Slashdot Mirror
Can GnuPG Deliver?
jso888 writes "After Network Associates decided to halt further development of PGP, I'm sure that many users like myself who use non-CLI platforms most of the time, wondered "what next?" (PGP Freeware is not an option, since it's tied into the Network Associates product). Salon today has a nice article on GnuPG, the Open PGP/GNU alternative. The article highlights one of the problems with Open Source software today: its "by the geek, for the geek" nature, which by and large places barriers to mass adoption of OSS, especially important capabilities like personal encryption. One of the nice things about NAI PGP was its ease of use and commercial polish. It was easy to install and use, and integrated nicely with Windows software like Eudora and ICQ. GnuPG, admittedly, isn't quite there yet, the article concludes. That's too bad; given the privacy-hostile world we live in, the last thing we need is another barrier to widespread cryptography adoption."
No one is building encryption or other security measures directly into products.
Encryption by itself is too difficult and esoteric for normal users. If you want to see it spread, make it easy to use and easy to understand.
How many of us actually have secrets to hide that we go to the bother of encrypting them with PGP any more though? I have only ever sent a few PGP e-mails before I figured it was too fiddly and time consuming to bother with.
Video Game cheats, hints a
The advantage, of course, is that if someone decides it's important to make GPG pretty, it will get done.
Interfacing isn't that hard. What sort of "easy to use" features would be desired in a personal encryption suite?
A graphic display? PerlTK can do that. Simple means to keep track of new keys? I don't know what features would be wanted here. Lets figure it out and write it. Open Source is all about fixing problems you percieve.
-il cylic
Defend Freedom
If you have an account at Mozilla's Bugzilla, vote for this bug here.
http://www.gnupg.org/frontends.html
:)
WinPT is quite good.
http://www.winpt.org/
But I've only found one "free software" package which is up to scrach with it's windows counterparts (in easy to install etc), and thats Apache Tomcat, and that needs some work.
Ahh well, maybe one day.
Wow, I should not post when knackered.
I use gnupg. Not a lot, but with a few people who have it set up right I can just exchange PGP messages without really doing anything, which is the way it must be.
I have tried many, many products to do PGP, and they all have problems. Even GPG with my favorite mailer had some fairly big setup hurdles. Fortunately once I cleared them it was relatively easy. I can only imagine that grandma is never going to use it at the current state of integration.
PGP functionality needs to work perfectly with mailers. You enter a pass phrase, and it just works. Until that happens the masses are not going to use PGP. This is imporant. If it were that easy, 90% of e-mail could be PGP encrypted, by default no questions asked. You can get there now, but only if you know a lot about PGP, and communicate with people in the same boat.
Windows Privacy Tray seems to be the best Windows GPG GUI, I use it as my PGP replacement at the moment. I also have Mozilla, which doesn't have such great PGP integration, so I relay through GPGrelay, which checks all incoming POP mail for PGP stuff, then decrypts and verifies or encrypts and signs behind the scenes. Mozilla only sees the mail after GPGrelay has dealt with it, so it's the closest I get to seamless integration. I don't have any problems with it.
--
"Everybody wants a rock to wind a piece of string around." - They Might Be Giants, "We Want a Rock"
Banks.
I talk to my bank quite a bit, have they ever asked to encript email messages, NO! Should they YES.
Same reason we need encription on http.
Also if everyone SIGNED there message (which I USED to do, untill I moved Endure) email born viruses would not exist (to the degree they do now, your'll still get some fool who opens unsigned email or will type there password when they should not)
Wow, I should not post when knackered.
I love GPG, I use it daily to decrypt PGP encoded files that I receive from several very large companies that I have as clients. It's evident there is a need for usable public encryption on the business level, and GPG/PGP works great for this.
As much as I like GPG, I don't use it for personal emails, however. I believe that S/MIME is a better system for encrypting personal emails, simply because support is already built into the major email clients (Netscape, Outlook Express) already. When there is a button built right into my friends email client, I have a much greater chance of getting them to use that feature, as opposed to having them download a new, seperate piece of software. Now if Evolution would just support S/MIME (they've been teasing me with that grayed out S/MIME panel), I'd be all set.
