Domain: gnupg.org
Stories and comments across the archive that link to gnupg.org.
Comments · 386
-
isn't this irrelevant?
Email is plain text. clear text. not encrypted. Now if this covered ISPs' right to read their users' mail if it were encrypted, then that would be something else.
It's clear text though, what do you expect?
encrypt it -
I Love Console Apps!
Hard to choose the greatest, but these are probably my top 10:
- Dev Todo is a wonderful outliner and task manager. Today I ported it to win32 using mingw to use at work (it pisses me off that windows dropped ANSI color support in their crappy CMD! I knew it was bad, but I still use it more than msys or cygwin because it is quicker on my slow box). Dev Todo stores everything in beautiful XML. I intend to make a filter for XSLT for my biweekly progress reports. My boss wants me to list things I've gotten done & what I plan to do & this great app can store all of that.
- Pine-I don't care if RMS doesn't consider it free. It is the best IMAP client. I do like Mulberry as well, though.
- GNU Screen-I mostly just detach/reattach. I'd like to learn to use it more.
- VIM-My editor. Again, need to learn it better.
- Lynx on windows and ELinks on Linux for browsing.
- I have aliased "fuck" to use cowsay to tell me to calm down. Great stress relief.
- GPG
- LaTeX. I hesitated to include this, but I use it on both linux and windows & it is technically interactive. I have started using it more than standard word processors (WordPerfect>OpenOffice>MS Word) and I want to use it instead of impress/powerpoint/whatever.
- OpenSSH because my box is so much better than the one I use at work
- NcFTP best ftp client I found, though I have been having much less need to use it.
-
Re:Use spymac.com
Don't forget...gmail currently doesn't require personally identifiable information, such as address, zip code, name of first born, social security number, size of anatomy elements. Spymac requires all info, including demographic information, and if I remember correctly phone number. At least if gmail doesn't ask in the future, that means my ISP still remains the 'bottleneck' for any real identity linking. I could still just use transparent anonymous proxies who don't care who I am to access gmail...which makes that even nicer. All someone in the government would have to do is send one email to spymac.com, and if they cave...it means exactly one thing: The government gets everything in about 75 milliseconds.
;p Of course, this is just a Big Encouragement for encrypted emails that the email service can't really touch, like GnuPG and PGP. It's not a matter of gmail linking 'certain information' with 'other certain information' if it becomes harder than it's worth to track you down for exercising your right to free speech. -
Re:Thunderbird Rocks.
-
Re:Drm
GNU DRM software is already available.
-
Re:Rubbish!
Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive.
That's a flat out lie.
$ man mlock
And if I remember correctly, you need root access to use mlock(). Now then, how do you feel about running Mozilla/Firefox as root? Mozilla and any other applications you might possibly type a password into... GPG has the same issue: http://www.gnupg.org/documentation/faqs.html#q6.1
Meanwhile, for quite some time, OpenBSD has had the "swapencrypt" sysctl option, which causes everything swapped to disk to be encrypted with a random key that is stored only temporarily in RAM, never on disk... thereby taking away any possibility of getting usable data out of the swap partition.
For more info: click here. -
We are experiencing a cultural transition.
I made a password list for a customer, that, over time, has grown to 3,849 words. (There is a lot of explanation about how accounts are configured.)
I encrypted that list with an unguessable password that includes punctuation and numbers, using the excellent GnuPG.
I sent the encrypted file by email to every responsible person who works for the customer, including the CEO. I demanded that everyone learn the master password, because otherwise, if something happened to me, they would have problems with their accounts and web site. I also copied the file to their hard drives.
Although I have made several demands in strong language, no one, NO ONE, has bothered to get the master password from me, even though I have suggested it in person to several people several times. So, they have the file, but have no access to it.
The fact is, the new world of computing (okay, not new to me or you) requires a huge cultural change, and the average person has mostly not gone very far in making that change. -
OpenPGP plugins
OpenPGP is a standard implemented by a few programs including PGP (non-free), and GnuPG (aka GPG) (Free). GnuPG support is either integrated into or supported via plugins on Kmail, Eudora, Mutt, Outlook, and many other clients. See http://www.gnupg.org/(en)/related_software/frontends.html for more details. There are a couple of Mac related links there. About the last two, GPG's privacy lies in the key, and thus you wouldn't want anyone else to be able to use your key -- they could sign messages as you otherwise. A hackish way to use GPG with these would be to manually use gpg to sign (and possibly encrypt a message) on the commandline, and then pasting them in. Someone could write client side code for dealing with webmail (Browser plugins that allow one to replace the current contents of a text input field with a signed message, but they could easily be security holes if not written correctly). -
Pssssst: GnuPG
Secure WinZip: Put files together with WinZip. Then run The GNU Privacy Guard. -
Re:Always?
