PGP's New Release, Source Code, and PRZ
Would you buy PGP from this man? Long before Dmitry Sklyarov was arrested for helping people undo e-book encryption, and before DeCSS was unlocking DVDs, Philip Zimmermann was being prosecuted for a nearly opposite endeavor: providing software which allowed ordinary people with a modicum of computer savvy to encrypt their own data in a way impractically difficult even for large government agencies to reverse. His modestly named application Pretty Good Privacy, or PGP, was released in 1991 as freeware and was quickly adopted by privacy-seeking computer users.
Export controls then in effect barred international trade in such software; because of PGP's inevitable spread online well past the borders of the U.S., Zimmermann was accused of violating munitions-export laws. For a while, this made Zimmermann a poster boy for the right to create software free of intrusive restraint, and ended up in a three-year battle with the government which Zimmermann eventually won.
Now, in a twist worthy of novelization, Zimmermann has joined a small number of PGP Corporation partners in North America, and will be reselling PGP Corporation's version of PGP. Outside North America, PGP Corporation has sales partners in countries from Germany to Singapore -- in a sense, Zimmermann is simply their most famous salesman. (He also serves on PGP Corporation's technical advisory board and maintains a consulting relationship with the company.)
Sales, though, is really a sideline to Zimmermann's consulting business. "I'm not really switching my career to sales," he says. Zimmermann is nonetheless enthusiastic about his new role selling the software he kick-started more than 11 years ago, though it's a switch from his role in creating it. "I don't write code anymore," he said from his Silicon Valley home office. "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am." Zimmermann downplays the Federal government's legal proceedings against him in the first half of the 90s, calling it "old news" and "years in the past."
Like any large organization, in fact, the Federal government has a need to encrypt certain documents, so it's no surprise that government bodies of every stripe use "a ton" of PGP. It seems likely that his sales venture means that Zimmermann will soon have come full circle, from producer of verboten software to vendor selling his product to government agencies. Zimmermann admits "It would be funny, and there would be a certain irony if that happens ... I'm hoping to sell to enterprise customers, large users, and that includes the government. If the government wants to buy it from me, that would be fine with me."
Something to sell, and source code, too. PGP's present is finally catching up with its history (try this Google search for a number of links): today's release of version 8.0 for Windows and Mac OS X differs not just in name from PGP as it was released under NAI's stewardship, because this time there is full source code to go along with it. (A Linux release is being investigated.)
The 8.0 release doesn't differ in basic purpose from previous versions of PGP: it's still intended as an easy-to-use approach to encryption for both business and personal use, with hooks to a wide range of network operating systems and mail systems; there are several simultaneous releases, actually, from freeware (for non-commercial use) to an Enterprise edition, and the features available vary with the price. There's also a link to download the full source, under certain conditions, from PGP Corporation's home page.
PGP Corporation director of products Stephan Somogyi says he's proud of the way the company has walked the tightrope between source code availability and securing its own interest in the product based on that code.
The license agreement it takes to download source code, however, contains clauses guaranteed to rankle some open-source advocates and security enthusiasts. For instance, part of the third section of the eight-section source code license reads: "You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you."
Another section carefully lists uses of the code which are explicitly prohibited, including a note that a downloader may not "give (meaning sell, loan, distribute, or transfer) the source code files to anyone else" (except under certain outlined circumstances). Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."
Somogyi draws a distinction here between the meaning of an End User License Agreement (EULA) and a source code license such as the one required to download the PGP source. The source code is there, he says, because "PGP [Corporation] is making it clear that we don't have anything to hide and that PGP remains a trusted brand, a trusted codebase."
With nothing more than a click-through license protecting it, there will almost certainly be rogue copies of the source code soon, but as Somogyi puts it, "the only place that anyone who cares about their security is going to get PGP is from us -- no one is going to use some randomly compiled version of PGP, because they don't know the provenance. It's all about trust, from our perspective."
Zimmermann, too, takes pains to note a distinction which sounds similar to one made by Microsoft in describing that company's "Shared Source" source code disclosure. "Publishing source code doesn't mean you're giving away the software -- if you think about it, John Grisham publishes his novels in source code form. Does that mean he's giving up his copyright in them? No. If Microsoft published the source code to Office, does that mean they wouldn't still want money for it? There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away."
Reputation and Propriety. It's hard to say how much of PGP's reputation is really that of its creator.
Zimmermann's insistence on his right to create troublesome code, and on the freedom to encrypt which his software provided its users, endeared him to crypto-libertarians before most of the current battles of software freedom and philosophy had reached public consciousness.
Whereas Zimmermann famously left Network Associates, PGP Corporation seems much more interested in maintaining the integrity of Zimmermann's connection to PGP, which is if anything a tacit admission of Zimmermann's importance to the company's reputation.
"We would be foolish if we did not seek counsel from people who are the best in their fields," says Somogyi. "It's really important that Phil be involved." Zimmermann's presence on the technical advisory board from its inception will probably serve to reassure users worried about corporate machinations.
Should You Buy PGP from this man? When PGP was first released, it was cutting edge -- in the sphere of ordinary computer users, it was a runaway hit. Now there are alternatives to PGP; in the Free software world, these include notably the GNU Privacy Guard (GPG), a suite of tools which aims to be a user-friendly equivalent to PGP consisting entirely of Free software.
Neither Zimmermann nor PGP Corporation's Somogyi seems worried about Free software alternatives to their own products, which can after all still be used free of charge.
"There's still a freeware version of PGP, and there's still going to be a free version of PGP, including the version that's coming out, version 8," says Zimmermann, who actually points to GPG and several other products from his sales web page. "I applaud the creation of GPG, we need to have multiple sources for this kind of technology. But you know, PGP is a good product, I think that it's easier to use."
Somogyi echoes this line of reasoning. "Fundamentally I think that the people who use PGP is one group, and the people who use GPG are another, and I don't see a heck of a lot of competition between the two efforts," he says.
Zimmermann says that the prospect of selling PGP, though -- and making money from it -- is key to its prospects for success. "Look at what happened last time when nobody paid for PGP. NAI pulled the plug on the product. From February of this year until August, PGP was in limbo. ... Remember the National Lampoon from the '70s, 'Buy this magazine or we'll shoot this dog'? That's what happened. They shot the dog!"
"It takes money to pay the engineers, it takes money to do all this stuff. PGP is a big important product, it doesn't just happen for free." And when NAI dropped PGP development, the software "went into an intellectual property black hole. When a company pulls the plugs on a product, it just disappears. All this political posturing about saying that cryptography should be free, that's all very nice, but it doesn't pay the bills."
If he can get corporations and individuals to buy his product, then where is the harm? I wish him the best of luck on trying to profit from his creation. Of course, the license is very prohibitive, but I don't see that as being a major factor affecting sales.
- Rick
www.bluealien.org
Prophets of the Blue Alien
OK, I can now buy the software for personal use, but I can download the source for free (for review, yada yada yada). Anyone see a problem with this logic?
I'm an American. I love this country and the freedoms that we used to have.
on publishing vulnerabilities or bugs, but at least they're making it possible, as long as you let them know, etc. Some of the more radical "full-disclosure at any cost instantly" types will rankle at this, but I think most will look at it as it is: the company that has to maintain the software covering their butts as well as they can.
It could have just said "you're not allowed to publish any problems you find, period."
I'd be more comfortable with this if there was an absolute cap that did not depend on the acknowledgement. As written, it would seem to allow PGP to freeze the clock indefinitely by simply not responding.
/. If the government wants us to respect the law, it should set a better example.
OK, as a corporate user with a Win2k machine using Outlook, is there any significant reason to upgrade to 8.0 from whatever I'm using now and have used for a year or so? I know the article says there aren't significant changes, but I'd be interested in what specifically is better / improved.
Has PGP *ever* been broken, hacked? Could it now that the source code has been released?
"Mother, should I run for President? Mother, should I trust the government?"
I plunked down my cash first thing this morning.
It looks like they're pretty swamped. The download failed, and, after the third try told me that the link had expired.
I guess this means I've got to call their customer service department today. So, you may want to wait a bit before buying. The beta I've got for OS X doesn't expire until 12/06/2002, so I'm not totally screwed yet.
--
the strongest word is still the word "free"
How well does PGP 8 compare to GPG (or vice versa)?
I know GPG can't do some forms of encryption/decryption because of copyright schemes, but if this has the source being released maybe we will see some more competition between GPG and PGP, or is the license for PGP too restrictive?
PGP must be good encryption. I've been trying to brute force decrypt the phrase "zimmermann" and I've had no luck at all so far.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Shouldn't PGP be labeled as evil, since it isn't open source?
Managing disclosures of security flaws may be a good thing if you intend to fix them, but their policy doesn't mention what happens if they decide to sit on the problem instead.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Sure, why not? Especially in an enterprise solution, where the PGP Corporation can personalize the software for each customer.
Open source != Open source, though?
While a lot of OSSes are going to get their panties in a bunch, note that it is still possible to study the code and write new code based on the *concepts* that you learned about encryption. I don't know how to write encryption, but if I were to learn, I'd love to study robust professional code for free.
Voodoo Girl is the bomb!
Check out RedHat. You can download everything for free, even in ISO image format. Or you can go to Fry's and plunk down $50 for the exact same thing. This business model actually works. Not everyone wants to go get a compiler and compile the source from scratch.
so is GPG. If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. Uncrackable files don't mean much when traffic analysis shows email to the Cali cartel and cyber-cafés in Pakistan.
But, just like the NRA sorts, who cling to the illusion that their pre-ban AR-15 will protect them against the black helicopters, PGP users delude themselves into thinking they're making a heroic stand for freedom, when in reality, no one cares about their encrypted plans to sleep in line for the Two Towers premiere.
Thank you. I'll be here all week. Remember to tip your waiting staff.
Do not click
I sure hope the pending SDK has support for the latest version of Java. I have yet to get the latest version of Cryptix OpenPGP to work with the J2SE v 1.4.1.
The source code to PGP has been available for a long time from pgpi.com. Indeed, there is the freeware copy (it actually links you back to the main PGP page) of PGP 8.0 available there.
I fail to see how the PGP vs. GPG question isn't settled on this very point. PGP won't even run on many platforms, so any ease-of-use claims should be dismissed out of hand on that basis alone. The choice is really between GPG (which is being actively developed) and freeware PGP (which looks to be getting pretty old). That isn't much of a choice.
Go ahead and flame away...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
... PGP 7.0 had the annoying problem that the firewall / network filtering stuff it wanted to install would completely hose XP's network stack.
Oh, and if you ran the un-installer, trying to fix it, it would remove the TCP/IP stack from XP altogether (even though that's not supposed to be possible).
If you rolled back using the XP Configuration tool, it was all OK. If you tried to reinstall XP's TCP/IP stack alone, or repair it using the install disk, you got mightily screwed by the fact that XP doesn't do a proper TCP/IP reinstall, coupled with the fact that when you run this reinstall/repair, it blows away your ability to roll back to a good configuration.
OUCH...
Of course, if you installed it without the network stuff, it was OK, and just makes XP occasionally pop up messages saying that the SDK driver is unavailable.
Eloi, Eloi, lema sabachtani?
www.fogbound.net
..to thwart Total Information Awareness
Be Patriotic: Impeach George W. Bush
Cheers,
Woot
and the utilities and credit card companies get pissed if you staple the check to the bill.
Christmas time and ebaying are about the only time of year I mail non-bill stuff.
If they have an automated reply-thingie that goes something like "Thank you for your mail. We'll be looking into it as soon as possible. Your reference no for this mail is #34524" and the 30 day limit starts there, I like it. If they can arbitrarily delay it or pretend they didn't get it, I don't.
Kjella
Live today, because you never know what tomorrow brings
I'm CONSTANTLY reading about how MS's EULA are so terrible, yet this one prohibits what you can and cannot say about the product and *this* is acceptable? Talk about truly restricting free speech (I don't even know if this is legal). Anyone who buys this has got to be out of their fucking minds. I buy MS stuff (licenses and all), but I wouldn't touch this with a 10 foot pole.
That is Phil Zimmermann. My apologies.
The opposite of this post would be a very short post with lots of pictures about writing a novel.
Anyone else have a problem with this? OK, I download source code, verify it looks fine, but if I want to use the program, I need to buy/download the binary from them -- whose binaries may not necessarily be compiled from the source code I verified to my satisfaction.
(Thank god for GNU and gpg, no strings attached beyond that "nasty" "viral" (sarcasm) GPL)
p.s. I guess we won't be seeing THIS product as part of gentoo! :)
Tempest is the technology to protect you from Van Eck Monitoring, which is the term describing using electromagnetic emission reproduction with big assed antenna setups and a monitor. Key sniffers operate from the OS, not "in your keyboard". Unless you think that "H4X0rz STLOE MY MEGAHURTZ!!1" like JeffK would say.
A lot of people have posted comments to the effect of "If they want to get at your secret email, they will anyway despite PGP". Don't forget that GnuPG/PGP has a huge other use as well. OpenPGP signatures are what protects a huge number of software packages from tampering.
The recent trojanings of OpenSSH, etc, would have been caught even earlier if users had checked the OpenPGP signature distributed along with the tarball.
Umm no. Not that I use letters much anymore, e-mail / IM / phone covers most of my informal contact needs. When I send a letter in an envelope it's because:
- I'm sending something too long to fit on a postcard
- I'm attaching something (photos, birthday card)
- It's typed up on my computer, and my printer doesn't handle postcards well
- The receiver expects a letter (say a job application)
Granted, there are a few times when I want an envelope for privacy reasons. But that's far from the only reason.
Kjella
Live today, because you never know what tomorrow brings
Impeachment is for holders of public office. Dubya is just a squatter and should be evicted.
You know - when PGP was owned by NAI I had no qualms just warezing it. I loved PGP disk and a few other PGP things. Just quick encryption of files was nice. A little tighter incorporation with Outlook and taking up fewer resources would be very cool.
Now that PGP's not owned by NAI, I really want to own and use and promote this product. I however have no money as a college student. However, as a college student I think I would REALLY benefit from PGP. Not only keeping email between advisors and other students encrypted but also just keeping my personal records safe on the "wonderfully" secure campus network.
Anyhoo, just my thought trinkles.
The ultimate network admin tool needs HELP!
Cheers,
F.
Notepad specialist & FAT administrator, group training available
The objective is not to create perfect security (which is, as you correctly say, not possible). The objective is to make your security good enough for most practical purposes.
Yes, the government can use various sorts of surveillance measures to get your messages anyway. However, requiring trained personnel to set up monitoring vans or do black-bag jobs limits the total number of surveillance targets. That makes wide-ranging fishing expeditions impractical, and inhibits abuse by bored or vindictive individuals. Also, it leaves a bigger trail (more memos, more people directly involved) to be traced if -- OK, when -- the government does break the law.
/. If the government wants us to respect the law, it should set a better example.
back in the '90s. Does this mean I get a discount?
Anyone else think it's expensive? $80 for Windows for one year, or $165 for a perpetual license. Ouch!
PGP Desktop (Windows) Price: $80.00 and that entitled you to "own" the license for a single year FFS. That's a lot of money IMO. $30-$40 I'd gladly pay, after all it's a great product and Phil is a clever bloke. But $80 is too much when I can get the same functionality from the old free version or the completely free GNU version.
To me, there's a more important, significant use of PGP than privacy. One of the biggest obstacles to *really* doing business over the internet is being able to verify where messages come from. PGP provides this. A PGP signed message is as good as a signed piece of paper.
I never cease to be amazed at how this aspect of PGP is never discussed. I guess all the stupid, nose-picking, trainspotting geeks all over the world really can't see beyond the government prying into their porn collections.
If you compile your own version, you have a program based on the PGP source code that understands the PGP file formats and protocols, but by trademark law you can't actually call it "PGP"-- the trademark name is reserved for the official distribution only. That's the same reason CheapBytes has to sell their copy of Red Hat's Linux distribution images under the name "Pink Tie Linux"-- so people know up front that it's not the official Red Hat distribution.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
Iggy Pop for President!
we use (or advocate the use of) gpg to encrypt and auth sensitive data for our servers. this is not to protect the files from the gov't, it's to stop data with a high monetary value from being stolen. most of us at work at least have gpg configured.
we usually recommend pgp for less technical users - of which there are far more than on the server side. so pgp would get more sales from us due to gpg. i hope they sell lots of their s/w and make it even easier to use - it would really help us if less technical people were more exposed to pgp.
US Citizen living abroad? Register to vote!
You could say the same thing about Windows. Granted, for the people who know of them, PGP Corp has a better reputation.
What's this Submit thingy do?
From reading their site, it sounds like they are now using XP-like product activation. You enter your license key, then it contacts their servers to validate your license.
OK, maybe this is the wrong place to ask this question, but I've searched the web and have not found what I'm looking for. Has anyone ported the newer PGP (6.5.8+) to Java using JNI? I'd really like to programmatically use PGP in Java without using a command-line.
And I'm a lazy bastard who doesn't want to port it myself. I've got enough other coding on my plate to work on...
TIA...
"You cannot find out which view is the right one by science in the ordinary sense." - C.S. Lewis on Intelligent Design
Wow, I'm impressed with their sense of business!
If you just had one ounce of brain matter, you'd realize that this link points to Amazon. Would Amazon ever put up filthy pictures on their site?
Shut the fuck up you un-American bastard. I've had enough of America-bashing and Bush-bashing on Slashdot. It's time your kind was put in its place!
Support America, support our duly elected President! We may not agree with everything he does or says, but he is our leader, and we will give him the respect that he deserves! Anything less is unpatriotic, and un-American.
My father fought in World War II. My older brother fought in Korea. I served in the Army-- as a Ranger-- but was never called upon to fight for my country. I have personally shown my commitment to fight and, if necessary, sacrifice my own life to defend your right to make these kinds of statements. But that doesn't mean I have to like it!
SO SHUT THE FUCK UP YOU UNGRATEFUL PRICK!
when I can get the same functionality from the old free version or the completely free GNU version.
Yes, but PGP is a GUI app that can talk to Outlook Express, and last time I checked, GnuPG was a command-line app.
( /me checks the list of front-ends for Windows )
Apparently, somebody has made a GnuPG frontend for Outlook Express since I last looked. But what about Mozilla? Does enigmail work with Mozilla 1.2.1?
Will I retire or break 10K?
Hey, Bill Clinton used up a lot of my upload bandwidth. I simply had to do something about it.
I can't think of any reason to prefer PGP to GnuPG, and there are some reasons (already pointed out) for preferring GnuPG to PGP.
So, overall, I can't see why anyone would use PGP.
Zimmermann made a great contribution, deserves tremendous credit for what he did, but as he says himself, it's all history.
Guess what dude, this comes under the heading of freedom of speech and last time I looked, the Constitution allowed me to do just that. And does that make me unpatriotic? Not in my book, dissenting views ultimately created this Nation. Remember?
Oh, if you want to make a point, then do so with a reasoned and intelligent response. Why is dissension bad? How is speaking your mind in disagreement with leadership un-American? Because you said so? Hmmm.
I appreciate your comments and have only one comment.
You state:
We may not agree with everything he does or says, but he is our leader, and we will give him the respect that he deserves! Anything less is unpatriotic, and un-American.
Would you please point out the "disrespect" in my comments. My desire to have him impeached does not necessarily mean I disrespect him even though I know he is a moron and has difficulty completing a sentence.
Thank you and have an Afghan heroin-inspired evening.
Yours very truly,
Woot
PGP may be keeping with a freeware version in name, but not in form. The beta version had PGPDisk and Outlook integration.
"PGP Freeware does not include any plug-ins for integration with electronic mail or instant messaging clients, nor does it include PGP Disk."
Too bad, too...even though I'm running WinXP, I was able to use the older freeware version with Outlook. Maybe I'll be reverting back to it.
Well, duh. However, PGP might just protect my trade secrets from being intercepted by a competitor. PGP might also protect my medical information from a private detective trying to dig up some dirt on me for a bitter ex-spouse. Competitors and private detectives don't have the resources of the United States government and PGP works just fine against them. Furthermore, PGP has most certainly been successfully used to protect human rights workers from clumsy oppressive governments. If that's not a great accomplishment, I don't know what is.
Great, I was looking for an opportunity to debug someone else's commercial software for free!
I applaud his efforts toward transparency, and restricted source is better than no source. But if I'm thinking of putting some effort into improving some software for my own use, it's an easy choice between GPG and PGP. With GPG, I know that my changes and the code that my changes are based on will be available to myself forever, and I can share my changes with others if the official source goes away.
Get over it and get a real mail client.
What do you define as a "real mail client" on the Microsoft Windows platform?
Anyone who uses OE has no right to whine about anything.
That's why I asked about Mozilla. There's apparently a well-known Mozilla plug-in, called "enigmail", that provides PGP services in Mozilla's mail component, but it doesn't work with all versions of Mozilla. My question was whether or not there was a way to use GnuPG with recent releases of Mozilla, such as 1.2.1.
Will I retire or break 10K?
mod this one up...absolutely captures the essence of /.
Regardless of the wording of the click-through license, they would have a VERY hard time convincing a court that you were not acting in good faith if you can produce hard physical evidence that you did in fact notify them N days in advance of disclosing the bug publicly.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
A PGP signed message is as good as a signed piece of paper
Possibly in the legal sense where you have the authority to take action, like billing the person or shipping a product, but not in terms of real authentication. Forging a signature (especially one unfamiliar to you) is easy, but a PGP signed message requires knowledge of a passphrase. I have more trust in the PGP signed message.
(from a person whose mother "signed" a lot of notes to excuse him from days in high school)
-- Solaris Central - http://w
Yes, I know the whole idea of key escrow and ADK are seen as horrible invasions of privacy by personal users, however, these features have a valid business purpose in a corporate enterprise deployment and are mandatory for certain types of business communication.
I do not deploy Linux. Ever.
I bought it. Not for me. GPG is good for me. I bought it for a group of morons i call the dream team, because even they can use it successfully. I applaud the effort, and I too wish him the best of luck. What a fantastic product.
The problem with PGP is that it has a very robust freeware alternative. No one in the Linux/Free Software world is going to end up paying for PGP when they can have GnuPG. As far as the difficulty of the command line goes, I came across a script that makes GnuPG much more usable when compared to the plain command line version. It is in Perl and runs on Windows and Linux. See http://www.geocities.com/jvenu/software/gpgd.pl for it. My guess is that PGP will only get used in large corporations where the need to "sue someone" is paramount over all else.
I got the email with the link, but the page the link points to says "No Download" where I presume the download link should be.
Well, they say anything worthwhile is worth waiting for, right?
Wook
George W. Bush can't even say "functionally illiterate".
For signatures to work, you need to trust the other person's key, that means both that it really is who it says it is (which requires a web of trust, which presents significant problems and scalability issues), plus the other person must be trusted to keep their private key safe and their password protected. That is hard enough on a single user machine, but becomes almost impossible if you want to send a message while you're mobile (e.g. an Internet cafe is right out).
The two are interlinked as well, if someone in your web of trust is not secure, by trusting their key to some degree, you are also potentially tainting the authenticity of other keys.
If OpenPGP were a more widely used standard, it would be nice to be able to get your keys signed by respectable authorities (i.e. the functional equivalent of SSL authorities). Many of the SSL key vendors also do personal certificates, but they aren't really in an especially useful form for PGP type stuff.
Chris "Ng" Jones
cmsj@tenshu.net
www.tenshu.net
If you encrypt a file, then scramble the bytes, then encrypt that result with another encryption method, there is no way to crack the result. "Cracking" depends on playing by the rules and using only a known encryption method. Cryptographers use mathematical methods to try to break encryption; these methods are not available when chaining is used.
To use the chain encryption method, you must secretly communicate the scramble-descramble method and encryption process to anyone who is allowed to decrypt the file, and the method and process must be kept secret. That's a big drawback in some cases, and not in others.
Zimmermann sounds reasonable, but I'd dearly love to hear what RMS has to say about this.
I think that both Zimmermann and Stallman are Good Guys.
There's daylight between Zimmermann's source release and the GPL. I think Zimmermann's license intends to accomplish something different than the GPL. "There's no NSA backdoors in here." is different than "Here's the source, send back any improvements you find."
I think the GPL is more realistic in that it acknowledges that (healthy) software is not static. The proof of this conjecture will come when PGP and GPG have been out there for a few years and we see which one has more useful features and fewer bugs.
We'll see.
So you are saying that PGP signatures aren't foolproof. That may be true, but neither are pen and ink signatures. Furthermore, PGP secret keys can be password protected, while anyone can use a copy machine or tracing paper.
"Even after the events of the last year, government in general still seems to have the resources to be a greater threat to us than all the Islamic malcontents in the world put together."
You don't live in New York City do you?
Let's have a vote:
Everyone here from NYC, would you rather trust the government to not crash planes into your remaining skyscrapers, or the terrorists?
Everyone from Oklahoma City, similar question.
Everyone else in the US, who do you trust more, Uncle Sam or Osama?
Everyone not in the US, and not a terrorist?
Finally, all the terrorists reading Slashdot, who do you trust more to ensure you get to live to 100 years old? Osama picked 19 schmucks, and convinced them to not live to 50.
I liked your pic on your Magic card. Johan was great too. **sniff** Those were the days.
For the use I've had out of freeware and compiled-from-source versions of PGP over the years, this is a no-brainer. PGP has been invaluable to me for a long time.
Come on PGP users, put your money where your privacy is!
-----
PGP Key ID 0xCB8FF658
The "whole new algorithm" is just changing the byte scrambler. Scrambling the bytes in 512 byte chunks is very easy and fast, and there are a huge number of ways of doing this. Note that the scrambling method can depend on the 326th letter of the last email message received, or something like that.
If the chaining algorithm is compromised, the attacker must still attack the underlying encryption.
Also, your private key is stored somewhere. You can store the scrambling algorithm in the same place.
Note that chaining does not depend on encrypting the file twice. Just encrypting once and scrambling the bytes (and removing the file identifying bytes) is enough to harden an encrypted a file against mathematical attack.
The entire problem with scrambling is that it is not possible to distribute the scrambling method publicly. Public-key encryption allows distributing the public key. The scrambling method requires delivery in person, or by some other trusted manner.
FYI: Network Associates kept the rights to their eBusiness Server when they sold the rights to the desktop version of PGP to the new PGP Corporation. eBusiness Server is used by many corporations to automate their PGP encryption for batch processes, SOAP servers, etc.
Even when (If!) the Gnu GPG group decides to release a library/DLL version of their privacy tool, I suspect a fair number of companies will continue to use the NAI product in order to avoid having to deal with the Bureau of Industry and Security in the US Department of Commerce for exporting their own compiled encryption software.
That license doesn't make sense. Let's see:
1. You can use the binary they compiled.
2. You can compile the source, but not use it.
3. Source is provided to verify lack of backdoors.
4. That means that the source should produce the binary you get on their site.
5. Therefore, both binaries are identical so different use restrictions are nonsense.
7. Somebody mentioned here that while they provided information about the build environment, attempts to get an identical binary weren't successful.
8. All this seems to indicate there's a quite strong possibility of PGP being backdoored.
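Steps 4 and 7 above are the core of the argument: publishing source to prove the absence of a backdoor only helps if an independent build reproduces the shipped binary, so the check worth doing is a byte-for-byte comparison and, on mismatch, a look at *where* the bytes differ. The following is an added example written for this thread, not code from the poster, from PGP Corporation, or from any build system; it hashes a vendor binary and a local build (both constructed byte strings here, standing in for real executables), lists the differing byte ranges, and flags ranges that sit inside a printable string shaped like a compiler `__DATE__`/`__TIME__` stamp, which is a common and benign source of non-reproducibility, as distinct from differences in code bytes.

```python
"""Compare a vendor binary with a local build of the published source
(added example, not from the thread or PGP Corporation).

verify_build() reports whether the two files are identical and, if not,
which byte ranges differ and whether each looks like a timestamp string
or is an unexplained difference that needs a closer look.
"""
import hashlib
import re

# Shapes produced by C compilers for __DATE__ ("Nov 24 2002", "Dec  3 2002")
# and __TIME__ ("13:05:10").
DATE_RE = re.compile(rb"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d{4}\b")
TIME_RE = re.compile(rb"\b\d{2}:\d{2}:\d{2}\b")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes):
    """Return [(offset, length)] for each maximal run of differing bytes.
    A length mismatch is reported as a final run starting at the shorter length."""
    ranges, start = [], None
    n, longer = min(len(a), len(b)), max(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, longer - start))
    elif len(a) != len(b):
        ranges.append((n, longer - n))
    return ranges


def printable_span(data: bytes, pos: int):
    """Expand pos left and right over printable ASCII; (pos, pos) if none."""
    lo = hi = pos
    while lo > 0 and 0x20 <= data[lo - 1] <= 0x7E:
        lo -= 1
    while hi < len(data) and 0x20 <= data[hi] <= 0x7E:
        hi += 1
    return lo, hi


def explain_diffs(vendor: bytes, local: bytes):
    """Classify each differing run as 'timestamp-like', 'unexplained' or 'size-mismatch'."""
    findings, seen = [], set()
    for off, length in diff_ranges(vendor, local):
        if off >= len(vendor) or off >= len(local):
            findings.append((off, length, "size-mismatch"))
            continue
        lo, hi = printable_span(vendor, off)
        key, span = ((lo, hi), (lo, hi - lo)) if hi > lo else ((off, off + length), (off, length))
        if key in seen:
            continue  # several runs inside one string are reported once
        seen.add(key)
        text = vendor[lo:hi]
        kind = "timestamp-like" if hi > lo and (DATE_RE.search(text) or TIME_RE.search(text)) else "unexplained"
        findings.append((span[0], span[1], kind))
    return findings


def verify_build(vendor: bytes, local: bytes) -> dict:
    identical = sha256_hex(vendor) == sha256_hex(local)
    findings = [] if identical else explain_diffs(vendor, local)
    return {
        "identical": identical,
        "vendor_sha256": sha256_hex(vendor),
        "local_sha256": sha256_hex(local),
        "findings": findings,
        "only_timestamps": (not identical) and all(k == "timestamp-like" for _, _, k in findings),
    }


# Constructed stand-ins for executables: a header, a build-stamp string, then code bytes.
HEADER = b"\x7fELF" + b"\x00" * 12 + b"pgp-core\x00"
CODE = b"\x55\x48\x89\xe5" + b"\x90" * 28 + b"\xc3"
VENDOR_BIN = HEADER + b"built Nov 24 2002 13:05:10\x00" + CODE
LOCAL_BIN = HEADER + b"built Dec 03 2002 09:41:27\x00" + CODE          # same code, new stamp
LOCAL_BIN_ALTERED = HEADER + b"built Dec 03 2002 09:41:27\x00" + CODE[:10] + b"\xcc" + CODE[11:]

if __name__ == "__main__":
    for name, local in (("rebuild", LOCAL_BIN), ("altered rebuild", LOCAL_BIN_ALTERED)):
        r = verify_build(VENDOR_BIN, local)
        print(name, "identical:", r["identical"], "only timestamps:", r["only_timestamps"])
        for off, length, kind in r["findings"]:
            print(f"  offset {off}, {length} byte(s): {kind}")
```

A rebuild that differs only in its embedded date is still not proof of equivalence, but it narrows the question to one string; an unexplained difference inside the code bytes is what would need disassembly before anyone could say the shipped binary matches the published source.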
Here's to real tech journalism on the web. You covered the topic with the details that the Slashdot audience wants and polished it to a level of quality that is worthy of any self-respecting newspaper. If this kind of quality keeps up, I'll definitely buy a subscription.
Be warned, editors who post shoddy articles here. This is the standard to which you should aspire. If you write well, you shall be rewarded.
It's a fucking goatse.cx link. Sick fuck.
Anyone notice this co-incidence before?
http://www.archives.gov/digital_classroom/lessons/zimmermann_telegram/zimmermann_telegram.html
There was only one point: Scrambling prevents a mathematical attack.
Dear Sir;
I regret to inform you that you have no idea what you are talking about. I am using PGP Freeware version 7.0.3 to communicate with family members. My parents use Office XP (with Outlook XP as their mail client) on Windows 2000, my in-laws use both Office 97 (Outlook 98) and Office 2000 (Outlook 2000) on Windows 98, and I use Office 2000 (yup, Outlook 2000 again) on Windows 2000. There have been no problems -- zero, zilch, none. Encrypting an email is a one-button affair; PGP adds a simple set of three buttons to the taskbar, one of which is "Encrypt Before Sending." Reading a message is as simple as opening it -- you get a dialog for your passphrase, and that's it.
To borrow a phrase, "It just works."
I will occasionally get a phone call to provide tech support for WordPerfect Office, but I have never had a complaint -- or even a question -- about PGP.
I am very curious about exactly what you were thinking when you started the FUD machine.
I have purchased PGP before. Now that NAI is out of the picture, I will do so again -- this ought to make a nice stocking-stuffer, burned onto 3-inch CDs.
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Mind
I regret to inform you that you have no idea what you are talking about.
Well thank you captain for informing me that the fact that PGP 7 does not properly integrate with the Outlook 2002 (Office XP) I'm looking at in front of me is all just an illusion in my head. Indeed, do a search on Google or Deja and it is verified, hundreds of times over, that 7.0.3 in particular is trashed in Outlook XP: They are not compatible. On top of that the problems encountered in the case where I selected PGP and had it installed company wide, to find that it did not properly integrate with Outlook 2002, was again all just an amazing mystery in my head.
I am very curious about exactly what you were thinking when you started the FUD machine.
Interesting seeing that one of the big features of PGP 8 over PGP 7 is support for Office XP. Gee, I wonder why they'd say that?
Normally I'd just ignore an ignorant moron such as yourself, but your righteousness in replying just blows me away. To proclaim FUD is especially laughable when I'm not scaring people away from PGP, but rather saying that PGP 8 is a nice upgrade. Learn when to cry FUD you fool.
Go away.
-
"...the fact that PGP 7 does not properly integrate with the (sic) Outlook 2002 (Office XP)..."
Interesting choice of words ("properly integrate")... are you taking that to mean "works the way I fantasized it would" or "works the way it was designed to"? There's a difference. This "moron", as you are so quick to label me, managed to get PGP 7.0.3 working with Outlook XP without a hitch. That doesn't lend much weight to your assertion that it doesn't work. Denying the facts won't make them go away.
- "...in the case where I selected PGP and had it installed company wide, to find that it did not properly integrate with Outlook 2002..."
Am I supposed to assume you're some sort of IT wizard and not question your anecdotal assertions because of that statement? That's not going to happen. Further, you just admitted you're the moron. You deployed it, and then found problems. That's why people use test labs -- even for small businesses, test first, then deploy.
Since you were so insistent about it, I searched Google. In the first few pages of hits, I found several articles about PGP 8, some news about (now patched) possible security holes, and what appear to be several warez sites. Odd that I didn't find the numerous tales of woe that you did...
Now, about that Fear, Uncertainty, and Doubt bit... Masonbrown wrote:
- "...as a corporate user with a Win2k machine using Outlook, is there any significant reason to upgrade to 8.0 from whatever I'm using now..."
And you replied:
- Your statement offers no supporting facts.
- "...doesn't work in general..." is laughable in light of the ease with which I managed to install and use it.
- If you read his post again, you'll notice he's successfully using a PGP version that is not 8.0.
- Reading it, a user will be uncertain and doubt whether or not their current version of PGP will work -- perhaps spending money on an unnecessary upgrade.
- Further, you're spreading the fear of "problems" with Office 2000. "Gee... I've been using it, God knows what has been going wrong behind my back..."
Congratulations, you've spread FUD.
I have demonstrated a working system. You claim it won't work, and call me a moron. You can't dispute the facts, so you attack the messenger. (That's step 2 in the FUD manual.) I suggest you RTFM, install the patches, and try again. (And no, I won't go away.)
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Mind
While functionally identical, gcc will compile them into two very different binaries.
Uh... no. The first will print "Hello!
" and the second will print "Hello!\n".
Well, PGP 8 won't run on my OS X machine (10.1), and I can't fix it myself using the source code because of the stupid license.
GPG works, however.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
I thought I said quite plainly that our government in the US has good intentions for us. They also have the ability to do us far more harm than Osama ever could. Partly that's because we trust our government, partly that's because our government is keeping a lid on Osama and company.
I don't think we should change that second reason: we definitely want our government to continue keeping after the terrorists. I do think that we should never trust our government blindly; not when they're doing us good, not when they're chasing terrorists, in fact, just plain never.
Think about this: if we were in Afghanistan before the US invasion, the roles of Osama and the US government would have been reversed, more or less: the US would have seemed threatening but powerless, while the Osamites might have seemed less malevolent, since they professed good intentions, but immediately dangerous. The Afghanis couldn't TRUST either, but they had to watch out for the Osamites.
See what I've been reading.
"I have personally shown my commitment to fight and, if necessary, sacrifice my own life to defend your right to make these kinds of statements. But that doesn't mean I have to like it!
SO SHUT THE FUCK UP YOU UNGRATEFUL PRICK!"
Talk about contradictions.
First, you say you are ready to sacrifice your life for the almost unrestricted freedom of speech.
Second, he's exercising that right (what he's saying is irrelevant) but you're asking him to STFU (restrain himself from using that right)!!!
Like you said, you may not like it but you can't ask him to shut up about it.