PKWare and Winzip Reach A Secure Zip Compromise

richard_za writes "Until now the rival compression software vendors PKWare and Winzip have had different (incompatible) ways of password protecting the ZIP format. In a bid to prevent fragmentation of the standard they have agreed to have their software support opening of the other's files. They have however not agreed to support a single standard. PKZip's encryption is RSA-based while Winzip use an AES approach which is fully documented here. The Register is running this story. PKWare has this press release."

How many people really use encrypted Zip files

[voss]

I find zip files to be a pain in the butt anyway even without encryption.

Re:How many people really use encrypted Zip files

[Zenjive]

My company's email server anti-virus software will block out .exe's and most script files among other file formats even when zipped. The way to get around it if you really needs to send that type of file is to use an encrypted or password protected zip file. So, I use the encryption regularly!

Re:How many people really use encrypted Zip files

[secolactico]

But does it actually look into the files or simply based on the file extension? Whenever I have to send an .exe, I simply rename it to ".foo" or ".ex_" and instruct the recipient as to what to rename it to.

Re:How many people really use encrypted Zip files

[Politburo]

The system that the State of New Jersey uses for environmental air permits uses encrypted zip files to submit data to and from the state. I'm unsure of which method they use to encrypt the files. All of the work is done by the client program.

Re:How many people really use encrypted Zip files

[coyote-san]

In either case manual intervention is required and there is no chance of a viral payload being automatically run. Remember the real issue isn't denying you the ability to send/receive executables, it's keeping the brain-dead POS from automatically running any executable it sees regardless of origin.

Re:How many people really use encrypted Zip files

[Zenjive]

I don't think it can scan if the zip is passworded. We have been able to get around it without passwording by renaming extensions, but I think with ascii files, like scripts, etc. it does actually look at them. It doesn't care about script code in a .txt file. I think the main thing it is concerned with are files that can be run by double-clicking. A renamed exe, on a Windows box at least, can't be run.

no difference as far as the user is concerned

[MrRTFM]

if either program opens the others files the user wont (and shouldn't have to) give a shit which method is used.

"As long as it works"

Re:no difference as far as the user is concerned

[vasqzr]

What about those people who use a version that isn't the latest and greatest?

2 standards only cause confusion. Remember the Word 95/97/2000 confusion?

"Call him back and tell him we need it saved as Word 95!"

Re:no difference as far as the user is concerned

[drinkypoo]

I don't know abot PKWare's windows zip program (the last time I used it, which was only once, their gui was atrocious) but at least in the case of WinZip, upgrades are free, and the serial numbers haven't changed in aeons, so there is no excuse for not upgrading. It's not like winzip is a huge program.

Re:no difference as far as the user is concerned

[DrXym]

Well yes and no. PkZip seems to have licenced RSA BSAFE for their mechanism which make it less likely you'll see versions of InfoZip that support it (at least fully) because it is more complex and possibly proprietary. So there goes portability. And let's hope it doesn't favour some appallingly slow public key based encryption.

Whereas WinZip have chosen an off-the-shelf algorithm, a GPL implementation of that algorithm and published the full specs to how they've extended the zip format.

So a user who knows not about such matters might conclude that PKZip performs like a slug, costs more thanks to licencing or is non-standard while WinZip is none of those things.

Ten years too late

[heironymouscoward]

Zip file management has virtually been absorbed into both Windows and Linux, and even if these two vendors agreed on a standard it would not mean much. PKzip became irrelevant when Infozip's portable zip tool became widely available, around 15 years ago. Further, all archiving tools today already deal with such a variety of formats that I can't see the crying need for a standard.

Re:Ten years too late

[selfabuse]

15 years ago? I don't know about anyone else, but I was using pkzip/unzip well into 1996 or so.

Re:Ten years too late

[f00Dave]

The issue here isn't with that sort of low level interoperability, but with the schism in the encryption standard used. I haven't checked (in true Slashdot style), but I suspect that Infozip's tool won't handle ZIPs encrypted with recent versions of PK's or WZ's software....

Re:Ten years too late

[stuffedmonkey]

Apple has absorbed zip too recently - as of OS X 10.3 zip compression is built into the OS. They look to be moving away from Aladdin's propriatary .sit format...

Re:Ten years too late

[lonb]

Not that I make a standard of ripping people apart, but I'm going to rip your comments apart, they need it:

"Zip file management has virtually been absorbed into both Windows..."
What the crud are you talking about? The first utility that is installed on every Windows box I touch is WinZip; there is no zip file access under windows without it. Not only that, but I asked a few colleagues just now and we all had a quick chuckle about the idea that Windows knows how to make heads or tails of a zip file.

"PKzip became irrelevant...around 15 years ago"
In 1989, PKzip hadn't even become a huge hit yet. It was only in 1990 when BBSes were rampant that the PKzip utility become a smash hit. And I remember in '92, that EVERY file traded (short of video and pics) was zipped. I would guess that it was not until around then (or maybe later, I forget), that WinZip started to gain broad use. I would guess that it was around 93-94 that WinZip really drop-kicked PKzip.

"...all archiving tools today already deal with such a variety of formats that I can't see the crying need for a standard."
That is exactly why there needs to be a standard! There is no reason for archiving tools to support 15 different file formats. A unified standard, perhaps with a few variations (for distinct file types) would make life a lot easier for everyone. Don't worry there will always be outliers like RAR.

Re:Ten years too late

[pr0c]

lonb: "Zip file management has virtually been absorbed into both Windows..." What the crud are you talking about? The first utility that is installed on every Windows box I touch is WinZip; there is no zip file access under windows without it. Not only that, but I asked a few colleagues just now and we all had a quick chuckle about the idea that Windows knows how to make heads or tails of a zip file.

How long has windowsXP been and you still don't know some of the new features it gave windows users? Zip support has been in winXP since day one. It amazes me that not only did you not know this but you also asked colleagues and they didn't either and on top of that you all laughed about your ignorance. How amusing.

Re:Ten years too late

[lonb]

Oh, that's right -- which was the button to create a zip file again?
"Reading is half the battle." - G.I. Joe

Re:Ten years too late

[shadowmas]

windows xp and windows 2003 server both have a "send to Compressed (Zipped) folder" which creates a zip file. xp also displays zip files as folders. though this goes away once u install winzip associate zip files with it.

Re:Ten years too late

[operagost]

Good - because I would really like to stuff "Stuff-it". I hate that software. It wouldn't be anywhere near my Windows boxes except that I've had to move data from them to non-networked Macs.

Re:Ten years too late

[BradleyUffner]

right click menu > new > Compressed (zipped) folder

Re:Ten years too late

[nathana]

Yes; as other posters have pointed out, you can not only open ZIP files in Windows XP natively and use them as if they were normal folders *without installing a third-party piece of software*, but you can add and remove files from these ZIP archives quite easily (drag-'n-drop) and even create new ZIP archives quite easily, too: either right-click file -> Send To -> Compressed Folder, or right-click empty space -> New -> Compressed Folder, and start dragging things into it.

