Slashdot Mirror

← Back to Stories (view on slashdot.org)

PGP's New Release, Source Code, and PRZ

Posted by timothy on from the hey-this-stuff-is-just-gibberish dept.

In high tech time, the span between Network Associates dropping PGP, its purchase by the purpose-formed PGP Corporation and that company's release today of PGP 8.0 may not be a short stretch, but it's been a busy several months. A product which appeared moribund despite widespread acclaim a few years earlier -- a victim of skewed corporate logic -- has rebounded for another major release, and Philip Zimmermann is doing something he's never done before: actually selling PGP. And as Zimmermann had urged long before NAI forged a deal with PGP Corporation, this time around the full source code is being released, albeit with strings. Read on for the rest of the story.

Would you buy PGP from this man? Long before Dmitry Sklyarov was arrested for helping people undo e-book encryption, and before DeCSS was unlocking DVDs, Philip Zimmermann was being prosecuted for a nearly opposite endeavor: providing software which allowed ordinary people with a modicum of computer savvy to encrypt their own data in a way impractically difficult even for large government agencies to reverse. His modestly named application Pretty Good Privacy, or PGP, was released in 1991 as freeware and was quickly adopted by privacy seeking computer users.

Export controls then in effect barred international trade in such software; because of PGP's inevitable spread online well past the borders of the U.S., Zimmermann was accused of violating munitions-export laws. For a while, this made Zimmermann a poster boy for the right to create software free of intrusive restraint, and ended up in a three-year battle with the government which Zimmermann eventually won.

Now, in a twist worthy of novelization, Zimmermann has joined a small number of PGP Corporation partners on North America, and will be reselling PGP Corporation's version of PGP. Outside North America, PGP Corporation has sales partners in countries from Germany to Singapore -- in a sense, Zimmermann is simply their most famous salesman. (He also serves on PGP Corporation's technical advisory board and maintains a consulting relationship with the company.)

Sales, though, is really a sideline to Zimmermann's consulting business. "I'm not really switching my career to sales," he says. Zimmermann is nonetheless enthusiastic about his new role selling the software he kick-started more than 11 years ago, though it's a switch from his role in creating it. "I don't write code anymore," he said from his Silicon Valley home office. "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am." Zimmermann downplays the Federal government's legal proceedings against him in the first half of the 90s, calling it "old news" and "years in the past."

Like any large organization, in fact, the Federal government has a need to encrypt certain documents, so it's no surprise that the government bodies of every stripe use "a ton" of PGP. It seems likely that his sales venture means that Zimmermann will soon have come full circle, from producer of verboten software to vendor selling his product to government agencies. Zimmermann admits "It would be funny, and there would be a certain irony if that happens ... I'm hoping to sell to enterprise customers, large users, and that includes the government. If the government wants to buy it from me, that would be fine with me."

Something to sell, and source code, too. PGP's present is finally catching up with its history (try this google search for a number of links): today's release of version 8.0 for Windows and Mac OS X differs not just in name from PGP as it was released under NAI's stewardship, because this time there is full source code to go along with it. (A Linux release is being investigated.)

The 8.0 release doesn't differ in basic purpose from previous versions of PGP: it's still intended as an easy-to-use approach to encryption for both business and personal use, with hooks to a wide range of network operating systems and mail systems; there are several simultaneous releases, actually, from freeware (for non-commercial use) to an Enterprise edition, and the features available vary with the price. There's also a link to download the full source, under certain conditions, from PGP Corporation's home page.

PGP Corporation director of products Stephan Somogyi says he's proud of the way the company has walked the tightrope between source code availability and securing its own interest in the product based on that code.

The license agreement it takes to download source code, however, contains clauses guaranteed to rankle some open-source advocates and security enthusiasts. For instance, part of the third section of the eight-section source code license reads: "You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you."

Another section carefully lists uses of the code which are explicitly prohibited, including a note that a downloader may not "give (meaning sell, loan, distribute, or transfer) the source code files to anyone else" (except under certain outlined circumstances). Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."

Somogyi draws a distinction here between the meaning of an End User License Agreement (EULA) and a source code license such as the one required to download the PGP source. The source code is there, he says, because "PGP [Corporation] is making it clear that we don't have anything to hide and that PGP remains a trusted brand, a trusted codebase."

With nothing more than a click-through license protecting it, there will almost certainly be rogue copies of the source code soon, but as Somogyi puts it, "the only place that anyone who cares about their security is going to get PGP is from us -- no one is going to use some randomly compiled version of PGP, because they don't know the provenance. It's all about trust, from our perspective."

Zimmermann, too, takes pains to note a distinction which sounds similar to one made by Microsoft in describing that company's "Shared Source" source code disclosure. "Publishing source code doesn't mean you've giving away the software -- if you think about it, John Grisham publishes his novels in source code form. Does that mean he's giving up his copyright in them? No. If Microsoft published the source code to Office, does that mean they wouldn't still want money for it? There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away."

Reputation and Propriety. It's hard to say how much of PGP's reputation is really that of its creator.