--It's Pimptastic!--
The UNIX mentality, as far as I can tell, has quite a bit to do with building modular, scriptible components. GPG is no exception-- it comes with TONS of switches, only a few of which are likely to be used on a regular bases.
While some people characterize this as "by geeks for geeks" I don't think that is really the case. Having an extensible, scriptible component makes it REALLY EASY to build whatever frontend you want with whatever capabilities you want, and it also means that one can have the same capabilities available from a script.
Now, I agree that GPG is not yet ready for widespread adoption, but it is not the open source or UNIX mentalities that are broken. The tool just needs some time to mature.
LedgerSMB: Open source Accounting/ERP
If you have a bugzilla account, head on over to
http://bugzilla.mozilla.org/show_bug.cgi?id=22687 and vote for what is probably the singles most popular bug there is. They need a framework which allows folks to plug in something like GPG at will. Plenty of work went into trying to get somewhere without any luck.
Uh, think 9/11. Think "encryption is only used for terrorism and illegal pornography." Think "there's a ph@t defense contract in it for you if you make that product go away."
write our own guis to interface with the command-line
While this is all well and good, it didn't seem to help in the face of Microsoft and Netscape going with S/MIME. Possible reasons for this choice are left as an exercise for the reader.
What do I regularly encrypt?
1: Financial information (bank acct transactions, credit card accounts, tax information, etc).
2: Information I need to get past the casual check (such as viruses I am analyzing for possible harm) so that my AV software or mailer won't balk at it.
3: Confidential business information.
Here is another application to Assymetric Encryption: Digital Signatures (basically encryption in reverse). I digitally sign all:
1: Confidential business information (also encrypted).
2: Security-related emails to people who depend on my security skills (and need to be able to trust that the email really came from me-- social engineering IS a real threat).
I also sign emails that contain attachments so that the reader knows that I knowingly sent them.
OK. So is this enough of a reason why Citizen Joe would need good strong public key encryption (note that symetric encryption like 3DES will NOT provide for digital signatures).
LedgerSMB: Open source Accounting/ERP
why should we not look for an improved alternative
Because encryption needs cooperation from both sender and receiver and is therefore subject to the 'critical mass' rule. People are going to be reluctant to move to new technologies because they won't be able to communicate with anyone until those people adopt too.
0xB
The article stringly infers that PGP (I use the NAI Freeware distro) does not work with OSX or WinXP. I can't speak to OSX, but I know that 6.5.8 works just fine with Windows XP Pro.
Ummm, err, say what, now?
I wanted to get some PGP licenses at work.
:) ).
Went on their website
It was so weirdly organized, I mean you could get a "single user" license, okay cool, "i need 10 of that" wrote down the price... sent an email to get a PO
Went back a few days after, couldn't find that product, felt on the desktop security thing for buisness, ok, 5x more, wrote down the price, went to get approval, came back a day or two later, price/license switch again... couldn't find the exact same thing that I saw the day before...I just dropped it (I don't have time to waste an hour or even minutes on a badly designed website that will make me swear and kill the next person asking me for support
That's ineffective E-Commerce, and I thought it was sometime hard to find a specific download or older bulletin on microsoft's web site (and google helping more than most websites's own search engine), but this was ridiculous, not to mention all the license type and so on. If I dropped it, a lot of people probably did the same. My question is, why the heck not having something CLEAR and a decent price list, why putting things in 5+ click deep or changing stuff left and right just so the bookmarks don't work anymore and have a nightmare to find that specific thing again?
They can blame the lack of sales, but they are to blame. I mean, when I go and buy a systemworks license (to name an example), I know the price for 1, I know the price for a 5 pack, it's clear, it's constant and they don't have a gazilion difference licensing of the same thing doing the same function exept worded differently thus giving you a different result at every searches if you change a space somewhere.
All this said, it's a shame that there are not many alternatives, the freeware version does the job but the problem is "it's not legit for buisness to run this", I wonder what will happen if the product isn't sold anymore... does it make it obsolete and unavailable thus legit to use the freeware version? it does the job on the windows platform at least.
--- Metamoderating abusive downgraders since my 300th post.
If people do not know what they are doing, they should not do anything on their computers that require any level of security.
If people do not know what they are doing, they have no way of knowing that something should require encryption, such as a credit card transaction online, etc. Ignorance does not beget caution!
