Network Associates Gives Up Search for PGP Buyer

nakhla writes: "I came across this article which states that Network Associates has given up the search for a buyer for its PGP division. The company has laid off 18 workers, and plans to continue to maintain the product for one year. It's a good thing that there are still products like GnuPG and others out there for people who need cheap, reliable encryption."

Mixed feelings

[rknop]

I've got mixed feelings about this. On the one hand, PGP was revolutionary and is probably one of the main reasons encryption is as free and available today as it is. If Phil hadn't released that (at the expense of considerable suffering), I suspect that the governments of the world would have been able to clamp down on encryption big time, and all of us law abiding types would take it as an axiom that none of us really need anything like that, only terrorists do. It's sad to see the company that was carrying that torch give up on it. I fear this is just one more indication that personal encryption of e-mail and such isn't really going to catch on with the masses.

On the other hand, NAI's not been a perfect angel. Phil left them because of differences about releasing (if memory serves) source code-- not because Phil is an open source advocate per se, so much as for reasons of being able to verify the security. And, myself, I'm an open source geek and have been using GnuPG for quite some time as my encryption software of choice. There still is hope that GnuPG will be turned into something that can catch on with the masses (just like there's hope, however faint, that things like GNOME and KDE will catch on with the masses).

-Rob

Lots of products left allright, but easy to use?

[pmsr]

Not in your wildest dreams. PGP Desktop was as easy as it gets.

/Pedro

Email Integration with GnuPG

[Dimwit]

First, some kudos to the GnuPG team. I think this is one example of free software really taking over a given market. I only know of one person who uses the commercial version of PGP, and that's because his job requires it. Everyone else I know uses GPG.

Now:

For those of you lucky enough to be using MacOS X (go ahead a flame me - I've been using Unix for ten years, and MacOS X rox my sox), just grab a copy of GnuPG from Fink [sf.net] and install GnuPG.

After that, grab a copy of PGPMail [sente.ch] from Sente, and use the easy, one-drag install. It's still in beta, but it's damn nice integration.

For reference, I'm running MacOS X 10.1.3. When I send an email to someone whose public key is in my keyring, I just click the button "Encrypt" before I click send. Voila. When I receive something encrypted, I have the option of having it automatically decrypt, or I just click "decrypt" in the toolbar. Very nice.

Re:Mixed feelings

[smnolde]

See winpt.org [winpt.org].

I use it quite a bit to sign emails and the interface is pretty clean, too.

Smartcard support

[nakhla]

One of the coolest things about the latest version of PGP (Corporate Desktop, I believe) is its support for smartcards. I have a Rainbow iKey, but it's pretty much useless for personal use because I don't have a certificate compatible with the device. With the newest version of PGP I could store PGP certs/keys on my iKey. It would be great if this kind of support was built into GnuPG. I'd LOVE to be able to use my iKey for PGP on Linux or for token-based authentication

Re:High Profile Use Case

[sammy baby]

A good use case would be a major bennie, but I think you're coming at it from the wrong end. PGP isn't just used to encrypt/decrypt messages. The canonical four tasks:

1. • Encryption/Decryption (Shh! Don't tell anyone this!)
   • Tamper Detection (Dude. Did someone mess with this message?)
   • Authentication (Hey - who really wrote this?)
   • Nonrepudiation (Fess up. I know you wrote this.)

Rather than looking for situations where PGP prevented someone from intercepting a communictation - often very difficult to know ever happened - I'd be looking for case studies in which someone tried to tamper with a message and was foiled because of the PGP signature, or tried to forge a message... you get the idea.

Re:Sad..

[Anonymous Coward]

There are open source versions of PGP compatible with the commercial products. Try here http://www.pgpi.org/ and in particular here http://www.pgpi.org/download/gnupg/

Re:Email Integration with GnuPG

[cmason]

The email client Mulberry also has the ability to automatically encrypt, sign and decrypt, and has for some time now.

Check it out at http://www.cyrusoft.com/mulberry/ [cyrusoft.com]. It is payware, but it's a damn nice email client. Works on Windows, Mac, MacOS X, Linux, and, I believe, Solaris.

-c

Re:Sad..

[mhyclak]

I'd encourage you to switch to an open source project such as GnuPG just out of principle, but I do believe it can also interact with PGP encrypted things (to certain limitations... see the GnuPG FAQ [gnupg.org] on the subject. Basically if it's implementing OpenPGP, GnuPG can read it.

Re:Mixed feelings

[wafath]

Take a look at http://www3.gdata.de/gpg/ [gdata.de]. It's in German. Use Google [google.com] to translate.

