PGP's New Release, Source Code, and PRZ 281
Would you buy PGP from this man?
Long before Dmitry Sklyarov was arrested for helping people undo e-book encryption, and before DeCSS was unlocking DVDs, Philip Zimmermann was being prosecuted for a nearly opposite endeavor: providing software which allowed ordinary people with a modicum of computer savvy to encrypt their own data in a way impractically difficult even for large government agencies to reverse. His modestly named application Pretty Good Privacy, or PGP, was released in 1991 as freeware and was quickly adopted by privacy seeking computer users.Export controls then in effect barred international trade in such software; because of PGP's inevitable spread online well past the borders of the U.S., Zimmermann was accused of violating munitions-export laws. For a while, this made Zimmermann a poster boy for the right to create software free of intrusive restraint, and ended up in a three-year battle with the government which Zimmermann eventually won.
Now, in a twist worthy of novelization, Zimmermann has joined a small number of PGP Corporation partners on North America, and will be reselling PGP Corporation's version of PGP. Outside North America, PGP Corporation has sales partners in countries from Germany to Singapore -- in a sense, Zimmermann is simply their most famous salesman. (He also serves on PGP Corporation's technical advisory board and maintains a consulting relationship with the company.)
Sales, though, is really a sideline to Zimmermann's consulting business. "I'm not really switching my career to sales," he says. Zimmermann is nonetheless enthusiastic about his new role selling the software he kick-started more than 11 years ago, though it's a switch from his role in creating it. "I don't write code anymore," he said from his Silicon Valley home office. "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am." Zimmermann downplays the Federal government's legal proceedings against him in the first half of the 90s, calling it "old news" and "years in the past."
Like any large organization, in fact, the Federal government has a need to encrypt certain documents, so it's no surprise that the government bodies of every stripe use "a ton" of PGP. It seems likely that his sales venture means that Zimmermann will soon have come full circle, from producer of verboten software to vendor selling his product to government agencies. Zimmermann admits "It would be funny, and there would be a certain irony if that happens ... I'm hoping to sell to enterprise customers, large users, and that includes the government. If the government wants to buy it from me, that would be fine with me."
Something to sell, and source code, too.
PGP's present is finally catching up with its history (try this google search for a number of links): today's release of version 8.0 for Windows and Mac OS X differs not just in name from PGP as it was released under NAI's stewardship, because this time there is full source code to go along with it. (A Linux release is being investigated.)The 8.0 release doesn't differ in basic purpose from previous versions of PGP: it's still intended as an easy-to-use approach to encryption for both business and personal use, with hooks to a wide range of network operating systems and mail systems; there are several simultaneous releases, actually, from freeware (for non-commercial use) to an Enterprise edition, and the features available vary with the price. There's also a link to download the full source, under certain conditions, from PGP Corporation's home page.
PGP Corporation director of products Stephan Somogyi says he's proud of the way the company has walked the tightrope between source code availability and securing its own interest in the product based on that code.
The license agreement it takes to download source code, however, contains clauses guaranteed to rankle some open-source advocates and security enthusiasts. For instance, part of the third section of the eight-section source code license reads: "You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you."
Another section carefully lists uses of the code which are explicitly prohibited, including a note that a downloader may not "give (meaning sell, loan, distribute, or transfer) the source code files to anyone else" (except under certain outlined circumstances). Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."
Somogyi draws a distinction here between the meaning of an End User License Agreement (EULA) and a source code license such as the one required to download the PGP source. The source code is there, he says, because "PGP [Corporation] is making it clear that we don't have anything to hide and that PGP remains a trusted brand, a trusted codebase."
With nothing more than a click-through license protecting it, there will almost certainly be rogue copies of the source code soon, but as Somogyi puts it, "the only place that anyone who cares about their security is going to get PGP is from us -- no one is going to use some randomly compiled version of PGP, because they don't know the provenance. It's all about trust, from our perspective."
Zimmermann, too, takes pains to note a distinction which sounds similar to one made by Microsoft in describing that company's "Shared Source" source code disclosure. "Publishing source code doesn't mean you've giving away the software -- if you think about it, John Grisham publishes his novels in source code form. Does that mean he's giving up his copyright in them? No. If Microsoft published the source code to Office, does that mean they wouldn't still want money for it? There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away."
