Slashdot Mirror
NAI to Sell Off PGP Product Line
An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."
If my product line was about to become illegal and wasn't selling well to begin with. I'd sell to the highest bidder too (and I'm sure it will sell high).
The biggest potential users of this would have been the Slashdot types, and we're known for being fierce advocates of open-source and free (as in beer) software. The kind of "Why pay for something when you can write it yourself?" mentality is what helped kill it.
The people that are most concerned about encryption are those least willing to pay for it.
Pretty Good Pinkslips
oh wait...oxymoron
Twice is enemy action...
First ZKS shuts is services, now PGP is orphened...it does not take a conspiricy fan to put this together.
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Now I'm going to have to bust out my old Hardy Boys Detective handbook to learn how to encrypt my messages. Everybody jump to OSDN as I'm officially starting the HaBOSEP (Hardy-Boys Open Source Encryption Project). Just send me 2$ for your secret decoder ring.
Say it ain't so, PGP, say it ain't so.
--I hate big sigs.
This product never ceased to amaze me. PGP 7.1 included, among other things:
- an encrypted IPSEC/IKE compliant VPN
- encrypted hard drive software (public key or shared secret encryption)
- Encrypted Email with multiple mail client integration
- Myriad windows hooks, like "encrypt clipboard"
- A secure file and hard drive wiper
- A full-blown INTRUSION DETECTION SYSTEM with email alert that would attach itself below the NDIS level.
...all for $30. I'm not a big fan of buying software, but I bought this religously because it was a steal, just for the IDS. I always wondered how they could afford to put so much top-notch development into such a cheap product (I never found a serious bug, and I've worked it over hard. That's a rare thing to be able to say about a windows networking application).
The answer appears to be that they were dumping serious development funds into this product and got were expecting massive sales. If you asked me to point a finger at the cause of death, I'd say they were overambitious. Too many developers building too much functionality made it far too expensive. All anyone ever really wanted was encrypted email. And perhaps if that's all they developed, supply would have matched demand.
Then again, hindsight is 20/20.
Is this a coincidence? Or is there some government pressure in action here? What's the next step? Pressuring ISPs of distribution points for Open Source encryption products? When that happens, I'm sure we'll be re-assured by the ISPs that they have sound economic reasons for disallowing encryption software; but that won't make it go over any easier with me.
So, luckily, the NAI Labs section of PGP was exempt from all this change and will be shuffled around more, but we're still here =) It's a bit disappointing to see your company admit failures like this, even if it's for the best interest of the company.
Brian Fundakowski Feldman
How many among even the savy group here maintains a valid PGP key that is available online? Of those, how many maintain their key in a searchable index? I presume the answer is less than 2%.
How many of you have received an email either signed or encrypted in such a fashion and then actually used the sender's public key to decrypt/verify?? Probably 10% of readers here or less.
And that folks, is why PKI and hence PGP are dead-ends.
I just happened to have it installed instead of GPG, but I will probably make the switch now that it's being discontinued.
1. Private Data... There's a lot of stuff that I do and say through email that is perfectly kosher, but is none of my company's or coworker's business, like emailing my wife whilst at work. I know for a fact that there are nosy people in my networking department, but 2048 bit D-H encryption makes this Somebody Else's Problem (tm) even thought I am forced to use Exchange at work.
2. Insecure Mail Servers... By the same token, I am forced to keep sensitive data on an Exchange server. It doesn't take a genius to see that any given company's Directory/Mail/Personal Info server is going to be one of a malicious cracker's first targets, if he or she is interested in doing anything other than 0vvnZ'ing the website. When the time comes... and it will... I will be able to say... 'No, my sensitive data was NOT compromised, because it was securely Encrypted.
3. Personal Liability. I'm a freely spoken individual. Some people don't appreciate it. If I say something in an email that could possibly be used against me later by the owner of a mail server, it goes in encrypted. By the same token, any personal files on my work PC belong to me, and not my company. Without my passphrase, they can't do shit with them.
