Slashdot Mirror


Symantec To Acquire PGP and GuardianEdge

An anonymous reader noticed the news that Symantec has bought PGP and GuardianEdge for $370 million. They plan to standardize their encryption stuff on PGP keys.

31 of 160 comments

  1. suckitude by SoupGuru · · Score: 4, Insightful

    Let the soul sucking begin!

    --
    What doesn't kill you only delays the inevitable
    1. Re:suckitude by sopssa · · Score: 2, Insightful

      It means hold on to your current PGP versions.

      I won't be trusting Symantec with it.

      What are good open source alternatives?

    2. Re:suckitude by Virak · · Score: 5, Informative

      GnuPG is what you're looking for.

    3. Re:suckitude by Em+Emalb · · Score: 5, Informative

      Not off-topic at all.

      Symantec will more than likely manage to screw this up just like they screw everything else up. Seriously, once upon a time their virus stuff was good. Now, you've gotta jump through hoops to remove it, their enterprise-level customer service is garbage, so I can only imagine how bad their home user support must be, and at some point their code base for the AV stuff grew so bloated you could run a Toyota (poorly) off it.

      What's wrong with pointing out that they're simply gonna screw it up?

      --
      Sent from your iPad.
    4. Re:suckitude by Locklin · · Score: 4, Informative

      It *is* uniform if you pick one of the available GUIs and standardize on it.

      --
      "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
    5. Re:suckitude by hairyfeet · · Score: 2

      Yeah no crap, and not just their AV. Anybody remember when Norton Utilities was actually good? Man those were the days, we wouldn't hardly let a PC out of the shop until they had bought a copy of Norton Utilities. Hell Norton's Disc Doctor was light years better than anything MSFT had for Win9X! Then Symantec bought it and it went from a "must have" to a tool more likely to cause screw ups than to actually fix them. Norton, Partition Magic, man it seems like every decent tool Symantec gets their hands on turns to big piles o' poo.

      Well to the guys that made PGP...it was nice knowing you, thanks for all the encryption. I hope your next business is as successful as your last, but hopefully not successful enough to get bought by Symantec. Oh and for those old timers that miss the AIO goodness of Norton Utilities I would recommend Tuneup Utilities. Great tool for keeping a Windows machine humming nicely. I use it myself as well as sell it to my customers and they couldn't be happier. Registry, broadband, startup, defrags, you name it, Tuneup will automate it. Gotta love their "turbo" button if you are a gamer, as it kills all unnecessary background tasks, turns off any themes, and generally gives your game a little kick in the pants.

      You can get a free key for last year's version here if you just want to give it a spin. I have a feeling once you try it you'll probably buy the latest version like I did, as like Norton before Symantec they get better every year. Damned shame about PGP though, this old greybeard hates to see any decent company get swallowed by such a craptastic company.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:suckitude by X0563511 · · Score: 2, Informative

      GnuPG (gpg) is the underlying tools and libraries. As Locklin states parallel to me, there are plenty of GUIs out there.

      Have a look but realize that there are even more out there, these are just the highlights.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    7. Re:suckitude by Kozar_The_Malignant · · Score: 2, Informative

      Short version - Phil Zimmermann wrote PGP. PGP incorporated the RSA algorithm. This got the feds after him for violation of the Arms Export Control Act, because strong crypto was considered munitions. Sanity prevailed after about three years and a bunch of lawyers' bills. A slightly longer version is here in the Wikipedia article on PGP.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    8. Re:suckitude by fwarren · · Score: 2, Interesting

      Ran Corporate version 9, 10 and 11, then with 12 it all fell apart. The replication database should only grow to 5 gigs in size. But it keeps growing till there is no space on the server's hard drive. We had to literally uninstall it, reinstall it, configure it and run it for 3 months till the database filled a 200 gig hard drive. 3 times. After 9 months and a promised "fix" always soon to be released but never actually seeing the light of day, we switched to Kaspersky.

      --
      vi + /etc over regedit any day of the week.
  2. Not bad by Mikkeles · · Score: 5, Funny

    It's Pretty Good Proprietary!

    --
    Great minds think alike; fools seldom differ.
    1. Re:Not bad by Seakip18 · · Score: 2, Insightful

      But, according to my bosses, that proprietary stuff is better! It has support contracts and since we buy the license, that must mean it's good.

      It's not like Opensource stuff comes close, right?

      Well, that is true for Outlook email client interfacing, which is a crapshoot anyways. The rest OpenSource handles quite well.

      --
      import system.cool.Sig;
    2. Re:Not bad by Seakip18 · · Score: 2, Informative

      I was specifically talking about PGP vs. GPG.

      --
      import system.cool.Sig;
    3. Re:Not bad by JWSmythe · · Score: 2, Interesting

      You know, I've seen a lot of that in the corporate world. That's why folks have gone with RHEL rather than Fedora. They get to pay for something, so they feel better about it.

      Of course, Microsoft servers are that much better, in that they can pay more for them. :)

      Way back in the day, one boss was interested in going to Linux, but he couldn't find anything that satisfied his needs to pay for it. That was primarily a BSDi shop, but it switched over to Windows because we could pay. Even under BSDi, they had paid for licenses, but didn't want to pay to upgrade to current, so we had quite a few problems, including getting network and SCSI card drivers that worked. It became a quest to find new hardware that was still supported by the older version.

      It was a hosting company, and it broke anyone's sites with CGIs on them, so they grudgingly allowed customers to request to be moved back over to the *nix platform machines.

      {sigh} I hate it when the misguided interests of the bosses are in conflict with the customers. Needless to say quite a few customers jumped ship when their sites broke and the migration path back to a *nix platform was very slow and manual.

      Another place I was at was bent on support contracts. They refused to believe that a free version of Linux could run their custom software. They still refused to believe it when I demonstrated on my Slackware workstation. When I asked how many times they had requested support, they admitted it had never happened. It's not a matter of *using* the contract, it's a matter that it's there to make them feel warm and fuzzy.

      --
      Serious? Seriousness is well above my pay grade.
    4. Re:Not bad by mlts · · Score: 3, Insightful

      If I want top notch security and not trusting some firm (possibly a CA that is offshore and is hostile to anything the country I reside in anyway), I will be using a PGP/gpg web of trust. I will either get a copy of the public key of someone face to face printed physically with a fingerprint (and will download and verify the public key and hash from a keyserver), or I will agree on a passphrase that is used only once, and that is to send and receive a copy of the public key.

      I also don't like keeping my public key that would be needed for S/MIME on an online machine. My secure private key resides on a machine that isn't Internet connected, it will reside on a smart card, or it will be on a smart card and used on an offline machine, so an attack would have to be done on a physical/local level in order to compromise my private key material. I do use S/MIME and a client key, but that is mainly a stopgap, better than nothing measure, compared to actual end to end manual encryption of data with gpg or PGP.

      PGP WOTs were in use a lot in the early to mid 1990s by cypherpunks, but for the most part, convenience won over security and it is extremely rare for someone to use a public key of someone to send mail. A good WOT is far better than a CA. I have more trust in a public key claimed to be someone that is 3-4 links out from me on my PGP/gpg keyring than I do a key that is signed by a CA and told "hey, trust us." Of course, creating a WOT is a lot harder than just letting a CA do the work, but like Phil Zimmermann said, it is better to pack your own parachute when security is critical.

      Another use for PGP over S/MIME is signing of files. A signed E-mail is difficult to forward and keep the integrity intact. However, if I have a file and a PGP/gpg signature of it (or just a PGP signed file), I can forward it, archive the two files, back them up to whatever backup media, and all it takes is a validation in the future to ensure that the file and the signature were not tampered with, assuming I have the public key in my keyring, and that hasn't been tampered with. Of course, I can use facilities like the file signing capabilities built into Acrobat, Word, or other software, but again, I have to use a third party CA, or pay for a special signing key, as opposed to a secure WOT. Plus, some files (archives and such) can't be signed internally, so having a separate .sig file is needed.

      S/MIME is decent, built into most dedicated E-mail clients, and is better than nothing. However, if you want reliable E-mail security, you are best off using a PGP/gpg WOT.

    5. Re:Not bad by ToasterMonkey · · Score: 2, Insightful

      Arg... this is so painful to read. What is with the mods? +1 Long post?

      > If I want top notch security and not trusting some firm (possibly a CA that is offshore and is hostile to anything the country I reside in anyway), I will be using a PGP/gpg web of trust.

      I'm not a big defender of the big CAs, but trust chains serve a purpose. In a WOT, who first decides that someone really is associated with a given name, and why on Earth do you trust _them_? Sure, you will all be talking to the same person, but who is that? The point of the chain model is that at least someone is responsible for verifying a certificate holder's identity in some minimal way. To what length they go depends on what the next link in the chain of trust requires.. MS, Apple, Firefox, etc, then you trust them, and so on.

      > I will either get a copy of the public key of someone face to face printed physically with a fingerprint (and will download and verify the public key and hash from a keyserver),

      An in person key exchange is the best you could possibly do, and does away with the other complex trust models. This is what the financial industry mostly does, a bunch of P2P symmetric key exchanges. You do have to change keys now and then (you do right?) so P2P gets very expensive. This is why your debit cards have different processor logos on them, because each bank only talks to a couple big processors, and not every other bank in the world. There is no need to use a public keyserver (why would you trust _that_?) if you meet the message recipient in person...

      > or I will agree on a passphrase that is used only once, and that is to send and receive a copy of the public key.

      Uh.. why a passphrase? You were only going to give the passphrase over a secure channel or in person right? Then you'd only need to send the key. Try to think all that through..

      > I also don't like keeping my public key that would be needed for S/MIME on an online machine.

      I'm not going to explain PKI here. Just wow.

      > My secure private key resides on a machine that isn't Internet connected, it will reside on a smart card, or it will be on a smart card and used on an offline machine, so an attack would have to be done on a physical/local level in order to compromise my private key material.

      Good. At least you understand the important half of PKI I guess..

      > I do use S/MIME and a client key, but that is mainly a stopgap, better than nothing measure, compared to actual end to end manual encryption of data with gpg or PGP.

      Just wow.

      > PGP WOTs were in use a lot in the early to mid 1990s by cypherpunks, but for the most part, convenience won over security and it is extremely rare for someone to use a public key of someone to send mail.

      Yah...?

      > A good WOT is far better than a CA. I have more trust in a public key claimed to be someone that is 3-4 links out from me on my PGP/gpg keyring than I do a key that is signed by a CA and told "hey, trust us." Of course, creating a WOT is a lot harder than just letting a CA do the work, but like Phil Zimmermann said, it is better to pack your own parachute when security is critical.

      Look, I'm not going to hawk webs, chains or direct or whatever trust schemes.. the only thing that matters is how keys are exchanged, and why you trust them. Just because a CA makes money, that doesn't make the chain model wrong..

      > Another use for PGP over S/MIME is signing of files. A signed E-mail is difficult to forward and keep the integrity intact. However, if I have a file and a PGP/gpg signature of it (or just a PGP signed file), I can forward it, archive the two files, back them up to whatever backup media, and all it takes is a validation in the future to ensure that the file and the signature were not tampered with

  3. Open Source Alternative by Anonymous Coward · · Score: 4, Informative

    GPG is out there { http://www.gnupg.org/ } and we should use it.

    Privacy is a human right. Democracy can't work if its citizens are controlled like slaves in the Roman Empire.

    Freedom is ours to take! Long live the RPG!

    1. Re:Open Source Alternative by wealthychef · · Score: 5, Funny

      > Freedom is ours to take! Long live the RPG!

      Rocket propelled grenades?

      --
      Currently hooked on AMP
    2. Re:Open Source Alternative by jack2000 · · Score: 4, Funny

      And the sniper rifle. I've always been a stay out of harm's way type of player:)

    3. Re:Open Source Alternative by Chris+Mattern · · Score: 3, Funny

      "...that among these are life, liberty, and the pursuit of BOOM HEADSHOT!"

    4. Re:Open Source Alternative by JWSmythe · · Score: 2, Insightful

      Ya, that doesn't quite make sense. An RPG survives until it hits the target. While I like explosions as much as any pyromaniac, they aren't designed to be long lived items unless you never use them. What fun is a box full of RPGs when you don't use it?

      --
      Serious? Seriousness is well above my pay grade.
  4. I don't trust Symantec by Anonymous Coward · · Score: 2, Insightful

    This really sucks. In dial-up days, I used a cool, lightweight firewall application published by WRQ called AtGuard. Symantec licensed the product and incorporated it into their own software; the stand-alone product known as AtGuard then disappeared from the market. I used to use Partition Magic. Again, Symantec bought it and it exists no more.

    With that little bit of sample history, I'm sure we can bid PGP farewell.

  5. Re:Scary by dgatwood · · Score: 4, Insightful

    Just another enterprise company that Symantec will acquire, make a half-hearted attempt to integrate it into their company, then systematically lay off all the workers, outsource product development to India, release a nearly completely nonfunctional successor to it, and eventually cancel it outright after the support contract revenue dries up. I've seen this worthless company pull this stunt too many times to expect anything different.

    Note to CEOs: getting acquired by Symantec is corporate suicide. If you care at all about your employees or your product, the correct answer is not "no", but rather "hell f**king no". Just saying.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  6. Re:Lol by CondeZer0 · · Score: 4, Funny

    > PGP was bloatware before. Now that the most talented producer of bloatware in the world (Symantec) bought it, the PGP software might soon win the bloatware of the year award.

    If Adobe bought Symantec I suspect the massive concentration of bloat would cause the creation of a super massive black hole that would instantaneously eat up the whole solar system.

    --
    "When in doubt, use brute force." Ken Thompson
  7. What is this, acquire and merger week? by frambris · · Score: 4, Funny

    Everybody seems to buy each other this week. By the end of the year the Internet is run by three companies: MicroApple (software), HP (hardware) and Ciscoogle (Internet)

    1. Re:What is this, acquire and merger week? by bipbop · · Score: 3, Funny

      What do you mean? MicroApple has always been at war with Oceania!

  8. Encrypt file containers, partitions with TrueCrypt by Futurepower(R) · · Score: 5, Informative

    TrueCrypt is reliable, reputable, fast, free, open source, and works on Windows, Mac OS X, and Linux.

    The TrueCrypt documentation is very good, but not perfect.

    TrueCrypt can encrypt a file that contains other files (a drive letter) or encrypt an entire partition, even the boot partition.

    No one I know has any connection with TrueCrypt. We are just happy users.

  9. Acronym change by Limburgher · · Score: 3, Funny

    Now, it's Pretty Good Privacy. Soon, it will be Poof Gone Permanently.

    --

    You are not the customer.

  10. Re:Oh. My. God. by Amouth · · Score: 4, Funny

    > I work for a giant TLA. ... We're headed straight to hell, aren't we?

    humm I believe you have already arrived

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  11. Re:Pretty *Bogus* Privacy by calmofthestorm · · Score: 3, Insightful

    Regardless, I would assume the NSA has its fingers everywhere. Backdoors are not trivial to catch in the source code, like the famous if (uid = 0) test on an obscure flag combination on an obscure call.

    Don't get me wrong, I'll trust OSS a lot more if the code can be read by anyone, but what good is the potential if no one actually does it?

    The beauty is that I don't do anything the NSA cares about, I just like my privacy. Anyone powerful enough to get my personal data has bigger fish to fry.

    --
    93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
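
The assignment-in-a-condition pattern mentioned in the comment above, as an added example that is not part of the original thread and not code from any real project; the flag names, struct and function names are hypothetical. It puts the backdoored check beside the intended one and shows why the call still appears to behave normally.

```c
#include <stdio.h>

/* Hypothetical stand-ins constructed for this example, not real kernel code. */
#define OPT_A     0x1
#define OPT_B     0x2
#define ERR_INVAL (-22)

struct task { unsigned int uid; };

/* Backdoored form: reads like an argument sanity check, but "uid = 0" is an
 * assignment. Its value is 0 (false), so the error path is never taken and
 * the call returns normally, while the caller's uid has been set to 0. */
int check_backdoored(struct task *t, int options)
{
    int ret = 0;
    if ((options == (OPT_A | OPT_B)) && (t->uid = 0))
        ret = ERR_INVAL;
    return ret;
}

/* Intended form: a comparison. Taking the task as const turns any
 * assignment to t->uid in this function into a compile error. */
int check_fixed(const struct task *t, int options)
{
    int ret = 0;
    if ((options == (OPT_A | OPT_B)) && (t->uid == 0))
        ret = ERR_INVAL;
    return ret;
}

/* Helpers: uid of an unprivileged caller (1000) after each check runs. */
unsigned int uid_after_backdoored(int options)
{
    struct task t = { 1000 };
    check_backdoored(&t, options);
    return t.uid;
}

unsigned int uid_after_fixed(int options)
{
    struct task t = { 1000 };
    check_fixed(&t, options);
    return t.uid;
}

int main(void)
{
    printf("backdoored, ordinary flags: uid=%u\n", uid_after_backdoored(OPT_A));
    printf("backdoored, both flags:     uid=%u\n", uid_after_backdoored(OPT_A | OPT_B));
    printf("fixed, both flags:          uid=%u\n", uid_after_fixed(OPT_A | OPT_B));
    return 0;
}
```

The two checks differ by a single character, which is what makes the pattern hard to spot in review.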
  12. This is fantastic! by JonJ · · Score: 4, Funny

    I've always wanted encryption-software from people who can't write a fucking uninstaller properly.

    --
    -- Linux user #369862
  13. Re:Encrypt file containers, partitions with TrueCr by X0563511 · · Score: 3, Informative

    Truecrypt is not the same thing as PGP/GPG. Truecrypt is great, mind you, but it is not public key cryptography and signing, with web-of-trust. It's just data encryption and hiding.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...