1997-10-30 - PGP 5.0: What were they thinking? (revisited)

Header Data

From: lcs Mixmaster Remailer <mix@anon.lcs.mit.edu>
To: cypherpunks@Algebra.COM
Message Hash: 9239d1c7ca9f7dac98a9aeafea711d54042c1c0c25caf61c07118d2a1befda89
Message ID: <19971030080001.18658.qmail@nym.alias.net>
Reply To: N/A
UTC Datetime: 1997-10-30 08:04:01 UTC
Raw Date: Thu, 30 Oct 1997 16:04:01 +0800

Raw message

From: lcs Mixmaster Remailer <mix@anon.lcs.mit.edu>
Date: Thu, 30 Oct 1997 16:04:01 +0800
To: cypherpunks@Algebra.COM
Subject: PGP 5.0: What were they thinking? (revisited)
Message-ID: <19971030080001.18658.qmail@nym.alias.net>
MIME-Version: 1.0
Content-Type: text/plain



>On Thu, 30 Oct 1997, Anonymous wrote:
>
>>
>> Where can I find a copy of PGP 5.0 which handles this "SHA1" hash extension,
>> and the new forced incompatabilities? I'm looking for a Linux distribution.
>> All I've found are Windoze versions, really old betas which break
>> *everything* which calls PGP from a script or command line, and betas which
>> have a lame expired timebomb in them. Source is prefered for obvious reasons.
>
>http://www.pgpi.com/

I went and took a look at this. They've broken the PGP functionality into
several different psuedo-binaries which are just symlinks which point to the
same binary. Invoking just 'pgp' gives this:

>PGP is now invoked from different executables for different operations:
>
>pgpe    Encrypt (including Encrypt/Sign)
>pgps    Sign
>pgpv    Verify/Decrypt
>pgpk    Key management
>pgpo    PGP 2.6.2 command-line simulator (not yet implemented)
>
>See each application's respective man page or the general PGP documentation
>for more information.

Now this, of course, breaks all matter of things. Some of this may be wrong, 
so feel free to correct it:

Phil releases PGP. It rapidly becomes a standard for personal privacy and is
used all over the world. Various versions come about including several
international versions. 

Finally PGP 5.0 is released. It uses a completely new scheme, including DH
keys. The Windows version purposefully excludes RSA key generation, in
effect forcing people to generate DH keys. There is no UNIX version released.

Weeks or months later, after incompatabilities were introduced into the
system, UNIX versions begin to filter out. Instead of keeping command line
compatability so scripts and programs which call PGP still work, they decide
to break the functions up into several different invocations, all of which
point to the same binary anyway. The README-BIN file for the "beta 11" Linux
distribution says:

>Rest assured, we WILL be releasing a source Unix distribution.
>Unfortunately, licensing and export issues make this difficult; the
>beta process for Linux will be completed on a binary basis.  We
>understand the difficulty this causes, and will be working to find a
>solution in the future.

They also take the liberty of coding in a timebomb:

$ ./pgp
This beta evaluation version of PGP has expired.
$ pwd
<censored>/pgp50b11-linux-i386/apps/pgp

"lnx-b11" is the version currently handed out by http://www.pgpi.com, by the
way. The "PGP 5.0 beta for Linux Intel (US version)" selection on their
download page leads to a link to:
ftp://ftp.ifi.uio.no/pub/pgp/5.0/usa_only/linux/PGP50-lnx-b11.tgz

The current source distribution from that site is b8a. One of the README 
files from that reads:

>Welcome to the PGP beta test program!
>
>Before reporting any bugs, please check the pgp(1) man page to ensure
>that they are not already known.
>
>Bugs should be reported on the beta test web page at:
>
>  http://beta.pgp.com/

However when one goes to http://beta.pgp.com they're confronted with a legal
agreement. Of course the link to it from the front page won't work in Lynx 
2.7.1 because it uses something called an "https" link, so the user has to 
type in the URL manually as "http://www.pgp.com/beta/license.cgi". 

After reading this license and agreeing to it, the user is allowed to reach
the "BetaWeb" page. However the "public bug reports" link yields this:

>   Sorry, the bug report form is not available yet.
>   Please be patient as we get things ready.
>      
>         Please see the PGP BetaWeb for further information, or contact the
>         Beta Manager with specific questions.
>
>   For now, please use the "Back" button in your browser to return to the
>   previous page.

So maybe you can at least get whatever the current beta is and hope it
works, right? Wrong. "PGP Personal v5.5.1 BetaHome"'s "Beta Software &
ReadMe Download Button" wants a user name and password, but it's doubtful
they have a UNIX distribution in there anyway considering the rest of this
mess. 

Well, at least maybe the user can suggest a new "feature" for PGP 6
and that feature be "Release a source distribution which when installed
doesn't break anything which calls PGP," right? Wrong. You have to have a
username and password for that too.

Well, obviously they want you to register as a "Registered PGP Beta Tester"
to get this clearance. However "Beta Registration" yields:

>   Sorry, we are not currently accepting new beta testers.
>   We will be shortly, however, so please check back if you are interested.
>      
>         Please see the PGP BetaWeb for further information, or contact the
>Beta Manager with specific questions.

>   For now, please use the "Back" button in your browser to return to the
>   previous page.

And of course my 2.6.3i breaks on this "Hash: SHA1" stuff.

So correct me if I'm wrong but the way I see it is like this: A new version
of PGP was released. It was incompatable with previous versions. They
release a Windows version but don't release a version which works under
UNIX. Of course Windows users now start using the "latest and greatest,"
sending messages and keys all over the place which are completely
incompatable with the version of PGP everybody else is using. They claim to
be working on a UNIX version, granted, but that should have been released
at the same time as the Windows version and *AFTER* there was an
international version of PGP 5.0 available. Their UNIX version of PGP 5.0
also seems to be completely incompatable with anything which calls PGP from
a script or program. In addition their UNIX versions are purposefully
crippled so that they don't work after a certain time period, don't provide
an override for this that I can see, and they insist on releasing
binary-only distributions for Linux which prevents people from commenting
that out. They have no method to get new up to date versions, nor do they
have a method to report bugs like they say they do. Further the
"PGP50-lnx-b11-6126098-1.src.rpm" contains the *BINARY* distribution, *not*
the source. I've also been informed that PGP 5.0 encrypts to the CMR key
without even bothering to ask and there's no way to override that short of
hacking the key record.

What the hell are these people thinking? Did they get into bed with
Microsoft to try to get people to say "screw this" and go use Windows?






Thread