NAI to Sell Off PGP Product Line

An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."

Rats... Ship

If my product line was about to become illegal and wasn't selling well to begin with. I'd sell to the highest bidder too (and I'm sure it will sell high).

Causes

Sales were slow...hardly suprising.

The biggest potential users of this would have been the Slashdot types, and we're known for being fierce advocates of open-source and free (as in beer) software. The kind of "Why pay for something when you can write it yourself?" mentality is what helped kill it.

The people that are most concerned about encryption are those least willing to pay for it.

Re:Causes

The people that are most concerned about encryption are those least willing to pay for it.

No, the people that are most concerned about encryption are paranoid enough not to trust commercial apps.

Re:Causes

Not only was it not free, it was horribly expensive. We where looking at getting it for a public (read: poor) hospital that I was doing consulting work for a couple of years back. They wanted like $400 per workstation for their "corporate desktop" edition. There was no way they could afford $60,000 for this project.

I see now the price is $179 per workstation on their website. Still pretty pricey for encryption.

Free software cannibalization and software cycle

Well, PGP had simply reached a level of age and maturity where one should expect a free replacement to come on the scene. My observations are that you have four to five years to squeeze revenues out of a software product before you can reasonably expect a free competitor.

This will simply become part of the arithmetic commercial developers will have to deal with.

My corporation tried to buy PGP... And couldn't.

The biggest potential users of this would have been the Slashdot types

Umm, no. I work for a company that has our own symbol on /., one with a funky dropped 'e' in it. You might be able to figure out who we are. We tried to buy PGP for Unix to secure engineering data--we happen to be one of the largest Microsoft shops on the planet, but all the real work still gets done on Unix/Linux--and NAI wouldn't sell it to us. We were talking THOUSANDS of licenses, ubiquitous deployment to everyone, and they weren't interested in providing a Unix client of the current version.

So we're going to be using GPG.

Get this: NAI have also threatened major bad legal juju if we ever put any GPG-generated keys on their keyserver product, which we also had previously bought (along with hundreds of individual PGP licenses). Hello? If that's not a Microsoftesque move, I don't know what is.

They coulda made millions on our account. WE WANTED TO PAY THEM MILLIONS. Negotiations fell through. So now we're saving the millions and going to be supporting open source even though senior management is still not 100% clued into that this is a good thing.

Re:Causes

While it's offered and appears to be integrated, I think you should actually use it on a regular basis before you say it's transparent. I highly doubt that it is anywhere as easy to use as PGP/GnuPG are-- even in conjunction with Outlook.

First, no good security is transparent. At some point you, the user, have to create and share your own keys and verify that the keys you receive are valid (even with a web of trust, you have to correctly verify at least one other key to get into the loop).

I don't see how the certificates issued for Outlook users have any real trust built in. How did the Certificate Authority verify that the person requesting the key was really who they said they were-- and what about people with same or similar names? Even if they somehow verified the name, how do I know I've got the right "George Bush"?

Second, you still have to train people to understand the process and then to use it. If you tell them they have to fill out some long form just to get a certificate, they are likely to say "forget it", unless they have serious security needs-- in which case, they are hopefully not Outlook users in the first place. :)

Third, seriously, if secure email is your priority, why would you stack two or three proprietary, closed-source solutions one atop the other? Especially when there is an open source option available for both. Believe me, once you've generated your key for GnuPG on Linux and checked two simple options on KMail, the only non-transparent part of secure email is typing in your passphrase (and of course, obtaining and verifying other keys).

And then there's the problem of the fact that the Outlook security features did NOT use an existing standard for personal public key encryption-- PGP. Hopefully, Microsoft will buy them. Really. And integrate PGP into their mailer. That way the established crypto-using community and Outlook users can begin to interact in a meaningful way. I realize S/MIME is a "standard", but I've not seen it used at all... and the very limited uses for personal security that I've seen (even Slashdot didn't get it right when they ran interviews with Phil Zimmermann), all involved PGP, or the OpenPGP standard. I mean, the blink tag is/was a standard too, but...

What I find amazing...

