NAI to Sell Off PGP Product Line 305
An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."
Rats... Ship (Score:4, Interesting)
Re:Rats... Ship (Score:2, Insightful)
Causes (Score:5, Insightful)
The biggest potential users of this would have been the Slashdot types, and we're known for being fierce advocates of open-source and free (as in beer) software. The kind of "Why pay for something when you can write it yourself?" mentality is what helped kill it.
The people that are most concerned about encryption are those least willing to pay for it.
Re:Causes (Score:4, Insightful)
No, the people that are most concerned about encryption are paranoid enough not to trust commercial apps.
Re:Causes (Score:4, Interesting)
I see now the price is $179 per workstation on their website. Still pretty pricey for encryption.
Re:Causes (Score:3, Insightful)
MS would be smart to buy and bundle it w/ outlook but modify it a bit so it's not openpgp compatible.
Free software cannibalization and software cycle (Score:4, Interesting)
This will simply become part of the arithmetic commercial developers will have to deal with.
Re:Free software cannibalization and software cycl (Score:2, Insightful)
This isn't a story about encryption being denied to the masses or anything. It's about a company giving up an unprofitable product line because most people just use the free versions. And in case whoever marked this post as a troll hasn't noticed, there is a great deal of software within Ars' timeframe that is having exactly this kind of thing happening to it: free alternatives are starting to pop up.
Try to think of a commonly used commercial application that is not having a free equivalent currently being worked on. With a bit of searching, you won't find many. Indeed, free software is even becoming increasingly popular as more people are getting sick of dropping $100-700 on software per product. A comprehensive commercial software package these days can cost even more than the computer you bought to use the software on. Do you think even the rather clueless average user isn't going to notice that?
C'mon, are Slashdot moderators really this dumb?
Re:Causes (Score:3, Informative)
You're probably correct that many of the types who would be concerned enough with their privacy are geeks who would rather not pay for something they can get for free, it had a presense in corporate environments. I fought a huge battle at the company I used to work for to get PGP implemented at a departmental and later at the VP level.
One of the biggest initial issues was that people didn't understand it or the need for secrecy. Thankfully the group I was in had a need to periodically distribute root passwords and management was smart enough to realize that doing so in email was pretty darned dumb. Eventually I was able to get it adopted and we would encrypt a single message to the various people who needed to be able to read it. We also posted the encrypted file on our departmental webserver. It worked pretty well. When someone would leave the dept for whatever reason, we'd distribute the revoked key that was generated at the same time their key, change the password, and repost the file.
Another issue price. It was pretty difficult to get higher-level approval for the expenditure. We eventually snuck it in one license at a time, and later were able to buy licenses in bulk as my senior manager and later VP understood the issues and thought the solution was worth paying for.
Eventually an enterprise license was purchased. Unfortunately, the &*%($*%( lawyers wanted to force everyone to use escrowed keys. I'm not sure how it went elsewhere in the company, but we basically said 'sure', and kept using unescrowed keys for internal communications because 'root' is God's way of saying you have too much power.
PGP's support of key-escrow was the worst thing they could do IMO from the standpoint of trust, especially for those paranoid enough to be really up on the tech. I never fully trusted recent versions of PGP, and use GPG now.
My corporation tried to buy PGP... And couldn't. (Score:5, Interesting)
Umm, no. I work for a company that has our own symbol on /., one with a funky dropped 'e' in it. You might be able to figure out who we are. We tried to buy PGP for Unix to secure engineering data--we happen to be one of the largest Microsoft shops on the planet, but all the real work still gets done on Unix/Linux--and NAI wouldn't sell it to us. We were talking THOUSANDS of licenses, ubiquitous deployment to everyone, and they weren't interested in providing a Unix client of the current version.
So we're going to be using GPG.
Get this: NAI have also threatened major bad legal juju if we ever put any GPG-generated keys on their keyserver product, which we also had previously bought (along with hundreds of individual PGP licenses). Hello? If that's not a Microsoftesque move, I don't know what is.
They coulda made millions on our account. WE WANTED TO PAY THEM MILLIONS. Negotiations fell through. So now we're saving the millions and going to be supporting open source even though senior management is still not 100% clued into that this is a good thing.
Explains a lot ... (Score:2, Interesting)
We'll just have to stick to our normal encryption method - making our documents too boring for anyone to remain concious while they read them.
Re:My corporation tried to buy PGP... And couldn't (Score:2)
Re:Causes (Score:2)
Unfortunately, the support sucked very badly. THAT seems to be the real problem; it didn't exactly inspire confidence.
Note that we wouldn't have bought the commercial version without the existance of GPG and the OpenPGP RFC. This gave us the assurance that IF Network Associates went bust (or in this case just dumped PGP) that PGP itself would not disappear. Setting up an effective Corporate PGP infrastructure is not trivial.
Re:Causes (Score:2)
"The biggest potential users of this would have been the Slashdot types"
Slashdot types generally run Linux / Solaris / *BSD and have more sense than that run closed source security packages produced by NAI.
Come to think of it, most users here have an operating system that comes with GnuPG! Why would you bother using PGP at all?!?
Re:Causes (Score:2, Informative)
Encryption is offered as a basic part of Outlook. It's called S/MIME, and is fully integrated into the mailer (far more fully than PGP, as a plug-in, will ever be - the S/MIME support is completely transparent).
(I don't use Outlook, and never will, I'm just pointing out that it's had transparent crypto support in there for awhile. People don't use it because they couldn't be bothered, not because it's not there).
