Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

PGP & GPG

samzenpus posted about 8 years ago | from the lock-it-up dept.

157

Ben Rothke writes "PGP (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever. It is so good and so effective that in the early 1990s the FBI launched a multi-year investigation against Phil Zimmerman, the creator of PGP, for possible violation of federal export laws, especially ITAR (International Traffic in Arms Regulation). After many years of investigation, the FBI ultimately dropped its case against Zimmerman. Even though PGP is synonymous with end-user encryption, there have only been a few books written on the subject. Jump to 2006, and PGP & GPG: Email for the Practical Paranoid is a welcome title." Read the rest of Ben's review.

On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.

The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP.

The book is written for an end-user who, while comfortable with the workings of technology, is new to the sometimes strange world of public key cryptography. The author writes in an easy-to-read style and, through repetition, inculcates the principal ideas of encryption and cryptography to the reader.

The introduction and first chapter provide a good presentation of the concepts of encryption, cryptography and public-key cryptography. The idea of public-key cryptography, on which PGP is based, is not so intuitive, and many people struggle with the basic concepts. The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.

On a side note, the notion that even smart end-users can be intimidated by public key cryptography was detailed in a now seminal research paper 'Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.'

The premise of the paper is that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. The authors argue that effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software. The authors conclude that PGP 5.0 is not usable enough to provide effective security for most computer users despite its attractive graphical user interface. Even though PGP is in version 9.x, it still suffers from usability flaws.

Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' Military-grade encryption and military-grade cryptography are overused terms, most often by marketing departments, but there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified. Most people use 'military-grade encryption' to mean really strong crypto, much like those who use the term 'Olympic-size swimming pool' to refer to a really large pool. But the term 'military-grade encryption' is so misused by so many people that it is a lost cause to try to fight it.

In the rest of the book, chapters 2 - 11, the author details the varied usages of PGP & GPG. The book also details the differences between OpenPGP, PGP and GPG.
The difference between them is that PGP is a commercial piece of software, GPG (Gnu Privacy Guard) is open source, and OpenPGP is a protocol that defines a standard format for encrypted messages, signatures, and certificates for exchanging public keys.

The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly. Chapter 11 notes that although OpenPGP provides a reliable method of authentication and encryption, it is also not unbreakable. OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation, hardware or software compromise, fake keys and more. It is important to realize that OpenPGP provides significant, but not unbreakable security.

At 180 pages and priced at $24.95, PGP & GPG: Email for the Practical Paranoid is an excellent book that shows the end-user in an easy to read and often entertaining style just about everything they need to know to effectively and properly use PGP and OpenPGP.

For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading.


You can purchase PGP & GPG: Email for the Practical Paranoid from bn.com.

Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

cancel ×

157 comments

A New Core Class in College? (5, Insightful)

neonprimetime (528653) | about 8 years ago | (#15608143)

The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.

So basically 99.9% of users online today.

Re:A New Core Class in College? (1, Interesting)

kwerle (39371) | about 8 years ago | (#15608876)

This is currently modded funny, but I'm not sure why.

So basically 99.9% of users online today.

You're missing at least one 9, I figure. If there are a billion folks [more or less] online...
1,000,000,000; 1 in 1000 would mean that 1,000,000 people online have more than a notion of how public-key cryptography works.

I guess I could believe that there are 10K or more, but I certainly think there are fewer than 100K.

Re:A New Core Class in College? (2, Insightful)

19thNervousBreakdown (768619) | about 8 years ago | (#15609374)

What level of understanding are we talking here? I understand how public/private key encryption works well enough to use it securely, and it's not that hard to grasp. I imagine a significant portion of Slashdotters understand it as well. With almost 1,000,000 accounts, if only one in ten of us got it, there's your 100K.

Now if you mean understand as in "could create a secure public key algorithm," then OK, I see your point.

X.509 is better (0, Insightful)

Anonymous Coward | about 8 years ago | (#15608158)

Outlook supports it natively, no craziness like with PGP / GnuPG. Users much prefer the simpicity of an X.509 solution. I like PGP and think it has its place, but that place is only for the paranoids / techies who want to deal with its complexities.

X.509 requires a CA. (4, Informative)

Ayanami Rei (621112) | about 8 years ago | (#15608240)

Until Microsoft starts bundling their Certificate Services in Vista Home editions as a My-Identity-broker kind of thing, X.509 is useless for most people. X.509 is in Outlook because Outlook is the frontend for Exchange.

GPG/PGP are asymmetric cryptosystems that don't rely on PKI infrastructure, just per-user public/private keypairs. Not enterprise friendly but they can be used to bootstrap a trusted online relationship.

Re:X.509 is better (4, Insightful)

nog_lorp (896553) | about 8 years ago | (#15608431)

I don't think anyone with who: A) has concern for their privacy and security, and B) is in their right mind, would want to use MicroSoft's Outlook email client. (Anyone recall the Outlook exploit that was executed without even opening the email?)

Aside from the fact that noone should use outlook, I read up a tiny bit on X.509. According to Wikipedia, X.509 uses signed certificates from CAs, meaning you have to PAY, and store your certificate with a "trusted company". Not only is this horrible for paranoids who wouldn't trust Verisign, but the US Gov. could subpoena your information from these companies, rendering your encryption useless (against the government).

Re:X.509 is better (4, Informative)

amliebsch (724858) | about 8 years ago | (#15608506)

First of all, you can get free personal S/MIME email certificates from Thawte, which is a trusted CA. Second of all, you don't have to use a commercial trusted CA. You can also be your own CA and issue yourself all the certificates you want. The only catch is that outside the domain of your CA, your CA will not be a trusted CA, so you either have to establish trust in advance with other users, or live with having an untrusted certificate.

Re:X.509 is better (1)

bXTr (123510) | about 8 years ago | (#15609090)

See previous comment [slashdot.org]

Re:X.509 is better (5, Informative)

Anonymous Coward | about 8 years ago | (#15608591)

I read up a tiny bit on X.509.

That is obvious.

According to Wikipedia, X.509 uses signed certificates from CAs, meaning you have to PAY,

No, you can set up your own CA (for free) with openssl. And in fact, you don't need a CA at all. You can use your own certificates that aren't signed by anyone, just like PGP/GPG. In fact, the underlying math (public-key cryptography) is exactly the same as PGP/GPG.

and store your certificate with a "trusted company".

