Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
News

PGP's New Release, Source Code, and PRZ 281

In high tech time, the span between Network Associates dropping PGP, its purchase by the purpose-formed PGP Corporation and that company's release today of PGP 8.0 may not be a short stretch, but it's been a busy several months. A product which appeared moribund despite widespread acclaim a few years earlier -- a victim of skewed corporate logic -- has rebounded for another major release, and Philip Zimmermann is doing something he's never done before: actually selling PGP. And as Zimmermann had urged long before NAI forged a deal with PGP Corporation, this time around the full source code is being released, albeit with strings. Read on for the rest of the story.

Would you buy PGP from this man?

Long before Dmitry Sklyarov was arrested for helping people undo e-book encryption, and before DeCSS was unlocking DVDs, Philip Zimmermann was being prosecuted for a nearly opposite endeavor: providing software which allowed ordinary people with a modicum of computer savvy to encrypt their own data in a way impractically difficult even for large government agencies to reverse. His modestly named application Pretty Good Privacy, or PGP, was released in 1991 as freeware and was quickly adopted by privacy seeking computer users.

Export controls then in effect barred international trade in such software; because of PGP's inevitable spread online well past the borders of the U.S., Zimmermann was accused of violating munitions-export laws. For a while, this made Zimmermann a poster boy for the right to create software free of intrusive restraint, and ended up in a three-year battle with the government which Zimmermann eventually won.

Now, in a twist worthy of novelization, Zimmermann has joined a small number of PGP Corporation partners on North America, and will be reselling PGP Corporation's version of PGP. Outside North America, PGP Corporation has sales partners in countries from Germany to Singapore -- in a sense, Zimmermann is simply their most famous salesman. (He also serves on PGP Corporation's technical advisory board and maintains a consulting relationship with the company.)

Sales, though, is really a sideline to Zimmermann's consulting business. "I'm not really switching my career to sales," he says. Zimmermann is nonetheless enthusiastic about his new role selling the software he kick-started more than 11 years ago, though it's a switch from his role in creating it. "I don't write code anymore," he said from his Silicon Valley home office. "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am." Zimmermann downplays the Federal government's legal proceedings against him in the first half of the 90s, calling it "old news" and "years in the past."

Like any large organization, in fact, the Federal government has a need to encrypt certain documents, so it's no surprise that the government bodies of every stripe use "a ton" of PGP. It seems likely that his sales venture means that Zimmermann will soon have come full circle, from producer of verboten software to vendor selling his product to government agencies. Zimmermann admits "It would be funny, and there would be a certain irony if that happens ... I'm hoping to sell to enterprise customers, large users, and that includes the government. If the government wants to buy it from me, that would be fine with me."

Something to sell, and source code, too.

PGP's present is finally catching up with its history (try this google search for a number of links): today's release of version 8.0 for Windows and Mac OS X differs not just in name from PGP as it was released under NAI's stewardship, because this time there is full source code to go along with it. (A Linux release is being investigated.)

The 8.0 release doesn't differ in basic purpose from previous versions of PGP: it's still intended as an easy-to-use approach to encryption for both business and personal use, with hooks to a wide range of network operating systems and mail systems; there are several simultaneous releases, actually, from freeware (for non-commercial use) to an Enterprise edition, and the features available vary with the price. There's also a link to download the full source, under certain conditions, from PGP Corporation's home page.

PGP Corporation director of products Stephan Somogyi says he's proud of the way the company has walked the tightrope between source code availability and securing its own interest in the product based on that code.

The license agreement it takes to download source code, however, contains clauses guaranteed to rankle some open-source advocates and security enthusiasts. For instance, part of the third section of the eight-section source code license reads: "You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you."

Another section carefully lists uses of the code which are explicitly prohibited, including a note that a downloader may not "give (meaning sell, loan, distribute, or transfer) the source code files to anyone else" (except under certain outlined circumstances). Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."

Somogyi draws a distinction here between the meaning of an End User License Agreement (EULA) and a source code license such as the one required to download the PGP source. The source code is there, he says, because "PGP [Corporation] is making it clear that we don't have anything to hide and that PGP remains a trusted brand, a trusted codebase."

With nothing more than a click-through license protecting it, there will almost certainly be rogue copies of the source code soon, but as Somogyi puts it, "the only place that anyone who cares about their security is going to get PGP is from us -- no one is going to use some randomly compiled version of PGP, because they don't know the provenance. It's all about trust, from our perspective."

