Command-Line Crypto From Phil Zimmermann, Again

A few months ago, PGP creator Phil Zimmermann became a reseller for the current graphical version of the software he originally spawned, produced by PGP Corporation. Now, Zimmermann has just started selling through his own website a modern command-line encryption product called FileCrypt, which has its roots in an older version of PGP. Confusingly enough, this software is produced by a company called (Veridis), and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name; when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. PGP Corporation, for whom Zimmermann serves as a technical advisor (as well as a reseller), is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less? Update: 02/07 23:07 GMT by T : Here are three instant clarifications: PGP Corporation was misrendered as "Open PGP" in this paragraph; Veridis' command line product was inspired by PGP but independently created; its codebase is separate from NAI's version of PGP; and the rights holder to the PGP name is PGP Corporation, not NAI.

They aren't paying for a pretty logo.

The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market.

Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollars price as to a generalized interest in privacy. Home and hobby users are not cut out from buying Veridis's software -- for about a hundred dollars, you can buy a personal use version of the command-line version. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server) are really aiming at commercial and governmental datacenters, and for customers willing to accept a much higher pricetag.

Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures.

The name is familiar ...

The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAffee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do.

And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation ... you could run the same perl scripts, the same command-line arguments."

If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition.

(Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.)

Both sides of that fence.

And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product."

To look and not to sell.

Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer-review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person.

The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will be soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available though their source code page).

Automated jobs

[rawgod0122]

The reason command line tools are very useful is for cron jobs. I dont know how many times on a windows machine I wish that there was an command line tool to do something.

Re:Automated jobs

[Elvisisdead]

Absolutely. It would be great to set a job to run every night to encrypt certain user's files from prying eyes.

Re:Automated jobs

[lor3]

Erm cron [wincron.co.uk] for windows, and what about cygwin [cygwin.com]?

Re:Automated jobs

[Telastyn]

I don't think he was referring to cron, or at, or the windows scheduler. He was referring to being able to actually put an application into the scheduler. It's not useful when running someapp.exe just opens a gui. Then you just end up with the gui openned on regularly scheduled increments.

Re:Automated jobs

[SweetAndSourJesus]

automate [unisyn.com]

Re:Automated jobs

[Telastyn]

I'm aware of gui automation's existance, and I'm aware that most of them suck my left one. (and if they don't it's still significantly harder to automate a gui to find file, click click click than to run "pgp -f config.file infile.txt outfile.txt" or some such)

Re:Automated jobs

[SweetAndSourJesus]

You implied that it wasn't possible, all I'm saying is that it is.

Of course it's easier to automate a command line tool. They're designed that way.

Re:Automated jobs

[Telastyn]

Ah, my apologies, it was not meant to be meant that way. Simply that it was more difficult.

Re:Automated jobs

[Raistlin99]

Thanks to a redesign of Win2k's and XP's command line capabilities it can do alot of things that you can do in the GUI enviroment. You can install printers, do backups, manage disks, create and modify user accounts, start and kill processes. All from the new and improved NT command line. Here [robvanderwoude.com] is a quick link to something someone might find interesting. If it is a program that does not have a command line interface, well then you are shit out of luck.

Re:Automated jobs

[Paradise Pete]

AppleScript. Oh wait, you said Windows.

Re:Automated jobs

[Daftspaniel]

It is called COM and WSH. Very powerful.

Windows command line utilities

[harmonica]

Available at gnuwin32.sf.net [sourceforge.net], unxutils.sf.net [sourceforge.net] and other places.

Re:Automated jobs

[ag3n7]

I believe he meant that there wasn't a command line app that he could schedule through windows task scheduler.

For instance, it was nigh impossible to easily schedule disk defrags under 2000 using task manager because there was no way to kick off the defrag automatically. In XP this was resolved with the command line tool "defrag".

Re:Automated jobs

[rawgod0122]

Yup I was talking about the applications that can be called from stuff like cron and at. The reason I brought up windows was when I used to work on those systems I had difficulties finding cli based applications.

Re:Automated jobs

[anubi]

Absolutely... scripting tools are just so powerful

There are many things I automate, like you indicate like cron jobs, that automatically perform a given set of operations related to some event.

GUI is for human operators, where scripts are optimal for the machine usage.

It seems like I remember somewhere there was a precursor to PGP what *was* command-line.. is it something like gpg or something? I am rusty here.

Re:Automated jobs

[KDan]

gpg is a command-line tool indeed, and works fine. This piece stinks of self-promotion.

Daniel

Re:Automated jobs

[anubi]

Yeh, Dan, just reading all the posts coming through now... I was in the editor a bit.

When I reloaded, I see you posted too, with some nice info on the gpg.

