Discussion in 'privacy technology' started by lotuseclat79, Jun 12, 2012.
Phil Zimmermann's post-PGP project: privacy for a price.
The quoted $20/month price is well above my budget, but I am glad they are charging for their services because I don't believe it is possible to provide a quality and reliable service or product with no economic incentive.
Linux kernel, Tor, Firefox, GnuPG, NoScript, TrueCrypt, etc.
Sure, some of them like Mozilla make money in other ways, but none of them charge money for the product or service. So the notion that free = low quality is absolutely untrue.
I agree with both statements. He saw a need, and wanted to make money providing the service. I think he earned it after releasing the world standard in email encryption for free. One way to look at it is this: He will have the money to fight any attempts at government intrusion, that a 'free' solution might not be able to. Pre-Twitter, I think if somebody went after RedPhone, Moxie would have probably had no choice but to shut it down. I do hope he can get it down to $15 or $10 though.
That is why I included the word "reliable". If someone is not making a profit of some kind with a product or service, he can decide to abandon it any time he likes, but I know of no company out there that is going to abandon a product that brings in money.
And about the products you mention: Firefox is making something like $100 million a year, Tor developers are funded by the EFF, Linux kernel developers are paid too. GnuPG, TrueCrypt and NoScript, I don't know if they get paid or not, but I know that as a customer I cannot go to them and ask that they get their act right or implement A or B feature with the same pressure that a group of customers can apply to a for-profit company.
For profit software is almost always closed source, which is usually bad, especially for security applications. The best example is any kind of crypto software. If it is closed-source, no one can verify any of its claims and we have to accept it on "faith" which really sucks when we are paying money for it.
Good for him.
Re: comments about free vs paid for software, I think most of us have long since discovered that even for Windows users most of the best quality software is free (regardless of if the authors get paid in other ways).
Silent Circle is set for launch on the 17th of September as per https://silentcircle.com/.
I hope it's open source. Most of Zimmermann's software is open for review, just not under a libre license like the GPL. I would be willing to pay as long as I can review it myself.
Off topic posts removed. Also, please don't cross post links to other threads to get them more attention. Not every thread about encryption needs a link to that same thread.
In post #10 of the previous version of the current thread I made a reference to Chronomatic's comment in another thread about my s/w being just a one-time pad only easier to break. Or something like it!
I tried to find the comment above after sending you the PM and couldn't!
Has it been removed as well?
If 'yes', have any other references/replies to my s/w or thread been removed as well? …at least as far as you know.
Like I said, I'm a veteran! BTW, have you noticed the popularity of this thread? Hm! 1014 views!
Looking forward to your reply!
danleonida, again your latest reply is off-topic to this thread, but, I'll reply here to explain.
This thread is about "Phil Zimmermann's post-PGP project" not about anything else. Linking from this thread to the topic you started about your software, or talking about it here in any case, doesn't belong in this thread.
And yes, the reply by chronomatic was removed from the other thread because, like this thread, you replied into that thread with a link to the topic you started here about your product. Your post along with his reply to it, were both off-topic to the thread titled "US government developing ultimate cyber weapon". A gov't made cyber weapon has nothing to do with your software.
Let's have all future replies to this thread be about the topic's title "Phil Zimmermann's post-PGP project: privacy for a price" and nothing else.
I just don't know about Phil's new venture!
Half the new company is ex-DoD and, once in DoD, always in DoD!
It looks to me like Uncle Sam wants to know all people willing to pay $20 per month to have their 'secrets' 'hidden' professionally! Hm! It makes sense, doesn't it? I consider myself a veteran of the unmentionable and I can tell you about the tricks govs play that will keep you laughing well past the end of the world!!
BTW, in the 90s, Phil had an extensive authentication network for PGP. Does anybody know whatever happened to it? Without it... PGP encryption IS MUCH WORSE THAN PLAINTEXT due to the FALSE SENSE OF SECURITY it gives people. More dangerous than a loaded gun! Any comments...?
I sent two emails to Phil asking for his opinion on a project I'm involved in. When/if he replies I'll try to find out more about the new venture.
Authentication is up to the user. It's called the Web of Trust. I see no issue with it. You should never sign a key whose identity you haven't verified.
What can I say about your insightful reply?!
Cute smiley and the spelling of your initials is correct!
Why do you say that and how do you know??
I said it because, as I mentioned elsewhere in this forum, I AM a veteran of the unmentionable!!!
Are you suggesting that people of insufficient cryptographic expertise should be screwed by con artists while you, I and most posters on forums like this one stand by and enjoy?!
Count me out, please!
With no authentication network in place, s/w can be bugged "on-the-fly"! I'm sure you know that! ...and if you don't, you should!
BTW, how come wildersecurity.com has signed its own security certificate? Do you know? I see red every time I post here! ...not that I have anything against the color 'red'!
I can't say Zimmermann is a con artist. He brought public-key cryptography to the world and spent time in prison for it. Is his new venture worth the money? I can't say, but I see no reason to distrust the man (even though he was affiliated with Hushmail and Hushmail had security problems).
