Slashdot Mirror
Can GnuPG Deliver?
jso888 writes "After Network Associates decided to halt further development of PGP, I'm sure that many users like myself who use non-CLI platforms most of the time, wondered "what next?" (PGP Freeware is not an option, since it's tied into the Network Associates product). Salon today has a nice article on GnuPG, the Open PGP/GNU alternative. The article highlights one of the problems with Open Source software today: its "by the geek, for the geek" nature, which by and large places barriers to mass adoption of OSS, especially important capabilities like personal encryption. One of the nice things about NAI PGP was its ease of use and commercial polish. It was easy to install and use, and integrated nicely with Windows software like Eudora and ICQ. GnuPG, admittedly, isn't quite there yet, the article concludes. That's too bad; given the privacy-hostile world we live in, the last thing we need is another barrier to widespread cryptography adoption."
No one is building encryption or other security measures directly into products.
Encryption by itself is too difficult and esoteric for normal users. If you want to see it spread, make it easy to use and easy to understand.
If you have an account at Mozilla's Bugzilla, vote for this bug here.
The point isn't whether you have secrets now, it's whether you'll ever have secrets. If you only send one encrypted email, and "someone" is watching, they know to devote all of their effort to breaking that one message. It's not a matter of "having secrets to protect", it's a matter of ideologically being a thorn in the side of people who want to be able to read your email.
The other point is that it's better to use encryption because you can. It's like always using ssh, instead of "just when you don't want someone to snoop your connection". Use encryption all the time, because protecting your privacy is always a good thing.
-il cylic
Defend Freedom
I use gnupg. Not a lot, but with a few people who have it set up right I can just exchange PGP messages without really doing anything, which is the way it must be.
I have tried many, many products to do PGP, and they all have problems. Even GPG with my favorite mailer had some fairly big setup hurdles. Fortunately once I cleared them it was relatively easy. I can only imagine that grandma is never going to use it at the current state of integration.
PGP functionality needs to work perfectly with mailers. You enter a pass phrase, and it just works. Until that happens the masses are not going to use PGP. This is imporant. If it were that easy, 90% of e-mail could be PGP encrypted, by default no questions asked. You can get there now, but only if you know a lot about PGP, and communicate with people in the same boat.
The UNIX mentality, as far as I can tell, has quite a bit to do with building modular, scriptible components. GPG is no exception-- it comes with TONS of switches, only a few of which are likely to be used on a regular bases.
While some people characterize this as "by geeks for geeks" I don't think that is really the case. Having an extensible, scriptible component makes it REALLY EASY to build whatever frontend you want with whatever capabilities you want, and it also means that one can have the same capabilities available from a script.
Now, I agree that GPG is not yet ready for widespread adoption, but it is not the open source or UNIX mentalities that are broken. The tool just needs some time to mature.
LedgerSMB: Open source Accounting/ERP
Uh, think 9/11. Think "encryption is only used for terrorism and illegal pornography." Think "there's a ph@t defense contract in it for you if you make that product go away."
write our own guis to interface with the command-line
While this is all well and good, it didn't seem to help in the face of Microsoft and Netscape going with S/MIME. Possible reasons for this choice are left as an exercise for the reader.
why should we not look for an improved alternative
Because encryption needs cooperation from both sender and receiver and is therefore subject to the 'critical mass' rule. People are going to be reluctant to move to new technologies because they won't be able to communicate with anyone until those people adopt too.
0xB
I wanted to get some PGP licenses at work.
:) ).
Went on their website
It was so weirdly organized, I mean you could get a "single user" license, okay cool, "i need 10 of that" wrote down the price... sent an email to get a PO
Went back a few days after, couldn't find that product, felt on the desktop security thing for buisness, ok, 5x more, wrote down the price, went to get approval, came back a day or two later, price/license switch again... couldn't find the exact same thing that I saw the day before...I just dropped it (I don't have time to waste an hour or even minutes on a badly designed website that will make me swear and kill the next person asking me for support
That's ineffective E-Commerce, and I thought it was sometime hard to find a specific download or older bulletin on microsoft's web site (and google helping more than most websites's own search engine), but this was ridiculous, not to mention all the license type and so on. If I dropped it, a lot of people probably did the same. My question is, why the heck not having something CLEAR and a decent price list, why putting things in 5+ click deep or changing stuff left and right just so the bookmarks don't work anymore and have a nightmare to find that specific thing again?
