Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Encryption Security Your Rights Online

DMCA Attacks: NAI Tells Sites To Remove PGP (Updated) 254

daecabhir writes: "I am on Declan McCullough's excellent policy and technology mailing list, and received this article on Declan's Politech web site. Basically, Network Associates now appears to be using the DMCA to force sites that provide access to the "free" versions of PGP to cease and desist, if this is any indication. Unfortunately, I think that Network Associates may well be within their rights with regards to 'their' intellectual property, even if I disagree with the manner in which they are going about things." Update: 05/22 13:55 GMT by T : Looks like this wasn't the whole story, and in fact NAI was only objecting to a site with the commercial version of its software -- read below for more.
Grant Bayley writes: "The hype being generated by the "NAI pulls out the DMCA stick" postings and the spectre of PGP being "removed from the Internet" is entirely bogus, and provably so with a little bit of fact checking.

Looking through the Google cache, it becomes very clear very quickly that crypto.radiusnet.net was hosting a copy of the commercial version of the software - not a copy of the PGPi (aka freeware) version of the PGP product. Given that this is the case, NAI is well within their rights to demand the removal of the files.

You can confirm this in the Google Cache.

This discussion has been archived. No new comments can be posted.

DMCA Attacks: NAI Tells Sites To Remove PGP (Updated)

Comments Filter:
  • What is the DMCA's policy on older software?

    Does this mean that older versions of PGP now belong to Network Associates and are subject to the company's will? Even if they were free?
    • by homer_ca ( 144738 ) on Tuesday May 21, 2002 @10:04PM (#3563341)
      PGP versions 6 and 7 had both Freeware (free beer, for noncommercial use only) and Professional versions. If NA is trying to shut down PGP Freeware downloads, it's bogus. This is sections 1 and 3 from the PGP Freeware 6.5.8 license. Section 1.b grants the right to distribute unmodified copies. Section 3 states the term of the agreement, forever as long as the user violates the license. I was half expecting to find it, but they do NOT say "We reserve the right to change these licensing terms at any time without notice".

      1. License Grant. Subject to the terms and conditions of this Agreement, Network Associates hereby grants to you a non-exclusive, non-transferable right to use, copy and distribute solely for Non-Commercial Purposes (as defined below) the specified version of the Software and the accompanying documentation (the "Documentation").
      a. For purposes of the foregoing, "non-commercial purposes" means non-commercial, non-governmental use, including, without limitation, home use for personal correspondence, student or academic use, or use by non-profit human rights organizations. The Software is "in use" when it is loaded into the temporary memory (i.e., RAM) or installed into the permanent memory (e.g., hard disk, CD ROM, or other storage device) of a computer for the purpose of being accessible in client-mode by an end user.
      b. You may make exact, unmodified copies of the Software and distribute such copies solely (i) by electronic means; (ii) for Non-Commercial Purposes; and (iii) with all proprietary notices (including without limitation all copyright notices and this End User License Agreement) intact and unmodified or obscured.
      3. Term. This Agreement is effective unless and until earlier terminated as set forth herein. This Agreement will terminate automatically if you fail to comply with any of the limitations or other requirements described herein. Upon any termination or expiration of this Agreement, you must destroy all copies of the Software and the Documentation.
  • Hm. (Score:4, Informative)

    by Wakko Warner ( 324 ) on Tuesday May 21, 2002 @09:43PM (#3563230) Homepage Journal
    Good thing there's GPG [gnupg.org]...

    - A.P.
    • Re:Hm. (Score:4, Informative)

      by Clue4All ( 580842 ) on Tuesday May 21, 2002 @09:50PM (#3563272) Homepage
      The problem with GPG is that it lacks an easy-to-use interface and Windows plugins. This was the selling point of NAI's PGP: it was easy point-and-click encryption for the common person. It's a shame they're ditching it, it really had a good chance for encouraging the widespread use of encryption.
      • GPG frontends (Score:5, Informative)

        by PeterClark ( 324270 ) on Tuesday May 21, 2002 @10:02PM (#3563328) Journal
        I could be mistaken, but I think that GPG plays just fine with NAI's plug-ins. And as for frontends, I don't think you have looked hard enough [gnupg.org]. Also, Kmail has effortless integration with GPG, and I hear that Evolution does too, although I've heard that there were a couple of bugs in it. Perhaps they've been fixed by now.

        :Peter
        • Re:GPG frontends (Score:3, Interesting)

          by psychosis ( 2579 )
          I use GPG with Evolution daily, and have had no problems in the 1.0.3 release.
          It even handles different keys for different accounts without user intervention (after telling it the key number for a given account, of course).
          It has the handy features like "remember pass phrase for this session" (it's an option for the paranoid), sign-every-message, and verification of a signed message sent to you with a mouse click.
          Check it out - it's the only mail client I use now!
      • I just investigated this as well for my company. While GPG seems to be technically superior from a command line point of view it sucks from a gui point of view on windows. The NAI version has a very good gui config tool, and great integration into outlook. I found this site http://www3.gdata.de/gpg/ which offers similar gui integration into outlook and a gui config tool, but the NAI version works and looks better IMHO.
      • Re:Hm. (Score:3, Informative)

        by ergo98 ( 9391 )
        Though because NAI hadn't been keeping it up, with each iteration of Outlook it fell further behind. For it to work with current versions of Outlook you have to specially configure PGP 7.0.3 to have a workable scenario, and even then quirks abound.

        I agree entirely with what you said, however I should point out that it is not so much the common person, or a "lowest common denominator" set of skills, but rather the security versus the convenience ration : I like using encrypted emails simply because it's no one elses business, but if it wasn't as convenient, and if I had to copy/paste between apps in a big time consuming process, I likely wouldn't bother except for messages which have to remain private (and one of the tenets of strong encryption is that encryption shouldn't be limited to only the highly confidential because it gives a very directed target, and can imply guilt to some screwed up types).
      • That's point (Score:2, Insightful)

        by famazza ( 398147 )

        That's exactly the point. That's the way it should be. The application does exactly one thing, cryptography, and nothing else. This is the unix way.

        All applications should be responsible for a single task, we have wonderful examples to show us that this modularity is very positive, powerful applications, few bugs, easy customizations.

        OTOH we have only few examples of stable applications that have lots of functionalities, usually hard to customize, adapt to new paradigms and maintaince.

        The idea is keep all development teams independent of each other, by following few, but well defined, standards. That's the way X works, we must choose a window manager, X developers don't need to worry about user interface.

        IMHO this is the way it should be, of course, a tarball/rpm/deb/whatever that packs the application and GUI is a great idea, but much more important then this is the quality of the application

      • Re:Hm. (Score:3, Informative)

        by _Sprocket_ ( 42527 )


        The problem with GPG is that it lacks an easy-to-use interface and Windows plugins.


        Open Source works by scratching itches. NAI has done a lot to generate an itch for GUI plugins/frontends for GnuPG on Windows. Poke around and you can easily find some good starts.


        This page [geocities.com]provides a fairly nice listing of some of them. Check them out, kick the tires, see if they work for you. YMMV.


        One thing to note - WinPT [winpt.org] is shaping up nicely as a general GnuPG interface (although it doesn't provide a selection of MUA-specific plugins, they do also offer GPGOE [winpt.org], a plugin for Outlook Express). WinPT is Open Source under the GPL license. And unlike other frontends, WinPT is more tightly integrated by using GPGME [gnupg.org], GnuPG's new API.

