Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phil Zimmerman and PGP at CNN.com

Posted by CmdrTaco on from the stuff-to-encrypt dept.

rick_campbell writes "CNN is carrying an article about Phil Zimmerman and the fact that Network Associates is dropping support for the commercial version of Pretty Good Privacy. The article includes a little bit of Phil's take on the situation, a little history and some discussion of why this happened and what alternatives exist."

14 of 141 comments (clear)

  1. PGP can be saved by lw54 · · Score: 5, Informative
    PGP inventor Phil Zimmermann says PGP can be saved, and has outlined how in this interviw.

    "Anyone interested in helping should contact me," he added.

  2. All these interviews and headlines by joshtimmons · · Score: 5, Funny

    Can't we just give the poor guy a little privacy?

    That's all he wants.

  3. Cool information on article by fabiolrs · · Score: 4, Funny

    "But so far, PGP is limited primarily to niche markets, like human rights and organized crime -- authorities say mob suspect Nicodemo S. Scarfo Jr. used it to encode gambling records."

    Nice, nice! :)) I never knew they were SO organized!!

    --
    Fabio - Sumare/Sao Paulo/Brazil/South America/Earth/Solar System/Milky Way/Universe
    http://www.morroida.com.br
  4. As someone who should know better, by cbensinger · · Score: 5, Interesting

    I looked at PGP a while back and actually installed it. Unfortunately -- and perhaps because of my own carelessness -- it started causing issue(s) with my network connection and I ended up removing it. As the person responsible for the web/email servers where I work I know first hand how unsecure and public email is; yet I've not found a solution that I'm comfortable using. PGP seemed (at least to my knowledge) to be the most widespread, but even at that I couldn't name 3 people who I regularly exchange emails with who use it -- in fact I'm not sure if I could name anyone other than my wife who did. The only way I could ever see something like this widespread were if it were integrated into Outlook/Outlook Express/AOL/etc. and I don't see that happening. :(

    1. Re:As someone who should know better, by cduffy · · Score: 4, Insightful

      That would be an issue with the IPsec adapter included with NAI's product. It's a separate and disablable component -- and GnuPG has nothing like it, so you need not fear any problems stemming from use of the latter product.

      Plugins exist for Outlook integration, FYI.

  5. The End User Still Doesn't Care by Greyfox · · Score: 5, Interesting
    The biggest problem is the end user just doesn't care about E-mail security. You'd think with corporate privacy concerns and all that crap that they'd at least look into the technology.

    I was talking to a company about orders the other day and one of the ways you could place an order with them was to E-Mail them your credit card number. I told them I wasn't sending my credit card number over the open internet and asked if they had a PGP key I could encrypt to. They had no idea what I was talking about. After that I wasn't particularly willing to entrust my credit card number to them at all...

    The old US Crypto regulations did a pretty good job of stunting crpto-enabled mailers in the US, too. Since you couldn't export encryption or even an "Encryption enabling API" there wasn't a lot of integration work going on. Sure you could get a set of scripts to use PGP or GPG with Pine, Mutt or XEmacs, but most of the people using those mailers didn't even go to the effort. We won't even go into the happy fun GUI mailers that Joe Average User wants to use. PGP did do a good job of integrating into Outlook, at least.

    The upshot of all that is I think it'll be a long while before encrypted E-mail is the norm.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:The End User Still Doesn't Care by Lumpy · · Score: 5, Interesting

      GPG integrates to Outlook, Slypheed(linux GTK email client that BLOWS AWAY KDE mail) and I believe there's even a pegasusmail plugin now.

      It makes signing and encrypting AND decrypting email pretty darn easy. If a user cant figure it out today they need to be beaten over the head with the keyboard... the HARDEST thing about GPG is creating your own private key.

      --
      Do not look at laser with remaining good eye.
    2. Re:The End User Still Doesn't Care by -tji · · Score: 5, Insightful

      No, the problem is that it is still too difficult to use secure e-mail.

      If they select a check box to "Secure E-Mail" when sending e-mail to someone, and the details of how it happened were hidden, people would do it.

      But, if it requires you to exchange keys with someone & manually manage the process, only the techies will do it.

      It's a tough nut to crack.. To do it right, you need a trusted authority to manage identities & keys. I don't see any sign of this happening.

