Security

NAI to Sell Off PGP Product Line

An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."

  • Rats... Ship (Score:4, Interesting)

    by NitsujTPU ( 19263 ) on Thursday October 11, 2001 @11:24PM (#2418359)
    If my product line was about to become illegal and wasn't selling well to begin with, I'd sell to the highest bidder too (and I'm sure it will sell high).
  • Causes (Score:5, Insightful)

    by Moonshadow ( 84117 ) on Thursday October 11, 2001 @11:25PM (#2418360)
    Sales were slow...hardly surprising.

    The biggest potential users of this would have been the Slashdot types, and we're known for being fierce advocates of open-source and free (as in beer) software. The kind of "Why pay for something when you can write it yourself?" mentality is what helped kill it.

    The people that are most concerned about encryption are those least willing to pay for it.

    • Re:Causes (Score:4, Insightful)

      by tiny69 ( 34486 ) on Thursday October 11, 2001 @11:55PM (#2418473) Homepage Journal
      The people that are most concerned about encryption are those least willing to pay for it.

      No, the people that are most concerned about encryption are paranoid enough not to trust commercial apps.

    • Re:Causes (Score:4, Interesting)

      by spudnic ( 32107 ) on Friday October 12, 2001 @12:09AM (#2418522)
      Not only was it not free, it was horribly expensive. We were looking at getting it for a public (read: poor) hospital that I was doing consulting work for a couple of years back. They wanted like $400 per workstation for their "corporate desktop" edition. There was no way they could afford $60,000 for this project.

      I see now the price is $179 per workstation on their website. Still pretty pricey for encryption.
    • Re:Causes (Score:3, Insightful)

      by floop ( 11798 )
      The reason why it's not a good seller is either people don't know about it or they think it isn't as important as $100 cost. We just bought 50 seats a couple months ago and were just about to buy 50 more and a key server. All due to people sending passwords in plain in email. The product has good email integration (with outlook anyway) and makes even the laziest person able to use it effectively.

      MS would be smart to buy and bundle it w/ outlook but modify it a bit so it's not openpgp compatible.
    • by Ars-Fartsica ( 166957 ) on Friday October 12, 2001 @12:19AM (#2418539)
      Well, PGP had simply reached a level of age and maturity where one should expect a free replacement to come on the scene. My observations are that you have four to five years to squeeze revenues out of a software product before you can reasonably expect a free competitor.

      This will simply become part of the arithmetic commercial developers will have to deal with.

      • Why is Ars-Fartsica's post marked as a Troll? Her or his observation is fairly poignant, whether or not it is entirely true. (Only NAI execs know for sure.)

        This isn't a story about encryption being denied to the masses or anything. It's about a company giving up an unprofitable product line because most people just use the free versions. And in case whoever marked this post as a troll hasn't noticed, there is a great deal of software within Ars' timeframe that is having exactly this kind of thing happening to it: free alternatives are starting to pop up.

        Try to think of a commonly used commercial application that is not having a free equivalent currently being worked on. With a bit of searching, you won't find many. Indeed, free software is even becoming increasingly popular as more people are getting sick of dropping $100-700 on software per product. A comprehensive commercial software package these days can cost even more than the computer you bought to use the software on. Do you think even the rather clueless average user isn't going to notice that?

        C'mon, are Slashdot moderators really this dumb?

    • Re:Causes (Score:3, Informative)

      by zeugma-amp ( 139862 )

      You're probably correct that many of the types who would be concerned enough with their privacy are geeks who would rather not pay for something they can get for free, it had a presence in corporate environments. I fought a huge battle at the company I used to work for to get PGP implemented at a departmental and later at the VP level.

      One of the biggest initial issues was that people didn't understand it or the need for secrecy. Thankfully the group I was in had a need to periodically distribute root passwords and management was smart enough to realize that doing so in email was pretty darned dumb. Eventually I was able to get it adopted and we would encrypt a single message to the various people who needed to be able to read it. We also posted the encrypted file on our departmental webserver. It worked pretty well. When someone would leave the dept for whatever reason, we'd distribute the revoked key that was generated at the same time as their key, change the password, and repost the file.

      Another issue was price. It was pretty difficult to get higher-level approval for the expenditure. We eventually snuck it in one license at a time, and later were able to buy licenses in bulk as my senior manager and later VP understood the issues and thought the solution was worth paying for.

      Eventually an enterprise license was purchased. Unfortunately, the &*%($*%( lawyers wanted to force everyone to use escrowed keys. I'm not sure how it went elsewhere in the company, but we basically said 'sure', and kept using unescrowed keys for internal communications because 'root' is God's way of saying you have too much power.

      PGP's support of key-escrow was the worst thing they could do IMO from the standpoint of trust, especially for those paranoid enough to be really up on the tech. I never fully trusted recent versions of PGP, and use GPG now.

    • by Anonymous Coward on Friday October 12, 2001 @01:19AM (#2418651)
      The biggest potential users of this would have been the Slashdot types

      Umm, no. I work for a company that has our own symbol on /., one with a funky dropped 'e' in it. You might be able to figure out who we are. We tried to buy PGP for Unix to secure engineering data--we happen to be one of the largest Microsoft shops on the planet, but all the real work still gets done on Unix/Linux--and NAI wouldn't sell it to us. We were talking THOUSANDS of licenses, ubiquitous deployment to everyone, and they weren't interested in providing a Unix client of the current version.

      So we're going to be using GPG.

      Get this: NAI have also threatened major bad legal juju if we ever put any GPG-generated keys on their keyserver product, which we also had previously bought (along with hundreds of individual PGP licenses). Hello? If that's not a Microsoftesque move, I don't know what is.

      They coulda made millions on our account. WE WANTED TO PAY THEM MILLIONS. Negotiations fell through. So now we're saving the millions and going to be supporting open source even though senior management is still not 100% clued into that this is a good thing.

      • My company exchanges a shedload of confidential data with customers - some of whom use PGPG. I tried the eval of PGPmail last week and couldn't get it going with Notes (no Outlook - no virus). Even waving the prospect of 12,000 seats at them they wouldn't respond. Should've guessed something was up.

        We'll just have to stick to our normal encryption method - making our documents too boring for anyone to remain conscious while they read them.
      • At my last job they wanted to try out encryption but did not see the need to spend so much money per seat (worked out to about $35k total). Also was willing to look into GPG but it doesn't integrate well (if at all with Outlook). Since this wasn't a technical oriented group (most of them didn't know how to change a default printer). It would have needed to be somewhat idiotproof.
    • Actually, lots of us DID use it - we'd use GPG for personal use, and the companies we worked for would use PGP (at our request). The commercial version had features necessary for business use, but still interoperated with the free version.