I never got that involved with encryption, but it sure seems I remembered some command line version. I have always insisted that sets of critical maintainance tools be both GUI and Command-Line based for the exact reasons stated in many posts here - GUI for me, Scripts for things I set in place and run until I change them. (automation)

It does look like a re-release of something we have had for some time now... but under a different name now. And a much higher price...

That's the beauty of this forum.. it sure cuts through all the bs.

Re:Automated jobs

[jd142]

You mean like "at" available since NT 4?

The AT command schedules commands and programs to run on a computer at
a specified time and date. The Schedule service must be running to use
the AT command.

AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE]
[ /EVERY:date[,...] | /NEXT:date[,...]] "command"

\\computername Specifies a remote computer. Commands are scheduled on the
local computer if this parameter is omitted.
id Is an identification number assigned to a scheduled
command.
/delete Cancels a scheduled command. If id is omitted, all the
scheduled commands on the computer are canceled.
/yes Used with cancel all jobs command when no further
confirmation is desired.
time Specifies the time when command is to run.
/interactive Allows the job to interact with the desktop of the user
who is logged on at the time the job runs.
/every:date[,...] Runs the command on each specified day(s) of the week or
month. If date is omitted, the current day of the month
is assumed.
/next:date[,...] Runs the specified command on the next occurrence of the
day (for example, next Thursday). If date is omitted, the
current day of the month is assumed.
"command" Is the Windows NT command, or batch program to be run.

Re:Automated jobs

[Anonymous Coward]

> You mean like "at" available since NT 4?

No, he means the commands called by 'at'. Some Windows functions have no commandline equivalents.

Re:Automated jobs

[eric2hill]

Like what?

Re:Automated jobs

[Linux_ho]

Like what?

Exactly.

Re:Automated jobs

[Anonymous Coward]

Like the equivalent of this:

Right click on "My Computer", then choose

• Properties
• Advanced
• Settings

which then opens the "User Profile" dialog box.

Now select the source account and click the "Copy To" button, which opens the "Copy To" dialog box.

Now complete the "Copy Profile To" field, by either clicking on the "Browse" button and navigating the resultant dialog box, or by simply entering the path into the edit box.

Now click the "Change" button in the lower frame. Depending on your security setup, do another series of steps to select the target user account. Now click the "Ok" button in the "Copy To" Dialog.

Now you might wish to click on the "Change Type" button, and select the appropriate type from the resultant radio button group, depending on whether or not you're doing roaming profiles.

Are you catching the drift?

Ive never seen it more easily done than the loose equivalent of these commands:

• groupadd new-account
• useradd new-account
• cp -a /source/files /dest/files
• chown -R new-account.new-account /dest/files
• chmod -R 755 /dest/files

But really, all kidding aside, I'd love to see how one is supposed to do what I described in the first portion of my comment from a command line or cron script in Windows.

If that's doable through WSH or some other new tools, then well, that's great! But howcome nobody knows about the interfaces? Because they don't exist? I'm inclined to think so; or perhaps not until the recent past at best. At any rate, the commands for UNIX are tried and true; no brainers. They're not going to change any time soon and you can bet they'll pretty much work wherever you go.

But really, how do you do that in Windows?

Where's your Microsoft Bob when you need him?

Re:Automated jobs

[ralphclark]

Will some kind soul blessed with moderator privilege tonight please moderate up the above comment...

Thank you.

Re:Automated jobs

[jd142]

I'd love to see how one is supposed to do what I described in the first portion of my comment from a command line or cron script in Windows

Simple. The desktop setting is simply another registry setting. Have a batch file run that imports a .reg file with the appropriate background picture then refresh the registry with a command line call to the dll. I forget the exact syntax, but it is possible. I've done very similar things, but I don't have my code in front of me.

Re:Automated jobs

[eric2hill]

FTP?


C:>copy con ftpscript.txt
get /some/path/and/file.txt
close
quit
^Z
1 file(s) copied.
C:>ftp -A -s:ftpscript.txt ftp.some.site.com


How hard is that?

Re:Automated jobs

[eMilkshake]

And that's what rundll32 [microsoft.com] is for!
Oh, you meant tasks, not functions?

Re:Automated jobs

[Cyno]

There are no excuses. Can't do it on the command line? Learn perl.

I won't touch a windows network or help admin one because of how cheesy and unreliable that software is designed. If you want my help you got to use the best tool for the job, which unless we're talking about the desktop does NOT come from Microsoft.

By scripting and automating shit with perl you can deal with any number of these stoopid windows boxes that keep getting in your way, prompting you if you are sure. Hell, perl expect can securely manage an entire UNIX network using one user account and ssh.