    • Since GnuPG does not use the patented IDEA algorithm, it is in no danger from NAI.
    • Seems to me that Network Associates, with their backs to the wall [cnn.com], are playing the part of a losing hockey team facing elimination in Game 4 of a best-of-seven series.

      Play dirty to survive.
  • Clarification needed (Score:2, Interesting)

    by ergo98 ( 9391 )

    So which version was being hosted that led to NAI sending out the copyright violation notice? Was this a commercial version that truly was a `pirate' copy, or was it the same version hosted at pgpi.com? (http://www.pgpi.org/products/pgp/versions/freewar e/ [pgpi.org]) The pgpi site doesn't seem to have any information regarding this, and you would think they would given the impact of it to them.

  • by jnana ( 519059 ) on Tuesday May 21, 2002 @09:48PM (#3563257) Journal
    at http://web.mit.edu/network/pgp.html [mit.edu], but you can bet that i'm gonna download it again right now and burn the installer onto a CD.
  • Can someone else who is not a lawyer explain how the DMCA applies?

    TIA!

    • by Cardhore ( 216574 )
      It doesn't, except they included the letters DMCA in the title of their e-mail. This is probably just ordinary copyright law.
    • by Anonymous Coward on Tuesday May 21, 2002 @09:59PM (#3563314)
      Sure:

      Wealthy Client: I want that stuff down.
      Lawyer: Okay.
      [to host] Take that down. Or else.
      Host: F*ck that. I've got First Amendment rights.
      Lawyer: Ha. [sends obscure legalese email] Here's a ridiculously vague DMCA notice.
      Host: I don't understand this crap.
      Lawyer: Good. You're not supposed to. But I'll be generous and tell you anyway. It says that if you take this stuff down, you won't be liable for [insert Carl Sagan voice] billions and billions of dollars for copyright infringement.
      Host: Oh. Okay.... I guess. [deletes information]
      Lawyer: Muahahaha.
    • By invokin the DMCA, they use the safe harbor clause as leverage against the ISP. The ISP is guaranteed no legal liability if the act promptly to remove or block access to the alleged illegal material. If they try and stand up for the rights of their client, they are liable as accomplices to theft.

      I don't know what the particular situation is here, there are dozens of version of PGP and PGP-like programs, and no indication of what the actual supposedly infringing material was. If it was the actual no longer for sale commercial version of PGP, they are regrettably well within their rights to ask it to be removed, otherwise this is nonsense.
  • by zentec ( 204030 ) <zentec@@@gmail...com> on Tuesday May 21, 2002 @09:50PM (#3563269)

    I purchased several copies of NAI's PGP for Unix version 5. The CD had a standard license agreement with it. Two years later, I receive a letter from NAI telling me that my license was revoked and I could no longer use the software.

    Somehow, I do not think I received my $1500 worth.

    I should have known, I asked NAI's sales department for a price quote on NAI virus protection products for the "enterprise" and I never did receive a straight answer.

    Thank God for GPG! Works with NAI's PGP plug-ins and it's truly free.
    • How do you get gpg to work with nai's plugins? I love the outlook plugin from nai but I would love to use gpg on the backend.
    • How about a link to a scan of that letter (with your details blanked out, of course)? It'd also be educational to see the original license agreement, to determine if it even contained an out like that for NAI (providing that it's enforcable to begin with, which is probably a stretch in a non-UCITA state anyway). IANAL, etc.
      • For your reading pleasure:

        -----
        PGP for Unix, Version 5.0.2
        LICENSE COPY OF NETWORK ASSOCIATES PRODUCTS

        (Commercial, Executable Version)

        Copyright (c) 1990-1998 Network Associates Inc., and its Affiliated Companies.
        All Rights Reserved.

        End User License Agreement for PGP for Unix

        IMPORTANT-READ CAREFULLY: This Network Associates End-User License Agreement
        ("Agreement") is a legal agreement between you (either an individual or a single
        entity) and Network Associates, Inc. (or "Network Associates") for the Network
        Associates software product identified above, which includes computer software
        and may include associated media, printed materials, and "online" or electronic
        documentation ("Software Product"). By installing, copying, or otherwise using
        the Software Product, you agree to be bound by the terms of this Agreement. If
        you do not agree to the terms of this Agreement, you may not install or use the
        Software Product; you may, however, return it to your place of purchase for a
        full refund.

        The Software Product is owned by Network Associates, Inc. and is protected by
        copyright laws and international copyright treaties, as well as other
        intellectual property laws and treaties.

        1. GRANT OF LICENSE. Network Associates grants you (the original end-user,
        except as permitted under 1 (g)) a non-transferable non-exclusive license to put
        in use by a person or organization that agrees to be bound by the terms of this
        Agreement, one copy or node of the Software Product. If you purchased this
        Software Product from a retail store or directly from Network Associates as a
        retail product for individual users, this license is effective until terminated.
        If this Software Product was purchased in some other manner than as a retail
        product, the license may have a term commencing on the Delivery Date of a
        Product and continuing for an extended period of time as otherwise indicated in
        your purchase order or as set forth in a separate and complementing Software
        License Agreement to which this End User License Agreement is subject to.

        a. Installation. You may install one copy or node of the Software Product on
        one Client Device (defined as, any computer, workstation, personal digital
        assistant, pager, "smart phone" or other digital electronic device for which the
        software was designed and on which software may be used by an end user in
        client-mode).

        b. Use. You may use one copy or node of the Software Product on one Client
        Device or Server (except as may be specifically provided below). The Software
        Product is "in use" when it is loaded into the temporary memory (i.e., RAM) or
        installed into the permanent memory (e.g., hard disk, CD ROM, or other storage
        device) of a Client Device for the purpose of being accessible in client-mode by
        one end user. Though the Server may be connected at any point in time to an
        unlimited number of workstations or computers operating on one or more networks,
        you must acquire a separate License for each end user who accesses or otherwise
        utilizes the services of the Software Product. Any computer, workstation,
        personal digital assistant, pager, "smart phone" or other digital electronic
        device on which software may be used by an end user in client-mode shall be
        referred to as a "Client Device." An end user who uses software on a Client
        Device that accesses or otherwise uses the Software Product shall be referred to
        as a "Seat." Each License must be dedicated to one unique Client Device or Seat.
        It permits that Client Device or Seat to access or utilize the services of any
        Server running a copy of the Software Product. The services of the Software are
        considered to be accessed when there is a direct or indirect connection between
        a Client Device or Seat and a Server. Use of software or hardware that reduces
        the number of Client Devices or Seats directly accessing or utilizing the
        Software Products (sometimes called "multiplexing" or "pooling" software or
        hardware) does not reduce the number of Licenses required (e.g., the required
        number of Client Access Licenses would equal the number of distinct inputs to
        the multiplexing or pooling software or hardware "front end"). If the number of
        Seats or Client Devices that can access or use the Software Product can exceed
        the number of Licenses you have obtained, then you must have a reasonable
        mechanism or process in place to ensure that the number of Client Devices or
        Seats accessing or using the Software Product does not exceed the number of
        Licenses you have obtained.

        c. Volume Licenses. If this package is a volume license package (such as a
        "corporate license" or a "corporate bundle"), you may make and use additional
        copies or nodes of the Software Product up to the number authorized in this
        package or in your corporate license agreement, or otherwise indicated at the
        time of purchase. If the anticipated number of users of the Software Product
        will exceed the number of applicable licenses, then you must have a reasonable
        mechanism or process in place to ensure that the number of persons using the
        Software Product does not exceed the number of licenses you have obtained.

