PGP's New Release, Source Code, and PRZ

Posted by timothy on Tue Dec 03, 2002 02:15 PM
from the hey-this-stuff-is-just-gibberish dept.
In high tech time, the span between Network Associates dropping PGP, its purchase by the purpose-formed PGP Corporation and that company's release today of PGP 8.0 may not be a short stretch, but it's been a busy several months. A product which appeared moribund despite widespread acclaim a few years earlier -- a victim of skewed corporate logic -- has rebounded for another major release, and Philip Zimmermann is doing something he's never done before: actually selling PGP. And as Zimmermann had urged long before NAI forged a deal with PGP Corporation, this time around the full source code is being released, albeit with strings. Read on for the rest of the story.

Would you buy PGP from this man?

Long before Dmitry Sklyarov was arrested for helping people undo e-book encryption, and before DeCSS was unlocking DVDs, Philip Zimmermann was being prosecuted for a nearly opposite endeavor: providing software which allowed ordinary people with a modicum of computer savvy to encrypt their own data in a way impractically difficult even for large government agencies to reverse. His modestly named application Pretty Good Privacy, or PGP, was released in 1991 as freeware and was quickly adopted by privacy seeking computer users.

Export controls then in effect barred international trade in such software; because of PGP's inevitable spread online well past the borders of the U.S., Zimmermann was accused of violating munitions-export laws. For a while, this made Zimmermann a poster boy for the right to create software free of intrusive restraint, and ended up in a three-year battle with the government which Zimmermann eventually won.

Now, in a twist worthy of novelization, Zimmermann has joined a small number of PGP Corporation partners in North America, and will be reselling PGP Corporation's version of PGP. Outside North America, PGP Corporation has sales partners in countries from Germany to Singapore -- in a sense, Zimmermann is simply their most famous salesman. (He also serves on PGP Corporation's technical advisory board and maintains a consulting relationship with the company.)

Sales, though, is really a sideline to Zimmermann's consulting business. "I'm not really switching my career to sales," he says. Zimmermann is nonetheless enthusiastic about his new role selling the software he kick-started more than 11 years ago, though it's a switch from his role in creating it. "I don't write code anymore," he said from his Silicon Valley home office. "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am." Zimmermann downplays the Federal government's legal proceedings against him in the first half of the 90s, calling it "old news" and "years in the past."

Like any large organization, in fact, the Federal government has a need to encrypt certain documents, so it's no surprise that government bodies of every stripe use "a ton" of PGP. It seems likely that his sales venture means that Zimmermann will soon have come full circle, from producer of verboten software to vendor selling his product to government agencies. Zimmermann admits "It would be funny, and there would be a certain irony if that happens ... I'm hoping to sell to enterprise customers, large users, and that includes the government. If the government wants to buy it from me, that would be fine with me."

Something to sell, and source code, too.

PGP's present is finally catching up with its history (try this google search for a number of links): today's release of version 8.0 for Windows and Mac OS X differs not just in name from PGP as it was released under NAI's stewardship, because this time there is full source code to go along with it. (A Linux release is being investigated.)

The 8.0 release doesn't differ in basic purpose from previous versions of PGP: it's still intended as an easy-to-use approach to encryption for both business and personal use, with hooks to a wide range of network operating systems and mail systems; there are several simultaneous releases, actually, from freeware (for non-commercial use) to an Enterprise edition, and the features available vary with the price. There's also a link to download the full source, under certain conditions, from PGP Corporation's home page.

PGP Corporation director of products Stephan Somogyi says he's proud of the way the company has walked the tightrope between source code availability and securing its own interest in the product based on that code.

The license agreement it takes to download source code, however, contains clauses guaranteed to rankle some open-source advocates and security enthusiasts. For instance, part of the third section of the eight-section source code license reads: "You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you."

Another section carefully lists uses of the code which are explicitly prohibited, including a note that a downloader may not "give (meaning sell, loan, distribute, or transfer) the source code files to anyone else" (except under certain outlined circumstances). Further, those who download the source code may not "use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the source code and the security features of the PGP software."

Somogyi draws a distinction here between the meaning of an End User License Agreement (EULA) and a source code license such as the one required to download the PGP source. The source code is there, he says, because "PGP [Corporation] is making it clear that we don't have anything to hide and that PGP remains a trusted brand, a trusted codebase."

With nothing more than a click-through license protecting it, there will almost certainly be rogue copies of the source code soon, but as Somogyi puts it, "the only place that anyone who cares about their security is going to get PGP is from us -- no one is going to use some randomly compiled version of PGP, because they don't know the provenance. It's all about trust, from our perspective."

Zimmermann, too, takes pains to note a distinction which sounds similar to one made by Microsoft in describing that company's "Shared Source" source code disclosure. "Publishing source code doesn't mean you're giving away the software -- if you think about it, John Grisham publishes his novels in source code form. Does that mean he's giving up his copyright in them? No. If Microsoft published the source code to Office, does that mean they wouldn't still want money for it? There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away."

Reputation and Propriety.

It's hard to say how much of PGP's reputation is really that of its creator.

Zimmermann's insistence on his right to create troublesome code, and on the freedom to encrypt which his software provided its users, endeared him to crypto-libertarians before most of the current battles of software freedom and philosophy had reached public consciousness.

Whereas Zimmermann famously left Network Associates, PGP Corporation seems much more interested in maintaining the integrity of Zimmermann's connection to PGP, which is if anything a tacit admission of Zimmermann's importance to the company's reputation.

"We would be foolish if we did not seek counsel from people who are the best in their fields," says Somogyi. "It's really important that Phil be involved." Zimmermann's presence on the technical advisory board from its inception will probably serve to reassure users worried about corporate machinations.

Should You Buy PGP from this man?

When PGP was first released, it was cutting edge -- in the sphere of ordinary computer users, it was a runaway hit. Now there are alternatives to PGP; in the Free software world, these include notably the GNU Privacy Guard (GPG), a suite of tools which aims to be a user-friendly equivalent to PGP consisting entirely of Free software.

Neither Zimmermann nor PGP Corporation's Somogyi seems worried about Free software alternatives to their own products, which can after all still be used free of charge.

"There's still a freeware version of PGP, and there's still going to be a free version of PGP, including the version that's coming out, version 8," says Zimmermann, who actually points to GPG and several other products from his sales web page. "I applaud the creation of GPG, we need to have multiple sources for this kind of technology. But you know, PGP is a good product, I think that it's easier to use."

Somogyi echoes this line of reasoning. "Fundamentally I think that the people who use PGP is one group, and the people who use GPG are another, and I don't see a heck of a lot of competition between the two efforts," he says.

Zimmermann says that the prospect of selling PGP, though -- and making money from it -- is key to its prospects for success. "Look at what happened last time when nobody paid for PGP. NAI pulled the plug on the product. From February of this year until August, PGP was in limbo. ... Remember the National Lampoon from the 70s, 'Buy this magazine or we'll shoot this dog'? That's what happened. They shot the dog!"

"It takes money to pay the engineers, it takes money to do all this stuff. PGP is a big important product, it doesn't just happen for free." And when NAI dropped PGP development, the software "went into an intellectual property black hole. When a company pulls the plug on a product, it just disappears. All this political posturing about saying that cryptography should be free, that's all very nice, but it doesn't pay the bills."

This discussion has been archived. No new comments can be posted.
  • Good for Zimmermann (Score:3, Insightful)

    by BlueAlien.Org (82929) on Tuesday December 03 2002, @02:21PM (#4803763) Homepage
    If he can get corporations and individuals to buy his product, then where is the harm? I wish him the best of luck on trying to profit from his creation. Of course, the license is very prohibitive, but I don't see that as being a major factor affecting sales.

    - Rick
  • I can buy it but .... (Score:3, Interesting)

    by frovingslosh (582462) on Tuesday December 03 2002, @02:22PM (#4803773)
    OK, I can now buy the software for personal use, but I can download the source for free (for review, yada yada yada). Anyone see a problem with this logic?
    • Re:I can buy it but .... by Gemini (Score:2) Tuesday December 03 2002, @02:25PM
    • Re:I can buy it but .... by BlueAlien.Org (Score:2) Tuesday December 03 2002, @02:26PM
    • RedHat too by masonbrown (Score:2) Tuesday December 03 2002, @02:27PM
      • Re:RedHat too by Remik (Score:2) Tuesday December 03 2002, @02:36PM
        • Re:RedHat too by dillon_rinker (Score:2) Tuesday December 03 2002, @03:07PM
      • Re:RedHat too by larry bagina (Score:2) Tuesday December 03 2002, @05:11PM
    • Re:I can buy it but .... (Score:5, Insightful)

      by Night Goat (18437) on Tuesday December 03 2002, @02:27PM (#4803827) Homepage Journal
      They explain it in the article. The makers of PGP feel that some guy compiling the source code and making it available or using it himself isn't going to cut into their profits too much because most people interested in using cryptography aren't going to use some shady, homebrewed, perhaps compromised program, they're going to buy it straight from PGP so they can trust it.
    • Re:I can buy it but .... (Score:5, Insightful)

      by ergo98 (9391) <dennis.forbes@gmail.com> on Tuesday December 03 2002, @02:29PM (#4803840) Homepage Journal
      You can buy a copy of Windows at Best Buy, or you can download it from a warez channel, or you can go to a friend's and rip an ISO of his copy. Does anyone see a problem with this logic?

      Phil has always advocated that it is very important that there is peer review of security products, and I entirely agree with him on that point, but he is not an open source advocate (which is why I find the nitpicking about the license absurd: It's not GPLd, folks, it's peer review. The release of the source is only intended to allow for particularly paranoid folks to ensure that there aren't any backdoors in the code). They are two entirely different things, and it's completely reasonable for him to release those products as he has.

      If someone builds the source and distributes the binary, they are no different from someone ripping an ISO and distributing warez.
      • Re:I can buy it but .... (Score:5, Informative)

        While I applaud your distinction between peer review and open source, I have to ask: How do we know that a binary we're given, and some source code we're given, amount to the same product?

        Take "main(){printf("Hello!\n");}" and "main(){printf("%s","Hello!\n");}"

        While functionally identical, gcc will compile them into two very different binaries.

        In short, there's no way to verify that the source code and the program are the same. Even if the two programs appear to respond to every interaction in the same manner, there's no way to know that there isn't a back door in the pre-compiled version.

        And we're prohibited from using the provided source code for anything but verifying a lack of flaws. Legally, we can't buy the program and compile the accompanied source for personal use.

        I'm not saying "Don't trust PGP." I'm just pointing out a flaw in their peer-review logic. If they allowed you to use the compiled source for personal use, then all would be well. (Aside from moral compunctions, of course.)
        • Re:I can buy it but .... by ergo98 (Score:2) Tuesday December 03 2002, @04:23PM
        • Re:I can buy it but .... by Anonymous Coward (Score:2) Tuesday December 03 2002, @04:38PM
        • Re:I can buy it but .... (Score:4, Insightful)

          by Tassach (137772) on Tuesday December 03 2002, @05:23PM (#4805426) Homepage
          In short, there's no way to verify that the source code and the program are the same.
          Nonsense. You download the source and compile it in a build environment that matches the one used to produce the official executable.

          If the MD5 and SHA1 checksums of the code you compiled locally match those of the distributed version, you have a very high degree of confidence that the distributed executable was indeed compiled from the published source code. If they don't match, tampering is a possibility.

          In order to do this successfully, you need two things that seem to be lacking in this case: the makefile used to compile the official executable, and all the pertinent details about the build environment (compiler version, versions of statically-linked libraries, and so forth). If you can't exactly duplicate the build environment, it's probable that there will be differences in the executable code even if it was compiled from the same source code.

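The rebuild-and-compare check described in the comment above (and the binary-versus-source mismatch the parent comment worries about), scripted as an added example that is not from the article or from PGP Corporation. The source file, build command and published digest are the caller's own inputs; it uses SHA-1, one of the two digests the comment names, and the demo at the end uses a constructed source file with a plain copy standing in for the compiler so it runs anywhere.

```shell
#!/bin/sh
# Added example, not PGP Corporation's code: rebuild from published source in a
# pinned environment, confirm the build is deterministic, then compare the local
# digest with the digest the vendor published for the shipped executable.

# Digest helper: sha1sum on GNU systems, shasum elsewhere (macOS/BSD).
digest() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# build_and_hash SRC OUT BUILD_CMD
# Runs BUILD_CMD (a shell snippet that reads $SRC and writes $OUT) with the
# things that most often make two builds of identical source differ pinned:
# the embedded build date, the time zone and the locale. Prints the digest of OUT.
build_and_hash() {
    src="$1"; out="$2"; cmd="$3"
    rm -f "$out"
    env SOURCE_DATE_EPOCH=0 TZ=UTC LC_ALL=C SRC="$src" OUT="$out" sh -c "$cmd" || return 1
    [ -f "$out" ] || return 1
    digest "$out"
}

# check_reproducible SRC BUILD_CMD
# Builds twice and succeeds only if both builds have the same digest. If this
# fails, a mismatch against the vendor's binary proves nothing about tampering:
# it only shows the build environment was not fully specified (compiler
# version, static libraries, flags), which is the gap the comment points out.
check_reproducible() {
    first=$(build_and_hash "$1" "$1.build1" "$2") || return 1
    second=$(build_and_hash "$1" "$1.build2" "$2") || return 1
    rm -f "$1.build1" "$1.build2"
    [ "$first" = "$second" ]
}

# verify_against_published SRC BUILD_CMD PUBLISHED_DIGEST
# Exit 0: deterministic local rebuild matches the published digest.
# Exit 2: the build is not deterministic, so no comparison is meaningful.
# Exit 1: deterministic build, but it differs from what the vendor shipped.
verify_against_published() {
    check_reproducible "$1" "$2" || return 2
    mine=$(build_and_hash "$1" "$1.local" "$2") || return 1
    rm -f "$1.local"
    [ "$mine" = "$3" ]
}

# Stand-alone demonstration with a constructed "source" file and a toy build
# step (a copy), so it needs no compiler. A real check passes the project's
# actual build command, e.g. a make invocation with the vendor's pinned flags.
demo() {
    tmp=$(mktemp) || return 1
    printf 'abc' > "$tmp"                                   # constructed source
    good='a9993e364706816aba3e25717850c26c9cd0d89d'         # SHA-1 of "abc"
    if verify_against_published "$tmp" 'cp "$SRC" "$OUT"' "$good"; then
        echo "match: local build equals the published digest"
    else
        echo "mismatch: rule out environment differences before suspecting tampering"
    fi
    rm -f "$tmp"
}

demo
```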
        • Re:I can buy it but .... by ergo98 (Score:1) Tuesday December 03 2002, @05:56PM
        • Re:I can buy it but .... by ergo98 (Score:1) Tuesday December 03 2002, @08:46PM
    • Re:I can buy it but .... by McVeigh (Score:1) Tuesday December 03 2002, @03:29PM
    • Re:I can buy it but .... by Rick the Red (Score:2) Tuesday December 03 2002, @03:18PM
  • by Cyclometh (629276) on Tuesday December 03 2002, @02:22PM (#4803774)

    on publishing vulnerabilities or bugs, but at least they're making it possible, as long as you let them know, etc. Some of the more radical "full-disclosure at any cost instantly" types will rankle at this, but I think most will look at it as it is: the company that has to maintain the software covering their butts as well as they can.

    It could have just said "you're not allowed to publish any problems you find, period."

  • Turnaround Time (Score:5, Interesting)

    by Steve B (42864) on Tuesday December 03 2002, @02:22PM (#4803777) Homepage
    You agree that you will not post any information about any bug, problem, deficiency, or weakness in the PGP software on any web site or electronic bulletin board, or otherwise disclose or provide any such information to anyone else, unless you have first reported it to PGP and until at least 30 days after PGP sends its email acknowledgement to you.

    I'd be more comfortable with this if there was an absolute cap that did not depend on the acknowledgement. As written, it would seem to allow PGP to freeze the clock indefinitely by simply not responding.

    • Re:Turnaround Time (Score:5, Interesting)

      by Cyclometh (629276) on Tuesday December 03 2002, @02:27PM (#4803823)

      It's a good point, but they know as well as anyone that an unacknowledged problem becomes an embarrassing public one when the problem is posted anonymously, which is what would happen if they "froze the clock" in the manner you speak of.

      I'm willing to extend them the benefit of the doubt on this one... they'd be hurt more than most of the software producers by having a security bug go unacknowledged/unpatched. It's not like a license agreement is going to stop the spread of any vulnerability info at any rate.

    • Re:Turnaround Time by Anonymous Coward (Score:1) Tuesday December 03 2002, @02:29PM
    • Depends on how they implement it... by Kjella (Score:2) Tuesday December 03 2002, @02:45PM
    • Re:Turnaround Time (Score:5, Interesting)

      by dillon_rinker (17944) on Tuesday December 03 2002, @02:55PM (#4804049) Homepage
      allow PGP to freeze the clock indefinitely by simply not responding
      Precisely. And what happens if they go out of business? This is one of the key things that many otherwise well-intentioned source code license agreements fail to recognize: the software may outlast the company that created it. It would likely be problematic even if some other corporation bought the PGP vendor. It is not uncommon for someone to buy the ASSETS of an insolvent corporation, but the obligation to respond to queries about source code would logically be considered a LIABILITY.

      Anyway, I think they had good intentions with this clause but they've paid too much attention to their lawyers. Perhaps, if the clause as written turns out to be a problem, (good) hackers could merely post "I have some interesting information about the product, but I am legally prevented from disclosing it by Section X, Paragraph Y of the source code licensing agreement. Please encourage the PGP vendor to acknowledge my emails"
    • Re:Turnaround Time by Kashif Shaikh (Score:1) Tuesday December 03 2002, @03:55PM
    • Re:Turnaround Time by charon_on_acheron (Score:1) Tuesday December 03 2002, @07:36PM
  • Differences from previous releases? (Score:5, Interesting)

    by masonbrown (208074) on Tuesday December 03 2002, @02:22PM (#4803779) Homepage
    OK, as a corporate user with a Win2k machine using Outlook, is there any significant reason to upgrade to 8.0 from whatever I'm using now and have used for a year or so? I know the article says there aren't significant changes, but I'd be interested in what specifically is better / improved.
  • Broken? (Score:1)

    by Adam.Steinbaugh (540388) <good_reverend@hotm a i l .com> on Tuesday December 03 2002, @02:23PM (#4803784) Journal
    Has PGP *ever* been broken, hacked? Could it now that the source code has been released?
    • Re:Broken? by Wesley Felter (Score:2) Tuesday December 03 2002, @02:32PM
    • The source has been available by ergo98 (Score:3) Tuesday December 03 2002, @02:36PM
    • Re:Broken? (Score:5, Informative)

      by Bishop (4500) on Tuesday December 03 2002, @02:47PM (#4803994)
      Yes. An easy to find example [slashdot.org]. I believe there was a weakness way back in the early 2.1 - 2.3 versions as well. PGP (USA version) was probably also vulnerable due to some of the RSAref.lib bugs. Source for PGP up to 5i is available [debian.org].

      PGP has been shown to be good secure code. Making the source available won't lessen the security. That is the point: peer review will strengthen the code. Phil Zimmermann knows what he is doing.
      • typo: by Bishop (Score:2) Tuesday December 03 2002, @02:49PM
      • Re:Broken? by Kashif Shaikh (Score:1) Tuesday December 03 2002, @04:07PM
        • Re:Broken? by Bishop (Score:2) Tuesday December 03 2002, @05:26PM
  • don't order it this morning... (Score:5, Informative)

    by SweetAndSourJesus (555410) <JesusAndTheRobot ... m ['hoo' in gap]> on Tuesday December 03 2002, @02:23PM (#4803791)

    I plunked down my cash first thing this morning.

    It looks like they're pretty swamped. The download failed, and, after the third try told me that the link had expired.

    We are sorry that we are unable to complete your download at this time. This download link expires three weeks from purchase and after three downloads.

    I guess this means I've got to call their customer service department today. So, you may want to wait a bit before buying. The beta I've got for OS X doesn't expire until 12/06/2002, so I'm not totally screwed yet.

  • GPG? (Score:1, Insightful)

    by Anonymous Coward on Tuesday December 03 2002, @02:23PM (#4803795)
    How well does PGP 8 compare to GPG (or vice versa).

    I know GPG can't do some forms of encryption/de-encryption because of copyright schemes, but if this has the source being released maybe we will see some more competition between GPG and PGP, or is the license for PGP too restrictive?

    • Re:GPG? by entrylevel (Score:2) Tuesday December 03 2002, @03:02PM
    • Re: PGP vs GPG by metamatic (Score:1) Wednesday December 04 2002, @03:56PM
  • PGP must be good encryption. (Score:5, Funny)

    by Kenja (541830) on Tuesday December 03 2002, @02:24PM (#4803800)
    PGP must be good encryption. I've been trying to brute force decrypt the phrase "zimmermann" and I've had no luck at all so far.
  • But wait! (Score:1, Funny)

    by Anonymous Coward on Tuesday December 03 2002, @02:25PM (#4803815)
    Shouldn't PGP be labeled as evil, since it isn't open source?
  • by Sheetrock (152993) on Tuesday December 03 2002, @02:26PM (#4803816) Homepage Journal
    It's cool for a hacker (good connotation intended) like Phil Zimmermann to publish something that goes against the grain. On the other hand, it's not cool for a hacker (good connotation still intended) like those that frequent Bugtraq to publish something that goes against the grain (making public a security flaw without the express permission of PGP Corporation).

    Managing disclosures of security flaws may be a good thing if you intend to fix them, but their policy doesn't mention what happens if they decide to sit on the problem instead.

  • Pay for PGP? (Score:1)

    by failrate (583914) on Tuesday December 03 2002, @02:26PM (#4803822) Homepage
    Sure, why not? Especially in an enterprise solution, where the PGP Corporation can personalize the software for each customer.

    Open source != Open source, though?

    While a lot of OSSes are going to get their panties in a bunch, note that it is still possible to study the code and write new code based on the *concepts* that you learned about encryption. I don't know how to write encryption, but if I were to learn, I'd love to study robust professional code for free.

  • PGP is overrated (Score:4, Insightful)

    by Hairy_Potter (219096) on Tuesday December 03 2002, @02:28PM (#4803831) Homepage
    so is GPG. If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. Uncrackable files don't mean much when traffic analysis shows email to the Cali cartel and cyber-cafes in Pakistan.

    But, just like the NRA sorts, who cling to the illusion that their pre-ban AR-15 will protect them against the black helicopters, PGP users delude themselves into thinking they're making a heroic stand for freedom, when in reality, no one cares about their encrypted plans to sleep in line for the Two Towers premiere.
    • Re:PGP is overrated (Score:5, Insightful)

      by SweetAndSourJesus (555410) <JesusAndTheRobot ... m ['hoo' in gap]> on Tuesday December 03 2002, @02:32PM (#4803874)
      I can't remember where I read this analogy, but I'm pretty sure Zim came up with it:

      You use envelopes, right? Why? Because you don't want everyone in the post office reading your mail. If you didn't care, you'd use postcards. Sure, the envelope isn't bulletproof, but it's enough to keep the casual snooper out. Same deal with PGP.

      You're right, if the Man wants to read your email, he's going to do it. PGP isn't designed to be a totally secure system, just a mostly secure one.
    • Re:PGP is overrated by WanderingGhost (Score:2) Tuesday December 03 2002, @02:40PM
    • Re:PGP is overrated by sharkey (Score:2) Tuesday December 03 2002, @02:45PM
    • Re:PGP is overrated (Score:5, Insightful)

      by RealAlaskan (576404) on Tuesday December 03 2002, @03:01PM (#4804097) Homepage Journal
      If the government really wants to get you, they'll surround you with Tempest vans, put a key sniffer in your keyboard, grab all your traffic through your ISP and monitor your phone calls. ....

      So, given that's true, why bother encrypting anything? Answer: if a lot of innocent traffic is encrypted, it significantly raises the effort level required to identify the non-innocent traffic, and thus makes it much less likely that the government WILL decide that it ``really wants to get you''.

      Is that a good idea? Even after the events of the last year, government in general still seems to have the resources to be a greater threat to us than all the Islamic malcontents in the world put together. Some of those governments definitely have the will to do us harm; after all, some of them are run by those same Islamic malcontents. Some of us are living under the power of those evil governments. PGP and its successors have been used by human rights groups operating in countries like Yugoslavia, to keep records secret.

      Don't forget, also, that while a despot might tire of amusing himself by persecuting you, the bureaucrats who persecute decent folks in the western world are doing it for our own good, and their self-image as good people and hard workers depends on putting Dmitry in jail, or busting down the doors of people who have violated a contract with their cable company by uncapping a modem, or what-not. The people who are probably the greatest threat to us in the US and Europe are these well-intentioned, honest, hardworking idiots, who honestly believe that they are protecting us all. Sometimes they ARE protecting us all, and sometimes they are doing quite the opposite, but they are always trying to earn their pay by doing their job, no matter how destructive that may be.

      Overall, I think it is an excellent idea to make it as difficult as possible for the government to keep tabs on us, or to single us out, even when our government is NOT deliberately evil, as is the case in the US.

      ... PGP users delude themselves into thinking they're making a heroic stand for freedom, when in reality, no one cares about their encrypted plans to sleep in line for the Two Towers premiere.

      It isn't just governments that have secrets. Most companies have marketing plans, customer lists, and so on that their competition would give big bucks to get. If only the sensitive email is sent encrypted, it's obvious which messages need to be cracked. It's also obvious when there is a flurry of sensitive activity. If you also encrypt your non-sensitive email at work, that eliminates that sort of problem.

      Finally, personal, frivolous users of encryption ARE helping folks who have a serious need for it, at least indirectly. See my first paragraph. If they are deluded, well, that's good for the rest of us. We can't afford to have things reach the point that using PGP makes you a suspect. The world is full of folks who are eager to do bad things to good people, some of them with the very best of intentions for the very people they'd harm.

    • Re:PGP is overrated by dsplat (Score:2) Tuesday December 03 2002, @03:18PM
    • Raising The Bar by Steve B (Score:2) Tuesday December 03 2002, @03:30PM
    • Re:PGP is overrated by Master of Transhuman (Score:1) Tuesday December 03 2002, @04:02PM
    • PGP is underrated by ChaosDiscord (Score:2) Tuesday December 03 2002, @04:50PM
    • Re:PGP is overrated by Chandon Seldon (Score:1) Tuesday December 03 2002, @08:10PM
    • Re:PGP is overrated by ergo98 (Score:1) Wednesday December 04 2002, @11:28AM
    • Re:Parent is overrated. Mod down please. by J. Random Software (Score:2) Tuesday December 03 2002, @03:38PM
  • by farrellj (563) on Tuesday December 03 2002, @02:30PM (#4803848) Homepage Journal
    So, when does the Linux version come out?!?!

    ttyl
    Farrell
  • John Grisham (Score:1)

    by Joe Enduser (527199) <joe.enduser@NoSpAM.kidsfromfame.nl> on Tuesday December 03 2002, @02:31PM (#4803853) Homepage
    This is a flawed comparison, or did I miss the links to the tex/docbook sources?

    A book is just as much its own source code as a Windows XP installation CD.

    • Re:John Grisham by J. Random Software (Score:2) Tuesday December 03 2002, @03:53PM
  • To be or not to be (Score:4, Insightful)

    by Subcarrier (262294) on Tuesday December 03 2002, @02:32PM (#4803864)
    "As you get further along in your career, you get further away from the things you like to do. I wish I could get back to it, but it's the Peter Principle, and here I am."

    Sounds like he is trying to convince himself that he is happy and it's not quite working.
  • Signing source code? (Score:5, Insightful)

    by SiliconEntity (448450) on Tuesday December 03 2002, @02:32PM (#4803869)
    Is the PGP source code signed? If so, then there is no question of provenance as quoted in the article. You can get the source code from anywhere and verify the signature (using an old, trusted copy of the PGP binaries if necessary). That will prove that the source has not been altered and it is just as good as getting it from the company.

    (If PGP is not signing the source code that would be a bit odd, not using the very technology that they are selling. Presumably they are in fact signing it and the provenance thing was just marketing BS.)
  • Java (Score:2)

    by Yoda2 (522522) on Tuesday December 03 2002, @02:34PM (#4803884) Homepage
    I sure hope the pending SDK [pgp.com] has support for the latest version of Java. I have yet to get the latest version of Cryptix OpenPGP [cryptix.org] to work with the J2SE v 1.4.1 [sun.com].
    • Re:Java by CynicTheHedgehog (Score:2) Tuesday December 03 2002, @03:01PM
      • Re:Java by Gemini (Score:1) Tuesday December 03 2002, @03:05PM
  • by Wee (17189) on Tuesday December 03 2002, @02:37PM (#4803915)
    All I see are Windows and Mac versions on their download page [pgp.com]. That's, um, mostly useless to a lot of folks (as in the kind of folks into crypto who are more likely to be running Linux or Solaris or *BSD than Joe eMachine is).

    I fail to see how the PGP vs. GPG question isn't settled on this very point. PGP won't even run on many platforms, so any ease-of-use claims should be dismissed out of hand on that basis alone. The choice is really between GPG (which is being actively developed) and freeware PGP [mit.edu] (which looks to be getting pretty old). That isn't much of a choice.

    Go ahead and flame away...

    -B

  • by angst_ridden_hipster (23104) on Tuesday December 03 2002, @02:37PM (#4803918) Homepage Journal
    ... PGP 7.0 had the annoying problem that the firewall / network filtering stuff it wanted to install would completely hose XP's network stack.

    Oh, and if you ran the un-installer, trying to fix it, it would remove the TCP/IP stack from XP altogether (even though that's not supposed to be possible).

    If you rolled back using the XP Configuration tool, it was all OK. If you tried to reinstall XP's TCP/IP stack alone, or repair it using the install disk, you got mightily screwed by the fact that XP doesn't do a proper TCP/IP reinstall, coupled with the fact that when you run this reinstall/repair, it blows away your ability to roll back to a good configuration.

    OUCH...

    Of course, if you installed it without the network stuff, it was OK, and just makes XP occasionally pop up messages saying that the SDK driver is unavailable.
  • by NineNine (235196) on Tuesday December 03 2002, @02:49PM (#4804004) Homepage
    I'm CONSTANTLY reading about how MS's EULA are so terrible, yet this one prohibits what you can and cannot say about the product and *this* is acceptable? Talk about truly restricting free speech (I don't even know if this is legal). Anyone who buys this has got to be out of their fucking minds. I buy MS stuff (licenses and all), but I wouldn't touch this with a 10 foot pole.
  • by weave (48069) on Tuesday December 03 2002, @02:58PM (#4804068) Journal
    WTF? I can download the source code to audit, but I can't compile it for any other use than to verify it? This means I can't use the compiled source code in daily normal use?

    Anyone else have a problem with this? OK, I download source code, verify it looks fine, but if I want to use the program, I need to buy/download the binary from them -- whose binaries may not necessarily be compiled from the source code I verified to my satisfaction.

    (Thank god for GNU and gpg, no strings attached beyond that "nasty" "viral" (sarcasm) GPL)

    p.s. I guess we won't be seeing THIS product as part of gentoo! :)

  • It's not just encryption (Score:5, Insightful)

    by Gemini (32631) on Tuesday December 03 2002, @02:58PM (#4804073)
    A lot of people have posted comments to the effect of "If they want to get at your secret email, they will anyway despite PGP". Don't forget that GnuPG/PGP has a huge other use as well. OpenPGP signatures are what protects a huge number of software packages from tampering.

    The recent trojanings of OpenSSH, etc, would have been caught even earlier if users had checked the OpenPGP signature distributed along with the tarball.
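    SiliconEntity's point above (fetch the source from anywhere and verify its signature with a trusted copy of PGP) and Gemini's remark about the tarball signatures that would have caught the trojaned releases are the same check. As an added example that is not code from the thread, PGP Corporation or GnuPG, the script below assumes GnuPG 2.x is installed and constructs throwaway keys, a stand-in tarball and two detached signatures; it shows the step both posts leave implicit, which is that the signature must be good AND made by the one key you already trust, because gpg --verify also accepts a good signature from any other key in the keyring.

```shell
#!/bin/sh
# Added example (not code from the thread, PGP Corporation or GnuPG): verify a
# detached OpenPGP signature on a source tarball AND insist that it was made by
# one pre-trusted key. "gpg --verify" alone exits 0 for a good signature from
# ANY key in the keyring, so the fingerprint check is what ties the source to
# its maintainer. Assumes GnuPG 2.x; keys, tarball and signatures are
# constructed below in a throwaway GNUPGHOME purely for the demonstration.
set -eu

# verify_pinned HOME TARBALL SIG EXPECTED_FPR -> 0 only for a good signature
# whose primary-key fingerprint (from gpg's machine-readable status lines)
# equals EXPECTED_FPR; a good signature from any other key is rejected.
verify_pinned() {
    status=$(GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null) || return 1
    # "[GNUPG:] VALIDSIG ..." is printed only for a good signature; field 12 is the primary key fpr
    actual=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $12 }')
    [ -n "$actual" ] && [ "$actual" = "$4" ]
}

# gen_key HOME USERID -> creates an unprotected key and prints its fingerprint
gen_key() {
    GNUPGHOME="$1" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never 2>/dev/null
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_detached HOME USERID FILE OUT -> detached signature of FILE by USERID
sign_detached() {
    GNUPGHOME="$1" gpg --batch --pinentry-mode loopback --passphrase '' \
        -u "$2" --detach-sign --output "$4" "$3" 2>/dev/null
}

# setup_demo -> sets DEMO_HOME, DEMO_TARBALL, MAINT_FPR and writes good.sig
# (maintainer) and stranger.sig (another key that is also in the keyring)
setup_demo() {
    DEMO_HOME=$(mktemp -d); chmod 700 "$DEMO_HOME"
    DEMO_TARBALL=$DEMO_HOME/pgp-src.tar.gz
    printf 'constructed stand-in for a source tarball\n' > "$DEMO_TARBALL"
    MAINT_FPR=$(gen_key "$DEMO_HOME" "Maintainer <maint@example.invalid>")
    gen_key "$DEMO_HOME" "Stranger <stranger@example.invalid>" > /dev/null
    sign_detached "$DEMO_HOME" Maintainer "$DEMO_TARBALL" "$DEMO_HOME/good.sig"
    sign_detached "$DEMO_HOME" Stranger "$DEMO_TARBALL" "$DEMO_HOME/stranger.sig"
}

if [ "${1:-}" = demo ]; then   # run as "sh verify.sh demo" to see both outcomes
    setup_demo
    verify_pinned "$DEMO_HOME" "$DEMO_TARBALL" "$DEMO_HOME/good.sig" "$MAINT_FPR" && echo "maintainer signature: accepted"
    verify_pinned "$DEMO_HOME" "$DEMO_TARBALL" "$DEMO_HOME/stranger.sig" "$MAINT_FPR" || echo "stranger signature: rejected"
fi
```

    In real use the pinned fingerprint comes from a copy of the maintainer's key obtained out of band (or, as the post says, an old trusted installation), never from the same download as the tarball.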
  • Student License (Score:2)

    by rosewood (99925) <rosewoodNO@SPAMchat.ru> on Tuesday December 03 2002, @03:16PM (#4804243) Homepage Journal
    You know - when PGP was owned by NAI I had no qualms just warezing it. I loved PGP disk and a few other PGP things. Just quick encryption of files was nice. A little tighter incorporation with Outlook and taking up less resources would be very cool.

    Now that it's PGP not owned by NAI, I really want to own and use and promote this product. I however have no money as a college student. However, as a college student I think I would REALLY benefit from PGP. Not only keeping email between advisors and other students encrypted but also just keeping my personal records safe on the "wonderfully" secure campus network.

    Anyhoo, just my thought trinkles.
  • by MagicFab (7234) on Tuesday December 03 2002, @03:26PM (#4804351) Homepage
    An easy way to install WinPT [winpt.org] is available now [fabianrodriguez.com].

    Cheers,

    F.

  • by e40 (448424) on Tuesday December 03 2002, @03:35PM (#4804462) Journal
    back in the 90's. Does this mean I get a discount?

    Anyone else think it's expensive? $80 for Windows for one year, or $165 for a perpetual license. Ouch!
  • PGP Desktop (Windows) Price: $80.00 and that entitled you to "own" the license for a single year FFS. That's a lot of money IMO. $30-$40 I'd gladly pay, after all it's a great product and Phil is a clever bloke. But $80 is too much when I can get the same functionality from the old free version or the completely free GNU version.
  • by aquarian (134728) on Tuesday December 03 2002, @03:40PM (#4804513)
    To me, there's a more important, significant use of PGP than privacy. One of the biggest obstacles to *really* doing business over the internet is being able to verify where messages come from. PGP provides this. A PGP signed message is as good as a signed piece of paper.

    I never cease to be amazed at how this aspect of PGP is never discussed. I guess all the stupid, nose-picking, trainspotting geeks all over the world really can't see beyond the government prying into their porn collections.
  • gpg can actually help sell pgp (Score:3, Interesting)

    by kevin lyda (4803) on Tuesday December 03 2002, @03:44PM (#4804550) Homepage
    we use (or advocate the use of) gpg to encrypt and auth sensitive data for our servers. this is not to protect the files from the gov't, it's to stop data with a high monetary value from being stolen. most of us at work at least have gpg configured.

    we usually recommend pgp for less technical users - of which there are far more than on the server side. so pgp would get more sales from us due to gpg. i hope they sell lots of their s/w and make it even easier to use - it would really help us if less technical people were more exposed to pgp.
  • XP-like activation (Score:2)

    by bwalling (195998) on Tuesday December 03 2002, @03:50PM (#4804614) Homepage
    From reading their site [pgp.com], it sounds like they are now using XP-like product activation. You enter your license key, then it contacts their servers to validate your license.
  • by microTodd (240390) on Tuesday December 03 2002, @03:58PM (#4804702) Homepage Journal
    OK, maybe this is wrong place to ask this question, but I've searched the web and have not found what I'm looking for. Has anyone ported the newer PGP (6.5.8+) to Java using JNI? I'd really like to programmatically use PGP in Java without using a command-line.

    And I'm a lazy bastard who doesn't want to port it myself. I've got enough other coding on my plate to work on...

    TIA...
  • by njdj (458173) on Tuesday December 03 2002, @04:27PM (#4804958)
    I can't think of any reason to prefer PGP to GnuPG, and there are some reasons (already pointed out) for preferring GnuPG to PGP.

    So, overall, I can't see why anyone would use PGP.

    Zimmermann made a great contribution, deserves tremendous credit for what he did, but as he says himself, it's all history.
  • by ChaosDiscord (4913) on Tuesday December 03 2002, @05:00PM (#4805211) Homepage Journal
    There's a difference between letting people look at your source code -- finding bugs, fixing problems -- and giving it away.

    Great, I was looking for an opportunity to debug someone else's commercial software for free!

    I applaud his efforts toward transparency, and restricted source is better than no source. But if I'm thinking of putting some effort into improving some software for my own use, it's an easy choice between GPG and PGP. With GPG, I know that my changes and the code that my changes are based on will be available to myself forever, and I can share my changes with others if the official source goes away.

  • Zimmermann vs Stallman? (Score:2, Informative)

    by technoCon (18339) on Tuesday December 03 2002, @06:29PM (#4805953) Homepage Journal
    Zimmermann sounds reasonable, but I'd dearly love to hear what RMS has to say about this.

    I think that both Zimmermann and Stallman are Good Guys.

    There's daylight between Zimmermann's source release and the GPL. I think Zimmermann's license intends to accomplish something different than the GPL. "There are no NSA backdoors in here." is different than "Here's the source, send back any improvements you find."

    I think the GPL is more realistic in that it acknowledges that (healthy) software is not static. The proof of this conjecture will come when PGP and GPG have been out there for a few years and we see which one has more useful features and fewer bugs.

    We'll see.
  • I just paid my $39 (Score:2)

    by Simon Garlick (104721) on Tuesday December 03 2002, @08:52PM (#4806895)
    For the use I've had out of freeware and compiled-from-source versions of PGP over the years, this is a no-brainer. PGP has been invaluable to me for a long time.

    Come on PGP users, put your money where your privacy is!
  • eBusiness Server (Score:2, Interesting)

    by chiph (523845) on Tuesday December 03 2002, @09:19PM (#4807072)
    FYI: Network Associates kept the rights to their eBusiness Server when they sold the rights to the desktop version of PGP to the new PGP Corporation. eBusiness Server is used by many corporations to automate their PGP encryption for batch processes, SOAP servers, etc.

    Even when (If!) the Gnu GPG group decides to release a library/DLL version of their privacy tool, I suspect a fair number of companies will continue to use the NAI product in order to avoid having to deal with the Bureau of Industry and Security in the US Department of Commerce [doc.gov] for exporting their own compiled encryption software.
  • Paranoia (Score:2, Interesting)

    by vadim_t (324782) on Tuesday December 03 2002, @09:54PM (#4807301) Homepage
    That license doesn't make sense. Let's see:

    1. You can use the binary they compiled.
    2. You can compile the source, but not use it.
    3. Source is provided to verify lack of backdoors.
    4. That means that the source should produce the binary you get on their site.
    5. Therefore, both binaries are identical so different use restrictions are nonsense.
    6. Somebody mentioned here that while they provided information about the build environment, attempts to get an identical binary weren't successful.
    7. All this seems to indicate there's a quite strong possibility of PGP being backdoored.
    • Re:Paranoia by MikeBabcock (Score:2) Wednesday December 04 2002, @09:16AM
      • Re:Paranoia by vadim_t (Score:1) Wednesday December 04 2002, @09:24AM
  • Great Article (Score:2, Informative)

    by Anonymous Coward on Tuesday December 03 2002, @10:44PM (#4807603)
    Since Timothy posted this, I'm going to assume that he wrote it, too. Thanks Timothy. This is possibly the best-written article I've found here in the two years I've been reading Slashdot.

    Here's to real tech journalism on the web. You covered the topic with the details that the Slashdot audience wants and polished it to a level of quality that is worthy of any self-respecting newspaper. If this kind of quality keeps up, I'll definitely buy a subscription.

    Be warned, editors who post shoddy articles here. This is the standard to which you should aspire. If you write well, you shall be rewarded.