Of course, if you want to verify this yourself, you are going to have to make sure that you test it on a virgin XP box that you haven't raped yet by installing WinZip on it...that'll kill the built-in ZIP "folder" class as WinZip messes with the file associations.

Oh, and by the way, the Windows ZIP folder class has been around since Windows 98, when it came with the Windows 98 Plus! pack. The first version of Windows to include it as part of the operating system was Windows ME. And if you look hard enough, you can actually find a copy of it on Microsoft's web site (disguised as an update/bug fix for the ZIP folder; it won't install if you don't have it already, but you can extract the files from the self-extracting CAB and install it manually). It runs on virtually every Win32-based Microsoft OS. Heck, I have managed to install and use the Microsoft ZIP folder on Windows NT 4.0 (regsvr32 zipfldr.dll), and it ran perfectly fine.

Infinitely superior to WinZip in every way (except for the fact that it doesn't do disk spanning). It even has an encryption feature.

Re:Ten years too late

[ncc74656]

15 years ago? I don't know about anyone else, but I was using pkzip/unzip well into 1996 or so.

The copyright notice at the top of unzip.c says 1990...not quite 15 years, but close enough. I think I first used it with some pre-1.0 version of Linux back in '93 or '94 (or maybe with DR DOS 6 before that).

Re:Ten years too late

[moreati]

Back in the days (when Windows 98 was the best of the bunch) I used a great tool called ZipMagic. It turned zip files into folders, just as you describe, I could even share the zip file/folder using SMB and other people could connect directly to \\mycomp\stuff.zip\.

I always wondered how the magic was done, thanks for a very informative post.

Alex

PS Might you have a link to that 'update'?

Who's running PKWare

Since the PKZip guy killed himself?

Re:Who's running PKWare

[vasqzr]

Here's a brief history of Phil Katz

Re:Who's running PKWare

[FattMattP]

Here's the rest of the story.

The issue is encryption standards

[aheath]

The real issue here is that PKWARE and PKZIP chose to use RSA encryption to secure ZIP files. A digital certificate or a password can be used to encrypt the file. WinZip is use AES encryption to encrypt ZIP files. PKWARE products will now be able to read WinZIP encrypted ZIP files. WinZip products will now be able to read PKWARE encrypted ZIP files.

There is still a problem with interoperability at the level of creating encrypted ZIP files. There is no longer a problem with interoperability at the level of reading encrypted ZIP files. The best way for this problem to go away would be for PKWARE to expand the SecureZIP standard to include RSA and AES encryption.

Re:The issue is encryption standards

[tttonyyy]

Both formats still allow you to view the filenames contained within the protected archives, and the only way around that is to zip the protected zip file again to hide this information. This is inelegant - they'd be better off agreeing an improved third standard.

Re:The issue is encryption standards

[delus10n0]

Or just use an archiving format that can encrypt filenames as well, and give you much better compression.

Re:The issue is encryption standards

[geirt]

A reason for not encrypting the file name in a zip file is that this would in some cases enable a known plaintext attack.

Still no unified standard

[Ilex]

I thought I'd highlight the point that they still haven't unified their encryption. They've just agreed to support each others "proprietary" encryption. So we effectively have 2 different encrypted zip formats.

However with most people using Winzip I don't think the PKWare version is going to be very common, at least on the windows platform anyway.

Try PowerArchiver

[dzorz]

PowerArchiver is shareware and supports lots of encryption standards (and file formats). Extracted from http://www.powerarchiver.com/features/ >Encryption of files and archives using 5 different methods: Blowfish (128-bit), DES (64-bit), Triple DES (128-bit), AES 128-bit, and AES 256-bit

Re:Easy to crack?

[Troed]

Old zip-encryption used three internal 32-bit keys - which by today's standard is quite easy to break. You need 11 bytes (or was it 14?) of known cleartext though when searching.

The breaking of zip-encryption was considered to be quite a feat when it happened in the middle of the 90's, if memory serves me correctly.

Zip is ooold!

Call me a Troll, but I think the ZIP standard is outdated and bloated.
As for me I'm happy with the RAR compression.
It's smaller and well protected when it comes to encryption (AES).

Re:Zip is ooold!

[macmaxbh]

The thing is about Zip is that both Windows XP (not sure about older versions) and Mac OS X 10.3 have zip compression built into the system--XP will open it up on the fly, and Mac OS X can compress/expand using tools built into the system.. so it's not going away anytime soon..

Re:Zip is ooold!

[macmaxbh]

No, but Panther has a "Create archive of selected files" option when you control/right click on a file or a group of files, and it zips them up--and it has a app (X, not UNIX) in the core system that'll decode them.

Symmetric vs. asymmetric

[kasperd]

I doubt that PKZip is based only on RSA. RSA is an asymmetric encryption. For some purposes this is nice, but it is inefficient. For that reason you almost always use asymmetric encryption together with a symmetric encryption. You generate a one time symmetric encryption key. The data is encrypted with the symmetric key, typically in CBC or CFB mode. Then only the symmetric encryption key is encrypted asymmetrically, which means much better speed.

Actually I think this is one of the cases, where there is no need for asymmetric encryption at all. So AES sounds like a better idea. Can anybody explain why PKZip use RSA? And which symmetric cipher is it combined with?

Re:Symmetric vs. asymmetric

[hey!]

Actually I think this is one of the cases, where there is no need for asymmetric encryption at all.

That's only true if you are interested in creating an archive for your own future use. However, if you are interested in exchanging archives with other people, then you have the headache of key exchange, and assymetric encryption is quite useful. Probably most people who need to do this would prefer a solution that handles e-mail and other kinds of documents as well. However if you already have the public key infrastructure in place, it is probably going to be nice to use it for your zip archives too, in a belt-and-suspenders kind of way. I haven't looked at the PKZIP product, but the assymetric encryption should allow for digial signatures on archives as well, which would provide authentication and non-repudiaiton.

I'd say that the PKZip way would be more attractive to companies that need enteprise wide security and may have built it around RSA, and the WinZip way would be adequate for users who simply want to avoid having people poke around in their files.

Re:Symmetric vs. asymmetric

[jaavaaguru]

According to this apge, RAR uses AES-128 encryption (see the last paragraph).

Re:Symmetric vs. asymmetric

I always use asymmetric crypto in my backups.

This way I do not have to remember or type (i.e. expose) my COMPLEX password each type I make a backup (quite often). Only when I use it (rarely).

I time factor is irrelevente, in MOST machines, since only a password is incrypted, using GnuPG.

Re:Symmetric vs. asymmetric

[anethema]

I was actually also suprised to hear they use RSA. How does this even work ? Do you have to get peoples public key before sending them a zip file? While digital signatures are nice, it doesnt make up for the huge inconvenience of having to tailor each zip file for the person you are sending it to.

The parent is right talking about a combo of asymmetric and symmetric combinations in common use. With SIMP (transparent MSN encryption) the public keys are sent automatically, and you are supped to verify the hashes over a secure channel (in person, etc). Once verified it sends the symmetric key over the secure channel for the AES-128 and uses that for the rest of the conversation.

For zip files it seems that JUST aes would be the best idea, since all you want is a password.

