Slashdot Mirror

GnuPG comes to mind as open-source encryption software. Are there any Windows or Linux solutions that offer the same relatively transparent, on-the-fly disk encryption that's built-in to XP Pro?

http://www.gnupg.org/

I've only just begun using TrueCrypt, but my experience, also, is that it just works, also. I like making and maintaining a container, which can be moved to a thumb (flash memory) drive for traveling.

I like the command line options of TrueCrypt.

Most importantly:

1) Reading the web site and documentation gives me the impression the developers know what they are doing. I like it that, in the comments above, the developers are criticized for an incorrect statement about block chaining, and the error was corrected immediately.

When I read the web sites and documentation of commercial encryption products, so much is written by bored marketing people that I fear that the company is controlled by someone who majored in English Literature. (Nothing against majoring in Eng. Lit., but such people should not have control over products that require advanced understanding of technology.)

2) To me, it is absolutely necessary that any encryption software I use be Open Source. I fear that a rogue employee or a an owner of a commercial encryption software company would put in a back door, or would introduce a weakness.

The U.S. government has decided that it can secretly force companies to help in surveillance. This means that commercial companies cannot be trusted. (The drawbacks of secret action are called "Blowback" by some in the U.S. government. Blowback is not seen as a bad thing, because if decreases the political stability in the world, which means that employees of U.S. government secret agencies will get raises and promotions.)

For conventional encryption, like sending encrypted files automatically to a private FTP site for safe offline storage, I use Gnu Privacy Guard. Also Open Source, of course.

[ Amendment IV ]
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Want to read my stuff? Go ahead and crack it - no warrant necessary.

Get the rabbit installed on a machine behind your firewall
==> http://freenet.sourceforge.net/
Faster than freenet
==> http://www.i2p.net/
Encrypt Jabber
==> http://www.vanemery.com/Linux/Jabber/jabberd.html
Onion Routing
==> http://tor.eff.org/
Emerging Network To Reduce Orwellian Potency Yield
==> http://entropy.stop1984.com/
Free Internet telephony
==> http://skype.com/
GNU-ified P2p
==> http://www.gnu.org/software/gnunet/


DO NOT DENY yourself about 2 hours @ InfoAnarchy.org
OMG! ==> http://www.infoanarchy.org/wiki/index.php/Main_Pag e
LearnLearnLearnLearn ==> http://en.wikipedia.org/wiki/Cryptography

=================EMAIL ENCRYPTION===============
GPG (Free PGP)
==> http://gnupg.org/
Integrated with Thunderbird
==> http://enigmail.mozdev.org/
Mutt can't be beat as a mailreader and integrates GPG wonderfully.
==> http://mutt.blackfish.org.uk/
==> http://www.mutt.org/links.html
==> http://wiki.mutt.org/index.cgi?UserPages

!!! Please do not immediately send newly created keys to the keyservers (as many HOWTOs instruct new users to). They are already overflowing with "test keys" and other people's experiments from over the years THAT HAVE NO EXPIRATION and will never be deleted. These keys are "orphans" and most will never be used. As keyservers sync together, and most keys are never deleted once submitted - GET YOUR KEY SETUP CORRECTLY AND HAVE PRACTICE WITH IT BEFORE SENDING IT OFF TO THE KEYSERVERS!!! Otherwise storage requirements will continue to grow and using these in the future will become more difficult FOR ALL. Please, if you are just starting out with PGP or GPG or GnuPG or anything similar (the last two are in fact the same thing) use manual key distribution to begin (ascii armor your public key with


$ gpg --export --armor my@email.address.org

and copy and paste it into an email body or attach it to an email


$ gpg --export --armor my@email.address.org > myPubKey.txt

to gain practice with GPG before uploading your key. This way if you need to create another you won't have uploaded your mistakes. Many choices need to be made and it's worth getting things right before "going public" with your new digital ID. Experiment with yourself and a few different email accounts or with some friends first.)

