Slashdot Mirror
Zimmermann Suggests Freeing PGP Source
broody writes "NewsForge has an interesting article detailing Phillip R Zimmermann's lament at selling PGP. Since he cannot afford to buy it back outright, he is pushing for Network Associates to 'open source' it. Well, the GUI and SDK anyway. I'll say this, he's an interesting little capitalist."
Why bother? Its gone, sold, IP traded for cash. He knew what hw was doing when it was traded for money. If he really wants to do something, GnuPGP would probably welcome him with open arms...
+++ UGUCAUCGUAUUUCU
What sucks is they dropped the commercial VPN client totally, the freeware version is still around (or was a couple weeks ago) but it only supports machine to machine, no machine to network connectivity, that was only in the commercial version.
If they can't make money with it, and they don't plan on it, it could be used to build will and advertising. Part of the requirement would be to leave in the advertsing banners. Or require some form of license for inclusion into other commercial software.
Note that they have not conceeded that PGP cannot be sold off, yet.
Fight Spammers!
No, they probally wouldn't. The IP belongs to NA, and I think he has probally seen the source code, so Gnu couldn't claim their code was a clean room implimentation.
>Why should we care what Network Assosciates's
>proprietary privacy software does? There's no good
>reason one can't write their own Public Key >Encryption software
Because another Free implementation - of anything - will always be useful.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
His idea for a Dead Man's Switch license would be very interesting to see implemented. It would be nice to see something like that used in a lot of commercial software.
Think of all the software that might still be available if they had such a clause in their license. Hell, just the games!
-Pete
Soccer Goal Plans
> If this guy sold PGP five years ago, what authority
> does he have now to suggest the change?
"This guy" developed the PGP protocol, and it's first implementation, then released it freely on the Internet when it seemed likely the US Govt. was about to criminalise *all* personal encryption.
So, only moral authority... which doesn't seem to be worth much on the free market, these days.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Uh, that's great, but they still own it. Yes, you can look at the code, but you can't use or modify it without their consent - which I don't think that they intend to give. Open source means that you get those benefits.
SIG: HUP
PGP being sold out was the inspiration for the OpenPGP project which generated GPG, a perfectly good alternative to PGP.
The only real problem with GPG is the comparative lack of high quality "mere end user" facilities such as a good GUI.
Let's all dump PGP, it's served its purpose and its time is done. Put your effort into making GPG (real open source!) widely accepted and used.
Since he developed PGP, why not develop a RGP, or Really Good Privacy. He can keep this one open, and it can compete with the closed source version.
.0199999999
It offers the liberty of being Free and Free.
Just my
If we don't fight for ourselves no one will.
When Zimmerman sold PGP, what did he expect? That people would start paying
Network Associates money to use something that most people still don't
see the need for?
Forget it Phil. You killed PGP when you sold it. GPG is there take over from
PGP and make sure that those who understand the need for good encryption still
have some reviewable source to trust.
GnuPG (not GnuPGP) dont work in Windows
6 -2.zip
GnuPG _does_ work on Windows: http://ftp.gnupg.org/gcrypt/binary/gnupg-w32-1.0.
But it's not graphical. For that, I've been using WinPT for some time. It's a pretty good replacement for PGPtray, not as pretty though. And it imported all my PGP 6.x/Win Keys fine too. Download with all dependencies here
I've read on numerous occasions that NA has versions of PGP updated to run on OS X and XP, but aren't releasing them. Something to do with 9/11 maybe? It seems stupid to simply throw away a defacto standard.
Let's hope the geeks here make that problem irrelevant. So far the Mac side is doing *OK* with tools like GPG Tools, GPGMail, and Apple's own AES encrypted volumes using Disk Copy. However, syncing with key servers, file wiping and other functionality available in PGPFreeware is sorely missed. Maybe Phil Z should start a company focused on GPG rather than wasting his energy trying to get PGP open sourced...
We'd really like you to join the work on GnuPG, and on GUI projects like GNOME. I think it would be most productive to write off the PGP code base and continue your work on the existing Free Software projects. We've gotten most of the hard work done already.
Thanks
Bruce
Bruce Perens.
but the article states that you can modify it and run the modified version on your machine, you just can't redistribute the modified code.