Reputation and Propriety.
It's hard to say how much of PGP's reputation is really that of its creator.Zimmerman's insistence on his right to create troublesome code, and on the freedom to encrypt which his software provided its users, endeared him to crypto-libertarians before most of the current battles of software freedom and philosophy had reached public consciousness.
Whereas Zimmermann famously left Network Associates, PGP Corporation seems much more interested in maintaining the integrity of Zimmermann's connection to PGP, which is if anything a tacit admission of Zimmermann's importance to the company's reputation.
"We would be foolish if we did not seek counsel from people who are the best in their fields," says Somogyi. "It's really important that Phil be involved." Zimmermann's presence on the technical advisory board from its inception will probably serve to reassure users worried about corporate machinations.
Should You Buy PGP from this man?
When PGP was first released, it was cutting edge -- in the sphere of ordinary computer users, it was a runaway hit. Now there are alternatives to PGP; in the Free software world, these include notably the GNU Privacy Guard (GPG), a suite of tools which aims to be a user-friendly equivalent to PGP consisting entirely of Free software.Neither Zimmermann nor PGP Corporation's Somogyi seems worried about Free software alternatives to their own products, which can after all still be used free of charge.
"There's still a freeware version of PGP, and there's still going to be a free version of PGP, including the version that's coming out, version 8," says Zimmermann, who actually points to GPG and several other products from his sales web page. "I applaud the creation of GPG, we need to have multiple sources for this kind of technology. But you know, PGP is a good product, I think that it's easier to use."
Somogyi echos this line of reasoning. "Fundamentally I think that the people who use PGP is one group, and the people who use GPG are another, and I don't see a heck of a lot of competition between the two efforts," he says.
Zimmermann says that the prospect of selling PGP, though -- and making money from it -- is key to its prospects for success. "Look at what happened last time when nobody paid for PGP. NAI pulled the plug on the product. From February of this year until August, PGP was in limbo. ... Remember the National Lampoon from 70s, 'Buy this magazine or we'll shoot this dog'? That's what happened. They shot the dog!"
"It takes money to pay the engineers, it takes money to do all this stuff. PGP is a big important product, it doesn't just happen for free." And when NAI dropped PGP development, the software "went into an intellectual property black hole. When a company pulls the plugs on a product, it just disappears. All this political posturing about saying that cryptography should be free, that's all very nice, but it doesn't pay the bills."
Good for Zimmermann (Score:3, Insightful)
- Rick
Re:Good for Zimmermann (Score:2)
Re:Good for Zimmermann (Score:2)
Re:Good for Zimmermann (Score:4, Informative)
GnuPG ignores ADK packets, incidentally.
Re:Good for United States Residents: +1, Patriotic (Score:2, Insightful)
Guess what dude, this comes under the heading of freedom of speech and last time I looked, the Constitution allowed me to just that. And does that make my unpatriotic? Not in my book, dissenting views ultimately created this Nation. Remember?
Oh, if you want to make a point, then do so with a reasoned and intelligent response. Why is dissention bad? How is speaking your mind in disagreement with leadership un-American? Because you said so? Hmmm.
I can buy it but .... (Score:3, Interesting)
Re:I can buy it but .... (Score:2, Interesting)
Re:I can buy it but .... (Score:2)
So, any idea if/when we'll see a *nix version, with source code the customer can compile on Linux, *BSD, Solaris, HP-UX, AIX, etc. etc.?
Re:I can buy it but .... (Score:2, Insightful)
- Rick
RedHat too (Score:2)
Re:RedHat too (Score:2)
The product at Fry's comes with support and documentation that is otherwise not included. It may be a highprice to pay for information which is otherwise available all over the net, but for some it is simply a matter of convenience.
-R
Re:RedHat too (Score:2)
Re:RedHat too (Score:2, Insightful)
No, this business model actually causes a negative cashflow [yahoo.com]
Re:I can buy it but .... (Score:5, Insightful)
You could say the same thing about Windows. (Score:2)
Re:I can buy it but .... (Score:5, Insightful)
Phil has always advocated that it is very important that there is peer review of security products, and I entirely agree with him on that point, but he is not An open source advocate (which is why I find the nitpicking about the license absurd: It's not GPLd, folks, it's peer review. The release of the source is only intended to allow for particularly paranoid folks to ensure that there aren't any backdoors in the code). They are two entirely different things, and it's completely reasonable for him to release those products as he has.
