How to Save PGP
Tomcat666 sends in: "The Register got some excerpts from an interview with Phil Zimmerman. He talks about how it might be possible to save PGP (Network Associates couldn't sell it, and will stop its development), OpenPGP and the future (industry-backed OpenPGP?)." A follow-up to our story yesterday about Network Associates mothballing PGP.
Why not... (Score:2, Funny)
Re: Opensource PGP (Score:2)
Seen as a bumper sticker... (Score:5, Funny)
Re:Seen as a bumper sticker... (Score:2)
Re:Why not... (Score:2, Informative)
The source and encryption methodology betray nothing about how to decrypt a message. That is why PGP is pretty good. Also, is anyone really going to run a company that seems so unable to make money? At least people should have source to play with if the company is going under.
Re:Why not... (Score:2)
Re:Why not... (Score:2)
The formula for PGP, as well as twofish, blowfish, RC5, and every other major encryption tech in widespread use now is well known. Part of the process of becoming a good scheme is submitting the algorithm to academic (mostly mathematical and statistical) review.
Re:Why not... (Score:4, Informative)
Re:Why not... (Score:2)
PGP does not depend on keeping the code secret for security.
However the idea that open source automatically means good security software is not generally accepted in the crypto community. The canonical example being Kerberos whose design and code were public for 10 years before a major flaw was found.
The point is that the ability to review code does not translate into the code being reviewed and where security code is concerned who is doing the review matters. Open or closed source does not make as much difference as expert or inexpert review.
Most of the crypto code in use in closed source software is based on BSafe which has been extensively reviewed by at least as many crypto specialists as PGP.
It is a pity that folk talk about 'death of PGP' rather than 'using encrypted email'. How the email gets encrypted is not as important as the ability to encrypt. The major commercial email packages have been supporting S/MIME for a long time now.
Re:Why not... (Score:4, Insightful)
It didn't even take 10 minutes... Can someone tell me what PGP being open/closed source has to do with Microsoft? Last I checked NAI was the vendor of the product, and it was CLOSED source. From what I've heard this is an excellent product, and it's a shame to lose, no matter what platform you run. Just because something is Open Source doesn't mean it's better. Do you think that the majority of the best coders do work for free, or for profit? And despite what you may think, some of the most talented people in this industry work at Microsoft (and NAI for that matter)... As for public vs. non-public disclosure of security issues, I'm sure that MS has plenty of reasons for NOT releasing their vulnerabilities. They have to take things into consideration that the Open Source community does not. With all the MS haters out there, as SOON as a vulnerability is announced, there are tens of thousands of script kiddies in their basement trying to wreak havoc on the Internet. Should there be vulnerabilities? No, but it's a fact of ANY software development. It doesn't mean there aren't a thousand people at MS slaving away trying to make their products better. Have a little more respect and appreciation for the scale of the systems we are even able to create nowadays. Damn zealots.
The lesson learned is... (Score:2, Insightful)
Make your pet projects free from the start.
Notice that Phil wants to release it under a BSD style license. As much as we'd all like that, it probably isn't going to happen.
RTFA (Score:4, Insightful)
This is the end of commercial PGP. This isn't a good thing for PGP to be used in commercial settings. Also this is the end of the PGPDesktop which was the only thing close to an option for (l)users.
Hopefully NSI will release the code in a manner that will allow a smaller company to add value and repackage it to large corporations.
Let's create a /. Corporation (Score:5, Interesting)
A win win situation! 8-)
IANAL. This is tongue in cheek. I hate having to explain myself...
Re:Let's create a /. Corporation (Score:1)
Re:Let's create a /. Corporation (Score:1)
'course i also said it was tongue in cheek. it's an interesting idea, but i can't imagine the administrative duties involved with maintaining a co-op of that size...
Re:Let's create a /. Corporation (Score:2)
ostiguy
Check this box to GPL abandonware (Score:4, Funny)
Then again, sometimes it might be good to just start some projects completely over. Remember Netscape?
Re:Check this box to BSDL abandonware (Score:2)
Re:Check this box to BSDL abandonware (Score:2)
Maybe you ought to look at the post [slashdot.org] this was a reply-to-a-reply to, or even the post [slashdot.org] that you replied to.
You must smoke even more weed than me to have that much memory loss..
Re:Let's create a /. Corporation (Score:2, Funny)
Re:Let's create a /. Corporation (Score:2, Troll)
That's a great idea. However, the economics don't hold up in the face of current customer research [slashdot.org]. Right now the max "penetration rate" for subscriptions is hovering at about 20%, best case. In short, 80% of the people who read Slashdot are freeloaders who won't even pay to read their favorite web site. Couple that with the unavailability of a flat rate subscription (despite overwhelming market preference for flat rate) and you've got a virtually nil chance of success. What makes you think Slashdot readers are going to pay for software of all things?
RE: Maybe we should think before we POST! (Score:2, Interesting)
In short, 80% of the people who read Slashdot are freeloaders who won't even pay to read their favorite web site.
What makes Slashdot such a great webpage? Is it the ability to (most of the time) read about geek news? Or is it the ability to read and discuss a certain post with thousands of technical savvy people?
I believe it is the second one. If you remove those 80% (the freeloaders) would you have the diversity? You'd probably have a lot less trolls, but I think you would lose a lot of good with the bad.
I belong to a great LUG [stllinux.org] which does not charge for membership. If they did, I wouldn't put as much effort into my time there. I try to give just as much as I get. Do I feel that I do? No, not really. I love going and hearing about aspects of Linux that I know nothing about and learning something new.
To tie that to your post, I feel the same way about Slashdot. I could pay for a news website, and get spoon-fed mass media trash, or exert my brain here on Slashdot. These freeloaders might be the very ones who give great info in AskSlashdot, or mirror slashdotted webpages. Pay to read their favorite webpage? They do! They try to give back to the Slashdot community as best as they can.
This is not meant to be a flamebait, you will notice I am logged in even. You seem to think cash is the ONLY method of paying for something. You have a lot to learn about life.
Vertical
Re:Sorry, I don't believe in paying for software. (Score:3, Informative)
To see what RMS actually thinks about this subject see http://www.gnu.org/philosophy/selling.html
From that page:
Then again, when has an AC let reality interfere with the contents of his posts?
-Peter
Re:Sorry, I don't believe in paying for software. (Score:2)
1. Corporation creates and sells an App under GPL for $1,000 (all legal but you do have to provide source).
2. one person buys your app. because it is gpl'd, Customer 1 puts it up on sourceforge for all to download free of charge. it's now GnuApp. all legal, all gpl.
3. Corporation now has to compete with its own software available free of charge. Corporation can't pay rent, electricity, or those pesky programmer salaries.
4. therefore, whatever stallman SAYS about the ability to sell gpl software, the reality is that you are effectively giving it away for free. Ever wonder why you don't ever see pure play GPL software companies survive on their own for more than a few months?
I think GPL is great for stuff that you INTEND to be free forever, just be careful if you want to make $$$ by selling code.
Re:Sorry, I don't believe in paying for software. (Score:2)
Most of what you said is based on the exact confusion arising from the phrase "selling software" (and variants you used like "selling App" or "selling gpl software" or "selling code") that is explained in the page I linked to.
So, since you don't care to read that article, let me establish some vocabulary.
If "selling software" is to have any consistent meaning it must be selling the copyrights to a piece of software. Such as when Corel bought WordPerfect. This clearly is not the topic of the discussion.
Now we come to what you are really talking about, which is selling software licenses. When you "buy software" (really "buy a license") you never get anything but the use of the software IAW the license terms. If you actually "bought windows" why may you not sell it? I don't mean en masse, just the CD you bought? Because you didn't buy anything but a license.
Finally we have distributing software. Which is what I was talking about. Wal-Mart makes money by distributing both proprietary and Free Software. It doesn't make a difference to them. Redhat sits on the shelf right next to XP. See my other reply in this thread [slashdot.org] for more examples of people making money by distributing free software.
Finally, note that if we can agree to the terminology above then you were more correct than you know, since there is no license for use of Free Software distributed under the terms of the GPL to sell.
To be totally clear about what I just said; the GPL isn't a "software license" in the sense that many people think it is. The GPL is a software distribution license. It makes no demands on the user (unlike a EULA) except that they may not sue if they don't like the way the program works, or fails to work.
So again, there is no software license to sell. Thus, you are correct that selling licenses for unlicensed software is not a promising business model. That, however, has nothing to do with my original post.
-Peter
Re:Sorry, I don't believe in paying for software. (Score:2)
It is true that Free Software does not have the "advantage" of artificial scarcity that proprietary software has. In spite of this, Cheap Bytes and KRUD both operate in the black AFAIK.
If we expand beyond simple distribution there are additional ways to actually make money by distributing Free Software that have been demonstrated in the real world. Redhat turns a profit, largely by bundling service with distribution. Several of the PHPGroupWare guys support themselves by supporting PHPGroupWare when they aren't hacking on it. Other value-adds exist, such as IBM bundling Free Software with hardware.
But, I suppose it is true that you aren't going to make yourself rich by downloading Free Software on your cablemodem and mailing out burned CDs.
-Peter
Re:Sorry, I don't believe in paying for software. (Score:2)
Let's say that Red Hat and MS each sell an OS for $100. Each expects to spend $50 supporting it. RH has $15/copy (at expected distribution volume) invested in development, and MS has $30, since they write the whole thing from scratch.
Who has the larger margin?
Now, these are all made-up numbers, but I think that they are useful for illustration purposes. Can you make up a set of reasonable numbers to illustrate how bundling support and distribution of software that you largely get for free hurts your margin?
The way I explain that RH isn't making money hand over fist, but MS is, is simple. Volume. I think that the reality is that RH spends something on the order of 1/10 what MS does on development, and has something like 1/1000 the (full price paid) distribution. So the numbers are more like 100/50/150 vs. 100/50/30.
Perhaps I was mistaken about Red Hat making a profit. I swear I read that somewhere. Ah, wait, here it is http://www.redhat.com/about/presscenter/2001/pres
OTOH, your $120 billion figure, if I'm not mistaken, is their peak market cap. Which is bullshit. Market cap is literally meaningless. It has nothing to do with actual money. Not money that they have, have spent, people have spent on them. Nothing.
That statement, combined with your statement that adding value by packaging and selling something that you get for free hurts the economy makes me question your grasp of economics.
Now, I know nothing about accounting, but my understanding of the English language leads me to believe that they had a quarterly loss of 17M in 2000 (and a somewhat higher loss in the same quarter of 2001). Which leads me to question your interpretation of any facts.
Finally, who said anything about "open source?" I'm talking about Free Software.
-Peter
Please do correct me if I'm wrong, but (Score:1)
Re:Please do correct me if I'm wrong, but (Score:2, Insightful)
Re:Please do correct me if I'm wrong, but (Score:1)
Re:Please do correct me if I'm wrong, but (Score:2, Insightful)
Re:Please do correct me if I'm wrong, but (Score:2)
Well PGP is a dead end but not for the reasons you give!
Quantum computing is practically irrelevant for mainstream crypto. If someone does build a big enough quantum computer it is unlikely that we will ever know about it. But we do know that there are some pretty severe limits on what it can do, it is not a magic wand. A quantum computer does not help against AES or SHA-1 for example. I suspect that long before Quantum computing is real there will be replacements for RSA that are robust against quantum computing.
The reason PGP is a dead end is that it was only deployed for email and only gives good privacy. PGP is not a good mechanism for signing binding e-commerce contracts.
It would be much better if people spent their time persuading people to use the crypto that is already built into Outlook Express, Communicator, Notes etc. rather than trying to resurrect a competing message format.
Re:Please do correct me if I'm wrong, but (Score:3, Interesting)
There's nothing wrong with S/MIME as a message format, but the implementations fall far short of what (as I understand it) PGP does: allowing you to generate your key without anyone having to verify it, and then YOU choose to ask specific people to verify it too. If you try to do this with any S/MIME client that I know of, it will claim that the certificate is untrustworthy because Friendly Trusted Company, Inc hasn't signed for it. PGP will try to find a way through the "web of trust" via a chain of people who all trust each other, from you to the person in question.
If someone were to integrate the S/MIME message format with PGP-style keysigning and webs of trust, and persuade the email clients to stop insisting that only TrustedCompany signed keys are trustworthy, I suspect that encryption would be a lot more widely used...
Stuart.
Re:Please do correct me if I'm wrong, but (Score:4, Informative)
You don't have to be a corporation to sign keys. In fact there is a certificate signer distributed with every copy of Microsoft Office and Windows XP. Code to create X.509 certs is available as freeware in many open source distributions.
If you try to do this with any S/MIME client that I know of, it will claim that the certificate is untrustworthy because Friendly Trusted Company, Inc hasn't signed for it.
You can select the certificate and say 'trust this certificate' explicitly in all the popular implementations.
If you don't like the way the S/MIME cert handling is done it is easy enough to do it any way you choose.
Another scheme would be to set up an XKMS interface to a PGP web of trust and then drop an XKMS client into the CAPI or cryptoAPI layer of your favorite email client. Then you can configure any trust semantics you like in your Web O' trust service. No different in principle from using the BaL keyserver at MIT but a lot more powerful.
Why save PGP? (Score:2, Troll)
I actually have no objections to it being preserved and developed, especially if it were Free Software, what I'm asking for is reasons for it to be preserved from the point of view of Free Software advocates.
Re:Why save PGP? (Score:4, Insightful)
Usability? GUI?
Re:Why save PGP? (Score:2)
The Windows Version (Score:3, Interesting)
Re:The Windows Version (Score:2)
Cheers,
Crush
Re:The Windows Version (Score:2)
GPG, OpenPGP, and what needs saving (Score:5, Insightful)
He clearly states that the PGP protocol is in no danger whatsoever, and will continue to remain widely implemented.
Having spent many hours deciphering gpg command lines to use PGP to its full potential makes you realize how useful a simple, easy to use GUI interface to a PGP would be. (Implicit in this task is integration with other applications, however, you can find plugin support for almost anything that you wish to use PGP in)
Re:GPG, OpenPGP, and what needs saving (Score:3, Interesting)
GPGME - GPG Made Easy (Score:4, Informative)
GPGME [gnupg.org] is a project to do this. From the website: "It provides a High-Level Crypto API for encryption, decryption, signing, signature verification and key management."
It's a work in progress. It's useable, but of course, there is the standard disclaimer. Compiles fine on most Linux distributions. It needed a small amount of help to compile on Mac OS X. Not sure about any other OSes.
Re:GPGME - GPG Made Easy (Score:4, Insightful)
Yes, but in the Real World we still need to support Windows.
Note that GPGME isn't really a GPG library. It uses the GPG command-line behind the scenes, so it is inherently unportable - you can't get IO from another running process in ISO C.
When I suggested creating a PGP library, I meant a true library. Make the code ISO9899 compliant, then the only issue is linking it to the front end.
Re:GPGME - GPG Made Easy (Score:3, Informative)
No, but you can use ISO C to make system calls (ported like everything else in the dual *nix/win/mac universes) that can communicate with the GPG process.
Really, this isn't that big of a deal. It's a slight inconvenience, but you still end up with a very portable library that can be used to interface with GPG in a programmable manner.
Re:GPG, OpenPGP, and what needs saving (Score:4, Informative)
This has been asked many, many times of the GPG developers, and they always have a very sound, technically reasonable explanation: Making a shared or static library for the GPG code would be a security risk.
Once you have the code linked in (statically or dynamically) you can do Bad Things to the GPG code. Manipulate static variables, change environment settings, corrupt memory, all in an attempt to compromise security.
This makes integration a bit more difficult, but there are still a number of wrapper libraries that provide similar functionality using fork() and exec() with the command line.
Personally I prefer a bit more integration effort with more security than vice versa.
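The wrapper approach described in the comment above, as an added example that is not part of the thread and not GnuPG's own code: fork() and exec() the gpg binary, then decide from its machine-readable `--status-fd` lines rather than linking crypto code into the caller. The function names, buffer size and sample status lines are assumptions constructed for illustration.

```c
/* Added example (not from the thread or GnuPG): drive gpg as a child process
 * and decide from its --status-fd lines; no crypto code is linked in. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum sig_result { SIG_UNKNOWN = 0, SIG_GOOD, SIG_BAD, SIG_ERROR };

/* Constructed sample status output; key ID and user ID are made up. */
static const char SAMPLE_GOOD[] =
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n";
/* Human-readable text plus a user ID that embeds a status keyword. */
static const char SAMPLE_SPOOF[] =
    "gpg: Good signature from \"Alice Example\"\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF [GNUPG:] GOODSIG spoof\n";

/* Classify one status line; only a keyword at the start of a line counts. */
enum sig_result classify_status_line(const char *line)
{
    static const char prefix[] = "[GNUPG:] ";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return SIG_UNKNOWN;
    line += sizeof prefix - 1;
    if (strncmp(line, "GOODSIG ", 8) == 0) return SIG_GOOD;
    if (strncmp(line, "BADSIG ", 7) == 0) return SIG_BAD;
    if (strncmp(line, "ERRSIG ", 7) == 0) return SIG_ERROR;
    return SIG_UNKNOWN;
}

/* Fold all lines into one verdict. Fails closed: any BADSIG or ERRSIG
 * outranks a GOODSIG, and no signature line at all is SIG_UNKNOWN.
 * GOODSIG only means the signature verifies; key trust is not checked. */
enum sig_result verdict_from_text(const char *text)
{
    enum sig_result verdict = SIG_UNKNOWN;
    for (;;) {
        enum sig_result r = classify_status_line(text);
        if (r == SIG_BAD || r == SIG_ERROR)
            verdict = r;
        else if (r == SIG_GOOD && verdict == SIG_UNKNOWN)
            verdict = SIG_GOOD;
        const char *nl = strchr(text, '\n');
        if (nl == NULL)
            return verdict;
        text = nl + 1;
    }
}

/* fork() + exec() gpg with its status stream on stdout, then parse it. */
enum sig_result gpg_verify(const char *sig_path, const char *data_path)
{
    int fds[2], status;
    char buf[8192];
    size_t used = 0;
    ssize_t n;

    if (pipe(fds) != 0)
        return SIG_ERROR;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return SIG_ERROR;
    }
    if (pid == 0) {                       /* child: becomes gpg */
        close(fds[0]);
        if (fds[1] != STDOUT_FILENO && dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        execlp("gpg", "gpg", "--batch", "--status-fd", "1", "--verify",
               "--", sig_path, data_path, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    while (used < sizeof buf - 1 &&
           (n = read(fds[0], buf + used, sizeof buf - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || used == sizeof buf - 1)
        return SIG_ERROR;                 /* truncated output: fail closed */
    enum sig_result v = verdict_from_text(buf);
    if (v == SIG_GOOD && !(WIFEXITED(status) && WEXITSTATUS(status) == 0))
        return SIG_ERROR;                 /* status and exit code disagree */
    return v;
}

int main(int argc, char **argv)
{
    if (argc == 3)
        return gpg_verify(argv[1], argv[2]) == SIG_GOOD ? 0 : 1;
    printf("constructed samples: good=%d spoof=%d\n",
           verdict_from_text(SAMPLE_GOOD), verdict_from_text(SAMPLE_SPOOF));
    return 0;
}
```

Run with a detached signature and the signed file as the two arguments; with no arguments it only prints the verdicts for the constructed samples.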
Yes but... (Score:2)
Really, if "they've" already compromised the system to the point where you have to worry about the libraries being secure, you've got bigger problems on your hands than the libraries being secure. The only thing the lack of a library is contributing to is a hampering of programmers incorporating GPG natively into everything from E-Mail clients to network protocols.
Re:GPG, OpenPGP, and what needs saving (Score:2)
What? That doesn't seem plausible to me at all. That would mean that any malicious software using (for example) libc could take over any other application using libc? No way.
Besides, there are lots of other security libs that work without problems. If libSSL is possible then why not libGPG?
Re:GPG, OpenPGP, and what needs saving (Score:2)
The problem is that well-meaning programmers will do all of those things by accident, and it's a damn sight harder to do so with an executable.
Easy to use GPG front end for Mail.app on OS X (Score:2)
I don't get it... (Score:4, Insightful)
Plus, there is GPG, PGPi, and other freeware implementations of the standard (under the umbrella of OpenPGP.org).
I don't see why "PGP" as a whole is going down.
It's like saying if Microsoft or Netscape decided to stop releasing browsers, then the entire WWW is doomed, when there's still Konqueror, Opera, Mozilla, and the whole W3C standards body, etc...
w3c and patents (Score:2)
Besides, as you would know if you'd done a little research rather than just skimming headlines, the w3c has never *had* a patent policy before, and therefore could easily have created a standard that relied on patented technology. The fact that they haven't is an indication of their general goodwill towards patent-free standards - when they got half-way through SVG and found that apple had a patent on alpha-blending, they stopped what they were doing for ages to try to ensure that the standard would remain patent-free. That was when they started looking into having a patent policy.
Of course, as a closed organization they first asked their members, who are primarily corporations, and those corporations said "we should have patented standards". Hence their first draft. Then they submitted the draft for public review, and NOBODY NOTICED. After a long comment period with no comments, someone suddenly posted it to slashdot with 2 days to go, and all hell broke loose - and the w3c essentially backtracked and now have a sane policy.
If anyone is to blame for the poor original policy, it's the fact that the community wasn't alert - it's mindboggling that the "many eyes" that are supposed to make bugs shallow didn't catch a major announcement like that from the w3c.
Stuart.
Re:W3C and patents (Score:2)
Also, the membership policy is such that nearly all of the members of the committee are sponsored by large corporations. So the representatives make choices in what they see as the best interests of their employers. It's true that the open source community now has two representatives there, which is a tremendous improvement, but they aren't in a majority on even a single sub-committee.
Now it is quite reasonable for an association of manufacturers in an industry, which is what the W3C effectively is, to further the goals of the manufacturers. What I don't find acceptable is for them to make standards with such a goal. That said, up until the last year their actions seemed to be for the general public good, and they had acquired a rather enormous amount of trust from the community. To say that the community should always be watching over their shoulder is in the first place an admission that they are not to be trusted, and in the second place a bit unfeasible. Sub-committee meetings aren't exactly open to the public (and I'm not saying that they should be). But if the members of the committee cannot be trusted to represent the good of the public, then the public cannot trust them. It's more basic than a syllogism.
.
Open Source probably the solution but not BSD! (Score:4, Interesting)
Re:Open Source probably the solution but not BSD! (Score:2)
Sorta Phil's fault (Score:3, Informative)
If he would have put it under the GPL from the beginning we would not be seeing this. He would be like the Linus of crypto, but he was so determined to control the things he shouldn't be controlling that he lost control over the things he should be.
Re:Sorta Phil's fault (Score:3, Insightful)
I think it was definitely advantageous to have the corporate support of PGP in order to get it entrenched (however deeply it is) in the business world. Now, with commercial PGP going away, it's possible companies will have no choice but to move to open sourced alternatives and implementations if they wish to keep their security and privacy intact.
Re:Sorta Phil's fault (Score:2)
You've put the cart before the horse. Corporations needed encryption - and that led to the adoption of technologies like PGP in the industry, the GPL would have encouraged its use even more, and perhaps have forever thwarted the patent abuses that came with PGP. It's not like corporations decided from upon high that they would suddenly give their blessing to PGP which would then in turn become entrenched.
Re:Sorta Phil's fault (Score:2, Informative)
The PGP algorithm was not Phil Zimmerman's to sell. He basically made a freeware version of a popular commercial program, using their proprietary algorithm, and spread it all over the internet. He did this because he believed that people should be able to avoid government surveillance on the internet. Whether or not you agree with him (I do), "encryption for the masses" is now a reality.
I would be willing to guess that Phil was more afraid of government agencies like the CIA, KGB, and FBI, than of Microsoft and Cisco. It is only slashdot readers who can't understand the difference between a corporation, which can take away your money or your job, and a government, which can take away your life or your freedom. Having to pay $1 extra on a DVD is not oppression. It may be unfair. It may be something you should write to your congressman about. But it is not oppression. Oppression is being shot because you supported the wrong political candidate, like in the U.S.S.R. under Stalin.
Re:Sorta Phil's fault (Score:2, Funny)
My friend, there were no wrong political candidates in Stalin's day. Because they were all dead.
Re:Sorta Phil's fault (Score:3, Informative)
No he did not. Phil did not have rights to use the RSA algorithm. But the code, the message formats, everything that was all Phil and Phil alone.
Drove the rest of us working on secure email up the wall. Phil had a point about the PEM certification hierarchy nonsense. But he could have reused the PEM message formats instead of rolling his own.
The version of PGP in use today is largely the MIT version set up by Jeff Schiller and Hal Abelson and coded by Derek Atkinson around RSAREF. That version has always been GPL as far as I know, with the major proviso that it linked to RSAREF which was encumbered big time but had no choice 'cos of the patent.
Re:Sorta Phil's fault (Score:2)
It shouldn't have been anybody's to sell..
Whether or not you agree with him (I do), "encryption for the masses" is now a reality.
And the GPL would have made it more of a reality instead now PGP is heading toward the scrap heap.
The USA, the USSR, corporations or what not - taking away freedoms is taking away freedoms and the best way to lose a lot of freedoms is to accept the nickel and diming of a little freedom.
GUI Interface (Score:3, Informative)
But, the problem is you still must maintain your GnuPG bits manually on the command line. That was the beauty of NA's program. It had a slick GUI. Of course, in the end it didn't take me very long to pick up how to use gpg via the command line, but for the general populace it's still a barrier.
On the server side (Score:4, Interesting)
It seems to me that possibly losing out on the client-side 'niceness' that a commercial PGP implementation provides could be a non issue if the next round of standards include support for providing PGP mechanisms as part of their protocols (not that you'd HAVE to use PGP, but that PGP would be somewhere in the protocol if you wanted to use it.)
That would reduce the need to depend on the never-surefire client market penetration in order to see widespread and longterm usage of PGP as a means of protecting one's privacy.
I've always felt open protocols make the best vehicles for propagating public-interest technology. That way, you don't need [Mailclient] + [PGP integrated client] but [Mailclient that supports Next Gen Protocol X] where one of X's functionality sets uses a private/public key encryption scheme. Not sure what the likelihood of that happening is, tho, both from the perspective of when we'll outgrow the current crop of protocols, whether the new crop will be open enough to get public interests into the design phase, and whether the creators of said protocol would even think it would be a good idea to include a PGP layer in the protocol.
IMC is already considering along with S/MIME (Score:2)
part of the problem is that the IDEA algorithm is licensed technology from the Swiss company that owns the patent.
What PGP needs is a pluggable-encryption component, so that it could leverage something like AES
Scandelous (Score:5, Interesting)
We need some laws that force work into the public domain if it won't be exploited for the private domain. I'm sick of companies keeping what will go into the dustbin. This is another example of how too much private interest can
Of course, I respect that the work in question would probably have to pass some criterion whereby its release into the public domain would not cause significant damage to the company in question (if the company is to live on), but surely we can't believe that scenarios like this outweigh the benefits of laws forcing companies to push work they lose interest/money in back into the public domain?
Re:Scandelous (Score:2)
Let me be the first to say: No, no we don't.
If you want software they wrote and they won't give it to you, find an alternative, write it yourself, anything else.. But for the love of god, don't pass silly laws like this. How tragic that would be...
Re:Scandelous (Score:2)
The whole *point* is to avoid this vast duplication of effort. If a company has created something which has value to the public which it refuses to sell, and in fact is just going to dissolve, *why* shouldn't the public have access to it? How is this a silly or tragic law?
Re:Scandelous (Score:2)
Once a corporation is not acting in the public good, or if a corporation can be made to act in the public good without harming the corporation or the shareholders there is nothing wrong with compelling them to do something.
In the case of this software the corporation decided not to sell it anymore. It would do no harm to the corporation or its shareholders to release it to the public and it would do the public a lot good.
Re:Scandelous (Score:2)
Re:Scandelous (Score:2)
Corporations are routinely held to different standards than human beings. Nothing new about that.
Re:Scandelous (Score:2)
Actually in this case the code is still private property no matter what philosophical fence you decide to sit on. This code has not been published, disclosed or distributed. You do not have the right to redistribute it for the elementary fact that you do not have a copy of the code.
Re:Scandelous (Score:2)
Re:Scandelous (Score:2)
Sorry dude, but their code is their code. Period. It does not belong to you. It doesn't matter what the morality of copyright is or is not. This is private, undisclosed and published code. To force it into the public domain would violate every tenet of liberty.
Re:Scandelous (Score:2)
If you write some code and want to give it away, please do. If you write some code, sell a package, decide you don't want to screw with it any more and then give it away, that's great of you too.
At the same time, if I write code and make some neato package, you are perfectly welcome to politely suggest how I distribute it. But in the end, it's the owner's choice, not yours, and if you don't like it, tough shit.
I wish NAI would release the code under [insert free (speech and beer) license of choice here] so that development can continue. I wish PZ hadn't sold it to them in the first place, but as I state above, his code - his choice. But the first legislative attempt to FORCE them to release the code will plant me firmly on the side of NAI.
And that's my opinion for any other piece of orphanware, abandonware, garbageware, nolongerwantedware etc etc. I too wish that companies would find it in the goodness of their hearts to release code they are no longer going to support or use. But it's THEIR code, and NO ONE should have the right to FORCE them to do ANYTHING with it.
The thing that depresses me the most these days when I read
Re:Scandelous (Score:2)
For example the intellectual property rights on certain AIDS medications have been suspended in Brazil.
Although the software question doesn't really rise to the same bar, since it's not really/usually a life or death issue, it doesn't mean that there would never be a case where the needs of the public would outweigh the harm done to the individual even for software (although I couldn't come up with any at the moment).
I respect the rights of an author to control their work, however I also feel that holding on to a piece of property effectively forever that you never intend on doing anything with just for the sake of controlling it (in particular IP) is miserly, anti-social and relegates it to be forgotten forever adding nothing to the human condition. (However these decisions are only sometimes made by the original developers, often instead being relegated to some company that owns the code the developers produced, or bought said company or the work is already completely forgotten by everyone and no one really knows who owns it anymore).
Re:Scandelous (Score:2)
Says you. I personally don't trust any government to decide what is "in the best interests of the governed."
For example the intellectual property rights on certain AIDS medications have been suspended in Brazil.
Yes, Brazil, that great bastion of liberty...
I respect the rights of an author to control their work
No, you clearly don't.
Re:Scandelous (Score:2)
It was a tough choice. Respect the IP rights of a foreign company and let a few hundred thousand people die, strip the IP rights from that company and let your citizens live. In the US there would be no question we would let the people die. In Brazil apparently the govt cares more about its citizens than the IP rights of foreign corporations.
Yes it seems like a weird concept but I guess that's the way those foreigners think.
Re:Scandelous (Score:2)
And so we end up without medicines which would have been possible. Yeah, that's really smart.
Re:Scandelous (Score:2)
Re:Scandelous (Score:2)
So you're saying if I create something really great, and decide not to sell it or let anyone use it, that there should be a law where you can come and take my creation and put it in the public domain?
This is called socialism.
Please move to China.
Re:Scandelous (Score:2)
Re:Scandalous (Score:2)
With a large enough gun, any piece of physical property can be defended. Governments exist to keep us from needing guns to do that.
Intellectual property can ONLY be defended with the use of the government. By removing this government protection from IP that is not used, the market is MORE laissez-faire, not less.
Now, if the government were to take an active role, such as disseminating IP that is not used, that would be wrong.
GPG is available, and the Germans are improving it (Score:5, Informative)
It's true that currently GPG's user interface is terrible for beginning users if they have to use it directly. So, clearly, you want to use programs that embed GPG (like Evolution). Also, note that the German government is funding further development of GPG [gnupg.de]. They specifically say that their funding will be used to make GPG more usable by less experienced users, including porting the software to other operating systems, developing graphical user interfaces (GUI) and writing a handbook.
Thus, this sounds like a short-term problem at worst.
Why PGP instead of S/MIME? (Score:2)
PGP is a product of its own, which is probably good and bad -- good, because you can use it with non-email, and (awkwardly) with most mail clients. S/MIME would have to be built in, I imagine -- but a couple of easy implementations would bring encryption (and decryption) to many more people than the current situation with PGP/GPG/whatever.
So why aren't people making S/MIME capable clients?
Setting up the right financial infrastructure (Score:2)
But what I really want to do, at least initially, is to promise a payment, which becomes payable when enough other people have promised that the software's current owner agrees to the deal. Inevitably trust issues come up: I might welch on my promise. Or to make things more complicated, I might promise and pay only on the condition of anonymity.
How to do all this? One way would be to place the money in escrow for a limited time, and if the deal doesn't come together by then, I get my money back. The people trying to organize the deal would give themselves a time limit and encourage donors to set their escrow timers for that time limit. A reputable bank or insurance company (or maybe a casino?) could act as the escrow agent.
There's a guy named Ronnie Horesh with a very cool idea called social policy bonds [geocities.com], intended to bring market forces to bear on social issues. Government auctions off bonds, which mature when some measurable social goal occurs, and are then redeemable for larger amounts. He once commented that a social policy bond is like a bet. The government hedges its position (that, say, literacy is good) by betting that literacy won't go up. When literacy does go up, the government has to pay up.
In the same way, if I believe that PGP should go into the public domain, I may hedge that belief by betting Network Associates that they won't do that. They can easily win that bet by releasing PGP, when they decide that winning all those bets is more important than retaining PGP as closed-source software.
Am I paranoid? (Score:2)
ttyl
Farrell
The important parts of NAI's PGP (Score:2, Informative)
The important parts are the Windows infrastructure and the patented protocols that appeared in PGP5.
The Windows infrastructure is more than just the GUI - the GUI is OK, but nothing special. The infrastructure includes
Jon.
Re:Why? (Score:4, Insightful)
Think about that, how many computer programs would you trust your life with?
Re:Why? (Score:1)
You mean aside from windows?
Re:Why? (Score:2)
Fine then... (Score:2)
Personally I use GPG and think it works wonderfully, and Network Associates has nothing to do with that. May not have some of the bells and whistles of the full commercial PGP but it still does what PGP has always done, encrypt e-mail. Organizations like AI should be able to function fine with just that.
Re:Why? (Score:2)
Re:Why? (Score:2)
"If you're talking about the British government or the American government, they're virtually permanently tapping all of our stuff and using voice and character recognition," Gregory says. "I know what technology they've got.
"The Tunisians [where a new office is being set up] aren't as subtle as the Americans and the British. It's a bit like heavy breathing on the line."
However, even though Amnesty staff can automatically encode any message sent in Notes with its built-in encryption - certain staff use far stronger PGP encryption - Gregory says the US export ban on strong encryption still leaves it in a difficult situation.
Remember, not all countries that AI investigates can be as unsubtle as to beat passphrases out of people, and the person couriering the data need not have the passphrase to have it beat out of them.
Re:Why? (Score:2)
Second step is steganography, hiding the message, either by attaching it to the end of a zip file, or by weaving it into an image.
Third step is to have an encryption system which allows alternate passwords: each password reveals a different set of data, and the password you get forced to tell someone reveals not much at all.
You need more than just encryption to hide your data from governments.
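The comment above mentions attaching a message to the end of a zip file. As an added example (not part of the thread), this is a check that reports how many bytes follow the ZIP end-of-central-directory record, which is where such an attachment would sit; the function names and the sample archive are constructed here, and the sketch assumes a single-disk, non-Zip64 archive with nothing prepended.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"            # end-of-central-directory signature
CDH_SIG = b"PK\x01\x02"             # central directory file header signature
EOCD_FMT = "<4sHHHHIIH"             # fixed 22-byte part of the EOCD record
EOCD_LEN = struct.calcsize(EOCD_FMT)

def find_eocd(data):
    """Return (offset, comment_len) of the last structurally valid EOCD, or None."""
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            (_sig, _disk, _cd_disk, _n_here, total,
             cd_size, cd_offset, comment_len) = struct.unpack_from(EOCD_FMT, data, pos)
            # In a plain archive the central directory ends exactly where the
            # EOCD begins; a stray signature inside appended data fails this.
            if cd_offset + cd_size == pos and (
                    total == 0 or data[cd_offset:cd_offset + 4] == CDH_SIG):
                return pos, comment_len
        pos = data.rfind(EOCD_SIG, 0, pos)   # try an earlier candidate
    return None

def trailing_bytes(data):
    """Bytes present after the end of the ZIP structure; None if no valid EOCD."""
    found = find_eocd(data)
    if found is None:
        return None
    pos, comment_len = found
    return max(len(data) - (pos + EOCD_LEN + comment_len), 0)

def make_sample_zip():
    """Constructed sample: a small in-memory archive with one text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly figures\n" * 20)
    return buf.getvalue()

if __name__ == "__main__":
    clean = make_sample_zip()
    for label, blob in (("clean", clean), ("padded", clean + b"X" * 37)):
        print(label, "trailing bytes:", trailing_bytes(blob))
```

A non-zero result is not proof of hidden content (self-extracting stubs and some signing schemes also add data outside the archive structure), but it marks a file for closer inspection.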
Re: (Score:2)
Re:Save it WHY? (Score:4, Insightful)
Re:One word... (Score:2)
Re:One word... (Score:2)
Re:MK-Ultra experiments on children (Score:2)
That's like saying that cars don't cause injury, getting into accidents in cars causes injury. True, but LSD puts the user into a state where they can become very agitated by even the most mundane of circumstances. It essentially creates traumatic situations.
LSD is not the demon drug that it has been labeled as, but having seen some friends take mental nose-dives on acid, that have lasted for months, I have to say that it's not exactly as safe as houses either. Its major saving grace is that it's not addictive. So, as long as you don't a) get locked into some "I need the drug to see the aliens" psychosis and b) don't use it as a gateway to other (addictive) drug use, it's easy enough to stop using it if there's a problem, and then seek help.
I think we're both basically on the same track here. I just don't believe in sugar-coating the dangers of mind-altering drugs of any kind (and I include drugs that doctors give out like candy without really understanding, here).