PKWare and Winzip Reach A Secure Zip Compromise

richard_za writes "Until now the rival compression software vendors PKWare and Winzip have had different (incompatible) ways of password protecting the ZIP format. In a bid to prevent fragmentation of the standard they have agreed to have their software support opening of the other's files. They have however not agreed to support a single standard. PKZip's encryption is RSA-based while Winzip use an AES approach which is fully documented here. The Register is running this story. PKWare has this press release."

How many people really use encrypted Zip files

[voss]

I find zip files to be a pain in the butt anyway even without encryption.

Re:How many people really use encrypted Zip files

I find zip files to be a pain in the butt

WindowsXP Power User

Re:How many people really use encrypted Zip files

[Zenjive]

My company's email server anti-virus software will block out .exe's and most script files among other file formats even when zipped. The way to get around it if you really needs to send that type of file is to use an encrypted or password protected zip file. So, I use the encryption regularly!

Re:How many people really use encrypted Zip files

[secolactico]

But does it actually look into the files or simply based on the file extension? Whenever I have to send an .exe, I simply rename it to ".foo" or ".ex_" and instruct the recipient as to what to rename it to.

Re:How many people really use encrypted Zip files

[Politburo]

The system that the State of New Jersey uses for environmental air permits uses encrypted zip files to submit data to and from the state. I'm unsure of which method they use to encrypt the files. All of the work is done by the client program.

Re:How many people really use encrypted Zip files

[coyote-san]

In either case manual intervention is required and there is no chance of a viral payload being automatically run. Remember the real issue isn't denying you the ability to send/receive executables, it's keeping the brain-dead POS from automatically running any executable it sees regardless of origin.

Re:How many people really use encrypted Zip files

[Zenjive]

I don't think it can scan if the zip is passworded. We have been able to get around it without passwording by renaming extensions, but I think with ascii files, like scripts, etc. it does actually look at them. It doesn't care about script code in a .txt file. I think the main thing it is concerned with are files that can be run by double-clicking. A renamed exe, on a Windows box at least, can't be run.

no difference as far as the user is concerned

[MrRTFM]

if either program opens the others files the user wont (and shouldn't have to) give a shit which method is used.

"As long as it works"

Re:no difference as far as the user is concerned

[vasqzr]

What about those people who use a version that isn't the latest and greatest?

2 standards only cause confusion. Remember the Word 95/97/2000 confusion?

"Call him back and tell him we need it saved as Word 95!"

Re:no difference as far as the user is concerned

IT also makes it harder for another vendeor to enter the market.

"As long as it is proprietary"

Re:no difference as far as the user is concerned

[Dogers]

well you know what they say about standards - theres so many to choose from! :)

Re:no difference as far as the user is concerned

[drinkypoo]

I don't know abot PKWare's windows zip program (the last time I used it, which was only once, their gui was atrocious) but at least in the case of WinZip, upgrades are free, and the serial numbers haven't changed in aeons, so there is no excuse for not upgrading. It's not like winzip is a huge program.

Re:no difference as far as the user is concerned

[DrXym]

Well yes and no. PkZip seems to have licenced RSA BSAFE for their mechanism which make it less likely you'll see versions of InfoZip that support it (at least fully) because it is more complex and possibly proprietary. So there goes portability. And let's hope it doesn't favour some appallingly slow public key based encryption.

Whereas WinZip have chosen an off-the-shelf algorithm, a GPL implementation of that algorithm and published the full specs to how they've extended the zip format.

So a user who knows not about such matters might conclude that PKZip performs like a slug, costs more thanks to licencing or is non-standard while WinZip is none of those things.

Re:no difference as far as the user is concerned

WINZIP FOR WINDOWS SERIALZ

just use:

name: x
serial: 0002000

Greetz to Phr0z3n Cr3W

Ten years too late

[heironymouscoward]

Zip file management has virtually been absorbed into both Windows and Linux, and even if these two vendors agreed on a standard it would not mean much. PKzip became irrelevant when Infozip's portable zip tool became widely available, around 15 years ago. Further, all archiving tools today already deal with such a variety of formats that I can't see the crying need for a standard.

Re:Ten years too late

[selfabuse]

15 years ago? I don't know about anyone else, but I was using pkzip/unzip well into 1996 or so.

Re:Ten years too late

[f00Dave]

The issue here isn't with that sort of low level interoperability, but with the schism in the encryption standard used. I haven't checked (in true Slashdot style), but I suspect that Infozip's tool won't handle ZIPs encrypted with recent versions of PK's or WZ's software....

Re:Ten years too late

[stuffedmonkey]

Apple has absorbed zip too recently - as of OS X 10.3 zip compression is built into the OS. They look to be moving away from Aladdin's propriatary .sit format...

Re:Ten years too late

[lonb]

Not that I make a standard of ripping people apart, but I'm going to rip your comments apart, they need it:

"Zip file management has virtually been absorbed into both Windows..."
What the crud are you talking about? The first utility that is installed on every Windows box I touch is WinZip; there is no zip file access under windows without it. Not only that, but I asked a few colleagues just now and we all had a quick chuckle about the idea that Windows knows how to make heads or tails of a zip file.

"PKzip became irrelevant...around 15 years ago"
In 1989, PKzip hadn't even become a huge hit yet. It was only in 1990 when BBSes were rampant that the PKzip utility become a smash hit. And I remember in '92, that EVERY file traded (short of video and pics) was zipped. I would guess that it was not until around then (or maybe later, I forget), that WinZip started to gain broad use. I would guess that it was around 93-94 that WinZip really drop-kicked PKzip.

"...all archiving tools today already deal with such a variety of formats that I can't see the crying need for a standard."
That is exactly why there needs to be a standard! There is no reason for archiving tools to support 15 different file formats. A unified standard, perhaps with a few variations (for distinct file types) would make life a lot easier for everyone. Don't worry there will always be outliers like RAR.

Re:Ten years too late

[pr0c]

lonb: "Zip file management has virtually been absorbed into both Windows..." What the crud are you talking about? The first utility that is installed on every Windows box I touch is WinZip; there is no zip file access under windows without it. Not only that, but I asked a few colleagues just now and we all had a quick chuckle about the idea that Windows knows how to make heads or tails of a zip file.

How long has windowsXP been and you still don't know some of the new features it gave windows users? Zip support has been in winXP since day one. It amazes me that not only did you not know this but you also asked colleagues and they didn't either and on top of that you all laughed about your ignorance. How amusing.

Re:Ten years too late

[lonb]

Oh, that's right -- which was the button to create a zip file again?
"Reading is half the battle." - G.I. Joe

Re:Ten years too late

[shadowmas]

windows xp and windows 2003 server both have a "send to Compressed (Zipped) folder" which creates a zip file. xp also displays zip files as folders. though this goes away once u install winzip associate zip files with it.

Re:Ten years too late

[operagost]

Good - because I would really like to stuff "Stuff-it". I hate that software. It wouldn't be anywhere near my Windows boxes except that I've had to move data from them to non-networked Macs.

Re:Ten years too late

[BradleyUffner]

right click menu > new > Compressed (zipped) folder

Re:Ten years too late

Are you done embarrassing yourself yet?

Re:Ten years too late

[nathana]

Yes; as other posters have pointed out, you can not only open ZIP files in Windows XP natively and use them as if they were normal folders *without installing a third-party piece of software*, but you can add and remove files from these ZIP archives quite easily (drag-'n-drop) and even create new ZIP archives quite easily, too: either right-click file -> Send To -> Compressed Folder, or right-click empty space -> New -> Compressed Folder, and start dragging things into it.

Of course, if you want to verify this yourself, you are going to have to make sure that you test it on a virgin XP box that you haven't raped yet by installing WinZip on it...that'll kill the built-in ZIP "folder" class as WinZip messes with the file associations.

Oh, and by the way, the Windows ZIP folder class has been around since Windows 98, when it came with the Windows 98 Plus! pack. The first version of Windows to include it as part of the operating system was Windows ME. And if you look hard enough, you can actually find a copy of it on Microsoft's web site (disguised as an update/bug fix for the ZIP folder; it won't install if you don't have it already, but you can extract the files from the self-extracting CAB and install it manually). It runs on virtually every Win32-based Microsoft OS. Heck, I have managed to install and use the Microsoft ZIP folder on Windows NT 4.0 (regsvr32 zipfldr.dll), and it ran perfectly fine.

Infinitely superior to WinZip in every way (except for the fact that it doesn't do disk spanning). It even has an encryption feature.

Re:Ten years too late

Zip isn't a really good option as a general Mac archiver due to the lack of resource fork support.

Apple's preferred format seems to be compressed disk images. I also would love to see Stuffit go away completely.

Re:Ten years too late

it doesnt completely go away

do a search that finds a file in a zip

then do open containing folder

it doesn't matter whe program is associated with zip files it will still open the zip in a normal folder window

Re:Ten years too late

[ncc74656]

15 years ago? I don't know about anyone else, but I was using pkzip/unzip well into 1996 or so.