        d. Upgrades. If this Software Product is labeled as an upgrade or trade-up
        from a prior version of a Network Associates product that you were properly
        licensed to use, Network Associates grants you the right to put in use either
        the current or prior version of the Software Product, and any prior version
        license is replaced by this Agreement.

        e. Support. Subject to U.S. export control laws and regulations, Network
        Associates may provide you with technical support services relating to the
        Software Product according to Network Associates' standard support policies and
        procedures, which may be described in the user manual, in "on line"
        documentation and/or other materials provided by Network Associates or posted on
        Network Associate's web site ("Support Services"). Any supplemental software
        code provided to you as part of the Support Services shall be considered part of
        the Software Product and subject to the terms and conditions of this Agreement.
        With respect to technical information you provide to Network Associates as part
        of the Support Services, Network Associates may use such information for its
        business purposes, including for product support and development. Network
        Associates will not utilize such technical information in a form that personally
        identifies you.

        f. Dual Media Software and Multiple Platform Versions. If the package from
        which you obtained this Software Product contains more than one medium (e.g.,
        both 3 1/2" disks and a CD), you may use only the medium appropriate to your
        computer. You may not use the other disk(s) on another computer or loan, rent,
        lease, or transfer them to another user except as permitted under this Agreement
        or as part of the permanent transfer (as provided above) of all the Software
        Product and related materials. If the CD or disk(s) on which the Software
        Product resides contains several copies of the Software Product, each of which
        is compatible with a different operating system or platform architecture (such
        as Windows95/NT, Macintosh, one or more versions of Unix, the x86 architecture,
        or various RISC architectures), then you may install the Software Product for
        use with any of those architectures up to the number of copies or nodes
        purchased but in no event may you use any version(s) on another computer or
        loan, rent, lease, or transfer them to another user except as permitted under
        this Agreement or as part of a permanent transfer (as provided above).

        g. Restrictions.

        i) Transfer. The original of this Agreement is your proof of license
        to exercise the rights granted herein and must be retained by you.
        You may not rent or lease the Software Product, including all
        accompanying printed materials.

        ii) Other Restrictions. You may not reverse engineer, decompile,
        disassemble or otherwise translate the Software Product, except and
        only to the extent that such activity is expressly permitted by
        applicable law notwithstanding this limitation. If this Software
        Product is labeled "Evaluation Copy," "Not For Resale," "NFR" or to
        any of those effects, this license only permits use for
        demonstration, test, or evaluation purposes.

        2. COPYRIGHT. The Software Product is licensed, not sold. All right, title
        and interest in the Software Product (including any images, "applets,"
        photographs, animations, video, audio, music, and text incorporated into the
        Software Product), accompanying printed materials, and any copies you are
        permitted to make herein, are owned by Network Associates, Inc. and its
        affiliated companies or its suppliers, and the Software Product is protected by
        United States copyright laws and international treaty provisions. Therefore,
        you must treat the Software Product like any other copyrighted material (e.g., a
        book or musical recording) except that you may either (a) make one copy of the
        Software Product solely for backup or archival purposes or (b) transfer the
        Software Product to a single hard disk, provided you keep the original solely
        for backup or archival purposes. Such copy shall include Network Associates'
        copyright and other proprietary notices. You may not copy the printed materials
        accompanying the Software Product.

        3. U.S. GOVERNMENT RESTRICTED RIGHTS LEGEND. The Software Product and
        documentation are provided to the U.S. Government with RESTRICTED RIGHTS. The
        U.S. Government acknowledges Network Associates' representation that the
        Software is "commercial computer software" as that term is defined in 48 C.F.R.
        12.212 of the Federal Acquisition Regulations ("FAR") and is "Commercial
        Computer Software" as that term is defined in 48 C.F.R. 227.7014 (a)(i) of the
        Department of Defense Federal Acquisition Regulation Supplement ("DFARS"). Use,
        duplication or disclosure by the U.S. Government is subject to restrictions set
        forth in subparagraphs (a) through (d) of the Commercial Computer-Restricted
        Rights clause at FAR 52.227-19 when applicable, or in subparagraph (c)(1)(ii) of
        the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013,
        or at 252.211-7015, or to this commercial license, as applicable, and in similar
        clauses in the NASA FAR Supplement, as applicable. Contractor/manufacturer is
        Network Associates, Inc. 2805 Bowers Avenue, Santa Clara, CA 95051-0963.

        4. EXPORT LAW. Export of the Software Product may be subject to compliance
        with the rules and regulations promulgated from time to time by the Bureau of
        Export Administration, United States Department of Commerce, which restrict the
        export and re-export of certain products and technical data. If the export of
        the Software Product is controlled under such rules and regulations, then the
        Software shall not be exported or re-exported, directly or indirectly, (a)
        without all export or re-export licenses and governmental approvals required by
        any applicable laws, or (b) in violation of any applicable prohibition against
        the export or re-export of any part of the Software.

        5. TERMINATION. This Agreement will immediately and automatically terminate
        without notice if you fail to comply with any term or condition of this
        Agreement. You agree upon termination to promptly destroy the Software Product
        together with all of its component parts, prior and replacement versions, and
        all copies, modifications and merged portions thereof in any form.

        6. LIMITED WARRANTY.

        a. Limited Warranty. Network Associates warrants that the Software Product
        will perform substantially in accordance with the accompanying written materials
        for a period of sixty (60) days from the date of original purchase. To the
        extent allowed by applicable law, implied warranties on the Software Product, if
        any, are limited to such sixty (60) day period. Some jurisdictions do not allow
        limitations on duration of an implied warranty, so the above limitation may not
        apply to you.

        b. Customer Remedies. Network Associates' and its suppliers' entire
        liability and your exclusive remedy shall be, at Network Associates' option,
        either (a) return of the purchase price paid for the license, if any or (b)
        repair or replacement of the Software Product that does not meet Network
        Associates' limited warranty and which is returned at your expense to Network
        Associates with a copy of your receipt. This limited warranty is void if
        failure of the Software Product has resulted from accident, abuse, or
        misapplication. Any repaired or replacement Software Product will be warranted
        for the remainder of the original warranty period or thirty (30) days, whichever
        is longer. Outside the United States, neither these remedies nor any product
        support services offered by Network Associates are available without proof of
        purchase from an authorized international source and may not be available from
        Network Associates to the extent they are subject to restrictions under U.S. export
        control laws and regulations.

        c. NO OTHER WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW,
        AND EXCEPT FOR THE LIMITED WARRANTIES SET FORTH HEREIN, THE SOFTWARE AND
        DOCUMENTATION ARE PROVIDED "AS IS" AND NETWORK ASSOCIATES AND ITS SUPPLIERS
        DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED,
        INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
        FOR A PARTICULAR PURPOSE, CONFORMANCE WITH DESCRIPTION, TITLE AND NON-
        INFRINGEMENT OF THIRD PARTY RIGHTS, AND THE PROVISION OF OR FAILURE TO PROVIDE
        SUPPORT SERVICES. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU
        MAY HAVE OTHERS, WHICH VARY FROM JURISDICTION TO JURISDICTION.

        d. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
        LAW, IN NO EVENT SHALL NETWORK ASSOCIATES OR ITS SUPPLIERS BE LIABLE FOR ANY
        INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR EXEMPLARY DAMAGES OR LOST
        PROFITS WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS
        PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER
        PECUNIARY LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE PRODUCT
        OR THE FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF NETWORK ASSOCIATES HAS BEEN
        ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, NETWORK ASSOCIATES'
        CUMULATIVE AND ENTIRE LIABILITY TO YOU OR ANY OTHER PARTY FOR ANY LOSS OR
        DAMAGES RESULTING FROM ANY CLAIMS, DEMANDS OR ACTIONS ARISING OUT OF OR RELATING
        TO THIS AGREEMENT SHALL NOT EXCEED THE PURCHASE PRICE PAID FOR THIS LICENSE.
        BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
        LIABILITY, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