Zimmermann, too, takes pains to note a distinction which sounds similar to one made by Microsoft in describing that company's "Shared Source" source code disclosure. "Publishing source code doesn't mean you've giving away the software -- if you think about it, John Grisham publishes his novels in source code form. Does that mean he's giving up his copyright in them? No. If Microsoft published the source code to Office, does that mean they wouldn't still want money for it? There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away."

Reputation and Propriety.

It's hard to say how much of PGP's reputation is really that of its creator.

Zimmerman's insistence on his right to create troublesome code, and on the freedom to encrypt which his software provided its users, endeared him to crypto-libertarians before most of the current battles of software freedom and philosophy had reached public consciousness.

Whereas Zimmermann famously left Network Associates, PGP Corporation seems much more interested in maintaining the integrity of Zimmermann's connection to PGP, which is if anything a tacit admission of Zimmermann's importance to the company's reputation.

"We would be foolish if we did not seek counsel from people who are the best in their fields," says Somogyi. "It's really important that Phil be involved." Zimmermann's presence on the technical advisory board from its inception will probably serve to reassure users worried about corporate machinations.

Should You Buy PGP from this man?

When PGP was first released, it was cutting edge -- in the sphere of ordinary computer users, it was a runaway hit. Now there are alternatives to PGP; in the Free software world, these include notably the GNU Privacy Guard (GPG), a suite of tools which aims to be a user-friendly equivalent to PGP consisting entirely of Free software.

Neither Zimmermann nor PGP Corporation's Somogyi seems worried about Free software alternatives to their own products, which can after all still be used free of charge.

"There's still a freeware version of PGP, and there's still going to be a free version of PGP, including the version that's coming out, version 8," says Zimmermann, who actually points to GPG and several other products from his sales web page. "I applaud the creation of GPG, we need to have multiple sources for this kind of technology. But you know, PGP is a good product, I think that it's easier to use."

Somogyi echos this line of reasoning. "Fundamentally I think that the people who use PGP is one group, and the people who use GPG are another, and I don't see a heck of a lot of competition between the two efforts," he says.

Zimmermann says that the prospect of selling PGP, though -- and making money from it -- is key to its prospects for success. "Look at what happened last time when nobody paid for PGP. NAI pulled the plug on the product. From February of this year until August, PGP was in limbo. ... Remember the National Lampoon from 70s, 'Buy this magazine or we'll shoot this dog'? That's what happened. They shot the dog!"

"It takes money to pay the engineers, it takes money to do all this stuff. PGP is a big important product, it doesn't just happen for free." And when NAI dropped PGP development, the software "went into an intellectual property black hole. When a company pulls the plugs on a product, it just disappears. All this political posturing about saying that cryptography should be free, that's all very nice, but it doesn't pay the bills."

This discussion has been archived. No new comments can be posted.

PGP's New Release, Source Code, and PRZ

Comments Filter:
  • by BlueAlien.Org ( 82929 ) on Tuesday December 03, 2002 @02:21PM (#4803763) Homepage
    If he can get corporations and individuals to buy his product, then where is the harm? I wish him the best of luck on trying to profit from his creation. Of course, the license is very prohibitive, but I don't see that as being a major factor affecting sales.

    - Rick
    • Good for him if he can pull it off, but GnuPG is free-as-in-your-mom. Who wants to pay for it?
  • by frovingslosh ( 582462 ) on Tuesday December 03, 2002 @02:22PM (#4803773)
    OK, I can now buy the software for personal use, but I can download the source for free (for review, yada yada yada). Anyone see a problem with this logic?
    • by Gemini ( 32631 )
      They're relying on users to either Play Nice or not be technically inclined enough to compile their own copy. It's not that absurd, really. How many people actually compile their own PGP? (How many people *should* is another issue).
      • I didn't see any instructions on how to compile it (then again, I didn't download it, so maybe the instructions are included). I doubt you can compile it with gcc; if it requires Microsoft's Visual Studio it would be cheaper to just buy PGP!

        So, any idea if/when we'll see a *nix version, with source code the customer can compile on Linux, *BSD, Solaris, HP-UX, AIX, etc. etc.?

    • The vast majority of potential buyers of PGP will not want to fiddle around with the source code. This way Zimmermann's company can satisfy its core customer base along with the majority of geeks who like to mess around with the source code of a great piece of software. Its actually a pretty good idea IMO.

      - Rick
    • Check out RedHat. You can download everything for free, even in ISO image format. Or you can go to Fry's and plunk down $50 for the exact same thing. This business model actually works. Not everyone wants to go get a compiler and compile the source from scratch.
      • Not exactly.

        The product at Fry's comes with support and documentation that is otherwise not included. It may be a highprice to pay for information which is otherwise available all over the net, but for some it is simply a matter of convenience.

        -R
        • A high price to pay? OK...start by putting a price on your time. Print the information that's otherwise available on the net. Now cut those pages to size and bind them together. The books that come with the $50 retail package are starting to look pretty inexpensive. =)
      • Re:RedHat too (Score:2, Insightful)

        This business model actually works.

        No, this business model actually causes a negative cashflow [yahoo.com]

    • by Night Goat ( 18437 ) on Tuesday December 03, 2002 @02:27PM (#4803827) Homepage Journal
      They explain it in the article. The makers of PGP feel that some guy compiling the source code and making it available or using it himself isn't going to cut into their profits too much because most people interested in using cryptography aren't going to use some shady, homebrewed, perhaps compromised program, they're going to buy it straight from PGP so they can trust it.
    • by ergo98 ( 9391 ) on Tuesday December 03, 2002 @02:29PM (#4803840) Homepage Journal
      You can buy a copy of Windows at Best Buy, or you can download it from a warez channel, or you can go to a friends and rip an ISO of his copy. Doe sanyone see a problem with this logic?

      Phil has always advocated that it is very important that there is peer review of security products, and I entirely agree with him on that point, but he is not An open source advocate (which is why I find the nitpicking about the license absurd: It's not GPLd, folks, it's peer review. The release of the source is only intended to allow for particularly paranoid folks to ensure that there aren't any backdoors in the code). They are two entirely different things, and it's completely reasonable for him to release those products as he has.

      If someone builds the source and distributes the binary, they are no different from someone ripping an ISO and distributing warez.
      • by mmol_6453 ( 231450 ) <short DOT circui ... OT grnet DOT com> on Tuesday December 03, 2002 @04:01PM (#4804723) Homepage Journal
        While I applaud your distinction between peer review and open source, I have to ask: How do we know that a binary we're given, and some source code we're given, amount to the same product?

        Take "main(){printf("Hello!\n")}" and "main(){printf("%s","Hello!\n")}"

        While functionally identical, gcc will compile them into two very different binaries.

        In short, there's no way to verify that the source code and the program are the same. Even if the two programs appear to respond to every interaction in the same manner, there's no way to know that there isn't a back door in the pre-compiled version.

        And we're prohibited from using the provided source code for anything but verifying a lack of flaws. Legally, we can't buy the program and compile the accomanied source for personal use.

        I'm not saying "Don't trust PGP." I'm just pointing out a flaw in their peer-review logic. If they allowed you to use the compiled source for personal use, then all would be well. (Aside from moral compunctions, of course.)
        • by ergo98 ( 9391 )
          I would back it up by pointing to the site, however right now it appears to be completely slashdotted. As such I'll have to say this without reference, but I'm pretty sure that the source code disclaimer list specifically mentions that it can be used to compile into a binary to compare with the binary that they give to ensure that there are no back doors, etc. If it's like prior versions, they'll give a specific list of versions of software (i.e. Visual Studio version XYZ) to compile it with, and truly the result will be a perfect clone of the distribution binary.
        • by Anonymous Coward
          Now -that's- some serious paranoia. How do you know the compiler you're using doesnt add some backdoors to your exe? Did you read through all the code of your compiler and then compile your compiler itself? Or maybe you wrote your own compiler? What if someone swapped out the compiler on your computer with a trojan'd version while you were on lunch-break!? Snakes! Snakes! All over me!
        • by Tassach ( 137772 ) on Tuesday December 03, 2002 @05:23PM (#4805426)
          In short, there's no way to verify that the source code and the program are the same.
          Nonesense. You download the source and compile it in a build enviornment that matches the one used to produce the official executable.

          If the MD5 and SHA1 checksums of the code you compiled locally matches those of the distributed version, you have a very high degree of confidance that the distributed executable was indeed compiled from the published source code. If they don't match, tampering is a possibility.

          In order to do this successfully, you need two things that seem to be lacking in this case: the makefile used to compile the official executable, and all the pertinent details about the build enviornment (compiler version, versions of statically-linked libraries, and so forth). If you can't exactly duplicate the build enviornment, it's probable that there will be differences in the executable code even if it was compiled from the same source code.

  • Turnaround Time (Score:5, Interesting)

    by Steve B ( 42864 ) on Tuesday December 03, 2002 @02:22PM (#4803777)
    You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you.

    I'd be more comfortable with this if there was an absolute cap that did not depend on the acknowledgement. As written, it would seem to allow PGP to freeze the clock indefinitely by simply not responding.

    • Re:Turnaround Time (Score:5, Interesting)

      by Cyclometh ( 629276 ) on Tuesday December 03, 2002 @02:27PM (#4803823)

      It's a good point, but they know as well as anyone that an unacknowldeged problem becomes an embarrassing public one when the problem is posted anonymously, which is what would happen if they "froze the clock" in the manner you speak of.

      I'm willing to extend them the benefit of the doubt on this one... they'd be hurt more than most of the software producers by having a security bug go unacknowledged/unpatched. It's not like a license agreement is going to stop the spread of any vulnerability info at any rate.

    • If they have an automated reply-thingie that goes something like "Thank you for your mail. We'll be looking into it as soon as possible. Your reference no for this mail is #34524" and the 30 day limit starts there, I like it. If they can arbitrarily delay it or pretend they didn't get it, I don't.

      Kjella
      • The problem is, that they CAN do that. Even if they don't do that originally, a change in management can change a policy. So if they CAN delay responding indefinitely, then one must operate under the assumption that at some point they WILL.

        This is the same reason that corporations are reluctant to become dependant on single-source providers. Once you become dependant on someone, even if you trust totally the people you originally dealt with, there can be a change.

        So this part of the licens renders the program unuseable. The rest of it makes sense. I wouldn't do it that way, but I'm not trying to run a company around a product. But the "until we acknowledge" limitation is too big a lump to swallow.

    • Re:Turnaround Time (Score:5, Interesting)

      by dillon_rinker ( 17944 ) on Tuesday December 03, 2002 @02:55PM (#4804049) Homepage
      allow PGP to freeze the clock indefinitely by simply not responding
      Precisely. And what happens if they go out of business? This is one of the key things that many otherwise well-intentioned source code license agreements fail to recognize: the software may outlast the the company that created it. It would likely be problematic even if some other corporation bought the PGP vendor. It is not uncommon for someone to buy the ASSETS of an insolvent corporation, but the obligation to respond to queries about source code could would logically be considered a LIABILITY.

      Anyway, I think they had good intentions with this clause but they've paid too much attention to their lawyers. Perhaps, if the clause as written turns out to be a problem, (good) hackers could merely post "I have some interesting information about the product, but I am legally prevented from disclosing it by Section X, Paragraph Y of the source code licensing agreement. Please encourage the PGP vendor to acknowledge my emails"
  • by masonbrown ( 208074 ) on Tuesday December 03, 2002 @02:22PM (#4803779) Homepage
    OK, as a corporate user with a Win2k machine using Outlook, is there any significant reason to upgrade to 8.0 from whatever I'm using now and have used for a year or so? I know the article says there aren't significant changes, but I'd be interested in what specifically is better / improved.
  • by SweetAndSourJesus ( 555410 ) <JesusAndTheRobot AT yahoo DOT com> on Tuesday December 03, 2002 @02:23PM (#4803791)

    I plunked down my cash first thing this morning.

    It looks like they're pretty swamped. The download failed, and, after the third try told me that the link had expired.

    We are sorry that we are unable to complete your download at this time. This download link expires three weeks from purchase and after three downloads.

    I guess this means I've got to call their customer service deptartment today. So, you may want to wait a bit before buying. The beta I've got for OS X doesn't expire until 12/06/2002, so I'm not totally screwed yet.

  • by Kenja ( 541830 ) on Tuesday December 03, 2002 @02:24PM (#4803800)
    PGP must be good encryption. I've been trying to brute force decrypt the phrase "zimmermann" and I've had no luck at all so far.
  • PGP is overrated (Score:4, Insightful)

    by Hairy_Potter ( 219096 ) on Tuesday December 03, 2002 @02:28PM (#4803831) Homepage
    so is GPG. If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. Uncrackable files don't mean much when traffic analysis shows email to the Cali cartel and cyber-cafe's in Pakistan.

    But, just like the NRA sorts, who cling to the illusion that their pre-ban AR-15 will protect them against the black helicopters, PGP users delude themselves into thinking they're making a heroic stand for freedom, when in reality, no one cares about their encrypted plans to sleep in line for the Two Towers premiere.
    • by SweetAndSourJesus ( 555410 ) <JesusAndTheRobot AT yahoo DOT com> on Tuesday December 03, 2002 @02:32PM (#4803874)
      I can't remember where I read this analogy, but I'm pretty sure Zim came up with it:

      You use envelopes, right? Why? Becuase you don't want everyone in the post office reading your mail. If you didn't care, you'd use postcards. Sure, the envelope isn't bulletproof, but it's enough to keep the casual snooper out. Same deal with PGP.

      You're right, if the Man wants to read your email, he's going to do it. PGP isn't designed to be a totally secure system, just a mostly secure one.
      • and the utilities and credit card companies get pissed if you staple the check to the bill.

        Christmas time and ebaying are about the only time of year I mail non-bill stuff.
      • I can open an envelope - no prob.
        But I can't crack PGP.
        plus envlopes keeps multiple items niceley together.
        Close but bad analogy.
        • Yes, you can crack PGP. It's completely unsafe to presume that it can't be done. You can't open an envelope without tampering with it, which is where PGP signatures come in.

          I guess if you want to look at the utility aspects, PGP isn't designed to keep multiple items together, that's why we have tar [gnu.org].

          Even if it is a bad analogy, isn't this a more reasonable viewpoint than the "fuck it, Uncle Sam's got us by the nuts, I give up" attitude espoused in the original post?
          • I never said it couldn't be done. I just said "I" couldn't crack PGP, but I can open an envelope. I beleave the majority of people are about like me when it comes to that situation. :-) I agree with you that it does keep things together which is nice as well.

            Its a close analogy, maybe not entirely bad. And yes I do agree with you about the other post. Why would I worry about the gov listening to my phone converstations when all of the communciation I want kept private are done encrypted on the net. Its possible for a slip up, but I think it can be done.
          • It's called "Pretty Good Privacy" for a reason. It's not perfect, but it's good enough for most purposes.
      • You use envelopes, right? Why? Becuase you don't want everyone in the post office reading your mail. If you didn't care, you'd use postcards.

        Umm no. Not that I use letters much anymore, e-mail / IM / phone covers most of my informal contact need. When I send a letter in an envelope it's because:
        • I'm sending something too long to fit on a postcard
        • I'm attaching something (photos, birthday card)
        • It's typed up on my computer, and my printer doesn't handle postcards well
        • The reciever expects a letter (say a job application)
        Granted, there are a few times when I want an envelope for privacy reasons. But that's far from the only reason.

        Kjella
      • Who cares about the man??? I do nothing that they would care about anyway.
        What I do care about is that the owner of the company I work for let someone get the password for his email box. Someone has been reading his email. So on goes PGP and I just hope he does not give that password to someone.
    • If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. Uncrackable files don't mean much when traffic analysis shows email to the Cali cartel and cyber-cafe's in Pakistan.

      And that's great. They'll get the terrorists they want, and nobody will know what I've been discussing with my fiancée, or with my friends, or whoever. And they'll not know what my company has been discussing with some other business out there. (Commercial secrets are still secrets)

      Doesn't sount too bad after all.

      You can still get evidence to take a criminal to court -- and that's good. But people won't read yout e-mails and know what you've been discussing (they won't know too much about your private life).

      Not that tere aren't other problems, of couse, but then, there is always a problem... :-)

      • They'll get the terrorists they want, and nobody will know what I've been discussing

        Yeah, except that these days they'll profile you into the same category as those sending email to the Cali cartel and to Pakistani ISPs just because you're bothering to use PGP.

        Feds: "Better look into this guy concealing traffic with PGP encryption! He's hiding something!"
        .
        .
        (later)
        .
        Feds: "It's OK! After we installed our Scarfo-nabbing keyboard logger on his PC and glommed onto his passphrase we found out he was just describing an over-bed trapeze with his GF."
        Islamic extremists will have effectively won their biggest victory when they get the U.S. to abandon precious rights and liberties for a society as repressive as anything the Taliban could dream up.
    • they'll surround you with Tempest vans

      Tempest vans? Are they anything like Super Vans? [zylmex.com]
    • by RealAlaskan ( 576404 ) on Tuesday December 03, 2002 @03:01PM (#4804097) Homepage Journal
      If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. ....

      So, given that's true, why bother encrypting anything? Answer: if a lot of innocent traffic is encrypted, it significantly raises the effort level required to identify the non-innocent traffic, and thus makes it much less likely that the government WILL decide that it ``really wants to get you''.

      Is that a good idea? Even after the events of the last year, government in general still seems to have the resources to be a greater threat to us than all the Islamic malcontents in the the world put together. Some of those governments definitely have the will to do us harm; after all, some of them are run by those same Islamic malcontents. Some of us are living under the power of those evil governments. PGP and its successors have been used by human rights groups operating in countries like Yugoslavia, to keep records secret.

      Don't forget, also, that while a despot might tire of amusing himself by persecuting you, the bureaucrats who persecute decent folks in the western world are doing it for our own good, and their self-image as good people and hard workers depends on putting Dimitry in jail, or busting down the doors of prople who have violated a contract with their cable company by uncapping a modem, or what-not. The people who are probably the greatest threat to us in the US and Europe are these well-intentioned, honest, hardworking idiots, who honestly believe that they are protecting us all. Sometimes they ARE protecting us all, and sometimes they are doing quite the opposite, but they are always trying to earn their pay by doing their job, no matter how destructive that may be.

      Overall, I think it is an excellent idea to make it as difficult as possible for the government to keep tabs on us, or to single us out, even when our government is NOT deliberately evil, as is the case in the US.

      ... PGP users delude themselves into thinking they're making a heroic stand for freedom, when in reality, no one cares about their encrypted plans to sleep in line for the Two Towers premiere.

      It isn't just governments that have secrets. Most companies have marketing plans, customer lists, and so on that their competition would give big bucks to get. If only the sensitive email is sent encrypted, it's obvious which messages need to be cracked. It's also obvious when there is a flurry of sensitive activity. If you also encrypt your non-sensitive email at work, that eliminates that sort of problem.

      Finally, personal, frivolous users of encryption ARE helping folks who have a serious need for it, at least indirectly. See my first paragraph. If they are deluded, well, that's good for the rest of us. We can't afford to have things reach the point that using PGP makes you a suspect. The world is full of folks who are eager to do bad things to good people, some of them with the very best of intentions for the very people they'd harm.

    • If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls.


      True enough. However, I don't want to publish my travel plans to too many people via unencrypted e-mail every time I send my family the flight number I'm coming in on. I've had my home burglerized once. I don't think anyone who has had that experience wants to go through it again.

      PGP and GPG also provide signatures. In the semi-anonymous world of the web and open source, there's a lot to be said for signing your source code.
    • If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls.

      The objective is not to create perfect security (which is, as you correctly say, not possible). The objective is to make your security good enough for most practical purposes.

      Yes, the government can use various sorts of surveillance measures to get your messages anyway. However, requiring trained personnel to set up monitoring vans or do black-bag jobs limits the total number of surveillance targets. That makes wide-ranging fishing expeditions impractical, and inhibits abuse by bored or vindictive individuals. Also, it leaves a bigger trail (more memos, more people directly involved) to be traced if -- OK, when -- the government does break the law.

    • PGP is overrated... so is GPG. If the government really wants to get you [they will]

      Well, duh. However, PGP might just protect my trade secrets from being intercepted by a competitor. PGP might also protect my medical information from a private detective trying to dig up some dirt on me for a bitter ex-spouse. Competitors and private detectives don't have the resources of the United States government and PGP works just fine against them. Furthermore, PGP has most certainly been successfully used to protect human rights workers [philzimmermann.com] from clumsy oppressive governments. If that's not a great accomplishment, I don't know what is.

  • To be or not to be (Score:4, Insightful)

    by Subcarrier ( 262294 ) on Tuesday December 03, 2002 @02:32PM (#4803864)
    "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am."

