Slashdot Mirror

Encryption is especially going to work when the data is only crossing electronically. They can keep it as long as they want, and it won't do them any harm.

Remember folks, if there is just one person (you) or two person's who share an alternative safe means of correspondence, then TrueCrypt works well. Otherwise, GNU Privacy Guard or similar systems work just as well (assuming that everyone involved knows how to use them).

Proof that it isn't partly an ad for PGP, when GPG is available.

Do people who don't agree with the policies of the U.S. government really buy their encryption software online, using their credit cards? From a company in Menlo Park, California?

Shouldn't all encryption software be open source? Otherwise, how do you know it is secure? Maybe an unhappy employee built in a back door.

Oh, and TrueCrypt encrypts entire hard drives, including the boot partition.

The mention of political enemies of the U.S. government using closed-source software from a U.S. company makes me wonder about the entire article. Quote from the article: "Files are protected using PGP, or Pretty Good Privacy, a virtually unbreakable form of encryption software that is also used by intelligence agencies around the world."

I'm VERY doubtful about that. The U.S. government, under the present administration, has established that it can require companies to cooperate, and to keep the cooperation secret. That means that any U.S.-made product could be suspect. That's one of the unintended consequences of being sneaky.

I doubt it will be used to look for people breaking copyright.

In other news, here's some way to solve the issue:
* http://www.gnupg.org/
* http://www.cypherpunks.ca/otr/
* I feel bad for linking this but atleast they know their encryption: http://www.skype.com/

Here are the links: http://www.gnupg.org/ http://www.axantum.com/AxCrypt/ http://www.rarsoft.com/

Then again, if the encryption key is 'random', how does the decryptor know ?

Maybe the virus can create a signature or message that's sent to the creep, who can then use it to look up the key that will decrypt the docs. If someone's computer was contaminated I'd think there's a good possibility there's no firewall. And if there isn't one it can then contact another computer over the net, perhaps one that's part of a spam or botnet. It could then pass along the encryption key.

IF someone was willing to pay for the decryptor and he actually received said piece of software, and it actually works (if...if...if... ), I surely hope he will send a copy to the major anti-virus companies and relevant OSS forums so they can reverse-engineer the thing.

While decryption could be a separate software program, it could aslo be part of the original virus. Either way I don't think it would help, unless there's an err in it. People have had access to the code of encryption programs, such as GnuPGP, and I don't think it has dune them much good.

If your in darknet mode isnt that the same as a private tracker?

Not really - with a private tracker, the other users (including the tracker) know what you're uploading and downloading. That's not the case in Freenet. Also, any user of a private tracker can invite their friends, who can also see what you're uploading and downloading, so the network becomes less private as it grows. Freenet becomes more private as it grows, because there are more users who might have initiated any given request.

If your not in darknet mode arnt you just as exposed as BT?

No, requests travel for multiple hops through the network, so if you receive a request from an opennet peer it doesn't mean that peer initiated the request - it might be forwarding the request on behalf of another peer.

If you want to carry out conversations, then i suppose BT isnt a good medium, But isnt that what public/private mailing lists are for?

Mailing lists aren't much good if you need to be anonymous. You could use Tor to set up a webmail account, but then the webmail provider can read your email, so you have anonymity but not privacy. You could use Tor and GnuPG and webmail, but by that point it's probably easier to install Freenet.

Another disadvantage of Tor is that even though your traffic is encrypted, it's easy for someone monitoring your network connection to tell when you're using Tor. If they can correlate the times you connect to Tor with the times a certain webmail account is active then your anonymity is broken. By running a Freenet node 24/7 you make it much harder for an eavesdropper to link your activity patterns to anonymous or pseudonymous messages, because your node is always sending and receiving encrypted packets regardless of whether you're active.

Shame on them ISPs. Makes me wanna signup to proxify, so that I can opt out of the ridiculous eavesdropping that's taking place. incase consumers don't know, here are some tools to protect yourself:

Scroogle with HTTPS, -> i use this as my primary interface for searching on google, since your search queries reveal alot of personal information and gets used for marketing purposes. :(

Tor Anonymity Network, with Firefox plugin to quickly enable/disable anonymous browsing.