LedgerSMB: Open source Accounting/ERP
The article highlights one of the problems with Open Source software today[...]
I can finish that sentence: "just because the writers at large popular online magazines can download something for free (and for Free), they feel that it's ok for them to bitch about how Open Source software isn't up to snuff, and yet they never try to make things better."
I'd bet he hasn't entered one "enhancement" bug report, reported one request to the mailing list, or done anything else to make gnupg better.
I work for a company whose product is open source. We have only so many developer hours to devote to feature enhancements. Guess which things get priority first? Either suggestions from support customers, or requests for features on our discussion list. If no one asks for it, it doesn't show up on our list of things to do.
Just because you can't code doesn't mean you can't contribute. Make docs, try to find bugs, make feature requests. Shut up or put your money where your mouth is.
WWJD? JWRTFM!!!
Sig: What Happened To The Censorware Project (censorware.org)
I use it to encrypt/decrypt files I don't want others to read. .
And it's quite easy: gpg -c and -d
First off we sometimes use PGP for file transfers at work. We get census data, 401kdata, lots of data with special numbers in it that people should never see. Why do we use PGP at all? Because most of the older large institutions move like the slow behomths they are. They take forever to evaluate something, much less actually roll it out. Commericial PGP was great because it gave us somewhere to point these people who still require us to allow FTP for these files and other early/mid 90s transfer methods. The commercial site offered a nice packaged product, but more importantly, SUPPORT. Support is key to large companies, they buy it for everything, regardless of need.
Now why the decline? Thanks to the widespread usage of SSL and now SSH we have convinced many of these old guard companies to go with real time data that is sent over SSL connection or through SSH tunnels (or even with scp). This is great! No more pesky FTP around. Easy key management. Easy to setup and watch. Sure the data isn't as secure in transit but really if it is secure enough to give this user the data, it is secure enough to transfer it with. Of course the best thing about realtime data is we can throw it away instantly meaning there is nothing laying around for the average village idiot script kiddie to pick up.
The only downside is we have some users that actually SCP PGP encrypted files over to us. It will be a shame when that type of security has to go away because they will dump PGP the second they can't purchase support for it.
--- I do not moderate.
Why can't you just continue to use PGPFreeware 7.02 (whatever the latest is?) It's not like they can stop you from using it. Unless it gets "broken" somehow (I doubt it).
Epicware's Fire for Mac OS X has well integrated PGP support (via the GPGME Framework for Mac OS X). It supports the usuall slew of services (AIM, ICQ, etc). It's GPLed and works quite nicely (though, not quite as nice a client as Adium, which unfortunately doesn't support encrypted communications yet...)
All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
GnuPG functionality is available for Mozilla through the Enigmail plugin. It finally made it out of development and is apparently ready for production use. You'll need Mozilla 0.9.9.
All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
Surely there must be more reasoning behind the "(PGP Freeware is not an option, since it's tied into the Network Associates product)." qoute.
I have actually just installed PGP 7 Freeware on my NT4/Win2000 box, and was a bit worried when I saw that qoute.. I want PGP 7 Freeware to be secure. Is it not so?
Can somebody please explain ?
I will probably get moded down to -50 Troll or Flamebait for this but here it goes....
Open Source has many problems but "by the geek for the geek" is NOT one of them. For some reason people seem to think that Open Source exists to serve the greater of humanity, and end human strife, etc.....(Whatever noble cause you can think of) But Open Source software is not primarily "by the geek for the geek".
It is primarily "by the geek for him/herself". The reason that there are not a bunch of pretty GUI front-ends that really wow people is because the people who code them don't need/want a GUI front-end.
If people want pretty front-ends then they should code them themselves.... It is easy to stand back and lambast the Open Source community for not being more user friendly but I have a news flash for ya.
Most Open Source developers don't care.... Open Source is about coding: what you want. Build a front-end yourself.
OSS developers code for fun, for their own sense of accomplishment, and for personal use.
As far a "mass adoption", If people are too lazy to spend the time to work through and figure out a CLI then too bad for them. If your privacy is really that important to you then you will have to "tough it out" like the rest of the geeks.