DISCLAIMER: I am an encryption noob, so if RSA can be done another way, or this isnt how it works at all, let me know.

Re:Symmetric vs. asymmetric

[kirkjobsluder]

Sometimes, you need to send sensitive files among a small workgroup. For example, in the project I work for we have to share files that include confidential information. Asymetric encryption is designed for this kind of thing.

Re:Symmetric vs. asymmetric

[kasperd]

I always use asymmetric crypto in my backups.

Good point. But then you must need to store your key somewhere. Actually each archive you create should contain the secret key encrypted under your password, because you don't want to eventually lose your secret key and then be unable to decrypt your backup copies. So on your harddisk you must keep the encrypted secret key along with the public key. Could you explain in a litle more detail how you do this? And is that the same as PKZip does?

Re:Symmetric vs. asymmetric

[coyote-san]

Just how many people do you expect to have access to the encrypted files?

In any case, you can specify multiple recipients. The encrypted session key is provided for each recipient's public key.

Re:Symmetric vs. asymmetric

[anethema]

I understand what asymmetric encryption is for, I just dindt know if there was another way to use it since this sounds fairly useless for a zipped file. Very involved just to password protect your zip file.

Re:Symmetric vs. asymmetric

[anethema]

I dont know, maybe I want to hose a file on a public server and only tell certain people the password, in person say. Might not want to have to collect all their public keys. Seems much smarter to just use a symmetric encryption and just password protect the file. Like RAR, which uses AES-128 IIRC. Having to get a public key for everyone who you might want to send this to seems cumbersome.

so-bad-it's-good joke of the day

both sides have their lips zipped over their trade secrets ;)

An issue for Windows users mainly

[Space+cowboy]

.. so it concerns me not a lot. Now if there was a competing 'tar' standard, I'd take more notice :-) Since they've agreed to play nice, this is surely just a "it's ok folks, use whichever you want" moment ? Great. Next.

Simon

Re:An issue for Windows users mainly

[JohnFluxx]

um a better equivalent would be gzip. And there is a competing standard to that - bzip :)

(but they both have their uses. bzip is 'better', but doesn't work on streams like gzip can. It uses blocks.)

Re:An issue for Windows users mainly

[caluml]

tar cvO /home/yourfiles | gpg -c > /home/yourfiles.gpg

Or of course you cuold encrypt to your public key, if you have one setup.

Re:An issue for Windows users mainly

[Space+cowboy]

I thought of that before I posted, but came to the conclusion that I don't really care much about compression any more - the convenience is using a bundle of files rather than that it's 25% of the size of the original...

Sure, there are times when I will compress something for transfer over the net with time-saving in mind, but this is rare compared to "I have 2500 class files and source files and it needs to be on that machine"...

Simon

Re:An issue for Windows users mainly

[harmonica]

Every time someone sends you a zip archive that you need and that doesn't work because you don't have that particular Windows zip program X it will concern and annoy you.

Re:An issue for Windows users mainly

[Space+cowboy]

Whereas you'll probably be moderated up because my original post seems dismissive, it really doesn't affect me, or to be more accurate, it hasn't ever affected me.

I use Linux almost exclusively. Even when using windows, I tend to just have VNC onto a linux box. Interoperation with Windows isn't a priority for me, that's all I'm saying...

Simon

Re:An issue for Windows users mainly

[adamjaskie]

Yeah, if it wasn't for the ability to have tar run the archive through b/gzip for me with the -g or -j flag, I would probably just use plain tar files. However, it is convenient enough to just stick the j in, so I bzip all my archives.

That said, when I used to use Windows, if I needed an encrypted ZIP file, I zipped it up with 7-zip, and ran the resulting zip archive through PGP to encrypt it. Archiving and encryption are separate. However, a flag for tar to run the final archive (after bzipping) through GPG would be nice. Otherwise, I would have to be un-lazy and type out a longer command, or be really un-lazy and make a wrapper script. And I am too lazy for that.

Re:An issue for Windows users mainly

[Quill_28]

Not to flame, but do you post on every article that concerns you not a lot?

Re:An issue for Windows users mainly

[harmonica]

But that doesn't change the situation when you receive such an archive. It's even harder to get to its content because you have to switch to Windows for a while, maybe even reboot (if you have only one computer) and install that program.

If it's not important you can ignore the mail or request an archive in some other format. But there are cases where that's not an option.

What's good in this?

[Rosco+P.+Coltrane]

In a bid to prevent fragmentation of the standard they have agreed to have their software support opening of the other's files. They have however not agreed to support a single standard. PKZip's encryption is RSA-based while Winzip use an AES

In other words, the standard is still fragmented, the new thing here is that both software now support both standard fragments, both double in size, and neither is more interesting for the end user than the other.

Not Open

Win Rar isn't an open standard so if you use it commercially (like small software companies, game companies, artists, etc.) then you pay.

Re:Zip open public domain standard?

[Rosco+P.+Coltrane]

I do not see why people even bother using (and paying for) either

When was the last time you payed for Winzip? They have this great feature call "evaluation period", with an endlessly renewable period.

I wonder if 7zip will support both?

[Daath]

7zip is pretty cool - much better compression than ordinary zip. So I wonder if 7zip will support PKZip/WinZip encryption... From the looks of their fileformat page, they support AES encryption...
Oh yeah and 7zip is under the LGPL license :)

Re:I wonder if 7zip will support both?

[tomstdenis]

Meh use tar/bzip2. That gets better compression than 7zip.

Re:I wonder if 7zip will support both?

[fredrikj]

Meh use tar/bzip2. That gets better compression than 7zip.

Well, no. 7zip's 7z format is generally FAR superior to bzip2 in terms of compression ratio.

A few examples:
doom2.wad: 14604584 bytes
doom2.wad.bz2: 5868846 bytes
doom2.7z: 4560296 bytes

All MIDI files I've made: 8146186 bytes
music.tar.bz2: 1007529 bytes
music.7z: 630357 bytes

The Python-2.3.2 source code:
unpacked: 33378982 bytes
python.tar.bz2: 7216151 bytes
python.7z: 6034907 bytes

Those might not even be optimal values. 7z lets you customize a number of parameters (dictionary size, etc) at the expense of compression and decompression speed.

Also note that the 7z format is modular and can use any compression method supported by the program, including bz2. More info on Wikipedia.

Re:I wonder if 7zip will support both?

[tuffy]

But until 7zip makes an implementation that runs on some platform other than Windows, I won't be using it for anything. The source code is open, to be sure, but it has so many Windows API calls and hooks that there's simply no way to compile and run it anywhere else without a total rewrite.

Re:I wonder if 7zip will support both?

[eXtro]

Sure you can extract individual files.

habanero-88% tar tfz ../pdf.tgz
./
./pdf.tgz
./Delta_comprehensive_t est_report.pdf
./DT28.pdf
./eurion.pdf
./How.pd f
./hw6.pdf
./morris_chair.pdf
./recitation1a.p df
./SER_AppNote.pdf

To extract a single file:

habanero-104% tar xfvz ../pdf.tgz ./morris_chair.pdf
habanero-105% ls
morris_chair.pdf

Re:I wonder if 7zip will support both?

