Slashdot Mirror
NAI to Sell Off PGP Product Line
An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."
If my product line was about to become illegal and wasn't selling well to begin with. I'd sell to the highest bidder too (and I'm sure it will sell high).
The biggest potential users of this would have been the Slashdot types, and we're known for being fierce advocates of open-source and free (as in beer) software. The kind of "Why pay for something when you can write it yourself?" mentality is what helped kill it.
The people that are most concerned about encryption are those least willing to pay for it.
What's going to happen to this project now that it's no longer under development? Certainly we have GPG, but PGP is a long time trusted name. Are they going to reopen it like it once was or is it now entirely dead - in the software graveyard with so many other projects that were kept closed after being pronounced dead?
Why bother.
I wonder how much of this comes from the fact that Zimmerman was receiving hate mail for reports that Osama Bin Laden was using his encryption for communications, something he resorted to after he found out the US can monitor his satellite phone conversations.
But doesn't Osama know... the download page specifically says for US residents only!
No one is really interested in "protecting" their private emails. Who needs really good encryption software?
Banks,
Governments,
Military,
Terrorists,
Other criminals,
12 year old girls writing in their diaries,
and?
The whole point of technology and the push of civilization has been the dissemination of information and ideas. Encryption runs so much against this concept that it's no wonder that people both don't understand its necessity and don't want it.
What other outcome could have been expected, selling such a product?
Pretty Good Pinkslips
oh wait...oxymoron
Twice is enemy action...
First ZKS shuts is services, now PGP is orphened...it does not take a conspiricy fan to put this together.
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
There just aren't that many people who care about e-mail encryption. I understand all the arguments and the technology, and *I* don't care about it. I can only imagine what someone who doesn't know about the issues thinks about it.
And frankly, I wouldn't care about sending all my mail on postcards without envelopes. I can't even think of any personal mail that I would care about some anonymous postal worker reading, even if I thought postal workers sit around reading letters that zoom by. Except for maybe things with credit card numbers or bank numbers, but I wouldn't send thinks like that through e-mail anyway (and I venture to say that most people are probably savvy enough to know that's bad as well).
Sometimes it's best to just let stupid people be stupid.
Now I'm going to have to bust out my old Hardy Boys Detective handbook to learn how to encrypt my messages. Everybody jump to OSDN as I'm officially starting the HaBOSEP (Hardy-Boys Open Source Encryption Project). Just send me 2$ for your secret decoder ring.
Say it ain't so, PGP, say it ain't so.
--I hate big sigs.
If NAI didn't want to charge $5,500 for a server based encryption package. Up from $1,000 for a *two year license* for PGP version 5.
NAI is a bunch of idiots anyway. They totally screwed over people when they took over the Gauntlet firewall suite. First, "you need to migrate to NT, all Unix Gauntlet packages will be discontinued". Ok, 18 months later "Gauntlet for NT is now discontinued".
Hopefully, someone will pick up PGP and offer it at a price people can afford.
This product never ceased to amaze me. PGP 7.1 included, among other things:
- an encrypted IPSEC/IKE compliant VPN
- encrypted hard drive software (public key or shared secret encryption)
- Encrypted Email with multiple mail client integration
- Myriad windows hooks, like "encrypt clipboard"
- A secure file and hard drive wiper
- A full-blown INTRUSION DETECTION SYSTEM with email alert that would attach itself below the NDIS level.
...all for $30. I'm not a big fan of buying software, but I bought this religously because it was a steal, just for the IDS. I always wondered how they could afford to put so much top-notch development into such a cheap product (I never found a serious bug, and I've worked it over hard. That's a rare thing to be able to say about a windows networking application).
The answer appears to be that they were dumping serious development funds into this product and got were expecting massive sales. If you asked me to point a finger at the cause of death, I'd say they were overambitious. Too many developers building too much functionality made it far too expensive. All anyone ever really wanted was encrypted email. And perhaps if that's all they developed, supply would have matched demand.
Then again, hindsight is 20/20.
What happens to a great commercial program after it's permanently axed by its creators? Do we just pirate the Hell of it now and generally continue to use it, since the encryption will probably be good for years to come, or is there some reason that we can't or morally shouldn't?
To me this is just another example of a tool/IP business model not making it even though it is useful technology and if it were gone it would be sorely missed. Still, businesspeople don't have the capabilities of valuing a tool that is not an end product (show me an MBA that sees encryption as an income generating end-product and I'll show you a geek in wool/MBA clothing). Also, I have yet to hear of a major money draining hack to a corporation that could have been prevented by PGP, I believe the stolen credit cards etc were obtained by hacking the system open, not listening on the lines. Anyone know of such an example?