Store your certificate? Bullshit. You send the CA a certificate signing request. They sign it, and send it back to you. The certificate is useless without your private key, and the private key doesn't leave your possession. Decryption can only be done with the private key. So don't lose it.

Not only is this horrible for paranoids who wouldn't trust Verisign,

You don't need to trust Versign for X.509 to work. The only time you need to trust Versign (or any other CA) is to identify the cert of someone you never met. How do you know that a cert really belongs to the person? Verisign (or some other CA) signed the certificate. How do you know if a PGP key really belongs to someone you never met? Someone signed it.

But do you trust the signer? That question occurs with certificates and PGP keys.

but the US Gov. could subpoena your information from these companies, rendering your encryption useless (against the government).

Even if the US Gov't seizes all of verisign's info, that won't help them break your cryptography, since the private key (see above) never left your possession and Verisign never had it.

It's one thing to be paranoid, it's another thing to be an idiot. Understand how cryptography works before you start to rant & rave.

Frankly, if the US Gov't really, really wants to break your encryption, they'll bug your computer, or your house, or call in the NSA, or send in the Marines.

Re:X.509 is better (1)

Watson Ladd (955755) | about 8 years ago | (#15609410)

But with GPG multiple people need to trust a key before I do. With X509 I trust one person, the CA, not to be evil. With GPG 5 people need to be evil depending on your settings before you trust a bad key.

Re:X.509 is better (4, Insightful)

1nhuman (597328) | about 8 years ago | (#15608603)

Users much prefer the simpicity of an X.509 solution.


The simplicity of X.509? Is completly the other way around. PGP is simple :)

You probably never implemented a corporate PKI infrastructure. I myself love PKI (it's a freeking miracle I got married, I know) and have implemented or at least contributed in implementing several PKI's over the years. Simplicity is definitely not the first thing that comes to mind. Things like OCSP and CRL's you need to check the validity of a key, basically everything around issuing keys, key-escrow etc. it is al pretty complicated. Not nescecairly the theory, but the actual implementation and integration. Plus not to mention expensive. And don't even get me started on the legal side of it, the contracts you need, the legal requirements, webtrust etc.etc.. Brrrrrrr.

PKI is cool, has a lot of potential etc. Put it's not simple in anyway. Microsoft may make it look simple (did I just say that?), by basically "trusting" loads of CA's defaultly but how much is that trust worth exactly? Not much in my eyes. Oke, the encryption during transit... that should be ok. But is the signer of that email really who he says he is?

Between me, my friends and my colleguae's we use GPG. Bunch of my friends are on Mac's like me others are on Linux or BSD flavored machines. Some even use Windows. I don't even know al the plug-ins everyone uses. Hell, I don't know the name of mine. It integrated with Apple Mail and I just press the buttons etc, type in my passphrase and it works. Simple. Plus the keys I trust, I explicitly trusted by hand. Basically this kind of trust is loads better then accepting any mail certificate issued by the Verisigns of the world.

Here is the Mac link: http://macgpg.sourceforge.net/ [sourceforge.net] . Loads of GUI GPG tools.

X.509 is worse (3, Informative)

Just Some Guy (3352) | about 8 years ago | (#15608604)

Me, via IM: Hey, John, here's my GPG key. <pastes GPG key into IM window>
John: Cool. Here's mine.

Et voila - we can now start sending private messages back and forth (neglecting man-in-the-middle issues with the key exchange that can be trivially avoided with a single phone call or in-person meeting). Notice the missing step: neither of us paid Verisign or another CA for the privilege of saying "Hey, wanna go to lunch?" in private.

Re:X.509 is worse (1)

amliebsch (724858) | about 8 years ago | (#15608863)

True, but you also have absolutely no assurances that "John on IM" is really the John his PGP key says he is, unless he's got some trusties who have signed his key, and how do you know to trust them? And same goes for him. You could always set up a face-to-face meeting to examine each other's credentials, but why not just spend the five minutes to get a free personal email certificate from Thawte?

Re:X.509 is worse (1)

Betabug (58015) | about 8 years ago | (#15609070)

> You could always set up a face-to-face meeting to examine each other's
> credentials, but why not just spend the five minutes to get a free
> personal email certificate from Thawte?

And this would prove *what* exactly? Answer: A "free personal email certificate" from Thawte proves that you had (not even "have") access to the mail account in question for the duration of signing up. Ever noticed that your name is not on the "free" certificate, only your E-Mail?

I have a S/MIME certificate to the name of "Joe DiMaggio", Thawte has a passport number from Burundi (IIRC), a phone number in Uruguay, some other made up bits of data, and a mail address on my server. Neither could Thawte certify the existence of this Joe DiMaggio, nor that it's really him. They don't even try - and they tell you so.

If you want your "identity" to be certified with e.g. Thawte, you have to either pay them (which uses a credit card as a means of proving your identity, which is just foolish), or use their own "web of trust". Yes, they copied the system from PGP.

S/MIME really works only for corporations, where I sign on the dotted line for the job and get issued a company ID and my S/MIME mail certificate.

Re:X.509 is better (1)

DrXym (126579) | about 8 years ago | (#15608712)

X.509 is a heap a crap for a number of reasons, but top of my list is that obtaining a cert for it is such a monumental bother that it renders the whole exercise pointless. You can either pay for a cert or go a-hunting for a free cert, but either way, the CAs want everything but a stool sample before they issue you with a cert that expires in anywhwere from 60 days to a year away. If you're lucky you might find a cert that lasts longer, but all that pain and suffering gets you a cert which the CAs do not validate or vouch for in any way.

Conversely, all it takes to to use PGP is a few seconds with the wizard to generate your key and you're all set. It doesn't ask you for your passport number or your ssn, or your birthday or anything else. Integration with mail readers is slightly harder, but solutions exist for PGP and GPG for most popular readers. Once you have the key you're all set to use it for as long as you like. If you're paranoid about impersonation you can even get a few friends to sign your key.

Re:X.509 is better (1)

anomalous cohort (704239) | about 8 years ago | (#15609221)

Email encryption and certification gathers in efficacy in direct proportion to its ubiquitousness. PGP Home costs $99, which no casual user to going to pay, and GPG asks questions, during the key set up, which your casual user is not going to understand. Distributing your public key can also have lots of "gotchas" that requires too much thinking for the casual user.

