NAI to Sell Off PGP Product Line

An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."

Causes

[Moonshadow]

Sales were slow...hardly suprising.

The biggest potential users of this would have been the Slashdot types, and we're known for being fierce advocates of open-source and free (as in beer) software. The kind of "Why pay for something when you can write it yourself?" mentality is what helped kill it.

The people that are most concerned about encryption are those least willing to pay for it.

Re:Causes

[tiny69]

The people that are most concerned about encryption are those least willing to pay for it.

No, the people that are most concerned about encryption are paranoid enough not to trust commercial apps.

Re:Causes

[floop]

The reason why it's not a good seller is either people don't know about it or they think it isn't as important as $100 cost. We just bought 50 seats a couple months ago and were just about to buy 50 more and a key server. All due to people sending passwords in plain in email. The product has good email integration (with outlook anyway) and makes even the laziest person able to use it effectively.

MS would be smart to buy and bundle it w/ outlook but modify it a bit so it's not openpgp compatible.

Re:Causes

[The+Larch]

I've recently played around with both PGP and S/MIME with Outlook Express. The integration really is much better than with PGP -- where the built-in S/MIME has a clear advantage is when you have to regularly send file attachments, which is frequently the case if you need encrypted email in the first place. With PGP, you have to separately encrypt each file and perhaps rename them, or zip them up and encrypt the archive. It's also a minor pain having to keep picking out recipients from a long PGP keyring, since the plugin can't look up your recipients and doesn't even let you create recipient groups to duplicate the ones in your address book.

PGP's key distribution mechanism is better -- you can (in theory) communicate with someone you don't know by just retrieving the key from the server and checking the chain of trust. In practice, however, you often don't actually have a chain of trust to the person, since only a couple of his friends have signed his key. With the built-in S/MIME, if you don't have someone's certificate in your address book, you need to get it from them directly.

Getting a S/MIME cert signed by one of the CA's preinstalled in Windows does involve some security. It need not be much -- e.g. thawte.com offers free certificates that are valid for one year and identify nothing more than your email address. For a modest fee and some bureaucracy, your name can be slapped on to your cert.

The built-in S/MIME's big failing is the terrible documentation and the highly complex security model -- the user will have to expend much more effort to actually use it securely. For example, very little guidance is given when you're creating your keys with the wizard. You're asked to pick from three security levels which. If you pick the lowest level, your keys are available for programs to perform signing and decrypting operations automatically, without your intervention. If you pick the intermediate level, you are asked to confirm operations (a dialog box pops up saying "An application is requesting access to a Protected item."; in the Details you can see the name of the executable but no more information is offered). Only if you pick the highest level do you get to enter a pass phrase to protect the key. Backing up your keys is not clearly explained, and understanding the escrow features seems to require a good understanding of the Win2k security model, and I never bothered.

And of course the built-in S/MIME encryption is a Microsoft security product built on top of Microsoft's security services in a Microsoft Windows environment, so you're always one Nimda away from sending out your client's business requirements to all your other clients anyway. What would be really great would be S/MIME support in one of the better Unix MUA's, with a freely available key certification authority (verifying the email address only would be sufficient) and keyserver network.

Once is coincidence...

[farrellj]

Twice is enemy action...

First ZKS shuts is services, now PGP is orphened...it does not take a conspiricy fan to put this together.

ttyl
Farrell

Dissapointing sales?

[sllort]

This product never ceased to amaze me. PGP 7.1 included, among other things:

- an encrypted IPSEC/IKE compliant VPN
- encrypted hard drive software (public key or shared secret encryption)
- Encrypted Email with multiple mail client integration
- Myriad windows hooks, like "encrypt clipboard"
- A secure file and hard drive wiper
- A full-blown INTRUSION DETECTION SYSTEM with email alert that would attach itself below the NDIS level.

...all for $30. I'm not a big fan of buying software, but I bought this religously because it was a steal, just for the IDS. I always wondered how they could afford to put so much top-notch development into such a cheap product (I never found a serious bug, and I've worked it over hard. That's a rare thing to be able to say about a windows networking application).

The answer appears to be that they were dumping serious development funds into this product and got were expecting massive sales. If you asked me to point a finger at the cause of death, I'd say they were overambitious. Too many developers building too much functionality made it far too expensive. All anyone ever really wanted was encrypted email. And perhaps if that's all they developed, supply would have matched demand.

