PGP 8.0 Beta Released 122
James Evans writes "With a release date seemingly scheduled in December, the new PGP Corporation has today released PGP 8.0 Beta. It features Smart Card functionality, Unicode support, Novell Groupwise support, among other things. A Mac OS X Beta is out as well, also with a robust feature set. One word of caution however: On Friday, December 6th, 2002, the beta will expire, at which time access to encrypted data will be prevented."
GPG vs PGP (Score:3, Interesting)
Re:GPG vs PGP (Score:1, Insightful)
A closed, proprietary, potentially backdoored binary code?
Re:GPG vs PGP (Score:5, Funny)
Re:GPG vs PGP (Score:5, Informative)
PGP comes with some lovely UI tools and a library for developing more. Speaking from experience of the Win32 impl, the integration with the shell is extremely handy, with encrypt/decrypt/sign options in context menus for example. The PGPDisk utility was also awesome though it doesn't work on XP - hopefully 8.0 will fix that.
Re:GPG vs PGP (Score:1)
You may try it. Maybe it works well for you.
PGP ckt Homepage [rootsweb.com]
Re:GPG vs PGP (Score:3, Informative)
PGPckt's PGPdisk does indeed work under Windows XP - albeit with a few quirks. However, since it is based on the PGP v6 codebase, it is unable to read PGPdisks created by PGP v7.
The new PGPdisk in PGP v8 is the only one to function under Windows XP with the ability to read all versions of PGPdisks.
/pah
Re:GPG vs PGP (Score:2)
Re:GPG vs PGP (Score:5, Informative)
XP Pro comes with integrated disk encryption. Come to that Outlook Express, Lotus and Netscape email have had encryption for 5 years now.
The real problem with secure email is that none of the spec ever had a solution for locating encryption keys.
One of the things we have been pushing lately is the idea that every ISP should set up an XKMS locate service to act as a key repository. The XKMS service would be linked to the DNS via a DNS SRV record.
So that if you want to send a message to Alice@slashdot.org you first look up _XKMS_SOAP_HTTP._TCP.slashdot.org, that gives you an XKMS service locate.slashdot.org. You then send a message to locate.slashdot.org to locate a key for alice@slashdot.org via either S/MIME or PGP. The service returns the untrusted key which can be validated by a variety of means (e.g. a local XKMS validate service).
Back in the mists of PKI time people thought that X.500 or LDAP would do this function. Problem being that X.500 has never been viable as a global infrastructure. Trying to propose a similar feature using LDAP ended up in the weeds because the LDAP mafia thought that we were trying to help them with the great conversion to replace DNS with LDAP...
Re:GPG vs PGP (Score:2)
The difference with PGPDisk is the whole volume is encrypted - files, directories, permissions, everything - which means it is much safer. It is also mounted/unmounted from a single passphrase held in your memory and none of this public/private/trusted key crap that XP buries in some advanced Admin settings page. Once the disk is unmounted, you have no idea what, if anything is inside that
Re:GPG vs PGP (Score:2, Informative)
Have you heard of GPGME [gnupg.org]? It's the official library for using GnuPG from other programs, and it does everything you mentioned. From the application point of view, it's just the same as if the crypto operations were in a library.
It does have some performance problems, because it must run a new gpg process for every operation, but those will be fixed in the future.
Re:GPG vs PGP (Score:2)
Re:GPG vs PGP (Score:1)
Perhaps this [gnupg.org] is what you're looking for? Maybe not. Not sure on the license or details because I'm lazy
Re:GPG vs PGP (Score:4, Informative)
There are some wrappers for GPG, which is solely a command line utility. The Windows Privacy Tray [winpt.org] is quite good.
However, one of the terms of sale of PGP IIRC was that there would always be a 'freeware' edition available, and that is definitely the case with PGP 8.0. This will be the first release that correctly supports Windows XP.
Re:GPG vs PGP (Score:1)
Recently, I built an installer for WinPT 0.7.91 and GnuPG 1.2.0. Hopefully it is a much better approach to GnuPG than GnuPG alone, and almost as good as PGP itself for the newbies.
