You may be asking yourself: where, oh where, has all the crypto gone? Where are the BlackNet's? Where is the untraceable Ecash? Where is the Cryptanarchy that we've been waiting for? For that matter...where is the crypto? The staunchest Cypherpunk will by now have noticed that PGP/GPG usage even amongst list members, once the bellwether indicator of Cypherpunks crypto adoption success, is in decline. NAI has pulled PGP off the shelves. Conspiracy theories as to what may have been driving this business decision abound. The fact of the matter is that the usage of PGP by businesses, the sole significant source of NAI PGP revenue, had long passed its peek. How many business do you know that rolled out PGP in the last year? How many do you know that quietly stopped using PGP after formally adopting its use with big fanfare a few years ago? The facts are that there are more of the latter than of the former. Did NAI receive The Briefing? I don't know. Nor does it really matter. There wasn't enough money to be made with PGP. A well-respected Cypherpunk recently expressed hope that if NAI's PGP were to disappear for good, perhaps compatibility problems amongst versions of PGP would diminish. A plausible sounding theory, if one were to assume that the compatibility problems amongst versions of PGP are between versions produced by different vendors. Presumably, the theory would go, with only one major supplier left standing, that being GPG (yes, I am aware there are others), interop problems with other vendors' implementations would pretty much disappear by definition. However, a closer inspection of the PGP interoperability problems, which have been at one of the issues coming up in just about every single discussion I've had with anybody about PGP over the last year, shows that the interop problems are not between current versions by multiple vendors, but between versions, in some cases by the same vendor, that were released over time. The current version of NAI-PGP will interoperate just fine with the current version of GPG. So why is PGP interoperability such a frequently raised issue? And why does the importance of this topic seem to diminish the further away you stray from Cypherpunks into the realms of the casual PGP users? The answer to the second question is straight-forward. Even the most casual user of software tends to be familiar with and acceptant of the need for occasional software upgrades. It appears that those that are experiencing interop problems are those that are insisting on using up to 5-year old versions of PGP. It is true and should come as no surprise that those 5-year old versions do indeed have interop problems with newer versions of PGP. Some may say: I shouldn't need to keep on upgrading my software to be able to send encrypted email. Does anybody seriously believe that those that insist on using 5-year old versions of PGP have not upgraded their operating systems in those 5 years? Indeed, upgraded more their operating systems more than once? Or does anybody seriously believe that those that insist on using old versions of PGP still run the exact same version of their MUA and text editor as they did 5 years ago? Of course they don't. If they did, their boxes would long have become unusable due to the warez traffic taking place on the machines as a result of the countless remote exploits discovered over these last 5 years. The reluctance to upgrade to a newer version of PGP does not appear to be driven by a refusal or inability to upgrade software in general. This reluctance to upgrade appears PGP specific. Why this is the case I do not know. (And don't greatly care. I am running the latest version of NAI PGP and I can make my copy talk to any version of PGP 2.x or higher). Now perhaps there may be the rare case of a PGP user that is still running PGP 2.x on the same DOS box, using the same mailer and the same text editor as they did 5 years ago. I don't know of any such users, but that doesn't mean no such users exists within the vastness of the Internet. What I do know is that those that I am aware of that are complaining about PGP version interoperability problems do not fall into the rare category of users who have not upgraded any software at all for the last 5 years. Since the existence of multiple PGP software providers has not been the cause of the interop problems experienced by some, reducing the number of PGP implementation providers should not be expected to have a significant impact on the number or severity of PGP interop problems experienced by the users. The same Cypherpunk expressed a hope that absent NAI's PGP, the German government group currently funding GPG might be more inclined to fund UI work for Windows. Perhaps they would. Assuming for a moment they will, would this lead to a better PGP Windows UI than NAI's PGP offered? NAI's PGP UI is pretty darn good. Looking at the sorry state of UI's currently offered for GPG, even with government funding, I suspect that it will be a long time indeed before we will see a GPG UI that will compare positively to the current NAI PGP UI. Of course Cypherpunks know that it is dangerous to base one's hope for the development of a Cypherpunk tools on funding by a government. Be that the US government or the German government. Strongly pro-crypto German governmental officials have been know for their