I am an advocate of a free and easy to use encryption and certification technology for sending and receiving trusted emails that cannot be intercepted. I believe that a free, single page "GPG for Dummies" PDF would be great.

Re:X.509 is better (1)

ReddyFreddy (948568) | about 8 years ago | (#15608847)

There is only one thing missing here Who controlls the 509 certs.. Everyone seems to miss that companies pay Microslop to include them as trusted CA providers.. Yes.. 75k to get trusted and 10K per year to stay trusted.. I have been using pgp/gpg for years.. it works fine.. I use it to encrypt my hard disk and confidential mail to my friends.. Fred

what the... (-1, Troll)

Anonymous Coward | about 8 years ago | (#15608159)

what the heck is GPG? Good Privacy Gladly? Goopy, porous gophers? Geeks passing gas? Gadgets protecting geeks? A little help here...

Re:what the... (3, Funny)

neonprimetime (528653) | about 8 years ago | (#15608178)

That was the most difficult google search I've ever done ... Gnu Privacy Guard [gnupg.org]

But why do a "difficult" Google search ... (1)

Ungrounded Lightning (62228) | about 8 years ago | (#15608399)

... when you could just read the fine review?

From the ninth paragraph:

The difference between them is that PGP is a commercial piece of software, GPG (Gnu Privacy Guard) is open source, ...

Re:But why do a "difficult" Google search ... (1)

neonprimetime (528653) | about 8 years ago | (#15608462)

I only got to paragraph 8 and I started to fall asleep.

Re:what the... (1)

Kazymyr (190114) | about 8 years ago | (#15608183)

GNU privacy guard. Duh!

Re:what the... (1)

Palshife (60519) | about 8 years ago | (#15608267)

A google search would have saved you about 100 keystrokes.

Anon has a point though (2, Insightful)

p3d0 (42270) | about 8 years ago | (#15608360)

Acronyms should be defined in the summary.

Re:Anon has a point though (0)

Anonymous Coward | about 8 years ago | (#15608433)

WTF? STFU!

Re:what the... (1)

Alphager (957739) | about 8 years ago | (#15608387)

Post like this make me crave the moderation "-1 lazy bastard"

PGP vs. GPG (0, Troll)

drpimp (900837) | about 8 years ago | (#15608161)

PGP (Pretty Good Price)
GPG (GNU - Free)

Re:PGP vs. GPG (1, Insightful)

Anonymous Coward | about 8 years ago | (#15608501)

PGP => Pay to Get Privacy
GPG => Get Privacy Gratis

So What Does It Mean? (5, Insightful)

Anonymous Coward | about 8 years ago | (#15608162)

(Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever.

This statement may indeed be true. And yet, 98 out of 100 people on the street would have no idea what PGP is. What does that say about software encryption programs.

No one knows, no one cares and very few have been affected by their ignorance.

Re:So What Does It Mean? (5, Insightful)

Rob T Firefly (844560) | about 8 years ago | (#15608276)

No one knows, no one cares and very few have been affected by their ignorance.
I'm sure many, many people have been affected.. it's just that when they get their email read or their private files exploited, they're ignorant that it could possibly have been prevented. Someone who doesn't know how to lock their front door might still be affected by a burglary.

Re:So What Does It Mean? (5, Interesting)

sahuaro (524043) | about 8 years ago | (#15608464)

Mod this poster up! The inventors of public key encryption envisioned a future where encrypting email would be as common as stuffing a letter in an envelope. Phishing would be unheard of since a digital signature would prove that the mail came from who it said it did.

The US government, of course, didn't want this future to come about and put roadblocks in place to prevent it. So, today we have phoney email scams and unencrypted personnel data that gets scattered to the winds on unsecured government and private sector computers. Encrypt your email? Why you must be doing something illegal!

Dennisk

Re:So What Does It Mean? (1)

jacksonj04 (800021) | about 8 years ago | (#15608726)

I think that it's made more difficult because sharing your public key to start with is hardly efficient given the length and complexity.

Re:So What Does It Mean? (2, Informative)

Watson Ladd (955755) | about 8 years ago | (#15609431)

That's why fingerprints and web of trust were invented.

Re:So What Does It Mean? (4, Funny)

Zarel (900479) | about 8 years ago | (#15608296)

And yet, 98 out of 100 people on the street would have no idea what PGP is.
That's because nerds usually don't go out on the street. :P

Re:So What Does It Mean? (1)

Red Flayer (890720) | about 8 years ago | (#15608310)

"No one knows, no one cares and very few have been affected by their ignorance."

So what's the problem? I always thought obscurity was a key to security...

Re:So What Does It Mean? (0)

Anonymous Coward | about 8 years ago | (#15608741)

So what's the problem? I always thought obscurity was a key to security...

Is that the public key or the private key?

more importantly... (1)

Connie_Lingus (317691) | about 8 years ago | (#15608563)

(Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever.

This statement may indeed be true. And yet, 98 out of 100 people on the street would have no idea what PGP is. What does that say about software encryption programs.


So then, what does this say about Slashdot readers?

Should rename the book (5, Interesting)

Rosco P. Coltrane (209368) | about 8 years ago | (#15608171)

PGP & GPG: Email for the Practical Paranoid

title soon to become "PGP & GPG: encryption for the practical suspicious target of the homeland security dept."

Re:Should rename the book (1)

agshekeloh (67349) | about 8 years ago | (#15608230)

title soon to become "PGP & GPG: encryption for the practical suspicious target of the homeland security dept."

(Caveat: I'm the author of the book)

I thought about such a subtitle, but the book is not just for the average person. Rich Americans can read it, too.

==ml

Re:Should rename the book (0)

Anonymous Coward | about 8 years ago | (#15608390)

lol

Re:Should rename the book (3, Funny)

bmah (99344) | about 8 years ago | (#15608527)

Wait a minute...how do we know you're the real Michael Lucas? :-)

Re:Should rename the book (1)

RetepMc (814214) | about 8 years ago | (#15608336)

If you get lonely, just borrow the book from your local library. Before you can even return it, you will be "visited" by the DHS and NSA.

And, if you are fortunate enough to have read the book before they get there, one way ticket to Gitmo! If you need to secure your email, you MUST be a terrorist. Then you can not worry about being lonely anymore, indefinately.

Win-Win.