[Krunch]

Does anyone know of a *nix software that can handle 7z format ?

Re:I wonder if 7zip will support both?

[Crag]

That's impressive, but not enough to be worth the trouble of switching for most people.

14604584
-> 5868846 (60%)
-> 4560296 (69%)
Another 9% of the original space was saved.

8146186
-> 1007529 (88%)
-> 630357 (92%)
Another 5% was saved

33378982
-> 7216151 (78%)
-> 6034907 (82%)
Another 4% was saved

Certainly if space is all that matters, the smaller size is better, but relative to the original size and .bz2 compression, these improvements are not significant. When .bz2 is shrinking files to a third of their original sizes, there's not a whole lot of room left to be interesting.

These figures look more impressive than they are because we are tempted to compare the second and third number, and (in the case of the second example) we see what looks like an additional 37% compression because 63 is 37% less than 100, but 100 - 63 is 5% of 814.

This is why bz2 still has a hard time pushing out gz. It takes more CPU, and it's not THAT much of an improvement.

Re:I wonder if 7zip will support both?

[fredrikj]

If you expect to serve 100 000 file downloads and you can choose between a 6MB and a 7MB version, there will be a bandwidth difference of 100GB. It might be worth it ;)

Re:I wonder if 7zip will support both?

[fredrikj]

The command-line version of 7-zip works in Wine. And since it's open source... feel free to port it.

Re:I wonder if 7zip will support both?

[qbwiz]

But it takes 37% less time to download the second example as a 7z than as bz2. On my modem, that's 78 seconds less, that I would prefer not to wait. I doubt that decompressing the file takes that much longer.

Re:I wonder if 7zip will support both?

[Kris_J]

I recently tripped over a very interesting 7z and RAR compatible archiving package that also does HEAPS of other formats: IZArc. It's free. I'm going to test it up against 7zip some time soon. I found it because I needed to unarc something.

WinRAR

[BoomerSooner]

RarLabs.com

I love it, use it and bought it!

Re:WinRAR

[jrockway]

bzip2 in.bz2.encrypted

That's the best compression/encryption you can get. And for $0, the cost/benifit ratio is infinite!

Re:WinRAR

[wastaz]

Not really, if you take Benefit divided by Cost and Cost = 0 then you get a Divide by Zero error. That doesnt count as infinite.

If you take Cost divided by Benefit, then you get 0 divided by some number, which becomes...0! So thats not infinite either :)

However, I see the point you're trying to make, I just had the urge to troll a bit ;)

Merry Poppins Encryption

They should name the one ecryption scheme:
Zip-a-dee-do-da

and the other encryption scheme:
Zip-a-dee-day

They could even create new encryption algorithms based on finding the primes of "supercalifragelisticexpealidocious" in various base-N counting systems...

Ooohhh.. what fun. Makes me want to dance on the rooftops with a bunch of chimney sweeps, seeing songs about PKWare and WinZip... Next thing I know, I'm going to get hired as a Window cleaner...

Re:Easy to crack?

[mwilliamson]

I don't care even if zip is using 2046 bit RSA keys...it's fairly easy to crack when all you have is a few dozen bits of entropy derived from a lame password. Remember, why bother brute forcing the key when is's easier to brute force the password used to generate the key. I'd bet most people using zip for encrypting their files choose dictionary passwords. Easy to crack? What do you think?

BTW, the same doesn't quite hold true for PGP/GPG users because they use a key that includes much more entropy than which is derived from the password. Also, the password itself is useless in generating the key. If they choose lame passwords (or none at all), you'd still have to steal their key.

Why bother?

[Ckwop]

I have PGP to encrypt the zip files.. This software has recieved a lot attention and we know that it's probably okay!

The new standard these guys may agree will have recieved little public analysis when it is fielded.. Not something to trust at all!

Simon.

Re:Why bother?

[axxackall]

I have PGP to encrypt the zip files

What a bizzar combination! Why bother about zip, if you can use along with tar either gzip or bzip?

Re:Why bother?

[Hatta]

IIRC PGP/GPG zip their input by default. Less redundancy means better encryption. I just checked my gpg and it uses zlib by default. No point on zipping it twice. Though if you're using bzip2 you'll probably save some space.

Re:Why bother?

[coyote-san]

zlib can be run in stream mode, bzip2 can't. Even if you're willing to operate in block mode (and I'm not sure the OpenPGP specification allows this) the block size of a cipher will be far smaller than the block size of the bzip2 engine.

How is Zip related to BZ2 and GZ

[MountainMan101]

I never use zip (I do use unzip) on my computer (Linux). Any compressed archive I want I use TAR and then either Gzip or Bzip. Are these better?

Re:How is Zip related to BZ2 and GZ

[WWWWolf]

As I've understood it, ZIP compresses files one by one. "Tar and feather" compression, on the other hand, is based on merging the files in an archive and then compressing the whole lot. This may result in a slightly better compression ration because multiple files can be examined at single time (for example, if you're compressing text files, like source code, the similarities in two files might be picked up in a single compressed block).

Also, tar and the future formats are "native" *NIX formats, so the file system metadata is more likely stored correctly. Not necessarily so in formats born in non-*NIX worlds. (ZIP file format, I think, now supports owner/permission info, sorta, I think, at least in infozip's *NIX port; not sure if RAR format does.)

Re:How is Zip related to BZ2 and GZ

[zonix]

Any compressed archive I want I use TAR and then either Gzip or Bzip. Are these better?

Depends on how you look at it?

Gzip is GNU's version of zip and was made - as in most cases - as a Free alternative to avoid problems with patents (LZW, I believe in this case). Gzip can only create archives with single files, which is okay, because this is where Tar comes in.

Tar (the Tape Archiver), as you know simply stores multiple files in a single file. You could create the file on a tape drive (hence the name), but these days you'd probably just pipe it into your archive program of choice.

Bzip is a more sophisticated archiver and uses a block-sorting algorithm, like RAR, which generally allows for better compression.

So basically, I'd say Bzip is most certainly better than your average zip programs. As for Gzip, I haven't compared it to PkWare's zip, but I would expect similar compression ratios.

When you need and archiver that works as a filter, both Gzip and Bzip - as opposed to most other archivers - will provide this. Say:

ls /home/some_user -la | gzip | uuencode file_list.gz | mail -s "Here's directory listing of your home dir" some_user@domain.com

You can probably think of a better example. :-)

z

Re:How is Zip related to BZ2 and GZ

[coyote-san]

The flip side is that ZIP archivers may be smart enough to recognize images or previously compressed files and skip the effort of recompressing them. You don't have that option when compressing a tarball.

I also doubt that there's that much opportunistic compression occuring. I have a special-purpose tarball engine that resets the compression engine for each file. (Why? It also maintains a separate index file mapping filename to file offset - searchable compressed tarballs!) The cost of resetting the compression engine has been modest, never more than a 5% increase in file size.

