On Mon, 15 Oct 2001, Tim May wrote:
> I'm surprised there has been little discussion (any discussion?) of the NAI decision this past week to lay off 250 of the 300 PGP employees (*) and to either sell the division to someone or abandon it completely.
Judging from the trouble that company has had over the course of its history, I wouldn't be surprised if this decision would have happened regardless of the terrorist attacks. NAI has been down-sizing over the past year, and recently moved a good number of its positions out of the Bay Area to places like Maryland and (gasp) Canada.
> (* As with ZKS and their couple of hundred employees, just how are 300 PGP employees justified? As the comments on Slashdot point out, just how the hell does a product which has been evolving _very_ slowly conceivably justify 250-300 employees? DilbertWorld, obviously.)
Both the 300 employee figure and the PGP name are misleading. My understanding (and this is based on a conversation I had with a PGP employee over a year ago, so it may not be exactly accurate) is that the 300 employees were of the "PGP Security, Inc." business unit. NAI was restructured into four business units in 1999: Sniffer, Magic, McAfee, and PGP Security. PGP Security was responsible for the traditional "Phil's PGP" products and their off-shoots as well as the TIS products (Gauntlet Firewall, etc.) and NAI's IDS software (Cybercop.) This business unit probably also had its own marketing and sales and support divisions. "PGP Security" was far more than just the PGP product Cypherpunks think of. I suspect the business unit was named this to capitalize on the reputation of the PGP name. Taking this into consideration, however, the employee numbers make a bit more sense.
> The notion of a central service, located in a known location and subject to some nation's laws, is ludicrous.
Decentralization has been discussed extensively here in the past, so I'm not going to comment on that. However, I haven't seen any really plausible suggestions on how to go about hiding the location of network infrastructure providing a service. Sure, some components of the system can be hidden, such as middleman remailers operating behind nym.alias.net accounts, but this still requires some remailers to be "out in the open." And, of course, if a physical component is required, then the service will be subject to some nation's laws. The best we can do is ensure that there is no nation whose laws affect all components of this system. (Example being the decentralized network of mixmaster remailers scattered around the globe.) This isn't a solution, however. Every nation in which remailers currently reside could pass a resolution banning them, and that would be curtains.
So, back to my point. The problems I see with achieving the ideal environment for such services are:
1) How does one avoid being in the jurisdiction of any nation?
2) How does one hide the physical locations of any part of an entire network?
The first problem is pretty unsolvable. (Starting your own country is not a feasible solution, in my opinion. For instance, Sealand exists because Britain tolerates it. As soon as it is branded "a terrorist bunker in cyberspace" there would be plenty of justification for bombing it.)
I'm interested in hearing thoughts on the second problem, or pointers to work done on this.
-MW-