Slashdot Mirror

← Back to Stories (view on slashdot.org)

Command-Line Crypto From Phil Zimmermann, Again

Posted by timothy on from the will-smite-thee-is-a-command-line dept.

A few months ago, PGP creator Phil Zimmermann became a reseller for the current graphical version of the software he originally spawned, produced by PGP Corporation. Now, Zimmermann has just started selling through his own website a modern command-line encryption product called FileCrypt, which has its roots in an older version of PGP. Confusingly enough, this software is produced by a company called (Veridis), and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name; when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. PGP Corporation, for whom Zimmermann serves as a technical advisor (as well as a reseller), is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less? Update: 02/07 23:07 GMT by T : Here are three instant clarifications: PGP Corporation was misrendered as "Open PGP" in this paragraph; Veridis' command line product was inspired by PGP but independently created; its codebase is separate from NAI's version of PGP; and the rights holder to the PGP name is PGP Corporation, not NAI.

They aren't paying for a pretty logo. The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market.

Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollars price as to a generalized interest in privacy. Home and hobby users are not cut out from buying Veridis's software -- for about a hundred dollars, you can buy a personal use version of the command-line version. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server) are really aiming at commercial and governmental datacenters, and for customers willing to accept a much higher pricetag.

Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures.

The name is familiar ... The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAffee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do.

And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation ... you could run the same perl scripts, the same command-line arguments."

If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition.

(Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.)

Both sides of that fence. And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product." To look and not to sell. Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer-review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person.

The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will be soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available though their source code page).

9 of 165 comments (clear)

  1. Automated jobs by rawgod0122 · · Score: 5, Informative

    The reason command line tools are very useful is for cron jobs. I dont know how many times on a windows machine I wish that there was an command line tool to do something.

    1. Re:Automated jobs by Anonymous Coward · · Score: 5, Informative

      > You mean like "at" available since NT 4?

      No, he means the commands called by 'at'. Some Windows functions have no commandline equivalents.

  2. Advantage of command line... by Sir_Ace · · Score: 5, Informative

    GUI is nice and all, but a command line one would work much better with procmail filters..
    As well as just about every other kind of script I would assume...

  3. Story, or advertisement? by Anonymous Coward · · Score: 5, Insightful

    Interesting for sure, but is this a hype piece?

    It doesn't look like a normal submission to me. Proper grammer, objective opinion instead of random flames, and bulleted titles to visually seperate paragraphs instead of the shitty formatting job Slashdot forced me to get used to.

    Me suspects there is more than meets the eye here...

  4. HIPAA and PGP by prgrmr · · Score: 5, Interesting

    Insurance companies and health care organizations are increasingly relying on PGP in its various forms to met requirements for confidentiality and security of data imposed by the HIPAA legislation. Zimmermann's latest work has a potentially huge market this year, and potentially next year too, if there are more delays with implementing the "enforcement" aspects of the law.

  5. Command line GUI by geoffrey+crawford · · Score: 5, Interesting

    I find with any GUI program, if there is no command line control, it becomes half as useful. Scripting and automation are what make computers beautiful.

    The command line is much quicker too. Don't want to type out a million options and flags? Then make an alias... one word is all it takes to run enormous computations.

    In the case of PGP, the only GUI integration I need is in e-mail, and thankfully Evolution provides it. The rest of its use is on the command line, making encrytped tar archives, and saving other information.

  6. Are you blind? by KDan · · Score: 5, Insightful

    GPG can be called from the command line too!

    [dan@dimension dan]$ gpg --help
    gpg (GnuPG) 1.0.7
    Copyright (C) 2002 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to
    redistribute it
    under certain conditions. See the file COPYING for details.

    Home: ~/.gnupg
    Supported algorithms:
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192,
    AES256, TWOFISH
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
    Hash: MD5, SHA1, RIPEMD160

    Syntax: gpg [options] [files]
    sign, check, encrypt or decrypt
    default operation depends on the input data

    Commands:
    (...)

    And it doesn't cost $100...

    Daniel

    --
    Carpe Diem
  7. GNU Privacy Guard isn't graphical by lovelaceAtWork · · Score: 5, Informative
    The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard)
    Last time I checked, GNU Privacy Guard, also known as GPG, was a command line program. You're probably talking about the GNU Privacy Assistant (http://www.gnupg.org/(en)/related_software/gpa/in dex.html).
  8. Command Line Crypto? GnuPG, surely? by Anonymous Coward · · Score: 5, Interesting

    Let's be honest here. No-one in their right mind would use the PGP command line since something much better - GnuPG - came along, and this has been a while ago (they aren't migrating, they've often completed migration).

    • GnuPG is gratis - no cost. $0. PGP command line and other commercial command line OpenPGP products (like this Filecrypt) cost a shedload of money (they start at $99 - there may not even be an end) for such a simple, albeit effective, program.
    • GPG can be tweaked to your own needs legally - you can even redistribute your tweaks. Hell, you can give your friends copies. Not so with Filecrypt.
    • GPG can do everything that Filecrypt can do, with two exception - firstly, it can't work on X.509 certificates. Noooo, that's OpenSSL's job (which, you will notice, is also free of charge, open-source software). Secondly, if you need IDEA (blech, implies PGP2 which uses MD5 signatures, becoming a bad idea today) you need to install a module or merge a patch but that's simple if you're a command line hacker - and if you're not a personal user, you do need a patent licence from MediaCrypt AG, but that is still likely to be much cheaper than the equivalent copy of Filecrypt. [Caveat - I'm not sure if Filecrypt can use IDEA either.]

    What Phil's trying to do here is sell a piece of software for an extremely high price which competes directly - directly, not just on the same turf but on the actual same blade of grass - with now well-proven software which is entirely free (beer and speech).

    This is not a smart business plan. Only chance Veridis has is fast talking, name leverage and selling good support - trouble is, GPG doesn't actually need support as such, the software doesn't need to be, and isn't, really all that complex. Documentation should be enough, because it works already. The source is even friendly enough to adapt and build around for your own purpses, unless you're a moron, and morons should really not be adminning boxes you wanted to use strong crypto on.

    I can't see a single reason you'd want to actually use Filecrypt over gnupg, especially given the high price tag... anyone?