With PGP you might just think you'd be able to throw a mathematician/programmer at the kit and get them to check it.
Nope. With GPG you could do that. But PGP is closed source, so you have to trust the vendor that a particular executable does what it claims. (Unless you're willing to disassemble the binary, which is difficult, error-prone, and sometimes illegal) -
Re:God no...
Not that this is a POSIX call. Here is an example of its use in GnuPG. They use it for security reasons.
-
Re:Workaround for gmail and privacy.
I'd rather use gpg, since it's not encumbered by patent issues. There is already a mozilla/thunderbird plugin called Enigmail, perhaps it could be extended to Gmail as well.
Note: before the tin-foil hats start screaming about Google using their cluster to brute-force decryption of encrypted mail. If enough people use encryption, brute-force becomes highly unfeasible.
-
Re:In Google We Trust
I quite agree.
It boils down to this:
If you have something to say that you don't want other people to read, encrypt it. There are plenty of simple tools to help you do this.
And the more we do this, as a matter of routine, the more the non-dweeb population will start to do so.
I dream of a day when you can immediately distinguish spam from personal communications because notes from your brother-in-law will routinely be encrypted.
-
Re:Remember the article troll?
No, I think he was talking about the gnu privacy guard.
-
Making an example of them...
This is just a lesson to all those other potential terrorists out about what happens to those who use plain-text email. Now they'll just begin using GNU Privacy Guard to keep the NSA from sniffing their plans. What next, outlaw the use of encryption?
I got a better idea. How about we stop terrorism by fixing the problems that cause it? Turning the world into a police state is obviously not the solution anyone wants and, so far, has only led to more terrorism. People are not born wanting to fly planes into buildings, so what has driven these people to such a level of desperation that they're willing to sacrifice their lives to kill thousands of innocent people?
-
GPG
By any other name it's GNU Privacy Guard and the "web of trust". A verified, accountable network of friends.
-
Re:fix mail
I use Enigmail on Mozilla Thunderbird. Enigmail uses GNU Privacy Guard (GPG) to do the actual PGP related stuff (which means that other applications that also use GPG have access to the same keyring and trust rules). GPG is a little hard to use, but I don't typically interact with it except when I need to set up something. Enigmail takes care of all the signing, verifying, encrypting, and decrypting for me. When it needs my passphrase, it asks me. When it can't find a key to verify, it prompts to download it from the keyserver. The only thing it doesn't do is help manage trust relationships.
It takes a little to setup and understand, but once it's working, it is just as efficient as regular email, and certainly doesn't triple the amount of time I spend working on email. I'm sure there are other solutions for other mail clients, and if not then you should lean on the vendor to provide them.
I don't know why people are so averse to using security technologies when it comes to email. They don't have any problem accepting SSL to secure HTTP or using ssh over telnet (well, most people don't). But all I can say is that the solution begins with you. Only you can prevent spam, lophophore. Hmm... maybe that would make a good public service announcement :)
-
Re:PGP
Windows Privacy Tray and GnuPG Made Easy libraries. Works for me, except for a bug when I try to sign and encrypt at the same time... the clipboard tools work for that. -
Re:Yes Yes!
Earthlink started blocking outbound 25. I dropped the sum'bitches like a bad habit.
Um.. Earthlink's email servers will forward outbound mail for any of your email addresses. For example, setting up an account similar to the following:
Address: email@domain.com
Inbound: pop.domain.com
Outbound: mail.earthlink.net
..will work just fine from within Earthlink's network.
In fact, Mozilla mail's outbound server setting is separate from the incoming ones - because by default it expects you to use only one outbound mail server (no matter how many incoming POP / IMAP servers you have configured for incoming mail). I'm sure the various mail transport server programs can be configured to do the same.
