Slashdot Mirror


DMCA Attacks: NAI Tells Sites To Remove PGP (Updated)

daecabhir writes: "I am on Declan McCullagh's excellent policy and technology mailing list, and received this article on Declan's Politech web site. Basically, Network Associates now appears to be using the DMCA to force sites that provide access to the "free" versions of PGP to cease and desist, if this is any indication. Unfortunately, I think that Network Associates may well be within their rights with regards to 'their' intellectual property, even if I disagree with the manner in which they are going about things."

Update: 05/22 13:55 GMT by T: Looks like this wasn't the whole story, and in fact NAI was only objecting to a site with the commercial version of its software -- read below for more.

Grant Bayley writes: "The hype being generated by the "NAI pulls out the DMCA stick" postings and the spectre of PGP being "removed from the Internet" is entirely bogus, and provably so with a little bit of fact checking.

Looking through the Google cache, it becomes very clear very quickly that crypto.radiusnet.net was hosting a copy of the commercial version of the software - not a copy of the PGPi (aka freeware) version of the PGP product. Given that this is the case, NAI is well within their rights to demand the removal of the files.

You can confirm this in the Google Cache.

18 of 254 comments

  1. Hm. by Wakko Warner · · Score: 4, Informative

    Good thing there's GPG...

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:Hm. by Clue4All · · Score: 4, Informative

      The problem with GPG is that it lacks an easy-to-use interface and Windows plugins. This was the selling point of NAI's PGP: it was easy point-and-click encryption for the common person. It's a shame they're ditching it, it really had a good chance for encouraging the widespread use of encryption.

      --

      Is your browser retarded?
  2. mit distro center is still up by jnana · · Score: 4, Informative

    at http://web.mit.edu/network/pgp.html, but you can bet that i'm gonna download it again right now and burn the installer onto a CD.

  3. NAI - Graduates of the Verisign School of Business by zentec · · Score: 5, Interesting


    I purchased several copies of NAI's PGP for Unix version 5. The CD had a standard license agreement with it. Two years later, I receive a letter from NAI telling me that my license was revoked and I could no longer use the software.

    Somehow, I do not think I received my $1500 worth.

    I should have known, I asked NAI's sales department for a price quote on NAI virus protection products for the "enterprise" and I never did receive a straight answer.

    Thank God for GPG! Works with NAI's PGP plug-ins and it's truly free.

  4. Google cache by ergo98 · · Score: 5, Informative

    The google cache of the directory in question (that incited NAI to send the cease and desist) can be found at http://www.google.ca/search?q=cache:2PdJtPM6n0QC:crypto.radiusnet.net/archive/pgp/+&hl=en. Immediately I see products that were in the NAI distribution of PGP (commercial) but aren't in the freeware version (such as PGP Disk). Is this just a case of a copyright violation (and possible outright piracy to the tune of "warez" sites) being defended as something else? I could be very much mistaken, but not all of PGP was made freeware, and even no longer sold products maintain intellectual property that the company has every right to maintain control of for future use.

  5. Re:I am not a lawyer by Anonymous Coward · · Score: 4, Funny

    Sure:

    Wealthy Client: I want that stuff down.
    Lawyer: Okay.
    [to host] Take that down. Or else.
    Host: F*ck that. I've got First Amendment rights.
    Lawyer: Ha. [sends obscure legalese email] Here's a ridiculously vague DMCA notice.
    Host: I don't understand this crap.
    Lawyer: Good. You're not supposed to. But I'll be generous and tell you anyway. It says that if you take this stuff down, you won't be liable for [insert Carl Sagan voice] billions and billions of dollars for copyright infringement.
    Host: Oh. Okay.... I guess. [deletes information]
    Lawyer: Muahahaha.

  6. GPG frontends by PeterClark · · Score: 5, Informative

    I could be mistaken, but I think that GPG plays just fine with NAI's plug-ins. And as for frontends, I don't think you have looked hard enough. Also, Kmail has effortless integration with GPG, and I hear that Evolution does too, although I've heard that there were a couple of bugs in it. Perhaps they've been fixed by now.