Zimmerman's insistence on his right to create troublesome code, and on the freedom to encrypt which his software provided its users, endeared him to crypto-libertarians before most of the current battles of software freedom and philosophy had reached public consciousness.

Whereas Zimmermann famously left Network Associates, PGP Corporation seems much more interested in maintaining the integrity of Zimmermann's connection to PGP, which is if anything a tacit admission of Zimmermann's importance to the company's reputation.

"We would be foolish if we did not seek counsel from people who are the best in their fields," says Somogyi. "It's really important that Phil be involved." Zimmermann's presence on the technical advisory board from its inception will probably serve to reassure users worried about corporate machinations.

Should You Buy PGP from this man? When PGP was first released, it was cutting edge -- in the sphere of ordinary computer users, it was a runaway hit. Now there are alternatives to PGP; in the Free software world, these include notably the GNU Privacy Guard (GPG), a suite of tools which aims to be a user-friendly equivalent to PGP consisting entirely of Free software.

Neither Zimmermann nor PGP Corporation's Somogyi seems worried about Free software alternatives to their own products, which can after all still be used free of charge.

"There's still a freeware version of PGP, and there's still going to be a free version of PGP, including the version that's coming out, version 8," says Zimmermann, who actually points to GPG and several other products from his sales web page. "I applaud the creation of GPG, we need to have multiple sources for this kind of technology. But you know, PGP is a good product, I think that it's easier to use."

Somogyi echos this line of reasoning. "Fundamentally I think that the people who use PGP is one group, and the people who use GPG are another, and I don't see a heck of a lot of competition between the two efforts," he says.

Zimmermann says that the prospect of selling PGP, though -- and making money from it -- is key to its prospects for success. "Look at what happened last time when nobody paid for PGP. NAI pulled the plug on the product. From February of this year until August, PGP was in limbo. ... Remember the National Lampoon from 70s, 'Buy this magazine or we'll shoot this dog'? That's what happened. They shot the dog!"

"It takes money to pay the engineers, it takes money to do all this stuff. PGP is a big important product, it doesn't just happen for free." And when NAI dropped PGP development, the software "went into an intellectual property black hole. When a company pulls the plugs on a product, it just disappears. All this political posturing about saying that cryptography should be free, that's all very nice, but it doesn't pay the bills."

15 of 263 comments (clear)

  1. I can buy it but .... by frovingslosh · · Score: 3, Interesting

    OK, I can now buy the software for personal use, but I can download the source for free (for review, yada yada yada). Anyone see a problem with this logic?

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:I can buy it but .... by Gemini · · Score: 2, Interesting

      They're relying on users to either Play Nice or not be technically inclined enough to compile their own copy. It's not that absurd, really. How many people actually compile their own PGP? (How many people *should* is another issue).

    2. Re:I can buy it but .... by ergo98 · · Score: 2, Interesting

      I would back it up by pointing to the site, however right now it appears to be completely slashdotted. As such I'll have to say this without reference, but I'm pretty sure that the source code disclaimer list specifically mentions that it can be used to compile into a binary to compare with the binary that they give to ensure that there are no back doors, etc. If it's like prior versions, they'll give a specific list of versions of software (i.e. Visual Studio version XYZ) to compile it with, and truly the result will be a perfect clone of the distribution binary.

    3. Re:I can buy it but .... by Demonspawn · · Score: 2, Interesting

      Laugh if you want, but that actually happened (or I'm remembering some urban legand). Story goes that a certian someone added code a a login utility (Unix, Linux? I don't remember all the details unfortuantly) so that he could log into a machine with root privlages even if he didn't have an account on the machine. He then modified the compiler to recognize if it was compiling the login program to automatically re-inject the code into the program. He then also modified the compiler to recoginize if it was compiling the compiler and again re-inject the malacious code.

      One hell of a hack job. I'd give a link, but a quick google of what I remember isn't turning up anything. Anyone else who remembers this throw a link (or prove this an urban legand)? I think it was some distro of Linux but I'm not 100% sure.

      --Demonspawn

  2. Turnaround Time by Steve+B · · Score: 5, Interesting
    You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you.

    I'd be more comfortable with this if there was an absolute cap that did not depend on the acknowledgement. As written, it would seem to allow PGP to freeze the clock indefinitely by simply not responding.

    --
    /. If the government wants us to respect the law, it should set a better example.
    1. Re:Turnaround Time by Cyclometh · · Score: 5, Interesting

      It's a good point, but they know as well as anyone that an unacknowldeged problem becomes an embarrassing public one when the problem is posted anonymously, which is what would happen if they "froze the clock" in the manner you speak of.

      I'm willing to extend them the benefit of the doubt on this one... they'd be hurt more than most of the software producers by having a security bug go unacknowledged/unpatched. It's not like a license agreement is going to stop the spread of any vulnerability info at any rate.

    2. Re:Turnaround Time by Anonymous Coward · · Score: 1, Interesting

      Also makes damn sure they got the message you sent them. It becomes your duty to prove they sent a reply rather then thiers to prove that they didn't get the message outlining the bug you submitted.