Since most users of public-key crypto are (presumably) technologically oriented, most of them are probably also aware that GnuPG offers the same functionality, but free, and open-sourced to boot. Why bother paying for PGP when GPG is free, integrates with your favorite email clients (an Outlook plugin is even available), and offers the same or better encryption? GPG effectively made PGP unprofitable. Nobody who knows better would use it.
And, like the poster above mentioned, since the tech is facing a serious risk of becoming illegal, investing too heavily in it might not be wise from an economic standpoint.
--nick
Is this a coincidence? Or is there some government pressure in action here? What's the next step? Pressuring ISPs of distribution points for Open Source encryption products? When that happens, I'm sure we'll be re-assured by the ISPs that they have sound economic reasons for disallowing encryption software; but that won't make it go over any easier with me.
So, luckily, the NAI Labs section of PGP was exempt from all this change and will be shuffled around more, but we're still here =) It's a bit disappointing to see your company admit failures like this, even if it's for the best interest of the company.
Brian Fundakowski Feldman
How many among even the savy group here maintains a valid PGP key that is available online? Of those, how many maintain their key in a searchable index? I presume the answer is less than 2%.
How many of you have received an email either signed or encrypted in such a fashion and then actually used the sender's public key to decrypt/verify?? Probably 10% of readers here or less.
And that folks, is why PKI and hence PGP are dead-ends.
I just happened to have it installed instead of GPG, but I will probably make the switch now that it's being discontinued.
1. Private Data... There's a lot of stuff that I do and say through email that is perfectly kosher, but is none of my company's or coworker's business, like emailing my wife whilst at work. I know for a fact that there are nosy people in my networking department, but 2048 bit D-H encryption makes this Somebody Else's Problem (tm) even thought I am forced to use Exchange at work.
2. Insecure Mail Servers... By the same token, I am forced to keep sensitive data on an Exchange server. It doesn't take a genius to see that any given company's Directory/Mail/Personal Info server is going to be one of a malicious cracker's first targets, if he or she is interested in doing anything other than 0vvnZ'ing the website. When the time comes... and it will... I will be able to say... 'No, my sensitive data was NOT compromised, because it was securely Encrypted.
3. Personal Liability. I'm a freely spoken individual. Some people don't appreciate it. If I say something in an email that could possibly be used against me later by the owner of a mail server, it goes in encrypted. By the same token, any personal files on my work PC belong to me, and not my company. Without my passphrase, they can't do shit with them.
4. Geek factor. It is oh, so cool to be able to 'sign' an email, and advertise your public key. Mine is:
http://www.furinkan.net/key.txt
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
The US Government says that they can't crack certain types of encryption, and that this is hampering their ability to deal with the Terrorist Threat.
NAI, who has been selling virtually uncrackable encryption technology for years, suddently drops their top-of-the-line encryption product.
Coincidence? I wonder.
I'm not implying a conspiracy between NAI and the US Government, but I wonder if NAI stopped shipping their product because it "wasn't worth the trouble".
"Can of worms? The can is open... the worms are everywhere."
PGP had a few of strikes against it:
A. Little perceived need by the masses
B. Hassle to use
and more recently
C. Government rumblings
A. could be dealt with by some good old FUD. I've always been amazed that NAI and others have resisted the evil urge to play on naive users' fears of "hackers." Come on, companies with lame IDS and Firewall products have been playing the fear card for a while. Imagine how effective a campaign would be if the product were actually good... (Not that I'm a fan of these tactics).
B. is a more difficult problem. Although the product has come a long way since the old DOS version with it's confusing options, it has a way to go to acheive true ease of use. People don't necessarily "get it." I'm not a huge fan of dumbing down interfaces, but a real simple set of wizards that handled all the stages of key creation and software integration would be helpful. Plug-ins for email are good, but a deal with MS or Eudora to bundle it would be better. Plug-in with ICQ is good but a bit clumsy at times. Maybe playing up the Envelope metaphor in email programs would be better... Also, encouraging users to get their email contacts to install the freeware version would be great. Maybe, a window that popped up when people tried to send an encrypted email to a person whose key isn't know. The window could mention the problem, and offer to send the recipient an email with a link to the freeware (or perhaps a free "reader" that allowed for key creation and email integration).
With C. the issue is just a big hassle. At some point you'd hope the Gov't would realize that restricting strong encryption will have no effect on criminals, only business and home users.
Buy Hex-Rated Stuff, fight the DMCA!