If someone builds the source and distributes the binary, they are no different from someone ripping an ISO and distributing warez.
Re:I can buy it but .... (Score:5, Informative)
Take "main(){printf("Hello!\n")}" and "main(){printf("%s","Hello!\n")}"
While functionally identical, gcc will compile them into two very different binaries.
In short, there's no way to verify that the source code and the program are the same. Even if the two programs appear to respond to every interaction in the same manner, there's no way to know that there isn't a back door in the pre-compiled version.
And we're prohibited from using the provided source code for anything but verifying a lack of flaws. Legally, we can't buy the program and compile the accomanied source for personal use.
I'm not saying "Don't trust PGP." I'm just pointing out a flaw in their peer-review logic. If they allowed you to use the compiled source for personal use, then all would be well. (Aside from moral compunctions, of course.)
Re:I can buy it but .... (Score:2, Interesting)
Re:I can buy it but .... (Score:2, Funny)
Re:I can buy it but .... (Score:3, Informative)
Re:I can buy it but .... (Score:3, Informative)
Re:I can buy it but .... (Score:4, Insightful)
If the MD5 and SHA1 checksums of the code you compiled locally matches those of the distributed version, you have a very high degree of confidance that the distributed executable was indeed compiled from the published source code. If they don't match, tampering is a possibility.
In order to do this successfully, you need two things that seem to be lacking in this case: the makefile used to compile the official executable, and all the pertinent details about the build enviornment (compiler version, versions of statically-linked libraries, and so forth). If you can't exactly duplicate the build enviornment, it's probable that there will be differences in the executable code even if it was compiled from the same source code.
Re:I can buy it but .... (Score:2)
Turnaround Time (Score:5, Interesting)
I'd be more comfortable with this if there was an absolute cap that did not depend on the acknowledgement. As written, it would seem to allow PGP to freeze the clock indefinitely by simply not responding.
Re:Turnaround Time (Score:5, Interesting)
It's a good point, but they know as well as anyone that an unacknowldeged problem becomes an embarrassing public one when the problem is posted anonymously, which is what would happen if they "froze the clock" in the manner you speak of.
I'm willing to extend them the benefit of the doubt on this one... they'd be hurt more than most of the software producers by having a security bug go unacknowledged/unpatched. It's not like a license agreement is going to stop the spread of any vulnerability info at any rate.
Depends on how they implement it... (Score:2)
Kjella
Re:Depends on how they implement it... (Score:2)
This is the same reason that corporations are reluctant to become dependant on single-source providers. Once you become dependant on someone, even if you trust totally the people you originally dealt with, there can be a change.
So this part of the licens renders the program unuseable. The rest of it makes sense. I wouldn't do it that way, but I'm not trying to run a company around a product. But the "until we acknowledge" limitation is too big a lump to swallow.
Re:Turnaround Time (Score:5, Interesting)
Precisely. And what happens if they go out of business? This is one of the key things that many otherwise well-intentioned source code license agreements fail to recognize: the software may outlast the the company that created it. It would likely be problematic even if some other corporation bought the PGP vendor. It is not uncommon for someone to buy the ASSETS of an insolvent corporation, but the obligation to respond to queries about source code could would logically be considered a LIABILITY.
Anyway, I think they had good intentions with this clause but they've paid too much attention to their lawyers. Perhaps, if the clause as written turns out to be a problem, (good) hackers could merely post "I have some interesting information about the product, but I am legally prevented from disclosing it by Section X, Paragraph Y of the source code licensing agreement. Please encourage the PGP vendor to acknowledge my emails"
Re:Turnaround Time (Score:2)
I'm willing to believe that intentions are pure in this case, but the agreement needs to be edited slightly.
Re:Turnaround Time (Score:2)
Fair enough -- if they don't respond in a reasonably timely manner, the license can't prevent that fact from getting out.
Re:Turnaround Time (Score:2, Insightful)
That way, you can prove that you sent the message at some point in time (you have the header added by the SMTP server).