        7. GENERAL . These terms and conditions may not be modified, amended,
        canceled or in any way altered, nor may they be modified by custom and usage of
        trade or course of dealing, except by an instrument in writing and signed by a
        duly authorized officer of Network Associates. THESE TERMS AND CONDITIONS SHALL
        BE CONSTRUED AND ENFORCED IN ACCORDANCE WITH THE LAWS OF THE STATE OF
        CALIFORNIA, UNITED STATES OF AMERICA. Any action or proceeding brought by anyone
        arising out of or related to these terms and conditions shall be brought only in
        a state or federal court of competent jurisdiction located in the county of
        Santa Clara, California, and the parties hereby consent to the jurisdiction and
        venue of said courts. Should any term of these terms and conditions be declared
        void or unenforceable by any court of competent jurisdiction, such declaration
        shall have no effect on the remaining terms hereof. These terms and conditions
        are in the English language, and only the English language version hereof,
        regardless of the existence of other language translations of these terms and
        conditions, shall be controlling in all respects. The failure of either party to
        enforce any rights granted hereunder or to take action against the other party
        in the event of any breach hereunder shall not be deemed a waiver by that party
        as to subsequent enforcement of rights or subsequent actions in the event of
        future breaches. Network Associates reserves the right at any time without
        liability or prior notice to change the features or characteristics of this
        Software Product, or its documentation and related materials, or future versions
        thereof. These terms and conditions constitute the complete and exclusive
        statement of the agreement between us which supersedes any proposal or prior
        agreement, oral or written, and any other communication between us relating to
        the subject matter of these terms and conditions.

        Copyright (c) 1990-1998 Network Associates, Inc. and its affiliated companies. All
        rights reserved. PGP and Pretty Good Privacy are registered trademarks of
        Network Associates, Inc. and its affiliated companies. The Software Product may
        use public key algorithms described in U.S. patent numbers 4,200,770, 4,218,582,
        4,405,829, and 4,424,414, licensed exclusively by Public Key Partners; the
        IDEA(tm) cryptographic cipher described in U.S. patent number 5,214,703,
        licensed from Ascom Tech AG; and the Northern Telecom Ltd., CAST Encryption
        Algorithm, licensed from Northern Telecom, Ltd. IDEA is a trademark of Ascom
        Tech AG. The Software Product may also include any of the following; compression
        code which is provided by Mark Adler and Jean-loup Gailly, used with permission
        from the free Info-ZIP implementation; LDAP software which is provided courtesy
        University of Michigan at Ann Arbor, Copyright (c) 1992-1996 Regents of the
        University of Michigan, All rights reserved; DB 2.0 software which is Copyright
        (c) 1990, 1993, 1994, 1995, 1996, 1997 Sleepycat Software, Inc., All rights
        reserved; software developed by the Apache Group for use in the Apache HTTP
        server project (http://www.apache.org/), Copyright (c) 1995-1997 The Apache
        Group, All rights reserved. Network Associates, Inc. and its affiliated
        companies may have patents and/or pending patent applications covering subject
        matter in this software or its documentation; the furnishing of this software or
        documentation does not give you any license to these patents. Note: Some
        countries have laws and regulations regarding the use and export of cryptography
        products; please consult your local government authority for details. Should you
        have any questions concerning these terms and conditions, or if you desire to
        contact Network Associates, Inc. for any reason, please write: Network
        Associates, Inc. Customer Service, 2805 Bowers Avenue, Santa Clara, CA 95051-
        0963. http://www.nai.com.
    • by Baki ( 72515 ) on Wednesday May 22, 2002 @12:22AM (#3563825)
      Richard Stallman was (once again) criticized by some of the slashdot crowd today in this article [slashdot.org], about being pedantic, purist, impracticle etc. PGP/GPG is an excellent example of RMS being pedantic and purist, and rightly so.

      RMS and the FSF have always been refusing to use PGP, because of its license. They have been critiziced along the same lines for this, since PGP was "free in a practical sense" i.e. free as in free beer, even though it had been written by "good guy" Phil Zimmermann. Today we may be glad that the FSF refused to use PGP, started to write GPG as soon as the RSA patent expired (i.e. as it was legally possible to write a clone without infringing on patents).
  • I find it interesting how Network Associates bought out PGP, then killed it, and is now trying to shut it down. Although it may be a long shot, could it be that the government is behind this? The government did not want PGP to be released in the first place because they thought it would threaten security...
    and for those still looking for PGP and unwilling to use GPG, there's still KaZaA.
    • and for those still looking for PGP and unwilling to use GPG, there's still KaZaA.

      OK - do we use that to make sure we have no privacy left [slashdot.org] and make using any encryption redundant, or do we use it to make sure we get a copy before they all dissapear?

      grokster, bud, grokster. 8-)

      Soko
    • NAI killed the PGP line of their products because it wasn't making any money.

      The government did not object to PGP being released; they objected to PGP being exported, and zimmerman got shit for it, and although it's unfortunate, he WAS in violation of federal export control laws regarding munitions. Yes, those laws were rediculous and unenforceable, but they pre-dated pgp by quite a number of years.

      NAI's pgp for windows is excellent. The eudora plugin works almost perfectly (automatic decryption seems to not work at all for me.. anyone know about this?). It has good keyserver and key management functions, and supports x.509 certificates as well.

  • Phil Zimmerman? (Score:2, Interesting)

    by sludgely ( 447712 )
    Has Phil made a comment yet regarding this? PGP is his child and it seems like if anyone has anything useful regarding this to say, he does. Where are you, Phil?
    • It's probably too soon for him to have made a comment; all the same, a little Googling turned up some insightful stuff: apparently, Zimmerman dissed [gnupg.org] GPG. But that was a couple of years ago. I wonder what he thinks of it now, considering that GPG is about the only PGP replacement worth considering.

      :Peter
    • Re:Phil Zimmerman? (Score:5, Informative)

      by Slashamatic ( 553801 ) on Wednesday May 22, 2002 @02:00AM (#3564077)
      I am not Phil but I worked on PGP 1.x through 2.x or so, mostly on one of the ports. First a bit of history.

      Theoretically PGP in the early days could use RSAREF from RSA Labs but it needed some calls that were not in the published interface and thus broke RSA Labs non-commercial licence.

      The thing is that Phil requested that none of our software was GPLed as he wanted to try to use parts of it commercially. Fair enough, he would keep the non-commercial version as open as he could. Actually it was pretty open by then because contributors were working in France, Germany, even, I think, Russia.

      When the program was first passed to Viacrypt. They had there own licensed RSA engine and could drop it into PGP. However PGP still used another patented algorithm, IDEA. This had to be licensed (about $15) for commercial users.

      Viacrypt then got swallowed by NAI or at least PGP was transferred with it together with Phil Zimmerman. PGP moved away from algorithms like RSA and IDEA so didn't have so many patent issues. We ended up through Phil's efforts with a version of PGP free for non-commercial use an a licensed version for the corporates. However, many of the platforms were dropped.

      The source code of PGP was printed by MIT in an OCR freindly font and the whole thing was exported legally to Norway, scanned nd put up on the pgpi server. Later, NAI did something similar to get the code to their office in Switzerland and with the availability of commercial PGP in Europe, the free version went non-commercial only.

