Slashdot Mirror
PGP's New Release, Source Code, and PRZ
Would you buy PGP from this man? Long before Dmitry Sklyarov was arrested for helping people undo e-book encryption, and before DeCSS was unlocking DVDs, Philip Zimmermann was being prosecuted for a nearly opposite endeavor: providing software which allowed ordinary people with a modicum of computer savvy to encrypt their own data in a way impractically difficult even for large government agencies to reverse. His modestly named application Pretty Good Privacy, or PGP, was released in 1991 as freeware and was quickly adopted by privacy seeking computer users.
Export controls then in effect barred international trade in such software; because of PGP's inevitable spread online well past the borders of the U.S., Zimmermann was accused of violating munitions-export laws. For a while, this made Zimmermann a poster boy for the right to create software free of intrusive restraint, and ended up in a three-year battle with the government which Zimmermann eventually won.
Now, in a twist worthy of novelization, Zimmermann has joined a small number of PGP Corporation partners on North America, and will be reselling PGP Corporation's version of PGP. Outside North America, PGP Corporation has sales partners in countries from Germany to Singapore -- in a sense, Zimmermann is simply their most famous salesman. (He also serves on PGP Corporation's technical advisory board and maintains a consulting relationship with the company.)
Sales, though, is really a sideline to Zimmermann's consulting business. "I'm not really switching my career to sales," he says. Zimmermann is nonetheless enthusiastic about his new role selling the software he kick-started more than 11 years ago, though it's a switch from his role in creating it. "I don't write code anymore," he said from his Silicon Valley home office. "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am." Zimmermann downplays the Federal government's legal proceedings against him in the first half of the 90s, calling it "old news" and "years in the past."
Like any large organization, in fact, the Federal government has a need to encrypt certain documents, so it's no surprise that the government bodies of every stripe use "a ton" of PGP. It seems likely that his sales venture means that Zimmermann will soon have come full circle, from producer of verboten software to vendor selling his product to government agencies. Zimmermann admits "It would be funny, and there would be a certain irony if that happens ... I'm hoping to sell to enterprise customers, large users, and that includes the government. If the government wants to buy it from me, that would be fine with me."
Something to sell, and source code, too. PGP's present is finally catching up with its history (try this google search for a number of links): today's release of version 8.0 for Windows and Mac OS X differs not just in name from PGP as it was released under NAI's stewardship, because this time there is full source code to go along with it. (A Linux release is being investigated.)
The 8.0 release doesn't differ in basic purpose from previous versions of PGP: it's still intended as an easy-to-use approach to encryption for both business and personal use, with hooks to a wide range of network operating systems and mail systems; there are several simultaneous releases, actually, from freeware (for non-commercial use) to an Enterprise edition, and the features available vary with the price. There's also a link to download the full source, under certain conditions, from PGP Corporation's home page.
PGP Corporation director of products Stephan Somogyi says he's proud of the way the company has walked the tightrope between source code availability and securing its own interest in the product based on that code.
The license agreement it takes to download source code, however, contains clauses guaranteed to rankle some open-source advocates and security enthusiasts. For instance, part of the third section of the eight-section source code license reads: "You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you."
Another section carefully lists uses of the code which are explicitly prohibited, including a note that a downloader may not "give (meaning sell, loan, distribute, or transfer) the source code files to anyone else" (except under certain outlined circumstances). Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."
Somogyi draws a distinction here between the meaning of an End User License Agreement (EULA) and a source code license such as the one required to download the PGP source. The source code is there, he says, because "PGP [Corporation] is making it clear that we don't have anything to hide and that PGP remains a trusted brand, a trusted codebase."
With nothing more than a click-through license protecting it, there will almost certainly be rogue copies of the source code soon, but as Somogyi puts it, "the only place that anyone who cares about their security is going to get PGP is from us -- no one is going to use some randomly compiled version of PGP, because they don't know the provenance. It's all about trust, from our perspective."
Zimmermann, too, takes pains to note a distinction which sounds similar to one made by Microsoft in describing that company's "Shared Source" source code disclosure. "Publishing source code doesn't mean you've giving away the software -- if you think about it, John Grisham publishes his novels in source code form. Does that mean he's giving up his copyright in them? No. If Microsoft published the source code to Office, does that mean they wouldn't still want money for it? There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away."
Reputation and Propriety. It's hard to say how much of PGP's reputation is really that of its creator.
Zimmerman's insistence on his right to create troublesome code, and on the freedom to encrypt which his software provided its users, endeared him to crypto-libertarians before most of the current battles of software freedom and philosophy had reached public consciousness.
Whereas Zimmermann famously left Network Associates, PGP Corporation seems much more interested in maintaining the integrity of Zimmermann's connection to PGP, which is if anything a tacit admission of Zimmermann's importance to the company's reputation.
"We would be foolish if we did not seek counsel from people who are the best in their fields," says Somogyi. "It's really important that Phil be involved." Zimmermann's presence on the technical advisory board from its inception will probably serve to reassure users worried about corporate machinations.