SET AN EXPIRATION OF 2-5 YEARS OR SO AND MAKE SURE YOU HAVE YOUR PREFERENCES THE WAY YOU LIKE THEM BEFORE SENDING TO A KEYSERVER! Better yet is to HOST YOUR

I'm the "Anonymous Reader" who submitted this "article". I'm from Germany, so my command of the English language is limited at its best (it's impressive how many comments bitch about that billion/million typo ... my apologies to the /. editors).

My request was a serious one, answers as The Moon http://ask.slashdot.org/comments.pl?sid=171228&cid =14261341/ are funny to some extend, but not very helpful. Bugmaster asked http://ask.slashdot.org/comments.pl?sid=171228&cid =14262445/ which solutions there are. Moving out is one, keeping a low profile another, also encryption keeps bubbling up. Encryption is not much of a help if the connection data, who spoke to whom, is stored (but I use it anyway). On the other hand, I know about tools/services like the Freenet Project http://www.freenetproject.org/, TOR http://tor.eff.org/, JAP http://anon.inf.tu-dresden.de/index_en.html/ and GnuPG http://www.gnupg.org/ -- but most of my peers do not. If asked, their answer is similar to this one http://ask.slashdot.org/comments.pl?sid=171228&cid =14262263/, which, in my eyes, IS crazy. In addition, if more and more people start to use these services, any estimate much time it will take to outlaw encryption technologies as such?
So, keeping a low profile is sort of an option, but not calling grandma for her 90th anniversary is HARD to explain, don't you think?
Last solution, move along. As said, my request was serious, not intended as anti-european flamewar http://ask.slashdot.org/comments.pl?sid=171228&cid =14261813/, nor as troll http://ask.slashdot.org/comments.pl?sid=171228&cid =14261813/.

Somalia was mentioned http://ask.slashdot.org/comments.pl?sid=171228&cid =14261597/ ... to be honest, I prefer not to be shot. Then, New Zealand http://ask.slashdot.org/comments.pl?sid=171228&cid =14261456/ which seems to be sort of an option ... unfortunately this seems to be the one and only serious answer =(

One comment (sorry, no link) stated, that as long as one can purchase SIM cards without ID ... hey guy, here you can not! At least, neither in Germany nor in Switzerland ahref=http://www.heise.de/newsticker/meldung/35261 /rel=url2html-19262http://www.heise.de/newsticker/ meldung/35261/> (sorry, German only). Admitted, Switzerland is not a member of the EU and I don't know about all other members, but I assume that it is not possible to purchase a prepaid card anonymously anywhere on the continent -- and no, in my eyes, privacy is NOT a luxury http://ask.slashdot.org/comments.pl?sid=171228&cid =14261289/

Btw, I heavily agree with bmh129 ... how is this possible? http://ask.slashdot.org/comments.pl?sid=171228&cid =14262340/.

Regards

It seems nobody has said the obvious yet ...

Encrypt your private communications.

Use anonymous remailers.

If you actually get charged, they'll require you to give up your keys, but they won't be snooping at your E-mails behind your back.

pgp.com
gnupg.org

I can encrypt my email use by connecting to the Gmail server using https - how do I do that using Thunderbird? No doubt it depends on my ISP, right?

Depends. If you're intention is to send an email that the recipient, and only the recipient, can read, you should use something like GPG. GPG is independant of your ISP.

If your intention is to only encrypt the communication between you and your ISP, then yes, you need to contact your ISP and see if they offer something like SMTP over SSL. Yeah, it's confusing to talk about. That's one reason virtually nobody does it.

Encrypting individual emails using something like GPG is the only private way to get an email from you to the recipient. The data you encrypted cannot be decrypted until it gets to your recipient. If you use something like SMTP over SSL, your data is only encrypted between you and your ISP. Once it reaches your ISP, it's decrypted and sent to its destination as plain text.

Hope that helps. Go ahead and email me if you have more questions.

In other news, smart people can avoid being caught by doing stuff...