      NAI stopped publishing source code after 6.5.8 so a lot of people stopped there with that release. Strangely, a commercially licensed user was not allowed to recompile from the free source.

      Ok, history lesson over. PGP always has had a bit of a chequered past because some people [nsa.gov] don't like it one little bit. It was a difficult product to sell but NAI seemed to have had a steady business with it. That they dropped it after 9/11 came as no suprise to anyone (it may have been making money but not enough to want to compromise sales of other s/w to the US government). However, in the background we have the OpenPGP standard (well, RFC) being developed that gave a chance for other interoperable programs like GnuPG [gnupg.org] to be developed. This project has the backing of the German government, who seem to believe in strong encryption for the masses. The software is currently far from perfect (try recompiling the Windows version), but it works and without the patented algorithms. There are some front-ends that make it reasonably user friendly. It isn't there yet, but it will be.

      In the mean time, I have seen PGP in use in Central Asia, not by terrorists, but by a Central Bank for interbank money transfers. That terrorists and criminals have used PGP is certain, but so do people like Amnesty and the Red-Cross. The use of PGP to co-ordinate attacks against the US is a massive red-herring to cover up incompetence by the FBI and INS.

  • by Cardhore ( 216574 ) on Tuesday May 21, 2002 @09:53PM (#3563289) Homepage Journal
    If your user agent happens to include "wget", watch out! "Any IP/Host seen using wget or any other mirror tool will be banned! [radiusnet.net]
    • It's unethical. but it's possible to change this. And even if it weren't included in the options, being open source it would be easy enough to change:


      `-U AGENT-STRING'
      `--user-agent=AGENT-STRING'
      Identify as AGENT-STRING to the HTTP server.


      The HTTP protocol allows the clients to identify themselves using a `User-Agent' header field. This enables distinguishing the WWW software, usually for statistical purposes or for tracing of protocol violations. Wget normally identifies as `Wget/VERSION', VERSION being the current version number of Wget.

      However, some sites have been known to impose the policy of tailoring the output according to the `User-Agent'-supplied information. While conceptually this is not such a bad idea, it has been abused by servers denying information to clients other than `Mozilla' or Microsoft `Internet Explorer'. This option allows you to change the `User-Agent' line issued by Wget. Use of this option is discouraged, unless you really know what you are doing.


    • http://crypto.radiusnet.net/archive/pgp/
      Date: Thu, 9 May 2002 13:01:40 -0500
      From: Peter_Beruk@NAI.com
      To: root@radiusnet.net, webmaster@radiusnet.net
      Subject: Network Associates, Inc. DMCA Notice

      [ The following text is in the "iso-8859-1" character set. ]
      [ Your display is set for the "US-ASCII" character set. ]
      [ Some characters may be displayed incorrectly. ]

      DMCA NOTICE OF INFRINGING MATERIAL

      Via Email: root@radiusnet.net; webmaster@radiusnet.net;
      Re: Digital Millennium Copyright Act Notice
      Dear Radiusnet.net
      I am writing on behalf of Networks Associates, Inc. and its affiliated
      companies (collectively, "Network Associates"). As you may know, Network
      Associates is a leading provider of computer software for network security
      and management. Among its business units are such well-known names as
      McAfee, PGP Security, Sniffer Technologies, and Magic Solutions.
      We have learned that Radiusnet.Net is providing access on its system or
      network to material that infringes the copyrighted work of Network
      Associates. In particular, I refer you to the web pages located at
      http://crypto.radiusnet.net/archive/pgp which contains links from your site
      that provide unauthorized copies of NAI proprietary materials, including
      software. The material on this web site infringes Network Associates'
      valuable copyrights.
      Accordingly, Network Associates requests that Radiusnet.Net immediately
      remove or disable access to this infringing material. You should know that
      Network Associates takes its intellectual property rights seriously. By
      bringing this matter to your attention, we hope that Radiusnet.Net will act
      promptly to remedy this problem.
      We have a good faith belief that use of the material described above is not
      authorized by Network Associates, any of its agents, or the law. To the
      best of our knowledge, the information contained in this notification is
      accurate.
      Under penalty of perjury, I am authorized to act on behalf of Network
      Associates. If you have any questions or concerns, please contact me at the
      address listed above. You can also reach me by e-mail at
      peter_beruk@nai.com or by phone at +1 301-947-7150.
      Thank you for your anticipated cooperation.
      Sincerely,

      Peter Beruk
      Director, Anti-Piracy Programs

      Peter Beruk
      Director, Anti-Piracy Programs
      Network Associates, Inc.
      Phone: +1.301.947.7150
      Fax: +1.301.527.0482
  • Network Associates are quite within their rights to stop people distributing their software unless they had specifically given those rights in an unrevocable way. Why is this a good thing?

    • Even more development should move to GPG as alternative options are required.
    • More people should become aware of the fragile basis of all proprietry software.
    • Network Associates will lose this business forever (they are killing PGP and that's fine by me).
    • Yeah - but can anyone explain why Network Associates wants to orphan their privacy software at a time when online privacy concerns are really coming into focus? Seems like this is a time to be getting into the market, rather than out.

      Any chance they're worried about the implications of widely available privacy software for "bad guys"?
    • they are killing PGP and that's fine by me

      Fine by you yes, but what about us that use PGP to securly e-mail friends and family on Windows machines? If they can't get copies (legally) then it will die and then I've got to go about maintaining not only a copy of my secret key but now PGP as well.

      There is more to PGP than sending and getting secure e-mails. E-mail signing and even secure data backup.

      The problem is that the freeware version of the license says that anyone can distribute it forever.
  • Looks like it's time to switch to GNU Privacy Guard [gnupg.org] if you haven't already. Does anyone know if it will be immune to this attack?


    And for those that haven't found it yet, enigmail [mozdev.org] should allow you to use GNU Privacy Guard with Mozilla [mozilla.org], even under Windows. Haven't tried it myself yet.



    • Looks like it's time to switch to GNU Privacy Guard [gnupg.org] if you haven't already. Does anyone know if it will be immune to this attack?


      You might want to poke around the link you provided. GnuPG is an implementation of RFC2440 [gnupg.org] (OpenPGP). Since OpenPGP is based on PGP, there is a certain degree of compatability between PGP and GnuPG, however, GnuPG is not based on PGP code. In short, NAI has no ownership over GnuPG in any form. Any attempts to block GnuPG with DMCA claims would be completely outlandish.


      It might be worth noting that GnuPG is also being developed with funding from the German government [gnupg.de]. Even if NAI were to try and block GnuPG with such a DMCA claim, I suspect it would be entirely futile and wouldn't even cause a hiccup in GnuPG distribution and development.

  • DMCA... (Score:3, Funny)

    by jmv ( 93421 ) on Tuesday May 21, 2002 @10:14PM (#3563384) Homepage
    Under the DMCA, I ask you to keep your dog from sh... on my lawn!!!

    Has the word DMCA been recently accepted as a synonym for "generic laswuit"?
  • it's dead, Jim (Score:3, Insightful)

    by g4dget ( 579145 ) on Tuesday May 21, 2002 @10:18PM (#3563404)
    What's the point? If it's not open source and if it's not commercially supported, it's dead. Oh, you may still be able to use it for a little while but then operating systems and libraries will drift away.
  • you know... (Score:4, Interesting)

    by kevin lyda ( 4803 ) on Tuesday May 21, 2002 @10:18PM (#3563405) Homepage
    it's too bad that people don't pay more attention to rms when he talks about freedom.

    and it's also too bad that people kept doing dev on possibly not free pgp versions instead on truly free implementations of pgp (ie gnupg).
    how many times are we going to learn this lesson?
    • how many times are we going to learn this lesson?