      Unfortunately, the support sucked very badly. THAT seems to be the real problem; it didn't exactly inspire confidence.

      Note that we wouldn't have bought the commercial version without the existence of GPG and the OpenPGP RFC. This gave us the assurance that IF Network Associates went bust (or in this case just dumped PGP) that PGP itself would not disappear. Setting up an effective Corporate PGP infrastructure is not trivial.
    • "The biggest potential users of this would have been the Slashdot types"

      Slashdot types generally run Linux / Solaris / *BSD and have more sense than to run closed source security packages produced by NAI.

      Come to think of it, most users here have an operating system that comes with GnuPG! Why would you bother using PGP at all?!?

  • What's going to happen to this project now that it's no longer under development? Certainly we have GPG, but PGP is a long time trusted name. Are they going to reopen it like it once was or is it now entirely dead - in the software graveyard with so many other projects that were kept closed after being pronounced dead?
    • NAI is getting quite a reputation, albeit a bad one, for sending its retail customers on wild goose chases in search of after-sale support that simply doesn't exist. The sad fact is when you buy an NAI product all you get is what comes in the box. You want support and upgrades? You won't be getting them from NAI.

      Check their Web site and you'll find a few simplistic FAQs that reveal nothing you didn't already know and some Forums that are ignored by NAI staff.
  • I wonder how much of this comes from the fact that Zimmermann was receiving hate mail for reports that Osama Bin Laden was using his encryption for communications, something he resorted to after he found out the US can monitor his satellite phone conversations.

    But doesn't Osama know... the download page specifically says for US residents only!
    • Bugger all I imagine as Zimmermann left the project a few months ago
    • by Chasing Amy ( 450778 ) <asdfijoaisdf@askdfjpasodf.com> on Friday October 12, 2001 @03:03AM (#2418779) Homepage
      What I find amazing is that most people labor under the foolish misconception that if only American encryption products (like PGP) were either backdoored, effectively export controlled, or discontinued altogether, that foreign criminals and terrorists would suddenly have nothing to hide their data with. Let's explore why only stupid people would think so:

      1) Source code to most versions of PGP is available and published internationally on many sites. If a terrorist wants PGP, and PGP has been discontinued, he can just download a binary from one of these foreign servers, or get someone computer literate to compile this source code for him. It's already in the wild on the net, and spread to servers in nearly every free or partially free nation; it will never disappear now.

      2) Since the source code is available for even some very recent versions, overseas programmers will pick it up and improve it and release newer builds for newer OSes if it is discontinued or shown to have backdoors.

      3) GPG is arguably just as good, plus it's truly Free and GPLed. It's not as shiny, but makes a good drop-in replacement for most people, terrorists included. And again, GPG is "in the wild" and not going to disappear from the Net even if the U.S. and half the world outlaw strong encryption, and since the source code is there people will hack on it and improve it, even if only overseas people.

      4) Contrary to the beliefs of the ignorant, the U.S. is not so much more advanced than other countries that no other people from overseas can write strong encryption products as good as ours. Encryption is universal math, not American voodoo. In fact, the best symmetric encryption product currently comes from the U.K., Scramdisk. If America and the U.K. were to ban encryption, any country with competent mathematicians and programmers could take the lead.

      5) Encryption is based on well-documented and easily available math, and many proven algorithms are already published and cryptanalyzed and shown to be secure enough. Even if by some extraordinary miracle all traces of encryption products and source code were wiped from the Net by the unprecedented cooperation of every nation on Earth--something truly impossible--people like Osama could hire any competent mathematician and programmer to write a decent encryption product using a proven cipher and simple calls. As long as it's kept simple and uses proven ciphers, it would likely be as secure as PGP or GPG or Scramdisk.

      So, it doesn't really matter what the download page says, or if it bothers to ask, or even if the U.S. were to enact the most Draconian encryption legislation tomorrow. PGP is nothing special. Its key functionality has already been duplicated in GPG and can be duplicated again and again by any number of competent non-U.S. residents. Therefore it doesn't matter who can download it, since they can get their hands on encryption technology that's just as strong.
      • Good points. I'd add one more thing: if I were a terrorist, guess what? I'd use a one-time pad.
  • by Anonymous Coward
    No one is really interested in "protecting" their private emails. Who needs really good encryption software?

    Banks,
    Governments,
    Military,
    Terrorists,
    Other criminals,
    12 year old girls writing in their diaries,
    and?

    The whole point of technology and the push of civilization has been the dissemination of information and ideas. Encryption runs so much against this concept that it's no wonder that people both don't understand its necessity and don't want it.

    What other outcome could have been expected, selling such a product?
      • Customers of Banks
      • Folks in fear of Governments
      • Militant Freedom Fighters
      • The Persecuted
      • 12 year-olds who are entitled to their civil right of privacy
      • and
      • you
      • I
    • Well I use it (PGP on the mac, and GPG on the ol' Linux) to encrypt all my private files, which include bank accounts, credit cards, love letters, files of passwords, sensitive data from clients that would rather not have the info public.. then I use rsync and copy them to remote computers (with the owner's permissions of course). That's how I've been doing all my backups for a while now.

    • by Chasing Amy ( 450778 ) <asdfijoaisdf@askdfjpasodf.com> on Friday October 12, 2001 @03:26AM (#2418803) Homepage
      In 1785, a resolution authorized the secretary of the Department of Foreign Affairs to open and inspect any mail that related to the safety and interests of the United States. The ensuing 'inspections' caused prominent men, like George Washington, to complain of mail tampering. According to various historians, it led James Madison, Thomas Jefferson and James Monroe to write to each other in code - that is, they encrypted their letters in order to preserve the privacy of their political discussion.

      Government has shown time and again that it cannot be trusted not to eavesdrop without warrant and cause, whenever it thinks it can get away with it. The infamous FBI bugging of Martin Luther King and just about everyone else with political clout comes to mind. It was little more than thirty years ago, too, so don't complain my example is outdated. Or how about the recent study which found over 2,000 illegal, unwarranted wiretaps were performed last year? And that's just the ones we found out about after the fact.

      The dissemination of information and ideas is one thing. Not leaving people alone long enough to gather information and form ideas, without fear of the Secret Police wondering why we're looking at that particular information and forming those particular ideas that it may not like, is a potential downfall of civilization.