The copyright notice at the top of unzip.c says 1990...not quite 15 years, but close enough. I think I first used it with some pre-1.0 version of Linux back in '93 or '94 (or maybe with DR DOS 6 before that).

Re:Ten years too late

[moreati]

Back in the days (when Windows 98 was the best of the bunch) I used a great tool called ZipMagic. It turned zip files into folders, just as you describe, I could even share the zip file/folder using SMB and other people could connect directly to \\mycomp\stuff.zip\.

I always wondered how the magic was done, thanks for a very informative post.

Alex

PS Might you have a link to that 'update'?

Re:Ten years too late

Congratulations on continuing to make yourself look like a complete fucking moron! Keep up the good work!

Re:Ten years too late

google zipfldr.dll site:microsoft.com

One of those pages has a link to both the xp version and the 98/me version. Once you have the version you want to try, run the updater and watch your temp folder. When the files show up in the temp folder, move zipfldr.dll into %windir%\system and follow nathana's instructions. Note, the w98 version I tried to install also included versions of dunzip32.dll and dzip32.dll, but I already had them in the system directory (different, chronologically older versions with higher version numbers than the ones included in the update), and I didn't copy them. Basic features like compressing and decompressing files/directories still worked fine, although I didn't do much testing with any other features.

I still prefer to use Info-Zip's free command-line tools. They preserve file creation dates, whereas many other zip/unzip programs (like this one) don't. Plus, I am guaranteed not to be using any proprietary extensions to the format such as the encryption implementations detailed in this /. story. I find this important, since I always try to avoid platform and version incompatibilities when it comes to the documents and archives I create.

Re:Ten years too late

regsvr32 /u zipfldr.dll

should eliminate this as well, though I can't test it right now. I've just posted this elsewhere as a means of disabling zip files from populating the directory tree list in explorer.

Re:Ten years too late

Obviously you know nothing.. it's been in WinME since day 1.. XP being the bastard child of 2K and ME, it has support by heredity :-)

-- vranash

Re:Ten years too late

I want my zip files to stay as zip files, not pretend to be folders.
XP has compressed folders, no reason to use zips for that.
What, next ppl will email folders around thinking they were zips - woops, they already do that.

Who's running PKWare

Since the PKZip guy killed himself?

Re:Who's running PKWare

[vasqzr]

Here's a brief history of Phil Katz

Re:Who's running PKWare

Interesting article, too bad really that he died.

I am glad he released it into the public domain.

Re:Who's running PKWare

[FattMattP]

Here's the rest of the story.

The issue is encryption standards

[aheath]

The real issue here is that PKWARE and PKZIP chose to use RSA encryption to secure ZIP files. A digital certificate or a password can be used to encrypt the file. WinZip is use AES encryption to encrypt ZIP files. PKWARE products will now be able to read WinZIP encrypted ZIP files. WinZip products will now be able to read PKWARE encrypted ZIP files.

There is still a problem with interoperability at the level of creating encrypted ZIP files. There is no longer a problem with interoperability at the level of reading encrypted ZIP files. The best way for this problem to go away would be for PKWARE to expand the SecureZIP standard to include RSA and AES encryption.

Re:The issue is encryption standards

[tttonyyy]

Both formats still allow you to view the filenames contained within the protected archives, and the only way around that is to zip the protected zip file again to hide this information. This is inelegant - they'd be better off agreeing an improved third standard.

Re:The issue is encryption standards

[delus10n0]

Or just use an archiving format that can encrypt filenames as well, and give you much better compression.

Re:The issue is encryption standards

[geirt]

A reason for not encrypting the file name in a zip file is that this would in some cases enable a known plaintext attack.

Re:The issue is encryption standards

You have the sequence wrong.

You don't zip, protect, zip. You zip, zip, protect. Or, you zip, protect, zip, protect, but that's going overboard.

Any alternative that disallows the viewing of a zip file's central directory is no longer zip, nor - for sanity's sake - should any such bastard be referred to as such, or any derivative of such. It's basically a handicap of the format, which is very archaic in its current implementations and limitations. RAR and ACE are much better in every conceivable way other than popularity/legacy-compatibility, with RAR having the advantage over ACE on both points. (ACE is supposedly a more efficient compressor than RAR, however.)

Meh..

WinRAR, need i say more?

Re:Meh..

No! ARJ is the master compression format.

Re:Meh..

[jaavaaguru]

.tar.bz2.asc

Encrypted (open PGP), and uses less disk space/bandwidth than RAR files.

It's easy as well. In Konqueror 3.2, right click on a file or folder, and choose "Create bzipped archive", then right click on the .bz2 file and choose "Encrypt file".

Re:Meh..

[pr0c]

Check out 7-zip http://www.7-zip.org/. It supports rars, zips etc but I use its own 7zip format most of the time which USUALLY is much smaller than a rar even.

Re:Meh..

[mattgreen]

WinRAR has the most horrid UI of most any program out there.

Re:Meh..

[darth_silliarse]

I agree fully with this comment although I find it hard to compress with anything other than gzip :o)

Re:Meh..

[Haeleth]

.tar.bz2.asc ...uses less disk space/bandwidth than RAR files.

Um, no. For all the files I've ever archived, RAR ends up about 5-8% smaller than tar + bzip2.

Bzip2's advantage that it's free and open (and compresses better than the archaic zip and gzip). It does not compress better than RAR.

If you want to champion a free compression tool, I suggest 7-zip, which does often do better than RAR, but has a rather pathetically small user base.

Re:Meh..

[edwdig]

The problem with WinRAR is it looks like the UI hasn't been updated since the Windows 3.1 days. The artwork is all ugly & low color. The dialogs all just look out of place. There's something I just can't place about it that feels wrong.

Technology wise WinRAR is a good program. But it's about as usable as a circa 1995 app for X11.

Re:Meh..

[jaavaaguru]

I played with both of them a while ago when a friend was going on about how good Win ACE is at compression. I can't remember what sort of files I was compressing when I came to that conclusion. Perhaps we needs some good old benchmarks to give people an idea of what differences there are (compression ration, time taken to compress, etc). If I find some spare time I'll give it a shot.

Re:Meh..

[gnu-generation-one]

".tar.bz2.asc"

Outlook: One attachment was deleted for potentially containing a virus (RULE 354: "more than one file extension")...

Re:Meh..

[jasonwea]

So now we can't use multiple periods in our filenames? These blocked attachments everywhere are getting annoying.

Really, what's wrong with a filename such as "linux-2.6.1.tar.bz2"? Oh, Microsoft considers that a virus you say? :)

Re:Meh..

ACE > RAR > CAB > .TAR.BZ2 > TGZ > ZIP for multiple small files in my tests.

BZIP2, using any of the possible settings, completely sucks at large files compared to ACE and RAR. Haven't put in enough time with 7zip to say anything positive about it, although I'm not happy with the program's usability.

GZIP/ZIP isn't particularly excellent at anything other than speed and low resource utilization any more, not to mention ubiquity.

As far as I'm concerned, RAR is king. I use BZIP2 for individual files that have to remain portable to multiple platforms and for which preserving file dates is unimportant, and I use ZIP for archives that have to remain portable, since it's so compatible and convenient. I also use Info-Zip ZIP whenever I need to maintain file creation and modification dates, something which on Windows is pathetic compared to behavior on other OS, like Mac OS.

Re:Meh..

[Space_Soldier]

Don't know what you are talking about. 1995? Are you blind? The icons aren't that great, but they are 32 bit and every dialog and window is where it is supposed to be.

Easy to crack?

Isn't the Winzip encyption one of the lamest around, even by PC standards? I'm sure last time I checked (forgot my password) I was disgusted by how easy it was, and have certainly never used it since. I'd like to use it, however?

Re:Easy to crack?

[Troed]

Old zip-encryption used three internal 32-bit keys - which by today's standard is quite easy to break. You need 11 bytes (or was it 14?) of known cleartext though when searching.

The breaking of zip-encryption was considered to be quite a feat when it happened in the middle of the 90's, if memory serves me correctly.

Re:Easy to crack?

[mwilliamson]

I don't care even if zip is using 2046 bit RSA keys...it's fairly easy to crack when all you have is a few dozen bits of entropy derived from a lame password. Remember, why bother brute forcing the key when is's easier to brute force the password used to generate the key. I'd bet most people using zip for encrypting their files choose dictionary passwords. Easy to crack? What do you think?

BTW, the same doesn't quite hold true for PGP/GPG users because they use a key that includes much more entropy than which is derived from the password. Also, the password itself is useless in generating the key. If they choose lame passwords (or none at all), you'd still have to steal their key.

Re:Easy to crack?