Huh? (0, Interesting)

Anonymous Coward | about 8 years ago | (#15608194)

"On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.

The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP."

Okay, I stopped reading there. Basically you're saying "hey, you could look this stuff up, but if you're in the habit of spending money on information that is freely available in order to support a generally obsolete and overpriced/monopolized way of communication, go for it." Mind you I'm not railing against all authors/publishers, but technical manuals need some distinguishing reason other than "hey, it has an ISBN."

Pretty Poor Privacy (2, Interesting)

Anonymous Coward | about 8 years ago | (#15608237)

I can't say I ever found any PGP product good for any application. It was way too complicated and just not what was needed.

Instead, I found my holy grail of encryption in Truecrypt (http://truecrypt.org )which simply has rocked for the longest time (I'm in no way associated with it). Its free, and as far as I'm concerned as far as free encryption tools go, nothing can touch it, esp if you use one of the double pass encyption methods down the list, and don't label your volumes as truecrypt volumes or keep the encrytion program and the encrypted data on the same harddrive (use a USB key). No way they can identify what it is if you leave no clues.

Unfortunatly, I found out today on Wikipedia that Truecrypt has a rather lest than sparkling history... it seems rather sordid actually from what its homepage would allude to....

http://en.wikipedia.org/wiki/Truecrypt [wikipedia.org]

PGP's probelm was it was never really integrated into an email system, and it had that totally messy key system that really was not worth bothering with or learning unless you were a highly trained memeber of secret police agency (as opposed to John Q public). There definatly is a begging need for good encryption of plain text ascii emails, but PGP just doesn't step up to the job. It needs to be integrated end to end in sendmail or whatever other mail transport servers, and inside the big heavyweight email programs used out there... PINE, Netscape Mail, the webmail services, and perhaps even OUtlook.

Skip Truecrypt, encrypt your data in a small volume and attach it as a file to who you want to send it to... in fact, encrypt whole harddrives or create files that can be mounted as virtual harddrives.

Truecrypt: http://truecrypt.org/ [truecrypt.org]

Zimmerman is more of a posterboy against the man than really than anything else in my practical opinion. I don't know any compgeek that uses PGP, or anyone that uses it to encrypt their mail.

Re:Pretty Poor Privacy (2, Funny)

Kozar_The_Malignant (738483) | about 8 years ago | (#15608371)

>I don't know any compgeek that uses PGP, or anyone that uses it to encrypt their mail.

-----BEGIN PGP MESSAGE-----

Version: PGP for Personal Privacy 6.0

qANQR1DBwU4DA/vEixf2Zr4QB/95c5uv6mCv4yYel3qStiha bGzW7Ekfi4STPs1T CJf/fgp3S0SHUFmCgJXL4QNdkoo37wdVD/4v5xWWj7tXPfA2KQ 8bYueHIWp8QXIx TIxxRIQhw/69WXT/RAAtRBdvFPfucphQZ8xSxOc6gPlMYnPOVC PjXqXaZcZXwk8R Cv9yICy+S8ipGiGb3miPOfvqv/FAOT/uVCHv/VGrVJhDD29xfM 7TWk25LLXlbQW5 pOjgO30DNdbdhQMdsOSmQXTQdRDJDjbwQeWWk3CFZtpLmlbjXL U0hvZ7PtAGlQKh iIboJl+HM+jsEtHurqmgXR1+NQdqziBDOxUvQ29lJre6qi8+CA DHyCy+S6x2ZBfN 1qHt+3Hs6/AtF9q+auA1s6YbL2V2zyLKP8SHtA3foIORcyg325 Ki9ddME9VbVjN1 uirr01V3FwhdHdFBuPUDXF2270GPvdmoQDoUMpGOkLvr34ZeEK t9gmhzJlwVjkjS O/bwGWpml6qESWbS1xBJfxwzbT6KCpKqCmEVg1DC7U1MsKsC8y QHzsnRFpbr7jfW 40J/sDhmdu+2TnXNwflBeBVRU80wc+rqO2VD6apUSmcBj2b/U0 6fG/Py5c/F468l 56BJmIchgC24y6/q9Jm6fqjb6+C3Wg1bIRF15gp9giX8wBuFzx PvaOmVqf/I0fVk va1o+83bycDBYsLDcK82knA1ByPJpFfr0/7zZH6L6hApcBQGin WNDIy6XHNzCiFl VdL/KQzMBZs880m9ECKVfdhmfaH4ai9venAQi7vD3iSF2ZQ7Xl jVUtp3v6vcLNAD UqNXJ6a7rux5a10ao3GDtt0szqu+UxmH/+SVvIG7Hlp5Ygv+TX bTjVccBZoBhCj1 /2/gY3UeodNBJcLTdzY1trjx/cgSkF/gcts6/BlSyEmihM5pYM kJvLUk1a/HtZt8 uu1mfZJbwfDD+1SDmUaCJEYdijVn7HMjM0WB2tH87SP3xFMKvs qb5IT343ihgljo TGrfjKRU2EWnFeTaRk3ON5+c4zE7a4IQCUJd9qjwUt5U+Owv9i s/Zz8QxPSqDfC0 /t4P1C7eRBShaoDq30PotjK+gZP7P40vgRsrTVB0Hm08H1xitM xYy8uC2sqYKIwi gZYknFR7S02OVdQk6eCXVco7otVd1Zgk5tE1mgi48t+1FuPUUE yc3Q19dZM6m2Xx GQjhuVGlF8fnDw== =l9MK

-----END PGP MESSAGE-----

Oh, and there is a place for your public key on your /. page.

Re:Pretty Poor Privacy (0)

Anonymous Coward | about 8 years ago | (#15609056)

-----BEGIN PGP MESSAGE-----

Version: PGP for Personal Privacy 6.0

qANQR1DBwU4DA/vEixf2Zr4QB/95c5uv6mCv4yYel3qSti


- snip -

You do know that slashdot breaks up long lines, which messes up your PGP message...

Re:Pretty Poor Privacy (1)

Kozar_The_Malignant (738483) | about 8 years ago | (#15609284)

>You do know that slashdot breaks up long lines, which messes up your PGP message...

Yes, it's a constant issue with PGP to make sure that your cyphertext output is already wrapped at a line length shorter than whatever your transmission medium uses. An the other hand, I am reasonably certain that I got the correct public key for "Anonymous Coward". :-)

Re:Pretty Poor Privacy (0, Insightful)

Anonymous Coward | about 8 years ago | (#15608415)

How in the world did a post this idiotic get modded up?

