Symantec To Acquire PGP and GuardianEdge

An anonymous reader noticed the news that Symantec has bought PGP and Guardian Edge for $370 million. They plan to standardize their encryption stuff on PGP keys.

suckitude

[SoupGuru]

Let the soul sucking begin!

Re:

[sopssa]

It means hold on to your current PGP versions.

I wont be trusting Symantec with it.

What are good open source alternatives?

Re:suckitude

[Virak]

GnuPG [wikipedia.org] is what you're looking for.

Re:

[westlake]

GnuPG is what you're looking for.

Is GnuPG what you need when what you are looking for is a uniform GUI for the non-technical end user and enterprise deployment and management tools for your business?

Re:suckitude

[Locklin]

It *is* uniform if you pick one of the available GUI's and standardize on it.

Re:

[X0563511]

GnuPG (gpg) is the underlying tools and libraries. As locklin states parralel to me, there are plenty of GUIs out there.

Have a look [gnupg.org] but realize that there are even more out there, these are just the hilights.

Re:

[ZERO1ZERO]

Any decent web-based GPG interfaces that can be 'pointed at a directory of files, and encrypt each one', like wise for decryption?

I coded the basics of one in PHP, but wondered if anyone had a decent implemented solution already?

Re:

[X0563511]

Not that I am aware of, but then I am no fan of web-based anything but web pages (so, I can't say I've looked for a solution like what you ask for).

Re:

[Kozar_The_Malignant]

I have no problem with GPG, and use it with Linux. I've also used PGP since the good old illegal days when it was all command line, and the Feds were still trying to put Phil in jail. The problem with GPG is that it's not going to really get traction until there is a one-shot binary install for Windows that integrates with common programs that people use. While we all know it isn't that tough to install the command line version and then a GUI front end, most users can't/won't do that.

Re:

[Kozar_The_Malignant]

Short version - Phil Zimmerman wrote PGP. PGP incorporated the RSA algorithm. This got the feds after him for violation of the Arms Export Control Act, because strong crypto was considered munitions. Sanity prevailed after about three years and a bunch of lawyers' bills. A slightly longer version is here [wikipedia.org] in the Wikipedia article on PGP.

Re:

[RockDoctor]

Let me guess - you're under 25 AND you've only recently discovered that there is technical stuff going on behind the screen of your computer?

You've got your link to the story. While I wasn't particularly bothered one way or another about mail encryption, I did see the potential and understand it both for personal use, and for encrypting client's data while moving it around (as opposed to couriering it with a trusted person, which was the norm for us, then). But could I find a copy of PGP? Could I fsck! (Obv

Re:

[Lunix Nutcase]

Because you trusted it when it was in the hands of McAfee? LOL.

Re:

[icebraining]

It wasn't part of Mcafee since 2002: http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Current_situation [wikipedia.org]

Encrypt file containers, partitions with TrueCrypt

[Futurepower(R)]

TrueCrypt [truecrypt.org] is reliable, reputable, fast, free, open source, and works on Windows, Mac OS X, and Linux.

The TrueCrypt documentation is very good, but not perfect.

TrueCrypt can encrypt a file that contains other files (a drive letter) or encrypt an entire partition, even the boot partition.

No one I know has any connection with TrueCrypt. We are just happy users.

Re:Encrypt file containers, partitions with TrueCr

[X0563511]

Truecrypt is not the same thing as PGP/GPG. Truecrypt is great, mind you, but it is not public key cryptography and signing, with web-of-trust. It's just data encryption and hiding.

Why not just GPG, then?

[Futurepower(R)]

GPG [gnupg.org] is also reliable, reputable, fast, free, open source, and works on Windows, Mac OS X, and Linux.

What we need is a list of things PGP can do that the free, open source GPG can't do. Is there anything? If GPG can do everything PGP can do, then there is no reason to pay a lot of money for a closed-source alternative.

For example, here is the GPG manual: web-of-trust. [gnupg.org]

It would be difficult to trust closed-source encryption software, especially from a company that so many people who have commented her

Re:suckitude

[Em Emalb]

Not off-topic at all.