It can be found here [folk.uio.no] (sig here [folk.uio.no]). These links are a courtesy of Stephan Frye who apparently has a lot more bandwidth than me.
The original site for the installer contains some information about it, the apps packaged and is here [areaii.ufpe.br], and the primary mirror, here [ig.com.br].
The original site IS extremelly slow from 08am to 22pm (GMT+3).
Windows Privacy Tray home site is here [winpt.org].
Re:GPG vs PGP (Score:1, Interesting)
the other is free code, to modify etc...
I ue GPG (but, i wouldn't consider myself a CS wannabe blah blah), rather a software developer that can't have private info (client info etc...) leaking into the internet
That's called "lock-in" (Score:1, Interesting)
Re:That's called "lock-in" (Score:1)
Re:That's called "lock-in" (Score:1)
Re:That's called "lock-in" (Score:5, Insightful)
2) Paying for products isn't "totally against what we stand for here at Slashdot." Did the name change to GNU/Slashdot, or are you just making assumptions. If a product is free, use it. If a product is good, pay for it. If a product is both good and free, all the better.
3) No one is making them pay to protect themselves. They could use GPG if they really want a free encryption solution.
4) Paying for security is not like paying for music. Relate PGP to your data as you relate locks to your hardware. If you think everything should be free, you probably aren't in the right country (doesn't matter which one you're in, true communism doesn't exist most places).
5) I've said it before, but:
Freedom of information doesn't mean information should be free. Just because you can read the book doesn't mean you don't have to pay for it.
Re:That's called "lock-in" (Score:3, Informative)
Re:That's called "lock-in" (Score:1)
Does he endorse it?
I wonder if... (Score:5, Funny)
FGP (Score:1)
Who knows how reliable "Really Good" or "Pretty Good" actually is...
There will be a free version (Score:5, Informative)
Re:Huh? (Score:2)
PGP is only for windows (Score:1, Informative)
Not so. (Score:4, Informative)
There are PGP for a number of platforms.
The international version (for ppl outside of US) are here.
Download PGP [pgpi.org]
Re:PGP is only for windows (Score:2)
PGP is available for many platforms.
siri
Good to see they're still around (Score:3, Insightful)
It's for sending thing's across a network. Which means you send it, recieve it, and unencrypt it. Then it's done it's job.
How irresponsible would they be to leave beta encryption sitting around in use? They've prevented those too thick to ditch the beta from harming themselves... good job PGP.
Re:Good to see they're still around (Score:2, Insightful)
Re:Good to see they're still around (Score:1)
Remember folks, crypto is only for people who don't staple cash to postcards with their credit card number on it when they mail in their payments!
PGPHone (Score:5, Interesting)
For those of you that dont remember it... it was a secure voice communcations system.
With the improvements in sound encoders, standarized crypto libs (OpenSSL) and the huge amounts of processing powering that the avg desktop has it would seem to be much easier then it was in the early 90s.
Are there projects out there?
-M
Re:PGPHone (Score:2)
Re:PGPHone (Score:3, Interesting)
Re:PGPfone (Score:5, Informative)
PGPfone [pgpi.org] still exists. It's not only an IP telephony solution, one can also have two computers dial each other directly and have an encrypted conversation. It was for the severely paranoid; not originally intended as a way to bypass long distance charges, this was intended, first and foremost, for security.
A quick Google search turns up this MIT site [mit.edu] as the first hit, which has pointers to where the program can be found. They're still listing version 1.0 beta 2, not changed since July 11, 1996! (I never saw that much interest in it...) People know there are so many ways to compromise /eavesdrop on a conversation, and a computer (even a laptop) is a bulky way to make a phone call.
(God, look at how much cellphone tech has changed in 6+ years!)
The PGPi site lists a PGPfone version 2.1 (Windows and Mac), but notes that NAI has the rights to it:
I imagine the PGP Corporation owns that now -- did they get everything PGP-related from NAI?I think you're right, though. There's OpenSSL -- heck, there's OpenSSH, too! Set up a heavily-encrypted tunnel, run your favorite VoIP program through that. Since you have to worry about your computer being trojan-free in either case (both software and hardware), you can use a program that's a lot more mature than PGPfone.