4. Geek factor. It is oh, so cool to be able to 'sign' an email, and advertise your public key. Mine is:
http://www.furinkan.net/key.txt
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
PGP had a few of strikes against it:
A. Little perceived need by the masses
B. Hassle to use
and more recently
C. Government rumblings
A. could be dealt with by some good old FUD. I've always been amazed that NAI and others have resisted the evil urge to play on naive users' fears of "hackers." Come on, companies with lame IDS and Firewall products have been playing the fear card for a while. Imagine how effective a campaign would be if the product were actually good... (Not that I'm a fan of these tactics).
B. is a more difficult problem. Although the product has come a long way since the old DOS version with it's confusing options, it has a way to go to acheive true ease of use. People don't necessarily "get it." I'm not a huge fan of dumbing down interfaces, but a real simple set of wizards that handled all the stages of key creation and software integration would be helpful. Plug-ins for email are good, but a deal with MS or Eudora to bundle it would be better. Plug-in with ICQ is good but a bit clumsy at times. Maybe playing up the Envelope metaphor in email programs would be better... Also, encouraging users to get their email contacts to install the freeware version would be great. Maybe, a window that popped up when people tried to send an encrypted email to a person whose key isn't know. The window could mention the problem, and offer to send the recipient an email with a link to the freeware (or perhaps a free "reader" that allowed for key creation and email integration).
With C. the issue is just a big hassle. At some point you'd hope the Gov't would realize that restricting strong encryption will have no effect on criminals, only business and home users.
Buy Hex-Rated Stuff, fight the DMCA!
We looked into it for our company, turns out the head of our sales group sent a copy of the commision $$$ amounts to everyone in our sales group by mistake and we wanted to prevent that in the future. But that's another story.
Anyway they wanted about $175 a copy, I think for what we needed. Then I found the PGP Freeware link on their site. I thought, hey why pay for it when they give it away for free?
No wonder its going away. Could you imagine going to the Ford dealer and the dealer saying "here's the new Ford for $20,000". And you ask, "what about the Mercury over there exactly like it" and the dealer says "Oh those, they're free, take as many as you like" Where is the choice here?
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
There are two kinds of encryption users...
1) There are ordinary folks who want an easy-to-use encryption solution out of the box, and don't want to read a manual to get that level of security. While NAI's software has been getting better and easier-to-use over the years, it's still not 'easy'. Concepts like 'ring of trust' & 'key signing' might still too academic for ordinary folks, and NAI has not made much of an effort to explain why these ideas are important.
2) There are encryption-geeks, who don't really trust the security of a closed-source product, or who are happy enough with ssh, pgpi, gpg, etc.
OK, I guess there is a third type of encryption user, the user who wants an easy to use encryption product for her business, and isn't concerned about fears like 'FBI backdoors' in their product, but they're probably a small segment of the market.
"Can of worms? The can is open... the worms are everywhere."
I went to the NAI website and tried to buy PGP about 18 months ago. There were problems with the site. The product was poorly explained, and I got error messages.
Also, would you buy encryption software from ANYONE who wasn't offering the source code? I had read that NAI would give the source code to someone who bought the product, but I was unable to find mention of that on their web site.
I sent NAI an e-mail message, and no one replied.
Finally, I just gave up and used the free version. I paid less (zero) and got more.
The story says, "I worked there up until today and somewhere around 250 of the 300 employees were clipped."
Do I understand this correctly? What could 250 people be doing with PGP, a product that was written by one man, and was changing very slowly?
Maybe they were selling special versions in Arabic to Saudis living in Afghanistan? (When you have 4 wives, you have to keep a lot of secrets.)
Secrecy and weapons sales corrupt democracy: What should be the Response to Violence?
Bush's education improvements were
It's very interesting to notice that a majority of people indicate that they do not care about personal encryption, primarily for their electronic mail communication. I recall reading in the PGP readme, when I first discovered it - version 2.x or 3.x at the time, I think - how it made perfect sense to use encryption to ensure your privacy. After all, did you not prefer to send your most personal thoughts using letters within envelopes rather than postcards?