    :Peter

  7. Re:Are older versions theirs? by homer_ca · · Score: 5, Informative

    PGP versions 6 and 7 had both Freeware (free beer, for noncommercial use only) and Professional versions. If NA is trying to shut down PGP Freeware downloads, it's bogus. This is sections 1 and 3 from the PGP Freeware 6.5.8 license. Section 1.b grants the right to distribute unmodified copies. Section 3 states the term of the agreement, forever as long as the user violates the license. I was half expecting to find it, but they do NOT say "We reserve the right to change these licensing terms at any time without notice".

    1. License Grant. Subject to the terms and conditions of this Agreement, Network Associates hereby grants to you a non-exclusive, non-transferable right to use, copy and distribute solely for Non-Commercial Purposes (as defined below) the specified version of the Software and the accompanying documentation (the "Documentation").
    a. For purposes of the foregoing, "non-commercial purposes" means non-commercial, non-governmental use, including, without limitation, home use for personal correspondence, student or academic use, or use by non-profit human rights organizations. The Software is "in use" when it is loaded into the temporary memory (i.e., RAM) or installed into the permanent memory (e.g., hard disk, CD ROM, or other storage device) of a computer for the purpose of being accessible in client-mode by an end user.
    b. You may make exact, unmodified copies of the Software and distribute such copies solely (i) by electronic means; (ii) for Non-Commercial Purposes; and (iii) with all proprietary notices (including without limitation all copyright notices and this End User License Agreement) intact and unmodified or obscured.
    3. Term. This Agreement is effective unless and until earlier terminated as set forth herein. This Agreement will terminate automatically if you fail to comply with any of the limitations or other requirements described herein. Upon any termination or expiration of this Agreement, you must destroy all copies of the Software and the Documentation.

  8. you know... by kevin lyda · · Score: 4, Interesting

    it's too bad that people don't pay more attention to rms when he talks about freedom.

    and it's also too bad that people kept doing dev on possibly not free pgp versions instead on truly free implementations of pgp (ie gnupg).
    how many times are we going to learn this lesson?

    --
    US Citizen living abroad? Register to vote!
  9. My PGP EULA by SignalFreq · · Score: 5, Informative


    A quick look at the documentation that came with my version of PGP Freeware:

    Network Associates Freeware End User License Agreement
    (Non-Commercial Use and Distribution Only)

    1. License Grant. Subject to the terms and conditions of this Agreement, Network Associates hereby grants to you a non-exclusive, non-transferable right to use, copy and distribute solely for Non-Commercial Purposes (as defined below) the specified version of the Software and the accompanying documentation (the "Documentation").

    a. For purposes of the foregoing, "non-commercial purposes" means non-commercial, non-governmental use, including, without limitation, home use for personal correspondence, student or academic use, or use by non-profit human rights organizations. The Software is "in use" when it is loaded into the temporary memory (i.e., RAM) or installed into the permanent memory (e.g., hard disk, CD ROM, or other storage device) of a computer for the purpose of being accessible in client-mode by an end user.

    b. You may make exact, unmodified copies of the Software and distribute such copies solely (i) by electronic means; (ii) for Non-Commercial Purposes; and (iii) with all proprietary notices (including without limitation all copyright notices and this End User License Agreement) intact and unmodified or obscured.

    ... blah, blah, blah...

    3. Term. This Agreement is effective unless and until earlier terminated as set forth herein. This Agreement will terminate automatically if you fail to comply with any of the limitations or other requirements described herein. Upon any termination or expiration of this Agreement, you must destroy all copies of the Software and the Documentation.

    11. Miscellaneous. This Agreement is governed by the laws of the United States and the State of California, without reference to conflict of laws principles. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. This Agreement sets forth all rights for the user of the Software and is the entire agreement between the parties. This Agreement supersedes any other communications with respect to the Software and Documentation. This Agreement may not be modified except by a written addendum issued by a duly authorized representative of Network Associates. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by Network Associates or a duly authorized representative of Network Associates. If any provision of this Agreement is held invalid, the remainder of this Agreement shall continue in full force and effect. The parties confirm that it is their wish that this Agreement has been written in the English language only.