What I find amazing is that most people labor under the foolish misconception that if only American encryption products (like PGP) were either backdoored, effectively export controlled, or discontinued altogether, that foreign criminals and terrorists would suddenly have nothing to hide their data with. Let's explore why only stupid people would think so:

1) Source code to most versions of PGP is available and published internationally on many sites. If a terrorist wants PGP, and PGP has been discontinued, he can just download a binary from one of these foreign servers, or get someone computer literate to compile this source code for him. It's already in the wild on the net, and spread to servers in nearly every free or partially free nation; it will never disappear now.

2) Since the source code is available for even some very recent versions, overseas programmers will pick it up and improve it and release newer builds for newer OSes if it is discontinued or shown to have backdoors.

3) GPG is arguably just as good, plus it's truly Free and GPLed. It's not as shiny, but makes a good drop-in replacement for most people, terrorists included. And again, GPG is "in the wild" and not going to disappear from the Net even if the U.S. and half the world outlaw strong encryption, and since the source code is there people will hack on it and improve it, even if only overseas people.

4) Contrary to the beliefs of the ignorant, the U.S. is not so much more advanced than other countries that no other people from overseas can write strong encryption products as good as ours. Encryption is universal math, not American voodoo. In fact, the best symmetric encryption product currently comes from the U.K., Scramdisk. If America and the U.K. were to ban encryption, any country with competent mathematicians and programmers could take the lead.

5) Encryption is based on well-documented and easily available math, and many proven algorithms are already published and cryptanalyzed and shown to be secure enough. Even if by some extraordinary miracle all traces of encryption products and source code were wiped from the Net by the unprecedented cooperation of every nation on Earth--something truly impossible--people like Osama could hire any competent mathematician and programmer to write a decent encryption product using a proven cipher and simple calls. As long as it's kept simple and uses proven ciphers, it would likely be as secure as PGP or GPG or Scramdisk.

So, it doesn't really matter what the download page says, or if it bothers to ask, or even if the U.S. were to enact the most Draconian encryption legislation tomorrow. PGP is nothing special. Its key functionality has already been duplicated in GPG and can be duplicated again and again by any number of competent non-U.S. residents. Therefore it doesn't matter who can download it, since they can get their hands on encryption technology that's just as strong.

Re:No one buys it because

In 1785, a resolution authorized the secretary of the Department of Foreign Affairs to open and inspect any mail that related to the safety and interests of the United States. The ensuing 'inspections' caused prominent men, like George Washington, to complain of mail tampering. According to various historians, it led James Madison, Thomas Jefferson and James Monroe to write to each other in code - that is, they encrypted their letters in order to preserve the privacy of their political discussion.

Government has shown time and again that it cannot be trusted not to eavesdrop without warrant and cause, whenever it thinks it can get away with it. The infamous FBI bugging of Martin Luther King and just about everyone else with political clout comes to mind. It was little more than thirty years ago, too, so don't complain my example is outdated. Or how about the recent study which found over 2,000 illegal, unwarranted wiretaps were performed last year? And that's just the ones we found out about after the fact.

The dissemination of information and ideas is one thing. Not leaving people alone long enough to gether information and form ideas, without fear of the Secret Police wondering why we're looking at that particular information and forming those particular ideas that it may not like, is a potential downfall of civilization.

Civilization is only advanced where ideas, even new and very jarring ones, are permitted to flourish. Today Socrates is considered to be the bedrock of all Western philosophy, since his pupil Plato wrote all the founding philosophical explorations. But recall that in his own time his ideas, nearly universal in the West today, were considered dangerous and he was executed for expressing them by the then-most-free society in existence, the birthplace of Democracy, Athens.

Encryption is the only way to express ideas without fear of reprisal by regimes which are not on the cutting edge of human rights, much as the U.S. is not. It is the sole way to protect one's privacy with any certainty from arbitrary invasions. Therefore we would do well to promote encryption, as a way to ensure that our rights are protected and respected. I trust myself to protect my rights with encryption, more than I trust the FBI, ATF, DOJ, etc., to do so with empty platitudes. And on this point I am in the company of George Washington, Thomas Jefferson, James Madison, and James Monroe--I'll take them to John Ashcroft, Janet Reno, the FBI and ATF agents who murdered innocent people at Ruby Ridge, and their ilk, any day.