However, when I try to advocate encryption to those I know and hope to influence, they all seem to indicate that they aren't all that concerned about their email. And yet those same people never fail to be annoyed when I walk up to their computer and pretend to read their email in order to prove my point.
Perhaps most people are unaware of how easy their email can be intercepted and read? After all, an email address might appear to be like a telephone number - a direct link to whomever one might wish to contact. And we're comfortable with the phones - after all, wiretaps seem hard (or at least laboureous) to obtain, and we suspect that capacity prevents wiretaps from being universally applied. Not so with email, though - it's child's play to intercept any SMTP communication that passes through your network. And if you happen to be centrally located, in a network topological sense, there's no theoretical limit to the amount of communication you can eavesdrop on.
I must admit that I'm not being entirely altruistic when I advocate encryption - my wish for broad adoption of personal encryption technology is first and foremost self-serving. To tap again into the old PGP readme files; sending mail in "sealed" envelopes is not currently suspicious due to the fact that the practice is so widespread. Untill encryption becomes commonplace it remains far too easy to label it suspicious behaviour.
Here's to hoping that free encryption will carry on where the commercial offerings have failed. Cheers.
This will simply become part of the arithmetic commercial developers will have to deal with.
Ever since Phil Zimmerman left because of of "differences" with NAI, I was extremely reluctant to upgrade to future versions for fear of "backdoors" that might have been included in the product - things that wouldn't have happened under his watch but are now more likely.
So I stopped upgrading the free version at the last version he personally oversaw...7.0.3
----------
ah honey, we're all resplendent - Bill Mallonee
Umm, no. I work for a company that has our own symbol on /., one with a funky dropped 'e' in it. You might be able to figure out who we are. We tried to buy PGP for Unix to secure engineering data--we happen to be one of the largest Microsoft shops on the planet, but all the real work still gets done on Unix/Linux--and NAI wouldn't sell it to us. We were talking THOUSANDS of licenses, ubiquitous deployment to everyone, and they weren't interested in providing a Unix client of the current version.
So we're going to be using GPG.
Get this: NAI have also threatened major bad legal juju if we ever put any GPG-generated keys on their keyserver product, which we also had previously bought (along with hundreds of individual PGP licenses). Hello? If that's not a Microsoftesque move, I don't know what is.
They coulda made millions on our account. WE WANTED TO PAY THEM MILLIONS. Negotiations fell through. So now we're saving the millions and going to be supporting open source even though senior management is still not 100% clued into that this is a good thing.
We've only been wanting to add a "security" topic for about TWO YEARS so it's nice to finally have one...
*laughs*
Well, yes, it's quite true that PGP had disappointing sales. The company had a nasty tendancy of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.
It's funny that I have this exact story from so many different sources that nobody can say I'm compromising internal information. Go ask your friendly IT Purchasing agent about any adventures they had trying to get a site license for PGP. This was mandate from upper management: Either all the stripes make some cash, or none at all.
NAI consistently chose the latter. Now, as for all the conspiracy theories...never attribute to malice...
--Dan
www.doxpara.com
Not the strongest encryption in the world, but it'll keep prying eyes away. You might have some issues exchanging disk images with non-OS X users, though.
-jon
Remember Amalek.
All I want is an e-mail client with an 'encrypt' button. I press the button and it asks me for an encryption key. I enter a key that my correspondent and I have exchanged over the phone, in person, etc. The message is encrypted and sent.
/. crowd thinks it is to use PGP. Some of my friends aren't computer gurus and it's just too much complication and hassle for them to use PGP.
I'm not Osama Bin Laden. I'm not expecting someone to be monitoring my phone, e-mail, in-person conversations, cell phone, etc. I just want to be able to exchange e-mail with friends and not have every nosy guy at the ISP or my company be able to read it.
