Information Security News mailing list archives

Pretty geeky privacy


From: InfoSec News <isn () c4i org>
Date: Thu, 28 Mar 2002 01:03:56 -0600 (CST)

http://www.salon.com/tech/feature/2002/03/27/gnupg/index.html?x

By Bill Lamb
March 27, 2002  

When Network Associates halted development of its widely respected PGP
(Pretty Good Privacy) desktop encryption software in late February,
Julian Koh worried about his "postcards."

Koh considers everything that passes across the Internet -- e-mail,
mailing list postings, Web pages -- as no more private than postcards
that can be read by anyone along their path. That realization long ago
inspired an epiphany for the Northwestern University network engineer:  
"I was really amazed at the ease with which my network traffic could
be intercepted and examined, even with no malicious intent
whatsoever."

It wasn't a question of Koh having secrets. There are just some things
that are no one else's business. So for the past five years, both at
work and at home, he has used PGP to routinely encrypt potentially
sensitive communication, turning ordinary data into bits and bytes of
meaningless gibberish readable only by those with the proper digital
key.

"Typically, I [digitally] sign most of my outgoing messages, and
several people and organizations with whom I correspond regularly also
require encryption of messages," he says.

But online security, just like everything else, is subject to the ebb
and flow of capitalism -- and the relentless releases of new software
products with which one must be compatible. Updated operating systems
from Microsoft and Apple require updated versions of PGP, but Network
Associates is currently not making the necessary improvements. Koh and
tens of thousands of other PGP users have been forced to seek
alternatives.

Increasingly, they're finding haven in a small corner of the
open-source software world, bringing both opportunity and new users to
an oddly named and heretofore little-known programming effort fueled
by volunteers: GnuPG.

The synergies of the relationship are obvious: open-source software
and cryptography are two sublimely geeky obsessions that go well
together. But the story of how GnuPG is coming to the cryptogeek
rescue also illuminates some of the limitations of open-source, or
free software. Even a relatively slick consumer product like PGP has
been deemed too technically challenging by many normal computer users
-- despite widespread anxieties about privacy on the part of the
general Internet-using population. And making a software program easy
to use is exactly the challenge that open-source software has
historically been weakest at meeting.

When programmer Phil Zimmermann dubbed his pet encryption software
"Pretty Good Privacy" it was a master stroke of subtle understatement.  
PGP's mathematical heart is so complex that it defies any meaningful
lay description. The result of using it, however, is easily grasped:  
data so jumbled that, according to its developers and some
cryptography experts, our sun would burn out before all computers now
in existence, working together, would have time to find the correct
key for a single message. New advances in computing could ultimately
change that, but for the moment, PGP is more than just pretty good.

PGP is an implementation of public key cryptography in which the
"keys" that lock and unlock the meaning of a message are produced in
pairs, public and private. The public key is just that, and is
distributed to anyone who might wish to send the user an encrypted
message. The private key is kept by the user for decrypting messages,
turning them back into readable form. Cryptographer and security
specialist Bruce Schneier, in his book "Applied Cryptography," called
the public key system "the most striking development in the history of
cryptography."

Software engineer and privacy activist Zimmermann put the system to
practical use in 1991, creating the first crude version of PGP and
releasing it as freeware. "PGP empowers people to take their privacy
into their own hands," Zimmermann wrote in the original program's user
guide. "There has been a growing social need for it. That's why I
wrote it."

PGP spread worldwide on the Internet, and Zimmermann faced a
three-year federal investigation for violating then-strict regulations
regarding the export of cryptographic software. When the government
case was dropped in 1996, Zimmermann formed PGP Inc., and the modern
age of consumer desktop encryption was born. PGP Inc. became a part of
Network Associates in 1997.

Like the system itself, PGP is both public and private. While Network
Associates' source code is proprietary and no longer released to the
general public, PGP, as a concept, lives in the open through the
OpenPGP movement, a set of design specifications intended to make all
forms of PGP-like public key systems interoperable.

Enter GNU (pronounced "guh-NEW") Privacy Guard, also called GnuPG.

GNU (a "recursive acronym" meaning "GNU's Not Unix") was launched in
1984 to develop and maintain a free and open-source "Unix-like"  
operating system. The GnuPG project is an OpenPGP offshoot managed by
the German Unix Users Group and begun in response to U.S. export
restrictions.

In a move seen as a rebuff of American pressure to tighten its
restrictions on cryptographic technologies, the German government
awarded the fledgling software effort a $177,000 grant in 1999. "In
Germany, we are really free to do anything now," Werner Koch, head of
the GnuPG movement, said of the German funding.

Now, just two years later, Koch and his GnuPG team have a robust
application available for multiple platforms -- and a new pool of
potential users with which to grow.

"I expected something like this," Koch said of PGP's demise. "They
(Network Associates) have moved away from an encryption tool to a 'do
everything security solution with the name PGP.' [But] it might have
turned out that the name PGP didn't help that much in marketing."

