Self Decrypting Archives

David Shaw dshaw@jabberwocky.com
Thu Jun 19 20:55:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jun 19, 2003 at 01:36:23PM -0400, Gates, Scott wrote:
> Point on the 'security' taken.  However, SDAs have their uses; they are
> sometimes simpler than attempting to get the receiver to install GPG or PGP.
> 
> 
> I have to send a couple of business-related files to vendors.  All of this
> is coordinated over the phone.  If the info is insecurely transmitted it's
> my @$$ (i.e. BIG JAIL TIME), but if the vendor's machine is trashed, it's the
> vendor's problem.  See my point?
> 
> I can talk someone through opening an SDA and I encourage them to virus
> check.  Since convincing them to install GPG or purchase PGP-Corporate (I
> use both) isn't going to happen, SDAs are all I have left.

I'm curious why installing GnuPG isn't a viable option.  (I assume
this is a Windows platform).  I certainly understand the resistance to
install a new program under Windows, but given the use you are talking
about (regular symmetric encryption of a file) GnuPG doesn't need to
be "installed" to be used.  Just unzip the archive and you can run the
'gpg' program.  No installation necessary, and to "uninstall" just
throw the program in the trash.

If you really wanted to, you could even send your receiver a zip file
containing the "gpg" binary, plus the encrypted file, and a batch file
that contained something like "gpg theencryptedfile.gpg".  Poof:
instant SDA.  Of course, it's still insecure ;)

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+8gdb4mZch0nhy8kRAkjYAKCuFCEONMOXi3PRx6n2yYQcacDOuQCfQVVy
dqH74ahBKHtXYQMS0q44fiA=
=sMGc
-----END PGP SIGNATURE-----
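
The passphrase-only exchange discussed in this message, sketched for both sides as an added example (not part of the original post or of GnuPG). It assumes GnuPG 2.1 or later is already on PATH rather than bundled with the file; the function names and the `encrypt`/`decrypt` sub-commands are hypothetical.

```shell
#!/bin/sh
# Added example: symmetric (passphrase-only) file exchange with gpg.
# No keys and no existing GnuPG setup are needed, so a throwaway home
# directory is used and removed on exit.
SDA_HOME=$(mktemp -d)
trap 'rm -rf "$SDA_HOME"' EXIT

# Run gpg non-interactively. The passphrase is read from stdin (fd 0), so it
# never appears on the command line, in the process list or in shell history.
# --pinentry-mode loopback is what makes GnuPG 2.1+ honour --passphrase-fd.
gpg_batch() {
    gpg --homedir "$SDA_HOME" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase-fd 0 "$@"
}

# Sender side: sda_encrypt PLAINTEXT OUTPUT.gpg   (passphrase on stdin)
sda_encrypt() {
    gpg_batch --cipher-algo AES256 --output "$2" --symmetric "$1"
}

# Receiver side: sda_decrypt INPUT.gpg OUTPUT     (passphrase on stdin)
# Returns non-zero when the passphrase is wrong or the file was altered.
sda_decrypt() {
    gpg_batch --output "$2" --decrypt "$1"
}

# Command-line use (passphrase typed or piped on stdin):
#   sh sda.sh encrypt report.xls report.xls.gpg
#   sh sda.sh decrypt report.xls.gpg report.xls
case "${1:-}" in
    encrypt) sda_encrypt "$2" "$3" ;;
    decrypt) sda_decrypt "$2" "$3" ;;
esac
```

The receiver's half is the same single `gpg` call the message puts in its batch file; everything else is the sender's side plus non-interactive plumbing.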