Symantec will more than likely manage to screw this up just like they screw everything else up. Seriously, once upon a time their virus stuff was good. Now, you've gotta jump through hoops to remove it, their enterprise-level customer service is garbage, so I can only imagine how bad their home user support must be, and at some point their code base for the AV stuff grew so bloated you could run a Toyota (poorly) off it.

What's wrong with pointing out that they're simply gonna screw it up?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Amouth]

... and doesn't do it's job.

hey hey now.. that was uncalled for - last time i checked Symantec makes a lot of money off that crap, i'd say it is serving it's intended function quite well

Re:

[fwarren]

Ran Corporate version 9, 10 and 11, then with 12 it all fell apart. The replication database should only grow to 5 gigs in size. But it keeps growing till there is no space on the servers hard drive. We had to literally uninstall it, reinstall it, configure it and run it for 3 months till the database filled a 200 gig hard drive. 3 times. After 9 months and a promised "fix" always soon to be released but never actually seeing the light of day, we switched to Kaspersky.

Re:

[kiwimate]

I do not trust Symantec on enterprise anything since the days I was working with their Storage Foundation.

Bad trick #1
Go to the training course, where the instructor is bragging how he helped write the product. Observe that occasionally during the training course the software happens to lose sight of your volumes. Ask instructor, "how do I fix this?". Received response, "hmm...format and start again. I don't know how to fix that." If this is a production environment, I've just lost terabytes of critical inf

Re:

[Sorthum]

Nice to see that Symantec is continuing its tradition of buying terrific products solely to bloat them, screw them up, and effectively turn them into shit.

BackupExec, Norton Utilities, Brightmail... it's like they've got some kind of bizarre scatological alchemy going on.

I do hope that the whole disk encryption solution that PGP was offering for Mac and Linux will continue to be supported; IIRC Symantec tends not to focus overly much on non-Windows solutions.

Not bad

[Mikkeles]

It's Pretty Good Proprietory!

Re:

[Seakip18]

But, according to my bosses, that proprietary stuff is better! It has support contracts and since we buy the license, that must mean it's good.

It's not like Opensource stuff comes close, right?

Well, that is true for Outlook email client interfacing, which is a crapshoot anyways. The rest OpenSource handles quite well.

Re:

[Lunix Nutcase]

The rest OpenSource handles quite well.

Which is why professional graphic design have all dumped Photoshop for Duh GIMP? And all those people who work in professional video arena have dumped all their proprietary tools for KDenlive?

Re:

[CastrTroy]

Here's where we get into the point of "professional tool" vs. "something I install on my home PC". For professional people, the cost of software like Photoshop, VS.Net, Final Cut Pro, and others is almost completely insignificant. Compared to all the other costs of doing business, it's almost crazy not to pay for it. However for the home user, or hobbyist, these products seem completely out of range with what you get out of them. When you pay $300 for a computer, even $50 on a windows license, or $50 for

Re:

[Lunix Nutcase]

Here's where we get into the point of "professional tool" vs. "something I install on my home PC".

The GP was talking about software for his job. So no, your point has nothing to do with the topic.

For professional people, the cost of software like Photoshop, VS.Net, Final Cut Pro, and others is almost completely insignificant. Compared to all the other costs of doing business, it's almost crazy not to pay for it. However for the home user, or hobbyist, these products seem completely out of range with what you get out of them.

That's why home users buy Photoshop Elements [amazon.com] and they will download Visual Studio Express.

Re:

[Seakip18]

I was specifically talking about PGP vs. GPG.

Re:

[K. S. Kyosuke]

Which is why professional graphic design have all dumped Photoshop for Duh GIMP? And all those people who work in professional video arena have dumped all their proprietary tools for KDenlive?

GIMP started as a toy project. It's much better now, but would certainly profit from a major redesign (and I'm *not* talking about UI here). As far as video editing is concerned, what about Lightworks? :)

Re:

[fph il quozientatore]

Where's the "sad but true" moderator category when you need it?