We looked into it for our company, turns out the head of our sales group sent a copy of the commision $$$ amounts to everyone in our sales group by mistake and we wanted to prevent that in the future. But that's another story.
Anyway they wanted about $175 a copy, I think for what we needed. Then I found the PGP Freeware link on their site. I thought, hey why pay for it when they give it away for free?
No wonder its going away. Could you imagine going to the Ford dealer and the dealer saying "here's the new Ford for $20,000". And you ask, "what about the Mercury over there exactly like it" and the dealer says "Oh those, they're free, take as many as you like" Where is the choice here?
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
Post a link, man.
I just saw PGPNet 7.1 ONLY for $60 for a two year contract. This was from PGP too.
With the 7.1 series they split apart the entire PGP Desktop package are (were) selling the peices individually.
$30? I don't think so.
There are two kinds of encryption users...
1) There are ordinary folks who want an easy-to-use encryption solution out of the box, and don't want to read a manual to get that level of security. While NAI's software has been getting better and easier-to-use over the years, it's still not 'easy'. Concepts like 'ring of trust' & 'key signing' might still too academic for ordinary folks, and NAI has not made much of an effort to explain why these ideas are important.
2) There are encryption-geeks, who don't really trust the security of a closed-source product, or who are happy enough with ssh, pgpi, gpg, etc.
OK, I guess there is a third type of encryption user, the user who wants an easy to use encryption product for her business, and isn't concerned about fears like 'FBI backdoors' in their product, but they're probably a small segment of the market.
"Can of worms? The can is open... the worms are everywhere."
I went to the NAI website and tried to buy PGP about 18 months ago. There were problems with the site. The product was poorly explained, and I got error messages.
Also, would you buy encryption software from ANYONE who wasn't offering the source code? I had read that NAI would give the source code to someone who bought the product, but I was unable to find mention of that on their web site.
I sent NAI an e-mail message, and no one replied.
Finally, I just gave up and used the free version. I paid less (zero) and got more.
The story says, "I worked there up until today and somewhere around 250 of the 300 employees were clipped."
Do I understand this correctly? What could 250 people be doing with PGP, a product that was written by one man, and was changing very slowly?
Maybe they were selling special versions in Arabic to Saudis living in Afghanistan? (When you have 4 wives, you have to keep a lot of secrets.)
Secrecy and weapons sales corrupt democracy: What should be the Response to Violence?
Bush's education improvements were
I admit I haven't tried out GPG yet but I probably will soon.
In any case, if you don't use either PGP or GPG then please read my article Why You Should Use Encryption
Yes I know the link to the canadian article I mention is busted and someday I will even fix it. Not right now though.
-- Could you use my software consulting serv
PGP always boggled my mind. I had two choices. I could either buy the US version from NAI or download the international version for free. Now I wonder why sales could have been low.
'Same speed C but faster'
It's very interesting to notice that a majority of people indicate that they do not care about personal encryption, primarily for their electronic mail communication. I recall reading in the PGP readme, when I first discovered it - version 2.x or 3.x at the time, I think - how it made perfect sense to use encryption to ensure your privacy. After all, did you not prefer to send your most personal thoughts using letters within envelopes rather than postcards?
However, when I try to advocate encryption to those I know and hope to influence, they all seem to indicate that they aren't all that concerned about their email. And yet those same people never fail to be annoyed when I walk up to their computer and pretend to read their email in order to prove my point.
Perhaps most people are unaware of how easy their email can be intercepted and read? After all, an email address might appear to be like a telephone number - a direct link to whomever one might wish to contact. And we're comfortable with the phones - after all, wiretaps seem hard (or at least laboureous) to obtain, and we suspect that capacity prevents wiretaps from being universally applied. Not so with email, though - it's child's play to intercept any SMTP communication that passes through your network. And if you happen to be centrally located, in a network topological sense, there's no theoretical limit to the amount of communication you can eavesdrop on.
I must admit that I'm not being entirely altruistic when I advocate encryption - my wish for broad adoption of personal encryption technology is first and foremost self-serving. To tap again into the old PGP readme files; sending mail in "sealed" envelopes is not currently suspicious due to the fact that the practice is so widespread. Untill encryption becomes commonplace it remains far too easy to label it suspicious behaviour.
Here's to hoping that free encryption will carry on where the commercial offerings have failed. Cheers.
...particularly with new versions of PGP and GnuPG, which can send keys straight to the keyservers and retrieve them from there on an as-needed basis.
In short, I can't see there being very many users at all who have a current version of PGP and chose *not* to send their key into the keyserver -- it's just that tightly integrated. It takes a little more work with GnuPG, but the folks who know about it are the exact same folks who care.