With the source code able to be modified, it might be easy for some people to think of PGP as Open Source. "You could modify it if you wanted to, and run it on your own computer, but you could not distribute a modified version," Zimmermann explains
Anyways, i dont think NA has any obligation to do as Zimm asks, he sold it to em, and it's now their's to do with as they please, even if that means that they let it just die basically. It's a shame but it is their right to do so.
he's an interesting little capitalist.
right now he seems to be a slashdoted little capitalist.
Not only that, but he was involved in a legal quagmire for quite some time, thanks to the U.S. government classifying encryption as a munition. It is hard to blame the man for selling PGP when his legal expenditures probably placed him in quite a bit of debt.
We should all be thankful that Phil was willing to stand up for something like this.
[you@someterminal you]# cd pgp-source
[you@someterminal you]# grep -c -r -i "nsa"
27
Religion is a gateway psychosis. -- Dave Foley
> Or from Outlook, FWIW
Ah, actually there a plugin for Outlook _Express_ available now. GPGOE. Outlook will take some time -- and hacking on the office dev kit -- I guess. But yes, I get what you mean about "dont work well", but I can tell you it's getting better fast! And if you can, do give WinPT a try. You may be surprised.
It does work in OutLook. I'm using it right now.
Go get it here:
http://www3.gdata.de/gpg/
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
BSD unix was a non-cleanroom reimplimentation of AT&T unix. BSD won when it went to court.
But only an organization like BSD, backed by the University of California and their lawyers, had the resources to stand up to AT&T in court. I wouldn't suggest being cavalier about clean-room issues to any random Open Source project.
It's not immoral at all for him to request this, anymore than it's immoral for anyone else to request it.
He sold it to them, yes, but now they've effectively killed it, and don't plan to do anything with it.. so it's fair enough that the pgp using world want's to see it opened. Zimmerman is one of those.
That being said I tend to think that the push towards GnuPG isn't as great of an idea as some think.
While there is many "free" or open source projects out there that are great on multiple platforms, GnuPG hasn't yet been fully (if at all) accepted by the Windows users.
Before you flame me; encryption needs to be open, and it needs to be easy to use in some respects. If my grandma (or male lover) has to go to the command line to encrypt his/her e-mail - it isn't happening. Now I see one project to bring it to the Windows desktop but it's being developed by linux developers.
If people expect Phil to come over to the GnuPG camp then you have to be ready to develop as much time to the Windows product as *nix.
Maybe I'm just not making sense because I'm typing fast... but simply: Gui, Gui, Gui. Equal time on all systems. Then I'll put my support behind GnuPG.
Otherwise Network Ass. should release their control over a product they raped.
Get your Unix fortune now!
The only piece I really use is the PGPdisk feature. Creating a totally encrypted virtual harddrive is very cool.
I create 649 / 699 MB PGPdisks, fill them with my 'backups', "unmount" them, and then burn them onto CD. Voila, encrypted CD contents. Works beautifully.
It would be the coolest thing in the world if GPG was able to mount the same PGPdisks. Heck, even using other filesystems should be possible.
It's great for keeping data private (as long as the encryption will hold, a couple of years longer maybe).
Once GPG can at least mount and hopefully also create "GPGdisks", I'll ditch PGP.
Fact is, we need him with us more than ever. If not as GnuPG contributor, then as a speaker of technology/crypto and the freedom of the people. In both the U.S. and Europe, the 1984 ghost is materializing.
Looks like a fish, drives like a fish, steers like a cow.
You mean something like the KDE Free Qt Foundation? Qt is triple licensed: GPL, QPL, proprietary. If TrollTech discontinues the free edition of Qt, then the last available version will be released under the BSD license. (I'm not sure whether that's with the advertising clause.)
Some ethics would be in place, this guy SOLD it to network associates, it's quite immoral for him to request them to open source it now!
How is it immoral for him to make that request? Suppose that you sold a car to your neighbor. Two years later, you find it rusting on blocks in their front lawn. Would it be immoral of you to politely suggest that they donate it to a worthy charity? I think not.
Admittedly, it's not the latest and greatest - but this is open source folks, surely some talented hackers out there can expand on what is already open?
Try reading the article before you post. The article tells you why this couldn't happen.
-a
How to rationalize theft.
Then use one of the many GUI's or email clients / plugins that support GnuPG.
The principle issue that faces any developer wishing to integrate GPG is that it is covered by GPL. That means that even if it had an SDK (which the isn't) you couldn't link with it without infecting your own code. Even LGPL libs can't link with it. At present if you wish to use GPG, you must mess around constructing command line arguments, opening pipes etc., invoking it and then parse the results. It is a major pain. There are libraries such as GPGME that hide some of this from you but it is still slower than running in-process and has significant issues running on platforms like Windows or Mac where piping etc. might be done differently.
If PGP were opened up with either a LGPL or BSD style licence I can see it being used in preference to GPG. GPG has the better command-line interface and might be ok for scripts but PGP has an SDK (as well as a great UI on Win32) and would be ultimately faster if software can link directly to it.
PZ should get involved with Mozilla. For literally years I've been waiting for someone to build in some sort of public-key email (and newsgroup) crypto. It's still not there yet, and THAT has prevented several people I know - including myself - from adopting Mozilla as my sole internet access tool. I'd love to be able to dump some of the crap I run for email and usenet.
First it was the export restrictions that were deterring Mozilla crypto. Now it's something else. I guess these projects qualify for some of what's being done today, but I needed Mozilla to do built-in crypto years ago. The standard Mozilla comeback is "do it yourself". Well, I have neither the time nor the skill to do that. But Phil does!
Maybe the NSA will buy it and then open source it, then include it with their SE Linux.
Zoot!
I didn't say it would be a good idea. I just said it would be an ethical one.
I don't believe email encryption will become mainstream unless these things happen.
1) Major email client providers agree on a standard
2) The ability to encyrpt/decrypt is provided with the default install of their product.
Network Associates is sitting on the code to squash it. They don't want to sell it. They don't want to make money off it. They want to keep it unavailable. Texaco owned the patent for fuel injection systems in cars. Until that patent expired (patents used to expire), no cars had fuel injection. If you don't remember, they might want to look back at the date on the press release that Network Associates (a.k.a. McAffee) released, stating that they planned to discontinue PGP. It's pretty close to September 12, 2001.
The generic response was "Open Source does not mean taking a product we don't want any more and throwing it over the wall. It means taking a product we continue to maintain and donating rights to it to the open source community. We can't just give away software without assessing the legal and PI risks. That's an expensive process, and we just won't do it unless it helps us start an OS project with some real potential."
I might be misquoting (that's why I don't name the company), but you can see the issues.
Loop-AES. Assuming you don't have the loopback filesystem module built right into the kernel, but have it as a module or not at all (look for loop.o), no kernel recompile or patching or even a specific kernel version is required. Patching losetup and mount, on the other hand, is required, but it's painless. And Reiser FS is a perfect companion to Loop-AES.
One handy little thing about Loop-AES I love is how the encrypted loopback filesystems can be burned straight onto a CD. The upshot of this is secure backups, like if you've got nosy roommates.
Have you tried to work with Phil Z.? Oh... thought not.
People who end up in the mess Phil did are not always the folk with the best social interfaces...
The problem with PGP is that overall it is tending to hinder the use of crypto than help at this point. There is perfectly good crypto built into Outlook, Outlook Express, Notes, Netscape etc. Only thing is people don't know its there because they are being told that only crypto persecuted by the NSA should be used.
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Rather than attempt to resurect the PGP message formats it would be better to spend time building S/MIME key signing code.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
For a good read w/r/t Crypto in general (including Zimmerman and some of his past,) check out Stephen Levy's book Crypto. It is excellent.
FreeBSD for the impatient.
I was using WinPT for a while, until I stumbled on GPGshell. It calls GnuPG to do the work, so you never have to worry about entering your passphrase into a GUI. IMHO, it's a lot nicer than WinPT. When you install it, you get 3 programs, which don't need each other to work:
So anyway, here's what you do:
So far this setup has had no problem dealing with any PGP messages I've encountered, from 2.6.2 to 7.x, but I haven't tested it extensively.
Zeinfeld writes:
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Sure, anyone can be an X.509 CA, but that doesn't help much. In order to issue meaningful X.509 certificates, you need to be a widely trusted CA, and that means commercial certificate distribution deals with Verisign, AOL and Microsoft, and that pretty much rules out all but big businesses.
