PGP's New Release, Source Code, and PRZ
Would you buy PGP from this man? Long before Dmitry Sklyarov was arrested for helping people undo e-book encryption, and before DeCSS was unlocking DVDs, Philip Zimmermann was being prosecuted for a nearly opposite endeavor: providing software which allowed ordinary people with a modicum of computer savvy to encrypt their own data in a way impractically difficult even for large government agencies to reverse. His modestly named application Pretty Good Privacy, or PGP, was released in 1991 as freeware and was quickly adopted by privacy-seeking computer users.
Export controls then in effect barred international trade in such software; because of PGP's inevitable spread online well past the borders of the U.S., Zimmermann was accused of violating munitions-export laws. For a while, this made Zimmermann a poster boy for the right to create software free of intrusive restraint, and it led to a three-year battle with the government which Zimmermann eventually won.
Now, in a twist worthy of novelization, Zimmermann has joined a small number of PGP Corporation partners in North America, and will be reselling PGP Corporation's version of PGP. Outside North America, PGP Corporation has sales partners in countries from Germany to Singapore -- in a sense, Zimmermann is simply their most famous salesman. (He also serves on PGP Corporation's technical advisory board and maintains a consulting relationship with the company.)
Sales, though, is really a sideline to Zimmermann's consulting business. "I'm not really switching my career to sales," he says. Zimmermann is nonetheless enthusiastic about his new role selling the software he kick-started more than 11 years ago, though it's a switch from his role in creating it. "I don't write code anymore," he said from his Silicon Valley home office. "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am." Zimmermann downplays the Federal government's legal proceedings against him in the first half of the 90s, calling it "old news" and "years in the past."
Like any large organization, in fact, the Federal government has a need to encrypt certain documents, so it's no surprise that government bodies of every stripe use "a ton" of PGP. It seems likely that his sales venture means that Zimmermann will soon have come full circle, from producer of verboten software to vendor selling his product to government agencies. Zimmermann admits, "It would be funny, and there would be a certain irony if that happens ... I'm hoping to sell to enterprise customers, large users, and that includes the government. If the government wants to buy it from me, that would be fine with me."
Something to sell, and source code, too. PGP's present is finally catching up with its history (try this Google search for a number of links): today's release of version 8.0 for Windows and Mac OS X differs not just in name from PGP as it was released under NAI's stewardship, because this time there is full source code to go along with it. (A Linux release is being investigated.)
The 8.0 release doesn't differ in basic purpose from previous versions of PGP: it's still intended as an easy-to-use approach to encryption for both business and personal use, with hooks to a wide range of network operating systems and mail systems; there are several simultaneous releases, actually, from freeware (for non-commercial use) to an Enterprise edition, and the features available vary with the price. There's also a link to download the full source, under certain conditions, from PGP Corporation's home page.
PGP Corporation director of products Stephan Somogyi says he's proud of the way the company has walked the tightrope between source code availability and securing its own interest in the product based on that code.
The license agreement it takes to download source code, however, contains clauses guaranteed to rankle some open-source advocates and security enthusiasts. For instance, part of the third section of the eight-section source code license reads: "You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you."
Another section carefully lists uses of the code which are explicitly prohibited, including a note that a downloader may not "give (meaning sell, loan, distribute, or transfer) the source code files to anyone else" (except under certain outlined circumstances). Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."
Somogyi draws a distinction here between the meaning of an End User License Agreement (EULA) and a source code license such as the one required to download the PGP source. The source code is there, he says, because "PGP [Corporation] is making it clear that we don't have anything to hide and that PGP remains a trusted brand, a trusted codebase."
With nothing more than a click-through license protecting it, there will almost certainly be rogue copies of the source code soon, but as Somogyi puts it, "the only place that anyone who cares about their security is going to get PGP is from us -- no one is going to use some randomly compiled version of PGP, because they don't know the provenance. It's all about trust, from our perspective."
Zimmermann, too, takes pains to note a distinction which sounds similar to one made by Microsoft in describing that company's "Shared Source" source code disclosure. "Publishing source code doesn't mean you're giving away the software -- if you think about it, John Grisham publishes his novels in source code form. Does that mean he's giving up his copyright in them? No. If Microsoft published the source code to Office, does that mean they wouldn't still want money for it? There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away."
Reputation and Propriety. It's hard to say how much of PGP's reputation is really that of its creator.
Zimmermann's insistence on his right to create troublesome code, and on the freedom to encrypt which his software provided its users, endeared him to crypto-libertarians before most of the current battles of software freedom and philosophy had reached public consciousness.
Whereas Zimmermann famously left Network Associates, PGP Corporation seems much more interested in maintaining the integrity of Zimmermann's connection to PGP, which is if anything a tacit admission of Zimmermann's importance to the company's reputation.
"We would be foolish if we did not seek counsel from people who are the best in their fields," says Somogyi. "It's really important that Phil be involved." Zimmermann's presence on the technical advisory board from its inception will probably serve to reassure users worried about corporate machinations.
Should You Buy PGP from this man? When PGP was first released, it was cutting edge -- in the sphere of ordinary computer users, it was a runaway hit. Now there are alternatives to PGP; in the Free software world, these include notably the GNU Privacy Guard (GPG), a suite of tools which aims to be a user-friendly equivalent to PGP consisting entirely of Free software.
Neither Zimmermann nor PGP Corporation's Somogyi seems worried about Free software alternatives to their own products, which can after all still be used free of charge.
"There's still a freeware version of PGP, and there's still going to be a free version of PGP, including the version that's coming out, version 8," says Zimmermann, who actually points to GPG and several other products from his sales web page. "I applaud the creation of GPG, we need to have multiple sources for this kind of technology. But you know, PGP is a good product, I think that it's easier to use."
Somogyi echoes this line of reasoning. "Fundamentally I think that the people who use PGP is one group, and the people who use GPG are another, and I don't see a heck of a lot of competition between the two efforts," he says.
Zimmermann says that the prospect of selling PGP, though -- and making money from it -- is key to its prospects for success. "Look at what happened last time when nobody paid for PGP. NAI pulled the plug on the product. From February of this year until August, PGP was in limbo. ... Remember the National Lampoon from 70s, 'Buy this magazine or we'll shoot this dog'? That's what happened. They shot the dog!"
"It takes money to pay the engineers, it takes money to do all this stuff. PGP is a big important product, it doesn't just happen for free." And when NAI dropped PGP development, the software "went into an intellectual property black hole. When a company pulls the plugs on a product, it just disappears. All this political posturing about saying that cryptography should be free, that's all very nice, but it doesn't pay the bills."
If he can get corporations and individuals to buy his product, then where is the harm? I wish him the best of luck on trying to profit from his creation. Of course, the license is very prohibitive, but I don't see that as being a major factor affecting sales.
- Rick
www.bluealien.org
Prophets of the Blue Alien
OK, I can now buy the software for personal use, but I can download the source for free (for review, yada yada yada). Anyone see a problem with this logic?
I'm an American. I love this country and the freedoms that we used to have.
I'd be more comfortable with this if there was an absolute cap that did not depend on the acknowledgement. As written, it would seem to allow PGP to freeze the clock indefinitely by simply not responding.
/. If the government wants us to respect the law, it should set a better example.
OK, as a corporate user with a Win2k machine using Outlook, is there any significant reason to upgrade to 8.0 from whatever I'm using now and have used for a year or so? I know the article says there aren't significant changes, but I'd be interested in what specifically is better / improved.
I plunked down my cash first thing this morning.
It looks like they're pretty swamped. The download failed, and, after the third try told me that the link had expired.
I guess this means I've got to call their customer service department today. So, you may want to wait a bit before buying. The beta I've got for OS X doesn't expire until 12/06/2002, so I'm not totally screwed yet.
--
the strongest word is still the word "free"
PGP must be good encryption. I've been trying to brute force decrypt the phrase "zimmermann" and I've had no luck at all so far.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Check out RedHat. You can download everything for free, even in ISO image format. Or you can go to Fry's and plunk down $50 for the exact same thing. This business model actually works. Not everyone wants to go get a compiler and compile the source from scratch.
so is GPG. If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. Uncrackable files don't mean much when traffic analysis shows email to the Cali cartel and cyber-cafes in Pakistan.
But, just like the NRA sorts, who cling to the illusion that their pre-ban AR-15 will protect them against the black helicopters, PGP users delude themselves into thinking they're making a heroic stand for freedom, when in reality, no one cares about their encrypted plans to sleep in line for the Two Towers premiere.
Bugs have been found in previous versions of PGP. Hopefully the source code release will allow the bugs in PGP 8.0 to be found sooner rather than later.
I sure hope the pending SDK has support for the latest version of Java. I have yet to get the latest version of Cryptix OpenPGP to work with the J2SE v 1.4.1.
The source code to PGP has been available for a long time from pgpi.com. Indeed, there is the freeware copy (it actually links you back to the main PGP page) of PGP 8.0 available there.
I fail to see how the PGP vs. GPG question isn't settled on this very point. PGP won't even run on many platforms, so any ease-of-use claims should be dismissed out of hand on that basis alone. The choice is really between GPG (which is being actively developed) and freeware PGP (which looks to be getting pretty old). That isn't much of a choice.
Go ahead and flame away...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
... PGP 7.0 had the annoying problem that the firewall / network filtering stuff it wanted to install would completely hose XP's network stack.
Oh, and if you ran the un-installer, trying to fix it, it would remove the TCP/IP stack from XP altogether (even though that's not supposed to be possible).
If you rolled back using the XP Configuration tool, it was all OK. If you tried to reinstall XP's TCP/IP stack alone, or repair it using the install disk, you got mightily screwed by the fact that XP doesn't do a proper TCP/IP reinstall, coupled with the fact that when you run this reinstall/repair, it blows away your ability to roll back to a good configuration.
OUCH...
Of course, if you installed it without the network stuff, it was OK, and just makes XP occasionally pop up messages saying that the SDK driver is unavailable.
Eloi, Eloi, lema sabachtani?
www.fogbound.net
and the utilities and credit card companies get pissed if you staple the check to the bill.
Christmas time and ebaying are about the only time of year I mail non-bill stuff.
If they have an automated reply-thingie that goes something like "Thank you for your mail. We'll be looking into it as soon as possible. Your reference no for this mail is #34524" and the 30 day limit starts there, I like it. If they can arbitrarily delay it or pretend they didn't get it, I don't.
Kjella
Live today, because you never know what tomorrow brings
Yes. An easy to find example. I believe there was a weakness way back in the early 2.1 - 2.3 versions as well. PGP (USA version) was probably also vulnerable due to some of the RSAref.lib bugs. Source for PGP up to 5i is available.
PGP has been shown to be good secure code. Making the source available won't lessen the security. That is the point: peer review will strengthen the code. Phil Zimmerman knows what he is doing.
I'm CONSTANTLY reading about how MS's EULA are so terrible, yet this one prohibits what you can and cannot say about the product and *this* is acceptable? Talk about truly restricting free speech (I don't even know if this is legal). Anyone who buys this has got to be out of their fucking minds. I buy MS stuff (licenses and all), but I wouldn't touch this with a 10 foot pole.
That is Phil Zimmermann. My apologies.
Anyone else have a problem with this? OK, I download source code, verify it looks fine, but if I want to use the program, I need to buy/download the binary from them -- whose binaries may not necessarily be compiled from the source code I verified to my satisfaction.
(Thank god for GNU and gpg, no strings attached beyond that "nasty" "viral" (sarcasm) GPL)
p.s. I guess we won't be seeing THIS product as part of gentoo! :)
A lot of people have posted comments to the effect of "If they want to get at your secret email, they will anyway despite PGP". Don't forget that GnuPG/PGP has a huge other use as well. OpenPGP signatures are what protects a huge number of software packages from tampering.
The recent trojanings of OpenSSH, etc, would have been caught even earlier if users had checked the OpenPGP signature distributed along with the tarball.
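The check this comment describes, as an added example that is not part of the original thread: a "Good signature" message is not enough on its own, because a trojaned tarball can carry a valid signature from some other key, so the verifier below also pins the signer's fingerprint. The function names, the fingerprint and the sample `gpg --status-fd` lines are constructed for illustration.

```python
import subprocess

# Constructed placeholder: the release signer's primary-key fingerprint,
# obtained out of band (not from the same server as the tarball).
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# gpg status keywords that mean the signature cannot be relied on.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def evaluate_status(status_text, pinned_fpr=PINNED_FPR):
    """Decide from gpg's machine-readable status lines whether the file
    carries a valid signature made by the pinned key. Returns (ok, reason)."""
    want = pinned_fpr.replace(" ", "").upper()
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # The tenth argument, when present, is the primary key's
            # fingerprint; otherwise fall back to the signing key's own.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    if not signers:
        return False, "no VALIDSIG line"
    # Strict policy: every valid signature must come from the pinned key.
    if any(fpr != want for fpr in signers):
        return False, "signed by unpinned key"
    return True, "VALIDSIG from pinned key"


def verify_release(tarball, signature, gpg="gpg"):
    """Run gpg on a detached signature and apply evaluate_status()."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, tarball],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        text=True, check=False,
    )
    ok, reason = evaluate_status(proc.stdout)
    return ok and proc.returncode == 0, reason


# Constructed status output: untouched tarball, signed by the pinned key.
GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-12-03 1038873600 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Constructed status output: tarball modified after it was signed.
TAMPERED = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key <release@example.org>
"""

# Constructed status output: tarball replaced and re-signed with a key
# the user imported from the same compromised server.
OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Some Other Key <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2002-12-03 1038873600 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("tampered", TAMPERED),
                       ("other key", OTHER_KEY)):
        print(name, evaluate_status(text))
```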
Umm no. Not that I use letters much anymore, e-mail / IM / phone covers most of my informal contact need. When I send a letter in an envelope it's because:
- I'm sending something too long to fit on a postcard
- I'm attaching something (photos, birthday card)
- It's typed up on my computer, and my printer doesn't handle postcards well
- The receiver expects a letter (say a job application)
Granted, there are a few times when I want an envelope for privacy reasons. But that's far from the only reason.
Kjella
Live today, because you never know what tomorrow brings
Competition by looking at your "competitor's" code and using what you've learned in your own product? I think the term you are looking for is "cooperation".
Karma: Incomprehensible (Mostly affected by posting at +5, reading at -1, and metamoderating everything unfair.)
It's only reasonable for them to require 30 days to fix any bugs you might find, lest their customer's secrets be compromised in the meantime. Would you buy PGP if you knew any loopholes would be revealed before they could be closed, potentially exposing the secrets you're buying it to protect?
I wish Mr. Zimmerman success.
If all this should have a reason, we would be the last to know.
You know - when PGP was owned by NAI I had no qualms just warezing it. I loved PGP disk and a few other PGP things. Just quick encryption of files was nice. A little tighter incorporation with Outlook and taking up less resources would be very cool.
Now that it's PGP not owned by NAI, I really want to own and use and promote this product. I however have no money as a college student. However, as a college student I think I would REALLY benefit from PGP. Not only keeping email between advisors and other students encrypted but also just keeping my personal records safe on the "wonderfully" secure campus network.
Anyhoo, just my thought trinkles.
The ultimate network admin tool needs HELP!
"At least 30 days after PGP sends its email acknowledgement" is a bit worrying, since they haven't committed to ever acknowledge reports of weaknesses that aren't "serious". I have great respect for Zimmerman, but any corporation is required to act in the interests of its shareholders....
The objective is not to create perfect security (which is, as you correctly say, not possible). The objective is to make your security good enough for most practical purposes.
Yes, the government can use various sorts of surveillance measures to get your messages anyway. However, requiring trained personnel to set up monitoring vans or do black-bag jobs limits the total number of surveillance targets. That makes wide-ranging fishing expeditions impractical, and inhibits abuse by bored or vindictive individuals. Also, it leaves a bigger trail (more memos, more people directly involved) to be traced if -- OK, when -- the government does break the law.
/. If the government wants us to respect the law, it should set a better example.
back in the 90's. Does this mean I get a discount?
Anyone else think it's expensive? $80 for Windows for one year, or $165 for a perpetual license. Ouch!
A software key sniffer is more vulnerable. Hardware versions are widely rumored to be seeing field use. Hell, ThinkGeek sells one, though it's too big to conceal easily.
To me, there's a more important, significant use of PGP than privacy. One of the biggest obstacles to *really* doing business over the internet is being able to verify where messages come from. PGP provides this. A PGP signed message is as good as a signed piece of paper.
I never cease to be amazed at how this aspect of PGP is never discussed. I guess all the stupid, nose-picking, trainspotting geeks all over the world really can't see beyond the government prying into their porn collections.
The implication seems to be they just want a 30 day grace period. Does not seem to be unreasonable to me. After the 30 day grace period I guess it is open season. The only part that bothers me is that the terms seem to indicate that the 30 day period starts from their acknowledgement of you submitting a flaw, not from the time of acknowledgement. If they chose to not acknowledge responses in a timely manner, that could be a problematic loophole.
XML is like violence. If it doesn't solve the problem, use more.
we use (or advocate the use of) gpg to encrypt and auth sensitive data for our servers. this is not to protect the files from the gov't, it's to stop data with a high monetary value from being stolen. most of us at work at least have gpg configured.
we usually recommend pgp for less technical users - of which there are far more than on the server side. so pgp would get more sales from us due to gpg. i hope they sell lots of their s/w and make it even easier to use - it would really help us if less technical people were more exposed to pgp.
US Citizen living abroad? Register to vote!
You could say the same thing about Windows. Granted, for the people who know of them, PGP Corp has a better reputation.
What's this Submit thingy do?
From reading their site, it sounds like they are now using XP like product activation. You enter your license key, then it contacts their servers to validate your license.
My question is:
Does it preclude the person from saying "I found a flaw in PGP" without saying what the flaw is. [maybe even only saying THAT 30 days after sending the initial message to PGP corp informing them of the details of the flaw]...
This may put a little pressure on PGP corp to fix the flaw.... And alert others that there may be a flaw that can be found with a little digging on their own so that they can also inform PGP corp thus adding more pressure....
--
Time is on my side
I can't think of any reason to prefer PGP to GnuPG, and there are some reasons (already pointed out) for preferring GnuPG to PGP.
So, overall, I can't see why anyone would use PGP.
Zimmerman made a great contribution, deserves tremendous credit for what he did, but as he says himself, it's all history.
Guess what dude, this comes under the heading of freedom of speech and last time I looked, the Constitution allowed me to do just that. And does that make me unpatriotic? Not in my book, dissenting views ultimately created this Nation. Remember?
Oh, if you want to make a point, then do so with a reasoned and intelligent response. Why is dissention bad? How is speaking your mind in disagreement with leadership un-American? Because you said so? Hmmm.
Well, duh. However, PGP might just protect my trade secrets from being intercepted by a competitor. PGP might also protect my medical information from a private detective trying to dig up some dirt on me for a bitter ex-spouse. Competitors and private detectives don't have the resources of the United States government and PGP works just fine against them. Furthermore, PGP has most certainly been successfully used to protect human rights workers from clumsy oppressive governments. If that's not a great accomplishment, I don't know what is.
Search 2010 Gen Con events
Great, I was looking for an opportunity to debug someone else's commercial software for free!
I applaud his efforts toward transparency, and restricted source is better than no source. But if I'm thinking of putting some effort into improving some software for my own use, it's an easy choice between GPG and PGP. With GPG, I know that my changes and the code that my changes are based on will be available to myself forever, and I can share my changes with others if the official source goes away.
Search 2010 Gen Con events
This provision renders dubious the actual security benefits gained from open examination of the source code, and I'll explain why:
If the corporation is on the top of its game and follows up on each and every report, sending an acknowledgement whether or not they actually decide to fix the flaw, we'll have a situation not unlike GPG or other open source projects. Anyone who agrees to a set of restrictions can examine the code and point out flaws in addition to offering fixes.
On the other hand, if they fail to acknowledge some of the issues being submitted to them, then the situation may actually be worse than not having the source code available at all. People with less-than-pure interests can find the flaws in the program much more easily, however those who actually want to help the community (perhaps making a name for themselves as well in the process) can neither disclose the vulnerability nor offer a patch.
No doubt this policy has been introduced as an attempt to encourage bugfinders to use more community-friendly methods of disclosure. My only problem with it as a potential customer would be that it fails to take into account the possibility that the company could be less than perfect with dealing with bug reports... and thirty days of operating a product of this nature with a known flaw is bad enough. Isn't RFP's policy fair?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
There are no backdoors in PGP.
Regardless of the wording of the click-through license, they would have a VERY hard time convincing a court that you were not acting in good faith if you can produce hard physical evidence that you did in fact notify them N days in advance of disclosing the bug publicly.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
A PGP signed message is as good as a signed piece of paper
Possibly in the legal sense where you have the authority to take action, like billing the person or shipping a product, but not in terms of real authentication. Forging a signature (especially one unfamiliar to you) is easy, but a PGP signed message requires knowledge of a passphrase. I have more trust in the PGP signed message.
(from a person whose mother "signed" a lot of notes to excuse him from days in high school)
-- Solaris Central - http://w
Yes, I know the whole idea of key escrow and ADK are seen as horrible invasions of privacy by personal users, however, these features have a valid business purpose in a corporate enterprise deployment and are mandatory for certain types of business communication.
I do not deploy Linux. Ever.
For signatures to work, you need to trust the other person's key, that means both that it really is who it says it is (which requires a web of trust, which presents significant problems and scalability issues), plus the other person must be trusted to keep their private key safe and their password protected. That is hard enough on a single user machine, but becomes almost impossible if you want to send a message while you're mobile (e.g. an Internet cafe is right out).
The two are interlinked as well, if someone in your web of trust is not secure, by trusting their key to some degree, you are also potentially tainting the authenticity of other keys.
If OpenPGP were a more widely used standard, it would be nice to be able to get your keys signed by respectable authorities (i.e. the functional equivalent of SSL authorities). Many of the SSL key vendors also do personal certificates, but they aren't really in an especially useful form for PGP type stuff.
Chris "Ng" Jones
cmsj@tenshu.net
www.tenshu.net
If you encrypt a file, then scramble the bytes, then encrypt that result with another encryption method, there is no way to crack the result. "Cracking" depends on playing by the rules and using only a known encryption method. Cryptographers use mathematical methods to try to break encryption; these methods are not available when chaining is used.
To use the chain encryption method, you must secretly communicate the scramble-descramble method and encryption process to anyone who is allowed to decrypt the file, and the method and process must be kept secret. That's a big drawback in some cases, and not in others.
Zimmerman sounds reasonable, but I'd dearly love to hear what RMS has to say about this.
I think that both Zimmerman and Stallman are Good Guys.
There's daylight between Zimmerman's source release and the GPL. I think Zimmerman's license intends to accomplish something different than the GPL. "There's no NSA backdoors in here." is different than "Here's the source, send back any improvements you find."
I think the GPL is more realistic in that it acknowledges that (healthy) software is not static. The proof of this conjecture will come when PGP and GPG have been out there for a few years and we see which one has more useful features and fewer bugs.
We'll see.
I liked your pic on your Magic card. Johan was great too. **sniff** Those were the days.
For the use I've had out of freeware and compiled-from-source versions of PGP over the years, this is a no-brainer. PGP has been invaluable to me for a long time.
Come on PGP users, put your money where your privacy is!
-----
PGP Key ID 0xCB8FF658
The "whole new algorithm" is just changing the byte scrambler. Scrambling the bytes in 512 byte chunks is very easy and fast, and there are a huge number of ways of doing this. Note that the scrambling method can depend on the 326th letter of the last email message received, or something like that.
If the chaining algorithm is compromised, the attacker must still attack the underlying encryption.
Also, your private key is stored somewhere. You can store the scrambling algorithm in the same place.
Note that chaining does not depend on encrypting the file twice. Just encrypting once and scrambling the bytes (and removing the file identifying bytes) is enough to harden an encrypted file against mathematical attack.
The entire problem with scrambling is that it is not possible to distribute the scrambling method publicly. Public-key encryption allows distributing the public key. The scrambling method requires delivery in person, or by some other trusted manner.
FYI: Network Associates kept the rights to their eBusiness Server when they sold the rights to the desktop version of PGP to the new PGP Corporation. eBusiness Server is used by many corporations to automate their PGP encryption for batch processes, SOAP servers, etc.
Even when (If!) the Gnu GPG group decides to release a library/DLL version of their privacy tool, I suspect a fair number of companies will continue to use the NAI product in order to avoid having to deal with the Bureau of Industry and Security in the US Department of Commerce for exporting their own compiled encryption software.
That license doesn't make sense. Let's see:
1. You can use the binary they compiled.
2. You can compile the source, but not use it.
3. Source is provided to verify lack of backdoors.
4. That means that the source should produce the binary you get on their site.
5. Therefore, both binaries are identical so different use restrictions are nonsense.
7. Somebody mentioned here that while they provided information about the build environment attempts to get an identical binary weren't successful.
8. All this seems to indicate there's a quite strong possibility of PGP being backdoored.
Here's to real tech journalism on the web. You covered the topic with the details that the Slashdot audience wants and polished it to a level of quality that is worthy of any self-respecting newspaper. If this kind of quality keeps up, I'll definitely buy a subscription.
Be warned, editors who post shoddy articles here. This is the standard to which you should aspire. If you write well, you shall be rewarded.
Anyone notice this co-incidence before?
http://www.archives.gov/digital_classroom/lessons/zimmermann_telegram/zimmermann_telegram.html
Dear Sir;
I regret to inform you that you have no idea what you are talking about. I am using PGP Freeware version 7.0.3 to communicate with family members. My parents use Office XP (with Outlook XP as their mail client) on Windows 2000, my in-laws use both Office 97 (Outlook 98) and Office 2000 (Outlook 2000) on Windows 98, and I use Office 2000 (yup, Outlook 2000 again) on Windows 2000. There have been no problems -- zero, zilch, none. Encrypting an email is a one-button affair; PGP adds a simple set of three buttons to the taskbar, one of which is "Encrypt Before Sending." Reading a message is as simple as opening it -- you get a dialog for your passphrase, and that's it.
To borrow a phrase, "It just works."
I will occasionally get a phone call to provide tech support for WordPerfect Office, but I have never had a complaint -- or even a question -- about PGP.
I am very curious about exactly what you were thinking when you started the FUD machine.
I have purchased PGP before. Now that NAI is out of the picture, I will do so again -- this ought to make a nice stocking-stuffer, burned onto 3-inch CDs.
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
- "...the fact that PGP 7 does not properly integrate with the (sic) Outlook 2002 (Office XP)..."
Interesting choice of words ("properly integrate")... are you taking that to mean "works the way I fantasized it would" or "works the way it was designed to"? There's a difference. This "moron", as you are so quick to label me, managed to get PGP 7.0.3 working with Outlook XP without a hitch. That doesn't lend much weight to your assertion that it doesn't work. Denying the facts won't make them go away.
- "...in the case where I selected PGP and had it installed company wide, to find that it did not properly integrate with Outlook 2002..."
Am I supposed to assume you're some sort of IT wizard and not question your anecdotal assertions because of that statement? That's not going to happen. Further, you just admitted you're the moron. You deployed it, and then found problems. That's why people use test labs -- even for small businesses, test first, then deploy.
Since you were so insistent about it, I searched Google. In the first few pages of hits, I found several articles about PGP 8, some news about (now patched) possible security holes, and what appear to be several warez sites. Odd that I didn't find the numerous tales of woe that you did...
Now, about that Fear, Uncertainty, and Doubt bit... Masonbrown wrote:
- "...as a corporate user with a Win2k machine using Outlook, is there any significant reason to upgrade to 8.0 from whatever I'm using now..."
And you replied:
- Your statement offers no supporting facts.
- "...doesn't work in general..." is laughable in light of the ease with which I managed to install and use it.
- If you read his post again, you'll notice he's successfully using a PGP version that is not 8.0.
- Reading it, a user will be uncertain and doubt whether or not their current version of PGP will work -- perhaps spending money on an unnecessary upgrade.
- Further, you're spreading the fear of "problems" with Office 2000. "Gee... I've been using it, God knows what has been going wrong behind my back..."
Congratulations, you've spread FUD.
I have demonstrated a working system. You claim it won't work, and call me a moron. You can't dispute the facts, so you attack the messenger. (That's step 2 in the FUD manual.) I suggest you RTFM, install the patches, and try again. (And no, I won't go away.)
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
I thought I said quite plainly that our government in the US has good intentions for us. They also have the ability to do us far more harm than Osama ever could. Partly that's because we trust our government, partly that's because our government is keeping a lid on Osama and company.
I don't think we should change that second reason: we definitely want our government to continue keeping after the terrorists. I do think that we should never trust our government blindly; not when they're doing us good, not when they're chasing terrorists, in fact, just plain never.
Think about this: if we were in Afghanistan before the US invasion, the roles of Osama and the US government would have been reversed, more or less: the US would have seemed threatening but powerless, while the Osamites might have seemed less malevolent, since they professed good intentions, but immediately dangerous. The Afghanis couldn't TRUST either, but they had to watch out for the Osamites.
See what I've been reading.
Err, how about $39 for life? Did you actually READ anything at pgp.com?
-----
PGP Key ID 0xCB8FF658