Thus, I can't possibly see your 2% estimate being on the mark -- few may use OpenPGP-compliant crypto, but of those who do, nearly all use the keyservers.
This will simply become part of the arithmetic commercial developers will have to deal with.
This reminds me, does anybody know of any PGP-style email encryption/authentication programs that work under Mac OS X?
- j
Really? 300 people have been working on a product that doesn't sell? I can't blame them for layoffs, just overhiring.
Ever since Phil Zimmerman left because of of "differences" with NAI, I was extremely reluctant to upgrade to future versions for fear of "backdoors" that might have been included in the product - things that wouldn't have happened under his watch but are now more likely.
So I stopped upgrading the free version at the last version he personally oversaw...7.0.3
----------
ah honey, we're all resplendent - Bill Mallonee
Probably not. They're also dropping Gauntlet Firewall and some of the sales force. Sounds more like a company in financial trouble.
Umm, no. I work for a company that has our own symbol on /., one with a funky dropped 'e' in it. You might be able to figure out who we are. We tried to buy PGP for Unix to secure engineering data--we happen to be one of the largest Microsoft shops on the planet, but all the real work still gets done on Unix/Linux--and NAI wouldn't sell it to us. We were talking THOUSANDS of licenses, ubiquitous deployment to everyone, and they weren't interested in providing a Unix client of the current version.
So we're going to be using GPG.
Get this: NAI have also threatened major bad legal juju if we ever put any GPG-generated keys on their keyserver product, which we also had previously bought (along with hundreds of individual PGP licenses). Hello? If that's not a Microsoftesque move, I don't know what is.
They coulda made millions on our account. WE WANTED TO PAY THEM MILLIONS. Negotiations fell through. So now we're saving the millions and going to be supporting open source even though senior management is still not 100% clued into that this is a good thing.
We've only been wanting to add a "security" topic for about TWO YEARS so it's nice to finally have one...
*laughs*
Well, yes, it's quite true that PGP had disappointing sales. The company had a nasty tendancy of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.
It's funny that I have this exact story from so many different sources that nobody can say I'm compromising internal information. Go ask your friendly IT Purchasing agent about any adventures they had trying to get a site license for PGP. This was mandate from upper management: Either all the stripes make some cash, or none at all.
NAI consistently chose the latter. Now, as for all the conspiracy theories...never attribute to malice...
--Dan
www.doxpara.com
Not a problem. There is already public funding for GPG in Europe. And encryption of a PGP/GPG type does not need hundreds of developers (of the commercial full time variant).
I think it is no real problem for the manufacturers of mail software to include GPG support on their own.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
My thoughts exactly... obviously the whole mess of legislation for backdoors (as a result of terrorist actions) had a fair amount of play in this decision.
XML is like violence. If it doesn't solve the problem, use more.
Not the strongest encryption in the world, but it'll keep prying eyes away. You might have some issues exchanging disk images with non-OS X users, though.
-jon
Remember Amalek.
HEY GUYS! Before you all get your panties tied up, PGP has always existed as freeware, with full source code too. It's not going to disappear! Just like DeCSS, etc -- even if it's made totally illegal by US govt, it will live on.
Lest we forget, there are libraries available to get around any RSA legal crap, too, in the PGP.
There's 10 types of people in this world, those who understand binary and those who don't.
All I want is an e-mail client with an 'encrypt' button. I press the button and it asks me for an encryption key. I enter a key that my correspondent and I have exchanged over the phone, in person, etc. The message is encrypted and sent.
/. crowd thinks it is to use PGP. Some of my friends aren't computer gurus and it's just too much complication and hassle for them to use PGP.
I'm not Osama Bin Laden. I'm not expecting someone to be monitoring my phone, e-mail, in-person conversations, cell phone, etc. I just want to be able to exchange e-mail with friends and not have every nosy guy at the ISP or my company be able to read it.
PGP is just an incredibly complex and painful solution for what should be a simple problem. 99.9% of the public just wants to be able to occasionally send encrypted messages to friends using a private key. I don't care how easy the
It is kind of a bummer though. I'm told the Windows version was pretty nice.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
250 is a lot of employees for such a small product.. at least in terms of what a person would view as a niche product, at best. Perhaps this is just one of the last vestiges of the bloated net economy fading into the distance.
However, other influences may be involved. It's pretty obvious that encryption schemes, in general, are under scrutiny after the Sept 11 attacks. Any company that is producing an encryption product certainly has taken a look at it's business in recent days.
Ultimately, I think most people have given into the idea that their correspondence via email.. and really anything that ends up on their computer could be an open book if anyone really wants to look.
