Slashdot Mirror
PRZ Announces Depature From NAI
The message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A note to PGP users:
As most PGP users know, Network Associates Inc (NAI) acquired my company, PGP Inc, in December 1997. For three years after that, I stayed on with NAI as Senior Fellow, to provide technical guidance for PGP's continued development, and to ensure PGP's cryptographic integrity. But I can't stay on forever. In the past three years, NAI has developed a different vision for PGP's future, and it's time for me to move on to other projects more fitting with my own objectives to protect personal privacy.
Let me assure all PGP users that all versions of PGP produced by NAI, and PGP Security, a division of NAI, up to and including the current (January 2001) release, PGP 7.0.3, are free of back doors. In all previous releases, up through PGP 6.5.8, this has been proven by the release of complete source code for public peer review. New senior management assumed control of PGP Security in the final months of 2000, and decided to reduce how much PGP source code they would publish. If NAI ever publishes the complete PGP 7.0.3 source code, I am confident that the public will be able to see that there are still no back doors. Until that time, I can offer only my own assurances that this version of PGP was developed on my watch, and has no back doors. In fact, I believe it to be the most secure version of PGP produced to date.
While it is true that NAI holds the PGP trademark and the source code for the NAI implementation of PGP, I'd like to point out that PGP is defined by an IETF open standard called OpenPGP, embodied in IETF RFC 2440, which any company may implement freely into its products. I will be working with other companies to support implementations of the OpenPGP standard, to turn it into a real industry standard supported by multiple vendors. I think the emergence of more than one strong commercial implementation of the OpenPGP standard is necessary for the long term health of the PGP movement, and will, incidentally, ultimately benefit NAI.
To this end, I will be assisting the makers of HushMail, Hush Communications (http://www.hush.com), to implement the OpenPGP standard in their future products. They will be doing their own announcement of this new relationship.
In addition, I will be assisting Veridis (http://www.veridis.com), a recent spin-off of Highware (http://www.highware.com), to create other OpenPGP compliant products, including software for certificate authorities for the OpenPGP community.
I am also launching the OpenPGP Consortium (http://openpgp.org), to facilitate interoperability of different vendors' implementations of the OpenPGP standard, as well as to help guide future directions of the OpenPGP standard.
This coming June marks the 10 year anniversary of the 1991 release of PGP to the public. PGP was originally designed for human rights applications, and to protect privacy and civil liberties in the information age. By proliferating the OpenPGP standard, we can renew that promise, and continue the commitment to personal privacy that captured the imagination and participation of millions around the world.
Philip Zimmermann
19 Feb 2001
prz@mit.edu
http://web.mit.edu/prz
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
iQA/AwUBOpDtWmPLaR3669X8EQLv0gCgs6zaYetj4JwkCiDSzQ JZ1ugMhqsAoMgS
me78KR5VEfCVEUFpwOCCk8Tx
=JVF2
-----END PGP SIGNATURE-----
--
--------------------------------------------------
I get a feeling of "the PGP spirit will move on in OpenPGP not PGPclassic" from the letter though that NAI won't be happy at at all - I would say the real world value of PGP just halved for them....
--
-=DaveHowe=-
__________________
you might want to check the plaintext version of it on the pgpi website then.
--
-=DaveHowe=-
...is posted at http://www.pobox.com/~agreene/pgp/prz_leaves_nai.t xt
I was hoping the same thing.
It should also be noted that GnuPG is really coming along, and that the Gnu Privacy Assistant is under heavy development right now and is weeks away from some pretty stable releases.
Werner ported Sylpheed to Windows and will soon release a security suite which will include GPG, GPA (kinda like PGP Keys), WinPT (like PGP Tray), and Sylpheed. These will be all within one install program and will finally make using GnuPG under Windows more accessable to non-geeks.
Rich...
Ignore Alien Orders
Errr... no. The last thing that an industry consortium would want to do is write a competitor to the products of its member. The most they would do in this regard is produce a reference implementation (like the one I wrote when I was reviewing RFC 2440 prior to IETF submission) which while correct isn't practical, or to serve as a test-bed for new features before they're implemented properly in a real product like GPG.