Then again, hindsight is 20/20.

Coincidence?

[Bud+Dwyer]

Okay, since September 11, we've seen Zero Knowledge Systems shut down their Freedom anonymizer service due to "lack of sales". Now we're seeing Network Associates dropping their encryption products due to "disappointing sales". We've seen encryption developers renounce their creations.

Is this a coincidence? Or is there some government pressure in action here? What's the next step? Pressuring ISPs of distribution points for Open Source encryption products? When that happens, I'm sure we'll be re-assured by the ISPs that they have sound economic reasons for disallowing encryption software; but that won't make it go over any easier with me.

Encryption is alive - but PKI is dead

[Ars-Fartsica]

PGP and its ilk are really only useful in the scope of a meaningful PKI infrastructure, which doesn't exist and never will, as there are insurmountable educational hurdles for home and even business users.

How many among even the savy group here maintains a valid PGP key that is available online? Of those, how many maintain their key in a searchable index? I presume the answer is less than 2%.

How many of you have received an email either signed or encrypted in such a fashion and then actually used the sender's public key to decrypt/verify?? Probably 10% of readers here or less.

And that folks, is why PKI and hence PGP are dead-ends.

Expensive stuff

[bubblegoose]

We looked into it for our company, turns out the head of our sales group sent a copy of the commision $$$ amounts to everyone in our sales group by mistake and we wanted to prevent that in the future. But that's another story.

Anyway they wanted about $175 a copy, I think for what we needed. Then I found the PGP Freeware link on their site. I thought, hey why pay for it when they give it away for free?

No wonder its going away. Could you imagine going to the Ford dealer and the dealer saying "here's the new Ford for $20,000". And you ask, "what about the Mercury over there exactly like it" and the dealer says "Oh those, they're free, take as many as you like" Where is the choice here?

There are two kinds of encryption users...

[stefanlasiewski]

There are two kinds of encryption users...

1) There are ordinary folks who want an easy-to-use encryption solution out of the box, and don't want to read a manual to get that level of security. While NAI's software has been getting better and easier-to-use over the years, it's still not 'easy'. Concepts like 'ring of trust' & 'key signing' might still too academic for ordinary folks, and NAI has not made much of an effort to explain why these ideas are important.

2) There are encryption-geeks, who don't really trust the security of a closed-source product, or who are happy enough with ssh, pgpi, gpg, etc.

OK, I guess there is a third type of encryption user, the user who wants an easy to use encryption product for her business, and isn't concerned about fears like 'FBI backdoors' in their product, but they're probably a small segment of the market.

To Care or not to Care

[TightByte]

It's very interesting to notice that a majority of people indicate that they do not care about personal encryption, primarily for their electronic mail communication. I recall reading in the PGP readme, when I first discovered it - version 2.x or 3.x at the time, I think - how it made perfect sense to use encryption to ensure your privacy. After all, did you not prefer to send your most personal thoughts using letters within envelopes rather than postcards?

However, when I try to advocate encryption to those I know and hope to influence, they all seem to indicate that they aren't all that concerned about their email. And yet those same people never fail to be annoyed when I walk up to their computer and pretend to read their email in order to prove my point.

Perhaps most people are unaware of how easy their email can be intercepted and read? After all, an email address might appear to be like a telephone number - a direct link to whomever one might wish to contact. And we're comfortable with the phones - after all, wiretaps seem hard (or at least laboureous) to obtain, and we suspect that capacity prevents wiretaps from being universally applied. Not so with email, though - it's child's play to intercept any SMTP communication that passes through your network. And if you happen to be centrally located, in a network topological sense, there's no theoretical limit to the amount of communication you can eavesdrop on.

I must admit that I'm not being entirely altruistic when I advocate encryption - my wish for broad adoption of personal encryption technology is first and foremost self-serving. To tap again into the old PGP readme files; sending mail in "sealed" envelopes is not currently suspicious due to the fact that the practice is so widespread. Untill encryption becomes commonplace it remains far too easy to label it suspicious behaviour.

Here's to hoping that free encryption will carry on where the commercial offerings have failed. Cheers.

