PKWare Zips to Growth

Rob Kennedy writes "The Milwaukee Journal Sentinel has a story about PKWare's new business plan. It talks about the investment group that bought the company after founder Phil Katz's death in 2000, and the plan for PKWare to produce what president and COO Timothy H. Kennedy (no relation) calls 'the next generation of zip' by adding various security features."

What kind of Security features?

[Qender]

Might these security features include paying per zip file or something?

Doesn't PGP do this?

[yatest5]

When I PGP a file, it shrinks to same or smaller than when I standard zip it. Isn't that secure / small? Or am I horribly confused?

Re:Doesn't PGP do this?

[sql*kitten]

When I PGP a file, it shrinks to same or smaller than when I standard zip it. Isn't that secure / small? Or am I horribly confused?

Yes, encryption benefits from compression because it makes the data look more random - there are fewer repeating patterns in the plaintext once it's compressed so there are fewer patterns in the ciphertext too(i.e. it's harder to do a dictionary attack).

I get great compression results from creating archives as .tar.pgp, slightly better than .tgz and much better than .zip with "encryption" turned on, and much more secure too.

Encryption and compression make a lot of sense...

[Max+Romantschuk]

Since a Zip has to be decompressed anyway it makes a lot of sense to integrate encryption. It's easier to unzip once compared to unzipping and then unencrypting or vice versa.

Now, integrate this with email attachments and we're on a roll :)

Are zips still relevent?

[91degrees]

Most of the files I want to send are not going to compress to well in the fisrt place. Nowhere near enough entropy. The only files that will actually benefit are source code and binary executeables.

Okay, there may be some specialised industry data formats for microchips and the like, but the really large files tendto be things like pictures and videos. These are already compressed using standard lossy techniques. zipping these won't work.

Re:Are zips still relevent?

[knuurius]

I use zip for the ease of sending hundreds of files in one file and not very often for compression reasons.

Re:Are zips still relevent?

[Surak]

You know all those foosetup.exe InstallShield and similar formats? Most of those are either CAB compressed (Microsoft), but many of them are still PKZIP compressed.

Re:Are zips still relevent?

[AKnightCowboy]

(Although maybe someone will prove me wrong and say 'I update existing zipfiles every day, it's an essential feature, what I do is...'.)

It IS an essential feature and I do use it all the time. Being able to pop up Winzip and read individual files in an archive without extracting the whole thing (which can be hundreds of megs) is much better than the tar/gzip approach that's standard on UNIX systems. Hell, even Sun realizes that. Their recommended cluster patches are distributed in a zip archive so you can easily pull out individual patches without unarchiving the whole 50+ megs and thousands of files.

Re:Are zips still relevent?

[tswinzig]

IMHO, since 99% of the time all you do with archives is create them or extract them, it's not worth implementing features like 'add to archive', 'delete from archive' or 'update archive'.

You are crazy. Those features were made and are perfect for automated processes. Every day I have an AT process that runs (like a cron job for NT), and ADDS a single web server logfile to an existing monthly zip file. The log files are each around 80MB in size. At the end of the month, I archive the zip to CDROM.

Therefore the Unix model of tar and then a separate compression program makes more sense

What exactly does it offer over zip? You want something like tar, use zip without compression. You want something like .tar.gz, use zip with compression. We got it covered. How often do you create uncompressed Tape ARchives in the windows world?

Great

[e8johan]

This seems like a good plan. I'd like zips to have:

• global password (for the filelist)
• per file(s) password(s) (for groups or individual files)
• version management (store changes, but keep the original)
• signing (both global and for file(s))
• execution abilities (oops, could trigger viruses, must be signed, but for example decompress files and compile 'em)

What I would also like is for them to go open source and actively support *nix (including Linux and MacOS X).

Cool moment.

[Soulslayer]

One of the coolest moments of the many GenCon Game Fair's that I attended in Miwaukee, WI was when a panel consisting of most of the premiere Origin producers including Richard Garriot and Warren Spector took a question from the crowd during the Q&A session and when the nervous speaker said, "Well I have a programming question...and...um.. well I'm from a little company in town...do you know PKWare?"

And all the members of the panel looked at one another and then started doing the Wayne's World bow and chanting, "We're not worthy! We're not worthy!"

Then Warren (if I remember correctly) made a mildly sarcastic and admonishing comment towards the poor PKWare dude along the lines of, "Hey man you guys have saved us tons of money on media. We use Zip all the time. Of course we know your company." (games of the era were beginning to approach some 30 floppy discs compressed and CD-ROM had not yet become an affordable alternative)

It's nice when a little mostly unkown (at the time) company making software compression utilities gets recognition from a (at the time) powerhouse game development company like that.