Re:Causes (Score:4, Informative)
First, no good security is transparent. At some point you, the user, have to create and share your own keys and verify that the keys you receive are valid (even with a web of trust, you have to correctly verify at least one other key to get into the loop).
I don't see how the certificates issued for Outlook users have any real trust built in. How did the Certificate Authority verify that the person requesting the key was really who they said they were-- and what about people with same or similar names? Even if they somehow verified the name, how do I know I've got the right "George Bush"?
Second, you still have to train people to understand the process and then to use it. If you tell them they have to fill out some long form just to get a certificate, they are likely to say "forget it", unless they have serious security needs-- in which case, they are hopefully not Outlook users in the first place.
Third, seriously, if secure email is your priority, why would you stack two or three proprietary, closed-source solutions one atop the other? Especially when there is an open source option available for both. Believe me, once you've generated your key for GnuPG on Linux and checked two simple options on KMail, the only non-transparent part of secure email is typing in your passphrase (and of course, obtaining and verifying other keys).
And then there's the problem of the fact that the Outlook security features did NOT use an existing standard for personal public key encryption-- PGP. Hopefully, Microsoft will buy them. Really. And integrate PGP into their mailer. That way the established crypto-using community and Outlook users can begin to interact in a meaningful way. I realize S/MIME is a "standard", but I've not seen it used at all... and the very limited uses for personal security that I've seen (even Slashdot didn't get it right when they ran interviews with Phil Zimmermann), all involved PGP, or the OpenPGP standard. I mean, the blink tag is/was a standard too, but...
Re:Causes (Score:3, Insightful)
PGP's key distribution mechanism is better -- you can (in theory) communicate with someone you don't know by just retrieving the key from the server and checking the chain of trust. In practice, however, you often don't actually have a chain of trust to the person, since only a couple of his friends have signed his key. With the built-in S/MIME, if you don't have someone's certificate in your address book, you need to get it from them directly.
Getting a S/MIME cert signed by one of the CA's preinstalled in Windows does involve some security. It need not be much -- e.g. thawte.com offers free certificates that are valid for one year and identify nothing more than your email address. For a modest fee and some bureaucracy, your name can be slapped on to your cert.
The built-in S/MIME's big failing is the terrible documentation and the highly complex security model -- the user will have to expend much more effort to actually use it securely. For example, very little guidance is given when you're creating your keys with the wizard. You're asked to pick from three security levels which. If you pick the lowest level, your keys are available for programs to perform signing and decrypting operations automatically, without your intervention. If you pick the intermediate level, you are asked to confirm operations (a dialog box pops up saying "An application is requesting access to a Protected item."; in the Details you can see the name of the executable but no more information is offered). Only if you pick the highest level do you get to enter a pass phrase to protect the key. Backing up your keys is not clearly explained, and understanding the escrow features seems to require a good understanding of the Win2k security model, and I never bothered.
And of course the built-in S/MIME encryption is a Microsoft security product built on top of Microsoft's security services in a Microsoft Windows environment, so you're always one Nimda away from sending out your client's business requirements to all your other clients anyway. What would be really great would be S/MIME support in one of the better Unix MUA's, with a freely available key certification authority (verifying the email address only would be sufficient) and keyserver network.
So They Buy It, Close It Off, Then Axe It? (Score:2)
Re:So They Buy It, Close It Off, Then Axe It? (Score:2)
Check their Web site and you'll find a few simplistic FAQs that reveal nothing you didn't already know and some Forums that are ignored by NAI staff.
I wonder... (Score:2)
But doesn't Osama know... the download page specifically says for US residents only!
Re:I wonder... (Score:2)
What I find amazing... (Score:4, Insightful)
1) Source code to most versions of PGP is available and published internationally on many sites. If a terrorist wants PGP, and PGP has been discontinued, he can just download a binary from one of these foreign servers, or get someone computer literate to compile this source code for him. It's already in the wild on the net, and spread to servers in nearly every free or partially free nation; it will never disappear now.
2) Since the source code is available for even some very recent versions, overseas programmers will pick it up and improve it and release newer builds for newer OSes if it is discontinued or shown to have backdoors.
3) GPG is arguably just as good, plus it's truly Free and GPLed. It's not as shiny, but makes a good drop-in replacement for most people, terrorists included. And again, GPG is "in the wild" and not going to disappear from the Net even if the U.S. and half the world outlaw strong encryption, and since the source code is there people will hack on it and improve it, even if only overseas people.
4) Contrary to the beliefs of the ignorant, the U.S. is not so much more advanced than other countries that no other people from overseas can write strong encryption products as good as ours. Encryption is universal math, not American voodoo. In fact, the best symmetric encryption product currently comes from the U.K., Scramdisk. If America and the U.K. were to ban encryption, any country with competent mathematicians and programmers could take the lead.
5) Encryption is based on well-documented and easily available math, and many proven algorithms are already published and cryptanalyzed and shown to be secure enough. Even if by some extraordinary miracle all traces of encryption products and source code were wiped from the Net by the unprecedented cooperation of every nation on Earth--something truly impossible--people like Osama could hire any competent mathematician and programmer to write a decent encryption product using a proven cipher and simple calls. As long as it's kept simple and uses proven ciphers, it would likely be as secure as PGP or GPG or Scramdisk.
So, it doesn't really matter what the download page says, or if it bothers to ask, or even if the U.S. were to enact the most Draconian encryption legislation tomorrow. PGP is nothing special. Its key functionality has already been duplicated in GPG and can be duplicated again and again by any number of competent non-U.S. residents. Therefore it doesn't matter who can download it, since they can get their hands on encryption technology that's just as strong.
