Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Encryption Security

Network Associates Gives Up Search for PGP Buyer 180

nakhla writes: "I came across this article which states that Network Associates has given up the search for a buyer for its PGP division. The company has laid off 18 workers, and plans to continue to maintain the product for one year. It's a good thing that there are still products like GnuPG and others out there for people who need cheap, reliable encryption."
This discussion has been archived. No new comments can be posted.

Network Associates Gives Up Search for PGP Buyer

Comments Filter:
  • Sad.. (Score:4, Interesting)

    by dj28 ( 212815 ) on Thursday March 07, 2002 @09:49AM (#3124095)
    I actually bought a version of PGP Personal Security 7.0.3 from these guys. It comes with some nice extras such as a very nice firewall. It's a shame that not enough people contributed to the development. Hopefully they will open source the latest version so that development can continue for long after one year.
    • Re:Sad.. (Score:3, Interesting)

      by kerrbear ( 163235 )
      I actually bought a version of PGP Personal Security 7.0.3 from these guys.

      Er, what happens to all the files people encrypted with PGP ten years from now when their personal versions no longer run on the new OSs? If PGP Personal Security is rendered obsolete, will there be a way to retrieve those files, or should they be unencrypted now and re-encrypted with something that is going to stick around?

      I've got some pretty important .pgp files lying around. Should I switch to something else or am I not understanding something here?

      • Re:Sad.. (Score:1, Informative)

        by Anonymous Coward
        There are open source versions of PGP compatible with the commercial products. Try here http://www.pgpi.org/ and in particular here http://www.pgpi.org/download/gnupg/
      • Re:Sad.. (Score:2, Informative)

        by mhyclak ( 35694 )
        I'd encourage you to switch to an open source project such as GnuPG just out of principle, but I do believe it can also interact with PGP encrypted things (to certain limitations... see the GnuPG FAQ [gnupg.org] on the subject. Basically if it's implementing OpenPGP, GnuPG can read it.
      • Re:Sad.. (Score:2, Flamebait)

        by Superpaz ( 445451 )
        In 10 years it will easy to crack.
      • I've got some pretty important .pgp files lying around. Should I switch to something else or am I not understanding something here?

        It's probably quite worth getting gpg and seeing if it can work with your keys and encrypted files. One thing to note is that gpg doesn't support all of the algorithms that PGP used, because of patents/licensing (IDEA being an obvious example). So if you used those algorithms there's a serious risk of bitrot.

        If gpg works OK with the files then you're safe as it's not likely to go away in a hurry. Keep the source around just in case though ;-)
        • One thing to note is that gpg doesn't support all of the algorithms that PGP used, because of patents/licensing (IDEA being an obvious example). So if you used those algorithms there's a serious risk of bitrot.

          It used to be that one could just find a file named idea.c in the contrib directory of the primary gnupg ftp repository, but they were forced to remove it. You can find the idea.c in the contrib directories of mirror sites in countries that allow the distribution.

          The idea.c [gnupg.dk] file and it's detached signature [gnupg.dk] made by Werner Koch.

    • by SomethingOrOther ( 521702 ) on Thursday March 07, 2002 @12:05PM (#3124724) Homepage

      it comes with some nice extras such as a very nice firewall

      And that is partly the reason nobody bought it.
      PGP evolved into a nice e-mail encryption program. NA added so much crap to this (VPN that hardly worked, Firewall, hard drive encyption) they forgot there core market..... secure E-MAIL and convincing people that it was nessisary!
      (In a corperate enviroment, people alredy have firewalls etc... NA just made PGP more complex)

      I actually bought a version of PGP Personal Security 7.0.3
      YTC !!!
      NA never published the source code for version 7. That was the reason Phil Zimmerman left NA.
      Version 6.5.8 could be downloaded [pgpi.org] as freeware and is every bit as compatable!

    • For a corporate of enterprise environment you NEED the ADK that the NAI corporate version comes with. At home we can all use the free versions, and in fact I do, but it is not even a remote contender for most of my clients with 50000+ employees.

      NAI dropping this is going to seriously shaft them! There are some alternatives, but the transition is going to be expensive. Even the change of user licenses will cost over 1 Million pounds for a couple of my clients.
  • Mixed feelings (Score:5, Informative)

    by rknop ( 240417 ) on Thursday March 07, 2002 @09:49AM (#3124096) Homepage

    I've got mixed feelings about this. On the one hand, PGP was revolutionary and is probably one of the main reasons encryption is as free and available today as it is. If Phil hadn't released that (at the expense of considerable suffering), I suspect that the governments of the world would have been able to clamp down on encryption big time, and all of us law abiding types would take it as an axiom that none of us really need anything like that, only terrorists do. It's sad to see the company that was carrying that torch give up on it. I fear this is just one more indication that personal encryption of e-mail and such isn't really going to catch on with the masses.

    On the other hand, NAI's not been a perfect angel. Phil left them because of differences about releasing (if memory serves) source code-- not because Phil is an open source advocate per se, so much as for reasons of being able to verify the security. And, myself, I'm an open source geek and have been using GnuPG for quite some time as my encryption software of choice. There still is hope that GnuPG will be turned into something that can catch on with the masses (just like there's hope, however faint, that things like GNOME and KDE will catch on with the masses).


    • There still is hope that GnuPG will be turned into something that can catch on with the masses (just like there's hope, however faint, that things like GNOME and KDE will catch on with the masses).

      Is there any way that GnuPG could be built with a nice GUI for Windows? The fact is that for the time being, encryption will be worthless if the Windows users can't get the software.

      • Re:Mixed feelings (Score:3, Informative)

        by smnolde ( 209197 )
        See winpt.org [winpt.org].

        I use it quite a bit to sign emails and the interface is pretty clean, too.

      • Re:Mixed feelings (Score:2, Informative)

        by wafath ( 91271 )
        Take a look at http://www3.gdata.de/gpg/ [gdata.de]. It's in German. Use Google [google.com] to translate.

        It's beta, but if you use Outlook, it seems to do the job very nicely. If you go to the GPG page, there is also a link for another program that is a plug in for outlook express.