PGP's web of trust has a much lower barrier of entry.
----
Open mind, insert foot.
Anyway, I highly recommend it.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
In MS business environments you don't tend to Admin rights on the box where you are working. I don't even have at home on my Windows box.
I know, I worked on it for a while back in the early days.
x.509 certificates are supported as standard in shitloads of mail clients (inc. Netscape and the ever popular MS Outhouse). Many people regard those as an "industry standard"
However, x.509 is more suited to compannies, as each public key must be signed by a trusted certificate authority to be valid. (e.g. Signed by Thwate.... otherwise use openSSL and set yourself up as a certificate authority and generate your own x.509 certs). This is only really practacle for a large company.
Individuals are better suited to PGP because of its "web of trust" model eliminates the need for certificate authoritys, but will be impractacle for a large organisation. (Its no wonder NA failed to sell PGP to companies.... the existing x.509 standard is mutch more suited)
See this link
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
You need one of the international versions of PGP available from www.pgpi.org you do
Available on a shitload of platforms
And pgpi is a very trusted site
(I could also mention the Cyber Knights Templar builds. Also very trusted + open source)
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
That has nothing to do with the format of the certificate. It is simply basic math.
All the major email programs allow you to install your own trust roots, always have. The problem is getting a trust root widely recognized.
The diameter of a graph is the length of the longest path between two nodes. If the diameter of the graph is small then either the graph cannot be large or there must be at least soe nodes of very high degree. [The Moore bound on the diameter of a graph is k * (k-1)^d where k is the degree of the nodes and d the diameter.
Applied to PGP it means that if you have a Web of trust with a trust chain length of 5 and each person signs ten other keys you can have no more than 90,000 members if the members align themselves perfectly. In practice the size of the graph would be much smaller since the connections would be either random or highly locally connected which gets you down to about 10,000 users.
PGP works largely because people take untrusted keys of key servers and because there are folk like Jeff Schiller who have signed hundreds of keys.
If you want a global PKI then you need intermediaries. PGP is not designed to scale to be a global system. But if you are prepared to put up with the size limitations of the PGP model you can do the same in S/MIME.
Microsoft even ship a mini CA tool with Office and Visual studio - makecert.exe. It is a bit idiosyncratic and you need to get another tool fro the Microsoft site to convert the private key formats to PKCS12 format but it certainly works. The SSLeay code also has a cert signer.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
OK, let's put this one to rest for once and all. I can't even begin to use the code unless I've paid for the right to do so. PGP Freeware exempted yes, but if I'm trying to do something for, say, a company, then I can't do squat with the code. Sure, I could theoritically modify it, but I would be in trouble for using that code until I've bought the license.
SIG: HUP
Conare writes:
Not really. If your only concern is encrypting/signing mail (and other stuff) within your organization, than the CA only needs to be trusted within your organization. Trust in the CA can be enforced as a condition of employment. This makes PKI practical for many mid size businesses as well, although small businesses should look elsewhere due to the large inital outlay required.
X.509 is a clumsy tool for internal encryption. Most programs using it are using it for communications, not storage. A good chunk of any businesses need for secure communications is with other businesses. You can't make your parts supplier trust your internal CA as a condition of employment, and you usually can't even require it as a term of your contract with them.
If you wish to explicitly trust the PKI of another business than your CA's can issue each other Cross-Certificates.
Again using my parts supplier example, that would basically be me going to my parts supplier, and asking them to trust that every certificate we issue is valid. That's a lot of trust. Most people are prone to say "no", particularly if they don't understand the full ramifications of that trust.
With the PGP/GPG "Web Of Trust" model, all I would have to ask them is to trust that my key is validly my key. Much easier to do, the guy at my parts supplier can do this over the phone in many cases. Then he can sign my key and put it on their keyserver. Anyone at my parts supplier who accepts his signature will automatically trust my key. They are only asked to trust themselves, and what they can readily verify; a much more palatable trust model.
only one of the three businesses you mention is in the business of selling commercial certificates (Verisign).
The other two are the leading distributors of X.509 capable products, and therefore the leading distributors of "Here are the trusted Certificate Authorties" lists. To get on those lists takes money.
----
Open mind, insert foot.