Re:PGPfone (Score:1)
From their products page at http://www.pgp.com/display.php?pageID=2
The following products were NOT part of the PGP technology acquisition and must continue to be purchased from Network Associates:
o PGP E-Business Server
o PGP Command Line
Do-do heads (Score:5, Informative)
Of course, to look at it from this perspective, it might be a ploy on their part so that people don't get away without paying by simply using the beta instead of paying for the final version: but coming from a closed-sourced, profit-making company, that seems like a typical, perhaps even rational thing that they might do.
So whats the hullabaloo all about?
Re:Do-do heads (Score:3, Informative)
It is not a lock-in ploy, just a beta.
Re:Do-do heads (Score:1, Informative)
Given the PRZ is involved with PGP Corp, it is highly likely that PGP 8.0 follows the OpenPGP standard.
Beta will expire on 6th Dec. 2002 (Score:1, Insightful)
Re:Beta will expire on 6th Dec. 2002 (Score:2, Informative)
I am just curious, but have you *ever* sent encrypted mail? On a regular basis?
Re:Beta will expire on 6th Dec. 2002 (Score:1)
Of course you can make backup of your keys/data, dcrypt your files before the beta expires or upgrade your software to the final version but all that *is not mentioned* in the desclaimer. I read the disclaimer as "test our product on our conditions and at our mercy".
Re:Beta will expire on 6th Dec. 2002 (Score:2)
At least then people can still get at their data, presumably to move it to the full release version.
Hearing the words "inhibiting access" in the same line as "encrypted data" makes me not want to go anywhere near their product.
For the last time... (Score:3, Informative)
The exception is if you have your data on a PGP disk, in which case you will have to go through some trouble, like buying the commercial version. The idea is that you are just testing that feature in the beta, not relying on it to store your data. But, hey, you can always set the date to December 6, launch the program, decrypt your data, and go on your merry way.
Perpetual licenses available (Score:3, Informative)
(And BTW, they've managed to fix their web shop; it seems to be working now.)
Smart Card support with GnuPG? (Score:4, Informative)
See http://www.opensc.org/ [opensc.org]
GnuPG is a better choice for *nix users because it can be used
from KDE or in your console mail client mutt,pine etc
Re:Smart Card support with GnuPG? (Score:1)
Boy good thing no one ever needed to encrypt data
years before kde or gpg came along.
What would he ever have done?
You will not lose your data (Score:5, Informative)
That is precisely what is meant by 'plan accordingly', it could have been worded more carefully though. This beta in not meant for the people who are freaking out in this discussion and say 'watch out, it's a lock in', 'they are trying to screw you!'. As with any beta, people experienced with the product are the prefered beta testers, and they have received the beta, which incidentally has been out since last Thursday, pretty well. There were some glitches upgrading from previous versions, but by what I hear it's pretty good.
For those still interested, I recommend you grab copy and pound on it. After the beta expires you can decide to buy it if you like it or move your keys over to GnuPG and still have access to all your data and friends.
Free at last! (Score:2, Insightful)
I downloaded the Mac OS X beta version and it's so cool looking. Very few of the applications that I get for Mac OS X look like real Mac OS X apps, but this one looks like it was built from the ground up for this OS. Excellent job, keep up the good work PGP!
Re:Free at last! (Score:1)
Yep. I just wish that it had a full-fledged plug-in for Entourage X (like Apple Mail's) vs the AppleScript.
That being said, I wonder in this post 9/11 era (gack, guess which option I picked in last week's poll?) how many back doors are coded in for our friendly law enforcement?
Freeware version... (Score:2)
No Win95 Support? (Score:1, Funny)
Seriously, though, I've bought my last Microsoft operating system.
Mac version requires 10.2 (Score:3, Informative)
Re:Mac version requires 10.2 (Score:3, Informative)
Re:Mac version requires 10.2 (Score:3, Informative)
I had that, too, after importing my old (v.6-era) keys. Trashed the prefs (search for pgp...they're obvious) and then all is well.