RAR

[Jugalator]

I couldn't care less about WinZip. WinRAR came in version 3.30 today, for the same price as WinZip and a lot more features. IMHO, it would be better than WinZip even if it didn't support RAR, simply from its arhiver support and features. :-)

That it happens to use the superior RAR format makes the decision easy for me. We're installing it at our company too, since it isn't even a hard to use archiver for geeks in any way. I know about for example bzip2 and 7-zip, but 7-zip still seems like a rather immature archiver, although it's interesting. The problem is the lack of a good feature set besides the core archiving part. And the official bzip2 package compiled for Windows doesn't come with a GUI so that makes it a bit less useful to me at least, especially when RAR has a comparable compression ratio. Sure, I can use a command line archiver, but I wouldn't like to. :-)

The only downside I can see is that RAR is a closed source format, with only the decompressor being open.

Sometimes, I think it's better to not have two different companies trying to get control over a single format. :-P

Re:RAR

The downside to RAR is that the format isn't stable.

Since I don't keep up with the warez scene, on the very rare occasion that I download a RAR it's invariably incompatible with whatever version of WinRAR I have installed. Then I need to go download and install their new shareware crapola, fight with it's file assocations and explorer plugins and so on.

Nice thing about Zip is that it hasn't really changed since the early 90s.

Re:RAR

[drinkypoo]

The appearance of winzip might be superior (though imo they both look about like a goofy windows app to me) but the functionality of WinRAR's gui is superior, making WinRAR a better choice even if it didn't support just about every archive format under the sun.

Re:RAR

[jandrese]

Are you using a rar program from 1995? I don't think I've ever run across a rar archive I couldn't open with plain vanilla RAR.

Re:RAR

[Jeff+DeMaagd]

The problem is that it is a very uphill battle. Even far superior products fall by the wayside because of established user base. Saving maybe 10% more space & bandwidth and having a slightly better UI isn't enough for most people.

RAR is used so (relatively) rarely that the download tine and bytes saved by RAR is wasted because I have to find the decomressor, even if I have a local copy.

I'm not sure if it would save much on the server side because the webmaster would have to deal with complaints that the download is incompatible with the standard program they have. I've only seen RAR on websites that try to be the esoteric of esoteric.

Re:RAR

[Chester+K]

That it happens to use the superior RAR format makes the decision easy for me.

See how "superior" the RAR format is when you want to extract a single file from the end of a 5 GB archive file.

ZIP is O(1) -- you can extract that file almost instantly, no matter where in the physical file it resides. RAR is O(n), where n is number of bytes in the archive before the target file -- be prepared for a long wait to get to that file.

Re:Easy to crack?

[Troed]

My passwords are usually >16 characters long, some are more than 30 (depends on the strength of the algorithm they're used in). While I agree that a lot of people use easy to guess passwords, the old zip encryption was most easily broken through the internal key - NOT by brute forcing the password. Do the math if you don't believe me ;)

A-Z,a-z,0-9 and a few special chars makes a 24 char password contain 128 bits of entropy. That's secure enough for everyone using symmetric ciphers.

monolithic

[Moderation+abuser]

Course this is what you run into when you build monolithic applications.

Do one thing...

[Ed+Avis]

I don't really see why it makes sense for zip and unzip programs to care about encryption. If you want to encrypt the whole archive, it's simple to use GPG on the whole thing. If you want encryption on a per-file basis - again, use GPG on individual files before or after archiving. This is true on Windows too, using whatever your preferred GUI encryption program might be.

The only reason to stuff both functions into a single program seems to be the perennial problem of installing anything on Windows systems (you can't assume that an encryption tool is available) and marketing - why should users pay $20 twice for two different pieces of tacky shareware when they could pay Winzip $40 for one?

Re:Do one thing...

[ergo98]

"This is true on Windows too, using whatever your preferred GUI encryption program might be."

Generally you're transferring these files between users rather than using them just for personal archives, so interoperability is the key. You can't willy nilly choose to use whatever encryption program you feel like if you expect your recipient to be able to open it without significant hassle.

"The only reason to stuff both functions into a single program seems to be the perennial problem of installing anything on Windows systems"

Yes, people like convenience, and as mentioned in the prior point you'd generally like one interoperability hurdle rather than two.

"why should users pay $20 twice for two different pieces of tacky shareware when they could pay Winzip $40 for one?"

The source code for AES, and RSA for that matter, has been available for some time, and the replacement of the native ZIP encryption (i.e. crap) I doubt was more than a one day task -- this is a tiny value-add, not some big price doubler. The only problem is that the ZIP format wasn't dynamic and there were too many chefs in the kitchen -- nothing good was happening, so this is a great step forward.

Re:Do one thing...

[Webmonger]

That's three pieces of tacky shareware.

Remember that on Unix-likes, you actually use three tools: tar, gzip and pgp. Zip handles both the file-archiving and file-compression concerns, and now the encryption too.

I can see definite positives in making it easy for GUI users to create secure compressed archives. It would be nice if there could be three best-of-breed tools that had a united GUI. But that would be cooperation, and that's not the Windows way.

Re:Do one thing...

If you want encryption on a per-file basis - again, use GPG on individual files before or after archiving.

Compression after encryption = 0 bytes saved. There's too much random data to compress anything.

However, encrypting after compression is a different story...

Re:Do one thing...

[coyote-san]

It comes down to why you're putting the files into an archive in the first place. If you're just using an archive to transport files from one system to another the classic Unix approach works great.

But a lot of programs now use archive formats to bundle related files in a single place. Think of Unix archives (.a) files that used to just hold object files in software libraries - now we have Java archives (.jar) files that contain class files and properties, web archives (.war) that contain .jar files, images, html and jsp pages, etc. The last two formats (and other variants like .sar and .ear) are basically ZIP files with some specific entries.

It's a bit odd to work with archives directly at first, but after a while you find yourself thinking in terms of everything as archives. E.g., most image formats can also be thought of as specialized archives - it's perfectly reasonable to ask to read/write comments, thumbnails, etc.

I've written code to read and write archives directly, and I can tell you from first-hand experience that it's much easier to work with an archive format that handles compression and encryption on a per-file basis (e.g., ZIP format) than one that does it on a file-wide basis (e.g., encrypted, compressed tarballs). The same idea applies to "resource bundles" on Windows systems or Palm OS apps, although they're handled differently.

If the issue is security...

[WegianWarrior]

...then both share a common flaw: you have to unpack the container to work on the files within, and that leaves the unpackaged files open to interception.

I've been using ScramDisk to store my critical data. For those using a newer OS than I do, there is an updated version called DriveCrypt. Both gves you the choice of what sort of encryption to use and you can use up to four passwords on any given file. It also supports stegnography.

In short, I don't give a rats ass about what sort of encryption PKZIP or WinZip supports - if the file contains things I want protected, I'll zip it as normal and then drop it into a ScramDisk container.

Re:If the issue is security...

[jetmarc]

> flaw: you have to unpack the container to work on the files within, and that
> leaves the unpackaged files open to interception.
>
> I've been using ScramDisk to store my critical data.

Bad news: your files may still be open to interception. When you open them with applications like Photoshop or MS Office or WinZIP, temporary copies are created outside of the container. Usually this is C:\WINDOWS\Temp\ or a temporary folder within your user home directory (for Win2K/XP).