Re:What I find amazing... (Score:2)
One Time Pads (Score:2)
The making of one time pads isn't a big deal at all compared with the distribution problem. A tv tuned to a blank station and a video capture card would be an inexhaustible source of truly random data. Just strip the headers from the compressed frames. If one is feeling really frisky the sampled tv data could be used to seed pseudorandom algorithms as well. This would remove any identifiable quirks of the natural random number source. The data from the tv will be random but still may adhere to some type of bell shaped curve that would look like it's bandpass response. Individual bytes would be unpredictable but enough of them would tell you something about that tv+card combo anyway....so mix em up a little.
No one buys it because (Score:2, Insightful)
Banks,
Governments,
Military,
Terrorists,
Other criminals,
12 year old girls writing in their diaries,
and?
The whole point of technology and the push of civilization has been the dissemination of information and ideas. Encryption runs so much against this concept that it's no wonder that people both don't understand its necessity and don't want it.
What other outcome could have been expected, selling such a product?
Re:No one buys it because (Score:2, Insightful)
Re:No one buys it because (Score:2)
Well I use it (PGP on the mac, and GPG on the ol' Linux) to encrypt all my private files, which include bank accounts, credit cards, love letters, files of passwords, sensitive data from clients that would rather not have the info public.. then I use rsync and copy them to remote computers (with the owner's permissions of course). That's how I've been doing all my backups for a while now.
Re:No one buys it because (Score:5, Informative)
Government has shown time and again that it cannot be trusted not to eavesdrop without warrant and cause, whenever it thinks it can get away with it. The infamous FBI bugging of Martin Luther King and just about everyone else with political clout comes to mind. It was little more than thirty years ago, too, so don't complain my example is outdated. Or how about the recent study which found over 2,000 illegal, unwarranted wiretaps were performed last year? And that's just the ones we found out about after the fact.
The dissemination of information and ideas is one thing. Not leaving people alone long enough to gether information and form ideas, without fear of the Secret Police wondering why we're looking at that particular information and forming those particular ideas that it may not like, is a potential downfall of civilization.
Civilization is only advanced where ideas, even new and very jarring ones, are permitted to flourish. Today Socrates is considered to be the bedrock of all Western philosophy, since his pupil Plato wrote all the founding philosophical explorations. But recall that in his own time his ideas, nearly universal in the West today, were considered dangerous and he was executed for expressing them by the then-most-free society in existence, the birthplace of Democracy, Athens.
Encryption is the only way to express ideas without fear of reprisal by regimes which are not on the cutting edge of human rights, much as the U.S. is not. It is the sole way to protect one's privacy with any certainty from arbitrary invasions. Therefore we would do well to promote encryption, as a way to ensure that our rights are protected and respected. I trust myself to protect my rights with encryption, more than I trust the FBI, ATF, DOJ, etc., to do so with empty platitudes. And on this point I am in the company of George Washington, Thomas Jefferson, James Madison, and James Monroe--I'll take them to John Ashcroft, Janet Reno, the FBI and ATF agents who murdered innocent people at Ruby Ridge, and their ilk, any day.
Re:No one buys it because (Score:2)
Fourth Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The Fourth Amendment has been interpreted to include snailmail and phone conversations. I see no reason why email should be different, yet because my government seems to hold a different view I use encryption.
To insinuate that a private citizen other than a 12-year-old girl would have no use for encryption unless they were a terrorist or a criminal is just plain stupid, not to mention irrelevant. It doesn't matter if the content of my letters is boring and trivial, I still have a right to privacy.
Max
Re:No one buys it because (Score:2, Interesting)
You have it backwards. Civilization is about privacy. It's about having the freedom to do what you want to do rather than what the tribe wants you to do. It's about being free to disagree, being free to do something your way if you don't like the way everyone else does it.
As Bruce Schneier said, "it's not enough to protect ourselves with laws of men, we must protect ourselves with laws of mathematics". That is going to be true as long as there are people on earth who are willing to kill other people for what they believe.
PGP... (Score:3, Troll)
oh wait...oxymoron
Once is coincidence... (Score:4, Insightful)
First ZKS shuts is services, now PGP is orphened...it does not take a conspiricy fan to put this together.
ttyl
Farrell
Not terribly surprising (Score:2)
There just aren't that many people who care about e-mail encryption. I understand all the arguments and the technology, and *I* don't care about it. I can only imagine what someone who doesn't know about the issues thinks about it.
And frankly, I wouldn't care about sending all my mail on postcards without envelopes. I can't even think of any personal mail that I would care about some anonymous postal worker reading, even if I thought postal workers sit around reading letters that zoom by. Except for maybe things with credit card numbers or bank numbers, but I wouldn't send thinks like that through e-mail anyway (and I venture to say that most people are probably savvy enough to know that's bad as well).
*sigh* (Score:3, Funny)
Say it ain't so, PGP, say it ain't so.
Re:*sigh* (Score:2, Funny)
Or you could just ROT26 your stuff. The ease-of-use factor sure beats anything else.
Sales Would Be Great (Score:2, Informative)
If NAI didn't want to charge $5,500 for a server based encryption package. Up from $1,000 for a *two year license* for PGP version 5.
NAI is a bunch of idiots anyway. They totally screwed over people when they took over the Gauntlet firewall suite. First, "you need to migrate to NT, all Unix Gauntlet packages will be discontinued". Ok, 18 months later "Gauntlet for NT is now discontinued".
Hopefully, someone will pick up PGP and offer it at a price people can afford.