This can protect you to some extent. It would probably be better if you use a third party SMTP server to do it.
Note that will only prove that you sent the message, not that they received it.
Re:Turnaround Time (Score:2)
Re:Turnaround Time (Score:2, Insightful)
Differences from previous releases? (Score:5, Interesting)
Re:Differences from previous releases? (Score:2, Informative)
Re:Differences from previous releases? (Score:2)
Re:Differences from previous releases? (Score:2)
Unfortunately, they seem to have decided it's an Outlook issue rather than something they can implement.
don't order it this morning... (Score:5, Informative)
I plunked down my cash first thing this morning.
It looks like they're pretty swamped. The download failed, and, after the third try told me that the link had expired.
I guess this means I've got to call their customer service deptartment today. So, you may want to wait a bit before buying. The beta I've got for OS X doesn't expire until 12/06/2002, so I'm not totally screwed yet.
PGP must be good encryption. (Score:5, Funny)
Re:PGP must be good encryption. (Score:2)
PGP is overrated (Score:4, Insightful)
But, just like the NRA sorts, who cling to the illusion that their pre-ban AR-15 will protect them against the black helicopters, PGP users delude themselves into thinking they're making a heroic stand for freedom, when in reality, no one cares about their encrypted plans to sleep in line for the Two Towers premiere.
Re:PGP is overrated (Score:5, Insightful)
You use envelopes, right? Why? Becuase you don't want everyone in the post office reading your mail. If you didn't care, you'd use postcards. Sure, the envelope isn't bulletproof, but it's enough to keep the casual snooper out. Same deal with PGP.
You're right, if the Man wants to read your email, he's going to do it. PGP isn't designed to be a totally secure system, just a mostly secure one.
I use envelopes because I pay bills (Score:2)
Christmas time and ebaying are about the only time of year I mail non-bill stuff.
Re:PGP is overrated (Score:2)
But I can't crack PGP.
plus envlopes keeps multiple items niceley together.
Close but bad analogy.
Re:PGP is overrated (Score:3, Insightful)
I guess if you want to look at the utility aspects, PGP isn't designed to keep multiple items together, that's why we have tar [gnu.org].
Even if it is a bad analogy, isn't this a more reasonable viewpoint than the "fuck it, Uncle Sam's got us by the nuts, I give up" attitude espoused in the original post?
Re:PGP is overrated (Score:2)
Its a close analogy, maybe not entirely bad. And yes I do agree with you about the other post. Why would I worry about the gov listening to my phone converstations when all of the communciation I want kept private are done encrypted on the net. Its possible for a slip up, but I think it can be done.
Re:PGP is overrated (Score:2)
Failing assumption... (Score:2)
Umm no. Not that I use letters much anymore, e-mail / IM / phone covers most of my informal contact need. When I send a letter in an envelope it's because:
- I'm sending something too long to fit on a postcard
- I'm attaching something (photos, birthday card)
- It's typed up on my computer, and my printer doesn't handle postcards well
- The reciever expects a letter (say a job application)
Granted, there are a few times when I want an envelope for privacy reasons. But that's far from the only reason.Kjella
Re:PGP is overrated (Score:2)
What I do care about is that the owner of the company I work for let someone get the password for his email box. Someone has been reading his email. So on goes PGP and I just hope he does not give that password to someone.
Re:PGP is overrated (Score:2, Insightful)
And that's great. They'll get the terrorists they want, and nobody will know what I've been discussing with my fiancée, or with my friends, or whoever. And they'll not know what my company has been discussing with some other business out there. (Commercial secrets are still secrets)
Doesn't sount too bad after all.
You can still get evidence to take a criminal to court -- and that's good. But people won't read yout e-mails and know what you've been discussing (they won't know too much about your private life).
Not that tere aren't other problems, of couse, but then, there is always a problem...
Re:PGP is overrated (Score:2)
They'll get the terrorists they want, and nobody will know what I've been discussing
Yeah, except that these days they'll profile you into the same category as those sending email to the Cali cartel and to Pakistani ISPs just because you're bothering to use PGP.