But the actual purpose of the consortium is to ensure that PGP, GPG and your hypothetical browser plugins all worked together, and to put a more formal face behind the IETF OpenPGP working group to push the standard forward even further, as well as related projects which PGP enthusiasts want to see happen like PGP/MIME, PGP/Ticket, integration of PGP with biometrics and so on. This is a good thing for the PGP standard.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
Even if he does stay on, and there are no back doors, NAI have him as a figurehead to say "There are no back doors", and many people will believe him, who whould not believe any other NAI employee. By resigning, he is denying NAI the fallback plan of having a PRZ to rubber-stamp a closed-source product as being back-door free. Therefore, his best option for making NAI release the source is to resign.
True. PRZ is a well-known figure, and with his background, (some) people are going to trust him when he says "There are no back-doors". But that's a bad policy, and I'm sure he understands it, after all he could be locked in a dark cupboard and replaced by an android. Leaving doesn't look like a cop-out in that light.
However, since the message was changed in formatting to HTML, the signature cannot be easily verified. You'd have to get back to the original file contents exactly, line breaks and all. Did he submit those URLs with [a href=""] tags, or did the slashdot editor insert them?
Not that it's likely very useful for Slashdot itself, but Slash and other should probably have a mechanism for "submit by file upload" and "read original submission file," so that more people can use signed content on the web. Slash already has a place for you to announce your PGP key [mine is posted], but the lame word-wrapping feature inserts a column of spaces.
It would also avoid some of that ugly "id so-and-so is the real User; everyone else is an impostor" check, by the way. Bruce Perens and anyone else who thought they were being forged could digitally sign their submissions.
[
And as for whether or not he should stick around: There's only so much you can do at a job you don't like/enjoy any more (whatever that job is) before you're simply not in the mood to try anymore -- at which point your effectiveness is going to head 'way down, and you might as well just leave anyway. There was the article here a while back with the question from the CTO of a sinking company: Do I stick around to save my friends, since everything is riding on me, or do I leave this job that I no longer enjoy and head for greener pastures? The response was pretty much unanimous then: Go, 'cos sticking around in a job you don't like is no fun, and you won't be any good anyway. I'd say the same advice applies here.
And anyway, if you've trusted him on the no-backdoors thing this long, why switch now to less-secure products just because he's leaving? He's already given his word (which presumably you've already trusted, in combination w/code reviews, peer opinions, etc) on version whatever-it-was -- why not just keep using that? Or is NAI going to reach out and put some kind of backdoor in your already-downloaded, already-compiled software?
He hasn't "cut and run at the first hurdle". The guy was gonna get sued by the US Gov't for publishing his software. If you require more of him, I suggest you at least provide the crucifix yourself.
Carousel is a lie!
Surely he'd be better off staying within NAI and fighting to ensure that the code remains free from backdoors?
;)
Well, that may be best for us (the community), but Phil is entitled to a rewarding life of his own. Maybe he just felt he was pissing into the wind at NAI, and that he'd be happier and more productive elsewhere.
It is after all -his- life, not ours
EZ
'The truth is out there.. but the lies are all in your mind.'
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
Now that is interesting wording. Zimmerman doesn't actually say that 7.0.3 doesn't have back doors. Is he being coy, or does he just consider "trust me on this" to be too hypocritical?
It seems to me that Zimmerman is being about as rude as he can be without getting sued. Closed-source encryption software is seriously out of fashion, and probably every reputable security expert, including Zimmerman, thinks NAI just shot themselves in the foot. As a recent NAI employee, Zimmerman can't express himself freely, but he can lay out some objective facts and let people draw their own conclusions.
__________________
I don't see the problem here - Phil is sufficiently well-known that everyone knows who PRZ is when we use that appreviation..
--
-=DaveHowe=-
He's not saying that they're putting in back doors, he's just saying that they could do it, since they aren't going to disclose the full source code. And when dealing with security, the merest possibility that something can happen, must be treated as though it will happen.