PGP...

Pretty Good Pinkslips
oh wait...oxymoron

Once is coincidence...

Twice is enemy action...

First ZKS shuts is services, now PGP is orphened...it does not take a conspiricy fan to put this together.

ttyl
Farrell

*sigh*

Now I'm going to have to bust out my old Hardy Boys Detective handbook to learn how to encrypt my messages. Everybody jump to OSDN as I'm officially starting the HaBOSEP (Hardy-Boys Open Source Encryption Project). Just send me 2$ for your secret decoder ring.

Say it ain't so, PGP, say it ain't so.

Dissapointing sales?

This product never ceased to amaze me. PGP 7.1 included, among other things:

- an encrypted IPSEC/IKE compliant VPN
- encrypted hard drive software (public key or shared secret encryption)
- Encrypted Email with multiple mail client integration
- Myriad windows hooks, like "encrypt clipboard"
- A secure file and hard drive wiper
- A full-blown INTRUSION DETECTION SYSTEM with email alert that would attach itself below the NDIS level.

...all for $30. I'm not a big fan of buying software, but I bought this religously because it was a steal, just for the IDS. I always wondered how they could afford to put so much top-notch development into such a cheap product (I never found a serious bug, and I've worked it over hard. That's a rare thing to be able to say about a windows networking application).

The answer appears to be that they were dumping serious development funds into this product and got were expecting massive sales. If you asked me to point a finger at the cause of death, I'd say they were overambitious. Too many developers building too much functionality made it far too expensive. All anyone ever really wanted was encrypted email. And perhaps if that's all they developed, supply would have matched demand.

Then again, hindsight is 20/20.

Coincidence?

Okay, since September 11, we've seen Zero Knowledge Systems shut down their Freedom anonymizer service due to "lack of sales". Now we're seeing Network Associates dropping their encryption products due to "disappointing sales". We've seen encryption developers renounce their creations.

Is this a coincidence? Or is there some government pressure in action here? What's the next step? Pressuring ISPs of distribution points for Open Source encryption products? When that happens, I'm sure we'll be re-assured by the ISPs that they have sound economic reasons for disallowing encryption software; but that won't make it go over any easier with me.

Re:Damn, and I was just going to email Will Price

Don't worry; Disk Copy in OS X 10.1 has the ability to create AES-encrypted disk images (128-bit). The key can be stored in your keychain.

Not the strongest encryption in the world, but it'll keep prying eyes away. You might have some issues exchanging disk images with non-OS X users, though.

-jon

Yeah :-/

It was a pretty somber PGP all-hands meeting today; I didn't expect it, really, but I wasn't paying that much attention. TIS^H^H^HNAI Labs exists really pretty separate from PGP except for being part of that "business unit", and considering that we aren't "losing market share", costing the corporation money, or anything like that....

So, luckily, the NAI Labs section of PGP was exempt from all this change and will be shuffled around more, but we're still here =) It's a bit disappointing to see your company admit failures like this, even if it's for the best interest of the company.

Encryption is alive - but PKI is dead

PGP and its ilk are really only useful in the scope of a meaningful PKI infrastructure, which doesn't exist and never will, as there are insurmountable educational hurdles for home and even business users.

How many among even the savy group here maintains a valid PGP key that is available online? Of those, how many maintain their key in a searchable index? I presume the answer is less than 2%.

How many of you have received an email either signed or encrypted in such a fashion and then actually used the sender's public key to decrypt/verify?? Probably 10% of readers here or less.

And that folks, is why PKI and hence PGP are dead-ends.

Why I use PGP...

I just happened to have it installed instead of GPG, but I will probably make the switch now that it's being discontinued.

1. Private Data... There's a lot of stuff that I do and say through email that is perfectly kosher, but is none of my company's or coworker's business, like emailing my wife whilst at work. I know for a fact that there are nosy people in my networking department, but 2048 bit D-H encryption makes this Somebody Else's Problem (tm) even thought I am forced to use Exchange at work.