      • Actualy, gpg works on windows. I actualy wrote a COM interface for it a while back at my old job.
      • Uses GPG and works with all Windoze applications that allow cut/paste of ascii text.

      • Re:Mixed feelings (Score:2, Interesting)

        by Cyno ( 85911 )

        My dad installed a dual-boot windows 98se RedHat linux system yesterday, after building the computer, with no prior computer knowledge and a couple hours of phone support with me. He might have trouble with ls and cd right now, but he's starting to understand a filesystem/directory structure. I bet in a year or two he'll be writing encrypted email on linux, now his primary business OS, and maintaining a secure business. He's also converting his winmodem over to external serial modems and setting up another dual-boot linux system for dial-up web access at both his home and business, upgrading staroffice 5.2 to OpenOffice 641C on all platforms (windows and linux) for MS compatibility, and this time around its costing him less than $1000 for the latest technology, 1.6+Ghz system, G-Force 2, etc. I'm very proud of my dad. But he's no exception, he's just like all the other "computer illiterate" people out there. They're not computer illiterate(sp?), they just need a little help to get them started and lots of encouragement. That's all.

      • Is there any way that GnuPG could be built with a nice GUI for Windows?

        That's probably the most critical ingredient, and one which other responders to this post have already addressed.

        But has GPG been ported to the Mac? I'd imagine that OS X would be pretty easy, but I know of some friends that run some pretty crusty old versions of MacOS that would still be out of luck.

  • by Anonymous Coward
    Seems from comments I read in other places (theregister.co.uk,newsforge.com,...) they never did any serious effort to market PGP. Still, there is a market for products like this. It is even growing. Some article also mentioned certain US government administrations as key clients... Doesn't this look a little suspicious?
  • Not in your wildest dreams. PGP Desktop was as easy as it gets.

  • It's a shame (Score:3, Interesting)

    by WinterSolstice ( 223271 ) on Thursday March 07, 2002 @09:54AM (#3124122)
    That a product as great as PGP is going under. I personally think that if it had stayed the way it was before the buyout, it would still be around. I wonder if something like this could eventually happen to /. or Gnome.

    This is the reason I am always concerned when a major company snatches up some cool new technology; they see it in major use by techs/geeks/etc, and think, "hey, with some good marketing...". They fail to understand what features matter to the original audience, fail to capture a new audience, and then drop the product.

    In the meantime, it strands people who used to like the product. I was a major PGP user since its inception. Now, I can't stand the darned thing. I tried the Palm and Pocket PC versions, I tried the Windows versions. They added too many toys and widgets to a small, light application.

    Oh well. I hope the Gnu PGP clone keeps up.

  • by SirSlud ( 67381 ) on Thursday March 07, 2002 @09:55AM (#3124125) Homepage
    PGP encryption could use a nice high profile use case where its use saved the ass of someone the average joe could relate to.

    I really dont think that the average consumer is concerned about having their private messages intercepted. (The logic is usually: "I dont do anything bad. Hey, waitaminute. Why are /you/ so interested ... ?")

    That being said, I'm not surprised that it was difficult to find a buyer for them. The market really hasn't encountered the high profile case that justifies wide spread deployment of PGP use. I think .. ?
    • A good use case would be a major bennie, but I think you're coming at it from the wrong end. PGP isn't just used to encrypt/decrypt messages. The canonical four tasks:

        • Encryption/Decryption (Shh! Don't tell anyone this!)
        • Tamper Detection (Dude. Did someone mess with this message?)
        • Authentication (Hey - who really wrote this?)
        • Nonrepudiation (Fess up. I know you wrote this.)

      Rather than looking for situations where PGP prevented someone from intercepting a communictation - often very difficult to know ever happened - I'd be looking for case studies in which someone tried to tamper with a message and was foiled because of the PGP signature, or tried to forge a message... you get the idea.

    • Amnesty International [amnesty.org] uses PGP to protect their people (e.g. witnesses, reporters, etc.) from abusive governments. If the documents they sent could be decoded by these governments, the corrospondents referred to in the documents would be tortured and killed. Of course, while this is relatively high-profile, they are a non-profit organization and therefore can use the free version, so NAI doesn't get any money from them.
      • by Asgard ( 60200 )
        If the government of the sender is in a position to arbitrarily torture/kill it's people, then the mere fact an unreadable message is being sent may be enough to warrant such action. The 'Rubber Hose' attack on crypto is still valid...
      • Why don't these "abusive governments" just execute anyone who sends encypted email to amnesty international?

        You are assuming that the email is being intercepted and that the intercepting party knows who the sender and recipient are. You also assume the "abusive government" has access to the sender, hence the fear of torutre and death.

        If I were the "abusive government" I'd arrest the sender tourture them, for the key, then kill them. Problem solved.

        I doubt Anmesty International uses PGP for this very reason. Steganography is much better suited to this sort of application. As long as you don't do stupid things like email the same penguin.jpg back and forth it is much less obvious you are trying to hide something.

        Then again AI is a bunch of liberal thugs who think they are smarter and better than *everyone* so they might just be that stupid.
      • EASILY decoded is the point.

        With enough time and effort a Government should be able to brute force a key.

        But it's a lot of time and effort and even the US government can't go breaking all of them.

        govt's would certainly prefer everything was sent in easy-to-read ASCII
    • I know there have been a couple cases where people have used PGP to encrypt files to protect them from subpoena or prying employers. Unfortunately, the only cases I can think of are the subpoena to Kevin Mitnick, and the Hotline Communications fiasco. In both cases, the use of PGP was to thwart execution of the law. In my opinion, the laws were applied badly, but that doesn't make PGP look good to a lay person.
  • PGP is a joke (Score:3, Insightful)

    by Dwonis ( 52652 ) on Thursday March 07, 2002 @09:55AM (#3124127)
    Who cares? I stopped taking PGP seriously when NAI decided to stop releasing source code and expected me to 'just trust them' instead. Any crypto company that does that obviously knows nothing about security.
  • by maelstrom ( 638 ) on Thursday March 07, 2002 @09:56AM (#3124129) Homepage Journal
    It's not like there is highspread usage of PGP/GPG anyway. I have been trying to use PGP ever since Phil Zimmerman was still coding on it himself, but I've never been able to convince any of my friends to use it often enough to make it useful.