It's the "No source == 10 backdoors in every line of code" interpretation.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I hope the "OpenPGP consortium" doesn't make it their objective to write yet another version of PGP. We all ready have one - Gnu Privacy Guard - which is both open source and RFC-whatever compliant. Plus it's fully scriptable, so it's easy to hook it up to other programs. And the documentation is even good.
On the other hand, if the OpenPGP consortium works with Hushmail, Zero Knowlege, and all the other companies out there to try to make secure email interoperable, that would be very, very nice.
I'm sure the NSA,CIA,FBI, and others get the giggles every day they decrypt email and think "Damn, these people are dumb! PGP has been out there in the world for years now, and almost nobody uses it!"
But frankly, it's a pain to use because it isn't integrated into enough software. For example, it would be nice if you could attach an OpenPGP signature to the text you put into an on-line form in Mozilla - like I am right now. Then we could have secure-signed Slashdot postings. Why? It's not like Slashdot's cookie-based login system is very secure - not that it was ever claimed to be - but if hacked into Slashdot (again) and managed to steal some username/password combinations, they could do a lot of damage to some people's reputations. I'm not talking about karma loss here - what if posts under your userID started showing up badmouthing the company you work for, and praising kiddie porn, and threatening to kill the president? You would have a rough time fixing that. GPG signatures would make it easy to prove you didn't do it.
And if my W2K box at work supported OpenPGP in Outlook, that would be nice too. So, I wish the best to Phil Katz and the OpenPGP consortium, as long as they don't bother to reinvent the Gnu Privacy Guard wheel. Look for innovative ways to add Open-PGP signatures to everything!
Torrey Hoffman (Azog)
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
Surely he'd be better off staying within NAI and fighting to ensure that the code remains free from backdoors? It seems as though he's willing to compromise his principles to get out of a difficult situation, and it means that many of us are going to have to switch to other, less secure versions that we at least know are free from holes.
Not necessarily. If he stays on as an employee of NAI, he could continue to fight against the opening of back doors in the software, but if (when) he loses those fights, he would probably be bound by NDAs and non-compete clauses and the like from publicizing them, and the community at large would have no recourse but to assume that since he is an still an employee, that the product remains true to his original vision, which may not be the case.
Phil is smart and seems aware that the public cannot wisely trust a closed-source security program, and he is stating that he does not wish to continue endorsing it by associating himself with the company that publishes it. I congratulate his courage in leaving a (probably) lucrative corporate position on this principle. Instead, by going to work on the OpenPGP standard, and doing consulting services for other companies who wish to integrate open-standards PGP into their products, he is insuring that peer-reviewable privacy software continues to be available to the public at large.
If he was cutting and running at the first hurdle, he'd stay with NAI, and keep his paycheck, despite the fact that they were making the software less free. Instead, he's making a rather large personal sacrifice to ensure that PGP remains a security system we can trust, even if we can't necessarily trust NAI's implementation of it.
Is the message a fake? Is it real?
What does this all mean for the future of privacy on the Internet?
Get your answers straight from the man.
actually, someone removed his phone number from the last line, and invalidated the signature.
Here's the real message...
-- The Funk, The Whole Funk, And Nothing But The Funk
I think he's trying his hardest to force them to release the source code, whether they want to or not. With this announcement, he stresses the importance of seeing the code again and again. If NAI doesn't release the source, people will assume it is untrustworthy, especially since Zimmerman says he doesn't guarantee future versions. NAI basically has no choice now but to keep releasing the source if they want to remain a viable option for serious security.
Hm, it looks like PRZ is saying that while NAI owns the trademark on PGP, since OpenPGP is the name of an internet standard, other people can use it to describe their projects.
Maybe I'm reading that wrong, but I wonder how that plays with the whole "SSH the Product" vs. "SSH the Protocol" debate?
Seems to be as though this letter contains hints of bitterness over having to leave, and that the vision he had for PGP and NAI's vision were somewhat different. The comments about source code and backdoors seem to indicate that he thinks NAI aren't going to be opening the code for review in the future.
