Slashdot Mirror


Network Associates Gives Up Search for PGP Buyer

nakhla writes: "I came across this article which states that Network Associates has given up the search for a buyer for its PGP division. The company has laid off 18 workers, and plans to continue to maintain the product for one year. It's a good thing that there are still products like GnuPG and others out there for people who need cheap, reliable encryption."

31 of 180 comments

  1. Sad.. by dj28 · · Score: 4, Interesting

    I actually bought a version of PGP Personal Security 7.0.3 from these guys. It comes with some nice extras such as a very nice firewall. It's a shame that not enough people contributed to the development. Hopefully they will open source the latest version so that development can continue for long after one year.

    1. Re:Sad.. by kerrbear · · Score: 3, Interesting
      I actually bought a version of PGP Personal Security 7.0.3 from these guys.

      Er, what happens to all the files people encrypted with PGP ten years from now when their personal versions no longer run on the new OSs? If PGP Personal Security is rendered obsolete, will there be a way to retrieve those files, or should they be unencrypted now and re-encrypted with something that is going to stick around?

      I've got some pretty important .pgp files lying around. Should I switch to something else or am I not understanding something here?

  2. Mixed feelings by rknop · · Score: 5, Informative

    I've got mixed feelings about this. On the one hand, PGP was revolutionary and is probably one of the main reasons encryption is as free and available today as it is. If Phil hadn't released that (at the expense of considerable suffering), I suspect that the governments of the world would have been able to clamp down on encryption big time, and all of us law abiding types would take it as an axiom that none of us really need anything like that, only terrorists do. It's sad to see the company that was carrying that torch give up on it. I fear this is just one more indication that personal encryption of e-mail and such isn't really going to catch on with the masses.

    On the other hand, NAI's not been a perfect angel. Phil left them because of differences about releasing (if memory serves) source code-- not because Phil is an open source advocate per se, so much as for reasons of being able to verify the security. And, myself, I'm an open source geek and have been using GnuPG for quite some time as my encryption software of choice. There still is hope that GnuPG will be turned into something that can catch on with the masses (just like there's hope, however faint, that things like GNOME and KDE will catch on with the masses).

    -Rob

    1. Re:Mixed feelings by smnolde · · Score: 3, Informative
      See winpt.org.

      I use it quite a bit to sign emails and the interface is pretty clean, too.

  3. It's a shame by WinterSolstice · · Score: 3, Interesting

    That a product as great as PGP is going under. I personally think that if it had stayed the way it was before the buyout, it would still be around. I wonder if something like this could eventually happen to /. or Gnome.

    This is the reason I am always concerned when a major company snatches up some cool new technology; they see it in major use by techs/geeks/etc, and think, "hey, with some good marketing...". They fail to understand what features matter to the original audience, fail to capture a new audience, and then drop the product.

    In the meantime, it strands people who used to like the product. I was a major PGP user since its inception. Now, I can't stand the darned thing. I tried the Palm and Pocket PC versions, I tried the Windows versions. They added too many toys and widgets to a small, light application.

    Oh well. I hope the Gnu PGP clone keeps up.

    -WS

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  4. High Profile Use Case by SirSlud · · Score: 3, Insightful

    PGP encryption could use a nice high profile use case where its use saved the ass of someone the average joe could relate to.

    I really don't think that the average consumer is concerned about having their private messages intercepted. (The logic is usually: "I don't do anything bad. Hey, waitaminute. Why are /you/ so interested ... ?")

    That being said, I'm not surprised that it was difficult to find a buyer for them. The market really hasn't encountered the high profile case that justifies widespread deployment of PGP use. I think .. ?

    --
    "Old man yells at systemd"
    1. Re:High Profile Use Case by sammy+baby · · Score: 3, Informative

      A good use case would be a major bennie, but I think you're coming at it from the wrong end. PGP isn't just used to encrypt/decrypt messages. The canonical four tasks:

        • Encryption/Decryption (Shh! Don't tell anyone this!)
        • Tamper Detection (Dude. Did someone mess with this message?)
        • Authentication (Hey - who really wrote this?)
        • Nonrepudiation (Fess up. I know you wrote this.)

      Rather than looking for situations where PGP prevented someone from intercepting a communication - often very difficult to know ever happened - I'd be looking for case studies in which someone tried to tamper with a message and was foiled because of the PGP signature, or tried to forge a message... you get the idea.

  5. PGP is a joke by Dwonis · · Score: 3, Insightful

    Who cares? I stopped taking PGP seriously when NAI decided to stop releasing source code and expected me to 'just trust them' instead. Any crypto company that does that obviously knows nothing about security.

  6. What difference will it make? by maelstrom · · Score: 5, Funny
    It's not like there is highspread usage of PGP/GPG anyway. I have been trying to use PGP ever since Phil Zimmermann was still coding on it himself, but I've never been able to convince any of my friends to use it often enough to make it useful.

    I'm glad the option is there, and I know it's done a lot of good in a lot of places, but even using e-mail encryption automatically draws attention to yourself. It would be far better if everyone used it for every e-mail they sent. It would be great if keysigning and verification was a normal event in meatspace, but it just isn't to be. How is it that SSH and OpenSSH became so widespread but PGP and GPG haven't?

    I think it's because PGP and GPG have such a sucky interface. It takes me forever to read the manual every time, and the integration with current mail programs sucks! Evolution seems to be fixing this and I know mutt and pine can support it, but it's just too much work to set up if no one else you e-mail can do it too!

    Is there any hope? I'd like to think so, but only if it becomes the default in hotmail and MS Outlook will it become widespread, and what are the odds of that? *sigh*

    --
    The more you know, the less you understand.
    1. Re:What difference will it make? by Boiling_point_ · · Score: 5, Insightful
      Is there any hope? I'd like to think so, but only if it becomes the default in hotmail and MS Outlook will it become widespread, and what are the odds of that?

      That's the trouble with encryption, and security in general. It takes effort to be secure. You can trust an algorithm with your life, but do you trust the piece of software you installed on the computer you assembled out of parts you bought off the shelf? Sadly, strong encryption built as a default into something like Outlook might cause more trouble than it's worth, in misplaced trust.

      Most Outlook users wouldn't know how to tell if their private key had been compromised by some email malware. If they're using email for tasks that SHOULD be kept private because they trust that Outlook will make it safe, then where will we be?

      --
      "If you create user accounts, by default, they will have an account type of Administrator with no password." KB Q293834
    2. Re:What difference will it make? by Foxman98 · · Score: 3, Insightful

      Can't agree with you more. I set up PGP/GPG for myself at one point in the past. Fact of the matter is, hardly anyone uses it. The reason for this? Simple - the average e-mail user is not aware of how open their e-mail really is. I remember explaining to a co-worker that their e-mail was readable to anyone in the world who really wanted to. After explaining this fact (the whole "don't write anything you wouldn't write on a postcard" theory) they still didn't seem to "get it". So I decided to show them. I had them send a message to another co-worker while dsniff was watching their machine. Should've seen the look on their face when they saw the e-mail displayed on my terminal. Point is - average user hears about, and knows that e-mail isn't entirely secure, but I don't think they realize just a) how insecure it is and b) how easy (and illegal) it can be to sniff it.

      --
      S.t.e.v.e.
    3. Re:What difference will it make? by Dr_Claw · · Score: 3, Interesting
      That's the trouble with encryption, and security in general. It takes effort to be secure.

      Absolutely. There are two huge problems. Firstly, it's easy to use things like PGP and set things up so that it's easily crackable. That requires knowledge (at all levels, from something as simple as making sure your private keys are only accessible by you, to the code using decent random generators).

      Secondly, you have to care about being secure all the time. One lapse and you're wide open. This is an even bigger sticking point for the masses. Just the other day I was ranting about certain programs (I won't go into which ones here), and for each one of my main reasons for not using them was security or privacy concerns. The person I was trying to convince noticed that and basically asked why that was a big deal. This kind of took me by surprise, and so I did a quick poll of other reasonably computer literate friends (they would all know about PGP for example). Sure enough, most of them do not care if files on their computer can be read, so long as damage isn't done to the PC, etc, etc. I don't understand it, but it appears people are like that.

      One random thought is that really email could do with a big overhaul. SMTP, email format, all kinds of aspects. Building encryption and authentication into that from the start would make things a hell of a lot cleaner and help make the above problems less of an issue. But sadly I think I'm dreaming that that will happen any time soon.

  7. Encryption Crackdown? by flipflapflopflup · · Score: 4, Interesting

    Maybe it smells a bit of conspiracy-theory, but this article at The Register opens the floor to the idea that NAI's decision isn't entirely due to commercial factors, and in fact looks a bit "fishy".

    Quite an interesting point - why would they give up on such a good product like this? And who could gain from them giving up a product like this?

  8. PGP app user interface by throwaway18 · · Score: 3, Interesting

    I've been an occasional user of PGP for years, first the DOS client then GPG on linux.

    A friend of mine tried to use the freeware NA windows version. He's a typical windows user and won't read instructions. After giving him a five minute talk saying "Other people use your public key to write messages to you, only you can read the message with your private key etc". Days later I call in at his house and he had not managed to use it. The user interface was horrible. Despite having used command line PGP for years and having a quick look at the help I couldn't find his keyring or work out how to use it from a quick look at the menus.

    I can't imagine what the staff working on PGP were doing, certainly not usability.

    There were three background processes running on his already unstable win98 machine popping up boxes demanding he type in his details and register. I think he reinstalled windows in the end. People who use PGP are generally a bit paranoid, annoying them by trying to make them register seems pointless.

  9. Email Integration with GnuPG by Dimwit · · Score: 5, Informative

    First, some kudos to the GnuPG team. I think this is one example of free software really taking over a given market. I only know of one person who uses the commercial version of PGP, and that's because his job requires it. Everyone else I know uses GPG.

    Now:

    For those of you lucky enough to be using MacOS X (go ahead and flame me - I've been using Unix for ten years, and MacOS X rox my sox), just grab a copy of GnuPG from Fink and install GnuPG.

    After that, grab a copy of PGPMail from Sente, and use the easy, one-drag install. It's still in beta, but it's damn nice integration.

    For reference, I'm running MacOS X 10.1.3. When I send an email to someone whose public key is in my keyring, I just click the button "Encrypt" before I click send. Voila. When I receive something encrypted, I have the option of having it automatically decrypt, or I just click "decrypt" in the toolbar. Very nice.

    --
    ...but it's being eaten...by some...Linux or something...
    1. Re:Email Integration with GnuPG by Random+Walk · · Score: 3, Interesting
      Sylpheed has good support for GnuPG, and is my favourite MUA on Linux.

      The drawback is: I would very much like to use the same e-mail client on Linux and Windows, but sylpheed is only theoretically cross-platform. On ftp.gnupg.org, there is a w32 build of sylpheed 0.4.60 which is buggy like hell, and I have no idea how it was compiled (otherwise I would rebuild a newer version).

  10. Fatal Mistakes.... by CDWert · · Score: 3, Interesting

    Network Associates made a fatal mistake in my opinion, that singularly was to believe people are smart enough to ACTUALLY KNOW they need encryption.

    People in general, I'm not talking slashdot techno geeks. Have NO clue WHATSOEVER that information can be snatched from the net. I have told people they have mail bouncing only to see them freak and become accusatory, HOW do You KNOW ?? You mean You could READ IT ? Blah Blah Blah, I look at em and say yeah but to be honest I could give a crap less what you write and to who. That usually tones em down a notch.

    BUT Back to the point, If someone doesn't KNOW there is a NEED then there is NO market for the product. If people don't buy it because they don't know there is a need can you blame em? If someone tried to sell you say an under the desk testicle shield for radiological effects from monitor transmission would you buy it? A few would, but most no. WHY? Because if there is no problem, the product COMPLETELY loses its perceived value.

    Now, that said they are in a bad market to try and pitch the inherent Insecurity of networks, being Network Associates and all...

    --
    Sig went tro...aahemmm.....fishing........
  11. Encryption and open source by pinkUZI · · Score: 5, Interesting

    Encryption is one of those things that goes really well with open source. PGP started out as Philip Zimmermann's free and open project which he released with a written warning against software that locked away its source code and algorithms. This makes it a little difficult to go back to closed source and proprietary encryption methods. The internet community's love affair with PGP was broken when Phil quit working with Network Associates. The trust wasn't with PGP alone, it was with Phil heading up PGP's development that drew the trust of us all.
    So, it's not too surprising that Network Associates is having a little trouble trying to pawn off a product that has no market.

    Exit PGP, enter GnuPG.

    --
    You are receiving this message because your browser supports Slashdot Sigs and you have Slashdot Sigs enabled.
  12. Smartcard support by nakhla · · Score: 4, Informative

    One of the coolest things about the latest version of PGP (Corporate Desktop, I believe) is its support for smartcards. I have a Rainbow iKey, but it's pretty much useless for personal use because I don't have a certificate compatible with the device. With the newest version of PGP I could store PGP certs/keys on my iKey. It would be great if this kind of support was built into GnuPG. I'd LOVE to be able to use my iKey for PGP on Linux or for token-based authentication.

  13. Encryption and the masses by EschewObfuscation · · Score: 5, Insightful

    There are, IMHO, two things that keep the average email user from using encryption:

    First, it has to be absolutely transparent. It can't put more of an overhead on a standard email send-and-receive than already exists. Key management would have to become at least as easy as address book management (say, having addresses and keys automatically integrated into your keyring). While this would present a security hole, most users aren't going to want to go and verify keys. They're also not going to want to type their password every time they send an email. Most users of apps like Outlook just store their passwords on their PCs anyway, because they can't be bothered logging in once per session (ever deal with someone who didn't remember their password because they never type it in anymore?). IIRC, PGP had several of these features, but with some apps you still had to encrypt to the clipboard and then paste the encrypted message back into your document.

    Second, to even get people to do this minimum, and to demand it in products, they have to see the need for it. Phil put it best, I think, when he drew an analogy in the docs for PGP. I can't remember the exact wording, but it was something along the lines of "So you're not saying anything illegal. What would you think if the government outlawed envelopes, and all mail had to be sent on postcards?"

    Most people don't believe how easy it is to read email, because they have no idea how to go about it. Instead, they shrug and say that they don't care. If instead you ask them how they'd feel about having all of their corporate correspondence and private letters going out on postcards, they'd think twice, and (hopefully) bite the bullet and start using something like PGP. There can be a huge market for applications like PGP, but it has to be sold to people with the right message, and it has to, even at the expense of some security (and yes, I realize the implications of that, and know the argument that no security is better than flawed security), be easy to use.

    --

    (email addr is at acm, not mca)
    We are Number One. All others are Number Two, or lower.
    --The Sphinx
    1. Re:Encryption and the masses by Xofer+D · · Score: 3, Insightful
      I know I've been looking for a mail app with just these features that runs on Windows (and hopefully Linux too). I'm a competent Linux and Windows user, and I have no trouble using PGP on Windows with my Mozilla mailer. On Linux, it takes me significant time to copy and paste together an encrypted - or even just signed - message.

      I don't think that there's a good reason to think that making PGP easier to apply to email would make it less secure:

      • Taking the PGP model as an example, we could simply bind a hotkey to the copy-EncryptClipBoard-paste operation.
      • Alternately, we could modify our mailers to include "encrypt" and "sign" buttons right next to the "send" button.
      • The problem with authentication could be solved by an icon displaying the level of trust the user may place in the key - highest if the user has typed it in manually and has explicitly indicated trust, lower for implicit trust, and very low for automatically found keys
      • There are already public key databases (which the NAI PGP client hooks into, I might add) which could be queried to decrypt or check signatures (see above re: trust levels) automatically. Making this transparent would significantly aid the spread of PGP use.
      As you can probably tell, I feel kind of strongly about this - I even convinced my mother to use the PGP suite (although it turned out that the old version I gave her crashes her Win2k machine). I'd seriously consider working on the project, but I know I couldn't do it alone, and there are limited numbers of free choices for Windows (which I think it's crucial to get this working on). This is something I'd love to see integrated into the Mozilla mailer, but I don't want to suggest it while they're bug-hunting for 1.0!

      I'd love to hear advice as to how I can help this to happen, or find it already sitting around.

      --
      The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
    2. Re:Encryption and the masses by stapedium · · Score: 3, Interesting

      The problem with Phil's analogy to e-mail being like a postcard is that 99% of the time I use e-mail I would have no problem putting on a post card. And for the 1% of stuff I wouldn't normally put on a postcard...well, I'm just too lazy to set it up on every machine I use to send e-mail and convince all my contacts to use it and manage keys for everyone I send e-mail to, and end up revoking and re-exchanging keys every time someone on a Win9X lets another person have physical access to their machine. This was the whole problem with the web of trust concept in the first place. The complexity of managing your trusted contacts (revoking certs, multiple certs for a contact, keeping your cert with you at all times) grows exponentially (or maybe worse).

      Besides, if 99.9% of the mail coming into my mailbox at home was postcards, I would probably send more postcards and not worry about it. The whole reason the postcard argument works is not real concern for privacy, but comfort with cultural customs. This is also why secure e-mail will never catch on for Junior sending a message to grandma. Where it will and has caught on is in security-conscious businesses such as medical records where encryption of electronic correspondence with patients is now required by law (do a search of HIPAA to see all the headaches this is causing).

    3. Re:Encryption and the masses by DrXym · · Score: 4, Informative
      Actually there are several straightforward ways to get encryption to the masses without requiring them to think about whether they need it much.
      1. Use Plain English to describe encryption. Make analogies to envelopes and stuff. Don't blabber on about S/MIME or other gibberish.
      2. Integrate encryption into the mail program. Seamlessly and visibly. S/MIME support in most email programs is too complicated.
      3. Make generating a key easy, a question while setting up an account. None of the current rigmarole of having to give your life history to Verisign or whoever for some worthless uncertified key which expires in 6 months.
      4. Make key exchange on by default. Automatically insert an X-pgp-key-id header or somesuch into each mail sent out. Scan for this header in received mail and add to the address book entry by default.
      5. Make encryption the default behaviour when you have the key for someone you're sending to.
      6. Encourage e-tailers such as Amazon to put an "Encrypt your order details" checkbox on their order screens.

      Most people would happily use encryption if it happened automatically and painlessly. The current problems arise because PGP is not integrated and S/Mime frankly sucks, having an overly complicated UI, difficulty getting a key and is dog slow to boot.
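
Added example (not part of the thread, and not code from any mail client): a Python illustration of the header-based key exchange in item 4 above, combined with the trust levels proposed in Xofer D's earlier reply. The key-ID format, the class and function names and the sample messages are assumptions constructed for illustration; because the From line and the header are unauthenticated, a learned key gets the lowest trust level and a changed key is recorded as a conflict instead of replacing the stored one.

```python
"""Header-based key discovery with trust levels (added illustration)."""
import re
from email import message_from_string
from email.utils import parseaddr
from enum import IntEnum

HEADER = "X-pgp-key-id"  # header name suggested in the comment above
# Assumption: the value is a 16-hex key ID or 40-hex fingerprint, optional 0x.
KEY_ID_RE = re.compile(r"(?:0x)?([0-9a-f]{16}|[0-9a-f]{40})", re.I)

# Constructed sample key IDs, not real keys.
KEY_A = "1111222233334444"
KEY_B = "AAAABBBBCCCCDDDD"


class Trust(IntEnum):
    AUTO = 1      # learned from an unauthenticated mail header
    IMPLICIT = 2  # e.g. vouched for by a key the user already trusts
    EXPLICIT = 3  # user entered the key and marked it trusted


class AddressBook:
    def __init__(self):
        self.entries = {}    # address -> (key_id, Trust)
        self.conflicts = []  # (address, stored_key, offered_key)

    def set_manual(self, address, key_id, trust=Trust.EXPLICIT):
        self.entries[address.lower()] = (key_id.upper(), trust)

    def learn(self, raw_message):
        """Scan one received message; return what was done with its header."""
        msg = message_from_string(raw_message)
        address = parseaddr(msg.get("From", ""))[1].lower()
        values = msg.get_all(HEADER) or []
        if not address or len(values) != 1:
            return "ignored"  # no sender, no header, or ambiguous duplicates
        match = KEY_ID_RE.fullmatch(values[0].strip())
        if not match:
            return "ignored"  # malformed value is never stored
        offered = match.group(1).upper()
        known = self.entries.get(address)
        if known is None:
            self.entries[address] = (offered, Trust.AUTO)
            return "added"
        if known[0] == offered:
            return "unchanged"
        # A different key for a known sender: keep the stored key, flag it.
        self.conflicts.append((address, known[0], offered))
        return "conflict"

    def key_for_encryption(self, address, min_trust=Trust.AUTO):
        """Key to encrypt to by default, or None if the user must decide."""
        address = address.lower()
        entry = self.entries.get(address)
        if entry is None or entry[1] < min_trust:
            return None
        disputed = any(c[0] == address for c in self.conflicts)
        if disputed and entry[1] == Trust.AUTO:
            return None  # header-learned key was contradicted: stop auto-use
        return entry[0]


def sample_mail(sender, key_id):
    """Build a constructed test message carrying the key header."""
    return f"From: {sender}\nSubject: hello\n{HEADER}: {key_id}\n\nbody\n"


def demo():
    book = AddressBook()
    book.set_manual("bob@example.org", KEY_A)  # verified by the user
    results = [
        book.learn(sample_mail("Alice <alice@example.org>", "0x" + KEY_A)),
        book.learn(sample_mail("Alice <alice@example.org>", KEY_B)),
        book.learn(sample_mail("bob@example.org", KEY_B)),
    ]
    return (results,
            book.key_for_encryption("alice@example.org"),
            book.key_for_encryption("bob@example.org"))


if __name__ == "__main__":
    print(demo())
```
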
  14. pgp and key lengths by cluge · · Score: 3, Interesting

    Maybe CAI didn't want to keep improving the product. DJB's crypto paper and methodology shows that any key less than 1024 can be "easily" cracked. CAI would have had some more work to do on their product (just as I'm sure the GNUPG team is reconsidering the approaches they are using).

    Finding the people to verify PGP is secure and proving that any new method of encryption is secure takes money, and since many people still consider zipping a file up with a password as "strong encryption" there was no market for it.

    To think, not too long ago the US govt. was complaining that the world would end if we all had encryption. As it turns out, few cared enough to use it.

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  15. Biometrics are not revocable by petej · · Score: 3, Informative

    Suppose someone finds an exploit in the device that does your retinal scan. Your admins must now deny your retinal scan credentials, and you have to switch to the other eye (presuming you have a spare). If that credential is compromised as well, you're completely out-of-luck.

    With a passphrase-based system, by contrast, you can just change your passphrase as needed.

  16. NAI didn't sell all of PGP by Rahtok · · Score: 5, Informative

    Guys, everybody here is missing what really happened here. About a year and a half ago, NAI separated the command line product from the GUI desktop product. NAI discovered that people will pay a large chunk of change for scriptable, command line stuff, and that they almost had to give away the GUI version. When they dissolved the business unit last October, they decided to KEEP the command line version [the McAfee biz unit sells it now, for the same large chunk of $$$] but were trying to sell off the GUI version. Now, riddle me this, riddle me that, how do you sell the GUI version to another company when the command line version you're keeping USES THE SAME CODE?! That's why NAI couldn't sell it -- no company wanted to pick up a product that NAI was going to keep the core product to. I know because I worked for NAI in the PGP division.

    It all is a big shame too. The last version, 7.1, was cool. It was stable, had an IPSEC client that could talk to pretty much any VPN gateway out there in addition to creating peer to peer IPSEC tunnels with other PGP clients as well. A mini firewall / IDS rounded it out. Frankly, companies just aren't paranoid enough to require that level of encryption yet. And until that happens, no commercial product is likely to succeed in this arena.

  17. NA made PGP into bloatware! by SomethingOrOther · · Score: 4, Informative

    it comes with some nice extras such as a very nice firewall

    And that is partly the reason nobody bought it.
    PGP evolved into a nice e-mail encryption program. NA added so much crap to this (VPN that hardly worked, Firewall, hard drive encryption) they forgot their core market..... secure E-MAIL and convincing people that it was necessary!
    (In a corporate environment, people already have firewalls etc... NA just made PGP more complex)

    I actually bought a version of PGP Personal Security 7.0.3
    YTC !!!
    NA never published the source code for version 7. That was the reason Phil Zimmermann left NA.
    Version 6.5.8 could be downloaded as freeware and is every bit as compatible!

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
  18. Bollocks! PGP has option for corporate key escrow! by SomethingOrOther · · Score: 3, Insightful

    you can't deploy it in a corporate environment.

    You ARE wrong! Read this about which PGP version to use.

    Here is a cut 'n' paste of the interesting bit....

    The Business versions allow you to set up how PGP will be used throughout an organization, and also allow for use of an Additional Decryption Key (ADK); but do not really include anything of additional value to an individual user. The ADK is just a master key used by an organization that all of its email/files is also encrypted to, so that if someone leaves the organization, there will still be access to his/her encrypted files - It has absolutely nothing to do with concepts such as government key recovery.

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
  19. Marketing blunder! by dcavanaugh · · Score: 3, Insightful

    PGP is a nifty little package for encrypting files & e-mail. If it had been sold as a nifty little package at a low price, NAI would not be looking to dump it.

    I played with PGP when it was freeware. In a pilot project, I exchanged office gossip with a co-worker to see if ordinary people could use it effectively for secure e-mail communications. It worked quite well, but we didn't have a pressing need for the technology so deployment went nowhere.

    Years later, I'm at a different company and now I have a use for it. I visit NAI to see if I can buy just the basic file & e-mail encryption. I discover all they really want to sell is the entire PGP Desktop bundle, for a price that IMHO far exceeds what basic encrypted e-mail should be worth. Eventually, I managed to buy the basic package, but only after making phone calls and finding a reseller who could do such a thing. The licensing complexities of the whole process were as if I was buying a nuclear reactor! Had this been an easier process, I might have deployed it on hundreds of PCs, instead it's only a handful.

    I am the customer; I am always right. I want an easy-to-buy, easy-to-use, cheap-to-deploy package that encrypts the 5% of my users' e-mail & files that are worthy of encryption. NAI could have marketed PGP successfully to a high percentage of business and home PC owners, but for whatever reason they chose to go after the ultra-paranoid, encrypt-everything, price-is-no-object crowd instead. PGP is a great product; better management could have made it profitable. Maybe someone will buy the product and figure out how to broaden its appeal.

  20. Use PGP CKT by Constrain_Me · · Score: 4, Informative

    I don't believe someone hasn't posted this. I use PGP CKT and am VERY happy with it. It is built off of the last version of PGP that came with the source (6.5.8 Desktop Security, if I'm not mistaken), and they are currently on their 6th build (Build 07, which will fix XP problems, is in Beta).

    PGP CKT comes fully loaded with PGPDisk, and PGP4ICQ, and the plugins for Outlook/Outlook Express, I'm not sure about PGPNet, I don't use it.

  21. NAI Privacy Policy by AntiNorm · · Score: 3, Informative

    I was just about to download the freeware version of PGP last night when, in response to the mandatory registration, I read their privacy policy. Things like "We may also carefully select other companies to send you information about their products and services." caught my attention. Basically, they sell your information and require you to contact them to prevent this from happening. No, there isn't a 'please do not share this information' checkbox.

    That doesn't look like much of a privacy policy to me. Hence the reason I didn't proceed.

    --

    I pledge allegiance to the flag...
    of the Corporate States of America...