Command-Line Crypto From Phil Zimmermann, Again
They aren't paying for a pretty logo. The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) isn't even in the same market.
Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollars price as to a generalized interest in privacy. Home and hobby users are not cut out from buying Veridis's software -- for about a hundred dollars, you can buy a personal use version of the command-line version. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server) are really aiming at commercial and governmental datacenters, and for customers willing to accept a much higher pricetag.
Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures.
The name is familiar ...
The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAfee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do.
And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation ... you could run the same perl scripts, the same command-line arguments."
If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition.
(Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.)
Both sides of that fence.
And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product."
To look and not to sell.
Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer-review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person.
The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available through their source code page.)
Does this mean that I can now encrypt my ASCII pr0n?
The reason command line tools are very useful is for cron jobs. I don't know how many times on a Windows machine I wish that there was a command line tool to do something.
GUI is nice and all, but a command line one would work much better with procmail filters..
As well as just about every other kind of script I would assume...
I'm outside of the US and I just used it to encrypt "hah". (as per subject)
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
Interesting for sure, but is this a hype piece?
It doesn't look like a normal submission to me. Proper grammar, objective opinion instead of random flames, and bulleted titles to visually separate paragraphs instead of the shitty formatting job Slashdot forced me to get used to.
Me suspects there is more than meets the eye here...
Whenever I get a new computer, I expect a Command Line Interface (or shell as some are wont to call it). I must be old school, but I don't feel I'm totally in control if I have layers of GUI-fication and de-GUI-fication between me and processes.
Though that's probably not their reasoning, it's probably more of a spite thing, or keeping a finger in the pie, anyway.
A feeling of having made the same mistake before: Deja Foobar
Insurance companies and health care organizations are increasingly relying on PGP in its various forms to meet requirements for confidentiality and security of data imposed by the HIPAA legislation. Zimmermann's latest work has a potentially huge market this year, and potentially next year too, if there are more delays with implementing the "enforcement" aspects of the law.
I find with any GUI program, if there is no command line control, it becomes half as useful. Scripting and automation are what make computers beautiful.
The command line is much quicker too. Don't want to type out a million options and flags? Then make an alias... one word is all it takes to run enormous computations.
In the case of PGP, the only GUI integration I need is in e-mail, and thankfully Evolution provides it. The rest of its use is on the command line, making encrypted tar archives, and saving other information.
The look on his face is so smug, like, ha ha, "I have no such non-compete agreement with NAI", so I'm gonna screm 'em!
--naked
Very popular slashdot journal for adul
And what is wrong with gnuPG? Its Free and free.
I am a little confused. Yes, mod me down for this, but I could not resist.
I thought that the last time I used my pgp (the oldie from MIT, now upgraded to GPG), the whole darn thing is command line.
I get encrypted email. I save it to a file (using pine, my mua). I copy the file to my home machine. I decrypt it using gpg, which is a command line action. I read the message. I make my reply. I encrypt it using my command line GPG. I ftp it back to my email account. I use pine to include the file into the reply email messages.
Now, I have been doing this both for my personal use. I have also been using it to communicate with one of my customers who is buying fetish clothing from me, but who lives in a place that he has to be careful.
Now, you are saying that I have to pay $5,000 for the privilege of using this, especially for my business?
Cleara
I guess banks want to pay for software so they have someone to moan at or something, perhaps the commercial software runs really quick?
Apart from this I can't think of a reason not to use GNUPG, or am I missing something fundamental here?
Check out MKDoc a mod_perl CMS
GPG can be called from the command line too!
[dan@dimension dan]$ gpg --help
gpg (GnuPG) 1.0.7
Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Home: ~/.gnupg
Supported algorithms:
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Hash: MD5, SHA1, RIPEMD160
Syntax: gpg [options] [files]
sign, check, encrypt or decrypt
default operation depends on the input data
Commands:
(...)
And it doesn't cost $100...
Daniel
Carpe Diem
Therefore it is my advice to completely trust PGP on all your sensitive data transmissions. After all, if you can't trust the largest government in the free world, who can you trust?
PGP is great. It's the strongest freely available crypto for the geek masses out there. However, it's still pretty much for the geek masses, or at least people who can get their minds around the difference between signing and encrypting and which key is used when. My mom can't use PGP, even though with all the Homeland Security and Total Information Awareness stuff going on, she'd like to just have 100% of her email encrypted and not have to worry about her sense of humor going into her federal permanent record.
For some of us, there's the other problem - we use Pine or FringeMail 1.0003 or something for which the multiple-megabyte SMTP client plugins PGP GUI monster is just too unwieldy. Perhaps Phil Zimmermann sees that as a niche that got left behind as the giant GUI version evolved, and recognizes a need for the simple command line version.
Works for me; I'll always cut n' paste my ciphertext. I still use PGP 2.6.2. What's needed is a very simple cut n' paste Windows app that can generate or accept PGP-style blocks of ASCII.
libmcrypt offers all the functionality you need. I believe there are bindings for perl, php, python and plenty more It can use most common ciphers including RSA, Blowfish, etc. If you need command line compatibility with your existing code that calls pgp, a simple shell (or perl) wrapper can provide the syntactic sugar. Things like easy to use key storage, drag and drop encryption, etc. are not an issue in the kinds of setups described in the article.
It's so easy that one time I need a encryption for some data from php, and I couldn't get libmcrypt installed. So, I wrote a simple cgi to stream the text through and then save the encrypted contents.
I'll sell it for $5 a copy for personal use and $500 a seat for commercial. I can customize the interface at my normal rates. But you really should just check out:
http://www.gnu.org/directory/security/crypt/mcr
There are actually many of us who still *prefer* to handle our purely text based tasks, such as email, from the command line.
I have nothing against GUI's, I'm running KDE right now, but to have to fire one up just to encrypt text when I'm already in text mode is not only annoying, it's doofey.
KFG
why pay for a cli version when the gui version is mature? .. maybe because gui's are nearly worthless for scripting? .. i detest guis ..
icewm forever for allowing total keyboard control.
this is not a flamebait.
"Confusingly enough, this software is produced by a company called (Veridis), and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name..."
.. maybe I can sneak out past Milton...
I'm sure PGP is important, but I can't remember what the acronym stands for --don't drift, don't drift off, focus buddy you can hang in there...
"...when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. OpenPGP, for whom Zimmermann serves as a technical advisor (as well as a reseller),..."
Almost five, it's about time to pack up and leave here, I wonder what's on TV tonight, probably nothing, Friday night blows. Need to get Road to Rome, but the flunky at Best Buy, who doesn't know his ass from a hole in the ground, said they're getting another shipment today, so probably need to go by there after work...maybe pick up mgs2 for xbox while I'm at it. mmmm xbox....
"...is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less?
"actually, if I send Bill Lumberg my tps reports now
"This isn't a study in computer science, its a study in human behavior"
I don't really understand why Phil is doing this. Perhaps some commercial customers feel more comfortable with a commercial package. However, GPG has had (German) government money funding its development and is thought to be quite good. The German Govt liked PGP as well, but it was complicated to licence. The old PGP commercial licence only permitted you to use the supplied binary, not to compile from source. The Germans supported the rewrite and AFAIK it is a standard there.
To me this seems like another of the recent /. advertorials. An article about a product that isn't really newsworthy and there is a good Open Software and free equivalent.
Sad really isn't it!
See my journal, I write things there
That Slashdot chose to include the entire press release (since that is what this clearly was) as part of the slashdot article. A pointer to a web page, perhaps --- the fact that Phil Zimmermann is behind a new commercial product that competes with the original commercial version of PGP, perhaps. But the entire press release? Please! Why give them free advertising? (I'm assuming here that this wasn't a new way for the OSDN to raise revenues by getting an entire Slashdot article with arbitrary content from a marketing organization in exchange for $$$).
In any case, it's not really clear this story is all that interesting as news anyway, for the very simple reason that it is very doubtful that commercial versions of PGP will succeed, simply because for the naive user, PGP is Just Too Hard to use. The moment you have to explain certification chains to users, you've lost. The naive user (the ones who can't figure out how to set the time on their VCR's) simply won't be able to cope. And for the expert users, they'll just simply download GPG, or perhaps the old version of PGP 2.6.2. Why should they pay $$$ for a commercial command-line version?
A GUI isn't always desired - why WOULDN'T you have a command line version of a utility like this? If you're going to be doing batch jobs, it would be a lot easier to have something that would be easily scriptable that doesn't require a bloated GUI version (or any GUI for that matter - I'm not implying that the given product has a bloated GUI, before you flame). Not all users have a need for a graphical windowing system.
Do you think he'll mind if we screen scrape it?
In Soviet Russia, Chuck Norris will still kick your ass.
But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less?
Or more to the point, why post the article at all?
o/~ Join us now and share the software
Riiight, go ahead, punk.
Let's be honest here. No-one in their right mind would use the PGP command line since something much better - GnuPG - came along, and this has been a while ago (they aren't migrating, they've often completed migration).
What Phil's trying to do here is sell a piece of software for an extremely high price which competes directly - directly, not just on the same turf but on the actual same blade of grass - with now well-proven software which is entirely free (beer and speech).
This is not a smart business plan. Only chance Veridis has is fast talking, name leverage and selling good support - trouble is, GPG doesn't actually need support as such, the software doesn't need to be, and isn't, really all that complex. Documentation should be enough, because it works already. The source is even friendly enough to adapt and build around for your own purposes, unless you're a moron, and morons should really not be adminning boxes you wanted to use strong crypto on.
I can't see a single reason you'd want to actually use Filecrypt over gnupg, especially given the high price tag... anyone?
A lot of the "old school" stuff works more reliably in more situations with less hassle.
I primarily prefer command line interfaces, as opposed to GUI or curses/ncurses, because it is so damn easy to script it. I can encrypt all .jpg files in my web directory that I own with a single command.
Another example of "old school" being the better choice is in security. I have the logger daemon piping output to a dumb terminal so that I can watch what's going on. I'm about to add a second that displays httpd logs.
Old school games are also better; even after porting /usr/games/fortune to the web, winshit/wine, OS X, and OS 9, I still keep the console version on every box of mine (all of them are Linux, even the palmtops.)
Maybe we should have a no-GUI holiday in which we don't use curses, X11, Aqua, or winshitgui.
Please note that the winshit download has yet to be tested.
You can't judge a book by the way it wears its hair.
GPG is freeware, as is the old PGP 2.X. Zimmermann's new product and the NAI version are commercial software. When you pay the big bucks for these programs what you are really buying is support and hand-holding. Many companies still prefer to pay for the privilege of having another company they can go to when things go wrong, rather than relying on the user community.
One reason for this is psychological; Republicans like to pal around with Republicans, Democrats like to hang with Democrats, and companies like to do business with companies.
Our company has been evaluating KeyMatix for file encryption. It seems to work quite well, and allows for remote key storage. With the remote key storage you can disable access to the keys when your data has been compromised. Has anyone implemented a solution with KeyMatix?
Whoa.. I read twice the article. I must be really stupid.. but whoa! what the hell the article says?!? xD ;)
__
Sig: Marine Stock Photos
You might want to check out nmrc's ncrypt.
Another ability of a command line version could be in clusters.
Imagine someone wants to have strong key based encryption for a growing database with sensitive information. That someone could use a huge multiprocessor, or clusters of smaller (or even just as large) computers to encrypt that data, and archive it for another party or even themselves. Normally such a thing would take a while on a single computer, but with many computers working together, it could conceivably be instantaneous.
A robust command line application could easily do that with currently available cluster systems non-proprietary to PGP. Someone with a cluster already built wouldn't even consider a GUI program.
This guy has legitimately been a martyred hero to freedom. In my book that should afford him a lot of goodwill in his business ventures. Plus, it's interesting to see where his later life is taking him. Like, we don't chat about how Linus is making out at Transmeta? And not even any martyrdom points for him. Jeeze.
"with their freedom lost all virtue lose" - Milton
The web form to purchase the product does not appear to be an ssl secured form...
http://www.veridis.com/openpgp/en/buy2.asp
Well, there's PGPTray's menu choices of {Encrypt, Sign, Encrypt&Sign, Decrypt&Verify}{Current Window, Clipboard}. It still asks you what key to use, but that's hard to avoid :-).
Good point. I typeset press releases fairly often as fillers for a newspaper that I'd probably be best off not mentioning (heh, at least I have a job, like it, and work in an office with a 1:10 male:female ratio... okay, that's a mixed blessing) and this does have the certain, familiar aroma of preset copy on crinkly fax paper to it, almost as if it belongs in a box of its own with "ADVERTISEMENT FEATURE" set across the top in discreet Helvetica Roman 10. The bold titles are probably the outline the copywriters used. Yup, I call filler too.
We might like prz, but this just seems a bit out of place. Just like the recent "hardware reviews" focusing strangely specifically on hardware that is neither commonly interesting, nor geekily obscure - stuff that I'm not even certain any of the slashdot team are interested in, that positively screams "paid ad" so loudly you wonder where the company logo got to.
What's up? Is the cashflow running dry? Are the ads not paying the bandwidth bills and the backers backing away so Slashdot is having to offer "discreet" paid ads? Or are the slashdot team now so insanely lazy they're approving random press releases just like we do at work, when we've got a half-page to fill and nothing to put in it?
Let's be fair though. Slashdot may have "news" in the title, but it's more of a discussion site. No-one in their right mind would accuse Slashdot of journalistic objectivity, which is fine because that's not why we read it. I think the editors grok this now. What we're (collectively) actually going to do in this article is karma whore (say, namedrop gpg, that's a given), go off on some wildly offtopic tangent (aka friendly flamewar), and/or troll (the /. trolls evolved into special trickster creatures, that are as often amusing and off the wall as they are droll, sarcastic or comically gross) posts.
Then two days later we can read about it again, in the rerun - er, I mean dupe - when the editors reveal just how little they communicate with each other, or actually read the site. Hell, we don't mind... it's just a website, and it's kind of funny. It doesn't do to take things too seriously, does it?
Yet... I think someone would have to be very uninformed to pay a lot of money for PGP-that-isn't-called-PGP, when GPG is available for free. Good luck, Phil, your business model is going to be selecting customers based on dumbness. I'd hate to be working the support phone line; the people who call will be of the "cup holder" variety.
Yeah, PGP is good... but I'll be damned if anyone can break these cryptic slashdot ramblings...
A lot of comments point to the free GPG program. The problem is not that GPG doesn't already have all the functionality of PGP--it does. But what it can't do is be a drop-in replacement for PGP--in terms of command syntax and output file format.
In Soviet Russia, articles before post read *you*!
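Two comments above raise the same practical point: that a simple shell wrapper could keep existing scripts that call pgp working, and that GPG's command syntax differs from PGP's. The following is an added example, not part of any post and not code from GnuPG, Veridis or NAI; it maps command syntax only, the function name pgp2gpg is hypothetical, and the flag table assumes classic PGP 2.x usage rather than FileCrypt or E-Business Server documentation.

```shell
#!/bin/sh
# Added example: translate a PGP 2.x-style argument list into GnuPG arguments.
# The flag table is an assumption based on classic PGP 2.x usage, not on
# FileCrypt or E-Business Server documentation. pgp2gpg is a hypothetical name.

# pgp2gpg ARGS... prints the gpg argument list, one argument per line.
# With PGP2GPG_EXEC=1 in the environment it runs gpg with them instead.
pgp2gpg() {
    enc=0 sig=0 sym=0 det=0 armor=0 text=0 batch=0 force=0 out="" signer=""
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift; n=$((n - 1))
        case $arg in
            +batchmode) batch=1 ;;
            +force)     force=1 ;;
            +*) echo "pgp2gpg: unsupported setting $arg" >&2; return 2 ;;
            -o|-u)
                if [ "$n" -eq 0 ]; then
                    echo "pgp2gpg: $arg needs a value" >&2; return 2
                fi
                if [ "$arg" = -o ]; then out=$1; else signer=$1; fi
                shift; n=$((n - 1)) ;;
            -?*)
                flags=${arg#-}
                while [ -n "$flags" ]; do
                    f=${flags%"${flags#?}"}; flags=${flags#?}   # first letter
                    case $f in
                        e) enc=1 ;; s) sig=1 ;; c) sym=1 ;; b) det=1 ;;
                        a) armor=1 ;; t) text=1 ;;
                        # Fail closed: silently dropping a flag could leave
                        # data unencrypted or unsigned.
                        *) echo "pgp2gpg: unsupported flag -$f" >&2; return 2 ;;
                    esac
                done ;;
            *) set -- "$@" "$arg" ;;    # positional: rotate to the end
        esac
    done
    if [ $# -eq 0 ]; then echo "pgp2gpg: no input file" >&2; return 2; fi
    file=$1; shift
    nrcpt=$#; n=$#
    while [ "$n" -gt 0 ]; do            # remaining positionals are recipients
        r=$1; shift; n=$((n - 1))
        set -- "$@" --recipient "$r"
    done
    if [ "$enc" = 1 ] && [ "$nrcpt" -eq 0 ]; then
        echo "pgp2gpg: -e needs at least one recipient" >&2; return 2
    fi
    if [ -n "$signer" ]; then set -- --local-user "$signer" "$@"; fi
    if [ -n "$out" ];    then set -- --output "$out" "$@"; fi
    if [ "$text" = 1 ];  then set -- --textmode "$@"; fi
    if [ "$armor" = 1 ]; then set -- --armor "$@"; fi
    if [ "$force" = 1 ]; then set -- --yes "$@"; fi
    if [ "$batch" = 1 ]; then set -- --batch "$@"; fi
    # The command follows the options; "--" ends gpg option parsing so the
    # file name is never read as an option.
    case $enc$sig$sym$det in
        1000) set -- "$@" --encrypt ;;
        1100) set -- "$@" --sign --encrypt ;;
        0100) set -- "$@" --sign ;;
        0101) set -- "$@" --detach-sign ;;
        0010) set -- "$@" --symmetric ;;
        0000) set -- "$@" --decrypt ;;
        *) echo "pgp2gpg: unsupported flag combination" >&2; return 2 ;;
    esac
    set -- "$@" -- "$file"
    if [ "${PGP2GPG_EXEC:-0}" = 1 ]; then gpg "$@"; else printf '%s\n' "$@"; fi
}

# Constructed usage (addresses and file name are made up):
#   pgp2gpg +batchmode +force -esa -u ops@example.org report.txt alice@example.org
```

Default output file names and program messages are not translated, so a script that depends on them still needs changes.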
you jesus freak stop this at once!
you're such a karma whore!
Some Slashdot readers complained that FileCrypt appears to compete with GPG, which is free. Let me make it clear that my intention was not to compete with GPG, but to compete with McAfee E-business Server, for which NAI charges over $14000 per copy. I wouldn't dream of suggesting that GPG users should switch to FileCrypt. In fact, I think GPG is a nice product. But some companies prefer to do business with companies selling commercial products. That's why NAI makes millions of dollars selling their product. There's no reason why I shouldn't try to compete in that market. And, unlike the NAI product, FileCrypt can also be licensed at a far cheaper price for users who want it on their (command-line) desktop instead of a server.
GnuPG is a great encryption program, and it is compatible with PGP. I am not certain why this product is needed at all, unless it is due to licensing problems.
Go check out the crypto++ library.
It's got lots of classes that make it easy to incorporate a whole bunch of algorithms into your programs.
Look what I did with it last week...http://sourceforge.net/projects/winfilecry
FileCrypt was discussed on the Cryptography list a few months ago, and concerns were voiced about its security. Look at this exchange between PGP gurus Peter Gutmann and Len Sassaman. Can we trust this product? Is its source code available for review?
The office is a NAI eBusiness Server customer. But since we're a Windows shop, I had to write a COM interface to eBusiness Server, which was a real pain to do. Our 2-year license comes up for renewal in April. If you want our money, Phil, you'll offer COM and .NET versions that not only work on files, but work in memory as well.
I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.
Command line tools can also be "GUI-fied": I've used exmh for a few years, and it's a prime example of "GUI-fying". And, yes, exmh supports PGP and GPG.
This is a tautology.
You walk into a bank that needs this sort of thing, and they don't necessarily *like* the fact that their tools are open and free for everyone in the world to use.
... Here's how that meeting goes:
... and occasional 'tweaks' for our own purposes. Plus, their licensing is better, and he's not code-bound like all these other junkies. At this point he's done this twice."
Yes, there are customers - and a big market - for encryption. But there are other reasons for obscurity than implied security! Sometimes you just don't want people to know the tools you're using.
Either way, I believe Phil need only get himself 3 or 4 relatively big customers - the kind for whom an included security surcharge per-transaction is a *welcome* one - and away he goes. His license is pretty tight - he can set pretty good terms at corporate levels.
So, we've got Filecrypt vs. gnupg vs. E-Whateve(pgp)
CEO: "What do you recommend?"
CTO: "Play it safe, go with Phil - good name strength - and throw a few hundred thousand at his company for good measure
CEO: "Good idea. Do it."
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Available at gnuwin32.sf.net, unxutils.sf.net and other places.
I am glad there is a product out there that will let me do this. I've been trying to encourage electronic privacy among my friends and family for a couple years; and they cannot afford or are unwilling to pay for products. If they can use this to learn and expose themselves to encryption; that is great!
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
It doesn't look like a normal submission to me. Proper grammar, objective opinion instead of random flames, and bulleted titles to visually separate paragraphs instead of the shitty formatting job Slashdot forced me to get used to.
I'll pass your feedback to the guys in ad copy writing, thank you. Who would have thought that the rules for advertising in Slashdot are reverse of everywhere else.
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu