Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Encryption Security

Can GnuPG Deliver? 286

jso888 writes "After Network Associates decided to halt further development of PGP, I'm sure that many users like myself who use non-CLI platforms most of the time, wondered "what next?" (PGP Freeware is not an option, since it's tied into the Network Associates product). Salon today has a nice article on GnuPG, the Open PGP/GNU alternative. The article highlights one of the problems with Open Source software today: its "by the geek, for the geek" nature, which by and large places barriers to mass adoption of OSS, especially important capabilities like personal encryption. One of the nice things about NAI PGP was its ease of use and commercial polish. It was easy to install and use, and integrated nicely with Windows software like Eudora and ICQ. GnuPG, admittedly, isn't quite there yet, the article concludes. That's too bad; given the privacy-hostile world we live in, the last thing we need is another barrier to widespread cryptography adoption."
This discussion has been archived. No new comments can be posted.

Can GnuPG Deliver?

Comments Filter:
  • by Anonymous Coward on Wednesday March 27, 2002 @11:13PM (#3238562)
    No one is building encryption or other security measures directly into products.

    Encryption by itself is too difficult and esoteric for normal users. If you want to see it spread, make it easy to use and easy to understand.
    • by mlk ( 18543 ) <michael.lloyd.le ... NO@SPAMgmail.com> on Wednesday March 27, 2002 @11:22PM (#3238602) Homepage Journal
      SMIME, and Outlook.
      It's dam easy to set up and free to get a key (and a nice button on Outlook).
      No, the reason people don't use it is there is little point, not even my BANK recomends sending emails with personal data encripted!

      (alas not all email clients or mail servers support S/MIME yet)
      • by coyote-san ( 38515 ) on Thursday March 28, 2002 @02:43AM (#3239258)
        The problem isn't S/MIME per se. Anyone who can use OpenPGP libraries can easily use S/MIME, and vice versa. The problem is Outlook, pure and simple.

        I don't remember the details, but it's been discussed on the OpenSSL lists recently. Outlook has totally dropped the ball on multi-part S/MIME messages. Because they're the 800-pound special-ed gorilla their incompetence means that few people are interested in using correctly working multi-part S/MIME tools that can't interoperate with the majority of people, while the coders understand how much damage is being done by the broken Outlook implementation and refuse to be involved in any effort that gives it credence.

        I'm rarely see black hats hiding in shadows, but this is one of those exceptions. It's too easy to imagine some spook taking advantage of the fact that MS can kill the market for secure communications, while ensuring that the tools are still available for their users.
      • I disagree that it's easy to get a key in OE. Yes it will ask if you want to get a key and open a browser to a start page listing some key vendors but from there one it becomes increasingly confusing. For example, click on the Verisign link and it tells you must pay $15 (yeah right) for a year long key or get a 60 day trial key (useless). Global Sign charges 16 euros or get a 30 day trial key (worse than fucking useless), BT dumps you in their order catalogue, Thawte dumps you in a sales pitch. I gave up trying with the last two after a few links.


        In short none of these options makes it easy to get a key. And even assuming you want one, they'll ask for your life history and passport/social security/credit card numbers before they'll hand one over. That's too bad for anyone under 18 or in a repressive country.


        And in a years time your certificate expires. And your certificate is not signed in any meaningful sense (Verisign et al disavow any knowledge of your actions) so the signature means nothing at all.


        Aside from that, SMIME is just too damned slow compared to PGP/GPG which use mostly symmetric encryption and are therefore much faster than asymmetric SMIME.


        So no, Outlook Express doesn't make it damned easy and SMIME just stinks anyway.


        Easy to me means having something akin to PGP's Key Generation Wizard built into the mail software. When I sign and send a message without a key it should launch the wizard ask me a few simple questions, ask for a password, generate the key, ask me if I want to publish it and that is it. Mail is signed and sent. If I receive messages containing an X-pgp-ID header, my email software should be able to look up and retrieve their public key from the server.


        Now that would be easy.

    • Encryption by itself is too difficult and esoteric for normal users. If you want to see it spread, make it easy to use and easy to understand.
      You mean, like... ROT13?
    • Encryption by itself is too difficult and esoteric for normal users. If you want to see it spread, make it easy to use and easy to understand.

      That's why I'm developing Herbivore [demon.co.uk], a zero-effort mail encryption system.

  • secrets and PGP (Score:3, Interesting)

    by 56ker ( 566853 ) on Wednesday March 27, 2002 @11:13PM (#3238563) Homepage Journal
    How many of us actually have secrets to hide that we go to the bother of encrypting them with PGP any more though? I have only ever sent a few PGP e-mails before I figured it was too fiddly and time consuming to bother with.
    • I agree.. And I don't understand the concept of PGP Sigs either.. How does that prove anything? What's to prevent me from smacking a PGP Sig on my email? Does anybody verify those?

      • Re:secrets and PGP (Score:4, Informative)

        by theNote ( 319197 ) on Wednesday March 27, 2002 @11:18PM (#3238589)
        Good email clients will automatically check the signature for you and display the identity verification.
        So, yes, in a way I check them all the time.
      • yes,
        Every time I get an email with a sig - and my email is always signed
      • Re:secrets and PGP (Score:3, Interesting)

        by tzanger ( 1575 )

        And I don't understand the concept of PGP Sigs either.. How does that prove anything? What's to prevent me from smacking a PGP Sig on my email? Does anybody verify those?

        I use KMail; it has very nice GnuPG integration, the only missing feature is for *it* to go through and encrypt my attachments instead of making me do it. At any rate, any email with a PGP sig is automatically checked and since I have the colour bar enabled signed messages with keys I trust (and that pass) are in a green border. Good sigs with keys I don't know/trust are in a yellow border and bad signs are in a red border. Very eye-catching and very nice.

        I generally sign messages (not encrypt) if I want to give the person on the other end a way of verifiying that what I sent didn't get altered. I encrypt when I don't want anyone else reading it. It's perhaps a subtle difference, but I use it quite often.

        • > I use KMail; it has very nice GnuPG integration,
          > the only missing feature is for *it* to go through
          > and encrypt my attachments instead of making me do it.

          I use kmail, too and this lack of total encryption has bothered me, too. kmail ATM only signs the text of the mail itself.

          BUT, thanks to the German sponsored project AEGYPTEN, the next version of kmail will have openpgp specified mime multipart encryption and also full S/MIME support. [And also LDAP support and so on, mutt will get S/MIME support out of this.]

          By the next version I mean KDE3.1, which will be there end of summer.

          You can already check out the AEGYPTEN branch of kdenetwork:
          http://www.gnupg.org/aegypten/develop ment.en.html
          http://www.gnupg.org/aegypten/develo pment.de.html
          ftp://ftp.gnupg.org/gcrypt/alpha/ae gypten/
      • And I don't understand the concept of PGP Sigs either..

        So what is this "PGP sig"? Is it a witty quip, or is it just some spam message you can't remove unless you upgrade from the free version?

        I'd rather use a product that lets me write my own sig.

      • A public key can be signed by others. For instance: person A meets B IRL. They can now confirm they are who they say they are. So, A signs the key of B, B signs the key of A.

        A while later, A meets C, both sign their keys.

        Now B can trust C, because B trusts A.

        When a PGP sign is not trusted, pgp or gpg will always tell you about it.

        Signing at the very least means subsequent mails can't be forged. If you trust somebody who sends you a signed message, you can trust all mail signed by his signature is his.

        A one-time message with an untrusted key means exactly nothing.

        Personally I check all signatures automatically because I use mutt and gpg. gpg automatically fetches keys from a keyserver.
    • Re:secrets and PGP (Score:5, Insightful)

      by ilcylic ( 44476 ) on Wednesday March 27, 2002 @11:21PM (#3238597)
      The point isn't whether you have secrets now, it's whether you'll ever have secrets. If you only send one encrypted email, and "someone" is watching, they know to devote all of their effort to breaking that one message. It's not a matter of "having secrets to protect", it's a matter of ideologically being a thorn in the side of people who want to be able to read your email.

      The other point is that it's better to use encryption because you can. It's like always using ssh, instead of "just when you don't want someone to snoop your connection". Use encryption all the time, because protecting your privacy is always a good thing.

      -il cylic
      • Well, plus, with ssh versus telnet, telnet transmits your passwortd in plaintext, so it is even more crucial to use ssh to protect logins than normal mail. The problem with always using encrypted email is that you have to basically add a prompt to send a message to ask wheteher to encrypt or not. It isn't to the point where you can shoot off encrypted emails to anyone with the expectancy their mail reader can handle it.. I look forward to days like that..
        • Without some form of automated (and presumably secure) key exchange, you can't really send automatically encrypted email to someone anyway. You first have to get their public key, which should also imply that they can accept encrypted mail.

          • -----BEGIN PGP SIGNED MESSAGE-----
            Hash: SHA1
            Without some form of automated (and presumably secure) key exchange, you can't really send automatically encrypted email to someone anyway. You first have to get their public key, which should also imply that they can accept encrypted mail.

            There is - it's called a keyserver, and there are lots of them (which synchronise their keys periodically). You can upload your key to one, and set your software to automatically download a key when needed (to verify a signature).

            The keyserver itself it not secure - the security lies in a so-called "web of trust". In essence, you can sign someone else's key once you have verified its veracity by face-to-face meeting or phone call (assuming you trust your ability to recognise his/her voice on the phone). If enough people sign each other's keys, you can trace a path of key signatures (no pun intended) from you to an arbitrary key you downloaded, and you know there is some assurance that the key is genuine. Of course, this relies on everyone in the chain being very careful only to sign keys they know for sure they can trust. (That is not something you can build into a software product - you can only document how the process works, and the user has to take responsibility to get it right.)

            The advantage of the web of trust is that it is free and decentralised. The alternative is to use certificate authorities (CAs) who are centralised and well-known. This is how SSL web sites usually work. The process is similar, except that the web is very shallow in that everybody implicitly trusts those few CAs. And CAs generally don't sign your keys for free - it's a service they sell. As such, it is quite practical for e-commerce, but in my opinion not at all practical for individuals.

            -----BEGIN PGP SIGNATURE-----
            Version: GnuPG v1.0.6 (GNU/Linux)
            Comment: For info see http://www.gnupg.org

            iD8DBQE8oyFcXk7sIRPQRh0RAmvRAJkBb304Qw9HbF/obB+nyN duk/6NdQCdFhel
            lZI4CNAroR8RxG3ZmGkFf30=
            =32AC
            -----END PGP SIGNATURE-----
    • Re:secrets and PGP (Score:2, Informative)

      by 0xB ( 568582 )
      Everyone has secrets .. financial information for example.

      Do you use secure websites to order online, or do you use sites with no encryption?

      Do you email your bank account information to family members using PGP, or in plain text?
    • How many of us actually have secrets to hide that we go to the bother of encrypting them with PGP any more though?

      All of us. I do not consider the information on my accounst, short term and long term debt to be a matter for the public domain



      My bank uses PGP (Nationwide in the UK, one of the 5 largest banks here). For all customer related communications. All email is signed (no exemption) and encrypted if needed. You should expect no less from your bank. If it does not I suggest you change it. To a bank with a clue. I know it may be problematic in some countries suffering from acute terrorism paranoia. Problematic, but not impossible.



      That is just one example. We can extend the list with personal health (yours or of family members abroad), internal business matters where you work, to be continued ad naseum.


    • We are not hiding secrets, we are protecting privacy. Anyone including spamers can read your mail. Anyone including child molesters can read that little girls mail. Anyone can read your email. Does it happen? Yes!

      Privacy is worth protecting.
  • by ilcylic ( 44476 ) on Wednesday March 27, 2002 @11:15PM (#3238571)
    The advantage, of course, is that if someone decides it's important to make GPG pretty, it will get done.

    Interfacing isn't that hard. What sort of "easy to use" features would be desired in a personal encryption suite?

    A graphic display? PerlTK can do that. Simple means to keep track of new keys? I don't know what features would be wanted here. Lets figure it out and write it. Open Source is all about fixing problems you percieve.

    -il cylic
    • I agree (Score:5, Insightful)

      by einhverfr ( 238914 ) <chris.travers@gm a i l . c om> on Wednesday March 27, 2002 @11:32PM (#3238639) Homepage Journal
      The UNIX mentality, as far as I can tell, has quite a bit to do with building modular, scriptible components. GPG is no exception-- it comes with TONS of switches, only a few of which are likely to be used on a regular bases.

      While some people characterize this as "by geeks for geeks" I don't think that is really the case. Having an extensible, scriptible component makes it REALLY EASY to build whatever frontend you want with whatever capabilities you want, and it also means that one can have the same capabilities available from a script.

      Now, I agree that GPG is not yet ready for widespread adoption, but it is not the open source or UNIX mentalities that are broken. The tool just needs some time to mature.
      • Re:I agree (Score:5, Insightful)

        by jso888 ( 114340 ) on Thursday March 28, 2002 @12:33AM (#3238852) Homepage
        It strikes me as ironic that the Slashdot crowd complains about feature bloat on PC software, all the while extolling the virtues of having a gazillion switches for a single command line program.

        I'm aware that I've just made a vague, sweeping generalization about just who would complain about Windows bloatware, and that I'm being slightly inflammatory. But bear with me.

        My point is that both complaints really amount to criticizing the other side's mental model of How Software Should Work. Bloatware on the one hand, and having a gazillion command line switches on the other, are software developers' different approches to dealing with the same issue: meeting the needs of the user. It's just that the user they have in mind has a different profile in terms of how they expect computers should work. Strange that I should ever agree with Spolsky [joelonsoftware.com] 100% on this.

        So I stand by my characterization of the "by geeks for geeks". Switch that phrase to "by lusers for lusers", and hey presto, you're criticizing Windblows.

        And that's the problem I have with this vague non-declared goal of OSS taking over the desktkop, and it's why I think losing NAI PGP is such a big deal.

        You -- the Slashdot crowd "you", not the "einhverfr" you -- extol the virtues of "anyone" being able to put together a front end on top of the actual encrypt/decrypt model. Well, that's not what Joe in accounting is willing or able to do. You -- again, the Slashdot crowd "you" -- talk about the importance of encryption evangelization. Well, Joe in accounting thinks it's a pretty good idea, but can't for the life of him figure out what he needs to do to sign his Eudora-sent email in the first place.

        In the end, I don't think at all that the UNIX mentality is broken, nor is Winblows' (well, not fundamentally broken, anyway).

        I do think that there's a huge userbase demanding (in the economics sense) a package that will fill the gap caused by the loss of NAI PGP, or a non-MS product, or what have you.

        It's just a question of whether those with the so-called UNIX mentality are willing to approach the problem from the other point of view. I'm cautiously optimistic.
        • Re:I agree (Score:2, Insightful)

          by soloport ( 312487 )

          It strikes me as ironic that the Slashdot crowd complains about feature bloat on PC software, all the while extolling the virtues of having a gazillion switches for a single command line program.

          But doesn't "bloatware" refer to Megs of memory required? No one's complaining about mega-options (in closed-arch. s/w). Whereas most closed-architecture providers throw features together, thus creating "bloatware", most hackers pride themselves in the fact that each added feature of their swiss-army-knife-ware cost little to add -- by design.

          Even the GUI s/w (e.g. KDE, GNOME, et al) is built with carefully crafted pride. It may be somewhat more bloated than CLI code, but by comparison (to the crap that exists behind closed "architecture" apps.), it's good stuff.

          Your complaint seem to be grounded more in impatience, not good logic. Good code takes time. I'd say that, not only is your observation about finger-pointing unfounded and illogical, it's also complementary to OSS hacks ;-)

          I think we've been hearing this same sort of complaint a lot, lately. "Why does it take seven years for Wine to match the Win95 API?". To me, this means that people are hanging their hopes on OSS to save (or at least better) their future. But the waiting game is something we're not used to having to play, either.

          A glacier is a good analogy for OSS progress as well as market impact. Moves really slow, but is absolutely unstoppable! (Oh, and it eventually destroys everything in its path, too.)

        • Re:I agree (Score:4, Insightful)

          by jgerman ( 106518 ) on Thursday March 28, 2002 @07:01AM (#3240113)
          It strikes me as ironic that the Slashdot crowd complains about feature bloat on PC software, all the while extolling the virtues of having a gazillion switches for a single command line program


          I think you're missing the distinction between flexibility and "bloatware". Software only becomes bloatware when all those additional feature impede the everyday use of the software. Command line switches don't cause this problem, regardless of whether of not it's a command line Unix program or a command line Windows (I know, I know). The reason being that most command line programs use few switches for normal operations. Bloatware is usually a GUI problem. When anything and everything is configurable in a GUI it's easy to design the interface poorly so that it's difficult to do common things without all of the different options getting in the way.


          There's also the problem with poor performance in bloatware, but that's more of a problem with poor coding and programmers taking the crap they heard in school "hardware is cheap so you don't need to worry about performance" as scripture. That mentality can apply equally to any software regardless of platform.

    • Interfacing might not be hard, but hasn't been done yet. Integrating is probably the problem. When I looked at it some time ago (18 mos, 2 yrs?), it didn't plug in to my mail tool (Netscape), nor did it support HTML or RTF emails in Outlook, which I use with work.
    • I have WinPT on my corporate Windows desktop: http://www.winpt.org/

      I can now use GPG encryption with anything that can cut/paste.