    Quick overview of the sections not included:
    2. Restrictions: no renting/leasing/loading/reselling.
    4. Updates: No tech support.
    5. Ownership Rights: They still own all the copyrights.
    6. Warranty Disclaimer: "As is" software.
    7. Limitation of Liability: I can't hold them liable.
    8. US Government:
    9. Export Controls: Don't let it cross a border! oh no!
    10. High Risk Activities: Don't use this in conjunction with life-support, etc.

    So, section 1 grants me the right to use, copy and distribute PGP. Section 3, there is no expressed limit on the amount of time I can use it. The only limiting factor is section 11, which gives them the right to modify by a written addendum.

    Damn. Guess I'll just have to switch to GPG.

    - SignalFreq

  10. crypto.radiusnet.net is a joke by Anonymous Coward · · Score: 4, Insightful
    Hi all,

    I think we'll all find that this ends up being less of a problem than it seems to be, and certainly one unworthy of Declan's attention. The first thing to consider is that of the couple of security/crypto archives out there (Wiretapped, munitions.vipul.net, the old zedz.net site, Packetstorm), the crypto.radiusnet.net one is the only one of the group that is out of date, disorganised and discourages mirroring. Look over the site, and you'll see what I mean. The second thing to consider is that (as another poster has already mentioned) PGPi.org has the explicitly freeware versions of the software available on a number of mirrors worldwide, and does not appear to have been made a target here.

    Conspiracy theories aside, if they were mirroring commercial versions of the product, NAI is well within their rights to pursue them, and I'm sure the other legitimate crypto/security archive sites will be glad to see crypto.radiusnet.net stop sullying their good names by association.

  11. NOT FREE by Anonymous Coward · · Score: 5, Informative

    The version hosted on radiusnet was not a freeware version nor public domain, or whatever. It was PGP corporate desktop and other various COPYRIGHTED materials. I visited that site every month or so for updated versions. Of course, now I use gpgp ;)

  12. The nicer looking response... by Dogcow · · Score: 5, Informative

    ---------- Forwarded message ----------
    Date: Wed, 22 May 2002 14:41:59 +1000 (EST)
    From: Grant Bayley
    To: Declan McCullagh, R. A. Hettinga, Meyer Wolfsheim, peter_beruk@nai.com
    Subject: Re: NAI pulls out the DMCA stick.

    Hi Declan, others.

    The hype being generated by the "NAI pulls out the DMCA stick" postings and the spectre of PGP being "removed from the Internet" is entirely bogus, and provably so with a little bit of fact checking.

    Looking through the Google cache, it becomes very clear very quickly that crypto.radiusnet.net was hosting a copy of the commercial version of the software - not a copy of the PGPi (aka freeware) version of the PGP product. Given that this is the case, NAI is well within their rights to demand the removal of the files.

    You can confirm this in the Google Cache, here:

    http://216.239.33.100/search?q=cache:QA-H5VtPvP4C:crypto.radiusnet.net/archive/pgp/+&hl=en

    Keep in mind that of the couple of crypto/security archives out there, the radiusnet one is basically the "abortion" of the bunch. It's disorganised and out of date in so many places as to be dangerous.

    By "crypto/security archives", I'm referring to Wiretapped (www.wiretapped.net, which I operate), munitions.vipul.net, the zedz.net archives (ftp://ftp.zedz.net/) and Packetstorm (www.packetstormsecurity.org).

    If this is the straw that breaks the radiusnet camel's back, I for one won't be complaining, if only because of the old and out of date material on the site. In the case of tools that perform a security function using crypto (IPSec, ssh etc), being updated is critical, as a number of the older versions of the software have contained serious security problems.