    I'm glad the option is there, and I know it's done a lot of good in a lot of places, but even using e-mail encryption automatically draws attention to yourself. It would be far better if everyone used it for every e-mail they sent. It would be great if keysigning and verification was a normal event in meatspace, but it just isn't to be. How is it that SSH and OpenSSH became so widespread but PGP and GPG haven't?

    I think it's because PGP and GPG have such a sucky interface. It takes me forever to read the manual every time, and the integration with current mail programs sucks! Evolution seems to be fixing this and I know mutt and pine can support it, but it's just too much work to setup if no one else you e-mail can do it too!

    Is there any hope? I'd like to think so, but only if it becomes the default in hotmail and MS Outlook will it become widespread, and what are the odds of that? *sigh*

    • At work, we are generallyrequired to use PGP for *all* project releated email, it's usually in the contract with the client. We use PGP 7, which, 99% of the time, works flawlessly with MS Outlook whn installed properly.

      The problem comes when the person at the other end doesn't grasp public key encryption - which still seems a sticking point for a lot of people. Maybe they should teach it at High school?
      • Try the built-in SMIME tools in Outlook, and then get back to us about how "flawless" PGP is...

        PGP's Outlook Plugin sorta works, sure, but it tends to bork on HTML mail and attachments, doesn't prove UI information about encryption/signing, and requires all sorts of external windows to pop-up, produces wierd error messages, and sometimes just goes south for no reason.

        Woefully, this is as good as it gets for PGP (at least on Windows), which is probably a big reason it never really caught on. And this is from someone who really wanted to use it and just got sick of all the bugs.

        In my experience, when you have seemlessly integrated encryption (like SMIME in Outlook or the Lotus Notes stuff), even the lusers start to use it with glee.
    • by Boiling_point_ ( 443831 ) on Thursday March 07, 2002 @10:04AM (#3124160) Homepage
      Is there any hope? I'd like to think so, but only if it becomes the default in hotmail and MS Outlook will it become widespread, and what are the odds of that?

      That's the trouble with encryption, and security in general. It takes effort to be secure. You can trust an algorithm with your life, but do you trust the piece of software you installed on the computer you assembled out of parts you bought off the shelf? Sadly, strong encryption built as a default into something like Outlook might cause more trouble than its worth, in misplaced trust.

      Most Outlook users wouldn't know how to tell if their private key had been compromised by some email malware. If they're using email for tasks that SHOULD be kept private because they trust that Outlook will make it safe, then where will we be?

      • That's the trouble with encryption, and security in general. It takes effort to be secure.

        Agreed 100%, but generally I can sit down at a default install of Red Hat and know that I've got a cryptographically secure /dev/random, and a port of OpenSSH sitting right there waiting for me to use. Its cake to enable an ssh server, allowing remote access and file transfers.

        All the normal user has to do to increase security over telnet is type ssh instead of telnet. E-mail needs to be the same way! They should just have to click one button and be more secure. Yes, this gives some illusions, but if we can make e-mail slightly more private from prying eyes it is worth it to me.

        I'd have a hard time trusting my life to any software at all, but I'd have no problem trusting that encryption would at least keep a prying sysadmin out of my email! :)

      • That's the trouble with encryption, and security in general. It takes
        effort to be secure.

        Absolutely. There are two huge problems. Firstly, it's easy to use things like PGP and set things up so that it's easily crackable. That requires knowledge (at all levels, from something as simple like making sure your private keys are only accessable by you, to the code using decent random generators).

        Secondly, you have to care about being secure all the time. One lapse and you're wide open. This is an even bigger sticking point for the masses. Just the other day I was ranting about certain programs (I won't go into which ones here), and for each one of my main reasons for not using them was security or privacy concerns. The person I was trying to convince noticed that and basically asked why that was a big deal. This kind of took me by suprise, and so I did a quick poll of other reasonably computer literate friends (they would all know about PGP for example). Sure enough, most of them do not care if files on their computer can be read, so long as damage isn't done to the PC, etc, etc. I don't understand it, but it appears people are like that.

        One random thought is that really email could do with a big overhaul. SMTP, email format, all kinds of aspects. Building encryption and authentication into that from the start would make things a hell of a lot cleaner and help make the above problems less of an issue. But sadly I think I'm dreaming that that will happen any time soon.

      • Most Outlook users wouldn't know how to tell if their private key had been compromised by some email malware.

        Malware like Outlook, for example?
    • "and the integration with current mail programs sucks! " Think Hushmail [hushmail.com]. Encryption standard web based email system.
      • Hushmail is a joke at best, and a scam at worst. For god's sake, they store the secret keys right alongside the public keys, on their own servers! Stupid stupid stupid.

        Then there's the fucking hushtools.com site (which I've tried under about four dozen different combinations of browsers and java runtimes under Windows 98 and Linux) which has never worked for me, so I can't even get the public keys of hushmail users! If I can't get the damn public key, what's the point?

        I don't know what Hushmail is trying to pull, but they're definitely incompetent. Perhaps deliberately so. If someone's got the CPU power to run a java runtime (pretty much any commodity PC made in the past 6 years) they've got the CPU to run PGP or GPG.

        About the only use I can think of for Hushmail is for other people to not know that you use PGP if your computers are ever confiscated. Although, even then, it's easy to fit GPG on a floppy.
    • Can't agree with you more. I setup PGP/GPG for myself at one point in the past. Fact of the matter is, hardly anyone uses it. The reason for this? Simple - the average e-mail user is not aware of how open their e-mail really is. I remember eplaining to a co-worker that their e-mail was readable to anyone in the world who really wanted to. After explaining this fact (the whole "don't write anything you wouldn't write on a postcard" theory) they still didn't seem to "get it". So I decided to show them. I had them send a message to another co-worker while dsniff was watching their machine. Should've seen the look on their face when they say the e-mail displayed on my terminal. Point is - average user hears about, and knows that e-mail isn't entirely secure, but I don't think they realize just a) how insecure it is and b) how easy (and illegal) it can be to sniff it.
    • I think it's because PGP and GPG have such a sucky interface. It takes me forever to read the manual every time, and the integration with current mail programs sucks! Evolution seems to be fixing this and I know mutt and pine can support it, but it's just too much work to setup if no one else you e-mail can do it too!

