
PGP v GnuPG


Storm

Aug 26, 2001, 9:29:49 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Although I probably don't have much need for PGP I believe strongly
in its use. The people I am trying to keep out of things could
probably be stopped with ROT13 but you never know when you might have
a need for better privacy. I guess my point is that I believe we
have a right to and use of privacy and security even if at the given
moment there is no need, at least for me anyway.

I have used every version of PGP since 2.6 and am running 7.0.3 now.
A UNIX admin (I'm a Windoze Admin, among other things) I know gave me
grief about it the other day regarding the fact that I had no idea
what was in that code, it could have a back door the size of a Bill
Gates wallet and he is right. The source code is not available to
the latest version and even if it was I know squat about programming
or Cryptology.

So upon his suggestion I looked into GPG but I really hate CL stuff.
I've messed with a couple of GUI's for it (GnuPGShell & WinPT) but I
just don't know that I trust them to be around for very long. If I'm
not wrong GnuPGShell is already abandonware. I remember the day of
PGP 2.6 and there were some front ends for it but they never seemed
to stay around or supported for very long.

I guess my question is more of a quest for opinions and knowledge. I
want to know if you think the fact that the source code for the
newest version of PGP is closed is a significant problem? I don't
really believe in trusting anyone and NAI certainly has not given me
any extra reason to. What I would like to believe is that with a
program as popular as PGP that if there were security holes in it
they would be made public much like what happens to Microsoft nearly
daily. I would also like to know your opinions of the longevity of
FrontEnd/GUI's for GPG on the Win32 platform.

I like the idea of supporting GnuPG just for the fact that it is open
source but don't want to have to live with a CL environment. Is that
an oxymoron? A Windows guy that believes in Open Source?

Thanks for your time, those of you that made it this far down. I'm
looking forward to your replies.

The Phreak Storm

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
Comment: Get my keys @ http://phreakstorm.com/pgpkeys/

iQA/AwUBO4mid8dglXFF5upBEQJQjwCfZfmZ9R+OdlNJOtbunoCtvHOTEggAoP39
MUO9AJ44ztwS+mIrXCPcrdyD
=mopj
-----END PGP SIGNATURE-----

Rich

Aug 27, 2001, 12:01:25 AM
The voices in my head told me that in article
<g48jotgj5d0t6h5bl...@4ax.com>, st...@phreakstorm.com
said...

>
> [SNIP]


>
> So upon his suggestion I looked into GPG but I really hate CL stuff.
> I've messed with a couple of GUI's for it (GnuPGShell & WinPT) but I
> just don't know that I trust them to be around for very long. If I'm
> not wrong GnuPGShell is already abandonware. I remember the day of
> PGP 2.6 and there were some front ends for it but they never seemed
> to stay around or supported for very long.
>
> I guess my question is more of a quest for opinions and knowledge. I
> want to know if you think the fact that the source code for the
> newest version of PGP is closed is a significant problem? I don't
> really believe in trusting anyone and NAI certainly has not given me
> any extra reason to. What I would like to believe is that with a
> program as popular as PGP that if there were security holes in it
> they would be made public much like what happens to Microsoft nearly
> daily. I would also like to know your opinions of the longevity of
> FrontEnd/GUI's for GPG on the Win32 platform.
>
> I like the idea of supporting GnuPG just for the fact that it is open
> source but don't want to have to live with a CL environment. Is that
> an oxymoron? A Windows guy that believes in Open Source?
>
> Thanks for your time, those of you that made it this far down. I'm
> looking forward to your replies.
>
> The Phreak Storm

Hello Mr Storm.

Open source is surely important. And I too am a Win32 open source
and Gnu believer.

I switched to GnuPG permanently the moment PRZ left NAI. I wasn't
thrilled the day he sold the right to the name PGP either.

I can't speak intelligently about GnuPG-Shell other than to tell you
it's closed source. Abandonware? Don't know.

I can speak intelligently about WinPT however since I'm good friends
with its author, talk to him every day, and happily use WinPT every
day.

Timo Schulz (the WinPT author) is committed to open-source crypto
on the Win32 platform and has no intention of stopping development of
WinPT. In fact he's got so many things on his WinPT TODO list that
he can't keep up! :-)

The simple fact that WinPT is open-source means it could never be
abandonware in the strictest sense of the word. You can go download
the source, and will always be able to do so.

There are people in this newsgroup who will try to trick you into
believing that GnuPG for Win32 is not secure. You are certainly free
to believe anything they say, but I would encourage you to do a
little investigating of your own before believing in shadows.

The GnuPG web page (if you're not aware) is www.gnupg.org and the
WinPT page is at www.winpt.org

On both sites you will find links to other interesting crypto
packages as well. Timo is also developing an open-source p2p
encrypted chat program (console based) called CryptChat (currently
searching for a more catchy name!) that is also very cool. That can
be found on his web site as well.

Good luck.

Rich...



Steve K

Aug 27, 2001, 2:54:58 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 27 Aug 2001 00:01:25 -0400, Rich <rich@_X_cnylug.org> wrote:

<...>

> The simple fact that WinPT is open-source means it could never be
>abandonware in the strictest sense of the word. You can go download
> the source, and will always be able to do so.

That's a prerequisite for any seriously intended crypto application,
and IMO a "front end" is part of the crypto application it manages.

> There are people in this newsgroup who will try to trick you into
>believing that GnuPG for Win32 is not secure. You are certainly
>free to believe anything they say, but I would encourage you to do
>a little investigating of your own before believing in shadows.

AFAIK the only functional difference between GPG on UNIX and GPG on
Win32 is the random number implementation. On UNIX, GPG gets its
entropy from /dev/random. On Win32, it uses a utility from a well
known open source freeware library, widely reviewed and believed to
be effective. I don't have a problem with this.

> The GnuPG web page (if you're not aware) is www.gnupg.org and the
>WinPT page is at www.winpt.org
>
> On both sites you will find links to other interesting crypto
>packages as well. Timo is also developing an open-source p2p
>encrypted chat program (console based) called CryptChat (currently
>searching for a more catchy name!) that is also very cool. That can
> be found on his web site as well.

There is no such thing as absolute security in the realm of networked
computing. But the silent and invisible nature of many potential
defects in crypto software, combined with the pivotal role
cryptography plays in all aspects of computer security, justifies
paying exceptional attention to making crypto as effective, and
trustworthy, as possible. Open source is mandatory and open
development models are highly desirable. The GPL license is highly
desirable as well, because it guarantees continued availability of
source code, and removes the possibility of price gouging.

GPG meets every requirement that I can think of except convenience,
and I have high hopes for the WinPT project in that area.

:o)

Steve K

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt06 http://www.ipgpp.com/

iQA/AwUBO4nuUk0LbMwPxGulEQLQEwCfWduW87664qUo7Mr/PqLEqHnV2CQAnRTT
Y9EmeBC5Te3FA6DMmGXUjL6l
=Rba0
-----END PGP SIGNATURE-----

Robert J. Hansen

Aug 27, 2001, 8:47:40 PM
> was in that code, it could have a back door the size of a Bill Gates
> wallet and he is right. The source code is not available to the latest
> version and even if it was I know squat about programming or Cryptology.

It could, yes, but that's extremely unlikely. If there were to be a
backdoor inserted into PGP, you can bet your last dollar that Hal Finney,
Dave Allen and Will Price would be out the door before the end of the
business day. I am not concerned about back doors in any recent version
of PGP.

I am, however, deeply concerned about the design of PGP 7.1. Basically, I
don't buy the design process--any design process which is not open for
review is automatically a design process which cannot be trusted. Even if
the design is open for review, if the code is not open for review, the
code cannot be trusted.

I'll stake a hundred bucks that there are no back doors in PGP 7.x, but I
still think it is exceptionally unwise to use it when there are more
trusted alternatives available.

> So upon his suggestion I looked into GPG but I really hate CL stuff.

You're not alone in that. Unfortunately, you can't get a trusted design
in a GUI. GUIs rely on too many components, too many
asynchronously-running event loops, to ever pass any sort of in-depth and
critical analysis. This is why in PGP there's a distinction between
PGPSDK and the PGP front-ends--the idea is to limit the amount of harmful
interactions between the two.

Werner Koch has never been too keen on creating a GPG library (the UNIX
version of an SDK), considering it to be some sort of security risk. I'm
not certain how or why he thinks it's a risk--it's far preferable to
trying to create an integrated whole, GUI and text front-end and crypto
code and all--but since Werner's voice is the most listened-to in GPG
development, there are no GPG libraries/SDKs.

There is a project underway to create a GPG library, called GPGME, but
development is creeping along at a glacial pace and appears to be
completely stalled at this point.

> I guess my question is more of a quest for opinions and knowledge. I
> want to know if you think the fact that the source code for the newest
> version of PGP is closed is a significant problem? I don't really

It is an absolute bar for me.

> I don't really believe in trusting anyone

Then you certainly shouldn't trust the opinions of USENETters you've never
met.

> popular as PGP that if there were security holes in it they would be
> made public much like what happens to Microsoft nearly daily. I would

Once upon a time this would have been true. PRZ was honest, honorable,
and ethical; you could rely on PRZ to tell you about weaknesses and
vulnerabilities as soon as they were discovered. However, ever since the
Bloody December in which Bill Larson (NAI head honcho) and most of senior
management was sacked, current NAI/PGP Security management ... well,
simply doesn't understand the importance of full disclosure. And with
PRZ gone, well... let's just say I'm not very hopeful.

> also like to know your opinions of the longevity of FrontEnd/GUI's for
> GPG on the Win32 platform.

Effectively infinite, since some of them are released under the terms of
the GNU General Public License. The source is available for you to
download, tweak, modify and make improvements to.

Smitty

Aug 27, 2001, 9:01:30 PM
Try the geheimnis GUI front end for gpg. It operates off of the Qt libraries
which are written in C++. This could compile on any platform.
Smitty

In article <bi8jot41deultvuqi...@4ax.com>, "Storm"

Joseph N.

Aug 27, 2001, 10:31:32 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I keep hearing about interface issues with GnuPG on Windows, and of
course there are the trust issues of PGP above 6.5.8. What does GnuPG
offer, command line or not, that PGP 6.5.8 does not offer?

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBO4sC2eH2IGJNcAawEQLEMgCgjEu3wrumeqBx2B25G08Ohy8mfVYAn2Aq
xzaShzG5MrJTEVSOaAqQyJsq
=hOqB
-----END PGP SIGNATURE-----

Robert J. Hansen

Aug 28, 2001, 5:58:42 AM
> I keep hearing about interface issues with GnuPG on Windows, and of
> course there are the trust issues of PGP above 6.5.8. What does GnuPG
> offer, command line or not, that PGP 6.5.8 does not offer?

From a casual user's perspective? Nothing. It offers v4 signatures
(which weren't added until PGP 7.x, IIRC) and more cipher choices (Twofish
and AES), but from a casual user perspective, these are nonissues.

Joseph N.

Aug 28, 2001, 8:58:08 AM
Robert J. Hansen wrote in
news:mXJi7.815$aC1....@newsread1.prod.itd.earthlink.net:

What are "v4 signatures"?

apm

Aug 28, 2001, 4:01:07 PM
"Joseph N." <jbn1...@qwest.net> wrote in message news:<Xns910B51522...@207.225.159.7>...

> Robert J. Hansen wrote in
> news:mXJi7.815$aC1....@newsread1.prod.itd.earthlink.net:
>
> >> I keep hearing about interface issues with GnuPG on Windows, and of
> >> course there are the trust issues of PGP above 6.5.8. What does GnuPG
> >> offer, command line or not, that PGP 6.5.8 does not offer?
GNU is very keen on being patent-free, therefore there is no IDEA
algorithm. GPG did not suffer the ADK vulnerability of PGP.
I think GPG is tracking security issues very keenly.
PGP might be, but with closed source who can tell ?

One area where the old version of PGP scores is that there is
a program called PGP stealth, which strips the PGP info off and
massages the data so that one can plausibly deny it to be a PGP
message. This is useful in conjunction with steganography.

I have looked into writing GPG stealth but it is non-trivial.
I have discussed the issue with the GPG developers but there
is little interest. So I am actually on the point of reverting
from GPG 1.0.x to PGP 2.6.y. This is a pity but combining public
key cryptography with steganography is of interest to me
because I live in the UK where a law has been passed known
as RIPA. This makes it an offence to not surrender crypto keys
on demand. This has kindled some interest in steg. I want to
combine the 2 because steg on its own is just security through
obscurity.

-apm

Stefan Bellon

Aug 28, 2001, 4:39:01 PM
apm <ap...@student.open.ac.uk> wrote:

[snip]

> This is a pity but combining public key cryptography with
> steganography is of interest to me because I live in the UK where a
> law has been passed known as RIPA. This makes it an offence to not
> surrender crypto keys on demand.

Therefore GnuPG can "give away" just the session key of an encrypted
message. This way you don't have to reveal your secret key. You can
just release the session key to decrypt one special message. Is that
enough for your UK law or do they really want the secret key?

[snip]

> I want to combine the 2 because steg on its own is just security
> through obscurity.

Yes, exactly my point: Steganography is just some other way of security
through obscurity. But it stays the same, even if you hide PGP data
inside it.

Greetings,

Stefan.

--
Stefan Bellon * <mailto:sbe...@sbellon.de> * <http://www.sbellon.de/>
PGP 2 and OpenPGP keys available from my home page

There's no point in being grown up if you can't be childish sometimes.

Robert J. Hansen

Aug 29, 2001, 3:30:11 AM
> What are "v4 signatures"?

Version 4. There was some sort of change to the data format; this new
standard is Version 4. However, PGP 6.5.8 only supports up to version 3.
GPG supports v3 and v4 both.

More than that, I'm really not certain--go read the OpenPGP spec and see
what it has to say about the different versions.

--
=====
Robert J. Hansen <rjha...@inav.net>
PGP Fingerprint: 23C8 C3D1 BBE7 C72D D17D D008 980E 18A7 82C2 392B
=====
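An added worked example, not part of the thread: the "version" Robert is describing is the first byte of the signature packet, and the layout of everything after it depends on that byte. The Python script below (written for this page, not code from PGP or GnuPG) strips the ASCII armor, checks the CRC-24, and parses the packet according to the OpenPGP packet format (RFC 2440 at the time of this thread, RFC 4880 today). Its sample input is the armored signature from the first post in this thread, copied verbatim; run on that, it reports a version 3 signature (DSA with SHA-1, issuer key ID C760957145E6EA41, created 2001-08-27 01:29:27 UTC, which matches the post's timestamp to within seconds). The v4 packet it also parses is a constructed byte string, not a real signature, included only to show the subpacket layout that v4 introduced; the algorithm-name tables are abbreviated.

```python
import base64
import struct

# Sample input: the armored signature on the first post of this thread, copied verbatim.
SAMPLE_ARMOR = """\
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
Comment: Get my keys @ http://phreakstorm.com/pgpkeys/

iQA/AwUBO4mid8dglXFF5upBEQJQjwCfZfmZ9R+OdlNJOtbunoCtvHOTEggAoP39
MUO9AJ44ztwS+mIrXCPcrdyD
=mopj
-----END PGP SIGNATURE-----"""

# Constructed v4 packet (not a real signature): new-format header, creation-time and issuer
# subpackets in the hashed area, DSA/SHA-256, dummy one-byte MPIs for r and s.
V4_SAMPLE = bytes.fromhex("c220" "04001108" "0010" "05023b89a277" "0910c760957145e6ea41"
                          "0000" "508f" "0008ab" "0008cd")

PK_ALGS = {1: "RSA", 3: "RSA-sign-only", 16: "ElGamal", 17: "DSA"}
HASH_ALGS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 10: "SHA512"}

def crc24(data: bytes) -> int:                       # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> tuple:
    """Strip ASCII armor; return (raw packet bytes, whether the CRC-24 line matched)."""
    body = text.strip().splitlines()[1:-1]           # drop the BEGIN/END lines
    data = body[body.index("") + 1:]                 # armor headers end at the first blank line
    crc_line = data.pop() if data[-1].startswith("=") else None
    raw = base64.b64decode("".join(data))
    ok = crc_line is None or crc24(raw) == int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return raw, ok

def packet_header(raw: bytes) -> tuple:
    """Return (tag, body offset, body length); handles the common short length encodings."""
    ctb = raw[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header, one-octet length
        if raw[1] >= 192:
            raise ValueError("multi-octet new-format length not handled here")
        return ctb & 0x3F, 2, raw[1]
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype > 1:
        raise ValueError("old-format length type %d not handled here" % ltype)
    return (tag, 2, raw[1]) if ltype == 0 else (tag, 3, struct.unpack(">H", raw[1:3])[0])

def parse_subpackets(area: bytes) -> dict:
    """Pull creation time (type 2) and issuer key ID (type 16) out of a v4 subpacket area."""
    out, i = {}, 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                           # two-octet subpacket length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        stype, sbody = area[i] & 0x7F, area[i + 1:i + n]
        i += n
        if stype == 2:
            out["created"] = struct.unpack(">I", sbody)[0]
        elif stype == 16:
            out["key_id"] = sbody.hex().upper()
    return out

def parse_signature(raw: bytes) -> dict:
    tag, off, length = packet_header(raw)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    b = raw[off:off + length]
    info = {"version": b[0]}
    if b[0] == 3:                                    # fixed layout; b[1] is always 5
        info.update(sig_type=b[2], created=struct.unpack(">I", b[3:7])[0],
                    key_id=b[7:15].hex().upper(), pk_alg=PK_ALGS.get(b[15], b[15]),
                    hash_alg=HASH_ALGS.get(b[16], b[16]))
        pos = 19                                     # skip the left-16 hash bits
    elif b[0] == 4:                                  # metadata lives in subpackets
        info.update(sig_type=b[1], pk_alg=PK_ALGS.get(b[2], b[2]), hash_alg=HASH_ALGS.get(b[3], b[3]))
        hlen = struct.unpack(">H", b[4:6])[0]
        ulen = struct.unpack(">H", b[6 + hlen:8 + hlen])[0]
        info.update(parse_subpackets(b[8 + hlen:8 + hlen + ulen]))   # unhashed first,
        info.update(parse_subpackets(b[6:6 + hlen]))                 # so hashed values win
        pos = 10 + hlen + ulen
    else:
        raise ValueError(f"unsupported signature version {b[0]}")
    mpis = []                                        # one MPI for RSA, two for DSA
    while pos < len(b):
        bits = struct.unpack(">H", b[pos:pos + 2])[0]
        mpis.append(bits)
        pos += 2 + (bits + 7) // 8
    info["mpi_bits"] = mpis
    return info

if __name__ == "__main__":
    raw, ok = dearmor(SAMPLE_ARMOR)
    print("CRC-24 ok:", ok, parse_signature(raw))
    print(parse_signature(V4_SAMPLE))
```

The practical difference between the two formats: a v3 signature stores the creation time and the 8-byte issuer key ID inline and hashes only the signature type and creation time along with the data, while a v4 signature moves that metadata into subpackets, the hashed area of which is covered by the signature. That is what lets v4 bind extra attributes (expiry, preferences, notations) into a signature, and it is also why an implementation that only knows the fixed v3 layout cannot verify a v4 one.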

Johan Wevers

Aug 29, 2001, 5:48:54 AM
Stefan Bellon wrote:

> Therefore GnuPG can "give away" just the session key of an encrypted
> message. This way you don't have to reveal your secret key. You can
> just release the session key to decrypt one special message. Is that
> enough for your UK law or do they really want the secret key?

But with good steganography you can deny that the file is an
encrypted message and not give any key whatsoever. GnuPG can
set the encrypted-to key to zero (making it try all secret keys
on decrypt), so you could deny having a fitting secret key, but
not going through all this mess with slow-working government
agencies is of course far preferable.

> Yes, exactly my point: Steganography is just some other way of security
> through obscurity.

But one that might work considering the usual lack of knowledge police
officers display about crypto matters. As a first line of defence
against abusive governments security through obscurity might be a
good idea.

--
ir. J.C.A. Wevers // Physics and science fiction site:
joh...@iae.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Robert J. Hansen

Aug 30, 2001, 12:59:01 AM
> If you're doing nothing too illegal what have you to fear?

You should know better, Paul. What he's doing may be illegal, but very
unpopular.

In most Western countries, it's safer to be a lawbreaker than to be
unpopular. If you break the law but the public loves you for it, you have
nothing to fear. If you live within the law but the public despises you,
watch out for the lynch mob.

allie°M

Aug 30, 2001, 2:05:31 AM
>Rich <rich@_X_cnylug.org> posted:

> I can't speak intelligently about GnuPG-Shell other than to tell you
> it's closed source. Abandonware? Don't know.

GnuPG Shell isn't abandonware. The latest version, v1.91 was just
recently released.

-= allie°M =-

Johan Wevers

Aug 30, 2001, 2:38:59 AM
"Š Paul" wrote:

> If you're doing nothing too illegal what have you to fear?

Shut up with this nonsense. Governments sometimes have other
definitions of what should be illegal and what they are allowed
to know than some (most) of their citizens. Most people interested
enough in encryption to read a group like this most probably
want to set those borders themselves and don't want to have them
set for them.

Free-man

Aug 30, 2001, 1:11:42 PM
On Thu, 30 Aug 2001 11:10:24 +0200 (CEST), Nomen Nescio
<nob...@dizum.com> wrote:

>On Thu, 30 Aug 2001, (Š Paul) wrote:
>
>
>>If you're doing nothing too illegal what have you to fear?
>

>"First they came for the hackers.
>But I never did anything illegal with my computer,
>so I didn't speak up.
>Then they came for the pornographers.
>But I thought there was too much smut on the Internet anyway,
>so I didn't speak up.
>Then they came for the anonymous remailers.
>But a lot of nasty stuff gets sent from anon.penet.fi,
>so I didn't speak up.
>Then they came for the encryption users.
>But I could never figure out how to work PGP anyway,
>so I didn't speak up.
>Then they came for me.
>And by that time there was nobody left to speak up."
>-Unknown

First, they came for the drug users but I didn't speak up
because I wasn't one of them and everybody knows
that "drugs kill" unless they are distributed by the
government.

Next, they came for the smokers but I didn't speak up
because "smoking kills", it causes excruciating pain,
the smoking industry targets "the children", freedom to
choose is bad because some people may make "wrong"
choices. Smoking shortens the life span and longevity
is the highest of all values. Nicotine is a "drug" and, horror
of all horrors, it is "addictive". Those who value freedom
should be treated as children because they do not know
what is important, etc.

Rich Eramian aka freeman at shore dot net


Free-man

Aug 30, 2001, 8:18:12 PM
On Thu, 30 Aug 2001 20:06:16 GMT, Beretta <no_wook...@please.com>
wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>

>On Thu, 30 Aug 2001 17:11:42 GMT, Capit...@Freedom.org (Free-man)
>wrote:
>
><snip>


>>
>>Next, they came for the smokers but I didn't speak up
>>because "smoking kills", it causes excruciating pain,
>>the smoking industry targets "the children", freedom to
>>choose is bad because some people may make "wrong"
>>choices. Smoking shortens the life span and longevity
>>is the highest of all values. Nicotine is a "drug" and, horror
>>of all horrors, it is "addictive". Those who value freedom
>>should be treated as children because they do not know
>>what is important, etc.
>>
>>Rich Eramian aka freeman at shore dot net
>>
>>

>I think I am beginning to understand you. You oppose any and all
>regulation of your life,

Yes, I oppose people who try to regulate other people's lives.

> even when those activities will maim/kill your
>neighbors.

No. I do not support murder, assault, theft, fraud or disturbing the
peace.

>Second hand smoke kills. PERIOD.

Then everyone on this planet should be dead. PERIOD.

But what about your second hand smoke assuming that you use
electricity, heat your home, cook food, use modern transportation
and communications, or purchase products that are produced in
factories, etc. ?

>If you engage in an activity that harms/maims your neighbor then you are
>irresponsible, and do not deserve the same liberties as responsible
>persons.

I have a neighbor who smokes cigars, drinks wine, has outdoor
barbecues, mows his lawn, drives a car, heats and cools his
home, etc. He is a great guy who does not kill, harm, or maim
anyone and he deserves to be free just like you.

Rich Eramian aka freeman at shore dot net

"There is nothing that needs reforming so much as other
people's bad habits." -- Mark Twain
