Slashdot Mirror


NAI to Sell Off PGP Product Line

An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."

33 of 305 comments

  1. Causes by Moonshadow · · Score: 5, Insightful
    Sales were slow...hardly surprising.

    The biggest potential users of this would have been the Slashdot types, and we're known for being fierce advocates of open-source and free (as in beer) software. The kind of "Why pay for something when you can write it yourself?" mentality is what helped kill it.

    The people that are most concerned about encryption are those least willing to pay for it.

    1. Re:Causes by happyhippy · · Score: 1, Insightful

      Yeah, and you don't know if there's back doors into the thing written by someone else. Or if it's effective.

    2. Re:Causes by tiny69 · · Score: 4, Insightful
      The people that are most concerned about encryption are those least willing to pay for it.

      No, the people that are most concerned about encryption are paranoid enough not to trust commercial apps.

      --
      Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
    3. Re:Causes by Anonymous Coward · · Score: 1, Insightful

      it's not:

      Why pay for something when you can write it yourself

      it's:

      Why pay for something when someone else can write it for free

    4. Re:Causes by floop · · Score: 3, Insightful

      The reason why it's not a good seller is either people don't know about it or they think it isn't as important as $100 cost. We just bought 50 seats a couple months ago and were just about to buy 50 more and a key server. All due to people sending passwords in plain in email. The product has good email integration (with outlook anyway) and makes even the laziest person able to use it effectively.

      MS would be smart to buy and bundle it w/ outlook but modify it a bit so it's not openpgp compatible.

    5. Re:Causes by The+Larch · · Score: 3, Insightful
      I've recently played around with both PGP and S/MIME with Outlook Express. The integration really is much better than with PGP -- where the built-in S/MIME has a clear advantage is when you have to regularly send file attachments, which is frequently the case if you need encrypted email in the first place. With PGP, you have to separately encrypt each file and perhaps rename them, or zip them up and encrypt the archive. It's also a minor pain having to keep picking out recipients from a long PGP keyring, since the plugin can't look up your recipients and doesn't even let you create recipient groups to duplicate the ones in your address book.

      PGP's key distribution mechanism is better -- you can (in theory) communicate with someone you don't know by just retrieving the key from the server and checking the chain of trust. In practice, however, you often don't actually have a chain of trust to the person, since only a couple of his friends have signed his key. With the built-in S/MIME, if you don't have someone's certificate in your address book, you need to get it from them directly.

      Getting a S/MIME cert signed by one of the CA's preinstalled in Windows does involve some security. It need not be much -- e.g. thawte.com offers free certificates that are valid for one year and identify nothing more than your email address. For a modest fee and some bureaucracy, your name can be slapped on to your cert.

      The built-in S/MIME's big failing is the terrible documentation and the highly complex security model -- the user will have to expend much more effort to actually use it securely. For example, very little guidance is given when you're creating your keys with the wizard. You're asked to pick from three security levels which. If you pick the lowest level, your keys are available for programs to perform signing and decrypting operations automatically, without your intervention. If you pick the intermediate level, you are asked to confirm operations (a dialog box pops up saying "An application is requesting access to a Protected item."; in the Details you can see the name of the executable but no more information is offered). Only if you pick the highest level do you get to enter a pass phrase to protect the key. Backing up your keys is not clearly explained, and understanding the escrow features seems to require a good understanding of the Win2k security model, and I never bothered.

      And of course the built-in S/MIME encryption is a Microsoft security product built on top of Microsoft's security services in a Microsoft Windows environment, so you're always one Nimda away from sending out your client's business requirements to all your other clients anyway. What would be really great would be S/MIME support in one of the better Unix MUA's, with a freely available key certification authority (verifying the email address only would be sufficient) and keyserver network.

  2. No one buys it because by Anonymous Coward · · Score: 2, Insightful

    No one is really interested in "protecting" their private emails. Who needs really good encryption software?

    Banks,
    Governments,
    Military,
    Terrorists,
    Other criminals,
    12 year old girls writing in their diaries,
    and?

