No One Uses GPG With Outlook

Some time ago my boss found himself a new pony, named it SECURITAR and decided to ride it around the office every other week talking about policies, improvements and all that jazz. I don’t really mind – it is a positive thing actually. He knows we need more of it, but doesn’t really know how exactly it is acquired. I think that at some point there was a plan to set up some hydroponic vats in the parking lot and try to grow it there but I don’t think that panned out well.

So SECURITAR gets brought up every once in a while, everyone wholeheartedly agrees that we need it and IT gets the job of figuring out how to implement it. Usually this involves deploying encryption software on all laptops and workstations, training staff how to use it, enforcing strict security policies and smacking around people who don’t want to comply with them. Then directors scratch their heads and say:

“Well… That’s a lot of effort and expenses and time… We have a really busy quarter right now, and maybe we shouldn’t rush into that thing just to get more SECURITAR…”

The subject gets dropped like it’s hot, Snoop Dogg style, only to be revisited the next time the big boss takes the pony out of the shed and takes it for a ride.

A while ago someone recommended PGP. The affair with it was short-lived and ended around the time someone soberly said “it costs how much per user???”. Someone else said “I hope that this PGP comes with blackjack and hookers for that price” and I said “Get the fuck out of here Bender, no one asked you for your opinion”. So PGP never got rolled out and we still send emails unencrypted to this day.

Only that every once in a while the topic gets brought up again. Last time around I had some sort of a lapse and I blurted out something about GPG. I mean, it is roughly the same thing – only free, and it’s from GNU. And as everyone knows the G in GNU stands for Grrreat! At least that’s what Tony the Tiger told me before someone “punched” him in the face with my chair for being a Furry. So somehow I became the person responsible for figuring out how to make the GPG thing work in our Windows-based, Outlook-obsessed organization.

While G in GNU may stand for great, the NU definitely stands for Not Userfriendly for mere mortals. Don’t get me wrong – I use GPG myself, but then again I fucking hate mere mortals and I secretly hope they all die one day, preferably due to some sort of memetic-plague transferred via reality TV broadcasts and celebrity gossip. The problem is that GPG and Outlook do not play well together.

I downloaded and installed several free Outlook plug-ins that promised GPG integration and the breakdown was pretty much this:

  1. Shitty
  2. Shittier
  3. No longer maintained and last updated in the 1800’s
  4. PGP – also known as: “Costs Money == No Good”

Normally I’d post links to each and bash each on its own terms, but I just don’t feel like doing that. I looked at all the notable ones that I could dig out of Google and they all sucked hard. The interfaces were ugly, buggy and counterintuitive, key management was either nonexistent, cobbled together as an afterthought or required a separate application to run in the task bar and some very unstable communication between it and Outlook. And of course in most cases an encrypted email simply looked like a blank message with a weird attachment which could not be decrypted by double clicking, but rather required the user to save it to the hard disk, and then perform some complex operations involving clicking buttons, dancing, chanting and sometimes even singing the theme song from the Breakfast Club backwards while juggling 7 live poodles above your head. Or rather that’s how my users would describe it to their supervisors if we unleashed these monstrosities upon them.

Here is the thing – personally I think I could use all these applications, but none of them could match something like Enigmail in terms of simplicity, ease of use and level of integration with the mail client. They were all just a bit awkward. Of course when you are dealing with people who are technically half retarded when it comes to computers, a bit awkward translates into UNUSABLE.

Now I know how PGP keeps making money even though OpenPGP and GPG are widely used and widely available alternatives. No one else has figured out (or bothered to figure out) how to seamlessly integrate with Outlook.

So here is a question for you. Do you use PGP/GPG at your work? Do you use it with Outlook? Can you recommend a free solution that could be used by moderately intelligent chimpanzees and/or regular people? I’m sure I’m missing something here but I’m at a loss. Perhaps we will simply have to suck it in and buy PGP licenses, or just forget about this whole deal. I’d migrate this whole merry bunch to Thunderbird in a heartbeat if this was feasible, but I don’t think that would fly with the management because of that fucking Office Addiction.




22 Responses to No One Uses GPG With Outlook

  1. Tino GERMANY Mozilla Firefox Linux says:

    Just fight the office addiction and go for Thunderbird + Enigmail. It is clearly the right thing to do, since you need to prepare them for when you have to swap them over to Linux anyway around ~2014 :D.