Re:

[phantomcircuit]

You shouldn't be using PGP for email encryption anyways. S/MIME is built into almost all modern email clients. The real reason that email encryption has not caught on is that it is basically impossible to implement it in webmail clients. (although signing is still possible).

Re:

[Seakip18]

True, as I was looking at S/MIME with openSSL. That implementation would be quite clean, with the right certificates.

Turns out they wanted more than S/MIME and GPG/PGP was the next tool on the list to look at.

Also true about the webmail client. I have a firefox addon that'll do both sign and encryption for gmail, but never really have a use for it.

S/MIME trust model

[tepples]

You shouldn't be using PGP for email encryption anyways. S/MIME is built into almost all modern email clients.

Does S/MIME work with a web of trust like that of PGP and other implementations of OpenPGP, or does it rely exclusively on central commercial certificate authorities?

Re:

[phantomcircuit]

S/MIME relies entirely on central certificate authorities. Of course in a corporate environment you would create your own certificate authority.

Re:

[X0563511]

Which is great and all, for everyone who don't have a magical CA available to them, or the cash to shell out to a commercial CA.

Re:

[phantomcircuit]

They're freely available from comodo and instantssl. http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html [instantssl.com] http://www.comodo.com/home/internet-security/free-email-certificate.php [comodo.com]

However they just verify your email address not your identity, but fortunately nobody is going to notice that...

Re:

[X0563511]

... which rely on companies.

GPG doesn't. It's not centralized, by nature.

Re:

[tepples]

GPG relies on companies to run the public key servers (such as pgp.mit.edu) and the key signing meetup sites (such as biglumber.com).

Re:

[profplump]

It absolutely does not. Those are handy places to find new keys, but it's perfectly possible for someone to simply send you their public key as part of the first exchange, and then do whatever sort of out-of-band validation you'd do with a key you found in the keyserver.

Re:

[X0563511]

In addition to what profplump just said, you realize that MIT isn't a "company"? It's an educational institution.

Besides, you don't even NEED keyservers for the system to function.

MIT Corporation

[tepples]

you realize that MIT isn't a "company"?

This page begs to differ [mit.edu]. MIT is a non-profit corporation.

Besides, you don't even NEED keyservers for the system to function.

Without keyservers, how would you follow the signature chain in order to verify that the public key that you're using to encrypt a message actually belongs to the recipient?

Re:

[X0563511]

By them giving me said key through any other secure means, including physically.

You got me with MIT. Though, do you really trust random for-profit over MIT?

Re:Not bad

[mlts]

If I want top notch security and not trusting some firm (possibly a CA that is offshore and is hostile to anything the country I reside in anyway), I will be using a PGP/gpg web of trust. I will either get a copy of the public key of someone face to face printed physically with a fingerprint (and will download and verify the public key and has from a keyserver), or I will agree on a passphrase that is used only once, and that is to send and receive a copy of the public key.

I also don't like keeping my public key that would be needed for S/MIME on an online machine. My secure private key resides on a machine that isn't Internet connected, it will reside on a smart card, or it will be on a smart card and used on an offline machine, so an attack would have to be done on a physical/local level in order to compromise my private key material. I do use S/MIME and a client key, but that is mainly a stopgap, better than nothing measure, compared to actual end to end manual encryption of data with gpg or PGP.

PGP WOTs were in use a lot in the early to mid 1990s by cypherpunks, but for the most part, convenience won over security and it is extremely rare for someone to use a public key of someone to send mail. A good WOT is far better than a CA. I have more trust in a public key claimed to be someone that is 3-4 links out from me on my PGP/gpg keyring than I do a key that is signed by a CA and told "hey, trust us." Of course, creating a WOT is a lot harder than just letting a CA do the work, but like Phil Zimmermann said, it is better to pack your own parachute when security is critical.