      There are similar frontends for Linux/Gnome/KDE etc.

    • I don't know what features would be wanted here. Lets figure it out and write it. Open Source is all about fixing problems you percieve.

      So, not trusting the corporations with our security means we have to write our own crypto and make it easy to use? Heh, cool. We can do this.

  • GnuPG in Mozilla (Score:2, Insightful)

    by CanadaDave ( 544515 )
    Slightly offtopic - Getting GnuPG into Mozilla would help it spread its use to more people.

    If you have an account at Mozilla's Bugzilla [mozilla.org], vote for this bug here [mozilla.org].

    • GnuPG functionality is available for Mozilla through the Enigmail [mozdev.org] plugin. It finally made it out of development and is apparently ready for production use. You'll need Mozilla 0.9.9.

      • Oops, it's still in development... I misread, the announce. It isn't done, but it's useable:

        "Enigmail, a GnuPG "plugin" for Mozilla which has been under development for some time, has now reached a state of practical usability with the Mozilla 0.9.9 release."
        • Enigmail rocks - it may be in development, but Moz 0.9.9 with 0.39.2 is sweet. I use GPA on linux and WinPT on windows for easy key management. Installation was a snap - click the install button and restart Mozilla. WinPT even bundles GnuPG with it if you want. So it is coming along nicely.
    • Getting GPG seamless support into Outlook or Eudora would help a whole lot more than getting it into Mozilla. There are far more Outlook and Eudora users out there than Mozilla users.

      The whole point is getting GPG to "the masses." The masses don't use Mozilla. "By the geek, for the geek".

      I used the PGP Eudora plug-in on the Mac and it was slick. Select Decrypt/Encrypt, done. No front-end, no copy and paste into a helper app, just a single menu selection.

  • by mlk ( 18543 ) <michael.lloyd.le ... NO@SPAMgmail.com> on Wednesday March 27, 2002 @11:17PM (#3238580) Homepage Journal
    http://www.gnupg.org/frontends.html

    WinPT is quite good.
    http://www.winpt.org/

    But I've only found one "free software" package which is up to scrach with it's windows counterparts (in easy to install etc), and thats Apache Tomcat, and that needs some work. :)

    Ahh well, maybe one day.
    • Apache Tomcat? Easy to install? I swear that thing is packaged by Rain Man or some acid freak or something.

      Who even knows what the fucking things correct name is? Is it Tomcat? Jakarta? Catalina?

      What kind of server program depends on enviornment variables? I'll tell you, Apache Jakarta Tomcat freaking Catalina with Ant on the side.

      Oh, and make sure you put the correct 500 lines of crap about "workers" in the apache config file.

      Yeah, it's a breeze.

      -Peter
      • What kind of server program depends on enviornment variables?

        Uh oh. This world is in trouble. You know, kids these days are tought how to move a mouse, not speak the language of a command line. Environment variables and basic scripting should be compulsary education for students at the elementary school level. So many young minds lack logic skills and critical thinking, you'd think it was the greed of some evil corporation behind all of these "difficult to install" applications.

        Those 500 lines of "crap" config file could be an worthwhile alternative to an often repeated lame 500 word essay on the social implications of World War III and people who have been long dead.
        • You assume too much, dear lady.

          I was not fortunate enough to be exposed to *NUX until about four years ago, but I did take Applesoft Basic in the eighth grade. And I happen to have just polished off a little bash script today. That's not the issue.

          The issue is that I think it is a fundamentally bad idea to have a server service depend on a special environment variable. IMO it is too fragile a way of doing things. Think "This f-ing thing starts fine from the command line, but fails to start by the init script."

          You are, of course, free to disagree with me, but I think your "these kids today" attitude reflects on you far more than it does on me.

          Oh, and I was in high school by the time I had any sort of regular access to computer equipped with a mouse.

          So, I stand behind my statement that Tomcat (actually, Jakarta as I understand it) was unnecessarily difficult to install at the time I first attempted it (about a year ago, it may be a snap now). I'm not saying that I need a "wizard" to wipe my backside during an install, but Jakarata was too far the other way IMO.

          Just as a note for perspective, it took me about four hours and two Mt. Dews to install Apache with SSL and all the trimmings the first time. It took me the better part of three days and a case of the Dew to install Jakarta the first time.

          Finally, maybe I am just a dumb kid, but the last paragraph of your reply didn't make any sense to me at all. I'd really like to know what you meant and I hope you will offer a bit of an explanation.

          -Peter
    • by Llanfairpwllgwyngyll ( 81289 ) on Thursday March 28, 2002 @06:20AM (#3239992) Journal
      The front end doesn't solve the problem that *corporate* users face.

      GnuPG doesn't support ADKs (additional decryption keys). A lot of people don't LIKE the whole idea of ADKs. But look at it calmly. I would NOT have an ADK in my personal PGP key under any circumstances. But the PGP key I use for work - that has a designated revoker (so if I'm sacked the key can be revoked without my cooperation), and an ADK that *requests* (it cannot enforce) that items encrypted to my work PGP key can be read by one of our Corporate PGP keys (whose use is very highly controlled - and is held split anyway).

      I have encrypted disk partitions - but if I'm hit by a bus, the Corporate disk ADK can recover the data that belongs to the business.

      GPG doesn't inherently support key splitting, or disk partition encryption. The key splitting allows proper auditable control over particularly powerful keys. For example, our Root Corporate Signing Key is split amongst 8 trustworthy people and at least 4 of those 8 must cooperate to bring that key together for use.

      GPG is great, but it won't replace PGP in the Corporate setting (where it is used a lot more than you might expect...) even WITH a nice frontend until it can support such features. I look forwards to the time when it does!

      A business cannot risk losing access to data which is encrypted, so these facilities are required.
      • You are right. GPG only tries to do what the designers intended it to do. And if what they wanted wasn't what the business wanted ...

        If businesses want to use open source for something that the open source programmers don't feel like doing, then they will need to subsidize the development. That's the way it works. But if they do, then they get the options they want.

