Can you trust the PGP Corporation with your Data?

What’s gone to that great computer room in the sky—why relativistic software that would do Einstein proud doesn’t always please—why what goes in doesn’t always come out, easily—why size really matters, honestly—why Luigi is invoicing the PGP Corporation for his doctor’s bill—why the PGP Corporation could do a great deal better! ... Masochistium Clickium Hic!

The Great Computer Room in the Sky

Now once upon a time our friend Luigi was a fan of the software produced by the PGP Corporation. He would use the latest version of PGP Desktop Professional, currently version 9.0, to store his data on an encrypted virtual disk.

After having suffered a few major data losses early on in his computer career Luigi had become careful. At the end of each day he would perform an incremental backup of his data to a USB memory stick containing a second PGP virtual disk. At regular intervals he would back-up his data to a PGP self-decrypting archive stored on an external disk that he kept onsite, and less frequently from that external disk to an external disk that he kept offsite (he even used a pair of disks for offsite backup so that his data was always physically present at two different locations at any one time). And he maintained hashes of his backup files and tested them regularly to ensure that they had not become corrupted. All in all, Luigi had the makings of a good systems administrator.

So when one day a thunderstorm interrupted his uninterruptible power supply and the ghost in his machine left for that great computer room in the sky, Luigi was annoyed but not despondent. After all, with backups generated by such a sterling product developed by such a large and reliable organization as the PGP Corporation what was there to worry about? Ah, what indeed dear reader!

Relativistic Software that would do Einstein proud!

Let’s join Luigi as he begins his quest for the holy grail of restored data.

Now-a the most-a recent backup is-a my onsite-a backup. So let’s-a copy the SDA to my new computer. Wow! It’s-a big file. ... Takes-a the time.

Now double click on the SDA and off-a we go. Hey, where’s-a the password screen? Maybe I no double click proper. So let’s-a press Enter instead. Nothing! Oh! Bugger-a! Computer’s-a locked up. Okay, so try Ctrl-Alt-Del to reboot. Ah! Shit-a! Even Ctrl-Alt-Del not-a work. Try hard reset.

Run SDA again. Nothing! Nothing! Nothing! Wait a few minutes. ... No! It’s-a still doing nothing. SDA must-a be corrupt. Have to go get the offsite backup. What-a pain!

Some days passed—dataless days for our valiant hero—before he got hold of the offsite backup. Let’s join him again.

I-a lost-a whole month of data. It-a just as well I keep-a the offsite backup or I lose everything. Okay, let’s-a double click on the offsite SDA. No! No! No! I don’t believe it. Nothing! Computer frozen again. What’s-a the odds? Two-a backups corrupted, even though I-a test each one after I create it! Very suspicious. Check-a the hash I-a make of offsite SDA. I don’t believe. Hash fine. Offsite backup not corrupted. Check-a the hash I-a make of onsite SDA. Again, hash-a fine. Onsite backup not corrupted. Ah! Maybe PGP software corrupted. I-a reinstall and try again.

Shit-a! Shit-a! It-a still no work. I have-a backup copy of PGP software. I-a try to reinstall from that. ... Not again! Still nothing! But this same CD I-a use to install PGP on previous computer where-a everything work-a fine, and I-a using the same version of Windows!

Shall we put Luigi out of his misery and explain what’s gone wrong? Now when you double click on a PGP SDA the password entry screen pops up immediately—well, it pops up immediately apart from those computers on which it doesn’t pop-up immediately that is!

We had a theory that the reason for this delay is all down to the increase in processor speeds. If electrons are travelling at relativistic speeds close to the speed of light then they will experience time dilation effects. So, perhaps some whiz-kid in the PGP Corporation decided to add a time dilation calculation into the software. That would explain why a password screen that normally appears within half a second can take the order of 5 minutes to appear on some machines. We suggested this to the Prof, but, sadly, he wasn’t at all impressed with our theory. But he’s patient with us non-technical types, so he banged a few buttons on his calculator before announcing that “defects in the crystal lattice would certainly not allow electrons to travel at 99.83% of the speed of light”—hmm, ah, well, there goes our Nobel Prize! Let’s just call it a feature!

More realistically, it seems that the problem relates to the way different computers handle large executables. Given two computers running the same version of Windows, with the same amount of physical memory and swap file size, one may start executing the executable immediately, while the other first makes a copy. This would explain why the extent of the delay before the password window appears is proportional to the size of the SDA.

Now during the time that the SDA is communing with Einstein’s ghost the computer is frozen, giving the impression that it has crashed. Very few people are going to sit around for five minutes looking at a frozen screen on the off-chance that some kindly deity will step in and unfreeze it. Most people are going to reboot. And after a few equally unsuccessful attempts they are going to conclude that they have lost their much cherished data for good, and will soon be searching eBay for a voodoo doll with “PGP Corporation” stamped on the front!

Now since a PGP SDA is the only place where most users are likely to encounter multi-gigabyte executables it would be nice if the PGP Corporation forewarned a user in the documentation that the user’s “crashed” computer had not really crashed. We explained to Luigi that his SDA could still be used. There was a look of horror on his face for a moment as he tried to recollect whether he had wiped the “non-working” SDAs. Fortunately for Luigi—and we suspect for the PGP Corporation as well—he had not!

What goes in doesn’t always come out—easily!

So let’s join Luigi again as he waves his magic wand over his SDA for the second time.

I-a start the onsite SDA again. I-a note the time. ... One minute, nothing. ... Two minutes, nothing. ... Three minutes, nothing. ... Four minutes, nothing. ... Five minutes, nothing. Ha! Now-a the password screen appear. Ah! I-a waste so much time. These PGP Corporation people. Slime-a! Slime-a! Slime-a! Type in-a password and off-a we go. It’s-a big SDA so it-a take-a long time to decrypt, maybe half-a hour. So-a I do some work. Come-a back later.