      Civilization is only advanced where ideas, even new and very jarring ones, are permitted to flourish. Today Socrates is considered to be the bedrock of all Western philosophy, since his pupil Plato wrote all the founding philosophical explorations. But recall that in his own time his ideas, nearly universal in the West today, were considered dangerous and he was executed for expressing them by the then-most-free society in existence, the birthplace of Democracy, Athens.

      Encryption is the only way to express ideas without fear of reprisal by regimes which are not on the cutting edge of human rights, much as the U.S. is not. It is the sole way to protect one's privacy with any certainty from arbitrary invasions. Therefore we would do well to promote encryption, as a way to ensure that our rights are protected and respected. I trust myself to protect my rights with encryption, more than I trust the FBI, ATF, DOJ, etc., to do so with empty platitudes. And on this point I am in the company of George Washington, Thomas Jefferson, James Madison, and James Monroe--I'll take them to John Ashcroft, Janet Reno, the FBI and ATF agents who murdered innocent people at Ruby Ridge, and their ilk, any day.
    • I use encryption when I don't want other people to read my email. My mail isn't anyone's business, whether it goes via the post or over the net. In fact, I have a right to privacy:

      Fourth Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

      The Fourth Amendment has been interpreted to include snailmail and phone conversations. I see no reason why email should be different, yet because my government seems to hold a different view I use encryption.

      To insinuate that a private citizen other than a 12-year-old girl would have no use for encryption unless they were a terrorist or a criminal is just plain stupid, not to mention irrelevant. It doesn't matter if the content of my letters is boring and trivial, I still have a right to privacy.

      Max
    • The whole point of technology and the push of civilization has been the dissemination of information and ideas. Encryption runs so much against this concept that it's no wonder that people both don't understand its necessity and don't want it.

      You have it backwards. Civilization is about privacy. It's about having the freedom to do what you want to do rather than what the tribe wants you to do. It's about being free to disagree, being free to do something your way if you don't like the way everyone else does it.

      As Bruce Schneier said, "it's not enough to protect ourselves with laws of men, we must protect ourselves with laws of mathematics". That is going to be true as long as there are people on earth who are willing to kill other people for what they believe.
  • PGP... (Score:3, Troll)

    by Maskirovka ( 255712 ) on Thursday October 11, 2001 @11:28PM (#2418377)
    Pretty Good Pinkslips
    oh wait...oxymoron
  • by farrellj ( 563 ) on Thursday October 11, 2001 @11:30PM (#2418384) Homepage Journal
    Twice is enemy action...

    First ZKS shuts its services, now PGP is orphaned...it does not take a conspiracy fan to put this together.

    ttyl
    Farrell
  • There just aren't that many people who care about e-mail encryption. I understand all the arguments and the technology, and *I* don't care about it. I can only imagine what someone who doesn't know about the issues thinks about it.

    And frankly, I wouldn't care about sending all my mail on postcards without envelopes. I can't even think of any personal mail that I would care about some anonymous postal worker reading, even if I thought postal workers sit around reading letters that zoom by. Except for maybe things with credit card numbers or bank numbers, but I wouldn't send things like that through e-mail anyway (and I venture to say that most people are probably savvy enough to know that's bad as well).

  • *sigh* (Score:3, Funny)

    by beowulf_26 ( 512332 ) <beowulf_26@hotm a i l . c om> on Thursday October 11, 2001 @11:32PM (#2418392) Homepage
    Now I'm going to have to bust out my old Hardy Boys Detective handbook to learn how to encrypt my messages. Everybody jump to OSDN as I'm officially starting the HaBOSEP (Hardy-Boys Open Source Encryption Project). Just send me 2$ for your secret decoder ring.

    Say it ain't so, PGP, say it ain't so.
    • Hell, if ROT13 is good enough for ebooks, why isn't it good enough for you?

      Or you could just ROT26 your stuff. The ease-of-use factor sure beats anything else.
  • Sales Would Be Great (Score:2, Informative)

    by zentec ( 204030 )

    If NAI didn't want to charge $5,500 for a server based encryption package. Up from $1,000 for a *two year license* for PGP version 5.

    NAI is a bunch of idiots anyway. They totally screwed over people when they took over the Gauntlet firewall suite. First, "you need to migrate to NT, all Unix Gauntlet packages will be discontinued". Ok, 18 months later "Gauntlet for NT is now discontinued".

    Hopefully, someone will pick up PGP and offer it at a price people can afford.
  • by sllort ( 442574 ) on Thursday October 11, 2001 @11:33PM (#2418395) Homepage Journal
    This product never ceased to amaze me. PGP 7.1 included, among other things:

    - an encrypted IPSEC/IKE compliant VPN
    - encrypted hard drive software (public key or shared secret encryption)
    - Encrypted Email with multiple mail client integration
    - Myriad windows hooks, like "encrypt clipboard"
    - A secure file and hard drive wiper
    - A full-blown INTRUSION DETECTION SYSTEM with email alert that would attach itself below the NDIS level.

    ...all for $30. I'm not a big fan of buying software, but I bought this religiously because it was a steal, just for the IDS. I always wondered how they could afford to put so much top-notch development into such a cheap product (I never found a serious bug, and I've worked it over hard. That's a rare thing to be able to say about a windows networking application).

    The answer appears to be that they were dumping serious development funds into this product and were expecting massive sales. If you asked me to point a finger at the cause of death, I'd say they were overambitious. Too many developers building too much functionality made it far too expensive. All anyone ever really wanted was encrypted email. And perhaps if that's all they developed, supply would have matched demand.

    Then again, hindsight is 20/20.
    • by undie ( 140711 )
      I'd agree that's a steal, but not for the IDS - it's not even signature based, it's got some canned 'attacks' built in but there's no update facility.

      On the other hand the personal firewall PGPnet includes has quite a flexible rule interface, and works really well. And the rest of the package is amazing.

      I'm also concerned about the on-hold status of Gauntlet Firewall/VPN. A really good product that was just starting to get even better with the 6.0 release, and now its future is very uncertain. Gauntlet's roots are in open source too, as it evolved from the Firewall Toolkit [fwtk.org].

    • What?!? (Score:2, Interesting)

      by John Whorfin ( 19968 )
      Post a link, man.

      I just saw PGPNet 7.1 ONLY for $60 for a two year contract. This was from PGP too.

      With the 7.1 series they split apart the entire PGP Desktop package and are (were) selling the pieces individually.

      $30? I don't think so.
      • Similar to my experience. I was investigating it on the Mac platform as Cisco is currently providing a mac vpn client for their 3000 concentrators. The desktop suite had all kinds of crap - and on the mac they didn't sell the components separately.

        ostiguy
    • ..all for $30

      Wow, a $30 patch for a $250 OS that might make you feel less venerable. I don't mind people trying to make a living selling binaries. I just don't understand why people would buy such things when free alternatives [debian.org] are available. GPG not enough security? Try OpenBSD [openbsd.org].