2. Insecure Mail Servers... By the same token, I am forced to keep sensitive data on an Exchange server. It doesn't take a genius to see that any given company's Directory/Mail/Personal Info server is going to be one of a malicious cracker's first targets, if he or she is interested in doing anything other than 0vvnZ'ing the website. When the time comes... and it will... I will be able to say... 'No, my sensitive data was NOT compromised, because it was securely Encrypted.

3. Personal Liability. I'm a freely spoken individual. Some people don't appreciate it. If I say something in an email that could possibly be used against me later by the owner of a mail server, it goes in encrypted. By the same token, any personal files on my work PC belong to me, and not my company. Without my passphrase, they can't do shit with them.

4. Geek factor. It is oh, so cool to be able to 'sign' an email, and advertise your public key. Mine is:

http://www.furinkan.net/key.txt [furinkan.net]

PGP wish list

PGP had a few of strikes against it:

A. Little perceived need by the masses
B. Hassle to use

and more recently

C. Government rumblings

A. could be dealt with by some good old FUD. I've always been amazed that NAI and others have resisted the evil urge to play on naive users' fears of "hackers." Come on, companies with lame IDS and Firewall products have been playing the fear card for a while. Imagine how effective a campaign would be if the product were actually good... (Not that I'm a fan of these tactics).

B. is a more difficult problem. Although the product has come a long way since the old DOS version with it's confusing options, it has a way to go to acheive true ease of use. People don't necessarily "get it." I'm not a huge fan of dumbing down interfaces, but a real simple set of wizards that handled all the stages of key creation and software integration would be helpful. Plug-ins for email are good, but a deal with MS or Eudora to bundle it would be better. Plug-in with ICQ is good but a bit clumsy at times. Maybe playing up the Envelope metaphor in email programs would be better... Also, encouraging users to get their email contacts to install the freeware version would be great. Maybe, a window that popped up when people tried to send an encrypted email to a person whose key isn't know. The window could mention the problem, and offer to send the recipient an email with a link to the freeware (or perhaps a free "reader" that allowed for key creation and email integration).

With C. the issue is just a big hassle. At some point you'd hope the Gov't would realize that restricting strong encryption will have no effect on criminals, only business and home users.

Expensive stuff

We looked into it for our company, turns out the head of our sales group sent a copy of the commision $$$ amounts to everyone in our sales group by mistake and we wanted to prevent that in the future. But that's another story.

Anyway they wanted about $175 a copy, I think for what we needed. Then I found the PGP Freeware link on their site. I thought, hey why pay for it when they give it away for free?

No wonder its going away. Could you imagine going to the Ford dealer and the dealer saying "here's the new Ford for $20,000". And you ask, "what about the Mercury over there exactly like it" and the dealer says "Oh those, they're free, take as many as you like" Where is the choice here?

There are two kinds of encryption users...

There are two kinds of encryption users...

1) There are ordinary folks who want an easy-to-use encryption solution out of the box, and don't want to read a manual to get that level of security. While NAI's software has been getting better and easier-to-use over the years, it's still not 'easy'. Concepts like 'ring of trust' & 'key signing' might still too academic for ordinary folks, and NAI has not made much of an effort to explain why these ideas are important.

2) There are encryption-geeks, who don't really trust the security of a closed-source product, or who are happy enough with ssh, pgpi, gpg, etc.

OK, I guess there is a third type of encryption user, the user who wants an easy to use encryption product for her business, and isn't concerned about fears like 'FBI backdoors' in their product, but they're probably a small segment of the market.

What could 250 people be doing to PGP???

I went to the NAI website and tried to buy PGP about 18 months ago. There were problems with the site. The product was poorly explained, and I got error messages.

Also, would you buy encryption software from ANYONE who wasn't offering the source code? I had read that NAI would give the source code to someone who bought the product, but I was unable to find mention of that on their web site.

I sent NAI an e-mail message, and no one replied.

Finally, I just gave up and used the free version. I paid less (zero) and got more.

The story says, "I worked there up until today and somewhere around 250 of the 300 employees were clipped."

Do I understand this correctly? What could 250 people be doing with PGP, a product that was written by one man, and was changing very slowly?

Maybe they were selling special versions in Arabic to Saudis living in Afghanistan? (When you have 4 wives, you have to keep a lot of secrets.)