If this approach stops users from sending spam (because they can now easily monitor the volume of outgoing mail - and trace offenders), that's absolutely fine by me - I'm happy to support such a company.
And if you've got any privacy concerns with all your mail passing through their servers - use encryption, that's what it's for. -
Re:Open SSL contributes to the problem...
It suffers from one serious drawback though: it has no revocation information. If your key pair is stolen, you are pretty much doomed. There is no information on whether your key is still yours, and if not, from what point of time?
You can generate revocation certificates in the web-of-trust model just like you can with X.509, can't you? There's still the issue of how you expect to distribute the revocation cert should you need to, but those can be distributed through any channel (even non-secure ones) since they should be effectively un-forgeable. Is there something more to a CRL that i'm missing?
As far as figuring out whether a signature is valid given a known-revoked cert, the web of trust does require that signatures be timestamped. But a malicious agent with a copy of a compromised key and root privileges somewhere (to reset the clock) could create bogus signatures with bogus timestamps that would look valid.
Doesn't X.509 have the same flaw? It seems that you shouldn't trust any signatures from a given key (no matter what the signature timestamp) if the key is known to have been revoked, under any PKI trust model.
Average end users don't care about HOW things are done, they just want a reliable infrastructure. The problem is that there's no such thing if you don't care about the details...
All too true, sadly. -
Re:Open SSL contributes to the problem...
What you're describing begins to approximate the Web of Trust. But why approximate and not go all the way?
Why should each CA have the same trustworthiness value to every user? Joe could think that Verisign was the best thing since sliced bread, while Maria might want to give them a low score, and instead might want to trust CAcert.org more highly.
Furthermore, why relegate trust just to official "Certificate Authorities"? If i know that my brother will do a good job verifying identities of organizations that he deals with, why can't i choose to trust him for these tasks as well?
Once you start to distribute the responsibility for certification, you are building a web of trust, in which each entity can both certify and be certified, and the middlemen/brokers/leeches we use today as CAs would be forced to actually do identity validation or become irrelevant and useless.
Of course, this all depends on every user knowing what it means to "trust a certificate authority"...
And it depends on web site admins not just wanting the "least hassle" when it comes to getting their SSL identities signed.
-
Re:Open SSL contributes to the problem...
An SSL certificate is just a (hopefully long) bit-string formatted in a certain way. I don't see how the fact that anyone can generate a long bit string to a well-known format contributes to the insecurity of SSL.
If a protocol can be weakened by someone generating a long bit-string, then that protocol isn't worth much in the first place.
Public knowledge of SSL (incarnated in the openSSL source) is not the problem. Rather, the problem is twofold:
- Uncomprehending users: End users don't understand PKI, for the most part. They don't understand the implications and assumptions which underlie the system. By default, the X.509 architecture means that they end up implicitly trusting the root Certificate Authorities installed by their browser provider (which means they are implicitly trusting their browser provider and we know who that usually is...)
- Untrustworthy Hierarchy in X.509: The hierarchical nature of SSL's PKI means that even for those people who understand how it works, they are still strongly compelled to trust some large CAs. Sadly, many of the large CAs have abandoned their ideal role of actually establishing and verifying identity. They seem to now see themselves as yet another middleman who deserves a cut of any transaction without providing a service. How many times have you seen a CA whose policy for establishing identity amounts to "Please send us a fax on company letterhead" ? Who can't send a fax on "company letterhead" these days?
I would be willing to pay a good CA for actual verification, even as a client, if i could be sure that they were actually verifying the folks they issued certificates to. But it would need to be big enough to be able to certify a large number of sites to be worthwhile...
The non-hierarchical nature of the web of trust model of PKI is so much better than X.509, so it would fix the untrustworthy hierarchy issue above. But, even more than X.509, it expects all the end users to understand the basic ideas of PKI, not just "look for the little lock and click those dialogs as soon as they come up". sigh...
-
That is why PGP/GPG is your friend!
-
Re:I have a better idea
Who would issue the certificates?
Would it be a central authority (VeriSign?)?
Would a certificate holder need to provide extensive personal info to the issuer or pay a periodic fee to the issuer in order for the certificate to remain valid?
How are certificates better than signing with PGP/GPG/OpenPGP?