      If you really think so, take a look at Cypherus [cypherus.com] by APMSafe.com. We designed it to be really easy to use, for exactly that reason. Granted, it's currently Windows-only, and closed-source, but I imagine that works for alot of people. When I was still working there, we did a whole lot of work with windows internal stuff to be able to get it integrated into everything from your desktop, to Eudora and Outlook, to even Outlook Express (which we didn't even think was possible, at first). Check it out.

    • I think it's because PGP and GPG have such a sucky interface. It takes me forever to read the manual every time, and the integration with current mail programs sucks!

      Have you tried Evolution [ximian.com] yet? It integrates as seamlessly with GPG as PGP does with Outlook. All you have to do is type in your passphrase after you hit 'send'.

      • Yes, I have and I even mentioned it in my post :) However easy it is integrated, it doesn't solve the problem of initially generating the key, figuring out how to extract your public key into text, giving the right key to someone else, getting their key, figuring out how to put it into your keyring, etc, etc. :)

        There's a program called sea-horse that I've tried that provides a very minimal gui frontend for gpg, but like I said, not worth the effort for me to use it yet, but here's hoping!

        • Well KMail handles it all beautifully. I generated my key once, an uploaded it to keyserver. Since then everything I do with GPG is handled by Kmail with no problems whatsoever. In fact in the new version of KMail, if it can find a key for the person you are emailing it will encrypt it by default.

    • Yep, you got a point, and do you know whats the other deal that people recent when it comes to encryption? Its the faulty behaviour in OutlookExpress (Might be Outlook too, dont know really).

      When i even sign my mail with a gpg in evolution, my mail looks like an attachment in OE because it cannot handle the "unknown" mime headers. I communicate a lot with email in company where i work and use gpg and there's been a lot of complaints when people cant reply to my mails because the body of my own email is readable only in notepad (yeah, like they give a fuck about correct quoting..). One moronic who had installed some bizarre movieplayer, tried to open my mail in it because OE was suggesting it. Cant belive the look in my face when he dropped by to my cubicle to ask, what was the video about that i send him.

      Anyway, GPG integration in the evolution can't get simplier. Well, it can if it would integrate gey generation and key imports but signing and encryption is working totally transparently. You just enter your public key id into account settings and voilã.

  • by flipflapflopflup ( 311459 ) on Thursday March 07, 2002 @09:57AM (#3124134) Homepage
    Maybe a smells a bit of conspiracy-theory, but this [theregister.co.uk] article at The Register opens the floor to the idea that NIA's decision isn't entirely due to commercial factors, and in fact looks a bit "fishy".

    Quite an interesting point - why would they give up on such a good product like this? And who could gain from them giving up a product like this?
  • laid off (Score:1, Offtopic)

    by mlong ( 160620 )
    Thank goodness they laid off 18 works and not 18 workers.
  • NAI is no longer actively trying to sell the product lines, she said, because it was unable to find a buyer who made an appealing enough offer.

    If they arn't going to activly try and sell the product, how is this a better deal than taking the less appealing offer?

  • by throwaway18 ( 521472 ) on Thursday March 07, 2002 @10:03AM (#3124155) Journal
    I'v been an ocassional user of PGP for year, first the DOS client then GPG on linux.

    A friend of mine tried to use the freeware NA windows version. Hes a typical windows user and won't read instructions. After giving him a five minute talk saying "Other people use you public key to write messages to you, only you can read the message with your private key etc". Days later I call in at his house and he had not managed to use it. The user interface was horrible. Despite having used command line PGP for user and having a quick look at the help I couldn't find his keyring or work out how to use it from a quick look at the menus.

    I can't imagine what the staff working on PGP were doing, certainly not useability

    There were three background processes running on his already unstable win98 machine poping up box's demanding he type in his details and register. I think he reinstalled windows in the end. People who use PGP are gneerally a bit paranoid, annoying them by trying to make tem register seems pointless.

    • Hes a typical windows user and won't read instructions.

      That is a bit like giving someone keys to your house and not showing them how the funny lock works

      For him to send a plaintext message that he thought was encrypted (because he didn't RTFM properly) could have been disasterous. In the same way that your friend not locking your door properly ('cos he didn't know how) could be disasterous

    • I installed it on a Windows 98 box (before converting my main desktop to Linux and using GPG).

      it started locking up randomly quite often. The common denomenator was that I installed PGP. Un-installing PGP it stopped locking up. I hand't tried it again.

      Don't know what the deal was. Have not yet tried it again. I'd like to get it on my wife's XP Box but I haven't spent the effort as of yet.
  • PGP Desktop is a well-integrated application that has a nice file protection app (PGP disk), makes PGP signing your mail a lot easier (it integrates to most e-mail clients I've used), has a good IPSec VPN component, and runs on Mac and Windows (1 more platform than most products do, though there's no Linux desktop version). NAI never did a very good job of selling the product, though - it was always one of those "semi-orphan" packages. NAI couldn't figure out if it was meant to be a business package or a home use package, and pricing was never set in stone.

    Ironically, it's probably an easier sell now than it's ever been, given that organizations are finally getting a little more security-conscious.

    GPG is probably the best hope for a cross-platform replacement, but there's still a need for better snazzy front-ends on most platforms (I'm using it on MacOS X) to help Joe Average, and there's no easy PGP VPN or PGP Disk equivalent.

    NAI - if anyone's listening, why not re-open the PGP codebase and let the marketplace solve the problem? Nobody wants to buy it, you don't want to sell it, so give it away!

  • by Dimwit ( 36756 ) on Thursday March 07, 2002 @10:05AM (#3124167)
    First, some kudos to the GnuPG team. I think this is one example of free software really taking over a given market. I only know of one person who uses the commercial version of PGP, and that's because his job requires it. Everyone else I know uses GPG.


