Slashdot Mirror


Command-Line Crypto From Phil Zimmermann, Again

A few months ago, PGP creator Phil Zimmermann became a reseller for the current graphical version of the software he originally spawned, produced by PGP Corporation. Now, Zimmermann has just started selling through his own website a modern command-line encryption product called FileCrypt, which has its roots in an older version of PGP. Confusingly enough, this software is produced by a company called Veridis, and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name; when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. PGP Corporation, for whom Zimmermann serves as a technical advisor (as well as a reseller), is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less? Update: 02/07 23:07 GMT by T : Here are three instant clarifications: PGP Corporation was misrendered as "Open PGP" in this paragraph; Veridis' command line product was inspired by PGP but independently created; its codebase is separate from NAI's version of PGP; and the rights holder to the PGP name is PGP Corporation, not NAI.

They aren't paying for a pretty logo. The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) isn't even in the same market.

Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollar price as to a generalized interest in privacy. Home and hobby users are not cut out of buying Veridis's software -- for about a hundred dollars, you can buy a personal-use version of the command-line product. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server), are really aiming at commercial and governmental datacenters, and at customers willing to accept a much higher price tag.

Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures.
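The unattended, script-driven use described above is easiest to see as a concrete job. The following Python is an added example written for this page, not code from Veridis, NAI or PGP Corporation; it drives the standard GnuPG command line (the flags it passes, --batch, --no-tty, --yes, --recipient, --output and --encrypt, are gpg's own) and assumes the recipient's public key has already been provisioned on the host's keyring. The fingerprint and the spool files are constructed placeholders, and run_demo() swaps in a stub for gpg so the block runs offline; in production the default subprocess.run is used. The points it illustrates are the ones that matter when nobody is at the keyboard: the recipient is named by full fingerprint rather than by address, gpg is forbidden to prompt so a problem fails the job instead of hanging it, ciphertext is written to a temporary name and renamed only after success, the plaintext is never deleted by the job itself, and one bad file does not silently abort the batch.

```python
"""Unattended encryption job: encrypt every file dropped in a spool directory
with gpg in batch mode, the way a cron job or a data-center pipeline would."""
import os
import subprocess
import tempfile
from pathlib import Path

HEX = set("0123456789abcdefABCDEF")

# Constructed placeholder: in real use this is the full fingerprint of the
# recipient's key, taken from the key provisioned on this host's keyring.
DEMO_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def build_encrypt_cmd(src, dst, recipient_fpr):
    """Assemble gpg's argument vector for a run with nobody at the keyboard.

    --batch and --no-tty make gpg fail instead of prompting, so a missing key or
    an unusable output path surfaces as a non-zero exit rather than a job that
    hangs forever; --yes lets it overwrite a partial output left by an earlier
    failed run. The recipient is given as a full fingerprint: a name or e-mail
    address could match a look-alike key on a shared keyring.
    """
    fpr = str(recipient_fpr)
    if len(fpr) != 40 or any(ch not in HEX for ch in fpr):
        raise ValueError("recipient must be a full 40-hex-digit key fingerprint")
    return ["gpg", "--batch", "--no-tty", "--yes",
            "--recipient", fpr,
            "--output", str(dst),
            "--encrypt", str(src)]


def encrypt_file(src, recipient_fpr, run=subprocess.run):
    """Encrypt src to src.gpg and return the ciphertext path.

    The ciphertext is written under a .part name and renamed only after gpg
    reports success and the file is non-empty, so a downstream consumer never
    picks up a truncated file. The plaintext is left in place: deciding when it
    is safe to remove belongs to the caller, after the ciphertext is verified.
    """
    src = Path(src)
    dst = src.with_name(src.name + ".gpg")
    part = src.with_name(src.name + ".gpg.part")
    result = run(build_encrypt_cmd(src, part, recipient_fpr),
                 stdin=subprocess.DEVNULL, capture_output=True, text=True)
    if result.returncode != 0:
        part.unlink(missing_ok=True)
        raise RuntimeError(f"gpg exited {result.returncode}: {result.stderr.strip()}")
    if not part.exists() or part.stat().st_size == 0:
        part.unlink(missing_ok=True)
        raise RuntimeError("gpg exited 0 but wrote no ciphertext")
    os.replace(part, dst)
    return dst


def encrypt_directory(directory, recipient_fpr, run=subprocess.run):
    """Encrypt each regular file in the spool, skipping outputs and leftovers.

    One bad file must not abort the batch silently; the job keeps going and
    returns a report the scheduler can alert on.
    """
    report = {"ok": [], "failed": {}}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file() or path.suffix in (".gpg", ".part"):
            continue
        try:
            report["ok"].append(encrypt_file(path, recipient_fpr, run=run))
        except (RuntimeError, ValueError) as exc:
            report["failed"][str(path)] = str(exc)
    return report


def stub_gpg(cmd, **kwargs):
    """Stand-in for subprocess.run used only by run_demo(): reproduces gpg's
    observable contract (writes the --output file, non-zero exit on failure)
    without a keyring, so the example runs offline. This is not gpg itself."""
    src = Path(cmd[-1])
    out = Path(cmd[cmd.index("--output") + 1])
    if src.name.startswith("unreadable"):
        # Simulated failure; the message is constructed, not gpg's wording.
        return subprocess.CompletedProcess(cmd, 2, "", "stub: cannot open input")
    out.write_bytes(b"CONSTRUCTED-CIPHERTEXT:" + src.read_bytes())
    return subprocess.CompletedProcess(cmd, 0, "", "")


def run_demo():
    """Run the job over a throwaway spool of constructed files against the stub
    and return a summary: which files were encrypted, which failed and why, and
    whether any .part leftovers escaped the cleanup."""
    with tempfile.TemporaryDirectory() as spool:
        d = Path(spool)
        (d / "batch-001.csv").write_text("acct,amount\n1001,250.00\n")
        (d / "batch-002.csv").write_text("acct,amount\n1002,99.50\n")
        (d / "unreadable.csv").write_text("acct,amount\n")
        report = encrypt_directory(d, DEMO_FPR, run=stub_gpg)
        return {"ok": sorted(p.name for p in report["ok"]),
                "failed": {Path(k).name: v for k, v in report["failed"].items()},
                "partials_left": [p.name for p in d.iterdir() if p.suffix == ".part"]}


if __name__ == "__main__":
    print(run_demo())
```

Against a real keyring, call encrypt_directory("/var/spool/outbound", "<recipient fingerprint>") from the scheduler and alert on a non-empty "failed" map; the fingerprint check refuses a bare e-mail address on purpose, because the --recipient lookup would otherwise accept whichever key on the keyring matched it.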

The name is familiar ... The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAfee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do.

And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation ... you could run the same perl scripts, the same command-line arguments."

If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition.

(Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.)

Both sides of that fence. And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product."

To look and not to sell. Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person.

The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available through their source code page.)

14 of 165 comments

  1. Story, or advertisement? by Anonymous Coward · · Score: 5, Insightful

    Interesting for sure, but is this a hype piece?

    It doesn't look like a normal submission to me. Proper grammar, objective opinion instead of random flames, and bulleted titles to visually separate paragraphs instead of the shitty formatting job Slashdot forced me to get used to.

    Me suspects there is more than meets the eye here...

    1. Re:Story, or advertisement? by KDan · · Score: 4, Insightful

      Mod parent up. I think (s)he's on the money here. GPG is a command-line tool, so wtf are they going on about with their "pgp and gpg are pointy-clicky-stuff that you can't use for heavy duty shiznit" crap? Sounds like a publicity stunt to me; unfortunately they've tried it on the wrong crowd (ie people who actually have a clue about what the soft on their computer does).

      Go back to the drawing boards, ad-bot!

      Daniel

      --
      Carpe Diem
  2. I'm Confused? by mrs+clear+plastic · · Score: 3, Insightful

    I am a little confused. Yes, mod me down for this, but I could not resist.

    I thought that the last time I used my pgp (the oldie from MIT, now upgraded to GPG), the whole darn thing is command line.

    I get encrypted email. I save it to a file (using pine, my mua). I copy the file to my home machine. I decrypt it using gpg, which is a command line action. I read the message. I make my reply. I encrypt it using my command line GPG. I ftp it back to my email account. I use pine to include the file into the reply email messages.

    Now, I have been doing this both for my personal use. I have also been using it to communicate with one of my customers who is buying fetish clothing from me, but who lives in a place that he has to be careful.

    Now, you are saying that I have to pay $5,000 for the privilege of using this, especially for my business?

    --
    Cleara
  3. Why not sell the banks GPG? by Chris+Croome · · Score: 3, Insightful

    I guess banks want to pay for software so they have someone to moan at or something, perhaps the commercial software runs really quick?

    Apart from this I can't think of a reason not to use GNUPG, or am I missing something fundamental here?

    --
    Check out MKDoc a mod_perl CMS
    1. Re:Why not sell the banks GPG? by mrseigen · · Score: 2, Insightful

      GPG isn't coming out of a large, monolithic corporation, so other large, monolithic corporations inherently distrust it until shown otherwise.

      That, and it's fairly unlikely that the GPG group, as great as they are, has a dedicated corporate relations guy whose sole job is to make banks and corporations see the better value in the open-source world.

      It's the same thing with Linux, although, now that there are companies like Red Hat backing it and there are lots of people embracing it and talking about their successes, people are more likely to pick it up and use it for their installations. Sadly, GPG and a lot of other great projects haven't had this happen to them yet.

  4. Are you blind? by KDan · · Score: 5, Insightful

    GPG can be called from the command line too!

    [dan@dimension dan]$ gpg --help
    gpg (GnuPG) 1.0.7
    Copyright (C) 2002 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to
    redistribute it
    under certain conditions. See the file COPYING for details.

    Home: ~/.gnupg
    Supported algorithms:
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192,
    AES256, TWOFISH
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
    Hash: MD5, SHA1, RIPEMD160

    Syntax: gpg [options] [files]
    sign, check, encrypt or decrypt
    default operation depends on the input data

    Commands:
    (...)

    And it doesn't cost $100...

    Daniel

    --
    Carpe Diem
    1. Re:Are you blind? by Anonymous Coward · · Score: 2, Insightful

      Yes, but as far as commercial customers are concerned it isn't "PGP", nor is it a "commercial product". Sigh.

      GPG is great, I just wish corporate customers to which the command-line version of PGP is targeted didn't feel unhappy using software they don't have to spend vast sums of money on.

      People still believe in the mantra of "you get what you pay for" even if that saying is blatantly untrue with regards to free software - it's going to take a while before everyone understands that.

    2. Re:Are you blind? by KDan · · Score: 2, Insightful

      So if this is a marketing piece targeted at corporate IT-budget-droids what the hell is it doing on /.???

      Daniel

      --
      Carpe Diem
  5. Neither Version Is Usable By Mom by Anonymous Coward · · Score: 4, Insightful

    PGP is great. It's the strongest freely available crypto for the geek masses out there. However, it's still pretty much for the geek masses, or at least people who can get their minds around the difference between signing and encrypting and which key is used when. My mom can't use PGP, even though with all the Homeland Security and Total Information Awareness stuff going on, she'd like to just have 100% of her email encrypted and not have to worry about her sense of humor going into her federal permanent record.

    For some of us, there's the other problem - we use Pine or FringeMail 1.0003 or something for which the multiple-megabyte SMTP client plugins PGP GUI monster is just too unwieldy. Perhaps Phil Zimmermann sees that as a niche that got left behind as the giant GUI version evolved, and recognizes a need for the simple command line version.

    Works for me; I'll always cut n' paste my ciphertext. I still use PGP 2.6.2. What's needed is a very simple cut n' paste Windows app that can generate or accept PGP-style blocks of ASCII.

  6. Believe it or not by kfg · · Score: 2, Insightful

    There are actually many of us who still *prefer* to handle our purely text based tasks, such as email, from the command line.

    I have nothing against GUIs, I'm running KDE right now, but to have to fire one up just to encrypt text when I'm already in text mode is not only annoying, it's doofey.

    KFG

  7. Advertorial again? by hughk · · Score: 4, Insightful

    The Gnu Privacy Guard works quite adequately for the standard stuff. Some of the more advanced stuff in PGP isn't there yet such as secret sharing with a quorum, but for file based signature and encryption from the command line, GPG works very well.

    I don't really understand why Phil is doing this. Perhaps some commercial customers feel more comfortable with a commercial package. However, GPG has had (German) government money funding its development and is thought to be quite good. The German Govt liked PGP as well, but it was complicated to licence. The old PGP commercial licence only permitted you to use the supplied binary, not to compile from source. The Germans supported the rewrite and AFAIK it is a standard there.

    To me this seems like another of the recent /. advertorials. An article about a product that isn't really newsworthy and for which there is a good Open Software and free equivalent.

    Sad really isn't it!

    --
    See my journal, I write things there
  8. I'm really disappointed.... by tytso · · Score: 4, Insightful

    That Slashdot chose to include the entire press release (since that is what this clearly was) as part of the slashdot article. A pointer to a web page, perhaps --- the fact that Phil Zimmermann is behind a new commercial product that competes with the original commercial version of PGP, perhaps. But the entire press release? Please! Why give them free advertising? (I'm assuming here that this wasn't a new way for the OSDN to raise revenues by getting an entire Slashdot article with arbitrary content from a marketing organization in exchange for $$$).

    In any case, it's not really clear this story is all that interesting as news anyway, for the very simple reason that it is very doubtful that commercial versions of PGP will succeed, simply because for the naive user, PGP is Just Too Hard to use. The moment you have to explain certification chains to users, you've lost. The naive user (the ones who can't figure out how to set the time on their VCRs) simply won't be able to cope. And for the expert users, they'll just simply download GPG, or perhaps the old version of PGP 2.6.2. Why should they pay $$$ for a commercial command-line version?

  9. Re:Automated jobs by sql*kitten · · Score: 0, Insightful

    The reason command line tools are very useful is for cron jobs. I don't know how many times on a windows machine I wish that there was a command line tool to do something.

    Here's a free clue, kid: just because you don't know how to do it, doesn't mean it can't be done. Like the other poster said, at /?. And if you're really into command lines, look up Windows Scripting Host on MSDN.

  10. Commercial vs freeware by SiliconEntity · · Score: 4, Insightful

    GPG is freeware, as is the old PGP 2.X. Zimmermann's new product and the NAI version are commercial software. When you pay the big bucks for these programs what you are really buying is support and hand-holding. Many companies still prefer to pay for the privilege of having another company they can go to when things go wrong, rather than relying on the user community.

    One reason for this is psychological; Republicans like to pal around with Republicans, Democrats like to hang with Democrats, and companies like to do business with companies.