Re:Pretty Poor Privacy (1)

bzerodi (731405) | about 8 years ago | (#15608589)

I don't know any compgeek that uses PGP, or anyone that uses it to encrypt their mail.

... or any geek for that matter, probably.

Check out eCryptfs (1, Informative)

Anonymous Coward | about 8 years ago | (#15608634)

Check out eCryptfs, which has recently been accepted upstream into the
-mm Linux kernel:

http://ecryptfs.sf.net/ [sf.net]

This encrypts on a per-file basis, so that you can grab and copy the
file from the lower filesystem (which can be pretty much anything --
ext3, jfs, reiserfs, nfs...) without even having to mess with all that
partitioning stuff.

It's a great cryptographic filesystem now with just passphrase
support. It looks like they're going to be done with the public key
subsystem (with pluggable PKI support) before too long. HMAC
(integrity verification) will come next, and then when they get into
the policy stuff, eCryptfs will go beyond any crypto filesystem that
anyone has ever written, Open Source or not.

Coincidentally, the header format is inspired by the OpenPGP
specification (RFC 2440).

Re:Pretty Poor Privacy (1)

dotwaffle (610149) | about 8 years ago | (#15608677)

You're right - neither you nor I know anyone that openly encrypts all their mail, however that doesn't mean PGP/GPG is useless...

Personally, if I have some data I want secured and backed up, I use duplicity, and that backs up and encrypts the data using GPG. If I want to save a note for myself somewhere, I email it to myself, encrypted. The VAST majority of my email is GPG signed so that recipients know that the mail came from me.

It's really useful in the geek community. Trust me, have a play - it's a great way to meet new people too, with keysigning parties all the time!

Re:Pretty Poor Privacy (2, Informative)

QCompson (675963) | about 8 years ago | (#15608791)

Apples, oranges, pears, and bananas here people. Truecrypt is a fantastic program, but how in the world would it be easier to:

encrypt your data in a small volume and attach it as a file to who you want to send it to...

How would they know the passphrase to open your attachment? That's the whole point of the public/private key system.

Re:Pretty Poor Privacy (1)

element-o.p. (939033) | about 8 years ago | (#15609220)

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.3 (GNU/Linux)

hQIOA4seTkmA59QxEAgAjvJZlP/vX6EXZMqFtz8VR1Vhm3VbAX zunwF7/Q6PuSEG
szO/y/q8g7nH+nrMO4RX6D/bNY6eSwwigUsMaHYUQ5Ow1WsflD Srr2A+G6b8OgDs
8+YxR1Sg9/gJSlhtFkc46MaTXRhILF4ob2J8FGKTPPgDSlXF7y grF5hOSeQBscyp
OONNqmG7lB8d54ngWjrPUebTqaysZ8u4+/mjMubRDTUDxqRYpu skMkO4dlzHRjc3
9o0wQWP+vfvs7UMh89xh4i/iedXnbK5GIx5VquuaXO4+W/E1pm Liiv0SmSSgv9ot
wMMHyXmtx6RiE/LmspMbkJrHxwbFtkDwj35ktxbNDwf+IrhW7c bAgYmkvwzmdHra
cLhsgP9mtPwSrvaUFtLa2P/XoWeCsL3fqBFLb5a1cAe3QuJfVQ 060xDUtFqv+apj
sCPP+q+icepDOjPysSRlNPsEnVokkXmc79qzAQMQKxkV/Li0xA SUd2SVNCMlP7h0
BFRC6TBW8wlpqB4UnyXa7BsHwSv3V+A/yhXklMs2N5o/F5Fe89 beRkpXG5Q5nGWq
t1DcPbJ2w/fZF773M/vO1sMuJnGesqwf4yfmsxiOOot+R4nhZT J9TgHjw18lZYx/
vhkNFM2jBJVozFF7shzIchQ2MXXoOXiDJZ1VN7pfLnrYXOSort ndFyxDVPTpbEaF
R9JpAbAMenOsgbV87lyDRHyV1z2iufQbCV72D4TTRIClp1+3jq Mibsfdvh7VntSX
KDHO25270kohiZz8ZAs/ngBKxSPGaH7CBeUn4BuRmZG+p43WpB FihWTjxizh96Wq
MQ0D+8iUC57NF4/d
=FATj
-----END PGP MESSAGE-----

Slashdot and Public Keys (5, Informative)

ettlz (639203) | about 8 years ago | (#15608261)

There's a Public Key field in the User Preferences page on Slashdot, but does anyone know where you go to pick up other users' keys?

Re:Slashdot and Public Keys (1)

neonprimetime (528653) | about 8 years ago | (#15608386)

Public Key field in the User Preferences page on Slashdot

To be honest, this field reminds me of a common situation I run into when developing ... Management supplies the ABSOLUTE MUST-HAVE fields to be put into the the SQL backend ... and so I develop the website to with that field ... and then they never use it.

I have never seen this used on Slashdot ... and it's not mentioned in the FAQ that I could see.

Re:Slashdot and Public Keys (1)

Kozar_The_Malignant (738483) | about 8 years ago | (#15608392)

>does anyone know where you go to pick up other users' keys?

There are many public keyserves to search. PGP will automatically search them for unknown keys, if so configured.

Re:Slashdot and Public Keys (0)

Anonymous Coward | about 8 years ago | (#15609370)

Try here: http://pgp.mit.edu/ [mit.edu]

Or try sing tfw.

Mil Grade Crypto... IS defined :-P (5, Informative)

DarthStrydre (685032) | about 8 years ago | (#15608271)

"Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' ... there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified."

Ahem, reference http://www.nsa.gov/ia/industry/crypto_suite_b.cfm [nsa.gov]

While Suite A is classified, Suite B, specifically AES, is specifically mentioned as being suitable for up to TOP SECRET info.

Military grade is not a useless term, as it is therein defined.

HOO-AH!

Re:Mil Grade Crypto... IS defined :-P (1)

throx (42621) | about 8 years ago | (#15608600)

It's not really the crypto algorithm that makes military grade crypto "military grade". It's how they implement key exchange and management.

