PGP's New Release, Source Code, and PRZ

In high tech time, the span between Network Associates dropping PGP, its purchase by the purpose-formed PGP Corporation and that company's release today of PGP 8.0 may not be a short stretch, but it's been a busy several months. A product which appeared moribund despite widespread acclaim a few years earlier -- a victim of skewed corporate logic -- has rebounded for another major release, and Philip Zimmermann is doing something he's never done before: actually selling PGP. And as Zimmermann had urged long before NAI forged a deal with PGP Corporation, this time around the full source code is being released, albeit with strings. Read on for the rest of the story.

Would you buy PGP from this man? Long before Dmitry Sklyarov was arrested for helping people undo e-book encryption, and before DeCSS was unlocking DVDs, Philip Zimmermann was being prosecuted for a nearly opposite endeavor: providing software which allowed ordinary people with a modicum of computer savvy to encrypt their own data in a way impractically difficult even for large government agencies to reverse. His modestly named application Pretty Good Privacy, or PGP, was released in 1991 as freeware and was quickly adopted by privacy seeking computer users.

Export controls then in effect barred international trade in such software; because of PGP's inevitable spread online well past the borders of the U.S., Zimmermann was accused of violating munitions-export laws. For a while, this made Zimmermann a poster boy for the right to create software free of intrusive restraint, and ended up in a three-year battle with the government which Zimmermann eventually won.

Now, in a twist worthy of novelization, Zimmermann has joined a small number of PGP Corporation partners on North America, and will be reselling PGP Corporation's version of PGP. Outside North America, PGP Corporation has sales partners in countries from Germany to Singapore -- in a sense, Zimmermann is simply their most famous salesman. (He also serves on PGP Corporation's technical advisory board and maintains a consulting relationship with the company.)

Sales, though, is really a sideline to Zimmermann's consulting business. "I'm not really switching my career to sales," he says. Zimmermann is nonetheless enthusiastic about his new role selling the software he kick-started more than 11 years ago, though it's a switch from his role in creating it. "I don't write code anymore," he said from his Silicon Valley home office. "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am." Zimmermann downplays the Federal government's legal proceedings against him in the first half of the 90s, calling it "old news" and "years in the past."

Like any large organization, in fact, the Federal government has a need to encrypt certain documents, so it's no surprise that the government bodies of every stripe use "a ton" of PGP. It seems likely that his sales venture means that Zimmermann will soon have come full circle, from producer of verboten software to vendor selling his product to government agencies. Zimmermann admits "It would be funny, and there would be a certain irony if that happens ... I'm hoping to sell to enterprise customers, large users, and that includes the government. If the government wants to buy it from me, that would be fine with me."

Something to sell, and source code, too. PGP's present is finally catching up with its history (try this google search for a number of links): today's release of version 8.0 for Windows and Mac OS X differs not just in name from PGP as it was released under NAI's stewardship, because this time there is full source code to go along with it. (A Linux release is being investigated.)

The 8.0 release doesn't differ in basic purpose from previous versions of PGP: it's still intended as an easy-to-use approach to encryption for both business and personal use, with hooks to a wide range of network operating systems and mail systems; there are several simultaneous releases, actually, from freeware (for non-commercial use) to an Enterprise edition, and the features available vary with the price. There's also a link to download the full source, under certain conditions, from PGP Corporation's home page.

PGP Corporation director of products Stephan Somogyi says he's proud of the way the company has walked the tightrope between source code availability and securing its own interest in the product based on that code.

The license agreement it takes to download source code, however, contains clauses guaranteed to rankle some open-source advocates and security enthusiasts. For instance, part of the third section of the eight-section source code license reads: "You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you."

Another section carefully lists uses of the code which are explicitly prohibited, including a note that a downloader may not "give (meaning sell, loan, distribute, or transfer) the source code files to anyone else" (except under certain outlined circumstances). Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."

Somogyi draws a distinction here between the meaning of an End User License Agreement (EULA) and a source code license such as the one required to download the PGP source. The source code is there, he says, because "PGP [Corporation] is making it clear that we don't have anything to hide and that PGP remains a trusted brand, a trusted codebase."

With nothing more than a click-through license protecting it, there will almost certainly be rogue copies of the source code soon, but as Somogyi puts it, "the only place that anyone who cares about their security is going to get PGP is from us -- no one is going to use some randomly compiled version of PGP, because they don't know the provenance. It's all about trust, from our perspective."