    For those of you lucky enough to be using MacOS X (go ahead a flame me - I've been using Unix for ten years, and MacOS X rox my sox), just grab a copy of GnuPG from Fink [sf.net] and install GnuPG.

    After that, grab a copy of PGPMail [sente.ch] from Sente, and use the easy, one-drag install. It's still in beta, but it's damn nice integration.

    For reference, I'm running MacOS X 10.1.3. When I send an email to someone whose public key is in my keyring, I just click the button "Encrypt" before I click send. Voila. When I receive something encrypted, I have the option of having it automatically decrypt, or I just click "decrypt" in the toolbar. Very nice.
    • The email client Mulberry also has the ability to automatically encrypt, sign and decrypt, and has for some time now.

      Check it out at http://www.cyrusoft.com/mulberry/ [cyrusoft.com]. It is payware, but it's a damn nice email client. Works on Windows, Mac, MacOS X, Linux, and, I believe, Solaris.


    • Sylpheed [good-day.net] has good support for GnuPG, and is my favourite MUA on Linux.

      The drawback is: I would like very much like to use the same e-mail client on Linux and Windows, but sylpheed is only theoretically cross-platform. On ftp.gnupg.org, there is a w32 build of sylpheed 0.4.60 which is buggy like hell, and I have no idea how it was compiled (otherwise I would rebuild a newer version).

  • Fatal Mistakes.... (Score:3, Interesting)

    by CDWert ( 450988 ) on Thursday March 07, 2002 @10:09AM (#3124180) Homepage
    Network Associates made a fatal mistake in my opinion, that singularly was to belive people are smart enough to ACTUALLY KNOW they need encryption.

    People in general, Im not talking slashot techno geeks. Have NO clue WHATSOEVER that information can be snatched from the net. I have told people they have mail bouncing only to see hen freak and become accusitory , HOW do You KNOW ?? You mean You could READ IT ? Blah Blah Blah, I look at em and say yeah but to bwe honest I could give a crap less what you write and to who. hat usually tones em down a notch.

    BUT Back to the point, If someone dosent KNOW there is a NEED then there is NO market for the product , If people dont buy it because they dont know there is a need can you blame em ? If someone tried to sell you say a under the desk testicle shield for radiological effects from monitor transmission would you buy it ? a few would , but most no , WHY ? Becaues if here is no problem, the product COMPLETLEY loses its percieved value.

    Now, that said they are in a bad market to try and pitch the inherent Insecurity of networks, being Network Associates and all...
    • People just don't know posting emails is almost like posting a letter in a transparent envelop... everybody from your neighboor to the postman may read it, if they want to.

    • I tell my wife this all the time when she writes something not too smart from her work email (like bitching about her boss). Forget packet sniffing, If you think your sysadmin never gets bored and starts reading people's mail, you have much better faith in human nature than I do. I KNOW a sysadmin at a former company read mail. I caught him doing it.
    • Never mind their bad marketing; lots of companies do that and still succeed. NAI consistently damaged their product - it's like anti-marketing.

      At one point, (about Summer 2000) NAI was still selling a decent product for about $70. It was a suite that contained a PGP encryptor/decryptor, a keyring application, and an IPSEC implementation. Everything you need, right?

      So NAI split up the bundle, and upped the price on BOTH the parts so it would cost the user about $200 to get the functionality of the old version. I could understand selling the VPN seperately from the keychain, but only if both fragments cost less.

      I'm not a conspiracy theorist. I don't think this was some scam to play onto Ashcroft's nice list. I merely think that there's at least one suit near the top of NAI who isn't that interested; funding cuts, perhaps inadequate time spent considering marketing, you could see how this might go.

      In the end, I suspect I hope in vain that NAI will give away the codebase when they stop support. They'll probably say something about "protecting shareholder value" by hanging onto the IP forever "in case" they could sell the increasingly outdated software for more than it's worth.

  • by pinkUZI ( 515787 ) <slashdot.7.jmask ... Gmet.com minus p> on Thursday March 07, 2002 @10:10AM (#3124184) Homepage Journal
    Encryption is one of those things that goes really well with open source. PGP started out as Philip Zimmermann [philzimmermann.com]'s free and open project which he released with a written warning [philzimmermann.com] against software that locked away its source code and algorithms. This makes it a little difficult to go back to closed source and proprietary encryption methods. The internet community's love affair with PGP was broken when Phil quit working with Network Associates. The trust wasn't with PGP alone, it was with Phil heading up PGP's development that drew the trust of us all.
    So, its not too surprising that Network Associates is having a little trouble trying to pawn off a product that has no market.

    Exit PGP, enter GnuPG.
  • Smartcard support (Score:4, Informative)

    by nakhla ( 68363 ) on Thursday March 07, 2002 @10:12AM (#3124189) Homepage
    One of the coolest things about the latest version of PGP (Corporate Desktop, I believe) is its support for smartcards. I have a Rainbow iKey, but it's pretty much useless for personal use because I don't have a certificate compatible with the device. With the newest version of PGP I could store PGP certs/keys on my iKey. It would be great if this kind of support was built into GnuPG. I'd LOVE to be able to use my iKey for PGP on Linux or for token-based authentication
  • I work for a small HMO, and we are one of the insurance options for Federal Government employees in our state. *All* data that goes back and forth between us and the Feds is supposed to be encrypted with PGP. They even specify which PGP version we are supposed to use.

    It will be interesting to see what happens now. I wonder if they will consider using GPG eventually?
  • by EschewObfuscation ( 146674 ) on Thursday March 07, 2002 @10:23AM (#3124230) Journal
    There are, IMHO, two things that keep the average email user from using encryption:

    First, it has to be absolutely transparent. It can't put more of an overhead on a standard email send-and-receive than already exists. Key management would have to become at least as easy as address book management (say, having addresses and keys automatically integrated into your keyring). While this would present a security hole, most users aren't going to want to go and verify keys. They're also not going to want to type their password every time they send an email. Most users of apps like Outlook just store their passwords on their PCs anyway, because they can't be bothered logging in once per session (ever deal with someone who didn't remember their password because they never type it in anymore?). IIRC, PGP had several of these features, but with some apps you still had to encrypt to the clipboard and then paste the encrypted message back into your document.