Dissapointing sales? (Score:5, Insightful)
- an encrypted IPSEC/IKE compliant VPN
- encrypted hard drive software (public key or shared secret encryption)
- Encrypted Email with multiple mail client integration
- Myriad windows hooks, like "encrypt clipboard"
- A secure file and hard drive wiper
- A full-blown INTRUSION DETECTION SYSTEM with email alert that would attach itself below the NDIS level.
...all for $30. I'm not a big fan of buying software, but I bought this religously because it was a steal, just for the IDS. I always wondered how they could afford to put so much top-notch development into such a cheap product (I never found a serious bug, and I've worked it over hard. That's a rare thing to be able to say about a windows networking application).
The answer appears to be that they were dumping serious development funds into this product and got were expecting massive sales. If you asked me to point a finger at the cause of death, I'd say they were overambitious. Too many developers building too much functionality made it far too expensive. All anyone ever really wanted was encrypted email. And perhaps if that's all they developed, supply would have matched demand.
Then again, hindsight is 20/20.
Re:Dissapointing sales? (Score:3, Informative)
On the other hand the personal firewall PGPnet includes has quite a flexible rule interface, and works really well. And the rest of the package is amazing.
I'm also concerned about the on-hold status of Gauntlet Firewall/VPN. A really good product that was just starting to get even better with the 6.0 release, and now it's future is very uncertain. Gauntlet's roots are in open source too, as it evolved from the Firewall Toolkit [fwtk.org].
What?!? (Score:2, Interesting)
I just saw PGPNet 7.1 ONLY for $60 for a two year contract. This was from PGP too.
With the 7.1 series they split apart the entire PGP Desktop package are (were) selling the peices individually.
$30? I don't think so.
Re:What?!? (Score:2)
ostiguy
impressive indeed (Score:2)
Wow, a $30 patch for a $250 OS that might make you feel less venerable. I don't mind people trying to make a living selling binaries. I just don't understand why people would buy such things when free alternatives [debian.org] are available. GPG not enough security? Try OpenBSD [openbsd.org].
If the answer is that the free alternatives are too hard to administer and set up, go get help. There are Linux User Groups (LUGs) everywhere. Take the hundreds of dollars you as an individual would spend on canned binaries and hire someone to help you out. If you are a business, save yourself thousands of dollars the same way.
The world is always changing. Sometimes it hurts, as when 250 fine programers get laid off. As long as the world remains free, the changes will be for the better. Just think of that talent being liberated. All of those nifty Windows tricks are unlikely to be released even if NA itself goes belly up.
What happens now? (Score:2, Interesting)
tools vs apps and PGP prevented hacks (Score:2, Interesting)
Maybe GnuPG had something to do with this (Score:2, Insightful)
And, like the poster above mentioned, since the tech is facing a serious risk of becoming illegal, investing too heavily in it might not be wise from an economic standpoint.
--nick
Coincidence? (Score:4, Insightful)
Is this a coincidence? Or is there some government pressure in action here? What's the next step? Pressuring ISPs of distribution points for Open Source encryption products? When that happens, I'm sure we'll be re-assured by the ISPs that they have sound economic reasons for disallowing encryption software; but that won't make it go over any easier with me.
In Germany the converse happens ... (Score:3, Informative)
This is not only true for GnuPG [gnupg.org], which has funding by the government (for the development of more user-friendly frontends, I think), but there is also a project for the development of an open source anonymity service (JAP [tu-dresden.de]) as strong as (or even stronger than) the Freedom anonymizer service, and there is also the Sphinx [www.bsi.de] project to build a PKI for the public authorities and maybe others.
One of the main drivers for the JAP project (and maybe others) seems to be that many consumers (at least in Germany) apparently avoid E-commerce because of privacy concerns.
Yeah :-/ (Score:3, Interesting)
So, luckily, the NAI Labs section of PGP was exempt from all this change and will be shuffled around more, but we're still here =) It's a bit disappointing to see your company admit failures like this, even if it's for the best interest of the company.
Encryption is alive - but PKI is dead (Score:5, Insightful)
How many among even the savy group here maintains a valid PGP key that is available online? Of those, how many maintain their key in a searchable index? I presume the answer is less than 2%.
How many of you have received an email either signed or encrypted in such a fashion and then actually used the sender's public key to decrypt/verify?? Probably 10% of readers here or less.
And that folks, is why PKI and hence PGP are dead-ends.
Re:Encryption is alive - but PKI is dead (Score:2, Interesting)
Hash: SHA1
Well, it's all about convienence. I use pgp4pine which does automatic decryption/signature checking on incoming email, would automatically try to fetch public keys from PGP key servers, let you choose if you want to encrypt outgoing messages, just sign them or don't bother....
Appearantly mutt has some decent PGP tie-ins. Hell, I remember Eudora used to have a PGP mode.
Unfortunately, the implementation across OS's and mail packages are inconsistent, and that will probably be the demise of PGP/PKI.
*shrug* What do I care? I don't mind using the clear envelope theory of sending email 98% of the time... The other 2%, it's usually to a friend or colleague who also has PGP.
EOF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE7xmqUKZYQqSA+yiURAiDRAJ9G3rMyNRJOHfpRDt+
9yhh23ifyYH57o1h5c+Y3Gg=
=VK6P
-----END PGP SIGNATURE-----
Re:Encryption is alive - but PKI is dead (Score:2)
gpg: BAD signature from "Ryan Finnie "
The searchable index thing works great... (Score:2)
In short, I can't see there being very many users at all who have a current version of PGP and chose *not* to send their key into the keyserver -- it's just that tightly integrated. It takes a little more work with GnuPG, but the folks who know about it are the exact same folks who care.