Apparently Gauntlet firewall is going to. Too bad for those of us who use this product and have paid for long-term support.
While not the most popular product out there, it is serviceable. In our instillation I think we are pushing it to the limit, but their Webshield e-pliance product was sold as an easy to configure/manage secure product, and was quite secure straight out of the box.
As for us, we have several issues we are trying to ram through NAI technical support. Will NAI continue to support a product they aren't going to continue to sell? Will our support contracts be transferred with the product when its sold, or will NAI try to honour the support contract even though they don't own the product anymore.
It's a worrying sight when Internet security suppliers go out of business. Unless there were serious problems with the product not in the public domain (and I know about their mail daemon) it was a good security product for small to mid-ish companies and they are saying it's unprofitable. Either firewall products are about to become more expensive, or the quality is about to go down. Neither is a good sign.
Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
1) "encode"? what's that?. (the ignorance fFactor that says 'if it didnt come with M$ office, i don't need it')
2) modern variant: "encode"? what's that? i heard terrorists were encoding messages
3)if you are interested in security, there's a good chance you have something to hide. like all those warez on your desktop. ergo, you didnt really pay fFor that copy of PGP at all.
What I find amazing is that most people labor under the foolish misconception that if only American encryption products (like PGP) were either backdoored, effectively export controlled, or discontinued altogether, that foreign criminals and terrorists would suddenly have nothing to hide their data with. Let's explore why only stupid people would think so:
1) Source code to most versions of PGP is available and published internationally on many sites. If a terrorist wants PGP, and PGP has been discontinued, he can just download a binary from one of these foreign servers, or get someone computer literate to compile this source code for him. It's already in the wild on the net, and spread to servers in nearly every free or partially free nation; it will never disappear now.
2) Since the source code is available for even some very recent versions, overseas programmers will pick it up and improve it and release newer builds for newer OSes if it is discontinued or shown to have backdoors.
3) GPG is arguably just as good, plus it's truly Free and GPLed. It's not as shiny, but makes a good drop-in replacement for most people, terrorists included. And again, GPG is "in the wild" and not going to disappear from the Net even if the U.S. and half the world outlaw strong encryption, and since the source code is there people will hack on it and improve it, even if only overseas people.
4) Contrary to the beliefs of the ignorant, the U.S. is not so much more advanced than other countries that no other people from overseas can write strong encryption products as good as ours. Encryption is universal math, not American voodoo. In fact, the best symmetric encryption product currently comes from the U.K., Scramdisk. If America and the U.K. were to ban encryption, any country with competent mathematicians and programmers could take the lead.
5) Encryption is based on well-documented and easily available math, and many proven algorithms are already published and cryptanalyzed and shown to be secure enough. Even if by some extraordinary miracle all traces of encryption products and source code were wiped from the Net by the unprecedented cooperation of every nation on Earth--something truly impossible--people like Osama could hire any competent mathematician and programmer to write a decent encryption product using a proven cipher and simple calls. As long as it's kept simple and uses proven ciphers, it would likely be as secure as PGP or GPG or Scramdisk.
So, it doesn't really matter what the download page says, or if it bothers to ask, or even if the U.S. were to enact the most Draconian encryption legislation tomorrow. PGP is nothing special. Its key functionality has already been duplicated in GPG and can be duplicated again and again by any number of competent non-U.S. residents. Therefore it doesn't matter who can download it, since they can get their hands on encryption technology that's just as strong.
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
This isn't a story about encryption being denied to the masses or anything. It's about a company giving up an unprofitable product line because most people just use the free versions. And in case whoever marked this post as a troll hasn't noticed, there is a great deal of software within Ars' timeframe that is having exactly this kind of thing happening to it: free alternatives are starting to pop up.
Try to think of a commonly used commercial application that is not having a free equivalent currently being worked on. With a bit of searching, you won't find many. Indeed, free software is even becoming increasingly popular as more people are getting sick of dropping $100-700 on software per product. A comprehensive commercial software package these days can cost even more than the computer you bought to use the software on. Do you think even the rather clueless average user isn't going to notice that?
C'mon, are Slashdot moderators really this dumb?
PGP has always existed as freeware, with full source code too. It's not going to disappear!
PGP 7.1 has not been released as freeware, and source release for anything past 6.5.8 is problematic. You can get the crypto engine of 7.1 (but not 7.0), but only if you agree to a truly onerous license. Better to say
Freeware builds of PGP haven't been made available for 7.1, and there's been practically no source release, too. At this rate, it's going to disappear!
