[ISN] Pretty geeky privacy

From: InfoSec News (isnat_private)
Date: Wed Mar 27 2002 - 23:03:56 PST

  • Next message: InfoSec News: "[ISN] MS vs. open source: Security's the same"

    By Bill Lamb
    March 27, 2002  
    When Network Associates halted development of its widely respected PGP
    (Pretty Good Privacy) desktop encryption software in late February,
    Julian Koh worried about his "postcards."
    Koh considers everything that passes across the Internet -- e-mail,
    mailing list postings, Web pages -- as no more private than postcards
    that can be read by anyone along their path. That realization long ago
    inspired an epiphany for the Northwestern University network engineer:  
    "I was really amazed at the ease with which my network traffic could
    be intercepted and examined, even with no malicious intent
    It wasn't a question of Koh having secrets. There are just some things
    that are no one else's business. So for the past five years, both at
    work and at home, he has used PGP to routinely encrypt potentially
    sensitive communication, turning ordinary data into bits and bytes of
    meaningless gibberish readable only by those with the proper digital
    "Typically, I [digitally] sign most of my outgoing messages, and
    several people and organizations with whom I correspond regularly also
    require encryption of messages," he says.
    But online security, just like everything else, is subject to the ebb
    and flow of capitalism -- and the relentless releases of new software
    products with which one must be compatible. Updated operating systems
    from Microsoft and Apple require updated versions of PGP, but Network
    Associates is currently not making the necessary improvements. Koh and
    tens of thousands of other PGP users have been forced to seek
    Increasingly, they're finding haven in a small corner of the
    open-source software world, bringing both opportunity and new users to
    an oddly named and heretofore little-known programming effort fueled
    by volunteers: GnuPG.
    The synergies of the relationship are obvious: open-source software
    and cryptography are two sublimely geeky obsessions that go well
    together. But the story of how GnuPG is coming to the cryptogeek
    rescue also illuminates some of the limitations of open-source, or
    free software. Even a relatively slick consumer product like PGP has
    been deemed too technically challenging by many normal computer users
    -- despite widespread anxieties about privacy on the part of the
    general Internet-using population. And making a software program easy
    to use is exactly the challenge that open-source software has
    historically been weakest at meeting.
    When programmer Phil Zimmermann dubbed his pet encryption software
    "Pretty Good Privacy" it was a master stroke of subtle understatement.  
    PGP's mathematical heart is so complex that it defies any meaningful
    lay description. The result of using it, however, is easily grasped:  
    data so jumbled that, according to its developers and some
    cryptography experts, our sun would burn out before all computers now
    in existence, working together, would have time to find the correct
    key for a single message. New advances in computing could ultimately
    change that, but for the moment, PGP is more than just pretty good.
    PGP is an implementation of public key cryptography in which the
    "keys" that lock and unlock the meaning of a message are produced in
    pairs, public and private. The public key is just that, and is
    distributed to anyone who might wish to send the user an encrypted
    message. The private key is kept by the user for decrypting messages,
    turning them back into readable form. Cryptographer and security
    specialist Bruce Schneier, in his book "Applied Cryptography," called
    the public key system "the most striking development in the history of
    Software engineer and privacy activist Zimmermann put the system to
    practical use in 1991, creating the first crude version of PGP and
    releasing it as freeware. "PGP empowers people to take their privacy
    into their own hands," Zimmermann wrote in the original program's user
    guide. "There has been a growing social need for it. That's why I
    wrote it."
    PGP spread worldwide on the Internet, and Zimmermann faced a
    three-year federal investigation for violating then strict regulations
    regarding the export of cryptographic software. When the government
    case was dropped in 1996, Zimmermann formed PGP Inc., and the modern
    age of consumer desktop encryption was born. PGP Inc. became a part of
    Network Associates in 1997.
    Like the system itself, PGP is both public and private. While Network
    Associates' source code is proprietary and no longer released to the
    general public, PGP, as a concept, lives in the open through the
    OpenPGP movement, a set of design specifications intended to make all
    forms of PGP-like public key systems interoperable.
    Enter GNU (pronounced "guh-NEW") Privacy Guard, also called GnuPG.
    GNU (a "recursive acronym" meaning "GNU's Not Unix") was launched in
    1984 to develop and maintain a free and open-source "Unix-like"  
    operating system. The GnuPG project is an OpenPGP offshoot managed by
    the German Unix Users Group and begun in response to U.S. export
    In a move seen as a rebuff of American pressure to tighten its
    restrictions on cryptographic technologies, the German government
    awarded the fledgling software effort a $177,000 grant in 1999. "In
    Germany, we are really free to do anything now," Werner Koch, head of
    the GnuPG movement, said of the German funding.
    Now, just two years later, Koch and his GnuPG team have a robust
    application available for multiple platforms -- and a new pool of
    potential users with which to grow.
    "I expected something like this," Koch said of PGP's demise. "They
    (Network Associates) have moved away from an encryption tool to a 'do
    everything security solution with the name PGP.' [But] it might have
    turned out that the name PGP didn't help that much in marketing."
    GnuPG's marketing amounts to little more than word-of-mouth and Web
    sites. But those appear adequate. Discussion of GnuPG slipped onto the
    scene in PGP-related newsgroups and e-mail lists with surprising