Okay, let’s-a have a look. It-a should-a be done long ago. What’s-a this message, “Filename exceeds maximum length – try decrypting to the root of the volume.” Oh, no!

Now we all save web pages to our hard disks. And some of these web pages have rather long titles. And these rather long titles are used as the default file names. Now PGP will create an SDA using files with long file names without any difficulty—it doesn’t matter what directory the files are in. But when it comes to decrypting an SDA it’s a different matter. The SDA must be in the root directory of some partition if a filename exceeds a certain length. Otherwise, the poor user is forced to cancel, move the SDA, and start all over again.

Luigi’s response, “Why-a they-a not-a tell me this?” Why indeed! Given that it takes the order of 30 minutes to decrypt a large SDA, it’s not the sort of task Luigi—or even you dear reader—would wish to repeat too often! We explained to Luigi that product testing is not one of the PGP Corporation’s strong points.

Wouldn’t it be nice to have a little message during the encryption process telling the poor user that the SDA can only be decrypted from within a root directory? Wouldn’t it be nice if a little flag were set in the SDA so that the executable could inform the poor user that the directory in which he is attempting to decrypt the SDA is a “no-hoper” at the very beginning of the decryption process, and not 20 minutes later when the decryption process first encounters an “unsuitably” long file name? Of course we suffer from the strange conceit that software, even if it is not user friendly, should at the very least not be downright malicious, malevolent, and take a perverse pleasure in torturing its users—a conceit that’s clearly not shared by the PGP Corporation.

Size really matters!

Let’s rejoin Luigi and his ever increasing blood pressure!

Root directory. Start-a the SDA. Wait-a the five minutes while it’s-a communing with-a nature, or whatever it does. ... Now enter password. Now go away for-a long time while it-a maybe decrypt, or maybe not decrypt!

Ah! It’s-a done. Success! Four days! Four days to restore a backup of my data! Now let’s-a create a new PGP virtual disk. ... Okay, that’s done. Now let’s-a copy the backup files from the decrypted SDA to the virtual disk. Here-a we go. That little sheet of paper flying across from one-a folder to another. Who-a needs-a goldfish when he’s-a got-a Windows file copy?

Wow! It’s-a taking a long time with this file. Must-a be big. Maybe I leave it a little bit. A watched-a file-copy never-a finish!

Okay, I’ve-a had-a lunch and taken my blood pressure medication. Maybe I-a invoice PGP Corporation for my doctor’s bill. It’s-a been copying for over hour. Should-a be finished long, long time ago. No! No! No! It’s-a still copying the same file. Oh, no! It’s-a only a 50 Mb file. Should-a copy in a few seconds. I cancel. ... Now Windows it’s-a locked up! Try Ctrl-Alt-Del. It-a does bugger-all! Hard reset. ... Logon on. ... Nothing! Screen frozen. It-a look like PGP bugger up Windows operating system. I-a wait. ... One minute. ... Two minutes. Ah! It’s-a coming back! Message from Windows say it has reinstalled drivers and must restart. It seem this PGP it-a crap all over my registry. Reboot.

Now-a only one thing remain-a to do. Only one-a thing I need to do to-a be happy, to-a lower blood pressure. And this-a thing is to delete all software produced by PGP Corporation from my computer!

Shall we tell Luigi what’s gone wrong. Well, Luigi’s computer happens to use an SIS IDE driver. And...and...PGP virtual disk does not work on computers with SIS IDE drivers. Well to be fair it does work as long as your files are small. If you’re one of those strange people who wants to copy files larger than about 20 Mb—a music file, or, perish the thought, a PGP SDA file, for example—onto your virtual disk, then PGP will throw a tantrum and crash Windows (and if you backed up the PGP virtual disk file instead of first copying the contents to some other medium then...then you’re stuffed—though we’re sure you’d think of a more energetic expletive should it ever happen to you!).

If you’re lucky Windows will repair itself after the hard reboot. If not, then you’d better have a system image tucked away somewhere, or have a spare few days to hand so that you can reinstall Windows and all your software.

We explained to Luigi that product testing is not one of the PGP Corporation’s strong points—hmm! hmm! A glitch in the Matrix, or at least in that portion of it that passes for neural matter within the “Testing Division” of the PGP Corporation! They may not know how to test their software, but they’re certainly experts at testing their users’ patience!

For on-the-fly encryption Luigi is now very happily using TrueCrypt—its developers seem to have mastered the art of copying files greater than 20 Mb to a virtual disk! Luigi’s one question to us—in between gulping down his pills for high blood pressure—was, “How’s it-a possible for an organization as big as PGP Corporation to produce such a crap product?” Hmm! Difficult one that. If the PGP Corporation was a “one man and his dog” operation then all would be forgiven, but it’s not. It’s big, and its products are targeted squarely at the corporate sector, a sector that has a habit of getting a little testy when software doesn’t work straight out of the box.

It’s very difficult to envisage how a large corporation could have such a poor testing regime, one that allows the litany of sins, both of omission and commission, described above to get out the door. While no product is going to run on every custom-built box, well-tested products from major suppliers should at least run on the standard boxes produced by the main manufacturers. If you’re a company producing encrypted file system software, then you develop relationships with the developers of hard disk drivers, and you test them with your product while those drivers are still in beta, so that when a driver is released and used by the PC manufacturers you know that it will work with your product.

Much as we like the PGP Corporation, even in these post Zimmerman days, their report card must state, “Could do a great deal better!”

Tiffium & Morphium – Bigus Brutium-Absentium Zonium

Cyber roads, take me HOME
To the page where I came from
Freedom's Fire, my desire
Take me home, cyber roads.