gmail currently doesn't require personally identifiable information, such as address, zip code, name of first born, social security number, size of anatomy elements. Spymac requires all info, including demographic information, and if I remember correctly phone number. At least if gmail doesn't ask in the future, that means my ISP still remains the 'bottleneck' for any real identity linking. I could still just use transparent anonymous proxies who don't care who I am to access gmail...which makes that even nicer. All someone in the government would have to do is send one email to spymac.com, and if they cave...it means exactly one thing: The government gets everything in about 75 miliseconds. ;p Of course, this is just a Big Encouragement for encrypted emails that the email service can't really touch, like GnuPG and PGP. It's not a matter of gmail linking 'certain information' with 'other certain information' if it becomes harder than it's worth to track you down for exercising your right to free speech.

OpenPGP plugins by aat · 2004-05-17 11:44 · Score: 1 · on Email Authentication Schemes - Friends or Foes?

OpenPGP is a standard implemented by a few programs including PGP (non-free), and GnuPG (aka GPG) (Free). GnuPG support is either integrated into or supported via plugins on Kmail, Eudora, Mutt, Outlook, and many other clients. See http://www.gnupg.org/(en)/related_software/fronten ds.html for more details. There are a couple of Mac related links there. About the last two, GPG's privacy lies in the key, and thus you wouldn't want anyone else to be able to use your key -- they could sign messages as you otherwise. A hackish way to use GPG with these would be to manually use gpg to sign (and possibly encrypt a message) on the commandline, and then pasting them in. Someone could write client side code for dealing with webmail (Browser plugins that allow one to replace the current contents of a text input field with a signed message, but they could easily be security holes if not written correctly).

Re:OK. What do you recommend? by Sanat · 2004-05-11 17:34 · Score: 1 · on Life-Ruining Browser Hijackers

PGP does this. (information is from the PGP Help File)

Start PGPmail.

Click the Wipe Free Space button in the PGPmail window. The PGP Free Space Wiper Welcome screen appears.

The PGP Free Space Wiper prompts you to select the volume you want to wipe and the number of passes you want to perform.

In the Volume box, select the disk or volume that you want PGP to wipe. Then, select the number of passes that you want PGP to perform.

As many as 28 passes can be made to ensure no spurious magnetic domains exist.

Version 8.0.3 is the latest freeware. Be sure you qualify for the freeware version

PGP Freeware

Re:Yeah right... by Anonymous Coward · 2004-04-07 10:45 · Score: 0 · on Passive E-Mail Monitoring Leads To Arrest

http://www.pgp.com/products/sourcecode.html

All for the low, low price of... by gumpish · 2004-03-17 05:55 · Score: 2, Informative · on Time Warner To Comply With Wiretap Law

Fifty bucks.

Perhaps PGP Freeware would fit the bill for the budget-minded slashdotter. (Also integrates with popular mail clients.)

Re:PGP by corbettw · 2004-03-17 05:34 · Score: 2 · on Time Warner To Comply With Wiretap Law

I haven't found any good drop-in PGP (or gpg) plugin for Outlook Express

That's odd, since according to this page, PGP Personal "includes the personal versions of PGP Mail and PGP Disk, which integrate with mainstream email applications (Outlook, Outlook Express, Eudora, Entourage, and Apple Mail)...."

It would seem your search is at an end, grasshopper.

That is why PGP/GPG is your friend! by MikeCapone · 2004-03-07 10:10 · Score: 2, Informative · on ICQ Universe

PGP

gnuPG

Re:I have a better idea by qtp · 2004-03-05 11:47 · Score: 1 · on Gates on Spam

Who would issue the certificates?
Would it be a central authority (VeriSign?)?
Would a certificate holder need to provide extensive personal info to the issuer or pay a periodic fee to the issuer in order for the certificate to remain valid?

How are certificates better than signing with PGP/GPG/OpenPGP?
PGP signing is an easy, effective way of identifying a sender that relys on an established web of trust rather than a commercial agreement. It allows for persons to remain anonymous if they need to while providing information on who it is that has signed the senders key as being authentic. The same technology also provides for very effective encryption (using the recipients public key)that can be automated to ensure the maximum level of available privacy without being unneccessarily difficult to implement.

How is this better than rejecting emails that do not originate at a mailserver that has a mx reccord in dns?
Emails can be sent through your providers server using smtp_auth, smtp_after_pop, etc. from anywhere on the internet. This would not prevent you from sending when you are on an unfamiliar network such as when you are traveling. Rejected emails could be bounced back to the sender explation of why it was rejected and asking the sender to contact their provider or system administrator if they have any questions.