Could work

[Anonymous+Cowdog]

The .zip format has great inroads into the corporate world, whereas PGP is still a geek's toy. By leveraging (cough) the massive usage numbers, they could be successful with this. Of course, it remains to be seen what features they want to add. But enough zip files fly around corporate networks without security, that it does make sense to improve PKZip in that area.

On the other hand, WinZip has a a head start, as the preferred way to deal with zip files for most people. And the PKWare website seems to come up blank on Mozilla, not an encouraging sign.

But what I really want is security for my PDA data, so it is secure over the network, and secure on the hard drive of any PC, even a PC that others have access to. Can zip help with this? Not sure.

They are not targeting users anymore.

[Dog+and+Pony]

The company's sales efforts are now focused on corporate customers.

And why companies should listen:

The company has crafted a new partnership with RSA Security Inc., which will lead to merging zip capability with security features in the same programs.

Maybe that'll be enough.

I'm pretty sure the shareware business model for these guys would be dead anyway whatwith some other competitors being so well known and wide spread there days. Can you say "WinZip"? (Yuck, bad, bad program.)

Re:Encryption and compression make a lot of sense.

[akruppa]

Hopefully, if this is what they want to do, they will do better than the embarrasingly insecure "encryption" that the old DOS PKZip included (a cryptographically-weak LFSR-based stream cipher).

Yeah, the cipher was pretty weak. Interested people might like to read the paper A Known Plaintext Attack on the PKZIP Stream Cipher by Biham and Kocher. Esentially, a string of 13 known bytes and a few hours on a good PC will decrypt the rest of the file.

But what's even worse, imho, is the horribly bad implementation. They encrypted only the file contents; file name, size and (what were they thinking?) the CRC were all in the clear. If you were using encryption to hide the fact that you possess a file you're not meant to, Pkzip will do you in real nice.

All in all an excellent example of how crypto works not.

Alex

Hope it has better milage than Winzip

[nighty5]

I remember when Winzip came out and PkZip didnt really have it together in terms of a GUI, when companies started seeing the benefit of using compression Winzip came along and took most of the market only because it had a half decent GUI, Pkzip's was pretty shoddy, if anything Winzip had better icons heheh.

Not being a troll, but ever sick of the woes of the 2 gig limit on zip's data structure. (I'm in data engineering and usually work with files over 6 gig) Other missing features were not being able to easily click on a few files/dirs and select the size of the volumes (disk span) and save the files to the current dir without sticking in floppies one at a time, poor password/encryption security.

Winrar on the other hand has had their features for years including an 8 gig limit on rar's, (one of the major reasons i *had* to switch) you can also setup policies so each time you create a rar it will follow the policy you setup originally in the configs.

Supports multiple NTFS file/permission streams among other things.

I hope the new PK Inc can live up to some of the features in rar, they may have a good chance...

zip & unzip everytime.

[DrXym]

pkzip/pkunzip were great tools, make no mistake but these days there is little reason to use them unless you're DOS bound. Perfectly fine open source versions exist and the likes of WinZip and XP's own zip folder extension cover the GUI side.

On the subject where the zip format should go, I believe it would be nice to see some new compression algorithms - I believe the header has space to define new types. The bzip2 algorithm would be a lead candidate. It would also be nice to see encryption and signing capabilities incorporated, perhaps based on the Java archive (jar) format.

Another thing that would help compression were if there were something akin to the tar / cabinet file mechanism for compression, where the entire contents and manifest are concatenated and compressed as a single entity rather compressed individually. This would allow for some very tight distributables.

Re:Yes

[tomstdenis]

or just support bzip2?

It beats deflate all the time and is free too.

Tom

Re:Encryption and compression make a lot of sense.

[jonathanclark]

Since a Zip has to be decompressed anyway

While until just recently, this was true - now you can create a "ZIP" file that doesn't decompress. The idea is instead of decompressing the files to disk, a tiny user-mode OS is inserted between the application that needs to use the data and the compressed data. The new OS does transparent decompression/decryption and to the application it appears the files reside on the hard drive. The OS provides streaming decompression so only small blocks are decompressed at a time and the memory requirements are very low. Yes, the data is present in memory in unencrypted form at some point so it is possible to hack - but it provides a pretty good level of data security.

The cool thing is that the archive size is usually the same size as a ZIP, but it runs directly with no install and no decompression time. Usually applications load 2x faster in this state.

This is something I've spent the last year working on. Checkout here