If your computer crashes with the file still "open", the temporary copy is usually not deleted. If you closed them, they may still be recoverable by an UNDELETE utility (they are deleted when no longer needed).

Apart from this (annoying) behaviour of (usually large) applications, your files may also leak through the swapfile. When they are loaded to memory and stay there for long time, the OS might decide to swap them out to the swapfile (usually C:\win386.swap or C:\pagefile.sys). There they are not directly accessible, but tools like WinHEX (which read the harddrive sector-per-sector) can reveal the data.

Note also, that sophisticated attackers (let's say the FBI on their hunt for Osama) may even recover data that has been overwritten! The harddrives magnetic head doesn't follow the track by 100%. If you take apart the harddrive and "view" at the magnetic platters with a special instrument, you can visualize the big fat new data track and remainders of multiple previous versions of this track's data. Data recovery companies have those instruments. If you face attackers of this high degree, it is dangerous to write temporary data to the harddrive even when you MAKE SURE that they are "overwritten" afterwards.

The conclusion is that the only really safe way of handling this, is to NEVER EVER write ANYTHING to the harddrive without prior encryption. When no sector of the harddrive ever receives unprotected data, there is (by definition) absolutely no way to find unprotected data anywhere on it (no matter how sophisticated the recovery instruments).

DCPP is a product that does this, Safeboot is another. I even made one myself (for Win9x/DOS).

Marc

Re:If the issue is security...

[coyote-san]

It took me a while to figure out what you're talking about... and you're wrong. It's not that hard to write your own library (or simply buy one) that allow you to access a file in a ZIP file as easily as with fopen(). It's even part of the standard Java libraries - see the java.util.zip package. There's no need to unpack the archive first.

At a prior job I even pulled this trick on an embedded system without any filesystem at all. (Before you ask, the network layer worked a lot like mmap() - we told it what URL we wanted and some seconds later would get a notify event with a pointer. No real or virtual filesystems anywhere.)

Creeping Featurism

[irw]

As plugins to existing applications are so popular these days, I see this issue as an irrelevance.

Both sides are competing using incompatible creeping featurism. Last I looked, Zip applications where supposed to combine and squash files (and that was enough).

What should be done is to separate the operations:
- file browsing (WinRAR's interface trumps both)
- archiving (combining files)
- compression
- encryption

and implement the latter three as functions of the first using plugins (and let the user choose).

Incidentally, Zip's file format (directory last) sucks. It is practically impossible to do the following using zip:

tar Bcf - . | gzip -1c | rsh -n over_there gzip -dc | tar -C /path -Bxvf -

To this end, plugins suggested above should be written as filters where possible.

I have no problem with browser-like interfaces combining other functions, but the Golden Rule still stands: One Tool, One Job.

Re:Creeping Featurism

[irw]

Oops. For the script kiddies that should be:

tar Bcf - . | gzip -1c | rsh -n over_there 'gzip -dc | tar -C /path -Bxvf -'

And YES, I know there are Good Reasons why zip has the directory last. I just don't see they're universally necessary.

Re:Creeping Featurism

[kirkjobsluder]

What should be done is to separate the operations:
- file browsing (WinRAR's interface trumps both)
- archiving (combining files)
- compression
- encryption

I can see two good cases where combining these funcions ala zip is preferred: random access and dealing with already compressed content. Tar+gzip/bzip sucks from a performance standpoint for random access. Also Zip is at least somewhat intelligent about recognizing and skipping over non-compressible content. If you want random access to encrypted content, then you need to encrypt before archiving as well (and then, encrypt the archive directory.)

90% of the time, I do tar+bzip2. But I can see why Zip is preferred for things like java, OpenOffice and Compressed Folders for Windows.

Re:Creeping Featurism

[kirkjobsluder]

I should add, it is only creeping featurism if the combination of features working together don't create new functionality. In this case, the advantage you gain is random access to your archive. What you loose is the ability to work with streams.

Re:Meh..

[jaavaaguru]

.tar.bz2.asc

Encrypted (open PGP), and uses less disk space/bandwidth than RAR files.

It's easy as well. In Konqueror 3.2, right click on a file or folder, and choose "Create bzipped archive", then right click on the .bz2 file and choose "Encrypt file".

Trapped by pkware!

A very dumb company I once worked for chose pkware to archive (and sell) many terabytes of text and images. Unfortunately this was done through a binary only pkware library (for SCO but running on Sequent).. This decision was made around '92 (when many superior alternatives available), before my arrival.

In the mid-90's they wanted to migrate off of their crap sequent boxes to something better.. Unfortunately, pkware refused to accomodate them by porting the library version to SGI.

The company was in a bit of a panic as the sequent gear was no longer a viable solution. New customers and scalability problems were rapidly increasing..

I suggested that they simply decompress on the Sequent and re-compress on the SGI with a better algorithm (source). Forget using pkware. The migration could have been automated such that customer requests resulting in a de-compress would re-file the data in the new system. Requests would check the new servers first. Pretty simple. Batch conversions could occur during off-peak times.

Nope. Too easy. That would not have been a sufficient crisis.. People would not have looked busy enough.

The amount of money they were offering pkware finally became sufficient for them to do a version for SGI. So they kept using pkware.

Oh yeah.. They re-hired the guy who originally decided to use pkware (as a consultant).

Unicode

[Midnight+Thunder]

A little off topic, but it would be nice if the decided to start supporting unicode filenames in Zip files. With unicode becoming more common in OSs ( this inclues MacOS X, Linux and MS-Windows), I find it ridiculouse that this doesn't even seem to be on their scopes. Well at least it seemed that way when I contacted PKware.

7 Zip

[Nurseman]

Isn't the zip compression standard in the public domain now after the death of its creator?.... there must be an open sourced version out there.

I use 7 Zip

Very easy and straight forward for me.

Patches are welcome

[tepples]

I suspect that Infozip's tool won't handle ZIPs encrypted with recent versions of PK's or WZ's software....

That's because Info-ZIP is waiting for volunteers to produce a patch to read and write WinZip's fully documented encryption.

gpg or pgp

[axxackall]

The article was about encryption, not about compression. Both Cgzip and Bzip are compressing, not encrypting.

But if you need content protection of your archives in Linux, then consider either pgp or gpg (or both - gpg is just a modern and open re-implementation of the famous in the past pgp). I used both and never had any problem.

more like Smash Bros.

[tepples]

Screw Disney. I'd rather use Super Smash Bros. Melee encryption, where Ness can "PK Zip" or "PK Unzip" a file and possibly "PK Unzip" his opponents' pants during battle.

Symmetric, asymmetric... public!

[axxackall]

With gpg I can encrypt with your key even without asking you to send me your key if it's already in PKI. All I need is your ID in PKI (typically that would be your email) and "ta-da!" - my tar.gz is encrypted and sent by email to you (or published on the web for you). You don't have to know my password or to get any my key - instead you use just your own password to decrypt and (optionally) my ID to verify the signature.