Islamic extremists will have effectively won their biggest victory when they get the U.S. to abandon precious rights and liberties for a society as repressive as anything the Taliban could dream up.Re:PGP is overrated (Score:2)
Tempest vans? Are they anything like Super Vans? [zylmex.com]
Re:PGP is overrated (Score:5, Insightful)
So, given that's true, why bother encrypting anything? Answer: if a lot of innocent traffic is encrypted, it significantly raises the effort level required to identify the non-innocent traffic, and thus makes it much less likely that the government WILL decide that it ``really wants to get you''.
Is that a good idea? Even after the events of the last year, government in general still seems to have the resources to be a greater threat to us than all the Islamic malcontents in the the world put together. Some of those governments definitely have the will to do us harm; after all, some of them are run by those same Islamic malcontents. Some of us are living under the power of those evil governments. PGP and its successors have been used by human rights groups operating in countries like Yugoslavia, to keep records secret.
Don't forget, also, that while a despot might tire of amusing himself by persecuting you, the bureaucrats who persecute decent folks in the western world are doing it for our own good, and their self-image as good people and hard workers depends on putting Dimitry in jail, or busting down the doors of prople who have violated a contract with their cable company by uncapping a modem, or what-not. The people who are probably the greatest threat to us in the US and Europe are these well-intentioned, honest, hardworking idiots, who honestly believe that they are protecting us all. Sometimes they ARE protecting us all, and sometimes they are doing quite the opposite, but they are always trying to earn their pay by doing their job, no matter how destructive that may be.
Overall, I think it is an excellent idea to make it as difficult as possible for the government to keep tabs on us, or to single us out, even when our government is NOT deliberately evil, as is the case in the US.
It isn't just governments that have secrets. Most companies have marketing plans, customer lists, and so on that their competition would give big bucks to get. If only the sensitive email is sent encrypted, it's obvious which messages need to be cracked. It's also obvious when there is a flurry of sensitive activity. If you also encrypt your non-sensitive email at work, that eliminates that sort of problem.
Finally, personal, frivolous users of encryption ARE helping folks who have a serious need for it, at least indirectly. See my first paragraph. If they are deluded, well, that's good for the rest of us. We can't afford to have things reach the point that using PGP makes you a suspect. The world is full of folks who are eager to do bad things to good people, some of them with the very best of intentions for the very people they'd harm.
Re:PGP is overrated (Score:2)
True enough. However, I don't want to publish my travel plans to too many people via unencrypted e-mail every time I send my family the flight number I'm coming in on. I've had my home burglerized once. I don't think anyone who has had that experience wants to go through it again.
PGP and GPG also provide signatures. In the semi-anonymous world of the web and open source, there's a lot to be said for signing your source code.
Raising The Bar (Score:2)
The objective is not to create perfect security (which is, as you correctly say, not possible). The objective is to make your security good enough for most practical purposes.
Yes, the government can use various sorts of surveillance measures to get your messages anyway. However, requiring trained personnel to set up monitoring vans or do black-bag jobs limits the total number of surveillance targets. That makes wide-ranging fishing expeditions impractical, and inhibits abuse by bored or vindictive individuals. Also, it leaves a bigger trail (more memos, more people directly involved) to be traced if -- OK, when -- the government does break the law.
PGP is underrated (Score:2)
Well, duh. However, PGP might just protect my trade secrets from being intercepted by a competitor. PGP might also protect my medical information from a private detective trying to dig up some dirt on me for a bitter ex-spouse. Competitors and private detectives don't have the resources of the United States government and PGP works just fine against them. Furthermore, PGP has most certainly been successfully used to protect human rights workers [philzimmermann.com] from clumsy oppressive governments. If that's not a great accomplishment, I don't know what is.
Re:Parent is overrated. Mod down please. (Score:2)
To be or not to be (Score:4, Insightful)
Sounds like he is trying to convince himself that he is happy and it's not quite working.
Re:To be or not to be (Score:2)
Signing source code? (Score:5, Insightful)
(If PGP is not signing the source code that would be a bit odd, not using the very technology that they are selling. Presumably they are in fact signing it and the provenance thing was just marketing BS.)
Re:Signing source code? (Score:2, Insightful)
I wonder why they didn't think of that.
Re:Signing source code? (Score:2)
No, I said they could use an old, trusted copy of PGP to verify the signature on the new version. That's how PGP has done it in the past AFAIK.