My
I finished a W2K upgrade to all desktops in 2001. The schedule is that we don't do anything till 2005. I've already verified that I can use pgp in outlook to encrypt something that gpg from the shell can decrypt. Though I like the NA product, if they're done, they're done, and I have something workable for 3 more years, after which I'll just switch to a gpg infrastructure. End of problem.
The problem isn't S/MIME per se. Anyone who can use OpenPGP libraries can easily use S/MIME, and vice versa. The problem is Outlook, pure and simple.
I don't remember the details, but it's been discussed on the OpenSSL lists recently. Outlook has totally dropped the ball on multi-part S/MIME messages. Because they're the 800-pound special-ed gorilla their incompetence means that few people are interested in using correctly working multi-part S/MIME tools that can't interoperate with the majority of people, while the coders understand how much damage is being done by the broken Outlook implementation and refuse to be involved in any effort that gives it credence.
I'm rarely see black hats hiding in shadows, but this is one of those exceptions. It's too easy to imagine some spook taking advantage of the fact that MS can kill the market for secure communications, while ensuring that the tools are still available for their users.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Many, if not most, Linux apps are by-geeks-for-geeks, and there's nothing wrong with that. Can't configure sendmail? RTFM. HOWEVER, GPG is an exception. Why? Because your security is only as good as that of the person you're communicating with. GPG is useless if you have mastered its arcane commands, but none of the people you know can encrypt or decrypt messages.
GPG is different because, unlike most software, it's not something you use by yourself. Crypto is something you must use in concert with other people, and not just other geeks, but possibly your boss, clients, family, etc. This isn't just by-us-for-us: for once, it MATTERS what other people think of the software. Therefore, an easy-to-use interface is not just a matter of aesthetics, it's an essential feature -- and since it's the only way to facilitate widespread adoption of crypto, anything else is a security hole.
Cheers,
IT
Power corrupts. PowerPoint corrupts absolutely.
> Uh, think 9/11. Think "encryption is only used for terrorism and illegal pornography."
/., but it will *always* look suspicious due to both timing and unbelievably short notice.
/., who get busted for writing anti-globalization websites or for other minor matters.
> Think "there's a ph@t defense contract in it for you if you make that product go away."
*Exactly*. This isn't the first, either--far more suspicious was the untimely death of the ZKS' Freedom Network, which the respected founder insisted was planned before 9/11, but which was never announced until a a short time after 9/11 and which left users with practically no advance notice. One suspects that either the founders of the Freedom network got a good talking to with some sticks and carrots, or they got worried that theyr network was or could be used by terrorists, and shut it down out of "conscience." A rebuttal was even posted here on
Encryption for the masses is exactly what the U.S. government doesn't want, because it would render their unbelievably involved Carnivore/Echelon/UKUSA electronic eavesdropping network useless if we all started seamlessly using PGP or encrypting all our traffic through Freedom servers.
It is, however, the only way we can guarantee our Constitutional rights to privacy and freedom of expression in the electronic aether. It will always be trivial to the dedicated criminal or terrorist to communicate covertly over the Net, no matter how many carnivorous hubs may be weeding through traffic. It's the little guys caught in the crossfire we have to worry about--the kind of guys who are posted about every couple of weeks on
Face it: governments *always* want more power, and when unchecked they take it. That's why our system was deliberately created with a lot of checks and balances to impose a sort of "gridlock" to prevent sudden sweeping changes to governmental authority. 9/11 removed those deliberate obstacles and got everyone working together to impinge our freedoms with USA/PATRIOT and the FBI's larger scope for its surveillance projects and busts. People really need to start considering getting encryption integrated into everything they can, seamlessly, before they're no longer allowed to. Don't think it couldn't happen--the likelihood of the Court allowing various limited encryption bans does have a correlation with the number of people using encryption...
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
Ech.
Some great concepts but still a cranky idiosyncratic bastard of a program. Trivial to use? Sure, after reading far too many poorly written manual pages. Easy to interact with? When it didn't hopelessly mangle what it was supposed to secure (we didn't want one-way!) Integrated - as long as you didn't do this or that or...
Look, you want a well integrated NAI program look at how NAV interacts with Outlook. Yeah it's a big pig and lots of folks hate it but to the user it's *not an issue*. It scans for nasties. It scans incoming & it scans outgoing. It can be configured with a few clicks in a clean interface written in simple language. It just works.