    stealth. No announcements, no fanfare. It was just there one day,
    being recommended to an increasing number of inquisitive Windows and
    Macintosh users as a possible replacement for PGP.
    Koch, who oversees GnuPG development from Germany, said the number of
    visitors to the GnuPG site each week has almost doubled since Jan. 6,
    rising from 11,249 to 20,689. While download numbers are difficult to
    measure since approximately 30 sites mirror the GnuPG files, Koch said
    GnuPG's main server is registering approximately 2,000 downloads per
    week for the application's Windows version and about the same for the
    Unix version. That's up from approximately 1,700 each earlier this
    year, he said.
    Downloads of the relatively new GnuPG version designed for Apple's new
    operating system, Mac OS X, have also jumped sharply, and new user
    interface tools for OS X have been introduced within the past month --
    and updated since then.
    "I don't really have time for a full quantitative analysis, but I
    think that interest is about three times what it was," said Gordon
    Worley, a 19-year-old Orlando, Fla., computer science student who
    oversees the Mac OS X version of GnuPG. "A lot of work is getting done
    in the MacGPG project because users of PGP are realizing that they
    have to find a solution when migrating to OS X."
    Zimmermann, now a consultant who remains active in the OpenPGP
    movement, indicated the Network Associates experience should be an
    example to privacy advocates.
    "... It is dangerous to put all your eggs in one basket, and we can
    clearly see now how bad it can be to allow PGP to be buried by a
    company that owns it exclusively," he said. "We are all fortunate that
    GPG was developed."
    After Network Associates purchased PGP, commercial releases began to
    include services not required by the average user -- virtual private
    networking, software firewall protection, key sharing and even a
    third-party corporate key recovery system. GnuPG, on the other hand,
    concentrates on the basics of digital signatures, e-mail and file
    encryption, and key management.
    And that's all that is required to protect Koh's postcards: "My
    prediction is that I will eventually end up with GnuPG installed on my
    But what about the rest of the world?
    The open-source software movement, long the domain of highly talented
    and motivated programmers working toward a socio-technical ideal and
    for love of the craft, now is confronting the different expectations
    of a PGP consumer base unwilling to surrender ease of use.
    Network Associates, building on Zimmermann's work after purchasing his
    company, made significant strides in hiding the arcane and promoting
    the simple. Both Windows and Mac users finally could point-and-click
    their way to a more secure desktop and communications environment. At
    least a rudimentary understanding of the nature of public and private
    keys, and how to use them, was still required, but a comprehensive
    guide accompanying the software put the issues in as plain terms as
    "Ease of use is critical," said Zimmermann. "E-mail encryption is used
    by only a small segment of the population of e-mail users largely
    because of ease-of-use issues."
    The GnuPG project isn't yet that advanced when it comes to the user
    experience, Koch concedes.
    GnuPG is the engine that drives the encryption system: encrypting,
    decrypting, signing and verifying, and creating and managing public
    and private keys. Yet it relies on command-line entries. Installation
    requires some minimal direct input of text commands. Graphical
    interfaces are available, but they are separate, not part of the basic
    GnuPG package.
    Even Mac OS X users will find that installation of the basic MacGPG
    package requires inputting text commands. And Worley, the Mac team's
    leader, is very aware that Mac users are accustomed to more polish.  
    "We have preliminary versions of most of the software that the average
    PGP user will need on OS X, but more work is needed. Our software does
    not fulfill the expectations of the Mac experience yet."
    Open-source can also mean "closed climate," with developers working
    only to meet their own desires and those of a relatively small and
    stable base of users and fans. The strength of the movement --
    distributed development by volunteer programmers worldwide -- isn't
    geared toward the sudden appearance of clamoring consumers with
    questions, complaints and wish lists in hand.
    Eric S. Raymond, president and co-founder of the Open Source
    Initiative, says the system will adjust.
    "In fact, I think this kind of bombardment is a good thing. I think it
    is exactly what open-source developers need to get a clue about the
    way actual end-users think."
    The commercial adage that the customer is always right still rules, he
    "Much of the open-source community is still weak at end-user UI. Most
    hackers have not yet assimilated the knowledge or the attitude
    necessary to serve end-users like these. This will change, but it
    won't change overnight."
    Despite its surge in user popularity, GnuPG may not remain the
    long-term sole source for new PGP applications. Network Associates'
    new code is locked away, but the company still hopes to sell it. And
    the OpenPGP standard means that anyone with the will or the money --
    or both -- can create and market a new product. Privacy advocates say
    that's precisely the point.
    "The general public seems very unaware and unconcerned with basic
    issues of privacy and how their use of the Internet contributes to
    major loss of privacy," said Tom McCune, a PGP user from Holland
    Patent, N.Y., who maintains a popular Web site dedicated to PGP
    issues. "For those with some level of awareness, there is a basic
    attitude of just not wanting to be bothered with doing something about
    it, and this is tremendously complicated by general lack of technical
    Advocates believe open development by several companies, private
    organizations and individual programmers will lead to even more
    improvements, wider use and, ultimately, greater protection of
    personal privacy.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 01:44:58 PST