I mean, any dolt can PGP or GnuPG encrypt a message or just hand deliver messages. Things like wiretaps are good for the duller knives in the drawer. We should still use them to "grab the low hanging fruit" and look elsewhere to capture the rest.

If a person knows he's being wire tapped, he won't say anything incriminating anyway, and if the feds/cops don't get what they want over the phone, they'll just bug some offices instead.

Do not bother with password protected zipfiles. Use Gnu Privacy Guard.

G P G

Gnu Privacy Guard. Get it and use it.

Is it time to increase the default keysize in GPG?

Currently, the default key generation method in GPG is to create a 1024 bit DSA master key and Elgamal subkeys. The GNU Privacy Handbook admits that a key size of 1024 bits is "not especially good given today's factoring technology."

If the authors of GPG know that 1024 bits is not a good key length for an asymmetric cipher, why not set the default length for the master key at 2048 bits? If that would require switching to RSA as the default signing algorithm, why not do it?

Why should I have to register with Verisign to send an encrypted email to my girlfriend, co-workers etc.

You don't. The third-party CA is not at all a requirement for encrypting and signing your email.

Why can't I just click a button and generate a random 128 bit key set and use PGP?

You can, although I think the minimum key length might be 1024 bits.

why can I send a MIME encoded attachement anywhere, but not a PGP encoded plain text email?

You can. See Enigmail for example. Anybody with PGP and a key can receive, verify, and decrypt, even if they don't happen to use Enigmail on their end.

I think (and hope) your point was that this isn't built-in and/or integrated into every email client by default, which is absolutely true. But I'd suggest you download GPG and install Enigmail as a plugin to Mozilla or Thunderbird, and actually see that there is a point-and-click solution. You literally click a little key icon in the message as you compose to encrypt, or a pen icon to sign. You can even encrypt and/or sign everything by default.

Idea is not much used because it is patented, (see the stance of e.g. Gnu privacy guard ).

Materials: 1 Linux server, 1 winxp desktop, 2 removable HD cartridges.

The desktop has a removable hard drive cradle.

1. Every week I plug in one of the HD's to the XP machine and mount it onto the linux box via samba.
2. I tar my entire linux box, piped through GNU Privacy Guard (to protect against unauthorized access) and 'split' (to avoid the 2GB file limit) and store it on the HD in date-stamped directory.
3. I store the removable HD offsite.

My windows box stores all of its critical files (ie My Documents) on a samba share on the server.

I also do a daily rsync of the most critical / volatile files offsite nightly.

You're kidding, right?

If you like the Google interface (my main reason for using it), and you don't want Googlebot "reading your email", you don't have to let it.

"Friend added"

I'm not so worried about the national ID card at the moment, maybe I see things differently, but I highly doubt it will actually come into play SOON. As in less than 10 years. Governments have a tendancy to move extremely slow. Much of what I understand in their intent on such an ID, would be standardization of certian things within the ID system so it would be technically simpler in terms of accessing data.

The system has been in place for decades to share information, but never in electronic form... yet. This would allow easier access, but they'd still have to go through the red tape to access such information. Maybe I'm too utopian about the idea of such. Let me know if you think I'm wrong.

Now back on topic.

I love my privacy. I seperate my online transactions with what I want to keep anonymous and what I don't mind being put in the public. Journals, Emails, whatever software I happen to be writing, business plans etc. No one has a right to see them. Encryption is merely a means to an end for me in privacy. I lock the bios, user authentication with linux or Windows (with the NSA's help), and GPG with WinPT

All said cyrptographers should buy a non hyperthreaded cpu, or turn it off.

I mean if you use GPG on most machines, it will issue you a warning about Insecure Memory. That is someone could potentially harvest data from disused pages in memory.
These cryptographers would use a secure memory system. I'm happy hoping that MI6 isn't running a remote memory exploit on my box.

So if I encrypt using GPG, does that mean all my e-mails are covered by the GPL? Yikes.