I get very wary of certificate based solutions, as I tend to prefer decentralized systems over central authorities. The recent behavior of VeriSign is a good sign of what can happen to any company that is permitted to set itself up as an "official authority", and I cannot help but believe that there will be certificate issuers that abuse their position. Also, I do not like the idea of requiring registration with centralized databases of users personal information, when it is entirely unneccessary for sender identification.

when it's 20 by va3atc · 2004-03-05 06:11 · Score: 2, Funny · on Celebrating Spam's Ten-Year Anniversary

It will be taking your keys when its twenty!

What PGP Corporation has to say about it by Betabug · 2004-01-16 02:50 · Score: 5, Informative · on USPS Providing Electronic Postmarks

There is an article by PGP Corporations CTO Jon Callas about it. His tagline is "Do we need another version of digital timestamps?"

What he has to say looks like plain common sense to me:

requires Windows xP/Office 2003 - expensive
requires purchasing a certificate, which is not really necessary for a timestamping service
the price seems high

His conclusion: "To me, this seems like a solution in search of a problem." He even mentions open standard file formats. Nice read.

Should have just bought PGP-Universal by Nonesuch · 2003-12-02 05:08 · Score: 5, Interesting · on North Korea Introduces 'Secure' E-mail

All that work, and they could have just installed one of these on the DMZ and been done with it.

PGP.Com products are notoriously overpriced, but I bet North Korea could negotiate a nice discount on a 22,000,000 seat license with A.T.M. Networks Inc, the South Korean sales agent...

One hitch -- I tried completing the "free download" form with "N.Korea" as the country code, and got this popup:

'In accordance with current US Export restrictions, PGP 8.0 products may be downloaded by individuals throughout the world except those in the following countries: Cuba, Libya, Iran, Iraq, North Korea, Sudan, and Syria. If you are in one of these countries, you may not download PGP software'."

Ah well, GPG doesn't have these petty restrictions!

Anti-PGP FUD by Nonesuch · 2003-11-29 11:01 · Score: 1 · on Javascrypt

EmCeeHawking writes:

I can't imagine people really trust PGP anymore. No longer open source, no longer affiliated with Phil Zimmerman... and his statement when he left was scary.

PGP is not "open source", but like Solaris, source code is published, anybody can download full source at no charge.

Phil Zimmermann is on the "Technical Advisory Board", along with Bruce Scheier and others.

What statement are you referring to?

Phil Zimmerman Profiled
Philip Zimmermann's personal response to the ADK bug,
2003 Defcon interview
Phil Zimmermann & Associates LLC

For those who don't know, Phil stated when he left that every PGP product released while he was there contained no hidden back doors. Knowing that companies like PGP were being pressured, it makes me think the creative differences were them wanting to build something in that he thought shouldn't be in.

Interesting claim. Care to document it?

It seems to me that if Zimmermann felt that way, he wouldn't be on the PGP.Com technical board, and he wouldn't be reselling their products on his web site.

To quote Phil Zimmermann, "There is no backdoor in PGP. Get a life."

A satisfied PGP customer.

What I do by cavemanf16 · 2003-10-08 01:23 · Score: 1 · on Securing Files in a Hostile Workplace?

Granted, I don't have GB sized files, but I do maintain some of my own files on my work computer that I DO NOT want some random admin to have access to, especially if I were to be "let go" one day without warning or time to backup/wipe said files.

I use PGP - the 'freeware' version - because I'm only securing personal files, not work files. For work files I'm sure you'd need an enterprise license or some such thing, but I've found it to be really easy to use. I also haven't tested out how actually secure it is, but it's Good Enough for my purposes. Plus, if you needed to, you can assign different 'trusted' sources when you encrypt your files, allowing other engineers to access those special files without involving the IT dept's help.

Great for Spammers by hysma · 2003-09-15 07:39 · Score: 5, Interesting · on PGP Universal - Usable Email Security?

This would be a great way for spammers to send their junk and bypass any server-side spam filters.

The spam can't be scanned while in PGP form, and according to their diagram it won't be decrypted until AFTER hitting the mail server.

I suppose one point up for security, one point down for preventing spam :(

Re:No passphrases? by Anonymous Coward · 2003-09-15 07:27 · Score: 1, Informative · on PGP Universal - Usable Email Security?

The FAQ has a good amount of information.

Trusted Identity by Anonymous Coward · 2003-07-13 15:19 · Score: 0 · on Howard Dean to Guest Blog for Lawrence Lessig

Any thoughts as to how to answer the issue of trusted identity would be appreciated. It is something we have been really trying to figure out -- as I have pointed out -- how do you know this is really me?