      If the answer is that the free alternatives are too hard to administer and set up, go get help. There are Linux User Groups (LUGs) everywhere. Take the hundreds of dollars you as an individual would spend on canned binaries and hire someone to help you out. If you are a business, save yourself thousands of dollars the same way.

      The world is always changing. Sometimes it hurts, as when 250 fine programmers get laid off. As long as the world remains free, the changes will be for the better. Just think of that talent being liberated. All of those nifty Windows tricks are unlikely to be released even if NA itself goes belly up.

  • What happens now? (Score:2, Interesting)

    by DarkZero ( 516460 )
    What happens to a great commercial program after it's permanently axed by its creators? Do we just pirate the Hell out of it now and generally continue to use it, since the encryption will probably be good for years to come, or is there some reason that we can't or morally shouldn't?
  • To me this is just another example of a tool/IP business model not making it even though it is useful technology and if it were gone it would be sorely missed. Still, businesspeople don't have the capabilities of valuing a tool that is not an end product (show me an MBA that sees encryption as an income generating end-product and I'll show you a geek in wool/MBA clothing). Also, I have yet to hear of a major money draining hack to a corporation that could have been prevented by PGP, I believe the stolen credit cards etc were obtained by hacking the system open, not listening on the lines. Anyone know of such an example?
  • Since most users of public-key crypto are (presumably) technologically oriented, most of them are probably also aware that GnuPG offers the same functionality, but free, and open-sourced to boot. Why bother paying for PGP when GPG is free, integrates with your favorite email clients (an Outlook plugin is even available), and offers the same or better encryption? GPG effectively made PGP unprofitable. Nobody who knows better would use it.

    And, like the poster above mentioned, since the tech is facing a serious risk of becoming illegal, investing too heavily in it might not be wise from an economic standpoint.

    --nick
  • Coincidence? (Score:4, Insightful)

    by Bud Dwyer ( 527622 ) on Thursday October 11, 2001 @11:37PM (#2418410) Homepage
    Okay, since September 11, we've seen Zero Knowledge Systems shut down their Freedom anonymizer service due to "lack of sales". Now we're seeing Network Associates dropping their encryption products due to "disappointing sales". We've seen encryption developers renounce their creations.


    Is this a coincidence? Or is there some government pressure in action here? What's the next step? Pressuring ISPs of distribution points for Open Source encryption products? When that happens, I'm sure we'll be re-assured by the ISPs that they have sound economic reasons for disallowing encryption software; but that won't make it go over any easier with me.

    • Maybe encryption/privacy on the net goes down in the US, but at the same time it receives substantial funding by the German government.

      This is not only true for GnuPG [gnupg.org], which has funding by the government (for the development of more user-friendly frontends, I think), but there is also a project for the development of an open source anonymity service (JAP [tu-dresden.de]) as strong as (or even stronger than) the Freedom anonymizer service, and there is also the Sphinx [www.bsi.de] project to build a PKI for the public authorities and maybe others.

      One of the main drivers for the JAP project (and maybe others) seems to be that many consumers (at least in Germany) apparently avoid E-commerce because of privacy concerns.

  • Yeah :-/ (Score:3, Interesting)

    by Brian Feldman ( 350 ) <green@FreBOHReBSD.org minus physicist> on Thursday October 11, 2001 @11:45PM (#2418440)
    It was a pretty somber PGP all-hands meeting today; I didn't expect it, really, but I wasn't paying that much attention. TIS^H^H^HNAI Labs exists really pretty separate from PGP except for being part of that "business unit", and considering that we aren't "losing market share", costing the corporation money, or anything like that....

    So, luckily, the NAI Labs section of PGP was exempt from all this change and will be shuffled around more, but we're still here =) It's a bit disappointing to see your company admit failures like this, even if it's for the best interest of the company.

  • by Ars-Fartsica ( 166957 ) on Thursday October 11, 2001 @11:49PM (#2418450)
    PGP and its ilk are really only useful in the scope of a meaningful PKI infrastructure, which doesn't exist and never will, as there are insurmountable educational hurdles for home and even business users.

    How many among even the savvy group here maintains a valid PGP key that is available online? Of those, how many maintain their key in a searchable index? I presume the answer is less than 2%.

    How many of you have received an email either signed or encrypted in such a fashion and then actually used the sender's public key to decrypt/verify?? Probably 10% of readers here or less.

    And that folks, is why PKI and hence PGP are dead-ends.

    • -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Well, it's all about convienence. I use pgp4pine which does automatic decryption/signature checking on incoming email, would automatically try to fetch public keys from PGP key servers, let you choose if you want to encrypt outgoing messages, just sign them or don't bother....

      Appearantly mutt has some decent PGP tie-ins. Hell, I remember Eudora used to have a PGP mode.

      Unfortunately, the implementation across OS's and mail packages are inconsistent, and that will probably be the demise of PGP/PKI.

      *shrug* What do I care? I don't mind using the clear envelope theory of sending email 98% of the time... The other 2%, it's usually to a friend or colleague who also has PGP.

      EOF
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.0.6 (FreeBSD)
      Comment: For info see http://www.gnupg.org

      iD8DBQE7xmqUKZYQqSA+yiURAiDRAJ9G3rMyNRJOHfpRDt+g 1V 2SLuQH9ACfU/HG
      9yhh23ifyYH57o1h5c+Y3Gg=
      =VK6P
      -----END PGP SIGNATURE-----
    • ...particularly with new versions of PGP and GnuPG, which can send keys straight to the keyservers and retrieve them from there on an as-needed basis.

      In short, I can't see there being very many users at all who have a current version of PGP and chose *not* to send their key into the keyserver -- it's just that tightly integrated. It takes a little more work with GnuPG, but the folks who know about it are the exact same folks who care.
      Thus, I can't possibly see your 2% estimate being on the mark -- few may use OpenPGP-compliant crypto, but of those who do, nearly all use the keyservers.


      • In short, I can't see there being very many users at all who have a current version of PGP and chose *not* to send their key into the keyserver -- it's just that tightly integrated.


        Our group was pushing the Corporate populace towards PGP as a standard desktop app. And for it to become a commonly used app, at that. We were actually making some progress. And that's when people began asking (if not demanding) the company's key server.