    The whole point of technology and the push of civilization has been the dissemination of information and ideas. Encryption runs so much against this concept that it's no wonder that people both don't understand its necessity and don't want it.

    What other outcome could have been expected, selling such a product?

    1. Re:No one buys it because by RedLeg · · Score: 2, Insightful
      • Customers of Banks
      • Folks in fear of Governments
      • Militant Freedom Fighters
      • The Persecuted
      • 12 year-olds who are entitled to their civil right of privacy
      • and
      • you
      • I
  3. Once is coincidence... by farrellj · · Score: 4, Insightful

    Twice is enemy action...

    First ZKS shuts its services, now PGP is orphaned...it does not take a conspiracy fan to put this together.

    ttyl
    Farrell

    --
    CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
  4. Disappointing sales? by sllort · · Score: 5, Insightful

    This product never ceased to amaze me. PGP 7.1 included, among other things:

    - an encrypted IPSEC/IKE compliant VPN
    - encrypted hard drive software (public key or shared secret encryption)
    - Encrypted Email with multiple mail client integration
    - Myriad windows hooks, like "encrypt clipboard"
    - A secure file and hard drive wiper
    - A full-blown INTRUSION DETECTION SYSTEM with email alert that would attach itself below the NDIS level.

    ...all for $30. I'm not a big fan of buying software, but I bought this religiously because it was a steal, just for the IDS. I always wondered how they could afford to put so much top-notch development into such a cheap product (I never found a serious bug, and I've worked it over hard. That's a rare thing to be able to say about a windows networking application).

    The answer appears to be that they were dumping serious development funds into this product and were expecting massive sales. If you asked me to point a finger at the cause of death, I'd say they were overambitious. Too many developers building too much functionality made it far too expensive. All anyone ever really wanted was encrypted email. And perhaps if that's all they developed, supply would have matched demand.

    Then again, hindsight is 20/20.

  5. 300 employees by Anonymous Coward · · Score: 1, Insightful

    Ok, so maybe I'm a moron, but can anybody explain to me why it takes 300 employees to do this in the first place? Good grief!

    To support a staff that size, annual sales would have to be, what, maybe $50 million, maybe double that?

    Either

    a) this was stupidity
    b) this was greed (hoping for massive overpriced corporate sales)
    c) I'm on crack.

  6. Maybe GnuPG had something to do with this by Bistromat · · Score: 2, Insightful

    Since most users of public-key crypto are (presumably) technologically oriented, most of them are probably also aware that GnuPG offers the same functionality, but free, and open-sourced to boot. Why bother paying for PGP when GPG is free, integrates with your favorite email clients (an Outlook plugin is even available), and offers the same or better encryption? GPG effectively made PGP unprofitable. Nobody who knows better would use it.

    And, like the poster above mentioned, since the tech is facing a serious risk of becoming illegal, investing too heavily in it might not be wise from an economic standpoint.

    --nick

  7. Coincidence? by Bud+Dwyer · · Score: 4, Insightful
    Okay, since September 11, we've seen Zero Knowledge Systems shut down their Freedom anonymizer service due to "lack of sales". Now we're seeing Network Associates dropping their encryption products due to "disappointing sales". We've seen encryption developers renounce their creations.


    Is this a coincidence? Or is there some government pressure in action here? What's the next step? Pressuring ISPs of distribution points for Open Source encryption products? When that happens, I'm sure we'll be re-assured by the ISPs that they have sound economic reasons for disallowing encryption software; but that won't make it go over any easier with me.

  8. It's unfortunate... by Anonymous Coward · · Score: 1, Insightful

    ...to see what appears to be the demise of PGP. But I have to wonder how much of this is related to the recent occurrences, and the resulting suggested legislation, and how much is related to the pricing models they had for the commercial product.

    Their biggest users could have been corporate, but at a couple hundred bucks a shot, most corporations had a hard time convincing themselves it was worth it on a large scale - and most of the Engineering types would go with an (unlicensed for commercial use) Non-commercial version or GPG.