Proxify with HTTPS, although for advanced stuff they want you to signup to their service :(

Last but not least: GnuPG, for encrypting your private data.

[root@dbserver root]# dd if=/dev/zero of=tmp.fil bs=1M count=20
20+0 records in
20+0 records out
[root@dbserver root]# ls -al tmp.fil
21M -rw-r--r-- 1 root root 20M Feb 21 17:56 tmp.fil
[root@dbserver root]# /usr/bin/gpg -z 0 --no-tty --batch --output tmp.fil.gpg --encrypt --recipient "XXX XXX <XXX.XXX@XXX>com> tmp.fil\
[root@dbserver root]# du -sh tmp.fil*
21M tmp.fil
21M tmp.fil.gpg
[root@dbserver root]# gzip -9 tmp.fil
[root@dbserver root]# gzip -9 tmp.fil.gpg
[root@dbserver root]# du -sh tmp.fil.*
21M tmp.fil.gpg.gz
20K tmp.fil.gz
[root@dbserver root]#

[root@dbserver root]# gunzip tmp.fil.gz
[root@dbserver root]# /bin/ls -al tmp.fil*
-rw-r--r-- 1 root root 20971520 Feb 21 17:56 tmp.fil
-rw-r--r-- 1 root root 20975344 Feb 21 18:05 tmp.fil.gpg.gz
[root@dbserver root]#
[root@dbserver root]# gunzip tmp.fil.gpg.gz
[root@dbserver root]# ls -al
[root@dbserver root]# /bin/ls -al tmp.fil*
-rw-r--r-- 1 root root 20971520 Feb 21 17:56 tmp.fil
-rw-r--r-- 1 root root 20972114 Feb 21 18:05 tmp.fil.gpg
[root@dbserver root]#

The only thing I can say, is I've started some major "learning" about encryption and various other personal privacy applications.

So far, what I've found and like are:
TrueCrypt - "On-The-Fly" Disk/Storage Encryption. Actually, I've been using this for 24 hours and love it. I've also seen great reviews of this, and some of its very interesting features, such as plausible deniability. Oh, and its Free Open Source Software. Available for Windows 2K/2K3/XP/Vista, Linux, and soon MacOS (v5.0, due in Jan 08)
KeePass - Encrypted Password Storage Database. I've been using this for years, and love it. Also good reviews. If you wish to try it, there are two versions, v1.x and v2.x. v1.x (1.10 being current) is the original independent version. Can be run standalone, no system requirements (.Net or the like). Can be run from a USB Key. v2.x (2.04 being current) is a total rewrite of the application based on the .Net libraries and are required. This version is ALPHA quality and does not yet meet the current functionality of the 1.x branch. This was started due to the fact of people requesting features that would require significant rewrites to implement. Also FOSS. Available for Windows 98/98SE/ME/NT/2K/XP/2K3/Vista 32 and 64 bit. Third party ports also available for PocketPC, Linux, MacOSX, J2ME, Blackberry, PalmOS.
Gnu Privacy Guard - An open source PGP implementation. I use a port of this, GPG for Windows. It seems a bit clunky, and am actively looking for something to replace it so suggest away if you do know something better. I will say though that it does work as advertised, and its FOSS. GPG is distributed mainly as source code I believe, where as G4W is as binaries.

People have looked at some of us who use PGP/GPG, and other encryption/digital signatures for a few years with the look of "why do I need that, I have nothing to hide." I keep waiting for people to finally wake up and realize that the concept of "inherent privacy" (meaning anything not actively publicly published is not publicly known) is gone. We have entered the age of "explicit privacy." If you want something to be private, you must make explicitly so, especially on your computer, with these recent news articles of laptops being fair searching territories at Customs, or the reports that the NSA has feeds from AT&Ts offices to intercept everything.

Well, that's the rub isn't it, OSS being conceptually antithetical to DRM. Most open source licenses (hi BSD guys) require contributing your own work back to the collective good.

I second the earlier idea that encrypting your data is the best option, and submit for review the existence of libcrypt as an efficient means of accomplishing said goal.

http://gnupg.org/

Gnu Privacy Guard (or other PGP) + Judge: Man can't be forced to divulge encryption passphrase = safety in communications.