      I think we'll only learn it once. The question is when that one time is finally going to happen.
    • and it's also too bad that people kept doing dev on possibly not free pgp versions instead on truly free implementations of pgp

      It's terrible, yes. So...are you going to pay the people a salary to work on the free versions or shall I?

      What? You're not prepared to pay for it? Then how are these coders going to earn their living?

      It's good that free alternatives can be developed by those with the interest and time. However, don't knock the people working on the closed stuff - they're just earning their living like any other coder.

      Cheers,
      Ian

      • uh, moron, i was referring to people contributing code to the non-free versions. not the people paid to do it, just the ones who were contributing code thinking it was free software when it was actually just "free beer" software.
  • My PGP EULA (Score:5, Informative)

    by SignalFreq ( 580297 ) on Tuesday May 21, 2002 @10:20PM (#3563411)

    A quick look at the documentation that came with my version of PGP Freeware:

    Network Associates Freeware End User License Agreement
    (Non-Commercial Use and Distribution Only)

    1. License Grant. Subject to the terms and conditions of this Agreement, Network Associates hereby grants to you a non-exclusive, non-transferable right to use, copy and distribute solely for Non-Commercial Purposes (as defined below) the specified version of the Software and the accompanying documentation (the "Documentation").

    a. For purposes of the foregoing, "non-commercial purposes" means non-commercial, non-governmental use, including, without limitation, home use for personal correspondence, student or academic use, or use by non-profit human rights organizations. The Software is "in use" when it is loaded into the temporary memory (i.e., RAM) or installed into the permanent memory (e.g., hard disk, CD ROM, or other storage device) of a computer for the purpose of being accessible in client-mode by an end user.

    b. You may make exact, unmodified copies of the Software and distribute such copies solely (i) by electronic means; (ii) for Non-Commercial Purposes; and (iii) with all proprietary notices (including without limitation all copyright notices and this End User License Agreement) intact and unmodified or obscured.

    ... blah, blah, blah...

    3. Term. This Agreement is effective unless and until earlier terminated as set forth herein. This Agreement will terminate automatically if you fail to comply with any of the limitations or other requirements described herein. Upon any termination or expiration of this Agreement, you must destroy all copies of the Software and the Documentation.

    11. Miscellaneous. This Agreement is governed by the laws of the United States and the State of California, without reference to conflict of laws principles. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. This Agreement sets forth all rights for the user of the Software and is the entire agreement between the parties. This Agreement supersedes any other communications with respect to the Software and Documentation. This Agreement may not be modified except by a written addendum issued by a duly authorized representative of Network Associates. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by Network Associates or a duly authorized representative of Network Associates. If any provision of this Agreement is held invalid, the remainder of this Agreement shall continue in full force and effect. The parties confirm that it is their wish that this Agreement has been written in the English language only.

    Quick overview of the sections not included:
    2. Restictions: no renting/leasing/loading/reselling.
    4. Updates: No tech support.
    5. Ownership Rights: They still own all the copyrights.
    6. Warrant Disclaimer: "As is" software.
    7. Limitation of Liability: I can't hold them liable.
    8. US Government:
    9. Export Controls: Don't let it cross a border! oh no!
    10. High Risk Activities: Don't use this inconjunction with life-support, etc.

    So, section 1 grants me the right to use, copy and distribute PGP. Section 3, there is no expressed limit on the amount of time I can use it. The only limiting factor is section 11, which gives them the right to modify by a written addendum.

    Damn. Guess I'll just have to switch to GPG.

    - SignalFreq
  • by Anonymous Coward on Tuesday May 21, 2002 @10:20PM (#3563413)
    Hi all,

    I think we'll all find that this ends up being less of a problem than it seems to be, and certainly one unworthy of Declan's attention. The first thing to consider is that of the couple of security/crypto archives out there (Wiretapped [wiretapped.net], munitions.vipul.net [vipul.net], the old zedz.net site [zedz.net], Packetstorm [packetstormsecurity.org]), the crypto.radiusnet.net one is the only one of the group that is out of date, disorganised and discourages mirroring. Look over the site, and you'll see what I mean. The second thing to consider is that (as another poster has already mentioned) PGPi.org has the explicitly freeware versions of the software available on a number of mirrors worldwide, and does not appear to have been made a target here.

    Conspiracy theories aside, if they were mirroring commercial versions of the product, NAI is well within their rights to pursue them, and I'm sure the other legitimate crypto/security archive sites will be glad to see crypto.radiusnet.net stop sullying their good names by association.

    • GPi.org has the explicitly freeware versions of the software available on a number of mirrors worldwide, and does not appear to have been made a target here.

      It's kind of hard to enforce the DCMA outside the US, isn't it?

      NA is no longer selling PGP, right? It's a cost cutting measure, right? Sure, it's much cheaper to not defy your government and remain in business.

      I've seen a lot of posts here accusing radius of being a Warez site. Sounds like big bullshit to me. That letter would have been sent bye the "anti-piracy" division long ago if this were true. Are these posters telling me that radius really does not know what NA has asked them to remove?

      NA is within their legal rights in anycase. Their goofey EULA explicity alowed this kind of behavior, and US laws back them up. You never really owned it, you just used it. It's unatural, it's wasteful and it's stupid. That's why there is free software. [fsf.org]. Drink all the free beer you want, but don't complain about the hangover or the night you spent sobering up in jail, or the little girl you ran over under the influence. The rest of us will tell you how obnoxious you were later.

  • NOT FREE (Score:5, Informative)

    by Anonymous Coward on Tuesday May 21, 2002 @10:35PM (#3563454)
    The version hosted on radiusnet was not a freeware version nor public domain, or whatever. It was PGP corporate desktop and other various COPYRIGHTED materials. I visited that sight every month or so for updated versions. Of course, now I use gpgp ;)
  • I've still got the installer for the newest version of free PGP for windows. If anyone wants it.
  • Well, first off, this really isn't a problem seeing as how the superior (and open) GnuPG is available to all. (And yes, there are GUIs available.)

    On the other hand, it's a scary look at how copyright with regards to software has apparently evolved into 'information control' instead of right to have a copy. How many proprietary software EULA's include a clause that XYZ company may terminate the license at any time? If I'm not mistaken, that means that someone like M$ or Adobe can walk into any office in the US that uses their software and shut them down at their own whim. And is there even a legal framework for forcing a refund? So lawyers or law experts, what you say about this?

    If this is all true, you RMS bashing folks in the crowd ought to give the 'all proprietary is evil' ideology another mental run-around before something else like this comes around and bites you. How long before we need a "War on Proprietary Software"? (-:
    • Well, technically, GNU software is proprietary. All that means is someone owns it. Company software (like MSWindows) is Trade secret, proprietary, and liscensed software. GPL stuff is STILL OWNED. By whom, you ask? Anybody who contributes to the code base.

      Say, a company goes to Linus and offers to buy an exclusive linux kernel for X dollars to him for unlimited liscense. OK. All he has to do is get an UNANIMOUS vote from EVERY DEVELOPER(lest that be thousands of lines of code, or a simple 1 liner) a YES to allow that liscense.

      Effectively, GPL locks out companies from using thier code directly.
      • Effectively, GPL locks out companies from using thier code directly.

        On the contrary: the GPL allows any company to use the licensed code. They just can't re-release it under a non-GPL license.