    I've actually had to fight that battle in a large corporation - trying to do secure data distributions to a fairly large number of people in a corporate environment. Some departments balked at having to buy licenses for their users - others simply installed GPG.

    Add in the fact that too many mainstream users can't figure out how to use it (including some otherwise bright people) and it's not a big surprise that PGP was a commercial failure.

    1. Re:It's unfortunate... by decesare · · Score: 2, Insightful

      Their biggest users could have been corporate, but at a couple hundred bucks a shot, most corporations had a hard time convincing themselves it was worth it on a large scale...

      Good point, but I think that there's more to it than that. I know of companies that don't want their employees having encryption products available (and of a few that outright ban them as a matter of policy). While none of these outfits come right out and say so, I'd imagine that if employees start using encryption, companies would have a much more difficult time monitoring employee e-mails. Sad, but probably true.

  9. Nothing surprising to me...why? by Anonymous Coward · · Score: 1, Insightful

    Because, I like most people am not interested in Encrypting or PGP, or whatever they offer. Maybe I would like it, but maybe I'd like Caller ID, and Call Blocking, and a host of other services from the phone company. But it's too much of a bother, so I don't touch it.

    And that's their problem, it's a bother, and they didn't go for the people for whom it may be a bother, but the cost is worth it. I'm talking about major corporations, the military, and the government. Getting them as clients would be steady money..

  10. Encryption is alive - but PKI is dead by Ars-Fartsica · · Score: 5, Insightful
    PGP and its ilk are really only useful in the scope of a meaningful PKI infrastructure, which doesn't exist and never will, as there are insurmountable educational hurdles for home and even business users.

    How many among even the savvy group here maintain a valid PGP key that is available online? Of those, how many maintain their key in a searchable index? I presume the answer is less than 2%.

    How many of you have received an email either signed or encrypted in such a fashion and then actually used the sender's public key to decrypt/verify?? Probably 10% of readers here or less.

    And that folks, is why PKI and hence PGP are dead-ends.

  11. There are two types of users... by stefanlasiewski · · Score: 2, Insightful

    The US Government says that they can't crack certain types of encryption, and that this is hampering their ability to deal with the Terrorist Threat.

    NAI, who has been selling virtually uncrackable encryption technology for years, suddenly drops their top-of-the-line encryption product.

    Coincidence? I wonder.

    I'm not implying a conspiracy between NAI and the US Government, but I wonder if NAI stopped shipping their product because it "wasn't worth the trouble".

    --
    "Can of worms? The can is open... the worms are everywhere."
  12. Expensive stuff by bubblegoose · · Score: 4, Insightful

    We looked into it for our company, turns out the head of our sales group sent a copy of the commission $$$ amounts to everyone in our sales group by mistake and we wanted to prevent that in the future. But that's another story.

    Anyway they wanted about $175 a copy, I think for what we needed. Then I found the PGP Freeware link on their site. I thought, hey why pay for it when they give it away for free?

    No wonder it's going away. Could you imagine going to the Ford dealer and the dealer saying "here's the new Ford for $20,000". And you ask, "what about the Mercury over there exactly like it" and the dealer says "Oh those, they're free, take as many as you like" Where is the choice here?

    --
    I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
  13. There are two kinds of encryption users... by stefanlasiewski · · Score: 5, Insightful

    There are two kinds of encryption users...

    1) There are ordinary folks who want an easy-to-use encryption solution out of the box, and don't want to read a manual to get that level of security. While NAI's software has been getting better and easier-to-use over the years, it's still not 'easy'. Concepts like 'ring of trust' & 'key signing' might still be too academic for ordinary folks, and NAI has not made much of an effort to explain why these ideas are important.

    2) There are encryption-geeks, who don't really trust the security of a closed-source product, or who are happy enough with ssh, pgpi, gpg, etc.

    OK, I guess there is a third type of encryption user, the user who wants an easy to use encryption product for her business, and isn't concerned about fears like 'FBI backdoors' in their product, but they're probably a small segment of the market.