Thus, I can't possibly see your 2% estimate being on the mark -- few may use OpenPGP-compliant crypto, but of those who do, nearly all use the keyservers.
Keyservers (Score:2)
Our group was pushing the Corporate populas towards PGP as a standard desktop app. And for it to become a commonly used app, at that. We were actually making some progress. And that's when people began asking (if not demanding) the company's key server.
The company had an "official" internal key server at one time. There was even a DNS entry for it still. In actuality, this keyserver had been a side project on an individual's Solaris desktop machine. He had become burdened with other tasks and the keyserver fell in to disrepair until it had been taken offline. We didn't have the time / funding to deal with it either.
Our suggestion was to use the excellent network of public key servers in the meantime. It was odd. People were rather horrified at the idea. Public keyservers was just too scarry. No ammount of discussion would change their minds. They needed a nice, safe internal one or no key server at all would do.
We scored a hit in getting PGP out there. But I suspect it was an overall miss by somehow failing to educate the population on what they had.
Re:Encryption is alive - but PKI is dead (Score:3, Interesting)
Then it hit me. Who can I send this to? If I encrypt something, nobody is going to know what to do with it, not even most of my tech savvy friends. Even they don't have current keys that I could get hold of, so I couldn't encrypt it for them.
I settled for signing my messages if for nothing else to spread the PGP word. That ended when I actually had someone who I respected on a mailing list tell me to stop waisting space by including all that "garbage" in every one of my messages.
Geez.
Why I use PGP... (Score:5, Interesting)
1. Private Data... There's a lot of stuff that I do and say through email that is perfectly kosher, but is none of my company's or coworker's business, like emailing my wife whilst at work. I know for a fact that there are nosy people in my networking department, but 2048 bit D-H encryption makes this Somebody Else's Problem (tm) even thought I am forced to use Exchange at work.
2. Insecure Mail Servers... By the same token, I am forced to keep sensitive data on an Exchange server. It doesn't take a genius to see that any given company's Directory/Mail/Personal Info server is going to be one of a malicious cracker's first targets, if he or she is interested in doing anything other than 0vvnZ'ing the website. When the time comes... and it will... I will be able to say... 'No, my sensitive data was NOT compromised, because it was securely Encrypted.
3. Personal Liability. I'm a freely spoken individual. Some people don't appreciate it. If I say something in an email that could possibly be used against me later by the owner of a mail server, it goes in encrypted. By the same token, any personal files on my work PC belong to me, and not my company. Without my passphrase, they can't do shit with them.
4. Geek factor. It is oh, so cool to be able to 'sign' an email, and advertise your public key. Mine is:
http://www.furinkan.net/key.txt [furinkan.net]
Re:Why I use PGP... (Score:2, Interesting)
Trust me on this. Just went to a lecture for litigators for Corporate IP cases where IP was stolen, and they state they can recover data past the DoD 7 wipes, at a cost of 1 million. Likely not your case, but if they want it, they can likely get it.
Unless you are wiping free space on your disk over 7 times after every "confidential" message, discovery teams using tools like safeback can get to it.
Re:Why I use PGP... (Score:3, Informative)
The way I imagine most of these recovery tools work is by reading sideband data off of the drive... When the write head is hauling ass around the platter and you want it to write to a given LBA, it never writes in exactly the same place twice. It might be in slightly different phase with the start of the LBA (5-20ns is common), and since it is a mechanical system, an LBA isn't a perfect arc... it can tend to wobble.
Using in-house diagnostic tools we can "force" the servo code that is supposed to keep the read/write heads centered to a prescribed amount off to the side... If you had an event where the sensitive data was written
--eric
Cool Attitude (Score:2)
That sparks up a bit of paranoia that might be interesting to discuss.
I maintain at least 1 active keypair. I put it out on distributed key server groups. I post it on web servers. I use it to encrypt private communications.
But I use it very sparingly when it comes to signing email. I have to see a really good reason to verify who I am before I sign anything. If paranoia causes one to take up using PGP, its an even more selective paranoia that causes one to not use all its potential.
So why am I so paranoid? After watching the subpoenas [wired.com] fly a couple of years ago, I've decided that I'd prefer to make it a little more difficult to prove any bad attitude [jwz.org] really is mine. Granted, there's other ways to try and link email to an individual. But why make it a habit to provide that trail for every mail list post, friendly banter, and interoffice discussion message you fire off?
And that's a really important point - a majority of our (or at least mine) email is of a fire-and-forget, trivial nature. Its less a written letter and more a verbal conversation encapsulated in text. Without the bandwidth hit of wav file attachments. In this informal environment, things are often said... or ideas expressed... that one would not set to a permanent record. Yet email, and other forms of electronic communication, have an odd way of sticking around far beyond its intended life.
Do you really need to give a lawyer the means to prove them came from you? And sure, there are other ways to link an email to an individual. But I'd prefer to make anyone giving me a hard time jump through those extra hoops.
As a side note, memo and file retention policies existed well before email became an indispensable tool to business. Email only compounds the problem these policies were really designed to address (and no, storage of files isn't the real issue here). With the lines slowly fading between personal and professional data, it might be worthwhile to think about your own home shredder and review your own document retention policy [pbs.org].
Of course - this all doesn't cover the real reason all this signing happens. Geek appeal. That's easy to handle. Include your PGP Key ID and fingerprint in your
Re:Why I use PGP... (Score:2, Insightful)
Probably no one will ever raise a stink about stuff like this, but it's good to keep in mind that, unless you work at the world's most liberal company, both of these are probably against company rules.