While I very much doubt you are Dean's campaign manager, I'll give you two ideas anyway.

You could sign your messages with a digital signature (try out PGP). The smart thing to do is to keep a separate machine with the secret key. Keep this machine off of all networks since it will be a major target for crackers. You would type the message on that machine, sign it with the secret key, and transfer it to a networked machine using a floppy or CD. From there, you post the message any place you want.
You could use your website to confirm your identity. Suppose you post message A at site WA. When you post the message, you include a link to a page, B, at your own website (page B doesn't actually exist at this point). Right after posting A, you put up page B at your site. Page B includes a link back to message A.

Note that neither approach proves that Howard Dean himself posted the message rather than delegating the task to one of his campaign members. However, it does prove that someone in the Dean campain posted the message. The digital signature approach lasts longer and is more resistant to attacks. The website approach is simpler and easier for the average Joe to understand.

Finally, you could combine the two approaches and simply sign page B.

While I'm posting, has the Governor considered placing his advertisements under a Creative Commons license?

ICQ and PGP by 216pi · 2003-06-08 10:20 · Score: 1 · on New AIM Offering "end to end" Encryption

PGP delivers an icq plugin that uses your key-ring to cummunicate pgp-encrypted if your vis-a-vis has installed pgp/icq/that plugin, too.

ICQ and PGP by 216pi · 2003-06-08 10:20 · Score: 1 · on New AIM Offering "end to end" Encryption

PGP delivers an icq plugin that uses your key-ring to cummunicate pgp-encrypted if your vis-a-vis has installed pgp/icq/that plugin, too.

Re:Oh for fucks sake! Who gives a shit? by Anonymous Coward · 2003-05-08 13:32 · Score: -1, Troll · on Revising the Internet Email Infrastructure

incase you idiots forgot to check, PGP sourcecode is available for all to see.
Incase you're a complete dumb idiot that means no fbi back door.

PGP by Richardsonke1 · 2003-05-08 07:45 · Score: 5, Informative · on Revising the Internet Email Infrastructure

Until this comes out, PGP is a great way to keep your email private and secure. It also deals with forged headers using email signing. MIT has a great client here

Re:PGP by Anonymous Coward · 2003-03-31 03:46 · Score: 0 · on Why ICANN Needs Fresh Blood

It was my understanding that PGP was now owned by PGP corporation, which bought the rights to PGP from NAI... Because of this, I don't believe that your second statement is correct anymore.

Re:Vague on Details by keyslammer · 2003-03-04 08:13 · Score: 1 · on British Telecom Pushes Universal ID Check System

Encryption simply protects data in transit from interception and alteration. It dosn't verify the data being sent actually is the data it claims to be.

Public/Private key encryption is an excellent form of authentication. Check out PGP. Or better yet, GPG.

Re:How many other programs do this? by JoeF · 2003-02-16 07:53 · Score: 1 · on TurboTax DRM Writes to Your Boot Sector?!

Using fdisk or formatting doesn't overwrite existing data on the disk.
You actually have to wipe the sectors (PGP does that, or use Linux' dd command).

A for the effort... by overbored · 2003-02-07 14:50 · Score: 1 · on Do-Not-Email Registries?

...but there's just no practical way to enforce these laws.

In the meantime, some solutions that actually work (or at least hold back the tide) are SpamNet, a collaborative spam filtering network, and of course the ever-unpopular PGP.

In case it gets Slashdotted... by Anonymous Coward · 2003-02-07 09:54 · Score: -1, Redundant · on Command-Line Crypto From Phil Zimmermann, Again

Here's the article:

A few months ago, PGP creator Phil Zimmermann became a reseller for the current graphical version of the software he originally spawned, produced by PGP Corporation. Now, Zimmermann has just started selling through his own website a modern command-line encryption product called FileCrypt, which has its roots in an older version of PGP. Confusingly enough, this software is produced by a company called (Veridis), and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name; when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. OpenPGP, for whom Zimmermann serves as a technical advisor (as well as a reseller), is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less? They aren't paying for a pretty logo. The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market.

Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollars price as to a generalized interest in privacy. Home and hobby users are not cut out from buying Veridis's software -- for about a hundred dollars, you can buy a personal use version of the command-line version. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server) are really aiming at commercial and governmental datacenters, and for customers willing to accept a much higher pricetag.

Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures.

The name is familiar ... The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAffee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do.

And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation ... you could run the same perl scripts, the same command-line arguments."

If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition.

(Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.) Both sides of that fence. And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product." To look and not to sell. Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer-review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person.

The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will be soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available though their source code page).