  2. Luke Maciak UNITED STATES Mozilla Firefox Windows Terminalist says:

    Heh, I wish it would be that easy. Also, perhaps by 2014 I will finally launch that revolutionary startup and become rich and famous like I always wanted to. And no, I don’t have an idea for that startup. I just want it to be like the next Google or something. Is that too much to ask?

    lol

  3. jambarama UNITED STATES K-Meleon Windows Terminalist says:

    Yeah, can’t help you with Outlook. With Gmail there is a very smart, easy, and fairly user-friendly Firefox extension – FireGPG – that I’ve been using for some time. It works cross-platform (anywhere GPG works, although on Windows you need some BS package too – WinPT I think). It is free. It is open source. And the only difficult thing is generating a key pair – which can mostly be done with a script.

    So if you ever get off the office addiction and get a nice google apps box – you’re in good shape!

  4. John H. Mountcastle UNITED STATES Mozilla Firefox Linux says:

    I use GPG4Win, works like a dream, install was a breeze. Integrates smoothly with Outlook. The only shortcoming I’ve found is that it won’t work while you use Word for your email composition, so, just flip over to the built in word processor when you need to use encryption. You can switch back and forth between Word and the native processor with a click or two under Tools/Options/somethingorother. Give it a try. It’s worth the twenty minutes it will take you to install it and you can be sending encrypted emails for free, in no time.

    As if all this isn’t enough, it comes with an additional component that inserts itself into the right mouse click menu to encrypt decrypt files right from the file explorer. It’s so intuitive it hardly needs documentation which as it turns out is a good thing because there hardly is any.

  5. David Cumps BELGIUM Mozilla Firefox Windows says:

    I’ve been fighting over GnuPG and Outlook as well for the better part of the week.

    WinPT is silly in its tray and is unstable as hell when you press the magic sign email shortcut.

    GpgOL adds 2 little buttons to an email, with no configuration whatsoever. And it adds 2 attachments to every mail, so you get the actual mail, the mail again without the GPG stuff around it, and the GPG signature by itself.

    I’ll probably write myself a little Outlook addin in C# somewhere later this month which just calls the gpg binaries to sign/encrypt and verify/decrypt my mails.

    I’d say, bookmark my blog and you’ll probably see it pass one day ;)

  6. David Cumps BELGIUM Mozilla Firefox Windows says:

    As promised, here it is:

    http://blog.cumps.be/gpg-in-outlook-2007-outlookgnupg/

    An Outlook 2007 addin to add GPG support :)

  7. Andreas NETHERLANDS Internet Explorer Windows says:

    Hello.

    Just came across your blog and can only confirm what you write. I feel your pain ;)

    We tried to use Thunderbird/Enigmail in a corporate environment once.. it overloaded our mailserver after just a couple of weeks of heavy IMAP usage – plus the client gets really sluggish when there are a lot of folders. And we were only some 20 users… Till now I have not come across a usable replacement for Outlook (when you need collaboration and easy administration… a monkey with a keyboard can administer an Exchange server. No offence, MCSA holders :P).

    Office is replaceable nowadays (openOffice and co are great) but there is the overhead of migrating there that repels most companies.
    Why change something that everybody knows and can work with?
    Do the startup as you suggested. Maybe you will change something :)

    Steve Jobs surely did just by believing in something…

    cheers

    Andreas

  8. Plague UNITED STATES Mozilla Firefox Windows says:

    @Andreas

    Actually, I’ve seen the monkey with the keyboard, and trust me, Exchange was kicking his a$$.

  9. deuts PHILIPPINES Mozilla Firefox Windows says:

    I liked the way how you delivered your headache over here. @David Cumps addin, I would surely try that. Hope it’ll work without glitches! Thanks!

  10. kalahari875 UNITED STATES Mozilla Firefox Windows says:

    The gpg4win and other Outlook add-ins suffer from a critical flaw: when you decrypt mail, the client sends the decrypted mail message up to the Exchange server, where it sits decrypted waiting for any Exchange admin/hacker to read it.

  11. J UNITED STATES Google Chrome Windows says:

    I recently came across MailCloak; it works well with Outlook.

  12. davidr521 UNITED STATES Internet Explorer Windows says:

    @ J:

    How? According to their website, they support webmail only.