PGP failed because of NAI incompetence

[Effugas]

*laughs*

Well, yes, it's quite true that PGP had disappointing sales. The company had a nasty tendancy of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.

It's funny that I have this exact story from so many different sources that nobody can say I'm compromising internal information. Go ask your friendly IT Purchasing agent about any adventures they had trying to get a site license for PGP. This was mandate from upper management: Either all the stripes make some cash, or none at all.

NAI consistently chose the latter. Now, as for all the conspiracy theories...never attribute to malice...

--Dan
www.doxpara.com

Encryption doesn't need to be this hard.

[fmaxwell]

All I want is an e-mail client with an 'encrypt' button. I press the button and it asks me for an encryption key. I enter a key that my correspondent and I have exchanged over the phone, in person, etc. The message is encrypted and sent.

I'm not Osama Bin Laden. I'm not expecting someone to be monitoring my phone, e-mail, in-person conversations, cell phone, etc. I just want to be able to exchange e-mail with friends and not have every nosy guy at the ISP or my company be able to read it.

PGP is just an incredibly complex and painful solution for what should be a simple problem. 99.9% of the public just wants to be able to occasionally send encrypted messages to friends using a private key. I don't care how easy the /. crowd thinks it is to use PGP. Some of my friends aren't computer gurus and it's just too much complication and hassle for them to use PGP.

What I find amazing...

[Chasing+Amy]

What I find amazing is that most people labor under the foolish misconception that if only American encryption products (like PGP) were either backdoored, effectively export controlled, or discontinued altogether, that foreign criminals and terrorists would suddenly have nothing to hide their data with. Let's explore why only stupid people would think so:

1) Source code to most versions of PGP is available and published internationally on many sites. If a terrorist wants PGP, and PGP has been discontinued, he can just download a binary from one of these foreign servers, or get someone computer literate to compile this source code for him. It's already in the wild on the net, and spread to servers in nearly every free or partially free nation; it will never disappear now.

2) Since the source code is available for even some very recent versions, overseas programmers will pick it up and improve it and release newer builds for newer OSes if it is discontinued or shown to have backdoors.

3) GPG is arguably just as good, plus it's truly Free and GPLed. It's not as shiny, but makes a good drop-in replacement for most people, terrorists included. And again, GPG is "in the wild" and not going to disappear from the Net even if the U.S. and half the world outlaw strong encryption, and since the source code is there people will hack on it and improve it, even if only overseas people.

4) Contrary to the beliefs of the ignorant, the U.S. is not so much more advanced than other countries that no other people from overseas can write strong encryption products as good as ours. Encryption is universal math, not American voodoo. In fact, the best symmetric encryption product currently comes from the U.K., Scramdisk. If America and the U.K. were to ban encryption, any country with competent mathematicians and programmers could take the lead.

5) Encryption is based on well-documented and easily available math, and many proven algorithms are already published and cryptanalyzed and shown to be secure enough. Even if by some extraordinary miracle all traces of encryption products and source code were wiped from the Net by the unprecedented cooperation of every nation on Earth--something truly impossible--people like Osama could hire any competent mathematician and programmer to write a decent encryption product using a proven cipher and simple calls. As long as it's kept simple and uses proven ciphers, it would likely be as secure as PGP or GPG or Scramdisk.

So, it doesn't really matter what the download page says, or if it bothers to ask, or even if the U.S. were to enact the most Draconian encryption legislation tomorrow. PGP is nothing special. Its key functionality has already been duplicated in GPG and can be duplicated again and again by any number of competent non-U.S. residents. Therefore it doesn't matter who can download it, since they can get their hands on encryption technology that's just as strong.

Re:lack of sales: reasoning

[Graymalkin]

Do you send paper mail in envelopes? Looks like you've got something to hide. Let's hal you down to the Ministry of Truth for some examinations. It's the "something to hide" stigma which is retardedly holding back the use and acceptance of cryptography. Encryption technologies are not just for people hiding warez (I've never even fucking heard of encrypted warez before and PGP is free for non-commercial use anyhow). E-mail is an inherently insecure communication medium. Few if any ISPs actually use or support secure e-mail in any fashion so that responsibility falls onto the user. You don't need illicit reasons for secureity, plain day to day business needs plenty of it. For a dallar of security you saveseveral dollars in losses.