Obligatory (-1)

Anonymous Coward | about 8 years ago | (#15608284)

I for one, welcome /!5638jsdcyhb287%!(!5bc9i!#!%#

Re:Obligatory (1)

ettlz (639203) | about 8 years ago | (#15608317)

Actually, the obligatory troll in this case is the old "HELLO WORLD HELLO WORLD" gag.

book quality / IT (1)

PrayingWolf (818869) | about 8 years ago | (#15608292)

one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.

Yeah, I've noticed this on most IT books. And I'm not one of those people "who want an ISBN". I don't think those people even read the books...
I wonder if there is a book called "Linux man pages explained - with complete printouts"...

Re:book quality / IT (1)

jcappaert (985146) | about 8 years ago | (#15608338)

People love shiny stuff, a book looks much nicer then a bunch of printed papers :)

Re:book quality / IT (1)

Ohreally_factor (593551) | about 8 years ago | (#15609258)

I buy O'Reilly books just for the cute animal pictures on the covers. I'm hoping they'll come out with a Cocker Spaniel book on some aspect of Mac programming. =)

One sided comparison (1)

Monster_Juice (939126) | about 8 years ago | (#15608309)

The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly.

OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation...

So one is vulnerable from poor implementation and the other provides really strong security? Hardware or software compromise is a flaw of only OpenPGP? Seems like a slightly tilted comparison.

Misdirected criticism (1, Interesting)

Anonymous Coward | about 8 years ago | (#15608346)

The failure of secure email to proliferate has nothing to do with PGP's usability issues. 99% of email users already have S/MIME integrated into their mail readers as a standard feature - very usable and secure, yet almost universally unused. It's not about the user interface, it's about perceived need (or lack thereof).

S/MIME (4, Interesting)

Lord Ender (156273) | about 8 years ago | (#15608350)

When people say "X.509" when talking about email security, what they mean is S/MIME. It is pretty clear S/MIME is going to win the battle to be the most common form of email security on the Internet. It has built-in support on Outlook, Thunderbird, hell--even mutt.

If people CHOOSE to trust a PKI, S/MIME works WAY better than PGP because key distribution is much easier. If they don't want to do a PKI, they can still trust individual certificates, just like PGP. They can verify certificates by reading thumbprints over the phone, if they like.

Basically, S/MIME can do everything PGP/MIME can do except the "web of trust." And WoT is just WAY too much work for 99.9% of the population. PGP will eventually vanish.

Re:S/MIME (1)

amliebsch (724858) | about 8 years ago | (#15608439)

I agree. S/MIME, because of the relatively full-featured certificate services bundled with Windows Server 2003, and the ability to manage certificates with Active Directory, appears to have much more institutional momentum than PGP, and that will, I think, ultimately make the difference.

Re:S/MIME (2, Insightful)

Betabug (58015) | about 8 years ago | (#15608914)

> It is pretty clear S/MIME is going to win the battle to be the most
> common form of email security on the Internet.

If this is going to happen then S/MIME has yet some way to go first. Reality is that I see S/MIME only ever "used" by corporate minions. I put quote marks around "used", because I have yet to receive anything more than a signed mail. On the other hand there are ISPs and domain registrars who work with PGP - you can give them your public key and do business like that.

Have you noticed how many open source projects use PGP signatures to verify source downloads? Would you like to wait for them to use S/MIME to sign those tarballs?

Then there is what happens on a more personal level. Myself I'm communicating with geeks and non-geeks in my surrounding with GPG [betabug.ch] and it works fine once it's been set up. A book like the one described could be a big help here. I can't really say that the book "would help", because the review just plain sucks - it doesn't tell us if the book is any good, it just says what it attempts to do.

The main problem with S/MIME is certificate revocation though. And this is an old problem with S/MIME, it's been said again and again. There is just no good strategy to deal with revoked keys/certificates. You have revocation lists, but they do not get used (same problem as with webserver SSL certificates). Even if revocation lists in S/MIME got used, the setup is tailored for corporations.

That is the reason why PGP had and still has that little bit of success: It was designed for us "little guys", the normal people. We're no corparations, corporations don't work for us, and their software doesn't work for us.

Re:S/MIME (1)

bXTr (123510) | about 8 years ago | (#15609020)

Here's [infoworld.com] an example of how S/MIME certificates can be easily spoofed, and how both Outlook and Apple's Mail.app happily accepts them as valid. Want more trustworthy certs? Expect to pay out the nose.

Re:S/MIME (1)

Lord Ender (156273) | about 8 years ago | (#15609081)

That is not a flaw in S/MIME.

And as I said, everyone has a choice as to which PKIs they trust. Nobody is forcing you to trust the Thawte Freemail CA.

Re: Wrong Tool (1)

mpapet (761907) | about 8 years ago | (#15609097)

x.509 has a useful niche. PGP has a useful niche. I believe you are confusing tools.

I admin a PKI system inside the company I work for and it's the bees knees. I add public keys to the keychain. If you aren't on the keychain, then you won't have access to some things on the LAN. Simple, discreet control.

Let me be clear: There is a way around *every* security system. Running PGP/PKI systems meaningfully raises the bar.

Declaring x.509 "the winner" sounds like you have a very serious investment in it's success as opposed to the more professional perspective, right tool for the job.

OT Info:
As a general warning to all: MS's efforts in x.509 are the usual Embrace, Extend, Extinguish thereby crippling interoperability. Note that they've got Red Hat publicly endorsing their efforts now. http://www.identityblog.com/ [identityblog.com]

Whereas shibboleth http://shibboleth.internet2.edu/ [internet2.edu] is supposed to be the neutral party.

Re: Wrong Tool (1)

Lord Ender (156273) | about 8 years ago | (#15609261)

"The right tool for the job" argument would lead to everyone being burried in billions of tools. I think email security is one of those areas where people don't want multiple tools, and will eventually settle on one for the vast majority of uses. Nobody can predict the future, so you can falsely accuse me of having a vested interest and claim that the people really want multiple tools if you want... but I think you'll be proven wrong in the long run.

There is 1 SMTP. There is one SSL. There is one HTTP. There will probably be one "email security" system, too. And it will NOT involve maintaining a "web" if the majority of the Internet will be using it.

Don't put too much trust in certs (1, Interesting)

Anonymous Coward | about 8 years ago | (#15609341)

PGP will eventually vanish.

