Symantec To Acquire PGP and GuardianEdge
An anonymous reader noticed the news that Symantec has bought PGP and Guardian Edge for $370 million. They plan to standardize their encryption stuff on PGP keys.
← Back to Stories (view on slashdot.org)
Let the soul sucking begin!
What doesn't kill you only delays the inevitable
Just another enterprise company that Symantec will acquire, make a half-hearted attempt to integrate it into their company, then systematically lay off all the workers, outsource product development to India, release a nearly completely nonfunctional successor to it, and eventually cancel it outright after the support contract revenue dries up. I've seen this worthless company pull this stunt too many times to expect anything different.
Note to CEOs: getting acquired by Symantec is corporate suicide. If you care at all about your employees or your product, the correct answer is not "no", but rather "hell f**king no". Just saying.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Regardless, I would assume the NSA has its fingers everywhere. Backdoors are not trivial to catch in the source code, like the famous if (uid = 0) test on an obscure flag combination on an obscure call.
Don't get me wrong, I'll trust OSS a lot more if the code can be read by anyone,but what good is the potential if no one actually does it?
The beauty is the I don't do anything the NSA cares about, I just like my privacy. Anyone powerful enough to get my personal data has bigger fish to fry.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
If I want top notch security and not trusting some firm (possibly a CA that is offshore and is hostile to anything the country I reside in anyway), I will be using a PGP/gpg web of trust. I will either get a copy of the public key of someone face to face printed physically with a fingerprint (and will download and verify the public key and has from a keyserver), or I will agree on a passphrase that is used only once, and that is to send and receive a copy of the public key.
I also don't like keeping my public key that would be needed for S/MIME on an online machine. My secure private key resides on a machine that isn't Internet connected, it will reside on a smart card, or it will be on a smart card and used on an offline machine, so an attack would have to be done on a physical/local level in order to compromise my private key material. I do use S/MIME and a client key, but that is mainly a stopgap, better than nothing measure, compared to actual end to end manual encryption of data with gpg or PGP.
PGP WOTs were in use a lot in the early to mid 1990s by cypherpunks, but for the most part, convenience won over security and it is extremely rare for someone to use a public key of someone to send mail. A good WOT is far better than a CA. I have more trust in a public key claimed to be someone that is 3-4 links out from me on my PGP/gpg keyring than I do a key that is signed by a CA and told "hey, trust us." Of course, creating a WOT is a lot harder than just letting a CA do the work, but like Phil Zimmermann said, it is better to pack your own parachute when security is critical.
Another use for PGP over S/MIME is signing of files. A signed E-mail is difficult to forward and keep the integrity intact. However, if I have a file and a PGP/gpg signature of it (or just a PGP signed file), I can forward it, archive the two files, back them up to whatever backup media, and all it takes is a validation in the future to ensure that the file and the signature were not tampered with, assuming I have the public key in my keyring, and that hasn't been tampered with. Of course, I can use facilities like the file signing capabilities built into Acrobat, Word, or other software, but again, I have to use a third party CA, or pay for a special signing key, as opposed to a secure WOT. Plus, some files (archives and such) can't be signed internally, so having a separate .sig file is needed.
S/MIME is decent, built into most dedicated E-mail clients, and is better than nothing. However, if you want reliable E-mail security, you are best off using a PGP/gpg WOT.