Slashdot Mirror


Command-Line Crypto From Phil Zimmermann, Again

A few months ago, PGP creator Phil Zimmermann became a reseller for the current graphical version of the software he originally spawned, produced by PGP Corporation. Now, Zimmermann has just started selling through his own website a modern command-line encryption product called FileCrypt, which has its roots in an older version of PGP. Confusingly enough, this software is produced by a company called Veridis, and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name; when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. PGP Corporation, for whom Zimmermann serves as a technical advisor (as well as a reseller), is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less?

Update: 02/07 23:07 GMT by T: Here are three instant clarifications: PGP Corporation was misrendered as "Open PGP" in this paragraph; Veridis' command line product was inspired by PGP but independently created; its codebase is separate from NAI's version of PGP; and the rights holder to the PGP name is PGP Corporation, not NAI.

They aren't paying for a pretty logo.

The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market.

Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollar price as to a generalized interest in privacy. Home and hobby users are not shut out from buying Veridis's software -- for about a hundred dollars, you can buy a personal-use version of the command-line product. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server), are really aiming at commercial and governmental datacenters, and at customers willing to accept a much higher price tag.

Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures.

The name is familiar ...

The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAfee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do.

And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation ... you could run the same perl scripts, the same command-line arguments."

If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition.

(Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.)

Both sides of that fence.

And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product."

To look and not to sell.

Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer-review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person.

The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available through their source code page.)

12 of 165 comments

  1. Automated jobs by rawgod0122 · · Score: 5, Informative

    The reason command line tools are very useful is for cron jobs. I don't know how many times on a Windows machine I wish that there was a command line tool to do something.

    1. Re:Automated jobs by lor3 · · Score: 3, Informative

      Erm cron for windows, and what about cygwin?

    2. Re:Automated jobs by jd142 · · Score: 1, Informative

      You mean like "at" available since NT 4?

      The AT command schedules commands and programs to run on a computer at
      a specified time and date. The Schedule service must be running to use
      the AT command.

      AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
      AT [\\computername] time [/INTERACTIVE]
          [ /EVERY:date[,...] | /NEXT:date[,...]] "command"

      \\computername     Specifies a remote computer. Commands are scheduled on the
                         local computer if this parameter is omitted.
      id                 Is an identification number assigned to a scheduled
                         command.
      /delete            Cancels a scheduled command. If id is omitted, all the
                         scheduled commands on the computer are canceled.
      /yes               Used with cancel all jobs command when no further
                         confirmation is desired.
      time               Specifies the time when command is to run.
      /interactive       Allows the job to interact with the desktop of the user
                         who is logged on at the time the job runs.
      /every:date[,...]  Runs the command on each specified day(s) of the week or
                         month. If date is omitted, the current day of the month
                         is assumed.
      /next:date[,...]   Runs the specified command on the next occurrence of the
                         day (for example, next Thursday). If date is omitted, the
                         current day of the month is assumed.
      "command"          Is the Windows NT command, or batch program to be run.

    3. Re:Automated jobs by Anonymous Coward · · Score: 5, Informative

      > You mean like "at" available since NT 4?

      No, he means the commands called by 'at'. Some Windows functions have no commandline equivalents.

    4. Re:Automated jobs by evilviper · · Score: 2, Informative

      Ever heard of cygwin? All the tools on Unix can be yours on Windows.

      In addition, for the simpler GUI jobs, there's PTFB ("Push the Freaking Button"), which will allow you to have a certain button or location clicked-on a certain amount of time after the window appears.

      In fact, I set up many a batch file that would launch PTFB with a certain config file, then start a software installer. In case you haven't caught on yet, PTFB was configured to push the buttons automatically, so you didn't have to click a single button. (If I hear one person comment on how this nullifies EULAs, I may be forced to beat them to a bloody pulp.)

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  2. Advantage of command line... by Sir_Ace · · Score: 5, Informative

    GUI is nice and all, but a command line one would work much better with procmail filters..
    As well as just about every other kind of script I would assume...

  3. GNU Privacy Guard isn't graphical by lovelaceAtWork · · Score: 5, Informative

    > The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard)

    Last time I checked, GNU Privacy Guard, also known as GPG, was a command line program. You're probably talking about the GNU Privacy Assistant (http://www.gnupg.org/(en)/related_software/gpa/index.html).

  4. Or you could just use mcrypt by Anonymous Coward · · Score: 1, Informative

    libmcrypt offers all the functionality you need. I believe there are bindings for perl, php, python and plenty more. It can use most common ciphers including RSA, Blowfish, etc. If you need command line compatibility with your existing code that calls pgp, a simple shell (or perl) wrapper can provide the syntactic sugar. Things like easy to use key storage, drag and drop encryption, etc. are not an issue in the kinds of setups described in the article.

    It's so easy that one time I needed encryption for some data from php, and I couldn't get libmcrypt installed. So, I wrote a simple cgi to stream the text through and then save the encrypted contents.
    I'll sell it for $5 a copy for personal use and $500 a seat for commercial. I can customize the interface at my normal rates. But you really should just check out:

    http://www.gnu.org/directory/security/crypt/mcrypt.html

  5. GPG is /not/ graphical... by Hobart · · Score: 3, Informative

    > The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market.

    Uh... no. GPG is a command line utility. You /might/ mean GPA or one of the other frontends...
    --
    o/~ Join us now and share the software ...
  6. Re:Neither Version Is Usable By Mom by wurp · · Score: 3, Informative

    If your mom wants encrypted email but doesn't know jack about computers, set her up with a free account on Hushmail (https://www.hushmail.com). Your browser must have good java support (on Linux, it seems to require Sun jvm 1.3+ and a recent version of Mozilla or Netscape). You have to wiggle your mouse around some when setting up the account to generate randomness. Then you pick a passphrase, and from there on out it's just like any other web based email, except your data is encrypted from before it leaves your computer until after it gets to the target computer.

    It interoperates with GPG/PGP compatible mail clients. Of course, your email to people who have no encryption support is not encrypted, but that's pretty much unavoidable ;)

    It has Bruce Schneier's stamp of approval, and for a crypto product, that's really saying something.

    Check it out.

  7. ncrypt by Anonymous Coward · · Score: 1, Informative

    You might want to check out nmrc's ncrypt.

  8. FileCrypt competes with NAI product, not GPG by prz · · Score: 4, Informative

    Some Slashdot readers complained that FileCrypt appears to compete with GPG, which is free. Let me make it clear that my intention was not to compete with GPG, but to compete with McAfee E-business Server, for which NAI charges over $14000 per copy. I wouldn't dream of suggesting that GPG users should switch to FileCrypt. In fact, I think GPG is a nice product. But some companies prefer to do business with companies selling commercial products. That's why NAI makes millions of dollars selling their product. There's no reason why I shouldn't try to compete in that market. And, unlike the NAI product, FileCrypt can also be licensed at a far cheaper price for users who want it on their (command-line) desktop instead of a server.