Another use for PGP over S/MIME is signing of files. A signed E-mail is difficult to forward and keep the integrity intact. However, if I have a file and a PGP/gpg signature of it (or just a PGP signed file), I can forward it, archive the two files, back them up to whatever backup media, and all it takes is a validation in the future to ensure that the file and the signature were not tampered with, assuming I have the public key in my keyring, and that hasn't been tampered with. Of course, I can use facilities like the file signing capabilities built into Acrobat, Word, or other software, but again, I have to use a third party CA, or pay for a special signing key, as opposed to a secure WOT. Plus, some files (archives and such) can't be signed internally, so having a separate .sig file is needed.

S/MIME is decent, built into most dedicated E-mail clients, and is better than nothing. However, if you want reliable E-mail security, you are best off using a PGP/gpg WOT.

Re:

[phantomcircuit]

I just want a nice lock icon in clients inboxes. It makes them feel all warm and fuzzy. :P

Re:

[ToasterMonkey]

Arg... this is so painful to read. What is with the mods? +1 Long post?

If I want top notch security and not trusting some firm (possibly a CA that is offshore and is hostile to anything the country I reside in anyway), I will be using a PGP/gpg web of trust.

I'm not a big defender of the big CAs, but trust chains serve a purpose. In a WOT, who first decides that someone really is associated with a given name, and why on Earth do you trust _them_? Sure, you will all be talking to the same person, but who is that? The point of the chain model is that at least someone is responsible for verifying a certificate holder's identity in some minimal way. To what length they go depends on wh

Re:

[phantomcircuit]

Maybe you should look up what a signature is...

Re:

[X0563511]

Start reading. [wikipedia.org]

You apparently have a very minimal understanding of what SSL/TLS actually are.

Re:

[JWSmythe]

You know, I've seen a lot of that in the corporate world. That's why folks have gone with RHEL rather than Fedora. They get to pay for something, so they feel better about it.

Of course, Microsoft servers are that much better, in that they can pay more for them. :)

Way back in the day, one boss was interested in going to Linux, but he couldn't find anything that satisfied his needs to pay for it. That was primarily a BSDi shop, but it switched over to Windows be

Re:

[Sorthum]

Actually, CentOS is the free version of RHEL; Fedora has an 18 month lifecycle.

You'd have to be some kind of masochist to deploy that as a server to an environment of more than a few servers.

Re:

[X0563511]

Or an idiot.

I've got to pull/clean lots of Fedora-Core 7 (or older) dedicated servers because of inept customers.

Re:

[JWSmythe]

    Off the record, once they deployed, they stayed like that forever. No patches, no upgrades, nothing. The party line was "It works this way, and has worked this way, we'll keep doing it this way." That was regardless of the fact that machines got exploited. If it didn't come in on the install CD, they didn't want it. Some days I'd just sit down and cry.

Re:

[Tekfactory]

Ahem, just to clarify what you mean by lifecycle.

Fedora has a 6 month release cycle, CentOS has an 18 month release cylce. This is how often they come up with a new version.

Fedora provides updates for the last 3 versions so 18 month supported updates.

CentOS provides updates for 5-7 years same as RHEL.

Re:

[aztracker1]

There are a few OpenSource email clients that do a decent job. Evolution works as well as Outlook, and Thunderbird + Lightning trumps Live/Windows Mail. Where OpenSource falters, is they don't have a solution that works better, or equal to Exchange and costs less. There are open-source Exchange-like servers, but are generally hindered in some way for the open-source version, or require a closed-source plugin to be really effective with Outlook, and/or other exchange clients. Usually this licensing winds

Re:

[muckracer]

> Evolution works as well as Outlook

Not on clustered Exchange it doesn't! Tried it with the mapi plugin...no good.

But as far as GPG is concerned, it's well done. Integrated nicely as it should be.

Smart move

[Enderandrew]

This is a smart move on their part, but I just have a really bad feeling about this.

I have zero trust when it comes to Symantec.

Scary

[desertjedi85]

Having my data encryption in Symantec's hands makes me feel extremely safe..... NOT!!!

Re:Scary

[dgatwood]

Just another enterprise company that Symantec will acquire, make a half-hearted attempt to integrate it into their company, then systematically lay off all the workers, outsource product development to India, release a nearly completely nonfunctional successor to it, and eventually cancel it outright after the support contract revenue dries up. I've seen this worthless company pull this stunt too many times to expect anything different.