Authentication means you are verifying who owns a specific key. I don't think an "authentication network" should be left to the people creating the software. In that case you are essentially trusting someone *else* to verify keys for you, and we've seen how well that has worked out for SSL! I do not and will not trust a third party to sign and verify someone else's key for me unless I know that third party very well.
That's how the Web of trust works. You can verify keys yourself or trust friends to verify keys for you. Ultimately it's up to you who you want to trust and how much you want to trust them. This mechanism is already built into PGP/GPG and I think it's the best way to do things until some new technology comes along.
Because it's a web forum and they don't need a high degree of security. There's nothing "classified" here. BTW, there's nothing wrong with self-signed certs. All it means is that Comodo or Verisign or Entrust didn't sign the certificate. That's fine with me since most of those companies are horrible when it comes to doing thorough checking.
Because I was in DoD, both in uniform and as a GS, and I'm one of the biggest "stay out of my business" advocates on here. So you are wrong that just because somebody had a career in DoD, that they will turn over your info to "the man'.
I didn’t know that he actually spent time. That makes my distrust even deeper because I don’t know what the prison release conditions were! Alphagheterians love these kind of people! Prisons are like universities. They teach the value of discretion! I’m in Canukistan. Over here the National Insecurity Industry traffics in pardons. Over 100,000 in a five year period, according to one audit.
Oops! That's not my definition, nor Zimmermann's in the early 90s. What I and he meant in the 90s is a network of trusted sites (in Canada he used the CBC) supplied with a 'golden' copy of PGP in a very secure/trusted fashion. One would download PGP from wherever and send it to one of these sites for 'authentication'. The end user only has to trust Zimmermann and all trusted BY him!
Think about it for a minute! Let's say you want to distribute something like PGP. All your incoming/outgoing traffic goes through intermediate, likely gov-controlled sites. How difficult do you think it is for these sites to intercept requests for download and replace the original with gov-approved versions of the same?! Piece of cake!
That doesn’t sound right to me!
What’s to stop, say, a bad pornography site from doing same? Again, remember I’m only an amateur Internet security dilettante! EE by training.
That’s just you! Not everybody!
If DoD were to come to you asking that you do ‘something’ for them as a civilian, would you decline? Would you still decline if they didn’t say it out loud but rather ‘whisper’ it?
I didn’t think so! Remember! I said it somewhere before: I’m not only an EE, but also a veteran (20 years) of the unmentionable!
Edit: BTW, What's a "GS" and how much of your DoD background you want to share with the forum? As for me... Just look at my avatar!
I'd tell them to pack sand. Why is that so hard to believe? You've got a guy writing a book about the OBL raid right now... lots of "formers" have abandoned the flock. Look at William Binney.
GS: Civilians working for the .gov
As far as my résumé, LOL... that would be foolish on a privacy-related forum.
...and they just MIGHT outline the consequences of so doing!
Sorry! If you were to phrase it like this: "...lots of "formers" WERE ALLOWED to abandon the flock.", then -- and only then -- we would agree! I've just seen TOO MUCH here in Canukistan! Too much GOOD and too much BAD!
BTW, What's "OBL raid"?
No offence intended!
I just asked a question since you already mentioned some of your résumé.
Edited out ref to other thread! Forgot the thread I was in! Sorry!
Ok! I read a bit about him. How do you know he's for real and NOT a simple misdirector?
I guess you don't believe the bit about me being a 20 year veteran. Let me tell you something sad, but true, about whistleblowers in this industry: The harmless live! The harmful die!
Here's a classic misdirector!
Covert Entry: Spies, Lies and Crimes Inside Canada’s Secret Service.
By Andrew Mitrovica. Toronto: Random House of Canada, 2002. 358 pages.
Reviewed by the NSA.
Search for title in the links above. I couldn't find the original NSA review which, btw, was right on!
How much farther OT can this thread get?
Regarding Silent Circle, I find it very hard to believe that such a service could be deployed in any country influenced by western governments without the service being made surveillance-friendly. I also disagree with using the same service, company, etc. for both the network and the actual encryption. I prefer them separate and independent, just as I prefer separate encryption apps for files/disk and for communication. IMO, relying on a single vendor, app, company, etc. makes you more vulnerable.
Regarding PGP, my trust of the "official" versions ended when NAI stopped making the source code available. I'll have nothing to do with any version that Symantec has any involvement with. For those rare times that I need it, the last CKT version (which works fine on XP) serves my needs quite well.
Are you saying that you always recompile it?
Are you saying that source availability is a 'sign' you use in deciding whether to trust the company, or not?
In my own mind, one should not trust anything that could be infected in-flight.
With encryption software, the source code has to be available for inspection by anyone, with no non-disclosure agreements in the way. Without it, there's no realistic way to know if the app has been weakened, backdoored, etc. As for "infected in flight", there are no guarantees that anything digitally transferred hasn't been intercepted, altered, replaced, etc., save for file hashes or armored signatures. For the encryption apps I use, those signatures were obtained from a source I trusted.
You get the source, you inspect, recompile and then -- and only then -- use! How can you be infected "in-flight"?
You can still be infected by a rootkit, but not if you keep the recompilation on a PC that's NEVER on Internet!
We are talking now about levels of security not needed by the average! ...still interesting though!