Don't put too much trusts in certs. For example, you can ssl in the middle, so in theory smime in the middle should be possible. I actually figured out in one case ssl in the middle only works transparently when a valid CA root cert existed. A self signed cert gave it up that my ssl traffic was being intercepted when the popup informed me the host didn't match where I was going. If you don't believe this look as the Bluecoat proxy servers. One hotel I stayed in did this, so I VPNed using ipsec to home to do my banking.

PGP, I prefer the GNU version as the source is visible, veted and verified not to have back doors. And I can check for myself. PGP allows me to trust you without the need for a 3rd party trust. Do you trust all the root and trusted CAs in IE? I sure don't.

Calling for PGP to "vanish" is quite premature.

Outlook plugin? (2, Insightful)

haeger (85819) | about 8 years ago | (#15608361)

I've been looking at different plugins for gpg but haven't found anything that's quite what I want. The best one I've found is something that uses the clipboard for encryption/decryption. Works OK for someone who doesn't mind a little work.
What I'd like to see is an Outlook plugin (or OExpress) that does the following. (Please note that I wrote O/OE because they are the major players)

* GPG included to make it easy for the user. Just one install for the whole package.
* Automatically create keypair during installation
* Default option to keep passphrase cached (not safe, yes I know, I know)
* Automatically decrypt/sigcheck all incoming emails
* Automatically encrypt/sign all outgoing mails.
* Attach the pubkey to all outgoing mails where the address isn't in my keyring.
* Automatically (just ask for password confirmation or something) addition of incoming pubkeys to my keyring.
* GPL :-)
* The people who got the pubkey would also get a link to where to download the plugin.

I'm sure someone can expand this list quite a bit and I'm sure I forgot half of what I wanted to put on that list, but it's a start anyway.

Anyone care to write such a plugin? Or is there one already that I don't know of?
I do think that if there was something to that effect that you would see a spike in encrypted emails going across the globe.
I used to encrypt/sign everything but since I was the only one using pgp/gpg it was kind of pointless.

.haeger

Re:Outlook plugin? (0)

Anonymous Coward | about 8 years ago | (#15608770)

I'd suggest the portable thunderbird package that includes GPG and enigmail. It has all the features you listed (except the whole Outlook/Outlook Express plugin.) Single install, it asks if you want to cache your passphrase, want to encrypt/sign by default and will automatically decrypt (if the passphrase is cached). It is all GPL.

Re:Outlook plugin? (2, Informative)

Fnkmaster (89084) | about 8 years ago | (#15608891)

Well, it doesn't do absolutely everything on your list but it's a pretty good start: http://www.gpg4win.org/ [gpg4win.org] .

It does the first two, and the third - it does cache passphrases for short periods of time. I don't know off the top of my head how to change the cache duration, but there should be a config option somewhere.
Sending encrypted or signed email is just a matter of two toggles in a toolbar on every email - you should be able to change a setting somewhere so they always default to on (right now they default to off unless I'm replying to a PGP-encrypted/signed email).

It is GPL.

As for this:
* Attach the pubkey to all outgoing mails where the address isn't in my keyring.

Seems like it would be a pretty easy addition to the existing GPG4Win codebase.

* Automatically (just ask for password confirmation or something) addition of incoming pubkeys to my keyring.

Not sure about this since I don't think I ever get such emails, but I believe you can just double click on a pubkey attachment in the correct format and it will open it in WinPT, the key management software packaged with GPG4Win.

* The people who got the pubkey would also get a link to where to download the plugin.

This is trivial if you are already attaching the pubkey, just stick a link in your sig.

The one thing GPG4Win needs is some English documentation - it's got decent documentation, but in German only. A bit more professional looking web design would be nice too. And some parts of the software feel a touch rough around the edges, but overall it "just works" most of the time.

Yahoo and GMail (0)

Anonymous Coward | about 8 years ago | (#15609319)

I would really like to see a good method of using OpenPGP with the major web-based email services. I would, however, not want to upload my private key to their servers.

Re:Yahoo and GMail (1)

AnyoneEB (574727) | about 8 years ago | (#15609394)

I have thought about that. In theory, the web mail provider could create an app that would act as a mini web server running on your computer which would do all of the actions requiring the private key. You could have it show a pop-up every time it is needed saying what it will do and ask for your passphrase.

Secure mail for a windows user (0)

Anonymous Coward | about 8 years ago | (#15609373)

... different plugins for gpg but haven't found anything that's quite what I want.

Here is a secure, perhaps radical approach for secure mail for Windows.

Go to VMWare, download a free version and install it on XP.

Get a Linux Distro, Suse 10 works quite nice, load Linux into a VM partion

Find out where the VMWare virtual files are, encrypt this directory in XP OS (See MS for instructions)

In Linux, setup Evolution for your ISP, generate some PGP keys. Read the instructions.

Once you have learned how to use the above, your PC could be stolen or hard drive copied and they will not get far.

Re:Secure mail for a windows user (1)

AnyoneEB (574727) | about 8 years ago | (#15609406)

Uh, why could one not just run a Windows mail client and encrypt the files? You could even use the win32 build of Evolution that was on /. a few days ago if you wanted.

I wish security were more accessible to the masses (5, Funny)

jdavidb (449077) | about 8 years ago | (#15608366)

Just the other day I saw the following on the website of an author selling her own book directly:

Emailing Credit Card Numbers To email your credit card number, we suggest sending two emails. The first email should contain half of the credit card number and expiration date: 1234 5678 XXXX XXXX exp date: 07/XX The second email should contain the other half of the credit card number and expiration date. XXXX XXXX 3141 5926 exp date: XX/05

Sigh...

Re:I wish security were more accessible to the mas (1)

Broken_Ladder (821456) | about 8 years ago | (#15608442)

I love your sig. Wacha think about the free state project?

Re:I wish security were more accessible to the mas (3, Interesting)

smoker2 (750216) | about 8 years ago | (#15608776)

Add to that the number of web sites using an aging perl shopping cart system whereby half the credit card number is immediately emailed to the admin and the rest is stored as plain text on the server. Also the web sites who claim that your numbers are perfectly safe as they are using 128 bit encryption and the data is not decrypted until it reaches their [colocated, probably virtual] server. I had an argument with some previous employers when they insisted on calling their colocated RAQ3 a "secure server". I pointed out that they had never even seen the facility that it was housed in, and the private data was freely accessable using telnet, because it wasn't encrypted once ssl had done with it.