[Troed]

My passwords are usually >16 characters long, some are more than 30 (depends on the strength of the algorithm they're used in). While I agree that a lot of people use easy to guess passwords, the old zip encryption was most easily broken through the internal key - NOT by brute forcing the password. Do the math if you don't believe me ;)

A-Z,a-z,0-9 and a few special chars makes a 24 char password contain 128 bits of entropy. That's secure enough for everyone using symmetric ciphers.

Re:Easy to crack?

[Prof.Phreak]

a lot of people use easy to guess passwords

Actually, my password is: "easy to guess".

Nobody seems to have guessed it yet.

Still no unified standard

[Ilex]

I thought I'd highlight the point that they still haven't unified their encryption. They've just agreed to support each others "proprietary" encryption. So we effectively have 2 different encrypted zip formats.

However with most people using Winzip I don't think the PKWare version is going to be very common, at least on the windows platform anyway.

Zip open public domain standard?

Isn't the zip compression standard in the public domain now after the death of its creator? I do not see why people even bother using (and paying for) either, there must be an open sourced version out there.

Re:Zip open public domain standard?

[Rosco+P.+Coltrane]

I do not see why people even bother using (and paying for) either

When was the last time you payed for Winzip? They have this great feature call "evaluation period", with an endlessly renewable period.

Re:Zip open public domain standard?

Info-ZIP has an open-sourced zip and unzip. It's command-line but it does the job well. Loads of different computer systems are supported.

Re:Zip open public domain standard?

[Zaiff+Urgulbunger]

It does nag though doesn't it! You'd when you're in day 1254545 of your 30 day evaluation it might give up, but oh no, it just nags you some more!!

Re:Zip open public domain standard?

[Zork+the+Almighty]

Wow, you've been using Winzip for almost 35000 years!

Re:Zip open public domain standard?

How but because it's illegal to not pay for it. Or how about because the people who work for WinZip deserve to make a living. But maybe you need that $29 for your next drug fix

Try PowerArchiver

[dzorz]

PowerArchiver is shareware and supports lots of encryption standards (and file formats). Extracted from http://www.powerarchiver.com/features/ >Encryption of files and archives using 5 different methods: Blowfish (128-bit), DES (64-bit), Triple DES (128-bit), AES 128-bit, and AES 256-bit

Zip is ooold!

Call me a Troll, but I think the ZIP standard is outdated and bloated.
As for me I'm happy with the RAR compression.
It's smaller and well protected when it comes to encryption (AES).

Re:Zip is ooold!

[Rosco+P.+Coltrane]

I think the ZIP standard is outdated and bloated.
As for me I'm happy with the RAR compression.

I'll second that : ZIP disks only contain 250M, while RAR disks contain up to 500M. Iomega really belongs to the past ...

Re:Zip is ooold!

[macmaxbh]

The thing is about Zip is that both Windows XP (not sure about older versions) and Mac OS X 10.3 have zip compression built into the system--XP will open it up on the fly, and Mac OS X can compress/expand using tools built into the system.. so it's not going away anytime soon..

Re:Zip is ooold!

I still don't have Panther, but, Apple has supported gzip since OS X came out, thru the command line.

Re:Zip is ooold!

what Ive seen ZIP = RAR + about 2KB.
RAR is NOT an open standard, thus SUX SHIT.

Re:Zip is ooold!

[macmaxbh]

No, but Panther has a "Create archive of selected files" option when you control/right click on a file or a group of files, and it zips them up--and it has a app (X, not UNIX) in the core system that'll decode them.

Symmetric vs. asymmetric

[kasperd]

I doubt that PKZip is based only on RSA. RSA is an asymmetric encryption. For some purposes this is nice, but it is inefficient. For that reason you almost always use asymmetric encryption together with a symmetric encryption. You generate a one time symmetric encryption key. The data is encrypted with the symmetric key, typically in CBC or CFB mode. Then only the symmetric encryption key is encrypted asymmetrically, which means much better speed.

Actually I think this is one of the cases, where there is no need for asymmetric encryption at all. So AES sounds like a better idea. Can anybody explain why PKZip use RSA? And which symmetric cipher is it combined with?

Re:Symmetric vs. asymmetric

Can anybody explain why PKZip use RSA?

A shot in the dark: PKZip uses RSA because that's what the US gov't wanted for an encryption standard at the time?

(Anon 'cause I'm guessing... =] )

Re:Symmetric vs. asymmetric

[hey!]

Actually I think this is one of the cases, where there is no need for asymmetric encryption at all.

That's only true if you are interested in creating an archive for your own future use. However, if you are interested in exchanging archives with other people, then you have the headache of key exchange, and assymetric encryption is quite useful. Probably most people who need to do this would prefer a solution that handles e-mail and other kinds of documents as well. However if you already have the public key infrastructure in place, it is probably going to be nice to use it for your zip archives too, in a belt-and-suspenders kind of way. I haven't looked at the PKZIP product, but the assymetric encryption should allow for digial signatures on archives as well, which would provide authentication and non-repudiaiton.

I'd say that the PKZip way would be more attractive to companies that need enteprise wide security and may have built it around RSA, and the WinZip way would be adequate for users who simply want to avoid having people poke around in their files.

Re:Symmetric vs. asymmetric

[jaavaaguru]

According to this apge, RAR uses AES-128 encryption (see the last paragraph).

Re:Symmetric vs. asymmetric

I always use asymmetric crypto in my backups.

This way I do not have to remember or type (i.e. expose) my COMPLEX password each type I make a backup (quite often). Only when I use it (rarely).

I time factor is irrelevente, in MOST machines, since only a password is incrypted, using GnuPG.

Re:Symmetric vs. asymmetric

[anethema]

I was actually also suprised to hear they use RSA. How does this even work ? Do you have to get peoples public key before sending them a zip file? While digital signatures are nice, it doesnt make up for the huge inconvenience of having to tailor each zip file for the person you are sending it to.

The parent is right talking about a combo of asymmetric and symmetric combinations in common use. With SIMP (transparent MSN encryption) the public keys are sent automatically, and you are supped to verify the hashes over a secure channel (in person, etc). Once verified it sends the symmetric key over the secure channel for the AES-128 and uses that for the rest of the conversation.

For zip files it seems that JUST aes would be the best idea, since all you want is a password.

DISCLAIMER: I am an encryption noob, so if RSA can be done another way, or this isnt how it works at all, let me know.

Re:Symmetric vs. asymmetric

"Hi, I read the first 5 Chapters of 'Applied Cryptography, and I think I'm really smart."

Re:Symmetric vs. asymmetric

[kirkjobsluder]

Sometimes, you need to send sensitive files among a small workgroup. For example, in the project I work for we have to share files that include confidential information. Asymetric encryption is designed for this kind of thing.

Re:Symmetric vs. asymmetric

[kasperd]

I always use asymmetric crypto in my backups.

Good point. But then you must need to store your key somewhere. Actually each archive you create should contain the secret key encrypted under your password, because you don't want to eventually lose your secret key and then be unable to decrypt your backup copies. So on your harddisk you must keep the encrypted secret key along with the public key. Could you explain in a litle more detail how you do this? And is that the same as PKZip does?

Re:Symmetric vs. asymmetric

[coyote-san]

Just how many people do you expect to have access to the encrypted files?

In any case, you can specify multiple recipients. The encrypted session key is provided for each recipient's public key.

Re:Symmetric vs. asymmetric

[anethema]

I understand what asymmetric encryption is for, I just dindt know if there was another way to use it since this sounds fairly useless for a zipped file. Very involved just to password protect your zip file.

Re:Symmetric vs. asymmetric

[anethema]

I dont know, maybe I want to hose a file on a public server and only tell certain people the password, in person say. Might not want to have to collect all their public keys. Seems much smarter to just use a symmetric encryption and just password protect the file. Like RAR, which uses AES-128 IIRC. Having to get a public key for everyone who you might want to send this to seems cumbersome.

so-bad-it's-good joke of the day

both sides have their lips zipped over their trade secrets ;)

An issue for Windows users mainly

[Space+cowboy]

.. so it concerns me not a lot. Now if there was a competing 'tar' standard, I'd take more notice :-) Since they've agreed to play nice, this is surely just a "it's ok folks, use whichever you want" moment ? Great. Next.

Simon

Re:An issue for Windows users mainly

[JohnFluxx]

um a better equivalent would be gzip. And there is a competing standard to that - bzip :)

(but they both have their uses. bzip is 'better', but doesn't work on streams like gzip can. It uses blocks.)

Re:An issue for Windows users mainly

[caluml]

tar cvO /home/yourfiles | gpg -c > /home/yourfiles.gpg

Or of course you cuold encrypt to your public key, if you have one setup.

Re:An issue for Windows users mainly

[Space+cowboy]

I thought of that before I posted, but came to the conclusion that I don't really care much about compression any more - the convenience is using a bundle of files rather than that it's 25% of the size of the original...

