Feeds

back to article MPs told PGP 'incompatible' with Parliament network

MPs have been told that although they are free to install PGP on their parliamentary machines the technology is not compatible with Parliament’s remote access software, making its use impractical. The curious response came from the House of Commons Commission via Lib Dem MP Nick Harvey in response to questions raised by Francis …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

FOC?

They'll install encryption software free of charge will they? I hope they are complying with the terms of the licence.

Maybe they are just hoping that the average less than tech savvy MP will allow the support guys to set the passphrase. Of course I can't imagine why they'd want to do that...

0
0
Anonymous Coward

titles suck

"The more paranoid among you might say that the other (unknown) product might be easier to eavesdrop upon."

I would have thought the other (unknown) product comes with free brown envelopes, whereas PGP although clearly the market leader doesnt. Either that or some ministers brother in on the board of execs.

0
0

why...

do they need encryption softwate?

if they've nothing to hide, they've nothing to worry about..................................

0
0
Boffin

Sounds bogus, or at least, misconfigured to "block viruses"

As the PGP folks said in so many words, their software's output is just a binary file. The VPN is just another network layer on top of TCP/IP, and should not care what files are being transported. If there truly is an issue, it implies the VPN is misconfigured to filter out binary files, probably in the mistaken idea that doing so will keep viruses from transporting across the VPN. The experiment to try is to see if one can send the PGP file "as is", and again after MIME encoding. (MIME = Multipurpose Internet Mail Extensions) All email is transmitted as US-ASCII plain text. Period. The way binary attachments to email are transmitted is that they are first encoded to an output that is all US-ASCII text. The most common modern encoding scheme for this is MIME. Another encoding scheme not used much anymore is UUENCODE ("Unix-to-Unix encoding").

In MIME encoding, the input data undergoes a mathematical transformation from base-2 to base-64. In this conversion, the output results in 4 bytes of output data for every 3 bytes of input data. But the good part is that every single one of those output bytes is a simple plain US-ASCII text byte. Hence, the MIME encoded file can be sent as part of an email and everything between the sending client and the receiving client sees nothing but US-ASCII text. The receiving client reverses the encoding to produce the original attachment file.

If the MIME encoded file transports across this screwy VPN but the binary PGP does not, then they are blocking the transmission of binary files probably thinking this impedes the spread of viruses across the VPN. (Bad assumption.)

0
0
Bronze badge

And what about staff?

It's not that PGP is hard to use, but I can see some point in PICT choosing a different crypto system, and supporting it. If something goes wrong, they know how to fix it.

And I know of cases of companies using horribly old browser versions because some bean-counter doesn't want to pay for an update to some critical bespoke app.

It doesn't have to be because they don't know how to read PGP traffic.

But I don't blame anyone for thinking that.

I think I'd rather use Babel-17 than PGP. Something that subverts the attacker's thinking when he tried to read the messages may still be sci-fi, but it's pretty good protection,.

0
0
Anonymous Coward

MS?

Considering HM gov's general love affair with all things Microsoft, I wouldn't be the least bit surprised to learn that this "other" product is one supplied by MS so that (a) they can suck-up to MS a bit more and (b) as an invitation to MS to screw them over in the future (I'm sure they'll find a way).

0
0
Silver badge
Coat

pretty good privacy incompatible with parliament

but we all knew that...

0
0
Stop

"PGP is incompatible with our networks..."

"... according to my friend, the CEO of a competing company, 'Encryptions Limited'."

Great name that, all you need is an apostrophe in the right place and it's a description of their product :P

0
0
sig
Black Helicopters

Parliament no different from government

In failing to use PKI encryption. The GovConnect secure gateway is an example: set up a dedicated network, parallel mailboxes etc, to allow local and central government to communicate. Far more complex than just issuing certificates etc.

Government use of PKI for secure email would kick start more general use of the technology. Might even help to kill spam. Why doesn't the Passport and Identity Service issue digital certificates along with passports?

But then snooping would be so much harder once we're all encrypting our communications.

0
0
Thumb Down

Translation:

"PGP is secure and we can't break it, please use our backdoored proprietary encryption instead."

0
0
Jon
Stop

Nice joined up thinking here...

To communicate with the Home Office they REQUIRE you to use PGP!

http://www.theregister.co.uk/2008/08/15/home_office_crypto_bureau/

0
0

FoI?

So the recommended software is currently unknown.

Anyone fancy submitting an FoI request? :)

If they refuse to divulge, we can probably assume it's cr@p. After all, not only PGP but many other examples of crypto software use algorithms that are virtually uncrackable (unless you have a room full of supercomputers to hand...). Case in point: distributed.net's attempts to crack RC5-72. They've been going over 5 years and they've only scratched the surface of the available keyspace...

0
0

@william henderson

"if they've nothing to hide, they've nothing to worry about"

Of course they've got things to hide. Cynicism aside, emails from constituents to MPs should be considered confidential.

0
0

This post has been deleted by its author

Coat

"We couldn't possibly comment"

Me too...

0
0
Thumb Up

Kudo for the House of Cards reference

"You may well think that. We couldn't possibly comment."

0
0
Coat

Cure with Conan

After all, he's used to dealing with Picts!

0
0
Paris Hilton

PGP What ? doesn't work

PGP® Whole Disk Encryption

PGP® Endpoint

PGP® Desktop Email

PGP® Desktop Home

PGP® NetShare

PGP Universal™ Gateway Email

PGP® Command Line

PGP® PDF Messenger

PGP® Mobile

PGP® Support Package for BlackBerry®

Paris, because I once dreamt she encrypted me

0
0
Boffin

There could really be a problem ....

There could really be a problem. Most comments have focused on PGP's use of crypto algorithms. Perhaps there is a compatibility problem with the way both PGP and the VPN product integrate into the OS.