        The company had an "official" internal key server at one time. There was even a DNS entry for it still. In actuality, this keyserver had been a side project on an individual's Solaris desktop machine. He had become burdened with other tasks and the keyserver fell into disrepair until it had been taken offline. We didn't have the time / funding to deal with it either.


        Our suggestion was to use the excellent network of public key servers in the meantime. It was odd. People were rather horrified at the idea. Public keyservers were just too scary. No amount of discussion would change their minds. They needed a nice, safe internal one or no key server at all would do.


        We scored a hit in getting PGP out there. But I suspect it was an overall miss by somehow failing to educate the population on what they had.

    • I had given PGP several chances. For one reason or another I'd get all fired up about it. I'd go and generate new keys, submit to keyservers, etc.

      Then it hit me. Who can I send this to? If I encrypt something, nobody is going to know what to do with it, not even most of my tech savvy friends. Even they don't have current keys that I could get hold of, so I couldn't encrypt it for them.

      I settled for signing my messages if for nothing else to spread the PGP word. That ended when I actually had someone who I respected on a mailing list tell me to stop wasting space by including all that "garbage" in every one of my messages.

      Geez.
  • Why I use PGP... (Score:5, Interesting)

    by Bonker ( 243350 ) on Thursday October 11, 2001 @11:54PM (#2418467)
    I just happened to have it installed instead of GPG, but I will probably make the switch now that it's being discontinued.

    1. Private Data... There's a lot of stuff that I do and say through email that is perfectly kosher, but is none of my company's or coworkers' business, like emailing my wife whilst at work. I know for a fact that there are nosy people in my networking department, but 2048 bit D-H encryption makes this Somebody Else's Problem (tm) even though I am forced to use Exchange at work.

    2. Insecure Mail Servers... By the same token, I am forced to keep sensitive data on an Exchange server. It doesn't take a genius to see that any given company's Directory/Mail/Personal Info server is going to be one of a malicious cracker's first targets, if he or she is interested in doing anything other than 0vvnZ'ing the website. When the time comes... and it will... I will be able to say... 'No, my sensitive data was NOT compromised, because it was securely Encrypted.'

    3. Personal Liability. I'm a freely spoken individual. Some people don't appreciate it. If I say something in an email that could possibly be used against me later by the owner of a mail server, it goes in encrypted. By the same token, any personal files on my work PC belong to me, and not my company. Without my passphrase, they can't do shit with them.

    4. Geek factor. It is oh, so cool to be able to 'sign' an email, and advertise your public key. Mine is:

    http://www.furinkan.net/key.txt [furinkan.net]
    • Re:Why I use PGP... (Score:2, Interesting)

      by indiigo ( 121714 )
      If you use Windows, slack space, temp files, etc. They can 99% of the time recover your "Safe" data.

      Trust me on this. Just went to a lecture for litigators for Corporate IP cases where IP was stolen, and they state they can recover data past the DoD 7 wipes, at a cost of 1 million. Likely not your case, but if they want it, they can likely get it.

      Unless you are wiping free space on your disk over 7 times after every "confidential" message, discovery teams using tools like safeback can get to it.
      • Re:Why I use PGP... (Score:3, Informative)

        by edmudama ( 155475 )
        I am a firmware engineer for a large hard drive company, and though I guarantee I know how to make the disk unreadable by these tools, it is impossible to do with any "user" program.

        The way I imagine most of these recovery tools work is by reading sideband data off of the drive... When the write head is hauling ass around the platter and you want it to write to a given LBA, it never writes in exactly the same place twice. It might be in slightly different phase with the start of the LBA (5-20ns is common), and since it is a mechanical system, an LBA isn't a perfect arc... it can tend to wobble.

        Using in-house diagnostic tools we can "force" the servo code that is supposed to keep the read/write heads centered to a prescribed amount off to the side... If you had an event where the sensitive data was written .1 tracks towards the outer diameter from center, and on a subsequent pass (the 7x overwrite) you wrote your data smack down the center of the track, then it would be possible to position your read head around .3 to .4 tracks towards the OD, crank up the gain in the read channel, and recover that "sideband" data. It would be an absolute pain in the ass, but it is possible. Of course, this setup would probably take roughly 30 mins-2 hours per LBA to calibrate, read, and decode, and on a 100 gig disk that'd take a LONG time...

        --eric



    • 4. Geek factor. It is oh, so cool to be able to 'sign' an email, and advertise your public key.


      That sparks up a bit of paranoia that might be interesting to discuss.


      I maintain at least 1 active keypair. I put it out on distributed key server groups. I post it on web servers. I use it to encrypt private communications.


      But I use it very sparingly when it comes to signing email. I have to see a really good reason to verify who I am before I sign anything. If paranoia causes one to take up using PGP, it's an even more selective paranoia that causes one to not use all its potential.


      So why am I so paranoid? After watching the subpoenas [wired.com] fly a couple of years ago, I've decided that I'd prefer to make it a little more difficult to prove any bad attitude [jwz.org] really is mine. Granted, there's other ways to try and link email to an individual. But why make it a habit to provide that trail for every mail list post, friendly banter, and interoffice discussion message you fire off?


      And that's a really important point - a majority of our (or at least mine) email is of a fire-and-forget, trivial nature. It's less a written letter and more a verbal conversation encapsulated in text. Without the bandwidth hit of wav file attachments. In this informal environment, things are often said... or ideas expressed... that one would not set to a permanent record. Yet email, and other forms of electronic communication, have an odd way of sticking around far beyond its intended life.


      Do you really need to give a lawyer the means to prove they came from you? And sure, there are other ways to link an email to an individual. But I'd prefer to make anyone giving me a hard time jump through those extra hoops.


      As a side note, memo and file retention policies existed well before email became an indispensable tool to business. Email only compounds the problem these policies were really designed to address (and no, storage of files isn't the real issue here). With the lines slowly fading between personal and professional data, it might be worthwhile to think about your own home shredder and review your own document retention policy [pbs.org].


      Of course - this all doesn't cover the real reason all this signing happens. Geek appeal. That's easy to handle. Include your PGP Key ID and fingerprint in your .sig and business cards. Stylish and practical, with a bit of geek attitude.

    • by trongey ( 21550 )
      ...like emailing my wife whilst at work...
      ...any personal files on my work PC belong to me, and not my company. Without my passphrase, they can't do shit with them...

      Probably no one will ever raise a stink about stuff like this, but it's good to keep in mind that, unless you work at the world's most liberal company, both of these are probably against company rules.
      When the time comes that they need to cut staff, and don't want to pay severance, this stuff can put you out the door "with cause". Fired, not laid off.
      If you can't trust them with your email then you're crazy to trust them with your future.

