NAI to Sell Off PGP Product Line
An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."
If NAI didn't want to charge $5,500 for a server-based encryption package, up from $1,000 for a *two year license* for PGP version 5.
NAI is a bunch of idiots anyway. They totally screwed over people when they took over the Gauntlet firewall suite. First, "you need to migrate to NT, all Unix Gauntlet packages will be discontinued". Ok, 18 months later "Gauntlet for NT is now discontinued".
Hopefully, someone will pick up PGP and offer it at a price people can afford.
I'd agree that's a steal, but not for the IDS - it's not even signature based, it's got some canned 'attacks' built in but there's no update facility.
On the other hand the personal firewall PGPnet includes has quite a flexible rule interface, and works really well. And the rest of the package is amazing.
I'm also concerned about the on-hold status of Gauntlet Firewall/VPN. A really good product that was just starting to get even better with the 6.0 release, and now its future is very uncertain. Gauntlet's roots are in open source too, as it evolved from the Firewall Toolkit.
The source code for PGP has been available for some time, at least the earlier versions of it. See http://www.pgpi.org unless you're in the US in which case it's illegal for you to use this version derived from the source.
Jason Wallwork
You're probably correct that many of the types who would be concerned enough with their privacy are geeks who would rather not pay for something they can get for free, but it had a presence in corporate environments. I fought a huge battle at the company I used to work for to get PGP implemented at a departmental and later at the VP level.
One of the biggest initial issues was that people didn't understand it or the need for secrecy. Thankfully the group I was in had a need to periodically distribute root passwords and management was smart enough to realize that doing so in email was pretty darned dumb. Eventually I was able to get it adopted and we would encrypt a single message to the various people who needed to be able to read it. We also posted the encrypted file on our departmental webserver. It worked pretty well. When someone would leave the dept for whatever reason, we'd distribute the revoked key that was generated at the same time as their key, change the password, and repost the file.
Another issue was price. It was pretty difficult to get higher-level approval for the expenditure. We eventually snuck it in one license at a time, and later were able to buy licenses in bulk as my senior manager and later VP understood the issues and thought the solution was worth paying for.
Eventually an enterprise license was purchased. Unfortunately, the &*%($*%( lawyers wanted to force everyone to use escrowed keys. I'm not sure how it went elsewhere in the company, but we basically said 'sure', and kept using unescrowed keys for internal communications because 'root' is God's way of saying you have too much power.
PGP's support of key-escrow was the worst thing they could do IMO from the standpoint of trust, especially for those paranoid enough to be really up on the tech. I never fully trusted recent versions of PGP, and use GPG now.
This is an ex-parrot!
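The workflow the post above describes (one ciphertext for the whole group, then rotate the secret and circulate a revocation when someone leaves), as an added GnuPG example; this is not code from the original post or from NAI/PGP. It assumes gpg 2.1 or later on PATH; the names alice, bob and carol, the example.test addresses, the temporary keyrings and the password strings are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt one secret to a group
# with GnuPG, then rotate it and revoke a member's key when they leave.
# Assumptions: gpg >= 2.1 on PATH; alice/bob/carol, the example.test
# addresses, the temp keyrings and the secret strings are constructed here.
set -eu

WORK="$(mktemp -d)"
MEMBERS="alice bob carol"
cleanup() {
    for who in $MEMBERS admin; do
        gpgconf --homedir "$WORK/$who" --kill all 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# g WHO ARGS... : run GnuPG non-interactively against one person's keyring.
g() { h="$1"; shift; gpg --batch --quiet --pinentry-mode loopback --homedir "$WORK/$h" "$@"; }

# One keyring per person (unprotected keys, demo only) so that "bob can no
# longer decrypt" is tested against his real private key, not assumed.
for who in $MEMBERS; do
    mkdir -m 700 "$WORK/$who"
    g "$who" --passphrase '' --quick-gen-key "$who <$who@example.test>" default default never 2>/dev/null
done

# The admin keyring holds only public keys; it is what encrypts for the group.
mkdir -m 700 "$WORK/admin"
for who in $MEMBERS; do
    g "$who" --export "$who@example.test" | g admin --import 2>/dev/null
done

# encrypt_to OUT RECIPIENT... : stdin -> one ciphertext readable by every
# listed key. Fails (non-zero) if any recipient's key is unusable, e.g. revoked.
encrypt_to() {
    out="$1"; shift
    rcpt=""
    for r in "$@"; do rcpt="$rcpt -r $r@example.test"; done
    # $rcpt is intentionally unquoted: it expands to several -r options.
    # shellcheck disable=SC2086
    g admin --yes --trust-model always $rcpt --encrypt --output "$out" 2>/dev/null
}

# can_decrypt WHO FILE : 0 if WHO's private key opens FILE, non-zero otherwise.
can_decrypt() { g "$1" --decrypt "$2" >/dev/null 2>&1; }

# revoke_member WHO : import the revocation certificate gpg wrote at keygen
# into the admin keyring, so nothing can be encrypted to WHO's key again.
revoke_member() {
    fpr="$(g "$1" --with-colons --list-keys | awk -F: '/^fpr/ { print $10; exit }')"
    # gpg stores the certificate with a leading ':' so it cannot be imported
    # by accident; strip it to arm the certificate.
    sed 's/^:-----BEGIN/-----BEGIN/' "$WORK/$1/openpgp-revocs.d/$fpr.rev" \
        | g admin --import 2>/dev/null
}

# v1: the current root password, one file for the whole group.
printf '%s\n' 'root-pw-v1' | encrypt_to "$WORK/v1.gpg" $MEMBERS

# bob leaves: revoke his key, change the password, re-encrypt for the rest.
revoke_member bob
printf '%s\n' 'root-pw-v2' | encrypt_to "$WORK/v2.gpg" alice carol

for who in $MEMBERS; do
    for v in v1 v2; do
        if can_decrypt "$who" "$WORK/$v.gpg"; then
            echo "$who can read $v"
        else
            echo "$who cannot read $v"
        fi
    done
done
```

Note what the output shows: bob can still read v1 after his key is revoked, because revocation only stops future encryption to that key; it does nothing to ciphertext he already holds. That is why the post's procedure changes the password and reposts, rather than just circulating the revoked key.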
Ever since Phil Zimmerman left because of "differences" with NAI, I was extremely reluctant to upgrade to future versions for fear of "backdoors" that might have been included in the product - things that wouldn't have happened under his watch but are now more likely.
So I stopped upgrading the free version at the last version he personally oversaw...7.0.3
----------
ah honey, we're all resplendent - Bill Mallonee
We've only been wanting to add a "security" topic for about TWO YEARS so it's nice to finally have one...
Not a problem. There is already public funding for GPG in Europe. And encryption of a PGP/GPG type does not need hundreds of developers (of the commercial full time variant).
I think it is no real problem for the manufacturers of mail software to include GPG support on their own.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
Not the strongest encryption in the world, but it'll keep prying eyes away. You might have some issues exchanging disk images with non-OS X users, though.
-jon
Remember Amalek.
Apparently Gauntlet firewall is going to. Too bad for those of us who use this product and have paid for long-term support.
While not the most popular product out there, it is serviceable. In our installation I think we are pushing it to the limit, but their Webshield e-pliance product was sold as an easy to configure/manage secure product, and was quite secure straight out of the box.
As for us, we have several issues we are trying to ram through NAI technical support. Will NAI continue to support a product they aren't going to continue to sell? Will our support contracts be transferred with the product when it's sold, or will NAI try to honour the support contract even though they don't own the product anymore?
It's a worrying sight when Internet security suppliers go out of business. Unless there were serious problems with the product not in the public domain (and I know about their mail daemon) it was a good security product for small to mid-ish companies and they are saying it's unprofitable. Either firewall products are about to become more expensive, or the quality is about to go down. Neither is a good sign.
Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
I am a firmware engineer for a large hard drive company, and though I guarantee I know how to make the disk unreadable by these tools, it is impossible to do with any "user" program.
The way I imagine most of these recovery tools work is by reading sideband data off of the drive... When the write head is hauling ass around the platter and you want it to write to a given LBA, it never writes in exactly the same place twice. It might be in slightly different phase with the start of the LBA (5-20ns is common), and since it is a mechanical system, an LBA isn't a perfect arc... it can tend to wobble.
Using in-house diagnostic tools we can "force" the servo code that is supposed to keep the read/write heads centered to a prescribed amount off to the side... If you had an event where the sensitive data was written .1 tracks towards the outer diameter from center, and on a subsequent pass (the 7x overwrite) you wrote your data smack down the center of the track, then it would be possible to position your read head around .3 to .4 tracks towards the OD, crank up the gain in the read channel, and recover that "sideband" data. It would be an absolute pain in the ass, but it is possible. Of course, this setup would probably take roughly 30 mins-2 hours per LBA to calibrate, read, and decode, and on a 100 gig disk that'd take a LONG time...
--eric
More data, damnit!
Encryption is offered as a basic part of Outlook. It's called S/MIME, and is fully integrated into the mailer (far more fully than PGP, as a plug-in, will ever be - the S/MIME support is completely transparent).
(I don't use Outlook, and never will, I'm just pointing out that it's had transparent crypto support in there for awhile. People don't use it because they couldn't be bothered, not because it's not there).
In 1785, a resolution authorized the secretary of the Department of Foreign Affairs to open and inspect any mail that related to the safety and interests of the United States. The ensuing 'inspections' caused prominent men, like George Washington, to complain of mail tampering. According to various historians, it led James Madison, Thomas Jefferson and James Monroe to write to each other in code - that is, they encrypted their letters in order to preserve the privacy of their political discussion.
Government has shown time and again that it cannot be trusted not to eavesdrop without warrant and cause, whenever it thinks it can get away with it. The infamous FBI bugging of Martin Luther King and just about everyone else with political clout comes to mind. It was little more than thirty years ago, too, so don't complain my example is outdated. Or how about the recent study which found over 2,000 illegal, unwarranted wiretaps were performed last year? And that's just the ones we found out about after the fact.
The dissemination of information and ideas is one thing. Not leaving people alone long enough to gather information and form ideas, without fear of the Secret Police wondering why we're looking at that particular information and forming those particular ideas that it may not like, is a potential downfall of civilization.
Civilization is only advanced where ideas, even new and very jarring ones, are permitted to flourish. Today Socrates is considered to be the bedrock of all Western philosophy, since his pupil Plato wrote all the founding philosophical explorations. But recall that in his own time his ideas, nearly universal in the West today, were considered dangerous and he was executed for expressing them by the then-most-free society in existence, the birthplace of Democracy, Athens.
Encryption is the only way to express ideas without fear of reprisal by regimes which are not on the cutting edge of human rights, much as the U.S. is not. It is the sole way to protect one's privacy with any certainty from arbitrary invasions. Therefore we would do well to promote encryption, as a way to ensure that our rights are protected and respected. I trust myself to protect my rights with encryption, more than I trust the FBI, ATF, DOJ, etc., to do so with empty platitudes. And on this point I am in the company of George Washington, Thomas Jefferson, James Madison, and James Monroe--I'll take them to John Ashcroft, Janet Reno, the FBI and ATF agents who murdered innocent people at Ruby Ridge, and their ilk, any day.
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
PGP has always existed as freeware, with full source code too. It's not going to disappear!
PGP 7.1 has not been released as freeware, and source release for anything past 6.5.8 is problematic. You can get the crypto engine of 7.1 (but not 7.0), but only if you agree to a truly onerous license. Better to say
Freeware builds of PGP haven't been made available for 7.1, and there's been practically no source release, too. At this rate, it's going to disappear!
Of course, my panties are far from in a knot. In the first place, I wear boxers. In the second, I use GnuPG.
This is not only true for GnuPG, which has funding by the government (for the development of more user-friendly frontends, I think), but there is also a project for the development of an open source anonymity service (JAP) as strong as (or even stronger than) the Freedom anonymizer service, and there is also the Sphinx project to build a PKI for the public authorities and maybe others.
One of the main drivers for the JAP project (and maybe others) seems to be that many consumers (at least in Germany) apparently avoid E-commerce because of privacy concerns.
Don't lecture me -- I have used PGP and it is not the simple matter you pretend that it is -- especially not when you and your correspondents each use multiple computers and have to move your private keys around.
First they have to promise not to use it for commercial purposes and then they have to fill out a form that asks them how many copies they intend to purchase, the timeframe, the company for whom they work, their title, their address, phone number, e-mail address, number of computers at their location, etc. Do you have any idea of how long it takes for my friends with 56K modems to download a 7MB file (which PGP is)? About 30 minutes -- if they don't drop the connection. Then I have to go through the whole "you won't get a virus" lecture before they will cautiously try to install it.
The freeware version, by default, installs VPN/Firewall. Then it wants to know which adapters you want secured. Yeah, that's what I want to try to explain to someone who majored in English Literature. Then it wants the user to enter a passphrase of at least 8 characters -- but not write the passphrase down anywhere. Another thing for them to remember -- which many of them will not.
I could go on and on, but it's not worth my time. Instead, I'll ask you a simple question: What percentage of your non-computer-geek friends use PGP, and if it is so simple to use and free, why do so few use it?
You just don't get it, do you? A simple private key encryption needs to be built in to the mail client the way that SSL is built into the browser. The whole digital ID thing for e-mail is a joke. I got a Thawte Freemail digital ID. My friend, a computer professional, also got one. Netscape 4.7x (his e-mail client) claimed that his had already expired -- despite displaying an expiration date in the future for the ID. Then he downloaded Mozilla only to find that it does not support encryption at all. He finally gave up after a lot of trying.
While it's offered and appears to be integrated, I think you should actually use it on a regular basis before you say it's transparent. I highly doubt that it is anywhere as easy to use as PGP/GnuPG are-- even in conjunction with Outlook.
:)
First, no good security is transparent. At some point you, the user, have to create and share your own keys and verify that the keys you receive are valid (even with a web of trust, you have to correctly verify at least one other key to get into the loop).
I don't see how the certificates issued for Outlook users have any real trust built in. How did the Certificate Authority verify that the person requesting the key was really who they said they were-- and what about people with same or similar names? Even if they somehow verified the name, how do I know I've got the right "George Bush"?
Second, you still have to train people to understand the process and then to use it. If you tell them they have to fill out some long form just to get a certificate, they are likely to say "forget it", unless they have serious security needs-- in which case, they are hopefully not Outlook users in the first place.
Third, seriously, if secure email is your priority, why would you stack two or three proprietary, closed-source solutions one atop the other? Especially when there is an open source option available for both. Believe me, once you've generated your key for GnuPG on Linux and checked two simple options on KMail, the only non-transparent part of secure email is typing in your passphrase (and of course, obtaining and verifying other keys).
And then there's the problem of the fact that the Outlook security features did NOT use an existing standard for personal public key encryption-- PGP. Hopefully, Microsoft will buy them. Really. And integrate PGP into their mailer. That way the established crypto-using community and Outlook users can begin to interact in a meaningful way. I realize S/MIME is a "standard", but I've not seen it used at all... and the very limited uses for personal security that I've seen (even Slashdot didn't get it right when they ran interviews with Phil Zimmermann), all involved PGP, or the OpenPGP standard. I mean, the blink tag is/was a standard too, but...
I do not have a signature
Yes...I use Outlook...at work...
BUT, our backend mail server is HP OpenMail on Linux and I know how to configure Outlook properly. No one in our company has been touched by SirCam, etc. and all my e-mails are sent PLAIN TEXT (none of the HTML mail or BODY.RTF crap) and in this mode, using WinPT, Outlook integrates well with GPG. I type my message, then I press ALT+SHIFT+S to sign it or ALT+SHIFT+E to encrypt it and WinPT pops up a dialog for me to choose a key to sign/encrypt with (lets me have a default signing key) so I just type in my passphrase and the original message is cut out and the clear-signed message gets pasted in. Then I press CTRL+ENTER to send.
That is at least somewhat idiotproof. It may not be as pretty as PGP's integration, but then there's a bug with that that won't allow me to automatically sign on send, so I have to sign
you're dumb. 250 people in pgp business unit. there are like 14 products within the unit. again, you're dumb. please never post again.
Funny you should mention that. The exact same thing happened after NAI bought Trusted Information Systems, makers of the (formerly) superb Gauntlet firewalling software: They bundled it with such an indigestible batch of mandatory other goods and services that all of the professional TIS installers I know switched in disgust to other products, such as Novell Border Manager. Which has more or less killed TIS Gauntlet.
Rick Moen
rick@linuxmafia.com