If you can't find a command on an NT box and want to waste your time writing one I suggest grabbing perl and cygwin and smoking a big phat bowl to supress the desire to throw the box out the freakin window because of all the "are you sure" prompts.

Re:Automated jobs

[Malcontent]

How do I use AT when all the tools I am likely to call are GUI based?

At sometime launch some program, click to the appropriate tab, uncheck the appropriate box.

Re:Automated jobs

[archen]

At was depreciated after the release of win2k, you're supposed to use the task scheduler.

Re:Automated jobs

[LordWoody]

Try "at" under any NT variant (4.0, 2K, XP). It supports one time and repetitive simple schedules (every night at 10, m,t,t,f @ 8, etc...)

It can call any script or executable with or without switches. It may be ugly, but it is basically functional.

Re:Automated jobs

[Malc]

The trouble with at is the security context. I'm surprised their haven't been Windows exploits based off it. I use at to launch taskmgr 1 minute in the future... this gives a supercharged taskmgr that can kill missbehaving services running under the system account. Make sure you use the /inter switch and that you don't already have taskmgr running.

Re:Automated jobs

[rawgod0122]

Bad form to reply to self but I totally went and forgot. I designed and implemented a system that used gpg (which looks a great deal like this product, I said looks I am not implying anything other then the functionality is similar) to create a 'secure' file distribution network system via ftp on windows platforms. Durring that project there were a good deal of troubles with not having cli tools. btw does anyone know how to have a free high quality sshd/sftp server on a windows box? Ya ya ftp sux, but the data was well enough protected as it sat on the sight (via gpg). The OS was another question.

Re:Automated jobs

[LadyLucky]

Haven't you heard of windows scripting host? Geez man, give me a call when Linux is as scriptable as windows, I'll be waiting a while, methinks.

Re:Automated jobs

[evilviper]

Ever heard of cygwin? All the tools on Unix can be yours on Windows.

In addition, for the simpler GUI jobs, there's PTFB ("Push the Freaking Button"), which will allow you to have a certain button or location clicked-on a certain amount of time after the window appears.

In fact, I setup many a batch file, that would lauch PTFB with a certain config file, then start a software installer. In case you haven't caught on yet, PTFB was configured to push the buttons automatically, so you didn't have to click a single button. (If I hear one person comment on how this nullifies EULAs, I may be forced to beat them to a bloody pulp.)

Re:Automated jobs

[Angron]

I don't know what windows you're running, but there's an "at" program available at the command line of my Windows 2000 machine to add items into the Windows Task Scheduler. I'm not entirely sure how encompassing it is, but it's certainly better than nothing.

-A

Re:Automated jobs

[dtfarmer]

The reason command line tools are very useful is for cron jobs. I dont know how many times on a windows machine I wish that there was an command line tool to do something.

Here's a free clue, kid: just because you don't know how to do it, doesn't mean it can't be done. Like the other poster said, at /?. And if you're really into command lines, look up Windows Scripting Host on MSDN

Here's a free clue, kid: someone posts that command line tools are useful for in cron jobs, and that many times he wishes there was a "command line" tool to do something. (not schedule something)

60 people post a reply to him on slashdot to inform him of the command "at" which allows a windows machine to schedule things.

What do you do? what.. DO.. you... DO?

Heck, just add a 61st post which tries to put the original poster in his place by answering a question he didn't even ask! It's the slashdot way!

Not that those other 60 posters aren't just as clueless... but you all should learn that if you don't understand someone's post... you should just keep your trap shut.

karma? who cares... flame away.

Re:Automated jobs

[rawgod0122]

Thanks man. I guess I should have clairfied(sp?) more in my orginal post. I have done that now. Oh ya btw I have been told many times by people with more experience in the IT industry and paticular applications that something can not be done. I like to show them that it can be it they would just think a bit more creativitly. I love it when things are used for porposes that they were not orginally designed for.

Re:Automated jobs

[sql*kitten]

and that many times he wishes there was a "command line" tool to do something

That's what WSH is for. Try it, you might like it.

Advantage of command line...

[Sir_Ace]

GUI is nice and all, but a command line one would work much better with procmail filters..
As well as just about every other kind of script I would assume...

Re:Advantage of command line...

[KDan]

Use gpg then. Fully command line, and does everything you could need.

Daniel

Re:Advantage of command line...

[Malc]

Command line? This is Windows damnit! What we need first is a COM object interface distributed in a DLL. Then any application will have access to it with minimal fuss and piddling around ensuring the utitlity is on the commandline. For those who want a command line version, it will then be simple to add a console-based facade to the COM DLL.

Re:Advantage of command line...

[Cyno]

Why not just make it a web service. Write it in java or C#. But be sure to use XML for all schemas, content delivery and databases. Then embed it in the kernel. ;)

Re:Advantage of command line...