      I really doubt thier intention with this is to "stop time" but rather simply offer no one an excuse out of it. "I sent you an email 31 days ago didn't ya get it?" will not cut it.

    3. Re:Turnaround Time by dillon_rinker · · Score: 5, Interesting

      allow PGP to freeze the clock indefinitely by simply not responding
      Precisely. And what happens if they go out of business? This is one of the key things that many otherwise well-intentioned source code license agreements fail to recognize: the software may outlast the the company that created it. It would likely be problematic even if some other corporation bought the PGP vendor. It is not uncommon for someone to buy the ASSETS of an insolvent corporation, but the obligation to respond to queries about source code could would logically be considered a LIABILITY.

      Anyway, I think they had good intentions with this clause but they've paid too much attention to their lawyers. Perhaps, if the clause as written turns out to be a problem, (good) hackers could merely post "I have some interesting information about the product, but I am legally prevented from disclosing it by Section X, Paragraph Y of the source code licensing agreement. Please encourage the PGP vendor to acknowledge my emails"

  3. Differences from previous releases? by masonbrown · · Score: 5, Interesting

    OK, as a corporate user with a Win2k machine using Outlook, is there any significant reason to upgrade to 8.0 from whatever I'm using now and have used for a year or so? I know the article says there aren't significant changes, but I'd be interested in what specifically is better / improved.

  4. Maybe they'll fix that annoying XP problem by angst_ridden_hipster · · Score: 5, Interesting

    ... PGP 7.0 had the annoying problem that the firewall / network filtering stuff it wanted to install would completely hose XP's network stack.

    Oh, and if you ran the un-installer, trying to fix it, it would remove the TCP/IP stack from XP altogether (even though that's not supposed to be possible).

    If you rolled back using the XP Configuration tool, it was all OK. If you tried to reinstall XP's TCP/IP stack alone, or repair it using the install disk, you got mightily screwed by the fact that XP doesn't do a proper TCP/IP reinstall, coupled with the fact that when you run this reinstall/repair, it blows away your ability to roll back to a good configuration.

    OUCH...

    Of course, if you installed it without the network stuff, it was OK, and just makes XP occasionally pop up messages saying that the SDK driver is unavailable.

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net
  5. Re:I can't believe OSS zealots are taking this... by stratjakt · · Score: 2, Interesting

    This isn't even open source at all. It's just available source. You can't compile, use, alter, distribute or discuss it.

    The only thing you can do is free bugsearching.

    Quite frankly, most OSS zealots I've met wouldn't know what source code was if they saw it. It's just an anti-corporate buzzword they picked up at college.

    --
    I don't need no instructions to know how to rock!!!!
  6. Only can use source code to verify integrity? by weave · · Score: 2, Interesting
    WTF? I can download the source code to audit, but I can't compile it for any other use than to verify it? This means I can't use the compiled source code in daily normal use?

    Anyone else have a problem with this? OK, I download source code, verify it looks fine, but if I want to use the program, I need to buy/download the binary from them -- whose binaries may not necessarily be compiled from the source code I verified to my satisfaction.

    (Thank god for GNU and gpg, no strings attached beyond that "nasty" "viral" (sarcasm) GPL)

    p.s. I guess we won't be seeing THIS product as part of gentoo! :)

  7. gpg can actuall help sell pgp by kevin+lyda · · Score: 3, Interesting

    we use (or advocate the use of) gpg to encrypt and auth sensitive data for our servers. this is not to protect the files from the gov't, it's to stop data with a high monetary value from being stolen. most of us at work at least have gpg configured.

    we usually recommend pgp for less technical users - of which there are far more then on the server side. so pgp would get more sales from us due to gpg. i hope they sell lots of their s/w and make it even easier to use - it would really help us if less technical people were more exposed to pgp.

    --
    US Citizen living abroad? Register to vote!
  8. eBusiness Server by chiph · · Score: 2, Interesting

    FYI: Network Associates kept the rights to their eBusiness Server when they sold the rights to the desktop version of PGP to the new PGP Corporation. eBusiness Server is used by many corporations to automate their PGP encryption for batch processes, SOAP servers, etc.

    Even when (If!) the Gnu GPG group decides to release a library/DLL version of their privacy tool, I suspect a fair number of companies will continue to use the NAI product in order to avoid having to deal with the Bureau of Industry and Security in the US Department of Commerce for exporting their own compiled encryption software.

  9. Paranoia by vadim_t · · Score: 2, Interesting

    That license doesn't make sense. Let's see:

    1. You can use the binary they compiled.
    2. You can compile the source, but not use it.
    3. Source is provided to verify lack of backdoors.
    4. That means that the source should produce the binary you get on their site.
    5. Therefore, both binaries are identical so different use restrictions are nonsense.
    7. Somebody mentioned here that while they provided information about the build environment attempts to get an identical binary weren't successful.
    8. All this seems to indicate there's a quite strong possibility of PGP being backdoored.