Note to CEOs: getting acquired by Symantec is corporate suicide. If you care at all about your employees or your product, the correct answer is not "no", but rather "hell f**king no". Just saying.

Pretty Bloated Privacy

[Fraggy_the_undead]

oh great, just what everyone was waiting for.

Re:Pretty *Bogus* Privacy

[denis-The-menace]

You can just bet there will be backdoors for the NSA/CIA/FBI/etc in no time.

Re:

[calmofthestorm]

>> You can just bet there are already backdoors for the NSA/CIA/FBI/etc.

Fixed that for you.

Re:

[icebraining]

There was a time when despite not being Open Source licensed, the source was available. I don't know if it's still the case.

Re:Pretty *Bogus* Privacy

[calmofthestorm]

Regardless, I would assume the NSA has its fingers everywhere. Backdoors are not trivial to catch in the source code, like the famous if (uid = 0) test on an obscure flag combination on an obscure call.

Don't get me wrong, I'll trust OSS a lot more if the code can be read by anyone,but what good is the potential if no one actually does it?

The beauty is the I don't do anything the NSA cares about, I just like my privacy. Anyone powerful enough to get my personal data has bigger fish to fry.

Re:

[RobertLTux]

but what if the agent just needs a few XP to "level up"??

Re:

[WillDraven]

I don't do anything the NSA cares about right now,

Fixed that for you.

It used to be the Japanese, then the commies, now the Muslims. Who's to say in 20 years it wont be some group you happen to be a part of.

Re:

[Trogre]

Until you come to realise that, with all that expensive computing power and data mining algorithms, they can happily fry you, your neighbours and the big fish in the same pan.

Re:

[calmofthestorm]

I was trying to differentiate ability to get info on /anyone/ vs ability to get info on /everyone/ but I guess I didn't make it clear. As long as you have nothing to hide AND htey can't watch us all, life is good.

Re:

[icebraining]

I simply didn't care enough. I use GnuPG anyway.

Re:

[TheLink]

Some years ago PGP was bought by Network Associates Inc (which was a merger of McAfee + Network General).

McAfee, Symantec? Meh...

Open Source Alternative

[Anonymous Coward]

GPG is out there { http://www.gnupg.org/ } and we should use it.

Privacy is a human right. Democracy can't work if it's citizens are controlled like slaves in the roman empire.

Freedom is ours to take! Long live the RPG!

Re:Open Source Alternative

[wealthychef]

Freedom is ours to take! Long live the RPG!

Rocket propelled grenades?

Re:

[JWSmythe]

    Ya, that doesn't quite make sense. An RPG survives until it hits the target. While I like explosions as much as any pyromaniac, they aren't designed to be long lived items unless you never use them. What fun is a box full of RPGs when you don't use it?

Re:

[steelfood]

I think he meant Final Fantasy.

Long live Final Fantasy indeed.

Re:

[CelticWhisper]

Bah, Shin Megami Tensei is so much better.

Re:

[Linker3000]

Long live ROT13!

Re:Open Source Alternative

[jack2000]

And the sniper rifle. I've always been a stay out of harms way type of player:)

Re:Open Source Alternative

[Chris Mattern]

"...that among these are life, liberty, and the pursuit of BOOM HEADSHOT!"

Re:

[Terrasque]

Sniper's a good job, mate!

http://www.youtube.com/watch?v=3PrHKs2c0ZQ [youtube.com]

Re:

[BJ_Covert_Action]

As most of the powers in WWII figured out, the most efficient means of getting rid of a pesky sniper involves an excessive use of explosive directed in the general direction of the sniper. That said, those RPGs can come in very handy. ;)

Re:

[Explodicle]

We live in a democracy ???? What country are you in?

Slashdot.

Be a patriot! Mod this comment up!