When the time comes that they need to cut staff, and don't want to pay severance, this stuff can put you out the door "with cause". Fired, not layed off.
If you can't trust them with your email then you're crazy to trust them with your future.
There are two types of users... (Score:2, Insightful)
NAI, who has been selling virtually uncrackable encryption technology for years, suddently drops their top-of-the-line encryption product.
Coincidence? I wonder.
I'm not implying a conspiracy between NAI and the US Government, but I wonder if NAI stopped shipping their product because it "wasn't worth the trouble".
Coincidence? I wonder. (Score:2)
PGP wish list (Score:3, Interesting)
A. Little perceived need by the masses
B. Hassle to use
and more recently
C. Government rumblings
A. could be dealt with by some good old FUD. I've always been amazed that NAI and others have resisted the evil urge to play on naive users' fears of "hackers." Come on, companies with lame IDS and Firewall products have been playing the fear card for a while. Imagine how effective a campaign would be if the product were actually good... (Not that I'm a fan of these tactics).
B. is a more difficult problem. Although the product has come a long way since the old DOS version with it's confusing options, it has a way to go to acheive true ease of use. People don't necessarily "get it." I'm not a huge fan of dumbing down interfaces, but a real simple set of wizards that handled all the stages of key creation and software integration would be helpful. Plug-ins for email are good, but a deal with MS or Eudora to bundle it would be better. Plug-in with ICQ is good but a bit clumsy at times. Maybe playing up the Envelope metaphor in email programs would be better... Also, encouraging users to get their email contacts to install the freeware version would be great. Maybe, a window that popped up when people tried to send an encrypted email to a person whose key isn't know. The window could mention the problem, and offer to send the recipient an email with a link to the freeware (or perhaps a free "reader" that allowed for key creation and email integration).
With C. the issue is just a big hassle. At some point you'd hope the Gov't would realize that restricting strong encryption will have no effect on criminals, only business and home users.
Expensive stuff (Score:4, Insightful)
Anyway they wanted about $175 a copy, I think for what we needed. Then I found the PGP Freeware link on their site. I thought, hey why pay for it when they give it away for free?
No wonder its going away. Could you imagine going to the Ford dealer and the dealer saying "here's the new Ford for $20,000". And you ask, "what about the Mercury over there exactly like it" and the dealer says "Oh those, they're free, take as many as you like" Where is the choice here?
Re:Expensive stuff (Score:2)
Crypto is one of those places. If your crypto solution goes wrong it could seriously fuck up your company, especially when you have to explain to investors their entire solution was based on unsupported software "downloaded free from the internet". Yes, PGPFreeware is totally unsupported, less so even than GPL software where at least you can legally pay for someone to support it and hack it if necessary.
Even for individuals, the vast majority would be more than happy to fork out $50 for PGP if it came bundled on a single CD with a whole bunch of other NAI crap such as McAfee, Nuts & Bolts etc.
Re:Expensive stuff (Score:2)
2.2. Can I use PGPi for commercial purposes?
Yes, you can, but you must obtain a commercial use license from Network Associates Inc. or its authorized representatives. (The GNU Privacy Guard can be used for commercial purposes without any license.)
There are two kinds of encryption users... (Score:5, Insightful)
1) There are ordinary folks who want an easy-to-use encryption solution out of the box, and don't want to read a manual to get that level of security. While NAI's software has been getting better and easier-to-use over the years, it's still not 'easy'. Concepts like 'ring of trust' & 'key signing' might still too academic for ordinary folks, and NAI has not made much of an effort to explain why these ideas are important.
2) There are encryption-geeks, who don't really trust the security of a closed-source product, or who are happy enough with ssh, pgpi, gpg, etc.
OK, I guess there is a third type of encryption user, the user who wants an easy to use encryption product for her business, and isn't concerned about fears like 'FBI backdoors' in their product, but they're probably a small segment of the market.
What could 250 people be doing to PGP??? (Score:4, Funny)
I went to the NAI website and tried to buy PGP about 18 months ago. There were problems with the site. The product was poorly explained, and I got error messages.
Also, would you buy encryption software from ANYONE who wasn't offering the source code? I had read that NAI would give the source code to someone who bought the product, but I was unable to find mention of that on their web site.
I sent NAI an e-mail message, and no one replied.
Finally, I just gave up and used the free version. I paid less (zero) and got more.
The story says, "I worked there up until today and somewhere around 250 of the 300 employees were clipped."
Do I understand this correctly? What could 250 people be doing with PGP, a product that was written by one man, and was changing very slowly?
Maybe they were selling special versions in Arabic to Saudis living in Afghanistan? (When you have 4 wives, you have to keep a lot of secrets.)
Secrecy and weapons sales corrupt democracy: What should be the Response to Violence? [hevanet.com]
Re:What could 250 people be doing to PGP??? (Score:2)
Naah. Not when your wives can't divorce you and have no meaningful rights to speak of that aren't granted to them by you.
Go ahead. Mod me down.
My Page on Why You Should Use Encryption (Score:2)
I admit I haven't tried out GPG yet but I probably will soon.
In any case, if you don't use either PGP or GPG then please read my article Why You Should Use Encryption [goingware.com]
Yes I know the link to the canadian article I mention is busted and someday I will even fix it. Not right now though.
Buy it or get free version (Score:2, Insightful)
To Care or not to Care (Score:5, Insightful)
However, when I try to advocate encryption to those I know and hope to influence, they all seem to indicate that they aren't all that concerned about their email. And yet those same people never fail to be annoyed when I walk up to their computer and pretend to read their email in order to prove my point.