Zimmermann, too, takes pains to note a distinction which sounds similar to one made by Microsoft in describing that company's "Shared Source" source code disclosure. "Publishing source code doesn't mean you've giving away the software -- if you think about it, John Grisham publishes his novels in source code form. Does that mean he's giving up his copyright in them? No. If Microsoft published the source code to Office, does that mean they wouldn't still want money for it? There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away."

Reputation and Propriety. It's hard to say how much of PGP's reputation is really that of its creator.

Zimmerman's insistence on his right to create troublesome code, and on the freedom to encrypt which his software provided its users, endeared him to crypto-libertarians before most of the current battles of software freedom and philosophy had reached public consciousness.

Whereas Zimmermann famously left Network Associates, PGP Corporation seems much more interested in maintaining the integrity of Zimmermann's connection to PGP, which is if anything a tacit admission of Zimmermann's importance to the company's reputation.

"We would be foolish if we did not seek counsel from people who are the best in their fields," says Somogyi. "It's really important that Phil be involved." Zimmermann's presence on the technical advisory board from its inception will probably serve to reassure users worried about corporate machinations.

Should You Buy PGP from this man? When PGP was first released, it was cutting edge -- in the sphere of ordinary computer users, it was a runaway hit. Now there are alternatives to PGP; in the Free software world, these include notably the GNU Privacy Guard (GPG), a suite of tools which aims to be a user-friendly equivalent to PGP consisting entirely of Free software.

Neither Zimmermann nor PGP Corporation's Somogyi seems worried about Free software alternatives to their own products, which can after all still be used free of charge.

"There's still a freeware version of PGP, and there's still going to be a free version of PGP, including the version that's coming out, version 8," says Zimmermann, who actually points to GPG and several other products from his sales web page. "I applaud the creation of GPG, we need to have multiple sources for this kind of technology. But you know, PGP is a good product, I think that it's easier to use."

Somogyi echos this line of reasoning. "Fundamentally I think that the people who use PGP is one group, and the people who use GPG are another, and I don't see a heck of a lot of competition between the two efforts," he says.

Zimmermann says that the prospect of selling PGP, though -- and making money from it -- is key to its prospects for success. "Look at what happened last time when nobody paid for PGP. NAI pulled the plug on the product. From February of this year until August, PGP was in limbo. ... Remember the National Lampoon from 70s, 'Buy this magazine or we'll shoot this dog'? That's what happened. They shot the dog!"

"It takes money to pay the engineers, it takes money to do all this stuff. PGP is a big important product, it doesn't just happen for free." And when NAI dropped PGP development, the software "went into an intellectual property black hole. When a company pulls the plugs on a product, it just disappears. All this political posturing about saying that cryptography should be free, that's all very nice, but it doesn't pay the bills."

Good for Zimmermann

[BlueAlien.Org]

If he can get corporations and individuals to buy his product, then where is the harm? I wish him the best of luck on trying to profit from his creation. Of course, the license is very prohibitive, but I don't see that as being a major factor affecting sales.

- Rick

GPG?

How well does PGP 8 compare to GPG (or vice versa).

I know GPG cant do some forms of encryption/de-encryption because of copyright schemes, but if this has the source being released maybe we will see some more competition between GPG and PGP, or is the license for PGP too restrictive?

Re:I can buy it but ....

[BlueAlien.Org]

The vast majority of potential buyers of PGP will not want to fiddle around with the source code. This way Zimmermann's company can satisfy its core customer base along with the majority of geeks who like to mess around with the source code of a great piece of software. Its actually a pretty good idea IMO.

- Rick

Re:I can buy it but ....

[Night+Goat]

They explain it in the article. The makers of PGP feel that some guy compiling the source code and making it available or using it himself isn't going to cut into their profits too much because most people interested in using cryptography aren't going to use some shady, homebrewed, perhaps compromised program, they're going to buy it straight from PGP so they can trust it.

PGP is overrated

[Hairy_Potter]

so is GPG. If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. Uncrackable files don't mean much when traffic analysis shows email to the Cali cartel and cyber-cafe's in Pakistan.

But, just like the NRA sorts, who cling to the illusion that their pre-ban AR-15 will protect them against the black helicopters, PGP users delude themselves into thinking they're making a heroic stand for freedom, when in reality, no one cares about their encrypted plans to sleep in line for the Two Towers premiere.

Re:PGP is overrated

[SweetAndSourJesus]

I can't remember where I read this analogy, but I'm pretty sure Zim came up with it:

You use envelopes, right? Why? Becuase you don't want everyone in the post office reading your mail. If you didn't care, you'd use postcards. Sure, the envelope isn't bulletproof, but it's enough to keep the casual snooper out. Same deal with PGP.