        If they choose to go with a closed source product, then they get what the developer provides, until the developer decides to stop providing it. If it's open source, then they get it with no time limits, but if the project stops supporting it, and they want maintenance, then they will need to pay for it, in some way or other.

        TANSTAAFL? Well, not really. But if your menu is the same as the other guys, then you can sure get a cheaper rate. And if you need a specially selected choice of wine with your dinner, then you pay extra.

        OTOH, if you go closed source, you probably don't have any choice as to what will be provided on the major products (that's a result of what they call a monopoly). And for the lesser products, you still don't have much choice after you make your purchase.

        Nothing's perfect. Open Source has it's flaws, and some of them are a bit excessive. But in my mind they pale in comparison to the flaws of closed source with a central monopoly.

        Back to GPG and the need for added features. If businesses want the product that you describe they can:

        1) write it from scratch or hire a consultant to do so

        2) modify an existing open source program as permitted by the license. If they are modifying GPG, then the GPL determines their choices. Which includes keeping everything secret, but also include forking the GPG into (say) the GPGC and just adding the features that were missing. This would probably also make modifying the existing GUI shells relatively simple.

        3) do without

        4) do something illegal, and count on chance and their lawyers

        5) do something I haven't thought of

        The features that you mention all seem quite reasonable for a commercial group to want, but it is quite unreasonable to expect an agglomeration of individuals to be in favor of them. E.g., if I were to have an encrypted disk partition, then it would be to my benefit if nobody could read it without my permission. And if I quit in anger, or was fired, then I wouldn't want the company to be able to read my disk. It would (perhaps) be to their benefit to be able to do so, but it's not at all clear that it would be to my benefit.

        This reasoning applies to all levels of the company from the secretary to the general manager. And this may in some measure explain why no significant effort is put into features of benefit to the company but not to the individuals. (Of course, computer techs will be most aware of this, but then they would also need to be the ones initiating the argument for funding the project.)

        A closed source company would be more likely to provide these functions, but they would also be more likely to keep their code secret and unmaintained if they went out of business. Perhaps leaving you with disks they were unreadable (what is the most likely cause of their going out of business?).

  • by Above ( 100351 ) on Wednesday March 27, 2002 @11:23PM (#3238607)

    I use gnupg. Not a lot, but with a few people who have it set up right I can just exchange PGP messages without really doing anything, which is the way it must be.

    I have tried many, many products to do PGP, and they all have problems. Even GPG with my favorite mailer had some fairly big setup hurdles. Fortunately once I cleared them it was relatively easy. I can only imagine that grandma is never going to use it at the current state of integration.

    PGP functionality needs to work perfectly with mailers. You enter a pass phrase, and it just works. Until that happens the masses are not going to use PGP. This is imporant. If it were that easy, 90% of e-mail could be PGP encrypted, by default no questions asked. You can get there now, but only if you know a lot about PGP, and communicate with people in the same boat.

    • There is a list [geocities.com] of GPG mailer plugins and modules for common mailers, including Eudora, Outlook, Netscape, KMail, emacs, Pine, Mutt, etc. Failing that, you can always write your own. [eudora.com]

      • Until the plugins ship with the mailer, it is not seamless.

        • Mutt has built-in PGP support. All you have to do is configure it.
    • I've been using Gnu Privacy Assistant(GPA) for key maintenance and Evolution for email. Evolution has seamless GPA and PGP support.

      GPA [slashdot.org] features a GUI and is very straightforward to use. I'm an encryption retard and I figured it out.
    • Having switched to Mac OS X I'm using a Chat (AIM/MSN/Yahoo/IRC/Jabber) called Fire.

      This has seemless GPG integration. You select the key you want to use, enter your pass phrase on startup and it's ready to work.

      Key exchange is managed from within the chat windows. There is an option to send your public key to your "buddy" and it automatically inserts the key into their keychain.

      This is as seemless a use of encryption tech that I've seen in software and would make a good model of how to integrate into other applications.

      BTW. I've had some experience in using PGP in a commercial environment being responsible for adding mandatory PGP signing to the UK domain registry in 1996.
  • Windows Privacy Tray [winpt.org] seems to be the best Windows GPG GUI, I use it as my PGP replacement at the moment. I also have Mozilla, which doesn't have such great PGP integration, so I relay through GPGrelay [sites.inka.de], which checks all incoming POP mail for PGP stuff, then decrypts and verifies or encrypts and signs behind the scenes. Mozilla only sees the mail after GPGrelay has dealt with it, so it's the closest I get to seamless integration. I don't have any problems with it.
  • I love GPG, I use it daily to decrypt PGP encoded files that I receive from several very large companies that I have as clients. It's evident there is a need for usable public encryption on the business level, and GPG/PGP works great for this.

    As much as I like GPG, I don't use it for personal emails, however. I believe that S/MIME is a better system for encrypting personal emails, simply because support is already built into the major email clients (Netscape, Outlook Express) already. When there is a button built right into my friends email client, I have a much greater chance of getting them to use that feature, as opposed to having them download a new, seperate piece of software. Now if Evolution would just support S/MIME (they've been teasing me with that grayed out S/MIME panel), I'd be all set.
  • by augustz ( 18082 ) on Wednesday March 27, 2002 @11:38PM (#3238661) Homepage
    If you have a bugzilla account, head on over to
    http://bugzilla.mozilla.org/show_bug.cgi?id=22687 [mozilla.org] and vote for what is probably the singles most popular bug there is. They need a framework which allows folks to plug in something like GPG at will. Plenty of work went into trying to get somewhere without any luck.