Perhaps most people are unaware of how easy their email can be intercepted and read? After all, an email address might appear to be like a telephone number - a direct link to whomever one might wish to contact. And we're comfortable with the phones - after all, wiretaps seem hard (or at least laboureous) to obtain, and we suspect that capacity prevents wiretaps from being universally applied. Not so with email, though - it's child's play to intercept any SMTP communication that passes through your network. And if you happen to be centrally located, in a network topological sense, there's no theoretical limit to the amount of communication you can eavesdrop on.
I must admit that I'm not being entirely altruistic when I advocate encryption - my wish for broad adoption of personal encryption technology is first and foremost self-serving. To tap again into the old PGP readme files; sending mail in "sealed" envelopes is not currently suspicious due to the fact that the practice is so widespread. Untill encryption becomes commonplace it remains far too easy to label it suspicious behaviour.
Here's to hoping that free encryption will carry on where the commercial offerings have failed. Cheers.
Re:To Care or not to Care (Score:2)
That's why they are unhappy when you look over their shoulder
Re:To Care or not to Care (Score:2)
There is a factor you might be forgetting. On privacy most people care if someone they know is reading their private info. But they don't care quite so much that someone they don't know might be reading it.
I think that people don't care not because they don't know the person reading it, but when they don't know if someone is reading their email at all.
The old addage, ignorance is bliss applies here.
Re:To Care or not to Care (Score:2)
You readily provide your salary and financial info to banks, but how often would you give up that information to friends and family?
It's because people you know will do very different things with the information than people you don't know.
Social conventions. (Score:2)
However, there is a social convention about not reading other peoples mail, which means someone behaving like you would be rude. It is a public display of disrespect, which is insulting whether or not the victim cares about his mail privacy or not. I'd be annoyed too.
Slightly OT (Score:2)
- j
How many worked on PGP? (Score:2, Insightful)
I didn't trust it anymore, anyway. (Score:5, Informative)
So I stopped upgrading the free version at the last version he personally oversaw...7.0.3
Re:I didn't trust it anymore, anyway. (Score:2)
PGP failed because of NAI incompetence (Score:5, Insightful)
Well, yes, it's quite true that PGP had disappointing sales. The company had a nasty tendancy of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.
It's funny that I have this exact story from so many different sources that nobody can say I'm compromising internal information. Go ask your friendly IT Purchasing agent about any adventures they had trying to get a site license for PGP. This was mandate from upper management: Either all the stripes make some cash, or none at all.
NAI consistently chose the latter. Now, as for all the conspiracy theories...never attribute to malice...
--Dan
www.doxpara.com
Gauntlet, too (NAI incompetence) (Score:3, Informative)
Funny you should mention that. The exact same thing happened after NAI bought Trusted Information Systems, makers of the (formerly) superb Gauntlet firewalling software: They bundled it with such in indigestible batch of mandatory other goods and services that all of the professional TIS installers I know switched in disgust to other products, such as Novell Border Manager. Which has more or less killed TIS Gauntlet.
Rick Moen
rick@linuxmafia.com
Re:PGP failed because of NAI incompetence (Score:2)
My Eudora 5.1 got a nice PGP-plugin from there. In the standard 7.0.3 package.
GPG (Score:2, Informative)
I think it is no real problem for the manufacturers of mail software to include GPG support on their own.
Hello? The freeware version is still there. (Score:2)
Lest we forget, there are libraries available to get around any RSA legal crap, too, in the PGP.
Re:Hello? The freeware version is still there. (Score:3, Informative)
PGP 7.1 has not been released as freeware, and source release for anything past 6.5.8 is problematic. You can get the crypto engine of 7.1 (but not 7.0), but only if you agree to a truly onerous license. Better to say
Freeware builds of PGP haven't been made available for 7.1, and there's been practically no source release, too. At this rate, it's going to disappear!
Of course, my panties are far from in a knot. In the first place, I wear boxers. In the second, I use GnuPG.
Comment removed (Score:4, Insightful)
Re: (Score:3, Informative)
Did Anyone Trust Those Guys? (Score:2)
It is kind of a bummer though. I'm told the Windows version was pretty nice.
250 PGP employees? (Score:2, Interesting)
However, other influences may be involved. It's pretty obvious that encryption schemes, in general, are under scrutiny after the Sept 11 attacks. Any company that is producing an encryption product certainly has taken a look at it's business in recent days.
Ultimately, I think most people have given into the idea that their correspondence via email.. and really anything that ends up on their computer could be an open book if anyone really wants to look.
Re:250 PGP employees? (Score:2, Insightful)
Some other comments from what I've read here...
From actually READING the announcement http://www.pgp.com/other/jump/customer-faq.asp [pgp.com], and listening to the NAI Earnings Conference Call from the same day (thanks Yahoo!), "NAI PGP" isn't being totally scrapped! They've just decided not to keep PGP as a separate business entity, as they see doing so as hindering their potential growth as a company. In doing so, they've evaluated their product lines and have decided to stick with what they think they can SELL, for example, their E-Business Server product. They spell out in their announcement what they feel they need to do to meet that goal. Some products are to be sold off (if possible), some moved, and some having parts extracted, possibly being merged into other similar products they already have in the other BUs. Once that's all done... of course they won't need ALL of their current PGP staff. And well, sounds like 250 is their estimate of what the surplus.
It's nice to be ulturistic and think "wouldn't it be nice if they just did it for the 'good of all' and gave the products away for free?" But well, that's not what software companies do. They exist to SELL the software they make. They need to make money to survive, as does any corporation, and that's about the only bottom line that their shareholders will care about.