  • The US Government says that they can't crack certain types of encryption, and that this is hampering their ability to deal with the Terrorist Threat.

    NAI, who has been selling virtually uncrackable encryption technology for years, suddenly drops their top-of-the-line encryption product.

    Coincidence? I wonder.

    I'm not implying a conspiracy between NAI and the US Government, but I wonder if NAI stopped shipping their product because it "wasn't worth the trouble".

  • PGP wish list (Score:3, Interesting)

    by 4n0nym0u53 C0w4rd ( 463592 ) on Thursday October 11, 2001 @11:56PM (#2418481) Homepage
    PGP had a few strikes against it:

    A. Little perceived need by the masses
    B. Hassle to use

    and more recently

    C. Government rumblings

    A. could be dealt with by some good old FUD. I've always been amazed that NAI and others have resisted the evil urge to play on naive users' fears of "hackers." Come on, companies with lame IDS and Firewall products have been playing the fear card for a while. Imagine how effective a campaign would be if the product were actually good... (Not that I'm a fan of these tactics).

    B. is a more difficult problem. Although the product has come a long way since the old DOS version with its confusing options, it has a way to go to achieve true ease of use. People don't necessarily "get it." I'm not a huge fan of dumbing down interfaces, but a real simple set of wizards that handled all the stages of key creation and software integration would be helpful. Plug-ins for email are good, but a deal with MS or Eudora to bundle it would be better. Plug-in with ICQ is good but a bit clumsy at times. Maybe playing up the Envelope metaphor in email programs would be better... Also, encouraging users to get their email contacts to install the freeware version would be great. Maybe, a window that popped up when people tried to send an encrypted email to a person whose key isn't known. The window could mention the problem, and offer to send the recipient an email with a link to the freeware (or perhaps a free "reader" that allowed for key creation and email integration).

    With C. the issue is just a big hassle. At some point you'd hope the Gov't would realize that restricting strong encryption will have no effect on criminals, only business and home users.

  • Expensive stuff (Score:4, Insightful)

    by bubblegoose ( 473320 ) <bubblegoose@ g m a i l . c om> on Thursday October 11, 2001 @11:58PM (#2418491) Homepage Journal
    We looked into it for our company, turns out the head of our sales group sent a copy of the commission $$$ amounts to everyone in our sales group by mistake and we wanted to prevent that in the future. But that's another story.

    Anyway they wanted about $175 a copy, I think for what we needed. Then I found the PGP Freeware link on their site. I thought, hey why pay for it when they give it away for free?

    No wonder it's going away. Could you imagine going to the Ford dealer and the dealer saying "here's the new Ford for $20,000". And you ask, "what about the Mercury over there exactly like it" and the dealer says "Oh those, they're free, take as many as you like" Where is the choice here?
    • For some companies, support and maintenance is more important than the cost of the original software and they'll gladly pay for the peace of mind.

      Crypto is one of those places. If your crypto solution goes wrong it could seriously fuck up your company, especially when you have to explain to investors their entire solution was based on unsupported software "downloaded free from the internet". Yes, PGPFreeware is totally unsupported, less so even than GPL software where at least you can legally pay for someone to support it and hack it if necessary.

      Even for individuals, the vast majority would be more than happy to fork out $50 for PGP if it came bundled on a single CD with a whole bunch of other NAI crap such as McAfee, Nuts & Bolts etc.
    • Do you mean PGPi with "PGP Freeware"? If so, maybe your company ought to read the license ...


      2.2. Can I use PGPi for commercial purposes?
      Yes, you can, but you must obtain a commercial use license from Network Associates Inc. or its authorized representatives. (The GNU Privacy Guard can be used for commercial purposes without any license.)

  • There are two kinds of encryption users...

    1) There are ordinary folks who want an easy-to-use encryption solution out of the box, and don't want to read a manual to get that level of security. While NAI's software has been getting better and easier-to-use over the years, it's still not 'easy'. Concepts like 'ring of trust' & 'key signing' might still be too academic for ordinary folks, and NAI has not made much of an effort to explain why these ideas are important.

    2) There are encryption-geeks, who don't really trust the security of a closed-source product, or who are happy enough with ssh, pgpi, gpg, etc.

    OK, I guess there is a third type of encryption user, the user who wants an easy to use encryption product for her business, and isn't concerned about fears like 'FBI backdoors' in their product, but they're probably a small segment of the market.

  • I went to the NAI website and tried to buy PGP about 18 months ago. There were problems with the site. The product was poorly explained, and I got error messages.

    Also, would you buy encryption software from ANYONE who wasn't offering the source code? I had read that NAI would give the source code to someone who bought the product, but I was unable to find mention of that on their web site.

    I sent NAI an e-mail message, and no one replied.

    Finally, I just gave up and used the free version. I paid less (zero) and got more.

    The story says, "I worked there up until today and somewhere around 250 of the 300 employees were clipped."

    Do I understand this correctly? What could 250 people be doing with PGP, a product that was written by one man, and was changing very slowly?

    Maybe they were selling special versions in Arabic to Saudis living in Afghanistan? (When you have 4 wives, you have to keep a lot of secrets.)


    Secrecy and weapons sales corrupt democracy: What should be the Response to Violence? [hevanet.com]
    • Maybe they were selling special versions in Arabic to Saudis living in Afghanistan? (When you have 4 wives, you have to keep a lot of secrets.)

      Naah. Not when your wives can't divorce you and have no meaningful rights to speak of that aren't granted to them by you.

      Go ahead. Mod me down. :)
  • I hope development continues of PGP freeware.

    I admit I haven't tried out GPG yet but I probably will soon.

    In any case, if you don't use either PGP or GPG then please read my article Why You Should Use Encryption [goingware.com]

    Yes I know the link to the canadian article I mention is busted and someday I will even fix it. Not right now though.

  • PGP always boggled my mind. I had two choices. I could either buy the US version from NAI or download the international [pgpi.org] version for free. Now I wonder why sales could have been low.
  • by TightByte ( 5833 ) on Friday October 12, 2001 @12:15AM (#2418532)
    It's very interesting to notice that a majority of people indicate that they do not care about personal encryption, primarily for their electronic mail communication. I recall reading in the PGP readme, when I first discovered it - version 2.x or 3.x at the time, I think - how it made perfect sense to use encryption to ensure your privacy. After all, did you not prefer to send your most personal thoughts using letters within envelopes rather than postcards?

    However, when I try to advocate encryption to those I know and hope to influence, they all seem to indicate that they aren't all that concerned about their email. And yet those same people never fail to be annoyed when I walk up to their computer and pretend to read their email in order to prove my point.