  • Not quite accurate.. (Score:2, Informative)

    by dcviper ( 251826 )
    The article stringly infers that PGP (I use the NAI Freeware distro) does not work with OSX or WinXP. I can't speak to OSX, but I know that 6.5.8 works just fine with Windows XP Pro.
    • Yup, 6.5.8 works fine, but 7.0.3 does not work. I spent an entire day hosing my two WinXP boxes trying every possible combination to get it to work. Thank god for DriveImage and the SystemRestore feature of WinXP. You can get 7.0.3 installed, but the VPN stuff hoses your TCP/IP stack, and there's no way to get it back...
    • A number of people, me being one of them, had "issues" with previous versions of PGPdisk running on Windows XP. In my case, it just plain wouldn't work. PGP 7.11 took care of that.

      I am a heavy user of PGPdisk, having probably 15 - 20 gig of data stored both on disk and CD. Until GNUpgp gets PGPdisk compatibility, it simply is not an option for me.

      There was also the "PGP hosed my TCP/IP stack" problem that a number of people experienced prior to 7.0something.
  • by tcc ( 140386 ) on Thursday March 28, 2002 @12:01AM (#3238744) Homepage Journal
    I wanted to get some PGP licenses at work.

    Went on their website

    It was so weirdly organized, I mean you could get a "single user" license, okay cool, "i need 10 of that" wrote down the price... sent an email to get a PO

    Went back a few days after, couldn't find that product, felt on the desktop security thing for buisness, ok, 5x more, wrote down the price, went to get approval, came back a day or two later, price/license switch again... couldn't find the exact same thing that I saw the day before...I just dropped it (I don't have time to waste an hour or even minutes on a badly designed website that will make me swear and kill the next person asking me for support :) ).

    That's ineffective E-Commerce, and I thought it was sometime hard to find a specific download or older bulletin on microsoft's web site (and google helping more than most websites's own search engine), but this was ridiculous, not to mention all the license type and so on. If I dropped it, a lot of people probably did the same. My question is, why the heck not having something CLEAR and a decent price list, why putting things in 5+ click deep or changing stuff left and right just so the bookmarks don't work anymore and have a nightmare to find that specific thing again?

    They can blame the lack of sales, but they are to blame. I mean, when I go and buy a systemworks license (to name an example), I know the price for 1, I know the price for a 5 pack, it's clear, it's constant and they don't have a gazilion difference licensing of the same thing doing the same function exept worded differently thus giving you a different result at every searches if you change a space somewhere.

    All this said, it's a shame that there are not many alternatives, the freeware version does the job but the problem is "it's not legit for buisness to run this", I wonder what will happen if the product isn't sold anymore... does it make it obsolete and unavailable thus legit to use the freeware version? it does the job on the windows platform at least.

  • Don't you mean... (Score:2, Insightful)

    by Ranger Rick ( 197 )

    The article highlights one of the problems with Open Source software today[...]

    I can finish that sentence: "just because the writers at large popular online magazines can download something for free (and for Free), they feel that it's ok for them to bitch about how Open Source software isn't up to snuff, and yet they never try to make things better."

    I'd bet he hasn't entered one "enhancement" bug report, reported one request to the mailing list, or done anything else to make gnupg better.

    I work for a company whose product is open source. We have only so many developer hours to devote to feature enhancements. Guess which things get priority first? Either suggestions from support customers, or requests for features on our discussion list. If no one asks for it, it doesn't show up on our list of things to do.

    Just because you can't code doesn't mean you can't contribute. Make docs, try to find bugs, make feature requests. Shut up or put your money where your mouth is.

  • This passage of the article [salon.com] seems particularly insightful to me:

    Open-source can also mean "closed climate," with developers working only to meet their own desires and those of a relatively small and stable base of users and fans. The strength of the movement -- distributed development by volunteer programmers worldwide -- isn't geared toward the sudden appearance of clamoring consumers with questions, complaints and wish lists in hand.
    Linux is good, for people who are willing to put in the effort to use its power. The same holds for crypto. But marketing to the masses is not a "geek thing".

    Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]

  • by kraf ( 450958 ) on Thursday March 28, 2002 @12:11AM (#3238783)
    I use it to encrypt/decrypt files I don't want others to read.
    And it's quite easy: gpg -c and -d .
  • Decline of PGP. (Score:4, Insightful)

    by juuri ( 7678 ) on Thursday March 28, 2002 @12:12AM (#3238788) Homepage
    First off we sometimes use PGP for file transfers at work. We get census data, 401kdata, lots of data with special numbers in it that people should never see. Why do we use PGP at all? Because most of the older large institutions move like the slow behomths they are. They take forever to evaluate something, much less actually roll it out. Commericial PGP was great because it gave us somewhere to point these people who still require us to allow FTP for these files and other early/mid 90s transfer methods. The commercial site offered a nice packaged product, but more importantly, SUPPORT. Support is key to large companies, they buy it for everything, regardless of need.

    Now why the decline? Thanks to the widespread usage of SSL and now SSH we have convinced many of these old guard companies to go with real time data that is sent over SSL connection or through SSH tunnels (or even with scp). This is great! No more pesky FTP around. Easy key management. Easy to setup and watch. Sure the data isn't as secure in transit but really if it is secure enough to give this user the data, it is secure enough to transfer it with. Of course the best thing about realtime data is we can throw it away instantly meaning there is nothing laying around for the average village idiot script kiddie to pick up.

    The only downside is we have some users that actually SCP PGP encrypted files over to us. It will be a shame when that type of security has to go away because they will dump PGP the second they can't purchase support for it.

  • by tweakt ( 325224 ) on Thursday March 28, 2002 @12:28AM (#3238832) Homepage
    Why can't you just continue to use PGPFreeware 7.02 (whatever the latest is?) It's not like they can stop you from using it. Unless it gets "broken" somehow (I doubt it).
    • About once or twice a year a bug of security significance is uncovered in PGP (e.g. the ADK bug, the RNG on UNIX bug, the keystorage bug etc) and this would render the latest 7.02 next to useless.

      Why can't people amend the source code and recompiler themselves? They don't have access to the source code.