Secrecy and weapons sales corrupt democracy: What should be the Response to Violence? [hevanet.com]

To Care or not to Care

It's very interesting to notice that a majority of people indicate that they do not care about personal encryption, primarily for their electronic mail communication. I recall reading in the PGP readme, when I first discovered it - version 2.x or 3.x at the time, I think - how it made perfect sense to use encryption to ensure your privacy. After all, did you not prefer to send your most personal thoughts using letters within envelopes rather than postcards?

However, when I try to advocate encryption to those I know and hope to influence, they all seem to indicate that they aren't all that concerned about their email. And yet those same people never fail to be annoyed when I walk up to their computer and pretend to read their email in order to prove my point.

Perhaps most people are unaware of how easy their email can be intercepted and read? After all, an email address might appear to be like a telephone number - a direct link to whomever one might wish to contact. And we're comfortable with the phones - after all, wiretaps seem hard (or at least laboureous) to obtain, and we suspect that capacity prevents wiretaps from being universally applied. Not so with email, though - it's child's play to intercept any SMTP communication that passes through your network. And if you happen to be centrally located, in a network topological sense, there's no theoretical limit to the amount of communication you can eavesdrop on.

I must admit that I'm not being entirely altruistic when I advocate encryption - my wish for broad adoption of personal encryption technology is first and foremost self-serving. To tap again into the old PGP readme files; sending mail in "sealed" envelopes is not currently suspicious due to the fact that the practice is so widespread. Untill encryption becomes commonplace it remains far too easy to label it suspicious behaviour.

Here's to hoping that free encryption will carry on where the commercial offerings have failed. Cheers.

I didn't trust it anymore, anyway.

Ever since Phil Zimmerman left because of of "differences" with NAI, I was extremely reluctant to upgrade to future versions for fear of "backdoors" that might have been included in the product - things that wouldn't have happened under his watch but are now more likely.

So I stopped upgrading the free version at the last version he personally oversaw...7.0.3

PGP failed because of NAI incompetence

*laughs*

Well, yes, it's quite true that PGP had disappointing sales. The company had a nasty tendancy of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.

It's funny that I have this exact story from so many different sources that nobody can say I'm compromising internal information. Go ask your friendly IT Purchasing agent about any adventures they had trying to get a site license for PGP. This was mandate from upper management: Either all the stripes make some cash, or none at all.

NAI consistently chose the latter. Now, as for all the conspiracy theories...never attribute to malice...

--Dan
www.doxpara.com

Encryption doesn't need to be this hard.

All I want is an e-mail client with an 'encrypt' button. I press the button and it asks me for an encryption key. I enter a key that my correspondent and I have exchanged over the phone, in person, etc. The message is encrypted and sent.

I'm not Osama Bin Laden. I'm not expecting someone to be monitoring my phone, e-mail, in-person conversations, cell phone, etc. I just want to be able to exchange e-mail with friends and not have every nosy guy at the ISP or my company be able to read it.

PGP is just an incredibly complex and painful solution for what should be a simple problem. 99.9% of the public just wants to be able to occasionally send encrypted messages to friends using a private key. I don't care how easy the /. crowd thinks it is to use PGP. Some of my friends aren't computer gurus and it's just too much complication and hassle for them to use PGP.

Re:lack of sales: reasoning

Do you send paper mail in envelopes? Looks like you've got something to hide. Let's hal you down to the Ministry of Truth for some examinations. It's the "something to hide" stigma which is retardedly holding back the use and acceptance of cryptography. Encryption technologies are not just for people hiding warez (I've never even fucking heard of encrypted warez before and PGP is free for non-commercial use anyhow). E-mail is an inherently insecure communication medium. Few if any ISPs actually use or support secure e-mail in any fashion so that responsibility falls onto the user. You don't need illicit reasons for secureity, plain day to day business needs plenty of it. For a dallar of security you saveseveral dollars in losses.

Re:Nice icon!

Actually it's our "Security" topic icon, and yeah it's new, thanks for noticing. We're not upgrading everything, but you'll see a bit of new stuff showing up.

We've only been wanting to add a "security" topic for about TWO YEARS so it's nice to finally have one...