propensity to stumble out of the windows of high story buildings. Warnings regarding the dangers that may lure in parking lots come to mind. Where has the crypto gone? The crypto has gone under the hood, away from the UI, to a place where the crypto will be of most use to the average user. Yes, for crypto to be secure against the active, well resourced, attacker, the crypto must at one point touch the user to permit the user to make a trust decision. But to secure communications from passive and/or less resourced attacker, crypto can be placed under the hood. I bet a good percentage of the readers of this list that still require to be engaged in a form of employment nowadays access their company network via some form of VPN. Up by orders of magnitude from a few years ago. More importantly, a good percentage of users that have never heard of this mailing list and will never hear of this mailing list are using strong crypto to access their company's information. The percentage of users utilizing strong crypto is increasing daily. Another major segment of Internet infrastructure in which strong crypto is rapidly becoming the default rather than the exception, at least amongst those running their own servers, is SMTP. The percentage of SMTP connections to my mail server that use TLS to encrypt SMTP has grown from around 30% a few months ago to well over 60% today. This increase in the use of STARTTLS on SMTP appears to parallel a loss of sendmail MTA market share in favor of postfix. It is just too darn easy to turn on support for STARTTLS during a migration to postfix, hence most sites performing such a migration appear to do so. (I am aware that sendmail and qmail support STARTTLS as well, but the increases in the use of STARTTLS that I am seeing at my SMTP server coincides with sites switching MTA's to postfix. I see a handful of qmail sites using TLS, representing a fraction of the postfix sites, and no sendmail site that I have noticed. Having once considered activating STARTTLS in sendmail myself, I vividly recall myself reading the instructions, bursting out laughing, followed by my researching competitive MTA's. Within a week I had switched to postfix. Wished I had done so years ago. All these hours that I wasted over those years... YMMV). An interesting side-effect of the increased adoption of MTA's and MUA's that support STARTTLS is that I now have a link that is secure against passive eavesdroppers to the majority of those with whom I regularly correspond in encrypted email. Is protection against only passive eavesdroppers good enough for me? No. Are we a heck of a lot further along than we were 5 years ago? I would argue that we are. Where has all the crypto gone? It has gone mainstream. Some of you may remember the discussions from years ago how we should try to find a way to make crypto cool and attractive for the average person. This afternoon, I installed the "Britney Spears SmartFlash Kit" on my Windows XP test box. For $29.95 plus shipping and handling, you too can own a Britney SmartFlash Kit, which includes a USB smartcard reader, a Gemplus smartcard (both the reader and card are graced with pictures of Britney), and a CD with Gemplus GemSafe smartcard crypto driver software (the click-wrap EULA reminds you that export to Cuba, Libya, and other naughty countries or those developing biological weapons is strictly prohibited. Sorry pop music fans located in Cuba or at the CDC). Once you installed the gear and inserted your one of 5 possible Britney Spears' smartcards (collect all 5), you will automatically be taken to a client-authenticated, 128-bit RC4 encrypted website that provides you with exclusive access to such exciting content as 45 second QuickTime clips of Britney purchasing chocolates and of course Fe's (Britney's most trusted advisor) indispensable advice column. A representative sample question follows. "Dear Fe: I'm 14 but my parents treat me like I am 10! They won't let me go out at night, and won't even let me bring a boy to the Homecoming dance. I'm in high school and want to do all the things that go along with that, but they won't let me! -- Trying to Grow Up, Americus, GA". I will spare you Fe's answer (get your own smartcard :), but I won't spare you this: if you wonder where crypto has gone, you need to look no further than Americus, GA. If the question posed to Fe leaves any doubt about the nouveau crypto users' demographics, a drop-down list inquiring about the user's age to participate in a contest (smartcard required) should help clarify matters. The age selections offered are: [2-6], [7-12], [13-15], [16-18], [over 18]. Do not worry should your parents disapprove of your choice of music. If you hear your parents walk up to your door, just yank the card out of the reader and your browser will close instantly. Crypto has gone as mainstream as can be. While crypto for crypt's sake may not have become cool to everybody, crypto has become a Must Have for your average 14 year-old high school freshman girl. Crypto has become ubiquitous. http://www.britneyspears.com/smartflashcard/index.php As to when we'll see BlackNet and untraceable Ecash, who knows. Here's hoping to 2005. [In the time it took me to write this post, another of the regular entries in my maillog has turned on STARTTLS, protecting the SMTP connection with EDH and 3DES]. --Lucky