It's beta, but if you use Outlook, it seems to do the job very nicely. If you go to the GPG page, there is also a link for another program that is a plug in for outlook express.

W

Biometrics are not revocable

[petej]

Suppose someone finds an exploit in the device that does your retinal scan. Your admins must now deny your retinal scan credentials, and you have to switch to the other eye (presuming you have a spare). If that credential is compromised as well, you're completely out-of-luck.

With a passphrase-based system, by contrast, you can just change your passphrase as needed.

NAI didn't sell all of PGP

[Rahtok]

Guys, everybody here is missing what really happened here. About a year and a half ago, NAI separated the command line product from the GUI desktop product. NAI discovered that people will pay a large chunk of change for scriptable, command line stuff, and that they almost had to give away the GUI version. When they dissolved the business unit last October, they decided to KEEP the command line version [the McAfee biz unit sells it now, for the same large chunk of $$$] but were trying to sell off the GUI version. Now, riddle me this, riddle me that, how do you sell the GUI version to another company when the command line version you're keeping USES THE SAME CODE?! That's why NAI couldn't sell it -- no company wanted to pick up a product that NAI was going to keep the core product to. I know because I worked for NAI in the PGP division.

It all is a big shame too. The last version, 7.1, was cool. It was stable, had an IPSEC client that could talk to pretty much any VPN gateway out there in addition to creating peer to peer IPSEC tunnels with other PGP clients as well. A mini firewall / IDS rounded it out. Frankly, companies just aren't paranoid enough to require that level of encryption yet. And until that happens, no commercial product is likely to succeed in this arena.

NA made PGP into bloatware!

[SomethingOrOther]

it comes with some nice extras such as a very nice firewall

And that is partly the reason nobody bought it.
PGP evolved into a nice e-mail encryption program. NA added so much crap to this (VPN that hardly worked, Firewall, hard drive encyption) they forgot there core market..... secure E-MAIL and convincing people that it was nessisary!
(In a corperate enviroment, people alredy have firewalls etc... NA just made PGP more complex)

I actually bought a version of PGP Personal Security 7.0.3
YTC !!!
NA never published the source code for version 7. That was the reason Phil Zimmerman left NA.
Version 6.5.8 could be downloaded [pgpi.org] as freeware and is every bit as compatable!

What about S/MIME

[Anonymous Coward]

PGP is a good solution to email security. However, commercial software is mostly now using S/MIME, which is probably not less secure (if you use a good algorithm and reasonable-length keys). S/MIME is specified in a bunch of RFCs and is actively being extended and improved (see the IETF site [ietf.org] for details). You can get open-source code for it (e.g. it is part of Mozilla).

Use PGP CKT

[Constrain_Me]

I don't believe someone hasn't posted this. I use PGP CKT [ipgpp.com] and am VERY happy with it. It is built off of the last version of PGP that came with the source (6.5.8 Desktop Security, if i'm not mistaken), and they are currently on their 6th build (Build 07, which will fix XP problems is in Beta).

PGP CKT, comes fully loaded with PGPDisk, and PGP4ICQ, and the plugins for Outlook/Outlook Express, I'm not sure about PGPNet, I don't use it.

NAI Privacy Policy

[AntiNorm]

I was just about to download the freeware version of PGP last night when, in response to the mandatory registration, I read their privacy policy. Things like "We may also carefully select other companies to send you information about their products and services." caught my attention. Basically, they sell your information and require you to contact them to prevent this from happening. No, there isn't a 'please do not share this information' checkbox.

That doesn't look like much of a privacy policy to me. Hence the reason I didn't proceed.

Re:Encryption and the masses

[DrXym]

Actually there are several straightforward ways to get encryption to the masses without requiring them to think about whether they need it much.

1. Use Plain English to describe encryption. Make analogies to envelopes and stuff. Don't blabber on about S/MIME or other gibberish.
2. Integrate encryption into the mail program. Seamlessly and visibily. S/MIME support in most email programs is too complicated.
3. Make generating a key easy, a question while setting up an account. None of the current rigmarole of having to give your life history to Verisign or whoever for some worthless uncertified key which expires in 6 months.
4. Make key exchange on by default. Automatically insert a X-pgp-key-id header or somesuch into each mail sent out. Scan for this header in received mail and add to the address book entry by default.
5. Make encryption the default behaviour when you have the key for someone you're sending to.
6. Encourage e-tailers such as Amazon to put a "Encrypt your order details" checkbox on their order screens.

Most people would happily use encryption if it happened automatically and painlessly. The current problems arise because PGP is not integrated and S/Mime frankly sucks, having an overly complicated UI, difficulty getting a key and is dog slow to boot.