If I take a Maxtor 300GB portable usb drive, plugs it into my pc, loads up with movies, and ships of to a friend? Huge capcity, overnight, or in a few days at least. And besides, ??AA has no real chance of uncovering such transfers.

Well, realistically. What about VPN? Having hard encryption easily obtainable, it should be trivial to share files with friends. If a key is signed by a large enough number of friends, trust it. Otherwise, discard. If a p2p net included strong cryptographi, and trust levels and/or ratings to users, it would be far more difficult for ??AA to eavesdrop those connections. At very least, they'd have to build up a trust, which would probably mean sharing...

• A source stream of data
• A stream of random keys
• Block encryption to secure the stream in transit
• An RSA encoded stream of the above keys, encoded for each applicable user
• Broadcast the block encoded data, and the RSA'd key streams on a shared channel
• Decoding of the key stream at the user
• Decoding of the data stream with the keys

I'm fairly confident some variant of this scheme is being used by all of the major satellite systems.

You should be able to extract most of the code you need for thi from the GnuPG source.

--Mike--

[ Amendment IV ]
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Want to read my stuff? Go ahead and crack it - no warrant necessary.

Get the rabbit installed on a machine behind your firewall
==> http://freenet.sourceforge.net/
Faster than freenet
==> http://www.i2p.net/
Encrypt Jabber
==> http://www.vanemery.com/Linux/Jabber/jabberd.html
Onion Routing
==> http://tor.eff.org/
Emerging Network To Reduce Orwellian Potency Yield
==> http://entropy.stop1984.com/
Free Internet telephony
==> http://skype.com/
GNU-ified P2p
==> http://www.gnu.org/software/gnunet/


DO NOT DENY yourself about 2 hours @ InfoAnarchy.org
OMG! ==> http://www.infoanarchy.org/wiki/index.php/Main_Pag e
LearnLearnLearnLearn ==> http://en.wikipedia.org/wiki/Cryptography

=================EMAIL ENCRYPTION===============
GPG (Free PGP)
==> http://gnupg.org/
Integrated with Thunderbird
==> http://enigmail.mozdev.org/
Mutt can't be beat as a mailreader and integrates GPG wonderfully.
==> http://mutt.blackfish.org.uk/
==> http://www.mutt.org/links.html
==> http://wiki.mutt.org/index.cgi?UserPages

!!! Please do not immediately send newly created keys to the keyservers (as many HOWTOs instruct new users to). They are already overflowing with "test keys" and other people's experiments from over the years THAT HAVE NO EXPIRATION and will never be deleted. These keys are "orphans" and most will never be used. As keyservers sync together, and most keys are never deleted once submitted - GET YOUR KEY SETUP CORRECTLY AND HAVE PRACTICE WITH IT BEFORE SENDING IT OFF TO THE KEYSERVERS!!! Otherwise storage requirements will continue to grow and using these in the future will become more difficult FOR ALL. Please, if you are just starting out with PGP or GPG or GnuPG or anything similar (the last two are in fact the same thing) use manual key distribution to begin (ascii armor your public key with

$ gpg --export --armor my@email.address.org

and copy and paste it into an email body or attach it to an email

$ gpg --export --armor my@email.address.org > myPubKey.txt

to gain practice with GPG before uploading your key. This way if you need to create another you won't have uploaded your mistakes. Many choices need to be made and it's worth getting things right before "going public" with your new digital ID. Experiment with yourself and a few different email accounts or with some friends first.)

SET AN EXPIRATION OF 2-5 YEARS OR SO AND MAKE SURE YOU HAVE YOUR PREFERENCES THE WAY YOU LIKE THEM BEFORE SENDING TO A KEYSERVER! Better yet is to HOST YOUR KEY ON YOUR WEBSITE (or try using http://biglumber.com/ instead to host your key and help c

"let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a
break allows a collision to be found in merely 2^69 operations (on
average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall.
that's broken!!

OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall.
comparing unbroken MD5 to broken SHA-1 means the wall would actually grow
from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if
it's broken enough to find a collision in 2^69 operations (on average), is
still stronger than MD5 was ever meant to be.

again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall,
unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
intended to be incredibly stronger than MD5."

And didn't you guys bash Google when their personalized ads rolled out? Here it comes Microsoft.

Luckily, we still have products like GPG for those who concern.

http://lists.gnupg.org/pipermail/gnupg-users/2005- February/024862.html

Atom Smasher atom at smasher.org
Wed Feb 16 21:56:25 CET 2005

Hash: SHA256

this should help put the (alleged until proven otherwise) SHA-1 break into
perspective. thanks to Sascha Kiefer for giving me the idea.

let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a
break allows a collision to be found in merely 2^69 operations (on
average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall.
that's broken!!

OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall.
comparing unbroken MD5 to broken SHA-1 means the wall would actually grow
from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if
it's broken enough to find a collision in 2^69 operations (on average), is
still stronger than MD5 was ever meant to be.

again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall,
unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
intended to be incredibly stronger than MD5.

- -- ...atom

isn't this what geam does. ftp://ftp.gnupg.org/gcrypt/geam/

Agreed - I think OpenPGP is simpler to implement and use (due to the lack of a need for a centralized "certificate authority"), but S/Mime is what always gets built in[1]. Either way, between OpenPGP and S/Mime there are already two documented standards with one or more genuinely open implementations available, so I don't imagine this new one is going to go very far.

[1] - Although I like the idea of blaming it on a proprietary software conspiracy, who prefers to encourage the "pay someone else to deal with things for you because you just can't handle it" model [e.g. a Certificate Authority], I think the reason S/Mime gets in is because it seems to use the same algorithms and methods that SSL does in the first place. Since any real email client has to support SSL for secure communication with servers anyway, extending that code just a bit to add S/Mime is a lot less work that adding support for OpenPGP would be. I'm just hoping Enigmail and other OpenPGP[2] interfaces for email clients become ubiquitous and trivial to install and use. If they do, I can imagine OpenPGP taking back the role of "preferred mail signing and encryption standard"

[2] - In case anyone doesn't already know - "OpenPGP" is the name of the standard. "PGP" is the company that currently owns the original implementation of that standard and still provides semi-proprietary[3] software for it. "GnuPG" and others (including, obviously, PGP Corporations products) are implementations of the OpenPGP standard (and therefore interoperate with each other just fine).

[3] - they are a "software license fee" company and the software isn't properly "open source". However, they DO apparently publish their source code for peer-review (just not for redistribution).

For OS X, you have to dig into an RTF document to figure out:

Finally, one must-have program which anyone who uses Apple's Mail client, must get is, GPGMail <http://www.sente.ch/software/GPGMail/>
To Install:
*Quit Mail.app
*Copy GPGMail.mailbundle into $(HOME)/Library/Mail/Bundles/
*In the Terminal, type:
defaults write com.apple.mail EnableBundles YES [Return]
*Restart Mail.app

Ciphire has serious problems as discussed by many others in this thread. But at least they care about ease of use!

GnuPG is fine, too. These are alternatives, and alternatives are good. I am currently adding GPG support to a popular Windows email client (will go unmentioned ;) Because GPG has been out there for some time it will have a head start for being integrated with other software. The interface, whether within UNIX software or Windows software, is easy to do to GPG but the difficulty is all the key mangement stuff. So in my case I'm assuming there's an existing installation, not handling management details. This is an area where Ciphire offers an easier global solution.

Remember that there was a recent court decision allowing ISPs to read your email when it touches their hard drive.

Email messages are always tranfered on as they are received, anyone from point a to b can read it in plain text if you send plain text. I understand your point about wanting to avoid your specific ISP but big picture here, even with your ISP mail server out of the path, a plain text email is open to anyone with access along the way legally or not. If someone eavesdropping on your email is that much of a problem for you, your specific ISP is one of many things you need to consider as it is no weaker then the other links in the chain, including the recipients ISP mail server. I suggest GPG or one of the closed source alternatives. Maybe your plan is using your mail server to get directly to someone elses bypassing any middle man or ISP mail server queue, good in theory but seems like much more trouble and still less secure then just using PGP to begin with.