    --
    "Can of worms? The can is open... the worms are everywhere."
  14. Buy it or get free version by Fizzlewhiff · · Score: 2, Insightful

    PGP always boggled my mind. I had two choices. I could either buy the US version from NAI or download the international version for free. Now I wonder why sales could have been low.

    --

    'Same speed C but faster'
  15. To Care or not to Care by TightByte · · Score: 5, Insightful

    It's very interesting to notice that a majority of people indicate that they do not care about personal encryption, primarily for their electronic mail communication. I recall reading in the PGP readme, when I first discovered it - version 2.x or 3.x at the time, I think - how it made perfect sense to use encryption to ensure your privacy. After all, did you not prefer to send your most personal thoughts using letters within envelopes rather than postcards?

    However, when I try to advocate encryption to those I know and hope to influence, they all seem to indicate that they aren't all that concerned about their email. And yet those same people never fail to be annoyed when I walk up to their computer and pretend to read their email in order to prove my point.

    Perhaps most people are unaware of how easily their email can be intercepted and read? After all, an email address might appear to be like a telephone number - a direct link to whomever one might wish to contact. And we're comfortable with the phones - after all, wiretaps seem hard (or at least laborious) to obtain, and we suspect that capacity prevents wiretaps from being universally applied. Not so with email, though - it's child's play to intercept any SMTP communication that passes through your network. And if you happen to be centrally located, in a network topological sense, there's no theoretical limit to the amount of communication you can eavesdrop on.

    I must admit that I'm not being entirely altruistic when I advocate encryption - my wish for broad adoption of personal encryption technology is first and foremost self-serving. To tap again into the old PGP readme files; sending mail in "sealed" envelopes is not currently suspicious due to the fact that the practice is so widespread. Until encryption becomes commonplace it remains far too easy to label it suspicious behaviour.

    Here's to hoping that free encryption will carry on where the commercial offerings have failed. Cheers.

  16. How many worked on PGP? by chip_s_ahoy · · Score: 2, Insightful

    Really? 300 people have been working on a product that doesn't sell? I can't blame them for layoffs, just overhiring.

  17. PGP failed because of NAI incompetence by Effugas · · Score: 5, Insightful

    *laughs*

    Well, yes, it's quite true that PGP had disappointing sales. The company had a nasty tendency of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.

    It's funny that I have this exact story from so many different sources that nobody can say I'm compromising internal information. Go ask your friendly IT Purchasing agent about any adventures they had trying to get a site license for PGP. This was mandate from upper management: Either all the stripes make some cash, or none at all.

    NAI consistently chose the latter. Now, as for all the conspiracy theories...never attribute to malice...

    --Dan
    www.doxpara.com

  18. Re:Rats... Ship by ThatComputerGuy · · Score: 2, Insightful

    My thoughts exactly... obviously the whole mess of legislation for backdoors (as a result of terrorist actions) had a fair amount of play in this decision.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  19. Encryption doesn't need to be this hard. by fmaxwell · · Score: 4, Insightful

    All I want is an e-mail client with an 'encrypt' button. I press the button and it asks me for an encryption key. I enter a key that my correspondent and I have exchanged over the phone, in person, etc. The message is encrypted and sent.

    I'm not Osama Bin Laden. I'm not expecting someone to be monitoring my phone, e-mail, in-person conversations, cell phone, etc. I just want to be able to exchange e-mail with friends and not have every nosy guy at the ISP or my company be able to read it.

    PGP is just an incredibly complex and painful solution for what should be a simple problem. 99.9% of the public just wants to be able to occasionally send encrypted messages to friends using a private key. I don't care how easy the /. crowd thinks it is to use PGP. Some of my friends aren't computer gurus and it's just too much complication and hassle for them to use PGP.