Sure, there are times when I will compress something for transfer over the net with time-saving in mind, but this is rare compared to "I have 2500 class files and source files and it needs to be on that machine"...

Simon

Re:An issue for Windows users mainly

[harmonica]

Every time someone sends you a zip archive that you need and that doesn't work because you don't have that particular Windows zip program X it will concern and annoy you.

Re:An issue for Windows users mainly

[forgotmypassword]

So not at all.

Re:An issue for Windows users mainly

[Space+cowboy]

Whereas you'll probably be moderated up because my original post seems dismissive, it really doesn't affect me, or to be more accurate, it hasn't ever affected me.

I use Linux almost exclusively. Even when using windows, I tend to just have VNC onto a linux box. Interoperation with Windows isn't a priority for me, that's all I'm saying...

Simon

Re:An issue for Windows users mainly

[adamjaskie]

Yeah, if it wasn't for the ability to have tar run the archive through b/gzip for me with the -g or -j flag, I would probably just use plain tar files. However, it is convenient enough to just stick the j in, so I bzip all my archives.

That said, when I used to use Windows, if I needed an encrypted ZIP file, I zipped it up with 7-zip, and ran the resulting zip archive through PGP to encrypt it. Archiving and encryption are separate. However, a flag for tar to run the final archive (after bzipping) through GPG would be nice. Otherwise, I would have to be un-lazy and type out a longer command, or be really un-lazy and make a wrapper script. And I am too lazy for that.

Re:An issue for Windows users mainly

[Quill_28]

Not to flame, but do you post on every article that concerns you not a lot?

Re:An issue for Windows users mainly

This isn't even an issue for windows users. Windows XP has native zip support. I'd like to know why these two companies even still exist.

Re:An issue for Windows users mainly

Do you routinely comment on stories that don't concern you?

Re:An issue for Windows users mainly

[harmonica]

But that doesn't change the situation when you receive such an archive. It's even harder to get to its content because you have to switch to Windows for a while, maybe even reboot (if you have only one computer) and install that program.

If it's not important you can ignore the mail or request an archive in some other format. But there are cases where that's not an option.

What's good in this?

[Rosco+P.+Coltrane]

In a bid to prevent fragmentation of the standard they have agreed to have their software support opening of the other's files. They have however not agreed to support a single standard. PKZip's encryption is RSA-based while Winzip use an AES

In other words, the standard is still fragmented, the new thing here is that both software now support both standard fragments, both double in size, and neither is more interesting for the end user than the other.

Not Open

Win Rar isn't an open standard so if you use it commercially (like small software companies, game companies, artists, etc.) then you pay.

I wonder if 7zip will support both?

[Daath]

7zip is pretty cool - much better compression than ordinary zip. So I wonder if 7zip will support PKZip/WinZip encryption... From the looks of their fileformat page, they support AES encryption...
Oh yeah and 7zip is under the LGPL license :)

Re:I wonder if 7zip will support both?

[tomstdenis]

Meh use tar/bzip2. That gets better compression than 7zip.

Re:I wonder if 7zip will support both?

The problem with 7zip's compression is it's not mature. At least with the deflate algorithm, it's time-tested and rock solid. I wouldn't entrust my important files to 7zip.

Re:I wonder if 7zip will support both?

tar/bzip2 does not let one extract individual files, so it's not suitable for all applications where zip is used.

Re:I wonder if 7zip will support both?

[fredrikj]

Meh use tar/bzip2. That gets better compression than 7zip.

Well, no. 7zip's 7z format is generally FAR superior to bzip2 in terms of compression ratio.

A few examples:
doom2.wad: 14604584 bytes
doom2.wad.bz2: 5868846 bytes
doom2.7z: 4560296 bytes

All MIDI files I've made: 8146186 bytes
music.tar.bz2: 1007529 bytes
music.7z: 630357 bytes

The Python-2.3.2 source code:
unpacked: 33378982 bytes
python.tar.bz2: 7216151 bytes
python.7z: 6034907 bytes

Those might not even be optimal values. 7z lets you customize a number of parameters (dictionary size, etc) at the expense of compression and decompression speed.

Also note that the 7z format is modular and can use any compression method supported by the program, including bz2. More info on Wikipedia.

Re:I wonder if 7zip will support both?

[tuffy]

But until 7zip makes an implementation that runs on some platform other than Windows, I won't be using it for anything. The source code is open, to be sure, but it has so many Windows API calls and hooks that there's simply no way to compile and run it anywhere else without a total rewrite.

Re:I wonder if 7zip will support both?

[eXtro]

Sure you can extract individual files.

habanero-88% tar tfz ../pdf.tgz
./
./pdf.tgz
./Delta_comprehensive_t est_report.pdf
./DT28.pdf
./eurion.pdf
./How.pd f
./hw6.pdf
./morris_chair.pdf
./recitation1a.p df
./SER_AppNote.pdf

To extract a single file:

habanero-104% tar xfvz ../pdf.tgz ./morris_chair.pdf
habanero-105% ls
morris_chair.pdf

Re:I wonder if 7zip will support both?

The grandparent was referring to tar/bzip files. So in your example use the -j option.

Re:I wonder if 7zip will support both?

But the whole archive is decompressed everytime you do that, no?

Re:I wonder if 7zip will support both?

[Krunch]

Does anyone know of a *nix software that can handle 7z format ?

Re:I wonder if 7zip will support both?

It decompresses up until it finds and extracts the desired file. It's the same thing with zip, 7zip, rar, etc... This process is just transparent.

Re:I wonder if 7zip will support both?

Nope, PKZIP at least can pull out individual files without decompressing anything but that file. This was an essential feature back on 1980s hardware.

Re:I wonder if 7zip will support both?

[Crag]

That's impressive, but not enough to be worth the trouble of switching for most people.

14604584
-> 5868846 (60%)
-> 4560296 (69%)
Another 9% of the original space was saved.

8146186
-> 1007529 (88%)
-> 630357 (92%)
Another 5% was saved

33378982
-> 7216151 (78%)
-> 6034907 (82%)
Another 4% was saved

Certainly if space is all that matters, the smaller size is better, but relative to the original size and .bz2 compression, these improvements are not significant. When .bz2 is shrinking files to a third of their original sizes, there's not a whole lot of room left to be interesting.

These figures look more impressive than they are because we are tempted to compare the second and third number, and (in the case of the second example) we see what looks like an additional 37% compression because 63 is 37% less than 100, but 100 - 63 is 5% of 814.

This is why bz2 still has a hard time pushing out gz. It takes more CPU, and it's not THAT much of an improvement.

Re:I wonder if 7zip will support both?

[fredrikj]

If you expect to serve 100 000 file downloads and you can choose between a 6MB and a 7MB version, there will be a bandwidth difference of 100GB. It might be worth it ;)

Re:I wonder if 7zip will support both?

[fredrikj]

The command-line version of 7-zip works in Wine. And since it's open source... feel free to port it.

Re:I wonder if 7zip will support both?

[qbwiz]

But it takes 37% less time to download the second example as a 7z than as bz2. On my modem, that's 78 seconds less, that I would prefer not to wait. I doubt that decompressing the file takes that much longer.

Re:I wonder if 7zip will support both?

[Kris_J]

I recently tripped over a very interesting 7z and RAR compatible archiving package that also does HEAPS of other formats: IZArc. It's free. I'm going to test it up against 7zip some time soon. I found it because I needed to unarc something.

WinRAR

[BoomerSooner]

RarLabs.com

I love it, use it and bought it!

Re:WinRAR

[jrockway]

bzip2 in.bz2.encrypted

That's the best compression/encryption you can get. And for $0, the cost/benifit ratio is infinite!

Re:WinRAR

That's the best compression/encryption you can get.

Actually, I hear lzip is better at the compression and offers encryption inasmuch as you can make it computationally infeasible to reconstruct the original message without knowledge of it.

Re:WinRAR

[wastaz]

Not really, if you take Benefit divided by Cost and Cost = 0 then you get a Divide by Zero error. That doesnt count as infinite.

If you take Cost divided by Benefit, then you get 0 divided by some number, which becomes...0! So thats not infinite either :)

However, I see the point you're trying to make, I just had the urge to troll a bit ;)

Merry Poppins Encryption

They should name the one ecryption scheme:
Zip-a-dee-do-da

and the other encryption scheme:
Zip-a-dee-day

They could even create new encryption algorithms based on finding the primes of "supercalifragelisticexpealidocious" in various base-N counting systems...

Ooohhh.. what fun. Makes me want to dance on the rooftops with a bunch of chimney sweeps, seeing songs about PKWare and WinZip... Next thing I know, I'm going to get hired as a Window cleaner...

Why bother?

[Ckwop]

I have PGP to encrypt the zip files.. This software has recieved a lot attention and we know that it's probably okay!

The new standard these guys may agree will have recieved little public analysis when it is fielded.. Not something to trust at all!

Simon.

Re:Why bother?