    Perhaps most people are unaware of how easy their email can be intercepted and read? After all, an email address might appear to be like a telephone number - a direct link to whomever one might wish to contact. And we're comfortable with the phones - after all, wiretaps seem hard (or at least laborious) to obtain, and we suspect that capacity prevents wiretaps from being universally applied. Not so with email, though - it's child's play to intercept any SMTP communication that passes through your network. And if you happen to be centrally located, in a network topological sense, there's no theoretical limit to the amount of communication you can eavesdrop on.

    I must admit that I'm not being entirely altruistic when I advocate encryption - my wish for broad adoption of personal encryption technology is first and foremost self-serving. To tap again into the old PGP readme files; sending mail in "sealed" envelopes is not currently suspicious due to the fact that the practice is so widespread. Until encryption becomes commonplace it remains far too easy to label it suspicious behaviour.

    Here's to hoping that free encryption will carry on where the commercial offerings have failed. Cheers.
    • There is a factor you might be forgetting. On privacy most people care if someone they know is reading their private info. But they don't care quite so much that someone they don't know might be reading it.

      That's why they are unhappy when you look over their shoulder
      • There is a factor you might be forgetting. On privacy most people care if someone they know is reading their private info. But they don't care quite so much that someone they don't know might be reading it.

        I think that people don't care not because they don't know the person reading it, but when they don't know if someone is reading their email at all.

        The old adage, ignorance is bliss applies here.

        • No, that's a different issue.

          You readily provide your salary and financial info to banks, but how often would you give up that information to friends and family?

          It's because people you know will do very different things with the information than people you don't know.
    • My mail folders on our multiuser system are kept publicly readable, so encrypting them on the wire seems silly.

      However, there is a social convention about not reading other peoples mail, which means someone behaving like you would be rude. It is a public display of disrespect, which is insulting whether or not the victim cares about his mail privacy or not. I'd be annoyed too.
  • This reminds me, does anybody know of any PGP-style email encryption/authentication programs that work under Mac OS X?

    - j
  • Really? 300 people have been working on a product that doesn't sell? I can't blame them for layoffs, just overhiring.
  • by ruebarb ( 114845 ) <colorache AT hotmail DOT com> on Friday October 12, 2001 @12:39AM (#2418576)
    Ever since Phil Zimmerman left because of "differences" with NAI, I was extremely reluctant to upgrade to future versions for fear of "backdoors" that might have been included in the product - things that wouldn't have happened under his watch but are now more likely.

    So I stopped upgrading the free version at the last version he personally oversaw...7.0.3

    • Ever since Phil Zimmerman left because of "differences" with NAI, I was extremely reluctant to upgrade to future versions for fear of "backdoors" that might have been included in the product
      Yet Zimmerman said "PGP users should rest assured that I would still not acquiesce to any back doors in PGP" here [slashdot.org] - what's going on?
  • by Effugas ( 2378 ) on Friday October 12, 2001 @01:32AM (#2418668) Homepage
    *laughs*

    Well, yes, it's quite true that PGP had disappointing sales. The company had a nasty tendency of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.

    It's funny that I have this exact story from so many different sources that nobody can say I'm compromising internal information. Go ask your friendly IT Purchasing agent about any adventures they had trying to get a site license for PGP. This was mandate from upper management: Either all the stripes make some cash, or none at all.

    NAI consistently chose the latter. Now, as for all the conspiracy theories...never attribute to malice...

    --Dan
    www.doxpara.com
    • The company had a nasty tendency of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.

      Funny you should mention that. The exact same thing happened after NAI bought Trusted Information Systems, makers of the (formerly) superb Gauntlet firewalling software: They bundled it with such an indigestible batch of mandatory other goods and services that all of the professional TIS installers I know switched in disgust to other products, such as Novell Border Manager. Which has more or less killed TIS Gauntlet.

      Rick Moen
      rick@linuxmafia.com

  • GPG (Score:2, Informative)

    by gweihir ( 88907 )
    Not a problem. There is already public funding for GPG in Europe. And encryption of a PGP/GPG type does not need hundreds of developers (of the commercial full time variant).

    I think it is no real problem for the manufacturers of mail software to include GPG support on their own.
  • HEY GUYS! Before you all get your panties tied up, PGP has always existed as freeware, with full source code too. It's not going to disappear! Just like DeCSS, etc -- even if it's made totally illegal by US govt, it will live on.

    Lest we forget, there are libraries available to get around any RSA legal crap, too, in the PGP.
    • PGP has always existed as freeware, with full source code too. It's not going to disappear!

      PGP 7.1 has not been released as freeware, and source release for anything past 6.5.8 is problematic. You can get the crypto engine of 7.1 (but not 7.0), but only if you agree to a truly onerous license. Better to say

      Freeware builds of PGP haven't been made available for 7.1, and there's been practically no source release, too. At this rate, it's going to disappear!

      Of course, my panties are far from in a knot. In the first place, I wear boxers. In the second, I use GnuPG.
  • Zimmerman was getting all up in arms about something or other and we could get the source for GPG. I did get my manager at IBM to license PGP for sending source to a contracting company in Romania, but I figured if the fed had a backdoor into the cryptosystem, they'd just be appalled at our crappy driver code.

    It is kind of a bummer though. I'm told the Windows version was pretty nice.

  • 250 PGP employees? (Score:2, Interesting)

    by gnomish ( 168308 )
    250 is a lot of employees for such a small product.. at least in terms of what a person would view as a niche product, at best. Perhaps this is just one of the last vestiges of the bloated net economy fading into the distance.

    However, other influences may be involved. It's pretty obvious that encryption schemes, in general, are under scrutiny after the Sept 11 attacks. Any company that is producing an encryption product certainly has taken a look at its business in recent days.

    Ultimately, I think most people have given into the idea that their correspondence via email.. and really anything that ends up on their computer could be an open book if anyone really wants to look.
    • by Anonymous Coward
      Well, I'd hardly think that 250 people would represent those who work to actually MAKE the products. Plus, the PGP "Business Unit" of PGP made way more than a single encryption product, some of which did not have "PGP" in the name. Regardless, as with a company of its size, many of those people are also going to be "infrastructure" ... HR people, office staff, management, etc. Sure, you can move the programmers to another part of the company (as they plan to do with the ones for the remaining products in this case). But when you eliminate the company altogether, that doesn't leave any place to put the rest of the people that run its day-to-day operations. But 250-300 working on the product hands-on? The actual number of "little minions" working on the stuff is probably quite a bit smaller.