Java (Score:2)
Re:Java (Score:2)
So it's just for Windows and Mac? (Score:2)
I fail to see how the PGP vs. GPG question isn't settled on this very point. PGP won't even run on many platforms, so any ease-of-use claims should be dimissed out of hand on that basis alone. The choice is really between GPG (which is being actively developed) and freeware PGP [mit.edu] (which looks to be getting pretty old). That isn't much of a choice.
Go ahead and flame away...
-B
Re:So it's just for Windows and Mac? (Score:4, Funny)
Re:So it's just for Windows and Mac? (Score:2)
Maybe they'll fix that annoying XP problem (Score:5, Interesting)
Oh, and if you ran the un-installer, trying to fix it, it would remove the TCP/IP stack from XP altogether (even though that's not supposed to be possible).
If you rolled back using the XP Configuration tool, it was all OK. If you tried to reinstall XP's TCP/IP stack alone, or repair it using the install disk, you got mightily screwed by the fact that XP doesn't do a proper TCP/IP reinstall, coupled with the fact that when you run this reinstall/repair, it blows away your ability to roll back to a good configuration.
OUCH...
Of course, if you installed it without the network stuff, it was OK, and just makes XP occasionally pop up messages saying that the SDK driver is unavailable.
Re:Maybe they'll fix that annoying XP problem (Score:2)
Originally, though, it was just fine print in the README.
And who reads that kinda shit?
But that's when Google Groups comes to your aid!
Re:Maybe they'll fix that annoying XP problem (Score:3, Funny)
You're the reason people hate Americans.
I can't believe OSS zealots are taking this... (Score:2, Informative)
Re:I can't believe OSS zealots are taking this... (Score:2, Interesting)
The only thing you can do is free bugsearching.
Quite frankly, most OSS zealots I've met wouldn't know what source code was if they saw it. It's just an anti-corporate buzzword they picked up at college.
Re:I can't believe OSS zealots are taking this... (Score:2)
Re:I can't believe OSS zealots are taking this... (Score:3, Informative)
How's that any better?
Only can use source code to verify integrity? (Score:2, Interesting)
Anyone else have a problem with this? OK, I download source code, verify it looks fine, but if I want to use the program, I need to buy/download the binary from them -- whose binaries may not necessarily be compiled from the source code I verified to my satisfaction.
(Thank god for GNU and gpg, no strings attached beyond that "nasty" "viral" (sarcasm) GPL)
p.s. I guess we won't be seeing THIS product as part of gentoo! :)
Re:Only can use source code to verify integrity? (Score:2)
Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."
My interpretation of that is you can compile the source code, and you can use the executable generated from your compile, but only for evaluation means. You can't compile their code and then use that executable as your copy of PGP. But you can still use your compiled binary for verification.
Also, they never claimed this is GPLed code. What's with the animosity? I think this is a good thing - a for profit company showing all of their proprietary source code to their customers.
Re:Only can use source code to verify integrity? (Score:2)
Maybe the very idea of a backdoor in PGP is totally and groundlessly paranoid, but then think about who the product is marketed to.
Re:Only can use source code to verify integrity? (Score:2)
Or they're not the same - you now call and talk to their tech support and find out why they're trying to root you. You have your lawyer send them nastygrams. You do a write-up for slashdot about the experience.
Looks like a win-win scenario to me...
Re:Only can use source code to verify integrity? (Score:3, Insightful)
Differences in the compiler used will cause small differences in the binary. Used a different optimization setting? Oops, the code is different.
What you can do is build the sources, and use that to verify the signature on the binaries.
Re:Only can use source code to verify integrity? (Score:2)
But that still requires that you trust the person who built the binaries in the first place, since they'd be the one who also signs the binary.
I also seem to remember just compiling a simple DOS exe using the same compile settings always produced a different binary, although that might just be some sort of exe preamble or something.
My paranoia may be well unjustified, but what's the big deal about me compiling and then using my own binary rev?
It's not just encryption (Score:5, Insightful)
The recent trojanings of OpenSSH, etc, would have been caught even earlier if users had checked the OpenPGP signature distributed along with the tarball.