  20. What I find amazing... by Chasing+Amy · · Score: 4, Insightful

    What I find amazing is that most people labor under the foolish misconception that if only American encryption products (like PGP) were either backdoored, effectively export controlled, or discontinued altogether, that foreign criminals and terrorists would suddenly have nothing to hide their data with. Let's explore why only stupid people would think so:

    1) Source code to most versions of PGP is available and published internationally on many sites. If a terrorist wants PGP, and PGP has been discontinued, he can just download a binary from one of these foreign servers, or get someone computer literate to compile this source code for him. It's already in the wild on the net, and spread to servers in nearly every free or partially free nation; it will never disappear now.

    2) Since the source code is available for even some very recent versions, overseas programmers will pick it up and improve it and release newer builds for newer OSes if it is discontinued or shown to have backdoors.

    3) GPG is arguably just as good, plus it's truly Free and GPLed. It's not as shiny, but makes a good drop-in replacement for most people, terrorists included. And again, GPG is "in the wild" and not going to disappear from the Net even if the U.S. and half the world outlaw strong encryption, and since the source code is there people will hack on it and improve it, even if only overseas people.

    4) Contrary to the beliefs of the ignorant, the U.S. is not so much more advanced than other countries that no other people from overseas can write strong encryption products as good as ours. Encryption is universal math, not American voodoo. In fact, the best symmetric encryption product currently comes from the U.K., Scramdisk. If America and the U.K. were to ban encryption, any country with competent mathematicians and programmers could take the lead.

    5) Encryption is based on well-documented and easily available math, and many proven algorithms are already published and cryptanalyzed and shown to be secure enough. Even if by some extraordinary miracle all traces of encryption products and source code were wiped from the Net by the unprecedented cooperation of every nation on Earth--something truly impossible--people like Osama could hire any competent mathematician and programmer to write a decent encryption product using a proven cipher and simple calls. As long as it's kept simple and uses proven ciphers, it would likely be as secure as PGP or GPG or Scramdisk.

    So, it doesn't really matter what the download page says, or if it bothers to ask, or even if the U.S. were to enact the most Draconian encryption legislation tomorrow. PGP is nothing special. Its key functionality has already been duplicated in GPG and can be duplicated again and again by any number of competent non-U.S. residents. Therefore it doesn't matter who can download it, since they can get their hands on encryption technology that's just as strong.

    --

    Chasing Amy
    (We all chase Amy...)
    "The more corrupt the state, the more numerous the laws"-Tacitus
  21. Re:Free software cannibalization and software cycl by jacrawf · · Score: 2, Insightful
    Why is Ars-Fartsica's post marked as a Troll? Her or his observation is fairly poignant, whether or not it is entirely true. (Only NAI execs know for sure.)

    This isn't a story about encryption being denied to the masses or anything. It's about a company giving up an unprofitable product line because most people just use the free versions. And in case whoever marked this post as a troll hasn't noticed, there is a great deal of software within Ars' timeframe that is having exactly this kind of thing happening to it: free alternatives are starting to pop up.

    Try to think of a commonly used commercial application that is not having a free equivalent currently being worked on. With a bit of searching, you won't find many. Indeed, free software is even becoming increasingly popular as more people are getting sick of dropping $100-700 on software per product. A comprehensive commercial software package these days can cost even more than the computer you bought to use the software on. Do you think even the rather clueless average user isn't going to notice that?

    C'mon, are Slashdot moderators really this dumb?

  22. Re:250 PGP employees? by Anonymous Coward · · Score: 2, Insightful

    Well, I'd hardly think that 250 people would represent those who work to actually MAKE the products. Plus, the PGP "Business Unit" of PGP made way more than a single encryption product, some of which did not have "PGP" in the name. Regardless, as with a company of its size, many of those people are also going to be "infrastructure" ... HR people, office staff, management, etc. Sure, you can move the programmers to another part of the company (as they plan to do with the ones for the remaining products in this case). But when you eliminate the company altogether, that doesn't leave any place to put the rest of the people that run its day-to-day operations. But 250-300 working on the product hands-on? The actual number of "little minions" working on the stuff is probably quite a bit smaller.