PGP support in Windows mail clients (Score:5, Interesting)
So, being a OSS supporting Windows user, I thought I'd try this out.
My normal mail client is Outlook Express (don't complain, when used by someone with a clue there's no more security risk than with any other mailer), and the method that PGP plugs into Outlook Express is digusting. There's a GPG [gnupg.org] Outlook Express plugin [winpt.org] that suffers from the same problem. Basically, when a message windows is loaded, the decoder automatically copies all the text from the window into a buffer, runs the text through PGP, and then pastes the results back into the window. In the case of the version of PGP I tried, in 8pt font.
This also doesn't help when you have a Windows mailer that doesn't support MIME types correctly (Evolution especially likes to send mail with the PGP block as an 'attachment', which basically means your message appears blank in OE with two attachments). No PGP verification there.
I hear Outlook isn't much better; Outlook's IMAP support isn't as polished as OE's, and I guess they don't really want to make it better at the expense of Exchange licenses.
What's the answer? Enigmail [mozdev.org]. You have to use Mozilla Mail, of course, but that's something that can be adjusted to (and if it's too hard to adjust, it can be customized in XUL of course.) But it seems to be the only way to get correct behaivour for PGP email verification in Windows. And it's all OSS, too.
That said, it didn't handle decryption at all. But I was running a beta on a nightly with a 2 day old GPG build, etc. You get what you pay for.
What would I like to see happen? Outlook Express to become a bit more modular, with actual support for PGP (even the free PGP Home edition would be better than nothing). Or Mozilla Mail evolve a little bit more so I can tolerate using it as my mail client
Use The Bat (Score:1, Interesting)
http://www.ritlabs.com/the_bat/
From its wep page:
"
The Bat! is a powerful, highly configurable, yet easy to use email client. We've designed it especially to help you deal with your growing volume of email as quickly and efficiently as possible, saving much of your precious time. Use all its powerful features at home or at the office to handle your email naturally - the way you want and how you want, simply and directly.
* Support for an unlimited number of accounts and users
* Fully customizable message templates that save hours of typing
* Powerful filtering for automated message handling
* Support for S/MIME and PGP versions from 2.6x through 6.5
* Mail Dispatcher for managing email on remote servers
* Simultaneous mail processing in the background for all accounts
* Familiar Explorer-style folders for organizing messages
* Easily configurable user interface with message preview option
* Built-in HTML email viewer and message editor with spell-as-you-go
* Sophisticated address book for storing all personal information
* Unique Mail Ticker(TM) for email notification
* Multi-lingual interface supporting 15 languages on the fly
* Import message bases from all major email clients
* Many more features for managing email quickly and easily...
"
Re:PGP support in Windows mail clients (Score:2, Insightful)
One is in the normal text of the message, the other is as a mime attachment.
The standard behavior, with the old pgp plugins anyway, was that, if it was the main body of the message, it would be decrypted automatically. If not, you would have to click on the attachment to decrypt it.. the benefit being the attachment method is a bit more 'standard', and perhaps a bit more secure, depending on the environment.
What we really need, though, is something that works equally well in all popular mailers.
(Outlook, Outlook Express, Eudora, Netscape) and has a set of unix tools to allow the oss world to integrate as well.
And the interface needs to be easy.. easy for my Mom.
Outlook's imap support is crap; it won't even do imap & exchange server at the same time without a plugin; you have to set it up in 'internet only' mode.
"You have to use mozilla mail" is not an adequate solution for the masses.
Outlook Express, btw, worked fairly well with the old pgpfreeware plugins, as does eudora. it's just a bit too weird for joe average.
My experience with PGP (Score:2, Funny)
Recently I noticed that my teenage son Ezekiel had begun to encrypt his emails with a program called PGP. I was concerned because I'd always covertly monitored their email for any hints of illegal activity, drug use or interest in the occult - some of his classmates have begun playing Dungeons and Dragons and listening to KISS. Since Ezekiel was now using PGP, his activites were hidden from me!