Heh. Most people don't know how email works at all - they somehow think their password protects people from snooping in.

Speaking of which, GnuPG is at 1.4.0 now. For Windows users, GPGShell is a good (closed-source) frontend for it.

There is software such as the GnuPG utility which can verify digital signatures. The GnuPG software can be downloaded at no cost and can be freely used by everyone. There is an issue in making sure that the GnuPG software itself was not tampered with. A signature on the Web page does not help unless the page was obtained securely with SSL encryption, a trusted browser and a trusted OS... The GnuPG site has an Integrity Check section on verifying the download. They mention the use of a SHA1 calculator (which would have to be trusted.) Of interest, they also mention comparing the SHA1 hash to the ones provided by multiple sources. Presumably, it is less likely that all of the sources would have been tampered with. It is possible to contact a trusted party (but not using e-mail) and to obtain an SHA1 hash or a copy of the GnuPG software (i.e. on a CD.) This might involve some cost and going to some trouble. Perhaps parties could sell copies of the GnuPG software on CD-ROMs. It would be convenient if computer systems included copies of software such as the GnuPG utility. Presumably, the computer manufacturer would verify the software before including it.

With public-key encryption, there is also the "web of trust". It is necessary to have at least one trusted public key (or certificate) or a trusted fingerprint for a public key. This lets the user verify other public keys and files. Having more than one is better.

Why don't you just put all your passwords in one file and encrypt it? That's what I do with mine. Now, I don't have a memory key to put it on, but how hard would that be?

GnuPG runs on many platforms.

It would be useful if users could handle encrypted and/or authenticated e-mail messages. The GnuPG encryption software can be freely (as in freedom) used by all users. For it to be effective, it would be necessary to obtain at least a few public keys from others in a trusted manner. Perhaps businesses could generate their public keys and provide them to GnuPG users for authentication purposes. The S/MIME standard is built into certain e-mail clients, but sending (not sure about receiving) secure mail with the user's identity requires obtaining an electronic certificate from a certificate authority company. Perhaps the implementation and support for secure e-mail standards could be made easier for users while still remaining effective. Businesses would hopefully follow up if users demanded secure e-mail.

That's why we have asymetric encryption: you can use your GnuPG public key with any kind of software now, whether it's an e-mail or Jabber client like Psi.

I copied the URL from the wrong tab. Anyways I found a good site starting at GnuPG's site. Silly me, do a preview next time.

No, PGP is a commercial, non-GPL'd product.

They mean GPG, open source software that works in the same way.

I'm finding myself quickly leaving sites that are built, either intentionally or out of ignorance, as IE-only.

With tabbed browsing, fantastic bookmark controls (add bookmark here and synchronized bookmarks), great content tools (bugmenot, adblock), the browser goes almost everywhere.

Folks who are reading this and who made the plunge, but still use Outlook, SWITCH TO THUNDERBIRD! While I wasn't very happy with the seemingly random way my old emails were imported (messages with multiple mime parts dont have the correct items displayed on the pane, and others meant to be displayed as shown as 'part1.1' attachments), I was incredibly happy with the abilities and extensions of the program.

Specifically, I found Thunderbird very happy to deal with my POP3 and IMAP accounts, interface very easily with GnuPG (via Enigmail)

Mozilla really sucked for quite awhile, but these days I'm surprised when I find people who still only use IE. How 2001.

I look forward to the work being done on calendaring.

Though it's currently in alpha, GnuPG 1.3.6 is stable enough for general use, and supports SHA-256, SHA-384 and SHA-512 -- important now that MD5 and SHA1 may be flawed.

I am amused to note that the comment that immediately follows contains a reference to using GnuPG on a USB drive....

From the review, seems like the book goes a long way to giving a good introduction for keeping yourself secure, but does it really leave out keeping communications secure?