  13. J UNITED STATES Internet Explorer Windows says:

    @ davidr521:

    You probably found something else, the site for the product I was referring to is http://www.gwebs.com/

  14. David Cumps:
    Does the plugin work with OE?
    or
    Can it be made to?

  15. Russ UNITED KINGDOM Mozilla Firefox Linux says:

    Somewhat related to the Office addiction thing: if your company is addicted to Exchange for whatever reason, but you’d like to use Thunderbird or other nice clients instead of Outlook, I came across DavMail the other day. Not tried it, but looks like a good idea to me :-)

    Russ

  16. tony MALAYSIA Google Chrome Windows says:

    Thank you VERRYYY MUCH! I installed GPG and it didn’t work at first because it was indeed using WORD as the default editor. I turned it to plain text and it now works like magic, seamlessly!

    John H. Mountcastle wrote:

    I use GPG4Win, works like a dream, install was a breeze. Integrates smoothly with Outlook. The only shortcoming I’ve found is that it won’t work while you use Word for your email composition, so, just flip over to the built in word processor when you need to use encryption. You can switch back and forth between Word and the native processor with a click or two under Tools/Options/somethingorother. Give it a try. It’s worth the twenty minutes it will take you to install it and you can be sending encrypted emails for free, in no time.

    As if all this isn’t enough, it comes with an additional component that inserts itself into the right mouse click menu to encrypt decrypt files right from the file explorer. It’s so intuitive it hardly needs documentation which as it turns out is a good thing because there hardly is any.

  17. prx187 SWITZERLAND Google Chrome Windows says:

    Nice article and I came to the same conclusion: I found no “enterprise” viable solution for integrating Outlook and GPG.

    As a proof of concept I successfully installed SeaMonkey browser/email reader with enigmail and it was working very well with Gmail.
    Now: Is it viable to a company which decided to use MS-Outlook for emails ? probably not.

    A question remains for me: if a company is able to pay hundreds of thousands (if not millions) of dollars to Microsoft to use their programs (I guess they do not use only Outlook but probably the whole MS-Office suite), why do they talk about the cost of another software which is very well integrated (I used it in a company and it was the best Outlook integration)?
    If they decide to throw away MS and start using Linux and OpenOffice, the cost of license would be smaller but the maintenance and user support will certainly cost more.

    Example: 1’000 license PGP = ~140’000 dollars annually.
    Think about how many people you need to maintain a clumsy solution based on open source software and how much they would cost to the company?
    Another point: if they do not have such money, then the security is probably not an urgent issue: you have to balance between the security costs and (recovery cost (or loss of income in case of data stealing) + probability to be hacked/stealed )

    I am not against OpenSource and I use many (I am mainly programming in Java), but the idea (illusion) that it costs nothing is very strong in the people from management in general and this idea is just not realistic.

  18. Philipp GERMANY Mozilla Firefox Windows says:

    Well, I started to look for a safe way to send emails three hours ago. I installed gpg4win, read the first pages of the manual, made a public key, downloaded Outlook Privacy Plugin, installed that too and sent and decrypted several mails with Outlook 2013 since.

    Even though it’s an old thread, you should look into that.

  19. From the Future Mozilla Firefox Windows says:

    @ Luke Maciak:

    2014 is here..where is your “revolutionary startup”?

  20. Tino SWEDEN Mozilla Firefox Windows says:

    Oh my, is it 2014 already? Thanks @ From the Future for triggering an update. I don’t even remember posting in this thread, but I’m sure back in good ol’ 2008 the year 2014 must have seemed far away. Hey, Tino from 2008, you know all those things you worry about? Well, most of them work out ok, try not to stress out too much.

    As for my prediction, i.e., that Luke swaps his users over to Linux around 2014; well, a massive amount of regular people are using Linux on a daily basis now (the first phone with Android was launched in 2008, no less), so, meh, maybe I should count that prediction as a win. :).

    Let’s up the ante for 2020 (i.e., + 6 more years): we’ll have computers embedded inside our bodies, and no one is going to run Microsoft software on them.

    Hey, Tino from 2020, I hope you’ll find your way back here, and that everything will have had worked out for the best. (cf., Time Traveler’s Handbook of 1001 Tense Formations.)

    And Luke, I hope you did get that startup launched. But if not, best of luck in the race for 2020!

  21. Pingback: Keybase: Mostly Painless Public Encryption | Terminally Incoherent UNITED STATES WordPress