[axxackall]

I have PGP to encrypt the zip files

What a bizzar combination! Why bother about zip, if you can use along with tar either gzip or bzip?

Re:Why bother?

[Hatta]

IIRC PGP/GPG zip their input by default. Less redundancy means better encryption. I just checked my gpg and it uses zlib by default. No point on zipping it twice. Though if you're using bzip2 you'll probably save some space.

Re:Why bother?

[coyote-san]

zlib can be run in stream mode, bzip2 can't. Even if you're willing to operate in block mode (and I'm not sure the OpenPGP specification allows this) the block size of a cipher will be far smaller than the block size of the bzip2 engine.

How is Zip related to BZ2 and GZ

[MountainMan101]

I never use zip (I do use unzip) on my computer (Linux). Any compressed archive I want I use TAR and then either Gzip or Bzip. Are these better?

Re:How is Zip related to BZ2 and GZ

[WWWWolf]

As I've understood it, ZIP compresses files one by one. "Tar and feather" compression, on the other hand, is based on merging the files in an archive and then compressing the whole lot. This may result in a slightly better compression ration because multiple files can be examined at single time (for example, if you're compressing text files, like source code, the similarities in two files might be picked up in a single compressed block).

Also, tar and the future formats are "native" *NIX formats, so the file system metadata is more likely stored correctly. Not necessarily so in formats born in non-*NIX worlds. (ZIP file format, I think, now supports owner/permission info, sorta, I think, at least in infozip's *NIX port; not sure if RAR format does.)

Re:How is Zip related to BZ2 and GZ

If portability is a concern, zip is better. Every leading platform, besides early Windows and Mac systems, support zip. Of course, if you're only uncompressing on the Unix platform, then tar with [gb]zip is fine.

Re:How is Zip related to BZ2 and GZ

[zonix]

Any compressed archive I want I use TAR and then either Gzip or Bzip. Are these better?

Depends on how you look at it?

Gzip is GNU's version of zip and was made - as in most cases - as a Free alternative to avoid problems with patents (LZW, I believe in this case). Gzip can only create archives with single files, which is okay, because this is where Tar comes in.

Tar (the Tape Archiver), as you know simply stores multiple files in a single file. You could create the file on a tape drive (hence the name), but these days you'd probably just pipe it into your archive program of choice.

Bzip is a more sophisticated archiver and uses a block-sorting algorithm, like RAR, which generally allows for better compression.

So basically, I'd say Bzip is most certainly better than your average zip programs. As for Gzip, I haven't compared it to PkWare's zip, but I would expect similar compression ratios.

When you need and archiver that works as a filter, both Gzip and Bzip - as opposed to most other archivers - will provide this. Say:

ls /home/some_user -la | gzip | uuencode file_list.gz | mail -s "Here's directory listing of your home dir" some_user@domain.com

You can probably think of a better example. :-)

z

Re:How is Zip related to BZ2 and GZ

[coyote-san]

The flip side is that ZIP archivers may be smart enough to recognize images or previously compressed files and skip the effort of recompressing them. You don't have that option when compressing a tarball.

I also doubt that there's that much opportunistic compression occuring. I have a special-purpose tarball engine that resets the compression engine for each file. (Why? It also maintains a separate index file mapping filename to file offset - searchable compressed tarballs!) The cost of resetting the compression engine has been modest, never more than a 5% increase in file size.

Re:How is Zip related to BZ2 and GZ

FOr you elite command line ppl, maybe not.
For the rest of us who need a GUI, maybe.

RAR

[Jugalator]

I couldn't care less about WinZip. WinRAR came in version 3.30 today, for the same price as WinZip and a lot more features. IMHO, it would be better than WinZip even if it didn't support RAR, simply from its arhiver support and features. :-)

That it happens to use the superior RAR format makes the decision easy for me. We're installing it at our company too, since it isn't even a hard to use archiver for geeks in any way. I know about for example bzip2 and 7-zip, but 7-zip still seems like a rather immature archiver, although it's interesting. The problem is the lack of a good feature set besides the core archiving part. And the official bzip2 package compiled for Windows doesn't come with a GUI so that makes it a bit less useful to me at least, especially when RAR has a comparable compression ratio. Sure, I can use a command line archiver, but I wouldn't like to. :-)

The only downside I can see is that RAR is a closed source format, with only the decompressor being open.

Sometimes, I think it's better to not have two different companies trying to get control over a single format. :-P

Re:RAR

The downside to RAR is that the format isn't stable.

Since I don't keep up with the warez scene, on the very rare occasion that I download a RAR it's invariably incompatible with whatever version of WinRAR I have installed. Then I need to go download and install their new shareware crapola, fight with it's file assocations and explorer plugins and so on.

Nice thing about Zip is that it hasn't really changed since the early 90s.

Re:RAR

And the official bzip2 package compiled for Windows doesn't come with a GUI so that makes it a bit less useful to me at least

If the GUI is such a concern, why is your company rolling out the ass-ugly WinRAR? The superior interface in WinZip would be the better choice.

Re:RAR

[drinkypoo]

The appearance of winzip might be superior (though imo they both look about like a goofy windows app to me) but the functionality of WinRAR's gui is superior, making WinRAR a better choice even if it didn't support just about every archive format under the sun.

Re:RAR

[jandrese]

Are you using a rar program from 1995? I don't think I've ever run across a rar archive I couldn't open with plain vanilla RAR.

Re:RAR

The format last changed in 2002 (winrar 3.0)

Re:RAR

Actually, 2.9

Re:RAR

[Jeff+DeMaagd]

The problem is that it is a very uphill battle. Even far superior products fall by the wayside because of established user base. Saving maybe 10% more space & bandwidth and having a slightly better UI isn't enough for most people.

RAR is used so (relatively) rarely that the download tine and bytes saved by RAR is wasted because I have to find the decomressor, even if I have a local copy.

I'm not sure if it would save much on the server side because the webmaster would have to deal with complaints that the download is incompatible with the standard program they have. I've only seen RAR on websites that try to be the esoteric of esoteric.

Re:RAR

[Chester+K]

That it happens to use the superior RAR format makes the decision easy for me.

See how "superior" the RAR format is when you want to extract a single file from the end of a 5 GB archive file.

ZIP is O(1) -- you can extract that file almost instantly, no matter where in the physical file it resides. RAR is O(n), where n is number of bytes in the archive before the target file -- be prepared for a long wait to get to that file.

Re:RAR

I've never encountered this.

Can you verify that you're dealing with a non-solid RAR archive? Solid RAR archives will obviously display the behavior you describe. RAR archives should not be created as solid archives if you anticipate having to perform the action you describe. Of course, solid archives are just as usable as .TAR.BZ2, with all of the compression benefits over non-solid RAR archives that this implies.

Assuming you actually are dealing with solid archives, the thing you should realize is that ZIP doesn't even offer this as an option. With RAR, you can create a non-solid archive that performs, as far as I can tell, favorably in every way relative to ZIP regarding performance and efficiency.

monolithic

[Moderation+abuser]

Course this is what you run into when you build monolithic applications.

Do one thing...

[Ed+Avis]

I don't really see why it makes sense for zip and unzip programs to care about encryption. If you want to encrypt the whole archive, it's simple to use GPG on the whole thing. If you want encryption on a per-file basis - again, use GPG on individual files before or after archiving. This is true on Windows too, using whatever your preferred GUI encryption program might be.

The only reason to stuff both functions into a single program seems to be the perennial problem of installing anything on Windows systems (you can't assume that an encryption tool is available) and marketing - why should users pay $20 twice for two different pieces of tacky shareware when they could pay Winzip $40 for one?

Re:Do one thing...

[ergo98]

"This is true on Windows too, using whatever your preferred GUI encryption program might be."

Generally you're transferring these files between users rather than using them just for personal archives, so interoperability is the key. You can't willy nilly choose to use whatever encryption program you feel like if you expect your recipient to be able to open it without significant hassle.

"The only reason to stuff both functions into a single program seems to be the perennial problem of installing anything on Windows systems"

Yes, people like convenience, and as mentioned in the prior point you'd generally like one interoperability hurdle rather than two.

"why should users pay $20 twice for two different pieces of tacky shareware when they could pay Winzip $40 for one?"

The source code for AES, and RSA for that matter, has been available for some time, and the replacement of the native ZIP encryption (i.e. crap) I doubt was more than a one day task -- this is a tiny value-add, not some big price doubler. The only problem is that the ZIP format wasn't dynamic and there were too many chefs in the kitchen -- nothing good was happening, so this is a great step forward.

Re:Do one thing...

[Webmonger]

That's three pieces of tacky shareware.

Remember that on Unix-likes, you actually use three tools: tar, gzip and pgp. Zip handles both the file-archiving and file-compression concerns, and now the encryption too.

I can see definite positives in making it easy for GUI users to create secure compressed archives. It would be nice if there could be three best-of-breed tools that had a united GUI. But that would be cooperation, and that's not the Windows way.