    3. Re:The End User Still Doesn't Care by no_l0gic · · Score: 5, Interesting

      "They had no idea what I was talking about. After that I wasn't particularly willing to entrust my credit card number to them at all..."

      I used to carry the same sentiment, complaining if a merchant provided no "secure" means of credit card information transfer.

      The problem is that although email may be a much less secure method of transfer than other commonly accepted means, the generally accepted methods are almost as insecure.

      e.g. - when you patronize the local drive through, realize you don't have enough cash on hand to cover your embarrassingly large order and are subsequently forced to pay with your credit card, do you know what goes on behind the window once you hand your card over? What number of pimply-faced purveyors of fast-food goodness are given the chance to jot down your card number, just as if they were to brows through the inbox of your unsecured merchant?

      Likewise, when you make a purchase at a store such as CompUSA, where they take an imprint of your credit card for their records - how do you know that the storage of the receipt is anything approaching secure; that they shred the receipt sufficiently after its use is fulfilled???

      While I agree that online merchants with decent security policies on buyer CC information may make me fell more secure, it is really only semantics... For all I know, the person receiving my encrypted CC info just decrypts it, jots it down on a sticky note, and sticks it on his monitor for anybody to see so that he remembers to complete my order in the morning. (Very unlikely, yes - but very possible as far as I can tell...)

  6. Tech support going the way of the dodo by Fastball · · Score: 4, Interesting
    A lot of vendors we deal with have significantly raised pricing for their support services, and a few others have quit supporting their software altogether. Struggling to stay in the black, a lot of companies are no longer developing and supporting software for the small shops and home office folks and are instead steering their efforts towards the big corporate money.

    To which I say fine. Alternatives for most of the stuff we use here, messaging systems, web based stuff, etc. can be found in open source projects or written in house. This is just another golden opportunity for open source software. Maybe my boss will hear my pleas now.

  7. Curiosity... by L-Wave · · Score: 4, Interesting

    Do many people truly use this technology? I understand many "geeks" use it, just for the cool factor, but I have yet to send email to someone who refuses to read/accept it because it was not PGP encrypted. I understand the use is for encrypting email and validating that it is, in fact, from the person who sent it...but really, does anyone use this for anything more than sending thier friends email that doesnt really need to be encrypted?

    --
    I SURVIVED THE GREAT SLASHDOT BLACKOUT OF 2002!
  8. Re:No privacy at all by jayant_techguy · · Score: 4, Insightful

    Do you know the biggest problem is the end user just doesn't care about E-mail security or won't know how to handle it.
    If you are really concerned, there still exist free s/w while do pretty decent job with RSA encryption algorithm. Though mind you they might not integrate into Outlook etc. as PGP did.
    The crux is it'll be a long while before encrypted E-mail is the norm of every human. I have to handle mails from 100 different people professionally daily, some containing sensitive information of the sender, but they don't care to encrypt it using PGP or any other tool, and send me their sensitive info. like anything.

    --
    Computer Help
  9. Health Care Regulations and Encryption by stoolpigeon · · Score: 4, Interesting

    HIPPA is some legislation that has portions going into effect now and in the next few years. It requires those who handle medical information electronically to do so in a secure manner.

    I work for a collection agency and since we collect for hospitals sometimes we have been looking at this. We were going to use PGP as clients have specifically mentioned that they require it. Now I am not sure what we will do. Much of what is available out there has restrictions on being used for business.

    The movement towards being more secure information delivery seems slow but it is moving forward.

    I am just real interested in seeing what kind of alternatives surface for businesses like ours.

    .

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  10. Encrypted email alternatives by Beryllium+Sphere(tm) · · Score: 4, Informative

    Hushmail (http://www.hushmail.com) is web-based OpenPGP mail. I'm a customer and sent Crypt-o-Gram a review, but have no other connection.

    The closest thing to the dream of "just press a button" is the S/MIME in Outlook. That still requires users to get a certificate ("a what?!", they will ask). And S/MIME has drawbacks.

    Pushbutton encryption is a delusion anyway. The details of key management are indispensable to security and require out-of-band verification. Unless you've checked a key fingerprint, or totally trust a key signer, you can be attacked by feeding you a fake public key and all the crypto wizardry is irrelevant.