    Sounds like he is trying to convince himself that he is happy and it's not quite working.
  • by SiliconEntity ( 448450 ) on Tuesday December 03, 2002 @02:32PM (#4803869)
    Is the PGP source code signed? If so, then there is no question of provenance as quoted in the article. You can get the source code from anywhere and verify the signature (using an old, trusted copy of the PGP binaries if necessary). That will prove that the source has not been altered and it is just as good as getting it from the company.

    (If PGP is not signing the source code that would be a bit odd, not using the very technology that they are selling. Presumably they are in fact signing it and the provenance thing was just marketing BS.)
    • by Kragg ( 300602 )
      So let me get this straight... you think they should sign the PGP source download... with PGP... so that people can unpack/make/install it, and then use it to verify that it isn't dodgy?

      I wonder why they didn't think of that.
      • you think they should sign the PGP source download... with PGP... so that people can unpack/make/install it, and then use it to verify that it isn't dodgy

        No, I said they could use an old, trusted copy of PGP to verify the signature on the new version. That's how PGP has done it in the past AFAIK.
  • by Yoda2 ( 522522 )
    I sure hope the pending SDK [pgp.com] has support for the latest version of Java. I have yet to get the latest version of Cryptix OpenPGP [cryptix.org] to work with the J2SE v 1.4.1 [sun.com].
    • I ended up resorting to doing Runtime.exec( ) on gpg with all the batch and automatic "yes" flags enabled. Works pretty good, but the feedback is a little crummy (0 on success, != 0 on failure).
  • All I see are Windows and Mac versions on their download page [pgp.com]. That's, um, mostly useless to a lot of folks (as in the kind of folks into crypto who are more likely to be running Linux or Solaris or *BSD than Joe eMachine is).

    I fail to see how the PGP vs. GPG question isn't settled on this very point. PGP won't even run on many platforms, so any ease-of-use claims should be dimissed out of hand on that basis alone. The choice is really between GPG (which is being actively developed) and freeware PGP [mit.edu] (which looks to be getting pretty old). That isn't much of a choice.

    Go ahead and flame away...

    -B

  • by angst_ridden_hipster ( 23104 ) on Tuesday December 03, 2002 @02:37PM (#4803918) Homepage Journal
    ... PGP 7.0 had the annoying problem that the firewall / network filtering stuff it wanted to install would completely hose XP's network stack.

    Oh, and if you ran the un-installer, trying to fix it, it would remove the TCP/IP stack from XP altogether (even though that's not supposed to be possible).

    If you rolled back using the XP Configuration tool, it was all OK. If you tried to reinstall XP's TCP/IP stack alone, or repair it using the install disk, you got mightily screwed by the fact that XP doesn't do a proper TCP/IP reinstall, coupled with the fact that when you run this reinstall/repair, it blows away your ability to roll back to a good configuration.

    OUCH...

    Of course, if you installed it without the network stuff, it was OK, and just makes XP occasionally pop up messages saying that the SDK driver is unavailable.
  • I'm CONSTANTLY reading about how MS's EULA are so terrible, yet this one prohibits what you can and cannot say about the product and *this* is acceptable? Talk about truly restricting free speech (I don't even know if this is legal). Anyone who buys this has got to be out of their fucking minds. I buy MS stuff (licenses and all), but I wouldn't touch this with a 10 foot pole.
  • WTF? I can download the source code to audit, but I can't compile it for any other use than to verify it? This means I can't use the compiled source code in daily normal use?

    Anyone else have a problem with this? OK, I download source code, verify it looks fine, but if I want to use the program, I need to buy/download the binary from them -- whose binaries may not necessarily be compiled from the source code I verified to my satisfaction.

    (Thank god for GNU and gpg, no strings attached beyond that "nasty" "viral" (sarcasm) GPL)

    p.s. I guess we won't be seeing THIS product as part of gentoo! :)

    • I don't think you read it correctly.

      Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."

      My interpretation of that is you can compile the source code, and you can use the executable generated from your compile, but only for evaluation means. You can't compile their code and then use that executable as your copy of PGP. But you can still use your compiled binary for verification.

      Also, they never claimed this is GPLed code. What's with the animosity? I think this is a good thing - a for profit company showing all of their proprietary source code to their customers.
      • What's with the animosity?
        Because they missed the whole point about why people wanted the source code: to be sure there aren't backdoors. If I send you a binary that that may contain a trojan, and then I also send you this source code:
        10 print "hello world"
        then you can be sure that the binary I sent you, is safe to use. Right?