Of course, my panties are far from in a knot. In the first place, I wear boxers. In the second, I use GnuPG.
My company exchanges a shedload of confidential data with customers - some of whom use PGPG. I tried the eval of PGPmail last week and couldn't get it going with Notes (no Outlook - no virus). Even waving the prospect of 12,000 seats at them they wouldn't respond. Should've guessed something was up.
We'll just have to stick to our normal encryption method - making our documents too boring for anyone to remain concious while they read them.
This sig made only from recycled ASCII
In the wake af the ATA... could it be they want to loose a division which would not be profitable if the ATA falls through?
The use of uncontrolled encryption would be illegal and who would by the controlled versions?
That sparks up a bit of paranoia that might be interesting to discuss.
I maintain at least 1 active keypair. I put it out on distributed key server groups. I post it on web servers. I use it to encrypt private communications.
But I use it very sparingly when it comes to signing email. I have to see a really good reason to verify who I am before I sign anything. If paranoia causes one to take up using PGP, its an even more selective paranoia that causes one to not use all its potential.
So why am I so paranoid? After watching the subpoenas fly a couple of years ago, I've decided that I'd prefer to make it a little more difficult to prove any bad attitude really is mine. Granted, there's other ways to try and link email to an individual. But why make it a habit to provide that trail for every mail list post, friendly banter, and interoffice discussion message you fire off?
And that's a really important point - a majority of our (or at least mine) email is of a fire-and-forget, trivial nature. Its less a written letter and more a verbal conversation encapsulated in text. Without the bandwidth hit of wav file attachments. In this informal environment, things are often said... or ideas expressed... that one would not set to a permanent record. Yet email, and other forms of electronic communication, have an odd way of sticking around far beyond its intended life.
Do you really need to give a lawyer the means to prove them came from you? And sure, there are other ways to link an email to an individual. But I'd prefer to make anyone giving me a hard time jump through those extra hoops.
As a side note, memo and file retention policies existed well before email became an indispensable tool to business. Email only compounds the problem these policies were really designed to address (and no, storage of files isn't the real issue here). With the lines slowly fading between personal and professional data, it might be worthwhile to think about your own home shredder and review your own document retention policy.
Of course - this all doesn't cover the real reason all this signing happens. Geek appeal. That's easy to handle. Include your PGP Key ID and fingerprint in your
Our group was pushing the Corporate populas towards PGP as a standard desktop app. And for it to become a commonly used app, at that. We were actually making some progress. And that's when people began asking (if not demanding) the company's key server.
The company had an "official" internal key server at one time. There was even a DNS entry for it still. In actuality, this keyserver had been a side project on an individual's Solaris desktop machine. He had become burdened with other tasks and the keyserver fell in to disrepair until it had been taken offline. We didn't have the time / funding to deal with it either.
Our suggestion was to use the excellent network of public key servers in the meantime. It was odd. People were rather horrified at the idea. Public keyservers was just too scarry. No ammount of discussion would change their minds. They needed a nice, safe internal one or no key server at all would do.
We scored a hit in getting PGP out there. But I suspect it was an overall miss by somehow failing to educate the population on what they had.
My mail folders on our multiuser system are kept publically readable, so encrypting them on the wire seem silly.
However, there is a social convention about not reading other peoples mail, which means someone behaving like you would be rude. It is a public display of disrespect, which is insulting whether or not the victim cares about his mail privacy or not. I'd be annoyed too.
I saw this coming,. Not merely the dot-com boom bust of nai pki division but the implosion that is inevitable once too many people spot collusion between the US NSA and NAI.
l
... only use original flavor pgp RSA not the freeware "Diffie-Hellman/DSS-keys" pgp keys.
Now the money xfers from NSA to NAI are part of public record but theres plenty of suspicious info even before those press releases of this year. I include some here below,
NAI (owner of the source) makes money by doing things for the NSA... they themselves admit it. Then theres the key escrow backdoor weakness in new pgps. Plus history of NSA manipulation in other areas. Use older (years ago rsa only) pgp for true security, and compile it yourself and check compilation. Is source for what you used even available at all?
( FYI: If comparing macintosh builds: factor out (by hand pasting) the embedded date and time field in the executable header or the pgp singnature of the PEF will not match the distributed signed apps)
please read the following informative sites :
written in 2000, before the full NSA connection was revealed. VERY VERY LONG and detailed pgp
backdoor info
http://senderek.de/security/key-experiments.htm
an old useful page written right before NAI admitted taking NSA funds
http://cryptome.org/nsa-sabotage.htm
old 1998 site written before NAI admitted taking NSA funds for engineering work:
http://www.proliberty.com/references/pgp/
in general
and avoid all modern pgps..