PGP is just an incredibly complex and painful solution for what should be a simple problem. 99.9% of the public just wants to be able to occasionally send encrypted messages to friends using a private key. I don't care how easy the
What I find amazing is that most people labor under the foolish misconception that if only American encryption products (like PGP) were either backdoored, effectively export controlled, or discontinued altogether, that foreign criminals and terrorists would suddenly have nothing to hide their data with. Let's explore why only stupid people would think so:
1) Source code to most versions of PGP is available and published internationally on many sites. If a terrorist wants PGP, and PGP has been discontinued, he can just download a binary from one of these foreign servers, or get someone computer literate to compile this source code for him. It's already in the wild on the net, and spread to servers in nearly every free or partially free nation; it will never disappear now.
2) Since the source code is available for even some very recent versions, overseas programmers will pick it up and improve it and release newer builds for newer OSes if it is discontinued or shown to have backdoors.
3) GPG is arguably just as good, plus it's truly Free and GPLed. It's not as shiny, but makes a good drop-in replacement for most people, terrorists included. And again, GPG is "in the wild" and not going to disappear from the Net even if the U.S. and half the world outlaw strong encryption, and since the source code is there people will hack on it and improve it, even if only overseas people.
4) Contrary to the beliefs of the ignorant, the U.S. is not so much more advanced than other countries that no other people from overseas can write strong encryption products as good as ours. Encryption is universal math, not American voodoo. In fact, the best symmetric encryption product currently comes from the U.K., Scramdisk. If America and the U.K. were to ban encryption, any country with competent mathematicians and programmers could take the lead.
5) Encryption is based on well-documented and easily available math, and many proven algorithms are already published and cryptanalyzed and shown to be secure enough. Even if by some extraordinary miracle all traces of encryption products and source code were wiped from the Net by the unprecedented cooperation of every nation on Earth--something truly impossible--people like Osama could hire any competent mathematician and programmer to write a decent encryption product using a proven cipher and simple calls. As long as it's kept simple and uses proven ciphers, it would likely be as secure as PGP or GPG or Scramdisk.
So, it doesn't really matter what the download page says, or if it bothers to ask, or even if the U.S. were to enact the most Draconian encryption legislation tomorrow. PGP is nothing special. Its key functionality has already been duplicated in GPG and can be duplicated again and again by any number of competent non-U.S. residents. Therefore it doesn't matter who can download it, since they can get their hands on encryption technology that's just as strong.
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
In 1785, a resolution authorized the secretary of the Department of Foreign Affairs to open and inspect any mail that related to the safety and interests of the United States. The ensuing 'inspections' caused prominent men, like George Washington, to complain of mail tampering. According to various historians, it led James Madison, Thomas Jefferson and James Monroe to write to each other in code - that is, they encrypted their letters in order to preserve the privacy of their political discussion.
Government has shown time and again that it cannot be trusted not to eavesdrop without warrant and cause, whenever it thinks it can get away with it. The infamous FBI bugging of Martin Luther King and just about everyone else with political clout comes to mind. It was little more than thirty years ago, too, so don't complain my example is outdated. Or how about the recent study which found over 2,000 illegal, unwarranted wiretaps were performed last year? And that's just the ones we found out about after the fact.
The dissemination of information and ideas is one thing. Not leaving people alone long enough to gether information and form ideas, without fear of the Secret Police wondering why we're looking at that particular information and forming those particular ideas that it may not like, is a potential downfall of civilization.
Civilization is only advanced where ideas, even new and very jarring ones, are permitted to flourish. Today Socrates is considered to be the bedrock of all Western philosophy, since his pupil Plato wrote all the founding philosophical explorations. But recall that in his own time his ideas, nearly universal in the West today, were considered dangerous and he was executed for expressing them by the then-most-free society in existence, the birthplace of Democracy, Athens.