Personally I ask any ambitious developer to take the same strategy NAI does for NAV and don't try to build yourself into the apps and instead become a proxy. I'd love a local PGP proxy app that my mail could go through. The only interface I'd need would be a tiny plug-in to set a header on messages for the proxy to read and act on. That sort of plugin should be simple enough to write for all of the popular email apps, let the engine remain consistant across everything.
With how to talk to the engine simplified then the effort can be moved to making PGP as an installation easier, more intuitive, and less of a jerk. For one thing default to a minimal install, go the install-on-demand route if need be, but DON'T dump a half-dozen applications into a system by default. Firewalls and VPNs are lovely but make sure the customer knows what they're getting into first, leave it as a second phase install by default. Plug-ins? Drop folks to a web-page where plugs for each app can be listed. Include some default plugs in the install for the most common uses but still encourage the ambitious to check out the newer/more featureful/not-in-the-distrib versions.
Finally, why isn't there yet a standard for PGP-certifying and/or encoding web-pages?
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
http://community.wow.net/grt/qdgpg.html
http://community.wow.net/grt/nsdpgp.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Umm, PGP isn't *exactly* closed-source--only the latest versions 7.x truly are. Up through 6.5.8 the source is available free for non-commercial use according to its own license. http://www.pgpi.org/ for details and source code. In fact, most PGP fans don't use version 7 precisely because the code hasn't been released and reviewed yet, while many of the earlier builds have undergone a good deal of scrutiny.
In fact, there are several unofficial forks. I myself use 6.0.2ckt Build 07 from http://www.ipgpp.com/ , which seems to be popular with a lot of folks. The real hardcore PGP zealots are still using 2.6.x branches. Personally, I have no idea what the submitter of the story was thinking when he used that phrase. Most PGP users will continue to use PGP, and if bugs are found they will be fixed, just as the unofficial 6.0.2ckt version has gone through 7 build releases as has 6.5.8ckt. If a bug is found, someone will fix it, no problem.
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
I sign nearly all of my outgoing emails, but seriously, encryption will remain a geek toy until AOL or another big player decides to provide public key infrastructure (PKI, keys signed by eidey trusted authorities, or sufficiently many people that are minimally seperated from you) for its users. There are plenty of GUI encryption email clients out there. I believe there's a GPG plugin for Eudora. However, finding your friend's public key is hte big problem right now. Once everyone's ISPs ste[ in and sign the user's keys and proide key servers, then signed and encrypted email will be the norm. After a short bit, you will be able to filter out SPAM by doing good checks on signatures, or prosecuting those spammers that actually sign their emails with valid and registered keys. Encryption will also greatly increase CPU demands for mass emailing. This is why ISPs will like crypto: it deters spam and reduces thier bandwidth requirements. The big question is: how long will it take for a major ISP to start providing PKI.
Key generation isn't hard. Once AOL starts signing all of their users' public keys, then it will be common practice for you email client to go the all of the recipients' ISPs, verify their Verisign certificate, and verify theirsignature on the user's public key, then encrypt everything at transmit time.
Key generation isn't all that tough. Nearly everyone trusts Verisign.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
> I use KMail; it has very nice GnuPG integration,
p ment.en.htmlo pment.de.htmle gypten/
> the only missing feature is for *it* to go through
> and encrypt my attachments instead of making me do it.
I use kmail, too and this lack of total encryption has bothered me, too. kmail ATM only signs the text of the mail itself.
BUT, thanks to the German sponsored project AEGYPTEN, the next version of kmail will have openpgp specified mime multipart encryption and also full S/MIME support. [And also LDAP support and so on, mutt will get S/MIME support out of this.]
By the next version I mean KDE3.1, which will be there end of summer.
You can already check out the AEGYPTEN branch of kdenetwork:
http://www.gnupg.org/aegypten/develo
http://www.gnupg.org/aegypten/devel
ftp://ftp.gnupg.org/gcrypt/alpha/a
Moritz
Here is the gpg Outlook plugin, German and English version:
http://www3.gdata.de/gpg/download.html
Moritz
The thing is, good programs are extensible because they just provide the core of doing things the right way. So does gpg. In easiest form, it can create keys and it can en/decrypt data.
