Slashdot Mirror


Can GnuPG Deliver?

jso888 writes "After Network Associates decided to halt further development of PGP, I'm sure that many users like myself who use non-CLI platforms most of the time, wondered "what next?" (PGP Freeware is not an option, since it's tied into the Network Associates product). Salon today has a nice article on GnuPG, the Open PGP/GNU alternative. The article highlights one of the problems with Open Source software today: its "by the geek, for the geek" nature, which by and large places barriers to mass adoption of OSS, especially important capabilities like personal encryption. One of the nice things about NAI PGP was its ease of use and commercial polish. It was easy to install and use, and integrated nicely with Windows software like Eudora and ICQ. GnuPG, admittedly, isn't quite there yet, the article concludes. That's too bad; given the privacy-hostile world we live in, the last thing we need is another barrier to widespread cryptography adoption."

286 comments

  1. What's holding back security by Anonymous Coward · · Score: 4, Insightful

    No one is building encryption or other security measures directly into products.

    Encryption by itself is too difficult and esoteric for normal users. If you want to see it spread, make it easy to use and easy to understand.

    1. Re:What's holding back security by mlk · · Score: 4, Insightful

      SMIME, and Outlook.
      It's damn easy to set up and free to get a key (and a nice button on Outlook).
      No, the reason people don't use it is there is little point, not even my BANK recommends sending emails with personal data encrypted!

      (alas not all email clients or mail servers support S/MIME yet)

      --
      Wow, I should not post when knackered.
    2. Re:What's holding back security by Anonymous Coward · · Score: 0

      It should be completely transparent and on by default.

      If I have to press a button or navigate a menu, forget it. (speaking as a normal user, of course)

    3. Re:What's holding back security by mlk · · Score: 1

      true, but you need to work out a way of getting a digital ID thingy.
      I guess MS could include it with Password :-)

      --
      Wow, I should not post when knackered.
    4. Re:What's holding back security by Anonymous Coward · · Score: 0

      I've watched many movies that involve very secure work stations (MI, for example) and I know that I can break into any of those systems if I can gain physical access to the system.

      Your GPG is no match for the power of the PASSWORD.

    5. Re:What's holding back security by mlk · · Score: 1

      Bugger, meant Passport. :(

      --
      Wow, I should not post when knackered.
    6. Re:What's holding back security by Anonymous Coward · · Score: 0

      Customs is holding back encryption.

      Have you ever tried to ship something with encryption around the world? First getting permission from the US is a pain. Then your encryption better not be more than 64 bits or you can't send it to Israel. Oh and if it's shorter than 40, don't try France. Some countries require a consular letter. It's a real headache.

    7. Re:What's holding back security by Shiny+Metal+S. · · Score: 2
      Encryption by itself is too difficult and esoteric for normal users. If you want to see it spread, make it easy to use and easy to understand.
      You mean, like... ROT13?
      --

      ~shiny
      WILL HACK FOR $$$

    8. Re:What's holding back security by twickham · · Score: 1

      I agree completely.

      Easy to use is what it's all about. People who say things like PGP are easy to use for the average user are dreaming (and when I say average I'm talking about grandma here).

      What you want is something that integrates seamlessly and is extremely easy to set up and configure. The closest I've seen to achieving this (and this is Win32 only :( ) security wise (hard disk encryption) is a product called Black Whole. Integrates tightly in Windows and a breeze to configure.

    9. Re:What's holding back security by psamuels · · Score: 4, Insightful

      I don't mean to sound elitist (ok, maybe I do) but....

      Easy to use is what it's all about. People who say things like PGP are easy to use for the average user are dreaming (and when I say average I'm talking about grandma here). What you want is something that integrates seamlessly and is extremely easy to set up and configure.

      The problem is that PKI is not easy. Key exchange is relatively easy, sure - just have the application upload and download from a keyserver. But what about key signing, and the web of trust? How do you make that part easy? To maintain security, users must understand exactly how the process works. Signing a key is a multi-step process and each step must be done with regard to absolute security. I can't imagine how you could wrap the web of trust into a slick GUI without completely negating the point.

      And what about key revocation? Do you really think that when an office worker moves from one department to another, and gets a new computer, that he will think to copy his private key to a floppy and delete it from his original computer? Or, failing that, will he issue a revocation certificate when he realises that someone else now has access to the private key? For that matter, will he encrypt the private key so that he has to type a passphrase every time he accesses it?

      These are not things you can easily abstract away. The user must understand the whole process, or he will never get it right. In turn, not getting it right would dilute the web of trust. And remember, the users we're talking about are the same ones who fail to understand why you don't just launch untrusted applications out of your e-mail, and why your password really needs to be at least five characters long. Does anyone think the average corporate user will have any grasp at all on how and why to use PKI in the way it was designed (i.e. securely)?

      --
      "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
    10. Re:What's holding back security by psamuels · · Score: 1

      If anyone tried to verify that last message, slashcode seems to uppercase all the HTML tags, so you have to convert them back to lowercase (and remove the <BR>s from the metadata). Oh well.

      --
      "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
    11. Re:What's holding back security by cabalamat2 · · Score: 2

      Encryption by itself is too difficult and esoteric for normal users. If you want to see it spread, make it easy to use and easy to understand.

      That's why I'm developing Herbivore, a zero-effort mail encryption system.

    12. Re:What's holding back security by Matey-O · · Score: 2

      And that's the Rub! When you sign a check, the burden is on the bank and the vendor to verify that you signed it...and all it says is that you signed it. That's good enough for buying some very expensive things (cars, houses, small countries)

      Yes, with a digital signature, you get proof of identity, and along with it, non-repudiation, date stamping, window of validity, revocation lists and a TON of 'useful' stuff that you don't get with an ink signature.

      But if you CAN'T make it as EASY as an ink signature, you're not going to get much adoption.

      --
      "Draco dormiens nunquam titillandus."
    13. Re:What's holding back security by DrXym · · Score: 2
      I disagree that it's easy to get a key in OE. Yes it will ask if you want to get a key and open a browser to a start page listing some key vendors but from there on it becomes increasingly confusing. For example, click on the Verisign link and it tells you you must pay $15 (yeah right) for a year long key or get a 60 day trial key (useless). Global Sign charges 16 euros or get a 30 day trial key (worse than fucking useless), BT dumps you in their order catalogue, Thawte dumps you in a sales pitch. I gave up trying with the last two after a few links.

      In short none of these options makes it easy to get a key. And even assuming you want one, they'll ask for your life history and passport/social security/credit card numbers before they'll hand one over. That's too bad for anyone under 18 or in a repressive country.

      And in a year's time your certificate expires. And your certificate is not signed in any meaningful sense (Verisign et al disavow any knowledge of your actions) so the signature means nothing at all.

      Aside from that, SMIME is just too damned slow compared to PGP/GPG which use mostly symmetric encryption and are therefore much faster than asymmetric SMIME.

      So no, Outlook Express doesn't make it damned easy and SMIME just stinks anyway.

      Easy to me means having something akin to PGP's Key Generation Wizard built into the mail software. When I sign and send a message without a key it should launch the wizard, ask me a few simple questions, ask for a password, generate the key, ask me if I want to publish it and that is it. Mail is signed and sent. If I receive messages containing an X-pgp-ID header, my email software should be able to look up and retrieve their public key from the server.

      Now that would be easy.

    14. Re:What's holding back security by Anonymous Coward · · Score: 0

      Do you really think that when an office worker moves from one department to another, and gets a new computer, that he will think to copy his private key to a floppy and delete it from his original computer?

      god, i hope she doesn't trust her private key to a floppy disk, the least reliable magnetic storage medium still in mass production. anyway, what was her private key doing on her office computer's hard drive anyway? it should be on her solid state USB-dongle keyring (with a backup copy locked in the safe at home).

    15. Re:What's holding back security by 4of12 · · Score: 2

      You're quite right and, well, the obstacles you describe are depressingly formidable.

      I think there's room for making things much easier than they are now. Things like email clients that will use the recipient list to start looking for public keys in a local LDAP server or some bigger, web-wide repository, or local cache.

      And friendlier front ends to deal with some of the issues, like generating fingerprints of keys and warning the user to call and verify that this key really belongs to Alice or Bob.

      But while much progress can be made over where we are now, there will be an inescapable gap between the current level of common public understanding of encryption and what needs to exist.

      This will be one of those things that gets fixed either by necessity (just as people had to learn how to use cars and telephones and how to run a checking account), or by education. I believe, with simple tools and some demonstrations, it should be possible to teach school children the rudiments of PKI.

      I think they're going to have to, as networked devices become ubiquitous and the consequences of shoddy security knowledge become more dire.

      --
      "Provided by the management for your protection."
    16. Re:What's holding back security by aureliano · · Score: 1

      The whole concept of security for data in a public network is flawed. Security on a public network like the Internet cannot be guaranteed. The Internet was built not for security but for decentralised redundancy. If I have *really* sensitive data which I want no one to look at, I would not put it in an email, on the Web or wherever. Of course, if you wanted to hide something from corporate spies, PGP etc. can serve the purpose.

    17. Re:What's holding back security by psamuels · · Score: 3, Insightful
      And that's the Rub! When you sign a check, the burden is on the bank and the vendor to verify that you signed it...and all it says is that you signed it. That's good enough for buying some very expensive things (cars, houses, small countries)

      One point: usually when you buy these expensive items, there are independent ways used to verify your identity. For buying cars and real estate (at least in Kansas), you have to have the title notarized, which of course implies that the notary, who is licensed by the state, is supposed to check your ID.

      This sort of thing doesn't really scale to e-commerce easily. On the Internet, it is much more difficult to verify someone's identity than it is in the Real World. Thus, digital signatures are trying to solve a much harder problem, in the common case, than ink signatures are. Unfortunately the hard problems don't go away by throwing technology and GUI interfaces at them. A command-line switch for "trust this signature even though we have no way of knowing if the owner is who he says he is" is just as bad as a GUI check-box saying the same thing.

      One might say that certificate authorities and KDCs are the digital equivalent of a notary public. The web of trust is the digital equivalent of a bank asking you for ID when you open an account, and keeping your signature on file for later comparison.

      Yes, with a digital signature, you get proof of identity, and along with it, non-repudiation, date stamping, window of validity, revocation lists and a TON of 'useful' stuff that you don't get with an ink signature.

      Nonsense - most of these features can only be implemented if there is a trusted third party, aka certificate authority (CA). How is this different from a notary public? In the Real World you can get every single signature notarized, providing the same non-repudiation, date stamping, and so forth. People don't usually do this because it represents a lot of time and money.

      And then there's the issue of whether you trust the notary, or the CA. The notary is licensed by the State, the CA isn't really licensed by anyone but gets credibility from the number of people who recognise it (rather like the value of paper currency). In both cases, how do you know for sure that it can be trusted? You don't, you can only assume.

      But if you CAN'T make it as EASY as an ink signature, you're not going to get much adoption.

      As I've said, if you want the real benefits of PKI and digital signatures, you either need an extensive web of trust (hard to achieve) or a trusted third party (CA). This isn't something you can just hand-wave away with better interfaces. I really don't see how the ease-of-use problem can be solved. It's easy to get people to use SSL with https: web sites. It's hard to ensure that their e-commerce transactions are actually secure against MITM attacks and various sorts of spoofing. Without identity verification in both directions (sure, the web site has a CA-issued certificate, but do you?), the great benefits of PKI and digital signatures are largely a myth.

      --
      "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
    18. Re:What's holding back security by wishus · · Score: 2

      I looked at Herbivore, and you have a great idea, but your key exchange algorithm is vulnerable to a man-in-the-middle attack.

      For instance, let's say Alice sends an email to Bob, and it's the first time they've emailed each other. Her Herbivore-compliant MUA automatically attaches her public key. I intercept the email and replace her public key with a different public key - one that appears to be from her, but for which I have the private key. Then I send this email on to Bob.

      Because Bob's MUA automatically accepts Alice's key, he doesn't think to verify the key fingerprint with Alice, and he fires off an encrypted response. I intercept the response, decrypt it, read it, and then re-encrypt it (or anything I want, really) with Alice's real public key and send it on to her.

      I now have the power to read or change any email that Bob sends to Alice. You can extend this example to see how I could gain the same power over email sent from Alice to Bob.

      There is really no way to escape the need to check fingerprints and sign keys. Eventually, the user can build up a web of trust, so that he may not have to personally verify a new key. When he starts, though, he's going to have to check some fingerprints.

      If you can make fingerprint checking and webs of trust easy to understand for the nontech, then you will change the world. Good luck!

    19. Re:What's holding back security by zummythegreat · · Score: 1

      Most users have no idea how insecure email is and don't see the point in encrypting it. Until someone is caught stealing credit card numbers by reading email, most people aren't going to give it any thought.

      More people are concerned with credit card numbers being stolen from a web site, not from being sent. After all, I have yet to hear in the media of any cases of credit card numbers being stolen from emails. Has anyone else?

    20. Re:What's holding back security by mlk · · Score: 1

      Thawte was quite easy. (and free).

      --
      Wow, I should not post when knackered.
    21. Re:What's holding back security by babykong · · Score: 1


      The big problem is not the UI. It is ordinary people getting the concept of encryption, especially public key. Hell, when public key encryption was first proposed, a lot of very smart people had a problem wrapping their brains around what would back then have been considered an oxymoron: "public key".

      I am currently working on a document to explain basic concepts to grandmothers and liberal arts majors. It should appear on my new and currently lame web site next week.

      Also, I plan to post some ideas for community based web of trust scenarios.

      http://www.jpschultz.com
      (currently lame, wait a week)

      I have switched from PGP to GnuPG with a WinPT front end. WinPT is a little rough around the edges (ver 0.5.5) but it's basically easy to use.

      PT stands for privacy tray. You can do operations on the current window or in the clipboard either from the privacy tray window or using hot keys. It's not all there yet so there are still things that need to be done from the command line. Once set up, however, the interface is fairly easy to use for a novice (at least as easy as PGP) IF there is a basic understanding of the concepts.

      Another cool thing, you can get it with an install program which will allow a user an easy install wizard which includes the GnuPG install.

      I am getting a usability consultant to give me a freebie and evaluate the software from a non geek perspective. I would like to put this into some professional offices along with training and support.

      You can get the software here.
      http://www.winpt.org/

      Also, check this out.
      http://www.gnupg.org/frontends.html

      I really believe that all that is needed is documentation and training that talks to real people.


      --
      Question Reality
  2. secrets and PGP by 56ker · · Score: 3, Interesting

    How many of us actually have secrets to hide that we go to the bother of encrypting them with PGP any more though? I have only ever sent a few PGP e-mails before I figured it was too fiddly and time consuming to bother with.

    1. Re:secrets and PGP by Sc00ter · · Score: 2
      I agree.. And I don't understand the concept of PGP Sigs either.. How does that prove anything? What's to prevent me from smacking a PGP Sig on my email? Does anybody verify those?

    2. Re:secrets and PGP by theNote · · Score: 4, Informative

      Good email clients will automatically check the signature for you and display the identity verification.
      So, yes, in a way I check them all the time.

    3. Re:secrets and PGP by ilcylic · · Score: 5, Insightful

      The point isn't whether you have secrets now, it's whether you'll ever have secrets. If you only send one encrypted email, and "someone" is watching, they know to devote all of their effort to breaking that one message. It's not a matter of "having secrets to protect", it's a matter of ideologically being a thorn in the side of people who want to be able to read your email.

      The other point is that it's better to use encryption because you can. It's like always using ssh, instead of "just when you don't want someone to snoop your connection". Use encryption all the time, because protecting your privacy is always a good thing.

      -il cylic

    4. Re:secrets and PGP by 0xB · · Score: 2, Informative

      Everyone has secrets .. financial information for example.

      Do you use secure websites to order online, or do you use sites with no encryption?

      Do you email your bank account information to family members using PGP, or in plain text?

      --
      0xB
    5. Re:secrets and PGP by Purificator · · Score: 1

      actually, consider global corporations that use email and IM for communication. i'm sure easier encryption (even over icq!) would ease a lot of minds in their legal departments as people discuss sensitive information over the internet. i know where i work it's pretty rare to pick up a phone; we tend to use email and IM almost exclusively.

      i think the point of the post, too, is the "go to the bother" part of your reply. if encryption weren't a bother (consider just selecting a checkbox for "use encryption") people wouldn't need as much of a reason to use it.

      --
      "Mister Potato-head --MISTER POTATO-HEAD! Backdoors are not secrets!" (War Games, 1983)
    6. Re:secrets and PGP by mlk · · Score: 0, Redundant

      Your email client *should* do that for you, but o/c due to the fact none of the front ends are any good, they don't :)

      --
      Wow, I should not post when knackered.
    7. Re:secrets and PGP by 56ker · · Score: 1

      Using secure websites to order online doesn't use PGP & they *certainly* don't e-mail you your credit card details.
      As to e-mailing my bank account information - I never have and I never will because they'll never need it because it's *my* bank information - not theirs!

    8. Re:secrets and PGP by Citizen+of+Earth · · Score: 1

      And I don't understand the concept of PGP Sigs either.. How does that prove anything? Signing e-mails sounds more like a liability than anything else.

    9. Re:secrets and PGP by CharlieG · · Score: 2

      yes,
      Every time I get an email with a sig - and my email is always signed

      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    10. Re:secrets and PGP by base3 · · Score: 2, Informative
      i'm sure easier encryption (even over icq!)

      Check out Trillian, which claims to do this. Caveat: it's not open source, and I haven't looked too hard at its security features, but it does list encryption over ICQ and AIM as features. I use it more because it's a unified client that does ICQ, AIM, Yahoo!, MSN, and IRC all in one.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    11. Re:secrets and PGP by tzanger · · Score: 3, Interesting

      And I don't understand the concept of PGP Sigs either.. How does that prove anything? What's to prevent me from smacking a PGP Sig on my email? Does anybody verify those?

      I use KMail; it has very nice GnuPG integration, the only missing feature is for *it* to go through and encrypt my attachments instead of making me do it. At any rate, any email with a PGP sig is automatically checked and since I have the colour bar enabled signed messages with keys I trust (and that pass) are in a green border. Good sigs with keys I don't know/trust are in a yellow border and bad signs are in a red border. Very eye-catching and very nice.

      I generally sign messages (not encrypt) if I want to give the person on the other end a way of verifying that what I sent didn't get altered. I encrypt when I don't want anyone else reading it. It's perhaps a subtle difference, but I use it quite often.

    12. Re:secrets and PGP by Junta · · Score: 2

      Well, plus, with ssh versus telnet, telnet transmits your password in plaintext, so it is even more crucial to use ssh to protect logins than normal mail. The problem with always using encrypted email is that you have to basically add a prompt to send a message to ask whether to encrypt or not. It isn't to the point where you can shoot off encrypted emails to anyone with the expectancy their mail reader can handle it.. I look forward to days like that..

      --
      XML is like violence. If it doesn't solve the problem, use more.
    13. Re:secrets and PGP by Anonymous+DWord · · Score: 2

      Licq has an encrypted session module. You have to use Licq at both ends though (not ICQ).

      --
      "If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
    14. Re:secrets and PGP by Waffle+Iron · · Score: 2, Funny
      And I don't understand the concept of PGP Sigs either..

      So what is this "PGP sig"? Is it a witty quip, or is it just some spam message you can't remove unless you upgrade from the free version?

      I'd rather use a product that lets me write my own sig.

    15. Re:secrets and PGP by tftp · · Score: 4, Insightful
      Signing e-mails sounds more like a liability than anything else.

      One day someone receives an email from his parents, asking for urgent money transfer because of some disaster; the bank account is provided. The guy goes to the bank and transfers almost all he has.

      A week later this person might be very upset that he did not demand a digital signature on the email because his parents never sent him any requests for money, are in perfect health and have no idea whose bank account it was...

    16. Re:secrets and PGP by tftp · · Score: 2
      Using secure websites to order online doesn't use PGP

      But the SSL/TLS uses the same ciphers and the same technologies, only in a different "wrapper".

    17. Re:secrets and PGP by UberChuckie · · Score: 0

      Would you not just pick up the phone, confirm they asked for the money and that the bank account information is correct?

    18. Re:secrets and PGP by Ian+Bicking · · Score: 2
      Without some form of automated (and presumably secure) key exchange, you can't really send automatically encrypted email to someone anyway. You first have to get their public key, which should also imply that they can accept encrypted mail.

    19. Re:secrets and PGP by Anonymous Coward · · Score: 0

      Use Jabber - It has support for encrypted messages and signed presence.

    20. Re:secrets and PGP by Anonymous Coward · · Score: 0

      Why would you use the phone? The Internet will solve all of our problems! I'm going to go check out some porn and pretend to have sex.

    21. Re:secrets and PGP by Christ-on-a-bike · · Score: 1
      Gabber, the GNOME Jabber client, has excellent gpg support built in, SSL to the server and so on. Both your 'presence' on the network and your individual messages can be seamlessly signed (and messages encrypted). This would make Jabber a really secure corporate IM system.

      It seems there are always people coming up with good ideas for gpg in free software.

    22. Re:secrets and PGP by arivanov · · Score: 2
      How many of us actually have secrets to hide that we go to the bother of encrypting them with PGP any more though?

      All of us. I do not consider the information on my accounts, short term and long term debt to be a matter for the public domain.

      My bank uses PGP (Nationwide in the UK, one of the 5 largest banks here). For all customer related communications. All email is signed (no exemption) and encrypted if needed. You should expect no less from your bank. If it does not I suggest you change it. To a bank with a clue. I know it may be problematic in some countries suffering from acute terrorism paranoia. Problematic, but not impossible.

      That is just one example. We can extend the list with personal health (yours or of family members abroad), internal business matters where you work, to be continued ad nauseam.


      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    23. Re:secrets and PGP by Anonymous Coward · · Score: 0

      Digital "trust" measures can only make "trust, the human way" possible in the digital world, no more. Someone who sends money to a bank account without even checking *why* his/her parents need it would not check out who signed the signature anyway.

    24. Re:secrets and PGP by yatest5 · · Score: 1

      How many of us actually have secrets to hide that we go to the bother of encrypting them with PGP any more though? I have only ever sent a few PGP e-mails before I figured it was too fiddly and time consuming to bother with.

      Er, those of us who work in industries with competitors? And for fiddly, see 'clicking a button at the top right' in that nasty, nasty, horrible, no good at all MS product Outlook.

      --
      • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
    25. Re:secrets and PGP by Erik+Hensema · · Score: 2

      A public key can be signed by others. For instance: person A meets B IRL. They can now confirm they are who they say they are. So, A signs the key of B, B signs the key of A.

      A while later, A meets C, both sign their keys.

      Now B can trust C, because B trusts A.

      When a PGP sign is not trusted, pgp or gpg will always tell you about it.

      Signing at the very least means subsequent mails can't be forged. If you trust somebody who sends you a signed message, you can trust all mail signed by his signature is his.

      A one-time message with an untrusted key means exactly nothing.

      Personally I check all signatures automatically because I use mutt and gpg. gpg automatically fetches keys from a keyserver.

      --

      This is your sig. There are thousands more, but this one is yours.

    26. Re:secrets and PGP by Zapdos · · Score: 2

      We are not hiding secrets, we are protecting privacy. Anyone including spammers can read your mail. Anyone including child molesters can read that little girl's mail. Anyone can read your email. Does it happen? Yes!

      Privacy is worth protecting.

    27. Re:secrets and PGP by psamuels · · Score: 2
      Without some form of automated (and presumably secure) key exchange, you can't really send automatically encrypted email to someone anyway. You first have to get their public key, which should also imply that they can accept encrypted mail.

      There is - it's called a keyserver, and there are lots of them (which synchronise their keys periodically). You can upload your key to one, and set your software to automatically download a key when needed (to verify a signature).

      The keyserver itself is not secure - the security lies in a so-called "web of trust". In essence, you can sign someone else's key once you have verified its veracity by face-to-face meeting or phone call (assuming you trust your ability to recognise his/her voice on the phone). If enough people sign each other's keys, you can trace a path of key signatures (no pun intended) from you to an arbitrary key you downloaded, and you know there is some assurance that the key is genuine. Of course, this relies on everyone in the chain being very careful only to sign keys they know for sure they can trust. (That is not something you can build into a software product - you can only document how the process works, and the user has to take responsibility to get it right.)

      The advantage of the web of trust is that it is free and decentralised. The alternative is to use certificate authorities (CAs) who are centralised and well-known. This is how SSL web sites usually work. The process is similar, except that the web is very shallow in that everybody implicitly trusts those few CAs. And CAs generally don't sign your keys for free - it's a service they sell. As such, it is quite practical for e-commerce, but in my opinion not at all practical for individuals.

      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.0.6 (GNU/Linux)
      Comment: For info see http://www.gnupg.org

      iD8DBQE8oyFcXk7sIRPQRh0RAmvRAJkBb304Qw9HbF/obB+nyNduk/6NdQCdFhel
      lZI4CNAroR8RxG3ZmGkFf30=
      =32AC
      -----END PGP SIGNATURE-----
      --
      "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
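The two posts above (Erik Hensema's A/B/C scenario and psamuels' description of tracing a signature path) describe the web of trust as if a chain of signatures alone made a key trustworthy. GnuPG actually tracks two separate things: the certifications (signatures) on a key, and the owner trust you assign to each certifier. The model below is an added example, not GnuPG's code or anything from the posts; key names are placeholder IDs and the thresholds default to gpg's documented `--marginals-needed 3`, `--completes-needed 1` and `--max-cert-depth 5`. `hensema_example` replays the post's scenario from B's keyring and shows that C's key only becomes valid for B once B has assigned owner trust to A, which the post leaves implicit.

```python
"""Classic GnuPG-style web-of-trust validity, as a constructed model.

Added example; this is not GnuPG's code. Key names (A, B, C, ...) are
placeholders for key IDs.

Two different things are tracked:
  * owner trust: what YOU assert about how carefully a key holder checks
    identities before certifying (signing) other keys;
  * validity: what the program derives about whether a key really belongs
    to the name on it, from certifications made by valid keys whose owners
    you trust.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def compute_validity(
    certifications: Iterable[Tuple[str, str]],
    ownertrust: Dict[str, str],
    marginals_needed: int = 3,
    completes_needed: int = 1,
    max_cert_depth: int = 5,
) -> Dict[str, str]:
    """Return {key_id: validity} with validity in {'full', 'marginal', 'none'}.

    certifications: (signer, signee) pairs meaning "signer certified signee's key".
    ownertrust: key_id -> ULTIMATE / FULL / MARGINAL (anything else counts as NONE).
    Defaults mirror gpg's --marginals-needed 3, --completes-needed 1,
    --max-cert-depth 5 (assumption: the classic trust model, not TOFU/PGP-TOFU).
    """
    signers_of: Dict[str, Set[str]] = defaultdict(set)
    for signer, signee in certifications:
        signers_of[signee].add(signer)

    # Depth 0: your own (ultimately trusted) keys are valid by definition.
    validity: Dict[str, str] = {k: FULL for k, t in ownertrust.items() if t == ULTIMATE}

    for _depth in range(1, max_cert_depth + 1):
        proposed: Dict[str, str] = {}
        for key, signers in signers_of.items():
            if validity.get(key) == FULL:
                continue  # already as good as it gets
            # Only certifications by keys that are themselves fully valid count,
            # weighted by the owner trust you assigned to the certifier.
            completes = sum(
                1 for s in signers
                if validity.get(s) == FULL and ownertrust.get(s) in (FULL, ULTIMATE)
            )
            marginals = sum(
                1 for s in signers
                if validity.get(s) == FULL and ownertrust.get(s) == MARGINAL
            )
            if completes >= completes_needed or marginals >= marginals_needed:
                proposed[key] = FULL
            elif completes or marginals:
                proposed[key] = MARGINAL  # some evidence, not enough to rely on
        changed = False
        for key, v in proposed.items():
            if validity.get(key) != v:
                validity[key] = v
                changed = True
        if not changed:
            break  # no new fully valid key appeared, so deeper rounds change nothing

    for key in set(signers_of) | set(ownertrust):
        validity.setdefault(key, NONE)
    return validity


def hensema_example(trust_in_a: str) -> Dict[str, str]:
    """The scenario from the post, seen from B's keyring.

    A and B cross-certified in person; later A and C did the same. B has
    never met C. Whether C's key becomes valid for B depends on the owner
    trust B assigns to A, not only on the chain of signatures.
    """
    certs = [("A", "B"), ("B", "A"), ("A", "C"), ("C", "A")]
    return compute_validity(certs, {"B": ULTIMATE, "A": trust_in_a})
```

With owner trust on A set to full, C comes out fully valid for B; with marginal trust on A, C is only marginal (one marginal certifier out of the three needed); with no owner trust assigned, A's signature on C counts for nothing even though A's own key is valid. That last case is the one gpg reports as an untrusted signature when a key was merely fetched from a keyserver.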
    28. Re:secrets and PGP by psamuels · · Score: 2
      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1
      But the SSL/TLS uses the same ciphers and the same technologies, only in a different "wrapper".

      Some of the same ciphers and some of the same technologies. Notable differences:

      • key exchange: in PGP you exchange keys out-of-band, usually by means of a keyserver, or mundane means such as having your public key on a web page or Slashdot user profile. With SSL you use a Diffie-Hellman exchange, in-band (i.e. you negotiate a temporary pair of keys for each transaction).
      • identity verification: in PGP it is the web of trust, tied to the public keys themselves. You sign people's keys which you have personally verified as genuine, and they in turn sign other keys, until there is an entire network of "trust relationships". With SSL each party can be certified by a Certificate Authority, which is a similar process except that the web of trust only goes one level deep: everyone implicitly trusts the CA. This is much more like the Kerberos model. Also, CAs cost money so individuals don't usually use them. Thus, in most SSL transactions, the web surfer can verify the web site, but not vice versa. Also, the CA model relies on a separate certificate which is not part of the key used for actual data transfer, but is passed as in-band data.
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.0.6 (GNU/Linux)
      Comment: For info see http://www.gnupg.org

      iD8DBQE8oyStXk7sIRPQRh0RAj7xAJ9mjZCbQmFz+aj5PWY1Z0N3zA0vXQCdFO/f
      v2d4FQ9bqUhJRXFCcR8NbNA=
      =8qbj
      -----END PGP SIGNATURE-----
      --
      "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
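The post above separates key exchange (where SSL negotiates an ephemeral Diffie-Hellman secret in-band) from identity verification (CA certificate or web of trust). The added example below, which is not from the post or from any TLS or PGP implementation, shows why the two cannot be collapsed: an unauthenticated in-band exchange completes successfully even when a third party relays it, and each honest side ends up sharing a key with the attacker instead of with each other. The group (p = 2^127 - 1, g = 3) is a toy chosen so the demo runs instantly; it is an assumption for illustration, not a group anyone should deploy.

```python
"""Unauthenticated in-band Diffie-Hellman and the man in the middle it permits.

Constructed example, not code from the post or from any TLS/PGP
implementation. The group below is a toy (assumption for a demo only);
real protocols use standardised large MODP groups or elliptic curves.
"""
import secrets
from typing import Dict, Tuple

P = 2**127 - 1   # Mersenne prime, toy group modulus
G = 3            # toy generator


def dh_keypair() -> Tuple[int, int]:
    """Return (private, public) for one ephemeral DH exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Derive the shared secret from our private value and the peer's public value."""
    return pow(peer_pub, priv, P)


def honest_exchange() -> Tuple[int, int]:
    """Alice and Bob exchange public values directly; both derive the same secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)


def mitm_exchange() -> Dict[str, int]:
    """Mallory relays the exchange, substituting her own public values.

    Neither party can detect it: a fresh DH public value carries no
    identity. That gap is what certificates (SSL) or certified long-term
    keys (PGP's web of trust) are there to close.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv_a, m_pub_a = dh_keypair()   # Mallory's value shown to Alice as "Bob's"
    m_priv_b, m_pub_b = dh_keypair()   # Mallory's value shown to Bob as "Alice's"
    return {
        "alice": dh_shared(a_priv, m_pub_a),            # Alice believes this is with Bob
        "bob": dh_shared(b_priv, m_pub_b),              # Bob believes this is with Alice
        "mallory_with_alice": dh_shared(m_priv_a, a_pub),
        "mallory_with_bob": dh_shared(m_priv_b, b_pub),
    }
```

In the relayed run Alice's secret equals Mallory's secret-with-Alice and Bob's equals Mallory's secret-with-Bob, while Alice and Bob hold different keys; Mallory decrypts each direction and re-encrypts for the other. Binding the exchanged values to an identity (a signature by a certified key, a certificate chain) is the only thing that distinguishes this from the honest run.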
    29. Re:secrets and PGP by stilwebm · · Score: 2

      You might also be surprised at the number of smaller businesses that use SSL on their outsourced web site, but then use PGP to send the collected form data via email to the person processing the orders. It is an inexpensive method that many non-profits use to accept donations, for example.

    30. Re:secrets and PGP by elandal · · Score: 2

      Like "No plaintext email" in the customer's communication requirements?

      I routinely send email with company confidential data in them. And I do encrypt those emails.

    31. Re:secrets and PGP by stevey · · Score: 1

      I have secrets.. Things I don't want others to see.

      I virtually never use PGP/GPG to encrypt email - but I use them both to encrypt files on my local machine, and the machines I have access to at work.

      For example .. I have lots of online accounts with places like slashdot, my bank, etc, all of these accounts have different passwords - I can remember them mostly.

      But, in case I forget, I have a file 'accounts.txt.pgp', and 'accounts.txt.pgp', which contains the usernames + passwords for all of them. This is obviously something that I don't want others to read - but the comfort of having it around is big.

      Another reason for using GPG is that I can sign software releases I make - I'll be honest I've never done this yet, but the next release of my MP3 streaming server will have its releases signed by my public key. (I'll also add MD5Sums for people who check those..).

    32. Re:secrets and PGP by 56ker · · Score: 1

      Well as far as I'm concerned if anyone wants to read my e-mail they can - it never contains anything of any use to them because I know it's as secure as a postcard.

    33. Re:secrets and PGP by Anonymous Coward · · Score: 0

      Very well said.

      This is why everyone should run an anonymous remailer.

      ---

      Anonymity is freedom!

    34. Re:secrets and PGP by vansloot · · Score: 1

      I see your point, but if I'm going to make a large money transfer, it is going to be _after_ I actually talk to the person over the phone and get the information.

      This is true about any major financial or business decision I would make.

    35. Re:secrets and PGP by tftp · · Score: 1
      You are wise; but there are many trusting people. Even worse, there are many experienced con artists who can easily invent a believable scenario when the victim's moves are forced (as in chess, when the player has only one way to respond.) Even if the victim receives a "contact phone number" in the email, there is no guarantee that this phone number is really what it purports to be.

      For example, someone is injured in a road accident, transported into private hospital X, but this hospital X requires $10,000 for admission, as security deposit, and if no money is sent within 20 minutes they will bounce the patient to another hospital, with great risk to his life. The phone number is provided, and a hospital's receptionist answers it, and confirms the story. What would a normal person do in this case? I guess, he'd break out his Visa card, while his relative is still alive; there is simply no time to investigate, no time to ask for hospital's license, no time to call the state and check that the license really exists, and all the time later to wonder why the hospital's bank is in Nigeria.

    36. Re:secrets and PGP by maxpublic · · Score: 1

      So how is this a problem? You send one email asking for the public key, then encrypt the second and send. One additional step at the beginning of the conversation.

      So long as you're fairly certain that email address A belongs to person A and isn't being accessed by anyone else I don't see why this presents a difficulty.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
  3. Something to work on. by ilcylic · · Score: 3, Interesting

    The advantage, of course, is that if someone decides it's important to make GPG pretty, it will get done.

    Interfacing isn't that hard. What sort of "easy to use" features would be desired in a personal encryption suite?

    A graphic display? PerlTK can do that. Simple means to keep track of new keys? I don't know what features would be wanted here. Let's figure it out and write it. Open Source is all about fixing problems you perceive.

    -il cylic

    1. Re:Something to work on. by Anonymous Coward · · Score: 0

      Interfacing is not hard?
      Hoho
      So go write a GOOD interface.

    2. Re:Something to work on. by Anonymous Coward · · Score: 0

      Actually the Interface is usually the most difficult part of a project - if it's done correctly. The interface is second only to functionality - make sure the project meets its design goals, then make a clean, simple interface that will do what the user *wants* and *needs*.

      Slapping together something in TK isn't going to cut it - you need something nice and integrated where you install 1 bundle and it's all there - not install 4 different .rpm files + 20 dependencies and pray it will work.

    3. Re:Something to work on. by Malc · · Score: 2

      Interfacing might not be hard, but hasn't been done yet. Integrating is probably the problem. When I looked at it some time ago (18 mos, 2 yrs?), it didn't plug in to my mail tool (Netscape), nor did it support HTML or RTF emails in Outlook, which I use with work.

    4. Re:Something to work on. by Kirruth · · Score: 2
      I don't know what features would be wanted here. Let's figure it out and write it. Open Source is all about fixing problems you perceive.

      So, not trusting the corporations with our security means we have to write our own crypto and make it easy to use? Heh, cool. We can do this.

      --
      "Well, put a stake in my heart and drag me into sunlight."
  4. GnuPG in Mozilla by CanadaDave · · Score: 2, Insightful
    Slightly offtopic - Getting GnuPG into Mozilla would help it spread its use to more people.

    If you have an account at Mozilla's Bugzilla, vote for this bug here.

    1. Re:GnuPG in Mozilla by Anonymous Coward · · Score: 0

      http://enigmail.mozdev.org/

    2. Re:GnuPG in Mozilla by Gogo+Dodo · · Score: 2
      Getting GPG seamless support into Outlook or Eudora would help a whole lot more than getting it into Mozilla. There are far more Outlook and Eudora users out there than Mozilla users.

      The whole point is getting GPG to "the masses." The masses don't use Mozilla. "By the geek, for the geek".

      I used the PGP Eudora plug-in on the Mac and it was slick. Select Decrypt/Encrypt, done. No front-end, no copy and paste into a helper app, just a single menu selection.

  5. Try the many front ends by mlk · · Score: 5, Informative

    http://www.gnupg.org/frontends.html

    WinPT is quite good.
    http://www.winpt.org/

    But I've only found one "free software" package which is up to scratch with its Windows counterparts (in easy to install etc), and that's Apache Tomcat, and that needs some work. :)

    Ahh well, maybe one day.

    --
    Wow, I should not post when knackered.
    1. Re:Try the many front ends by tooth · · Score: 1

      WinPT is pretty good, but at the moment all i (and others?) really want is just buttons added to their mail client, *click* encrypt, *click* passphrase, decrypt...

    2. Re:Try the many front ends by Sc00ter · · Score: 2
      You could go here and get some. I just got G-Data for Outlook and it works great.. I like it better then the PGP Freeware thing, and it's right there in my Outlook.

    3. Re:Try the many front ends by mlk · · Score: 1

      Have you tried Outlook, and its S/MIME? It's quite good (alas the rest of Outlook gets on my nerves :)

      --
      Wow, I should not post when knackered.
    4. Re:Try the many front ends by Sc00ter · · Score: 2
      Is that compatible with anything besides Outlook clients? Wouldn't do much good when people I would be sending stuff to use Evolution, Mutt, or Eudora

    5. Re:Try the many front ends by Juggle · · Score: 1

      Check out the latest version of WinPT. It now has "encrypt/Decrypt current window" from hot-keys.

      I just installed it for a client today and wow does it make it all easier. Just hit ALT-SHIFT-D and enter your passphrase to decrypt e-mail. Just hit ALT-SHIFT-E to encrypt before sending.

      --
      --- Juggle juggle@hitesman.com
    6. Re:Try the many front ends by mlk · · Score: 1

      It's an Open standard, and Opera are looking into supporting it.
      Some Linux email clients support it as well I believe.

      --
      Wow, I should not post when knackered.
    7. Re:Try the many front ends by pete-classic · · Score: 2, Offtopic

      Apache Tomcat? Easy to install? I swear that thing is packaged by Rain Man or some acid freak or something.

      Who even knows what the fucking thing's correct name is? Is it Tomcat? Jakarta? Catalina?

      What kind of server program depends on environment variables? I'll tell you, Apache Jakarta Tomcat freaking Catalina with Ant on the side.

      Oh, and make sure you put the correct 500 lines of crap about "workers" in the apache config file.

      Yeah, it's a breeze.

      -Peter

    8. Re:Try the many front ends by Anonymous Coward · · Score: 0

      That was exactly the point. It was as difficult to install on Win as on any other platform. You didn't get the irony.

    9. Re:Try the many front ends by dattaway · · Score: 2

      What kind of server program depends on enviornment variables?

      Uh oh. This world is in trouble. You know, kids these days are taught how to move a mouse, not speak the language of a command line. Environment variables and basic scripting should be compulsory education for students at the elementary school level. So many young minds lack logic skills and critical thinking, you'd think it was the greed of some evil corporation behind all of these "difficult to install" applications.

      Those 500 lines of "crap" config file could be a worthwhile alternative to an often repeated lame 500 word essay on the social implications of World War III and people who have been long dead.

    10. Re:Try the many front ends by mlk · · Score: 1

      Windows: Double click install exec, see it in 'Services', I like. A lot.
      Look in Start->Programs->Tomcat, ohh look links for all the config files.

      I've also installed it on UNIX-alikes twice (FreeBSD & Linux), and (for me anyway) it was:
      * Unzip
      * set TOMCAT_HOME (The README had the evil commands for most Shells)
      * Run 'start.sh'.

      Yeah the config file (a very neat XML file) could do with a pretty front end, but it's NEAT XML?!

      I guess one mans pleasure and all that

      mlk

      --
      Wow, I should not post when knackered.
    11. Re:Try the many front ends by Anonymous Coward · · Score: 0

      Is it Tomcat? Jakarta? Catalina?

      Jakarta:
      The Apache Java System (i.e. everything the Apache Group does that's Java-y)
      Catalina:
      Is that the _OLD_ version of Tomcat, or one of the components, you know I really can't remember.
      Tomcat:
      That is the HTTP servlet implementation (THE SERVER).

      From your lack of knollage, we can assume you are a prat.

    12. Re:Try the many front ends by pete-classic · · Score: 2

      Well, I think it is more that different people see the world differently and that "the Java people" and I are 180 degrees out of phase.

      Everything with Java freaks me out for some reason. Every time I delve into something Java related I feel inundated with so much jargon that it is easier to just not use it.

      Catalina:
      Is that the _OLD_ version of Tomcat, or one of the componets, you know I really can't remember.


      This is really funny. My point was that the Jakarta stuff has way too many shifting labels for a freaking servlet engine and your response is basically "no it doesn't, it's quite simple . . . now how the hell does it go again?" (BTW, I take it that it is the new new servlet container . . . whatever that means.)

      Does lack of knollage mean lack of hillyness?

      Why do you feel you need to resort to name calling?

      Have I fallen prey to feeding a troll?

      -Peter

    13. Re:Try the many front ends by pete-classic · · Score: 2

      You assume too much, dear lady.

      I was not fortunate enough to be exposed to *NUX until about four years ago, but I did take Applesoft Basic in the eighth grade. And I happen to have just polished off a little bash script today. That's not the issue.

      The issue is that I think it is a fundamentally bad idea to have a server service depend on a special environment variable. IMO it is too fragile a way of doing things. Think "This f-ing thing starts fine from the command line, but fails to start by the init script."

      You are, of course, free to disagree with me, but I think your "these kids today" attitude reflects on you far more than it does on me.

      Oh, and I was in high school by the time I had any sort of regular access to computer equipped with a mouse.

      So, I stand behind my statement that Tomcat (actually, Jakarta as I understand it) was unnecessarily difficult to install at the time I first attempted it (about a year ago, it may be a snap now). I'm not saying that I need a "wizard" to wipe my backside during an install, but Jakarta was too far the other way IMO.

      Just as a note for perspective, it took me about four hours and two Mt. Dews to install Apache with SSL and all the trimmings the first time. It took me the better part of three days and a case of the Dew to install Jakarta the first time.

      Finally, maybe I am just a dumb kid, but the last paragraph of your reply didn't make any sense to me at all. I'd really like to know what you meant and I hope you will offer a bit of an explanation.

      -Peter

    14. Re:Try the many front ends by pete-classic · · Score: 2

      I don't think it was XML at the time. It's been about a year, but as I remember it it was a shitload of extra Apache config stuff.

      Yeah, it can't have been XML because it was full of impossible to follow comments surrounded by hashes. You know the kind:

      ##########
      # comment #
      ##########

      I had a better example, but the lameness filter wouldn't let it by. Anyway, it had these huge comment blocks that really didn't shed any light on things. I'm sure they were really meaningful to people who already knew what the stuff did, but that doesn't help me much, does it?

      Anyway, I hope it is better now. Maybe a lot of guys like me kept harassing them and they made the install a little nicer.

      I'm totally with you on the "one man's pleasure" thing. As I said in another post in this thread, Java stuff always gives me the heebie-jeebies, but I know lots of guys who are smarter than me who love it. Go figure.

      -Peter

    15. Re:Try the many front ends by Llanfairpwllgwyngyll · · Score: 5, Insightful

      The front end doesn't solve the problem that *corporate* users face.

      GnuPG doesn't support ADKs (additional decryption keys). A lot of people don't LIKE the whole idea of ADKs. But look at it calmly. I would NOT have an ADK in my personal PGP key under any circumstances. But the PGP key I use for work - that has a designated revoker (so if I'm sacked the key can be revoked without my cooperation), and an ADK that *requests* (it cannot enforce) that items encrypted to my work PGP key can be read by one of our Corporate PGP keys (whose use is very highly controlled - and is held split anyway).

      I have encrypted disk partitions - but if I'm hit by a bus, the Corporate disk ADK can recover the data that belongs to the business.

      GPG doesn't inherently support key splitting, or disk partition encryption. The key splitting allows proper auditable control over particularly powerful keys. For example, our Root Corporate Signing Key is split amongst 8 trustworthy people and at least 4 of those 8 must cooperate to bring that key together for use.

      GPG is great, but it won't replace PGP in the Corporate setting (where it is used a lot more than you might expect...) even WITH a nice frontend until it can support such features. I look forward to the time when it does!

      A business cannot risk losing access to data which is encrypted, so these facilities are required.

    16. Re:Try the many front ends by HiThere · · Score: 3, Interesting

      You are right. GPG only tries to do what the designers intended it to do. And if what they wanted wasn't what the business wanted ...

      If businesses want to use open source for something that the open source programmers don't feel like doing, then they will need to subsidize the development. That's the way it works. But if they do, then they get the options they want.

      If they choose to go with a closed source product, then they get what the developer provides, until the developer decides to stop providing it. If it's open source, then they get it with no time limits, but if the project stops supporting it, and they want maintenance, then they will need to pay for it, in some way or other.

      TANSTAAFL? Well, not really. But if your menu is the same as the other guys, then you can sure get a cheaper rate. And if you need a specially selected choice of wine with your dinner, then you pay extra.

      OTOH, if you go closed source, you probably don't have any choice as to what will be provided on the major products (that's a result of what they call a monopoly). And for the lesser products, you still don't have much choice after you make your purchase.

      Nothing's perfect. Open Source has its flaws, and some of them are a bit excessive. But in my mind they pale in comparison to the flaws of closed source with a central monopoly.

      Back to GPG and the need for added features. If businesses want the product that you describe they can:

      1) write it from scratch or hire a consultant to do so

      2) modify an existing open source program as permitted by the license. If they are modifying GPG, then the GPL determines their choices. Which includes keeping everything secret, but also includes forking the GPG into (say) the GPGC and just adding the features that were missing. This would probably also make modifying the existing GUI shells relatively simple.

      3) do without

      4) do something illegal, and count on chance and their lawyers

      5) do something I haven't thought of

      The features that you mention all seem quite reasonable for a commercial group to want, but it is quite unreasonable to expect an agglomeration of individuals to be in favor of them. E.g., if I were to have an encrypted disk partition, then it would be to my benefit if nobody could read it without my permission. And if I quit in anger, or was fired, then I wouldn't want the company to be able to read my disk. It would (perhaps) be to their benefit to be able to do so, but it's not at all clear that it would be to my benefit.

      This reasoning applies to all levels of the company from the secretary to the general manager. And this may in some measure explain why no significant effort is put into features of benefit to the company but not to the individuals. (Of course, computer techs will be most aware of this, but then they would also need to be the ones initiating the argument for funding the project.)

      A closed source company would be more likely to provide these functions, but they would also be more likely to keep their code secret and unmaintained if they went out of business. Perhaps leaving you with disks that were unreadable (what is the most likely cause of their going out of business?).

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  6. PGP Value? by Anonymous Coward · · Score: 1, Interesting

    So, if PGP is valuable, and the company doesn't want it.... how big a tax deduction could they get from donating it to GNU?

    1. Re:PGP Value? by Anonymous Coward · · Score: 0

      Duh. The inherent value of software is zero. Haven't you learned anything here?

  7. i dont' think the "geek factor" is the real barrie by tongue · · Score: 1

    PGP never caught on *DESPITE* having a slick user interface--or else NAI wouldn't have dropped it. We'll end up doing the same thing we did circa pgp2.6... write our own guis to interface with the command-line... i think we'll probably do it even better now than we did then. some other company may even make a commercial product out of it and give pgp its just due. when all is said and done, this is hardly a death-knell for consumer encryption.

  8. Re:what have YOU got to hide ? by 0xB · · Score: 0

    Everyone should use encryption for all messages so that when you need to send a message that is encrypted it doesn't stand out. Until "they" can decrypt everything, everything should be encrypted. Security through obscurity isn't as bad as it's made out to be.

    --
    0xB
  9. too high a barrier by wyndigo · · Score: 1

    Is the learning curve too high or do you just not value your privacy enough to learn it? Everything has a price, and some of us are willing to pay it.

    --wyn

  10. Oh, No! by Anonymous Coward · · Score: 0, Funny

    Hey, you can't say that in public, even in code!

  11. Make it Seamless, Silly. by Above · · Score: 5, Insightful

    I use gnupg. Not a lot, but with a few people who have it set up right I can just exchange PGP messages without really doing anything, which is the way it must be.

    I have tried many, many products to do PGP, and they all have problems. Even GPG with my favorite mailer had some fairly big setup hurdles. Fortunately once I cleared them it was relatively easy. I can only imagine that grandma is never going to use it at the current state of integration.

    PGP functionality needs to work perfectly with mailers. You enter a pass phrase, and it just works. Until that happens the masses are not going to use PGP. This is important. If it were that easy, 90% of e-mail could be PGP encrypted, by default no questions asked. You can get there now, but only if you know a lot about PGP, and communicate with people in the same boat.

    1. Re:Make it Seamless, Silly. by possible · · Score: 3, Informative
      There is a list of GPG mailer plugins and modules for common mailers, including Eudora, Outlook, Netscape, KMail, emacs, Pine, Mutt, etc. Failing that, you can always write your own.

    2. Re:Make it Seamless, Silly. by Above · · Score: 3, Insightful

      Until the plugins ship with the mailer, it is not seamless.

    3. Re:Make it Seamless, Silly. by possible · · Score: 1

      That's a retarded philosophy. The whole idea of a plugin is YOU PLUG IT IN. Qualcomm does not ship NAI Inc.'s PGP plugin with its Eudora email client, yet I'd say it's pretty seamless (you install PGP and it automatically installs and configures the Eudora plugin for you).

    4. Re:Make it Seamless, Silly. by Anonymous Coward · · Score: 0

      Any action on the user's part above and beyond hitting the OK button is not seamless and will not catch on.

    5. Re:Make it Seamless, Silly. by Anonynnous+Coward · · Score: 1
      That's a retarded philosophy.

      Call your users what you want, but that's their philosophy. The only things normal users can be bothered to download are god-awful spyware laden crap like RealPlayer, Webshots, and the Weather Bug. I hardly think they're going to take even more of their employers' time downloading and installing something that might enhance their privacy.

    6. Re:Make it Seamless, Silly. by Picass0 · · Score: 3, Funny

      I've been using Gnu Privacy Assistant(GPA) for key maintenance and Evolution for email. Evolution has seamless GPA and PGP support.

      GPA features a GUI and is very straightforward to use. I'm an encryption retard and I figured it out.

    7. Re:Make it Seamless, Silly. by Dwonis · · Score: 3, Informative

      Mutt has built-in PGP support. All you have to do is configure it.

    8. Re:Make it Seamless, Silly. by Above · · Score: 3, Insightful

      No, it's not. Grandma installs a mailer. She sends an e-mail to her grandchild. If it works, she's happy, if not, she will do something else. She's not going to install a plug in.

      Plug ins are fine to make things upgradable, and flexible. But let's face it, web browsers ship with plug ins because they know 99% of the people want them. If everyone was moving PGP e-mail, that would be true of mailers too.

      I don't care if it's an RPM, a FreeBSD Port, or a package to download. It must auto-install the plug in. It can come with the mailer, or be installed as a dependency, but until it's automatic on all platforms it won't be used by the masses.

    9. Re:Make it Seamless, Silly. by Anonymous Coward · · Score: 0

      apt-get install mutt gpg

      It just works. Of course, mutt is a console based MUA. Let's see kmail or something understand gpg PROPERLY.

    10. Re:Make it Seamless, Silly. by TonyGreene · · Score: 1

      Qualcomm does not ship NAI Inc.'s PGP plugin with its Eudora email client...

      They used to. The usage of PGP grew fast during that time. You definitely have a point. But OE and Netscape ship with S/MIME and it is barely ever used. So it's not as simple as shipping the client with the capability included.

    11. Re:Make it Seamless, Silly. by Anonymous Coward · · Score: 0

      Try konqueror 2.2.x

    12. Re:Make it Seamless, Silly. by MrMickS · · Score: 2, Interesting

      Having switched to Mac OS X I'm using a chat client (AIM/MSN/Yahoo/IRC/Jabber) called Fire.

      This has seamless GPG integration. You select the key you want to use, enter your pass phrase on startup and it's ready to work.

      Key exchange is managed from within the chat windows. There is an option to send your public key to your "buddy" and it automatically inserts the key into their keychain.

      This is as seamless a use of encryption tech as I've seen in software and would make a good model of how to integrate into other applications.

      BTW. I've had some experience in using PGP in a commercial environment being responsible for adding mandatory PGP signing to the UK domain registry in 1996.

      --
      You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
    13. Re:Make it Seamless, Silly. by FooBarWidget · · Score: 1

      And after we make it automatically installable suddenly 1000s of people blame us for "automatically installing viruses on our computers".

      No matter how easy auto-install is, it's simply not safe.
      Security DOES matter, especially because we're talking about GnuPG here.
      Imagine how angry people got when they found out that a virus fscked up half of their Windows installation?

  12. There's plenty of alternatives! by willybur · · Score: 2

    Windows Privacy Tray seems to be the best Windows GPG GUI, I use it as my PGP replacement at the moment. I also have Mozilla, which doesn't have such great PGP integration, so I relay through GPGrelay, which checks all incoming POP mail for PGP stuff, then decrypts and verifies or encrypts and signs behind the scenes. Mozilla only sees the mail after GPGrelay has dealt with it, so it's the closest I get to seamless integration. I don't have any problems with it.

    --
    "Everybody wants a rock to wind a piece of string around." - They Might Be Giants, "We Want a Rock"
  13. Why is PGP Freeware not an option? by Anonymous Coward · · Score: 0

    I'm not sure if I understand this statement:

    "(PGP Freeware is not an option, since it's tied into the Network Associates product)."

    Why is PGP Freeware not an option? You can still download, install, and use it, yes? If so, then it seems to remain a viable option to me.

    1. Re:Why is PGP Freeware not an option? by Anonymous Coward · · Score: 1, Interesting

      Because it's not maintained, so if a bug is found in it, NAI is the only one who can fix it (and they probably won't).

      Isn't closed source security software fun?

    2. Re:Why is PGP Freeware not an option? by Anonymous Coward · · Score: 0

      Ahh, got it. So as soon as a bug is found it's dead. So sad.

    3. Re:Why is PGP Freeware not an option? by pkplex · · Score: 3, Interesting

      Surely there must be more reasoning behind the "(PGP Freeware is not an option, since it's tied into the Network Associates product)." quote.

      I have actually just installed PGP 7 Freeware on my NT4/Win2000 box, and was a bit worried when I saw that quote... I want PGP 7 Freeware to be secure. Is it not so?

      Can somebody please explain?

    4. Re:Why is PGP Freeware not an option? by ewan9 · · Score: 1
      Read what Philip Zimmermann wrote when he quit his job at NAI.

      Here's a quote:

      Let me assure all PGP users that all versions of PGP produced by NAI, and PGP Security, a division of NAI, up to and including the current (January 2001) release, PGP 7.0.3, are free of back doors.

    5. Re:Why is PGP Freeware not an option? by Chasing+Amy · · Score: 5, Interesting

      Umm, PGP isn't *exactly* closed-source--only the latest versions 7.x truly are. Up through 6.5.8 the source is available free for non-commercial use according to its own license. http://www.pgpi.org/ for details and source code. In fact, most PGP fans don't use version 7 precisely because the code hasn't been released and reviewed yet, while many of the earlier builds have undergone a good deal of scrutiny.

      In fact, there are several unofficial forks. I myself use 6.0.2ckt Build 07 from http://www.ipgpp.com/ , which seems to be popular with a lot of folks. The real hardcore PGP zealots are still using 2.6.x branches. Personally, I have no idea what the submitter of the story was thinking when he used that phrase. Most PGP users will continue to use PGP, and if bugs are found they will be fixed, just as the unofficial 6.0.2ckt version has gone through 7 build releases as has 6.5.8ckt. If a bug is found, someone will fix it, no problem.

      --

      Chasing Amy
      (We all chase Amy...)
      "The more corrupt the state, the more numerous the laws"-Tacitus
  14. Re:what have YOU got to hide ? by mlk · · Score: 2

    Banks.
    I talk to my bank quite a bit; have they ever asked to encrypt email messages? NO! Should they? YES.

    Same reason we need encryption on http.

    Also, if everyone SIGNED their messages (which I USED to do, until I moved to Endure), email-borne viruses would not exist (to the degree they do now; you'll still get some fool who opens unsigned email or will type their password when they should not).

    --
    Wow, I should not post when knackered.
  15. GPG works fine by marcs · · Score: 1

    GPG does have frontends and such, however you can also use the --openpgp flag to make output compatible with the vast majority of newer PGP software. This allows people to use their current PGP software without a problem.

    GPG with the above flag powers encryption for the shopping cart technology we provide without any compatibility issues to date.

  16. Niche market. by TheFlu · · Score: 2

    I love GPG, I use it daily to decrypt PGP encoded files that I receive from several very large companies that I have as clients. It's evident there is a need for usable public encryption on the business level, and GPG/PGP works great for this.

    As much as I like GPG, I don't use it for personal emails, however. I believe that S/MIME is a better system for encrypting personal emails, simply because support is already built into the major email clients (Netscape, Outlook Express). When there is a button built right into my friends' email client, I have a much greater chance of getting them to use that feature, as opposed to having them download a new, separate piece of software. Now if Evolution would just support S/MIME (they've been teasing me with that grayed-out S/MIME panel), I'd be all set.

  17. I agree by einhverfr · · Score: 5, Insightful

    The UNIX mentality, as far as I can tell, has quite a bit to do with building modular, scriptable components. GPG is no exception-- it comes with TONS of switches, only a few of which are likely to be used on a regular basis.

    While some people characterize this as "by geeks for geeks" I don't think that is really the case. Having an extensible, scriptable component makes it REALLY EASY to build whatever frontend you want with whatever capabilities you want, and it also means that one can have the same capabilities available from a script.

    Now, I agree that GPG is not yet ready for widespread adoption, but it is not the open source or UNIX mentalities that are broken. The tool just needs some time to mature.

    --

    LedgerSMB: Open source Accounting/ERP
    1. Re:I agree by jso888 · · Score: 5, Insightful

      It strikes me as ironic that the Slashdot crowd complains about feature bloat on PC software, all the while extolling the virtues of having a gazillion switches for a single command line program.

      I'm aware that I've just made a vague, sweeping generalization about just who would complain about Windows bloatware, and that I'm being slightly inflammatory. But bear with me.

      My point is that both complaints really amount to criticizing the other side's mental model of How Software Should Work. Bloatware on the one hand, and having a gazillion command line switches on the other, are software developers' different approaches to dealing with the same issue: meeting the needs of the user. It's just that the user they have in mind has a different profile in terms of how they expect computers should work. Strange that I should ever agree with Spolsky 100% on this.

      So I stand by my characterization of the "by geeks for geeks". Switch that phrase to "by lusers for lusers", and hey presto, you're criticizing Windblows.

      And that's the problem I have with this vague non-declared goal of OSS taking over the desktop, and it's why I think losing NAI PGP is such a big deal.

      You -- the Slashdot crowd "you", not the "einhverfr" you -- extol the virtues of "anyone" being able to put together a front end on top of the actual encrypt/decrypt model. Well, that's not what Joe in accounting is willing or able to do. You -- again, the Slashdot crowd "you" -- talk about the importance of encryption evangelization. Well, Joe in accounting thinks it's a pretty good idea, but can't for the life of him figure out what he needs to do to sign his Eudora-sent email in the first place.

      In the end, I don't think at all that the UNIX mentality is broken, nor is Winblows' (well, not fundamentally broken, anyway).

      I do think that there's a huge userbase demanding (in the economics sense) a package that will fill the gap caused by the loss of NAI PGP, or a non-MS product, or what have you.

      It's just a question of whether those with the so-called UNIX mentality are willing to approach the problem from the other point of view. I'm cautiously optimistic.

    2. Re:I agree by jso888 · · Score: 1

      extol the virtues of "anyone" being able to put together a front end on top of the actual encrypt/decrypt model

      Er, that should be "encrypt/decrypt module." So much for previewing before posting.

    3. Re:I agree by soloport · · Score: 2, Insightful

      It strikes me as ironic that the Slashdot crowd complains about feature bloat on PC software, all the while extolling the virtues of having a gazillion switches for a single command line program.

      But doesn't "bloatware" refer to Megs of memory required? No one's complaining about mega-options (in closed-arch. s/w). Whereas most closed-architecture providers throw features together, thus creating "bloatware", most hackers pride themselves in the fact that each added feature of their swiss-army-knife-ware cost little to add -- by design.

      Even the GUI s/w (e.g. KDE, GNOME, et al) is built with carefully crafted pride. It may be somewhat more bloated than CLI code, but by comparison (to the crap that exists behind closed "architecture" apps.), it's good stuff.

      Your complaint seems to be grounded more in impatience than in good logic. Good code takes time. I'd say that, not only is your observation about finger-pointing unfounded and illogical, it's also complimentary to OSS hacks ;-)

      I think we've been hearing this same sort of complaint a lot, lately. "Why does it take seven years for Wine to match the Win95 API?". To me, this means that people are hanging their hopes on OSS to save (or at least better) their future. But the waiting game is something we're not used to having to play, either.

      A glacier is a good analogy for OSS progress as well as market impact. Moves really slow, but is absolutely unstoppable! (Oh, and it eventually destroys everything in its path, too.)

    4. Re:I agree by jgerman · · Score: 4, Insightful
      It strikes me as ironic that the Slashdot crowd complains about feature bloat on PC software, all the while extolling the virtues of having a gazillion switches for a single command line program

      I think you're missing the distinction between flexibility and "bloatware". Software only becomes bloatware when all those additional features impede the everyday use of the software. Command line switches don't cause this problem, regardless of whether or not it's a command line Unix program or a command line Windows (I know, I know). The reason being that most command line programs use few switches for normal operations. Bloatware is usually a GUI problem. When anything and everything is configurable in a GUI it's easy to design the interface poorly so that it's difficult to do common things without all of the different options getting in the way.

      There's also the problem with poor performance in bloatware, but that's more of a problem with poor coding and programmers taking the crap they heard in school ("hardware is cheap so you don't need to worry about performance") as scripture. That mentality can apply equally to any software regardless of platform.

      --
      I'm the big fish in the big pond bitch.
    5. Re:I agree by Anonymous Coward · · Score: 0

      It's just a question of whether those with the so-called UNIX mentality are willing to approach the problem from the other point of view. I'm cautiously optimistic.

      I'm a little less optimistic, unless it evolves into something like ssl, or is picked up and incorporated into apps like email clients. It could be totally transparent in an email client. On install, it could offer to register the public key with a key server and warn that others might not be able to exchange encrypted email with you if you don't. That's critical, because you don't want people to even have to exchange public keys; if applications don't have the keys they need on the local ring, they get them automatically. Data is stored encrypted, but always displayed unencrypted (with options for the kind of users who go looking for options; a lot of people don't). Basically it needs to be as invisible as possible, but that only really seems possible at the level of the application that uses it. Ask people to encrypt or decrypt using content copied to the clipboard, and more than a few will ask "what's the clipboard?". The intricacies of copy and paste are complicated for some users, so it really does need to be that simple, IF what we're talking about is wide scale adoption.

      Tell them it's something you do from the command line, and they will regard you as a computer genius doing arcane stuff they have no desire to learn whatsoever.

    6. Re:I agree by ratboy666 · · Score: 1

      Where do I begin?

      First, repeat the phrase "It is _not_ the user's job to administrate". Over and over until it sinks home.

      So whose job is it? It's either the "geek's" job, or it's the software designer's job.

      If the task is left to the software designer, we end up with "bloat-ware". The designer had to _anticipate_ every possible usage and interconnection, and then had to present that as "user-friendly". Not an easy task, and (in my humble opinion) not very doable.

      If it's left to the "geek", you want a set of small tools that can be assembled for the user to accomplish the desired function. A set of "cookbook" recipes for handling administration.

      This is the crux of the Windows/Unix philosophy difference. I am one of those "geeks" and I do administer for other people. I find it difficult to administer if they insist on running Windows, but I do it anyway. It's my role. Others in the group are far better at gardening, auto mechanics, etc., but I am the technology guy.

      And yes, I update, de-spam, and automatically encrypt emails for my clients, and all they have is a pleasant computer experience. The "lots of switches" problem doesn't affect my clients, but a proliferation of slightly different GUI programs on Windows would drive *me* completely nuts. The hardware and OS are merely a means to an end and as such shouldn't interfere with the USE of the computer.

      One such use is PRIVATE communication. The programs are available, and they can be hooked up to accomplish this goal. My clients do understand "physical security", either of the system, or some media. And that's _all_ they have to understand. If they ask, I am willing to disclose details, but generally the only question (after trust has been established) is "does it work?".

      Ratboy.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    7. Re:I agree by DrXym · · Score: 2
      Part of the problem with GPG is that there is no library version of it. If you want to stick a front-end on it you have to talk with the gpg process to do anything. That means constructing a command line string that runs gpg with the appropriate switches, processes the results and returns.

      There is a wrapper library called GPGME that simplifies the process but it is still a cumbersome system.
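
The process-driving approach DrXym describes (and the --openpgp flag marcs mentions in comment 15) looks roughly like this in practice. The following is an added example written for this page, not GnuPG's or GPGME's own code: it builds a gpg command line and reads the machine-readable --status-fd output instead of scraping human-readable messages. It assumes a `gpg` binary on PATH only for verify_file(); the status text it parses in the sample is constructed, with a made-up key ID, fingerprint and user ID.

```python
"""Driving the gpg executable from a front-end (added example, not GnuPG's
or GPGME's own code).

A front-end that talks to the gpg process should not scrape the localised
text on stderr. gpg offers --status-fd, which writes one machine-readable
line per event, e.g.

    [GNUPG:] GOODSIG <long key id> <user id>
    [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...
    [GNUPG:] BADSIG <long key id> <user id>
    [GNUPG:] NODATA <reason>

(keywords documented in GnuPG's doc/DETAILS). Assumes a `gpg` binary on
PATH only for verify_file(); parse_status() itself needs no gpg.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class VerifyResult:
    good: bool = False                  # at least one signature verified
    bad: bool = False                   # a signature was present but wrong
    keyid: Optional[str] = None         # long key ID from GOODSIG/BADSIG
    fingerprint: Optional[str] = None   # fingerprint from VALIDSIG
    signer: Optional[str] = None        # user ID string gpg reported
    no_data: bool = False               # input held no OpenPGP data at all
    raw: List[str] = field(default_factory=list)  # status lines seen


def parse_status(status_text: str) -> VerifyResult:
    """Turn --status-fd output into a decision, keyed on keywords only."""
    result = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                    # not a status line; ignore
        result.raw.append(line)
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        keyword = fields[0]
        if keyword == "GOODSIG":
            result.good = True
            result.keyid = fields[1]
            result.signer = fields[2] if len(fields) > 2 else None
        elif keyword in ("BADSIG", "ERRSIG"):
            result.bad = True
            result.keyid = fields[1]
        elif keyword == "VALIDSIG":
            # The fingerprint identifies the key unambiguously; a 64-bit
            # key ID alone can collide.
            result.fingerprint = fields[1]
        elif keyword == "NODATA":
            result.no_data = True
    if result.bad:                      # any bad signature spoils the run
        result.good = False
    return result


def build_verify_command(signed_path: str, openpgp_strict: bool = False) -> List[str]:
    """Command line a GUI would run. --batch/--no-tty stop gpg from
    prompting; --status-fd 1 sends status lines to stdout where we read
    them. --openpgp switches gpg to strict RFC-compliant behaviour for
    interoperability with other PGP implementations."""
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", "1"]
    if openpgp_strict:
        cmd.append("--openpgp")
    return cmd + ["--verify", signed_path]


def verify_file(signed_path: str, openpgp_strict: bool = False) -> VerifyResult:
    """Run gpg on a clearsigned or detached-signature file (needs gpg installed)."""
    proc = subprocess.run(build_verify_command(signed_path, openpgp_strict),
                          capture_output=True, text=True, check=False)
    return parse_status(proc.stdout)


# Constructed status output, in the shape gpg prints for a good signature
# (key ID, fingerprint and user ID are made up for this example).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2002-03-05 "
    "1015286400 0 4 0 1 2 00 0000111122223333444455556666777788889999\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.invalid>\n"

if __name__ == "__main__":
    r = parse_status(SAMPLE_GOOD)
    print("good:", r.good, "signer:", r.signer, "fpr:", r.fingerprint)
    print("bad run:", parse_status(SAMPLE_BAD).bad)
```

The design point is that the front-end's decision rests on the status keywords, never on the wording of gpg's messages, so a translated or reworded gpg release does not silently turn "bad signature" into "looks fine".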

    8. Re:I agree by einhverfr · · Score: 2

      First, repeat the phrase "It is _not_ the user's job to administrate". Over and over until it sinks home.

      I respectfully disagree. I think that, especially for home users, administration is a necessary skill, unless they can outsource that. (My parents outsource that to me, but they WANT to learn.) The user SHOULD have control over what the computer is allowed to do, within the limits of their "space" in the system (esp. in a multiuser system, that space may be fairly limited).

      The problem is not that people are stupid or that they don't want to learn. My experience is that people are either afraid that they cannot learn OR that they want to learn but no one is doing a good job of offering assistance (comments like "1inux 1s 0n1y f0r 31337 hax0rz and 1f J00 cann07 r3ad 7h15 7h3n J00 cann0t J002 17!" really don't help, nor do comments like "LUsers are stupid and don't want to learn").

      --

      LedgerSMB: Open source Accounting/ERP
    9. Re:I agree by Firehawke · · Score: 1

      Bloatware also can refer to the size of a program, which is another common reference.

      e.g. Microsoft Windows, for the best example.

      Each revision in the Win9X series seems to have all but doubled in size, yet there's minimal improvement in stability or features per additional meg.

      THAT is definitely bloatware.

    10. Re:I agree by ratboy666 · · Score: 1

      I _never_ said "LUser", or made the claims that people are "stupid or that they don't want to learn". Really. I have made posts that refer to "Windows" as "Windoze", because it is my professional opinion that Windows (up to Windows 98) is a piss-poor f*cked up excuse for an Operating System. However, my wife uses Windows 98, and I _do_ administer for her. Yes, my wife has _complete_ control over what her computer can or cannot do. My job is merely to facilitate.

      And, you just provided evidence for my case. _You_ administer your parents' computer. And why is that? [A small hint -- computers are more complicated than cars, and we generally defer to auto mechanics].

      And if you have the role of administrator, it is _your_ responsibility to ensure that computer services are delivered appropriately.

      Did you configure your parents' computer to encrypt email? If not, why not? And, what about attacks on your parents' computer system to acquire the private key sets? Other security issues? [see second paragraph].

      Ratboy.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    11. Re:I agree by jgerman · · Score: 2

      True enough, I tend to categorize that under the "hardware is cheap" mindset, MS being a particular abuser of that notion.

      --
      I'm the big fish in the big pond bitch.
  18. What we need is a universal preprocess API by brooks_talley · · Score: 1

    It's simply not feasible to expect every encryption / logging / whatever product to hook into every application.

    What we need is some kind of cross platform API for data transformation that would allow products ranging from ICQ to Sendmail to seamlessly transform data for purposes of encryption, filtering, you name it.

    As a middleware layer, of course it won't be as robust as dedicated implementations, but it could still be pretty strong. The API calls could include data about whether the information is being sent to another local application, via LAN, or via WAN/internet.

    Think of it as SDML for data handling applications. 99% of the time, most users might not have it do anything. But if/when the requirement arises, existing apps would be automatically part of the picture.

    Cheers
    -b

    1. Re:What we need is a universal preprocess API by Plasmoid · · Score: 1

      Minor problem: if your .so is compromised or neutered, then *every* program on your system has the same problem. It is also possible to override library paths by using LD_LIBRARY_PATH. I think having a stand-alone app where data is piped in and out is much more secure than a .so.

      --
      You don't exist. Go away. --SysVinit Halt
    2. Re:What we need is a universal preprocess API by brooks_talley · · Score: 1

      Hey, I said API, not pipe. If it's part of the kernel or a kernel module, then if it's compromised, you have much bigger concerns.

      Cheers
      -b

  19. GnuPG has many problems by Anonymous Coward · · Score: 0

    Using GnuPG 1.0.6, I've been encrypting files and sending them to somebody else who is decrypting them with the same version of the software. I use the Public Key of the other person to encrypt. About 75% of the time, they are not able to decrypt the file. I don't believe the problem is caused by corruption of the encrypted file during transmission. Has anybody else experienced this problem? Is there any solution available?

    1. Re:GnuPG has many problems by Anonymous Coward · · Score: 0

      I know the newest Outlook does some funky shiate with linefeeds. Don't know if that could cause a problem with decoding.

    2. Re:GnuPG has many problems by josh+crawley · · Score: 1

      Actually, if it's Outhouse (err, hmm, Outlook), it WILL corrupt binary data. We see idiots posting MIME base64 data on newsgroups that don't want them; however, we also used encryption to secure our private group talk. What Outlook does is mainly screw with 's and adding http:// whenever it sees in binary data :// . Hint: PGP does this about 1-2 times per 100k.
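
Whether a mail client mangled a message in transit (as the two replies above suspect) or the recipient's setup is at fault can be settled before anyone touches a key: every ASCII-armored OpenPGP block carries a CRC-24 checksum line ("=XXXX") over the decoded data. The following is an added example written for this page, not GnuPG's code; it recomputes that checksum and classifies a block as intact, corrupted within the base64 alphabet, or polluted with non-base64 text. The payload it armors is constructed bytes, not a real OpenPGP message; the envelope and checksum format follow RFC 4880.

```python
"""Checking an OpenPGP ASCII-armored block for transport damage (added
example, not GnuPG's code).

Every armored block ends with a checksum line "=XXXX": a CRC-24 over the
decoded binary data (RFC 4880, section 6.1), base64-encoded. Recomputing
it separates "the mail client mangled the message" from "the recipient's
decryption setup is wrong". The payload used below is constructed bytes,
not a real OpenPGP message; the envelope format is the real one.
"""
import base64
import binascii

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 exactly as given in RFC 4880; crc24(b'') is the init value."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "PGP MESSAGE") -> str:
    """Wrap raw bytes in an armor envelope with a correct checksum line."""
    body = base64.b64encode(payload).decode("ascii")
    data_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", ""] + data_lines
                     + [crc_line, f"-----END {kind}-----"]) + "\n"


def check_armor(text: str) -> str:
    """Classify a block: 'ok', 'crc-mismatch', 'bad-base64' or 'malformed'."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    begin = [i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN ")]
    end = [i for i, ln in enumerate(lines) if ln.startswith("-----END ")]
    if not begin or not end or end[0] <= begin[0]:
        return "malformed"
    # Armor headers ("Version: ...", "Comment: ...") run up to a blank line.
    i = begin[0] + 1
    while i < end[0] and lines[i] != "":
        i += 1
    data_lines = [ln for ln in lines[i + 1:end[0]] if ln]
    if not data_lines or not data_lines[-1].startswith("="):
        return "malformed"
    crc_line = data_lines.pop()
    try:
        payload = base64.b64decode("".join(data_lines), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except binascii.Error:
        return "bad-base64"            # a non-base64 character crept in
    return "ok" if crc24(payload) == expected else "crc-mismatch"


def flip_one_char(block: str) -> str:
    """Simulate transport damage that stays within the base64 alphabet."""
    lines = block.splitlines()
    i = 1
    while lines[i] != "":               # skip headers to the first data line
        i += 1
    i += 1
    first = lines[i]
    lines[i] = ("B" if first[0] == "A" else "A") + first[1:]
    return "\n".join(lines) + "\n"


def insert_link_text(block: str) -> str:
    """Simulate a client that rewrites runs it mistakes for URLs."""
    return block.replace("\n=", "http://\n=", 1)


# Constructed payload (clearly not a real OpenPGP message).
SAMPLE_PAYLOAD = bytes(range(256)) * 2

if __name__ == "__main__":
    block = armor(SAMPLE_PAYLOAD)
    print("intact:  ", check_armor(block))
    print("flipped: ", check_armor(flip_one_char(block)))
    print("url text:", check_armor(insert_link_text(block)))
```

Run against a file that failed to decrypt, a "crc-mismatch" or "bad-base64" result points at the transport; an "ok" result means the bytes arrived intact and the problem lies with keys, versions or options on one of the two ends.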

  20. Get PGP encryption into Mozilla by augustz · · Score: 5, Interesting

    If you have a bugzilla account, head on over to
    http://bugzilla.mozilla.org/show_bug.cgi?id=22687 and vote for what is probably the single most popular bug there is. They need a framework which allows folks to plug in something like GPG at will. Plenty of work went into trying to get somewhere without any luck.

    1. Re:Get PGP encryption into Mozilla by GadgetMountainMan · · Score: 1

      Ah, enigmail does the trick for me.

    2. Re:Get PGP encryption into Mozilla by kronstadt · · Score: 2, Funny

      What should be the most popular bug is this one, as it is preventing the moz team from cleaning up this other one.

  21. understanding prerequisite for security by Anonymous Coward · · Score: 0

    If people do not know what they are doing, they should not do anything on their computers that requires any level of security.

    1. Re:understanding prerequisite for security by einhverfr · · Score: 2

      If people do not know what they are doing, they should not do anything on their computers that requires any level of security.

      If people do not know what they are doing, they have no way of knowing that something should require encryption, such as a credit card transaction online, etc. Ignorance does not beget caution!

      --

      LedgerSMB: Open source Accounting/ERP
  22. GnuPG is lame; it should be a library by Anonymous Coward · · Score: 1, Interesting

    I'm glad that Werner has put in all this work, but he doesn't actually understand security design. He is under the brain-dead notion that if gpg were a library that could be linked in to other programs, it would somehow be less secure. This is obviously not the case, but it is creating a huge barrier to gpg usage. We should be able to link that program in to mail readers, web browsers, databases, all kinds of things, but none of that is possible to do easily because it needs to run as a separate program. Anyway, I hope it gets more support now, and I hope someone who knows a bit more about security takes up the challenge.

  23. Re:i dont' think the "geek factor" is the real bar by Anonynnous+Coward · · Score: 2, Insightful
    PGP never caught on *DESPITE* having a slick user interface--or else NAI wouldn't have dropped it.

    Uh, think 9/11. Think "encryption is only used for terrorism and illegal pornography." Think "there's a ph@t defense contract in it for you if you make that product go away."

    write our own guis to interface with the command-line

    While this is all well and good, it didn't seem to help in the face of Microsoft and Netscape going with S/MIME. Possible reasons for this choice are left as an exercise for the reader.

  24. Re:what have YOU got to hide ? by einhverfr · · Score: 4, Interesting

    What do I regularly encrypt?

    1: Financial information (bank acct transactions, credit card accounts, tax information, etc).

    2: Information I need to get past the casual check (such as viruses I am analyzing for possible harm) so that my AV software or mailer won't balk at it.

    3: Confidential business information.

    Here is another application of Asymmetric Encryption: Digital Signatures (basically encryption in reverse). I digitally sign all:

    1: Confidential business information (also encrypted).
    2: Security-related emails to people who depend on my security skills (and need to be able to trust that the email really came from me-- social engineering IS a real threat).

    I also sign emails that contain attachments so that the reader knows that I knowingly sent them.

    OK. So is this enough of a reason why Citizen Joe would need good strong public key encryption? (Note that symmetric encryption like 3DES will NOT provide for digital signatures.)

    --

    LedgerSMB: Open source Accounting/ERP
  25. DMCA by Ssrit · · Score: 1

    Wouldn't personal encryption be great? If we encrypt all our traffic, everything, on top of services such as AIM, ICQ, and anything else? That way when a corporation or government breaks our encryption to monitor our traffic, we can sue them under the DMCA. =)

    1. Re:DMCA by Anonymous Coward · · Score: 0

      The government (When? *snort* They can do it now, or my tax dollars are going to waste.) would use the 'national security' clause, which trumps everything else.

      A corporation, though.. Now there's something to really be frightened of. Those .. trading .. trade secrets have obvious concerns, but I wonder if there's not some vile corporation out there matching keywords in mail with addresses somewhere.. And letting loose the spam. :P

  26. out with PGP by BigFootApe · · Score: 1

    I remember back when PGP was a fairly new thing; no integration with anything.

    Now that PGP is corporately passe, why should we stick with the standard? Considering that public/private key encryption schemes are looking more and more vulnerable, even with large keys, why should we not look for an improved alternative?

    So, what alternatives do exist for public key schemes?

    1. Re:out with PGP by 0xB · · Score: 2, Insightful

      why should we not look for an improved alternative

      Because encryption needs cooperation from both sender and receiver and is therefore subject to the 'critical mass' rule. People are going to be reluctant to move to new technologies because they won't be able to communicate with anyone until those people adopt too.

      --
      0xB
    2. Re:out with PGP by ilcylic · · Score: 1

      Well, there are several alternatives.

      The first is symmetric key crypto, wherein both parties have the same key, which needs to be kept secret. The problem is twofold: exchanging the key, and keeping it secure. The advantage of public key crypto is that you can more easily do key exchange, since you don't need to make any effort to keep your public key a secret. However, there is a set of math rules known as the Diffie-Hellman key exchange which allows you to publicly (unsecured channel) exchange private keys, and then begin using them for secure channel communications.

      Once you have exchanged the keys, you need to keep them a secret, but I believe that is not any more difficult than keeping your private PGP key secret, and can use the same manner of encryption.

      The advantage of symmetric key crypto is that it is much more efficient. In fact, the efficiency of PKC keys is equivalent to (very approximately) a SKC algorithm using a key size of sqrt(PKC keysize).

      Another option is one time pad. But one time pads also have synchronisation problems, and distribution problems, and secrecy problems. You could use Diffie-Hellman to exchange one time pads, but then your security is no better than that of the SKC scheme you use to pass them along with. Also, since you need to have 1 bit of pad for every 1 bit of message you send, it would get really long, and anyone who compromised your SKC session would already have your message anyway.

      Personally, I'd be more inclined to think of SKC as a viable option over one time pad.

      -il cylic
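
The exchange described in the post above, carried through with both sides and with what an observer of the channel gets to see, as an added example that is not part of the original post. The Miller-Rabin prime generator, the toy 128-bit group size, the choice of g = 2 in a safe-prime group and the SHA-256 key derivation are choices made for this example, not anything the post specifies; real deployments use standardised groups of 2048 bits or more.

```python
"""Diffie-Hellman key agreement, then a symmetric key (added example,
not from the original thread; toy parameters).

Each side publishes only g^x mod p. Someone watching the channel sees
p, g, A = g^a and B = g^b, but computing g^(ab) from those is the
discrete-log problem, so both sides end up with a secret the observer
lacks. Hashing that secret gives the symmetric key. The group is a
freshly generated 128-bit safe prime to keep the example fast; real
deployments use standardised groups of at least 2048 bits.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # composite for certain
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime. In such a group every
    element other than 1 and p-1 has order q or 2q, so there is no small
    subgroup for a bogus public value to push the shared secret into."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


@dataclass
class Party:
    """One endpoint. `private` never leaves the object; `public` is sent."""
    name: str
    p: int
    g: int
    private: int = field(init=False, repr=False)
    public: int = field(init=False)

    def __post_init__(self) -> None:
        self.private = 2 + secrets.randbelow(self.p - 3)   # in [2, p-2]
        self.public = pow(self.g, self.private, self.p)

    def shared_key(self, peer_public: int) -> bytes:
        """Derive a 256-bit symmetric key from the peer's public value."""
        # 0, 1 and p-1 would pin the shared secret to a known value; reject.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        secret = pow(peer_public, self.private, self.p)
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def run_exchange(bits: int = 128):
    """Carry out one exchange. Returns (alice_key, bob_key, observer_view)."""
    p = generate_safe_prime(bits)
    g = 2
    alice = Party("alice", p, g)
    bob = Party("bob", p, g)
    # Everything the wire carries (and therefore an eavesdropper sees):
    observer_view = {"p": p, "g": g, "A": alice.public, "B": bob.public}
    k_alice = alice.shared_key(bob.public)
    k_bob = bob.shared_key(alice.public)
    return k_alice, k_bob, observer_view


if __name__ == "__main__":
    ka, kb, seen = run_exchange()
    print("keys agree:", ka == kb)
    print("observer saw:", {k: hex(v)[:18] + "..." for k, v in seen.items()})
```

Two things the post's summary leaves implicit show up in the code: the peer's public value has to be sanity-checked before use (the rejected values 0, 1 and p-1 would hand an active attacker a predictable key), and plain Diffie-Hellman gives no assurance of who is on the other end, which is the gap PGP-style signed keys exist to fill.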

  27. GnuPG is a backend by Anonymous Coward · · Score: 0

    Personally, I don't see the big deal. GnuPG is a backend component, and nothing more. There are already some excellent frontends for GnuPG, such as KMail. Here are some old screenshots I took of KMail's GnuPG support in action:

    OpenPGP password prompt
    Key selection dialog
    Viewing an encrypted message
    Viewing a signed message

    One just sets their public key, and they're done. The compose window has little buttons to enable signing and encryption of a message. I have KMail configured to sign automatically, and it can also be set to automatically enable encryption when you have the recipient's public key.

    I will admit that creating a keypair and downloading new keys isn't as easy, but KMail just goes to show that the power of the command-line GnuPG can easily be made accessible.

    -Ryan
  28. Not quite accurate.. by dcviper · · Score: 2, Informative

    The article strongly implies that PGP (I use the NAI Freeware distro) does not work with OSX or WinXP. I can't speak to OSX, but I know that 6.5.8 works just fine with Windows XP Pro.

    --
    Ummm, err, say what, now?
    1. Re:Not quite accurate.. by Sethb · · Score: 2

      Yup, 6.5.8 works fine, but 7.0.3 does not work. I spent an entire day hosing my two WinXP boxes trying every possible combination to get it to work. Thank god for DriveImage and the SystemRestore feature of WinXP. You can get 7.0.3 installed, but the VPN stuff hoses your TCP/IP stack, and there's no way to get it back...

      --
      When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
    2. Re:Not quite accurate.. by davmoo · · Score: 2

      A number of people, me being one of them, had "issues" with previous versions of PGPdisk running on Windows XP. In my case, it just plain wouldn't work. PGP 7.11 took care of that.

      I am a heavy user of PGPdisk, having probably 15 - 20 gig of data stored both on disk and CD. Until GnuPG gets PGPdisk compatibility, it simply is not an option for me.

      There was also the "PGP hosed my TCP/IP stack" problem that a number of people experienced prior to 7.0something.

      --
      I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
    3. Re:Not quite accurate.. by Anonymous Coward · · Score: 0

      I am a heavy user of PGPdisk, having probably 15 - 20 gig of data stored both on disk and CD.

      so is it all kpr0n? hook a nigga up!@@

    4. Re:Not quite accurate.. by sjx · · Score: 1

      Try PGP 6.5.8ckt07 from http://www.ipgpp.com/ - you'll find that now works perfectly under WinXP and there is still source available. There were issues with Win95, but switching back to the June 2000 SDK solved those, so a build 08 could appear soon finalising that.

      I never trusted PGP 7 simply because there's no source available, and that struck me simply as a dumb move because I've _seen_ how complex the source code for 6 is.

      Now, 6.5.8ckt is the only maintained PGP to my knowledge, especially since the sell-off.

      I do _like_ GnuPG, but I'm mildly concerned by one thing. Last time I looked, GnuPG wasn't able to lock secure memory under Windows so that it couldn't be paged out - even PGP needs a driver (PGPmemlock) to do it. Anyone know better?

      --
      -- /sjx.
  29. Why did they drop it in the first place... by tcc · · Score: 4, Insightful

    I wanted to get some PGP licenses at work.

    Went on their website

    It was so weirdly organized, I mean you could get a "single user" license, okay cool, "i need 10 of that" wrote down the price... sent an email to get a PO

    Went back a few days after, couldn't find that product, felt on the desktop security thing for buisness, ok, 5x more, wrote down the price, went to get approval, came back a day or two later, price/license switch again... couldn't find the exact same thing that I saw the day before...I just dropped it (I don't have time to waste an hour or even minutes on a badly designed website that will make me swear and kill the next person asking me for support :) ).

    That's ineffective E-Commerce, and I thought it was sometime hard to find a specific download or older bulletin on microsoft's web site (and google helping more than most websites's own search engine), but this was ridiculous, not to mention all the license type and so on. If I dropped it, a lot of people probably did the same. My question is, why the heck not having something CLEAR and a decent price list, why putting things in 5+ click deep or changing stuff left and right just so the bookmarks don't work anymore and have a nightmare to find that specific thing again?

    They can blame the lack of sales, but they are to blame. I mean, when I go and buy a systemworks license (to name an example), I know the price for 1, I know the price for a 5 pack, it's clear, it's constant and they don't have a gazillion different licenses for the same thing doing the same function except worded differently, thus giving you a different result at every search if you change a space somewhere.

    All this said, it's a shame that there are not many alternatives, the freeware version does the job but the problem is "it's not legit for business to run this", I wonder what will happen if the product isn't sold anymore... does it make it obsolete and unavailable thus legit to use the freeware version? it does the job on the windows platform at least.

    --
    --- Metamoderating abusive downgraders since my 300th post.
    1. Re:Why did they drop it in the first place... by Anonymous Coward · · Score: 0

      Ever heard of a phone? They work pretty well when the website is crap.

    2. Re:Why did they drop it in the first place... by Everybody · · Score: 1

      Yeah, I had similar problems with their website. At that time I decided to buy pgp 7.0.3 in a cardboard box in a store (luckily I found one).

    3. Re:Why did they drop it in the first place... by CynicTheHedgehog · · Score: 1

      It took me forever to figure out that their PGP encryption product was McAfee E-Business server or something like that. Price quote for a single CPU license came to something like $15,000. That was the only PGP encryption product (excluding hardware firewalls and such) that I was able to find. By McAfee? E-business Server? That sounds like something similar to Lotus. Maybe it is, and PGP is just one small facet of its functionality. Either way I decided to forgo the heartburn and try GnuPG (and I'm glad that I did).

    4. Re:Why did they drop it in the first place... by gilgongo · · Score: 1

      I think there might be a few "me too" replies here...

      My story is similar - it took about three attempts and about two hours in total to read up and understand the product line before working out how to actually *buy* some licenses. I'm in the UK, I had to deal with a reseller, which in turn had to ship it from Amsterdam. After *six weeks* we finally got 10 licenses, boxed and through the post. That was about four months ago.

      PGP 7 was a good Windows product in my opinion, and I use a lot of Windows products from similar-sized companies as NAI. What really stood out was their utter inability to effectively market the thing.

      --
      "And the meaning of words; when they cease to function; when will it start worrying you?"
  30. Agreed - even among the IT literate... by Bigger+R · · Score: 1

    .. it can be a bit of a challenge.

    I was involved with a startup that had quasi-confidential info floating around. Idea - let's all use PGP! Huge headache just getting a Network Associate to talk to us. You'd have trouble finding someone to GIVE money to, it seemed at the time.

    And then...
    How long until I had the GUI design and Macintosh guys shamefully admitting they'd forgotten their passwords?

    Mass adoption might just require the kind of, uhhh... "central guidance" that would defeat the purpose of it anyway.

    R.

    --
    Beta only seems to work for Google. Such a shame.
  31. Don't you mean... by Ranger+Rick · · Score: 2, Insightful

    The article highlights one of the problems with Open Source software today[...]

    I can finish that sentence: "just because the writers at large popular online magazines can download something for free (and for Free), they feel that it's ok for them to bitch about how Open Source software isn't up to snuff, and yet they never try to make things better."

    I'd bet he hasn't entered one "enhancement" bug report, reported one request to the mailing list, or done anything else to make gnupg better.

    I work for a company whose product is open source. We have only so many developer hours to devote to feature enhancements. Guess which things get priority first? Either suggestions from support customers, or requests for features on our discussion list. If no one asks for it, it doesn't show up on our list of things to do.

    Just because you can't code doesn't mean you can't contribute. Make docs, try to find bugs, make feature requests. Shut up or put your money where your mouth is.

    --

    WWJD? JWRTFM!!!

    1. Re:Don't you mean... by Anonymous Coward · · Score: 0

      Wake up dude! If someone finds your products hard to use but they can't be arsed filling out a bug report, that's likely your problem, not theirs - don't bother bitching about their lack of community spirit. With an attitude like that your company's probably heading down the same toilet bowl that so many other open source (read as - "would really like to charge but can't work out how") companies have been flushed down.

    2. Re:Don't you mean... by Anonymous Coward · · Score: 0

      This argument is another of these problems. I am not a baker, I do not bake. However I do eat bread and I know when it is bad. I DO have the right to say so and bitch and complain when it is obviously not "up to snuff".

      Fuckoff or code better.

    3. Re:Don't you mean... by Ranger+Rick · · Score: 1

      OK, yes, you *do* have the right to say whatever you want, but don't expect anything to come of complaining about it without constructive criticism. You don't have to know how to bake bread to tell the baker "I like my bread made such-and-such way."

      --

      WWJD? JWRTFM!!!

    4. Re:Don't you mean... by Ranger+Rick · · Score: 1

      So if thousands of people don't find it hard to use, and say so, and hundreds of thousands of people do find it hard to use, but never tell them, what are the developers going to think?

      I'm not saying you *have* to have "community spirit", I'm just saying that if you don't, don't complain that the software never gets the features you want.

      --

      WWJD? JWRTFM!!!

  32. Re:what have YOU got to hide ? by Anonymous Coward · · Score: 0
    Pirating software is like stealing crack from a drug dealer and pretending that it makes you free from addiction.

    1. It's not "pirating"--that's an act of violent takeover of a ship on the high seas.

    2. It's more like copying crack from a drug dealer--the drug dealer would have his crack, and you would have yours. While easily reproducible crack would certainly diminish the value of crack, reproducing it would not be stealing.

    ~~~

  33. GnuPG Rocks. by Anonymous Coward · · Score: 0

    Where has this guy been? GnuPG has really matured. I use it everyday. It is a snap. No problemo, amigo.

  34. New Acronym Alert! by Bigger+R · · Score: 1, Funny

    IANAA but...

    //next accountant user, please respond in a better than Enron manner!

    R.

    --
    Beta only seems to work for Google. Such a shame.
  35. Open Source, power users vs. The Masses by Seth+Finkelstein · · Score: 2
    This passage of the article seems particularly insightful to me:

    Open-source can also mean "closed climate," with developers working only to meet their own desires and those of a relatively small and stable base of users and fans. The strength of the movement -- distributed development by volunteer programmers worldwide -- isn't geared toward the sudden appearance of clamoring consumers with questions, complaints and wish lists in hand.
    Linux is good, for people who are willing to put in the effort to use its power. The same holds for crypto. But marketing to the masses is not a "geek thing".

    Sig: What Happened To The Censorware Project (censorware.org)

    1. Re:Open Source, power users vs. The Masses by Anonymous Coward · · Score: 0

      Hey, aren't you the freak stalking our beloved Michael?

    2. Re:Open Source, power users vs. The Masses by Anonymous Coward · · Score: 0

      mod this up! seth is a fucking psychopath! he walks like a girl, too!

  36. GPG has delivered for me by kraf · · Score: 3, Interesting

    I use it to encrypt/decrypt files I don't want others to read.
    And it's quite easy: gpg -c and -d.

  37. Decline of PGP. by juuri · · Score: 4, Insightful

    First off we sometimes use PGP for file transfers at work. We get census data, 401k data, lots of data with special numbers in it that people should never see. Why do we use PGP at all? Because most of the older large institutions move like the slow behemoths they are. They take forever to evaluate something, much less actually roll it out. Commercial PGP was great because it gave us somewhere to point these people who still require us to allow FTP for these files and other early/mid 90s transfer methods. The commercial site offered a nice packaged product, but more importantly, SUPPORT. Support is key to large companies, they buy it for everything, regardless of need.

    Now why the decline? Thanks to the widespread usage of SSL and now SSH we have convinced many of these old guard companies to go with real time data that is sent over an SSL connection or through SSH tunnels (or even with scp). This is great! No more pesky FTP around. Easy key management. Easy to set up and watch. Sure the data isn't as secure in transit but really if it is secure enough to give this user the data, it is secure enough to transfer it with. Of course the best thing about realtime data is we can throw it away instantly meaning there is nothing lying around for the average village idiot script kiddie to pick up.

    The only downside is we have some users that actually SCP PGP encrypted files over to us. It will be a shame when that type of security has to go away because they will dump PGP the second they can't purchase support for it.

    --
    --- I do not moderate.
    1. Re:Decline of PGP. by Anonymous Coward · · Score: 0

      What's wrong with SCP'ing PGP encrypted files? They should always be using SCP to prevent plaintext passwords from being exposed and the PGP encrypted file ensures that the data is still secure when it is stored.

  38. Encryption and Mac OS X by MacDork · · Score: 1

    For those wondering about Mac OS X solutions for secure email, refer to: GPGMail and Secure Mail Reading on Mac OS X

    1. Re:Encryption and Mac OS X by Anonymous Coward · · Score: 0

      Yes, but doesn't it make you incredibly angry that NAI has a finished, polished, beautiful version of PGP for MacOS X ready to ship and yet they are just sitting on it? Something must be done to at least get it released to the public.

  39. PGPFreeware? So what? by tweakt · · Score: 3, Insightful

    Why can't you just continue to use PGPFreeware 7.02 (whatever the latest is?) It's not like they can stop you from using it. Unless it gets "broken" somehow (I doubt it).

    1. Re:PGPFreeware? So what? by Anonymous Coward · · Score: 0

      CORPORATIONS CAN'T USE PGPFreeware!! For the home user it's fine but can you see ma and pa taking up PGP? The education of business users and the use of encryption for business purposes is where the widespread use of personal encryption will begin.

    2. Re:PGPFreeware? So what? by ssimpson · · Score: 3, Informative

      About once or twice a year a bug of security significance is uncovered in PGP (e.g. the ADK bug, the RNG on UNIX bug, the keystorage bug etc) and this would render the latest 7.02 next to useless.

      Why can't people amend the source code and recompile it themselves? They don't have access to the source code.

      Also remember that PGP is now very (over-) complicated and includes various drivers and kernel hooks. Every new version of an MS operating system (Win2k, WinME, WinXP) breaks compatibility.

      The best current hope is the CKT builds of PGP, that are based on the 6.5.8 code. These have all known bugs fixed and still work on all Win32 operating systems. This is also the only version that is actively maintained!
      --
      "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
    3. Re:PGPFreeware? So what? by sjx · · Score: 1

      Is GnuPG able to lock memory under Windows? (I know that PGP uses PGPmemlock, and GnuPG has nothing of the kind...?)

      --
      -- /sjx.
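      The memory-locking question sjx raises here and in comment 28 above, as an added example that is neither GnuPG's nor PGP's code: pin a page-aligned buffer with POSIX mlock() so the kernel cannot swap it out, fall back with a warning when the lock is refused (the "insecure memory" case), and wipe the buffer before freeing it. The passphrase string is constructed; on Windows the equivalent call is VirtualLock(), not shown.

```c
/* Added example (not GnuPG's or PGP's code): keep key material in pages the
 * kernel will not swap out, and wipe it before release. Uses POSIX mlock();
 * the Windows equivalent, not shown, is VirtualLock(). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {
    unsigned char *buf;  /* page-aligned region holding the secret */
    size_t len;          /* size rounded up to whole pages */
    int locked;          /* 1 if mlock() succeeded, 0 if we fell back */
} secmem_t;

/* Zero a region through a volatile pointer so the optimiser cannot treat the
 * final stores as dead and drop them. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 if every byte in the region is zero, else 0. */
int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Allocate at least len bytes, page-aligned, and try to pin them in RAM.
 * Returns 0 on success (even if the lock itself failed), -1 if out of memory.
 * A lock failure (RLIMIT_MEMLOCK too low, no privilege) is reported rather
 * than fatal, like gpg's "using insecure memory" warning. */
int secmem_alloc(secmem_t *m, size_t len) {
    long ps = sysconf(_SC_PAGESIZE);
    size_t page = ps > 0 ? (size_t)ps : 4096;
    size_t rounded = ((len + page - 1) / page) * page;
    void *p = NULL;
    if (rounded == 0 || posix_memalign(&p, page, rounded) != 0) return -1;
    memset(p, 0, rounded);
    m->buf = p;
    m->len = rounded;
    m->locked = (mlock(p, rounded) == 0);
    if (!m->locked)
        fprintf(stderr, "warning: using insecure memory (mlock: %s)\n",
                strerror(errno));
    return 0;
}

/* Wipe, unlock and free. Returns 1 if the wipe verified clean, 0 otherwise. */
int secmem_free(secmem_t *m) {
    if (!m->buf) return 0;
    secure_wipe(m->buf, m->len);
    int clean = all_zero(m->buf, m->len);
    if (m->locked) munlock(m->buf, m->len);
    free(m->buf);
    m->buf = NULL;
    m->len = 0;
    m->locked = 0;
    return clean;
}

/* Hold a passphrase in locked memory for the duration of its use and report
 * whether it was actually pinned: 1 locked, 0 swappable, -1 allocation failed. */
int demo_hold_secret(const char *secret) {
    secmem_t m;
    size_t n = strlen(secret) + 1;
    if (secmem_alloc(&m, n) != 0) return -1;
    memcpy(m.buf, secret, n);
    /* ... a real program would derive its session key from m.buf here ... */
    int locked = m.locked;
    secmem_free(&m);
    return locked;
}

int main(void) {
    /* constructed passphrase, not a real secret */
    int r = demo_hold_secret("correct horse battery staple");
    printf("secret %s\n",
           r == 1 ? "was held in locked memory"
         : r == 0 ? "could NOT be locked (pages are swappable)"
                  : "allocation failed");
    return r < 0;
}
```

      Whether the lock succeeds depends on the process's RLIMIT_MEMLOCK (ulimit -l), which is exactly why the fallback path and the unconditional wipe matter.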
  40. Key signing in Syracuse Ny by dfelznic · · Score: 0, Offtopic

    Hello,
    Anyone interested in having a key signing in Syracuse, NY or close let me know...
    dfcanize.org

  41. Seahorse frontend by punker · · Score: 1

    I find that Seahorse is pretty easy to use.

  42. The Most Popular Mozilla Bug by Lathi- · · Score: 1

    While this is a "good" bug and I'm all for getting it fixed, I don't think it's the most popular. The View Source bug probably is. It's certainly the most duplicated. In fact, there are really two bugs filed. I'm not sure which one is getting enough attention. I'm just glad there are murmurings of a fix soon.

    1. Re:The Most Popular Mozilla Bug by augustz · · Score: 1

      Popularity as determined by number of votes...

      Actually, one bug that really irritates me since enigma is out is that you can't have reverse sorted by date threaded messages in the newsreader. They've been talking about it endlessly, but it'd be great to have a fix sooner or later.

  43. IM clients w/ encryption by Cadre · · Score: 2

    Epicware's Fire for Mac OS X has well integrated PGP support (via the GPGME Framework for Mac OS X). It supports the usual slew of services (AIM, ICQ, etc). It's GPLed and works quite nicely (though, not quite as nice a client as Adium, which unfortunately doesn't support encrypted communications yet...)

    --
    All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
  44. is anybody considering?? by josh+crawley · · Score: 1

    Ok, encryption programs are nice and all, but I want anonymity. There are many others like me, but we show sometimes too much stuff. We have fun erasing all fields in mailers (only stuff that is critical stays in). IP addys are nearly always munged (1 way connection through non open relays). Still we need a good meeting ground.

    Well, hiding data in non-obvious places (steganography) is a good way of doing this. Well, I thought about slashdot crap floods. Are they really crap-floods? It's a great way to send messages. And who EVEN reads at -1, let alone understands it?

    By the way, if you use a private-key type stego, you still have the strength of the encryption. You can also plausibly deny any knowledge. The same holds true for the stegoFS for linux. Fairly complex to set up. Proper usage is VERY difficult.

  45. The Enigmail Plugin by Cadre · · Score: 2

    GnuPG functionality is available for Mozilla through the Enigmail plugin. It finally made it out of development and is apparently ready for production use. You'll need Mozilla 0.9.9.

    --
    All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
    1. Re:The Enigmail Plugin by Cadre · · Score: 2

      Oops, it's still in development... I misread the announce. It isn't done, but it's usable:

      "Enigmail, a GnuPG "plugin" for Mozilla which has been under development for some time, has now reached a state of practical usability with the Mozilla 0.9.9 release."
      --
      All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
    2. Re:The Enigmail Plugin by The+Rev · · Score: 1
      I've been submitting bug reports and suggesting improvements to Enigmail for a few months now and I like it a lot!

      One great thing about it is that it is a cross-platform solution. I can use it under WinBlows and linux; both with GnuPG and the same keyring. <grin>

      One thing I like the sound of is Herbivore. Putting transparent, seamless and automatic encryption and signing into MUAs is the best solution to problems like Carnivore.

      I urge people in light of the recent "demise" of PGP to lend their time & support to projects like Enigmail and Ägypten. Even if all you do is report bugs or make suggestions for improvements you'll help with getting these products ready for non-geek end users.

      Come on guys & gals! Pitch in!

      Craig.

    3. Re:The Enigmail Plugin by baptiste · · Score: 2

      Enigmail rocks - it may be in development, but Moz 0.9.9 with 0.39.2 is sweet. I use GPA on linux and WinPT on windows for easy key management. Installation was a snap - click the install button and restart Mozilla. WinPT even bundles GnuPG with it if you want. So it is coming along nicely.

    4. Re:The Enigmail Plugin by CanadaDave · · Score: 1
      Wow, the screenshots look pretty nice. I can't wait until we are into officially stable versions. Will Mozilla ever include this with Mozilla builds? Actually I guess if it is a straight plugin, this wouldn't matter.

      Just a question for you guys. If I use the Mozilla xpi install, as opposed to the RPM version, I should then download the xpi version of Enigmail right?

  46. Salon should get lost by Pussy+Is+Money · · Score: 0, Flamebait

    Bah, why does talk about cryptography always turn into a "for the people, by the people" kind of thing? The general public has just as much use for munitions-grade encryption as it has for bulletproof cars. Let's just say that the moment everybody starts driving around in bulletproof cars I'm getting out of here. What a crock.

    --
    Pushin' 'n dealin', shovin' 'n stealin'
  47. Who else will pay for PGP? by Anonymous Coward · · Score: 0
    If someone will make GPG do all that PGP did, I can probably come up with... oh, at least in the mid five figures. It's not that my Fortune N (N= small enough) company didn't want to PAY for PGP, it's that NAI couldn't figure out how to make the marketing work.

    Here's a lot of what it would take to get GPG in my company:

    • Someone to provide support. It'd have to be an established company with a reasonable financial picture, not just some geek in a basement. Attention geeks in basements: team up with a consultancy who will guarantee contractual stability, and replace you if you vanish, and get us *support.* I don't give a flying fig if GPG needs support; we pretty much need to have a support contract to consider relying upon it. Internal Audit and other such bean counters demand it.
    • It should integrate with LookOut about as well as PGP 6.5.x does. Better would be good.
    • True cross platform interoperability. None of this discontinuing support for Unix versions.
    • Legally has the rights to the patents, etc. used throughout the world. We operate in lots of countries, it should too. We'll manage the governmental requirements with escrow and nonsense like that; just give us a product that is free for commercial use.

    Hmm. That's really all that comes to mind at the moment. Anyone game?
    1. Re:Who else will pay for PGP? by Anonymous Coward · · Score: 0

      Oh yeah, forgot one: It has to work with LookOut attachment autocompression. If it gets a foo.doc.zip.asp, it needs to figure out how to pass that correctly so that a double click will bring up the passphrase dialogue, and then (assuming successful decryption), seamlessly bring up the underlying foo.doc.

  48. Mutt integration by YetAnotherDave · · Score: 1

    Amazingly, no-one seems to have pointed out that GPG is easily integrated into the mail client that, in the words of the author 'just sucks less' -- mutt.

    Get your copy today at http://www.mutt.org/

    No, it's not GUI, but it's a damned lot easier to use than Outhouse Express, and it SEAMLESSLY integrates GPG.

  49. "by the geek for the geek...." by oobeleck · · Score: 2, Redundant
    "The article highlights one of the problems with Open Source software today: its "by the geek, for the geek" nature, which by and large places barriers to mass adoption of OSS"

    I will probably get modded down to -50 Troll or Flamebait for this but here it goes....

    Open Source has many problems but "by the geek for the geek" is NOT one of them. For some reason people seem to think that Open Source exists to serve the greater good of humanity, and end human strife, etc.....(Whatever noble cause you can think of) But Open Source software is not primarily "by the geek for the geek".


    It is primarily "by the geek for him/herself". The reason that there are not a bunch of pretty GUI front-ends that really wow people is because the people who code them don't need/want a GUI front-end.

    If people want pretty front-ends then they should code them themselves.... It is easy to stand back and lambast the Open Source community for not being more user friendly but I have a news flash for ya.
    Most Open Source developers don't care.... Open Source is about coding: what you want. Build a front-end yourself.

    OSS developers code for fun, for their own sense of accomplishment, and for personal use.

    As far as "mass adoption" goes, if people are too lazy to spend the time to work through and figure out a CLI then too bad for them. If your privacy is really that important to you then you will have to "tough it out" like the rest of the geeks.

    My .02

    1. Re:"by the geek for the geek...." by Anonymous Coward · · Score: 0

      Fair enough. But aren't these geeks the same ones who bash Micro$oft every chance they get? The ones who insist that Linux etc. are so much better? And make great show of wondering why the unwashed masses buy commercial software?

      You might not want a GUI on your app, but then again you're a tiny minority and always will be. And Bill Gates is worth $100 Billion.

  50. What's stopping companies from using GPG? by Anonymous Coward · · Score: 0
    I just don't see what's stopping companies from using GPG. So GPG isn't polished - big deal. It's GNU and if someone wants to use it for ICQ, Eudora, or whatever then the companies are welcome to grab the source and contribute the spit-shine they desire. I'm sure that the GPG project would be excited to receive such contributions.

    I just don't understand people that complain that some free software program lacks something. The major work is finished - add your tiny, little piece that you want and quit whining.

  51. GnuPG in the enterprise by Anonymous Coward · · Score: 0

    I am happy to report that our company has recently set up a secure enterprise authentication system based on GnuPG. It passed the security concerns of our customer, one of the largest technology companies on the planet. Thank Network Associates. We had a PGP based solution until they dropped the bomb on us. It's great GnuPG was there.

    Sadly, the integration we had to do with GnuPG is way less than optimal. It isn't a library, it's a command line tool. And the GPL license means we don't even want to consider any integration beyond a system "exec" call. This is a candidate for the Lesser GPL if ever there was one. But hey, it's a good start.

    Waiting for the Cryptix team to release the Java library version of OpenPGP.

  52. this assumes you need to change by gruntvald · · Score: 2, Informative

    I finished a W2K upgrade to all desktops in 2001. The schedule is that we don't do anything till 2005. I've already verified that I can use pgp in outlook to encrypt something that gpg from the shell can decrypt. Though I like the NA product, if they're done, they're done, and I have something workable for 3 more years, after which I'll just switch to a gpg infrastructure. End of problem.

    1. Re:this assumes you need to change by foxxtrot · · Score: 1

      Actually, you could probably use GnuPG now. There are already GnuPG/Windows integration tools. For instance WinPT. A part of WinPT is WinPTEE, which integrates WinPT into Explorer, so you can right click on files to encrypt and such. Also on this site is a plug-in that allows integration with Outlook Express, GPGOE. I believe all these projects are still considered Beta, and I'll admit that I've not used them (Linux User myself), but I'd suggest looking at them if you're security conscious and want to convert to GnuPG.

      --
      -- this .sig is my .sig it is not your .sig if you claim it I
  53. Thoughts. by Anonymous Coward · · Score: 1

    First, this guy's whining about the difficulty of open source. He has somewhat of a point - I can think of half a dozen things I could do within five minutes each that'd make everything all pretty and user friendly. However, developers tend to shrug things off - and rightly so. I'd rather have functional, say, encryption, than a pretty interface with anti-aliased fonts and whatnot. If people want pretty, they can use MS products. I prefer usability over pretty.

    That said, again, he has a point. I played with PGP once. Once. It was, frankly, far too much a hassle for far too little gain. I don't really care if someone glances at an e-mail to my friend talking about that 'hot chick who uses Linux' in one of my classes.

    I'm well aware of the entire envelope/you might want to one day/etc. debate. The problem is, no one else is using it. Why should I? It won't help it catch on. Just because I've got, say, Apache installed on my box, doesn't mean all my friends will install it.

    Again, why? Too much difficulty for too little perceived gain. Now, if it was as simple as a few points and clicks, people might consider tacking it on, especially when you make frantic remarks about the Internet shutting down on December 30th for cleaning in reference to it.

    1. Re:Thoughts. by yatest5 · · Score: 1

      'hot chick who uses Linux'

      ha ha ha HA. Wow, I'm glad you have time to worry about what operating systems hot chicks use.

      --
      • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
  54. The Solution is Simple by xanadu-xtroot.com · · Score: 1, Redundant

    Just ROT13 your mail and no one can break it.

    er...

    Wait, nevermind...

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.
    1. Re:The Solution is Simple by Salsaman · · Score: 1

      Yes, and for double security, ROT26 it.

  55. Reality check by Anonymous Coward · · Score: 0

    Wait a minute. Anybody who's actually used GnuPG will know that it's basically no more difficult than cleaning yourself after using the toilet. If you can't do that, then you're just not ready to join grownup society.

    Can you drive a car?
    Can you make change?
    Can you pay your bills?
    Can you spell your own name?

    If you can answer 'yes' to any of these questions, then don't bother worrying about whether GnuPG is too difficult- it's not.

    When did we get to the point that something so _easy_ should be the subject of handwringing and extensive discussion?

  56. Outlook, and outlook alone by coyote-san · · Score: 5, Informative

    The problem isn't S/MIME per se. Anyone who can use OpenPGP libraries can easily use S/MIME, and vice versa. The problem is Outlook, pure and simple.

    I don't remember the details, but it's been discussed on the OpenSSL lists recently. Outlook has totally dropped the ball on multi-part S/MIME messages. Because they're the 800-pound special-ed gorilla their incompetence means that few people are interested in using correctly working multi-part S/MIME tools that can't interoperate with the majority of people, while the coders understand how much damage is being done by the broken Outlook implementation and refuse to be involved in any effort that gives it credence.

    I rarely see black hats hiding in shadows, but this is one of those exceptions. It's too easy to imagine some spook taking advantage of the fact that MS can kill the market for secure communications, while ensuring that the tools are still available for their users.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  57. GPG user-friendliness is *essential* to security by IntelliTubbie · · Score: 2

    Many, if not most, Linux apps are by-geeks-for-geeks, and there's nothing wrong with that. Can't configure sendmail? RTFM. HOWEVER, GPG is an exception. Why? Because your security is only as good as that of the person you're communicating with. GPG is useless if you have mastered its arcane commands, but none of the people you know can encrypt or decrypt messages.

    GPG is different because, unlike most software, it's not something you use by yourself. Crypto is something you must use in concert with other people, and not just other geeks, but possibly your boss, clients, family, etc. This isn't just by-us-for-us: for once, it MATTERS what other people think of the software. Therefore, an easy-to-use interface is not just a matter of aesthetics, it's an essential feature -- and since it's the only way to facilitate widespread adoption of crypto, anything else is a security hole.

    Cheers,
    IT

    --

    Power corrupts. PowerPoint corrupts absolutely.

  58. Re:i dont' think the "geek factor" is the real bar by Chasing+Amy · · Score: 3, Insightful

    > Uh, think 9/11. Think "encryption is only used for terrorism and illegal pornography."
    > Think "there's a ph@t defense contract in it for you if you make that product go away."

    *Exactly*. This isn't the first, either--far more suspicious was the untimely death of the ZKS' Freedom Network, which the respected founder insisted was planned before 9/11, but which was never announced until a short time after 9/11 and which left users with practically no advance notice. One suspects that either the founders of the Freedom network got a good talking to with some sticks and carrots, or they got worried that their network was or could be used by terrorists, and shut it down out of "conscience." A rebuttal was even posted here on /., but it will *always* look suspicious due to both timing and unbelievably short notice.

    Encryption for the masses is exactly what the U.S. government doesn't want, because it would render their unbelievably involved Carnivore/Echelon/UKUSA electronic eavesdropping network useless if we all started seamlessly using PGP or encrypting all our traffic through Freedom servers.

    It is, however, the only way we can guarantee our Constitutional rights to privacy and freedom of expression in the electronic aether. It will always be trivial to the dedicated criminal or terrorist to communicate covertly over the Net, no matter how many carnivorous hubs may be weeding through traffic. It's the little guys caught in the crossfire we have to worry about--the kind of guys who are posted about every couple of weeks on /., who get busted for writing anti-globalization websites or for other minor matters.

    Face it: governments *always* want more power, and when unchecked they take it. That's why our system was deliberately created with a lot of checks and balances to impose a sort of "gridlock" to prevent sudden sweeping changes to governmental authority. 9/11 removed those deliberate obstacles and got everyone working together to impinge our freedoms with USA/PATRIOT and the FBI's larger scope for its surveillance projects and busts. People really need to start considering getting encryption integrated into everything they can, seamlessly, before they're no longer allowed to. Don't think it couldn't happen--the likelihood of the Court allowing various limited encryption bans does have a correlation with the number of people using encryption...

    --

    Chasing Amy
    (We all chase Amy...)
    "The more corrupt the state, the more numerous the laws"-Tacitus
  59. Geeks & Interfaces by maggard · · Score: 5, Interesting
    NAI PGP for Windows was a good program?! Show me one average person who ever felt it was a slam-dunk. You know, not the ones who read /. but those that had to install it for some reason, were given this fool thing and a sheet of local instructions and told "install this" and weren't found trembling under their desk 3 days later with a pooched PC.

    Ech.

    Some great concepts but still a cranky idiosyncratic bastard of a program. Trivial to use? Sure, after reading far too many poorly written manual pages. Easy to interact with? When it didn't hopelessly mangle what it was supposed to secure (we didn't want one-way!) Integrated - as long as you didn't do this or that or...

    Look, you want a well integrated NAI program look at how NAV interacts with Outlook. Yeah it's a big pig and lots of folks hate it but to the user it's *not an issue*. It scans for nasties. It scans incoming & it scans outgoing. It can be configured with a few clicks in a clean interface written in simple language. It just works.

    Personally I ask any ambitious developer to take the same strategy NAI does for NAV: don't try to build yourself into the apps, and instead become a proxy. I'd love a local PGP proxy app that my mail could go through. The only interface I'd need would be a tiny plug-in to set a header on messages for the proxy to read and act on. That sort of plugin should be simple enough to write for all of the popular email apps; let the engine remain consistent across everything.

    With how to talk to the engine simplified then the effort can be moved to making PGP as an installation easier, more intuitive, and less of a jerk. For one thing default to a minimal install, go the install-on-demand route if need be, but DON'T dump a half-dozen applications into a system by default. Firewalls and VPNs are lovely but make sure the customer knows what they're getting into first, leave it as a second phase install by default. Plug-ins? Drop folks to a web-page where plugs for each app can be listed. Include some default plugs in the install for the most common uses but still encourage the ambitious to check out the newer/more featureful/not-in-the-distrib versions.

    Finally, why isn't there yet a standard for PGP-certifying and/or encoding web-pages?

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
    1. Re:Geeks & Interfaces by Anonymous Coward · · Score: 0

      NAI doesn't make Norton AntiVirus (NAV). That is a Symantec product. NAI does make McAfee AntiVirus; and that integration leaves a lot to be desired.

    2. Re:Geeks & Interfaces by alech · · Score: 1
      I'd love a local PGP proxy app that my mail could go through. The only interface I'd need would be a tiny plug-in to set a header on messages for the proxy to read and act on. That sort of plugin should be simple enough to write for all of the popular email apps, let the engine remain consistent across everything.
      You definitely want to have a look at premail, which does exactly that (without special headers, but commands in the To:-Header). Replaces sendmail, so what MUA you use does not matter.
  60. Mac OS X support is great! by Anonymous Coward · · Score: 0

    I'm a first time PGP user and have found using GnuPG for OSX incredibly easy. It interfaces brilliantly with Mail and has great gui features.

  61. Pmail, GPGP, COM Programming by Arker · · Score: 2
    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  62. Encrypted email will arrive by karlm · · Score: 5, Insightful
    ...as soon as AOL decides it makes business sense to integrate it.

    I sign nearly all of my outgoing emails, but seriously, encryption will remain a geek toy until AOL or another big player decides to provide public key infrastructure (PKI, keys signed by widely trusted authorities, or sufficiently many people that are minimally separated from you) for its users. There are plenty of GUI encryption email clients out there. I believe there's a GPG plugin for Eudora. However, finding your friend's public key is the big problem right now. Once everyone's ISPs step in and sign the user's keys and provide key servers, then signed and encrypted email will be the norm. After a short bit, you will be able to filter out SPAM by doing good checks on signatures, or prosecuting those spammers that actually sign their emails with valid and registered keys. Encryption will also greatly increase CPU demands for mass emailing. This is why ISPs will like crypto: it deters spam and reduces their bandwidth requirements. The big question is: how long will it take for a major ISP to start providing PKI?

    Key generation isn't hard. Once AOL starts signing all of their users' public keys, then it will be common practice for your email client to go to all of the recipients' ISPs, verify their Verisign certificate, and verify their signature on the user's public key, then encrypt everything at transmit time.

    Key generation isn't all that tough. Nearly everyone trusts Verisign.

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    1. Re:Encrypted email will arrive by Everybody · · Score: 1

      > then signed and encrypted email will be the norm

      Yeah, but then they could not read your mail!

    2. Re:Encrypted email will arrive by karlm · · Score: 2
      Yeah, but then they could not read your mail!

      I know you're just making a funny, but the 14 year olds out there don't know this and it's a good point to make.

      They and half the internet can read your email now. People already have a false sense of security, so having AOL handle your crypto is a huge step forward for 99.9% of the population.

      Also, if it's properly implemented, they don't have to be able to read your email. They couldn't read your email if your private key is generated and encrypted inside the client before being stored on the server. As long as they only get to store an MD5 sum of your password, you can log in without jeopardizing the salted hash used to encrypt the secret key. They only need to sign the public key.

      If I were to publish my GPG public key ring, it would most likely take you millions of years to extract my secret key. (Yes, quantum computing is a slight problem, but my public key is more vulnerable to a quantum discrete log attack than my password is vulnerable to a quantum 3DES and MD5 attack, given only a few bytes of known plaintext in the private key.) My passphrase is between 15 and 20 characters, using lower case, upper case, numbers and symbols. If I ever showed my GF my passphrase, she wouldn't be able to remember it because it makes no sense even to people who know me well. Sure, AOL could trojan your login or email client, but if you're that worried about AOL, there's always someone willing to let you use your own client. AOL is plenty trustworthy for the average person, as long as they'd have to trojan your login to get your passphrase (which is less than 40 bits of entropy for the average person, way less).

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
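
The reply above sketches a design where the client generates and encrypts the private key before uploading it, and the server stores only a password hash. The part that makes or breaks that design is that the login credential the server holds must be derived independently from the key that wraps the private key; otherwise the server's stored hash is the decryption key. The following added example (not code from the post, from AOL, or from GnuPG) shows one way to get that separation with the Python standard library: one PBKDF2 stretch of the passphrase, then HMAC-derived subkeys for "login" and "wrap". The HMAC-SHA256 counter-mode keystream used to wrap the key is a stand-in for a real AEAD such as AES-GCM, chosen only so the example runs without third-party packages; the iteration count and all key material are constructed values.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000   # PBKDF2 work factor; raise it for real deployments


def _root_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase once; everything else is derived from this."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, KDF_ITERATIONS)


def _subkey(root: bytes, purpose: bytes) -> bytes:
    """Domain-separated subkeys: HMAC is one-way, so holding the 'login'
    subkey reveals neither the root nor the sibling 'wrap' subkey."""
    return hmac.new(root, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES-GCM/ChaCha20-Poly1305
    so this example runs on the standard library alone."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def wrap_secret_key(secret_key: bytes, wrap_key: bytes) -> bytes:
    """Encrypt-then-MAC the private key under the client-only wrap key."""
    enc_key, mac_key = _subkey(wrap_key, b"enc"), _subkey(wrap_key, b"mac")
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(secret_key))
    ciphertext = bytes(p ^ k for p, k in zip(secret_key, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_secret_key(blob: bytes, wrap_key: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    enc_key, mac_key = _subkey(wrap_key, b"enc"), _subkey(wrap_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def client_enroll(passphrase: str, secret_key: bytes) -> dict:
    """What the client uploads: salt, a login verifier, and the wrapped key.
    The wrap key itself never leaves the client."""
    salt = secrets.token_bytes(16)
    root = _root_key(passphrase, salt)
    return {
        "salt": salt,
        "login_verifier": _subkey(root, b"login"),
        "wrapped_key": wrap_secret_key(secret_key, _subkey(root, b"wrap")),
    }


def client_login_token(passphrase: str, salt: bytes) -> bytes:
    """Sent at login instead of the passphrase itself."""
    return _subkey(_root_key(passphrase, salt), b"login")


def server_check_login(record: dict, token: bytes) -> bool:
    return hmac.compare_digest(record["login_verifier"], token)


def client_unwrap(passphrase: str, record: dict) -> bytes:
    root = _root_key(passphrase, record["salt"])
    return unwrap_secret_key(record["wrapped_key"], _subkey(root, b"wrap"))


def server_can_unwrap(record: dict) -> bool:
    """An honest-but-curious server tries the only key material it holds."""
    try:
        unwrap_secret_key(record["wrapped_key"], record["login_verifier"])
        return True
    except ValueError:
        return False
```

A real service would hash the received login token once more before storing it, so that a database leak does not by itself permit logins, and would use a memory-hard KDF. The point the example isolates is the one the reply makes: with the two subkeys derived separately, the server can authenticate the user but cannot unwrap the key, and a bare unsalted MD5 of the password (what the reply mentions) is exactly the shortcut to avoid, since it is fast to brute-force and would double as the wrapping key if reused.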
  63. KMAIL improvements by Moritz+Moeller+-+Her · · Score: 2

    > I use KMail; it has very nice GnuPG integration,
    > the only missing feature is for *it* to go through
    > and encrypt my attachments instead of making me do it.

    I use kmail, too and this lack of total encryption has bothered me, too. kmail ATM only signs the text of the mail itself.

    BUT, thanks to the German sponsored project AEGYPTEN, the next version of kmail will have openpgp specified mime multipart encryption and also full S/MIME support. [And also LDAP support and so on, mutt will get S/MIME support out of this.]

    By the next version I mean KDE3.1, which will be there end of summer.

    You can already check out the AEGYPTEN branch of kdenetwork:
    http://www.gnupg.org/aegypten/development.en.html
    http://www.gnupg.org/aegypten/development.de.html
    ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/

    --
    Moritz
  64. Encryption or Authentication by anonymous+cupboard · · Score: 1
    I suppose you leave your credit card unsigned as well?

    Please remember that in this world, even if you have no need of the privacy functions, it is generally better to have a way of signing electronic documents.

  65. Outlook plugin by Moritz+Moeller+-+Her · · Score: 3, Interesting

    Here is the gpg Outlook plugin, German and English version:
    http://www3.gdata.de/gpg/download.html

    --
    Moritz
    1. Re:Outlook plugin by bberg · · Score: 1

      I use this outlook plug in and have formally recommended it to clients. Works great.

      -bernie
      www.bernieberg.com

  66. Unix way of doing things. by rasjani · · Score: 2
    Clearly this poster hasn't got a clue how things should be done in the Unix-alike OSes.

    The thing is, good programs are extensible because they just provide the core of doing things the right way. So does gpg. In easiest form, it can create keys and it can en/decrypt data.

    This is what it does and that it does well.

    Now, if you want bells and whistles, go find software that you like and ask the authors nicely to include support for gpg.

    For example, I've used gpg for almost a year now, since gpg support was first published in the Evolution mailer. I created my keys (3 commands; I have 3 emails and I wanted to use different keys), and put the data into Evolution. Since that day, I haven't invoked gpg directly at all. I have some GUI tools to import/scan keyservers for keys that I'm missing and Evolution itself does the rest. So, in my eyes, gpg is as good as it can get.

    --
    yush
  67. Buy up while you can by Anonymous Coward · · Score: 0

    That's what we did, placed an order for 27 copies yesterday ...

  68. Re:Grave Wisdom by Anonymous Coward · · Score: 0

    brainstorming there, are we?

  69. Outlook plugin (GPL'ed) available by Jan0815 · · Score: 2, Informative

    The German government(!) is sponsoring a project to use GNUPG. Details (Achtung! German!) can be found here:

    http://www.gnupp.de/start.html

    Roughly translated:

    Security for e-mail, e-commerce and e-government. The goal of this project is to deliver free encryption software that's easy to use.

    The fun thing is this:

    http://www3.gdata.de/gpg/download.html
    and if you don't understand those strange words, you can download here:

    http://gdataspace.de/download/gpg/GDATA_plugin_091-eng.exe

    This is an Outlook-Plugin for GnuPG. Using this plugin GNUPG is easy as 1-2-3.

    HTH

    Jan Wildeboer

    1. Re:Outlook plugin (GPL'ed) available by sql*kitten · · Score: 2

      This is an Outlook-Plugin for GnuPG. Using this plugin GNUPG is easy as 1-2-3.

      Nice. Do you know if it works with XP/Outlook 2002? I had the full commercial version of PGP and the Outlook plugin worked fine on Win2K/Outlook 2000 but was mysteriously broken on the XP versions (something about relying on a Service that didn't understand Fast User Switching).

    2. Re:Outlook plugin (GPL'ed) available by Anonymous Coward · · Score: 0

      I'm happy about that funding. It was a lot of money.

      In this case, I'm proud of the German government ;-)

  70. There is a very good frontend available right now! by calle42 · · Score: 3, Informative

    Go to www.gnupp.org, home of the GNU Privacy Project. GnuPP is (currently) only for Windows and consists of an easy installer for GPA, GPG and WinPT. This is being sponsored by the German government (like GnuPG itself too), fully GPL'ed, and at least for us Germans, there's a good manual available from the Wirtschaftsministerium too. Anybody can order it for _free_. They gave printed documentation including an installer CD away for free at CeBIT. Anybody who can get this, should. The page there is still in German, but there's an English version of GnuPP too.

  71. What about v7.0.4? by Compact+Dick · · Score: 1

    Let me assure all PGP users that all versions of PGP produced by NAI, and PGP Security, a division of NAI, up to and including the current (January 2001) release, PGP 7.0.3, are free of back doors.

    Could be true of 7.0.3. Shortly afterwards, two major security flaws [multiple user ID vulnerability and DLL vulnerability] were discovered, and hotfixes quickly issued.

    AFAIK, the patches' source is closed and un-vetted by Zimmermann or anyone outside NAI.

    Applying them silently upgrades PGP 7.0.3 to 7.0.4. It doesn't show up on the "About" window. Instead, sign or encrypt a text block and note the ID string.

    So does his statement of trust still apply? I don't think so.
  72. Yes, we need to make it simple for end users... by Anonymous Coward · · Score: 0

    Yes. I think the problem is that most users just don't know what the hell a key is, let alone the difference between a public key and private key. Also, there is almost no hope of getting them to back those keys up, so that they can still get email after a crash.

    I think what is needed is a simple prompt when installing email software, which asks "This client can keep your messages as private as possible, using PGP. If you want to manage PGP details yourself, which can become complex, choose MANUAL. If you would prefer not to get bogged down in such details, or don't understand what PGP is, then choose AUTOMATIC".

    Under automatic, of course, you would need at least five separate stages to be automated. Firstly, you would need to have a keypair generated AUTOMATICALLY (ie, no prompts for passwords, ID, etc -- an email client already asks for this stuff in other places). Secondly, your public key needs to be AUTOMATICALLY publicised. Thirdly, all email should be signed AUTOMATICALLY. The fourth requirement would be that every email going to people with known public keys is encrypted -- again, AUTOMATICALLY. And, lastly, when an email is received which is either encrypted or signed, simply add something at the top/bottom which says something to the effect that "This email was digitally signed. You can trust it a little more than usual, but don't trust it with your life. [Click here], or click the lock icon for more details." and/or "This email was encrypted directly to you. It's doubtful that anyone else was able to read it, unlike most emails. [Click here], or click the lock icon, for more details."

    Now, PGP on Windows did a few of these things, IIRC, like the automated encryption to those who had keys on your local keyring. I don't recall it doing much else automatically. Even so, PGP was a whole other software install, with fairly complex questions for a newbie.

    Evolution, the MS-Outlook competitor for Linux, handles received GPG emails quite nicely. It will automatically decrypt/verify emails, and put that nice little paragraph at the bottom, with the lock I was talking about. Unfortunately, it requires GPG to be already working -- although this is to some extent expected on a Unix box -- a single point of config, and other programs using it. Not only that, though... you need to manually type in your key fingerprint for each email account you set up.

    Anyway... THAT's why it's not popular. How popular would WinZip be if it asked people where their previously generated public/private keypair was, or prompted them to type randomly on the keyboard during install? People don't care HOW their email works... they just want to send flippant two-line crap all day, with the odd mission-critical document about once a year. Even home security, arguably much more important, is ignored by most people... at best, they'll call someone out to fit "an alarm". How many people bother to check the security features of said alarm? How many study which alarms use modern technology internally, which hasn't been found wanting?

    In summary... computers are made to automate things. For god's sake, get with the program, email client writers!

  73. GnuPG for Windows w/ GUI by Voidhobo · · Score: 1

    At CeBIT this year, I stopped by a little stand in the Future Park, where a poor neglected man with a laptop was trying to give away software for free. He was employed by the German Ministry of Economy and Science, and the software was GnuPP (The Gnu Privacy Project). Basically, it is a GUI for GnuPG under Windows (called the GPA -- Gnu Privacy Assistant), and a plug-in for Outlook. It's completely Free, and works quite well. I think it's not much different from the commercial PGP program. It offered a little lock icon in the tray on the right of the start bar which let you encrypt and/or sign either your clip-board or the currently active window. You can get it here. (click on "herunterladen"). I doubt it will be impossible to use even for those who don't know German.

  74. Good Frontends exist.. by anno1602 · · Score: 1

    First, Geheimnis is a very good and complete GPG frontend. Then, KMail has integrated gpg/pgp support for signing, signature checking, de-/encryption. I'm sure there are other examples. What is lacking are not good Linux frontends, but good Windows frontends, which the German government is currently taking care of (see other posts). BTW, they also plan to extend KMail support.

  75. Non-geeks had trouble with NAI PGP by ssimpson · · Score: 3, Insightful

    Often people say that "GPG needs a frontend before non-geeks can use it". That point is probably true, but even though NAI PGP has had a "mature" GUI based front end for several revisions, normal users are still incapable of getting their head around creating keys, the difference between public and private keys, the difference between signing and encryption etc etc.

    A usability study was undertaken by researchers at Carnegie Mellon in which they found that virtually no non-geeks managed to use PGP successfully anyway.

    Sure, OpenPGP based programs need to achieve better reach, but simply copying the NAI PGP design won't achieve this goal....


    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
    1. Re:Non-geeks had trouble with NAI PGP by Anonymous Coward · · Score: 0

      Yes. The problem is not using GPG or gnupg, the problem is to understand what to do.

  76. In a Word... by Captain+Large+Face · · Score: 1
    -----BEGIN PGP MESSAGE-----
    Version: 2.7.1

    hPUDEUi8JOKxuccBB0iZOYpD+moBqlme8h14BafQpYQThtIHyo
    Z5oSR0u1rYlUT6EmxWyim4m/wVSUMouBkbcZ4S2nDTg5lA8z6x
    mIfLKU1NTWk2EtaKXQKeRRb0tUpJkcmPgzjuQuwC6zylttGvkj
    w5Dg3QaVpSzprZliBLOli6pBXX3aE72nUdsOeQLgvmKJQNJ5C1
    jKfkY4rxZkptOp2+YTvek9OLEoMoa8fvmcUFps5V+wd1eRJ0qm
    jCP7N3lMgvtxdtTekzDDOlvS6GdOdYfPiUx+BkRhPfy6e00RSX
    4u5+in8Gl9VwjuetkZLkRRoQx0sfZqYAAADXOtvhsuOFRvn7Vl
    96yr2wTb9R0j2ZpQVc8z6fOTC6iK/jl2DuvouAG17ZNudi+3QP
    gk6lTnx4yuWqmUgms1miZfuvjZNr8uVgvZYkwFLiKNqN5PKttI
    8QYl4HSwELSIwIecoyhAcQI2MfAjeA2vjw1NvbYnXkpWF+ZZMG
    QFJIVbcwQa6ALotfQQ0ZmcTCrYajD+wwRbpqIPSjVeyHohYNDF
    UO9fi2cNRbC5k28e5qxnXA3E0fAPw1yVFUG0dUnyHbpozEThEd
    LwCKGLmsIySn3cp4RGq/v3I==CJeA


    -----END PGP MESSAGE-----

    Yes..

  77. IPSec by guinnessnwhiskey · · Score: 1

    With IPSec it is possible to encrypt all your traffic. When the IPSec encryption header is used, everything behind the IP header is encrypted, even the TCP header. So, somebody listening to your connection can't even figure out which port you are using!
    On the Freeswan homepage you can get a lot of information.
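
To make the comment's point concrete, the following added example (not code from the post or from the FreeS/WAN project) builds two constructed IPv4 packets carrying the same TCP segment, one in the clear and one wrapped in transport-mode ESP (RFC 4303), and runs the kind of header parsing a passive observer on the path could do without any keys. The cipher inside the ESP payload is a placeholder XOR keystream standing in for the real AES mode; addresses, ports, SPI and keys are all constructed values. What the observer gets from the ESP packet is the address pair, protocol 50, the SPI and the sequence number; the TCP ports and payload are not recoverable.

```python
import hashlib
import hmac
import itertools
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # version/IHL, DSCP, total length, id, flags/frag, TTL, protocol,
    # checksum (left zero in this constructed sample), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, _ip(src), _ip(dst))


def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    # 20-byte header: ports, seq, ack, data offset 5, flags PSH|ACK, window, csum, urg
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return header + data


def _toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Placeholder for the real ESP cipher (AES-GCM etc.); enough to show that
    # the observer sees only ciphertext. Never use this for real traffic.
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def esp_transport(spi: int, seq: int, inner: bytes, enc_key: bytes, auth_key: bytes) -> bytes:
    """Transport-mode ESP: SPI and sequence number stay in the clear; the TCP
    segment plus trailer (padding, pad length, next header) is encrypted; an
    ICV over SPI+seq+ciphertext is appended (truncated HMAC-SHA256 here)."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_TCP])
    ciphertext = _toy_encrypt(enc_key, inner + trailer)
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:16]
    return header + ciphertext + icv


def observe(packet: bytes) -> dict:
    """What a passive observer on the path can read without any keys."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    seen = {"src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20])),
            "protocol": proto, "src_port": None, "dst_port": None,
            "spi": None, "seq": None}
    body = packet[ihl:]
    if proto == IPPROTO_TCP:
        seen["src_port"], seen["dst_port"] = struct.unpack("!HH", body[:4])
    elif proto == IPPROTO_ESP:
        # Only the ESP header is parseable; ports sit inside the ciphertext.
        seen["spi"], seen["seq"] = struct.unpack("!II", body[:8])
    return seen


def plain_packet(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    segment = tcp_segment(sport, dport, data)
    return ipv4_header(src, dst, IPPROTO_TCP, len(segment)) + segment


def esp_packet(src: str, dst: str, sport: int, dport: int, data: bytes,
               spi: int = 0x1234, seq: int = 1,
               enc_key: bytes = b"constructed-enc-key",
               auth_key: bytes = b"constructed-auth-key") -> bytes:
    esp = esp_transport(spi, seq, tcp_segment(sport, dport, data), enc_key, auth_key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


if __name__ == "__main__":
    print(observe(plain_packet("10.0.0.1", "10.0.0.2", 40000, 443, b"GET / HTTP/1.0")))
    print(observe(esp_packet("10.0.0.1", "10.0.0.2", 40000, 443, b"GET / HTTP/1.0")))
```

The remaining metadata (endpoints, SPI, sequence number, packet sizes and timing) is still visible, which is why ESP hides which service you talk to on a host but not which host you talk to.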

  78. KDE KMail has excellent GPG integration., by Anonymous Coward · · Score: 0

    Well, it does :-).

    GPG _on_ _windows_ doesn't work very well. Nothing works very well on windows from my experience...

  79. GPG and MacGPG by ReadParse · · Score: 3, Informative

    I'm one of those many recent OS X converts who just bought my first Mac, after years of having used Unix and Windows.

    PGP is something I've played with over the years, like a lot of geeks, but never used religiously. But I decided a few months ago that it was something I should start using regularly, so I sought out a mail client with built-in PGP (or variant) support. I found a neat little (non-free) Windows e-mail client called The Bat! (that's their exclamation point, not mine), which had not only built-in support, but you can configure it to use PGP, GnuPG, and even their own OpenPGP implementation. That and many other cool features persuaded me to buy that e-mail client, after which time I decided to throw the switch and begin signing all e-mail that I send.

    Along the way I discovered WinPT (Windows Privacy Tray), which is a decent little frontend for GPG. Remember, GPG is a backend -- how you interface with it is up to you.

    Then came my Titanium PowerBook. I got it for all the reasons mentioned around Slashdot and elsewhere, but I didn't really expect to find cool things like a good GPG frontend, let alone e-mail with GPG support. Boy was I wrong! I went to the GPG site and found a link to the Mac GPG site, which ports GPG to OS X. Not only the backend, but a frontend that integrates with the "Finder" (that's Mac-speak for the "Explorer" equivalent), right in the "Services" menu (which is much like the global right-click menu in Windows Explorer).

    But that's not all! I saw further down on the same page that somebody else has written an extension to the OS X default mail client (which ain't as bad as you might think) that provides very good GUI GPG support for mail.

    So, even though switching over to the Mac isn't the easiest thing in the world (I say that as I sit here typing on my Windows machine for reasons I won't go into), I can say that GPG is among the least of my problems.

    RP

  80. How many of those switches by Anonymous Coward · · Score: 0

    have been tested to work with each other? For n switches there are 2^n possibilities, and for many unix programs I doubt they have all been tested.

  81. One More Thing about OS X and GPG by ReadParse · · Score: 2

    Oh, I forgot to mention....

    There's also a great little instant messaging client available for OS X (called Fire) that connects you to all the major services at once, and it has built-in GPG support. And very good support, too.

    I'm not yet to the point that I feel I need to either sign or encrypt my instant messages, but that time may come, and it's nice to know that Fire is ready.

    RP

  82. GnuPG Plugin for Outlook by Anonymous Coward · · Score: 1, Informative

    For all of you, who want to use GnuPG with Outlook there is a plugin at Gdata AG. The latest version includes an english version, too.

  83. Let's buy the desktop security by jukal · · Score: 0

    I find it totally confusing that Network Associates did not find a buyer for the desktop security (PGP) product line. How is this possible? According to my understanding, it was basically considered THE ONLY commercial PGP solution.

    I get for example the message flood of the CISSP forum, and it is not once or twice that this product has been mentioned.

    So why not buy the product line and opensource it completely. Is there any association or anything that could do it. This is something in where I could a donate a few dollars. I wonder if anything like this has been done before, some dead commercial product bought by the opensource community?

    Somehow I am fearing that the other (inferior?? and not open) solutions will win. PGP is good and we should save it.

    As for GnuPG, I use it happily with pine. But it will take an immense amount of good publicity and hard work to get it working as easily with FEAR!! Outlook for example and to get those people convinced that it is something real.
    So, what's the quote on this product suite? :)) Well, maybe this is just words, but think about it once more, this was a big loss. .. conspiracy, anyone?

  84. So why did Freeware PGP do stuff with my keyboard? by Anonymous Coward · · Score: 0

    Yesterday I installed Freeware PGP on Win2k. During the installation my machine crashed. When I rebooted my keyboard and mouse were no longer working (and what good is a computer without a means of input).

    My question: What would PGP be doing that would mess with my keyboard drivers/service? Otherwise - what other reason could there be for no input?

    I have this feeling I am being paranoid. But then I've never seen the source code. And I have to admit that if I were going to intercept PGP data, the keyboard would be a great place to do it.

    Yours - anonymously and slightly paranoically, (name and identity withheld).

  85. GnuPG needs SDK or Java version by Anonymous Coward · · Score: 1, Informative

    PGP is too hard to use, as the Carnegie-Mellon study showed. Users need a simpler metaphor for understanding the roles of public and private keys. For example, in the study, some users emailed their private keys by mistake. Another example, even so-called "geeks" boast about how they frequently change their PGP password. But if their private key is accessible, what good does that do?

    The easiest public key solution I've seen is Hushmail http://hushmail.com which now actually adheres to the OpenPGP standards. Using Java, the browser encrypts the message locally. Sure, private keys are stored on the server, requiring an extremely good passphrase to ensure any level of protection. I guess that's always the trade-off, security vs. ease-of-use. The other disadvantage of Hushmail, of course, is that it is a private mail network. You can be notified via SMTP email that you've received a message, but you can't just spontaneously communicate with another person until they have a Hushmail account. Hushmail needs a "password-only" method of encryption where the message is encrypted and a URL is emailed to anyone you like. When they click on the URL, they're given the option to sign up for a full Hushmail account, where only 1 passphrase is needed to decrypt all messages.

    Hushmail is in Java. I'd rather see an ActiveX implementation. ActiveX would be faster and also able to encrypt/decrypt files locally on your computer. That's the problem with GnuPG. It does not have an SDK that would allow it to be made into an ActiveX control. A Java version would also be useful. NAI's PGP had a great SDK, which they used to license at $1 per copy and later changed their mind and started extorting much more.

  86. It's already been done. It *is* a doddle to use. by Colin+Smith · · Score: 2

    I have WinPT on my corporate Windows desktop: http://www.winpt.org/

    I can now use GPG encryption with anything that can cut/paste.

    There are similar frontends for Linux/Gnome/KDE etc.

    --
    Deleted
  87. GPG is delivering! by zecg · · Score: 2, Informative

    ...only most people are too blind to notice.

    Timo Schultz's WinPT is an all-in-one encryption frontend which sits in the system tray and does EVERYTHING. Even safely wipes data from the drive. And for convenience, he has an Outlook Express plugin (which works!) and a Windows Explorer plugin (which I don't need and thus haven't tried yet).

    Give it a try and see...

    http://www.winpt.org

    --
    .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
    1. Re:GPG is delivering! by haapi · · Score: 1

      I'll "me too" that, and also say that I am impressed with the recently announced EnigMail plugin for Mozilla 0.9.9. Pretty damn seamless integration.
      http://enigmail.mozdev.org

      Should be working with Netscape 6.2.2? soon, also.
      Perhaps millions of AOL users will be sending encrypted mail to each other in short order! (Enough to give an NSA man the hives.) Oh, look! a Pig just flew by my windows. I'll be right back....

      --
      Well, apparently, you only have to fool the majority of people for a little while.
  88. Choosing Girls by OS. by Corporate+Troll · · Score: 1

    Well....I don't know any girl that uses Linux.... But if I'd had to choose a girl on her OS preferences, I'd take any girl that runs Mac OS X! :-)

  89. Did my copy of PGP stop working? by Anonymous Coward · · Score: 0

    I'm sorry, did NA have a time bomb set in my software that I bought that once they throw the switch it stops working? Why can't I continue to use what I already have? Are you worried that without open source they won't have version numbers like 0.0.9.1.3b-ac ?

  90. Which is why I still use PGP 2.6.2 by objwiz · · Score: 1

    At least when this version was released, the code was included and it provided some security. Who knows what's happened to PGP after NA took control of it.

  91. Can GnuPG Deliver....Windows users please.... by Anonymous Coward · · Score: 0

    GnuPG *IS CREATED FOR AND BY UNIX/BSD/LINUX USERS* Support for Windows users is and always will be an afterthought. Get used to this. The vast majority of people creating software like GnuPG and other software for Linux/BSD/Unix are not interested in creating software for your platform. Get over yourselves.

  92. GnuPP from BMWi by Alpha600 · · Score: 0

    A ministry in Germany is working on a package around GPG. It's called GnuPP and has a UI and documentation.
    The downside: It's German - maybe Google helps you translate it =)

    http://www.gnupp.de/

    b4n

    --
    why are newer posts modded up, while older with same content are classified as redundant?
  93. Companies using PGP (OpenPGP), applications by MagicFab · · Score: 1
    It took me a while to understand and be able to explain the differences/roles of PGP (the product), OpenPGP (the standard, as PZ renamed it), OpenPGP (the alliance), and NAI (the Empire ? :). I needed a short path through this story for customers and friends whom I wanted to start using this, so I prepared a summary on Thawte X.509 certificates and OpenPGP Encryption.

    While doing this, I discovered that quite a few companies do support OpenPGP but it's our job to continue this effort in 2 ways:

    1. Educating others about it
    2. Participating in development efforts (and this also means bug reporting, translation and documentation, stuff that even I can do!)

    For a sample of companies supporting OpenPGP "movement" as Salon calls it, see:
    http://www.openpgp.org/members/

    It's a shame that the Salon article totally ignored to mention at least two of the easier (although not easiest) ways to use OpenPGP: Enigmail (for Mozilla/Netscape) and WinPT (for Windows/clipboard-based), among others.

    They also fail to mention that GnuPG really is the command line application/libraries, and then there's a layer of front end or integration to other products. A thorough visit of GnuPG.org will reveal this.

    Finally, for the webmail-oriented crowd, there's also Hush Mail (which is, BTW, a company that PZ joined after leaving NAI). What's so technically difficult about using this ?

    --
    Notepad specialist & FAT administrator, group training available
  94. How to encourage use of encryption in contracts by MagicFab · · Score: 1
    Here's the wording we use in all our contracts to encourage use of encryption. If somebody has suggestions for improvement, I'd like to hear them.
    1. SPECIFIC PROVISIONS
      1. Electronic Communications
        The Parties' representatives may communicate between themselves by electronic means, in which case, the following presumptions shall apply:

      2. The parties have established and verified their respective identities by presenting an electronic signature generated from a trusted OpenPGP key or S/MIME certificate (hereinafter referred to as the "Identification Code")
      3. the presence of an Identification Code in an electronic document shall be sufficient to identify the sender and to establish the authenticity of the said document;
      4. an electronic document containing an identification code shall constitute a written instrument signed by the sender; and
      5. an electronic document containing an identification code or any printed output of such document, when kept in accordance with usual business practices, shall be considered to be an original.

      The Parties' representatives may also communicate between themselves by fax, provided an original document follows up any such transmission.

    --
    Notepad specialist & FAT administrator, group training available
  95. A library opens a pipe by yerricde · · Score: 2

    We should be able to link that program into mail readers, web browsers, databases, all kinds of things, but none of that is possible to do easily because it needs to run as a separate program.

    What's wrong with creating a library that interacts with gnupg through a pipe or other method of IPC? That's what (e.g.) X11 does: apps talk to xlib, which marshals calls to the X server.

    --
    Will I retire or break 10K?
  96. check out this message. by gimpboy · · Score: 2

    you should check out this message w.r.t. S/MIME support in outlook. it doesn't leave me with a warm fuzzy feeling inside.

    --
    -- john
  97. Why I can't use GPG by Anonymous Coward · · Score: 1, Interesting

    I need a GPG plugin for Lotus Notes, Eudora, IE-Mail, Outlook and so forth. Until it's done as a package, I can't use it.

    I need something simple that I can install into Lotus Notes so that a non-tech person can use this.

    Don't give me any crap about you can do this or you can do that... I need this so my mom can use it, she's worse than Eric Raymond's "Aunt Tillie"

  98. Backend Encryption by CynicTheHedgehog · · Score: 1

    I have several applications that require backend batch encryption of files in order to automate processes. GnuPG handles this beautifully; for instance, in Java I can start a new runtime process with the argument "--passphrase-fd 0" and then write the passphrase to the process's standard input stream. I can't fathom how I would go about this with NAI's solution (even if licensing didn't prevent me from using it in a commercial setting).

    I also see uses in online E-mail forms (webmail). Someone writes a message, adds attachments, and passes the whole MIME-encoded mess to a servlet or CGI that runs it through gpg. The user wouldn't even have to be aware of it.

    p.s. For those of you who are wondering, yes, I tried Cryptix. I couldn't figure it out (it's not documented *at all*), and it doesn't run with JDK 1.4. GnuPG was a life saver.
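
The batch approach the poster describes (spawn gpg, pass "--passphrase-fd 0", write the passphrase to its stdin) as an added example; this is not the poster's Java code but an equivalent in Python, and it assumes GnuPG 2.1 or later is on the PATH as gpg or gpg2. It uses a throwaway --homedir so it never touches the caller's keyring, and it keeps the passphrase off the command line, where any local user could read it with ps.

```python
"""Unattended GnuPG encryption from a backend process (constructed example)."""
import shutil
import subprocess
import tempfile

GPG = shutil.which("gpg") or shutil.which("gpg2")
GPG_AVAILABLE = GPG is not None


def batch_args(homedir, extra):
    """Flags that make gpg run without prompts; passphrase comes from fd 0."""
    return [GPG or "gpg", "--homedir", homedir, "--batch", "--quiet", "--no-tty",
            "--pinentry-mode", "loopback",  # needed since GnuPG 2.1 for --passphrase-fd
            "--passphrase-fd", "0", *extra]


def run_gpg(homedir, extra, passphrase, payload=b""):
    """Write "<passphrase>\\n<payload>" to stdin; gpg reads the first line
    byte by byte as the passphrase, so the payload that follows stays intact."""
    proc = subprocess.run(batch_args(homedir, extra),
                          input=passphrase.encode() + b"\n" + payload,
                          capture_output=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.decode(errors="replace"))
    return proc.stdout


def symmetric_roundtrip(plaintext, passphrase):
    """Passphrase-encrypt (AES-256) then decrypt; returns the recovered bytes."""
    with tempfile.TemporaryDirectory() as home:  # mkdtemp gives mode 0700
        try:
            ciphertext = run_gpg(home, ["--symmetric", "--cipher-algo", "AES256",
                                        "--output", "-"], passphrase, plaintext)
            return run_gpg(home, ["--decrypt", "--output", "-"], passphrase, ciphertext)
        finally:
            # Stop the agent gpg started for this homedir before the dir is removed.
            try:
                subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                               capture_output=True)
            except OSError:
                pass


if __name__ == "__main__":
    # Constructed sample batch payload and passphrase.
    print(symmetric_roundtrip(b"ACH batch 2002-03-08", "correct horse"))
```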

  99. Seamlessness by rpk · · Score: 1

    Mac OS X actually comes out looking pretty good in the Salon article, because it's easy to write front-ends to Unix-based tools, and, even better, there is a "Services" hook that allows at least a generic, simple, if not completely seamless, way to integrate a facility with existing programs.

    And I had also checked out Mac OS X GPG solutions a few weeks ago too. We use PGP at work and I was looking for both a migration solution (can I use my PGP keys in GPG?) and an interoperability solution.

  100. Hard to install free software on Windows? by xmda · · Score: 1

    But I've only found one "free software" package which is up to scratch with its Windows counterparts (in ease of install etc.), and that's Apache Tomcat, and that needs some work. :)

    Ok, I know this is kind of off-topic, but have you ever tried to install, let's say, Mozilla on Windows? The GIMP? Apache webserver? Not especially hard... I'm sure there are more examples of GPL'ed work that is easy to install.

  101. Me too by Anonymous Coward · · Score: 0

    I second that, I already had gnupg installed, used it before from the command-line, and then when I went to try out evolution, I was positively surprised I could encrypt, decrypt, sign, and check signatures with just a click of the mouse.

  102. GPG Working Well by shinnyo · · Score: 1

    We've been using a combination between GPG (on the linux server side) and PGP Freeware in a couple sites we've designed lately. Example: A form is submitted via PHP. We pipe the form through gpg to generate a PGP-encrypted message and then e-mail it to the user. The user is running PGP Freeware on their windows system and uses it to decrypt the e-mails.

    One of the limitations I've noted is that the default keys that are used are different. To get around this, when generating keys for gpg, use the "DSA and ElGamal (default)" key, and in PGP Freeware use the "RSA" key.

    Another difference is that gpg recommends a bit size of 1024, with a "maximum suggested" of 2048, while the version of PGP Freeware that we're using begins at 1024 and goes up to 4096, with 4096 being the default.

    Overall, I'm very impressed with gpg so far. I'm glad someone decided to take over this project, and putting it under the GPL will encourage development.

  103. German Government handing out GNU Privacy Projekt by Airon · · Score: 1

    There is a good frontend for Windows and Linux and the German government was handing out packages of this project, featured at http://www.gnupp.org at the CEBIT with discussion and help from officials on how to use and why.

    Hey, when's the last time any government did that? They're actually paying people to develop this and it's all GPL'ed.

    And that frontend ain't bad at all. Check it out.

    Tony

  104. What we need: by einhverfr · · Score: 2

    So I stand by my characterization of the "by geeks for geeks". Switch that phrase to "by lusers for lusers", and hey presto, you're criticizing Windblows.

    hehe... Well said (in terms of attitudes), but IMO bloatware is a result of trying to create rapid application development environments, not bad code (which is why GNOME and KDE are so "bloated." Not that this is bad). Interestingly, the gazillion switches serve the same purpose-- providing for the rapid development of other programs.

    You -- the Slashdot crowd "you", not the "einhverfr" you -- extol the virtues of "anyone" being able to put together a front end on top of the actual encrypt/decrypt model. Well, that's not what Joe in accounting is willing or able to do. You -- again, the Slashdot crowd "you" -- talk about the importance of encryption evangelization. Well, Joe in accounting thinks it's a pretty good idea, but can't for the life of him figure out what he needs to do to sign his Eudora-sent email in the first place.

    One thing that my experience in open source software has taught me is that given sufficient time, anything that can be done will be done, whether or not it is a "Good Idea." Think video games that run as LILO splash screens, etc. The idea is that if it is easy for enough people (not everyone), someone will do it because they will want to see it done. But this does take time.

    As for evangelization of encryption, I completely agree that there is a need for it, but it is a very difficult thing to do right. Encryption needs to be explained so that everyone can understand it. It does not do enough to say "You Too Should Use Encryption!" One must state why encryption is important, starting with e-commerce, and eventually explain the basics of how it works (so users don't, say, give someone else their private key). And it needs to be in plain English (or whatever vernacular).

    I have had occasion to read technical manuals for software from 10 or 15 years ago, and I have always been struck at the QUALITY of the documentation-- it is accessible, technical, and concise. The SCO Unix Administration and Installation Guide (from 1994) started with something like

    "Before you begin you should know: How to turn on your computer, how to reset your computer, and how to insert floppy disks into the floppy drive. If you are unsure how to do any of these things, please check your hardware documentation."

    And it went on to eventually discuss filesystem maintenance, system security, etc. (even going so far as to give some fairly technical insight into the inner workings of the filesystem). But it was intelligible to someone who wanted to learn, and the book was all of 300 pages.

    I credit the fallen state of tech docs to the rise of computer professionals as a large and dominating community-- it is as if we have forgotten how to talk to novices.

    What we need to do is come out of our shell and learn how to explain these concepts to our parents and our grandparents, whether or not they have ever seen a computer. I am always amazed at how easy these things are to understand if someone explains them correctly.

    OK. Maybe I will have to write a short intro to encryption for laypeople ;)

    --

    LedgerSMB: Open source Accounting/ERP
  105. Let that be your lesson by ahde · · Score: 2

    I hope the whole PGP fiasco convinces people why closed source is bad.

    I don't think anyone would question Phil Zimmermann's goodness and sincerity, but who ever thought back in the days that PGP would be bought out, backdoored, forced into an ugly business like McAfee, and closed down at the behest of the corporations and government the minute an excuse is provided?

    It could happen to you.

  106. What about trust? by Joseph+Vigneau · · Score: 1
    Key exchange is managed from within the chat windows. There is an option to send your public key to your "buddy" and it automatically inserts the key into their keychain.

    Unfortunately, this is a "weak-link" in a trust chain: how can you verify that key is actually owned by that person?

  107. Re:GPG user-friendliness is *essential* to securit by degradas · · Score: 1

    One of the best ideas I've read regarding this article. I have recently thought about using GnuPG, installed it, generated my key, tested it with my favorite mail reader (that's Kmail, by the way, and it works flawlessly with GnuPG), etc. So far, so good.

    But the greatest problem I face is that 90% of people I communicate with simply do not understand what PGP is and why they need to bother to use it. Hey, most people haven't even heard about PGP, let alone tried using it. I think we need more end user education about security and privacy issues in the first place. Of course, making encryption as easy as 2 mouse clicks and passphrase entering in most popular email clients wouldn't hurt either.

    Just my 2 cents.

  108. Q: Can GnuPG Deliver? by Anonymous Coward · · Score: 0

    A: Yes. Next question.

  109. PGP Freeware Source is available by moodboom · · Score: 2, Informative

    FWIW, NAI posted the source for PGP Freeware, for peer review purposes. It is still available from the MIT Distribution center for PGP. It's copyright NAI, of course, but it makes for a good read, if nothing else. IANAL, but I wouldn't think it would be illegal to peruse and learn. Certainly lots of integration tips to glean in there (Eudora, Lotus Bloates, LookOut Express, etc). No cut and pasting tho! :>

  110. This is _not_ "what next?" by Anonymous Coward · · Score: 0

    This is _not_ a question of "what next?"
    This is a question of "where should we have been years and years ago". There is no question but that PGP clearly sold out, and went closed-source, which is the death-toll of security software. GPG has been the clear choice for years. The fact that it takes the commercial death of PGP for Slashdot to advocate GPG shows how completely out of touch this other sell-out of a site actually is.

  111. You must be kidding (Re:ADKs) by Anonymous Coward · · Score: 0

    ADK? You must be kidding. It is a compromise in security, pure and simple. This "feature" _will_ be abused. And any product that has it (ie. PGP) and advertises itself as secure is being disingenuous.

  112. Wrong problem! by Anonymous Coward · · Score: 1, Insightful

    You are all focusing on the wrong problem.
    Yes, it's nice when everyone uses encryption, whether it's PGP or GPG or something else.

    But the real goal is not encryption but security. And the real problem is not this or that tool is not friendly enough to use, but that the concept of security is too complex for the average user.

    Make the average user aware of the need for security. Enlighten them as to the myriad ways they compromise their security daily and we will be making real progress.

    Then we can go on to the much more difficult problem of actually securely using public key crypto, which is not trivial no matter what idiot-proof front end you throw at them. Try to explain practical implications of the web of trust (no, PKIs are not the solution, they will be abused) or how to really keep one's private key secure. The average user will look at you as if you're from Mars.

    These educational barriers are the real hurdles we have to overcome. Crypto is one of the hardest things to use _correctly_, because you have to grok _security_.

  113. GnuPG "not quite there yet" by DaCool42 · · Score: 1

    I don't know what kinda crack that guy was smoking. GPG has been working quite well for me, and it is very simple to use for those folks that want "user-friendliness". Why would anyone want to use PGP when GPG is available?!

    --

    ----
    All of whose base are belong to the what-now?
  114. GPGMail works with OS X.... by netsrek · · Score: 1

    I use GPGMail, which is a plugin for OSX's Mail.app.

    All it requires is that you have gpg installed, which compiles cleanly. I use it every single day, and it works fine... it could do with a few more features, but it is easy to use, even for newbies, once they've had the basic principles of PGP explained to them....

    --

    i don't read slashdot anymore.
  115. Maybe it can deliver... by chasec · · Score: 1

    ...but the REAL question is, can it do so in 30 minutes or less?

    /me waits for his fr--
    Never mind.