Student License (Score:2)
Now that its PGP not owned by NAI, I really want to own and use and promote this product. I however have no money as a college student. However, as a college student I think I would REALLY benefit from PGP. Not only keeping email between advisors and other students encrypted but also just keeping my personal records safe on the "wonderfully" secure campus network.
Anyhoo, just my thought trinkles.
I contributed $50 to Phil's legal fund... (Score:2)
Anyone else think it's expensive? $80 for Windows for one year, or $165 for a perpetual license. Ouch!
There's a more important use of PGP than privacy! (Score:5, Insightful)
I never cease to be amazed at how this aspect of PGP is never discussed. I guess all the stupid, nose-picking, trainspotting geeks all over the world really can't see beyond the government prying into their porn collections.
gpg can actuall help sell pgp (Score:3, Interesting)
we usually recommend pgp for less technical users - of which there are far more then on the server side. so pgp would get more sales from us due to gpg. i hope they sell lots of their s/w and make it even easier to use - it would really help us if less technical people were more exposed to pgp.
XP like activation (Score:2)
GnuPG seems a better choice (Score:2)
So, overall, I can't why anyone would use PGP.
Zimmerman made a great contribution, deserves tremendous credit for what he did, but as he says himself, it's all history.
Source available not as good as open source (Score:3, Insightful)
Great, I was looking for an opportunity to debug someone elses commercial software for free!
I applaud his efforts toward transparency, and restricted source is better than no source. But if I'm thinking of putting some effort into improving some software for me own use, it's an easy choice between GPG and PGP. With GPG, I know that my changes and the code that my changes are based on will be available to myself forever, and I can share my changes with others if the official source goes away.
Re:Broken? (Score:2)
The source has been available (Score:3, Informative)
Re:Broken? (Score:5, Informative)
PGP has been shown to be good secure code. Makeing the source available won't lessen the security. That is the point: peer review will strengthen the code. Phil Zimmerman knows what he is doing.
typo: (Score:2)
Re:GPG? (Score:2)
Re:There may be strings... (Score:2)
It's only reasonable for them to require 30 days to fix any bugs you might find, lest their customer's secrets be compromised in the meantime. Would you buy PGP if you knew any loopholes would be revealed before they could be closed, potentially exposing the secrets you're buying it to protect?
I wish Mr. Zimmerman success.
Re:There may be strings... (Score:2)
Re:One thing I've noticed: (Score:2)
Re:One thing I've noticed: (Score:2)
Does it preclude the person from saying "I found a flaw in PGP" without saying what the flaw is. [maybe even only saying THAT 30 days after sending the initial message to PGP corp informing them of the details of the flaw]...
This may put a little pressure on PGP corp to fix the flaw.... And alert others that there may be a flaw that can be found with a little digging on their own so that they can also inform PGP corp thus adding more pressure....
Re:One thing I've noticed: (Score:3, Insightful)
This provision renders dubious the actual security benefits gained from open examination of the source code, and I'll explain why:
If the corporation is on the top of its game and follows up on each and every report, sending an acknowledgement whether or not they actually decide to fix the flaw, we'll have a situation not unlike GPG or other open source projects. Anyone who agrees to a set of restrictions can examine the code and point out flaws in addition to offering fixes.
On the other hand, if they fail to acknowledge some of the issues being submitted to them, then the situation may actually be worse than not having the source code available at all. People with less-than-pure interests can find the flaws in the program much more easily, however those who actually want to help the community (perhaps making a name for themselves as well in the process) can neither disclose the vulnerability nor offer a patch.
No doubt this policy has been introduced as an attempt to encourage bugfinders to use more community-friendly methods of disclosure. My only problem with it as a potential customer would be that it fails to take into account the possibility that the company could be less than perfect with dealing with bug reports... and thirty days of operating a product of this nature with a known flaw is bad enough. Isn't RFP's policy [wiretrip.net] fair?
Re:John Grisham (Score:2)
Re:What about the Linux port?!?!?! (Score:3, Interesting)
There is the market for places that have an unofficial "only if fully supported by someone else" rule when purchasing software. [many companies wouldnt officially use Linux till RH and others had a viable support contract plan availible {and no I mean officially. many companies were using it without realizing they were
PS: I use both myself... It would be different if gpg had a better front end...