Discussion in 'privacy technology' started by ronjor, Apr 29, 2010.
Glad I stopped using PGP years ago. OpenSSL/GnuPG FTW!
Well, I guess bye bye PGP sometime down the road, or it'll morph into something else.
I like PGP over the open source varieties and I'll hope Symantec lets PGP Corp operate as an independent subsidiary of Symantec.
Thanks for the link, ronjor.
Snow, I'm curious why the Symantec hate?
Personally, I don't hate Symantec. My wife uses it on her desktop and I've used it in the past.
My concern is that Symantec has a habit of buying companies and then those companies disappear.
Also, if PGP is allowed to live, will it be as secure as it now is? Or, will Symantec give govt a back door?
It looks like encryption is about to get to be a very common thing. I am toying with the idea of encrypting the laptop in case someone else gets their hands on it. I do expect Symantec to insert a back door, so TrueCrypt is my first choice at the moment.
That's kind of my feeling too. I'm right now in the process of looking at GPG and other programs. No decision yet. I'll look at TrueCrypt again, but I don't think it does email encryption, which a couple of people I correspond with (business) insist on.
Unlike an operating system, PGP is not an app that a company can force onto the planned obsolescence path. It's not a web application that has to stay current to work. It doesn't become less secure with age and doesn't need constant updating. The existing versions will keep working properly no matter what they do. New and old versions can communicate securely. If users decide they want to stay with what they have, there's nothing Symantec can do about it. There's no need to abandon PGP. Just stay with what you have now.
Right, I'm aware that the various versions of PGP can communicate. A PGP employee posted on a PGP email type forum I'm a member of, and he seems quite high on the idea that Symantec bought out the company.
My concern is the back door issue. PGP never caved. I'm not as confident about Symantec holding the line. I like my emails being private. I like the idea that right now, my tax and business info which is PGP encrypted can't be read by anybody. And, I don't buy into the 'well, if you aren't doing anything wrong' nonsense.
I'm not, I just like my privacy.
Any backdoor they add will not affect the existing versions.
Forget PGP entirely and use this solution as I do:
S/MIME certificates are infinitely easier to use than PGP, and when you roll your own, there is no chance the NSA can use a backdoor.
I'd always thought that since versions of PGP could talk to each other, a back door would work the same way. Have to do some checking on that.
I'm in the process of upgrading to the latest version. Heard it's a nice improvement.
There are two ways a backdoor could be added to PGP:
1. The application itself is backdoored. The user would have to choose to install it.
2. A new encryption algorithm could be introduced with a deliberate flaw. On an existing system, the user would have to choose to include and use it.
As it exists right now, there is no way to get a user's private key from their public key. A backdoor in the application couldn't be used to obtain the private key of a user of a non-backdoored system. It can only compromise the individual using it.
The "improvements" are additional features, system integration, eye candy, etc. They are not security improvements. PGP has had very similar problems in its history. When the source code was no longer made freely available, the same questions circulated. At one time, some believed Network Associates was a front for the NSA, and PGP was already backdoored. Look up the history of the CKT versions. You will need the Wayback machine to get to the original pages. Most all of those pages have disappeared.
This is where users have a decision to make. PGP is an application built to protect your most sensitive communication. IMO, feature creep should be avoided in such an app. The more integrated an app is with the operating system, the more vulnerable it is to weaknesses and compromises of that host system. Every "feature" should be examined from the aspect of its effect on security, beginning with the availability of the source code and the ability to verify the app's integrity. This is one instance where change just to stay current is contrary to security. Don't fix it when it's not broken.
My reference to "nice" was in regard to the GUI. I like it.
What I really wish was that the older v8.1 ran on Vista HP. I've got it on my XP desktop. On the laptop, from what I've read, it won't install. It's a shame. That's my favorite, for speed and size, plus I'm very familiar with it.
I don't really care about this as I use Linux and GnuPG for my e-mail encryption and LUKS/dm-crypt for WDE. What does concern me is that Symantec may try to change PGP to some other specification, thus breaking its compatibility with the OpenPGP standard (which is what GnuPG and others use for interoperability). That means users like me on GnuPG might not be able to communicate securely with Windows users who have generated a key under the new Symantec PGP. That would really suck.
And if Symantec closes the source code, that should be a red flag. One should never trust encryption software that is closed-source.
So, Symantec spends big money for an encryption program and proceeds to add a backdoor which, when (not if) discovered, would destroy every ounce of respect they have as a security company and would likely put them out of business. I don't buy that for a minute.
There are various well-known security services using PGP full disk encryption. I recall reading somewhere that the Ministry of Defence in the UK had chosen PGP for use in their laptops.
My question is, would a Government agency use an encryption product that they know their adversaries (other Governments) can crack?
I think not.
There was also a famous case a couple of years back of a guy arrested crossing the Canada-US border with a laptop full of child porn encrypted with PGP. The customs officers unfortunately shut down the laptop before copying the evidence, and with it, the encrypted container.
The guy managed to avoid charges by invoking his right not to self-incriminate and refusing to reveal the password. They never managed to crack it after two years of brute-forcing it with a computer farm (according to ZDNet news). He is now back in Canada with his family.
And with PGP source code available under a non-disclosure agreement, I trust them as much as I trust TrueCrypt.
The acquisitions are now final:
I do not know much about cryptography, and I'm using GnuPG with Seahorse on Ubuntu. If the Symantec case opened a door for the government, would we not still have GnuPG?
I'll say it again because I honestly believe this... I can't see a company like Symantec taking the risk of inserting a "backdoor" and being caught. It would be the death knell with a single bullet for the security firm, seriously. I think the sale makes a lot of sense in that it brings other kinds of security products under their umbrella. I just don't see a company, with the respect they've built, risking it all with decisions to undermine their newly acquired encryption products.
OK, I do not believe that Symantec would put a back door in their product.
And I still do not know much about encryption, but from reading on the Internet, many recommend using only open encryption standards.
Governments that have the opportunity to spy on their citizens with very little chance of being discovered most likely will do it.
I believe that anyone who uses PGP and is afraid now can use OpenPGP-based programs like GnuPG, which I use along with Seahorse on Ubuntu.
I'm using an automatic translator; if something reads wrong, that must be why.
I do not like proprietary software; in most cases it could have secret doors.
next, the world.
I certainly agree. Customer trust is a critical asset, especially for a security company.
Additionally, I suspect that many (most?) PGP employees would walk out the door in protest if Symantec were even to contemplate such an action, due to the PGP culture of excellence and integrity.
A statement from PGP/Symantec on the issue of source code visibility...