Re:Do one thing...

If you want encryption on a per-file basis - again, use GPG on individual files before or after archiving.

Compression after encryption = 0 bytes saved. There's too much random data to compress anything.

However, encrypting after compression is a different story...

Re:Do one thing...

[coyote-san]

It comes down to why you're putting the files into an archive in the first place. If you're just using an archive to transport files from one system to another the classic Unix approach works great.

But a lot of programs now use archive formats to bundle related files in a single place. Think of Unix archives (.a) files that used to just hold object files in software libraries - now we have Java archives (.jar) files that contain class files and properties, web archives (.war) that contain .jar files, images, html and jsp pages, etc. The last two formats (and other variants like .sar and .ear) are basically ZIP files with some specific entries.

It's a bit odd to work with archives directly at first, but after a while you find yourself thinking in terms of everything as archives. E.g., most image formats can also be thought of as specialized archives - it's perfectly reasonable to ask to read/write comments, thumbnails, etc.

I've written code to read and write archives directly, and I can tell you from first-hand experience that it's much easier to work with an archive format that handles compression and encryption on a per-file basis (e.g., ZIP format) than one that does it on a file-wide basis (e.g., encrypted, compressed tarballs). The same idea applies to "resource bundles" on Windows systems or Palm OS apps, although they're handled differently.

If the issue is security...

[WegianWarrior]

...then both share a common flaw: you have to unpack the container to work on the files within, and that leaves the unpackaged files open to interception.

I've been using ScramDisk to store my critical data. For those using a newer OS than I do, there is an updated version called DriveCrypt. Both gves you the choice of what sort of encryption to use and you can use up to four passwords on any given file. It also supports stegnography.

In short, I don't give a rats ass about what sort of encryption PKZIP or WinZip supports - if the file contains things I want protected, I'll zip it as normal and then drop it into a ScramDisk container.

Re:If the issue is security...

[jetmarc]

> flaw: you have to unpack the container to work on the files within, and that
> leaves the unpackaged files open to interception.
>
> I've been using ScramDisk to store my critical data.

Bad news: your files may still be open to interception. When you open them with applications like Photoshop or MS Office or WinZIP, temporary copies are created outside of the container. Usually this is C:\WINDOWS\Temp\ or a temporary folder within your user home directory (for Win2K/XP).

If your computer crashes with the file still "open", the temporary copy is usually not deleted. If you closed them, they may still be recoverable by an UNDELETE utility (they are deleted when no longer needed).

Apart from this (annoying) behaviour of (usually large) applications, your files may also leak through the swapfile. When they are loaded to memory and stay there for long time, the OS might decide to swap them out to the swapfile (usually C:\win386.swap or C:\pagefile.sys). There they are not directly accessible, but tools like WinHEX (which read the harddrive sector-per-sector) can reveal the data.

Note also, that sophisticated attackers (let's say the FBI on their hunt for Osama) may even recover data that has been overwritten! The harddrives magnetic head doesn't follow the track by 100%. If you take apart the harddrive and "view" at the magnetic platters with a special instrument, you can visualize the big fat new data track and remainders of multiple previous versions of this track's data. Data recovery companies have those instruments. If you face attackers of this high degree, it is dangerous to write temporary data to the harddrive even when you MAKE SURE that they are "overwritten" afterwards.

The conclusion is that the only really safe way of handling this, is to NEVER EVER write ANYTHING to the harddrive without prior encryption. When no sector of the harddrive ever receives unprotected data, there is (by definition) absolutely no way to find unprotected data anywhere on it (no matter how sophisticated the recovery instruments).

DCPP is a product that does this, Safeboot is another. I even made one myself (for Win9x/DOS).

Marc

Re:If the issue is security...

[coyote-san]

It took me a while to figure out what you're talking about... and you're wrong. It's not that hard to write your own library (or simply buy one) that allow you to access a file in a ZIP file as easily as with fopen(). It's even part of the standard Java libraries - see the java.util.zip package. There's no need to unpack the archive first.

At a prior job I even pulled this trick on an embedded system without any filesystem at all. (Before you ask, the network layer worked a lot like mmap() - we told it what URL we wanted and some seconds later would get a notify event with a pointer. No real or virtual filesystems anywhere.)

Creeping Featurism

[irw]

As plugins to existing applications are so popular these days, I see this issue as an irrelevance.

Both sides are competing using incompatible creeping featurism. Last I looked, Zip applications where supposed to combine and squash files (and that was enough).

What should be done is to separate the operations:
- file browsing (WinRAR's interface trumps both)
- archiving (combining files)
- compression
- encryption

and implement the latter three as functions of the first using plugins (and let the user choose).

Incidentally, Zip's file format (directory last) sucks. It is practically impossible to do the following using zip:

tar Bcf - . | gzip -1c | rsh -n over_there gzip -dc | tar -C /path -Bxvf -

To this end, plugins suggested above should be written as filters where possible.

I have no problem with browser-like interfaces combining other functions, but the Golden Rule still stands: One Tool, One Job.

Re:Creeping Featurism

[irw]

Oops. For the script kiddies that should be:

tar Bcf - . | gzip -1c | rsh -n over_there 'gzip -dc | tar -C /path -Bxvf -'

And YES, I know there are Good Reasons why zip has the directory last. I just don't see they're universally necessary.

Re:Creeping Featurism

tar Bcf - . | gzip -1c | rsh -n over_there gzip -dc | tar -C /path -Bxvf -

Yea. That is SO much simpler than dragging a directory or group of files into a window. I was using Winzip before but, after seeing your fine example, I'm switching right away. NOT!!!

Oh, by the way. Winzip is finished with my files. Your's however failed due to a typo. Go figure!!! So you will need to correct your cryptic attempt at elitism and try the command again. Or maybe you should just give Ark a shot, it's surprisingly like... Winzip.

Re:Creeping Featurism

[kirkjobsluder]

What should be done is to separate the operations:
- file browsing (WinRAR's interface trumps both)
- archiving (combining files)
- compression
- encryption

I can see two good cases where combining these funcions ala zip is preferred: random access and dealing with already compressed content. Tar+gzip/bzip sucks from a performance standpoint for random access. Also Zip is at least somewhat intelligent about recognizing and skipping over non-compressible content. If you want random access to encrypted content, then you need to encrypt before archiving as well (and then, encrypt the archive directory.)

90% of the time, I do tar+bzip2. But I can see why Zip is preferred for things like java, OpenOffice and Compressed Folders for Windows.

Re:Creeping Featurism

[kirkjobsluder]

I should add, it is only creeping featurism if the combination of features working together don't create new functionality. In this case, the advantage you gain is random access to your archive. What you loose is the ability to work with streams.

Re:Creeping Featurism

1) the main point appears to be that both tar and gzip filter whereas the zip format doesn't (not that this really matters)
2) drag'n'drop only works in a windowing environment. Rsh can be replaced with transport-of-your-choice and set over the internet if necessary
3) the gzip -1c supplies fast compression which saves bandwidth and time
4) alternatively, zip, copy across network, unzip, involves 3 sequential operations. the elitist command does the whole thing at once
5) better still that command could be put in cron - unlike drag'n'drop
6) the poster corrected for missing quotes - didn't you read that?

Trapped by pkware!

A very dumb company I once worked for chose pkware to archive (and sell) many terabytes of text and images. Unfortunately this was done through a binary only pkware library (for SCO but running on Sequent).. This decision was made around '92 (when many superior alternatives available), before my arrival.

In the mid-90's they wanted to migrate off of their crap sequent boxes to something better.. Unfortunately, pkware refused to accomodate them by porting the library version to SGI.

The company was in a bit of a panic as the sequent gear was no longer a viable solution. New customers and scalability problems were rapidly increasing..

I suggested that they simply decompress on the Sequent and re-compress on the SGI with a better algorithm (source). Forget using pkware. The migration could have been automated such that customer requests resulting in a de-compress would re-file the data in the new system. Requests would check the new servers first. Pretty simple. Batch conversions could occur during off-peak times.

Nope. Too easy. That would not have been a sufficient crisis.. People would not have looked busy enough.

The amount of money they were offering pkware finally became sufficient for them to do a version for SGI. So they kept using pkware.

Oh yeah.. They re-hired the guy who originally decided to use pkware (as a consultant).

Re:Trapped by pkware!

Hi. I'm that consultant (well, executive consultant to be specific). Who gives a fuck about 'the better solution'? The only thing that matters is who made more money and what's your title. By the way, report to my office 9AM tomorrow. Bring you things in a box.

Unicode

[Midnight+Thunder]

A little off topic, but it would be nice if the decided to start supporting unicode filenames in Zip files. With unicode becoming more common in OSs ( this inclues MacOS X, Linux and MS-Windows), I find it ridiculouse that this doesn't even seem to be on their scopes. Well at least it seemed that way when I contacted PKware.