IMHO bot PKzip and WinZip are sticking their technologies somewhere in mid 90s, while we are living here what? mid 00'? password protected archive... What's wrong with those guys? Have they ever heard about PKI?

Re:Meh..

[pr0c]

Check out 7-zip http://www.7-zip.org/. It supports rars, zips etc but I use its own 7zip format most of the time which USUALLY is much smaller than a rar even.

Re:Meh..

[mattgreen]

WinRAR has the most horrid UI of most any program out there.

Correction ...

[zonix]

ls /home/some_user -la | gzip | uuencode file_list.gz | mail -s "Here's directory listing of your home dir" some_user@domain.com

Of course, that should have been: 'gzip -c'. As in compress to stdout. Sorry. :-)

Re:Meh..

[darth_silliarse]

I agree fully with this comment although I find it hard to compress with anything other than gzip :o)

Re:Meh..

[Haeleth]

.tar.bz2.asc ...uses less disk space/bandwidth than RAR files.

Um, no. For all the files I've ever archived, RAR ends up about 5-8% smaller than tar + bzip2.

Bzip2's advantage that it's free and open (and compresses better than the archaic zip and gzip). It does not compress better than RAR.

If you want to champion a free compression tool, I suggest 7-zip, which does often do better than RAR, but has a rather pathetically small user base.

Re:Meh..

[edwdig]

The problem with WinRAR is it looks like the UI hasn't been updated since the Windows 3.1 days. The artwork is all ugly & low color. The dialogs all just look out of place. There's something I just can't place about it that feels wrong.

Technology wise WinRAR is a good program. But it's about as usable as a circa 1995 app for X11.

Re:Meh..

[jaavaaguru]

I played with both of them a while ago when a friend was going on about how good Win ACE is at compression. I can't remember what sort of files I was compressing when I came to that conclusion. Perhaps we needs some good old benchmarks to give people an idea of what differences there are (compression ration, time taken to compress, etc). If I find some spare time I'll give it a shot.

RAR is a retarded closed format.

[Ayanami+Rei]

I actively dissuade people from using it. Winzip handles tar.bz2 just fine, so I don't feel bad for pushing that alternative.

And remember kids, you get the best results when you bzip2 -9!!!

Re:RAR is a retarded closed format.

[True_Seeker]

> Winzip handles tar.bz2 just fine

Don't suppose you could share how to do that, could you? This is the one feature I have been wanting (and requesting from winzip.com) for a couple of years, but it still isn't there, as of the 9.0 beta. It handles tar.gz files just fine, but doesn't recognize tar.bz2 at all.

Re:RAR is a retarded closed format.

[Jugalator]

I actively dissuade people from using it. Winzip handles tar.bz2 just fine, so I don't feel bad for pushing that alternative.

Unfortunately, WinZip misses so many features I find useful and doesn't support RAR, which is, once again, rather common in the Windows community.

And I can't say I've met another that gives a shit about it being closed. I agree that it's a downside though.

Re:Zip open public domain standard?

[Zaiff+Urgulbunger]

It does nag though doesn't it! You'd when you're in day 1254545 of your 30 day evaluation it might give up, but oh no, it just nags you some more!!

I think you're a little confused.

[Ayanami+Rei]

The reason why WinZIP doesn't improve compression ratios with each version is because the format is a fixed standard... you can't compress any better if you implement it according to spec.

Meanwhile, WinRAR can do whatever they damn well please.

The reason why WinZIP is so popular is because it integrates well into the OS, although that market is dwindling since XP has built in support for it, and InfoZIP does just a good a job on the *nix side (as do the GNOME/KDE parts that integrate it into each respective GUI). The formats are compatible... always. A specific RAR file may necessistate downloading a new version of WinRAR in some cases if certain features are enabled when it was created. This is kind of a pain.

Frankly, I'm not fond of having to download binary compression utilities and/or archives. WinRAR will always suck compared to bz2 or (in the future) 7z in that respect.

And as to the bandwidth issue? Man, I feel for you if you're still on dialup.

I'm at the point where whatever I send over the wire is either already compressed enough that an extra layer won't help (music, video, compressed images), or that gzip -1 and/or lzo is actually BETTER for throughput because otherwise the compress/decompress takes too long compared to transit time!

BZ2 for archival purposes. At least I don't have to rely on the graces of WinRAR to get my data back in the future.

moderator abuse

[voss]

Im getting redundant rankings even though Im the first post on the topic, and Im offtopic even though 5 people have responded on the same thread with topic relevant replies. Thats a load of bullcrap.

Compromise?

[mindriot]

PKWare and Winzip Reach A Secure Zip Compromise

Somehow, the word compromise looks wrong in this place... but maybe it describes the security level appropriately? :)

Winzip used encypted passwords?

[Snipet]

Either I've gone crazy or I rememeber "cracking" early versions of password protected zipfiles by opening them in notepad. Does this sound familiar / likely?

It's about time...

[Major_Small]

...that two big tech groups decide to work together... pretty much all you hear about is how x is sueing y because y took z's code, which was bought from n, who outsourced it from x...

even though they won't decide on a single standard, at least they'll meet halfway...

Is Pkware still around?

[Darth23]

Seriously.

Don't do this!

[pclminion]

With gpg I can encrypt with your key even without asking you to send me your key if it's already in PKI. All I need is your ID in PKI (typically that would be your email) and "ta-da!"

Sounds like you don't really "get" PKI then. Would you seriously encrypt an important message using a public key that you received attached to an email?

How do you know that email from "Alan Cox" with his public key is actually from Alan Cox? The last time you got a penis enlargement spam from "Bill Clinton" did you actually believe where it came from? How do you know the mail hasn't been tampered with to replace his key with Bill Gates' key? Do you actually consider email a secure medium? What planet are you on?

This is why certificates were invented. And it's why PKI is more difficult to use (at least, to use correctly) than you seem to think it is.

And for God's sake, stop "explaining" an incorrect, insecure way of using PKI to everyone. What you've just described is a security joke.

Re:Don't do this!

[axxackall]

Sounds like you don't really "get" PKI then. Would you seriously encrypt an important message using a public key that you received attached to an email?

Sounds like you don't really "get" PKI then. Sending a public key through non-reliable channels is against PKI.

Well, if your email channel is already protected by signing all content with trusted keys then no problem to trust the key sent through such email.

Alternatively, I prefer to use keys signed by trusted CA servers.

When last time have you get spam signed by keys signed by trusted CA?

So, go back and read agian to learn what is PKI before criticizing others.

Do you actually consider email a secure medium? What planet are you on?

And RTFC (comment) before answering it. In which words did I say that email per se is secure medium?

Re:Don't do this!

[pclminion]

Alternatively, I prefer to use keys signed by trusted CA servers.

That's what I was suggesting, also. I may have misinterpretted your post.

Some people who use PKI systems have a habit of attaching their unsigned public key to their emails, either as a sig or a mail attachment. Obviously these keys can't be trusted because they haven't been signed. I thought you were implying that using keys in such a way is okay, but clearly I've misunderstood what you said. Sorry.

Re:Zip open public domain standard?

[Zork+the+Almighty]

Wow, you've been using Winzip for almost 35000 years!