It wouldn't take more then a few pages to discuss the need for being able to sign or encrypt things and a short tour of PGP/GPG and how they can use it in their everyday life.

How are they going to force non-US VoIP companies to comply with this requirement? It isn't like there aren't already a variety of ways to communicate in a manner that thwarts government snooping, the fact that the old phone system made this relatively easy is no reason to cripple modern communication mechanisms.

OlympicsInColor.com would be for the American viewers and OlympicsInColour.co.uk would be the unfettered site. Simple, cheap, well, perhaps not effective in any way, but worth a shot.

Security thorugh obscurity is always the best, no matter what those GnuPG people tell you. After all the biggest software company in the world is a strong advocate of this.

Just in case his site gets /.'ed, here is his impressive list of links. - Jonah Hex in non-karma whore mode.
Downloads
Linux Wipe Tools: Three shell scripts for securely wiping all data from the swap partition, wiping unused disk space on the root partition, or wiping an entire disk, by Thomas C. Greene.

No Messenger: A batch file that eliminates Windows Messenger and fixes the problem of Outlook Express loading slowly when Messenger is absent, by an anonymous friend of The Register.

FileCheck MD5: A free, simple, lightweight MD5 utility for Windows, courtesy of Brandon Staggs.

Errata: A text file containing my various blunders and ommissions in the book (right-click and "save as," or view as HTML). Last updated 6 June 2004.

Links to Other Goodies
Mozilla: A free, open source Web browser and e-mail client for Linux and Windows, feature rich and far more secure than Internet Explorer and Outlook Express. Recommended for novices.

Firefox: A free, open source, stand-alone Web browser for Linux and Windows. Very light and fast. Recommended for intermediate users.

Thunderbird: A free, open source e-mail and news client for Linux and Windows. Recommended for intermediate users.

GnuPG: Gnu Privacy Guard; a free, open source replacement for PGP, for Windows and Linux.

WinPT: Windows Privacy Tools; a free, open source GUI frontend to GnuPG for Windows.

Anonymizer: Various services for anonymous Web surfing, e-mail, chat, etc.

OpenSSH: A free, open source SSH (Secure Shell) client and server for Windows and Linux.

PuTTY: A free, open source GUI frontend to OpenSSH for Windows.

Ethereal: A free, open source network traffic analyzer for Windows and Linux. Windows users will need to install WinPcap before installing Ethereal.

Ad-Aware: A free, closed source adware/spyware scanner for Windows.

SpyBot Search & Destroy: A free, closed source adware/spyware scanner for Windows.

Sam Spade: CGI gateways to numerous online tools, such as whois, traceroute, etc.

SourceForge: A vast repository of open-source software for Windows and Linux. The site can be overwhelming, but it has a search engine to help users locate packages.

GNU Project: The home base of the open source movement. A repository of open source products, chiefly for UNIX-compatible systems.

Security Information
About Internet/Network Security: An informative and useful site dealing with computer and Internet security, with reviews of security products and books, practical howtos and tips, and links to numerous tools and information resources, geared toward beginners and intermediate users.

SANS Institute: An educational and research organization with a vast archive of security research documents, news, and advisories, geared toward intermediate and advanced users.

CERT/CC: Computer Emergency Response Team Coordination Cente

jabber (http://jabber.org/), does work with servers, but it's not with one big central server, but more like with email: a lot of independant servers. Jabber also allows encrypting your messages with pgp or http://gnupg.org/.

NTBackup that comes with Windows can NOT backup all the Windows system drive, only part of it. Windows XP and 2000 (not Windows 98) have crippled file systems, apparently to implement copy protection.

NTBackup presumes that you are a peon whose time is worth nothing, and you don't mind loading all of your programs again. Some people restore a backup over a working Windows XP installation, but this is said by Microsoft technical support people to be unstable.

The ONLY way to back up a Windows XP and 2000 system drive is to do a sector by sector copy. See my Slashdot story and a discussion of this: Experiences w/ Drive Imaging Software?. The story gives a method of copying under Linux.