      Also remember that PGP is now very (over-) complicated and includes various drivers and kernel hooks. Every new version of an MS operating system (Win2k, WinME, WinXP) breaks compatibility.

      The best current hope is the CKT [ipgpp.com] builds of PGP, that are based on the 6.5.8 code. These have all known bugs fixed and still work on all Win32 operating systems. This is also the only version that is actively maintained!


  • "The article highlights one of the problems with Open Source software today: its "by the geek, for the geek" nature, which by and large places barriers to mass adoption of OSS"

    I will probably get moded down to -50 Troll or Flamebait for this but here it goes....

    Open Source has many problems but "by the geek for the geek" is NOT one of them. For some reason people seem to think that Open Source exists to serve the greater of humanity, and end human strife, etc.....(Whatever noble cause you can think of) But Open Source software is not primarily "by the geek for the geek".


    It is primarily "by the geek for him/herself". The reason that there are not a bunch of pretty GUI front-ends that really wow people is because the people who code them don't need/want a GUI front-end.

    If people want pretty front-ends then they should code them themselves.... It is easy to stand back and lambast [dictionary.com] the Open Source community for not being more user friendly but I have a news flash for ya.
    Most Open Source developers don't care.... Open Source is about coding: what you want. Build a front-end yourself.

    OSS developers code for fun, for their own sense of accomplishment, and for personal use.

    As far a "mass adoption", If people are too lazy to spend the time to work through and figure out a CLI then too bad for them. If your privacy is really that important to you then you will have to "tough it out" like the rest of the geeks.

    My .02

  • I finished a W2K upgrade to all desktops in 2001. The schedule is that we don't do anything till 2005. I've already verified that I can use pgp in outlook to encrypt something that gpg from the shell can decrypt. Though I like the NA product, if they're done, they're done, and I have something workable for 3 more years, after which I'll just switch to a gpg infrastructure. End of problem.
  • Many, if not most, Linux apps are by-geeks-for-geeks, and there's nothing wrong with that. Can't configure sendmail? RTFM. HOWEVER, GPG is an exception. Why? Because your security is only as good as that of the person you're communicating with. GPG is useless if you have mastered its arcane commands, but none of the people you know can encrypt or decrypt messages.

    GPG is different because, unlike most software, it's not something you use by yourself. Crypto is something you must use in concert with other people, and not just other geeks, but possibly your boss, clients, family, etc. This isn't just by-us-for-us: for once, it MATTERS what other people think of the software. Therefore, an easy-to-use interface is not just a matter of aesthetics, it's an essential feature -- and since it's the only way to facilitate widespread adoption of crypto, anything else is a security hole.

    Cheers,
    IT
  • Geeks & Interfaces (Score:5, Interesting)

    by maggard ( 5579 ) <michael@michaelmaggard.com> on Thursday March 28, 2002 @02:59AM (#3239337) Homepage Journal
    NAI PGP for Windows was a good program?! Show me one average person who ever felt it was a slam-dunk. You know, not the ones who read /. but those that had to install it for some reason, were given this fool thing and a sheet of local instructions and told "install this" and weren't found trembling under their desk 3 days later with a pooched PC.

    Ech.

    Some great concepts but still a cranky idiosyncratic bastard of a program. Trivial to use? Sure, after reading far too many poorly written manual pages. Easy to interact with? When it didn't hopelessly mangle what it was supposed to secure (we didn't want one-way!) Integrated - as long as you didn't do this or that or...

    Look, you want a well integrated NAI program look at how NAV interacts with Outlook. Yeah it's a big pig and lots of folks hate it but to the user it's *not an issue*. It scans for nasties. It scans incoming & it scans outgoing. It can be configured with a few clicks in a clean interface written in simple language. It just works.

    Personally I ask any ambitious developer to take the same strategy NAI does for NAV and don't try to build yourself into the apps and instead become a proxy. I'd love a local PGP proxy app that my mail could go through. The only interface I'd need would be a tiny plug-in to set a header on messages for the proxy to read and act on. That sort of plugin should be simple enough to write for all of the popular email apps, let the engine remain consistant across everything.

    With how to talk to the engine simplified then the effort can be moved to making PGP as an installation easier, more intuitive, and less of a jerk. For one thing default to a minimal install, go the install-on-demand route if need be, but DON'T dump a half-dozen applications into a system by default. Firewalls and VPNs are lovely but make sure the customer knows what they're getting into first, leave it as a second phase install by default. Plug-ins? Drop folks to a web-page where plugs for each app can be listed. Include some default plugs in the install for the most common uses but still encourage the ambitious to check out the newer/more featureful/not-in-the-distrib versions.

    Finally, why isn't there yet a standard for PGP-certifying and/or encoding web-pages?

  • by karlm ( 158591 ) on Thursday March 28, 2002 @03:15AM (#3239427) Homepage
    ...as soon as AOL decides it makes business sense to integrate it.

    I sign nearly all of my outgoing emails, but seriously, encryption will remain a geek toy until AOL or another big player decides to provide public key infrastructure (PKI, keys signed by eidey trusted authorities, or sufficiently many people that are minimally seperated from you) for its users. There are plenty of GUI encryption email clients out there. I believe there's a GPG plugin for Eudora. However, finding your friend's public key is hte big problem right now. Once everyone's ISPs ste[ in and sign the user's keys and proide key servers, then signed and encrypted email will be the norm. After a short bit, you will be able to filter out SPAM by doing good checks on signatures, or prosecuting those spammers that actually sign their emails with valid and registered keys. Encryption will also greatly increase CPU demands for mass emailing. This is why ISPs will like crypto: it deters spam and reduces thier bandwidth requirements. The big question is: how long will it take for a major ISP to start providing PKI.

    Key generation isn't hard. Once AOL starts signing all of their users' public keys, then it will be common practice for you email client to go the all of the recipients' ISPs, verify their Verisign certificate, and verify theirsignature on the user's public key, then encrypt everything at transmit time.

    Key generation isn't all that tough. Nearly everyone trusts Verisign.