7 Zip

[Nurseman]

Isn't the zip compression standard in the public domain now after the death of its creator?.... there must be an open sourced version out there.

I use 7 Zip

Very easy and straight forward for me.

I use Info-Zip...

[mwood]

...you insensitive clod! :-)

Patches are welcome

[tepples]

I suspect that Infozip's tool won't handle ZIPs encrypted with recent versions of PK's or WZ's software....

That's because Info-ZIP is waiting for volunteers to produce a patch to read and write WinZip's fully documented encryption.

gpg or pgp

[axxackall]

The article was about encryption, not about compression. Both Cgzip and Bzip are compressing, not encrypting.

But if you need content protection of your archives in Linux, then consider either pgp or gpg (or both - gpg is just a modern and open re-implementation of the famous in the past pgp). I used both and never had any problem.

more like Smash Bros.

[tepples]

Screw Disney. I'd rather use Super Smash Bros. Melee encryption, where Ness can "PK Zip" or "PK Unzip" a file and possibly "PK Unzip" his opponents' pants during battle.

Symmetric, asymmetric... public!

[axxackall]

With gpg I can encrypt with your key even without asking you to send me your key if it's already in PKI. All I need is your ID in PKI (typically that would be your email) and "ta-da!" - my tar.gz is encrypted and sent by email to you (or published on the web for you). You don't have to know my password or to get any my key - instead you use just your own password to decrypt and (optionally) my ID to verify the signature.

IMHO bot PKzip and WinZip are sticking their technologies somewhere in mid 90s, while we are living here what? mid 00'? password protected archive... What's wrong with those guys? Have they ever heard about PKI?

RAR is better than ZIP and ACE

[Space_Soldier]

I personally don't like zip. WinRAR compresses the files to significantly smaller size than zip. There hasn't been any improvement in WinZIP. The version increments with only new explorer integration, new menus, or other GUI crap, but the most important part which is the compression algorithm has been sucking for years. I find WinRAR to be better than WinACE. RAR has been existence since the early 90's. I might be wrong, it could be late 80's. Right now WinRAR is at version 3.3 beta. RAR with each new significant increment of the version number, the compression has been improved. WinZIP is at 9.0 Beta i believe and it sucks just like the day it came out. The only reason why it is so popular is because users don't know better, heavy marketing, and stupid reviews who praise explorer integration over compression. For those of you who bitch about why the you have to upgrade WinRAR because the format changed are just plain idiots. Download the 981KB app and stop whining. The compression is always improved, unlike zip, that is why a newer version of WinRAR is required. What's wrong with your mentality people? Would you rather waste more time and bandwidth just because you are too lazy to intall a newer version?

Correction ...

[zonix]

ls /home/some_user -la | gzip | uuencode file_list.gz | mail -s "Here's directory listing of your home dir" some_user@domain.com

Of course, that should have been: 'gzip -c'. As in compress to stdout. Sorry. :-)

It's from "Song of the South," not Mary Poppins...

See the subject line...

RAR is a retarded closed format.

[Ayanami+Rei]

I actively dissuade people from using it. Winzip handles tar.bz2 just fine, so I don't feel bad for pushing that alternative.

And remember kids, you get the best results when you bzip2 -9!!!

Re:RAR is a retarded closed format.

[True_Seeker]

> Winzip handles tar.bz2 just fine

Don't suppose you could share how to do that, could you? This is the one feature I have been wanting (and requesting from winzip.com) for a couple of years, but it still isn't there, as of the 9.0 beta. It handles tar.gz files just fine, but doesn't recognize tar.bz2 at all.

Re:RAR is a retarded closed format.

bzip2 -9 fails miserably against RAR and ACE. It is relatively slow and inefficient compared to superior alternatives.

It's still better than GZIP/ZIP for many single-file uses, though. Not completely useless to the non-*nix world, at least.

Re:RAR is a retarded closed format.

[Jugalator]

I actively dissuade people from using it. Winzip handles tar.bz2 just fine, so I don't feel bad for pushing that alternative.

Unfortunately, WinZip misses so many features I find useful and doesn't support RAR, which is, once again, rather common in the Windows community.

And I can't say I've met another that gives a shit about it being closed. I agree that it's a downside though.

I think you're a little confused.

[Ayanami+Rei]

The reason why WinZIP doesn't improve compression ratios with each version is because the format is a fixed standard... you can't compress any better if you implement it according to spec.

Meanwhile, WinRAR can do whatever they damn well please.

The reason why WinZIP is so popular is because it integrates well into the OS, although that market is dwindling since XP has built in support for it, and InfoZIP does just a good a job on the *nix side (as do the GNOME/KDE parts that integrate it into each respective GUI). The formats are compatible... always. A specific RAR file may necessistate downloading a new version of WinRAR in some cases if certain features are enabled when it was created. This is kind of a pain.

Frankly, I'm not fond of having to download binary compression utilities and/or archives. WinRAR will always suck compared to bz2 or (in the future) 7z in that respect.

And as to the bandwidth issue? Man, I feel for you if you're still on dialup.

I'm at the point where whatever I send over the wire is either already compressed enough that an extra layer won't help (music, video, compressed images), or that gzip -1 and/or lzo is actually BETTER for throughput because otherwise the compress/decompress takes too long compared to transit time!

BZ2 for archival purposes. At least I don't have to rely on the graces of WinRAR to get my data back in the future.

Re:I think you're a little confused.

[Space_Soldier]

As I said before, people like you, lazy bastards, don't like to download 900KB of WinRAR, when it can save you a lot. I'm not on dial up. I got a 2MB down/ 128KB up connection. While dowloading speed is average, upload speed still suck. On very large files, with winrar you can save 100-200MB more than zip. Most of the downloads on the warez scene are RAR files. I preffer compression to supporting old versions. Now maybe there is a way for the extraction process to be identical while the compression process changes.

moderator abuse

[voss]

Im getting redundant rankings even though Im the first post on the topic, and Im offtopic even though 5 people have responded on the same thread with topic relevant replies. Thats a load of bullcrap.

Compromise?

[mindriot]

PKWare and Winzip Reach A Secure Zip Compromise

Somehow, the word compromise looks wrong in this place... but maybe it describes the security level appropriately? :)

Winzip used encypted passwords?

[Snipet]

Either I've gone crazy or I rememeber "cracking" early versions of password protected zipfiles by opening them in notepad. Does this sound familiar / likely?

Re:Winzip used encypted passwords?

The encryption being discussed is not the old Zip 2.0 encryption method. You are unlikely to crack either companies new encryption method with notepad.

In 2004...nobody uses zip...

everybody uses RAR. Marginally better than ZIP, supports spanning without special add-ons. Has the ability to add .PAR-like functionality, integrates nicely into the Windows shell.

Oh, and it opens and creates ZIP files too.

Why would anybody use use WinZIP or PKZIP these days?

It's about time...

[Major_Small]

...that two big tech groups decide to work together... pretty much all you hear about is how x is sueing y because y took z's code, which was bought from n, who outsourced it from x...

even though they won't decide on a single standard, at least they'll meet halfway...

Is Pkware still around?

[Darth23]

Seriously.

Don't do this!

[pclminion]

With gpg I can encrypt with your key even without asking you to send me your key if it's already in PKI. All I need is your ID in PKI (typically that would be your email) and "ta-da!"

Sounds like you don't really "get" PKI then. Would you seriously encrypt an important message using a public key that you received attached to an email?

How do you know that email from "Alan Cox" with his public key is actually from Alan Cox? The last time you got a penis enlargement spam from "Bill Clinton" did you actually believe where it came from? How do you know the mail hasn't been tampered with to replace his key with Bill Gates' key? Do you actually consider email a secure medium? What planet are you on?

This is why certificates were invented. And it's why PKI is more difficult to use (at least, to use correctly) than you seem to think it is.

And for God's sake, stop "explaining" an incorrect, insecure way of using PKI to everyone. What you've just described is a security joke.

Re:Don't do this!

[axxackall]

Sounds like you don't really "get" PKI then. Would you seriously encrypt an important message using a public key that you received attached to an email?

Sounds like you don't really "get" PKI then. Sending a public key through non-reliable channels is against PKI.

Well, if your email channel is already protected by signing all content with trusted keys then no problem to trust the key sent through such email.

Alternatively, I prefer to use keys signed by trusted CA servers.

When last time have you get spam signed by keys signed by trusted CA?

So, go back and read agian to learn what is PKI before criticizing others.

Do you actually consider email a secure medium? What planet are you on?

And RTFC (comment) before answering it. In which words did I say that email per se is secure medium?

Re:Don't do this!

[pclminion]

Alternatively, I prefer to use keys signed by trusted CA servers.

That's what I was suggesting, also. I may have misinterpretted your post.