    Second, to even get people to do this minimum, and to demand it in products, they have to see the need for it. Phil put it best, I think, when he drew an analogy in the docs for PGP. I can't remember the exact wording, but it was something along the lines of "So you're not saying anything illegal. What would you think if the government outlawed envelopes, and all mail had to be sent on postcards?

    Most people don't believe how easy it is to read email, because they have no idea how to go about it. Instead, they shrug and say that they don't care. If instead you ask them how they'd feel about having all of their corporate correspondence and private letters going out on postcards, they'd think twice, and (hopefully) bite the bullet and start using something like PGP. There can be a huge market for applications like PGP, but it has to be sold to people with the right message, and it has to, even at the expense of some security (and yes, I realize the implications of that, and know the argument that no security is better than flawed security), be easy to use.
    • I know I've been looking for a mail app with just these features that runs on Windows (and hopefully Linux too). I'm a competent Linux and Windows user, and I have no trouble using PGP on Windows with my Mozilla mailer. On Linux, it takes me significant time to copy and paste together an encrypted - or even just signed - message.

      I don't think that there's a good reason to think that making PGP easier to apply to email would make it less secure:

      • Taking the PGP model as an example, we could simply bind a hotkey to the copy-EncryptClipBoard-paste operation.
      • Alternately, we could modify our mailers to include "encrypt" and "sign" buttons right next to the "send" button.
      • The problem with authentication could be solved by an icon displaying the level of trust the user may place in the key - highest if the user has typed it in manually and has explicitly indicated trust, lower for implicit trust, and very low for automatically found keys
      • There are already public key databases (which the NAI PGP client hooks into, I might add) which could be queried to decrypt or check signatures (see above re: trust levels) automatically. Making this transparent would significantly aid the spread of PGP use.
      As you can probably tell, I feel kind of strongly about this - I even convinced my mother to use the PGP suite (although it turned out that the old version I gave her crashes her Win2k machine). I'd seriously consider working on the project, but I know I couldn't do it alone, and there are limited numbers of free choices for Windows (which I think it's crucial to get this working on). This is something I'd love to see integrated into the Mozilla mailer, but I don't want to suggest it while they're bug-hunting for 1.0!

      I'd love to hear advice as to how I can help this to happen, or find it already sitting around.

      • Try out mutt. Incoming messages are automatically decrypted and/or verified. Outgoing messages can be signed by typing ps, encrypted with pe and both by pb. It can even be set to remember the PGP passphrase for a period of time. And mutt's a wonderful mailreader anyway--check it out when you get the chance.
        • I use mutt for my console mailer, actually. However, I haven't found an appropriate mailer for X and Windows - Under Windows, using a console program is actually really, really bad; I have never seen a decent terminal / console window application for Windows, and the "MS DOS Prompt" application sucks in several dimensions.
    • The problem with Phil's analogy to e-mail being like a postcard is that 99% of the time I use e-mail I would have no problem putting on a post card. And for the 1% of stuff I wouldn't normally put on a postcard...well, I'm just to lazy to set it up on every machine I use to send e-mail and convince all my contacts to use it and manage keys for everyone send e-mail to, and end up revoking and re-exchanging keys every time someone on a Win9X lets another person have physical access to their machine. This was the whole problem with the web of trust concept in the first place. The complexity of managing your trusted contacts (revoking certs, multiple certs for a contact, keeping your cert with you at all times) grows exonentially (or maybe worse).

      Besides, if 99.9% of the mail coming into my mailbox at home was postcards, I would probably send more postcards and not worry about it. The whole reason the postcard argument works is not real concern for privacy, but comfort with cultural customs. This is also why secure e-mail will never catch on for unior sending a message to grandma. Where it will and has caught on is in security concious businesses such as medical records where encryption of electronic correspondence with patients it is now required by law (do a earch of HIPPA to see all the headaches this is causing).
    • by DrXym ( 126579 ) on Thursday March 07, 2002 @03:43PM (#3126419)
      Actually there are several straightforward ways to get encryption to the masses without requiring them to think about whether they need it much.
      1. Use Plain English to describe encryption. Make analogies to envelopes and stuff. Don't blabber on about S/MIME or other gibberish.
      2. Integrate encryption into the mail program. Seamlessly and visibily. S/MIME support in most email programs is too complicated.
      3. Make generating a key easy, a question while setting up an account. None of the current rigmarole of having to give your life history to Verisign or whoever for some worthless uncertified key which expires in 6 months.
      4. Make key exchange on by default. Automatically insert a X-pgp-key-id header or somesuch into each mail sent out. Scan for this header in received mail and add to the address book entry by default.
      5. Make encryption the default behaviour when you have the key for someone you're sending to.
      6. Encourage e-tailers such as Amazon to put a "Encrypt your order details" checkbox on their order screens.

      Most people would happily use encryption if it happened automatically and painlessly. The current problems arise because PGP is not integrated and S/Mime frankly sucks, having an overly complicated UI, difficulty getting a key and is dog slow to boot.
  • pgp and key lengths (Score:3, Interesting)

    by cluge ( 114877 ) on Thursday March 07, 2002 @10:25AM (#3124236) Homepage
    Maybe CAI didn't want to keep improving the product. DJB's [cr.yp.to] crypto paper and methodology shows that any key less than 1024 can be "easily" cracked. CAI would have had some more work to do on their product (just as I'm sure the GNUPG team is reconsidering the approaches they are using).

    Finding the people to verify PGP is secure and proving that any new method of encryption is secure takes money, and since many people still consider zipping a file up with a password as "strong encryption" there was no market for it.

    To think, not to long ago the US govt. was complaining that the world would end if we all had encryption. As it turns out, few cared enough to use it.

    • shows that any key less than 1024 can be "easily" cracked.

      Yes some weeknesses have recently been discoverd in the RSA algoritham meaning that 1024 bit keys are less secure than people thought. HOWEVER PGP defaults to a 2048 bit Diffie Hellman (sp?) key.

      Not only that but PGP will happly accept DH keys up to 4096 bits (and RSA keys to 2048 bits if you are set on using RSA), just by changing the defaults!