Encryption is the only way to express ideas without fear of reprisal by regimes which are not on the cutting edge of human rights, much as the U.S. is not. It is the sole way to protect one's privacy with any certainty from arbitrary invasions. Therefore we would do well to promote encryption, as a way to ensure that our rights are protected and respected. I trust myself to protect my rights with encryption, more than I trust the FBI, ATF, DOJ, etc., to do so with empty platitudes. And on this point I am in the company of George Washington, Thomas Jefferson, James Madison, and James Monroe--I'll take them to John Ashcroft, Janet Reno, the FBI and ATF agents who murdered innocent people at Ruby Ridge, and their ilk, any day.
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
PGP has always existed as freeware, with full source code too. It's not going to disappear!
PGP 7.1 has not been released as freeware, and source release for anything past 6.5.8 is problematic. You can get the crypto engine of 7.1 (but not 7.0), but only if you agree to a truly onerous license. Better to say
Freeware builds of PGP haven't been made available for 7.1, and there's been practically no source release, too. At this rate, it's going to disappear!
Of course, my panties are far from in a knot. In the first place, I wear boxers. In the second, I use GnuPG.
Do you send paper mail in envelopes? Looks like you've got something to hide. Let's hal you down to the Ministry of Truth for some examinations. It's the "something to hide" stigma which is retardedly holding back the use and acceptance of cryptography. Encryption technologies are not just for people hiding warez (I've never even fucking heard of encrypted warez before and PGP is free for non-commercial use anyhow). E-mail is an inherently insecure communication medium. Few if any ISPs actually use or support secure e-mail in any fashion so that responsibility falls onto the user. You don't need illicit reasons for secureity, plain day to day business needs plenty of it. For a dallar of security you saveseveral dollars in losses.
I'm a loner Dottie, a Rebel.
This is not only true for GnuPG, which has funding by the government (for the development of more user-friendly frontends, I think), but there is also a project for the development of an open source anonymity service (JAP) as strong as (or even stronger than) the Freedom anonymizer service, and there is also the Sphinx project to build a PKI for the public authorities and maybe others.
One of the main drivers for the JAP project (and maybe others) seems to be that many consumers (at least in Germany) apparently avoid E-commerce because of privacy concerns.
Don't lecture me -- I have used PGP and it is not the simple matter you pretend that it is -- especially not when you and your correspondents each use multiple computers and have to move your private keys around.
First they have to promise not to use it for commercial purposes and then they have to fill out a form that asks them how many copies they intend to purchase, the timeframe, the company for whom they work, their title, their address, phone number, e-mail address, number of computers at their location, etc. Do you have any idea of how long it takes for my friends with 56K modems to download a 7MB file (which PGP is)? About 30 minutes -- if they don't drop the connection. Then I have to go through the whole "you won't get a virus" lecture before they will cautiously try to install it.
The freeware version, by default, installs VPN/Firewall. Then it wants to know which adapters you want secured. Yeah, that's what I want to try to explain to someone who majored in English Literature. Then it wants the user to enter a passphrase of at least 8 characters -- but not write the passphrase down anywhere. Another thing for them to remember -- which many of them will not.
I could go on and on, but it's not worth my time. Instead, I'll ask you a simple question: What percentage of your non-computer-geek friends use PGP and if it is so simple to use and free, why do do few use it?
You just don't get it, do you? A simple private key encryption needs to be built in to the mail client the way that SSL is built into the browser. The whole digital ID thing for e-mail is a joke. I got a Thawte Freemail digital ID. My friend, a computer professional, also got one. Netscape 4.7x (his e-mail client) claimed that his had already expired -- despite displaying an expiration date in the future for the ID. Then he downloaded Mozilla only to find that it does not support encryption at all. He finally gave up after a lot of trying.
Funny you should mention that. The exact same thing happened after NAI bought Trusted Information Systems, makers of the (formerly) superb Gauntlet firewalling software: They bundled it with such in indigestible batch of mandatory other goods and services that all of the professional TIS installers I know switched in disgust to other products, such as Novell Border Manager. Which has more or less killed TIS Gauntlet.
Rick Moen
rick@linuxmafia.com