        As an interesting twist, this means that IBM has a say in whether LInux goes proprietary. I leave as an exercise for the reader to determine whether this could pose a problem later.

  • To do list (Score:2, Interesting)

    by corebreech ( 469871 )
    I know gnupg [gnupg.org] has made some very big strides in this area, but clearly, now is the time to devise a framework upon which popular encryption is allowed to survive PGP.

    The point isn't whether the geeks can do it. The point is whether some poor, persecuted soul in some totalitarian country, like -- um, you know -- can click a button and send an email out of the country or to his best friend, securely.

    Clearly we would like to see front-ends developed for all the popular email applications that can accept code implementing any kind of encryption scheme whatsoever, and encryption algorithms that can fit into any popular email application available.

    If somebody comes up with a new encryption algorithm, they shouldn't have to write code to support Evolution, Eudora, Outlook Express, so forth and so on.

    Likewise, somebody should be able to write a front-end for a email application according to a specific API and expect to see every available encryption algorithm thus far implemented available from within that email application.

    And of course, it all needs to be open source. If anything needs to be open source, it is this.

    gnupg is great, but it presumes a single algorithm, doesn't it? Wouldn't it be much better to make it easier to introduce new algorithms into the mix? Put yourself in the position of the GS-7 analyst sitting in Virginia who has to run all these decipher jobs. If he gets to *assume* that the encryption being used is pgp-style, his workload is modest, he just needs to feed the file to the program.

    But if he first has to figure out what algorithm is being used, suddenly his job becomes many orders of magnitude harder. Especially if there are hundreds if not thousands of algorithms out there, each and every one available to the common man for his use.

    I know we're not supposed to rely on obscurity for encryption, but that presumes your only interest is in protecting a single channel of communication. If your interest is in protecting *all* channels of communication, obscurity becomes viable. Something as trivial as taking the output of gnupg and exclusive-or'ing with a Erica Rose Campbell jpeg would add another - if - statement to the NSA's decryption code. Add another 100 jpegs every day and very quickly the NSA's job becomes very, very hard.

    I never liked PGP. They zip before encrypting, and I could never get an answer from Zimmermann as to whether or not the checksum survived the zip. If the checksum survives, all the NSA has to do is unzip every try at an encrypted file and see if the checksums match. Strip out the checksum, and their job becomes much harder. The checksum needs to go.
    • gnupg is great, but it presumes a single algorithm, doesn't it?

      No. Everything's done by pluggable modules, and there are several choices of algorithm.

      But if he first has to figure out what algorithm is being used, suddenly his job becomes many orders of magnitude harder.

      It becomes n times harder, where n is the number of algorithms. Assuming, of course, that each of those algorithms is equally secure. In practice, there are a handful of algorithms that have been pounded hard enough to believe secure. Many other algorithms, especially those done by an untrained amature, will fall apart under the hands of a decent cryptoanalyist. It's much better to double your key length then to try and make choice of algorithm part of the encryption. (GPG includes the algorithm choice in plain text due to this principle.)
      • I'll take your word for gnupg's pluggability, since no mention seems to be made of it in the documentation... but I'll read it again.

        However...

        I think you miss the point regarding the value of increasing the number of algorithms. The complexity increase is not n times but rather n factorial. Algorithms can be applied in daisy-chain fashion upon other algorithms. Even a trivial algorithm works here.

        Yes, a decent cryptoanalyst will tear apart a trivial algorithm, but how many decent cryptoanalysts are there? More than the number of people who can choose any combination of installed algorithms via point-and-click?

        No.

        Again, we've been trained to think about this as a problem of protecting a single channel. All of that is still valid, for that one specific problem. The problem of how to get the NSA to give up this travesty of a cause is quite another, and it is realizable only by demonstrating to them the impossibility of the problem they are attempting to solve.

        For instance, does gnupg allow me to plug in a one-time pad as an encryption algorithm? I don't think so. The gui I'm envisioning would. Yes, there are practical considerations in the use of the one-time pad, but once those are met, the resulting communication is impervious to cryptoanalysis, regardless of the technology the NSA is wielding.

        For instance, two friends at graduation who are going their separate ways, agree to rip a CD using /dev/random, make a copy, and use those 680MB to encrypt the emails they send to one another... for life. Very cool, very doable... very unbreakable.

        Get enough people doing that, along with people using the encoder rings they got in their box of Cap't Crunch, and rot13, and all the trivial extensions of all the serious encryption algorithms and the NSA will be swimming in complexity... a kind of complexity they can't easily leverage their hardware to tame.
        • The complexity increase is not n times but rather n factorial

          A complexity increase that can disappear in an instant, and comes at the cost of using a good algorithm.

          Algorithms can be applied in daisy-chain fashion upon other algorithms.

          Which, in some cases, will render them worthless as they counteract each other.

          Yes, a decent cryptoanalyst will tear apart a trivial algorithm, but how many decent cryptoanalysts are there?

          If you don't want to keep it from a decent cryptoanalyst, why bother using serious encryption in the first case?

          For instance, two friends at graduation who are going their separate ways, agree to rip a CD using /dev/random, make a copy, and use those 680MB to encrypt the emails they send to one another... for life. Very cool, very doable... very unbreakable.

          I don't know how many years it would take to get 680MB from /dev/random, but it isn't going to be quick. In any case, who cares? Add a patch to GPG to do this, but don't think there will be many users.

          the NSA will be swimming in complexity... a kind of complexity they can't easily leverage their hardware to tame.

          I would be surprised. One good algorithm used by the people they want to watch would give them trouble. A thousand lousy ones will merely make their jobs more interesting - "hey, look, here's another idiot using MD4. Haven't seen that in a while."
          • I don't have anything to say at the moment about the larger issues being debated in this thread but I do have something to say about random number sources. If I wanted to fill a CD with good random numbers /dev/urandom is not how I would go about it. The quality of /dev/urandom is reasonable as uses bits of fluff like the delay between keypresses and chatter from the device drivers to create an "entropy pool" to seed a pseudorandom algorithm with. The problem is that it is slooooowwww. Most goings on in a normal desktop PC are very very ordered and deterministic. The few that aren't represent a very small amount of entropy.

            All of this means that the process that is generating your iso is going to see short bursts of data inbetween long periods of entropy gathering. That CD will probably take hours at least to generate. Also I said the quality of the data is "reasonable". If one means to keep the government or a well heeled corporate attacker out of the cyphertext it may not be good enough. Even the non-deterministic processes in a PC likely have a fair amount of order in them. In other words, that entropy pool is probably good enough to make a 2048 bit assymetric key. It probably wouldn't do for a 650MB iso. The longer the string of numbers, the more likely hidden order can be found.

            The way I would is to sample the output of a white noise generator. The output of the ADC is then used to seed a good pseudorandom algorithm. The reason why we use the white noise as a seed is to obliterate any bias in the data caused by such factors as the slew rate, bandpass of the analog circuitry making the white noise or any subtle imperfection that may exist in the ADC. A reverse biased transistor is one source of analog noise. This would be a high speed generator of quality random numbers. The speed would only be limited by the clock rate of the ADC or rate at which the PC can process the output.
        • Your basic problem, pointed out many times, is that you're applying the _wrong_ math to the problem.

          Cryptanalysis isn't random probabilities from discrete 101 ... its large number theory (in most cases) and usually uses direct analysis, not trial and error.
    • Are you trolling? (Score:5, Informative)

      by rjh ( 40933 ) <rjh@sixdemonbag.org> on Wednesday May 22, 2002 @12:50AM (#3563913)
      Really. You're painfully uninformed.