Additionally, I also overheard him talking of using a program called Stegasaurus to embed secret information into normal-looking pictures.
Terrified that my son might be speaking in some sort of sinful code, I immediately grounded him for a month. He was only allowed to go to school and Bible study.
Anyways, I've done several days worth of research on this and discovered a few things about PGP that I'd like to share with the readers of these web sites. To begin with, I realized that many of the claims made by the creators of PGP are blatently false. Although I do not have a background in mathematics (I have an AA in Photography) I was easily able to rebuild Ezekiel's private key via his public key and one of his encrypted messages.
Of course I am above-average in intelligence, but PGP is supposedly unbreakable! Perhaps crytogrophers aren't as smart as they believe?
Fortunately in this case Ezekiel was just discussing a girl he met in school - a situation I harshly reprimanded him for. However, while PGP may be a program with flaws, it got me thinking about other programs.
Perhaps someone will construct a PGP-like program that cannot be so easily broken; one that would take days of computer time to hack!
My concern with a program like this is that people who use cryptography always do so because they have something to hide. A sense of guilt and shame seems to drive them. They know that they are doing something wrong and desperately want to hide it from the eyes of the world (although hiding it from the eyes of God is another matter! LOL!)
A study recently released by the Institute for Family Computing revealed that the top three uses of cryptography were for 1) "terrorist-related activity" 2) pedophillia and 3) drug abuse. In fact as far as I can tell, no legitimate use was on the top ten at all!
What scares me about this is that law-enforcement agencies will be unable to sift through email to find people who are breaking the law, or otherwise engaged in suspicious activity. At a time when our nation is under siege, I find it disturbing that people are working on developing cryptography that cannot be broken, even by our protectors in the FBI and CIA! Only those with something to hide truly need cryptography.
Thus I urge cryptogrophers world wide to refrain from working on such programs, until our nation is no longer at war. I would ask those of other countries to respect our right to self-defense and aid us in our time of trouble. Your cryptographic skills can be better put to use trying to find terrorists than to assist them.
Thank you for your time.
Did you really break PGP? (Score:1, Funny)
Just in case...
Although I do not have a background in mathematics (I have an AA in Photography) I was easily able to rebuild Ezekiel's private key via his public key and one of his encrypted messages.
If parent is not a troll, and you have figured out a way to reconstruct a PGP user's private key, then please immediately report the details of your crack to PGP Inc and to CERT. If this is real, it's groundbreaking, and your work could get published in a prominent journal of mathematics.
-- PinocchioRe:My experience with PGP (Score:1)
Re:My experience with PGP (Score:1)
I'm more worried about the EULA... (Score:5, Informative)
YOU HEREBY EXPRESSLY CONSENT TO PGP'S PROCESSING OF YOUR PERSONAL DATA (WHICH MAY BE COLLECTED BY PGP OR ITS DISTRIBUTORS)...
Remind again me why I want that feature in my crypto software...
And it's not open source anymore... so you can't really tell what they're sending...
Re:I'm more worried about the EULA... (Score:3, Informative)
So it's not the software that is collecting the information, but PGP Corporation. I guess at some point during download or installation it asks you to register.
Maybe it's not a really good privacy policy, but it's not spyware either.
Re:I'm more worried about the EULA... (Score:1)
regarding linux, from the website (Score:2, Interesting)
Our current products will not run on Linux. However, we realize the installed base for Linux is growing and our future product plans will include Linux support.
This will be open source?? (Score:3, Interesting)
From The CTO Letter [pgp.com]:
First of all continuity - you will be glad to hear that we will publish source code. This is very important to us. It's very important to our investors, too. They understand that one of the main reasons people trust PGP is that its source is available. Our forthcoming source release will be for PGP 8.
Re:This will be open source?? (Score:2, Insightful)
Source available != Open Source. You're allowed to look at the code, but you are not free to take chunks of it and create your own version.
Enjoy the view though.