You're right, if the Man wants to read your email, he's going to do it. PGP isn't designed to be a totally secure system, just a mostly secure one.

Re:PGP is overrated

[WanderingGhost]

If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. Uncrackable files don't mean much when traffic analysis shows email to the Cali cartel and cyber-cafe's in Pakistan.

And that's great. They'll get the terrorists they want, and nobody will know what I've been discussing with my fiancée, or with my friends, or whoever. And they'll not know what my company has been discussing with some other business out there. (Commercial secrets are still secrets)

Doesn't sount too bad after all.

You can still get evidence to take a criminal to court -- and that's good. But people won't read yout e-mails and know what you've been discussing (they won't know too much about your private life).

Not that tere aren't other problems, of couse, but then, there is always a problem... :-)

Re:PGP is overrated

[SweetAndSourJesus]

Yes, you can crack PGP. It's completely unsafe to presume that it can't be done. You can't open an envelope without tampering with it, which is where PGP signatures come in.

I guess if you want to look at the utility aspects, PGP isn't designed to keep multiple items together, that's why we have tar.

Even if it is a bad analogy, isn't this a more reasonable viewpoint than the "fuck it, Uncle Sam's got us by the nuts, I give up" attitude espoused in the original post?

Re:PGP is overrated

[RealAlaskan]

If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. ....

So, given that's true, why bother encrypting anything? Answer: if a lot of innocent traffic is encrypted, it significantly raises the effort level required to identify the non-innocent traffic, and thus makes it much less likely that the government WILL decide that it ``really wants to get you''.

Is that a good idea? Even after the events of the last year, government in general still seems to have the resources to be a greater threat to us than all the Islamic malcontents in the the world put together. Some of those governments definitely have the will to do us harm; after all, some of them are run by those same Islamic malcontents. Some of us are living under the power of those evil governments. PGP and its successors have been used by human rights groups operating in countries like Yugoslavia, to keep records secret.

Don't forget, also, that while a despot might tire of amusing himself by persecuting you, the bureaucrats who persecute decent folks in the western world are doing it for our own good, and their self-image as good people and hard workers depends on putting Dimitry in jail, or busting down the doors of prople who have violated a contract with their cable company by uncapping a modem, or what-not. The people who are probably the greatest threat to us in the US and Europe are these well-intentioned, honest, hardworking idiots, who honestly believe that they are protecting us all. Sometimes they ARE protecting us all, and sometimes they are doing quite the opposite, but they are always trying to earn their pay by doing their job, no matter how destructive that may be.

Overall, I think it is an excellent idea to make it as difficult as possible for the government to keep tabs on us, or to single us out, even when our government is NOT deliberately evil, as is the case in the US.

... PGP users delude themselves into thinking they're making a heroic stand for freedom, when in reality, no one cares about their encrypted plans to sleep in line for the Two Towers premiere.

It isn't just governments that have secrets. Most companies have marketing plans, customer lists, and so on that their competition would give big bucks to get. If only the sensitive email is sent encrypted, it's obvious which messages need to be cracked. It's also obvious when there is a flurry of sensitive activity. If you also encrypt your non-sensitive email at work, that eliminates that sort of problem.

Finally, personal, frivolous users of encryption ARE helping folks who have a serious need for it, at least indirectly. See my first paragraph. If they are deluded, well, that's good for the rest of us. We can't afford to have things reach the point that using PGP makes you a suspect. The world is full of folks who are eager to do bad things to good people, some of them with the very best of intentions for the very people they'd harm.

Re:PGP is overrated

PGP isn't designed to be a totally secure system, just a mostly secure one.

One might even say a Pretty Good one.

Re:I can buy it but ....

[ergo98]

You can buy a copy of Windows at Best Buy, or you can download it from a warez channel, or you can go to a friends and rip an ISO of his copy. Doe sanyone see a problem with this logic?

Phil has always advocated that it is very important that there is peer review of security products, and I entirely agree with him on that point, but he is not An open source advocate (which is why I find the nitpicking about the license absurd: It's not GPLd, folks, it's peer review. The release of the source is only intended to allow for particularly paranoid folks to ensure that there aren't any backdoors in the code). They are two entirely different things, and it's completely reasonable for him to release those products as he has.

If someone builds the source and distributes the binary, they are no different from someone ripping an ISO and distributing warez.

It's not just encryption

[Gemini]

A lot of people have posted comments to the effect of "If they want to get at your secret email, they will anyway despite PGP". Don't forget that GnuPG/PGP has a huge other use as well. OpenPGP signatures are what protects a huge number of software packages from tampering.