Should You Buy PGP from this man? When PGP was first released, it was cutting edge -- in the sphere of ordinary computer users, it was a runaway hit. Now there are alternatives to PGP; in the Free software world, these include notably the GNU Privacy Guard (GPG), a suite of tools which aims to be a user-friendly equivalent to PGP consisting entirely of Free software.
Neither Zimmermann nor PGP Corporation's Somogyi seems worried about Free software alternatives to their own products, which can after all still be used free of charge.
"There's still a freeware version of PGP, and there's still going to be a free version of PGP, including the version that's coming out, version 8," says Zimmermann, who actually points to GPG and several other products from his sales web page. "I applaud the creation of GPG, we need to have multiple sources for this kind of technology. But you know, PGP is a good product, I think that it's easier to use."
Somogyi echos this line of reasoning. "Fundamentally I think that the people who use PGP is one group, and the people who use GPG are another, and I don't see a heck of a lot of competition between the two efforts," he says.
Zimmermann says that the prospect of selling PGP, though -- and making money from it -- is key to its prospects for success. "Look at what happened last time when nobody paid for PGP. NAI pulled the plug on the product. From February of this year until August, PGP was in limbo. ... Remember the National Lampoon from 70s, 'Buy this magazine or we'll shoot this dog'? That's what happened. They shot the dog!"
"It takes money to pay the engineers, it takes money to do all this stuff. PGP is a big important product, it doesn't just happen for free." And when NAI dropped PGP development, the software "went into an intellectual property black hole. When a company pulls the plugs on a product, it just disappears. All this political posturing about saying that cryptography should be free, that's all very nice, but it doesn't pay the bills."
I plunked down my cash first thing this morning.
It looks like they're pretty swamped. The download failed, and, after the third try told me that the link had expired.
I guess this means I've got to call their customer service deptartment today. So, you may want to wait a bit before buying. The beta I've got for OS X doesn't expire until 12/06/2002, so I'm not totally screwed yet.
--
the strongest word is still the word "free"
The fact that PGP doesn't work in general in Office XP should be a pretty big bonus (actually I think it even had problems with Office 2000).
The source code to PGP has been available for a long time from pgpi.com. Indeed, there is the freeware copy (it actually links you back to the main PGP page) of PGP 8.0 available there.
Yes. An easy to find example. I believe there was a weakness way back in the early 2.1 - 2.3 versions as well. PGP (USA version) was probably also vulnerable due to some of the RSAref.lib bugs. Source for PGP up to 5i is available.
PGP has been shown to be good secure code. Makeing the source available won't lessen the security. That is the point: peer review will strengthen the code. Phil Zimmerman knows what he is doing.
I'm CONSTANTLY reading about how MS's EULA are so terrible, yet this one prohibits what you can and cannot say about the product and *this* is acceptable? Talk about truly restricting free speech (I don't even know if this is legal). Anyone who buys this has got to be out of their fucking minds. I buy MS stuff (licenses and all), but I wouldn't touch this with a 10 foot pole.
While I applaud your distinction between peer review and open source, I have to ask: How do we know that a binary we're given, and some source code we're given, amount to the same product?
Take "main(){printf("Hello!\n")}" and "main(){printf("%s","Hello!\n")}"
While functionally identical, gcc will compile them into two very different binaries.
In short, there's no way to verify that the source code and the program are the same. Even if the two programs appear to respond to every interaction in the same manner, there's no way to know that there isn't a back door in the pre-compiled version.
And we're prohibited from using the provided source code for anything but verifying a lack of flaws. Legally, we can't buy the program and compile the accomanied source for personal use.
I'm not saying "Don't trust PGP." I'm just pointing out a flaw in their peer-review logic. If they allowed you to use the compiled source for personal use, then all would be well. (Aside from moral compunctions, of course.)
What's this Submit thingy do?
GnuPG ignores ADK packets, incidentally.
The story is absolutely true, and the perpetrator was Ken Thompson, co-creator of Unix. You can read all about it here.
spawn_of_yog_sothoth
Zimmerman sounds reasonable, but I'd dearly love to hear what RMS has to say about this.
I think that both Zimmerman and Stallman are Good Guys.
There's daylight between Zimmerman's source release and the GPL. I think Zimmerman's license intends to accomplish something different than the GPL. "There's no NSA backdoors in here." is different than "Here's the source, send back any improvements you find."
I think the GPL is more realistic in that it acknowledges that (healthy) software is not static. The proof of this conjecture will come when PGP and GPG have been out there for a few years and we see which one has more useful features and fewer bugs.
We'll see.
Here's to real tech journalism on the web. You covered the topic with the details that the Slashdot audience wants and polished it to a level of quality that is worthy of any self-respecting newspaper. If this kind of quality keeps up, I'll definately buy a subscription.
Be warned, editors who post shoddy articles here. This is the standard to which you should aspire. If you write well, you shall be rewarded.
You're the first!