They can blame the lack of sales, but they are to blame. I mean, when I go and buy a systemworks license (to name an example), I know the price for 1, I know the price for a 5 pack, it's clear, it's constant and they don't have a gazilion difference licensing of the same thing doing the same function exept worded differently thus giving you a different result at every searches if you change a space somewhere.
All this said, it's a shame that there are not many alternatives, the freeware version does the job but the problem is "it's not legit for buisness to run this", I wonder what will happen if the product isn't sold anymore... does it make it obsolete and unavailable thus legit to use the freeware version? it does the job on the windows platform at least.
--- Metamoderating abusive downgraders since my 300th post.
The article highlights one of the problems with Open Source software today[...]
I can finish that sentence: "just because the writers at large popular online magazines can download something for free (and for Free), they feel that it's ok for them to bitch about how Open Source software isn't up to snuff, and yet they never try to make things better."
I'd bet he hasn't entered one "enhancement" bug report, reported one request to the mailing list, or done anything else to make gnupg better.
I work for a company whose product is open source. We have only so many developer hours to devote to feature enhancements. Guess which things get priority first? Either suggestions from support customers, or requests for features on our discussion list. If no one asks for it, it doesn't show up on our list of things to do.
Just because you can't code doesn't mean you can't contribute. Make docs, try to find bugs, make feature requests. Shut up or put your money where your mouth is.
WWJD? JWRTFM!!!
First off we sometimes use PGP for file transfers at work. We get census data, 401kdata, lots of data with special numbers in it that people should never see. Why do we use PGP at all? Because most of the older large institutions move like the slow behomths they are. They take forever to evaluate something, much less actually roll it out. Commericial PGP was great because it gave us somewhere to point these people who still require us to allow FTP for these files and other early/mid 90s transfer methods. The commercial site offered a nice packaged product, but more importantly, SUPPORT. Support is key to large companies, they buy it for everything, regardless of need.
Now why the decline? Thanks to the widespread usage of SSL and now SSH we have convinced many of these old guard companies to go with real time data that is sent over SSL connection or through SSH tunnels (or even with scp). This is great! No more pesky FTP around. Easy key management. Easy to setup and watch. Sure the data isn't as secure in transit but really if it is secure enough to give this user the data, it is secure enough to transfer it with. Of course the best thing about realtime data is we can throw it away instantly meaning there is nothing laying around for the average village idiot script kiddie to pick up.
The only downside is we have some users that actually SCP PGP encrypted files over to us. It will be a shame when that type of security has to go away because they will dump PGP the second they can't purchase support for it.
--- I do not moderate.
Why can't you just continue to use PGPFreeware 7.02 (whatever the latest is?) It's not like they can stop you from using it. Unless it gets "broken" somehow (I doubt it).
One day someone receives an email from his parents, asking for urgent money transfer because of some disaster; the bank account is provided. The guy goes to the bank and transfers almost all he has.
A week later this person might be very upset that he did not demand a digital signature on the email because his parents never sent him any requests for money, are in perfect health and have no idea whose bank account it was...
> Uh, think 9/11. Think "encryption is only used for terrorism and illegal pornography."
/., but it will *always* look suspicious due to both timing and unbelievably short notice.
/., who get busted for writing anti-globalization websites or for other minor matters.
> Think "there's a ph@t defense contract in it for you if you make that product go away."
*Exactly*. This isn't the first, either--far more suspicious was the untimely death of the ZKS' Freedom Network, which the respected founder insisted was planned before 9/11, but which was never announced until a a short time after 9/11 and which left users with practically no advance notice. One suspects that either the founders of the Freedom network got a good talking to with some sticks and carrots, or they got worried that theyr network was or could be used by terrorists, and shut it down out of "conscience." A rebuttal was even posted here on
Encryption for the masses is exactly what the U.S. government doesn't want, because it would render their unbelievably involved Carnivore/Echelon/UKUSA electronic eavesdropping network useless if we all started seamlessly using PGP or encrypting all our traffic through Freedom servers.