... but I am as confident as I am that the Sun will rise tomorrow that it will be safe from terrorists. After all, we have the children to think about.

July 12, 2005

Copyright © 2005 Michael David Crawford.

This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.

It seems that David Clark, who led the development of the Internet way back in the '70's - did you know there even was a '70's? - wants to create a whole new Internet that will fix many of the problems the current Internet is plagued with. The New Internet's engineers will be much more careful this time around to make sure it works better than the first one did.

I'm afraid, though, that the engineers are not the only ones who will be deciding how our New Internet will work.

If one is able to find any privacy or anonymity in this New Internet, it will be because of some undiscovered security hole, which will be quickly repaired, rather than any kind of conscious design decision. Probably one reason they are accepting proposals before rolling it out is to avoid the sort of accidental security holes that enable pr0n, peer-to-peer filesharing and left-wing political activism.

Microsoft, a leading contributor both to this nation's technology base and to the campaign coffers of its leaders, will embrace this new technology and extend it in such a way that the development and dissemination of Open Source software will be, if not mathematically and physically impossible, at least as intractible as factoring a 2048-bit public key.

Imagine, if you will, Trusted Computing implemented at the router level, in such a way that any packets that go farther than one hop are certified not only to support protocols whose patent licenses are fully paid-up and on file with the legal department in Redmond, but whose content is compliant with the Windows standard. The faintest whisp of a Public License, GNU or otherwise, will result in the dropping not only of the individual packet, not only in the cancellation of the entire file transmission, but, within microseconds, the reporting of the physical location of the offending server to responsible law enforcement personnel. The identities of its rogue administrators will be fetched instantly from the database maintained by the Department of Homeland Security. (You will have to submit fingerprints and DNA samples to obtain a Windows server license, as after all, Internet servers can be used to disseminate explosives r

So everyone who downloads software to provide them with more security from http://openbsd.org/ or http://www.openssh.com/ or http://www.gnupg.org/ is an idiot?

I was recently looking into secure communications and revisited hushmail, discovered it was compromised (this story isn't new). I believe there is no good encryption solution available that doesn't involve both the sender and receiver running the same software.

Once you make that compromise the solutions multiply. For windows I really like truecrypt for file/disk encryption and firegpg with gnugp to do web based email encryption.

That was also mentioned in the "As We May Think" article in the July 1945 Atlantic Monthly. Just in case you don't happen to have a copy of the July 1945 issue of Atlantic Monthly here is a link:

As We May Think (from July 1945 issue of Atlantic Monthly

Of course there was also the "The Final Cut" with Robin Williams from 2004.

The Final Cut

Then there are also various Science Fiction books and articles such as "The Heaven Virus."

The Heaven Virus

I see that Microsoft is looking into this now. I hope that there will eventually be an open-source, GPL licensed alternative for backing up the contents of our brains. If so, I would also like to be able to encrypt the backup with GnuPG which is a free implementation of the OpenPGP.

The Bush administration and Dick Cheney would probably require some kind of built in back door for easy warrantless access by the NSA. They might demand government access, in the name of looking for terrorists, child molesters or perhaps even critics of Bush administration. Another problem might be, that during the discovery phase of a trial, courts might demand a copy of the backed-up contents of various defendants brains. Lets hope that there wasn't anything somewhere in our lives that court system or the government wouldn't approve of. Would courts demand the encryption keys to the backup copy of the memory of my life?

Oh, I almost forgot about the RFID chips that may supposedly eventually implant in our foreheads or the back of our hands. They might even try to tie the two technologies together in some privacy invading way that the average citizen would not like.

TrueCrypt allows hidden volumes, indistinguishable from one volume. The file size is constant.

TrueCrypt works very, very well. I use it with just one volume to protect passwords and other files.

When you don't want to encrypt a volume, but just a file, Gnu Privacy Guard is best.

It's called Seahorse, and you can install it from the mainstream repositories.
apt-get isn't very complex installation in my book.

Also try this: http://www.gnupg.org/(en)/related_software/frontends.html

Here is a better alternative http://www.gnupg.org/

Perfect only if coupled with a lovely image-based signature file from "goatse.cx". If they want to snoop, make them earn the privilege.