    Grant

  13. Re:wait.. by BrookHarty · · Score: 4, Interesting

    We tried to buy a site license at work. We needed something that would plug into Outlook Exchange and work with everyone inside and outside the company. But after NAI killed PGP, we tried GPG but there was no plugin for Outlook Exchange (client).

    Good product, lots of people wanting to buy it, and no alternative program. If someone came out with a windows office plugin, maybe they could make/start a software company.

  14. Another proof for how right RMS is by Baki · · Score: 5, Insightful

    Richard Stallman was (once again) criticized by some of the slashdot crowd today in this article, about being pedantic, purist, impractical etc. PGP/GPG is an excellent example of RMS being pedantic and purist, and rightly so.

    RMS and the FSF have always been refusing to use PGP, because of its license. They have been criticized along the same lines for this, since PGP was "free in a practical sense" i.e. free as in free beer, even though it had been written by "good guy" Phil Zimmermann. Today we may be glad that the FSF refused to use PGP, started to write GPG as soon as the RSA patent expired (i.e. as it was legally possible to write a clone without infringing on patents).

    1. Re:Another proof for how right RMS is by MAXOMENOS · · Score: 4, Informative

      Work on GnuPG was proceeding well before the patent on RSA expired; GnuPG uses a completely different algorithm (ElGamal, which uses discrete logs) for public-key encryption. ElGamal was technically covered by the Diffie-Hellman, but that expired in 1997. Click here for a brief description of ElGamal.

      That having been said, I agree with you whole-heartedly that RMS's hard-headedness about PGP is our saving grace. Thankfully, we now have a PGP replacement that is just as effective, if slightly less user-friendly right now, as the original; and which is also useful for commercial enterprises (unlike the "free" version of PGP).

  15. Are you trolling? by rjh · · Score: 5, Informative
    Really. You're painfully uninformed.

    If somebody comes up with a new encryption algorithm, they shouldn't have to write code to support Evolution, Eudora, Outlook Express, so forth and so on.

    They don't. RFC2440 (plus RFC2015, 3156, etc.) are extensible; they support a broad variety of algorithms and are designed to support future algorithms. RTFFAQ.

    Likewise, somebody should be able to write a front-end for a email application according to a specific API and expect to see every available encryption algorithm thus far implemented available from within that email application.

    Microsoft CAPI provides just this. GPG Made Easy (GPGME) also makes it almost trivial to incorporate crypto support into your application. (ObDisclosure: I'm working on C++ bindings for GPGME, so I'm biased.)

    gnupg is great, but it presumes a single algorithm, doesn't it?

    RTFFAQ. OpenPGP supports more algorithms than you can shake a stick at. For instance:
    • IDEA
    • 3DES
    • CAST5-128
    • Blowfish
    • Rijndael/AES-128, -192, -256
    • Twofish
    • RSA
    • El Gamal
    • DSA


    Wouldn't it be much better to make it easier to introduce new algorithms into the mix?

    No. In fact, I personally dislike the fact that most PGP implementations (including GnuPG) support so many algorithms. Every implementation must support 3DES, and y'know, 3DES has a twenty-five year track record of turning brilliant cryptanalysts into burned-out alcoholic wrecks. Anyone who wishes to use AES256 for "security" is missing the point--the most trusted algorithms aren't the latest sexy things. The most trusted algorithms are the ones which are older than God and uglier than a Soviet worker's housing bloc.

    If he gets to *assume* that the encryption being used is pgp-style, his workload is modest, he just needs to feed the file to the program.

    The analyst is already going to know what algorithms you're using. The way you plan these things is to assume the analyst has access to tens of thousands of times more computing power than exists in the world, tens of thousands of times more memory than exists in the world, knows you better than your wife does, and knows every last detail of your cryptosystem except what your key is.

    Assuming anything else is absolute folly.

    And yes, I am a cryptographer.

    Especially if there are hundreds if not thousands of algorithms out there, each and every one available to the common man for his use.