This is what it does and that it does well.
Now, if you want bell and whistles, go find a software that you like and ask nicely the authors to include support for gpg.
For example, ive used gpg for allmost a year now, since gpg support was first published in Evolution mailer. I created my keys (3 commands, i have 3 emails and i wanted to use different keys), and put the date into Evolution. Since that day, i havent invoked gpg directly at all. I have some gui tools to import/scan keyservers for keys that im missing and evolution itself does the rest. So, in my eyes, gpg is as good as it can get.
yush
The german government(!) is sponsoring a project to use GNUPG. Details (Achtung! German!) can be found here:
0 91 -eng.exe
http://www.gnupp.de/start.html
Roughly translated:
Security for e-mail, e-commerce and e-government. The goal of this project is to deliver free encryption software that's easy to use.
The fun thing is this:
http://www3.gdata.de/gpg/download.html
and if you don't understand those strange words, you can download here:
http://gdataspace.de/download/gpg/GDATA_plugin_
This is an Outlook-Plugin for GnuPG. Using this plugin GNUPG is easy as 1-2-3.
HTH
Jan Wildeboer
Go to www.gnupp.org, home of the GNU Privacy Project. GnuPP is (currently) only for Windows and consists of an easy installer for GPA, GPG and WinPT. This is being sponsored by the German government (like GnuPG itself too), fully GPL'ed, and at least for us Germans, there's a good manual available from the Wirtschaftsministerium too. Anybody can order it for _free_. They gave printed documentations including an installer CD away for free at CeBIT. Anybody who can get this, should. The page there is still in German, but there's an english version of GnuPP too.
Often people say that "GPG needs a frontend before non-geeks can use it". That point is probably true, but even though NAI PGP has had a "mature" GUI based front end for several revisions, normal users are still incapable of getting their head around creating keys, the difference between public and private keys, the difference between signing and encryption etc etc.
A usability study was undertaken by researchers at Carnegie Mellon in which they found that virtually 0 non geeks managed to use PGP successfully anyway.
Sure, OpenPGP based programs need to achieve better reach, but simply copying the NAI PGP design won't achieve this goal....
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
I'm one of those many recent OS X converts who just bought my first Mac, after years of having used Unix and Windows.
PGP is something I've played with over the years, like a lot of geeks, but never used religiously. But I decided a few months ago that it was something I should start using regularly, so I sought out a mail client with built-in PGP (or variant) support. I found a neat little (non-free) Windows e-mail client called The Bat! (that's their exclamation point, not mine), which had not only built-in support, but you can configure it to use PGP, GnuPG, and even their own OpenPGP implementation. That and many other cool features persuaded me to buy that e-mail client, after which time I decided to throw the switch and begin signing all e-mail that I send.
Along the way I discovered WinPT (Windows Privacy Tray), which is a decent little frontend for GPG. Remember, GPG is a backend -- how you interface with it is up to you.
The came my Titanium PowerBook. I got it for all the reasons mentioned around Slashdot and elsewhere, but I didn't really expect to find cool things like a good GPG frontend, let alone e-mail with GPG support. Boy was I wrong! I went to the GPG site and found a link to the Mac GPG site, which ports GPG to OS X. Not only the backend, but a frontend that integrates with the "Finder" (that's Mac-speak for the "Explorer" equivalent), right in the "Services" menu (which is much like the global right-click menu in Windows Exploror.
But that's not all! I saw further down on the same page that somebody else has written an extension to the OS X default mail client (which ain't as bad as you might think) that provides very good GUI GPG support for mail.
So, even though switching over to the Mac isn't the easiest thing in the world (I say that as I sit here typing on my Windows machine for reasons I won't go into), I can say that GPG is among the least of my problems.
RP
Oh, I forgot to mention....
There's also a great little instant messaging client available for OS X (called Fire) that connects you to all the major services at once, and it has built-in GPG support. And very good support, too.
I'm not yet to the point that I feel I need to either sign or encrypt my instant messages, but that time may come, and it's nice to know that Fire is ready.
RP
I have WinPT on my corporate Windows desktop: http://www.winpt.org/
I can now use GPG encryption with anything that can cut/paste.