However, most sector by sector copies require that you have complete control over the drive.

The only solution I've found is Acronis TrueImage. It costs $50, and it works, although there are some small flakinesses. You can backup a Windows XP or 2000 system drive while Windows is running and being used. You can send the backup over a network to a local Linux machine.

To send the backups over the Internet, you would encrypt the Acronis files with GNU Privacy Guard first. There is a way to submit the password to GPG in a batch file. Since anyone who has access to the password has access to the backup files, this is not a security risk.

Google has more links to GPG.

I'm interested in hearing about any experiences anyone has with this.

Microsoft enthusiasts: Please don't disagree with the facts here, they have been verified many times by Microsoft articles and technical support people. Specifically, the NTFS file system is crippled, and NTBackup cannot back up the working system partition.

In point 5, Neil Gunton cogently observes in the last sentence "A commercial company, on the other hand, can afford to scratch the personal itches of its end-users, because the end-users are the ones paying the bills.". This very true, and I think it provides a useful illustration of a means by which an Open Source company can make money by directly selling software.

I too think that it is very important that we create a cash-flow ASAP, and that it should run through as few hands as possible between the end user and developers.

I think it is vital for the sustainability of Free Software that as many as possible can make a living from writing software directly.

One way to do it, is to convince PHBs that the way of the future is not buying products: "Products are bad, they may or may not do what you want", instead "you can take a free system, which almost do what you need, and pay someone to include the features you need, then, out of enlightened self interest, these changes are submitted back to the project".

German government did this with e.g. Project Ägypten, by paying a small number of small contractors. It works absolutely great, I use it myself often, and it worked great for the developers too. That way, you wouldn't get paid as a charity (which I agree is not a very nice prospect), but you're working with a proper contract. I think if this was common thinking, it would employ a lot of programmers and assure that Free Software would remain prosperous for foreseeable future.

The second thing is that end-users could team up and pay developers to add features they really like to have. For high-profile projects such as Mozilla, KDE and GNOME, I think this could provide very significant income for many developers, who could make a living simply by responding to user wishes.

Third, we need voluntary micropayments. Toss a .1 to developers now and then. It could accumulate to become significant, and while it may not provide a full-time income, it could get a newbie started.

Finally, I have this possibly socialist idea that governments should employ hackers rather than lawyers to find technological rather than legal fixes to obvious problems.... For example, the European Commission is trying to extend the right to reply to online media. While present proposal is not as totally hopeless as the first one, it is still unhealthy. Instead, what they should do is to hire a bunch of hackers to replace the very limited "right to reply" with an RDF based almost unlimited opportunity to reply.

The security of the protocol itself is just fine; it's the surrounding factors that make it hard to use, especially for someone who hasn't thought about these things well enough ahead of time.

I disagree. I was a big proponent of PGP back in the old days (mid-90's). Back then, it was more cumbersome than complicated. Regardless of the effort to set it up, it still required too much effort on my part to encrypt or sign or decrypt each and every message. My circle of co-workers, contractors, and friends gave up on it after a short while.

Recently, I have begun using Enigmail with GPG. It integrates quite nicely with Thunderbird, and I assume it would with Mozilla as well. We use it companywide, with Macs and PCs (ie OSX and Windows), and we convinced a contractor that uses Linux to use it as well.

While the initial configuration did require some degree of effort, it was not too tough. Encrypting, decrypting, signing, and verifying is almost automatic now, requiring very little effort per message. My PGP (I mean GPG) password is queued for 15 minutes, so from time to time I have to re-enter it. All my messages are signed, and if the recipients are in my keychain, it is encrypted as well.

I think if it is set up by a Slashdot-type person (and let's face it-- that's what most of us are paid to do), an "average" user should have no problem with it.

No bills neccessary. Save your court costs. Download: GNU PGP and Enigmail.

I think it may be a good time for people to start looking into ecryption.