      I think your comment is missleading. Standard PGP keysizes are secure (and should remain secure for many more years) but uping the keysizes can be done very easily!

      • No, I think you missed the point. The point is that if the author was correct then the keysize increases are linear and the speed of additional nodes is linear but over time the speed of computers is exponential so that ultimately any crypto based on factoring is extinct. Luckily there are other forms of crypto including elyptic curves. Factoring was doomed anyways once quantum computers became mainstream, this just quickens the pace a bit.
  • by Anonymous Coward
    Remember how Commodore's incompetence helped kill the Amiga? Well I,
    personally, don't see much difference between that and what NAI has done
    to the companies/products is bought/merged.

    Where I work we use McAfee VirusScan and the Gauntlet firewall. At home,
    personal use only, I use PGP. (Good ol' 2.6.) Since NAI raised its ugly

    . Working with McAfee has become more difficult in nearly
    every respect, in my experience.

    . The Gauntlet firewall product has become so bad, particularly
    the support, that we gave up on it. (We're still using it. We just
    haven't bothered with (non-)support contracts or "upgrading.") I
    used to love that product :-(. And TIS used to be a pretty good
    company to work with.

    . When I tried to license PGP for business use, not only did
    NAI not have a Unix version for sale, they had no mechanism whereby
    I could license the "open source" version for business use. Think
    of it: basically free money for them. They had to do no more than
    charge me. No media. No downloads. No support. Just me saying to
    them "Here! Take some money." The concept was utterly beyond

    So the PGP product is now dead. Imagine that. They've sold Gauntlet to
    Secure Computing Corp. God knows what the status of the McAfee product
    line is.

    In summary: it's my opinion that NAI has done those products, not to
    mention their (ex-)customers no favours. Needless to say: NAI is not one
    of my favourite companies.
  • I currently use PGPDrive volumes, does anybody know of one that is better? With PGPDrive volumes I can defrag, mount and unmount and transfer to other systems too, nice integration.
  • There was some short news preview (either for a book or an upcoming show) on fox news yesterday, that I only caught in passing, about the use of technology by terrorist groups. They mentioned in passing that the NSA had cracked pgp 2 years ago. This was news to me.
    • A check of the foxnews.com and of the Google newgroup archives mentions nothing about that. Do you have anything more specific to add which we could use to nail down the specifics?
    • They mentioned in passing that the NSA had cracked pgp 2 years ago.

      The government will always have bigger weapons than you. It's a fact of life. I have a pistol and a rifle and they have nukes. I have PGP and they have rows upon rows of supercomputers.

      But that's not to say that PGP is useless. That pistol of mine is still great for defending myself against criminals. It's also okay to defend myself against rogue agents of the government. Likewise, PGP is great for securing your email against criminals, your boss, your wife, your nosy neighbor, and does a respectable job of protecting your email against you nosy sheriff, IRS agent, numbnut judge, etc.
  • We mostly use PGP for VPN access at work, when will GPG have such feature (if ever) ?
    • I don't see why it should. Gnu Privacy Guard is a program that talks OpenPGP (RFC 2440). A OpenSource/Free VPN solution is for example FreeS/Wan [freeswan.org]. Those are different things ad selling them under one brand, while business-wise feasible, is like mixing aplles and oranges.
      • There is no open source IPSEC client for windoze. I know, since a guy wanted me to setup a VPN for him. I setup FreeSwan, then realized that the only way to make windoze connect up was to buy copies of PGP/NET's IPSEC client...
  • Perhaps the EFF should buy them and make PGP opensouce/freeware/shareware or whatever, just so there's something out there that the common computing schmuck can rely on in the future.
    • Tell me a reason why they should do something like that ? There's allready a gpl'd version thats compatible with PGP called GPG [gnupg.org].
      • It works well,
      • and is ported to many platforms, including windows
      • And has even 3rd party outlook plugins.
      So, Why ?
      • Actually, a version of PGP under an unrestricted license (BSD, MIT) would be a very Good Thing. Why? because PGP is a standard. If it's only available under the GPL, then it can only be incorporated into other GPL applications. Normally that isn't a terribly horrible thing, but such licensing would hinder integration into commercial (ei. proprietary) mail clients. Since 90% of mail clients are Windows based and proprietary, this is Not Good.

        An unrestricted PGP would allow everyone access to PGP. Since the value of PGP increases with the number of users, it makes sense to give it the least restrictive license possible. GnuPG is already GPL. Since NAI will probably dump the semi-free PGP anyway, releasing it under the BSD or MIT license would be a good idea. Those people who loathe the very existance of non-GPL licenses can stick with GnuPG, and Microsoft, Apple, etc., can start integrating the unrestricted version into their software.
  • I loved NAI's PGP because it made things so easy!

    For instance, if I have a truckload of files to decrypt, it goes as follows.

    Select Files > Right Click > PGP > Decrypt > Input passphrase and voila!

    Cooler even is that it preserves the original filename after decrypting.

    Its always an annoyance to decrypt multiple files with gnupg on linux. Does anyone here know how to implement a passphrase caching mechanism so that I do not have to type that bloody lengthy passphrase everytime? I know this might be a security risk but hey, my home system is not networked. To reduce the risk of people doing stupid things, how about having to edit the source and modify something before the passphrase caching works? I am ready to do that. I am sure most seasoned gnupg users would find that useful too.

    Also, how do you preserve the original filename?

    Hint: to see the original filename use --list-packets with gnupg.


  • Security schemes based on what you know (passwords) or what you can calculate (public/private key encryption) are fundamentally flawed.

    Security based on what you are (biometrics) is much more reliable and can range from voice recognition over a 3kHz phone line to DNA scans. The more you need to KNOW, the deeper (but not necessarily the more invasive,) the source. The more you need to be sure, the more biometric signatures you can use to corroberate a message.

    Use a pair of biometric keys to encrypt/decrypt using the same algorithms as public key and you've got some underivable security. (The keys don't have to be primes.)

    As the Beatles sang all those years ago "There's nothing you know that can't be known." So much for passwords.