    There are three symmetric algorithms I would trust my deepest secrets to. IDEA, 3DES and Blowfish. AES isn't on that list (won't be for another couple of years while peer review shakes out). If I'm a professional in this field, and out of the literally thousands of different symmetric block ciphers proposed over the years I can only find three which I recommend without hesitation, and the other 997+ range somewhere between interesting-but-flawed and fatally stupid, I really doubt that you--a layman with no experience whatsoever--will be able to intelligently choose the three good ciphers out of a field which consists, mostly, of spectacularly bad ones.

    Something as trivial as taking the output of gnupg and exclusive-or'ing with a Erica Rose Campbell jpeg would add another - if - statement to the NSA's decryption code

    Please go read this book: Codebreaking, by Rudolf Kippenhahn. You have a critical misunderstanding of how cryptanalysis works. It doesn't work by a series of "try this, then try that, then try..." It works by looking for redundancies, patterns, in data and then creating a mathematical model which can recreate those same redundancies and patterns. If you're XORing with a JPEG, you're not going to be making it appreciably harder to break. There's a lot of mathematical order in a JPEG.

    I would bother responding to your last comment about why PGP is "weak", but really, it's clear that you're talking through your hat. I can believe that you're utterly clueless, or I can believe that you're trolling. If the latter, then HAND, IABT. If the former, then please go off and read up on the subject.

    I'd suggest starting with David Kahn's The Codebreakers, from there Rudolf Kippenhahn's Codebreaking, then Schneier's Secrets and Lies. Only then start to work on Applied Cryptography and the Handbook of Applied Cryptography.
  16. Re:Phil Zimmerman? by Slashamatic · · Score: 5, Informative
    I am not Phil but I worked on PGP 1.x through 2.x or so, mostly on one of the ports. First a bit of history.

    Theoretically PGP in the early days could use RSAREF from RSA Labs but it needed some calls that were not in the published interface and thus broke RSA Labs non-commercial licence.

    The thing is that Phil requested that none of our software was GPLed as he wanted to try to use parts of it commercially. Fair enough, he would keep the non-commercial version as open as he could. Actually it was pretty open by then because contributors were working in France, Germany, even, I think, Russia.

    When the program was first passed to Viacrypt. They had their own licensed RSA engine and could drop it into PGP. However PGP still used another patented algorithm, IDEA. This had to be licensed (about $15) for commercial users.

    Viacrypt then got swallowed by NAI or at least PGP was transferred with it together with Phil Zimmerman. PGP moved away from algorithms like RSA and IDEA so didn't have so many patent issues. We ended up through Phil's efforts with a version of PGP free for non-commercial use and a licensed version for the corporates. However, many of the platforms were dropped.

    The source code of PGP was printed by MIT in an OCR friendly font and the whole thing was exported legally to Norway, scanned and put up on the pgpi server. Later, NAI did something similar to get the code to their office in Switzerland and with the availability of commercial PGP in Europe, the free version went non-commercial only.

    NAI stopped publishing source code after 6.5.8 so a lot of people stopped there with that release. Strangely, a commercially licensed user was not allowed to recompile from the free source.

    Ok, history lesson over. PGP always has had a bit of a chequered past because some people don't like it one little bit. It was a difficult product to sell but NAI seemed to have had a steady business with it. That they dropped it after 9/11 came as no surprise to anyone (it may have been making money but not enough to want to compromise sales of other s/w to the US government). However, in the background we have the OpenPGP standard (well, RFC) being developed that gave a chance for other interoperable programs like GnuPG to be developed. This project has the backing of the German government, who seem to believe in strong encryption for the masses. The software is currently far from perfect (try recompiling the Windows version), but it works and without the patented algorithms. There are some front-ends that make it reasonably user friendly. It isn't there yet, but it will be.

    In the mean time, I have seen PGP in use in Central Asia, not by terrorists, but by a Central Bank for interbank money transfers. That terrorists and criminals have used PGP is certain, but so do people like Amnesty and the Red-Cross. The use of PGP to co-ordinate attacks against the US is a massive red-herring to cover up incompetence by the FBI and INS.