[axxackall]

Right. Two months of C++ debugging in VC and finally your robot will run at scheduled time and press all those COM buttons in various GUI programs. And all was needed is few scripts piped in a single command line.

$^^#@#$@34fds#@$23$@#

[mrtroy]

im outside of the us and i just used it to encrypt "hah".( as per subject )

Story, or advertisement?

[Anonymous Coward]

Interesting for sure, but is this a hype piece?

It doesn't look like a normal submission to me. Proper grammer, objective opinion instead of random flames, and bulleted titles to visually seperate paragraphs instead of the shitty formatting job Slashdot forced me to get used to.

Me suspects there is more than meets the eye here...

Re:Story, or advertisement?

[KDan]

Mod parent up. I think (s)he's on the money here. GPG is a command-line tool, so wtf are they going on about with their "pgp and gpg are pointy-clicky-stuff that you can't use for heavy duty shiznit" crap? Sounds like a publicity stunt to me, unfortunately they've tried it on the wrong crowd (ie people who actually have a clue about what the soft on their computer does).

Go back to the drawing boards, ad-bot!

Daniel

Re:Story, or advertisement?

[hughk]

Sounds like a publicity stunt to me, unfortunately they've tried it on the wrong crowd

it got past the /. editors though didn't it!!!!!!

Re:Story, or advertisement?

[knowbody]

yeah, the drop out section headings are particularly suspect...nice call

Next iteration...

[Pseudonymus Bosch]

It doesn't look like a normal submission to me. Proper grammer, objective opinion instead of random flames, and bulleted titles to visually seperate paragraphs instead of the shitty formatting job Slashdot forced me to get used to.

I'll pass your feedback to the guys in ad copy writing, thank you. Who would have thought that the rules for advertising in Slashdot are reverse of everwhere else.

CLI version

[ackthpt]

Why not, GUI is ok for desktops, but I seems to me I'd prefer a CLI version for servers (and I don't mean piddly NT servers)

Whenever I get a new computer, I expect a Command Line Interface (or shell as some are wont to call it) I must be old school, but I don't feel I'm totally in control if I have layers of GUI-fication and de-GUI-fication between me and processes.

Though that's probably not their reasoning, it's probably more of a spite thing, or keeping a finger in the pie, anyway.

I hear ya

[SHEENmaster]

A lot of the "old school" stuff works more reliably in more situations with less hassle.

I primarily prefer command line interfaces, as opposed to GUI or curses/ncurses, because it is so damn easy to script it. I can encrypt all .jpg files in my web directory that I own with a single command.

Another example of "old school" being the better choice is in security. I have the logger daemon piping output to a dumb terminal so that I can watch what's going on. I'm about to add a second that displays httpd logs.

Old school games are also better; even after porting /usr/games/fortune to the web [frob.us], winshit [frob.us]/wine, OS X [frob.us], and OS 9 [frob.us], I still keep the console version on every box of mine (all of them are Linux, even the palmtops.)

Maybe we should have a no-GUI holiday in which we don't use curses, X11, Aqua, or winshitgui.

Please note that the winshit download has yet to be tested.

HIPAA and PGP

[prgrmr]

Insurance companies and health care organizations are increasingly relying on PGP in its various forms to met requirements for confidentiality and security of data imposed by the HIPAA legislation. Zimmermann's latest work has a potentially huge market this year, and potentially next year too, if there are more delays with implementing the "enforcement" aspects of the law.

Command line GUI

[geoffrey crawford]

I find with any GUI program, if there is no command line control, it becomes half as useful. Scripting and automation are what make computers beautiful.

The command line is much quicker too. Don't want to type out a million options and flags? Then make an alias... one word is all it takes to run enormous computations.

In the case of PGP, the only GUI integration I need is in e-mail, and thankfully Evolution provides it. The rest of its use is on the command line, making encrytped tar archives, and saving other information.

Smug

[$$$$$exyGal]

Pic of Zimmerman [philzimmermann.com]

The look on his face is so smug, like, ha ha, "I have no such non-compete agreement with NAI", so I'm gonna screm 'em!

--naked [slashdot.org]

GNUPG?

[Anonymous Coward]

And what is wrong with gnuPG? Its Free and free.

I'm Confused?

[mrs clear plastic]

I am a little confused. Yes, mod me down for
this, but I could not resist.

I thought that the last time I used my pgp
(the oldie from MIT, now updgraded to GPG),
the whole darn thing is command line.

I get encryped email. I save it to a file (using
pine, my mua). I copy the file to my home machine.
I decrypt it using gpg, which is a command line
action. I read the message. I make my reply. I
encrypt it using my command line GPG. I ftp it
back to my email account. I use pine to include
the file into the reply email messages.

