SCN: GnuPG
Steve
steve at advocate.net
Sat Mar 30 13:25:30 PST 2002
x-no-archive: yes
====================
(Bill Lamb, Salon)---When Network Associates halted development of its widely respected PGP (Pretty Good Privacy) desktop encryption software in late February, Julian Koh worried about his "postcards."

Koh considers everything that passes across the Internet -- e-mail, mailing list postings, Web pages -- as no more private than postcards that can be read by anyone along their path. That realization long ago inspired an epiphany for the Northwestern University network engineer: "I was really amazed at the ease with which my network traffic could be intercepted and examined, even with no malicious intent whatsoever."

It wasn't a question of Koh having secrets. There are just some things that are no one else's business. So for the past five years, both at work and at home, he has used PGP to routinely encrypt potentially sensitive communication, turning ordinary data into bits and bytes of meaningless gibberish readable only by those with the proper digital key.

"Typically, I digitally sign most of my outgoing messages, and several people and organizations with whom I correspond regularly also require encryption of messages," he says.

But online security, just like everything else, is subject to the ebb and flow of capitalism -- and the relentless releases of new software products with which one must be compatible. Updated operating systems from Microsoft and Apple require updated versions of PGP, but Network Associates is currently not making the necessary improvements. Koh and tens of thousands of other PGP users have been forced to seek alternatives.

Increasingly, they're finding haven in a small corner of the open-source software world, bringing both opportunity and new users to an oddly named and heretofore little-known programming effort fueled by volunteers: GnuPG.

The synergies of the relationship are obvious: open-source software and cryptography are two sublimely geeky obsessions that go well together. But the story of how GnuPG is coming to the cryptogeek rescue also illuminates some of the limitations of open-source, or free software. Even a relatively slick consumer product like PGP has been deemed too technically challenging by many normal computer users -- despite widespread anxieties about privacy on the part of the general Internet-using population. And making a software program easy to use is exactly the challenge that open-source software has historically been weakest at meeting.

When programmer Phil Zimmermann dubbed his pet encryption software "Pretty Good Privacy" it was a master stroke of subtle understatement. PGP's mathematical heart is so complex that it defies any meaningful lay description. The result of using it, however, is easily grasped: data so jumbled that, according to its developers and some cryptography experts, our sun would burn out before all computers now in existence, working together, would have time to find the correct key for a single message. New advances in computing could ultimately change that, but for the moment, PGP is more than just pretty good.

PGP is an implementation of public key cryptography in which the "keys" that lock and unlock the meaning of a message are produced in pairs, public and private. The public key is just that, and is distributed to anyone who might wish to send the user an encrypted message. The private key is kept by the user for decrypting messages, turning them back into readable form.

Cryptographer and security specialist Bruce Schneier, in his book "Applied Cryptography," called the public key system "the most striking development in the history of cryptography."

Software engineer and privacy activist Zimmermann put the system to practical use in 1991, creating the first crude version of PGP and releasing it as freeware. "PGP empowers people to take their privacy into their own hands," Zimmermann wrote in the original program's user guide. "There has been a growing social need for it. That's why I wrote it."

PGP spread worldwide on the Internet, and Zimmermann faced a three-year federal investigation for violating then-strict regulations regarding the export of cryptographic software. When the government case was dropped in 1996, Zimmermann formed PGP Inc., and the modern age of consumer desktop encryption was born. PGP Inc. became a part of Network Associates in 1997.

Like the system itself, PGP is both public and private. While Network Associates' source code is proprietary and no longer released to the general public, PGP, as a concept, lives in the open through the OpenPGP movement, a set of design specifications intended to make all forms of PGP-like public key systems interoperable.

Enter GNU (pronounced "guh-NEW") Privacy Guard, also called GnuPG.

GNU (a "recursive acronym" meaning "GNU's Not Unix") was launched in 1984 to develop and maintain a free and open-source "Unix-like" operating system. The GnuPG project is an OpenPGP offshoot managed by the German Unix Users Group and begun in response to U.S. export restrictions.

In a move seen as a rebuff of American pressure to tighten its restrictions on cryptographic technologies, the German government awarded the fledgling software effort a $177,000 grant in 1999. "In Germany, we are really free to do anything now," Werner Koch, head of the GnuPG movement, said of the German funding.

Now, just two years later, Koch and his GnuPG team have a robust application available for multiple platforms -- and a new pool of potential users with which to grow.

"I expected something like this," Koch said of PGP's demise. "They (Network Associates) have moved away from an encryption tool to a 'do everything security solution with the name PGP.' But it might have turned out that the name PGP didn't help that much in marketing."