The recent trojanings of OpenSSH, etc, would have been caught even earlier if users had checked the OpenPGP signature distributed along with the tarball.

Re:Only can use source code to verify integrity?

[aridhol]

Erm...no.

Differences in the compiler used will cause small differences in the binary. Used a different optimization setting? Oops, the code is different.

What you can do is build the sources, and use that to verify the signature on the binaries.

Re:Turnaround Time

[javatips]

You can actually BCC yourself.

That way, you can prove that you sent the message at some point in time (you have the header added by the SMTP server).

This can protect you to some extent. It would probably be better if you use a third party SMTP server to do it.

Note that will only prove that you sent the message, not that they received it.

There's a more important use of PGP than privacy!

[aquarian]

To me, there's a more important, significant use of PGP than privacy. One of the biggest obstacles to *really* doing business over the internet is being able to verify where messages come from. PGP provides this. A PGP signed message is as good as a signed piece of paper.

I never cease to be amazed at how this aspect of PGP is never discussed. I guess all the stupid, nose-picking, trainspotting geeks all over the world really can't see beyond the government prying into their porn collections.

Re:Good for United States Residents: +1, Patriotic

[fsharp]

Hmmmm, lets see. I'm an American and if I want to I can say whatever I want to about the President. I can critique, disagree, agree, and even (gasp) not respect or support him.

Guess what dude, this comes under the heading of freedom of speech and last time I looked, the Constitution allowed me to just that. And does that make my unpatriotic? Not in my book, dissenting views ultimately created this Nation. Remember?

Oh, if you want to make a point, then do so with a reasoned and intelligent response. Why is dissention bad? How is speaking your mind in disagreement with leadership un-American? Because you said so? Hmmm.

Source available not as good as open source

[ChaosDiscord]

There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away.

Great, I was looking for an opportunity to debug someone elses commercial software for free!

I applaud his efforts toward transparency, and restricted source is better than no source. But if I'm thinking of putting some effort into improving some software for me own use, it's an easy choice between GPG and PGP. With GPG, I know that my changes and the code that my changes are based on will be available to myself forever, and I can share my changes with others if the official source goes away.

Re:RedHat too

[larry+bagina]

This business model actually works.

No, this business model actually causes a negative cashflow

Re:Turnaround Time

[larry+bagina]

after all, we all know how hard it is to fake an email header.

Re:I can buy it but ....

[Tassach]

In short, there's no way to verify that the source code and the program are the same.

Nonesense. You download the source and compile it in a build enviornment that matches the one used to produce the official executable.

If the MD5 and SHA1 checksums of the code you compiled locally matches those of the distributed version, you have a very high degree of confidance that the distributed executable was indeed compiled from the published source code. If they don't match, tampering is a possibility.

In order to do this successfully, you need two things that seem to be lacking in this case: the makefile used to compile the official executable, and all the pertinent details about the build enviornment (compiler version, versions of statically-linked libraries, and so forth). If you can't exactly duplicate the build enviornment, it's probable that there will be differences in the executable code even if it was compiled from the same source code.

Re:One thing I've noticed:

[Sheetrock]

That was kind of my point. If you send them an e-mail or two and get absolutely nothing back, you can't publish -- therefore, you're subject to their whims.

This provision renders dubious the actual security benefits gained from open examination of the source code, and I'll explain why:

If the corporation is on the top of its game and follows up on each and every report, sending an acknowledgement whether or not they actually decide to fix the flaw, we'll have a situation not unlike GPG or other open source projects. Anyone who agrees to a set of restrictions can examine the code and point out flaws in addition to offering fixes.

On the other hand, if they fail to acknowledge some of the issues being submitted to them, then the situation may actually be worse than not having the source code available at all. People with less-than-pure interests can find the flaws in the program much more easily, however those who actually want to help the community (perhaps making a name for themselves as well in the process) can neither disclose the vulnerability nor offer a patch.

No doubt this policy has been introduced as an attempt to encourage bugfinders to use more community-friendly methods of disclosure. My only problem with it as a potential customer would be that it fails to take into account the possibility that the company could be less than perfect with dealing with bug reports... and thirty days of operating a product of this nature with a known flaw is bad enough. Isn't RFP's policy fair?

Re:Turnaround Time

[cookiepus]

." OK, so why are you asking for it? And even if I trust you, if you get bought by someone else, guess what? THEY can sell my house.

Jesus, just don't download the source if it stresses you SO badly.