    Some other comments from what I've read here...

    From actually READING the announcement http://www.pgp.com/other/jump/customer-faq.asp, and listening to the NAI Earnings Conference Call from the same day (thanks Yahoo!), "NAI PGP" isn't being totally scrapped! They've just decided not to keep PGP as a separate business entity, as they see doing so as hindering their potential growth as a company. In doing so, they've evaluated their product lines and have decided to stick with what they think they can SELL, for example, their E-Business Server product. They spell out in their announcement what they feel they need to do to meet that goal. Some products are to be sold off (if possible), some moved, and some having parts extracted, possibly being merged into other similar products they already have in the other BUs. Once that's all done... of course they won't need ALL of their current PGP staff. And well, sounds like 250 is their estimate of what the surplus is.

    It's nice to be altruistic and think "wouldn't it be nice if they just did it for the 'good of all' and gave the products away for free?" But well, that's not what software companies do. They exist to SELL the software they make. They need to make money to survive, as does any corporation, and that's about the only bottom line that their shareholders will care about.

    I've read a lot of posts from a lot of people wanting a nice free version that they can use freely cuz "well, you could easily just write it yourself... why pay for it"? Well, I don't see anyone volunteering their time and efforts to obtain the PGP SDK and grace us all with their programming prowess and their 'for the good of all humanity' ideals. If anyone does... I have my own 'wish list' of features I wouldn't mind being added to PGPmail and PGPdisk. I can pass them along if you wish. Anything to help. :-)

    But, unfortunately for us end-users... NAI seems to think (as indicated by the products that will remain, albeit moved to other business units) that $$$ for their PGP survival is going to come more from big business... not from us. I guess that judging from many of the comments here, they seem to be right, at least on the last bit: "not from us".

  23. Like so many other computer related things... by Anonymous Coward · · Score: 1, Insightful

    ...their products are too cheap, it's as simple as that.

    It's nice to get things for free or at very low prices but products that cost money to make must make a big enough revenue to support the costs of producing them.

    We see this in dot-coms, open source (at least with the current business model) and other areas, they simply don't know how to charge.

    If I'm not remembering wrong I believe PGP personal edition costs under $30 and the corporate desktop is not very expensive either. With those numbers they have to sell an enormous amount of copies to make it work and I seriously doubt the market is that big.

  24. Re:lack of sales: reasoning by radja · · Score: 2, Insightful

    I got 1 more reason:

    NA was going to close the source to PGP. If there's one field where Open Source took off, it's crypto. Any advanced crypto-user wants to have the ability to look at the source to ensure security. Closing source for an encryption program makes that encryption program inherently less trusted.

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  25. Re:lack of sales: reasoning by Graymalkin · · Score: 4, Insightful

    Do you send paper mail in envelopes? Looks like you've got something to hide. Let's haul you down to the Ministry of Truth for some examinations. It's the "something to hide" stigma which is retardedly holding back the use and acceptance of cryptography. Encryption technologies are not just for people hiding warez (I've never even fucking heard of encrypted warez before and PGP is free for non-commercial use anyhow). E-mail is an inherently insecure communication medium. Few if any ISPs actually use or support secure e-mail in any fashion so that responsibility falls onto the user. You don't need illicit reasons for security, plain day to day business needs plenty of it. For a dollar of security you save several dollars in losses.

    --
    I'm a loner Dottie, a Rebel.
  26. Re:Why I use PGP... by trongey · · Score: 2, Insightful

    ...like emailing my wife whilst at work...
    ...any personal files on my work PC belong to me, and not my company. Without my passphrase, they can't do shit with them...

    Probably no one will ever raise a stink about stuff like this, but it's good to keep in mind that, unless you work at the world's most liberal company, both of these are probably against company rules.
    When the time comes that they need to cut staff, and don't want to pay severance, this stuff can put you out the door "with cause". Fired, not laid off.
    If you can't trust them with your email then you're crazy to trust them with your future.

    --
    You never really know how close to the edge you can go until you fall off.