There are similar frontends for Linux/Gnome/KDE etc.
Deleted
...only most people are too blind to notice.
Timo Schultz's WinPT is an all-in-one encryption frontend which sits in the system tray and does EVERYTHING. Even safely wipes data from the drive. And for convenience, he has an Outlook Express plugin (which works!) and a Windows Explorer plugin (which I don't need and thus haven't tried yet).
Give it a try and see...
http://www.winpt.org
We should be able to link that program in to mail readers, web browsers, databases, all kinds of things, but none of that is possible to do easily because it needs to run as a separate program.
What's wrong with creating a library that interacts with gnupg through a pipe or other method of IPC? That's what (e.g.) X11 does: apps talk to xlib, which marshals calls to the X server.
Will I retire or break 10K?
you should check out this message w.r.t. S/MIME support in outlook. it doesnt leave me with a warm fuzzy feeling inside.
-- john
So I stand by my characterization of the "by geeks for geeks". Switch that phrase to "by lusers for lusers", and hey presto, you're criticizing Windblows.
;)
hehe... Well said (in terms of attitudes), but IMO bloatware is a result of trying to create rapid application development environments, not bad code (which is why GNOME and KDE are so "bloated." Not that this is bad. Interestingly, the gazillion switches serve the same purpose-- providing for the rapid development of other programs.
You -- the Slashdot crowd "you", not the "einhverfr" you -- extol the virtues of "anyone" being able to put together a front end on top of the actual encrypt/decrypt model. Well, that's not what Joe in accounting is willing or able to do. You -- again, the Slashdot crowd "you" -- talk about the importance of encryption evangelization. Well, Joe in accounting thinks it's a pretty good idea, but can't for the life of him figure out what he needs to do to sign his Eudora-sent email in the first place.
One thing that my experience in open source software has taught me is that given sufficient time, anything that can be done will be done, whether or not it is a "Good Idea." Think video games that run as LILO splash screens, etc. The idea is that if it is easy for enough people (not everyone), someone will do it because they will want to see it done. But this does take time.
As for evangelization of encryption, I completely agree that there is a need for it, but it is a very difficult thing to do right. Encryption needs to be explained so that everyone can understand it. It does not do enough to say "You Too Should Use Encryption!" One must state why encryption is important, starting with e-commerce, and eventually explain the basics of how it works (so users don't, say, give someone else their private key). And it needs to be in plain English (or whatever vernacular).
I have had occasion to read technical manuals for software from 10 or 15 years ago, and I have always been struck at the QUALITY of the documentation-- it is accessible, technical, and concise. The SCO Unix Administration and Installation Guide (from 1994) started with something like
"Before you begin you should know: How to turn on your computer, how to reset your computer, and how to insert floppy disks into the floppy drive. If you are unsure how to do any of these things, please check your hardware documentation."
And it went of to eventually discuss filesystem maintenance, system security, etc. (even going so far as to give some fairly technical insight into the inner workings of the filesystem). But it was intelligable to someone who wanted to learn, and the book was all of 300 pages.
I credit the fallen state of tech docs to the rise of computer professionals as a large and dominating community-- it is as if we have frogotten how to talk to novices.
What we need to do is come out of our shell and learn how to explain these concepts to our parents and our grandparents, whether or not they have ever seen a computer. I am always amazed at how easy these things are to understand if someone explains them correctly.
OK. Maybe I will have to write a short intro to encryption for laypeople
LedgerSMB: Open source Accounting/ERP
I hope the whole PGP fiasco convinces people why closed source is bad.
I don't think anyone would question Phil Zimmerman's goodness and sincerity, but who ever thought back in the days that PGP would be bought out, backdoored, forced into an ugly business like McAffee, and closed down at the behest of the corporations and government the minute an excuse is provided?
It could happen to you.
FWIW, NAI posted the source for PGP Freeware, for peer review purposes. It is still available from the MIT Distribution center for PGP. It's copyright NAI, of course, but it makes for a good read, if nothing else. IANAL, but I wouldn't think it would be illegal to peruse and learn. Certainly lots of integration tips to glean in there (Eudora, Lotus Bloates, LookOut Express, etc). No cut and pasting tho! :>