Re:This will be open source?? (Score:2)
If you take a moment to understand the words you have used, you will realize that "source available" means the same thing as "open source". "Open source" implies nothing more than the source code being published or openly available; it does not imply any right to use the source code or the program unless otherwise specified. (This is why you will hear companies such as Apple, Microsoft, and Sun speak of "shared source" or "open source", and why PGP Corporation could rightly call its software "open source" if it makes its source code publically available.)
This is exactly why the Free Software Foundation [fsf.org] recommends the term free software [gnu.org]. The "free" is what gives you the "freedom" to "take chunks of it and create your own version" as you say.
Question (Score:2)
Cryptography is great as long as I'm the only person controlling the data. So it's great for the documents I want to protect.
But as far as encrypting my communications, I have to wonder if the effort is really worth it. Sure, encrypting my communication stream to the other party prevents a man-in-the-middle.
But that's not the only part that needs protecting. What happens when it gets to my lady friend, Ima Muslim? She could really be someone pretending to be her. She could be forced into compromising her password. There's no way to keep secret that I'm communicating with her, which can be as damning as if they knew what the message said.
How does PGP address those issues? If PGP doesn't address them, what solutions do exist?
Re:Question (Score:1)
PGP (or any other program for that matter) can do nothing (or very little) against user malice/stupidity/carelessness. That is beyond the scope of PGP. If you whispered a secret message to Ms. Muslim in a dark alley, there is still nothing preventing her from doing as she wishes with your (until-now) private message. For more on software controlling the users, check out what Microsoft is trying to do [microsoft.com] (albeit fairly unsuccessfully).
PGP will also do you no good for "traffic attacks" (Alice sends an encrypted message to Bob, Bob murders Alice's spouse, Bob sends an encrypted message to Alice. You guess cop's #1 suspect) and has never intended to. You may want to look into cryptography's little sister, steganography [everything2.com] for message hiding.
I would highly recommend browsing to http://www.pgpi.org/doc/faq/ [pgpi.org] and doing some more reading. I also own O'Reilly's PGP: Pretty Good Privacy [oreilly.com] and have found it an excellent resource. It was published back when PGP was still Phil's, but applicable today nonetheless. Heavy on theory and application, there's also a very good appendix on the dirty math involved.
PGP Infrastructure (Score:3, Interesting)
Re:PGP Infrastructure (Score:1)
Re:PGP Infrastructure (Score:1)
pgp/terrorists (Score:1)
Let's make sure Al-Qaeda get a copy of this!!
pgp on OS X with net info (Score:1)
Last Post! (Score:1)
1, 2076 (check THAT in your perpetual calendar program), 14 feet above
the ground directly in front of the Milpitas Gumps. Members will grep
each other by the hand (after intro), yacc a lot, smoke filtered
chroots in pipes, chown with forks, use the wc (unless uuclean), fseek
nice zombie processes, strip, and sleep, but not, we hope, od. Three
days will be devoted to discussion of the ramifications of whodo. Two
seconds have been allotted for a complete rundown of all the user-
friendly features of Unix. Seminars include "Everything You Know is
Wrong", led by Tom Kempson, "Batman or Cat:man?" led by Richie Dennis
"cc C? Si! Si!" led by Kerwin Bernighan, and "Document Unix, Are You
Kidding?" led by Jan Yeats. No Reader Service No. is necessary because
all GUGUs (Gurus of Unix Group of Users) already know everything we
could tell them.
-- "Get GUMMed," Dr. Dobb's Journal, June '84
- this post brought to you by the Automated Last Post Generator...
Re:What? (Score:2)
For starters you could export your keys and go use an older version of PGP (or you could use GPG, assuming you just used crypto supported by GPG) to decrypt whatever encrypted documents you made with the beta. At least that should work. I think they should choose new phrasing in their warning.
Anyway, they are probably planning to release a full version by then. So if you have your little smart cards and want to go on using them, you could just upgrade.
Re:What? (Score:2, Informative)
Re:What? (Score:1)
I use beta software all the time to do useful stuff, especially when there's no non-beta equivalent. I'd be a bit hesitant to use beta software for anything important, though...
Liam
Re:What? (Score:1)
(I guess my English can still use a little work)
Haha (Score:2, Funny)