Only as long as it remains legal to encrypt your mail.

http://www.gnupg.org/

No problem... let them snoop. Now I'll just be twiddling the "Encrypt and sign all outgoing email" box on my MUA, and finally start using GPG full-time for all of my incoming and outgoing email, instead of with just my friends and close colleagues.

There are plugins for Evolution, pine, mutt, Thunderbird and just about every other Mail User Agent you can find out there.

Another great benefit, is that I can automatically block/quarantine/delete any and all email that does not contain a gpg-signed component (i.e. 99.999% of all email out there, mostly spam). dspam does an amazing job, but being able to just reject it at the MTA level would be great.

And for those that wish to converse with me, please make sure to use my GPG key to do so (also available here with detailed instructions).

Here is a better alternative http://www.gnupg.org/

As others have said, some parts of the U.S. government has become completely lawless. The government is requiring access and requiring that access be kept secret. The Bush administration has become a dictatorship. I think U.S. citizens should demand impeachment and that Cheney and the Decider be tried for treason. Why should the really big criminals be allowed to break the law?

My experience of whoever it is who sells PGP is that there are other issues about they way they do business, too.

That's why open source encryption is so important. TrueCrypt supports Windows and Linux. Supports encrypted devices and encrypted folders, including hidden folders.

To encrypt a file, use the free open source Gnu Privacy Guard.

They can't do whole hard disk encryption, but they are at least honest.

Oh, the joys of closed source... Who is surprised?

Why do I have a deja vu feeling every time this shit happens... Then again, I feel schadenfreude at peeps using such software. And last but not least, there's nothing more stupid than using closed source security apps. Security by obscurity is DOA.

Fuck PGP, embrace GPG http://www.gnupg.org/

Slashdot story quality is often low; apparently Slasdot editors don't even Google the stories. This is the real story; it was an armed robbery: Coppola Says Robbery Cost Years of Data (AP). This poorly edited story has even more detail: Thieves Steal Francis Ford Coppola's Everything.

I suspect that there is more to the story than we know. I suspect that he is more worried about release of information than loss of information. The AP article says he had a backup copy of a screenplay on which he is working.

The moral of the story is: Have proprietary data? Use TrueCrypt. Supports Windows and Linux. As all encryption software must be, it is open source, very mature, and supports both Windows and Linux. Supports encrypted devices and encrypted folders, including hidden folders.

To encrypt a file, use the free open source Gnu Privacy Guard.

> > It requires an additional external program (GnuPG) to function.
> And you have to register somewhere to get it.

Huh?

And next you're going to demand the source code too? Gezz, so demanding.

The only new thing here is the standard format for the compliance with the court order (and the new requirement that you be able to produce the records for the court). Most ISPs have been saying, "yeah, we don't have that information because we wouldn't have the capacity to store it, duh" up until now.

Did you feel like your civil liberties were stripped away when the court authorized a wiretip on so-and-so or whats-his-face? How do you suppose the court or the legislature would react if your telco said, "Yeah, we don't have the equipment to tap that line." I don't think that would go over so well. Thus: CALEA.

What frightens me a great deal more than the ability of the court to order us to produce data (and the requirement that we store it) is the remote control wire tapping device installed at the police station that can listen in on any line at our small phone company.

They're supposed to get a warrant first, but my feelings indicate that if I were a cop (and believed I was helping people) I probably wouldn't bother with a warrant until I knew there was something to get a warrant about. That is much more serious than this. Let me introduce you to my little friends openssl, openssh, openvpn and gnupg.

If you believe the discrete log problem is "hard" then you have no worries. Now try doing that with your phone...

Again, I didn't say without a machine, I said without *PUBLISHED SPECIFICATIONS*. There are hundreds, even thousands, of publicly available schematic diagrams for machines that read vinyl disks or magnetic tapes, check your nearest technical bookstore.

But I think it's safe to say the norm from the 80s on was not to give out the source.

Read again what I wrote: "It was only when computers became commodities used by amateurs that they started selling software as binaries only." When did that happen? Around 1980... Yes, you are right, that was *exactly* what I said. Before amateurs started using computers software was sold with source code. When people became used to the idea that software could be sold as binaries only even professional software started coming as binaries only.