GnuPG's marketing amounts to little more than word-of-mouth and Web sites. But those appear adequate. Discussion of GnuPG slipped onto the scene in PGP-related newsgroups and e-mail lists with surprising stealth. No announcements, no fanfare. It was just there one day, being recommended to an increasing number of inquisitive Windows and Macintosh users as a possible replacement for PGP.

Koch, who oversees GnuPG development from Germany, said the number of visitors to the GnuPG site each week has almost doubled since Jan. 6, rising from 11,249 to 20,689. While download numbers are difficult to measure since approximately 30 sites mirror the GnuPG files, Koch said GnuPG's main server is registering approximately 2,000 downloads per week for the application's Windows version and about the same for the Unix version. That's up from approximately 1,700 each earlier this year, he said.

Downloads of the relatively new GnuPG version designed for Apple's new operating system, Mac OS X, have also jumped sharply, and new user interface tools for OS X have been introduced within the past month -- and updated since then.

"I don't really have time for a full quantitative analysis, but I think that interest is about three times what it was," said Gordon Worley, a 19-year-old Orlando, Fla., computer science student who oversees the Mac OS X version of GnuPG. "A lot of work is getting done in the MacGPG project because users of PGP are realizing that they have to find a solution when migrating to OS X."

Zimmermann, now a consultant who remains active in the OpenPGP movement, indicated the Network Associates experience should be an example to privacy advocates.

"... It is dangerous to put all your eggs in one basket, and we can clearly see now how bad it can be to allow PGP to be buried by a company that owns it exclusively," he said. "We are all fortunate that GPG was developed."

After Network Associates purchased PGP, commercial releases began to include services not required by the average user -- virtual private networking, software firewall protection, key sharing and even a third-party corporate key recovery system. GnuPG, on the other hand, concentrates on the basics of digital signatures, e-mail and file encryption, and key management.

And that's all that is required to protect Koh's postcards: "My prediction is that I will eventually end up with GnuPG installed on my machine."

But what about the rest of the world?

The open-source software movement, long the domain of highly talented and motivated programmers working toward a socio-technical ideal and for love of the craft, now is confronting the different expectations of a PGP consumer base unwilling to surrender ease of use.

Network Associates, building on Zimmermann's work after purchasing his company, made significant strides in hiding the arcane and promoting the simple. Both Windows and Mac users finally could point-and-click their way to a more secure desktop and communications environment. At least a rudimentary understanding of the nature of public and private keys, and how to use them, was still required, but a comprehensive guide accompanying the software put the issues in as plain terms as possible.

"Ease of use is critical," said Zimmermann. "E-mail encryption is used by only a small segment of the population of e-mail users largely because of ease-of-use issues."

The GnuPG project isn't yet that advanced when it comes to the user experience, Koch concedes.

GnuPG is the engine that drives the encryption system: encrypting, decrypting, signing and verifying, and creating and managing public and private keys. Yet it relies on command-line entries. Installation requires some minimal direct input of text commands. Graphical interfaces are available, but they are separate, not part of the basic GnuPG package.
Even Mac OS X users will find that installation of the basic MacGPG package requires inputting text commands. And Worley, the Mac team's leader, is very aware that Mac users are accustomed to more polish. "We have preliminary versions of most of the software that the average PGP user will need on OS X, but more work is needed. Our software does not fulfill the expectations of the Mac experience yet."

Open-source can also mean "closed climate," with developers working only to meet their own desires and those of a relatively small and stable base of users and fans. The strength of the movement -- distributed development by volunteer programmers worldwide -- isn't geared toward the sudden appearance of clamoring consumers with questions, complaints and wish lists in hand.

Eric S. Raymond, president and co-founder of the Open Source Initiative, says the system will adjust.

"In fact, I think this kind of bombardment is a good thing. I think it is exactly what open-source developers need to get a clue about the way actual end-users think."

The commercial adage that the customer is always right still rules, he said.

"Much of the open-source community is still weak at end-user UI. Most hackers have not yet assimilated the knowledge or the attitude necessary to serve end-users like these. This will change, but it won't change overnight."

Despite its surge in user popularity, GnuPG may not remain the long-term sole source for new PGP applications. Network Associates' new code is locked away, but the company still hopes to sell it. And the OpenPGP standard means that anyone with the will or the money -- or both -- can create and market a new product. Privacy advocates say that's precisely the point.

"The general public seems very unaware and unconcerned with basic issues of privacy and how their use of the Internet contributes to major loss of privacy," said Tom McCune, a PGP user from Holland Patent, N.Y., who maintains a popular Web site dedicated to PGP issues. "For those with some level of awareness, there is a basic attitude of just not wanting to be bothered with doing something about it, and this is tremendously complicated by general lack of technical skill."

Advocates believe open development by several companies, private organizations and individual programmers will lead to even more improvements, wider use and, ultimately, greater protection of personal privacy.
Copyright 2002 Salon.com