    And remember, encryption calculations are cumulative. Once you've worked out all 128-bit factors, cracking a code you've never seen before just becomes a table look up. (First rule of performance optimization: NEVER do anything TWICE. You can't buy a second but you can rent one if you use cold hard cache.)

    And the price of storage falls every month and the number of factors calculated grows every second. (Don't think the NSA hasn't figured that out yet.)
    • Suppose someone finds an exploit in the device that does your retinal scan. Your admins must now deny your retinal scan credentials, and you have to switch to the other eye (presuming you have a spare). If that credential is compromised as well, you're completely out-of-luck.

      With a passphrase-based system, by contrast, you can just change your passphrase as needed.
  • For one dollar!

    Hopefully it would come with at least one aeron chair.

    mmm. Aeron chair...
  • Part of the issue with widespread adoption of PGP isyou can't deploy it in a corporate environment. Imagine one disgruntled employee who encrypts a bunch of mission critical files, takes his keys, and goes home (resigns).

    Yeah, we will su his a$$! Well, in the meantime, you are SOL and out of business for all intents and purposes.

    PGP is great for individual use. It is a far too risky for corporate use.
    • Erm - how is that different to the disgruntled employee that just deletes the files instead? You just restore from backup.

      If you didn't have backups of your "business critical" data, you shouldn't be in business anyway.

    • you can't deploy it in a corporate environment.

      You ARE wrong! Read this [mccune.cc] about which PGP version to use.

      Here is a cut 'n' paste of the intersting bit....

      The Business versions allow you to set up how PGP will be used throughout an organization, and also allow for use of an Additional Decryption Key (ADK); but do not really include anything of additional value to an individual user. The ADK is just a master key used by an organization that all of its email/files is also encrypted to, so that if someone leaves the organization, there will still be access to his/her encrypted files - It has absolutely nothing to do with concepts such as government key recovery.

  • If anyone else out there has gotten a chance to use the PGP API, it's simply a beauituful thing for adding crypto to your application. I don't think GnuPG has anything near what PGP had as far as an API (their motto: "Use the command line program as a base for other things!", yeh, real usefull for in-memory encryption)

    It sucks to see that go. GnuPG may be free, but the source was available for PGP, and the API was just fantastic.
  • by Rahtok ( 527483 ) on Thursday March 07, 2002 @11:56AM (#3124676) Homepage
    Guys, everybody here is missing what really happened here. About a year and a half ago, NAI separated the command line product from the GUI desktop product. NAI discovered that people will pay a large chunk of change for scriptable, command line stuff, and that they almost had to give away the GUI version. When they dissolved the business unit last October, they decided to KEEP the command line version [the McAfee biz unit sells it now, for the same large chunk of $$$] but were trying to sell off the GUI version. Now, riddle me this, riddle me that, how do you sell the GUI version to another company when the command line version you're keeping USES THE SAME CODE?! That's why NAI couldn't sell it -- no company wanted to pick up a product that NAI was going to keep the core product to. I know because I worked for NAI in the PGP division.

    It all is a big shame too. The last version, 7.1, was cool. It was stable, had an IPSEC client that could talk to pretty much any VPN gateway out there in addition to creating peer to peer IPSEC tunnels with other PGP clients as well. A mini firewall / IDS rounded it out. Frankly, companies just aren't paranoid enough to require that level of encryption yet. And until that happens, no commercial product is likely to succeed in this arena.
  • Marketing blunder! (Score:3, Insightful)

    by dcavanaugh ( 248349 ) on Thursday March 07, 2002 @12:56PM (#3125008) Homepage
    PGP is a nifty little package for encrypting files & e-mail. If it had been sold as a nifty little package at a low price, NAI would not be looking to dump it.

    I played with PGP when it was freeware. In a pilot project, I exchanged office gossip with a co-worker to see if ordinary people could use it effectively for secure e-mail communications. It worked quite well, but we didn't have a pressing need for the technology so deployment went nowhere.

    Years later, I'm at a different company and now I have a use for it. I visit NAI to see if I can buy just the basic file & e-mail encryption. I discover all they really want to sell is the entire PGP Desktop bundle, for a price that IMHO far exceeds what basic encrypted e-mail should be worth. Eventually, I managed to buy the basic package, but only after making phone calls and finding a reseller who could do such a thing. The licensing complexities of the whole process was as if I was buying an nuclear reactor! Had this been an easier process, I might have deployed it on hundreds of PCs, instead it's only a handful.

    I am the customer; I am always right. I want an easy-to-buy, easy-to-use, cheap-to-deploy package that encrypts the 5% of my users' e-mail & files that are worthy of encryption. NAI could have marketed PGP successfully to a high percentage of business and home PC owners, but for whatever reason they chose to go after the ultra-paranoid, encrypt-everything, price-is-no-object crowd instead. PGP is a great product; better management could have made it profitable. Maybe someone will buy the product and figure out how to broaden its appeal.
  • Use PGP CKT (Score:4, Informative)

    by Constrain_Me ( 551193 ) on Thursday March 07, 2002 @01:19PM (#3125225) Homepage Journal
    I don't believe someone hasn't posted this. I use PGP CKT [ipgpp.com] and am VERY happy with it. It is built off of the last version of PGP that came with the source (6.5.8 Desktop Security, if i'm not mistaken), and they are currently on their 6th build (Build 07, which will fix XP problems is in Beta).

    PGP CKT, comes fully loaded with PGPDisk, and PGP4ICQ, and the plugins for Outlook/Outlook Express, I'm not sure about PGPNet, I don't use it.
  • NAI Privacy Policy (Score:3, Informative)

    by AntiNorm ( 155641 ) on Thursday March 07, 2002 @02:58PM (#3126021)
    I was just about to download the freeware version of PGP last night when, in response to the mandatory registration, I read their privacy policy. Things like "We may also carefully select other companies to send you information about their products and services." caught my attention. Basically, they sell your information and require you to contact them to prevent this from happening. No, there isn't a 'please do not share this information' checkbox.

    That doesn't look like much of a privacy policy to me. Hence the reason I didn't proceed.

As of next Tuesday, C will be flushed in favor of COBOL. Please update your programs.