Just as a an example, I set up a shopping cart of the type I mentioned and they thought it was the mutts nutz until I showed them that I was receiving both parts of the credit card numbers by email at a private email account. Even then I don't think they thought it was a problem. I left shortly afterwards.

I wonder whose harvesting those numbers now...

BTW, I deleted that shopping cart, so I am not guilty of abusing the system. It was done to prove a point. [slashdot.org]

Re:I wish security were more.. (2, Interesting)

hyfe (641811) | about 8 years ago | (#15608788)

Any snooping done is most likely going to be automatic, and this ensures naive snooping won't work. As long as this is not in widespread use it's going to much more secure than not doing it, and it's relativly easy to do and non-obstrusive.

All-in-all, I think it's a practical down-to-earth simple solution. Seriously, don't laugh just because it's not technical enough for you.. So while you're busy being a tech-snon, the world will be busy getting stuff done. This works; for now.

Re:I wish security were more accessible to the mas (2, Insightful)

DMoylan (65079) | about 8 years ago | (#15608924)

that's pretty secure compared to this site

http://www.rncca.com/ [rncca.com]

why they have a password is beyond me when they list the password on the site?

Re:I wish security were more accessible to the mas (1)

Trevahaha (874501) | about 8 years ago | (#15609045)

Haha, and if you click cancel, you still get directed to the page.

paranoia? (-1)

JustNiz (692889) | about 8 years ago | (#15608584)

OK so how many people actually believe PGP is still safe and that the NSA still can't crack it?

Given their vast amount of resources and the fact that every serious criminal and terrorist organisation probably choose PGP I'm guessing they must have something by now, not that they'd want anyone to know.

My guesses include:

* They've coerced the author to build in a backdoor (a la clipper).
* They've spent enough billions on serious hardware that they can brute-force it in a reasonable time.
* They've got some very clever mathematician to figure out a viable attack.

Re:paranoia? (4, Insightful)

Ohreally_factor (593551) | about 8 years ago | (#15609292)

My guesses include:

* They've coerced the author to build in a backdoor (a la clipper).
* They've spent enough billions on serious hardware that they can brute-force it in a reasonable time.
* They've got some very clever mathematician to figure out a viable attack.


I think you can safely scratch #1, while also safely assuming #2. The trick is how timely, and how much encrypted traffic there is overall. If you or your message has been flagged as a high priority decrypt, then they're likely to throw a lot of crunch at it.

However, if you're not flagged and more people start to use encryption, you're more likely to get lost in the noise.

Your #3, I have no idea. I don't really have enough math knowledge to have a good grasp on the difficulties such a mathematician would face.

Documentation != books? (1, Funny)

navyjeff (900138) | about 8 years ago | (#15608629)

The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number.

So a large class of people prefer to read, what, barcodes??

If you're really paranoid... (0)

Anonymous Coward | about 8 years ago | (#15608648)

If you're really paranoid then you're going to know better than to rely on encryption for your communication.

Advice for me (2, Funny)

paulproteus (112149) | about 8 years ago | (#15608779)

For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading.
I want to save money, but I hate trees. What do you suggest I do?

Re:Advice for me (0)

Anonymous Coward | about 8 years ago | (#15609079)

Read the .pdf on the disk.

Re:Advice for me (0)

Anonymous Coward | about 8 years ago | (#15609120)

Clip coupons?

English Majors (0)

Anonymous Coward | about 8 years ago | (#15609136)

On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.

Who's a bigger fraud, the CS major pretending to write good English or the English major pretending to write good code?

PGP vs phishing (0)

Anonymous Coward | about 8 years ago | (#15609210)

Have you ever thought of this?

All official letters (and normal letters) are signed and sometimes stamped.
Would all banks, insurance companies, ebays, paypals and whatsoevers use _signed_ emails as official communication, the whole issue of phishing, including cross site scritping and other browse issues would be over!

vajk

Interoperability? (1)

ArkiMage (578981) | about 8 years ago | (#15609213)

When I first read the title I hoped the ability for these systems to communicate correctly was what was being addressed. I've been working with a bank for weeks now trying to get things I encrypt with GPG to be decryptable by their PGP "Universal Server" product. They can install PGP Desktop on a PC and decrypt my messages just fine. They have this larger/fancier package that decrypts upstream of their Exchange server and internally passes on the unencrypted emails to their folks. It also has a webmail (https) interface for outsiders to send/receive things to them, etc.. It simply refuses to decrypt something created by GPG and PGP's support has been thoroughly useless so far. Hrm...

Re:Interoperability? (0)

Anonymous Coward | about 8 years ago | (#15609499)

You might have to build gpg with the IDEA cipher module. I think the commercial version of pgp defaults to using the IDEA cipher. The IDEA module for pgp isn't included because it isn't license free.

Getting Started with PGP and GPG (2, Interesting)

klenwell (960296) | about 8 years ago | (#15609225)

Uncanny timing on this article for me -- I just this morning set up both PGP and GPG clients on my Windows machine. I found some inspiration in this tutorial on PGP:

http://www.haltabuse.org/pgp/win/index.shtml [haltabuse.org]

The tutorial talks about version 7 or 8 of the software when it was still freeware. Version 9 it appears still offers the basic functionality for free, but I have to admit that I was a bit put off by the fact that it's presented as a 30 day trial with a EULA that includes passages like this:

You hereby expressly consent to PGP Corp's processing of personal data you provide to PGP Corp (which may be collected by PGP Corp or its distributors) according to PGP Corp's current privacy policy which is incorporated into this Agreement by reference (see ). If "you" are an organization, you will ensure that each member of your organization (including employees and contractors) about whom personal data may be provided to PGP Corp has given his or her express consent to PGP Corp's processing of such personal data. Personal data will be processed by PGP Corp or its distributors in the country where it was collected, or in the location of PGP Corp or its distributors; United States laws regarding processing of personal data may be less stringent than the laws in your jurisdiction.

Standard EULA boilerplate perhaps, but I found it unnerving in a product that's supposed to protect your privacy.

I also downloaded GPG4Win from

http://www.gpg4win.org/ [gpg4win.org]

and got it running. I just succeeded in encrypting a message with the one and decrypting it with the other, so I think I'll go with GPG.

Amazing that such tools aren't de rigueur by now.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...