I've read a lot of posts from a lot of people wanting a nice free version that they can use freely cuz "well, you could easily just write it yourself... why pay for it"? Well, I don't see anyone volunteering their time and efforts to obtain the PGP SDK and grace us all with their programming prowess and their 'for the good of all humanity' ideals. If anyone does... I have my own 'wish list' of features I wouldn't mind being added to PGPmail and PGPdisk. I can pass them along if you wish. Anything to help.
But, unfortunately for us end-users... NAI seems to think (as indicated by the products that will remain, albeit moved to other business units) that $$$ for their PGP survival is going to come more from big business... not from us. I guess that judging from many of the comments here, they seem to be right, at least on the last bit: "not from us".
What about Gauntlet firewall? (Score:2, Informative)
While not the most popular product out there, it is serviceable. In our instillation I think we are pushing it to the limit, but their Webshield e-pliance product was sold as an easy to configure/manage secure product, and was quite secure straight out of the box.
As for us, we have several issues we are trying to ram through NAI technical support. Will NAI continue to support a product they aren't going to continue to sell? Will our support contracts be transferred with the product when its sold, or will NAI try to honour the support contract even though they don't own the product anymore.
It's a worrying sight when Internet security suppliers go out of business. Unless there were serious problems with the product not in the public domain (and I know about their mail daemon) it was a good security product for small to mid-ish companies and they are saying it's unprofitable. Either firewall products are about to become more expensive, or the quality is about to go down. Neither is a good sign.
lack of sales: reasoning (Score:2, Interesting)
1) "encode"? what's that?. (the ignorance fFactor that says 'if it didnt come with M$ office, i don't need it')
2) modern variant: "encode"? what's that? i heard terrorists were encoding messages
3)if you are interested in security, there's a good chance you have something to hide. like all those warez on your desktop. ergo, you didnt really pay fFor that copy of PGP at all.
Re:lack of sales: reasoning (Score:2, Insightful)
NA was going to close the source to PGP. If there's one field where Open Source took off, it's crypto. Any advanced crypto-user wants to have the ability to look at the source to ensure security. Closing source for an encryption program makes that encryption program inherently less trusted.
//rdj
Re:lack of sales: reasoning (Score:4, Insightful)
Is slow sales really the reason? (Score:2)
The use of uncontrolled encryption would be illegal and who would by the controlled versions?
the real reason for pgp drop - NSA INFLUENCES!!!!! (Score:2)
Now the money xfers from NSA to NAI are part of public record but theres plenty of suspicious info even before those press releases of this year. I include some here below,
NAI (owner of the source) makes money by doing things for the NSA... they themselves admit it. Then theres the key escrow backdoor weakness in new pgps. Plus history of NSA manipulation in other areas. Use older (years ago rsa only) pgp for true security, and compile it yourself and check compilation. Is source for what you used even available at all?
( FYI: If comparing macintosh builds: factor out (by hand pasting) the embedded date and time field in the executable header or the pgp singnature of the PEF will not match the distributed signed apps)
please read the following informative sites :
written in 2000, before the full NSA connection was revealed. VERY VERY LONG and detailed pgp
backdoor info
http://senderek.de/security/key-experiments.htm
an old useful page written right before NAI admitted taking NSA funds
http://cryptome.org/nsa-sabotage.htm
old 1998 site written before NAI admitted taking NSA funds for engineering work:
http://www.proliberty.com/references/pgp/
in general
and avoid all modern pgps..
The founding author ("z") quit NAI one month before news broke that NAI has one major paying crypto cu$tomer of the division that got axed today : the US NSA!
You are all ignorant. PLEASE READ MY LINKS.
what a box product should give (Score:2)
1. The ability to send secure messages to customers
(relating to billing or just giving instructions about product that you don't want anyone else to know CUSTOMERS demand that it be secure)
2. send messages within the company that can be read only by receiver
(prevents leaks and makes sure that the whispers don't start up e.g. how many mails go to the postmaster )
3. escrow is needed when an angry employee leaves and you need to read their work
(the world is full of jerks and they can be hard to spot)
4. Key servers need to be up to date and manageable
(from a sysadmin point of view)
5. Standards for sending e-mail securely and product activation would be nice
yes its good to be open but some one needs to productise this so that company can buy an Complete Off The Shelf (COTS) solution that a company can buy because not enough people do secure themselves IMHO
are their anyone that fancies boxing up GPG, a keyserver and manuals on how to do the above I am sure that they could get some money from companies I know
regards
john jones
Re:Nice icon! (Score:3, Informative)
We've only been wanting to add a "security" topic for about TWO YEARS so it's nice to finally have one...
Re:Damn, and I was just going to email Will Price (Score:4, Informative)
Not the strongest encryption in the world, but it'll keep prying eyes away. You might have some issues exchanging disk images with non-OS X users, though.
-jon
Re:unintuitive windows user interface (Score:2, Interesting)
There's really no other way to dice it. Due to the very nature of crypto in algorithm and implementation there just isn't space for a clueless user to stumble around and not expect to eithe (1) break something critical or (2) break something critical without realizing it.
Repeat after me
Re:It's unfortunate... (Score:2, Insightful)
Their biggest users could have been corporate, but at a couple hundred bucks a shot, most corporations had a hard time convincing themselves it was worth it on a large scale...
Good point, but I think that there's more to it than that. I know of companies that don't want their employees having encryption products available (and of a few that outright ban them as a matter of policy). While none of these outfits come right out and say so, I'd imagine that if employees start using encryption, companies would have a much more difficult time monitoring employee e-mails. Sad, but probably true.