Now, I have been doing this both for my personal
use. I have also been using it to communicate
with one of my customers who is buying fetish
clothing from me, but who lives in a place that
he has to be careful.

Now, you are saying that I have to pay $5,000
for the privilege of using this, especialy for
my business?

Re:I'm Confused?

[Karpe]

Why haven't you tried pgp4pine [flatline.de] yet? There are even more pgp/gpg/pine integration filters available. You can find them on Google.

Re:I'm Confused?

[mrs clear plastic]

Thank you.

I will look into it.

Mark

Why not sell the banks GPG?

[Chris Croome]

I guess banks want to pay for software so they have someone to moan at or something, perhaps the commercial software runs really quick?

Apart from this I can't think of a reason not to use GNUPG [gnupg.org], or am I missing something fundamental here?

Re:Why not sell the banks GPG?

[mrseigen]

GPG isn't coming out of a large, monolithic corporation, so other large, monolithic corporations inherently distrust it until shown otherwise.

That, and it's fairly unlikely that the GPG group, as great as they are, has a dedicated corporate relations guy whose sole job is to make banks and corporations see the better value in the open-source world.

It's the same thing with Linux, although, now that there are companies like Red Hat backing it and there are lots of people embracing it and talking about their successes, that people are more likely to pick it up and use it for their installations. Sadly, GPG and a lot of other great projects haven't had this happen to them yet.

Re:Why not sell the banks GPG?

[BrookHarty]

I'm using the command line of GPG, and it works great. What makes filecrypt($5000+980 for support) better than GPG(Free-email support)? Is the filecrypt SDK worth the 5000 bux?

I see the need for the product, command line for encrypted server->server communications. Just wondering how/why it beats GPG. Maybe support. But at 99 dollars a user, the costs seem extremely high.

Good luck to Zimmermann, but cost saving companies will the free GNU versions.

Are you blind?

[KDan]

GPG can be called from the command line too!

[dan@dimension dan]$ gpg --help
gpg (GnuPG) 1.0.7
Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to
redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192,
AES256, TWOFISH
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Hash: MD5, SHA1, RIPEMD160

Syntax: gpg [options] [files]
sign, check, encrypt or decrypt
default operation depends on the input data

Commands:
(...)

And it doesn't cost $100...

Daniel

Re:Are you blind?

[Anonymous Coward]

Yes, but as far as commercial customers are concerned it isn't "PGP", nor is it a "commercial product". Sigh.

GPG is great, I just wish corporate customers to which the command-line version of PGP is targeted didn't feel unhappy using software they don't have to spend vast sums of money on.

People still believe in the mantra of "you get what you pay for" even if that saying is blatantly untrue with regards to free software - it's going to take a while before everyone understands that.

Re:Are you blind?

[KDan]

So if this is a marketting piece targetted at corporate IT-budget-droids what the hell is it doing on /.???

Daniel

GNU Privacy Guard isn't graphical

[lovelaceAtWork]

The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard)

Last time I checked, GNU Privacy Guard, also known as GPG, was a command line program. You're probably talking about the GNU Privacy Assistant (http://www.gnupg.org/(en)/related_software/gpa/in dex.html [gnupg.org]).

Neither Version Is Usable By Mom

[Anonymous Coward]

PGP is great. It's the strongest freely available crypto for the geek masses out there. However, it's still pretty much for the geek masses, or at least people who can get their minds around the difference between signing and encrypting and which key is used when. My mom can't use PGP, even though with all the Homeland Security and Total Information Awareness stuff going on, she'd like to just have 100% of her email encrypted and not have to worry about her sense of humor going into her federal permanent record.

For some of us, there's the other problem - we use Pine or FringeMail 1.0003 or something for which the multiple-megabyte SMTP client plugins PGP GUI monster is just too unwieldy. Perhaps Phil Zimmerman sees that as a niche that got left behind as the giant GUI version evolved, and recognizes a need for the simple command line version.

Works for me; I'll always cut n' paste my ciphertext. I still use PGP 2.6.2. What's needed is a very simple cut n' paste Windows app that can generate or accept PGP-style blocks of ASCII.

Re:Neither Version Is Usable By Mom

[proverbialcow]

Your mom is smart enough to know what crypto is and why she wants to use it, and she can't use a command line?

Huh.

Re:Neither Version Is Usable By Mom

[wurp]

If your mom wants encrypted email but doesn't know jack about computers, set her up with a free account on Hushmail (https://www.hushmail.com). Your browser must have good java support (on Linux, it seems to require Sun jvm 1.3+ and a recent version of Mozilla or Netscape). You have to wiggle your mouse around some when setting up the account to generate randomness. Then you pick a passphrase, and from there on out it's just like any other web based email, except your data is encrypted from before it leaves your computer until after it gets to the target computer.

