Slashdot Mirror


Network Associates Gives Up Search for PGP Buyer

nakhla writes: "I came across this article which states that Network Associates has given up the search for a buyer for its PGP division. The company has laid off 18 workers, and plans to continue to maintain the product for one year. It's a good thing that there are still products like GnuPG and others out there for people who need cheap, reliable encryption."

180 comments

  1. Sad.. by dj28 · · Score: 4, Interesting

    I actually bought a version of PGP Personal Security 7.0.3 from these guys. It comes with some nice extras such as a very nice firewall. It's a shame that not enough people contributed to the development. Hopefully they will open source the latest version so that development can continue for long after one year.

    1. Re:Sad.. by kerrbear · · Score: 3, Interesting
      I actually bought a version of PGP Personal Security 7.0.3 from these guys.

      Er, what happens to all the files people encrypted with PGP ten years from now when their personal versions no longer run on the new OSs? If PGP Personal Security is rendered obsolete, will there be a way to retrieve those files, or should they be unencrypted now and re-encrypted with something that is going to stick around?

      I've got some pretty important .pgp files lying around. Should I switch to something else or am I not understanding something here?

    2. Re:Sad.. by Anonymous Coward · · Score: 1, Informative

      There are open source versions of PGP compatible with the commercial products. Try here http://www.pgpi.org/ and in particular here http://www.pgpi.org/download/gnupg/

    3. Re:Sad.. by mhyclak · · Score: 2, Informative

      I'd encourage you to switch to an open source project such as GnuPG just out of principle, but I do believe it can also interact with PGP encrypted things (to certain limitations... see the GnuPG FAQ on the subject). Basically if it's implementing OpenPGP, GnuPG can read it.

    4. Re:Sad.. by Superpaz · · Score: 2, Flamebait

      In 10 years it will be easy to crack.

    5. Re:Sad.. by hoggy · · Score: 2

      I've got some pretty important .pgp files lying around. Should I switch to something else or am I not understanding something here?

      It's probably quite worth getting gpg and seeing if it can work with your keys and encrypted files. One thing to note is that gpg doesn't support all of the algorithms that PGP used, because of patents/licensing (IDEA being an obvious example). So if you used those algorithms there's a serious risk of bitrot.

      If gpg works OK with the files then you're safe as it's not likely to go away in a hurry. Keep the source around just in case though ;-)

  2. Mixed feelings by rknop · · Score: 5, Informative

    I've got mixed feelings about this. On the one hand, PGP was revolutionary and is probably one of the main reasons encryption is as free and available today as it is. If Phil hadn't released that (at the expense of considerable suffering), I suspect that the governments of the world would have been able to clamp down on encryption big time, and all of us law abiding types would take it as an axiom that none of us really need anything like that, only terrorists do. It's sad to see the company that was carrying that torch give up on it. I fear this is just one more indication that personal encryption of e-mail and such isn't really going to catch on with the masses.

    On the other hand, NAI's not been a perfect angel. Phil left them because of differences about releasing (if memory serves) source code-- not because Phil is an open source advocate per se, so much as for reasons of being able to verify the security. And, myself, I'm an open source geek and have been using GnuPG for quite some time as my encryption software of choice. There still is hope that GnuPG will be turned into something that can catch on with the masses (just like there's hope, however faint, that things like GNOME and KDE will catch on with the masses).

    -Rob

    1. Re:Mixed feelings by leviramsey · · Score: 2, Redundant
      There still is hope that GnuPG will be turned into something that can catch on with the masses (just like there's hope, however faint, that things like GNOME and KDE will catch on with the masses).

      Is there any way that GnuPG could be built with a nice GUI for Windows? The fact is that for the time being, encryption will be worthless if the Windows users can't get the software.

    2. Re:Mixed feelings by smnolde · · Score: 3, Informative
      See winpt.org.

      I use it quite a bit to sign emails and the interface is pretty clean, too.

    3. Re:Mixed feelings by wafath · · Score: 2, Informative
      Take a look at http://www3.gdata.de/gpg/. It's in German. Use Google to translate.

      It's beta, but if you use Outlook, it seems to do the job very nicely. If you go to the GPG page, there is also a link for another program that is a plug in for outlook express.

      W

    4. Re:Mixed feelings by Cyno · · Score: 2, Interesting


      My dad installed a dual-boot windows 98se RedHat linux system yesterday, after building the computer, with no prior computer knowledge and a couple hours of phone support with me. He might have trouble with ls and cd right now, but he's starting to understand a filesystem/directory structure. I bet in a year or two he'll be writing encrypted email on linux, now his primary business OS, and maintaining a secure business. He's also converting his winmodem over to external serial modems and setting up another dual-boot linux system for dial-up web access at both his home and business, upgrading staroffice 5.2 to OpenOffice 641C on all platforms (windows and linux) for MS compatibility, and this time around its costing him less than $1000 for the latest technology, 1.6+Ghz system, G-Force 2, etc. I'm very proud of my dad. But he's no exception, he's just like all the other "computer illiterate" people out there. They're not computer illiterate(sp?), they just need a little help to get them started and lots of encouragement. That's all.

    5. Re:Mixed feelings by 4of12 · · Score: 2

      Is there any way that GnuPG could be built with a nice GUI for Windows?

      That's probably the most critical ingredient, and one which other responders to this post have already addressed.

      But has GPG been ported to the Mac? I'd imagine that OS X would be pretty easy, but I know of some friends that run some pretty crusty old versions of MacOS that would still be out of luck.

      --
      "Provided by the management for your protection."
    6. Re:Mixed feelings by Anonymous Coward · · Score: 0

      >Is there any way that GnuPG could be built with a nice GUI for
      >Windows? The fact is that for the time being, encryption will be
      >worthless if the Windows users can't get the software.
      >
      >
      Who gives a shit if Windows users are too fucking lazy to use a non-GUI program? Their loss, not ours and stop trying to act like it is.

    7. Re:Mixed feelings by Ioldanach · · Score: 1

      Just make sure he doesn't put his serial modem too close to the window...

    8. Re:Mixed feelings by superbiskit · · Score: 1

      Huzzah, Huzzah!

      You and Dad both deserve a plaque somewhere.

      Yes, it can be done. All you really need is to want it badly enough.

    9. Re:Mixed feelings by superbiskit · · Score: 1

      Since it is open source, what it turns into is a function of what the community cares enough about to work on.

      If you want a different front-end, you have the unrestricted right to develop one. That's the beauty of open-source.

  3. who feels suspicious about this too? by Anonymous Coward · · Score: 2, Insightful

    Seems from comments I read in other places (theregister.co.uk,newsforge.com,...) they never did any serious effort to market PGP. Still, there is a market for products like this. It is even growing. Some article also mentioned certain US government administrations as key clients... Doesn't this look a little suspicious?

  4. Lots of products left allright, but easy to use? by pmsr · · Score: 2, Informative

    Not in your wildest dreams. PGP Desktop was as easy as it gets.

    /Pedro

  5. It's a shame by WinterSolstice · · Score: 3, Interesting

    That a product as great as PGP is going under. I personally think that if it had stayed the way it was before the buyout, it would still be around. I wonder if something like this could eventually happen to /. or Gnome.

    This is the reason I am always concerned when a major company snatches up some cool new technology; they see it in major use by techs/geeks/etc, and think, "hey, with some good marketing...". They fail to understand what features matter to the original audience, fail to capture a new audience, and then drop the product.

    In the meantime, it strands people who used to like the product. I was a major PGP user since its inception. Now, I can't stand the darned thing. I tried the Palm and Pocket PC versions, I tried the Windows versions. They added too many toys and widgets to a small, light application.

    Oh well. I hope the Gnu PGP clone keeps up.

    -WS

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
    1. Re:It's a shame by Anonymous Coward · · Score: 0

      That a product as great as PGP is going under. I personally think that if it had stayed the way it was before the buyout, it would still be around. I wonder if something like this could eventually happen to /. or Gnome.

      Yes, because it eventually happens to everything.

  6. High Profile Use Case by SirSlud · · Score: 3, Insightful

    PGP encryption could use a nice high profile use case where its use saved the ass of someone the average joe could relate to.

    I really don't think that the average consumer is concerned about having their private messages intercepted. (The logic is usually: "I don't do anything bad. Hey, waitaminute. Why are /you/ so interested ... ?")

    That being said, I'm not surprised that it was difficult to find a buyer for them. The market really hasn't encountered the high profile case that justifies wide spread deployment of PGP use. I think .. ?

    --
    "Old man yells at systemd"
    1. Re:High Profile Use Case by sammy+baby · · Score: 3, Informative

      A good use case would be a major bennie, but I think you're coming at it from the wrong end. PGP isn't just used to encrypt/decrypt messages. The canonical four tasks:

        • Encryption/Decryption (Shh! Don't tell anyone this!)
        • Tamper Detection (Dude. Did someone mess with this message?)
        • Authentication (Hey - who really wrote this?)
        • Nonrepudiation (Fess up. I know you wrote this.)

      Rather than looking for situations where PGP prevented someone from intercepting a communication - often very difficult to know ever happened - I'd be looking for case studies in which someone tried to tamper with a message and was foiled because of the PGP signature, or tried to forge a message... you get the idea.

    2. Re:High Profile Use Case by Anonymous Coward · · Score: 0

      "That being said, I'm not surprised that it was difficult to find a buyer for them. The market really hasn't encountered the high profile case that justifies wide spread deployment of PGP use. I think .. ?"

      I'll bet all the evil doers at Enron and Microsoft wished their emails were encrypted. Encryption really is the ultimate digital document retention policy.

    3. Re:High Profile Use Case by wirelessbuzzers · · Score: 2

      Amnesty International uses PGP to protect their people (e.g. witnesses, reporters, etc.) from abusive governments. If the documents they sent could be decoded by these governments, the correspondents referred to in the documents would be tortured and killed. Of course, while this is relatively high-profile, they are a non-profit organization and therefore can use the free version, so NAI doesn't get any money from them.

      --
      I hereby place the above post in the public domain.
    4. Re:High Profile Use Case by Asgard · · Score: 2, Interesting

      If the government of the sender is in a position to arbitrarily torture/kill its people, then the mere fact an unreadable message is being sent may be enough to warrant such action. The 'Rubber Hose' attack on crypto is still valid...

    5. Re:High Profile Use Case by monkeydo · · Score: 2

      Why don't these "abusive governments" just execute anyone who sends encrypted email to amnesty international?

      You are assuming that the email is being intercepted and that the intercepting party knows who the sender and recipient are. You also assume the "abusive government" has access to the sender, hence the fear of torture and death.

      If I were the "abusive government" I'd arrest the sender, torture them for the key, then kill them. Problem solved.

      I doubt Amnesty International uses PGP for this very reason. Steganography is much better suited to this sort of application. As long as you don't do stupid things like email the same penguin.jpg back and forth it is much less obvious you are trying to hide something.

      Then again AI is a bunch of liberal thugs who think they are smarter and better than *everyone* so they might just be that stupid.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    6. Re:High Profile Use Case by Elwood+P+Dowd · · Score: 2

      I know there have been a couple cases where people have used PGP to encrypt files to protect them from subpoena or prying employers. Unfortunately, the only cases I can think of are the subpoena to Kevin Mitnick, and the Hotline Communications fiasco. In both cases, the use of PGP was to thwart execution of the law. In my opinion, the laws were applied badly, but that doesn't make PGP look good to a lay person.

      --

      There are no trails. There are no trees out here.
    7. Re:High Profile Use Case by decesare · · Score: 1

      PGP encryption could use a nice high profile use case where its use...

      I think that the best use case that would forward the cause of encryption in general (not just PGP in particular) will more likely come from a "not use" case, where perhaps sensitive, unencrypted corporate data (e.g. a contract in MS Word format, financial results, etc.) is either intercepted or copied from the sender or receiver computers. Right now, computer security simply is not taken seriously enough in most companies to warrant spending the money/time/etc. for PGP or any other encryption product.

    8. Re:High Profile Use Case by child_of_mercy · · Score: 2

      EASILY decoded is the point.

      With enough time and effort a Government should be able to brute force a key.

      But it's a lot of time and effort and even the US government can't go breaking all of them.

      govt's would certainly prefer everything was sent in easy-to-read ASCII

      --
      'There is a Light that never goes out.'
    9. Re:High Profile Use Case by wirelessbuzzers · · Score: 1

      no. The emails would be sent anonymously, or by a foreign reporter who is suspect anyway, but the issue is that witnesses might be mentioned in the body of the email, and contact information for them. That way, Amnesty can get first-hand information. Cryptography would be useful here to keep the government from going down your witness list and killing every one of them. This is all speculation, I am not an amnesty operative. And if I were, I wouldn't tell you :-P

      --
      I hereby place the above post in the public domain.
  7. PGP is a joke by Dwonis · · Score: 3, Insightful

    Who cares? I stopped taking PGP seriously when NAI decided to stop releasing source code and expected me to 'just trust them' instead. Any crypto company that does that obviously knows nothing about security.

    1. Re:PGP is a joke by Anonymous Coward · · Score: 0
      Any crypto company that does that obviously knows nothing about security.

      And you do I suppose!

      I had a look at your website and I would strongly recommend that you get your mommy to hit you very, very hard with a Cluestick(tm) before you go to bed tonight!

      For fuck's sake: A business card with a public key printed on it. If any sorry-assed geek handed me one of those I'd shove it up his nose.

    2. Re:PGP is a joke by Anonymous Coward · · Score: 0
    3. Re:PGP is a joke by marktwen · · Score: 1

      Hey, Dwayne -- That business card is pretty cool. What do all those parameters mean? (I'm still basically clueless about sec, 'cept what was in Cryptonomicon.) :)

    4. Re:PGP is a joke by Anonymous Coward · · Score: 0

      Oh, knock it off. You did *not* read the source in each release.

    5. Re:PGP is a joke by Dwonis · · Score: 2
      And you do I suppose!

      Well I'm hardly an expert (I can deploy crypto, but I wouldn't be comfortable implementing it), but I do know enough about crypto to know that there's a lot of snake oil out there, and that it's easy to accidentally (or deliberately) leak bits.

      Since I'm not a crypto expert (or an expert in reading disassembly) it's even more important to me that as many people as possible who do know what they are doing are able to look at the source without too much trouble.

      I had a look at your website and I would strongly recommend that you get your mommy to hit you very, very hard with a Cluestick(tm) before you go to bed tonight!

      I'm well aware that my website sucks.

      For fuck's sake: A business card with a public key printed on it. If any sorry-assed geek handed me one of those I'd shove it up his nose.

      It's to promote awareness of security issues. Besides, business people are amazed by 'cool tech stuff' they don't understand, and security people have a use for this information.

    6. Re:PGP is a joke by Dwonis · · Score: 2
        • ID: The unique ID of my PGP key
        • Type: The crypto algorithm this key is used for
        • Length: How long the key is
        • Fingerprint: Kinda like a hash of the key itself

      When you get my public key from the key servers (using the ID), you can check it against all these parameters to make sure the key you just got is actually my key.
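
The check described in the comment above, as an added example that is not part of the original thread: it derives type, length, ID and fingerprint from a version 4 OpenPGP public-key packet body (fingerprint rule from RFC 4880) and compares them with the values printed on a card. The function names, the `CARD` layout and the sample key material are assumptions constructed for the illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Public-key algorithm id -> (name, number of MPIs in the key material)
ALGORITHMS = {1: ("RSA", 2), 16: ("Elgamal", 3), 17: ("DSA", 4)}


@dataclass
class KeyInfo:
    key_type: str
    bits: int
    fingerprint: str  # 40 hex digits
    key_id: str       # low 64 bits of the fingerprint, 16 hex digits


def read_mpi(buf, pos):
    """Read one multiprecision integer: 2-byte bit count, then the value."""
    if pos + 2 > len(buf):
        raise ValueError("truncated MPI header")
    (bit_count,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + (bit_count + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    value = int.from_bytes(buf[pos + 2:end], "big")
    if value.bit_length() != bit_count:
        raise ValueError("MPI bit count does not match its value")
    return value, end


def describe_key(body):
    """Derive the card parameters from a v4 public-key packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only version 4 public-key packets are handled")
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a 2-byte length")
    algo = body[5]  # bytes 1..4 are the creation time
    if algo not in ALGORITHMS:
        raise ValueError("unsupported public-key algorithm %d" % algo)
    name, mpi_count = ALGORITHMS[algo]
    pos, mpis = 6, []
    for _ in range(mpi_count):
        value, pos = read_mpi(body, pos)
        mpis.append(value)
    if pos != len(body):
        raise ValueError("trailing bytes after key material")
    # v4 fingerprint: SHA-1 over 0x99, 2-byte body length, then the body.
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    fingerprint = digest.hexdigest().upper()
    # Key length is the size of the first MPI (RSA modulus, or prime p).
    return KeyInfo(name, mpis[0].bit_length(), fingerprint, fingerprint[-16:])


def mismatches(body, card):
    """Return the names of the card parameters the fetched key fails."""
    info = describe_key(body)
    card_id = card["id"].upper()
    if len(card_id) not in (8, 16):
        raise ValueError("card ID must be 8 or 16 hex digits")
    checks = {
        "id": info.key_id.endswith(card_id),
        "type": info.key_type == card["type"],
        "length": info.bits == card["length"],
        "fingerprint":
            info.fingerprint == card["fingerprint"].replace(" ", "").upper(),
    }
    return [name for name, ok in checks.items() if not ok]


def build_rsa_body(n, e, created):
    """Build a v4 RSA public-key packet body (used for the sample data)."""
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes(
            (x.bit_length() + 7) // 8, "big")
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


# Constructed sample data: a 1024-bit odd integer, not a usable RSA modulus.
SAMPLE_N = (1 << 1023) | 0x0123456789ABCDEF01
GENUINE = build_rsa_body(SAMPLE_N, 65537, 1000000000)
# A different key of the same type and length, as a substituted key would be.
IMPOSTOR = build_rsa_body(SAMPLE_N + 2, 65537, 1000000000)

genuine_info = describe_key(GENUINE)
# The card as it would be printed: short ID, type, length, grouped fingerprint.
CARD = {
    "id": genuine_info.key_id[-8:],
    "type": "RSA",
    "length": 1024,
    "fingerprint": " ".join(genuine_info.fingerprint[i:i + 4]
                            for i in range(0, 40, 4)),
}

if __name__ == "__main__":
    print("genuine key :", mismatches(GENUINE, CARD) or "all parameters match")
    print("impostor key:", mismatches(IMPOSTOR, CARD))
```

Type and length match for any key generated with the same settings, so the fingerprint comparison is the one that ties the fetched key to the card.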

  8. What difference will it make? by maelstrom · · Score: 5, Funny
    It's not like there is highspread usage of PGP/GPG anyway. I have been trying to use PGP ever since Phil Zimmermann was still coding on it himself, but I've never been able to convince any of my friends to use it often enough to make it useful.

    I'm glad the option is there, and I know it's done a lot of good in a lot of places, but even using e-mail encryption automatically draws attention to yourself. It would be far better if everyone used it for every e-mail they sent. It would be great if keysigning and verification was a normal event in meatspace, but it just isn't to be. How is it that SSH and OpenSSH became so widespread but PGP and GPG haven't?

    I think it's because PGP and GPG have such a sucky interface. It takes me forever to read the manual every time, and the integration with current mail programs sucks! Evolution seems to be fixing this and I know mutt and pine can support it, but it's just too much work to setup if no one else you e-mail can do it too!

    Is there any hope? I'd like to think so, but only if it becomes the default in hotmail and MS Outlook will it become widespread, and what are the odds of that? *sigh*

    --
    The more you know, the less you understand.
    1. Re:What difference will it make? by flipflapflopflup · · Score: 2, Interesting

      At work, we are generally required to use PGP for *all* project related email, it's usually in the contract with the client. We use PGP 7, which, 99% of the time, works flawlessly with MS Outlook when installed properly.

      The problem comes when the person at the other end doesn't grasp public key encryption - which still seems a sticking point for a lot of people. Maybe they should teach it at High school?

    2. Re:What difference will it make? by Boiling_point_ · · Score: 5, Insightful
      Is there any hope? I'd like to think so, but only if it becomes the default in hotmail and MS Outlook will it become widespread, and what are the odds of that?

      That's the trouble with encryption, and security in general. It takes effort to be secure. You can trust an algorithm with your life, but do you trust the piece of software you installed on the computer you assembled out of parts you bought off the shelf? Sadly, strong encryption built as a default into something like Outlook might cause more trouble than its worth, in misplaced trust.

      Most Outlook users wouldn't know how to tell if their private key had been compromised by some email malware. If they're using email for tasks that SHOULD be kept private because they trust that Outlook will make it safe, then where will we be?

      --
      "If you create user accounts, by default, they will have an account type of Administrator with no password." KB Q293834
    3. Re:What difference will it make? by Stigmata669 · · Score: 2, Interesting

      "and the integration with current mail programs sucks! " Think Hushmail. Encryption standard web based email system.

      --
      Yawn.
    4. Re:What difference will it make? by Foxman98 · · Score: 3, Insightful

      Can't agree with you more. I setup PGP/GPG for myself at one point in the past. Fact of the matter is, hardly anyone uses it. The reason for this? Simple - the average e-mail user is not aware of how open their e-mail really is. I remember explaining to a co-worker that their e-mail was readable to anyone in the world who really wanted to. After explaining this fact (the whole "don't write anything you wouldn't write on a postcard" theory) they still didn't seem to "get it". So I decided to show them. I had them send a message to another co-worker while dsniff was watching their machine. Should've seen the look on their face when they saw the e-mail displayed on my terminal. Point is - average user hears about, and knows that e-mail isn't entirely secure, but I don't think they realize just a) how insecure it is and b) how easy (and illegal) it can be to sniff it.

      --
      S.t.e.v.e.
    5. Re:What difference will it make? by maelstrom · · Score: 2
      That's the trouble with encryption, and security in general. It takes effort to be secure.

      Agreed 100%, but generally I can sit down at a default install of Red Hat and know that I've got a cryptographically secure /dev/random, and a port of OpenSSH sitting right there waiting for me to use. It's cake to enable an ssh server, allowing remote access and file transfers.

      All the normal user has to do to increase security over telnet is type ssh instead of telnet. E-mail needs to be the same way! They should just have to click one button and be more secure. Yes, this gives some illusions, but if we can make e-mail slightly more private from prying eyes it is worth it to me.

      I'd have a hard time trusting my life to any software at all, but I'd have no problem trusting that encryption would at least keep a prying sysadmin out of my email! :)

      --
      The more you know, the less you understand.
    6. Re:What difference will it make? by torinth · · Score: 1

      I think it's because PGP and GPG have such a sucky interface. It takes me forever to read the manual every time, and the integration with current mail programs sucks! Evolution seems to be fixing this and I know mutt and pine can support it, but it's just too much work to setup if no one else you e-mail can do it too!

      If you really think so, take a look at Cypherus by APMSafe.com. We designed it to be really easy to use, for exactly that reason. Granted, it's currently Windows-only, and closed-source, but I imagine that works for a lot of people. When I was still working there, we did a whole lot of work with Windows internal stuff to be able to get it integrated into everything from your desktop, to Eudora and Outlook, to even Outlook Express (which we didn't even think was possible, at first). Check it out.

      -Andrew

    7. Re:What difference will it make? by Dr_Claw · · Score: 3, Interesting
      That's the trouble with encryption, and security in general. It takes effort to be secure.

      Absolutely. There are two huge problems. Firstly, it's easy to use things like PGP and set things up so that it's easily crackable. That requires knowledge (at all levels, from something as simple as making sure your private keys are only accessible by you, to the code using decent random generators).

      Secondly, you have to care about being secure all the time. One lapse and you're wide open. This is an even bigger sticking point for the masses. Just the other day I was ranting about certain programs (I won't go into which ones here), and for each one of my main reasons for not using them was security or privacy concerns. The person I was trying to convince noticed that and basically asked why that was a big deal. This kind of took me by surprise, and so I did a quick poll of other reasonably computer literate friends (they would all know about PGP for example). Sure enough, most of them do not care if files on their computer can be read, so long as damage isn't done to the PC, etc, etc. I don't understand it, but it appears people are like that.

      One random thought is that really email could do with a big overhaul. SMTP, email format, all kinds of aspects. Building encryption and authentication into that from the start would make things a hell of a lot cleaner and help make the above problems less of an issue. But sadly I think I'm dreaming that that will happen any time soon.

    8. Re:What difference will it make? by EllisDees · · Score: 2

      I think it's because PGP and GPG have such a sucky interface. It takes me forever to read the manual every time, and the integration with current mail programs sucks!

      Have you tried Evolution yet? It integrates as seamlessly with GPG as PGP does with Outlook. All you have to do is type in your passphrase after you hit 'send'.

      --
      -- Give me ambiguity or give me something else!
    9. Re:What difference will it make? by mhyclak · · Score: 1

      I don't think it's really that difficult to integrate into mutt. You just source the gpg.rc file that comes with the distribution in your .muttrc and voila, it just works. I've customized my muttrc a bit even to sign+encrypt to people whose keys I know I have, and just sign everything else. The "Well no one else does it, so it's pointless for me to do it" attitude will never help get widespread use. I say use it every day, all the time, and maybe your family and friends will get sick of getting strangely formatted messages and ask you to help them set things up on their end! This has got to be a team effort.

    10. Re:What difference will it make? by maelstrom · · Score: 2
      Yes, I have and I even mentioned it in my post :) However easy it is integrated, it doesn't solve the problem of initially generating the key, figuring out how to extract your public key into text, giving the right key to someone else, getting their key, figuring out how to put it into your keyring, etc, etc. :)

      There's a program called sea-horse that I've tried that provides a very minimal gui frontend for gpg, but like I said, not worth the effort for me to use it yet, but here's hoping!

      --
      The more you know, the less you understand.
    11. Re:What difference will it make? by sharkey · · Score: 2

      Most Outlook users wouldn't know how to tell if their private key had been compromised by some email malware.

      Malware like Outlook, for example?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    12. Re:What difference will it make? by Glytch · · Score: 2

      Hushmail is a joke at best, and a scam at worst. For god's sake, they store the secret keys right alongside the public keys, on their own servers! Stupid stupid stupid.

      Then there's the fucking hushtools.com site (which I've tried under about four dozen different combinations of browsers and java runtimes under Windows 98 and Linux) which has never worked for me, so I can't even get the public keys of hushmail users! If I can't get the damn public key, what's the point?

      I don't know what Hushmail is trying to pull, but they're definitely incompetent. Perhaps deliberately so. If someone's got the CPU power to run a java runtime (pretty much any commodity PC made in the past 6 years) they've got the CPU to run PGP or GPG.

      About the only use I can think of for Hushmail is for other people to not know that you use PGP if your computers are ever confiscated. Although, even then, it's easy to fit GPG on a floppy.

    13. Re:What difference will it make? by rasjani · · Score: 2
      Yep, you got a point, and do you know what's the other deal that people resent when it comes to encryption? It's the faulty behaviour in Outlook Express (might be Outlook too, don't know really).

      When I even sign my mail with gpg in Evolution, my mail looks like an attachment in OE because it cannot handle the "unknown" MIME headers. I communicate a lot by email in the company where I work and use gpg, and there have been a lot of complaints when people can't reply to my mails because the body of my own email is readable only in Notepad (yeah, like they give a fuck about correct quoting..). One moron who had installed some bizarre movie player tried to open my mail in it because OE was suggesting it. Can't believe the look on my face when he dropped by my cubicle to ask what the video was about that I sent him.

      Anyway, GPG integration in Evolution can't get simpler. Well, it can if it would integrate key generation and key imports, but signing and encryption are working totally transparently. You just enter your public key id into account settings and voilà.

      --
      yush
    14. Re:What difference will it make? by NutscrapeSucks · · Score: 2

      Try the built-in SMIME tools in Outlook, and then get back to us about how "flawless" PGP is...

      PGP's Outlook Plugin sorta works, sure, but it tends to bork on HTML mail and attachments, doesn't prove UI information about encryption/signing, and requires all sorts of external windows to pop-up, produces weird error messages, and sometimes just goes south for no reason.

      Woefully, this is as good as it gets for PGP (at least on Windows), which is probably a big reason it never really caught on. And this is from someone who really wanted to use it and just got sick of all the bugs.

      In my experience, when you have seamlessly integrated encryption (like SMIME in Outlook or the Lotus Notes stuff), even the lusers start to use it with glee.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    15. Re:What difference will it make? by redcliffe · · Score: 2

      Well KMail handles it all beautifully. I generated my key once, and uploaded it to a keyserver. Since then everything I do with GPG is handled by KMail with no problems whatsoever. In fact in the new version of KMail, if it can find a key for the person you are emailing it will encrypt it by default.

      David

    16. Re:What difference will it make? by Anonymous Coward · · Score: 0

      > Granted, it's currently Windows-only, and closed-source, but I imagine that works for alot of people.

      The sticker will be closed-source, not Windows-only. Closed source in an encryption program is saying "Just trust me.", and many folks will want to be able to inspect that source for backdoors or security coding errors - or know that others can do so.

    17. Re:What difference will it make? by Anonymous Coward · · Score: 0

      > I say use it every day, all the time, and maybe your family and friends will get sick of getting strangely formatted messages and ask you to help them set things up on their end!

      ...or maybe your friends and family will get sick of asking you not to send those strangely formatted messages to them and start throwing away your email.

  9. Encryption Crackdown? by flipflapflopflup · · Score: 4, Interesting

    Maybe it smells a bit of conspiracy theory, but this article at The Register opens the floor to the idea that NAI's decision isn't entirely due to commercial factors, and in fact looks a bit "fishy".

    Quite an interesting point - why would they give up on such a good product like this? And who could gain from them giving up a product like this?

    1. Re:Encryption Crackdown? by Mr.Intel · · Score: 1

      Heh. I submitted that article yesterday afternoon as the story. I think it is a lot more interesting than the nwfusion one even if it is light on facts. NAI's homepage has absolutely zero on this development. Even the PGP product page is blatantly small on details. PGP had the potential to revolutionize e-mail and digital signatures as a whole. Too bad corporate America drove another fine product into the ground again.

      --
      ASCII tastes bad dude.
      Binary it is then.
    2. Re:Encryption Crackdown? by jonerik · · Score: 1

      Yeah, I submitted this the other day, too, and also found the Register version more interesting. And they bring up a good point about the timing. Is NAI scared of the possibility of one of its products being linked to terrorism? Or have they crunched the numbers and determined that making software for building a police state is more profitable than making software that can prevent one?

  10. laid off by mlong · · Score: 1, Offtopic

    Thank goodness they laid off 18 works and not 18 workers.

    --
    //m
  11. Better deal? by Mattygfunk · · Score: 2
    NAI is no longer actively trying to sell the product lines, she said, because it was unable to find a buyer who made an appealing enough offer.

    If they aren't going to actively try and sell the product, how is this a better deal than taking the less appealing offer?

    1. Re:Better deal? by Xilman · · Score: 1

      Read further down. NAI want to ensure that anyone who does buy it, doesn't lock them (NAI) out of future developments because PGP technology is used in other NAI products.

      Selling to someone who goes on to screw your other products is markedly worse than maintaining the status quo.

      Paul

      --
      Lasciate ogne speranza, voi ch'intrate
  12. PGP app user interface by throwaway18 · · Score: 3, Interesting

    I've been an occasional user of PGP for years, first the DOS client then GPG on Linux.

    A friend of mine tried to use the freeware NA Windows version. He's a typical Windows user and won't read instructions. After giving him a five minute talk saying "Other people use your public key to write messages to you, only you can read the message with your private key etc". Days later I call in at his house and he had not managed to use it. The user interface was horrible. Despite having used command line PGP for years and having a quick look at the help I couldn't find his keyring or work out how to use it from a quick look at the menus.

    I can't imagine what the staff working on PGP were doing, certainly not usability.

    There were three background processes running on his already unstable Win98 machine popping up boxes demanding he type in his details and register. I think he reinstalled Windows in the end. People who use PGP are generally a bit paranoid; annoying them by trying to make them register seems pointless.

    1. Re:PGP app user interface by OS24Ever · · Score: 2

      I installed it on a Windows 98 box (before converting my main desktop to Linux and using GPG).

      It started locking up randomly quite often. The common denominator was that I installed PGP. Un-installing PGP it stopped locking up. I hadn't tried it again.

      Don't know what the deal was. Have not yet tried it again. I'd like to get it on my wife's XP Box but I haven't spent the effort as of yet.

      --

      As a rock-in-roll Physicist once said, No matter where you go, there you are.

  13. The real pity of this by jht · · Score: 2, Troll

    PGP Desktop is a well-integrated application that has a nice file protection app (PGP disk), makes PGP signing your mail a lot easier (it integrates to most e-mail clients I've used), has a good IPSec VPN component, and runs on Mac and Windows (1 more platform than most products do, though there's no Linux desktop version). NAI never did a very good job of selling the product, though - it was always one of those "semi-orphan" packages. NAI couldn't figure out if it was meant to be a business package or a home use package, and pricing was never set in stone.

    Ironically, it's probably an easier sell now than it's ever been, given that organizations are finally getting a little more security-conscious.

    GPG is probably the best hope for a cross-platform replacement, but there's still a need for better snazzy front-ends on most platforms (I'm using it on MacOS X) to help Joe Average, and there's no easy PGP VPN or PGP Disk equivalent.

    NAI - if anyone's listening, why not re-open the PGP codebase and let the marketplace solve the problem? Nobody wants to buy it, you don't want to sell it, so give it away!

    --
    -- Josh Turiel
    "2. Do not eat iPod Shuffle."
  14. Email Integration with GnuPG by Dimwit · · Score: 5, Informative

    First, some kudos to the GnuPG team. I think this is one example of free software really taking over a given market. I only know of one person who uses the commercial version of PGP, and that's because his job requires it. Everyone else I know uses GPG.

    Now:

    For those of you lucky enough to be using MacOS X (go ahead and flame me - I've been using Unix for ten years, and MacOS X rox my sox), just grab a copy of GnuPG from Fink and install GnuPG.

    After that, grab a copy of PGPMail from Sente, and use the easy, one-drag install. It's still in beta, but it's damn nice integration.

    For reference, I'm running MacOS X 10.1.3. When I send an email to someone whose public key is in my keyring, I just click the button "Encrypt" before I click send. Voila. When I receive something encrypted, I have the option of having it automatically decrypt, or I just click "decrypt" in the toolbar. Very nice.

    --
    ...but it's being eaten...by some...Linux or something...
    1. Re:Email Integration with GnuPG by cmason · · Score: 2, Informative
      The email client Mulberry also has the ability to automatically encrypt, sign and decrypt, and has for some time now.

      Check it out at http://www.cyrusoft.com/mulberry/. It is payware, but it's a damn nice email client. Works on Windows, Mac, MacOS X, Linux, and, I believe, Solaris.

      -c

      --
      "If you are an idealist it doesn't matter what you do or what goes on around you, because it isn't real anyway."-R.P.W.
    2. Re:Email Integration with GnuPG by Random+Walk · · Score: 3, Interesting
      Sylpheed has good support for GnuPG, and is my favourite MUA on Linux.

      The drawback is: I would very much like to use the same e-mail client on Linux and Windows, but sylpheed is only theoretically cross-platform. On ftp.gnupg.org, there is a w32 build of sylpheed 0.4.60 which is buggy like hell, and I have no idea how it was compiled (otherwise I would rebuild a newer version).

    3. Re:Email Integration with GnuPG by lewp · · Score: 1

      Writing to support e-mail gets replies from the program's author, too. Mulberry is the only GUI mail client that could get me to stop SSH'ing into my mail server to use mutt :). Of course I still wish I could integrate gvim into it as my e-mail editor, but Mulberry does a pretty good job on its own.

      PGP/GPG plugin is an extra $4. I've considered buying it a few times, especially since I managed to screw up and install it on my desktop when I was installing the SSL plugin and I get a nag screen.

      --
      Game... blouses.
  15. Fatal Mistakes.... by CDWert · · Score: 3, Interesting

    Network Associates made a fatal mistake in my opinion, that singularly was to believe people are smart enough to ACTUALLY KNOW they need encryption.

    People in general, I'm not talking Slashdot techno geeks, have NO clue WHATSOEVER that information can be snatched from the net. I have told people they have mail bouncing only to see them freak and become accusatory: HOW do You KNOW?? You mean You could READ IT? Blah Blah Blah. I look at 'em and say yeah, but to be honest I could give a crap less what you write and to who. That usually tones 'em down a notch.

    BUT back to the point: if someone doesn't KNOW there is a NEED then there is NO market for the product. If people don't buy it because they don't know there is a need, can you blame 'em? If someone tried to sell you, say, an under-the-desk testicle shield for radiological effects from monitor transmission, would you buy it? A few would, but most no. WHY? Because if there is no problem, the product COMPLETELY loses its perceived value.

    Now, that said they are in a bad market to try and pitch the inherent Insecurity of networks, being Network Associates and all...

    --
    Sig went tro...aahemmm.....fishing........
    1. Re:Fatal Mistakes.... by Bloody+Bastard · · Score: 1

      People just don't know posting emails is almost like posting a letter in a transparent envelope... everybody from your neighbor to the postman may read it, if they want to.

    2. Re:Fatal Mistakes.... by Anonymous Coward · · Score: 0

      People in general, I'm not talking Slashdot techno geeks, have NO clue WHATSOEVER that information can be snatched from the net.

      Most people I've talked to know this, they just don't understand that encryption can stop it. "I'm not sending my CCN over the internet." "But, it's https..."

    3. Re:Fatal Mistakes.... by Pfhreakaz0id · · Score: 2

      I tell my wife this all the time when she writes something not too smart from her work email (like bitching about her boss). Forget packet sniffing, if you think your sysadmin never gets bored and starts reading people's mail, you have much better faith in human nature than I do. I KNOW a sysadmin at a former company read mail. I caught him doing it.

    4. Re:Fatal Mistakes.... by Xofer+D · · Score: 2
      Never mind their bad marketing; lots of companies do that and still succeed. NAI consistently damaged their product - it's like anti-marketing.

      At one point, (about Summer 2000) NAI was still selling a decent product for about $70. It was a suite that contained a PGP encryptor/decryptor, a keyring application, and an IPSEC implementation. Everything you need, right?

      So NAI split up the bundle, and upped the price on BOTH the parts so it would cost the user about $200 to get the functionality of the old version. I could understand selling the VPN separately from the keychain, but only if both fragments cost less.

      I'm not a conspiracy theorist. I don't think this was some scam to play onto Ashcroft's nice list. I merely think that there's at least one suit near the top of NAI who isn't that interested; funding cuts, perhaps inadequate time spent considering marketing, you could see how this might go.

      In the end, I suspect I hope in vain that NAI will give away the codebase when they stop support. They'll probably say something about "protecting shareholder value" by hanging onto the IP forever "in case" they could sell the increasingly outdated software for more than it's worth.

      --
      The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
  16. Encryption and open source by pinkUZI · · Score: 5, Interesting

    Encryption is one of those things that goes really well with open source. PGP started out as Philip Zimmermann's free and open project which he released with a written warning against software that locked away its source code and algorithms. This makes it a little difficult to go back to closed source and proprietary encryption methods. The internet community's love affair with PGP was broken when Phil quit working with Network Associates. The trust wasn't with PGP alone, it was with Phil heading up PGP's development that drew the trust of us all.
    So, it's not too surprising that Network Associates is having a little trouble trying to pawn off a product that has no market.

    Exit PGP, enter GnuPG.

    --
    You are receiving this message because your browser supports Slashdot Sigs and you have Slashdot Sigs enabled.
  17. Smartcard support by nakhla · · Score: 4, Informative

    One of the coolest things about the latest version of PGP (Corporate Desktop, I believe) is its support for smartcards. I have a Rainbow iKey, but it's pretty much useless for personal use because I don't have a certificate compatible with the device. With the newest version of PGP I could store PGP certs/keys on my iKey. It would be great if this kind of support was built into GnuPG. I'd LOVE to be able to use my iKey for PGP on Linux or for token-based authentication.

  18. Wow, useful information on Slashdot by ShavenYak · · Score: 2, Interesting

    I work for a small HMO, and we are one of the insurance options for Federal Government employees in our state. *All* data that goes back and forth between us and the Feds is supposed to be encrypted with PGP. They even specify which PGP version we are supposed to use.

    It will be interesting to see what happens now. I wonder if they will consider using GPG eventually?

    --

    Hey kids, there's only 5 days left 'til Yak Shaving Day!
    1. Re:Wow, useful information on Slashdot by SpaceLifeForm · · Score: 1

      And which version do they specify that you use?

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    2. Re:Wow, useful information on Slashdot by ShavenYak · · Score: 1

      And which version do they specify that you use?

      PGP Desktop Security Version 7.0, although they may have recently specified that 7.1 is acceptable as well.

      --

      Hey kids, there's only 5 days left 'til Yak Shaving Day!
    3. Re:Wow, useful information on Slashdot by SpaceLifeForm · · Score: 1
      I figured as much. Anything over 6.5.8 can't be trusted. Even the NAI version of 6.5.8 had/has a security hole. You can trust the CKT 6.5.8 version IMHO.

      It all fits from a conspiracy POV though. NAI takes over PGP, adds stuff[1], gubmint requires versions with stuff[1], PRZ resigns. Everyone[2] becomes suspicious and sales fall. Now NAI mothballs it effectively keeping the tool out of the hands of the computer novices. From the gubmints POV, you could not ask for more.

      [1] - Use your imagination
      [2] - Those that care

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  19. Encryption and the masses by EschewObfuscation · · Score: 5, Insightful

    There are, IMHO, two things that keep the average email user from using encryption:

    First, it has to be absolutely transparent. It can't put more of an overhead on a standard email send-and-receive than already exists. Key management would have to become at least as easy as address book management (say, having addresses and keys automatically integrated into your keyring). While this would present a security hole, most users aren't going to want to go and verify keys. They're also not going to want to type their password every time they send an email. Most users of apps like Outlook just store their passwords on their PCs anyway, because they can't be bothered logging in once per session (ever deal with someone who didn't remember their password because they never type it in anymore?). IIRC, PGP had several of these features, but with some apps you still had to encrypt to the clipboard and then paste the encrypted message back into your document.

    Second, to even get people to do this minimum, and to demand it in products, they have to see the need for it. Phil put it best, I think, when he drew an analogy in the docs for PGP. I can't remember the exact wording, but it was something along the lines of "So you're not saying anything illegal. What would you think if the government outlawed envelopes, and all mail had to be sent on postcards?"

    Most people don't believe how easy it is to read email, because they have no idea how to go about it. Instead, they shrug and say that they don't care. If instead you ask them how they'd feel about having all of their corporate correspondence and private letters going out on postcards, they'd think twice, and (hopefully) bite the bullet and start using something like PGP. There can be a huge market for applications like PGP, but it has to be sold to people with the right message, and it has to, even at the expense of some security (and yes, I realize the implications of that, and know the argument that no security is better than flawed security), be easy to use.

    --

    (email addr is at acm, not mca)
    We are Number One. All others are Number Two, or lower.
    --The Sphinx
    1. Re:Encryption and the masses by hany · · Score: 1
      Either masses really want security or they do not.

      In the first case (they want security/privacy/...) they have to learn something. Without some knowledge and good usage habits encryption is meaningless exercise/overhead (at least for them, but maybe also obstacles for those who care).

      And in second case (they do not want it) they have what they wanted: easy, careless life with all the consequences.

      But maybe we can live even with poorly used encryption on massive scale - all we need is just "do not trust that key" and "do not trust that key signer" by default and be aware of warnings from encryption backend (i.e. assumption "it is encrypted/signed" should be clearly distinguished from "it is encrypted/signed by TRUSTED entity").

      --
      hany
    2. Re:Encryption and the masses by EschewObfuscation · · Score: 2

      What I'm saying, though (and you're right) is that it would take a campaign in the office along the lines of "You know, every 17 year old intern we have working in IT can read every email you send if you don't use encryption" or "Your bounced message to Mr Smith dealing with your weekend in the country ended up in my account. Maybe you got his address wrong?"

      Maybe that's a little too in-your-face (and, depending on the company, might get people fired), but it will bring the subject home to people in a way they can understand. It's better than explaining about packet sniffing and other things that make people's eyes glaze over (like Carnivore).

      Scare people with a dose of reality. Make it easy to use. They'll begin to understand, and start using encryption. After that, they'll be more ready to adopt stronger techniques.

      --

      (email addr is at acm, not mca)
      We are Number One. All others are Number Two, or lower.
      --The Sphinx
    3. Re:Encryption and the masses by Xofer+D · · Score: 3, Insightful
      I know I've been looking for a mail app with just these features that runs on Windows (and hopefully Linux too). I'm a competent Linux and Windows user, and I have no trouble using PGP on Windows with my Mozilla mailer. On Linux, it takes me significant time to copy and paste together an encrypted - or even just signed - message.

      I don't think that there's a good reason to think that making PGP easier to apply to email would make it less secure:

      • Taking the PGP model as an example, we could simply bind a hotkey to the copy-EncryptClipBoard-paste operation.
      • Alternately, we could modify our mailers to include "encrypt" and "sign" buttons right next to the "send" button.
      • The problem with authentication could be solved by an icon displaying the level of trust the user may place in the key - highest if the user has typed it in manually and has explicitly indicated trust, lower for implicit trust, and very low for automatically found keys
      • There are already public key databases (which the NAI PGP client hooks into, I might add) which could be queried to decrypt or check signatures (see above re: trust levels) automatically. Making this transparent would significantly aid the spread of PGP use.
      As you can probably tell, I feel kind of strongly about this - I even convinced my mother to use the PGP suite (although it turned out that the old version I gave her crashes her Win2k machine). I'd seriously consider working on the project, but I know I couldn't do it alone, and there are limited numbers of free choices for Windows (which I think it's crucial to get this working on). This is something I'd love to see integrated into the Mozilla mailer, but I don't want to suggest it while they're bug-hunting for 1.0!

      I'd love to hear advice as to how I can help this to happen, or find it already sitting around.

      --
      The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
    4. Re:Encryption and the masses by stapedium · · Score: 3, Interesting

      The problem with Phil's analogy to e-mail being like a postcard is that 99% of the time I use e-mail I would have no problem putting on a post card. And for the 1% of stuff I wouldn't normally put on a postcard...well, I'm just too lazy to set it up on every machine I use to send e-mail and convince all my contacts to use it and manage keys for everyone I send e-mail to, and end up revoking and re-exchanging keys every time someone on a Win9X lets another person have physical access to their machine. This was the whole problem with the web of trust concept in the first place. The complexity of managing your trusted contacts (revoking certs, multiple certs for a contact, keeping your cert with you at all times) grows exponentially (or maybe worse).

      Besides, if 99.9% of the mail coming into my mailbox at home was postcards, I would probably send more postcards and not worry about it. The whole reason the postcard argument works is not real concern for privacy, but comfort with cultural customs. This is also why secure e-mail will never catch on for Junior sending a message to grandma. Where it will and has caught on is in security-conscious businesses such as medical records, where encryption of electronic correspondence with patients is now required by law (do a search for HIPAA to see all the headaches this is causing).

    5. Re:Encryption and the masses by DrXym · · Score: 4, Informative
      Actually there are several straightforward ways to get encryption to the masses without requiring them to think about whether they need it much.
      1. Use Plain English to describe encryption. Make analogies to envelopes and stuff. Don't blabber on about S/MIME or other gibberish.
      2. Integrate encryption into the mail program. Seamlessly and visibly. S/MIME support in most email programs is too complicated.
      3. Make generating a key easy, a question while setting up an account. None of the current rigmarole of having to give your life history to Verisign or whoever for some worthless uncertified key which expires in 6 months.
      4. Make key exchange on by default. Automatically insert a X-pgp-key-id header or somesuch into each mail sent out. Scan for this header in received mail and add to the address book entry by default.
      5. Make encryption the default behaviour when you have the key for someone you're sending to.
      6. Encourage e-tailers such as Amazon to put a "Encrypt your order details" checkbox on their order screens.

      Most people would happily use encryption if it happened automatically and painlessly. The current problems arise because PGP is not integrated and S/Mime frankly sucks, having an overly complicated UI, difficulty getting a key and is dog slow to boot.
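
Added example (not part of the thread and not taken from any mail client): a Python model of the header-based key exchange proposed in point 4 of the comment above, combined with the trust levels suggested earlier in the thread. `X-pgp-key-id` is the poster's hypothetical header name; the `Keyring` class, the trust names and the sample messages are assumptions constructed here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from enum import IntEnum

# OpenPGP key IDs are 64 bits; the short form shows only the low 32 bits.
KEY_ID_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]{16}|[0-9A-Fa-f]{8})$")


def normalize(key_id):
    """Return the key ID as upper-case hex without '0x', or None if malformed."""
    match = KEY_ID_RE.match(key_id.strip())
    return match.group(1).upper() if match else None


class Trust(IntEnum):
    AUTO = 1      # harvested from a header; nothing ties it to the real sender
    IMPLICIT = 2  # user accepted the key without checking its fingerprint
    VERIFIED = 3  # user checked the fingerprint out of band


class Keyring:
    def __init__(self):
        self.keys = {}      # address -> (key_id, Trust)
        self.warnings = []  # text the mail client should surface to the user

    def add_manual(self, address, key_id, trust=Trust.VERIFIED):
        key_id = normalize(key_id)
        if key_id is None:
            raise ValueError("malformed key ID")
        self.keys[address.lower()] = (key_id, trust)

    def learn_from_message(self, raw_message):
        """Harvest the hypothetical X-pgp-key-id header from received mail."""
        msg = message_from_string(raw_message)
        address = parseaddr(msg.get("From", ""))[1].lower()
        key_id = normalize(msg.get("X-pgp-key-id", ""))
        if not address or key_id is None:
            return "ignored"
        known = self.keys.get(address)
        if known is None:
            self.keys[address] = (key_id, Trust.AUTO)
            return "learned"
        if known[0] == key_id:
            return "unchanged"
        # From: and X- headers are unauthenticated, so a changed key ID is
        # always reported and never overrides a key the user vouched for.
        self.warnings.append(
            f"{address}: header advertises {key_id}, keyring has {known[0]}")
        if known[1] > Trust.AUTO:
            return "conflict"
        self.keys[address] = (key_id, Trust.AUTO)
        return "replaced"

    def send_policy(self, address):
        """Point 5: encrypt by default when a key is known, and say how
        much that key is trusted so the UI can show it."""
        entry = self.keys.get(address.lower())
        if entry is None:
            return ("plaintext", None)
        return ("encrypt", entry[1].name)


# Constructed sample messages (not real mail).
FIRST_CONTACT = ("From: Bob <bob@example.org>\n"
                 "X-pgp-key-id: 0x1A2B3C4D\n"
                 "Subject: lunch\n\nSee you at noon.\n")
CHANGED_KEY = ("From: Alice <alice@example.org>\n"
               "X-pgp-key-id: 0xBADC0FFE\n"
               "Subject: new key\n\nPlease use my new key.\n")
NO_HEADER = "From: Carol <carol@example.org>\nSubject: hi\n\nHello.\n"


def demo():
    ring = Keyring()
    # Alice's key was checked by hand beforehand.
    ring.add_manual("alice@example.org", "0xA1B2C3D4E5F60718")
    results = [ring.learn_from_message(m)
               for m in (FIRST_CONTACT, CHANGED_KEY, NO_HEADER)]
    return ring, results


if __name__ == "__main__":
    ring, results = demo()
    print(results)
    print(ring.send_policy("bob@example.org"), ring.warnings)
```

The harvested key for Bob makes encryption the default but stays at the lowest trust level, while the mismatching header for Alice produces a warning instead of replacing her verified key.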
    6. Re:Encryption and the masses by Anonymous Coward · · Score: 0

      The transparency thing can't be stressed enough, that and ease of installation/key generation.

      I just finished writing a secure web based message app for a client who found pgp hopeless not only for himself, but for his clients who he wanted to communicate securely with. It's not just a question of the individual clueless user, but all the clueless users the individual wants to communicate with. It has to be as transparent as SSL.

    7. Re:Encryption and the masses by chasec · · Score: 1

      Alternately, we could modify our mailers to include "encrypt" and "sign" buttons right next to the "send" button.

      I recently switched to KMail for exactly this reason. It has buttons for 'encrypt' and 'sign' right on the toolbar. Give it a try. AFAIK, it doesn't run on Windows, though.

      It works reasonably well; the only problem I have is that it runs slow on my pentium/200. From what I understand, GCC generates slow C++ code, compared to other compilers. Anyone want to verify this?

    8. Re:Encryption and the masses by Anonymous Coward · · Score: 0

      The envelope analogy is wrong. A normal email is sent the same way as regular postal mail in an envelope. It generally takes a username/password to read an unencrypted email, just as it would take someone opening an envelope to read a postal mailing. Both take the same effort and neither protects sensitive information. People are less likely to think they need PGP for email if they receive confidential medical records and credit card statements in regular envelopes with postal mail. Actually it is much easier for me to drive through your neighborhood and open your mailbox and get all of your personal information than it is for me to find out your email address and manage to login with your username and password just to find a lot of non-confidential information!

      So why would I need to receive PGP email from my buddy about hanging out on Friday night, when Citibank uses regular postal mail to send me private credit card information protected by a thin envelope sitting in my plastic publicly accessible mailbox?

    9. Re:Encryption and the masses by Bob+Uhl · · Score: 2

      Try out mutt. Incoming messages are automatically decrypted and/or verified. Outgoing messages can be signed by typing ps, encrypted with pe and both by pb. It can even be set to remember the PGP passphrase for a period of time. And mutt's a wonderful mailreader anyway--check it out when you get the chance.

    10. Re:Encryption and the masses by Xofer+D · · Score: 2

      I use mutt for my console mailer, actually. However, I haven't found an appropriate mailer for X and Windows - Under Windows, using a console program is actually really, really bad; I have never seen a decent terminal / console window application for Windows, and the "MS DOS Prompt" application sucks in several dimensions.

      --
      The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
  20. Re:Lots of products left alright, but easy to use? by Anonymous Coward · · Score: 0

    easy, damn straight. not saying it's great, not saying it isn't, but it sure as hell is easy and is for OS X ONLY:

    Cypher is an easy-to-use interface to a powerful encryption and decryption tool: ccrypt. Peter Selinger's (selinger@users.sourceforget.net) ccrypt tool is an open-source, fast, and powerful encryption/decryption program. For more information on ccrypt and to download the source code, please visit the ccrypt site at http://sourceforge.net/projects/ccrypt/.

    Cypher was developed by ernieWare. For more information, visit the Cypher (http://homepage.mac.com/jhammer/cy) homepage.

    Cypher is very easy to use. The easiest way to encrypt a file is to just drag and drop it onto Cypher's icon. Enter the passphrase you want to encode the file with and click "OK". That's it.

    To decrypt a file, just drag the file onto the Cypher icon. Make sure the "Decrypt" icon is selected. Enter the passphrase you encoded the file with and click "OK". That's it.

    Cypher allows you to create self-decrypting files. If you check the "Save as self-decrypting" button, then Cypher will encrypt your file, then turn it into an application. This allows any Mac OS X user that you send the encrypted file to to open and decrypt the file -- even if they don't have the Cypher application installed (and provided they enter the correct passphrase to decrypt it).

    About ccrypt Encryption (from the ccrypt README file):

    ccrypt is a utility for encrypting and decrypting files and streams. It was designed to replace the standard unix crypt utility, which is notorious for using a very weak encryption algorithm. ccrypt is based on the Rijndael cipher, which is the U.S. government's chosen candidate for the Advanced Encryption Standard (AES, see http://www.nist.gov/aes/). This cipher is believed to provide very strong security.

    ccrypt License

    This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.
    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
    You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

  21. pgp and key lengths by cluge · · Score: 3, Interesting

    Maybe CAI didn't want to keep improving the product. DJB's crypto paper and methodology shows that any key less than 1024 can be "easily" cracked. CAI would have had some more work to do on their product (just as I'm sure the GNUPG team is reconsidering the approaches they are using).

    Finding the people to verify PGP is secure and proving that any new method of encryption is secure takes money, and since many people still consider zipping a file up with a password as "strong encryption" there was no market for it.

    To think, not too long ago the US govt. was complaining that the world would end if we all had encryption. As it turns out, few cared enough to use it.

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
    1. Re:pgp and key lengths by Col.+Panic · · Score: 1
      CAI would have had some more work to do on their product

      I doubt it - I am using an older commercial version (6.5.2) and it will handle RSA keys up to 2048 bit and Diffie/Hellman up to 4096 (DH2048 is the default).

  22. NAI Another Commodore? by Anonymous Coward · · Score: 2, Interesting

    Remember how Commodore's incompetence helped kill the Amiga? Well I, personally, don't see much difference between that and what NAI has done to the companies/products it bought/merged.

    Where I work we use McAfee VirusScan and the Gauntlet firewall. At home, personal use only, I use PGP. (Good ol' 2.6.) Since NAI raised its ugly head:

    • Working with McAfee has become more difficult in nearly every respect, in my experience.
    • The Gauntlet firewall product has become so bad, particularly the support, that we gave up on it. (We're still using it. We just haven't bothered with (non-)support contracts or "upgrading.") I used to love that product :-(. And TIS used to be a pretty good company to work with.
    • When I tried to license PGP for business use, not only did NAI not have a Unix version for sale, they had no mechanism whereby I could license the "open source" version for business use. Think of it: basically free money for them. They had to do no more than charge me. No media. No downloads. No support. Just me saying to them "Here! Take some money." The concept was utterly beyond them.

    So the PGP product is now dead. Imagine that. They've sold Gauntlet to Secure Computing Corp. God knows what the status of the McAfee product line is.

    In summary: it's my opinion that NAI has done those products, not to mention their (ex-)customers, no favours. Needless to say: NAI is not one of my favourite companies.

    1. Re:NAI Another Commodore? by Anonymous Coward · · Score: 0

      The Gauntlet firewall product has become so bad, particularly the support, that we gave up on it. (We're still using it. We just haven't bothered with (non-)support contracts or "upgrading.") I used to love that product :-(. And TIS used to be a pretty good company to work with.

      The staff sounds like they're pretty happy to hear they were bought by a security company like Secure Computing though. It could have been worse.. look at what happened to poor Raptor.. err.. Symantec Enterprise Firewall. hehe.

  23. Encrypted Volumes by ZaneMcAuley · · Score: 1

    I currently use PGPDrive volumes, does anybody know of one that is better? With PGPDrive volumes I can defrag, mount and unmount and transfer to other systems too, nice integration.

    --
    ----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
    1. Re:Encrypted Volumes by frog51 · · Score: 2

      Try www.pointsec.org for an excellent boot level encryptor for your whole drive.

  24. Flaimbait! by Anonymous Coward · · Score: 0

    Yeah right. Like all the /. trolls are going to flame the poster!

    Sheesh! Slashdot moderation isn't worth shit!

  25. pgp and the NSA by gruntvald · · Score: 1

    There was some short news preview (either for a book or an upcoming show) on fox news yesterday, that I only caught in passing, about the use of technology by terrorist groups. They mentioned in passing that the NSA had cracked pgp 2 years ago. This was news to me.

    1. Re:pgp and the NSA by Martin+Blank · · Score: 2

      A check of foxnews.com and of the Google newsgroup archives mentions nothing about that. Do you have anything more specific to add which we could use to nail down the specifics?

      --
      You can never go home again... but I guess you can shop there.
    2. Re:pgp and the NSA by gruntvald · · Score: 1

      Sorry I really didn't catch it. I'm pretty sure it was for a news special coming up today or in a few days, and it may have been on CNN headline news, instead. I don't see anything listed though.

    3. Re:pgp and the NSA by xlv · · Score: 1

      I heard it too. It was on CNN Headlines News. I didn't have time to investigate it more yesterday but it was about some "expert" commenting on email interceptions about Al Qaeda people regrouping in Pakistan.

    4. Re:pgp and the NSA by Arandir · · Score: 2

      They mentioned in passing that the NSA had cracked pgp 2 years ago.

      The government will always have bigger weapons than you. It's a fact of life. I have a pistol and a rifle and they have nukes. I have PGP and they have rows upon rows of supercomputers.

      But that's not to say that PGP is useless. That pistol of mine is still great for defending myself against criminals. It's also okay to defend myself against rogue agents of the government. Likewise, PGP is great for securing your email against criminals, your boss, your wife, your nosy neighbor, and does a respectable job of protecting your email against your nosy sheriff, IRS agent, numbnut judge, etc.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    5. Re:pgp and the NSA by gruntvald · · Score: 1

      Aha! I was beginning to think I was going crazy. It was just mentioned as a side issue. Pretty freakin' big side issue to me, as a long time pgp user.

  26. Re:Lots of products left alright, but easy to use? by pmsr · · Score: 1

    File encryption is very easy with several products. But what about key management? And what about email? That is where these products fail.

    /Pedro

  27. Re:Lots of products left alright, but easy to use? by Anonymous Coward · · Score: 0

    what about email? so you create a word doc, encrypt it and attach it to your dang email. hard? not.

    key management? i'll do that for myself. hard? not.

  28. Karma Whoring by Tomcow2000 · · Score: 1

    More info at The Register. This one is better, if only for the reference to Ashcroft and a "lucrative surveillance state."

    --

    Sleep: A completely inadequate substitute for caffeine.
  29. Does GnuPG has VPN support? by Oniros · · Score: 2

    We mostly use PGP for VPN access at work, when will GPG have such a feature (if ever)?

  30. Gauntlet on the other hand... by drsoran · · Score: 1

    On the other hand, the Gauntlet firewall which used to be under the PGP division did find a buyer thankfully. Secure Computing acquired it and IIRC the support people. Now, whether they bought it just to strip the proxy technology from it and integrate it into Sidewinder (x86 based) or if they plan on continuing to develop the Solaris and HP-UX based Gauntlet itself has yet to be seen. As for PGP, like people said, use GnuPGP. Lately PGP has seemed like it turned down a dark path of distrust. I can't ensure that what I've encrypted with the latest versions are actually secure because I don't know what impact 9/11 has had on this proprietary closed source piece of software and any backdoors it may contain.

  31. How much is NA asking anyhow? by Anne_Nonymous · · Score: 2

    Perhaps the EFF should buy them and make PGP opensource/freeware/shareware or whatever, just so there's something out there that the common computing schmuck can rely on in the future.

    1. Re:How much is NA asking anyhow? by rasjani · · Score: 2
      Tell me a reason why they should do something like that? There's already a gpl'd version that's compatible with PGP called GPG.
      • It works well,
      • and is ported to many platforms, including windows
      • And has even 3rd party outlook plugins.
      So, Why ?
      --
      yush
    2. Re:How much is NA asking anyhow? by Arandir · · Score: 2

      Actually, a version of PGP under an unrestricted license (BSD, MIT) would be a very Good Thing. Why? Because PGP is a standard. If it's only available under the GPL, then it can only be incorporated into other GPL applications. Normally that isn't a terribly horrible thing, but such licensing would hinder integration into commercial (i.e. proprietary) mail clients. Since 90% of mail clients are Windows based and proprietary, this is Not Good.

      An unrestricted PGP would allow everyone access to PGP. Since the value of PGP increases with the number of users, it makes sense to give it the least restrictive license possible. GnuPG is already GPL. Since NAI will probably dump the semi-free PGP anyway, releasing it under the BSD or MIT license would be a good idea. Those people who loathe the very existence of non-GPL licenses can stick with GnuPG, and Microsoft, Apple, etc., can start integrating the unrestricted version into their software.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    3. Re:How much is NA asking anyhow? by Anonymous Coward · · Score: 0

      What makes you think Microsoft wouldn't embrace and extend PGP to .NETpgp, with a few 'crucial' changes put in that make the product 'work better' and at the same time be incompatible with everything else?

      Monopolies can do things like this.

    4. Re:How much is NA asking anyhow? by Arandir · · Score: 1

      For exactly the same reason they haven't done the same to TCP/IP.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
  32. Re:Does GnuPG has VPN support? by drsoran · · Score: 1

    That was part of the problem with NAI. They integrated too much together on the desktop suite. You had the VPN client (ipsec based), PGP client for encrypting mail and files, PGPDisk for creating what is basically just a loopback encrypting disk image that looks like a drive to users, the PGP desktop firewall software, the PGP desktop IDS software bundled with that firewall, etc.

    GPG is just the equivalent of the mail and file encrypting tool that was part of the PGP Desktop package. It has nothing to do with VPN access, firewall software, etc.

  33. Re:Lots of products left alright, but easy to use? by Dredd13 · · Score: 2
    what about email? so you create a word doc, encrypt it and attach it to your dang email. hard? not.

    Oh that's JUST how I want to get "average joes" using encryption on e-mail. By building up big freaking attachments and slinging the attachments around, forcing the recipient to download the attachment, save it, decrypt it, and load it in $APPLICATION.

    Are you stoned?

  34. THE NSA CRACKED PGP!!? by Anonymous Coward · · Score: 0

    Any follow-ups on this?

  35. First "Zimmerman is a terrorist" post! by Anonymous Coward · · Score: 0
    . . . for people who need cheap, reliable encryption.
    Like al Quaeda?
  36. Say what? by Anonymous Coward · · Score: 0

    It's a good thing that there are still products like GnuPG and others out there for people who need cheap, reliable encryption.

    Yeah, because if NA had a monopoly on encryption they'd definitely still be dissolving that business.

  37. Re:Lots of products left alright, but easy to use? by pmsr · · Score: 2, Funny

    Key management? Why all the fuss? Just send the attachment password by email! ;-)

    /Pedro

  38. Re:Lots of products left alright, but easy to use? by Pfhreakaz0id · · Score: 2

    Nope. He's not stoned, he's just a Linux user who thinks that is "ease of use."

    He doesn't realize that half the non geeks only attach documents to an email by using Word/Excel/Powerpoint's "mail this document" feature. I couldn't tell you the number of times I've had to show people how to attach another kind of document (like a picture).

  39. The windows interface rocked! by simpleguy · · Score: 2

    I loved NAI's PGP because it made things so easy!

    For instance, if I have a truckload of files to decrypt, it goes as follows.

    Select Files > Right Click > PGP > Decrypt > Input passphrase and voila!

    Cooler even is that it preserves the original filename after decrypting.

    It's always an annoyance to decrypt multiple files with gnupg on linux. Does anyone here know how to implement a passphrase caching mechanism so that I do not have to type that bloody lengthy passphrase every time? I know this might be a security risk but hey, my home system is not networked. To reduce the risk of people doing stupid things, how about having to edit the source and modify something before the passphrase caching works? I am ready to do that. I am sure most seasoned gnupg users would find that useful too.

    Also, how do you preserve the original filename?

    Hint: to see the original filename use --list-packets with gnupg.

    Simpleguy
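
The batch decryption asked about in the comment above, as an added example that is not part of the original post: it reads the stored filename from `gpg --list-packets`, as the hint suggests, and reduces it to a safe basename before using it as the output name, because the name inside a message is chosen by the sender. The function names and the sample listing are constructed for illustration; passphrase caching is assumed to be handled by gpg-agent (GnuPG 2.x).

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Constructed sample of what `gpg --list-packets` prints for the literal data
# packet of a message whose sender stored a hostile path as the filename.
SAMPLE_LISTING=':literal data packet:
	mode b (62), created 1017000000, name="../../.ssh/authorized_keys",
	raw data: 412 bytes'

# Read a --list-packets listing on stdin and print the embedded filename of the
# first literal data packet as a safe basename. Returns 1 if none is usable.
embedded_name() {
    name=$(sed -n 's/^[[:space:]]*mode [^,]*, created [0-9]*, name="\(.*\)",[[:space:]]*$/\1/p' | head -n 1)
    name=${name##*/}        # drop Unix directory components
    name=${name##*\\}       # drop DOS directory components
    # Keep a conservative character set; every other byte becomes "_".
    name=$(printf '%s' "$name" | LC_ALL=C tr -c 'A-Za-z0-9_.-' '_')
    # No leading "." (hidden files, "..") or "-" (looks like an option).
    while :; do
        case $name in
            [.-]*) name=${name#?} ;;
            *) break ;;
        esac
    done
    case $name in
        ''|_CONSOLE) return 1 ;;   # empty, or OpenPGP's "for your eyes only" marker
    esac
    printf '%s\n' "$name"
}

# Decrypt each file into the current directory under its sanitized embedded
# name, falling back to the input name minus its last extension.
# The listing pass decrypts the data once more, so each file is read twice.
decrypt_all() {
    for f in "$@"; do
        if ! out=$(gpg --list-packets -- "$f" 2>/dev/null | embedded_name); then
            out=${f##*/}
            out=${out%.*}
        fi
        # Never overwrite: an existing file wins over the sender's chosen name.
        if [ -z "$out" ] || [ -e "./$out" ]; then
            echo "skipping $f: no usable output name, or ./$out exists" >&2
            continue
        fi
        gpg --output "./$out" --decrypt -- "$f" || echo "failed: $f" >&2
    done
}

# Run only when files are given on the command line.
if [ "$#" -gt 0 ]; then
    decrypt_all "$@"
fi
```

GnuPG also has a `--use-embedded-filename` option, which its manual describes as dangerous because it can overwrite files; the sanitizing step here is what that option leaves out.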

  40. Use biometrics NOT passwords and encryption by crovira · · Score: 2

    Security schemes based on what you know (passwords) or what you can calculate (public/private key encryption) are fundamentally flawed.

    Security based on what you are (biometrics) is much more reliable and can range from voice recognition over a 3kHz phone line to DNA scans. The more you need to KNOW, the deeper (but not necessarily the more invasive,) the source. The more you need to be sure, the more biometric signatures you can use to corroborate a message.

    Use a pair of biometric keys to encrypt/decrypt using the same algorithms as public key and you've got some underivable security. (The keys don't have to be primes.)

    As the Beatles sang all those years ago "There's nothing you know that can't be known." So much for passwords.

    And remember, encryption calculations are cumulative. Once you've worked out all 128-bit factors, cracking a code you've never seen before just becomes a table look up. (First rule of performance optimization: NEVER do anything TWICE. You can't buy a second but you can rent one if you use cold hard cache.)

    And the price of storage falls every month and the number of factors calculated grows every second. (Don't think the NSA hasn't figured that out yet.)

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
    1. Re:Use biometrics NOT passwords and encryption by Anonymous Coward · · Score: 0
      Once you've worked out all 128-bit factors, cracking a code you've never seen before just becomes a table look up.

      Try working out just how much storage this would take, and you'll see why this isn't remotely feasible. There are more possible 128-bit keys than atoms in the planet. Much more, IIRC.

      I don't think you could use biometric signatures as key pairs, which require special mathemagical properties. In any case, biometrics aren't a cure-all. See this by Bruce Schneier for details.

    2. Re:Use biometrics NOT passwords and encryption by steve_bryan · · Score: 1

      Does it make you feel safe that only mathematically literate readers are certain your comments are absurd and uninformed? Know many people who use 128 bit PGP public keys? Wouldn't it be somewhat more likely that the key length is something like 1024 or 2048 bits?

      Now let's make this more explicit. You plan to compute all prime factors of the relevant size and store all corresponding products of each pair so they can be found by a simple lookup. Planning to use the Sieve of Eratosthenes to find all these primes? Regardless, the quantity of primes less than a number x (in our case some approximately 512 bit number for 1024 bit keys) is asymptotic to x/log x (the Prime Number Theorem, page 9 of "An Introduction to the Theory of Numbers" by Hardy and Wright). You are considering roughly every possible pair of that quantity so square that number. I get a number around 2^980. Each will require 3000 bits of storage (ignoring, at least for now, attempts to compress) or about 375 bytes. That previous large number is something like 10^327 which we need to bump to 10^329 to get a rough estimate of the number of bytes needed.

      I'm hoping I can buy a 100 gigabyte drive for $100 before too long. That would provide 10^11 bytes of storage. So I would need about 10^318 such drives for your project. I suppose when buying in bulk like this I might get a better price but I don't have anything like $10^320 laying around. In fact, I doubt that the NSA has money like that at its disposal.

      If it hasn't been piling on already I imagine the next step is, but how long do you think that "table look up" would take if you did manage to assemble that much storage? A nanosecond for each comparison and traversing about half the list on average? So 10^327 times 10^-9 seconds or 10^318 seconds. I seem to recall there are 3.15 times 10^7 seconds per year. Your average look up would take 10^311 years to complete. Current estimates of the time since the big bang are at less than 10^10 years. (I also doubt there are 10^300 elementary particles in the universe).

      Just to summarize: anyone who thinks brute force is a useful option just doesn't know what he is talking about. Quantum computing is another topic left as an exercise for the reader who wants to consider real threats to RSA.

  41. I'll buy it by autopr0n · · Score: 2

    For one dollar!

    Hopefully it would come with at least one aeron chair.

    mmm. Aeron chair...

    --
    autopr0n is like, down and stuff.
  42. gpg by autopr0n · · Score: 2

    Actually, gpg works on windows. I actually wrote a COM interface for it a while back at my old job.

    --
    autopr0n is like, down and stuff.
    1. Re:gpg by Anonymous Coward · · Score: 0

      He didn't say 'does it work on windows' - he asked if there was a nice front end, so non-geeks don't have to go something like:

      GPG -mw23942 -mx77448 -p -d -c -v -b -b "hilugdg" >file.txt

      or whatever.

  43. Danger Will Robinson! Danger! by BurritoWarrior · · Score: 2, Interesting

    Part of the issue with widespread adoption of PGP is you can't deploy it in a corporate environment. Imagine one disgruntled employee who encrypts a bunch of mission critical files, takes his keys, and goes home (resigns).

    Yeah, we will su his a$$! Well, in the meantime, you are SOL and out of business for all intents and purposes.

    PGP is great for individual use. It is a far too risky for corporate use.

    1. Re:Danger Will Robinson! Danger! by caluml · · Score: 2, Insightful

      Erm - how is that different to the disgruntled employee that just deletes the files instead? You just restore from backup.

      If you didn't have backups of your "business critical" data, you shouldn't be in business anyway.

    2. Re:Danger Will Robinson! Danger! by BurritoWarrior · · Score: 1

      We have things like Network Undelete running to prevent just this sort of thing (and the more frequent bozo user who deletes data he shouldn't by accident) - so that we can restore a deleted file in a matter of minutes. An encrypted file would require restoring from tape, which would be an enormous nightmare with multiple files/applications hosed.

  44. Re:Does GnuPG has VPN support? by Skorpion · · Score: 2, Insightful

    I don't see why it should. Gnu Privacy Guard is a program that talks OpenPGP (RFC 2440). An OpenSource/Free VPN solution is for example FreeS/Wan. Those are different things and selling them under one brand, while business-wise feasible, is like mixing apples and oranges.

  45. PgpAPI!? by autopr0n · · Score: 2

    If anyone else out there has gotten a chance to use the PGP API, it's simply a beautiful thing for adding crypto to your application. I don't think GnuPG has anything near what PGP had as far as an API (their motto: "Use the command line program as a base for other things!", yeh, real useful for in-memory encryption)

    It sucks to see that go. GnuPG may be free, but the source was available for PGP, and the API was just fantastic.

    --
    autopr0n is like, down and stuff.
  46. Bollocks! Key lengths not a problem by SomethingOrOther · · Score: 2

    shows that any key less than 1024 can be "easily" cracked.

    eh?
    Yes, some weaknesses have recently been discovered in the RSA algorithm, meaning that 1024 bit keys are less secure than people thought. HOWEVER PGP defaults to a 2048 bit Diffie Hellman (sp?) key.

    Not only that but PGP will happily accept DH keys up to 4096 bits (and RSA keys to 2048 bits if you are set on using RSA), just by changing the defaults!

    I think your comment is misleading. Standard PGP keysizes are secure (and should remain secure for many more years) but upping the keysizes can be done very easily!

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
    1. Re:Bollocks! Key lengths not a problem by afidel · · Score: 2

      No, I think you missed the point. The point is that if the author was correct then the keysize increases are linear and the speed of additional nodes is linear but over time the speed of computers is exponential so that ultimately any crypto based on factoring is extinct. Luckily there are other forms of crypto including elliptic curves. Factoring was doomed anyways once quantum computers became mainstream, this just quickens the pace a bit.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  47. Re:Lots of products left allright, but easy to use by Anonymous Coward · · Score: 0

    easy as proxo or zonal? Yeah, right pad're PGP wuz another 6-finger webfoot bitch.

  48. Reliable ? by japhering · · Score: 1

    Only reliable, when care is taken to maintain system security. Let us not forget the pgp virus
    created by the Chinese Government, which simply sends them all your key rings........

    1. Re:Reliable ? by Anonymous Coward · · Score: 0

      Too bad secret key rings are useless without the passphrase. Typical Chinese...

  49. Biometrics are not revocable by petej · · Score: 3, Informative

    Suppose someone finds an exploit in the device that does your retinal scan. Your admins must now deny your retinal scan credentials, and you have to switch to the other eye (presuming you have a spare). If that credential is compromised as well, you're completely out-of-luck.

    With a passphrase-based system, by contrast, you can just change your passphrase as needed.

  50. To be secure you _must_ RTFM by SomethingOrOther · · Score: 2

    He's a typical windows user and won't read instructions.

    That is a bit like giving someone keys to your house and not showing them how the funny lock works.

    For him to send a plaintext message that he thought was encrypted (because he didn't RTFM properly) could have been disastrous. In the same way that your friend not locking your door properly ('cos he didn't know how) could be disastrous.

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
  51. Tech economy by wizman · · Score: 1, Interesting

    You know, I'm a huge believer in open source, but I'm starting to lose faith.

    We always cry that OS software is the way to go, and greedy bastards who charge for software are evil.

    Well, look at the economy. Look at the number of out-of-work techies out there mowing lawns and flipping burgers to stay afloat. I wonder how many of them would have jobs if there was less open source software in existence. Are we shooting ourselves in the foot?

    1. Re:Tech economy by NDPTAL85 · · Score: 1

      Most techies don't work for software companies. The downturn was brought about because of shitty business plans not because of the prevalence of open source software. At the same time I still think there aren't enough qualified, truly qualified (emotionally as well as skill wise) people in the industry.

      --
      Mac OS X and Windows XP working side by side to fight back the night.
  52. NAI didn't sell all of PGP by Rahtok · · Score: 5, Informative

    Guys, everybody here is missing what really happened here. About a year and a half ago, NAI separated the command line product from the GUI desktop product. NAI discovered that people will pay a large chunk of change for scriptable, command line stuff, and that they almost had to give away the GUI version. When they dissolved the business unit last October, they decided to KEEP the command line version [the McAfee biz unit sells it now, for the same large chunk of $$$] but were trying to sell off the GUI version. Now, riddle me this, riddle me that, how do you sell the GUI version to another company when the command line version you're keeping USES THE SAME CODE?! That's why NAI couldn't sell it -- no company wanted to pick up a product that NAI was going to keep the core product to. I know because I worked for NAI in the PGP division.

    It all is a big shame too. The last version, 7.1, was cool. It was stable, had an IPSEC client that could talk to pretty much any VPN gateway out there in addition to creating peer to peer IPSEC tunnels with other PGP clients as well. A mini firewall / IDS rounded it out. Frankly, companies just aren't paranoid enough to require that level of encryption yet. And until that happens, no commercial product is likely to succeed in this arena.

    1. Re:NAI didn't sell all of PGP by chiph · · Score: 0

      The company I work for is one of those who paid big bucks (5-figures) for a 2-year license to the command-line PGP utility. Even though the price is steep, it's still a bargain compared to RSA, who wanted 2% of revenue for using their toolkit. It also got us out of the hassle of dealing with the Commerce Dept. if we were to write our own.

      Another big plus is that it's multi-platform. Not all of our clients are on Windows or Intel CPUs, and PGP just worked because it generates plain ole' ASCII. MS Crypto API? Couldn't trust it to interoperate with *nix or mainframe clients. DES? My niece could crack it. AES? Not all clients have the skill to implement it, and well-implemented libraries are as scarce as hen's teeth. PGP was the right choice for us. Chip H.

  53. Freeware version by Anonymous Coward · · Score: 0

    The freeware version on the PGP International site goes up to 7.03: downloads here. This site is not owned by NAI so it shouldn't be affected by this decision.

  54. NA made PGP into bloatware! by SomethingOrOther · · Score: 4, Informative

    it comes with some nice extras such as a very nice firewall

    And that is partly the reason nobody bought it.
    PGP evolved into a nice e-mail encryption program. NA added so much crap to this (VPN that hardly worked, Firewall, hard drive encryption) they forgot their core market..... secure E-MAIL and convincing people that it was necessary!
    (In a corporate environment, people already have firewalls etc... NA just made PGP more complex)

    I actually bought a version of PGP Personal Security 7.0.3
    YTC !!!
    NA never published the source code for version 7. That was the reason Phil Zimmerman left NA.
    Version 6.5.8 could be downloaded as freeware and is every bit as compatible!

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
    1. Re:NA made PGP into bloatware! by Anonymous Coward · · Score: 0

      True, but "Let me assure all PGP users that all versions of PGP produced by NAI, and PGP Security, a division of NAI, up to and including the current (January 2001) release, PGP 7.0.3, are free of back doors," said Zimmerman (http://www.theregister.co.uk/content/8/17064.html )

      Also, it's unclear if this is the reason that PZ left NAI, or if he just saw the writing on the wall (that the division wasn't making money and would be axed).

    2. Re:NA made PGP into bloatware! by Jadecristal · · Score: 1

      Phil actually left after 7.0.3 was released, and he declared it "safe." - from my understanding, at least. After 7.0.3, it would seem that all bets were off.

  55. Product with potential, company with flaws by glasn0st · · Score: 1

    I agree that NAI has brought the demise of this product upon themselves. This product was destined to be a killer app, but they have not given it a proper chance.

    They have never marketed it properly to the corporate world. Except for us geeks, who knows about it? Surely the underlying concepts of cryptography will never be well-known, but they haven't even tried to push the feeling "PGP makes my email secure". (This marketing goal is feasible; compare it to the majority that thinks "Linux is secure!")

    To make it worse, NAI effectively denied the existence of a consumer market. In fact, in my area (Netherlands) it was not possible to buy PGP 7 as an end-user until end 2001 (I gave up trying then). No web shop for Europe, so no impulse purchases. NAI's Dutch branch only sold the obsolete 6.x version; does a geek want to spend their money on a (flawed) old version? I know several other people in my area who were willing to buy a copy but failed. If this sample is representative for NAI's overall policy I can imagine why they could not "excel" in this market.

    I hardly feel sorry for NAI, they have made serious mistakes and the lack of revenue and market share is a logical result. Although NAI effectively destroyed PGP's credibility, PGP (even their PGP application suite) still has a lot of potential and even now NAI could be able to clean up their act; they have a good working set of applications which can easily be adapted to all ages and markets!

    To see this valuable product moved into maintenance mode is a big shame. I wonder who will jump in to fill the hole they left.

    What puzzles me most is - why hasn't Microsoft Corp. made an offer to buy the PGP technology?

    --
    ( ^_^)/
  56. Windoze Privacy Tray - AKA WinPT by Moderation+abuser · · Score: 2

    Uses GPG and works with all Windoze applications that allow cut/paste of ascii text.

    --
    Government of the people, by corporate executives, for corporate profits.
  57. Re:Does GnuPG has VPN support? by andersen · · Score: 2, Insightful

    There is no open source IPSEC client for windoze. I know, since a guy wanted me to setup a VPN for him. I setup FreeSwan, then realized that the only way to make windoze connect up was to buy copies of PGP/NET's IPSEC client...

    --
    -Erik -- --This message was written using 73% post-consumer electrons--
  58. Bollocks! PGP has option for corperate key escrow! by SomethingOrOther · · Score: 3, Insightful

    you can't deploy it in a corporate environment.

    You ARE wrong! Read this about which PGP version to use.

    Here is a cut 'n' paste of the interesting bit....

    The Business versions allow you to set up how PGP will be used throughout an organization, and also allow for use of an Additional Decryption Key (ADK); but do not really include anything of additional value to an individual user. The ADK is just a master key used by an organization that all of its email/files is also encrypted to, so that if someone leaves the organization, there will still be access to his/her encrypted files - It has absolutely nothing to do with concepts such as government key recovery.

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
  59. Easy PGP by dickDragon · · Score: 1

    Try the new mailvault.com.

  60. Marketing blunder! by dcavanaugh · · Score: 3, Insightful

    PGP is a nifty little package for encrypting files & e-mail. If it had been sold as a nifty little package at a low price, NAI would not be looking to dump it.

    I played with PGP when it was freeware. In a pilot project, I exchanged office gossip with a co-worker to see if ordinary people could use it effectively for secure e-mail communications. It worked quite well, but we didn't have a pressing need for the technology so deployment went nowhere.

    Years later, I'm at a different company and now I have a use for it. I visit NAI to see if I can buy just the basic file & e-mail encryption. I discover all they really want to sell is the entire PGP Desktop bundle, for a price that IMHO far exceeds what basic encrypted e-mail should be worth. Eventually, I managed to buy the basic package, but only after making phone calls and finding a reseller who could do such a thing. The licensing complexities of the whole process were as if I was buying a nuclear reactor! Had this been an easier process, I might have deployed it on hundreds of PCs, instead it's only a handful.

    I am the customer; I am always right. I want an easy-to-buy, easy-to-use, cheap-to-deploy package that encrypts the 5% of my users' e-mail & files that are worthy of encryption. NAI could have marketed PGP successfully to a high percentage of business and home PC owners, but for whatever reason they chose to go after the ultra-paranoid, encrypt-everything, price-is-no-object crowd instead. PGP is a great product; better management could have made it profitable. Maybe someone will buy the product and figure out how to broaden its appeal.

  61. What about S/MIME by Anonymous Coward · · Score: 1, Informative

    PGP is a good solution to email security. However, commercial software is mostly now using S/MIME, which is probably not less secure (if you use a good algorithm and reasonable-length keys). S/MIME is specified in a bunch of RFCs and is actively being extended and improved (see the IETF site for details). You can get open-source code for it (e.g. it is part of Mozilla).

    1. Re:What about S/MIME by inflex · · Score: 1
      I am envisaging a new problem that's going to arise if GPG/PGP take off... how do we filter the content of the emails! Hence, I'm all for S/MIME, which allows encrypted messages between client/server/server, but the content of the email remains in its original form.

      If GPG/PGP takes off as a method of transferring, then we'll be back to square one with trying to prevent viruses getting to the end users *sigh*

      Additionally, S/MIME is easier to set up and far simpler to deploy on a large scale.

  62. Use PGP CKT by Constrain_Me · · Score: 4, Informative

    I don't believe someone hasn't posted this. I use PGP CKT and am VERY happy with it. It is built off of the last version of PGP that came with the source (6.5.8 Desktop Security, if I'm not mistaken), and they are currently on their 6th build (Build 07, which will fix XP problems, is in Beta).

    PGP CKT comes fully loaded with PGPDisk and PGP4ICQ, and the plugins for Outlook/Outlook Express. I'm not sure about PGPNet; I don't use it.

  63. NAI Privacy Policy by AntiNorm · · Score: 3, Informative

    I was just about to download the freeware version of PGP last night when, in response to the mandatory registration, I read their privacy policy. Things like "We may also carefully select other companies to send you information about their products and services." caught my attention. Basically, they sell your information and require you to contact them to prevent this from happening. No, there isn't a 'please do not share this information' checkbox.

    That doesn't look like much of a privacy policy to me. Hence the reason I didn't proceed.

    --

    I pledge allegiance to the flag...
    of the Corporate States of America...
  64. Get your idea.c here by Cadre · · Score: 2
    One thing to note is that gpg doesn't support all of the algorithms that PGP used, because of patents/licensing (IDEA being an obvious example). So if you used those algorithms there's a serious risk of bitrot.

    It used to be that one could just find a file named idea.c in the contrib directory of the primary gnupg ftp repository, but they were forced to remove it. You can find the idea.c in the contrib directories of mirror sites in countries that allow the distribution.

    The idea.c file and its detached signature made by Werner Koch.

    --
    All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
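
An added example, not part of the comment above or of GnuPG's code: a Python script that inventories which encrypted files depend on IDEA, using only the OpenPGP packet framing and cipher IDs defined in RFC 4880. The file names and byte strings are constructed samples; for public-key-encrypted files the cipher ID sits inside the encrypted session key, so `cipher_of` returns `None` for them.

```python
SYM_ALGOS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
             7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish"}

def packets(data):
    """Yield (tag, body) per packet, for old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not binary OpenPGP data (dearmor ASCII armor first)")
        if hdr & 0x40:                                   # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:                              # one-octet length
                length, i = first, i + 1
            elif first < 224:                            # two-octet length
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:                           # five-octet length
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:                                        # partial length: take the rest
                length, i = len(data), i + 1
        else:                                            # old-format header
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            # n == 0 means indeterminate length: the body runs to end of file
            length, i = (int.from_bytes(data[i:i + n], "big") if n else len(data)), i + n
        yield tag, data[i:i + length]
        i += length

def cipher_of(data):
    """Return the cipher name, or None when it is hidden inside a public-key ESK."""
    for tag, body in packets(data):
        if tag == 1:      # Public-Key Encrypted Session Key: cipher ID is encrypted
            return None
        if tag == 3:      # Symmetric-Key ESK: version octet, then cipher ID
            return SYM_ALGOS.get(body[1], "unknown(%d)" % body[1])
        if tag == 9:      # encrypted data with no ESK before it: PGP 2.x passphrase
            return "IDEA"  # mode, which RFC 4880 defines as IDEA keyed by MD5(passphrase)
    raise ValueError("no encrypted packet found")

FILLER = bytes(10)  # constructed samples: real packet framing, dummy ciphertext
SAMPLES = {
    "pgp2-conventional.pgp": b"\xa6\x00\x00\x00\x0a" + FILLER,
    "pgp6-idea.pgp": b"\x8c\x04\x04\x01\x00\x01" + b"\xa4\x0a" + FILLER,
    "gpg-cast5.gpg": b"\xc3\x04\x04\x03\x00\x02" + b"\xc9\x0a" + FILLER,
    "to-recipient.pgp": b"\x84\x0c\x03" + bytes(8) + b"\x01\x00\x00" + b"\xa4\x0a" + FILLER}

def idea_files(files):
    return sorted(name for name, blob in files.items() if cipher_of(blob) == "IDEA")

if __name__ == "__main__":
    print("Needs IDEA to decrypt:", idea_files(SAMPLES))
```

Files reported as hidden have to be checked with the recipient's private key, since only decrypting the session key reveals the cipher.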
    1. Re:Get your idea.c here by Anonymous Coward · · Score: 0
  65. gnupg? by Anonymous Coward · · Score: 1, Interesting

    what about the other 90% of the people (literally) who don't use unix?

    Thank you.

    1. Re:gnupg? by Anonymous Coward · · Score: 0

      Hush/HushMail is still making OpenPGP products and releasing source. They've got a Java/COM SDK and an Outlook solution, from what I understand.

      Their stuff isn't as hardcore secure as gnupg - more focus on usability - but what can a Windows user expect?

  66. Re:Does GnuPG has VPN support? by Anonymous Coward · · Score: 0

    Considering that there's no open source version of Windows, why not just use the built-in IPSec stuff? AFAICT, FreeSwan interoperates with it.

  67. Re:Lots of products left alright, but easy to use? by Anonymous Coward · · Score: 0

    > Oh that's JUST how I want to get "average joes" using encryption on e-mail. By building up big freaking attachments and slinging the attachments around, forcing the recipient to download the attachment, save it, decrypt it, and load it in $APPLICATION.
    > Are you stoned?

    You're making the "average Joe's" case for auto-executing attachments and scripts as well. If you want people to get used to handling attachments in a secure manner, then all of them need to be handled that way or Average Joe will whine about how 'inconvenient' it is to work with .exes compared to the other, easier mail, and why can't .exes just work as nicely?..back to Square One so far as antivirus efforts are concerned.

    Ease of use has its limits if we all want safer email reading.

  68. The silent 'S' by Christopher+Biggs · · Score: 1

    So NA kills PGP?

    Is that a silent 'S' between the 'N' and the 'A'?

    --
    -- veni vidi nuclei deceri --- I came, I saw, I dumped core.
  69. Free PGP by Anonymous Coward · · Score: 0

    When Philip Zimmermann sold PGP, there was a clause in it. That clause is that a person can get PGP for free for personal use. However, you must purchase PGP if you are going to use it in a corporation. You can download it for free at the MIT web site. You must be a US resident.

  70. Mod parent up please! by Simon+Garlick · · Score: 1

    My kingdom for a mod point. PGP 6.5.8ckt is the most feature-powerful and trustworthy version of PGP available.

  71. pgp.com keyserver by Simon+Garlick · · Score: 1

    Anyone care to comment on how long ldap://certserver.pgp.com will remain operational?

  72. Re:What is windows ? by Anonymous Coward · · Score: 0

    and what is closed source ?

    I only know UNIX/Linux and BSD.

  73. Europe may pick up the slack by janolder · · Score: 1
    Recent sentiment in European governments is that they've had it with the US services reading each and every email sent in Europe, whether business to business or intra-government. I suspect that - eventually - the Europeans will get their act together and write email security solutions of their own.

    That, of course, means replacing Microsoft "swiss cheese" Outlook and other oh-so-convenient-yet-sieve-like software, which is why it hasn't been done yet. It might also be necessary to switch to Linux to avoid all the security problems of closed source Windows. As reported on Slashdot, this is already in the works.

  74. The freeware versions miss out something by frog51 · · Score: 2

    For a corporate or enterprise environment you NEED the ADK that the NAI corporate version comes with. At home we can all use the free versions, and in fact I do, but it is not even a remote contender for most of my clients with 50000+ employees.

    NAI dropping this is going to seriously shaft them! There are some alternatives, but the transition is going to be expensive. Even the change of user licenses will cost over 1 Million pounds for a couple of my clients.