Slashdot Mirror


NAI to Sell Off PGP Product Line

An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."

305 comments

  1. let's just hope by GoatPigSheep · · Score: 0, Funny

    Osama doesn't buy it

    --
    GoatPigSheep, the 3 most important food groups
  2. Rats... Ship by NitsujTPU · · Score: 4, Interesting

    If my product line was about to become illegal and wasn't selling well to begin with, I'd sell to the highest bidder too (and I'm sure it will sell high).

  3. Causes by Moonshadow · · Score: 5, Insightful
    Sales were slow...hardly surprising.

    The biggest potential users of this would have been the Slashdot types, and we're known for being fierce advocates of open-source and free (as in beer) software. The kind of "Why pay for something when you can write it yourself?" mentality is what helped kill it.

    The people that are most concerned about encryption are those least willing to pay for it.

    1. Re:Causes by happyhippy · · Score: 1, Insightful

      Yeah, and you don't know if there's back doors into the thing written by someone else. Or if it's effective.

    2. Re:Causes by tiny69 · · Score: 4, Insightful
      > The people that are most concerned about encryption are those least willing to pay for it.

      No, the people that are most concerned about encryption are paranoid enough not to trust commercial apps.

      --
      Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
    3. Re:Causes by Anonymous Coward · · Score: 1, Insightful

      it's not:

      Why pay for something when you can write it yourself

      it's:

      Why pay for something when someone else can write it for free

    4. Re:Causes by spudnic · · Score: 4, Interesting

      Not only was it not free, it was horribly expensive. We were looking at getting it for a public (read: poor) hospital that I was doing consulting work for a couple of years back. They wanted like $400 per workstation for their "corporate desktop" edition. There was no way they could afford $60,000 for this project.

      I see now the price is $179 per workstation on their website. Still pretty pricey for encryption.

      --
      load "linux",8,1
    5. Re:Causes by floop · · Score: 3, Insightful

      The reason why it's not a good seller is either people don't know about it or they think it isn't as important as $100 cost. We just bought 50 seats a couple months ago and were just about to buy 50 more and a key server. All due to people sending passwords in plain in email. The product has good email integration (with outlook anyway) and makes even the laziest person able to use it effectively.

      MS would be smart to buy and bundle it w/ outlook but modify it a bit so it's not openpgp compatible.

    6. Re:Causes by zeugma-amp · · Score: 3, Informative

      You're probably correct that many of the types who would be concerned enough with their privacy are geeks who would rather not pay for something they can get for free, but it had a presence in corporate environments. I fought a huge battle at the company I used to work for to get PGP implemented at a departmental and later at the VP level.

      One of the biggest initial issues was that people didn't understand it or the need for secrecy. Thankfully the group I was in had a need to periodically distribute root passwords and management was smart enough to realize that doing so in email was pretty darned dumb. Eventually I was able to get it adopted and we would encrypt a single message to the various people who needed to be able to read it. We also posted the encrypted file on our departmental webserver. It worked pretty well. When someone would leave the dept for whatever reason, we'd distribute the revoked key that was generated at the same time as their key, change the password, and repost the file.

      Another issue was price. It was pretty difficult to get higher-level approval for the expenditure. We eventually snuck it in one license at a time, and later were able to buy licenses in bulk as my senior manager and later VP understood the issues and thought the solution was worth paying for.

      Eventually an enterprise license was purchased. Unfortunately, the &*%($*%( lawyers wanted to force everyone to use escrowed keys. I'm not sure how it went elsewhere in the company, but we basically said 'sure', and kept using unescrowed keys for internal communications because 'root' is God's way of saying you have too much power.

      PGP's support of key-escrow was the worst thing they could do IMO from the standpoint of trust, especially for those paranoid enough to be really up on the tech. I never fully trusted recent versions of PGP, and use GPG now.

      --
      This is an ex-parrot!
    7. Re:Causes by gnomish · · Score: 1

      Quite true. Sadly, if encryption were offered as a basic part of Microsoft Outlook more people might take interest. However, few people are aware of how open their computers are to inspection. Encryption is really only an option for people that realize how transparent the internet is THEN realize that they really have something to conceal... a small minority indeed. It's my guess that the people that are aware just expect (and hope for) obfuscation by means of proliferation.

    8. Re:Causes by Anonymous Coward · · Score: 2, Informative
      > Sadly, if encryption were offered as a basic part of Microsoft Outlook more people might take interest

      Encryption is offered as a basic part of Outlook. It's called S/MIME, and is fully integrated into the mailer (far more fully than PGP, as a plug-in, will ever be - the S/MIME support is completely transparent).

      (I don't use Outlook, and never will, I'm just pointing out that it's had transparent crypto support in there for awhile. People don't use it because they couldn't be bothered, not because it's not there).

    9. Re:Causes by Llanfairpwllgwyngyll · · Score: 2

      Actually, lots of us DID use it - we'd use GPG for personal use, and the companies we worked for would use PGP (at our request). The commercial version had features necessary for business use, but still interoperated with the free version.

      Unfortunately, the support sucked very badly. THAT seems to be the real problem; it didn't exactly inspire confidence.

      Note that we wouldn't have bought the commercial version without the existence of GPG and the OpenPGP RFC. This gave us the assurance that IF Network Associates went bust (or in this case just dumped PGP) that PGP itself would not disappear. Setting up an effective Corporate PGP infrastructure is not trivial.

    10. Re:Causes by ssimpson · · Score: 2

      "The biggest potential users of this would have been the Slashdot types"

      Slashdot types generally run Linux / Solaris / *BSD and have more sense than to run closed source security packages produced by NAI.

      Come to think of it, most users here have an operating system that comes with GnuPG! Why would you bother using PGP at all?!?

      --
      "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
    11. Re:Causes by Computer+suck! · · Score: 0

      >MS would be smart to buy and bundle it w/ outlook but modify it a bit so it's not openpgp compatible.
      Why? MS Outlook already supports signing/encryption & decryption using X.509 keys.
      Why bother with PGP as well?

      CS!

    12. Re:Causes by Anonymous Coward · · Score: 0

      We paid $102 each for it, in very low numbers. We did pay $8,000 for the server and sdk software.

    13. Re:Causes by ichimunki · · Score: 4, Informative

      While it's offered and appears to be integrated, I think you should actually use it on a regular basis before you say it's transparent. I highly doubt that it is anywhere as easy to use as PGP/GnuPG are-- even in conjunction with Outlook.

      First, no good security is transparent. At some point you, the user, have to create and share your own keys and verify that the keys you receive are valid (even with a web of trust, you have to correctly verify at least one other key to get into the loop).

      I don't see how the certificates issued for Outlook users have any real trust built in. How did the Certificate Authority verify that the person requesting the key was really who they said they were-- and what about people with same or similar names? Even if they somehow verified the name, how do I know I've got the right "George Bush"?

      Second, you still have to train people to understand the process and then to use it. If you tell them they have to fill out some long form just to get a certificate, they are likely to say "forget it", unless they have serious security needs-- in which case, they are hopefully not Outlook users in the first place. :)

      Third, seriously, if secure email is your priority, why would you stack two or three proprietary, closed-source solutions one atop the other? Especially when there is an open source option available for both. Believe me, once you've generated your key for GnuPG on Linux and checked two simple options on KMail, the only non-transparent part of secure email is typing in your passphrase (and of course, obtaining and verifying other keys).

      And then there's the problem of the fact that the Outlook security features did NOT use an existing standard for personal public key encryption-- PGP. Hopefully, Microsoft will buy them. Really. And integrate PGP into their mailer. That way the established crypto-using community and Outlook users can begin to interact in a meaningful way. I realize S/MIME is a "standard", but I've not seen it used at all... and the very limited uses for personal security that I've seen (even Slashdot didn't get it right when they ran interviews with Phil Zimmermann), all involved PGP, or the OpenPGP standard. I mean, the blink tag is/was a standard too, but...

      --
      I do not have a signature
    14. Re:Causes by Publicus · · Score: 1

      Amen to that, and the people who buy software are too clueless to even think that they risk having it read by anyone who wants to. What? My email is insecure, but AOL says that it's safe! I think the market is the AOL types, who are completely unwilling to try anything if it requires any thought or concentration - ie, so easy, no wonder it's number 1!

      I'm going to have to change my nick, I'm losing faith in mankind.

      --

      My Karma was at 49, then they switched to words. All that work for nothing!

    15. Re:Causes by benb · · Score: 1

      > I realize S/MIME is a "standard", but I've not
      > seen it used at all...

      S/MIME is big in the business sector, much like PGP in the private one.

    16. Re:Causes by The+Larch · · Score: 3, Insightful
      I've recently played around with both PGP and S/MIME with Outlook Express. The integration really is much better than with PGP -- where the built-in S/MIME has a clear advantage is when you have to regularly send file attachments, which is frequently the case if you need encrypted email in the first place. With PGP, you have to separately encrypt each file and perhaps rename them, or zip them up and encrypt the archive. It's also a minor pain having to keep picking out recipients from a long PGP keyring, since the plugin can't look up your recipients and doesn't even let you create recipient groups to duplicate the ones in your address book.

      PGP's key distribution mechanism is better -- you can (in theory) communicate with someone you don't know by just retrieving the key from the server and checking the chain of trust. In practice, however, you often don't actually have a chain of trust to the person, since only a couple of his friends have signed his key. With the built-in S/MIME, if you don't have someone's certificate in your address book, you need to get it from them directly.

      Getting a S/MIME cert signed by one of the CA's preinstalled in Windows does involve some security. It need not be much -- e.g. thawte.com offers free certificates that are valid for one year and identify nothing more than your email address. For a modest fee and some bureaucracy, your name can be slapped on to your cert.

      The built-in S/MIME's big failing is the terrible documentation and the highly complex security model -- the user will have to expend much more effort to actually use it securely. For example, very little guidance is given when you're creating your keys with the wizard. You're asked to pick from three security levels which. If you pick the lowest level, your keys are available for programs to perform signing and decrypting operations automatically, without your intervention. If you pick the intermediate level, you are asked to confirm operations (a dialog box pops up saying "An application is requesting access to a Protected item."; in the Details you can see the name of the executable but no more information is offered). Only if you pick the highest level do you get to enter a pass phrase to protect the key. Backing up your keys is not clearly explained, and understanding the escrow features seems to require a good understanding of the Win2k security model, and I never bothered.

      And of course the built-in S/MIME encryption is a Microsoft security product built on top of Microsoft's security services in a Microsoft Windows environment, so you're always one Nimda away from sending out your client's business requirements to all your other clients anyway. What would be really great would be S/MIME support in one of the better Unix MUA's, with a freely available key certification authority (verifying the email address only would be sufficient) and keyserver network.

    17. Re:Causes by JLinden · · Score: 1

      Um, I think that was the point

    18. Re:Causes by Anonymous Coward · · Score: 0
      > And then there's the problem of the fact that the Outlook security features did NOT use an existing standard for personal public key encryption-- PGP.


      FYI, Microsoft actually did follow a standard when
      implementing Public Key Cryptography in Outlook and
      Outlook Express. It is called X.509. There are about
      a dozen RFCs covering it so I won't list them here.

      cheers
    19. Re:Causes by Anonymous Coward · · Score: 0

      > I realize S/MIME is a "standard", but I've not seen it used at all.

      Who supports SMIME out of the box:
      + Microsoft
      + Lotus
      + Novell
      + Netscape

      Who supports PGP out of the box:
      + Nobody

      (I agree that SMIME is not that popular, but it has key management features that are absolutely essential in a corporate environment. You can't have a 'web of trust' when someone might be escorted out the door by security at any time. I signed up for a Thawte personal cert because the hooks in most mailers are just sooo much better than PGP's.)

    20. Re:Causes by wganz · · Score: 1

      My company talked to them due to HIPAA regulations and it was going to cost roughly $10,000 to put PGP on 11 NT servers. Once the 'C' level exec's (as in CEO, COO, CIO) saw the price tag, Open Source GPG looked really good, really quick.


      They priced themselves out of the market like Apple did.


      Goodbye & Good Riddance to that bunch!!


  4. So They Buy It, Close It Off, Then Axe It? by Lethyos · · Score: 2

    What's going to happen to this project now that it's no longer under development? Certainly we have GPG, but PGP is a long time trusted name. Are they going to reopen it like it once was or is it now entirely dead - in the software graveyard with so many other projects that were kept closed after being pronounced dead?

    --
    Why bother.
    1. Re:So They Buy It, Close It Off, Then Axe It? by Anonymous Coward · · Score: 1, Informative

      The source code for PGP has been available for some time, at least the earlier versions of it. See http://www.pgpi.org unless you're in the US in which case it's illegal for you to use this version derived from the source.

      Jason Wallwork

    2. Re:So They Buy It, Close It Off, Then Axe It? by Spootnik · · Score: 2

      NAI is getting quite a reputation, albeit a bad one, for sending its retail customers on wild goose chases in search of after-sale support that simply doesn't exist. The sad fact is when you buy an NAI product all you get is what comes in the box. You want support and upgrades? You won't be getting them from NAI.

      Check their Web site and you'll find a few simplistic FAQs that reveal nothing you didn't already know and some Forums that are ignored by NAI staff.

  5. I wonder... by neema · · Score: 2

    I wonder how much of this comes from the fact that Zimmermann was receiving hate mail for reports that Osama Bin Laden was using his encryption for communications, something he resorted to after he found out the US can monitor his satellite phone conversations.

    But doesn't Osama know... the download page specifically says for US residents only!

    1. Re:I wonder... by Anonymous Coward · · Score: 0, Flamebait
      you are such a fucking dumbass, this almost doesn't deserve a reply.

      #1 - there is an international version of pgp, called ipgp.com, Mr. cocksmoker

      #2 - zimmermann didn't get hate mail, he got, erroneously, compassionate mail -- mail that said "don't blame yourself". HE NEVER BLAMED HIMSELF, nor should he. He didn't acquiesce, though the times reporters made it seem so.

      #3 - there is no evidence, suggested or otherwise, that bin laden or any of his cockgobbling taliban assfuckers, ever used pgp. don't feed the hype, loser.

    2. Re:I wonder... by Anonymous Coward · · Score: 0

      How did this get marked up to a 2? OBL used encryption and data merging inside a pix. This means that NSA/CIA/FBI has to figure out WHICH pix on the net holds info (good luck), but then once you get it, now you have to decrypt it. The implication of the parent post is that Zimmermann's PGP enables this. Yet ALL 4 year C.S.'s are taught RSA encryption. Likewise there is Blowfish and a large number of easy algos. Finally, 50% of the world allows for encryption, just the USA and China are trying to stop it. OBL has > $100M at his disposal. Does anybody with at least half a brain really believe that OBL is incapable of finding a first year programmer who can write ~20 loc?

    3. Re:I wonder... by child_of_mercy · · Score: 2

      Bugger all I imagine as Zimmermann left the project a few months ago

      --
      'There is a Light that never goes out.'
  6. No one buys it because by Anonymous Coward · · Score: 2, Insightful

    No one is really interested in "protecting" their private emails. Who needs really good encryption software?

    Banks,
    Governments,
    Military,
    Terrorists,
    Other criminals,
    12 year old girls writing in their diaries,
    and?

    The whole point of technology and the push of civilization has been the dissemination of information and ideas. Encryption runs so much against this concept that it's no wonder that people both don't understand its necessity and don't want it.

    What other outcome could have been expected, selling such a product?

    1. Re:No one buys it because by RedLeg · · Score: 2, Insightful
      • Customers of Banks
      • Folks in fear of Governments
      • Militant Freedom Fighters
      • The Persecuted
      • 12 year-olds who are entitled to their civil right of privacy
      • and
      • you
      • I
    2. Re:No one buys it because by Anonymous Coward · · Score: 0

      Maybe you. Not I. Do you happen to fall into one the categories higher up in the list?

    3. Re:No one buys it because by Anonymous Coward · · Score: 0

      You don't use banks?

    4. Re:No one buys it because by Anonymous Coward · · Score: 0

      My bank uses encryption, I'm sure. That's why I put it in the list of entities needing to use the technology. I don't use encryption, though, to use the bank. In fact, it's probably pretty easy to rip me off using a forged check, but encryption wouldn't help me there anyway.

    5. Re:No one buys it because by Dr.+Awktagon · · Score: 2

      Well I use it (PGP on the mac, and GPG on the ol' Linux) to encrypt all my private files, which include bank accounts, credit cards, love letters, files of passwords, sensitive data from clients that would rather not have the info public.. then I use rsync and copy them to remote computers (with the owner's permissions of course). That's how I've been doing all my backups for a while now.

    6. Re:No one buys it because by Chasing+Amy · · Score: 5, Informative

      In 1785, a resolution authorized the secretary of the Department of Foreign Affairs to open and inspect any mail that related to the safety and interests of the United States. The ensuing 'inspections' caused prominent men, like George Washington, to complain of mail tampering. According to various historians, it led James Madison, Thomas Jefferson and James Monroe to write to each other in code - that is, they encrypted their letters in order to preserve the privacy of their political discussion.

      Government has shown time and again that it cannot be trusted not to eavesdrop without warrant and cause, whenever it thinks it can get away with it. The infamous FBI bugging of Martin Luther King and just about everyone else with political clout comes to mind. It was little more than thirty years ago, too, so don't complain my example is outdated. Or how about the recent study which found over 2,000 illegal, unwarranted wiretaps were performed last year? And that's just the ones we found out about after the fact.

      The dissemination of information and ideas is one thing. Not leaving people alone long enough to gather information and form ideas, without fear of the Secret Police wondering why we're looking at that particular information and forming those particular ideas that it may not like, is a potential downfall of civilization.

      Civilization is only advanced where ideas, even new and very jarring ones, are permitted to flourish. Today Socrates is considered to be the bedrock of all Western philosophy, since his pupil Plato wrote all the founding philosophical explorations. But recall that in his own time his ideas, nearly universal in the West today, were considered dangerous and he was executed for expressing them by the then-most-free society in existence, the birthplace of Democracy, Athens.

      Encryption is the only way to express ideas without fear of reprisal by regimes which are not on the cutting edge of human rights, much as the U.S. is not. It is the sole way to protect one's privacy with any certainty from arbitrary invasions. Therefore we would do well to promote encryption, as a way to ensure that our rights are protected and respected. I trust myself to protect my rights with encryption, more than I trust the FBI, ATF, DOJ, etc., to do so with empty platitudes. And on this point I am in the company of George Washington, Thomas Jefferson, James Madison, and James Monroe--I'll take them to John Ashcroft, Janet Reno, the FBI and ATF agents who murdered innocent people at Ruby Ridge, and their ilk, any day.

      --

      Chasing Amy
      (We all chase Amy...)
      "The more corrupt the state, the more numerous the laws"-Tacitus
    7. Re:No one buys it because by maxpublic · · Score: 2

      I use encryption when I don't want other people to read my email. My mail isn't anyone's business, whether it goes via the post or over the net. In fact, I have a right to privacy:

      Fourth Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

      The Fourth Amendment has been interpreted to include snailmail and phone conversations. I see no reason why email should be different, yet because my government seems to hold a different view I use encryption.

      To insinuate that a private citizen other than a 12-year-old girl would have no use for encryption unless they were a terrorist or a criminal is just plain stupid, not to mention irrelevant. It doesn't matter if the content of my letters is boring and trivial, I still have a right to privacy.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
    8. Re:No one buys it because by sql*kitten · · Score: 2, Interesting

      > The whole point of technology and the push of civilization has been the dissemination of information and ideas. Encryption runs so much against this concept that it's no wonder that people both don't understand its necessity and don't want it.

      You have it backwards. Civilization is about privacy. It's about having the freedom to do what you want to do rather than what the tribe wants you to do. It's about being free to disagree, being free to do something your way if you don't like the way everyone else does it.

      As Bruce Schneier said, "it's not enough to protect ourselves with laws of men, we must protect ourselves with laws of mathematics". That is going to be true as long as there are people on earth who are willing to kill other people for what they believe.

    9. Re:No one buys it because by yatest5 · · Score: 1

      I find it hard to believe this drivel has been modded up! Who needs it?? Er, people who don't want others to read their email? Companies? Have you heard of the word confidential???

      So you can mod that list to

      and companies.

      Yeah, no-one needs it, you're right.

      --
      • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
    10. Re:No one buys it because by Anonymous Coward · · Score: 1

      > But recall that in his own time his ideas, nearly universal in the West today, were considered dangerous and he was executed for expressing them by the then-most-free society in existence, the birthplace of Democracy, Athens.

      Good post. I'll note that Socrates was probably executed because his questioning led to people opposing democracy, or at least Periclean democracy (which in its specifics is unlike anything we have today). Read the Republic for some of his weird [& apparently fascist] political ideas. It's hard to be sure what Socrates really thought since he didn't believe in writing things down. So anything he had to say is filtered through Plato, Xenophon or Aristophanes (heh).

    11. Re:No one buys it because by Anonymous Coward · · Score: 1

      I used to use PGP, about five or six years ago. But frankly, I don't have that much which is worth encrypting. I could encrypt my Gnucash save files, but almost all of that information can be found out simply by intercepting my bank statements, etc. Also there is the hassle of "what if I forget my passphrase."

      So I haven't used PGP since 1996, and I haven't missed it. If I had anything really secret and important, you can bet I would use some encryption. But my work is made to be published eventually, and my personal life just isn't that interesting. So maybe you need encryption, but I sure don't.

    12. Re:No one buys it because by Weh · · Score: 1

      come on, that's really not a description of what civilization is about. Things like individual freedom may be a part of our modern civilization but they are definitely not essential to civilization. Civilization can take many forms, look at history, there have been so many civilizations and a lot of them had different social structures in which individual freedom may have played a small or large role.

      I think what you may have been thinking of is the difference between a primitive or tribal society in which the distinction between the individual and the group is vague and a more advanced or "civilized" society in which there is more distinction between the group and the individual.

      Just because a society/civilization recognizes the difference between individual and group does not mean it values individual freedom.

    13. Re:No one buys it because by Weh · · Score: 1

      so do you encrypt your regular mail as well ?

      It's a little weird to me: Governments have been able to intercept and read individuals' mail for ages and no one has really cared. Now that email is here people are suddenly becoming paranoid. I understand that it might be easier to filter/search email en-masse etc. but that doesn't mean that some of the paranoia is hyped imo.

    14. Re:No one buys it because by maxpublic · · Score: 1

      You're missing the point. The courts have explicitly stated that the Fourth Amendment applies to snail mail; the government can't open and read my mail without a warrant (whether they actually do is a question for another conversation).

      The courts have refused to provide the same protection for email, even though I see no functional difference between email and snail mail. Because the courts *won't* apply the Fourth Amendment to email, *I* apply it myself with encryption.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
    15. Re:No one buys it because by Weh · · Score: 1

      ah, ok like that, I didn't realize that. Thanks for explaining...

  7. PGP... by Maskirovka · · Score: 3, Troll

    Pretty Good Pinkslips
    oh wait...oxymoron

  8. Once is coincidence... by farrellj · · Score: 4, Insightful

    Twice is enemy action...

    First ZKS shuts its services, now PGP is orphaned...it does not take a conspiracy fan to put this together.

    ttyl
    Farrell

    --
    CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
    1. Re:Once is coincidence... by Milican · · Score: 1, Offtopic

      Leave then AC.

      JOhn

    2. Re:Once is coincidence... by Anonymous Coward · · Score: 0

      Like the one who modded you down?

  9. Not terribly surprising by Reality+Master+101 · · Score: 2

    There just aren't that many people who care about e-mail encryption. I understand all the arguments and the technology, and *I* don't care about it. I can only imagine what someone who doesn't know about the issues thinks about it.

    And frankly, I wouldn't care about sending all my mail on postcards without envelopes. I can't even think of any personal mail that I would care about some anonymous postal worker reading, even if I thought postal workers sit around reading letters that zoom by. Except for maybe things with credit card numbers or bank numbers, but I wouldn't send things like that through e-mail anyway (and I venture to say that most people are probably savvy enough to know that's bad as well).

    --
    Sometimes it's best to just let stupid people be stupid.
    1. Re:Not terribly surprising by yatest5 · · Score: 1

      No, you're right. The only people who care about people reading their mails are companies working on things they don't want their competitors to know about yet. Oh, that's all of them.

      --
      • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
  10. *sigh* by beowulf_26 · · Score: 3, Funny

    Now I'm going to have to bust out my old Hardy Boys Detective handbook to learn how to encrypt my messages. Everybody jump to OSDN as I'm officially starting the HaBOSEP (Hardy-Boys Open Source Encryption Project). Just send me 2$ for your secret decoder ring.

    Say it ain't so, PGP, say it ain't so.

    --

    --I hate big sigs.
    1. Re:*sigh* by ThatComputerGuy · · Score: 2, Funny

      Hell, if ROT13 is good enough for ebooks, why isn't it good enough for you?

      Or you could just ROT26 your stuff. The ease-of-use factor sure beats anything else.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:*sigh* by orangesquid · · Score: 1

      Actually, ROT26 is fun with non-English alphabets. Not only does it change the data, but it's non-symmetrical (except for 52-letter alphabets.)
      :)

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    3. Re:*sigh* by ThatComputerGuy · · Score: 1

      Be careful of what you say around here, you've already probably broken some obscure language's ebook encryption routine!

      --
      XML is like violence. If it doesn't solve the problem, use more.
  11. Sales Would Be Great by zentec · · Score: 2, Informative


    If NAI didn't want to charge $5,500 for a server based encryption package. Up from $1,000 for a *two year license* for PGP version 5.

    NAI is a bunch of idiots anyway. They totally screwed over people when they took over the Gauntlet firewall suite. First, "you need to migrate to NT, all Unix Gauntlet packages will be discontinued". Ok, 18 months later "Gauntlet for NT is now discontinued".

    Hopefully, someone will pick up PGP and offer it at a price people can afford.

  12. Disappointing sales? by sllort · · Score: 5, Insightful

    This product never ceased to amaze me. PGP 7.1 included, among other things:

    - an encrypted IPSEC/IKE compliant VPN
    - encrypted hard drive software (public key or shared secret encryption)
    - Encrypted Email with multiple mail client integration
    - Myriad windows hooks, like "encrypt clipboard"
    - A secure file and hard drive wiper
    - A full-blown INTRUSION DETECTION SYSTEM with email alert that would attach itself below the NDIS level.

    ...all for $30. I'm not a big fan of buying software, but I bought this religiously because it was a steal, just for the IDS. I always wondered how they could afford to put so much top-notch development into such a cheap product (I never found a serious bug, and I've worked it over hard. That's a rare thing to be able to say about a windows networking application).

    The answer appears to be that they were dumping serious development funds into this product and were expecting massive sales. If you asked me to point a finger at the cause of death, I'd say they were overambitious. Too many developers building too much functionality made it far too expensive. All anyone ever really wanted was encrypted email. And perhaps if that's all they developed, supply would have matched demand.

    Then again, hindsight is 20/20.

    1. Re:Disappointing sales? by undie · · Score: 3, Informative

      I'd agree that's a steal, but not for the IDS - it's not even signature based, it's got some canned 'attacks' built in but there's no update facility.

      On the other hand the personal firewall PGPnet includes has quite a flexible rule interface, and works really well. And the rest of the package is amazing.

      I'm also concerned about the on-hold status of Gauntlet Firewall/VPN. A really good product that was just starting to get even better with the 6.0 release, and now its future is very uncertain. Gauntlet's roots are in open source too, as it evolved from the Firewall Toolkit.

    2. Re:Disappointing sales? by The_Messenger · · Score: 0, Interesting

      You meant $300, right? Check their price list lately, bub?

      --

      --
      I like to watch.

    3. Re:Disappointing sales? by Anonymous Coward · · Score: 0

      "I always wondered how they could afford to put so much top-notch development into such a cheap product "

      They can't, that's the problem. They charge too little. Even if they just develop the e-mail plug-in they charge way too little.

    4. Re:Disappointing sales? by Anonymous Coward · · Score: 0

      - an encrypted IPSEC/IKE compliant VPN

      -It also has support for smartcards. I've put my pgp-key on an eToken usb-smartcard
      to authenticate against a linux vpn-gateway running FreeS/WAN (with X.509 Patch).

      It's not an out-of-the-box solution, but that's how we like it, right?

  13. What happens now? by DarkZero · · Score: 2, Interesting

    What happens to a great commercial program after it's permanently axed by its creators? Do we just pirate the Hell out of it now and generally continue to use it, since the encryption will probably be good for years to come, or is there some reason that we can't or morally shouldn't?

  14. 300 employees by Anonymous Coward · · Score: 1, Insightful

    Ok, so maybe I'm a moron, but can anybody explain to me why it takes 300 employees to do this in the first place? Good grief!

    To support a staff that size, annual sales would have to be, what, maybe $50 million, maybe double that?

    Either

    a) this was stupidity
    b) this was greed (hoping for massive overpriced corporate sales)
    c) I'm on crack.

    1. Re:300 employees by Anonymous Coward · · Score: 0

      Worldwide deployment takes many people.

    2. Re:300 employees by happyhippy · · Score: 0

      Well there's going to be a lot of tech guys for the computers to run the complicated key generations. Can you imagine trying to get two 128 bit primes (or whatever bit primes it takes to get a 128 key)? And keep a record of them?

    3. Re:300 employees by MaggieL · · Score: 1
      can anybody explain to me why it takes 300 employees to do this

      I don't know. As I recall, Zimmermann wrote the original package all by his lonesome and then made it freeware so Agent Smith and company wouldn't show up and erase it...and him.

      --
      -=Maggie Leber=-
    4. Re:300 employees by Anonymous Coward · · Score: 0

      .
      .
      Correct response: all of the above ? :-)

    5. Re:300 employees by Anonymous Coward · · Score: 0

      Who says that the "300" people who lost their jobs were developers? I can see it now:

      Buyer: OK, here's $xx million for your product line.
      NAI: OK, here's your CD with the source code. Have a nice day.

      Most of the people who lost their jobs were probably sales staff. Although, I'll bet there will be a bunch of others looking.

    6. Re:300 employees by Raxxon · · Score: 1

      Easy.

      Developers. Dedicated sales to the product line. Front line support. Back line support. Enterprise account support reps. Sales Engineers.

      It's very easy to hit 250 to 300 people, however not all of them are going to be axed most likely. They'll keep a few developers and move them to other products and maybe some of the Enterprise support people.... Most likely all the sales droids.....

    7. Re:300 employees by Marcos+the+Jackle · · Score: 0

      Yes, you are on crack, moron!
      The PGP unit is not just the PGP encryption package. It also includes the Gauntlet team as well. And when you have sales, support, developers, QA, and admin people for both PGP and Gauntlet *around the world* then 300 people is a pretty lean operation.
      I work (yes, still) for PGP... and I have to say that this whole /. topic has made me sick. More than ever you slash-holes have proven what a piece of shit /. has become. What a bunch of losers...

      FU /.

  15. tools vs apps and PGP prevented hacks by shibut · · Score: 2, Interesting

    To me this is just another example of a tool/IP business model not making it even though it is useful technology and if it were gone it would be sorely missed. Still, businesspeople don't have the capabilities of valuing a tool that is not an end product (show me an MBA that sees encryption as an income generating end-product and I'll show you a geek in wool/MBA clothing). Also, I have yet to hear of a major money draining hack to a corporation that could have been prevented by PGP, I believe the stolen credit cards etc were obtained by hacking the system open, not listening on the lines. Anyone know of such an example?

  16. Maybe GnuPG had something to do with this by Bistromat · · Score: 2, Insightful

    Since most users of public-key crypto are (presumably) technologically oriented, most of them are probably also aware that GnuPG offers the same functionality, but free, and open-sourced to boot. Why bother paying for PGP when GPG is free, integrates with your favorite email clients (an Outlook plugin is even available), and offers the same or better encryption? GPG effectively made PGP unprofitable. Nobody who knows better would use it.

    And, like the poster above mentioned, since the tech is facing a serious risk of becoming illegal, investing too heavily in it might not be wise from an economic standpoint.

    --nick

    1. Re:Maybe GnuPG had something to do with this by Skorpion · · Score: 1
      GPG is a nice program but I wouldn't dare to call it a competitor. What your average corporate user wants is a company you can negotiate with, support, professional step-by-step manuals, easy to install software package, user friendly interface. GPG still has none of these. It is a frame with engine, wheels, transmission, seats and an arc-welded trunk to keep stuff in, and it does its thing but corporate users want cars, not the cores of the cars.


      I once worked as a software designer (working on - non-incidentally - a PKI software) and boy, I was surprised what features were considered too complicated for your average user. GnuPG is a nice product (I'm small part of its team) but it has a loong way to go before it will reach corporate desktop.


      OTOH much more suited for your casual Joe Luser is S/MIME. It also has drawbacks but all things you need to do is to get a certificate, and then click 'sign' or 'encrypt' in message properties before sending. It is almost simplified to the point where your average manager can learn it. You can even teach it successfully to a CEO (been there, done that).


      Alex

  17. Coincidence? by Bud+Dwyer · · Score: 4, Insightful
    Okay, since September 11, we've seen Zero Knowledge Systems shut down their Freedom anonymizer service due to "lack of sales". Now we're seeing Network Associates dropping their encryption products due to "disappointing sales". We've seen encryption developers renounce their creations.


    Is this a coincidence? Or is there some government pressure in action here? What's the next step? Pressuring ISPs of distribution points for Open Source encryption products? When that happens, I'm sure we'll be re-assured by the ISPs that they have sound economic reasons for disallowing encryption software; but that won't make it go over any easier with me.

  18. Encryption == Big Bucks by Mdog · · Score: 1

    Contrary to what the article poster had to say, RSA makes a LOT of money. What does not make money, it seems, is trying to sell a free product (asbestos).

    1. Re:Encryption == Big Bucks by bananafish2000 · · Score: 1

      Or maybe not. RSA have just announced they are laying off 15% of staff and the remaining US staff having a 10% pay cut.

      All does not look good for cryptography companies.

    2. Re:Encryption == Big Bucks by Tassach · · Score: 2

      All does not look good for cryptography companies


      All does not look good for MOST companies. In case you haven't noticed, the economy is in the shitter. Everybody's feeling the pinch, not just tech companies.
      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  19. It's unfortunate... by Anonymous Coward · · Score: 1, Insightful

    ...to see what appears to be the demise of PGP. But I have to wonder how much of this is related to the recent occurrences, and the resulting suggested legislation, and how much is related to the pricing models they had for the commercial product.

    Their biggest users could have been corporate, but at a couple hundred bucks a shot, most corporations had a hard time convincing themselves it was worth it on a large scale - and most of the Engineering types would go with an (unlicensed for commercial use) Non-commercial version or GPG.

    I've actually had to fight that battle in a large corporation - trying to do secure data distributions to a fairly large number of people in a corporate environment. Some departments balked at having to buy licenses for their users - others simply installed GPG.

    Add in the fact that too many mainstream users can't figure out how to use it (including some otherwise bright people) and it's not a big surprise that PGP was a commercial failure.

    1. Re:It's unfortunate... by decesare · · Score: 2, Insightful

      Their biggest users could have been corporate, but at a couple hundred bucks a shot, most corporations had a hard time convincing themselves it was worth it on a large scale...

      Good point, but I think that there's more to it than that. I know of companies that don't want their employees having encryption products available (and of a few that outright ban them as a matter of policy). While none of these outfits come right out and say so, I'd imagine that if employees start using encryption, companies would have a much more difficult time monitoring employee e-mails. Sad, but probably true.

  20. Re:Nice icon! by Anonymous Coward · · Score: 0

    Actually, I think they just added a new category. Watch what happens when u click on the PGP icon - it takes u to nowhere (aka there are no stories to click on, what will I do? Whew, thank god for the back button).

    F-bacher

  21. understandable by jchristopher · · Score: 1

    Slow sales aside, perhaps it's just not a good time to be selling encryption (from a political standpoint).

  22. Damn, and I was just going to email Will Price by SinceEBCDIC · · Score: 1

    to ask him when PGPdisk for Mac OS X was going to come out.

    This certainly puts a wrinkle in my undies :-(

    --

    I was born not knowing and have had only a little time to change that here and there. -- Richard Feynman
    1. Re:Damn, and I was just going to email Will Price by TWR · · Score: 4, Informative
      Don't worry; Disk Copy in OS X 10.1 has the ability to create AES-encrypted disk images (128-bit). The key can be stored in your keychain.

      Not the strongest encryption in the world, but it'll keep prying eyes away. You might have some issues exchanging disk images with non-OS X users, though.

      -jon

      --

      Remember Amalek.

    2. Re:Damn, and I was just going to email Will Price by SinceEBCDIC · · Score: 1

      Whoa! I'll have to check out the fine print. This one completely flew under the wire. Of course, given today's political climate, I'm not surprised that encryption isn't top of "to publicize" list...

      --

      I was born not knowing and have had only a little time to change that here and there. -- Richard Feynman
  23. Nothing surprising to me...why? by Anonymous Coward · · Score: 1, Insightful

    Because, I like most people am not interested in Encrypting or PGP, or whatever they offer. Maybe I would like it, but maybe I'd like Caller ID, and Call Blocking, and a host of other services from the phone company. But it's too much of a bother, so I don't touch it.

    And that's their problem, it's a bother, and they didn't go for the people for whom it may be a bother, but the cost is worth it. I'm talking about major corporations, the military, and the government. Getting them as clients would be steady money..

  24. Yeah :-/ by Brian+Feldman · · Score: 3, Interesting
    It was a pretty somber PGP all-hands meeting today; I didn't expect it, really, but I wasn't paying that much attention. TIS^H^H^HNAI Labs exists really pretty separate from PGP except for being part of that "business unit", and considering that we aren't "losing market share", costing the corporation money, or anything like that....

    So, luckily, the NAI Labs section of PGP was exempt from all this change and will be shuffled around more, but we're still here =) It's a bit disappointing to see your company admit failures like this, even if it's for the best interest of the company.

    --
    Brian Fundakowski Feldman
    1. Re:Yeah :-/ by Anonymous Coward · · Score: 0

      I feel your pain there buddy. I was a TIS SE who got burned during the big NAI stock crash of 99. I wonder how Steve Walker feels right about now.

      Chris "too lazy to register on Slashdot" Barker

    2. Re:Yeah :-/ by Brian+Feldman · · Score: 1

      I'm sorry to hear that, and can only hope you're doing something even better than before now. Likewise, despite not knowing anyone on that side of things in the "PGP division", I can't help but feel for everyone who's being let go at a time when things really were starting to look up.
      This even comes just after Terry Benzel was talking to the legislature! I guess that many other people saw it coming, but it was a shock to a lot of people at the Labs.

      --
      Brian Fundakowski Feldman
    3. Re:Yeah :-/ by Anonymous Coward · · Score: 0
      I haven't had a job since, man. My brother, a regional manager for Piggly Wiggly, offered to get me a pretty cool job in the french fry factory, but I just can't seem to get off the couch. I just eat pizza and masturbate, sometimes simultaneously.

      But at least I have free copies of PGP, which allows me to send secure email and prove my identity. Wow, maybe I am as cool as Mom says!

      Chris

  25. Encryption is alive - but PKI is dead by Ars-Fartsica · · Score: 5, Insightful
    PGP and its ilk are really only useful in the scope of a meaningful PKI infrastructure, which doesn't exist and never will, as there are insurmountable educational hurdles for home and even business users.

    How many among even the savvy group here maintain a valid PGP key that is available online? Of those, how many maintain their key in a searchable index? I presume the answer is less than 2%.

    How many of you have received an email either signed or encrypted in such a fashion and then actually used the sender's public key to decrypt/verify?? Probably 10% of readers here or less.

    And that folks, is why PKI and hence PGP are dead-ends.

    1. Re:Encryption is alive - but PKI is dead by fo0bar · · Score: 2, Interesting

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Well, it's all about convienence. I use pgp4pine which does automatic decryption/signature checking on incoming email, would automatically try to fetch public keys from PGP key servers, let you choose if you want to encrypt outgoing messages, just sign them or don't bother....

      Appearantly mutt has some decent PGP tie-ins. Hell, I remember Eudora used to have a PGP mode.

      Unfortunately, the implementation across OS's and mail packages are inconsistent, and that will probably be the demise of PGP/PKI.

      *shrug* What do I care? I don't mind using the clear envelope theory of sending email 98% of the time... The other 2%, it's usually to a friend or colleague who also has PGP.

      EOF
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.0.6 (FreeBSD)
      Comment: For info see http://www.gnupg.org

      iD8DBQE7xmqUKZYQqSA+yiURAiDRAJ9G3rMyNRJOHfpRDt+g 1V 2SLuQH9ACfU/HG
      9yhh23ifyYH57o1h5c+Y3Gg=
      =VK6P
      -----END PGP SIGNATURE-----

    2. Re:Encryption is alive - but PKI is dead by spudnic · · Score: 3, Interesting

      I had given PGP several chances. For one reason or another I'd get all fired up about it. I'd go and generate new keys, submit to keyservers, etc.

      Then it hit me. Who can I send this to? If I encrypt something, nobody is going to know what to do with it, not even most of my tech savvy friends. Even they don't have current keys that I could get hold of, so I couldn't encrypt it for them.

      I settled for signing my messages if for nothing else to spread the PGP word. That ended when I actually had someone who I respected on a mailing list tell me to stop wasting space by including all that "garbage" in every one of my messages.

      Geez.

      --
      load "linux",8,1
    3. Re:Encryption is alive - but PKI is dead by mosch · · Score: 2
      gpg: Signature made Fri Oct 12 03:59:16 2001 GMT using DSA key ID 203ECA25

      gpg: BAD signature from "Ryan Finnie "

    4. Re:Encryption is alive - but PKI is dead by ajna · · Score: 1

      I maintain a valid PGP key online. See my user page, for instance. (Of course, unless you knew my real email address, you'd be restricted to verifying my sig or posting an encrypted comment to me.) Last I checked, the key is in the MIT key index, so I'm part of the 2% subgroup as well. Finally, not that my anecdotal evidence changes things, I use encryption regularly (about 20% of all my email). It pays to be paranoid, ya know.

    5. Re:Encryption is alive - but PKI is dead by The_Messenger · · Score: 0
      I would've loved to get into PGP a few years ago, but in order for it to work, all of my friends and business associates would have had to use it, too. Some of my associates can't even spell PGP, and trying to convince the average computer user that privacy is important, and the government has no right to read any email no matter how lacking in importance, and that widespread use of email encryption is a good way to fuck over Echelon is just impossible. And, as you said, there isn't a standard directory service for keys -- we need something like DNS, but that resolves email addresses to public keys (and perhaps even reverse lookups). We'd call it PKS -- public key server. Could be used for more than email.

      So PGP doesn't work. But what alternatives do we have? PKI is amazing: it's simple, and it helps verify identity as well as hide cleartext, something that is VERY IMPORTANT because as you know SMTP is easy to spoof. Ideally, all email clients would have integrated PGP, and could automatically warn you if the sender's SMTP-apparent address didn't match the results of the PKS entry. This would be an excellent method for detecting spam.

      But we don't live in an ideal world. And after the events in September, your organization is likely to be thought criminal for suggesting that citizens have a right to privacy. And who knows; if Asscroft gets all of his wishes, we may have more things to be scared of than unencrypted email. *shudder*

      Anyway, IMHO PKI email is the only system that is simple enough to work on a large scale. Too bad no one knows about it or uses it. Maybe in the next life, I'll live in a country that is truly free, as opposed to one of rhetorical bullshit. If Franklin and other founding fathers could see us today, they would probably want to fly airliners into the Pentagon too.

      --

      --
      I like to watch.

    6. Re:Encryption is alive - but PKI is dead by Anonymous Coward · · Score: 0

      That's because a 8192 bit key is slightly out of line.

    7. Re:Encryption is alive - but PKI is dead by olla+podriga · · Score: 1

      Last time I bothered to install a Windows version of PGP it automatically tried to upload the newly generated keys to a keyserver. The infrastructure is alive, but it isn't trusted.

      You can't trust the average user with key signing since most of them just don't get what it's all about. So you end up with people signing keys just because it stops the annoying "could not verify.." message. That's what ruins the PKI infrastructure.
      The idea of a "web of trust" between PGP-keys works only if you can trust that everyone who has signed a key knows what he does. Many don't. Luckily there are trustcenters or other authorities who can sign your keys. But most of them want to be paid, that's what renders them useless for most of the end users since it's too expensive or cumbersome to get a certificate.

      The current PGP-PKI may be ruined because of many non-trustable signatures, but that can easily be fixed if some trustcenters would issue free or at least cheap signatures for home use. (Wouldn't it be nice to have your PGP-Fingerprint in your passport?)

    8. Re:Encryption is alive - but PKI is dead by kiwaiti · · Score: 1
      Here in Germany, well-known computer magazine c't (dead tree category) offers a free PGP key certification service on business fairs like CeBit (next chance is on Munich "Systems", Oct. 15-19) in order to promote cryptography.

      Kiwaiti

      --
      Member of the Legion Of Microsoft Haters
    9. Re:Encryption is alive - but PKI is dead by Elwood+P+Dowd · · Score: 2

      That's probably because slashdot munged the signature. With the rule against really long words. The same thing that screws up URLs. Iduno, would a gpg sig get damaged by an inserted space?

      --

      There are no trails. There are no trees out here.
    10. Re:Encryption is alive - but PKI is dead by ichimunki · · Score: 1

      That and you have no idea whether you should include the HTML markup in the text file itself or not. A host of issues affect posting signed bits into the middle of a web page like this without some guiding principles.

      --
      I do not have a signature
    11. Re:Encryption is alive - but PKI is dead by Anonymous Coward · · Score: 1, Funny
      I actually had someone who I respected on a mailing list tell me to stop wasting space by including all that "garbage" in every one of my messages.

      Maybe he meant the part above the signature.

    12. Re:Encryption is alive - but PKI is dead by Anonymous Coward · · Score: 0

      You mean the header?

    13. Re:Encryption is alive - but PKI is dead by smnolde · · Score: 2

      I got GnuPG to successfully verify the message after truncating each line and removing all whitespaces from lines around the 74th column.

      Your Info:
      Ryan Finnie
      KeyID 0x203ECA25
      Date: 2001-05-09
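
Added example (not part of any comment above, and not GnuPG's code): the replies in this sub-thread attribute the BAD signature to the forum software inserting spaces into long lines. This Python example applies the cleartext-signature text rules of RFC 4880 section 7.1 to a constructed sample and shows which edits leave the signed text intact (trailing whitespace, line-ending style) and which do not (an inserted space, a re-wrapped line). The function names are assumptions, and the digest covers only the canonical text, not the signature-packet fields a real OpenPGP signature also hashes.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def signed_text(message: str) -> bytes:
    """Extract and canonicalize the signed text of a cleartext-signed message.

    Rules applied (RFC 4880 section 7.1): skip the armor headers and the one
    empty line after them, undo dash-escaping, drop trailing spaces/tabs on
    every line, use CRLF line endings, and exclude the line ending that
    precedes the BEGIN PGP SIGNATURE line.
    """
    lines = message.replace("\r\n", "\n").split("\n")
    markers = [ln.rstrip(" \t") for ln in lines]
    try:
        start = markers.index(BEGIN_MSG)
        end = markers.index(BEGIN_SIG, start + 1)
    except ValueError:
        raise ValueError("not a complete cleartext-signed message") from None

    # Armor headers such as "Hash: SHA1" run up to the first empty line.
    i = start + 1
    while i < end and lines[i].strip():
        i += 1
    if i == end:
        raise ValueError("no empty line between armor headers and text")

    canon = []
    for line in lines[i + 1:end]:
        if line.startswith("- "):      # dash-escaped line: remove the escape
            line = line[2:]
        canon.append(line.rstrip(" \t"))
    return "\r\n".join(canon).encode("utf-8")


def text_digest(message: str) -> str:
    """SHA-1 of the canonical text only (SHA-1 as in the 'Hash: SHA1' header)."""
    return hashlib.sha1(signed_text(message)).hexdigest()


def survives(original: str, received: str) -> bool:
    """True if the received copy still carries the same signed text."""
    return text_digest(original) == text_digest(received)


# Constructed sample; this is not the message posted in the thread.
ORIGINAL = "\n".join([
    BEGIN_MSG,
    "Hash: SHA1",
    "",
    "Constructed sample text, not the message from the thread.",
    "- -- a dash-escaped line",
    "averyveryverylongtokenwithnospacesthataforumsoftwaremightbreakup",
    BEGIN_SIG,
    "(signature armor omitted in this constructed sample)",
    "-----END PGP SIGNATURE-----",
])

# Harmless in transit: trailing blanks added and LF turned into CRLF.
TRAILING_WS_CRLF = ORIGINAL.replace("\n", "  \r\n")
# What a long-word breaker does: one space inserted inside a long token.
SPACE_INSERTED = ORIGINAL.replace("forumsoftware", "forum software")
# What HTML reflow does: two signed lines joined into one.
REWRAPPED = ORIGINAL.replace("thread.\n", "thread. ")

if __name__ == "__main__":
    for name, copy in [("trailing whitespace + CRLF", TRAILING_WS_CRLF),
                       ("space inserted in long token", SPACE_INSERTED),
                       ("lines re-wrapped", REWRAPPED)]:
        verdict = "unchanged" if survives(ORIGINAL, copy) else "CHANGED"
        print(f"{name:30s} signed text {verdict}")
```
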

  26. Now what? by greenergrad · · Score: 1

    Just when I was waiting for an OS X version, too. Damn. Does anyone have any ideas for IPSec VPN client sw to use under OS X? PGP Corporate Desktop under OS 9 works great for getting through my PIX but I haven't found anything for OS X. Ideas?

    How do the open source PGP versions compare to NAI's PGP?

  27. Why I use PGP... by Bonker · · Score: 5, Interesting

    I just happened to have it installed instead of GPG, but I will probably make the switch now that it's being discontinued.

    1. Private Data... There's a lot of stuff that I do and say through email that is perfectly kosher, but is none of my company's or coworker's business, like emailing my wife whilst at work. I know for a fact that there are nosy people in my networking department, but 2048 bit D-H encryption makes this Somebody Else's Problem (tm) even though I am forced to use Exchange at work.

    2. Insecure Mail Servers... By the same token, I am forced to keep sensitive data on an Exchange server. It doesn't take a genius to see that any given company's Directory/Mail/Personal Info server is going to be one of a malicious cracker's first targets, if he or she is interested in doing anything other than 0vvnZ'ing the website. When the time comes... and it will... I will be able to say... 'No, my sensitive data was NOT compromised, because it was securely Encrypted.'

    3. Personal Liability. I'm a freely spoken individual. Some people don't appreciate it. If I say something in an email that could possibly be used against me later by the owner of a mail server, it goes in encrypted. By the same token, any personal files on my work PC belong to me, and not my company. Without my passphrase, they can't do shit with them.

    4. Geek factor. It is oh, so cool to be able to 'sign' an email, and advertise your public key. Mine is:

    http://www.furinkan.net/key.txt

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    1. Re:Why I use PGP... by indiigo · · Score: 2, Interesting

      If you use windows, slack space, temp files, etc. They can 99% of the time recover your "Safe" data.

      Trust me on this. Just went to a lecture for litigators for Corporate IP cases where IP was stolen, and they state they can recover data past the DoD 7 wipes, at a cost of 1 million. Likely not your case, but if they want it, they can likely get it.

      Unless you are wiping free space on your disk over 7 times after every "confidential" message, discovery teams using tools like safeback can get to it.

      --
      fslg503-985-8686503-985-8686503-985-8686503-985-86 8650 3-985-fdsg8686503-985-8686503-985-8686503-9
    2. Re:Why I use PGP... by edmudama · · Score: 3, Informative

      I am a firmware engineer for a large hard drive company, and though I guarantee I know how to make the disk unreadable by these tools, it is impossible to do with any "user" program.

      The way I imagine most of these recovery tools work is by reading sideband data off of the drive... When the write head is hauling ass around the platter and you want it to write to a given LBA, it never writes in exactly the same place twice. It might be in slightly different phase with the start of the LBA (5-20ns is common), and since it is a mechanical system, an LBA isn't a perfect arc... it can tend to wobble.

      Using in-house diagnostic tools we can "force" the servo code that is supposed to keep the read/write heads centered to a prescribed amount off to the side... If you had an event where the sensitive data was written .1 tracks towards the outer diameter from center, and on a subsequent pass (the 7x overwrite) you wrote your data smack down the center of the track, then it would be possible to position your read head around .3 to .4 tracks towards the OD, crank up the gain in the read channel, and recover that "sideband" data. It would be an absolute pain in the ass, but it is possible. Of course, this setup would probably take roughly 30 mins-2 hours per LBA to calibrate, read, and decode, and on a 100 gig disk that'd take a LONG time...

      --eric

      --
      More data, damnit!
    3. Re:Why I use PGP... by trongey · · Score: 2, Insightful

      ...like emailing my wife whilst at work...
      ...any personal files on my work PC belong to me, and not my company. Without my passphrase, they can't do shit with them...

      Probably no one will ever raise a stink about stuff like this, but it's good to keep in mind that, unless you work at the world's most liberal company, both of these are probably against company rules.
      When the time comes that they need to cut staff, and don't want to pay severance, this stuff can put you out the door "with cause". Fired, not laid off.
      If you can't trust them with your email then you're crazy to trust them with your future.

      --
      You never really know how close to the edge you can go until you fall off.
    4. Re:Why I use PGP... by Anonymous Coward · · Score: 0

      What's the accuracy and reliability of this method? Obviously it's slow and painstaking... but is it worth it?

    5. Re:Why I use PGP... by Anonymous Coward · · Score: 0

      Anon former mail admin here -- I've seen this happen when we accidentally discovered somebody sending PGPed mail through the corporate system. There were probably other political considerations, but the guy was shown the door by uniformed security. He was smart enough to eat the private key because we never found it.

      The stupid thing is that the place had a "Hotmail's OK" policy, which meant that he could do whatever he was doing without anyone discovering or caring. (Although I've also worked at places that intercept webmail with special proxies)

      Why in this day and age do people put 'personal files' on their work systems and use the work e-mail for anything non-business related is beyond me. It's usually the ones that think they are being smart -- the normal (l)users know better. That and the porn addicts.

  28. There are two types of users... by stefanlasiewski · · Score: 2, Insightful

    The US Government says that they can't crack certain types of encryption, and that this is hampering their ability to deal with the Terrorist Threat.

    NAI, who has been selling virtually uncrackable encryption technology for years, suddenly drops their top-of-the-line encryption product.

    Coincidence? I wonder.

    I'm not implying a conspiracy between NAI and the US Government, but I wonder if NAI stopped shipping their product because it "wasn't worth the trouble".

    --
    "Can of worms? The can is open... the worms are everywhere."
  29. PGP wish list by 4n0nym0u53+C0w4rd · · Score: 3, Interesting

    PGP had a few strikes against it:

    A. Little perceived need by the masses
    B. Hassle to use

    and more recently

    C. Government rumblings

    A. could be dealt with by some good old FUD. I've always been amazed that NAI and others have resisted the evil urge to play on naive users' fears of "hackers." Come on, companies with lame IDS and Firewall products have been playing the fear card for a while. Imagine how effective a campaign would be if the product were actually good... (Not that I'm a fan of these tactics).

    B. is a more difficult problem. Although the product has come a long way since the old DOS version with its confusing options, it has a way to go to achieve true ease of use. People don't necessarily "get it." I'm not a huge fan of dumbing down interfaces, but a real simple set of wizards that handled all the stages of key creation and software integration would be helpful. Plug-ins for email are good, but a deal with MS or Eudora to bundle it would be better. Plug-in with ICQ is good but a bit clumsy at times. Maybe playing up the Envelope metaphor in email programs would be better... Also, encouraging users to get their email contacts to install the freeware version would be great. Maybe, a window that popped up when people tried to send an encrypted email to a person whose key isn't known. The window could mention the problem, and offer to send the recipient an email with a link to the freeware (or perhaps a free "reader" that allowed for key creation and email integration).

    With C. the issue is just a big hassle. At some point you'd hope the Gov't would realize that restricting strong encryption will have no effect on criminals, only business and home users.

  30. Re:Rats... Ship by Anonymous Coward · · Score: 0

    Ummmm, it's not about to become illegal! Arrrgh.

  31. Expensive stuff by bubblegoose · · Score: 4, Insightful

    We looked into it for our company, turns out the head of our sales group sent a copy of the commission $$$ amounts to everyone in our sales group by mistake and we wanted to prevent that in the future. But that's another story.

    Anyway they wanted about $175 a copy, I think for what we needed. Then I found the PGP Freeware link on their site. I thought, hey why pay for it when they give it away for free?

    No wonder it's going away. Could you imagine going to the Ford dealer and the dealer saying "here's the new Ford for $20,000". And you ask, "what about the Mercury over there exactly like it" and the dealer says "Oh those, they're free, take as many as you like" Where is the choice here?

    --
    I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
    1. Re:Expensive stuff by Anonymous Coward · · Score: 0

      The choice? Well, ethics or not for one. It is illegal to use it corporation wide or for a corporation without paying for it. Incidentally, my company got a much better deal than 175/license.

    2. Re:Expensive stuff by Anonymous Coward · · Score: 0

      I don't see how PGP would have prevented that data from getting out. It would have just been sent to everyone _securely_.

    3. Re:Expensive stuff by pne · · Score: 1

      Especially if the "head of sales group" used the MS Outlook plugin where it looks up the keys for all the recipients automatically.

      --
      Esli epei etot cumprenan, shris soa Sfaha.
    4. Re:Expensive stuff by DrXym · · Score: 2

      For some companies, support and maintenance is more important than the cost of the original software and they'll gladly pay for the peace of mind.

      Crypto is one of those places. If your crypto solution goes wrong it could seriously fuck up your company, especially when you have to explain to investors their entire solution was based on unsupported software "downloaded free from the internet". Yes, PGPFreeware is totally unsupported, less so even than GPL software where at least you can legally pay for someone to support it and hack it if necessary.

      Even for individuals, the vast majority would be more than happy to fork out $50 for PGP if it came bundled on a single CD with a whole bunch of other NAI crap such as McAfee, Nuts & Bolts etc.

    5. Re:Expensive stuff by Troed · · Score: 2
      Do you mean PGPi with "PGP Freeware"? If so, maybe your company ought to read the license ...


      2.2. Can I use PGPi for commercial purposes?
      Yes, you can, but you must obtain a commercial use license from Network Associates Inc. or its authorized representatives. (The GNU Privacy Guard can be used for commercial purposes without any license.)

  32. What?!? by John+Whorfin · · Score: 2, Interesting

    Post a link, man.

    I just saw PGPNet 7.1 ONLY for $60 for a two year contract. This was from PGP too.

    With the 7.1 series they split apart the entire PGP Desktop package and are (were) selling the pieces individually.

    $30? I don't think so.

    1. Re:What?!? by Anonymous Coward · · Score: 0

      The personal edition costs $30 in the magazine I'm holding right now, it's about 14 days old. There are corporate editions also, it's not that one you see?

    2. Re:What?!? by fitsy · · Score: 1


      http://mcafeestore.beyond.com/Product/0,1057,3-18-ML100111,00.html

      It's $39.95, and I had trouble finding it too when I bought it.

    3. Re:What?!? by ostiguy · · Score: 2

      Similar to my experience. I was investigating it on the Mac platform as Cisco is currently providing a mac vpn client for their 3000 concentrators. The desktop suite had all kinds of crap - and on the mac they didn't sell the components separately.

      ostiguy

  33. There are two kinds of encryption users... by stefanlasiewski · · Score: 5, Insightful

    There are two kinds of encryption users...

    1) There are ordinary folks who want an easy-to-use encryption solution out of the box, and don't want to read a manual to get that level of security. While NAI's software has been getting better and easier-to-use over the years, it's still not 'easy'. Concepts like 'ring of trust' & 'key signing' might still be too academic for ordinary folks, and NAI has not made much of an effort to explain why these ideas are important.

    2) There are encryption-geeks, who don't really trust the security of a closed-source product, or who are happy enough with ssh, pgpi, gpg, etc.

    OK, I guess there is a third type of encryption user, the user who wants an easy to use encryption product for her business, and isn't concerned about fears like 'FBI backdoors' in their product, but they're probably a small segment of the market.

    --
    "Can of worms? The can is open... the worms are everywhere."
    1. Re:There are two kinds of encryption users... by jyda · · Score: 1

      Actually, I'd think the third type (corporate user) is the largest segment, by far. They usually have lots of sensitive data to protect. And 'FBI backdoors' are a big concern, even to PHB's. That's why there are so many proprietary "standards" in use.

      --
      "Just because I don't care, doesn't mean I don't understand." - Homer Simpson
  34. What could 250 people be doing to PGP??? by Futurepower(tm) · · Score: 4, Funny


    I went to the NAI website and tried to buy PGP about 18 months ago. There were problems with the site. The product was poorly explained, and I got error messages.

    Also, would you buy encryption software from ANYONE who wasn't offering the source code? I had read that NAI would give the source code to someone who bought the product, but I was unable to find mention of that on their web site.

    I sent NAI an e-mail message, and no one replied.

    Finally, I just gave up and used the free version. I paid less (zero) and got more.

    The story says, "I worked there up until today and somewhere around 250 of the 300 employees were clipped."

    Do I understand this correctly? What could 250 people be doing with PGP, a product that was written by one man, and was changing very slowly?

    Maybe they were selling special versions in Arabic to Saudis living in Afghanistan? (When you have 4 wives, you have to keep a lot of secrets.)


    Secrecy and weapons sales corrupt democracy: What should be the Response to Violence?

    --
    Bush's education improvements were
  35. My Page on Why You Should Use Encryption by goingware · · Score: 2
    I hope development continues of PGP freeware.

    I admit I haven't tried out GPG yet but I probably will soon.

    In any case, if you don't use either PGP or GPG then please read my article Why You Should Use Encryption

    Yes I know the link to the canadian article I mention is busted and someday I will even fix it. Not right now though.

    --
    -- Could you use my software consulting serv
    1. Re:My Page on Why You Should Use Encryption by dagnabit · · Score: 1

      The Canadian article can be found at the Information and Privacy Commissioner of Ontario's website here.

  36. Re:What could 250 people be doing to PGP??? by kdz · · Score: 1

    240 were likely trying to sell it, one was answering the phone, and the others were making viewgraphs for the upper management.

  37. Buy it or get free version by Fizzlewhiff · · Score: 2, Insightful

    PGP always boggled my mind. I had two choices. I could either buy the US version from NAI or download the international version for free. Now I wonder why sales could have been low.

    --

    'Same speed C but faster'
  38. hello? by hyperstation · · Score: 1

    hello? GnuPG? maybe you've heard of it....

  39. To Care or not to Care by TightByte · · Score: 5, Insightful

    It's very interesting to notice that a majority of people indicate that they do not care about personal encryption, primarily for their electronic mail communication. I recall reading in the PGP readme, when I first discovered it - version 2.x or 3.x at the time, I think - how it made perfect sense to use encryption to ensure your privacy. After all, did you not prefer to send your most personal thoughts using letters within envelopes rather than postcards?

    However, when I try to advocate encryption to those I know and hope to influence, they all seem to indicate that they aren't all that concerned about their email. And yet those same people never fail to be annoyed when I walk up to their computer and pretend to read their email in order to prove my point.

    Perhaps most people are unaware of how easily their email can be intercepted and read? After all, an email address might appear to be like a telephone number - a direct link to whomever one might wish to contact. And we're comfortable with the phones - after all, wiretaps seem hard (or at least laborious) to obtain, and we suspect that capacity prevents wiretaps from being universally applied. Not so with email, though - it's child's play to intercept any SMTP communication that passes through your network. And if you happen to be centrally located, in a network topological sense, there's no theoretical limit to the amount of communication you can eavesdrop on.

    I must admit that I'm not being entirely altruistic when I advocate encryption - my wish for broad adoption of personal encryption technology is first and foremost self-serving. To tap again into the old PGP readme files; sending mail in "sealed" envelopes is not currently suspicious due to the fact that the practice is so widespread. Until encryption becomes commonplace it remains far too easy to label it suspicious behaviour.

    Here's to hoping that free encryption will carry on where the commercial offerings have failed. Cheers.

    1. Re:To Care or not to Care by slipnfall · · Score: 1

      No doubt, same problem on my end of things. Oddly enough, advocation isn't really a bother to most people, just a small spurt of motivation that needs to be done on both parties.

      Personally, I consider paranoia as interrupting my life. Automatic encryption outbound is done automatic; if you communicate with telnet or the like frequently, toss SSH on 'er and be done with it.

      Accordingly, those who don't adhere a little bit of TLC to their 'nets get 'caught with their pants down' as they say.

      Regards,
      -Slipnfall

      --
      *-PGP Please!-*
    2. Re:To Care or not to Care by sheldon · · Score: 2

      There is a factor you might be forgetting. On privacy most people care if someone they know is reading their private info. But they don't care quite so much that someone they don't know might be reading it.

      That's why they are unhappy when you look over their shoulder

    3. Re:To Care or not to Care by Kruemelmo · · Score: 1

      Excellent comment!

      Encryption is a need and is supposed to be a standard behaviour in the information age. The unawareness of this comes from the fact that education / public knowledge do not keep up with technology.

      Somehow, everybody's feeling that privacy is important decreases as any information is accessible anyway. Some years ago, public phones had been in boxes - today, everybody has a mobile phone (without a box) anyway and people don't mind to inform the whole subway car about their business or heart affairs.

      By the way, the old pgp readme files are really good - I still recommend them as a fast lesson on public key cryptography.

    4. Re:To Care or not to Care by macsforever2001 · · Score: 2

      There is a factor you might be forgetting. On privacy most people care if someone they know is reading their private info. But they don't care quite so much that someone they don't know might be reading it.

      I think that people don't care not because they don't know the person reading it, but when they don't know if someone is reading their email at all.

      The old adage, ignorance is bliss applies here.

    5. Re:To Care or not to Care by sheldon · · Score: 2

      No, that's a different issue.

      You readily provide your salary and financial info to banks, but how often would you give up that information to friends and family?

      It's because people you know will do very different things with the information than people you don't know.

  40. The searchable index thing works great... by cduffy · · Score: 2

    ...particularly with new versions of PGP and GnuPG, which can send keys straight to the keyservers and retrieve them from there on an as-needed basis.

    In short, I can't see there being very many users at all who have a current version of PGP and chose *not* to send their key into the keyserver -- it's just that tightly integrated. It takes a little more work with GnuPG, but the folks who know about it are the exact same folks who care.
    Thus, I can't possibly see your 2% estimate being on the mark -- few may use OpenPGP-compliant crypto, but of those who do, nearly all use the keyservers.

    1. Re:The searchable index thing works great... by Ars-Fartsica · · Score: 1
      Thus, I can't possibly see your 2% estimate being on the mark -- few may use OpenPGP-compliant crypto, but of those who do, nearly all use the keyservers.

      I was referring to 2% of slashdot users having actually used PGP encrypted mail (not just downloaded the software and generated a key for fun)...and yes, you are right - 2% is not on the mark - probably closer to 0.5% (seriously).

    2. Re:The searchable index thing works great... by Anonymous Coward · · Score: 0

      Just out of curiosity, do those keyservers maintain logs of IP addresses that uploaded keys?

    3. Re:The searchable index thing works great... by cduffy · · Score: 2

      Depends on the keyserver, of course. Some are open (so you can look through the code and *see* what they do) and some aren't.

      The CryptNet keyserver is one you may wish to browse if you're genuinely interested in such things.

  41. Free software cannibalization and software cycle by Ars-Fartsica · · Score: 4, Interesting
    Well, PGP had simply reached a level of age and maturity where one should expect a free replacement to come on the scene. My observations are that you have four to five years to squeeze revenues out of a software product before you can reasonably expect a free competitor.

    This will simply become part of the arithmetic commercial developers will have to deal with.

  42. Slightly OT by iso · · Score: 2

    This reminds me, does anybody know of any PGP-style email encryption/authentication programs that work under Mac OS X?

    - j

    1. Re:Slightly OT by ceranta · · Score: 0, Troll

      pine

      fukken 20 second waiting period

    2. Re:Slightly OT by sabi · · Score: 1

      There is a GPG port for OS X, but what I'm really sad about is that NAI was working on a native Cocoa PGP port to OS X, and it was probably going to be finished in the next couple of months.

      I hope it's going to be possible to salvage and finish the code that was under development. I never understood why PGP was free, given its extraordinary quality. I would have gladly paid for it. NAI's Web site was so badly organized, even when I did want to buy it, it was a tremendous mess to try.

      This is also an issue in that there's now no decent, free IPSEC client coming for OS X. Time to put some effort into continuing the port of KAME's efforts, I guess.

    3. Re:Slightly OT by hurst · · Score: 1

      FWIW (which is next to nothin at the moment) NAI's PGP was being ported to MacOSX. Sorry, I don't have any links, the info came from our network guy who asked NAI about it.

    4. Re:Slightly OT by ehintz · · Score: 1

      PGP is in the GNU-Darwin ports collection... I expect GPG would compile as well, although I've not tried. As for apps, dunno offhand. Wouldn't be surprised if somebody's written plugins for Apple's Mail app, but I've not gone looking for it. I'm lazy, and not sending anything over mail that's particularly sensitive...

      --
      ehintz
    5. Re:Slightly OT by anarkhos · · Score: 0

      Check out CDSA

      --
      >80 column hard wrapped e-mail is not a sign of intelligent
      >life
  43. How many worked on PGP? by chip_s_ahoy · · Score: 2, Insightful

    Really? 300 people have been working on a product that doesn't sell? I can't blame them for layoffs, just overhiring.

  44. I didn't trust it anymore, anyway. by ruebarb · · Score: 5, Informative

    Ever since Phil Zimmermann left because of "differences" with NAI, I was extremely reluctant to upgrade to future versions for fear of "backdoors" that might have been included in the product - things that wouldn't have happened under his watch but are now more likely.

    So I stopped upgrading the free version at the last version he personally oversaw...7.0.3

    --

    ----------
    ah honey, we're all resplendent - Bill Mallonee
    1. Re:I didn't trust it anymore, anyway. by PhilHibbs · · Score: 2
      Ever since Phil Zimmermann left because of "differences" with NAI, I was extremely reluctant to upgrade to future versions for fear of "backdoors" that might have been included in the product
      Yet Zimmermann said "PGP users should rest assured that I would still not acquiesce to any back doors in PGP" here - what's going on?
    2. Re:I didn't trust it anymore, anyway. by Anonymous Coward · · Score: 0

      any pgp version greater than 7.x cannot be trusted.
      6.5.8 source was made available

    3. Re:I didn't trust it anymore, anyway. by ruebarb · · Score: 2

      Phil Zimmermann left NAI early this year..so while he says he would not support any backdoors...it's not really his call to make on this product anymore...Certainly with OpenPGP - but not the NAI version..

      Here's what he said about the last version he oversaw...7.0.3

      Let me assure all PGP users that all versions of PGP produced by NAI, and PGP Security, a division of NAI, up to and including the current (January 2001) release, PGP 7.0.3, are free of back doors. In all previous releases, up through PGP 6.5.8, this has been proven by the release of complete source code for public peer review. New senior management assumed control of PGP Security in the final months of 2000, and decided to reduce how much PGP source code they would publish. If NAI ever publishes the complete PGP 7.0.3 source code, I am confident that the public will be able to see that there are still no back doors. Until that time, I can offer only my own assurances that this version of PGP was developed on my watch, and has no back doors. In fact, I believe it to be the most secure version of PGP produced to date.

      He may not support backdoors...but he's no longer working on that product. Whatever NAI chose to do to drive him out feels like something that would compromise the security of future versions of PGP

      --

      ----------
      ah honey, we're all resplendent - Bill Mallonee
    4. Re:I didn't trust it anymore, anyway. by nestler · · Score: 1
      The latest version I trust is 2.6.2.

      I'm not talking about back doors. I'm talking about bloating it up so damn much, that you have stupid security bugs. For those with short memories, there was a bug involving their implementation of ADK's that would allow somebody to essentially get an extra copy of encrypted messages that they could read. All this for a feature like ADK, that no sane person would want in their encryption product (basically a form of allegedly voluntary backdoor in the encryption).

      I want a program with source that I can read and understand. Not some big bloated crap that even their developers can't understand.

      Complexity breeds insecurity, intended or not.

  45. Coincidence? I wonder. by Animats · · Score: 2

    Probably not. They're also dropping Gauntlet Firewall and some of the sales force. Sounds more like a company in financial trouble.

  46. Re:Rats... Ship by Anonymous Coward · · Score: 0

    You haven't been following recent trends in legislation, have you?

  47. Re:Rats... Ship by Anonymous Coward · · Score: 0, Flamebait

    Why would it sell high?
    You just said it's selling poorly and about to become illegal. I can't think of anyone who would want to pay an excessive amount of money for that. If PGP can't market PGP, who can?

  48. My corporation tried to buy PGP... And couldn't. by Anonymous Coward · · Score: 5, Interesting
    The biggest potential users of this would have been the Slashdot types

    Umm, no. I work for a company that has our own symbol on /., one with a funky dropped 'e' in it. You might be able to figure out who we are. We tried to buy PGP for Unix to secure engineering data--we happen to be one of the largest Microsoft shops on the planet, but all the real work still gets done on Unix/Linux--and NAI wouldn't sell it to us. We were talking THOUSANDS of licenses, ubiquitous deployment to everyone, and they weren't interested in providing a Unix client of the current version.

    So we're going to be using GPG.

    Get this: NAI have also threatened major bad legal juju if we ever put any GPG-generated keys on their keyserver product, which we also had previously bought (along with hundreds of individual PGP licenses). Hello? If that's not a Microsoftesque move, I don't know what is.

    They coulda made millions on our account. WE WANTED TO PAY THEM MILLIONS. Negotiations fell through. So now we're saving the millions and going to be supporting open source even though senior management is still not 100% clued into that this is a good thing.

  49. hello? by Anonymous Coward · · Score: 0

    hello? Outlook Plugin? maybe you've heard of it....

  50. Re:Nice icon! by jamie · · Score: 3, Informative
    Actually it's our "Security" topic icon, and yeah it's new, thanks for noticing. We're not upgrading everything, but you'll see a bit of new stuff showing up.

    We've only been wanting to add a "security" topic for about TWO YEARS so it's nice to finally have one...

  51. PGP failed because of NAI incompetence by Effugas · · Score: 5, Insightful

    *laughs*

    Well, yes, it's quite true that PGP had disappointing sales. The company had a nasty tendency of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.

    It's funny that I have this exact story from so many different sources that nobody can say I'm compromising internal information. Go ask your friendly IT Purchasing agent about any adventures they had trying to get a site license for PGP. This was mandate from upper management: Either all the stripes make some cash, or none at all.

    NAI consistently chose the latter. Now, as for all the conspiracy theories...never attribute to malice...

    --Dan
    www.doxpara.com

    1. Re:PGP failed because of NAI incompetence by dwsauder · · Score: 1
      About a month ago I upgraded from Eudora 4.3 to Eudora 5.1 (email client software). When I first bought Eudora 4.0, it came with a PGP plug-in, which was licensed from NAI (it may have been PGP, Inc at that time). At some point, when I was downloading and installing the version 4.x upgrades, the PGP plug-in stopped working. It definitely wasn't working with Eudora 4.3. That was the main reason I decided to upgrade to Eudora 5.x: I wanted a working email client program that supported PGP mail. Surprisingly, Qualcomm seems to have nothing to do with PGP! There is no PGP plug-in for Eudora 5.x. I spent hours on the web searching for a PGP plug-in for Eudora 5.1, with no success. So, what happened? Why couldn't Qualcomm renew their license with NAI? Was NAI asking too much? Or did Qualcomm find that so few people used PGP that it was no longer worth their efforts to support the plug-in? If that's true, why not allow customers to use the plug-in as an unsupported plug-in?

      The fact that Qualcomm's Eudora no longer has anything to do with PGP does not look good for PGP. Microsoft is firmly behind S/MIME when it comes to choosing between S/MIME and OpenPGP. I believe Netscape has also chosen the S/MIME side. Qualcomm had been one of the few strong supporters of PGP. Now Qualcomm has abandoned it. The chances for broad adoption of PGP do not look good.

    2. Re:PGP failed because of NAI incompetence by Troed · · Score: 2
      PGPi


      My Eudora 5.1 got a nice PGP-plugin from there. In the standard 7.0.3 package.

    3. Re:PGP failed because of NAI incompetence by fwoomer · · Score: 1

      My quick two cents:

      I would be one of those friendly IT guys who tried to make an equitable purchase of a couple of NAI products.

      Granted, we were relatively small (only looking for 600 seats immediate and 1000 seats total in 2 years), but if you do the math, it's still a good chunk of money they eventually lost out on because of their unwillingness to sell their products.

      NAI isn't the only company that I've seen try to use these selling tactics. As an IT Director, I've repeatedly tried to work with vendors to get them to sell me a product at a good price while buying in bulk. Few will even budge a little when I try to negotiate a good deal with them.

      It makes me wonder where/when they forgot that keeping customers happy is what sells products. In both cases, I ended up saving a ton of money for the company I was working for by going with an open source solution. Suddenly "We don't *do* site licensing. Ever." was no longer a problem.

      Whoever came up with the idea of not selling your product when someone is offering to buy it equaling large profits is a total dumbass.

      Another instance where NAI lost out is when I was consulting for a company -- was planning on buying 15,000 seats of its TVD suite over the course of 2 years. They would not negotiate. Therefore, we found another solution.

      Stupid asses.

    4. Re:PGP failed because of NAI incompetence by Fucky+the+troll · · Score: 0

      really? My two cents involve your wife. and I get change.

      --
      Roadkill is yummy.
  52. A serious question by Anonymous Coward · · Score: 0
    This is quite a slick business move, apparently -- as soon as I saw the headline, I rushed over to the website with the intent of buying both the Mac and Windows versions. Why? Because I worry that in a year it will be illegal to buy such software. Much like citizens are now hoarding gas masks and antibiotics, I feel like hoarding privacy tools -- except that instead of protecting myself from foreign terrorists, I want to protect myself from domestic terrorists; i.e. the federal government. What truly frightening times we live in.

    Here's my question: what other companies provide commercial, PGP-scheme email encryption packages for the Mac? I'm aware that there are Cheap Software solutions available, but as those of you in the "real world" know, many businesses won't use software that they can't buy support for. Also, in my experience, the commercial packages tend to work better with Microsoft's email clients, which I readily admit to using on the Mac.

    Before I blow $315 on the PGP Corporate Desktop for MacOS, let me know what my options are. Is NA/PGP the only one of its kind? It is certainly the only real commercial provider of email security that I was aware of.

    What frightening, awful times we live in. As much as I bitch about the government, I never actually thought I'd be scared of it. And in the US, the government is of/for/by the people. That means that I live in terror of fellow citizens, who want to invade my life because we aren't protected from the tyranny of the majority. And I'm not even Muslim or of middle-eastern descent! I'm not religious, but I will be "praying" for my fellow citizens who are currently being subjected to racist violations of their human rights in the name of "national security."

  53. GPG by gweihir · · Score: 2, Informative

    Not a problem. There is already public funding for GPG in Europe. And encryption of a PGP/GPG type does not need hundreds of developers (of the commercial full time variant).

    I think it is no real problem for the manufacturers of mail software to include GPG support on their own.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  54. Re:Rats... Ship by ThatComputerGuy · · Score: 2, Insightful

    My thoughts exactly... obviously the whole mess of legislation for backdoors (as a result of terrorist actions) had a fair amount of play in this decision.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  55. Hello? The freeware version is still there. by Ryu2 · · Score: 2

    HEY GUYS! Before you all get your panties tied up, PGP has always existed as freeware, with full source code too. It's not going to disappear! Just like DeCSS, etc -- even if it's made totally illegal by US govt, it will live on.

    Lest we forget, there are libraries available to get around any RSA legal crap, too, in the PGP.

    --
    There's 10 types of people in this world, those who understand binary and those who don't.
  56. Re:Rats... Ship by Anonymous Coward · · Score: 0

    Are you American? Don't you think that you deserve to be hated by everybody outside the United States?

  57. Encryption doesn't need to be this hard. by fmaxwell · · Score: 4, Insightful

    All I want is an e-mail client with an 'encrypt' button. I press the button and it asks me for an encryption key. I enter a key that my correspondent and I have exchanged over the phone, in person, etc. The message is encrypted and sent.

    I'm not Osama Bin Laden. I'm not expecting someone to be monitoring my phone, e-mail, in-person conversations, cell phone, etc. I just want to be able to exchange e-mail with friends and not have every nosy guy at the ISP or my company be able to read it.

    PGP is just an incredibly complex and painful solution for what should be a simple problem. 99.9% of the public just wants to be able to occasionally send encrypted messages to friends using a private key. I don't care how easy the /. crowd thinks it is to use PGP. Some of my friends aren't computer gurus and it's just too much complication and hassle for them to use PGP.

    1. Re:Encryption doesn't need to be this hard. by Thaidog · · Score: 0

      How about something that encrypts and then decrypts once the mailto has clicked on it to open it? Is there such a product?

      --

      ||| I still can't believe Parkay's not butter.

    2. Re:Encryption doesn't need to be this hard. by Anonymous Coward · · Score: 0

      well shit just attach a passworded word doc. or zip file....

    3. Re:Encryption doesn't need to be this hard. by Anonymous Coward · · Score: 0

      Try www.mailvault.com

    4. Re:Encryption doesn't need to be this hard. by Thaidog · · Score: 0

      Thank you.

      --

      ||| I still can't believe Parkay's not butter.

    5. Re:Encryption doesn't need to be this hard. by Seelo · · Score: 1

      All I want is an e-mail client with an 'encrypt' button. I press the button and it asks me for an encryption key. I enter a key that my correspondent and I have exchanged over the phone, in person, etc. The message is encrypted and sent.

      I don't know why this ended up being so hard. Eudora with the PGP plugin has an encrypt button just like that. Why NAI didn't make more deals like this is beyond me.

    6. Re:Encryption doesn't need to be this hard. by Anonymous Coward · · Score: 0

      The only real problem with your scenario is that your "key" that you've exchanged is not secure. Unless you are willing to type in a ludicrously long "key" (like a volume from the encyclopaedia Britannica), you might as well be typing your email using ROT-13 - it'll be more secure.

  58. Re:Sad. by BlowCat · · Score: 1
    you ivory tower pantywaste cocksmokers
    At least you will be attacked for a reason. And the reason is not because your country is the best democracy in the world, as some of your compatriots believe.
  59. Did Anyone Trust Those Guys? by Greyfox · · Score: 2
    Zimmerman was getting all up in arms about something or other and we could get the source for GPG. I did get my manager at IBM to license PGP for sending source to a contracting company in Romania, but I figured if the fed had a backdoor into the cryptosystem, they'd just be appalled at our crappy driver code.

    It is kind of a bummer though. I'm told the Windows version was pretty nice.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  60. 250 PGP employees? by gnomish · · Score: 2, Interesting

    250 is a lot of employees for such a small product.. at least in terms of what a person would view as a niche product, at best. Perhaps this is just one of the last vestiges of the bloated net economy fading into the distance.

    However, other influences may be involved. It's pretty obvious that encryption schemes, in general, are under scrutiny after the Sept 11 attacks. Any company that is producing an encryption product certainly has taken a look at its business in recent days.

    Ultimately, I think most people have given in to the idea that their correspondence via email.. and really anything that ends up on their computer could be an open book if anyone really wants to look.

    1. Re:250 PGP employees? by Anonymous Coward · · Score: 2, Insightful

      Well, I'd hardly think that 250 people would represent those who work to actually MAKE the products. Plus, the PGP "Business Unit" of PGP made way more than a single encryption product, some of which did not have "PGP" in the name. Regardless, as with a company of its size, many of those people are also going to be "infrastructure" ... HR people, office staff, management, etc. Sure, you can move the programmers to another part of the company (as they plan to do with the ones for the remaining products in this case). But when you eliminate the company altogether, that doesn't leave any place to put the rest of the people that run its day-to-day operations. But 250-300 working on the product hands-on? The actual number of "little minions" working on the stuff is probably quite a bit smaller.

      Some other comments from what I've read here...

      From actually READING the announcement http://www.pgp.com/other/jump/customer-faq.asp, and listening to the NAI Earnings Conference Call from the same day (thanks Yahoo!), "NAI PGP" isn't being totally scrapped! They've just decided not to keep PGP as a separate business entity, as they see doing so as hindering their potential growth as a company. In doing so, they've evaluated their product lines and have decided to stick with what they think they can SELL, for example, their E-Business Server product. They spell out in their announcement what they feel they need to do to meet that goal. Some products are to be sold off (if possible), some moved, and some having parts extracted, possibly being merged into other similar products they already have in the other BUs. Once that's all done... of course they won't need ALL of their current PGP staff. And well, sounds like 250 is their estimate of the surplus.

      It's nice to be altruistic and think "wouldn't it be nice if they just did it for the 'good of all' and gave the products away for free?" But well, that's not what software companies do. They exist to SELL the software they make. They need to make money to survive, as does any corporation, and that's about the only bottom line that their shareholders will care about.

      I've read a lot of posts from a lot of people wanting a nice free version that they can use freely cuz "well, you could easily just write it yourself... why pay for it"? Well, I don't see anyone volunteering their time and efforts to obtain the PGP SDK and grace us all with their programming prowess and their 'for the good of all humanity' ideals. If anyone does... I have my own 'wish list' of features I wouldn't mind being added to PGPmail and PGPdisk. I can pass them along if you wish. Anything to help. :-)

      But, unfortunately for us end-users... NAI seems to think (as indicated by the products that will remain, albeit moved to other business units) that $$$ for their PGP survival is going to come more from big business... not from us. I guess that judging from many of the comments here, they seem to be right, at least on the last bit: "not from us".

    2. Re:250 PGP employees? by gnomish · · Score: 1

      You're pretty much 'spot on'. I'm sure that the code will survive and be incorporated into other products but only those that make bank. Large scale corporate products won't have exposure to everyday users.. and basically, the everyday user that needs, knows, and wants PGP can get it for free (or write it themselves :P).

  61. What about Gauntlet firewall? by oh · · Score: 2, Informative

    Apparently Gauntlet firewall is going too. Too bad for those of us who use this product and have paid for long-term support.

    While not the most popular product out there, it is serviceable. In our installation I think we are pushing it to the limit, but their Webshield e-pliance product was sold as an easy to configure/manage secure product, and was quite secure straight out of the box.

    As for us, we have several issues we are trying to ram through NAI technical support. Will NAI continue to support a product they aren't going to continue to sell? Will our support contracts be transferred with the product when it's sold, or will NAI try to honour the support contract even though they don't own the product anymore?

    It's a worrying sight when Internet security suppliers go out of business. Unless there were serious problems with the product not in the public domain (and I know about their mail daemon) it was a good security product for small to mid-ish companies and they are saying it's unprofitable. Either firewall products are about to become more expensive, or the quality is about to go down. Neither is a good sign.

    --
    Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
  62. lack of sales: reasoning by skotte · · Score: 2, Interesting
    i've got three reasons it didnt sell.


    1) "encode"? what's that?. (the ignorance fFactor that says 'if it didnt come with M$ office, i don't need it')

    2) modern variant: "encode"? what's that? i heard terrorists were encoding messages .. that must mean it's bad. (yes, i have actually heard this. not a stretch at all)

    3)if you are interested in security, there's a good chance you have something to hide. like all those warez on your desktop. ergo, you didnt really pay fFor that copy of PGP at all.

    1. Re:lack of sales: reasoning by radja · · Score: 2, Insightful

      I got 1 more reason:

      NA was going to close the source to PGP. If there's one field where Open Source took off, it's crypto. Any advanced crypto-user wants to have the ability to look at the source to ensure security. Closing source for an encryption program makes that encryption program inherently less trusted.

      //rdj

      --

      No one can understand the truth until he drinks of coffee's frothy goodness.
      --Sheikh Abd-Al-Kadir, 1587
    2. Re:lack of sales: reasoning by Graymalkin · · Score: 4, Insightful

      Do you send paper mail in envelopes? Looks like you've got something to hide. Let's haul you down to the Ministry of Truth for some examinations. It's the "something to hide" stigma which is retardedly holding back the use and acceptance of cryptography. Encryption technologies are not just for people hiding warez (I've never even fucking heard of encrypted warez before and PGP is free for non-commercial use anyhow). E-mail is an inherently insecure communication medium. Few if any ISPs actually use or support secure e-mail in any fashion so that responsibility falls onto the user. You don't need illicit reasons for security, plain day to day business needs plenty of it. For a dollar of security you save several dollars in losses.

      --
      I'm a loner Dottie, a Rebel.
    3. Re:lack of sales: reasoning by yatest5 · · Score: 1

      Is there free bloody karma points on here?

      Here's the reason it didn't sell:

      1) It's freeware.

      People who *need* to encrypt know what it is.
      People who *need* to encrypt aren't gonna not because 'that's what terrorists do'.
      There *are* valid uses for encryption. Hope that's your points cleared up.

      --
      • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
    4. Re:lack of sales: reasoning by MikeBabcock · · Score: 2

      I have had customers purchase volume licenses of PGP. I stopped recommending it when they stopped releasing source code.

      Without the support of the tech community that built up PGP and the web of trust in the first place, they will fail. Maybe Phil's new venture can purchase his software back from NAI?

      --
      - Michael T. Babcock (Yes, I blog)
    5. Re:lack of sales: reasoning by skotte · · Score: 0

      no, dont misunderstand. i'm not saying everyone who encrypts is dealing in warez. that's patently silly. but i do wonder how many people who use PGP actually bought it.

    6. Re:lack of sales: reasoning by Graymalkin · · Score: 2

      Not enough people obviously. PGP suffers from the problem that web browsers suffer from in the consumer market, it is based around a specification rather than a proprietary product. NAI was basically trying to sell a look and feel product on top of something that corporations could easily implement on their own (assuming they have a decent programming staff) and end users wouldn't pay for because they didn't know what the fuck it was for.

      --
      I'm a loner Dottie, a Rebel.
    7. Re:lack of sales: reasoning by skotte · · Score: 0

      exactly. this is the spirit of what i was getting at with my 'top three' list. either consumers dont know what it is, or worse they heard misinformation about it, and so anyone that really knows about what it actually is has the problem taken care of.

      perhaps the best thing we can say about this whole article is the usual: "Not surprising." they should have looked more into what it was they were trying to market before assuming it would be a hit. but hey, i'm sure they added greatly to the basic awareness of privacy online, at least.

  63. What I find amazing... by Chasing+Amy · · Score: 4, Insightful

    What I find amazing is that most people labor under the foolish misconception that if only American encryption products (like PGP) were either backdoored, effectively export controlled, or discontinued altogether, that foreign criminals and terrorists would suddenly have nothing to hide their data with. Let's explore why only stupid people would think so:

    1) Source code to most versions of PGP is available and published internationally on many sites. If a terrorist wants PGP, and PGP has been discontinued, he can just download a binary from one of these foreign servers, or get someone computer literate to compile this source code for him. It's already in the wild on the net, and spread to servers in nearly every free or partially free nation; it will never disappear now.

    2) Since the source code is available for even some very recent versions, overseas programmers will pick it up and improve it and release newer builds for newer OSes if it is discontinued or shown to have backdoors.

    3) GPG is arguably just as good, plus it's truly Free and GPLed. It's not as shiny, but makes a good drop-in replacement for most people, terrorists included. And again, GPG is "in the wild" and not going to disappear from the Net even if the U.S. and half the world outlaw strong encryption, and since the source code is there people will hack on it and improve it, even if only overseas people.

    4) Contrary to the beliefs of the ignorant, the U.S. is not so much more advanced than other countries that no other people from overseas can write strong encryption products as good as ours. Encryption is universal math, not American voodoo. In fact, the best symmetric encryption product currently comes from the U.K., Scramdisk. If America and the U.K. were to ban encryption, any country with competent mathematicians and programmers could take the lead.

    5) Encryption is based on well-documented and easily available math, and many proven algorithms are already published and cryptanalyzed and shown to be secure enough. Even if by some extraordinary miracle all traces of encryption products and source code were wiped from the Net by the unprecedented cooperation of every nation on Earth--something truly impossible--people like Osama could hire any competent mathematician and programmer to write a decent encryption product using a proven cipher and simple calls. As long as it's kept simple and uses proven ciphers, it would likely be as secure as PGP or GPG or Scramdisk.

    So, it doesn't really matter what the download page says, or if it bothers to ask, or even if the U.S. were to enact the most Draconian encryption legislation tomorrow. PGP is nothing special. Its key functionality has already been duplicated in GPG and can be duplicated again and again by any number of competent non-U.S. residents. Therefore it doesn't matter who can download it, since they can get their hands on encryption technology that's just as strong.

    --

    Chasing Amy
    (We all chase Amy...)
    "The more corrupt the state, the more numerous the laws"-Tacitus
    1. Re:What I find amazing... by biglig2 · · Score: 2

      Good points. I'd add one more thing: if I were a terrorist, guess what? I'd use a one-time pad.

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    2. Re:What I find amazing... by Anonymous Coward · · Score: 0

      And how would you send new ones to your associates? Encrypted with PGP?

    3. Re:What I find amazing... by Clansman · · Score: 1

      It's the effort of making and distributing them (one time pads) safely and continuously that makes them tricky.

  64. Logical? by do!omite · · Score: 0

    They are selling PGP because PGP has poor sales. Sounds like a Vulcan conundrum!

    --
    **********
    If it says "Troll" on this post,
    I successfully annoyed a nerd herd! :)
  65. Re:Free software cannibalization and software cycl by jacrawf · · Score: 2, Insightful
    Why is Ars-Fartsica's post marked as a Troll? Her or his observation is fairly poignant, whether or not it is entirely true. (Only NAI execs know for sure.)

    This isn't a story about encryption being denied to the masses or anything. It's about a company giving up an unprofitable product line because most people just use the free versions. And in case whoever marked this post as a troll hasn't noticed, there is a great deal of software within Ars' timeframe that is having exactly this kind of thing happening to it: free alternatives are starting to pop up.

    Try to think of a commonly used commercial application that is not having a free equivalent currently being worked on. With a bit of searching, you won't find many. Indeed, free software is even becoming increasingly popular as more people are getting sick of dropping $100-700 on software per product. A comprehensive commercial software package these days can cost even more than the computer you bought to use the software on. Do you think even the rather clueless average user isn't going to notice that?

    C'mon, are Slashdot moderators really this dumb?

  66. White Punks on Dope by Anonymous Coward · · Score: 0

    what the fuck are YOU laughing about? fucking commie bastard!

  67. Re:Hello? The freeware version is still there. by rjh · · Score: 3, Informative

    PGP has always existed as freeware, with full source code too. It's not going to disappear!

    PGP 7.1 has not been released as freeware, and source release for anything past 6.5.8 is problematic. You can get the crypto engine of 7.1 (but not 7.0), but only if you agree to a truly onerous license. Better to say

    Freeware builds of PGP haven't been made available for 7.1, and there's been practically no source release, too. At this rate, it's going to disappear!

    Of course, my panties are far from in a knot. In the first place, I wear boxers. In the second, I use GnuPG.

  68. There's NO hope... by Anonymous Coward · · Score: 0

    Windows XP

  69. Like so many other computer related things... by Anonymous Coward · · Score: 1, Insightful

    ...their products are too cheap, it's as simple as that.

    It's nice to get things for free or to very low prices but products that cost money to make must make a big enough revenue to support the costs of producing it.

    We see this in dot-coms, open source (at least with the current business model) and other areas, they simply don't know how to charge.

    If I'm not remembering wrong I believe PGP personal edition costs under $30 and the corporate desktop is not very expensive either. With those numbers they have to sell enormous amount of copies to make it work and I seriously doubt the market is that big.

  70. Re:Rats... Ship by Anonymous Coward · · Score: 0

    why yes, i am... and yes, i do... now, do us all a favor and go fuck yourself with a splintered baseball bat . thanks, and have a miserable life!

  71. Re:Actually. by Anonymous Coward · · Score: 0

    I couldn't disagree more. Their products are way too cheap, you must charge enough for your products to at least cover the development costs. Of course they can't be too expensive either, but they certainly aren't.

    $5,500 for enterprise software is NOT very expensive and I doubt they can even possibly sell enough copies at that price to be able to support the development costs.

  72. Cannibalize This! by Anonymous Coward · · Score: 0

    "C'mon, are Slashdot moderators really this dumb?" Well, Slugger... In a word, yes. But seriously folks, I once shot an elephant in my pajamas... what he was doing in my pajamas, I'll never know because he was using free encryption software to communicate, freely. Sign o' the times.

  73. Explains a lot ... by King+Of+Chat · · Score: 2, Interesting

    My company exchanges a shedload of confidential data with customers - some of whom use PGPG. I tried the eval of PGPmail last week and couldn't get it going with Notes (no Outlook - no virus). Even waving the prospect of 12,000 seats at them they wouldn't respond. Should've guessed something was up.

    We'll just have to stick to our normal encryption method - making our documents too boring for anyone to remain conscious while they read them.

    --
    This sig made only from recycled ASCII
    1. Re:Explains a lot ... by Anonymous Coward · · Score: 0

      Just an FYI -- I've seen some Notes-PGP integration hacks, but they involve some custom coding in the mail template (the goodness of Notes is that almost everything can be modified in some way, the badness is that it shows). Not rocket science, but some effort involved.

      I can understand why NAI didn't ship a Notes plugin -- Notes already has strong crypto (for internal use) and comes with decent SMIME support.

  74. PGPi by Master+Of+Ninja · · Score: 1

    I'm sure there are many reasons why pgp is not taking off. People don't generally know about encryption on computers, and even if they do that awareness is due to all the hype about it on TV.

    Those who do know (and especially in the open source camp) use GNUpg. Even then there is the PGP international page. From here you can download the free versions of the last international release (with source) and even the new 7.0.3 free version which NAI sells.

    I think that the clued up people go for this. I think it lacks a couple of features but it still has the core encryption for emails/files on hard disk base. If you know i think you would go for the free version as well. Anyway I thought they were bundling PGP with virusscan and the like to make their money anyway.

  75. Is slow sales really the reason? by Diabolical · · Score: 2

    In the wake of the ATA... could it be they want to lose a division which would not be profitable if the ATA falls through?

    The use of uncontrolled encryption would be illegal and who would buy the controlled versions?

  76. terrorist, or freedom fighter? by Anonymous Coward · · Score: 0

    let's see, kiddies, just who is a freedom fighter and who is a terrorist... ever hear of a little dude by the name of Menachem Begin? well, gather 'round and listen up. Menachem Begin was, before he was Prime Minister of Israel, a member of an underground militant group that saw fit to install some rather explosive materials in the King David Hotel (oh my! how did THAT happen), back in the day... now, was dear little Menachem a terrorist or a freedom fighter? i am as appalled and angry about the WTC disaster as is anyone, but MOST of you damned chuckleheads out there in the USA (and yes, i am a citizen of the USA from birth) lack the intelligence and knowledge to have any real historical perspective on these matters. you can't help it. precious few of you have been schooled in critical thought and rational analysis beyond some compsci classes and econ studies. my point? your brains are constipated and you cogitate in ancient modes born out of your particular prejudices. far be it from me to know who is a terrorist and who is a freedom fighter when one takes a good hard look at the history of the world. did someone mention Cambodia and Nixon and Kissinger? how about East Timor? or perhaps Chile? and by the way, whatever happened to Jacobo Arbenz, the democratically elected President of Guatemala? and President Mossadegh in Iran, killed by the CIA all those years ago so that the gov't of the USA could place the Shah of Iran on the throne and he promptly went about using his secret police, the Savak, to murder and torture so many in his own country that one out of every THREE Iranians could claim to have been affected by the Savak in some way... i could go on and on, but i digress... and pearls cast before swine are akin to facts cast before willfully ignorant people. pardon me whilst i encrypt an email. close your mouth, you are drawing flies.

  77. Cool Attitude by _Sprocket_ · · Score: 2


    4. Geek factor. It is oh, so cool to be able to 'sign' an email, and advertise your public key.


    That sparks up a bit of paranoia that might be interesting to discuss.


    I maintain at least 1 active keypair. I put it out on distributed key server groups. I post it on web servers. I use it to encrypt private communications.


    But I use it very sparingly when it comes to signing email. I have to see a really good reason to verify who I am before I sign anything. If paranoia causes one to take up using PGP, it's an even more selective paranoia that causes one to not use all its potential.


    So why am I so paranoid? After watching the subpoenas fly a couple of years ago, I've decided that I'd prefer to make it a little more difficult to prove any bad attitude really is mine. Granted, there's other ways to try and link email to an individual. But why make it a habit to provide that trail for every mail list post, friendly banter, and interoffice discussion message you fire off?


    And that's a really important point - a majority of our (or at least mine) email is of a fire-and-forget, trivial nature. It's less a written letter and more a verbal conversation encapsulated in text. Without the bandwidth hit of wav file attachments. In this informal environment, things are often said... or ideas expressed... that one would not set to a permanent record. Yet email, and other forms of electronic communication, have an odd way of sticking around far beyond its intended life.


    Do you really need to give a lawyer the means to prove they came from you? And sure, there are other ways to link an email to an individual. But I'd prefer to make anyone giving me a hard time jump through those extra hoops.


    As a side note, memo and file retention policies existed well before email became an indispensable tool to business. Email only compounds the problem these policies were really designed to address (and no, storage of files isn't the real issue here). With the lines slowly fading between personal and professional data, it might be worthwhile to think about your own home shredder and review your own document retention policy.


    Of course - this all doesn't cover the real reason all this signing happens. Geek appeal. That's easy to handle. Include your PGP Key ID and fingerprint in your .sig and business cards. Stylish and practical, with a bit of geek attitude.

    1. Re:Cool Attitude by olla+podriga · · Score: 1
      I've decided that I'd prefer to make it a little more difficult to prove any bad attitude [jwz.org] really is mine. Granted, there's other ways to try and link email to an individual. But why make it a habit to provide that trail for every mail list post, friendly banter, and interoffice discussion message you fire off?

      Ever tried using different email addresses with different keys?

      I don't think of signatures as a "trail" for every mail I wrote, but as a means of authenticating to the recipient of the mail. "on the net" that works quite nice, since most of the time your postings to a mailing list can't be traced to your real identity. But it's a sure way to prevent someone faking your posts. (and that's good even for trivial matters)

      But you are right about the unexpected long-term storage of mails. At least it can be a comfort to know that you will be quoted correctly. :-/
      OTOH you can always revoke your key and proclaim that it has been compromised.
  78. Keyservers by _Sprocket_ · · Score: 2


    In short, I can't see there being very many users at all who have a current version of PGP and chose *not* to send their key into the keyserver -- it's just that tightly integrated.


    Our group was pushing the Corporate populace towards PGP as a standard desktop app. And for it to become a commonly used app, at that. We were actually making some progress. And that's when people began asking (if not demanding) the company's key server.


    The company had an "official" internal key server at one time. There was even a DNS entry for it still. In actuality, this keyserver had been a side project on an individual's Solaris desktop machine. He had become burdened with other tasks and the keyserver fell into disrepair until it had been taken offline. We didn't have the time / funding to deal with it either.


    Our suggestion was to use the excellent network of public key servers in the meantime. It was odd. People were rather horrified at the idea. Public keyservers were just too scary. No amount of discussion would change their minds. They needed a nice, safe internal one or no key server at all would do.


    We scored a hit in getting PGP out there. But I suspect it was an overall miss by somehow failing to educate the population on what they had.

  79. Social conventions. by Per+Abrahamsen · · Score: 2

    My mail folders on our multiuser system are kept publicly readable, so encrypting them on the wire seems silly.

    However, there is a social convention about not reading other people's mail, which means someone behaving like you would be rude. It is a public display of disrespect, which is insulting whether or not the victim cares about his mail privacy or not. I'd be annoyed too.

    1. Re:Social conventions. by edinho · · Score: 1

      Huh? Your mail in the folder is still encrypted. It is only decrypted at your MUA.

    2. Re:Social conventions. by Per+Abrahamsen · · Score: 2

      I *chose* to make it public readable, because I don't care if someone reads it. The point was, *if* I cared about privacy, I'd probably start by making them o-r.

  80. PGP killed PGP? by jeti · · Score: 1

    I might be terribly wrong about this.

    But isn't it the case that PGP 2.6.x was
    actually more secure than the later versions?

    So anyone really interested in security would
    stay with the (free?) 2.6.x release and not
    spend money on updates.

  81. the real reason for pgp drop - NSA INFLUENCES!!!!! by Anonymous Coward · · Score: 2

    I saw this coming. Not merely the dot-com boom bust of nai pki division but the implosion that is inevitable once too many people spot collusion between the US NSA and NAI.

    Now the money xfers from NSA to NAI are part of public record but there's plenty of suspicious info even before those press releases of this year. I include some here below,

    NAI (owner of the source) makes money by doing things for the NSA... they themselves admit it. Then there's the key escrow backdoor weakness in new pgps. Plus history of NSA manipulation in other areas. Use older (years ago rsa only) pgp for true security, and compile it yourself and check compilation. Is source for what you used even available at all?

    ( FYI: If comparing macintosh builds: factor out (by hand pasting) the embedded date and time field in the executable header or the pgp signature of the PEF will not match the distributed signed apps)

    please read the following informative sites :

    written in 2000, before the full NSA connection was revealed. VERY VERY LONG and detailed pgp backdoor info
    http://senderek.de/security/key-experiments.html

    an old useful page written right before NAI admitted taking NSA funds
    http://cryptome.org/nsa-sabotage.htm

    old 1998 site written before NAI admitted taking NSA funds for engineering work:
    http://www.proliberty.com/references/pgp/

    in general ... only use original flavor pgp RSA not the freeware "Diffie-Hellman/DSS-keys" pgp keys.

    and avoid all modern pgps..

    The founding author ("z") quit NAI one month before news broke that NAI has one major paying crypto cu$tomer of the division that got axed today : the US NSA!

    You are all ignorant. PLEASE READ MY LINKS.

  82. PGP: Difficult to use. by yatest5 · · Score: 0, Flamebait

    Extremely difficult steps to use:

    1. Install PGP (this involves pressing 'Next>' a few times.)
    2. Make a key and distribute. (Using wizard and email).
    3. Er, press the button before you send a mail - box comes up to choose keys, or you can just set a default.

    Yep - incredibly complex all the way.

    --
    • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
  83. Official crypto by ZaneMcAuley · · Score: 0

    As there is a demand for crypto, would there now be a push for an official legal crypto a la Clipper?

    --
    ----- What's wrong with this picture? http://www.revoh.org:1234/whatswrong
  84. Re:I'd buy that for a dollar by ZaneMcAuley · · Score: 0

    Why don't they just stick it on eBay :D

    --
    ----- What's wrong with this picture? http://www.revoh.org:1234/whatswrong
  85. In Germany the converse happens ... by Random+Walk · · Score: 3, Informative
    Maybe encryption/privacy on the net goes down in the US, but at the same time it receives substantial funding by the German government.

    This is not only true for GnuPG, which has funding by the government (for the development of more user-friendly frontends, I think), but there is also a project for the development of an open source anonymity service (JAP) as strong as (or even stronger than) the Freedom anonymizer service, and there is also the Sphinx project to build a PKI for the public authorities and maybe others.

    One of the main drivers for the JAP project (and maybe others) seems to be that many consumers (at least in Germany) apparently avoid E-commerce because of privacy concerns.

    1. Re:In Germany the converse happens ... by Dexx · · Score: 1

      I wonder if it has anything to do with Germany having been where the US seems to be going?

      --
      Feel the fear and do it anyway.
  86. Re:PGP: Difficult to use. by fmaxwell · · Score: 3, Informative

    Don't lecture me -- I have used PGP and it is not the simple matter you pretend that it is -- especially not when you and your correspondents each use multiple computers and have to move your private keys around.

    First they have to promise not to use it for commercial purposes and then they have to fill out a form that asks them how many copies they intend to purchase, the timeframe, the company for whom they work, their title, their address, phone number, e-mail address, number of computers at their location, etc. Do you have any idea of how long it takes for my friends with 56K modems to download a 7MB file (which PGP is)? About 30 minutes -- if they don't drop the connection. Then I have to go through the whole "you won't get a virus" lecture before they will cautiously try to install it.

    The freeware version, by default, installs VPN/Firewall. Then it wants to know which adapters you want secured. Yeah, that's what I want to try to explain to someone who majored in English Literature. Then it wants the user to enter a passphrase of at least 8 characters -- but not write the passphrase down anywhere. Another thing for them to remember -- which many of them will not.

    I could go on and on, but it's not worth my time. Instead, I'll ask you a simple question: What percentage of your non-computer-geek friends use PGP and if it is so simple to use and free, why do so few use it?

    You just don't get it, do you? A simple private key encryption needs to be built in to the mail client the way that SSL is built into the browser. The whole digital ID thing for e-mail is a joke. I got a Thawte Freemail digital ID. My friend, a computer professional, also got one. Netscape 4.7x (his e-mail client) claimed that his had already expired -- despite displaying an expiration date in the future for the ID. Then he downloaded Mozilla only to find that it does not support encryption at all. He finally gave up after a lot of trying.

  87. Re:PGP: Difficult to use. by yatest5 · · Score: 1

    >>First they have to promise not to use it for commercial purposes and then they have to fill out a form that asks them how many copies they intend to purchase, the timeframe, the company for whom they work, their title, their address, phone number, e-mail address, number of computers at their location, etc.

    Er, that's called 'filling in a form'. Many people have done this before - takes like 2 minutes.

    >>Do you have any idea of how long it takes for my friends with 56K modems to download a 7MB file (which PGP is)? About 30 minutes -- if they don't drop the connection. Then I have to go through the whole "you won't get a virus" lecture before they will cautiously try to install it.

    That's called 'downloading software'. If it was integrated into the browser, it would be 7 meg more on top of that download. The 'virus' thing has nothing to do with PGP, so I'll ignore that. You could download it for them and burn a cd?

    >>The freeware version, by default, installs VPN/Firewall. Then it wants to know which adapters you want secured. Yeah, that's what I want to try to explain to someone who majored in English Literature. Then it wants the user to enter a passphrase of at least 8 characters -- but not write the passphrase down anywhere. Another thing for them to remember -- which many of them will not.

    I agree that sucks somewhat, but it's not beyond the wild realms of possibility that you say 'uncheck this box'.

    >>I could go on and on, but it's not worth my time. Instead, I'll ask you a simple question: What percentage of your non-computer-geek friends use PGP and if it is so simple to use and free, why do so few use it?

    None use it. No-one I don't know wants to read about what I drank last night. We use it at work. People don't use it because they don't want/need it.

    --
    • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
  88. unintuitive windows user interface by throwaway18 · · Score: 1

    I've used PGP about twice a year for the last 4 years when I've come across someone else willing to make the effort to use it. I've always used command line clients. When I want to use it it takes a while to find which hard drive my keys are on and two minutes to read the command line options, import the keys since I will have changed distro since I last used it, encrypt or decrypt a message and I'm done.
    A friend who is barely computer literate asked me to help him with the PGP for win freeware he'd just installed. After a couple of minutes explanation of public keys and private keys I had a go with the windows program. I couldn't work out what was going on. There is a key utility that shows various keys but doesn't tell you if they are the public keys or the private keys it's showing. I was lost despite knowing what I wanted to do and my friend who is a typical windows user and cannot be made to read more than one sentence of the help even when beaten with a stick had no chance.
    PGP freeware edition also has three or four background processes running all the time, very unwelcome on an already less than stable win98 machine.
    Very disappointing, I really want more use of crypto. I'm daydreaming about a p2p app that does filesharing, instant messaging, slashdot style discussion with the hard crypto and trust networks happening without clueless users even noticing.

    1. Re:unintuitive windows user interface by dsb3 · · Score: 2, Interesting

      Hard Crypto + Clueless Users == Weak Crypto.

      There's really no other way to dice it. Due to the very nature of crypto in algorithm and implementation there just isn't space for a clueless user to stumble around and not expect to either (1) break something critical or (2) break something critical without realizing it.

      Repeat after me ... security is a process, not a product.

      --

      Slashdot? Oh, I just read it for the articles.
  89. Re:My corporation tried to buy PGP... And couldn't by rikkards · · Score: 2

    At my last job they wanted to try out encryption but did not see the need to spend so much money per seat (worked out to about $35k total). Also was willing to look into GPG but it doesn't integrate well (if at all) with Outlook. Since this wasn't a technical oriented group (most of them didn't know how to change a default printer). It would have needed to be somewhat idiotproof.

  90. One Time Pads by dmaxwell · · Score: 2

    Granted, the distribution of one time pads is a pain in the rear. However since Osama primarily does business by courier anyway............

    The making of one time pads isn't a big deal at all compared with the distribution problem. A tv tuned to a blank station and a video capture card would be an inexhaustible source of truly random data. Just strip the headers from the compressed frames. If one is feeling really frisky the sampled tv data could be used to seed pseudorandom algorithms as well. This would remove any identifiable quirks of the natural random number source. The data from the tv will be random but still may adhere to some type of bell shaped curve that would look like its bandpass response. Individual bytes would be unpredictable but enough of them would tell you something about that tv+card combo anyway....so mix em up a little.
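
An added example (not part of the comment above) of the "mix em up a little" step: bell-curve-biased noise bytes are measured, conditioned by hashing 64 raw bytes down to 32, and the result is used as a one-time pad that refuses reuse. The noise is constructed with a seeded generator as a stand-in for capture-card samples; the 64:32 ratio, function names and sample message are assumptions of this sketch.

```python
import hashlib
import math
import random
from collections import Counter

RAW_BLOCK = 64   # raw noise bytes consumed per output block (assumed ratio)
OUT_BLOCK = 32   # SHA-256 digest size in bytes


def constructed_noise(n, seed=1):
    """Constructed stand-in for TV-static samples: bytes in a bell curve
    around mid-grey. Seeded only so the demo is repeatable; a real pad
    must come from a physical source, never from this function."""
    rng = random.Random(seed)
    return bytes(min(255, max(0, int(rng.gauss(128, 20)))) for _ in range(n))


def shannon_bits_per_byte(data):
    """Average entropy of the byte histogram (8.0 means uniform)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def min_entropy_bits_per_byte(data):
    """Worst-case estimate: -log2 of the most common byte's frequency."""
    return -math.log2(Counter(data).most_common(1)[0][1] / len(data))


def condition(raw):
    """Hash each full 64-byte raw block to 32 bytes. Output never exceeds the
    entropy put in, which is what separates this from seeding a PRNG and
    stretching it (that would be a stream cipher, not a one-time pad)."""
    out = bytearray()
    for i in range(0, len(raw) - RAW_BLOCK + 1, RAW_BLOCK):
        out += hashlib.sha256(raw[i:i + RAW_BLOCK]).digest()
    return bytes(out)


class OneTimePad:
    """Hands out pad bytes strictly once, front to back."""

    def __init__(self, pad):
        self._pad = pad
        self._offset = 0

    def remaining(self):
        return len(self._pad) - self._offset

    def take(self, n):
        if n > self.remaining():
            raise ValueError("pad exhausted: refusing to reuse key material")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk


def xor(data, key):
    if len(data) != len(key):
        raise ValueError("pad segment must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(data, key))


def demo():
    raw = constructed_noise(65536)
    pad = condition(raw)
    # Both parties hold the same pad (delivered out of band) and stay in step.
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    message = b"constructed sample message"
    ciphertext = xor(message, sender.take(len(message)))
    plaintext = xor(ciphertext, receiver.take(len(ciphertext)))
    return {
        "raw_shannon": shannon_bits_per_byte(raw),
        "raw_min_entropy": min_entropy_bits_per_byte(raw),
        "pad_shannon": shannon_bits_per_byte(pad),
        "pad_len": len(pad),
        "roundtrip_ok": plaintext == message,
        "sender_remaining": sender.remaining(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The min-entropy figure, not the Shannon average, is the one to size the compression ratio against: 64 raw bytes must carry at least 256 bits of worst-case entropy for a 32-byte output block.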

  91. The problems is the big MS. by Computer+suck! · · Score: 0

    again...
    Encryption/decryption & digital signing is built into all major email clients now (including Outlook).
    So why bother with PGP?

    CS!

  92. what a box product should give by johnjones · · Score: 2

    in a company what do you want from your crypto system?

    1. The ability to send secure messages to customers
    (relating to billing or just giving instructions about product that you don't want anyone else to know CUSTOMERS demand that it be secure)

    2. send messages within the company that can be read only by receiver
    (prevents leaks and makes sure that the whispers don't start up e.g. how many mails go to the postmaster )

    3. escrow is needed when an angry employee leaves and you need to read their work
    (the world is full of jerks and they can be hard to spot)

    4. Key servers need to be up to date and manageable
    (from a sysadmin point of view)

    5. Standards for sending e-mail securely and product activation would be nice

    yes it's good to be open but some one needs to productise this so that company can buy a Complete Off The Shelf (COTS) solution that a company can buy because not enough people do secure themselves IMHO

    is there anyone that fancies boxing up GPG, a keyserver and manuals on how to do the above I am sure that they could get some money from companies I know

    regards

    john jones

  93. Re:What could 250 people be doing to PGP??? by camusflage · · Score: 2

    Maybe they were selling special versions in Arabic to Saudis living in Afghanistan? (When you have 4 wives, you have to keep a lot of secrets.)

    Naah. Not when your wives can't divorce you and have no meaningful rights to speak of that aren't granted to them by you.

    Go ahead. Mod me down. :)

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
  94. Gauntlet axed too though... by Anonymous Coward · · Score: 0

    Their Gauntlet firewall line is being sold off too. That's something that should be getting MORE business in recent days. Face it, NAI is incompetent. They bought PGP and fucked it up and then killed it. They bought Gauntlet from TIS, fucked it up, and then killed it. Screw NAI. They are morons.

  95. Sales call by bcarlson · · Score: 1

    I have been looking into using PGP for a corporate email security fix, and got a call from my salesman yesterday begging me to buy on the spot... I put him off until tuesday, but now I may have to look elsewhere! We finally have it working and just have a few more tests to make certain it would work. NAI has been very supportive, both from a sales perspective (i.e. letting us get it working before we buy), and from an engineering perspective (i.e. spending time on the phone with us, helping get things configured). Kind of disappointing that a good customer service company like this is going to drop a wonderful piece of software...

    --

    "...I'll need guns" --Chow Yun-Fat in 'Replacement Killers'
  96. Re:My corporation tried to buy PGP... And couldn't by Anonymous Coward · · Score: 0

    The trouble is encryption/security is never idiotproof.

    Don't get me wrong - easier and more userfriendly is good. I like the PGP-clipboard integration on windows.

    But the later products were starting to get Microsoftish - huge, dunno what the heck they are doing, needs reinstalls to get it to work etc.

  97. impressive indeed by twitter · · Score: 2
    ..all for $30

    Wow, a $30 patch for a $250 OS that might make you feel less venerable. I don't mind people trying to make a living selling binaries. I just don't understand why people would buy such things when free alternatives are available. GPG not enough security? Try OpenBSD.

    If the answer is that the free alternatives are too hard to administer and set up, go get help. There are Linux User Groups (LUGs) everywhere. Take the hundreds of dollars you as an individual would spend on canned binaries and hire someone to help you out. If you are a business, save yourself thousands of dollars the same way.

    The world is always changing. Sometimes it hurts, as when 250 fine programmers get laid off. As long as the world remains free, the changes will be for the better. Just think of that talent being liberated. All of those nifty Windows tricks are unlikely to be released even if NA itself goes belly up.

    --

    Friends don't help friends install M$ junk.

    1. Re:impressive indeed by Anonymous Coward · · Score: 0

      This has to be the lamest opportunity for gnulix advocacy that I've ever seen. What's next? A jihad against WinZip? I bet you are absolutely overwhelmed by converts.

      The reason this product costs *only* $30, BTW is because most of that crap comes in the Windows 2000 box, which also includes such wonderful features as a CLIPBOARD which somebody can hook into.

      And, fuck I'd rather spend $30 than go hang out at some Loser Anonymous LUG meeting.

    2. Re:impressive indeed by Anonymous Coward · · Score: 0

      As much as I like the security features of OpenBSD, it is hardly a desktop operating system.

      The answer isn't that free alternatives are too hard to administer and set up, it's that the free alternatives don't provide the functionality needed.

  98. Websensed? by headchimp · · Score: 1
    Can anyone post a summary or gist of it? For some unknown reason, it's websensed on my end.

    And yes I work for a crappy company...

  99. Re:My corporation tried to buy PGP... And couldn't by deGleep · · Score: 1

    On the other end of the scale, I worked for a small company of 18 employees about a year ago. I was able to convince the president of the company that encryption was a Good Thing, so he gave me the go-ahead as long as we used a well-known commercial product. So we started looking around the NAI site(s) for how to buy it.

    I don't know how many have tried that, but it seemed as though NAI didn't really want to sell products on their website. At that point in time, you couldn't buy PGP (or any other NAI products) over the net. If you were an individual looking to buy PGP, they wouldn't sell it to you. Your only option was to download PGP Freeware. If you were a company, you had to send mail and have a sales droid call you back.

    So, we sent mail and waited to hear from the sales droid. He called back pretty quickly, but it just amazed me that they could afford the overhead of people whose only function was to call people and verify; "Yes, I really, really want to buy your product."

    It took about two weeks to finally buy the product - which we couldn't get without the mail plugins, IDS, firewall and other extras that invariably broke the other applications.

    I'm just surprised their stellar business model hadn't collapsed before now...

  100. Re:Rats... Ship by SnapShot · · Score: 1

    Why would it sell high?
    You just said it's selling poorly and about to become illegal. I can't think of anyone who would want to pay an excessive amount of money for that. If PGP can't market PGP, who can?

    We need a -1 Unable to Grasp Sarcasm moderation. What's even scarier is that he was modded up a point as insightful.

    --
    Waltz, nymph, for quick jigs vex Bud.
  101. Let's buy it by uptime · · Score: 1

    Anyone want to chip in and buy PGP? I'll sink in $100 towards scoring it up. Not sure what I'd do with it, but I know I'd give it away (or do some sort of shareware sort of thing) and open it up if possible. This would make a dandy co-op product.

    Btw, the next time you're chatting with the Luddites in your life, you might want to make the analogy of Encryption to that of an envelope - not many people send a realspace letter sans an envelope, but folks seem to do it all the time on the Inet.

  102. Re:My corporation tried to buy PGP... And couldn't by killmenow · · Score: 2, Informative

    Also was willing to look into GPG but it doesn't integrate well (if at all) with Outlook. Since this wasn't a technical oriented group (most of them didn't know how to change a default printer). It would have needed to be somewhat idiotproof.
    Yes...I use Outlook...at work...

    BUT, our backend mail server is HP OpenMail on Linux and I know how to configure Outlook properly. No one in our company has been touched by SirCam, etc. and all my e-mails are sent PLAIN TEXT (none of the HTML mail or BODY.RTF crap) and in this mode, using WinPT, Outlook integrates well with GPG. I type my message, then I press ALT+SHIFT+S to sign it or ALT+SHIFT+E to encrypt it and WinPT pops up a dialog for me to choose a key to sign/encrypt with (lets me have a default signing key) so I just type in my passphrase and the original message is cut out and the clear-signed message gets pasted in. Then I press CTRL+ENTER to send.

    That is at least somewhat idiotproof. It may not be as pretty as PGP's integration, but then there's a bug with that that won't allow me to automatically sign on send, so I have to sign ... then send ... which is the same as with WinPT.

  103. Who need encrypted email.. by Anonymous Coward · · Score: 0

    What private citizen has information that needs that level of encryption except maybe their credit card numbers. From what I've heard steganography is much harder to detect and when aided by encryption incredibly difficult to crack (assuming you know it's there in the first place). Information encoded in a family picture sent to grandma or the latest hit MP3 doesn't exactly scream terrorist secrets. No wonder they're closing down. The headers PGP puts on a message make it stand out.

  104. JFK used PGP and look what happened to him by rot26 · · Score: 1



    Just a couple of random thoughts that nobody will read since this article was posted yesterday

    We know carnivore was written by a major player in the software industry, NAI being one of a couple of dozen potential candidates. If this were the case PGP is more of a threat than a failed profit center. (Assuming that whoever developed carnivore is currently making buttloads of money off of it.) Anybody besides me having heavier than usual planned outages from "scheduled maintenance" by your ISP lately?

    And even if NAI isn't involved with carnivore, and even assuming that the NSA (or other three letter acronym of your choice) isn't putting pressure on encryption providers, they're probably very nervous about having any of their products go on record as having been used by "terrorists".

    --



    To ensure perfect aim, shoot first and call whatever you hit the target
  105. Slashdot could help PKI work by cpuffer_hammer · · Score: 2

    If slashdot could provide a public key server and support encrypted traffic for logged in users, there would be a wedge to start pushing at least our own community to use PKI.

  106. Re: What percentage of us actually use PGP/GPG by killmenow · · Score: 1

    Well, I'm one who actually uses it. I sign messages all the time. I don't encrypt as often because not so many of my recipients also use PGP/GPG but some do so I can encrypt.

    Additionally, my key is loaded onto keyservers and being on several security-related mailing lists, I often receive signed e-mails and I use keyservers to verify those signatures.

    But I alone don't count for 0.5%

    How many of us use this feature of slashdot?

  107. alternatives by Maxthemax2000 · · Score: 0

    What are the Good alternatives to PGP besides GPG?

    --
    No Sig
  108. No wonder with 300 employees by athmanb · · Score: 1

    I have to go with pud and ask: Why the fuck did they need 300 employees to build an encryption program?!
    Give me about five other coders who understand their stuff and a $100k budget and I'd deliver them exactly the same product, minus the outrageous development costs that forced them to sell PGP at such a ridiculous price.

    Oh well, those MBAs, I'm glad I don't understand how they think...

  109. Re:My corporation tried to buy PGP... And couldn't by Technik~ · · Score: 1

    Umm, no. I work for a company that has our own symbol on /., one with a funky dropped 'e' in it. You might be able to figure out who we are.
    Dang, now what could that company be? Better check here.

  110. You ever try to buy this stuff from NAI? by pease1 · · Score: 1
    Seems like almost everything NAI sells is difficult to buy because they make their product lines so complex. They are so complex that it is very difficult to understand just what you are buying. You end up having to talk to a sales rep and are completely relying on their knowledge of a very complex product.

    I bought one of the PGP suites about a year ago. Took forever to figure what product I needed, then I had to buy a BUNCH of stuff that I never used (All I wanted was the PGPdisk (a very cool product), but ended up with all sorts of stuff that I never used).

    Finally, you didn't really buy this stuff from NAI, you leased it... usually for two years. Does this sound familiar?

    Same story if you try to look at their sniffer products.

    In fact, same story if you look at their Virus protection products. Complex packages that are too difficult to understand.

  111. PGP sold more than the mail encryption program by drsoran · · Score: 1

    The thing you're missing though is that the PGP division of NAI encompassed a lot more products than the desktop mail encryption program. Gauntlet (a damn good firewall), E-Business Server (I still don't know what the hell that is), CyberCop Scanner, PGP Desktop (which includes the desktop VPN client product, personal firewalls, disk encryption, as well as the mail stuff). Personally I couldn't give a damn what happens to PGP since I can just go and download GPG and use it instead but there is no open source alternative to Gauntlet. You're stuck with going to Symantec's firewall (formerly Axent's Raptor), or Sidewinder if you want to stick with proxy based firewalls. If you're not concerned with security of anything higher than layer 3 you can probably settle for Firewall-1 or a Cisco PIX. Hopefully NAI will find a good buyer for these PGP product lines though. It'd be a shame to lose them.

  112. Re:What could 250 people be doing to PGP??? by Anonymous Coward · · Score: 1, Informative

    you're dumb. 250 people in pgp business unit. there are like 14 products within the unit. again, you're dumb. please never post again.

  113. Gauntlet, too (NAI incompetence) by rickmoen · · Score: 3, Informative
    The company had a nasty tendency of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.

    Funny you should mention that. The exact same thing happened after NAI bought Trusted Information Systems, makers of the (formerly) superb Gauntlet firewalling software: They bundled it with such an indigestible batch of mandatory other goods and services that all of the professional TIS installers I know switched in disgust to other products, such as Novell Border Manager. Which has more or less killed TIS Gauntlet.

    Rick Moen
    rick@linuxmafia.com

  114. Re:300 employees -- Where? by Anonymous Coward · · Score: 0

    Are these unfortunates in Oregon? Their web site conceals the locations. It would be bad if they are in a small and depressed geographical job market.

  115. Re:My corporation tried to buy PGP... And couldn't by Anonymous Coward · · Score: 0

    WinPT (Windoze Privacy Tray)

    Great - Security software written by 14 year old Slashdot trolls. Where can I sign up?!

  116. Re: What percentage of us actually use PGP/GPG by cduffy · · Score: 2

    How many of us use this feature [slashdot.org] of slashdot?

    Hopefully, very few. It's a misfeature; folks who use PGP should use the keyservers for key distribution, not the web sites they happen to have accounts on. Distributing keys through such extra channels (particularly ones which, like /., provide no significant authentication) can result in multiple, conflicting keys being publicly available -- and everyone can agree that that's a Bad Thing.

  117. Re: What percentage of us actually use PGP/GPG by killmenow · · Score: 1

    Distributing keys through such extra channels (particularly ones which, like /., provide no significant authentication) can result in multiple, conflicting keys being publicly available
    I disagree. I use keyservers, I posted my public key to /. I post it on my web site, I will e-mail, post it to usenet, and make bar-code scannable posters of it.

    I feel that I can manage my keys. I can control which channels I distribute them through. I can revoke old keys. When managed appropriately, distributing keys via multiple channels provides additional opportunity to validate them against each other and provides some degree of protection from MITM attacks.

    I agree that a keyserver should be the primary distribution channel, I think having others is just a way to hedge against a corrupt keyserver...even if the other channel is just another keyserver under a different organization's control.
  118. Clarification Please? by Kramer747 · · Score: 0

    I use PGP freeware 7.0.3

    What's the difference between what I have and the PGP that costs money to buy and GnuPG?

    If they all do the same thing why not just use a free one?

  119. Re:My corporation tried to buy PGP... And couldn't by Anonymous Coward · · Score: 0

    Ehh.. E Plus?

    ^_~

  120. If you know, provide a list. by Futurepower(tm) · · Score: 1


    Fine, in the business unit, but I don't know what 250 people could be doing. If you do, provide a list.

    --
    Bush's education improvements were
  121. INTEL by Anonymous Coward · · Score: 0

    He's talking about INTEL!!! But don't tell anyone!!!

  122. 300 Employees by Anonymous Coward · · Score: 0

    The PGP division of NAI was more than just the email and file encryption. It was Gauntlet, and it was the CyberCop Scanner. PGP really made very little money in the desktop version. What they were really making the dough with was Gauntlet and the PGP eBiz server [read command line PGP]. Gauntlet is honestly one of the trickest firewalls on the market... or rather was. NAI realized that the command line product was really the flexible piece, and so started doing things like porting it to OS/390. Also, in internal beta testing were 3 special versions that were direct plugins. There was a PERL, COM, and JAVA version of PGP coming out so you could call it without shelling out. The speed of the eBiz server version 7 or later was significantly better than the 6.5.8 product due to the way it dealt with the key rings. [Old product has to parse entire file all the time, new one didn't] Anyway, GPG entered into things a few times, but not really that often. The real problem was that nobody cares about encryption. Too many stupid users who whine all the time.

    I am one of the laid off persons. I'll stay anonymous so they don't yank my severance check in case I've said something they don't like. Keep in mind people, the geeks love GPG, but companies don't like basing their infrastructures on products without support. It's a rare large enterprise that buys a product and doesn't give a whit about support. That's the thing that holds back the free software. Once we figure that out, the software industry will be turned on its collective ear.

  123. Re:Causes [demand for encryption] by rpg25 · · Score: 1
    I don't agree that it's only slashdotters who want (or at least need) strong encryption. There are lots of professionals like attorneys, therapists, clergypeople, etc. who should be using some form of privacy enhancement for their email.

    I agree, though, that people like this may not know yet that they need encryption. Most people aren't aware that (1) the internet is a lot like a party line and (2) you need good encryption. It's not a matter of being a terrorist or of being paranoid. The simple fact is that even ankle-biters, given the power of modern PCs, can break weak encryption. And there could easily be a lot of ankle-biters out there who want to read a shrink's correspondence.... Not to mention the real criminals out there who might want to read the correspondence of a lawyer, stockbroker, etc.

  124. Re:Free software cannibalization and software cycl by Da+Masta · · Score: 1
    C'mon, are Slashdot moderators really this dumb?

    You even need to ask?

  125. Re:Once is coincidence... twice is a cheap scanner by Coyote · · Score: 1

    Let's face it, the only encryption we need is to XOR the first letter of each word and move it to the end of the word and add "ay" to it. No.. wait... they went broke too. Damn, thats 3 of them!

    --
    My metamoderation cancels your moderation
  126. Their best product was FREEEEEEE by chamoru16 · · Score: 0

    Of course they aren't gonna make any $$$ when they give away their core product.

  127. Re:300 employees -- Where? by Anonymous Coward · · Score: 0

    The people affected are smattered across many NAI locations... but development-wise, HQ in Santa Clara, California (for the desktop products)... and Rockville, Maryland (lots of former TIS/Gauntlet people) were hit hard. And of course others.

    If not mistaken, Oregon is primarily McAfee-related.

  128. Re:What could 250 people be doing to PGP??? by Eric+Green · · Score: 2
    Heheh. But I suspect you're close to the truth. I, too, cannot figure out what 250 people would be doing to the PGP product. Yes, they had more products than PGP. Someone mentioned 12 products. However, most of those products were rather trivial. If there was more than 1 or 2 engineers on each of those products then someone was seriously padding the payroll with second cousins. Even assuming 5 engineers per product (which is a gross overstaffing for most of their products unless the engineering department was staffed by total incompetents) that would be 60 engineers and 190 people to sell and market the products.

    I think it is clear that this is a company on the verge of crash because of management featherbedding and incompetence, not because of lack of product (their products are great, according to everything I've read, though since they do not have a Linux version I do not of course have personal knowledge of such). They took an idea that will support a company of perhaps 25 people and tried to create a company of 250 people. In the process they ran up massive debts and chewed through massive amounts of cash. This, alas, is a common thing nowadays.

    --
    Send mail here if you want to reach me.
  129. Time for Hushmail by Dudemar · · Score: 1

    HushMail is the world's premier secure Web-based email system. We offer ease of use and total end-to-end security. Thanks to a unique key pair management system, HushMail eliminates the risk of leaving unencrypted files on Web servers. HushMail messages, and their attachments, are encrypted using OpenPGP standard algorithms. These algorithms, combined with HushMail's unique OpenPGP key management system, offer users unrivalled levels of security.

    https://www.hushmail.com

    Full disclosure: Don't work there, but love the product.

    --

    This line intentionally left blank.

  130. Hush Communications Inc. by Anonymous Coward · · Score: 0

    Word on the street is Hush Communications (Hushmail.com) is nearly out of funding. I noticed they put up some serious obtrusive advertisement on the main page today. You can't log in till you click through it.

    Sad.

  131. Re:What could 250 people be doing to PGP??? by crucini · · Score: 2

    On the other hand, when one lives in a place where adultery can be fatal, discretion might be advisable. However since the internet is banned in Afghanistan I'm not sure how PGP would help.

  132. Re:My corporation tried to buy PGP... And couldn't by Anonymous Coward · · Score: 0

    It coulda been Internet Explorer.

  133. Re:the real reason for pgp drop - NSA INFLUENCES!! by Anonymous Coward · · Score: 0

    Dude, you are one of the stupidest fucking morons I have ever seen. This is complete bullshit. I worked at PGP for years, and there are absolutely no NSA backdoors in PGP. Read the millions of posts by Phil Zimmermann about this if you don't believe me. Why don't you stop spreading all these bullshit lies and slander about PGP and go jump off a cliff.

  134. Re:What could 250 people be doing to PGP??? by Anonymous Coward · · Score: 0

    Trivial?

    Again... I think what most people are confusing is that PGP itself is NOT a product. Yes... one man originally wrote PGP on his own for the most part... but that's the UNDERLYING PGP base... and a command-line utility which isn't much more than a wrapper. Basically, take PGP... add a command-line parser... make the appropriate PGP calls for the options specified... and BAM.. you got a simple PGP command-line tool. And yes... "something anyone could write themselves". Hmmmm.... why do you probably think NAI dropped their own command-line product? LOL

    The PGP Business unit developed many other products. E-mail client plug-ins, firewall applications, disk-encryption tools, a key server, network monitoring software, PDA encryption tools. This stuff must all be written, tested, supported, packaged, shipped, and yes, sold. Frankly, if I was the one man, or on a team of only 5 or so developers, doing all that, as people seem to be suggesting... I'd be one grumpy, stressed and tired guy by the end of the day.

    So, I think it's safe to say that PGP engineering staff does NOT NEARLY account for the 250 people. Especially since a fair number of the engineering force that did exist have been transferred to other business units (specifically McAfee and Sniffer), to continue on the remaining PGP products. (I'd be one of them.)

    The point here is that they are shutting down a BUSINESS... a business which did not run itself. But people who RUN a business aren't needed when you get rid of said business: HR folks, legal folks, managers, perhaps some sales, secretaries, etc... basically, the whole bureaucracy of it all. I'd imagine that they make up a fair chunk of the 250. In fact, the approximate numbers are that 150 were let go somewhat immediately... with the remaining 100 (most likely engineering people) classed as 'transitional'.

    As you suggest, 5 or so engineers for one product might be realistic, but that doesn't get the product tested. That doesn't get it to production. That doesn't get the phones answered when the customers call for support. Especially because... as I said... we aren't talking any more about just one guy who's sitting around writing an encrypting engine and a command parsing front-end.

  135. Microsoft, Netscape, Lotus support S/MIME by Zeinfeld · · Score: 2
    The problem with PGP is that it only solved the Privacy problem well. The Web of Trust concept is not intended to support the establishment of the real world identity of the individual signing a message in a legally binding manner.

    That is the problem that F500 enterprises have really been interested in spending money to solve. If you can solve that problem you can then go on to deploy a whole rack of true e-commerce systems.

    That is why the vast majority of corporate spending has been on certificate based email security systems.

    There are still crypto companies making good money but times are tough. Over the past five years a lot of enterprises bought a lot of software they never deployed. As a result a lot of IT depts are being told to deploy their 'shelfware' before they buy more stuff. The software product model is definitely not doing well, buying software as a service on the other hand is doing very well.

    Companies that sell 'plug ins' have been doing worst of all. Plug-ins have a pretty bad record in the enterprise space. They tend to cost as much as and often more than the applications they plug into and tend to be a pain to manage with version number incompatibilities, configuration glitches and other issues that are annoying if it's just one slashdot reader but a help desk catastrophe if you have several thousand clueless users to support.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/