It interoperates with GPG/PGP compatible mail clients. Of course, your email to people who have no encryption support is not encrypted, but that's pretty much unavoidable ;)

It has Bruce Schneier's stamp of approval, and for a crypto product, that's really saying something.

Check it out.

Cut & paste

[Beryllium Sphere(tm)]

Well, there's PGPTray's menu choices of {Encrypt, Sign, Encrypt&Sign, Decrypt&Verify}{Current Window, Clipboard}. It still asks you what key to use, but that's hard to avoid :-).

Re:Cut & paste

[wurp]

In case you're really paranoid about security...

I'm not sure if it's still an exploit, but IE used to have an exploit in which a javascript could monitor your cut&paste buffer and, for example, transmit it to a third party. Of course, if you're really paranoid about security, you're probably not using IE ;)

Or you could just use mcrypt

[Anonymous Coward]

libmcrypt offers all the functionality you need. I believe there are bindings for perl, php, python and plenty more It can use most common ciphers including RSA, Blowfish, etc. If you need command line compatibility with your existing code that calls pgp, a simple shell (or perl) wrapper can provide the syntactic sugar. Things like easy to use key storage, drag and drop encryption, etc. are not an issue in the kinds of setups described in the article.

It's so easy that one time I need a encryption for some data from php, and I couldn't get libmcrypt installed. So, I wrote a simple cgi to stream the text through and then save the encrypted contents.
I'll sell it for $5 a copy for personal use and $500 a seat for commercial. I can customize the interface at my normal rates. But you really should just check out:

http://www.gnu.org/directory/security/crypt/mcry pt .html

Believe it or not

[kfg]

There are actually many of us who still *prefer* to handle our purely text based tasks, such as email, from the command line.

I have nothing against GUI's, I'm running KDE right now, but to have to fire one up just to encrypt text when I'm already in text mode is not only annoying, it's doofey.

KFG

Drifting, drifting....

[airrage]

"Confusingly enough, this software is produced by a company called (Veridis), and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name..."

I'm sure PGP is important, but I can't remember what the acronym stands for --don't drift, don't drift off, focus buddy you can hang in there...

"...when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. OpenPGP, for whom Zimmermann serves as a technical advisor (as well as a reseller),..."

Almost five, it's about time to pack up and leave here, I wonder what's on TV tonight, probably nothing, Friday night blows. Need to get Road to Rome, but the flunky at Best Buy, who doesn't know his ass from a hole in the ground, said they're getting another shipment today, so probably need to go by there after work...maybe pick up mgs2 for xbox while I'm at it. mmmm xbox....

"...is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less?

"actually, if I send Bill Lumberg my tps reports now .. maybe I can sneak out past Milton...

Re:Drifting, drifting....

[LinuxHam]

I'm sure PGP is important, but I can't remember what the acronym stands for

PGP is important, but the world won't be ready for its functionality for another 10 years.

TOOMA here, but I think Phil Zimmerman once wrote in the documentation that when you use 2,048-bit encryption it would take the "US Government's best computers about 13,000 years to brute force the private key and decrypt the message." This translated to an encryption that while will not survive forever, it will survive long enough that you will be dead many times over before anyone cracks it. Therefore, its not perfect but its..

Pretty Good Privacy

Advertorioal again?

[hughk]

The Gnu Privacy Guard [gnupg.org] works quite adequately for the standard stuff. Some of the more advanced stuff in PGP isn't there yet such as secret sharing with a quorum, but for file based signature and encryption from the command line, GPG works very well.

I don't really understand why Phil is doing this. Perhaps some commercial customers feel more comfortable with a commercial package. However, GPG has had (German) government money funding its development and is thought to be quite good. The German Govt liked PGP as well, but it was complicated to licence. The old PGP commercial licence only permitted you to use the supplied binary, not to compile from source. The Germans supported the rewrite and AFAIK it is a standard there.

To me this seems like another of the recnt /. advertorials. An article about a product that isn't really newsworthy and there is a good Open Software and free equivalent.

Sad really isn't it!

I'm really disappointed....

[tytso]

That Slashdot chose to include the entire press release (since that is what this clear was) as part of the slashdot article. A pointer to a web page, perhaps --- the fact that Phil Zimmerman is behind a new commercial product that competes with original commercial version of PGP, perhaps. But the entire press release? Please! Why give them free advertising? (I'm assuming here that this wasn't a new way for the OSDN to raised revenues by getting an entire Slashdot article with arbitrary content from a marketing organization in exchange for $$$).