      Some other comments from what I've read here...

      From actually READING the announcement http://www.pgp.com/other/jump/customer-faq.asp [pgp.com], and listening to the NAI Earnings Conference Call from the same day (thanks Yahoo!), "NAI PGP" isn't being totally scrapped! They've just decided not to keep PGP as a separate business entity, as they see doing so as hindering their potential growth as a company. In doing so, they've evaluated their product lines and have decided to stick with what they think they can SELL, for example, their E-Business Server product. They spell out in their announcement what they feel they need to do to meet that goal. Some products are to be sold off (if possible), some moved, and some having parts extracted, possibly being merged into other similar products they already have in the other BUs. Once that's all done... of course they won't need ALL of their current PGP staff. And well, sounds like 250 is their estimate of the surplus.

      It's nice to be altruistic and think "wouldn't it be nice if they just did it for the 'good of all' and gave the products away for free?" But well, that's not what software companies do. They exist to SELL the software they make. They need to make money to survive, as does any corporation, and that's about the only bottom line that their shareholders will care about.

      I've read a lot of posts from a lot of people wanting a nice free version that they can use freely cuz "well, you could easily just write it yourself... why pay for it"? Well, I don't see anyone volunteering their time and efforts to obtain the PGP SDK and grace us all with their programming prowess and their 'for the good of all humanity' ideals. If anyone does... I have my own 'wish list' of features I wouldn't mind being added to PGPmail and PGPdisk. I can pass them along if you wish. Anything to help. :-)

      But, unfortunately for us end-users... NAI seems to think (as indicated by the products that will remain, albeit moved to other business units) that $$$ for their PGP survival is going to come more from big business... not from us. I guess that judging from many of the comments here, they seem to be right, at least on the last bit: "not from us".
  • Apparently Gauntlet firewall is going too. Too bad for those of us who use this product and have paid for long-term support.

    While not the most popular product out there, it is serviceable. In our installation I think we are pushing it to the limit, but their Webshield e-pliance product was sold as an easy to configure/manage secure product, and was quite secure straight out of the box.

    As for us, we have several issues we are trying to ram through NAI technical support. Will NAI continue to support a product they aren't going to continue to sell? Will our support contracts be transferred with the product when its sold, or will NAI try to honour the support contract even though they don't own the product anymore?

    It's a worrying sight when Internet security suppliers go out of business. Unless there were serious problems with the product not in the public domain (and I know about their mail daemon) it was a good security product for small to mid-ish companies and they are saying it's unprofitable. Either firewall products are about to become more expensive, or the quality is about to go down. Neither is a good sign.
  • i've got three reasons it didn't sell.


    1) "encode"? what's that? (the ignorance factor that says 'if it didn't come with M$ office, i don't need it')

    2) modern variant: "encode"? what's that? i heard terrorists were encoding messages .. that must mean it's bad. (yes, i have actually heard this. not a stretch at all)

    3) if you are interested in security, there's a good chance you have something to hide. like all those warez on your desktop. ergo, you didn't really pay for that copy of PGP at all.

    • I got 1 more reason:

      NA was going to close the source to PGP. If there's one field where Open Source took off, it's crypto. Any advanced crypto-user wants to have the ability to look at the source to ensure security. Closing source for an encryption program makes that encryption program inherently less trusted.

      //rdj
    • by Graymalkin ( 13732 ) on Friday October 12, 2001 @04:56AM (#2418922)
      Do you send paper mail in envelopes? Looks like you've got something to hide. Let's haul you down to the Ministry of Truth for some examinations. It's the "something to hide" stigma which is retardedly holding back the use and acceptance of cryptography. Encryption technologies are not just for people hiding warez (I've never even fucking heard of encrypted warez before and PGP is free for non-commercial use anyhow). E-mail is an inherently insecure communication medium. Few if any ISPs actually use or support secure e-mail in any fashion so that responsibility falls onto the user. You don't need illicit reasons for security, plain day to day business needs plenty of it. For a dollar of security you save several dollars in losses.
  • In the wake of the ATA... could it be they want to lose a division which would not be profitable if the ATA falls through?

    The use of uncontrolled encryption would be illegal and who would buy the controlled versions?
  • I saw this coming. Not merely the dot-com boom bust of nai pki division but the implosion that is inevitable once too many people spot collusion between the US NSA and NAI.

    Now the money xfers from NSA to NAI are part of public record but there's plenty of suspicious info even before those press releases of this year. I include some here below,

    NAI (owner of the source) makes money by doing things for the NSA... they themselves admit it. Then there's the key escrow backdoor weakness in new pgps. Plus history of NSA manipulation in other areas. Use older (years ago rsa only) pgp for true security, and compile it yourself and check compilation. Is source for what you used even available at all?

    ( FYI: If comparing macintosh builds: factor out (by hand pasting) the embedded date and time field in the executable header or the pgp signature of the PEF will not match the distributed signed apps)

    please read the following informative sites :

    written in 2000, before the full NSA connection was revealed. VERY VERY LONG and detailed pgp
    backdoor info
    http://senderek.de/security/key-experiments.html

    an old useful page written right before NAI admitted taking NSA funds
    http://cryptome.org/nsa-sabotage.htm

    old 1998 site written before NAI admitted taking NSA funds for engineering work:
    http://www.proliberty.com/references/pgp/

    in general ... only use original flavor pgp RSA not the freeware "Diffie-Hellman/DSS-keys" pgp keys.

    and avoid all modern pgps..

    The founding author ("z") quit NAI one month before news broke that NAI has one major paying crypto cu$tomer of the division that got axed today : the US NSA!

    You are all ignorant. PLEASE READ MY LINKS.
  • in a company what do you want from your crypto system?

    1. The ability to send secure messages to customers
    (relating to billing or just giving instructions about product that you don't want anyone else to know CUSTOMERS demand that it be secure)

    2. send messages within the company that can be read only by receiver
    (prevents leaks and makes sure that the whispers don't start up e.g. how many mails go to the postmaster )

    3. escrow is needed when an angry employee leaves and you need to read their work
    (the world is full of jerks and they can be hard to spot)

    4. Key servers need to be up to date and manageable
    (from a sysadmin point of view)

    5. Standards for sending e-mail securely and product activation would be nice

    yes it's good to be open but some one needs to productise this so that company can buy a Complete Off The Shelf (COTS) solution that a company can buy because not enough people do secure themselves IMHO

    is there anyone that fancies boxing up GPG, a keyserver and manuals on how to do the above I am sure that they could get some money from companies I know

    regards

    john jones
