PGP 8.0 Beta Released
James Evans writes "With a release date seemingly scheduled in December, the new PGP Corporation has today released PGP 8.0 Beta. It features Smart Card functionality, Unicode support, Novell Groupwise support, among other things. A Mac OS X Beta is out as well, also with a robust feature set. One word of caution however: On Friday, December 6th, 2002, the beta will expire, at which time access to encrypted data will be prevented."
... they will ever develop "Really Good Privacy", PGP is just too M$'esque for my liking ;)
Before everyone gets too riled up, take a look at their web page. They will be releasing a free version of PGP that will do e-mail, files, and instant messaging. This is a BETA and you shouldn't be using the beta after the final version is released.
Whatever happened to PGPhone?
For those of you that don't remember it... it was a secure voice communications system.
With the improvements in sound encoders, standardized crypto libs (OpenSSL) and the huge amounts of processing power that the avg desktop has it would seem to be much easier than it was in the early 90s.
Are there projects out there?
-M
I don't think you guys are reading the website correctly, or understanding what is going on. The release is a BETA one, i.e. it is for testing purposes only: access to encrypted data expires after two months possibly because in later BETAs and perhaps the final version, changes might be made that would render the encrypted data incompatible with the final version; and also because they do not want you to go on using the beta after the final version is released.
Of course, to look at it from this perspective, it might be a ploy on their part so that people don't get away without paying by simply using the beta instead of paying for the final version: but coming from a closed-sourced, profit-making company, that seems like a typical, perhaps even rational thing that they might do.
So what's the hullabaloo all about?
1) It isn't "forcing" - the public doesn't have to buy it. It isn't like choosing an office suite.
2) Paying for products isn't "totally against what we stand for here at Slashdot." Did the name change to GNU/Slashdot, or are you just making assumptions? If a product is free, use it. If a product is good, pay for it. If a product is both good and free, all the better.
3) No one is making them pay to protect themselves. They could use GPG if they really want a free encryption solution.
4) Paying for security is not like paying for music. Relate PGP to your data as you relate locks to your hardware. If you think everything should be free, you probably aren't in the right country (doesn't matter which one you're in, true communism doesn't exist most places).
5) I've said it before, but:
Freedom of information doesn't mean information should be free. Just because you can read the book doesn't mean you don't have to pay for it.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
That is precisely what is meant by 'plan accordingly', it could have been worded more carefully though. This beta is not meant for the people who are freaking out in this discussion and say 'watch out, it's a lock in', 'they are trying to screw you!'. As with any beta, people experienced with the product are the preferred beta testers, and they have received the beta, which incidentally has been out since last Thursday, pretty well. There were some glitches upgrading from previous versions, but by what I hear it's pretty good.
For those still interested, I recommend you grab a copy and pound on it. After the beta expires you can decide to buy it if you like it or move your keys over to GnuPG and still have access to all your data and friends.
PGP has two P's, GPG only has one. According to the Gartner Group, 83% of CIOs surveyed said that having 2 P's was vital to their business and something they would implement in the next 18 months. Seriously, though, PGP has a user interface that mere mortals can use. GPG doesn't (or at least didn't last time I tried it).
PGP comes with some lovely UI tools and a library for developing more. Speaking from experience of the Win32 impl, the integration with the shell is extremely handy, with encrypt/decrypt/sign options in context menus for example. The PGPDisk utility was also awesome though it doesn't work on XP - hopefully 8.0 will fix that.
I'm on some mailing lists where people like to GPG (GNU's PGP clone) sign email, and our LUG have had a couple of GPG keysignings.
;)
So, being a OSS supporting Windows user, I thought I'd try this out.
My normal mail client is Outlook Express (don't complain, when used by someone with a clue there's no more security risk than with any other mailer), and the method that PGP plugs into Outlook Express is disgusting. There's a GPG Outlook Express plugin that suffers from the same problem. Basically, when a message window is loaded, the decoder automatically copies all the text from the window into a buffer, runs the text through PGP, and then pastes the results back into the window. In the case of the version of PGP I tried, in 8pt font.
This also doesn't help when you have a Windows mailer that doesn't support MIME types correctly (Evolution especially likes to send mail with the PGP block as an 'attachment', which basically means your message appears blank in OE with two attachments). No PGP verification there.
I hear Outlook isn't much better; Outlook's IMAP support isn't as polished as OE's, and I guess they don't really want to make it better at the expense of Exchange licenses.
What's the answer? Enigmail. You have to use Mozilla Mail, of course, but that's something that can be adjusted to (and if it's too hard to adjust, it can be customized in XUL of course.) But it seems to be the only way to get correct behaviour for PGP email verification in Windows. And it's all OSS, too.
That said, it didn't handle decryption at all. But I was running a beta on a nightly with a 2 day old GPG build, etc. You get what you pay for.
What would I like to see happen? Outlook Express to become a bit more modular, with actual support for PGP (even the free PGP Home edition would be better than nothing). Or Mozilla Mail evolve a little bit more so I can tolerate using it as my mail client.
PGPfone still exists. It's not only an IP telephony solution, one can also have two computers dial each other directly and have an encrypted conversation. It was for the severely paranoid; not originally intended as a way to bypass long distance charges, this was intended, first and foremost, for security.
A quick Google search turns up this MIT site as the first hit, which has pointers to where the program can be found. They're still listing version 1.0 beta 2, not changed since July 11, 1996! (I never saw that much interest in it...) People know there are so many ways to compromise/eavesdrop on a conversation, and a computer (even a laptop) is a bulky way to make a phone call.
(God, look at how much cellphone tech has changed in 6+ years!)
The PGPi site lists a PGPfone version 2.1 (Windows and Mac), but notes that NAI has the rights to it:
I imagine the PGP Corporation owns that now -- did they get everything PGP-related from NAI?
I think you're right, though. There's OpenSSL -- heck, there's OpenSSH, too! Set up a heavily-encrypted tunnel, run your favorite VoIP program through that. Since you have to worry about your computer being trojan-free in either case (both software and hardware), you can use a program that's a lot more mature than PGPfone.
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
XP Pro comes with integrated disk encryption. Come to that Outlook Express, Lotus and Netscape email have had encryption for 5 years now.
The real problem with secure email is that none of the specs ever had a solution for locating encryption keys.
One of the things we have been pushing lately is the idea that every ISP should set up an XKMS locate service to act as a key repository. The XKMS service would be linked to the DNS via a DNS SRV record.
So that if you want to send a message to Alice@slashdot.org you first look up _XKMS_SOAP_HTTP._TCP.slashdot.org, that gives you an XKMS service locate.slashdot.org. You then send a message to locate.slashdot.org to locate a key for alice@slashdot.org via either S/MIME or PGP. The service returns the untrusted key which can be validated by a variety of means (e.g. a local XKMS validate service).
Back in the mists of PKI time people thought that X.500 or LDAP would do this function. Problem being that X.500 has never been viable as a global infrastructure. Trying to propose a similar feature using LDAP ended up in the weeds because the LDAP mafia thought that we were trying to help them with the great conversion to replace DNS with LDAP...
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
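The first half of the lookup described in the comment above (mail domain to SRV name to locate host), as an added example that is not part of the original thread. It assumes the SRV answers have already been fetched and uses the SRV label exactly as the comment writes it; `locate2.slashdot.org` and the port numbers are constructed.

```python
import random
from typing import NamedTuple

SRV_LABEL = "_XKMS_SOAP_HTTP._TCP"  # service label exactly as the comment writes it

class Srv(NamedTuple):  # the four RDATA fields of an SRV record (RFC 2782)
    priority: int
    weight: int
    port: int
    target: str

def srv_owner_name(email):
    """DNS name to query for the recipient's key-locate service."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {email!r}")
    # Lower-case and IDNA-encode so a non-ASCII domain still yields a valid name.
    return f"{SRV_LABEL}.{domain.lower().encode('idna').decode('ascii')}"

def order_srv(records, rng=None):
    """Order records as RFC 2782 asks: lowest priority first, weighted pick within one."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # Zero-weight records go first in the pool, per the RFC's selection rule.
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def locate_endpoints(email, records, rng=None):
    """Return (query name, [(host, port), ...]) for the locate service, in try order."""
    usable = [r for r in records if r.target != "."]  # "." means no such service here
    hosts = [(r.target.rstrip("."), r.port) for r in order_srv(usable, rng)]
    return srv_owner_name(email), hosts

# Constructed SRV answers; locate2 is a made-up fallback host.
SAMPLE = [Srv(20, 0, 80, "locate2.slashdot.org."), Srv(10, 5, 80, "locate.slashdot.org.")]

if __name__ == "__main__":
    print(locate_endpoints("Alice@slashdot.org", SAMPLE))
```

Whatever key the chosen host returns is still untrusted at this point, as the comment says, and has to be validated separately before use.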
Paragraph 3:
YOU HEREBY EXPRESSLY CONSENT TO PGP'S PROCESSING OF YOUR PERSONAL DATA (WHICH MAY BE COLLECTED BY PGP OR ITS DISTRIBUTORS)...
Remind me again why I want that feature in my crypto software...
And it's not open source anymore... so you can't really tell what they're sending...
I hereby place the above post in the public domain.