Pgp freeware-dead?


Stefano Ferrante

May 9, 2005, 5:13:44 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello guys.
New pgp 9.0 has been released but...Pgp corporation does not mention
freeware anymore...

What does it mean? Is freeware dead?

Stefano

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQn/SgQQvBtJfR/KaEQLbPgCg3y1dOxWdQwP23h+eIAa4OkZRcpwAn03n
XzdPVaQ/sqh+LuAq66GEGL6r
=lXh1
-----END PGP SIGNATURE-----


Neil W Rickert

May 9, 2005, 8:59:57 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Stefano Ferrante" <sorry...@spam.it> writes:

>New pgp 9.0 has been released but...Pgp corporation does not mention
>freeware anymore...

>What does it mean? Is freeware dead?

I think it means that the freeware version is now called GnuPG

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SunOS)

iD8DBQFCgAeDvmGe70vHPUMRAt5SAKC7PTKG0dIfQAMbfQnmM1HFAU7l+QCgqEYf
kvGV3R4NWA2OWkPT4keeyZ0=
=OgSB
-----END PGP SIGNATURE-----

vedaal

May 9, 2005, 11:42:33 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Stefano Ferrante wrote:

> Hello guys.
> New pgp 9.0 has been released but...Pgp corporation does not mention
> freeware anymore...
>
> What does it mean? Is freeware dead?

no,

just not available as pgp 9

only in pgp 8.x


fwiw,
other than being able to use sha256 in pgp9,
there is very little that is better in a practical sense for a
pgp desktop user,

and there seem to be possible areas of exploitation when
everything is 'seamlessly' *automagically* encrypted and
decrypted, especially when html is allowed

it is possible that pgp 9 is geared toward the corporate or
business user,
and 8.x for the personal user, which remains available as
freeware


vedaal

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32) - WinPT 0.9.92
Comment: Acts of Kindness better the World, and protect the Soul
-----END PGP SIGNATURE-----

Neil W Rickert

May 10, 2005, 12:16:39 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom McCune <news1@DELETE_THISmccune.cc> writes:
>"Stefano Ferrante" <sorry...@spam.it> wrote in
>news:d5ojq7$dcs$1...@newsreader1.mclink.it:

>> Hello guys.
>> New pgp 9.0 has been released but...Pgp corporation does not mention
>> freeware anymore...

>> What does it mean? Is freeware dead?

>The word from PGP Corp is that the 30 day Trial becomes what would be
>expected of Freeware after the 30 days of use. It will then do the Current
>Window usage, etc., but not Whole Disk Encryption, PGP Virtual Disk
>(PGPdisk), or PGP Messaging (what is now used instead of plug-ins).

I sure hope you are right. But, after reading the various
agreements, it looks to me as if freeware is dead.

As someone else pointed out, their web page asserts that the trial
version will become cripple-ware after 30 days, with only decryption
allowed.

The EULA is unacceptable to me, with respect to the trial version.
Or does it even apply to the trial version? The wording is
terrible. It mentions evaluation licenses, but it is never clear
whether this is the same as the trial version. Whenever it mentions
evaluation licenses, it refers to "Section 3(d)". But there is no
such section in the EULA.

Maybe there is a section in the evaluation license. But if so, then
there is at least the appearance that I must agree to it (by accepting
the EULA) before I can find out what it is that I have agreed to. That's
not acceptable to me.

I teach a class on security topics, and encryption is part of what we
cover. I require that students send me at least one encrypted signed
message, and that all messages they send be signed. Up till now I
have allowed them to use either PGP or GnuPG. Most choose PGP. Some
of the students use email accounts on yahoo or hotmail. The EULA
restriction clearly prohibits this for the evaluation license. I
will therefore have no choice but to insist that students only use
GnuPG in this class.

Personally, I think PGP is the loser in all of this. If others who
teach similar classes do the same, then we will be teaching a future
generation on GnuPG. Most will probably never switch to commercial
PGP. PGP Corp is eating its seed corn.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SunOS)

iD8DBQFCgN5kvmGe70vHPUMRAgDmAJ9anY4hVrEBCPgZX14GsT2KCCT7jACguN3B
+htwVY/kTxsZa625/98nqek=
=YCE1
-----END PGP SIGNATURE-----

Stefano Ferrante

May 10, 2005, 12:25:31 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Tom McCune" <news1@DELETE_THISmccune.cc> wrote in message
news:en0ge.14720$eU.1...@twister.nyroc.rr.com...


>
> The word from PGP Corp is that the 30 day Trial becomes what would
> be expected of Freeware after the 30 days of use. It will then do
> the Current Window usage, etc., but not Whole Disk Encryption, PGP
> Virtual Disk (PGPdisk), or PGP Messaging (what is now used instead
> of plug-ins).
>

Well, how to say this...are you sure about this (I mean that it will
keep the basic functionality after trial expire) or do you just hope
it?

Forgive me for doubting...but I can't see the word freeware on
www.pgp.com, anymore; that's it.
And in case you are right...do you think pgp freeware will keep
sha-256 enabled?

Stefano

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQoDgaAQvBtJfR/KaEQLF4wCfT8k88aG/GohE6Ba7So8R0FAOTlMAoPNQ
jfBodF7Z3D5t00MAxTFvOPKu
=Pct7
-----END PGP SIGNATURE-----


Mxsmanic

May 10, 2005, 2:48:55 PM
Tom McCune writes:

> The word from PGP Corp is that the 30 day Trial becomes what would be
> expected of Freeware after the 30 days of use. It will then do the Current
> Window usage, etc., but not Whole Disk Encryption, PGP Virtual Disk
> (PGPdisk), or PGP Messaging (what is now used instead of plug-ins).

Where is the source published?

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic

May 10, 2005, 2:50:14 PM
Neil W Rickert writes:

> Personally, I think PGP is the loser in all of this. If others who
> teach similar classes do the same, then we will be teaching a future
> generation on GnuPG. Most will probably never switch to commercial
> PGP. PGP Corp is eating its seed corn.

I agree. It's dangerous to expect people to pay money for something
they can have for free. And in the world of encryption, the source code
must be available as well.

Unruh

May 10, 2005, 2:49:21 PM
Neil W Rickert <ricke...@cs.niu.edu> writes:


>>> Hello guys.
>>> New pgp 9.0 has been released but...Pgp corporation does not mention
>>> freeware anymore...

>>> What does it mean? Is freeware dead?

No. GPG.
Whether or not PGP corp continues with freeware or not is really
irrelevant.


Mike Easter

May 10, 2005, 2:57:25 PM
Mxsmanic wrote:
> Where is the source published?

http://www.pgp.com/downloads/sourcecode/index.html#dtsrc
<sNip>
PGP Desktop Source Code
The source code for PGP Desktop is available for peer review. To begin
the download process, please provide us with a valid email address on
the following form.

After filling out the form, you will then be emailed information on how
to download the source code.

Please note that PGP Corporation does not make its source code available
to others for reuse or to provide information about implementation
details.
</sNip>

--
Mike Easter

Anonymous via Panta Rhei

Aug 1, 2005, 10:57:48 AM
In article <d5qmp7$398$1...@usenet.cso.niu.edu>


I strongly suggest reverting to PGP 6.5.8ckt. Especially if you
don't need the bulk of pgpnet or pgpdisk

https://www.panta-rhei.dyndns.org/downloads/PGP/pgp658ckt08.zip

~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.dyndns.org
for abuse and hashcash info.


Mxsmanic

May 11, 2005, 2:07:34 AM
Mike Easter writes:

> Please note that PGP Corporation does not make its source code available
> to others for reuse or to provide information about implementation
> details.

If the implementation details are not already in the source, then the
complete source is not being published.

Stefano Ferrante

May 11, 2005, 3:37:18 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Tom McCune" <news1@DELETE_THISmccune.cc> wrote in message

news:aeage.14776$eU.1...@twister.nyroc.rr.com...


> "Stefano Ferrante" <sorry...@spam.it> wrote in

>> Well, how to say this...are you sure about this (I mean that it
>> will keep the basic functionality after trial expire) or do you
>> just hope it?
>

> I'll give my only available references. From the PGP-Users list:
>
> "When the 30 Day Trial version of PGP Desktop Home expires, it
> reverts to a set of functionality comparable to what used to be
> known as Freeware, and said functionality remains available
> indefinitely -- under the same license conditions as Freeware
> used to be under."
>
> - - From the PGP Forum:
> http://forums.pgpsupport.com/viewtopic.php?t=3057


>
>> Forgive me for doubting...but I can't see the word freeware on
>> www.pgp.com, anymore; that's it.
>

> Can't blame you for doubting - this is why some of us asked.
>
Thanks for your kind reply...
I also wrote an email to Pgp to hear a word from them; I'll let users
know what they answer...if they ever do ;-)

Stefano

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQoG2KwQvBtJfR/KaEQL39wCffgpDsNQeC57JdyH28Ru+RHZEW1oAn1C4
ZHBUvrdECGcYKUpUS/P22kiJ
=U4ep
-----END PGP SIGNATURE-----


Jim

May 11, 2005, 6:30:52 AM
Anonymous via Panta Rhei wrote...

>
> I strongly suggest reverting to PGP 6.5.8ckt. Especially if you
> don't need the bulk of pgpnet or pgpdisk
>
> https://www.panta-rhei.dyndns.org/downloads/PGP/pgp658ckt08.zip


gpg --verify pgp658ckt08.zip.sig pgp658ckt08.zip

gpg: BAD signature from "Imad R. Faiad <irf...@alum.munged>"

0x833F1BAD
75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

Anyone got a certified version?
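
An added example, not part of any post in this thread: one way to turn the machine-readable lines that `gpg --status-fd` emits into an accept/reject decision for a downloaded archive, so that a BAD signature like the one above is fatal and a good signature only counts when it comes from a pinned key. The status lines, fingerprints and the `judge` helper are constructed for illustration.

```python
from typing import NamedTuple

PREFIX = "[GNUPG:] "

# Status keywords after which the signature must not be relied on.
FATAL = {
    "BADSIG": "signature does not match the file (altered file or wrong .sig)",
    "ERRSIG": "signature could not be checked (missing key or unsupported algorithm)",
    "EXPSIG": "signature has expired",
    "EXPKEYSIG": "signing key has expired",
    "REVKEYSIG": "signing key has been revoked",
}


class Verdict(NamedTuple):
    accept: bool
    reason: str


def judge(status_output: str, pinned_fingerprint: str) -> Verdict:
    """Decide whether to trust a file from gpg's --status-fd output.

    pinned_fingerprint is the signer's primary-key fingerprint, obtained
    out of band (hypothetical value in the samples below).
    """
    pinned = pinned_fingerprint.replace(" ", "").upper()
    good = False
    signer = None
    for raw in status_output.splitlines():
        if not raw.startswith(PREFIX):
            continue  # human-readable "gpg: ..." lines are ignored
        fields = raw[len(PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            # Any failing signature rejects the file, even if another one is good.
            return Verdict(False, FATAL[keyword])
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # First field: fingerprint of the signing (sub)key.
            # Tenth field, when present: fingerprint of its primary key.
            signer = (args[9] if len(args) >= 10 else args[0]).upper()
    if not good or signer is None:
        return Verdict(False, "no good signature reported")
    if signer != pinned:
        return Verdict(False, "good signature, but not from the pinned key")
    return Verdict(True, "good signature from the pinned key")


# Constructed sample outputs (fingerprints and key IDs are placeholders).
PIN = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2005-05-11 1115800000 0 4 0 1 2 00 {FPR}",
    "[GNUPG:] TRUST_UNDEFINED",
])
BAD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>",
])
WRONG_KEY = GOOD.replace(FPR, OTHER)
NO_KEY = "\n".join([
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 2 00 1115800000 9",
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567",
])

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("bad", BAD),
                         ("wrong key", WRONG_KEY), ("no key", NO_KEY)]:
        print(f"{name:10s} -> {judge(sample, PIN)}")
```
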

controlit

May 11, 2005, 1:11:25 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mxsmanic wrote:
> Mike Easter writes:
>
>
>>Please note that PGP Corporation does not make its source code available
>>to others for reuse or to provide information about implementation
>>details.
>
>
> If the implementation details are not already in the source, then the
> complete source is not being published.
>

Nah! Just means they've got other things in mind, you'll get all the
source, they're just not gonna stand by while you crack their product.

This is the link where they try explaining why it says pgp9 will *cripple*
after thirty days http://forums.pgpsupport.com/viewtopic.php?t=3057
How totally idiotic of them not to stress it on the download page, by
this time I'm never going back to their products.

BTW, I just noticed that my PGP version allows 1024-16384 bits RSA keys
which is kind of funny, in a future proof way.


-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt
Comment: KeyID: 0x84505BC94FDD5895

-----END PGP SIGNATURE-----

Ron B.

May 11, 2005, 2:36:27 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

controlit wrote:
(Snip whole thread!)

>
> BTW, I just noticed that my PGP version allows 1024-16384 bits RSA keys
> which is kind of funny, in a future proof way.
>
>

Where did you get the 6.5.8ckt PGP version? I thought it was no longer
available.

Thanx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

Ron B.

May 11, 2005, 5:08:35 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pantyhoseman wrote:

(Snip)

>>
>>Where did you get the 6.5.8ckt PGP version? I thought it was no longer
>>available.
>
>

> You can get it here.
>
> ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt
>
>
>
>
> Pantyhoseman

Thanks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

Casey

May 11, 2005, 7:25:48 PM
In article <cOudnWx0d5z...@giganews.com>, zyp...@spamcop.net says...

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pantyhoseman wrote:
>
> (Snip)
>
> >>
> >>Where did you get the 6.5.8ckt PGP version? I thought it was no longer
> >>available.
> >
> >
> > You can get it here.
> >
> > ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt
> >
> >
> >
> >
> > Pantyhoseman
And here:
FTP.hacktic.nl/pub/crypto/pgp/pgp60/pgp658_ckt/

jusTinTime

May 12, 2005, 1:23:01 AM
On Wed, 11 May 2005 17:12:32 -0700, Melissa
<willkayakforf...@gmx.net> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Hi Ron,


>
>On Wed, 11 May 2005 13:36:27 -0500, you wrote:
>
>> Where did you get the 6.5.8ckt PGP version? I thought it was no
>> longer available.
>

>As others have pointed out, you can still obtain the CKT builds.
>
>There are, however, many varied opinions on the CKT builds. The users
>of these builds are, of course, quite enthusiastic about them, and
>then there are those who feel differently (both legally and
>technically). For a bit of balance, here's an opinion from someone
>who knows quite a bit about cryptography in general, and PGP/GnuPG in
>particular (Robert J. Hansen, who has been known to read/post here at
>times):
>
>http://sixdemonbag.org/PGPBasicsFaq.html#ckt
>
Yeah LOL. That article got me rolling in the aisles.
Pure BullShit but that's only my humble little opinion.
CKT? best thing since sliced bread. Faid is a hero.
He had to quit because of pressure from NAI and for Hansen to make a
cretinous disingenuous statement about lack of commitment by Faid is
pathetic. My answer to Hansen is he can stuff his prig driven biased
drivel up his *** (backside?)

Sniper .308

May 12, 2005, 3:42:56 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 11 May 2005 17:12:32 -0700, Melissa
<willkayakforf...@gmx.net> wrote:

>(Robert J. Hansen, who has been known to read/post here at
>times):
>
>http://sixdemonbag.org/PGPBasicsFaq.html#ckt
>

>With some of the changes found in the recently released PGP v9 that
>I'm not so sure I like, I'm glad we have GnuPG available. :-)

What sort of changes, exactly. I have not tried v9.0 yet. As for
Mr. Hansen, I would have to agree with jusTinTime, Mr. Hansen is
clearly biased, and a bit of a prick. Faid is a hero, and should
have been rewarded for his work.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQoMI6GeRMROiAx2REQL0/wCg4FgBXG6ldcpMxdPSvOfmbWNBTqoAn06H
XC4jYJDswiv8k9f+e+x3/jq9
=YCqG
-----END PGP SIGNATURE-----

Simon H. Garlick

May 12, 2005, 10:09:39 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 12 May 2005 01:23:01 -0400, in alt.security.pgp jusTinTime
<jus...@lake.net> wrote:
> for Hansen to make a
>cretinous disingenuous statement about lack of commitment by Faid is
>pathetic. My answer to Hansen is he can stuff his prig driven biased
>drivel up his *** (backside?)


In the interest of fairness, I feel compelled to point out that Rob Hansen
does not make any comment at his pages that Imad lacks "commitment" in a
general sense -- hell, anyone who followed the CKT builds in the PGP
5.x/6.x years knows that Imad does not lack commitment. What Rob Hansen
stated was that he has "doubts about (his) commitment to solid software
engineering practice".

"(S)everal people of repute within the PGP community—to name three, Will
Price, Hal Finney and Len Sassaman—do not have much respect for the
software engineering of 6.5.8CKT. Nor do I, given that several
well-publicized showstopper bugs in NAI’s 6.5.8 have not been fixed even as
late as 6.5.8CKT-8. This causes me to harbor serious doubts about Imad’s
commitment to solid software engineering practice."

I'm no software engineer and have not examined the source to PGP-CKT -- nor
would I understand it if I did. However to claim that Rob Hansen accused
Imad of "lack of commitment" full stop is misleading at best... malicious
at worst.

shg

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQoNjlpWn2pPDur23EQKEEACeInY6K2APPdJyo8xh7rY03CHmBw4An0Tr
NgzHSxDAcZNPUHddBs6CO58v
=lss8
-----END PGP SIGNATURE-----


Simon H. Garlick <"sgarlick" at "gmail.com">
PGP Key ID C3BABDB7


jusTinTime

May 12, 2005, 11:04:50 AM

that's a very poor argument to suggest my use of the 'commitment'
could be applied generally. There was a reference printed to the
article: the word 'commitment' was used one time in a specific context
within said article: I make a comment on the article and its subject
material as written by the writer, Hansen. Why pray would anyone then
take my comments out of context of the logical thread and apply them
in the general sense? It is totally logical to 'most' people therefore
that they would read my comments in the light of the original article
and the use of language within said article.
I was commenting on the totally facetious "doubts about (his)
commitment to solid software engineering practice". It's full of BS and
innuendo. What has solid engineering practice got to do with the
number of releases or when they are released. One could argue that the
reason that there has been no release since 6.5.8 is because Faid is
spending years solidly committed to the best engineering practices and
quality procedures getting the next release right before distributing
it. He simply stopped working on the product so let's cut the "doubts
about (his) commitment to solid software engineering practice" crap.
To validate such a comment you would need evidence of the methodology
by which Faid approaches and performs his work. The entire tone of
the article was disparaging and negative and used cheap verbiage to
efface the frontiers of balanced opinion. My question to Hansen is what
axe is he grinding that he feels the need to write unsubstantiated
garbage and innuendo about someone he knows very little about.

Sniper .308

May 12, 2005, 12:42:12 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 12 May 2005 23:39:39 +0930, Simon H. Garlick
<n...@this.address> wrote:


>"(S)everal people of repute within the PGP community—to name three,
>Will Price, Hal Finney and Len Sassaman—do not have much respect for
>the
>software engineering of 6.5.8CKT. Nor do I, given that several
>well-publicized showstopper bugs in NAI’s 6.5.8 have not been fixed
>even as late as 6.5.8CKT-8. This causes me to harbor serious doubts
>about Imad’s commitment to solid software engineering practice."

What does that tell you about NAI and their practices. At least Faid
made the effort to improve the software, something NAI failed to do.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQoOHWmeRMROiAx2REQJu/QCg18Ka5bhvncGIgG8hC9YIMD3avswAoOYg
MrvFnfnT6BFBFjVwGFb13mPa
=1Hq8
-----END PGP SIGNATURE-----

Mike Easter

May 12, 2005, 1:59:52 PM
If there are any lurkers around who are like me and pretty ignorant of
what 6.5.8CKT comprises or is all about, I wasn't able to read about it
at any Imad Faiad sites, but I found a fair description here
https://netfiles.uiuc.edu/ehowes/www/pgp-vers.htm#CKT . Melissa cited Rob
Hansen's reservations and Tom McCune's are at various places at his
site.


--
Mike Easter

vedaal

May 12, 2005, 5:55:22 PM
(btw, the 'flaw' that Rob described, doesn't seem to be present with
rsa keys, only dh keys, so the example below 'doesn't' show it, and it
'won't' cause ckt to crash)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Melissa wrote:

> Hi Sniper .308,


>
> On Thu, 12 May 2005 00:42:56 -0700, you wrote:
>
> > What sort of changes, exactly. I have not tried v9.0 yet.
>

> Though I haven't tried v9 myself, I've never been very comfortable
> with the idea of using a "transparent" proxy for cryptographic
> manipulations of email, and this is one of the new "features" of v9
> (in the commercial builds anyway).

> This sort of transparency might be great and convenient when it works
> as expected, but by its very nature (transparency), we might just as
> easily not know if/when it's not working as expected, and we might be
> sending clear text all the while assuming that we're not (or some
> other types of malfunction or vulnerabilities may be occurring or
> exploited without our knowledge). When it comes to this type of
> software especially, I'm still more comfortable if I can see, with my
> own eyes, each cryptographic manipulation as it is being invoked by
> my manual intent.

for an example of what this can lead to in pgp 9.x,
see here: (a pop-up blocker is recommended ;-( )

http://www.angelfire.com/pr/pgpf/intro.html

(try decrypt/verify from the pgp 'current window')


exploits like this have much more likelihood of 'fooling' someone
when the process is 'transparent',

e.g. receiving and automatically decrypting html e-mail


this was made public when the version was 6.5.8,
and (at least in pgp 9 beta), has still not been fixed)

now,
with regard to Rob Hansen's description of the bug in 6.5.8,

he was referring to 6.5.8 crashing when trying to verify
simultaneous double-signed clearsigned messages,

as in this very message that you are reading ;-)


i reported it to Imad at the time i first noticed it

(Rob was the first person i ever knew to start using double-signed
messages,
and it crashed my ckt )

[btw, simultaneous double-signing is a very nice way to introduce a
'new' key
to people who only have a user's old key, - just double-sign with the
old and the new key,

ckt accepts it in signed and encrypted form, or armored-signed form,
*without* crashing]


at that time though,
Imad's site was already down, and he was no longer maintaining ckt
and so it wasn't fixed
(although Rob has a simple patch for it that he's not releasing ;-( )


with regards to Rob's and Imad's disagreement
(btw, i have regularly corresponded with both,
and always with friendly, decent and helpful exchanges),

they are both right/wrong ;-)

Imad's support for md5 at that time,
is no worse that support for sha-1 at this time,

and the sha-1 group have still not officially 'deprecated' it,
although there is just enough reason to do so, as there was for md5 at
the time of
Rob's and Imad's discussion


it's sometimes hard to 'let go' of programs/algorithms,
that one has grown to know and feel comfortable with ...

a similar thing can be said of gnupg with elgamal signing,
(it took 'quite some time' between the original reported
vulnerabilities,
and the final described flaw that led to 'dropping' it)

> ... the heart of Robert's
> concern about the lack of "qualified" personnel willing to even "peer
> review" the hacked code of the CKT builds at all; hence his concerns
> that said code has not been adequately studied. Have you personally
> studied both the NAI and CKT PGP 6.5.8 code to the point that you're
> satisfied with the technical soundness of Imad's hacks? (and I don't
> mean "hack" in any derogatory manner, as even Imad himself referred
> to his work as being a "hacking" of the original PGP code).


two *respected* people in the crypto community, _have_ studied it,
though:

[1] Sam Simpson of Scramdisk, who reviewed the diff's between the 6.5.8
code,
and Imad's modifications

[2] Disastry, who streamlined the c code changes after Imad made the
modifications,
(the final source-code is the Disastry modifications integrated by
Imad)

the legal issues,
are perhaps the strongest '*supporting*' evidence for 'ckt'


in terms of performance, versatility, and convenience,
ckt 9 beta 3,
is incomparably easier and simpler to use than pgp 8 or 9,

and if there were a 'fair contest',

(i.e. if pgp.com were to say,

"fine, 6.5.8 is an outdated codebase,
we don't care what anyone does to it, as long as it isn't 'sold',

and allowed Imad to 'modify/upkeep' it with a free hand,
and users were allowed to choose which one they wanted,
and anyone interested could 'review' it without legal worries ),

then i don't think there would be much of a contest ... )


vedaal

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul
-----END PGP SIGNATURE-----

Ron B.

May 12, 2005, 11:47:13 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

vedaal wrote:
> (btw, the 'flaw' that Rob described, doesn't seem to be present with
> rsa keys, only dh keys, so the example below 'doesn't' show it, and it
> 'won't' cause ckt to crash)


Vedaal: please note:

OpenPGP Security Info

Error - signature verification failed

gpg command line and output:
/usr/local/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -d
gpg: Signature made Thu 12 May 2005 04:49:44 PM CDT using RSA key ID
85306D25
gpg: BAD signature from "vedaal nistar <MUNGED>"
-----BEGIN PGP SIGNATURE-----


Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

vedaal

May 13, 2005, 9:19:31 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Ron B. wrote:

> Vedaal: please note:
>
> OpenPGP Security Info
>
> Error - signature verification failed
>
> gpg command line and output:
> /usr/local/bin/gpg --charset utf8 --batch --no-tty
> --status-fd 2 -d gpg: Signature made Thu 12 May 2005 04:49:44
> PM CDT using RSA key ID 85306D25
> gpg: BAD signature from "vedaal nistar <MUNGED>"


i know ;-((

a recurrent problem i seem to have with posting from google ;-(

even though i compose and sign in another window,
then paste into the google window, then verify it from the
google window before 'posting'

one thing i've noticed with google, is that it alters posts
sometimes
to protect a quoted e-mail address from spam harvesters
(although this wasn't the case in my previous post)

vedaal

-----BEGIN PGP SIGNATURE-----


Comment: Acts of Kindness better the World, and protect the Soul
-----END PGP SIGNATURE-----
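
An added example, not part of any post in this thread: a sketch of why a clearsigned post survives some transport changes but not others, following the cleartext signature rules of RFC 4880 section 7.1 (line endings normalised, trailing blanks stripped, dash-escaping undone). The sample message, the addresses and the helper names are constructed; the digest covers only the canonical text and stands in for the full signature hash, which also includes signature packet fields.

```python
import hashlib
from itertools import zip_longest

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def signed_text(clearsigned: str) -> bytes:
    """Canonical bytes covered by a cleartext signature (RFC 4880, 7.1)."""
    # Line endings and trailing spaces/tabs are normalised before hashing,
    # so a transport may change them without invalidating the signature.
    unified = clearsigned.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip(" \t") for line in unified.split("\n")]
    start = lines.index(BEGIN_MSG) + 1
    while lines[start] != "":      # skip "Hash:" armor headers
        start += 1
    start += 1                     # the blank separator line is not signed
    end = lines.index(BEGIN_SIG, start)
    # Undo dash-escaping: "- " was prepended to lines that began with "-".
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    # The line ending just before BEGIN PGP SIGNATURE is not part of the text.
    return "\r\n".join(body).encode("utf-8")


def content_digest(clearsigned: str) -> str:
    # Stand-in for the signed data; a real signature hash covers more.
    return hashlib.sha256(signed_text(clearsigned)).hexdigest()


def changed_lines(sent: str, received: str):
    """List (line number, before, after) for canonical lines that differ."""
    a = signed_text(sent).decode().split("\r\n")
    b = signed_text(received).decode().split("\r\n")
    return [(n, x, y) for n, (x, y) in enumerate(zip_longest(a, b), 1) if x != y]


# Constructed sample message (not taken from the thread).
SENT = "\n".join([
    BEGIN_MSG,
    "Hash: SHA256",
    "",
    "Alice Example <alice@example.org> wrote:",
    "> Is the freeware build still available?",
    "",
    "- - Yes, in the 8.x series.",
    "",
    BEGIN_SIG,
    "(signature data omitted from this constructed sample)",
    "-----END PGP SIGNATURE-----",
])

# Harmless in transit: CRLF line endings and trailing blanks on every line.
BENIGN = "\r\n".join(line + " \t" for line in SENT.split("\n"))
# Breaks the signature: a gateway masks a quoted e-mail address.
MUNGED = SENT.replace("alice@example.org", "ali...@example.org")
# Breaks the signature: a quoted line is re-wrapped.
REWRAPPED = SENT.replace("build still", "build\nstill")

if __name__ == "__main__":
    for name, msg in [("benign", BENIGN), ("munged", MUNGED),
                      ("rewrapped", REWRAPPED)]:
        same = content_digest(msg) == content_digest(SENT)
        print(f"{name:10s} signed text unchanged: {same}")
        for n, before, after in changed_lines(SENT, msg):
            print(f"    line {n}: {before!r} -> {after!r}")
```

Running `changed_lines` on the text as sent and as it appears after posting points at the exact line a gateway rewrote, which is quicker than guessing from a bare "BAD signature".
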

Thomas J. Boschloo

May 16, 2005, 12:53:19 PM
LowKey wrote:
> PGP658 for Windows is available at MIT:
>
> http://pgpdist.mit.edu/distserver/zz752369790/newpgp/index.html

That is not the same! 658ckt08 fixes several bugs and its pgpdisk will
actually work with XP (in the way that in 658 official it won't).

Anyways, the sig is a known problem with that version. I think I used to
have a replacement sig file, but I lost it and Imad's site is now gone.

The version I have was downloaded from ftp.zedz.net and has an md5 of
fd25e9b2c5f11f7b96974034a79a3550

Here are the improvements coded by Imad in ckt08

-----BEGIN PGP SIGNED MESSAGE-----

-----------------------------------------------------------
PGP 6.5.8ckt - Build08 - Read me file - 05/02/2002
-----------------------------------------------------------

1) Added the tiger 192 hash algorithm.
2) Updated the SHA2 hash algorithm.
3) Fixes to enable support for large clipboard where the
contents has no end of line characters.
4) Fixes to enable handling of detached signatures
where the contents of the detached signature file contains
leading non PGP blocks data.
5) Verification blocks for encrypted only messages.
6) Cipher display in the verification block.
7) there are three distinct verification block header/footer
as follows:-
BEGIN/END PGP DECRYPTED/VERIFIED MESSAGE (encrypted/signed)
BEGIN/END PGP DECRYPTED MESSAGE (encrypted only)
BEGIN/END PGP VERIFIED MESSAGE (signed only)
8) Omit version line feature, this may be accessed by entering
a NULL string in the "Version String Preference" combo in
the "Email" tab of the PGP preferences dialog.
9) Enabled editing in the password dialogs, this may be toggled
by ticking "Allow Cut & Paste" tick box in the password dialogs.
I am not too fond of this feature, however, it's there
if that is what you want to do.
10) Updated key servers.
11) The system fixed font is now used for display of the
decrypted/verified message in the PGP text viewer.
12) Fix for PGP 7.x generated RSA v4 keys which used
v3 format checksums.
13) Changed the order of default preferred ciphers
as follows:-
AES256, Twofish256, AES192, 3DES, AES128, CAST5,
IDEA, BLOWFISH.
14) Numerous typo and other miscellaneous fixes.
15) Compiled with the July 2000 MS SDK so that the
build will run on the windows 95 OS.
16) The Bat plugin is now bundled with this build.
Make sure you are running the Bat v1.6d or better.
A Note about The Bat PGP plugin of this build:-
When the PGP plugin is invoked, the following is done:
a) PGPlog will be used to give immediate feedback to the
user about the status of the decrypted/verified message.
b) the verification block(s) will be dumped to the clipboard,
with the processed message(s) block(s) replaced by "<snip>",
for more detailed analysis.
c) If the plugin is called via "OpenPGP Decrypt", the
processed message(s) and verification blocks are
passed to The Bat.
17) Fixes to the installer.

If you have build 07 installed, run "uninstall.exe" which should
be in your PGP install directory to un-install it.
"Add/Remove Program" may or may not work, this has now
been fixed.

Best Regards and happy encrypting

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

-----------------------------------------------------------
PGP 6.5.8ckt - Build07(Updated) - Read me file - 03/17/2002
-----------------------------------------------------------

This is the 6.5.8ckt Build07 binary distribution.
The source code corresponding to this build may
be downloaded separately from http://www.ipgpp.com/

What's New:

1) Fixes to the PGPdisk driver so that PGP disk
volumes will appear in the windows XP explorer.
2) Fixes to the PGPdisk driver so that PGP disk
volumes may be formatted in the windows XP
environment.
3) Fixes to the MS Outlook PGP plugin so that
the decrypt button will work with Outlook
2000 and Outlook XP.
4) Graceful OpenPGP MDC packets handling.
5) Nuking of proprietary packets generated by non
compliant OpenPGP implementations.
6) Handling of signature verification where the
signing key is a sub-key.
7) Handling of decryption of messages where the
decryption sub-key is revoked or expired.
8) Fixes to the Keygen Wizard so that RSA v3 keys
will be properly generated with IDEA as the default
cipher.
9) Warning in Keygen Wizard removed when generating
RSA v4 keys.
10) Warning removed when exiting PGPtray.
11) Additional hashes support contributed by Disastry:-
SHA256, SHA384, and SHA512.
12) Preferred hash algorithm is now based on public
key algorithm. These may be set in the "Preferred
Hashing algorithm" combos in the Advanced tab of
the PGP preferences dialog. Many thanks to Disastry
for this valuable feature.
13) "Change Key Preferences" of v4 keys, namely change
the expiry date and/or the preferred ciphers of
an existing v4 key. This feature may be accessed
by clicking on the "Change Key Preferences..." button
in the Key properties dialog. This feature was also
contributed by Disastry.
14) Display of un-implemented hash algorithm by name instead
of by algorithm ID, in PGPKeys and the verification blocks.
The program is currently aware of the following un-implemented
hash algorithms: TIGER192, HAVAL-5-160, and HAVAL-5-256.
15) NAI's "PGPsdk Key Validity Vulnerability" patch applied
(Hotfix0904 http://www.pgp.com/downloads/pgpsdk-patch-download.asp).
16) Compiled with Intel RNG support. The program will use the Intel
RNG if the Intel Security Driver is installed. If you have
an Intel chipset based motherboard with an Intel firmware hub
(usually an 810 class or better Intel chipset) then you may
download the Intel Security Driver from here:-
http://www.intel.com/design/software/drivers/platform/security.htm
After installing the above, this build of PGP will use
the Firmware Hub's hardware Random Number Generator.
17) Ported the installer/un-installer to the InstallShield 6.31
platform, this should provide more reliability. The installer
will attempt to perform an un-install if it detects an existing
PGP 6.5.x installation, it will then proceed to install this build.
It is strongly recommended that the user re-boots to complete
the installation. Should the installer detect some version
of PGP other than 6.5.x installed, it will not proceed. In this case
please follow the installation procedure below. The installer is
now language aware, I hope.
18) Other minor fixes, and miscellaneous cosmetic changes.
19) Updated the deflate modules to use zlib 1.1.4 instead of zlib 1.1.3.
20) Compiled using MS SDK November 2001, Numega DriverStudio 2.6.

Please do not install the Outlook Express plugin on a windows 2k/XP
box, as this is known to cause random crashes of the system.

For proper installation please apply the following instructions carefully:-
1) Un-install whatever build of PGP you have.
2) Re-boot.
3) Using Regedit navigate to this key:

For Windows 9x/Me machines:-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\KnownDLLs]

For Windows NT/2K/XP machines:-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs]

4) Should you find any values pertaining to PGP under the above key
please delete them, otherwise proceed to step 6.
5) Re-boot.
6) Delete, if any, PGP*.* in your windows or windows system directory.
7) Install Build 07.
8) Re-boot.

This build is by no means complete, it is released with the
hope that users will provide the necessary feedback so as
to enable me to better resolve any issues in subsequent builds.
Should you find any problems which are build specific, or should
you have any requests or recommendations, please do not hesitate
to contact me ma...@cyberia.net.lb

Best Regards,

And Happy Encrypting,

Imad R. Faiad
-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------
PGP 6.5.8ckt - Build06 - Read me file - 06/04/2001
----------------------------------------------------------

This is the 6.5.8ckt Build06 binary distribution.

What's New:

1) To make the distribution as light as possible the source code
archive is no longer bundled. The source code archive
may be downloaded separately from my site.
Also, I have omitted the visual studio redistributable files.
If you are running an older win9x or win nt system, you may download
these from:-
http://download.microsoft.com/download/vc60pro/Update/1/
W9XNT4/EN-US/VC6RedistSetup_enu.exe
(please concat the above two lines to obtain the full URL).

2) V4 signature verification support.

3) Allows the user to specify the public key algorithm when
generating sub-keys.

4) Sort by key type in PGPKeys.

5) Hash algorithm display for certificates in the tree display and key
property.

6) Correct public key algorithms display in the tree and key property
dialog for v4 RSA keys.

7) Hash algorithm display in the PGP verification block.

8) Key ID and lock algorithm display in the sub keys list.

9) Verification block string in the verification block.
This may be accessed from the "Verification Block String (VBS)
Preferences" group of controls in the email tab of the PGP
preferences. The verification block string will prefix all
verification block lines. You have a choice, of custom, verification
date/time, random, or none. The default is verification date/time.

10) "Remove Non PGP Block Data" check box in the Email tab of
the PGP preferences dialog. What this does is remove all data
which were not within a PGP block when displaying a verified/decrypted
message. This (items 9 and 10) is to prevent attacks based on composite
messages containing make believe PGP verification blocks designed
to mislead the user.

11) Better user control over the symmetric algorithm preferences.
These may be set to your liking using the "Symmetric Algorithm
Preferences" group of controls in the advanced tab of the PGP
preferences dialog.

12) Support for ElGamal Sign/Encrypt keys, this is to make PGP more
compatible with GnuPG.

13) Better control over the Preferred Hashing algorithm (Advanced tab, pgp
preferences dialog). Setting this option to default will result in the
following:-
RSA keys -> MD5 will be used
DSS or Elgamal Sign/Encrypt -> SHA1 will be used.
If it is set to MD5 and the key is DSS then SHA1 will be used. The
program is able to verify a DSS signed message where MD5 was used,
however will not allow you to use MD5 with a DSS key. This should
make PGP more compatible with GnuPG.

14) I have widened the hotkeys fields in the hotkeys tabs of the
PGP preferences dialog, as it overflowed in certain languages
e.g. with German systems "Strg+Umschalt+D" will make
the fields overflow.

15) Samopal Corporation's PGP ICQ plugin is bundled with this build.
To install it select "Samopal PGP ICQ Plugin", this will be
installed in your ICQ directory. You may need to copy your
Keyrings to the ICQ directory so that the plugin may use them.
The source code for the PGP ICQ plugin may be obtained from:-
http://www.samopal.com/soft/pgpicq/
Many thanks to Samopal Corporation!

16) Trust and Validity display for signatures in PGPKeys.


Should there be any problems which are build specific,
please do not hesitate to contact me (ma...@cyberia.net.lb).

As always,

Enjoy!

Best Regards,

and Happy Encrypting,

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------
PGP 6.5.8ckt - Build05 - Read me file - 04/20/2001
----------------------------------------------------------

This is the 6.5.8ckt Build05 binary distribution,
which also contains the source code distribution.

What's New:

1) Twofish / AES hashing fixes (by Stefan Keller).
2) Enabled subkey generation > 4096 in the subkey creation dialog.
3) Fixes for Klima & Rosa style attacks on DSA Keys.
4) Fixed a bug in the PGP explorer context menu, which caused
the wipe dialog to appear when "encrypt & sign" is selected
for ".asc" & ".pgp" files.
5) Fixes for the so called "ASCII Armor Parser Vulnerability",
http://www.atstake.com/research/advisories/2001/a040901-1.txt
Please note that the above is not a PGP problem, it's
a windows problem, and is not limited to ASCII armored
files.
The PGP dll's are now protected via the KnownDLLs registry entries.
Also the user is prompted for the location where he wishes
to save the decoded file should the program detect an encoded
.dll file.
6) There are now two PGPmemlock and PGPdisk drivers for windows NT/2K,
One is compiled with the windows 2000 DDK, and the other is
compiled with the NT 4 DDK. The OS specific one will be selected
by the installer.

Fixes and enhancements by Disastry:-

7) Splitting 3DES, AES192, AES256, Twofish key now works properly.
8) When creating a key the preferred cipher is used to encrypt it
(before CAST5 was always used).
9) Display of all preferred ciphers in key properties.
10) Displays cipher used to protect private key in key properties
11) Key sort by 4 byte Key ID's in PGPKeys.
12) Allows different passphrase for subkeys.
13) Allows ascii armor when signing clipboard.
This may be accessed from the "armored output"
check box in the "Enter Passphrase" dialog.
14) Support for RSA v4 keys. This is still work
in progress, it was enabled so as to
allow more users to evaluate this feature,
and report any problems.

Should there be any problems which are build specific,
please do not hesitate to contact me (ma...@cyberia.net.lb).

As always,

Enjoy!

Best Regards,

and Happy Encrypting,

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: KeyID: 0x833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------
PGP 6.5.8ckt - Build04 - Read me file - 02/23/2001
----------------------------------------------------------

This is the 6.5.8ckt Build04 binary distribution,
which also contains the source code distribution.

What's New:

1) Further refined the 64 bits key ID display. The signing
key ID in the verification block will be displayed
according to the user's preferred setting in the "64 bits
Key ID Display" check box in the advanced tab of the PGP
preferences dialog. As it seems that this feature has
created a lot of confusion.
However, I recommend and encourage users to refer to PGP
Key ID's as 64 bits entities because this is how they are
handled internally by the program. Let's put it this
way, it is not that hard to spoof a PGP Key ID to 32 bits
of precision, however it is very hard to spoof the
PGP Key ID to 64 bits of precision.
A discussion of PGP Key ID's is beyond the scope of this
read me file.
If Sam or Tom are reading this, then I take this
opportunity to suggest that they both add a section in
their respective PGP FAQ's about PGP Key ID's :-)

2) Updated the links in the about box and added some more.

3) Updated the preset version strings.

I have acquired a new domain name http://www.ipgpp.com.
And will be moving to a new host soon. Please update your
book mark.

As always,

Enjoy!

Best Regards,

and Happy Encrypting,

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------
PGP 6.5.8ckt - Build03 Updated - Read me file - 02/17/2001
----------------------------------------------------------

This is the 6.5.8ckt Build03 updated binary distribution,
which also contains the updated source code distribution.

Note that this distribution of 6.5.8ckt Build 03
supersedes the one dated 02/12/2001.

What's New:

1) Added Key properties display to the matching key
found pop up dialog.

2) Fixed the "Allowed Algorithms"'s check boxes
in the advanced tabs of the PGP preferences
dialog. As some of them could not be un-checked.

3) Fixed the mnemonics in the advanced tabs of the PGP
preferences dialog.

4) Fixed the tab order in the advanced tabs of the PGP
preferences dialog.

5) Cleaned up the labeling of all the modified code
blocks in the source code. They are more consistent,
and all changes to the source code may be easily
found by doing a global search for "//BEGIN ".

Best Regards

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------
PGP 6.5.8ckt - Build03 - Read me file - 02/12/2001
--------------------------------------------------

This is the 6.5.8ckt Build03 binary distribution,
which also contains the source code distribution.

What's New:
-----------

1) This build incorporates Disastry's modifications
to support more ciphers.

Many thanks to Disastry, for sharing this with us.

Currently, the following additional ciphers are
supported:-
a) Blowfish-128.
b) Twofish-256.
c) AES-128.
d) AES-192.
e) AES-256.

I do not encourage the use of Blowfish, as it is
not implemented in any of the official PGP builds.
It is provided so as to make PGP more compatible
with GPG.

Whether you intend to use those additional ciphers
or not, should you come across a key using any
one of those ciphers, you will be equipped to
handle them.

2) Added the ability to display the creation and
expiration dates of a key in long date/time
format i.e. the time is also displayed.
This feature may be toggled via the
"Long Date Display" check box, in the advanced
tab of the PGP preferences dialog.
Checking it will display the creation or
expiration time of the key, in addition to the date.
In its unchecked state the creation and expiration
will be displayed in the traditional format
i.e. date only.

3) Fine tuned the 64 bits Key ID display feature.
The Key ID will now be displayed in your preferred
display format.
i.e. As per your selection via the "64 bits
Key ID Display" check box, in the advanced tab
of the PGP preferences dialog.
In its unchecked state the key ID's will be displayed
in the traditional 32 bits format, otherwise,
the full 64 bits format will be used.
Note that the Key ID's in the signing key selection
Combo and the verification blocks will be displayed
in 64 bits format regardless of your preferred
Key ID display setting.

Finally I hope that you will enjoy this build, as much
as I had enjoyed putting it together.
I also hope, that you will find it useful, and
that it will encourage you to use PGP on a more regular
basis.

Should there be any problems which are specific
to this build, please do not hesitate to contact
me (ma...@cyberia.net.lb).


Enjoy!

Best Regards,

and Happy Encrypting,

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------
PGP 6.5.8ckt - Build02 - Read me file - 09/27/2000
--------------------------------------------------

This is the 6.5.8ckt Build02 binary distribution,
which also contains the source code distribution.

What's New:
-----------

1) In Build01 I forgot to add the column header in
the Key ID 64 column of PGPKeys. This has now
been fixed.

2) Added the ability to toggle whether one wishes
to block ADK requests or not. This feature
may be accessed from the advanced tab of the
PGP preferences dialog by checking or un-checking
the "Block ADK requests" check box.

3) The user may now select whether he wishes the
Key ID to be displayed in 64 bits format, or the
traditional 32 bits format, in the key property
sheets and tree display of PGPKeys.
The preferred Key ID display may be set thru
the "64 Bits Key ID Display" check box, in the
advanced tab of the PGP Preference Dialog.

Finally, please note that the Adobe Acrobat
PGP documentations have been omitted from this
distribution to make it as light as is possible.

However, I strongly recommend that you peruse them.

They may be downloaded from:

http://irfaiad.virtualave.net

The name of the item to download is PGP 6.5.1 .pdf
documentations.


As always,

Enjoy!

Best Regards,

and Happy Encrypting,

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------
PGP 6.5.8ckt - Build01 - Read me file - 09/22/2000
--------------------------------------------------


This is the 6.5.8ckt Build01 binary distribution.

Well you asked for it, and we brought it to you.

There isn't much to add, it's really PGP 6.5.1ckt
Build08. As 6.5.1 and 6.5.8 are more or less the
same.

I have not included the Lotus Notes, and groupwise
plugins. I figured that if you really need them
then chances are that you should buy the
commercial release from NAI.

What's New
----------

Ported all the ckt goodies to PGP 6.5.8.

Cleaned up the shell extension context menu mod,
it needed it.

Without boring you too much, I have attached the
read me file of 6.5.1ckt Build07.

Should there be any problems which are specific
to this build, please do not hesitate to contact
me (ma...@cyberia.net.lb).

Enjoy!

Best Regards,

and Happy Encrypting,

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------
PGP 6.5.1ckt - Build07 - Read me file - 09/20/2000
--------------------------------------------------

This is the 6.5.1ckt Build07 binary distribution.

What's New:-
------------

1) Fixed the ADK bug. The program will no longer
honor any ADK's be they legitimate or otherwise.
Should you have a need for the ADK feature I
suggest that you purchase the commercial
release from NAI.

2) Fixed this typo in the verification block:-
*** Singer Key Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45
changed Singer to Signer

3) In build 06, the PGPMemlock driver was linked by accident
using the 2k DDK, this caused the driver to fail
to load under the windows NT platform. This problem has
been fixed.

4) The source code archive which is bundled with this
distribution has been updated to reflect the changes
made up to Build 07. You will find the archive
in the same directory where PGP was installed, it's
the file pgp651ckt07.zip.

As always,

Should you have any problems or suggestions which are
specific to this build, please do not hesitate
to email me (ma...@cyberia.net.lb).

Enjoy!

Best Regards,

and Happy Encrypting,

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.1ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------
PGP 6.5.1ckt - Build06 - Read me file - 05/27/2000
--------------------------------------------------

This is the 6.5.1ckt Build06 binary distribution.

Please note that this is an updated binary distribution
of Build05. So, there is no need to move to this build
unless you are affected by the issues which were fixed.

What's new:-
------------

The PGPNet SetAdapter executable was not included
in the installer in the earlier distribution. This update
corrects this.

The windows 9x PGPdisk driver was recompiled using
the latest release of DriverStudio 2.0b1, namely NuMega
VtoolsD 3.05.

The PGP command line was not statically linked in build 05.
This problem has been corrected, the new compiled binary
no longer imports from any of the PGP SDK dll's.

Fixed some win2k issues in the PGPDisk windows NT driver.

Fixed a typo in the verification block strings. Also,
revised the verification block strings to be more consistent.

This is the new verification block:-

*** PGP Signature Status: good
*** Signer: Imad R. Faiad <ma...@cyberia.net.lb>
*** Signer Key ID: 0xBCC31718833F1BAD
*** Singer Key Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45
*** Signed: 5/27/2000 12:13:59 PM
*** Verified: 5/27/2000 12:14:41 PM
*** BEGIN PGP VERIFIED MESSAGE ***

This was the old one:-

*** PGP Signature Status: good
*** Signer: Imad R. Faiad <ma...@cyberia.net.lb>
*** Signing Key ID: 0xBCC31718833F1BAD
*** Singing Key Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45
*** Signed: 2/5/2000 8:33:44 PM
*** Verified: 2/5/2000 8:33:49 PM
*** BEGIN PGP VERIFIED MESSAGE ***

Note the typo "Singing Key Fingerprint" which was fixed.
Also note the change from "Signing Key" to "Signer Key".

For the record, the MS platform SDK, April 2000 was
used to compile this build.

Should there be any problems which are specific to this
build, please do not hesitate to contact me:-
ma...@cyberia.net.lb.


Best Regards

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 6.5.1ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------
PGP 6.5.1ckt - Build05 - Read me file - 02/05/2000
--------------------------------------------------

This is build 05 in the 6.5.1ckt series. It is based
on the PGP 6.5.1 source code books which were scanned
by pgpi.com.

For the complete list of the changes which were made
to the plain vanilla 6.5.1i source code please refer
to this read me file as well as all those of the
previous builds in the 6.5.1ckt series which are
appended to this document.

Or better still:-

All the modifications are documented in the source code.

This binary distribution also contains the source code
archive used for this build. It will be automatically
copied to the same directory where you installed this
build by the PGP installer. In this build the source
code archive is in the file pgp651ckt05s.zip.

Please note that the source code only distribution for
this build is also available at my site:-

http://www.ipgpp.com/

I have been informed that in a certain foreign usenet
newsgroup it has been purported (Anonymously of course)
that the ckt source code is never released.
I do find this a bit puzzling as we have always made our
source code available as soon as the source code tree
has become stable. But then again that particular
newsgroup is rife with rumors. And often times, I am
told, the rumors are apparently dispelled by their
propagators (under another alias of course)!

I hereby certify that I have never found any backdoors
in any version of PGP. I have been hacking the source
code of PGP since PGP 5.0. In the process, I never
found any piece of code which is questionable. If there
were any backdoors I am sure they would have been discovered
by now. So, to the rumor mill camp, I have this to say:-

What is your agenda?

Changes in this Build:-

1) I have moved to the pgpi.com source code.
The previous builds used the source code which
was downloaded from the zedz.com ftp site (the only one
available at that time).
The proofread pgpi.com source code was released in late
November 1999.
The source code distributed by pgpi.com is a better
baseline in my view.
Of course all the modifications which were carried
out in the previous builds were successfully ported
to the new baseline code.

2) I have enhanced the PGP verification block. It now
shows the signing key ID in its full 64 bits, the
signing key fingerprint is also shown.
The following is a sample verification block, which
I do hope will be self explanatory:-

*** PGP Signature Status: good
*** Signer: Imad R. Faiad <ma...@cyberia.net.lb>
*** Signing Key ID: 0xBCC31718833F1BAD
*** Singing Key Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45
*** Signed: 2/5/2000 8:33:44 PM
*** Verified: 2/5/2000 8:33:49 PM
*** BEGIN PGP VERIFIED MESSAGE ***

This is a test message to demo the new improved verifiction block.
New Improved! LOL


*** END PGP VERIFIED MESSAGE ***

3) Most of the key ID's in the program are now displayed
in 64 bits format. They are too numerous to mention
individually, but should be obvious to users of any
build in the 6.5.x series. e.g. look at the
signing key id in the comment block of this message.

4) Recompiled PGPDisk using DriverStudio 1.5 RC1.

For installation instruction please refer to the read me file
of build 04 below.

Should there be any problems which are specific to this build
please do not hesitate to contact me.

I have built this version for my own personal use. I can
state that as far as I am aware, there are no back-doors
in this build, that the program (PGP) can generate and use
RSA keys up to 16384 bits in length, DH keys up to 8192 bits
in length, will handle DSA keys up to 2048 bits in length,
and that the integrity of the program has not been
compromised by my modifications.

Please note, that this is not a "Warezed" version of PGP.
And I, the compiler of the source code, hereby declare
that I do not own or claim ownership of the binaries so
produced. It is being made available "Gratis" to facilitate
the process of satisfying the PGP users community that the
current commercial release of PGP is still secure and
trustworthy. Therefore, it is my fervent hope, that all
users of this package observe all applicable laws with
regards to copyrights, patents, and other laws that may
govern its use.

I appeal to all users of this build to buy the commercial
product from NAI. It's only $15. As PGP users we owe it to
ourselves to make sure that a good product such as PGP does
not get discontinued because it is not profitable for its
makers. Furthermore, by actively supporting the PGP team
you will ensure that PGP will evolve to meet your future
security needs. $15 or even a lot more is not that much
to pay to protect your privacy.

As always,

Enjoy!

Best Regards

Imad R. Faiad

--------------------------------------------------
DISCLAIMER
--------------------------------------------------

THIS SOFTWARE AND THE ACCOMPANYING FILES ARE
DISTRIBUTED "AS IS" AND WITHOUT WARRANTIES
WHATSOEVER, EXPRESS OR IMPLIED. SO USE IT AT YOUR
OWN RISK.

-----BEGIN PGP SIGNATURE-----
Version: 6.5.1ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------
PGP 6.5.1ckt - Build04 - Read me file - 01/05/2000
--------------------------------------------------

Happy new millennium!

What's New:-

1) Added a column to PGPKeys which displays the Key ID in 64
bits. This feature may be accessed from "Views"|"Key ID 64 bits"
menu in PGPKeys.

2) Fixed a bug in the CBT hook proc which caused the
"Current Window" feature not to work in the windows 2000
environment.

3) Fixed a bug in the installer which prevented it from automatically
finding the Outlook Express install directory in the windows
2000 environment.

4) The installer will no longer install this build if it finds that
another build of PGP is already installed. It is better to
un-install manually, re-boot, clean up the shared dll files
in order to ensure that a clean install of this build is
performed. Please refer to the installation procedure below.

5) Recompiled everything using the latest MS Platform SDK (January 2000)
and Numega DriverWorks.

6) Updated the icons in the list control of the Enter Passphrase
dialog to PGP 6.x.x style icons. In the builds prior to this we were
still using PGP 5.x.x icons. Check it out it's neat.

7) Since the last build, I have migrated to the Windows 2000 platform.
I can therefore state that this build works like a charm under the
above platform (Win 2k Build: 2128).

Known Issues:-

The Auto-Unmount after feature is grayed out in win2k. Also there have
been reports that it does not work on other windows platforms too.
Looking at the source code, this feature is classified as a PGP 7.0
feature in the PGP preferences. I am not sure whether this is build
specific or not.

Off to Build 05,

Best regards

Imad R. Faiad

-------------------------------
IMPORTANT - BEFORE YOU INSTALL:
-------------------------------

Before you install do the following (yes I know it's time
consuming, but please do it none the less, this will save
a lot of your precious time should you have any problems):-

1) Exit all programs.

2) Un-install PGP.

3) Re-boot.

4) Delete these files, if any:-

for windows 95/98 systems:-
a) c:\windows\pgp*.*
b) c:\windows\system\pgp*.*

or for windows NT / 2000 systems:-
a) c:\winnt\pgp*.*
b) c:\winnt\system32\pgp*.*


5) Install this build.

6) re-boot.

7) Enjoy.

8) Let me know if you find any problems.

-----BEGIN PGP SIGNATURE-----
Version: 6.5.1ckt http://www.ipgpp.com/
Comment: KeyID: 0x833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----

------------------------------------------------
PGP 6.5.1ckt - Build03 - Read me file - 11/27/99
------------------------------------------------

1) Ported the key ring backup feature.
That is, the user may select the number of backup key rings to be
maintained by the program. This may be set by the user from the
"Preferred Number of Key Rings Backups" combo box in the "Files" tab
of the PGP preferences dialog. You may choose to maintain from One to
Four key rings backup sets, however, I urge all users to set it to the
default Four, so that in case of key rings corruption one may always
roll back to a previous key rings backup set. So, you assess the risk,
and cautiously set this feature accordingly.

2) Expanded the web links in the about dialog. There are some very useful
PGP links there, so check them out.

3) Recompiled PGPDisk with the latest version of DriverStudio, V1.5b1.

4) I have added support for the SHA-Double hash algorithm. The Program
will successfully decode / verify a PGP message where the SHA-Double
hash algorithm is used. However, this algorithm may not be selected by
the user, it is invoked by the program when signing with a
DSA key > 1024 bits. As a by-product of this, DSA keys up to 2048
bits are now supported, however they may not be generated.

Please be aware that the use of the SHA-Double hash algorithm is
deprecated and should be avoided for three reasons:-

* It offers no added security over the other provided hash algorithms.

* It causes inter-operability problems with other implementations of
PGP. (PGP 5.x.x is the only official build of PGP that I am aware of
that supports the SHA1x hash algorithm).

* It may not be possible to implement in future versions of PGP.

5) Cleaned the preset version strings, added a couple more.

6) Ported the preferred hash algorithm feature. The user may select his
preferred hash algorithm. The selected hash algorithm will thereafter
be used whenever signing with an RSA key. The user may set this feature
via the "Preferred Hash Algorithm" combo box in the "Advanced" tab of
the PGP preferences dialog.

Please note that the default hash algorithm when signing with an RSA
key is MD5. However, in addition to the default, this build gives you
a choice of the SHA1 and the RIPEMD-160 hash algorithms.

A note to QDPGP users:-
The program will honor QDPGP hash algorithm settings when the selected
hash algorithm (in QDPGP) is other than the default MD5. If you wish to
sign a message from within QDPGP using the default MD5 hash algorithm,
please make sure that your PGP Preferred Hash Algorithm is also set to
MD5.

7) Ported the Key ID column in PGPlog feature. It is based on the PGP
5.5.3 PGPLog patch, I must therefore give credit to Lincoln Yeoh and
the anonymous poster of a message in alt.security.PGP, for this handy
enhancement to PGPlog.

8) Ported the key ID in signing key dialogs features.
It is now wider and the combo box shows the user ID, full key size
information including the DS key size, and the key ID. Many Thanks to
Mr. Michael Ray for proposing this change in PGP 5.5.3ckt.

9) The key size wizard dialog has been recoded. It now displays PRZ's
message in the top part. The bottom part has a combo box containing all
the supported key sizes in .5k bits increment, and an edit box for
custom key sizes. The range of the supported key sizes is correctly
displayed in the custom key size radio button's caption. Also, the key
sizes which may cause incompatibilities with other PGP versions are
clearly marked with an "*" in the key size selection combo box.

10) This build also implements the enhancements to the decrypt dialog as
originally suggested by the anonymous poster. This makes the decrypt
dialog box more user friendly and informative.


* It shows the full user ID in the first column, the key size in the
second, and the key ID in the third.

* It displays the key ID of any unknown private keys. The user ID will
be reported as "Unknown Private Key" and the size will be reported
as "???"

* It places a key pair icon to the left of the user ID. This will show
whether the key is RSA or DH and whether it's active, expired,
revoked, or not on your secring file. Unknown keys will display a
question mark icon.

Please note that double clicking on an unknown key in the above dialog
will cause the program to attempt to get that key from the default key
server.

Please also note that for both of the above enhancements the Key ID will
be reported correctly in these two instances:-

* if the key is an RSA key or
* if the key is DH/DSA and is in your key ring.

That is, if the key is a DH/DSA key, and it is not in your keyring the
Key ID of the DSA key will be reported instead of the DH key ID.

11) Enabled support (handling and generation) for RSA keys up to 16k bits
in length.

12) Enabled support (handling and generation) for DH keys up to 8k bits in
length.

How to Install?
---------------

1) Un-install whatever windows version of PGP you have installed on
your machine.

2) Re-boot.

3) Delete these files(if any):-
c:\windows\system\pgp*.dll (for win95/98 systems)
c:\winnt\system32\pgp*.dll (for windows nt system)

4) Install this build of PGP.

5) Re-boot.


Should there be any problems which are specific to this build, please
do not hesitate to contact me (ma...@cyberia.net.lb).

Off to Build04

Best Regards

Imad R. Faiad

------------------------------------------------
PGP 6.5.1ckt - Build02 - Read me file - 10/29/99
------------------------------------------------

1) Implemented the explorer context menu feature.
That is, the full complement of the PGP sub-menu items
are shown regardless of the file type.

2) Changed the column layout in PGPKeys so that the Key ID will display
in the default view next to the key name.

3) I have added the Key ID column to the key selection dialog. The key ID
column is sortable. To sort on the Key ID simply click on the column
heading. This should make the selection of recipient keys much easier.

4) Updated the mfc dll files.

5) PGPNet has been re-compiled the way it should. The compile in build01
was somehow hacked.

6) Modified the InstallShield script, so that install is allowed under
win2k.

7) Re-compiled PGPDisk using the latest version of DriverStudio v1.01,
namely VtoolsD 3.01 and Driverworks v2.2.

For the record, the previous build was compiled using VtoolsD 2.04 (bug
heaven), and Driverworks 1.20.

So, to sum up, expect some improvements in PGPDisk, as many bugs were
ironed out in the latest releases of both VtoolsD and Driverworks.

As always, should there be any problems please do not hesitate to contact
me.

Off to Build03

Best regards

Imad R. Faiad

------------------------------------------------
PGP 6.5.1ckt - Build01 - Read me file - 10/13/99
------------------------------------------------

Finally the first build in the 6.5.1 series.

The source code was obtained from the replay.com ftp site.

Unlike previous ckt builds, this one was compiled with the
Desktop Security flags set. This, I am told, will enable the
industrial strength PGPNet to be compiled. For the record
this build does not use BSAFE for RSA operations, it uses
the PGP Inc's home brewed libraries for that purpose.

It contains PGP 6.5.1 GUI, PGP 6.5.1 CLI, PGPDisk, and PGPNet.

I have omitted the mfc dll files and the .pdf files to make
the installer as light as possible.

Please do not select "User's Manual" in the installer, as this
will copy empty files with the same name as the real documentation
files.

The following ckt features have been ported so far:-

1) Enabled support (generation and use) for RSA keys up to 8k
bits in length.

2) Web Links in the About Dialog.

3) User selectable / defined version strings.

4) Append signing Key ID to comment block.

5) Append signing Key Fingerprint to comment block.

I have not tested PGPNet, nor do I intend to ever test it. If you
install it, and have some problems which are build specific, please
let me know so that this may be fixed.

This is a private build, and is not intended for general distribution.
Therefore, I would appreciate if this is never re-distributed.
Not that I do not want it to be propagated, but because the good folks
at NAI do not appreciate the ckt builds!

I hope you will enjoy this build, there is more to come of course.

Should you find any problems, please do not hesitate to contact me
ma...@cyberia.net.lb

Off to Build02,

Best regards

Imad R. Faiad


To Install:-

1) Verify the authenticity of the installer, the signature file
should be in the .zip archive.

2) UnZip the archive into some temporary directory.

3) Un-install whatever version of PGP GUI you have installed on
your machine.

4) Re-Boot.

5) Delete these files, if any:-
c:\windows\system\pgp*.dll

6) Run the installer.

7) Enjoy.

8) Let me know if there are any problems.

-----BEGIN PGP SIGNATURE-----
Version: 6.5.1ckt http://www.ipgpp.com/
Comment: KeyID: 0x833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----
--
"I don't know, it just seems to be so incredibly beautiful. It's magic."
- emmel, alt.games.creatures, may 2005

Thomas J. Boschloo

May 16, 2005, 2:12:38 PM
-----BEGIN PGP SIGNED MESSAGE-----

Melissa wrote:
> Hi Sniper .308,
>
> On Thu, 12 May 2005 00:42:56 -0700, you wrote:
>
>>What sort of changes, exactly. I have not tried v9.0 yet.
>
> Though I haven't tried v9 myself, I've never been very comfortable
> with the idea of using a "transparent" proxy for cryptographic
> manipulations of email, and this is one of the new "features" of v9
> (in the commercial builds anyway).
>
> This sort of transparency might be great and convenient when it works
> as expected, but by its very nature (transparency), we might just as
> easily not know if/when it's not working as expected, and we might be
> sending clear text all the while assuming that we're not (or some
> other types of malfunction or vulnerabilities may be occurring or
> exploited without our knowledge). When it comes to this type of
> software especially, I'm still more comfortable if I can see, with my
> own eyes, each cryptographic manipulation as it is being invoked by
> my manual intent.

This might be countered with a carefully configured firewall. E.g.
Mozilla Thunderbird that I am using to post this can only connect to two
newsservers that I use. One fixed IP and one fixed port for each.
Likewise you could probably configure your firewall to block all traffic
other than 'localhost' from your mail program. Haven't tried this myself
though..

I guess you could e.g. use Kerio in Advanced mode. <www.kerio.com>

>>As for Mr. Hansen, I would have to agree with jusTinTime, Mr.
>>Hansen is clearly biased, and a bit of a prick.

I remember Mr. Hansen! He seemed to be on the same level as Sam Simpson
to me, but I must agree that he seemed a bit biased against the ckt
builds. IIRC ckt goes back longer than him, probably back to version
2.6.2 of PGP.

When I observed the discussion develop between Imad and Robert I
couldn't help but feel sympathy for Imad, even though Robert was
probably right about MD5. Heck, I still use MD5 and I have not seen
anyone forging my sigs yet! That would require a very determined
attacker IMO.

Still, I have seen links to pages which claim to hold a collision for
MD5 that has been found, but it was probably a lot of work to get it, so
here I still agree with Imad after all these years.

People might also notice that I use a very short key to sign this
(800bitRSA), but it reflects the confidence I have in the security of my
key. It serves its purpose on the internet fine however and I don't feel
like generating a new one :-)

But now that SHA-1 has been broken this might be a good time to use the
ckt builds again.. At least they allow hashes like RIPEMD to be easily
used! And ckt fixes some compatibility issues with GnuPG (like the MDC
packet that broke compatibility with 6.5.8 official).

Regs,
Thomas
- --
"I don't know, it just seems to be so incredibly beautiful. It's magic."
- - emmel, alt.games.creatures, may 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQB5AwUBQojilgEP2l8iXKAJAQEcugMcDWl3OY7EvOcKIrtVY75zRO1Y/68u1oif
P14yJo8AGt4Bx3xEMSeuOCAeOqDE6OfxS4njPMC3TLeaBpttFsUluixJM6+iKFxk
RC8+aSsUf1RSIGJuCVyFISIH9WZ2tRIy4GzEwA==
=qGJU
-----END PGP SIGNATURE-----

ciphe...@gmail.com

May 18, 2005, 3:40:19 PM
> I remember Mr. Hansen! He seemed to be on the same level as Sam Simpson
> to me, but I must agree that he seemed a bit biased against the ckt
> builds. IIRC ckt goes back longer than him, probably back to version
> 2.6.2 of PGP.

Whenever anyone calls me "Mr. Hansen" I look around for my father. :)

Yes, I've been reading a.s.p for the last few years, but by and large
I've been too busy with graduate school to participate. That, and I'm
not sure whether or not I can still grab a USENET feed directly.
Responding to messages means using Google Groups, which I've always
found to be one of the most annoying ways to use USENET.

With regards to bias, a distinction needs to be drawn between prejudice
and postjudice. Bias is prejudicial; you've come to a decision without
first being in possession of the facts. Judgment is postjudicial;
you've come to a decision after learning the facts. In my judgment,
I've decided I will not recommend CKT builds for both legal and
engineering reasons. The legal reasons should be self-evident. People
may be a little unclear on the engineering reasons.

The crash-on-doubly-signed messages was a problem in the 6.5.8
codebase. It was a critical bug: a legal, well-formed PGP-signed
message could crash 6.5.8. NAI announced this bug prior to 2000 and
had it fixed for the PGP 7 release in 2000. CKT8, released in 2002,
still had this bug.

It is not prejudice or bias to ask how a critical bug which had been
known about for two years went unfixed in the CKT builds. It is not
prejudice or bias to suspect that perhaps the software engineering of
the CKT builds is not up to snuff. It is not prejudice or bias to
wonder what other bugs have gone unfixed. These are sincere questions
and suspicions, and ones pretty much any professional programmer would
have.

With respect to Imad, I have no ill will towards him. In fact, I like
him. He's been very helpful to newbies, he generally stays polite and
civil in discussions, and he's unquestionably committed to giving
people free resources for their security needs. All of these are
commendable, and I wish more people would be like him.

For some reason, people think that just because I don't like the CKT
builds that I don't like Imad. Nothing's further from the truth. I
can like Imad while at the same time disliking CKT. It's true that he
sometimes frustrates me, but hey, I frustrate a lot of people. We're
adults, and both Imad and I are capable of dealing with frustration.
:)

> Still, I have seen links to pages which claim to hold a collision for
> MD5 that has been found, but it was probably a lot of work to get it, so

At ShmooCon this year Dan Kaminsky of DoxPara Research was doing MD5
collisions in realtime, or at least so it's been reported to me. I
wasn't there. Professional infosec geeks who were in the audience told
me Kaminsky had a demonstration where he took Shmoo's webpage and added
various non-displaying characters to the HTML until it hashed out
identically to the NSA's webpage.

Let me emphasize I wasn't there and I didn't see it. That said, I find
the reports credible. Dobbertin proved this could be done, and
Kaminsky's certainly a good enough cryppie to have refined the
Shengdong U. attack on MD5 to run in realtime.

Thomas J. Boschloo

May 20, 2005, 11:10:47 AM
to ciphe...@gmail.com
-----BEGIN PGP SIGNED MESSAGE-----

ciphe...@gmail.com wrote:
<snip>


> The crash-on-doubly-signed messages was a problem in the 6.5.8
> codebase. It was a critical bug: a legal, well-formed PGP-signed
> message could crash 6.5.8. NAI announced this bug prior to 2000 and
> had it fixed for the PGP 7 release in 2000. CKT8, released in 2002,
> still had this bug.

Sounds like a lot of work to fix it. And IIRC, PGP 7 was not open source
at first (or at least you had to sign a non-disclosure agreement or
something).

I have the source of PGP 8.0 on my hd, so it must have been possible to
get it, but I don't doubt that PGP 7 differs a lot from 6.5.8 and it
might be hard to find the exact location where this bug was fixed.

Still, there are people using PGP 6.5.8 for use with JBN2 and they would
probably be better off with the ckt builds (from an 'engineering' POV).

And I believe we lost something in Europe once the export restrictions
on crypto were lifted and the PGPi builds stopped to be.. We even had
the PGP 5.5.3p (Preston IIRC) builds in the past and I thought that was
very cool!

<snip>


> At ShmooCon this year Dan Kaminsky of DoxPara Research was doing MD5
> collisions in realtime, or at least so it's been reported to me. I
> wasn't there. Professional infosec geeks who were in the audience told
> me Kaminsky had a demonstration where he took Shmoo's webpage and added
> various non-displaying characters to the HTML until it hashed out
> identically to the NSA's webpage.
>
> Let me emphasize I wasn't there and I didn't see it. That said, I find
> the reports credible. Dobbertin proved this could be done, and
> Kaminsky's certainly a good enough cryppie to have refined the
> Shengdong U. attack on MD5 to run in realtime.

That sounds like a serious attack! It would basically mean I shouldn't
use v3 keys anymore (though I greatly trust the source code from which
PGP 2.6.3i was compiled, if only for its limited size)

Thanks for replying,


Thomas
- --
"I don't know, it just seems to be so incredibly beautiful. It's magic."
- - emmel, alt.games.creatures, may 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQB5AwUBQo399wEP2l8iXKAJAQFmxQMfTEwKXBHZDuknmORfVD5gVghsKCd6onth
xdvZd8sS3kTBWgOJ3WRNq/cOdRZCSCbyKEpx1ICNhaOK81QRn0TWkdmVEBkhmIEx
XYofTUDFAgqdnNo5gvRJYTD0Ye8n6wA7nyXAGw==
=PlHm
-----END PGP SIGNATURE-----

ciphe...@gmail.com

May 22, 2005, 3:55:03 AM
The source to PGP 7 was never released, if memory serves. Despite the
lack of source, it wasn't hard to find and fix this bug.

vedaal

May 22, 2005, 1:03:57 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ciphe...@gmail.com wrote:

> The crash-on-doubly-signed messages was a problem in the
> 6.5.8 codebase. It was a critical bug: a legal, well-formed
> PGP-signed message could crash 6.5.8. NAI announced this bug
> prior to 2000 and had it fixed for the PGP 7 release in 2000.
> CKT8, released in 2002, still had this bug.
>
> It is not prejudice or bias to ask how a critical bug which
> had been known about for two years went unfixed in the CKT
> builds.

am happy to report that this *_WAS*_ fixed in build 9 beta 3

(my mistake for not having noticed this until now :-((

Imad didn't list it as a change, and i assumed that it was not
yet fixed,
and so, didn't check it after upgrading from build 8,

it may even have been fixed in build 9 beta 1, but have not
tested it there)

here is a site where it can be tested:
http://www.angelfire.com/pr/pgpf/dspm.html
(again, pop-up blocker recommended ...)


ckt users,
please check/verify with builds 8, 9 and post back here to
confirm,

Thanks!!!

vedaal

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt build 9 beta 3


Comment: Acts of Kindness better the World, and protect the Soul

Comment: KeyID: 0x5AA20C866A589A97
Comment: Fingerprint: ED035602A6A9093F0BF71BD05AA20C866A589A97
-----END PGP SIGNATURE-----

vedaal

May 22, 2005, 1:16:32 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

vedaal wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>

> cipherpunk at gmail.com wrote:

(ok , this time the bad sig is clearly google's fault!

in the quoted e-mail address, google substituted '...'
for 'unk' in cipherpunk

try changing it back , and the sig should confirm

vedaal

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt build 9 beta 3
Comment: Acts of Kindness better the World, and protect the Soul
Comment: KeyID: 0x5AA20C866A589A97
Comment: Fingerprint: ED035602A6A9093F0BF71BD05AA20C866A589A97

-----END PGP SIGNATURE-----
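
The failure described in the post above, as an added example that is not part of the original thread: a cleartext signature covers the canonicalized message text, so an archive that masks an e-mail address inside the body changes the hashed bytes, while re-wrapped trailing blanks do not. The sample message, the `example.org` address, the masking rule (modeled on the post's description) and all function names are assumptions; the digest here covers only the text portion, whereas a real signature hash also includes fields from the signature packet.

```python
import hashlib
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample message; the signature packets are elided on purpose.
SAMPLE = "\n".join([
    BEGIN_MSG,
    "Hash: SHA256",
    "",
    "cipherpunk@example.org wrote:",
    "> quoted line with trailing blanks   ",
    "- -- ",
    "sig separator above was dash-escaped",
    BEGIN_SIG,
    "",
    "(signature packets elided in this sample)",
    "-----END PGP SIGNATURE-----",
    "",
])

def extract_signed_text(armored):
    """Return (hash_names, canonical_bytes) for one cleartext-signed message."""
    lines = armored.replace("\r\n", "\n").split("\n")
    pos = lines.index(BEGIN_MSG) + 1
    hashes = []
    # Armor headers ("Hash: ...") run up to the first empty line.
    while lines[pos].strip():
        key, _, value = lines[pos].partition(":")
        if key.strip() != "Hash":
            raise ValueError("unexpected armor header: " + lines[pos])
        hashes += [h.strip().upper() for h in value.split(",")]
        pos += 1
    pos += 1  # the empty separator line is not part of the signed text
    end = lines.index(BEGIN_SIG, pos)
    body = []
    for line in lines[pos:end]:
        if line.startswith("- "):        # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))  # trailing blanks are not signed
    # RFC 4880: with no Hash header MD5 is assumed; lines are joined with
    # CRLF and the final line ending is not hashed.
    return hashes or ["MD5"], "\r\n".join(body).encode("utf-8")

def text_digest(armored):
    """Digest of the canonical text only (not the complete signature hash)."""
    hashes, data = extract_signed_text(armored)
    name = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
            "SHA512": "sha512"}[hashes[0]]
    return hashlib.new(name, data).hexdigest()

# Assumed masking rule: the last three characters of the local part become "...".
_ADDR = re.compile(r"\b([A-Za-z0-9._%+-]+?)([A-Za-z0-9]{3})@([A-Za-z0-9.-]+)")
_MASKED = re.compile(r"[A-Za-z0-9._%+-]+\.\.\.@[A-Za-z0-9.-]+")

def mask_addresses(text):
    """Simulate an archive that obscures e-mail addresses in message bodies."""
    return _ADDR.sub(r"\1...@\3", text)

def find_masked_addresses(armored):
    """List (line_number, token) for signed lines an archive probably altered."""
    _, data = extract_signed_text(armored)
    hits = []
    for number, line in enumerate(data.decode("utf-8").split("\r\n"), start=1):
        for match in _MASKED.finditer(line):
            hits.append((number, match.group(0)))
    return hits

if __name__ == "__main__":
    altered = mask_addresses(SAMPLE)
    print("as sent :", text_digest(SAMPLE))
    print("archived:", text_digest(altered))
    print("suspect lines:", find_masked_addresses(altered))
```

When a signature from a web archive fails to verify, running `find_masked_addresses` over the archived copy points at the lines to restore before retrying.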

vedaal

May 22, 2005, 11:58:33 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Melissa wrote:

> I do remember, at the time Imad stopped development of his CKT build
> 9, beta 3, that he posted a message here recommending that build 8 be
> used instead. Other than the fact that he felt build 9, beta 3
> wasn't yet ready for final release, I can't remember if he mentioned
> any specific issues to be concerned with,

> I'm assuming here that most users of PGP or GnuPG are like myself, in
> that we can't read code, so we're left to trust the idea that someone
> might be reading the code looking for problems and/or we must trust
> the developer(s). In the case of CKT, the developer himself
> recommended against using build 9, beta 3. Is this not a concern for
> you? Have you asked Imad why he recommended build 8 over the betas
> of build 9?

in fact, i have corresponded with him about all of the
versions,
and , if you may remember,
the time that the 9 betas were done,
was the time that gnupg instituted the new secret key
protection,
but the pgp 8.x at the time, did not.

so,

in order to stay compatible with pgp 8, Imad recommended to
stay with build 8, and use the workaround in gnupg,

after pgp 8.x also adopted the new secret key format,
build 9 would be compatible with both gnupg and pgp,
and there was no further reason for hesitation about 'beta'

at that time, much to our great loss,
Imad stopped publicly furthering ckt,

(i will not speculate why,
but will say only, that his silence in no way reflected any
flaw in the build 9 beta 3 release)

nothing else other than the secret key issue, is 'beta' about
it
(build 9 beta 3 also included command-line pgp)


with regard to 'trust',

an absolutely fundamental aspect of open source,
is to be able to compile the program from the source-code
(otherwise, how does one know that the program one is running,
is the one whose source-code is examined ?

ckt allows for this, gnupg allows for this,
but pgp does 'not' allow for this,
even though it would not interfere with the mode of use,
(i.e. without a hacked patch to the code, the user would still
only have the functionalities he/she paid for)

i am not suggesting pgp is 'insecure' because of it,
i prefer not to use it, only because it does not allow the
choice of signing hash, (as well as other conveniences i have
grown accustomed to)

with regard to trust,
Disastry examined all the ckt source code diffs,
(for as long as he was alive to do so),
and he was publicly praised here, in a.s.p.
by the same pgp people who were quoted as not liking Imad's
changes

as i am somewhat familiar with Disastry's skills,
accomplishments, and integrity,
then,
*yes* this is *_quite enough_* for me to trust ckt,

vedaal

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32) - WinPT 0.9.50


Comment: Acts of Kindness better the World, and protect the Soul
-----END PGP SIGNATURE-----

ciphe...@gmail.com

May 23, 2005, 2:30:09 AM
In point of fact, vedaal, you are <i>not</i> allowed to compile CKT to
check to see if it matches the binary you're running. The only way you
can do so is to violate the NAI license agreement. If you want to
claim that you can check to make sure the code compiles correctly on
the CKT builds, then you have to also acknowledge that under the same
conditions--namely, a complete disregard of the license agreement--you
can do the same for PGP 8.x and 9.x.

I'm not arguing in favor of EULAs. I really can't stand them, truth be
told, and I doubt they're legally enforceable. However, it's
inconsistent to claim you can violate the license agreement with 6.5.8
to verify that CKT is what you're expecting it to be, but you can't do
the same with PGP 8.x or 9.x because the license agreement forbids you
from doing so.

vedaal

May 23, 2005, 9:46:14 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ciphe...@gmail.com wrote:
> In point of fact, vedaal, you are <i>not</i> allowed to compile CKT to
> check to see if it matches the binary you're running.

well, one is not allowed to use ckt *at all*, 'legally'

so, ok ,

i concede that if people are anyway not overly concerned with
this, and really just wanted to compile their own personal
version, they could do so with pgp 8 or 9

but i do take issue with the extrapolation that if one 'bug' in
ckt,
(for a very rare circumstance), was not fixed because it was
described in the non-open source pgp 7 documentation,
(which reasonably, when closed source,
Imad did not bother to keep up with),
that this is generalizable to a fear/uncertainty/doubt
ckt-dismissing statement of
"who knows what other bugs were not fixed"

especially when:
(a) it 'was' fixed as soon as Imad was made aware of it
(b) double-signing itself is vulnerable to exploits
(c) no other bugs were identified


my bottom line feelings about this:

[1] for practical use, ckt 9 beta 3, is far easier to use, and
more versatile than any build of pgp 8 or 9

[2] the desirable features in ckt, were always presented to the
pgp people in an attempt to have them incorporated into
mainstream pgp,

[3] other than the minor advantage of being able to use an
algorithm other than cast5 for pgpdisk, i can't think of any
improvement that pgp 8 or 9 offers that ckt 9 beta 3 doesn't

[4] pgp obsoletes each of its versions, by adding a must-have,
but relatively trivial improvement to the next version,
bundling it with a new host of other features, but not updating
it to the previous versions.

(e.g. how many people would switch to pgp 9, if there were a
patch to 8 allowing sha-2 signatures, and how many people can
'stay' with pgp 8 once sha-1 is fully broken ??

is it really right for a person who paid for a perpetual
license
for pgp 8, to find that the flaw with sha-2, since it is
technically not a 'bug' in pgp, will *never* be 'upgraded' in
pgp 8 ?

choosing a signing hash is really a trivial option,
unthinkable to be left out in gnupg,
and offered in gnupg and ckt well before there was any hint of
an sha-1 vulnerability,
but *_unavailable_* forever to people who paid for their
perpetual licenses in pgp 8)

it has reached the point, where i would gladly pay for pgp 9,
in return for a license to use ckt 9 beta 3 ;-))

as it is, i look at ckt only occasionally for academic
interest,
(the pgp that 'could have been' ;-((( )
and prefer gnupg for everything else

n.b.
caveat:

for those who have not yet tried ckt,
do not do so now,

it would be the equivalent of trying 'the bat' when all one has
used before was 'oe'

(Melissa, that should say it all ;-) )

vedaal

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32) - WinPT 0.9.93-cvs


Comment: Acts of Kindness better the World, and protect the Soul
-----END PGP SIGNATURE-----

ciphe...@gmail.com

May 23, 2005, 1:49:28 PM
The bug in question was published widely. It was the subject of, if
memory serves, a 6.5.8 hotfix and NAI published it as a "known bugs in
6.5.8" immediately after it was reported. It was explicitly mentioned
in the "New in PGP 7" documentation. What all of this tells me is that
the bug was known about, was published widely, and NAI did an
acceptable job in making sure users knew this problem existed.

A major part of software engineering is controlling bugs. Software
engineering isn't a synonym for programming--programming is only the
smallest aspect of things. Software engineering is about process.
It's about ensuring that a methodical process exists for handling
feature requests, for handling changes to design, for handling this,
that and the other.

If a bug which has been known about and published widely for two years
did not make it into Imad's bug process, that leads me to reasonable
questions about what Imad's bug process is. It makes me wonder whether
he tracks the published bug reports for the 6.5.8 codebase.

Nor is it reasonable for Imad to have said--assuming you're right and
that he did this--"PGP 7 is closed source, I won't bother reading the
documentation." If I were maintaining my own branch of the 6.5.8
source (which I am definitely not), I'd make it a point to check the
official NAI releases for everything past 6.5.8, every hotfix, for
every mention of a bug; and once I found a mention of a bug, I'd check
to see if it existed in the 6.5.8 codebase or if it was added after I'd
made the fork. This is basic software engineering practice and it's
taught in every respectable undergraduate software engineering course.


vedaal

May 23, 2005, 7:34:00 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

cipherpunk at gmail.com wrote:
> The bug in question was published widely.

where?

any source the public would know about,
or one known chiefly to maybe only some people that you know
that were working for nai at the time ?

> It was the subject of, if
> memory serves, a 6.5.8 hotfix and NAI published it as a "known bugs in
> 6.5.8" immediately after it was reported.

again, where ?

> It was explicitly mentioned
> in the "New in PGP 7" documentation. What all of this tells me is that
> the bug was known about, was published widely, and NAI did an
> acceptable job in making sure users knew this problem existed.

this is not yet clear to me

none of this is mentioned on Tom McCune's pages,
and he tries *very hard* to stay current and track down and
describe 'any' pgp bug,
even those far less likely to affect pgp users,
than a bug that can cause a crash

if Tom doesn't mention it,
how 'widely known' can it be outside of nai ?

(Tom, forgive me if i'm out of line here,
i don't mean to try to get you involved,

am only referring to your *page*,
as it is a widely respected public pgp resource page)


> A major part of software engineering is controlling bugs.

...


> This is basic software engineering practice and it's
> taught in every respectable undergraduate software engineering course.

i defer to you on this, and am happy that such are the quality
control standards expected of software engineers ...

all this taken into account,
do you suspect any particular type of bug that you think Imad
missed ?

it seems to me that opposition to Imad's ckt builds,
well predates the description of the double-signature crash

when i first reported it to the ietf,
there was no reply that this bug was known and fixed,
although many pgp people do respond in that forum,
and one did respond that it was a 'legal open-pgp construct'


you have never tried the ckt builds,

i don't expect you to, and understand your legal reasons,

but if you were to possibly look at the installed ckt 9 beta 3
on someone else's 'test' computer, (even xp pro),

and, it goes without saying,
not use it yourself,

but just 'watch',
and see how smoothly it functioned, and how incomparably better it is
than any pgp gui,

then, like us,
you might be saddened at the needless waste that the bickering has caused,
and how much greater pgp could be now,
and how much more widespread pgp use would be,
if these talented minds could work together to bring forth
the pgp that 'could have been / could still be'

vedaal

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32) - WinPT 0.9.93-cvs
Comment: Acts of Kindness better the World, and protect the Soul
-----END PGP SIGNATURE-----

ciphe...@gmail.com

May 23, 2005, 9:05:25 PM
First, this is going from memory: you're asking me to call up things
buried from five years ago. That said, I recall this bug mentioned in
the PGP 7 release notes, in the "what's fixed since 6.5.8" section.
And I'm dead certain it was listed on NAI's website in a publicly
available section dedicated to known issues and hotfixes; I clearly
recall seeing it there.

Insofar as are there any other bugs I expect to see, I haven't looked
at the PGP source code in ages and I've never looked at the PGP-CKT
source code. Any statements I could make about what I expect would be
half-informed and speculative. As a result, I don't expect anything.
All that I'm saying--and all that I've ever said--is based on a known
bug in the PGP 6.5.8 source existing for two years post-reporting in
the CKT builds, I'm suspicious of Imad's bughunting methodology; and
given the importance of this to software engineering, it leads me to
being suspicious of the CKT software engineering.

But what people are completely missing is that a suspicion is not an
accusation. Saying "I am not convinced Imad is committed to good
software engineering practice" is not the same as accusing him of bad
software engineering practice. All it says is, I am not convinced.