Some people who use PKI systems have a habit of attaching their unsigned public key to their emails, either as a sig or a mail attachment. Obviously these keys can't be trusted because they haven't been signed. I thought you were implying that using keys in such a way is okay, but clearly I've misunderstood what you said. Sorry.

Ten years too early

[Caractacus+Potts]

I'm not ready for Windows XP to handle my Zip files yet. I zip up files because I DON'T WANT THEM HANDLED! Does anyone here have a procedure for thoroughly disabling Windows support of Zip files? I've unregistered zipfldr.dll, but I still see them appear as folders. Somebody help me.

Re:Ten years too early

[Tackhead]

> I'm not ready for Windows XP to handle my Zip files yet. I zip up files because I DON'T WANT THEM HANDLED! Does anyone here have a procedure for thoroughly disabling Windows support of Zip files? I've unregistered zipfldr.dll, but I still see them appear as folders. Somebody help me.

<AOL>Me too</AOL>

Virgin XP install. Got a pile of .zip files in a directory. Click on directory, expect to see only the directory open in the left-hand pane. Instead, see big pile of .ZIP cluttering directory navigation pane.

From another poster:
>>
>> Of course, if you want to verify this yourself, you are going to have to make sure that you test it on a virgin XP box that you haven't raped yet by installing WinZip on it...that'll kill the built-in ZIP "folder" class as WinZip messes with the file associations.

If I read the other poster correctly, all I have to do is install WinZip on XP and the MSFT "feature" goes away?

Can anyone verify? I don't have an XP box nearby to test this on.

Re:Ten years too early

You might also try:

regsvr32 /u zipfldr.dll

Re:Ten years too early

[CWCheese]

If I read the other poster correctly, all I have to do is install WinZip on XP and the MSFT "feature" goes away? Can anyone verify? I don't have an XP box nearby to test this on.

Yes, this does happen. I bought a Compaq laptop with XP Home preloaded and found that built-in zip handler to be annoying. I loaded up WinZip 8.0 from the install file on my other PC and it reassociated .zip files to WinZip.

how was that a troll?

[elf]

Maybe I'm not in the right circles to understand the in-politics, but why was the parent to this reply modded a troll?

I'm probably not up to date on all this stuff, I just use tar and gzip.

Re:how was that a troll?

[axxackall]

Get to use it. Half of moderators here are 12-year old nuts earning their karma by bushing obvious things (such as "Microsoft is bad" and so on) on their first week after creating their /. account.

I propose Slashdot owners to sell moderating karma while keeping meta-moderating karma being earned. That would keep random boys from disturbing serious discussions.

Alternatively, I recommend to change the karma earning rules. Now it's easier to get karma on fresh account then when you are a veteran here. For example my karma always says "positive" but last time I had a moderating points was recently after I've created my account here. I guess veterans do not have any moderating points here.

Zip is basis of Java .jar/.war/.sar/.ear/...

[coyote-san]

ZIP is also the basis for the various Java archive formats. What you call "outdated" others may call time-proven, what you call "bloated" others may call flexible. A lot of the "bloat" is anything but once you realize that the file is designed to work in both streaming and random-access modes. TAR is a pure-streaming format and a real bitch to use in random access mode.

Re:Zip is basis of Java .jar/.war/.sar/.ear/...

[ostrich2]

TAR is a pure-streaming format and a real bitch to use in random access mode.

I just thought I'd mention that tar stands for tape archive, so it makes sense that it's good for streaming data--that's exactly what it was designed for.

Re:Zip is basis of Java .jar/.war/.sar/.ear/...

[coyote-san]

Sure, and I don't think any format that requires random access can be a serious contender for an archive format. For the times you need them streaming protocols are just too powerful.

But TAR missed some obvious and cheap ways to support random access. The POSIX standard is technically extensible so I could add my own fields to support random access, but the standard tools then chitter at you about unrecognized flags and you might not be able to retrieve your data. At the end of the day I decided it was a better engineering decision to stick with standard ZIP & extensions (flaws and all) instead of shoehorning the same functionality into TAR.

Try Visio

[halr9000]

2 standards only cause confusion. Remember the Word 95/97/2000 confusion? "Call him back and tell him we need it saved as Word 95!"

Yup, it's still happening. I sent a Visio 2003 doc to a co-worker the other day and they could not open it using Visio 2002. I had to re-save it.

who cares

[eneville]

zip is shit. everyone move to .tar.bz2. .rar is ok since it has file recovery.

Stuffit

[Master+Of+Ninja]

Just to say, i think stuffit archives are a good alternative. It's for mac and windows, and a lot of mac software is compressed with it. It can do 512-bit security as well as having error correction. Plus it does have better compression (although there is a small performance penalty for it).

Proof?

[pilkul]

So this guy claims that Phil Katz got rich by stealing his work. Well, I don't know anything about the story of PKZIP, but I'm not sure I'd take his word for it. The guy's biased, doesn't give many details in his story, and just from that text doesn't strike me as a particularly nice guy (Katz's early death was "a fitting demise"? He may be bitter but IMHO this is going too far.) Is there any independent proof to back up these claims?

Even taking the guy's story at face value, it doesn't sound like Katz necessarily did anything really objectionable. Here's a plausible Katz-favorable reading of the text. So this guy writes a compressor/decompressor for an open format called ARC, but it's as slow as a brain-damaged slug so it's not a big success. Katz comes along and writes a fast assembly program for the same format (the guy claims it "was basically my ARC program" --- but was code actually ripped here or is it just that Katz's program has the same functionality? He's suspiciously vague on this point.). Katz's program becomes wildly popular. This guy sees his business collapsing under the competition, so he panics and sues Katz. But the only effect is to push him to the similar but incompatible ZIP format --- which screws the guy even more since no one uses ARC anymore! The guy's business goes under because he was outmaneuvered by the competition. Fifteen years later, he is still complaining bitterly and claiming Katz stole his stuff.

I don't know the true story here, but until I see more evidence I wouldn't believe claims that Katz is a thief.

Windows XP and Open Office files

Unfortunately, Windows XP refuses to unzip anything not labeled ".ZIP". Open Office.org stresses that their documents are common zip files. I was trying to open a few OO documents on a Word-only XP computer. I knew they were zip files, and I just needed the raw text, so I attempted to unzip them using the Windows XP unzipper, but it refused to open them, something WinZip will do. Attempts to change the extension or run the XP zip program from the command line were not successful. What I gained in integration I lost in flexibility

Let me rephrase it for you.

[Ayanami+Rei]

WinRAR doesn't work on my various flavors of *nix. So it doesn't get used.
EVER.
End of story.
Especially on my server where I care about upload (I've got 192k up myself, quite dreadful). I think bz2 works quite nicely, thank you. And I can actually write the encoder and decoder for that one. (You should have read the Dr. Dobbs article on the algorithm, it was quite interesting)

I'm not lazy nor a bastard. Elitist, bitchy, maybe. I think you need to rethink your adjectives.

Re:Let me rephrase it for you.

[Space_Soldier]

I don't care about your *nix rubbish, I am proud of using windows and it works for me. You have to understand that most of the world does not use that rubbish which is still stuck in the 70s when it comes to usabillity. Linux will never even go passed Apple's marketshare.

Zip file encryption compromise thrashed out

Zip file encryption compromise thrashed out
By John Leyden
Posted: 21/01/2004 at 16:49 GMT

Compression software companies PKWare and WinZip have agreed to make their rival approaches to encrypting zip files more compatible.

The latest beta of WinZip's software is able to read files wrapped up and encrypted using PKWare's PKZip. Meanwhile PKZip, the free reader application, will be able to open up files compressed and encrypted in WinZip's programme.

The agreement eases fears that the ubiquitous Zip standard could become fragmented by incompatible methods of encryption. Both companies have agreed to support the other's password-based decryption.

This is positive for interoperability but shouldn't be confused as an agreement on a single standard for secure zip.

PKWare's PKZip uses an RSA-based encryption algorithm but was allegedly slow in revealing the specs of its technology to WinZip. Because of this alleged delay WinZip implemented a cryptographic approach based on AES, the next generation US government backed encryption standard.

These rival approaches meant that, prior to this week's agreement, compressed files encrypted with one application couldn't be opened by the other - irrespective of whether or not you knew the correct password. Compatibility has never been a problem for unencrypted files.

CBR reports that co-operation on interoperability between secure zip files between the two firms was kick-started by PKWare's new licensing program. This program, announced last October, offers free Secure ZIP licenses to competitors.

Both firms continue to describe the others approach as proprietary, so an agreement for a single standard on secure Zip still looks some way away. (R)

70s? Hah.

[Ayanami+Rei]

Is there anything in particular that you're doing right now that I can't do? I mean, name it. Be honest.

And the Apples are far-and-away ahead in the "usability" game. Guess which archiver they don't have support for... hmmm. Guess which ones are bundled with the OS and integrate right in. I'll leave that to your imagination. It's a good excercise.