The founding author ("z") quit NAI one month before news broke that NAI has one major paying crypto cu$tomer of the division that got axed today : the US NSA!
You are all ignorant. PLEASE READ MY LINKS.
This is not only true for GnuPG, which has funding by the government (for the development of more user-friendly frontends, I think), but there is also a project for the development of an open source anonymity service (JAP) as strong as (or even stronger than) the Freedom anonymizer service, and there is also the Sphinx project to build a PKI for the public authorities and maybe others.
One of the main drivers for the JAP project (and maybe others) seems to be that many consumers (at least in Germany) apparently avoid E-commerce because of privacy concerns.
Don't lecture me -- I have used PGP and it is not the simple matter you pretend that it is -- especially not when you and your correspondents each use multiple computers and have to move your private keys around.
First they have to promise not to use it for commercial purposes and then they have to fill out a form that asks them how many copies they intend to purchase, the timeframe, the company for whom they work, their title, their address, phone number, e-mail address, number of computers at their location, etc. Do you have any idea of how long it takes for my friends with 56K modems to download a 7MB file (which PGP is)? About 30 minutes -- if they don't drop the connection. Then I have to go through the whole "you won't get a virus" lecture before they will cautiously try to install it.
The freeware version, by default, installs VPN/Firewall. Then it wants to know which adapters you want secured. Yeah, that's what I want to try to explain to someone who majored in English Literature. Then it wants the user to enter a passphrase of at least 8 characters -- but not write the passphrase down anywhere. Another thing for them to remember -- which many of them will not.
I could go on and on, but it's not worth my time. Instead, I'll ask you a simple question: What percentage of your non-computer-geek friends use PGP and if it is so simple to use and free, why do do few use it?
You just don't get it, do you? A simple private key encryption needs to be built in to the mail client the way that SSL is built into the browser. The whole digital ID thing for e-mail is a joke. I got a Thawte Freemail digital ID. My friend, a computer professional, also got one. Netscape 4.7x (his e-mail client) claimed that his had already expired -- despite displaying an expiration date in the future for the ID. Then he downloaded Mozilla only to find that it does not support encryption at all. He finally gave up after a lot of trying.
At my last job they wanted to try out encryption but did not see the need to spend so much money per seat (worked out to about $35k total). Also was willing to look into GPG but it doesn't integrate well (if at all with Outlook). Since this wasn't a technical oriented group (most of them didn't know how to change a defalt printer). It would have needed to be somewhat idiotproof.
Hard Crypto + Clueless Users == Weak Crypto.
... security is a process, not a product.
There's really no other way to dice it. Due to the very nature of crypto in algorithm and implementation there just isn't space for a clueless user to stumble around and not expect to eithe (1) break something critical or (2) break something critical without realizing it.
Repeat after me
Slashdot? Oh, I just read it for the articles.
Granted, the distribution of one time pads is a pain in the rear. However since Osama primarily does business by courier anyway............
The making of one time pads isn't a big deal at all compared with the distribution problem. A tv tuned to a blank station and a video capture card would be an inexhaustible source of truly random data. Just strip the headers from the compressed frames. If one is feeling really frisky the sampled tv data could be used to seed pseudorandom algorithms as well. This would remove any identifiable quirks of the natural random number source. The data from the tv will be random but still may adhere to some type of bell shaped curve that would look like it's bandpass response. Individual bytes would be unpredictable but enough of them would tell you something about that tv+card combo anyway....so mix em up a little.
Their biggest users could have been corporate, but at a couple hundred bucks a shot, most corporations had a hard time convincing themselves it was worth it on a large scale...
Good point, but I think that there's more to it than that. I know of companies that don't want their employees having encryption products available (and of a few that outright ban them as a matter of policy). While none of these outfits come right out and say so, I'd imagine that if employees start using encryption, companies would have a much more difficult time monitoring employee e-mails. Sad, but probably true.
in a company what do you want from your crypto system?
1. The ability to send secure messages to customers
(relating to billing or just giving instructions about product that you don't want anyone else to know CUSTOMERS demand that it be secure)
2. send messages within the company that can be read only by receiver
(prevents leaks and makes sure that the whispers don't start up e.g. how many mails go to the postmaster )
3. escrow is needed when an angry employee leaves and you need to read their work
(the world is full of jerks and they can be hard to spot)
4. Key servers need to be up to date and manageable
(from a sysadmin point of view)
5. Standards for sending e-mail securely and product activation would be nice
yes its good to be open but some one needs to productise this so that company can buy an Complete Off The Shelf (COTS) solution that a company can buy because not enough people do secure themselves IMHO
are their anyone that fancies boxing up GPG, a keyserver and manuals on how to do the above I am sure that they could get some money from companies I know
regards
john jones
Maybe they were selling special versions in Arabic to Saudis living in Afghanistan? (When you have 4 wives, you have to keep a lot of secrets.)