Surely he'd be better off staying within NAI and fighting to ensure that the code remains free from backdoors? It seems as though he's willing to compromise his principles to get out of a difficult situation, and it means that many of us are going to have to switch to other, less secure versions that we at least know are free from holes.
When it comes to ensuring freedom you can't just cut and run at the first hurdle...
Something like this should have been done with ssh situation...
He'll be moving on to help other companies produce implementations of the OpenPGP standard. Don't most companies' employment contracts include a provision that you agree not to go into business in direct competition for n years afterwards? And wouldn't a competing implementation of the OpenPGP standard count?
Perhaps he didn't have a contract like that; since he started PGP the company himself, he presumably didn't bother to write himself a daft contract then, and maybe NAI didn't impose one on him when they bought him...
blah.
Karma: Bored. (Thinking about resurrecting the "Anyone else is an imposter" joke.)
NAI treats PGP as mass market consumer software and may think that it will have little impact on ignorant Joe Public whether they release the source or not. Probably they are correct, but it hugely undermimes the reputation that PGP has built up all these years for those that know better. Maybe this is why he left?
But you're not logged in.
So you don't exist.
So there's nothing for me to reply to.
So this comment doesn't exist.
Now i'm confused.
PigPog.
Good on Phil! He should have done this years ago.
Most of the people I know who use PGP stuck with 2.--the last pre-NAI version--until GPG came along. Nobody uses NAI PGP.
Nobody trusts NAI.
Nobody likes the NAI license agreements.
In short, NAI did more to SLOW DOWN the widespread use of PGP than any government ruling or censure. Almost makes one wonder what their agenda _really_ was for all of those years.
Anyways, congrats to Phil for getting away from those bastards.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
If I was NAI, I would take this as a pretty devestating blow - although PKZ is only saying "I can't guarantee future versions won't be backdoored" it *will* be read as "I left because future versions WILL be backdoored" and may well cost NAI major market share. Certainly, an OpenPGP "approved and checked by PKZ" labelled product will have a higher confidence-factor than something PKZ openly turned his back on....
--
-=DaveHowe=-
No matter how well you think you've hidden something, somebody can always find it, and chances are they wouldn't tell you about it. Insisting on privacy just makes it easier for orgs with the resources to watch you in secret with time-honored techniques like traffic analysis and good old fashioned spying.
For more info you should read David Brin's The Transparent Society.
cryptochrome
---If you can't trust a nerd, who can you trust?
...since we all know he is a criminal. I don't trust a guy who illegaly export ammo from the USA, no matter that now he was considered innocent.
;)
I wish it had more of an API for incorporating it into other software though (Maybe it does and I just missed it...)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Whilst that doesn't rule out a -division- of the NSA working in the opposite direction, I think that (as a whole), they've got the message that security comes from within.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Yes, I was too lazy to look up their middle names. Sue me.
sulli
RTFJ.
Phil posted the message to the newsgroups alt.security.pgp and comp.security.pgp.discuss, and the PGP signature checks out.
Through its decision to withhold source code for PGP versions 7.x and upwards, Network Associates, Inc. has demonstrated that neither it or its products can be trusted.
shg
PGP Keys available at www.nzgames.com/pgp.html
-----
PGP Key ID 0xCB8FF658
Ugh, we seem to be having the same problem with Richard Stallman.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
PRZ seems to stress on the points that PGP has NO backdoors as of now and that he and NAI have different visions of the product. Could this be somekind of a hint that NAI now wants to build backdoors into their product, probably to appease NSA or something like that ? After all we know that many MS products do have NSA backdoors.
It seems like this is always the result when some idealistic hacker sells out to the corporate hordes. Sure, for awhile they might placate the techie genius, but eventually the lawyers and the shareholders hijack the corporate 'vision' and the hacker is left to wonder what became of his utopian dreams for his software.
At least PRZ has the fact that it is an open standard to fall back on. He can go back and dupilcate the work he has already done - but still, it's seems an unneccessary waste of resources.
-josh