PGP does much more than merely encrypt files. PGP doesn't just rely on the user remembering to encrypt their data before sending it. PGP has also side-stepped the problem of integrating into the different mail clients. PGP functions as an internal proxy server to handle both inbound and outbound traffic.

I have PGP installed on my system at home. Look what happens when I try to make an SMTP connection to an arbitrary address.

$ telnet 1.2.3.4 25

Trying 1.2.3.4...

Connected to 1.2.3.4.

Escape character is '^]'.

The PGP SMTP proxy has intercepted the connection and will give me the opportunity to encrypt the subsequent message.

The VPN software will also be intercepting attempts to establish TCP connections. Perhaps the two attempts to intercept connections interfere with one another.

0
0
Go

No PGP?

If PGP is verboten surely there's a simple answer, use GPG.

Which then makes you wonder: Are Linux and Mac PCs compatible with their VPN?

0
0

More info needed

I'm not an expert on these matters but I can speak from experience of using PGP.

A lot of the laptops where I work have Whole Disk Encryption managed by Universal Server, the latter ensuring that if people forget their passwords or leave the company a recovery token can be issued to log on to the machine in question. These laptop users can all access the company systems via our VPN.

So as the AC asked, what part of PGP and I'd like to know what VPN?

0
0

@stf/#@plt$

The real problem is with PGP® Whole Disk Encryption. This can render CDs and DVDs left on trains useless to newspaper editors.

OOps, how do you do un-encrypted titles?

0
0

Perhaps

They need an encryption software more conceptually aligned with government, like rot13.

0
0
Anonymous Coward

@sig

"In failing to use PKI encryption. The GovConnect secure gateway is an example: set up a dedicated network, parallel mailboxes etc, to allow local and central government to communicate. Far more complex than just issuing certificates etc.

Government use of PKI for secure email would kick start more general use of the technology. Might even help to kill spam. Why doesn't the Passport and Identity Service issue digital certificates along with passports?

But then snooping would be so much harder once we're all encrypting our communications."

Funny you should say all that, but govconnect guidelines actually recommend against the use of ssl internally on the local government network. Why do you suppose that would be then?

0
0

PGP Corporation would like to help

It is always difficult to do customer support by long distance, and especially difficult when the problem report is coming in through a news story. PGP is established, long-standing technology. We use it with VPNs ourselves, as do millions of customers including a large number in the UK government. We firmly believe that this is an issue that can be solved with a support call or a short support visit.

We are committed to helping all of our customers resolve their configuration issues. We look forward to talking to PICT or any other PGP user to resolve any deployment issues and use PGP effectively in their environment. We welcome PICT or anyone else to contact PGP Corporation's technical support directly, or to contact me personally and I will direct the appropriate people to resolve this issue.

Regards,

Jon Callas, CTO and CSO, PGP Corporation

0
0
Silver badge
Thumb Up

PGP incompatible but a competing product isn't?

"MPs told PGP 'incompatible' with Parliament network"

Let me just remove all those extraneous letters from the second 'a' to the 'w' here...

"MPs told PGP 'incompatible' with Pork"

There. Fixed that for you. :)

0
0

D U H

Ban PGP = spy on anyone.

Isn't it obvious, or are all earth brains dead at this point.

0
0
Anonymous Coward

Is that the sound of a BOFH sucking his teeth I hear?

"Hmm, this could involve doing some actual work. Best tell them it can't be done for some spurious reason. Then go to the pub."

0
0
Anonymous Coward

how to inspire global confidence (or not)

Why does Parliament continue to reinforce the idea they should not be allowed anywhere near sharp objects? Or heavy objects, or even each other....?

Point the Witch-doctor bone at whatever muppet decided on the product sets without checking compatibility and specifically correct interoperability. OTOH, if its just a configuration snafu, then fix it* and shut the pharq up, otherwise it just says 'aint it great - I'm stupid and I still get paid'.

How many readers of this in other countries shake their heads in wonder at the willfully advertised incompetence of the UK government, whether its spin or not.

*be a "JEDI Nike" : accompany your trainers with a brown monks robe that has "Just Effing-well Do It" emblazoned on the back.... laser sword optional

0
0
Flame

PGP support

I used to have a paid subscription to PGP for my XP based PC. I gave up on it because I kept having problems with some kind of memory leak in PGP that caused it to unpredictably gobble massive amounts of memory and bring my machine to its knees. I reported the problem to PGP Corp, but never received a solution. No fix = no subscription renewal Mr Callas

I would imagine that MP's had a similar problem support of their PC's by the IT Support teams would be problematic.

0
0
Coat

I think a better phrase is

our network is incompatable with PGP.

Only recent versions of PGP redirect the mail through a proxy and even then thats only for corporate installs where there are key servers.

That is not nessicary if you posess the recipiants public key. Just click on the PGP tray icon and choose Encrypt current window. It is (also) perfectly normal to encrypt an attachment and then attach the encrypted version, just as it is possible right.

To AC @13:32 GMT you are confusing VPN with mail servers.

The VPN only encrypts the connection (well a few other things too), but it DOSNT block attachments, thats what the policy on the mail server does.

I would have used the Icon for "May contain ... degree level" but I don't want to be associated with being wrong

0
0
Alert

it most concerning that PICT, are having issues enabling there customers "MPs"

I find it most concerning that PICT, are having issues enabling there customers "MPs" with a tool a which so popular and simple to deploy and use. Also of concern is the indication that PICT wish to use another encryption tool in its place.

It is also interesting that PGP is a CAPS evaluated encryption product, it would be interesting to know if the other encryption product PICT are offering is CAPS evaluated or not!

It would also be interesting to know if the VPN solution is approved for Government use....

0
0
This topic is closed for new posts.