I don't trust Symantec

[Anonymous Coward]

This really sucks. In dial-up days, I used a cool, lightweight firewall application published by WRQ [wikipedia.org] called AtGuard [cryogenius.com]. Symantec licensed the product and incorporated it into their own software; the stand-alone product known as AtGuard then disappeared from the market. I used to use Partition Magic [wikipedia.org]. Again, Symantec bought it and it exists no more.

With that little bit of sample history, I'm sure we can bid PGP farewell.

Oh. My. God.

[BenEnglishAtHome]

I work for a giant TLA. [irs.gov] Our AV is Symantec. Our removable media and whole-disk encryption products are in mid-migration to all-GERS (from a combination of GERS and WinMagic).

We're headed straight to hell, aren't we?

Re:Oh. My. God.

[Amouth]

I work for a giant TLA. [irs.gov] ... We're headed straight to hell, aren't we?

humm I believe you have already arrived

Not really...

[BenEnglishAtHome]

It's a pretty nice place to work if you're in IT. Other parts of the organization vary widely. Generally speaking, if you're willing to work hard at helping people, you can find a place to do it here.

This may be blasphemous, but I actually *like* my job.

Re:

[Amouth]

It's not blasphemous.. your fortunate that you like where you work and what you do.

personally i like where i work but not exactly what i do.. but i'll take the good with the bad to not have to live in an over crowded city and have more than a 15-20min commute

Re:

[dwye]

> He works for the IRS dosnt he? So yeah, he has his own slice of hell.

Not necessarily. One of the Disciples/Apostles was a tax collector, too (actually, probably a tax farmer, which is far worse).

What is this, aquire and merger week?

[frambris]

Everybody seems to buy eachother this week. By the end of the year the Internet is run by three companies: MicroApple (software), HP (hardware) and Ciscoogle (Internet)

Re:What is this, aquire and merger week?

[bipbop]

What do you mean? MicroApple has always been at war with Oceania!

Acronym change

[Limburgher]

Now, it's Pretty Good Privacy. Soon, it will be Poof Gone Permanently.

This is fantastic!

[JonJ]

I've always wanted encryption-software from people who can't write a fucking uninstaller properly.

I'm still using PGP freeware version, heh

[simetra]

I've kept a copy of the installer for the freeware version of PGP before they started getting uppity about it.
Works on XP just great. Version 8.0.2.... dunno if this version is still found in the wild....

Re:

[Kozar_The_Malignant]

A lot of older versions are available from The International PGP Home Page [pgpi.org].

Re:

[simetra]

But if you follow the links to download, they go back to pgp.org where you have to pay $$$$

Re:

[Kozar_The_Malignant]

Only for version 8.0.2. The rest go to mirrors outside the US.

PGP was already privatized! By McAfee & co.

[CuteSteveJobs]

PGP got taken over by McAfee / Network Associates years ago. Look here: http://www.openpgp.org/members/nai.shtml [openpgp.org]

They took it over and killed it.

Well, it was already dead. Although we loved PGP at the time because it was encryption when no one was allowed to have it, the product itself was very badly designed. The user interface was hostile (Trust? Invalid? Implicit? WTF?), and although they provided E-mail plugs for Eudora and Outlook they never supplied one for Mozilla/Thunderbird. You had to copy paste th

Too late!

[CuteSteveJobs]

No one else is using it and that is the point
Once a comms product drops below critical mass it's dead.

Re:Lol

[CondeZer0]

> PGP was bloatware before. Now that the most talented producer of bloatware in the world (Symantec) bought it, the PGP software will might soon win the bloatware of the year award.

If Adobe bought Symantec I suspect the massive concentration of bloat would cause the creation of a super massive black hole that would eat instantaneously eat up the whole solar system.

Re:

[CannonballHead]

eat instantaneously eat up the whole solar system

Wow, so it eats it twice :-o

Re:

[steelfood]

I suspect the LHC operators would be very disappointed if this were to happen before they could get it to run at full power.

Re:

[CondeZer0]

If you added SAP and Oracle, it would eat up the whole galaxy.

Re:

[silanea]

Only if done in a consortium along with T-Systems, Motorola and EADS.