Ten years too early

[Caractacus+Potts]

I'm not ready for Windows XP to handle my Zip files yet. I zip up files because I DON'T WANT THEM HANDLED! Does anyone here have a procedure for thoroughly disabling Windows support of Zip files? I've unregistered zipfldr.dll, but I still see them appear as folders. Somebody help me.

Re:Ten years too early

[Tackhead]

> I'm not ready for Windows XP to handle my Zip files yet. I zip up files because I DON'T WANT THEM HANDLED! Does anyone here have a procedure for thoroughly disabling Windows support of Zip files? I've unregistered zipfldr.dll, but I still see them appear as folders. Somebody help me.

<AOL>Me too</AOL>

Virgin XP install. Got a pile of .zip files in a directory. Click on directory, expect to see only the directory open in the left-hand pane. Instead, see big pile of .ZIP cluttering directory navigation pane.

From another poster:
>>
>> Of course, if you want to verify this yourself, you are going to have to make sure that you test it on a virgin XP box that you haven't raped yet by installing WinZip on it...that'll kill the built-in ZIP "folder" class as WinZip messes with the file associations.

If I read the other poster correctly, all I have to do is install WinZip on XP and the MSFT "feature" goes away?

Can anyone verify? I don't have an XP box nearby to test this on.

Re:Ten years too early

[CWCheese]

If I read the other poster correctly, all I have to do is install WinZip on XP and the MSFT "feature" goes away? Can anyone verify? I don't have an XP box nearby to test this on.

Yes, this does happen. I bought a Compaq laptop with XP Home preloaded and found that built-in zip handler to be annoying. I loaded up WinZip 8.0 from the install file on my other PC and it reassociated .zip files to WinZip.

how was that a troll?

[elf]

Maybe I'm not in the right circles to understand the in-politics, but why was the parent to this reply modded a troll?

I'm probably not up to date on all this stuff, I just use tar and gzip.

Re:how was that a troll?

[axxackall]

Get to use it. Half of moderators here are 12-year old nuts earning their karma by bushing obvious things (such as "Microsoft is bad" and so on) on their first week after creating their /. account.

I propose Slashdot owners to sell moderating karma while keeping meta-moderating karma being earned. That would keep random boys from disturbing serious discussions.

Alternatively, I recommend to change the karma earning rules. Now it's easier to get karma on fresh account then when you are a veteran here. For example my karma always says "positive" but last time I had a moderating points was recently after I've created my account here. I guess veterans do not have any moderating points here.

Zip is basis of Java .jar/.war/.sar/.ear/...

[coyote-san]

ZIP is also the basis for the various Java archive formats. What you call "outdated" others may call time-proven, what you call "bloated" others may call flexible. A lot of the "bloat" is anything but once you realize that the file is designed to work in both streaming and random-access modes. TAR is a pure-streaming format and a real bitch to use in random access mode.

Re:Zip is basis of Java .jar/.war/.sar/.ear/...

[ostrich2]

TAR is a pure-streaming format and a real bitch to use in random access mode.

I just thought I'd mention that tar stands for tape archive, so it makes sense that it's good for streaming data--that's exactly what it was designed for.

Re:Zip is basis of Java .jar/.war/.sar/.ear/...

[coyote-san]

Sure, and I don't think any format that requires random access can be a serious contender for an archive format. For the times you need them streaming protocols are just too powerful.

But TAR missed some obvious and cheap ways to support random access. The POSIX standard is technically extensible so I could add my own fields to support random access, but the standard tools then chitter at you about unrecognized flags and you might not be able to retrieve your data. At the end of the day I decided it was a better engineering decision to stick with standard ZIP & extensions (flaws and all) instead of shoehorning the same functionality into TAR.

Try Visio

[halr9000]

2 standards only cause confusion. Remember the Word 95/97/2000 confusion? "Call him back and tell him we need it saved as Word 95!"

Yup, it's still happening. I sent a Visio 2003 doc to a co-worker the other day and they could not open it using Visio 2002. I had to re-save it.

who cares

[eneville]

zip is shit. everyone move to .tar.bz2. .rar is ok since it has file recovery.

Re:Easy to crack?

[Prof.Phreak]

a lot of people use easy to guess passwords

Actually, my password is: "easy to guess".

Nobody seems to have guessed it yet.

Stuffit

[Master+Of+Ninja]

Just to say, i think stuffit archives are a good alternative. It's for mac and windows, and a lot of mac software is compressed with it. It can do 512-bit security as well as having error correction. Plus it does have better compression (although there is a small performance penalty for it).

Re:Meh..

[gnu-generation-one]

".tar.bz2.asc"

Outlook: One attachment was deleted for potentially containing a virus (RULE 354: "more than one file extension")...

Re:Meh..

[jasonwea]

So now we can't use multiple periods in our filenames? These blocked attachments everywhere are getting annoying.

Really, what's wrong with a filename such as "linux-2.6.1.tar.bz2"? Oh, Microsoft considers that a virus you say? :)

Proof?

[pilkul]

So this guy claims that Phil Katz got rich by stealing his work. Well, I don't know anything about the story of PKZIP, but I'm not sure I'd take his word for it. The guy's biased, doesn't give many details in his story, and just from that text doesn't strike me as a particularly nice guy (Katz's early death was "a fitting demise"? He may be bitter but IMHO this is going too far.) Is there any independent proof to back up these claims?

Even taking the guy's story at face value, it doesn't sound like Katz necessarily did anything really objectionable. Here's a plausible Katz-favorable reading of the text. So this guy writes a compressor/decompressor for an open format called ARC, but it's as slow as a brain-damaged slug so it's not a big success. Katz comes along and writes a fast assembly program for the same format (the guy claims it "was basically my ARC program" --- but was code actually ripped here or is it just that Katz's program has the same functionality? He's suspiciously vague on this point.). Katz's program becomes wildly popular. This guy sees his business collapsing under the competition, so he panics and sues Katz. But the only effect is to push him to the similar but incompatible ZIP format --- which screws the guy even more since no one uses ARC anymore! The guy's business goes under because he was outmaneuvered by the competition. Fifteen years later, he is still complaining bitterly and claiming Katz stole his stuff.

I don't know the true story here, but until I see more evidence I wouldn't believe claims that Katz is a thief.

Let me rephrase it for you.

[Ayanami+Rei]

WinRAR doesn't work on my various flavors of *nix. So it doesn't get used.
EVER.
End of story.
Especially on my server where I care about upload (I've got 192k up myself, quite dreadful). I think bz2 works quite nicely, thank you. And I can actually write the encoder and decoder for that one. (You should have read the Dr. Dobbs article on the algorithm, it was quite interesting)

I'm not lazy nor a bastard. Elitist, bitchy, maybe. I think you need to rethink your adjectives.

70s? Hah.

[Ayanami+Rei]

Is there anything in particular that you're doing right now that I can't do? I mean, name it. Be honest.

And the Apples are far-and-away ahead in the "usability" game. Guess which archiver they don't have support for... hmmm. Guess which ones are bundled with the OS and integrate right in. I'll leave that to your imagination. It's a good excercise.