And just because some people abuse copyright with DRM doesn't mean we should all lose it's protection

I didn't say we should all lose its protection, only people who abuse copyrights by keeping things secret shouldn't get copyrights. It's a two way street, I assume the compromise of not copying your work if you assume the compromise of revealing everything relevant about that work.

When we license our code to people they have full use of the code they paid for [no DRM preventing debugging, analysis, etc]. So people should be able to just copy and give out the code I write and not pay for it?

Again, I repeat, I'm fully in agreement with *COPYRIGHTS FOR SOURCE CODE*. But if you do not agree to disclose your source code, why do you think I should respect your secrets? What if I develop a similar software and the source code happens to be very similar to yours? After all, we all use several algorithms that are widely known, it could be a coincidence.

If you sell a binary code that does some job, it's just a "magic" set of bits that happen to do that. You are not revealing any new ideas to the world, you are not contributing anything to human knowledge.

If folk like me can't earn some coin, who do you suppose is going to write commercial cryptography in the future?

People like these guys for instance. Oh, but they give their software away for free? Well, it may be time to change business models. Just as companies changed their business model in the 1980s and stopped delivering source code, it's time for another paradigm shift.

I work in the aerospace industry and my company is considering a new satellite control system, a cost of some $5 million. One of the key specifications is that source code must be provided for all the software. We have had too much problem with software in the past, critical libraries were supplied without source code and the company that sold them went out of business.

One example: the Digital Equipment Co. supplied the VAX/VMS computers in our old system. Now we have 3 million lines of FORTRAN code that require the VAX/FORTRAN compiler, our old VAX computers have an ever increasing failure rate, there is no FORTRAN compiler in the market that fully supports the entire VAX/FORTRAN specification (yes, we tested *all* the FORTRAN compilers in the market that claim to be VAX-compatible).

We have several hundred millions of dollars invested in spacecraft that are critically dependent on the control software. Although we do have the source code for the control software itself, it's of little use to us because it cannot be compiled and linked without the compilers and libraries published by a company that does not exist anymore.

So, in the long range, what is exactly the worth of binary-only software? Nothing, all our VAX software will be absolutely, totally, worthless after our VAX computers stop working, and that's true of any binary-only software.

Here are a few other examples of free programs which I forgot to include. Like the others they are available in both Windows and Linux versions.

• GnuPG - The GNU Privacy Guard which can encrypt and sign you data and your communications
• DOSBox the Dos emulator for running many old DOS games and programs
• Firebird the relational database program
• PostgreSQL object-relational database management system
• Stellarium is a free open source planetarium

So whose encryption do we use? Some closed source, proprietary "solution" from Microsoft that has been "approved" by the government? If governments (USA in my case) can send people to jail for sharing a freaking music file, what do you think they can do to outlaw "unauthorized" encryption?

I personally use GnuPG. However, how hard would it be for a government to outlaw any "non-approved" encryption implementation?

I am not trolling here. I am just trying to point out that if "we the people" come up with some good encryption, the government will try to find a way to stop it to "protect us".

On Windows, I believe you can "attach" to a running process with a debugger. On Unix, if you want to debug, you have to start the app in a debugger, because once it's running, the app's memory is its own.

You can, instead, specify a process ID as a second argument, if you want to debug a running process:

gdb program 1234

An implementation of the protected store functionality will allow applications like Firefox, Thunderbird and gpg to have one common place to obtain private keys and certificates rather than maintaining their own individual key-stores.

So have them all use libgpg or something. But what is the advantage?

This is why I think it's very important to use something like GnuPG for email. With a large keysize, it's very hard to break. I encourage everyone who will be affected by this to cryptographically sign and encrypt his or her email, and use something like OTR (Off The Record) to encrypt instant messages.

Conversations are between the intended people, and should stay that way. The last thing we need is people snooping through our emails and private conversations.

Maybe it should be noted in this context that GnuPG 2 has been released recently. No longer a monolithic application, it includes tools for key and passphrase caching, smart card support, configuration, certificate revocation list and LDAP support and more. Thanks to Werner Koch et al for keeping developing this valuable tool.

Good afternoon Mr. Beard,

Thanks for taking the time out to field questions from the /. crowd.