In any case, it's not really clear this story is all that interesting as news anyway, for the very simple reason that it is very doubtful that commercial versions of PGP will succeed, simply becuase for the naive user, PGP is Just Too Hard to use. The moment you have to explain certification chains to users, you've lost. The naive user (the ones who can't figure out how to set the time on their VCR's) simply won't be able to cope. And for the expert users, they'll just simply download GPG, or perhaps the old version of PGP 2.6.2. Why should they pay $$$ for a commercial command-line version?

Re:I'm really disappointed....

[KDan]

Corporate clients might, but I don't see why the /. crowd should care about a marketting piece directed at corporate bean-counters...

Daniel

Re:I'm really disappointed....

[smallpaul]

In any case, it's not really clear this story is all that interesting as news anyway, for the very simple reason that it is very doubtful that commercial versions of PGP will succeed, simply becuase for the naive user, PGP is Just Too Hard to use.

I guess commercial versions of relational databases will never succeed because for the naive user, SQL is Just Too Hard to use.

Not disappointed....

[wytcld]

This guy has legitmately been a martyred hero to freedom. In my book that should afford him a lot of goodwill in his business ventures. Plus, it's interesting to see where his later life is taking him. Like, we don't chat about how Linus is making out at Transmeta? And not even any martyrdom points for him. Jeeze.

Re:I'm really disappointed....

[aafiske]

Man, the editors can't win, can they? If they include the whole text they're corporate shills. If they don't, they get blasted for not providing the text themselves because 'they should know what's going to happen to the webserver they link to'.

They had a piece of text that was clearly allowable to mirror (press releases probably aren't things people want kept secret) and they did. More people could read the story. Seems like a good thing to me.

Re:I'm really disappointed....

[3ryon]

the fact that Phil Zimmerman is behind a new commercial product that competes with original commercial version of PGP, perhaps. But the entire press release? Please! Why give them free advertising?

What makes you think it was free? Slashdot now accepts commercial ads written to look like the other stories. This started maybe a year ago?

GUI vs CLI

[minionman]

A GUI isnt always desired - why WOULDNT you have a command line version of a utility like this? If you're going to be doing batch jobs, it would be a lot easier to have something that would be easily scriptable that doesnt require a bloated GUI version (or any GUI for that matter - Im not implying that the given product has a bloated GUI, before you flame). Not all users have a need for a graphical windowing system.

Selling it through his site

[errxn]

Do you think he'll mind if we screen scrape it [slashdot.org]?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Command Line Crypto? GnuPG, surely?

[Anonymous Coward]

Let's be honest here. No-one in their right mind would use the PGP command line since something much better - GnuPG [gnupg.org] - came along, and this has been a while ago (they aren't migrating, they've often completed migration).

• GnuPG is gratis - no cost. $0. PGP command line and other commercial command line OpenPGP products (like this Filecrypt) cost a shedload of money (they start at $99 - there may not even be an end) for such a simple, albeit effective, program.
• GPG can be tweaked to your own needs legally - you can even redistribute your tweaks. Hell, you can give your friends copies. Not so with Filecrypt.
• GPG can do everything that Filecrypt can do, with two exception - firstly, it can't work on X.509 certificates. Noooo, that's OpenSSL's job (which, you will notice, is also free of charge, open-source software). Secondly, if you need IDEA (blech, implies PGP2 which uses MD5 signatures, becoming a bad idea today) you need to install a module or merge a patch but that's simple if you're a command line hacker - and if you're not a personal user, you do need a patent licence from MediaCrypt AG, but that is still likely to be much cheaper than the equivalent copy of Filecrypt. [Caveat - I'm not sure if Filecrypt can use IDEA either.]

What Phil's trying to do here is sell a piece of software for an extremely high price which competes directly - directly, not just on the same turf but on the actual same blade of grass - with now well-proven software which is entirely free (beer and speech).

This is not a smart business plan. Only chance Veridis has is fast talking, name leverage and selling good support - trouble is, GPG doesn't actually need support as such, the software doesn't need to be, and isn't, really all that complex. Documentation should be enough, because it works already. The source is even friendly enough to adapt and build around for your own purpses, unless you're a moron, and morons should really not be adminning boxes you wanted to use strong crypto on.

I can't see a single reason you'd want to actually use Filecrypt over gnupg, especially given the high price tag... anyone?

Commercial vs freeware

[SiliconEntity]

GPG is freeware, as is the old PGP 2.X. Zimmermann's new product and the NAI version are commercial software. When you pay the big bucks for these programs what you are really buying is support and hand-holding. Many companies still prefer to pay for the privilege of having another company they can go to when things go wrong, rather than relying on the user community.

One reason for this is psychological; Republicans like to pal around with Republicans, Democrats like to hang with Democrats, and companies like to do business with companies.

