Network Associates Gives Up Search for PGP Buyer
nakhla writes: "I came across this article which states that Network Associates has given up the search for a buyer for its PGP division. The company has laid off 18 workers, and plans to continue to maintain the product for one year. It's a good thing that there are still products like GnuPG and others out there for people who need cheap, reliable encryption."
I've got mixed feelings about this. On the one hand, PGP was revolutionary and is probably one of the main reasons encryption is as free and available today as it is. If Phil hadn't released that (at the expense of considerable suffering), I suspect that the governments of the world would have been able to clamp down on encryption big time, and all of us law abiding types would take it as an axiom that none of us really need anything like that, only terrorists do. It's sad to see the company that was carrying that torch give up on it. I fear this is just one more indication that personal encryption of e-mail and such isn't really going to catch on with the masses.
On the other hand, NAI's not been a perfect angel. Phil left them because of differences about releasing (if memory serves) source code-- not because Phil is an open source advocate per se, so much as for reasons of being able to verify the security. And, myself, I'm an open source geek and have been using GnuPG for quite some time as my encryption software of choice. There still is hope that GnuPG will be turned into something that can catch on with the masses (just like there's hope, however faint, that things like GNOME and KDE will catch on with the masses).
-Rob
I'm glad the option is there, and I know it's done a lot of good in a lot of places, but even using e-mail encryption automatically draws attention to yourself. It would be far better if everyone used it for every e-mail they sent. It would be great if keysigning and verification was a normal event in meatspace, but it just isn't to be. How is it that SSH and OpenSSH became so widespread but PGP and GPG haven't?
I think it's because PGP and GPG have such a sucky interface. It takes me forever to read the manual every time, and the integration with current mail programs sucks! Evolution seems to be fixing this and I know mutt and pine can support it, but it's just too much work to set up if no one else you e-mail can do it too!
Is there any hope? I'd like to think so, but only if it becomes the default in hotmail and MS Outlook will it become widespread, and what are the odds of that? *sigh*
The more you know, the less you understand.
First, some kudos to the GnuPG team. I think this is one example of free software really taking over a given market. I only know of one person who uses the commercial version of PGP, and that's because his job requires it. Everyone else I know uses GPG.
Now:
For those of you lucky enough to be using MacOS X (go ahead and flame me - I've been using Unix for ten years, and MacOS X rox my sox), just grab a copy of GnuPG from Fink and install GnuPG.
After that, grab a copy of PGPMail from Sente, and use the easy, one-drag install. It's still in beta, but it's damn nice integration.
For reference, I'm running MacOS X 10.1.3. When I send an email to someone whose public key is in my keyring, I just click the button "Encrypt" before I click send. Voila. When I receive something encrypted, I have the option of having it automatically decrypt, or I just click "decrypt" in the toolbar. Very nice.
...but it's being eaten...by some...Linux or something...
Encryption is one of those things that goes really well with open source. PGP started out as Philip Zimmermann's free and open project which he released with a written warning against software that locked away its source code and algorithms. This makes it a little difficult to go back to closed source and proprietary encryption methods. The internet community's love affair with PGP was broken when Phil quit working with Network Associates. The trust wasn't with PGP alone, it was with Phil heading up PGP's development that drew the trust of us all.
So, it's not too surprising that Network Associates is having a little trouble trying to pawn off a product that has no market.
Exit PGP, enter GnuPG.
You are receiving this message because your browser supports Slashdot Sigs and you have Slashdot Sigs enabled.
There are, IMHO, two things that keep the average email user from using encryption:
First, it has to be absolutely transparent. It can't put more of an overhead on a standard email send-and-receive than already exists. Key management would have to become at least as easy as address book management (say, having addresses and keys automatically integrated into your keyring). While this would present a security hole, most users aren't going to want to go and verify keys. They're also not going to want to type their password every time they send an email. Most users of apps like Outlook just store their passwords on their PCs anyway, because they can't be bothered logging in once per session (ever deal with someone who didn't remember their password because they never type it in anymore?). IIRC, PGP had several of these features, but with some apps you still had to encrypt to the clipboard and then paste the encrypted message back into your document.
Second, to even get people to do this minimum, and to demand it in products, they have to see the need for it. Phil put it best, I think, when he drew an analogy in the docs for PGP. I can't remember the exact wording, but it was something along the lines of "So you're not saying anything illegal. What would you think if the government outlawed envelopes, and all mail had to be sent on postcards?"
Most people don't believe how easy it is to read email, because they have no idea how to go about it. Instead, they shrug and say that they don't care. If instead you ask them how they'd feel about having all of their corporate correspondence and private letters going out on postcards, they'd think twice, and (hopefully) bite the bullet and start using something like PGP. There can be a huge market for applications like PGP, but it has to be sold to people with the right message, and it has to, even at the expense of some security (and yes, I realize the implications of that, and know the argument that no security is better than flawed security), be easy to use.
(email addr is at acm, not mca)
We are Number One. All others are Number Two, or lower.
--The Sphinx
Guys, everybody here is missing what really happened here. About a year and a half ago, NAI separated the command line product from the GUI desktop product. NAI discovered that people will pay a large chunk of change for scriptable, command line stuff, and that they almost had to give away the GUI version. When they dissolved the business unit last October, they decided to KEEP the command line version [the McAfee biz unit sells it now, for the same large chunk of $$$] but were trying to sell off the GUI version. Now, riddle me this, riddle me that, how do you sell the GUI version to another company when the command line version you're keeping USES THE SAME CODE?! That's why NAI couldn't sell it -- no company wanted to pick up a product that NAI was going to keep the core product to. I know because I worked for NAI in the PGP division.
It all is a big shame too. The last version, 7.1, was cool. It was stable, had an IPSEC client that could talk to pretty much any VPN gateway out there in addition to creating peer to peer IPSEC tunnels with other PGP clients as well. A mini firewall / IDS rounded it out. Frankly, companies just aren't paranoid enough to require that level of encryption yet. And until that happens, no commercial product is likely to succeed in this arena.