1. What is Mozilla's direction with regards to implementing out-of-the-box email security with Thunderbird? Granted, there are extensions like Enigmail that add the functionality after the fact. However, the average user may not be aware of such an extension, or have the knowledge to use it. Perhaps your company could work closely with the folks at GnuPG to include such a functionality into Thunderbird (along with a friendly UI for the initial setup process) and offer secure email to the masses? In doing so, the end user would also have a trusted source for receiving GnuPG updates (only to the extent of Thunderbird functionality of course) by way of automatic updates.

2. While Firefox has come a long way, there are still some issues with rendering certain web pages that use style sheets. While it is mainly due to the use of non-standard web publishing practices, one problematic page load of a website may be enough to deter a newcomer to Firefox. What is your company doing to address such issues?

3. One of the more widely discussed issues with Firefox has been memory leaks. Whatever the cause, this has also been a deterrent for new users, and thereby affected market share. In this recent /. article titled "Nine Reasons to Skip Firefox 2.0", TFA states "a growing number of users are reporting bugs, widening memory leaks, unexpected instability, poor compatibility, and an overall experience that is inferior to that offered by prior versions of the browser." While there's no doubt that your company has worked hard to bring 2.0 to fruition, what is your company's response to such a backlash? And will such a response prompt a maintenance release to address such issues?

Thanks again for your time!

Granted, the EFF is trying to protect our rights as citizens, and in my opinion they are doing a decent job as such; however, people please.. it is your responsibility to protect your own privacy, and if you are doing something that you do not want others to know about, please please use a Good Encryption system, a Good Anonymizing Proxy for browsing the web, and definately get a Good Web Browser. If people would follow these three little tips, it would make eavesdropping on your communications about 100 times more difficult.

Quote from the CP Lab About Us page: "Our company is located in Kiev, Ukraine. CP Lab's employs high-class experts, ..."

It's difficult to imagine that it would be acceptable to use an encryption product without having the source code. If you have problems, will you go to Kiev and discuss them with the "high-class" experts? Do you speak Russian?

Suppose a database becomes corrupted, and you need to recover your passwords? Will you send the entire database to the Ukraine?

Suppose the company is now selling an entirely acceptable product. However, suppose that later the company is sold to someone else, without notifying the customers, as is usual with software companies. Possibly the new owner will decide to build a back door into a "minor" a version upgrade.

The Ukraine? Isn't that one of the places that the U.S. government's break-the-law department, the CIA, holds prisoners illegally? Is CP Labs owned by the CIA, perhaps? Is CP Labs owned by the CIA, but most CP Labs employees don't know that?

If you use an encryption product, it should be open source. That at least provides some protection. One advantage of open source, free software is that the users can hide the fact that they are using the product from the developers. Paying creates a connection between your company and the developers.

Possibly there is some way of using TrueCrypt and GnuPG that would work for you. Need passwords for your department? Someone in your organization who acts as password manager sends them to you encrypted with your public key. Only someone who has your department's private key can decrypt them.

Products that implement cryptography are probably credence goods. It requires expensive and uncommon skills to verify that data is really being protected by the use of cryptography, and most people cannot easily distinguish between very weak and very strong cryptography.

Can you distinguish, by inspection, between a reliable automobile and a piece of junk that will barely last 2 years? I certainly can't. So I rely on reviews by people I trust when I buy a new car.

In the field of cryptography there are several people who have written peer-reviewed books about cryptography, are trusted in the community, and who occasionally review products. Bruce Schneier is one (there are others, use Google, this is not mean to be a puff for Schneier or his company).

There are also open-source cryptographic programs, which are peer-reviewed and definitely not snake-oil.

Just a thought.

So you have the option of taking credit for what you say when it turns out that you were right.

That was the most difficult google search I've ever done ... Gnu Privacy Guard

From TFA:
People don't want a single dedicated computer. They don't want their whole lives bound up in one piece of hardware.

Also, people generally tend not to care about their sensitive data? Web-based software delivers even more ways to hijack it, as not only it is insecure while being transfered between two computers (that is a problem that can be fixed with, say, GPG), but also while being edited. Ok, your may encrypt it, but never the less the crackers will get quite more samples of your encrypted data than they could get if you only sent a single file. Do you really want this?