GnuPG's marketing amounts to little more than word-of-mouth and Web
sites. But those appear adequate. Discussion of GnuPG slipped onto the
scene in PGP-related newsgroups and e-mail lists with surprising
stealth. No announcements, no fanfare. It was just there one day,
being recommended to an increasing number of inquisitive Windows and
Macintosh users as a possible replacement for PGP.

Koch, who oversees GnuPG development from Germany, said the number of
visitors to the GnuPG site each week has almost doubled since Jan. 6,
rising from 11,249 to 20,689. While download numbers are difficult to
measure since approximately 30 sites mirror the GnuPG files, Koch said
GnuPG's main server is registering approximately 2,000 downloads per
week for the application's Windows version and about the same for the
Unix version. That's up from approximately 1,700 each earlier this
year, he said.

Downloads of the relatively new GnuPG version designed for Apple's new
operating system, Mac OS X, have also jumped sharply, and new user
interface tools for OS X have been introduced within the past month --
and updated since then.

"I don't really have time for a full quantitative analysis, but I
think that interest is about three times what it was," said Gordon
Worley, a 19-year-old Orlando, Fla., computer science student who
oversees the Mac OS X version of GnuPG. "A lot of work is getting done
in the MacGPG project because users of PGP are realizing that they
have to find a solution when migrating to OS X."

Zimmermann, now a consultant who remains active in the OpenPGP
movement, indicated the Network Associates experience should be an
example to privacy advocates.

"... It is dangerous to put all your eggs in one basket, and we can
clearly see now how bad it can be to allow PGP to be buried by a
company that owns it exclusively," he said. "We are all fortunate that
GPG was developed."

After Network Associates purchased PGP, commercial releases began to
include services not required by the average user -- virtual private
networking, software firewall protection, key sharing and even a
third-party corporate key recovery system. GnuPG, on the other hand,
concentrates on the basics of digital signatures, e-mail and file
encryption, and key management.

And that's all that is required to protect Koh's postcards: "My
prediction is that I will eventually end up with GnuPG installed on my
machine."

But what about the rest of the world?

The open-source software movement, long the domain of highly talented
and motivated programmers working toward a socio-technical ideal and
for love of the craft, now is confronting the different expectations
of a PGP consumer base unwilling to surrender ease of use.

Network Associates, building on Zimmermann's work after purchasing his
company, made significant strides in hiding the arcane and promoting
the simple. Both Windows and Mac users finally could point-and-click
their way to a more secure desktop and communications environment. At
least a rudimentary understanding of the nature of public and private
keys, and how to use them, was still required, but a comprehensive
guide accompanying the software put the issues in as plain terms as
possible.

"Ease of use is critical," said Zimmermann. "E-mail encryption is used
by only a small segment of the population of e-mail users largely
because of ease-of-use issues."

The GnuPG project isn't yet that advanced when it comes to the user
experience, Koch concedes.

GnuPG is the engine that drives the encryption system: encrypting,
decrypting, signing and verifying, and creating and managing public
and private keys. Yet it relies on command-line entries. Installation
requires some minimal direct input of text commands. Graphical
interfaces are available, but they are separate, not part of the basic
GnuPG package.

Even Mac OS X users will find that installation of the basic MacGPG
package requires inputting text commands. And Worley, the Mac team's
leader, is very aware that Mac users are accustomed to more polish.  
"We have preliminary versions of most of the software that the average
PGP user will need on OS X, but more work is needed. Our software does
not fulfill the expectations of the Mac experience yet."

Open-source can also mean "closed climate," with developers working
only to meet their own desires and those of a relatively small and
stable base of users and fans. The strength of the movement --
distributed development by volunteer programmers worldwide -- isn't
geared toward the sudden appearance of clamoring consumers with
questions, complaints and wish lists in hand.

Eric S. Raymond, president and co-founder of the Open Source
Initiative, says the system will adjust.

"In fact, I think this kind of bombardment is a good thing. I think it
is exactly what open-source developers need to get a clue about the
way actual end-users think."

The commercial adage that the customer is always right still rules, he
said.

"Much of the open-source community is still weak at end-user UI. Most
hackers have not yet assimilated the knowledge or the attitude
necessary to serve end-users like these. This will change, but it
won't change overnight."

Despite its surge in user popularity, GnuPG may not remain the
long-term sole source for new PGP applications. Network Associates'
new code is locked away, but the company still hopes to sell it. And
the OpenPGP standard means that anyone with the will or the money --
or both -- can create and market a new product. Privacy advocates say
that's precisely the point.

"The general public seems very unaware and unconcerned with basic
issues of privacy and how their use of the Internet contributes to
major loss of privacy," said Tom McCune, a PGP user from Holland
Patent, N.Y., who maintains a popular Web site dedicated to PGP
issues. "For those with some level of awareness, there is a basic
attitude of just not wanting to be bothered with doing something about
it, and this is tremendously complicated by general lack of technical
skill."

Advocates believe open development by several companies, private
organizations and individual programmers will lead to even more
improvements, wider use and, ultimately, greater protection of
personal privacy.