Re:Commercial vs freeware

[omnirealm]

GPG is freeware

No GnuPG is not ``freeware'' It is licensed under the GPL; hence, it is Free Software. ``Freeware'' refers to a classification of software that is distributed by the author (or his publishing company) at no monetary cost. You may still be restricted by anti-community clauses in the EULA and by the source code remaining secret. Free Software preserves your freedoms and guarantees that you have access to the source code for studying, modification, and redistribution.

Better Solution

[xgyro]

Our company has been evaluating KeyMatix [keymatix.net] for file encryption. It seems to work quite well, and allows for remote key storage. With the remote key storage you can disable access to the keys when your data has been compromised. Has anyone implemented a solution with KeyMatix?

ncrypt

[Anonymous Coward]

You might want to check out nmrc's [nmrc.org] ncrypt [sourceforge.net].

PGP Cluster

[geoffrey crawford]

Another ability of a command line version could be in clusters.

Imagine someone wants to have strong key based encryption for a growing database with sensitive information. That someone could use huge muliprocessor, or clusters of smaller (or even just as large) computers to ecrypt that data, and archive it for another party or even themselves. Normally such a thing would take a while on a single computer, but with many computers working together, it could conceivably instantaneous.

A robust command line application could easily do that with currently availble cluster systems non-prepiertary to PGP. Someone with a cluster already built wouldn't even consider a GUI program.

Non-ssl-secured purchase form...???

[giantsquidmarks]

The web form to purchase the product does not appear to be an ssl secured form...

http://www.veridis.com/openpgp/en/buy2.asp

Re:Non-ssl-secured purchase form...???

[elemental23]

<form name="form1" method="post" action="https://www.veridis.com/openpgp/en/buy2.as p">

The form data is being sent over SSL to the script that does the processing. The empty form, as it's sent to you, does not need to be secured as long as the information you send back is.

But I agree, not having the form itself SSL secured is a bad move, as it's easy to assume your information will not be encrypted either.

"Here are three instant clarifications"

[verbatim_verbose]

Yeah, PGP is good... but I'll be damned if anyone can break these cryptic slashdot ramblings...

Why GPG is not an option

[dokebi]

A lot of comments point to the free GPG program. The problem is not that GPG doesn't already have all the functionality of PGP--it does. But what it can't do is be a drop in replacements for PGP-- in terms of command syntax and output file format.

Re:Why GPG is not an option

[dokebi]

Oh, and I forgot to mention, GPG doesn't use IDEA because it requires a hefty license for commercial use. So if you want to be compatible with existing PGP infrastructure, you need to have either a command line PGP or a commercial clone.

Re:Why GPG is not an option

[Xtifr]

Oh, and I forgot to mention, GPG doesn't use IDEA because it requires a hefty license for commercial use.

It doesn't include it by default because of patent issues, but if you need it, it's available [gnupg.org]. (There's even a precompiled Windows DLL.) Of course, depending on where you live, it may be against the law for you to use this code. You may even care. You might even be able to negotiate a license from the patent-holders to use the code, and still save money compared to what a commercial IDEA-based system might cost. And that might even help you begin a gradual migration away from IDEA and it's associated licensing fees, if an abrupt transition isn't possible. Just a thought.

Re:Why GPG is not an option

[Xtifr]

But what it can't do is be a drop in replacements for PGP-- in terms of command syntax and output file format.

It probably could be, but it's true that it isn't. However, the former problem can be mostly solved with pgpgpg [nessie.de], and the latter problem is pretty rare in my experience.

Anyway, all the tools I use [debian.org] have been updated to work with GPG. I think some of them may have even dropped PGP support. :)

FileCrypt comptetes with NAI product, not GPG

[prz]

Some Slashdot readers complained that FileCrypt appears to compete with GPG, which is free. Let me make it clear that my intention was not to compete with GPG, but to compete with McAfee E-business Server, for which NAI charges over $14000 per copy. I wouldn't dream of suggesting that GPG users should switch to FileCrypt. In fact, I think GPG is a nice product. But some companies prefer to do busines with companies selling commercial products. That's why NAI makes millions of dollars selling their product. There's no reason why I shouldn't try to compete in that market. And, unlike the NAI product, FileCrypt can also be licensed at a far cheaper price for users who want it on their (command-line) desktop instead of a server.

Re:FileCrypt comptetes with NAI product, not GPG

[muzzmac]

(Fake?) Phil,

How 'bout you sign your posts so we know it's really you?

from a home/personal use standpoint...

[krinsh]

I am glad there is a product out there that will let me do this. I've been trying to encourage electronic privacy among my friends and family for a couple years; and they cannot afford or are unwilling to pay for products. If they can use this to learn and expose themselves to encryption; that is great!