  • Clearly this poster hasnt got a clue how things should be done in the unix-a-like os'es.

    The thing is, good programs are extensible because they just provide the core of doing things the right way. So does gpg. In easiest form, it can create keys and it can en/decrypt data.

    This is what it does and that it does well.

    Now, if you want bell and whistles, go find a software that you like and ask nicely the authors to include support for gpg.

    For example, ive used gpg for allmost a year now, since gpg support was first published in Evolution mailer. I created my keys (3 commands, i have 3 emails and i wanted to use different keys), and put the date into Evolution. Since that day, i havent invoked gpg directly at all. I have some gui tools to import/scan keyservers for keys that im missing and evolution itself does the rest. So, in my eyes, gpg is as good as it can get.

  • The german government(!) is sponsoring a project to use GNUPG. Details (Achtung! German!) can be found here:

    http://www.gnupp.de/start.html

    Roughly translated:

    Security for e-mail, e-commerce and e-government. The goal of this project is to deliver free encryption software that's easy to use.

    The fun thing is this:

    http://www3.gdata.de/gpg/download.html
    and if you don't understand those strange words, you can download here:

    http://gdataspace.de/download/gpg/GDATA_plugin_0 91 -eng.exe

    This is an Outlook-Plugin for GnuPG. Using this plugin GNUPG is easy as 1-2-3.

    HTH

    Jan Wildeboer
    • This is an Outlook-Plugin for GnuPG. Using this plugin GNUPG is easy as 1-2-3.

      Nice. Do you know if it works with XP/Outlook 2002? I had the full commercial version of PGP and the Outlook plugin worked fine on Win2K/Outlook 2000 but was mysteriously broken on the XP versions (something about relying on a Service that didn't understand Fast User Switching).
  • by calle42 ( 90619 ) on Thursday March 28, 2002 @04:30AM (#3239639)
    Go to www.gnupp.org [gnupp.org], home of the GNU Privacy Project. GnuPP is (currently) only for Windows and consists of an easy installer for GPA, GPG and WinPT. This is being sponsored by the German government (like GnuPG itself too), fully GPL'ed, and at least for us Germans, there's a good manual available from the Wirtschaftsministerium too. Anybody can order it for _free_. They gave printed documentations including an installer CD away for free at CeBIT. Anybody who can get this, should. The page there is still in German, but there's an english version [gnupp.org] of GnuPP too.
  • by ssimpson ( 133662 ) <(moc.nospmismas) (ta) (todhsals)> on Thursday March 28, 2002 @05:19AM (#3239878) Homepage

    Often people say that "GPG needs a frontend before non-geeks can use it". That point is probably true, but even though NAI PGP has had a "mature" GUI based front end for several revisions, normal users are still incapable of getting their head around creating keys, the difference between public and private keys, the difference between signing and encryption etc etc.

    A usability study [cmu.edu] was undertaken by researchers at Carnegie Mellon in which they found that virtually 0 non geeks managed to use PGP successfully anyway.

    Sure, OpenPGP based programs need to achieve better reach, but simply copying the NAI PGP design won't achieve this goal....


  • GPG and MacGPG (Score:3, Informative)

    by ReadParse ( 38517 ) <john@funny[ ].com ['cow' in gap]> on Thursday March 28, 2002 @06:26AM (#3240021) Homepage
    I'm one of those many recent OS X converts who just bought my first Mac, after years of having used Unix and Windows.

    PGP is something I've played with over the years, like a lot of geeks, but never used religiously. But I decided a few months ago that it was something I should start using regularly, so I sought out a mail client with built-in PGP (or variant) support. I found a neat little (non-free) Windows e-mail client called The Bat! [ritlabs.com] (that's their exclamation point, not mine), which had not only built-in support, but you can configure it to use PGP, GnuPG, and even their own OpenPGP implementation. That and many other cool features persuaded me to buy that e-mail client, after which time I decided to throw the switch [cavaliers.org] and begin signing all e-mail that I send.

    Along the way I discovered WinPT [winpt.org] (Windows Privacy Tray), which is a decent little frontend for GPG. Remember, GPG is a backend -- how you interface with it is up to you.

    The came my Titanium PowerBook. I got it for all the reasons mentioned around Slashdot and elsewhere, but I didn't really expect to find cool things like a good GPG frontend, let alone e-mail with GPG support. Boy was I wrong! I went to the GPG site and found a link to the Mac GPG [sourceforge.net] site, which ports GPG to OS X. Not only the backend, but a frontend that integrates with the "Finder" (that's Mac-speak for the "Explorer" equivalent), right in the "Services" menu (which is much like the global right-click menu in Windows Exploror.

    But that's not all! I saw further down on the same page that somebody else [sente.ch] has written an extension to the OS X default mail client (which ain't as bad as you might think) that provides very good GUI GPG support for mail.

    So, even though switching over to the Mac isn't the easiest thing in the world (I say that as I sit here typing on my Windows machine for reasons I won't go into), I can say that GPG is among the least of my problems.

    RP

  • Oh, I forgot to mention....

    There's also a great little instant messaging client available for OS X (called Fire [epicware.com]) that connects you to all the major services at once, and it has built-in GPG support. And very good support, too.

    I'm not yet to the point that I feel I need to either sign or encrypt my instant messages, but that time may come, and it's nice to know that Fire is ready.

    RP
  • GPG is delivering! (Score:2, Informative)

    by zecg ( 521666 )
    ...only most people are too blind to notice.

    Timo Schultz's WinPT is an all-in-one encryption frontend which sits in the system tray and does EVERYTHING. Even safely wipes data from the drive. And for convenience, he has an Outlook Express plugin (which works!) and a Windows Explorer plugin (which I don't need and thus haven't tried yet).

    Give it a try and see...

    http://www.winpt.org

The price one pays for pursuing any profession, or calling, is an intimate knowledge of its ugly side. -- James Baldwin

Working...