        Maybe the very idea of a backdoor in PGP is totally and groundlessly paranoid, but then think about who the product is marketed to.

    • So you download the software, you compile the source, and you do a bit-by-bit comparison. They're the same - you have now verified that the binaries are compiled from the source code you verified.

      Or they're not the same - you now call and talk to their tech support and find out why they're trying to root you. You have your lawyer send them nastygrams. You do a write-up for slashdot about the experience.

      Looks like a win-win scenario to me...
      • Erm...no.

        Differences in the compiler used will cause small differences in the binary. Used a different optimization setting? Oops, the code is different.

        What you can do is build the sources, and use that to verify the signature on the binaries.

        • What you can do is build the sources, and use that to verify the signature on the binaries.

          But that still requires that you trust the person who built the binaries in the first place, since they'd be the one who also signs the binary.

          I also seem to remember just compiling a simple DOS exe using the same compile settings always produced a different binary, although that might just be some sort of exe preamble or something.

          My paranoia may be well unjustified, but what's the big deal about me compiling and then using my own binary rev?

  • by Gemini ( 32631 ) on Tuesday December 03, 2002 @02:58PM (#4804073)
    A lot of people have posted comments to the effect of "If they want to get at your secret email, they will anyway despite PGP". Don't forget that GnuPG/PGP has a huge other use as well. OpenPGP signatures are what protects a huge number of software packages from tampering.

    The recent trojanings of OpenSSH, etc, would have been caught even earlier if users had checked the OpenPGP signature distributed along with the tarball.
  • You know - when PGP was owned by NAI I had no qualms just warezing it. I loved PGP disk and a few other PGP things. Just quick encryption of files was nice. A little tighter encorporation with Outlook and taking up less recourses would be very cool.

    Now that its PGP not owned by NAI, I really want to own and use and promote this product. I however have no money as a college student. However, as a college student I think I would REALLY benefit from PGP. Not only keeping email between advisors and other students encrypted but also just keeping my personal records safe on the "wonderfully" secure campus network.

    Anyhoo, just my thought trinkles.
  • back in the 90's. Does this mean I get a discount?

    Anyone else think it's expensive? $80 for Windows for one year, or $165 for a perpetual license. Ouch!
  • by aquarian ( 134728 ) on Tuesday December 03, 2002 @03:40PM (#4804513)
    To me, there's a more important, significant use of PGP than privacy. One of the biggest obstacles to *really* doing business over the internet is being able to verify where messages come from. PGP provides this. A PGP signed message is as good as a signed piece of paper.

    I never cease to be amazed at how this aspect of PGP is never discussed. I guess all the stupid, nose-picking, trainspotting geeks all over the world really can't see beyond the government prying into their porn collections.
  • by kevin lyda ( 4803 ) on Tuesday December 03, 2002 @03:44PM (#4804550) Homepage
    we use (or advocate the use of) gpg to encrypt and auth sensitive data for our servers. this is not to protect the files from the gov't, it's to stop data with a high monetary value from being stolen. most of us at work at least have gpg configured.

    we usually recommend pgp for less technical users - of which there are far more then on the server side. so pgp would get more sales from us due to gpg. i hope they sell lots of their s/w and make it even easier to use - it would really help us if less technical people were more exposed to pgp.
  • From reading their site [pgp.com], it sounds like they are now using XP like product activation. You enter your license key, then it contacts their servers to validate your license.
  • I can't think of any reason to prefer PGP to GnuPG, and there are some reasons (already pointed out) for preferring GnuPG to PGP.

    So, overall, I can't why anyone would use PGP.

    Zimmerman made a great contribution, deserves tremendous credit for what he did, but as he says himself, it's all history.
  • by ChaosDiscord ( 4913 ) on Tuesday December 03, 2002 @05:00PM (#4805211) Homepage Journal
    There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away.

    Great, I was looking for an opportunity to debug someone elses commercial software for free!

    I applaud his efforts toward transparency, and restricted source is better than no source. But if I'm thinking of putting some effort into improving some software for me own use, it's an easy choice between GPG and PGP. With GPG, I know that my changes and the code that my changes are based on will be available to myself forever, and I can share my changes with others if the official source goes away.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...