:)
Naah. Not when your wives can't divorce you and have no meaningful rights to speak of that aren't granted to them by you.
Go ahead. Mod me down.
The truth about Scientology, Xenu, and you: Operation Clambake
Wow, a $30 patch for a $250 OS that might make you feel less venerable. I don't mind people trying to make a living selling binaries. I just don't understand why people would buy such things when free alternatives are available. GPG not enough security? Try OpenBSD.
If the answer is that the free alternatives are too hard to administer and set up, go get help. There are Linux User Groups (LUGs) everywhere. Take the hundreds of dollars you as an individual would spend on canned binaries and hire someone to help you out. If you are a business, save yourself thousands of dollars the same way.
The world is always changing. Sometimes it hurts, as when 250 fine programers get laid off. As long as the world remains free, the changes will be for the better. Just think of that talent being liberated. All of those nifty Windows tricks are unlikely to be released even if NA itself goes belly up.
Friends don't help friends install M$ junk.
Yes...I use Outlook...at work...
BUT, our backend mail server is HP OpenMail on Linux and I know how to configure Outlook properly. No one in our company has been touched by SirCam, etc. and all my e-mails are sent PLAIN TEXT (none of the HTML mail or BODY.RTF crap) and in this mode, using WinPT, Outlook integrates well with GPG. I type my message, then I press ALT+SHIFT+S to sign it or ALT+SHIFT+E to encrypt it and WinPT pops up a dialog for me to choose a key to sign/encrypt with (lets me have a default signing key) so I just type in my passphrase and the original message is cut out and the clear-signed message gets pasted in. Then I press CTRL+ENTER to send.
That is at least somewhat idiotproof. It may not be as pretty as PGP's integration, but then there's a bug with that that won't allow me to automatically sign on send, so I have to sign
If slashdot could provide a public key server and support encripted traffic for logged in users. There would be a wedge to start pushing at least our own comunity to use PKI.
Funny you should mention that. The exact same thing happened after NAI bought Trusted Information Systems, makers of the (formerly) superb Gauntlet firewalling software: They bundled it with such in indigestible batch of mandatory other goods and services that all of the professional TIS installers I know switched in disgust to other products, such as Novell Border Manager. Which has more or less killed TIS Gauntlet.
Rick Moen
rick@linuxmafia.com
All does not look good for MOST companies. In case you havn't noticed, the economy is in the shitter. Everybody's feeling the pinch, not just tech companies.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
How many of us use this feature [slashdot.org] of slashdot?
/., provide no significant authentication) can result in multiple, conflicting keys being publicly available -- and everyone can agree that that's a Bad Thing.
Hopefully, very few. It's a misfeature; folks who use PGP should use the keyservers for key distribution, not the web sites they happen to have accounts on. Distributing keys through such extra channels (particularly ones which, like
I think it is clear that this is a company on the verge of crash because of management featherbedding and incompetence, not because of lack of product (their products are great, according to everything I've read, though since they do not have a Linux version I do not of course have personal knowledge of such). They took an idea that will support a company of perhaps 25 people and tried to create a company of 250 people. In the process they ran up massive debts and chewed through massive amounts of cash. This, alas, is a common thing nowdays.
Send mail here if you want to reach me.
On the other hand, when one lives in a place where adultery can be fatal, discretion might be advisable. However since the internet is banned in Afghanistan I'm not sure how PGP would help.
That is the problem that F500 enterprises have really been interested in spending money to solve. If you can solve that problem you can then go on to deploy a whole rack of true e-commerce systems.
That is why the vast majority of corporate spending has been on certificate based email security systems.
There are still crypto companies making good money but times are tough. Over the past five years a lot of enterprises bought a lot of software they never deployed. As a result a lot of IT depts are being told to deploy their 'shelfware' before they buy more stuff. The software product model is definitely not doing well, buying software as a service on the other hand is doing very well.
Companies that sell 'plug ins' have been doing worst of all. Plug-ins have a pretty bad record in the enterprise space. They tend to cost as much as and often more than the applications they plug-into and tend to be a pain to manage with version number incompatibilities, configuration glitches and other issues that are annoying if its just one slashdot reader but a help desk catastrophe if you have several thousand clueless users to support.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/