
actual PGP WDE source code - reviewing?

Created: 13 Aug 2013 | 7 comments

The currently available source code version from PGP available for download dates from 2011 and is version 10.0.1.

Questions:

1) when will the source code be updated to the actual version?

2) is there somewhere a (peer) reviewing about (current) PGP WDE/Symantec Encryption Desktop available on the internet, where "ordinary" PC/Mac users can read if they can trust this software?

kind regards, Stork


Tom Mc's picture

I'm checking on this - don't know how long it will take to report back to the forum.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


matt_s's picture

+1 for Stork467's request. I would certainly be interested in seeing the source code for WDE.

Also, the source code for PGP DT could do with updating to the current version also.

Stork476's picture

1) The possibility of downloading the actual source code is one thing, to be able to compile, read and interpret it is another thing.

As the majority of PGP users are most probably not able to perform this analysis themselves (including me), a published and "readable" peer-reviewed analysis of the actual version should be available.

2) D. Finkelstein wrote in his comment about trust that “…The source code that was published by PGP Corporation was never quite exactly what was used to build the PGP products.  Why?  Primarily, it was felt that certain sections of the code (say, for example, some low-level detail of how we optimized some aspect of disk encryption) was valuable intellectual property, and if published, we could not trust that it wouldn't be usurped by our competitors…”.

https://www-secure.symantec.com/connect/blogs/trust

so the source code is probably not really complete.

3) With the latest news and facts about global surveillance and “infiltration” of software companies it is really urgent that Symantec releases a clear statement and updates the source code PGP/Encryption desktop to the actual version to keep the trust of its users (the legal situation in the U.S. makes it probably difficult even to release such statement).

Bruce Schneier describes the current situation quite clearly here:

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

Otherwise it is probably time to move to Linux and use GnuPG/dm-crypt…

Adam_BN's picture

There's a massive campaign towards Truecrypt's source, legalities and overall licensing.

http://istruecryptauditedyet.com/

I'm afraid that like all others, unless Symantec steps up to the plate to regain the ground they have lost with holding the world's most popular encryption software and having very close ties to our government, many, many others including myself will have to find a more trustworthy platform. Come on Symantec, you can prove yourself.

Adam St. George
Bombshell Networks

Stork476's picture

over 4 months after my request and still no clear reply from Symantec about source code...

...no answer is also an answer... really really pity

Adam_BN's picture

http://www.symantec.com/connect/blogs/trust

It has been updated as of Nov. 14th. The second to last paragraph says:

"Symantec has owned PGP Corporation for over two years now.  There has been no pressure to change our focus on security, no pressure to add "backdoors", and complete support for our desire to publish our (slightly redacted) source code.  You can download an older version here:

https://www-secure.symantec.com/connect/downloads/...

It's from 2011, and expect to see updated source code published for our next release.

Do you trust Symantec's encryption products?  Millions of people do.  I hope you are one of them.  And if you aren't, I hope we can come to earn your trust."

So we will have to wait till next release.... not sure if next MP or major. Plus I understand on redacting certain spots of the code like the licensing sections of code... but you can simply XXX those out to release the full code.  I honestly would be happy with up-to-date code being redacted, as long as the full code structure could be handed to a crypto company for review, like TrueCrypt's Audit.

Adam St. George
Bombshell Networks

Stork476's picture

Thanks a lot Adam for the update, these are really not so bad news!

(I would have expected some reply or note in the forums rather than a +/- "silent" update of a blog, but this sounds already much better).

Agreed, an audit of PGP/Encryption desktop similar to TrueCrypt would be the best that Symantec could do. It would not only be a huge support for trusting PGP but should be supportive for business/boosting the sales of a commercial product with trusted security...

Let's see what comes and if Symantec will have the courage of an audit..., an updated source code is already an essential step.