It is, however, the only way we can guarantee our Constitutional rights to privacy and freedom of expression in the electronic aether. It will always be trivial to the dedicated criminal or terrorist to communicate covertly over the Net, no matter how many carnivorous hubs may be weeding through traffic. It's the little guys caught in the crossfire we have to worry about--the kind of guys who are posted about every couple of weeks on
Face it: governments *always* want more power, and when unchecked they take it. That's why our system was deliberately created with a lot of checks and balances to impose a sort of "gridlock" to prevent sudden sweeping changes to governmental authority. 9/11 removed those deliberate obstacles and got everyone working together to impinge our freedoms with USA/PATRIOT and the FBI's larger scope for its surveillance projects and busts. People really need to start considering getting encryption integrated into everything they can, seamlessly, before they're no longer allowed to. Don't think it couldn't happen--the likelihood of the Court allowing various limited encryption bans does have a correlation with the number of people using encryption...
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
I sign nearly all of my outgoing emails, but seriously, encryption will remain a geek toy until AOL or another big player decides to provide public key infrastructure (PKI, keys signed by eidey trusted authorities, or sufficiently many people that are minimally seperated from you) for its users. There are plenty of GUI encryption email clients out there. I believe there's a GPG plugin for Eudora. However, finding your friend's public key is hte big problem right now. Once everyone's ISPs ste[ in and sign the user's keys and proide key servers, then signed and encrypted email will be the norm. After a short bit, you will be able to filter out SPAM by doing good checks on signatures, or prosecuting those spammers that actually sign their emails with valid and registered keys. Encryption will also greatly increase CPU demands for mass emailing. This is why ISPs will like crypto: it deters spam and reduces thier bandwidth requirements. The big question is: how long will it take for a major ISP to start providing PKI.
Key generation isn't hard. Once AOL starts signing all of their users' public keys, then it will be common practice for you email client to go the all of the recipients' ISPs, verify their Verisign certificate, and verify theirsignature on the user's public key, then encrypt everything at transmit time.
Key generation isn't all that tough. Nearly everyone trusts Verisign.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Often people say that "GPG needs a frontend before non-geeks can use it". That point is probably true, but even though NAI PGP has had a "mature" GUI based front end for several revisions, normal users are still incapable of getting their head around creating keys, the difference between public and private keys, the difference between signing and encryption etc etc.
A usability study was undertaken by researchers at Carnegie Mellon in which they found that virtually 0 non geeks managed to use PGP successfully anyway.
Sure, OpenPGP based programs need to achieve better reach, but simply copying the NAI PGP design won't achieve this goal....
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
The front end doesn't solve the problem that *corporate* users face.
GnuPG doesn't support ADKs (additional decryption keys). A lot of people don't LIKE the whole idea of ADKs. But look at it calmly. I would NOT have an ADK in my personal PGP key under any circumstances. But the PGP key I use for work - that has a designated revoker (so if I'm sacked the key can be revoked without my cooperation), and an ADK that *requests* (it cannot enforce) that items encrypted to my work PGP key can be read by one of our Corporate PGP keys (whose use is very highly controlled - and is held split anyway).
I have encrypted disk partitions - but if I'm hit by a bus, the Corporate disk ADK can recover the data that belongs to the business.
GPG doesn't inherently support key splitting, or disk partition encryption. The key splitting allows proper auditable control over particularly powerful keys. For example, our Root Corporate Signing Key is split amongst 8 trustworthy people and at least 4 of those 8 must cooperate to bring that key together for use.
GPG is great, but it won't replace PGP in the Corporate setting (where it is used a lot more than you might expect...) even WITH a nice frontend until it can support such features. I look forwards to the time when it does!
A business cannot risk losing access to data which is encrypted, so these facilities are required.
You are all focusing on the wrong problem.
Yes, its nice when everyone uses encryption, whether its PGP or GPG or something else.
But the real goal is not encryption but security. And the real problem is not this or that tool is not friendly enough to use, but that the concept of security is too complex for the average user.
Make the average user aware of the need for security. Enlighten them as to the myriad ways they compromise their security daily and we will be making real progress.
Then we can go on to the much more difficult problem of actually securely using public key crypto, which is not trivial no matter what idiot-proof front end you throw at them. Try to explain practical implications of the web of trust (no, PKIs are not the solution, they will be abused) or how to really keep one's private key secure. The average user will look at you as if you're from Mars.
These educational barriers are the real hurdles we have to overcome. Crypto is one of the hardest things to use _correctly_, because you have grok _security_.