People want to get access wherever they are, from whatever device they're using.

But keep in mind that it will impact the performance of their main device.

I think we are in one of those major generational changes. And it will be interesting to see how it plays out.

If it doesn't play out the "web-is-our-OS" way, the result will actually be far better for both you and your users. Unless you intended to spy on em. ;-)

For encrypting single files, gpg is probably the simplest solution. Note that you don't have to bother with key-rings, digital signatures, etc. Just use conventional encryption and a GOOD (can't emphasize this enough) password.

A more user-friendly approach would be to use an encrypting file system, such as TrueCrypt, which presents a single file as a drive on your machine, and backup the encrypted file regularly.

I'd like to see the reasoning behind this. Intellectual Property Protection Act doesn't sound like a bad idea. It's a good idea to protect intellectual property, too bad we know the IP is used and abused by big companies. I don't see the need for a bill, though, since there are already laws in place

As for the IP crimes are funding terrorism, duh. I'd like to know how downloading an anti-virus and downloading a crack is funding terrorism. Are all these .ru websites with their porn ads ran by terrorists? And don't get me started with "Open Source invites terrorism". Just because you know how something is made doesn't allow you to bypass its protection. I can see the code of GPG, it doesn't mean I can crack a GPG-encrypted file in less than a few million years.

Last but not least, drug financing terrorism. Well, it sort of does (or did anyway). Drug is the best way to make money with little risks (for the bosses anyway), given the low production cost, and huge street price. Margins are the largest in the world. So yeah, I guess some of the investments of terrorist groups are in there. But hey, big new. If you want to cut down a lot of this market, make the major illegal "drug", the marijuana, legal. It's not like you can't find any if you want to. It'll also lower crime rate, give the governments a new product to tax a,d increase the quality of the product. And it won't turn your youth to potheads ; look at Netherlands, there are actually less people smoking pots there than in countries where it's illegal.

Speaking as an Evil Genius with standards, and one who's read the Warhol Worm paper, I'd say any "decent" botnet doesn't take orders from just any old Bill, Fred, or Otto who wanders by waving an executable at it. A "decent" bot wouldn't run code handed to it unless the executable was cryptographically signed with a private key matching the public key it knows belongs to its One True Beloved Master.

So, all of your plans should work just fine... once you determine how to recover a GPG private key of the 4096-bit keypair needed to sign the RUNME code, using the public key taken from the sample bot.

HANGE. (Have A Nice Geologic Epoch.)

(Note: I have better projects to occupy my Evil Genius than botnets.)

Simple solution: Educate your friend(s) on on-line privacy issues and teach them basic security skills like using http://gnupg.org/ to encrypt your e-mail while you are at it.

Uh, that dosn't sound very simple at all.

It might not be that easy, since OTHER PEOPLE (a friend) could post that about him without posting it under some other handle.

Simple solution: Educate your friend(s) on on-line privacy issues and teach them basic security skills like using http://gnupg.org/ to encrypt your e-mail while you are at it. Someone who still posts embarrassing pictures after you told them not to really isn't a very good "friend".

      1. Generate A Key Pair (already done)
      2. Send Public Key To Designated Keyserver (or Coordinator)
      3. Send Public Key Info To Coordinator
      4. Show Up At The Party
      5. Verify Your Key Info
      6. Verify Everyone Else's Key Info
      7. Verify Everyone Identify for IDs You Will Sign
      8. Sign All The Verified IDs On The Verified Keys
      9. Send The Signed Keys Back Up To The Designated Keyserver (or to the key owner)

What do you think of IRC, is that recorded?

The server admin or ISP can log all traffic (/msg, channel text, etc), and popular channels often have a bot that records and publishes all traffic as well.

How can I encrypt my emails so the person recieving can read them, but everyone else can't?

PGP and compatible tools. PGP Desktop has a free trial. There is also GnuPG, a free & compatible alternative, but the GUI might not be as polished. The recipient must also be willing to use one of these as well, and have set it up in advance of receiving an encrypted email.

There is also S/MIME, an incompatible standard. I believe Outlook supports it, but you have to get a certificate from a 3rd party for that to work (excepting setting up your own CA, whch is more work).