      If somebody comes up with a new encryption algorithm, they shouldn't have to write code to support Evolution, Eudora, Outlook Express, so forth and so on.

      They don't. RFC2440 (plus RFC2015, 3156, etc.) are extensible; they support a broad variety of algorithms and are designed to support future algorithms. RTFFAQ.

      Likewise, somebody should be able to write a front-end for a email application according to a specific API and expect to see every available encryption algorithm thus far implemented available from within that email application.

      Microsoft CAPI provides just this. GPG Made Easy (GPGME) also makes it almost trivial to incorporate crypto support into your application. (ObDisclosure: I'm working on C++ bindings for GPGME, so I'm biased.)

      gnupg is great, but it presumes a single algorithm, doesn't it?

      RTFFAQ. OpenPGP supports more algorithms than you can shake a stick at. For instance:
      • IDEA
      • 3DES
      • CAST5-128
      • Blowfish
      • Rijndael/AES-128, -192, -256
      • Twofish
      • RSA
      • El Gamal
      • DSA


      Wouldn't it be much better to make it easier to introduce new algorithms into the mix?

      No. In fact, I personally dislike the fact that most PGP implementations (including GnuPG) support so many algorithms. Every implementation must support 3DES, and y'know, 3DES has a twenty-five year track record of turning brilliant cryptanalysts into burned-out alcoholic wrecks. Anyone who wishes to use AES256 for "security" is missing the point--the most trusted algorithms aren't the latest sexy things. The most trusted algorithms are the ones which are older than God and uglier than a Soviet worker's housing bloc.

      If he gets to *assume* that the encryption being used is pgp-style, his workload is modest, he just needs to feed the file to the program.

      The analyst is already going to know what algorithms you're using. The way you plan these things is to assume the analyst has access to tens of thousands of times more computing power than exists in the world, tens of thousands of times more memory than exists in the world, knows you better than your wife does, and knows every last detail of your cryptosystem except what your key is.

      Assuming anything else is absolute folly.

      And yes, I am a cryptographer.

      Especially if there are hundreds if not thousands of algorithms out there, each and every one available to the common man for his use.

      There are three symmetric algorithms I would trust my deepest secrets to. IDEA, 3DES and Blowfish. AES isn't on that list (won't be for another couple of years while peer review shakes out). If I'm a professional in this field, and out of the literally thousands of different symmetric block ciphers proposed over the years I can only find three which I recommend without hesitation, and the other 997+ range somewhere between interesting-but-flawed and fatally stupid, I really doubt that you--a layman with no experience whatsoever--will be able to intelligently choose the three good ciphers out of a field which consists, mostly, of spectacularly bad ones.

      Something as trivial as taking the output of gnupg and exclusive-or'ing with a Erica Rose Campbell jpeg would add another - if - statement to the NSA's decryption code

      Please go read this book: Codebreaking, by Rudolf Kippenhahn. You have a critical misunderstanding of how cryptanalysis works. It doesn't work by a series of "try this, then try that, then try..." It works by looking for redundancies, patterns, in data and then creating a mathematical model which can recreate those same redundancies and patterns. If you're XORing with a JPEG, you're not going to be making it appreciably harder to break. There's a lot of mathematical order in a JPEG.

      I would bother responding to your last comment about why PGP is "weak", but really, it's clear that you're talking through your hat. I can believe that you're utterly clueless, or I can believe that you're trolling. If the latter, then HAND, IABT. If the former, then please go off and read up on the subject.

      I'd suggest starting with David Kahn's The Codebreakers, from there Rudolf Kippenhahn's Codebreaking, then Schneier's Secrets and Lies. Only then start to work on Applied Cryptography and the Handbook of Applied Cryptography.
      • OK, I see /. truncates messages, it's happened to my reply (first time I've seen it happen to me) and it happened to your message. I'm particularly interested in how you were going to finish the following sentence:

        I would bother responding to your last comment about why PGP is "weak", but really, it's c

        Again, I was making a big deal about the checksum appearing in the zip file that PGP creates before encrypting.

        You don't think that's a problem?
  • Whats funny... (Score:2, Insightful)

    by f0rtytw0 ( 446153 )
    Whats funny is originally PGP was released for free on the internet at a time when encryption software had heavy export restrictions. Being released for free on the internet was what made it so popular.
  • by Dogcow ( 7944 ) on Tuesday May 21, 2002 @11:48PM (#3563736)
    ---------- Forwarded message ----------
    Date: Wed, 22 May 2002 14:41:59 +1000 (EST)
    From: Grant Bayley
    To: Declan McCullagh , R. A. Hettinga ,
    Meyer Wolfsheim , peter_beruk@nai.com
    Subject: Re: NAI pulls out the DMCA stick.

    Hi Declan, others.

    The hype being generated by the "NAI pulls out the DMCA stick" postings and the spectre of PGP being "removed from the Internet" is entirely bogus, and provably so with a little bit of fact checking.

    Looking through the Google cache, it becomes very clear very quickly that crypto.radiusnet.net was hosting a copy of the commercial version of the software - not a copy of the PGPi (aka freeware) version of the PGP product. Given that this is the case, NAI is well within their rights to demand the removal of the files.

    You can confirm this in the Google Cache, here:

    http://216.239.33.100/search?q=cache:QA-H5VtPvP4 C: crypto.radiusnet.net/archive/pgp/+&hl=en

    Keep in mind that of the couple of crypto/security archives out there, the radiusnet one is basically the "abortion" of the bunch. It's disorganised and out of date in so many places as to be dangerous.

    By "crypto/security archives", I'm referring to Wiretapped (www.wiretapped.net, which I operate), munitions.vipul.net, the zedz.net archives (ftp://ftp.zedz.net/) and Packetstorm (www.packetstormsecurity.org).

    If this is the straw that breaks the radiusnet camel's back, I for one won't be complaining, if only because of the old and out of date material
    on the site. In the case of tools that perform a security function using crypto (IPSec, ssh etc), being updated is critical, as a number of the older versions of the software have contained serious security problems.

    Grant
  • by Anonymous Coward on Wednesday May 22, 2002 @12:17AM (#3563806)
    The subject line here should be: Free Software Advocates shoot their mouth off without checking the facts.

    Over 100 posts, and only one or maybe two have hit the nail on the head - the site was posting commercial, proprietary software. Not free software in whatever sense you like to use the term. Not open source either.

    Please guys, get your facts right before posting.

    Whoops - I forgot - this is Slashdot.

    Home of irresponsible adhocratic journalism...
  • Misleading headline (Score:3, Informative)

    by Simon Garlick ( 104721 ) on Wednesday May 22, 2002 @01:28AM (#3564012)
    So NAI wants to stop warez distribution of its full commercial (unbuyable or not) registered PGP suite. Perfectly reasonable.

    Good to see the Slashdot editorial team is on the job! Nice work, Timothy!
  • by tandoor ( 571899 ) on Wednesday May 22, 2002 @04:46AM (#3564383) Homepage
    Imad's PGP Page [ipgpp.com]

    He's been updating the latest source release of PGP (6.5.8), adding features, and fixing bugs. The latest solid release if Build 08

    Imad is based in Lebanon (so you can guess what he thinks of US IP Lawyers' threats)
  • It's about time that encryption was recognised as a tool to keep governments from spying on private citizens. The idea is that Goverment should have the power to spy on its citizens, but not that is should spend all of its time and resources doing so.

  • NAI no longer publishes their source code. Backdoors? "Trust us", they say. "Fuck that", I say.

A conclusion is simply the place where someone got tired of thinking.

Working...