PGP signing is an easy, effective way of identifying a sender that relies on an established web of trust rather than a commercial agreement. It allows for persons to remain anonymous if they need to while providing information on who it is that has signed the sender's key as being authentic. The same technology also provides for very effective encryption (using the recipient's public key) that can be automated to ensure the maximum level of available privacy without being unnecessarily difficult to implement.
How is this better than rejecting emails that do not originate at a mailserver that has a mx record in dns?
Emails can be sent through your provider's server using smtp_auth, smtp_after_pop, etc. from anywhere on the internet. This would not prevent you from sending when you are on an unfamiliar network such as when you are traveling. Rejected emails could be bounced back to the sender explanation of why it was rejected and asking the sender to contact their provider or system administrator if they have any questions.
I get very wary of certificate based solutions, as I tend to prefer decentralized systems over central authorities. The recent behavior of VeriSign is a good sign of what can happen to any company that is permitted to set itself up as an "official authority", and I cannot help but believe that there will be certificate issuers that abuse their position. Also, I do not like the idea of requiring registration with centralized databases of users' personal information, when it is entirely unnecessary for sender identification.
-
Re:At least
Well, it's really called GnuPG, but you're right, it is the standard that basically states: "the sender's signing key validates against the original key you trusted by signing it with your own key." I've started signing all of my emails in Thunderbird using the help of the Enigmail plugin and encrypting any files I attach in my emails with the help of WinPT. I know this post looks like a giant plug for these "products," but since they're all free, open source software which I have no affiliation with, it's simply me trying to get the word out that there IS a manner in which to get your emails to your friends in a trusted, reliable manner, and hopefully convert a few of your friends and family to using the same method in the future. We wouldn't have to worry about address spoofing if email gpg signing was a de facto standard of every email client! Plus it would be a lot safer and difficult to circumvent (ultimately) than Yet Another Format for email.
-
those md5 files are bullshit
I have never understood what those people are thinking when they publish .md5 files. I mean, really! If someone gets far enough to upload a compromised tarball, what stops him from also uploading a matching md5 file?
Exactly. Nothing.
That's why people with more than one brain cell upload .sign files. Those are digital signatures made with the GNU privacy guard. Digital signatures make sure that the guy who owns the secret key (and only him) can create signatures, which then everyone can check.
Of course there are also caveats (some dark three-letter agency could have cracked the key with their Roswell quantum computers, or someone could have stolen the secret key), but those are far less likely than some asshat uploading a md5 sum. Everyone can create matching md5 files for any content, but only I can create sign files matching my secret key.
So please someone hit those GNOME idiots with a clue stick, those md5 files must go. Now.
Oh, and while you are at it, please also tell the gnome people to use a directory structure where mirror programs (and people!) can see whether there were new uploads without having to recurse through the monstrous moloch directory tree from hell. Thanks.
Sheesh. Now that wasn't so hard, was it? -
Re:I WILL SAY IT AGAIN...
Actually, it's called a Web of Trust, not a ring of trust, and it's the basis behind PGP and GnuPG
-
Re:Not quite "fair" politically.
but I believe that inserting his political beliefs into his work project is less than elegant.
Agreed. GNU Privacy Guard did the same as they opposed the Iraq war. Even now, they're still featuring a PACE button at the bottom of their home page. I actually had trouble convincing some more conservative companies to adopt GNUPG as a replacement to PGP after this.
-
Compiling Gaim MSN plugin properly
In order to compile Gaim 0.71 and greater the best library to install is GNUTls. I compile all my programs from source and got GNUTls to work with the MSN plugin. In order to install GNUTls you need the following libraries:
libgcrypt-1.1.43
libgpg-error-0.5 (libgcrypt requires it).
opencdk-0.5.1 (This is required for the proper compilation of gnutls, since it doesn't properly check for the --no-opengpg flag in the configure script).
gnutls-0.9.90 (This version is required for the proper handshaking in the Gaim MSN plugin).
I know that I also had to change some of the source code of gaim-0.71 (specifically file plugins/ssl/ssl-gnutls.c), since some of the functions in libgcrypt-1.1.43 had changed the number of parameters. The extra parameter is a size_t of the size of the buffer being passed. The older version of libgcrypt had done a sizeof inside the function, but now requires the coder to supply the function with the size. I did this by passing the sizeof of the buffer to the function as a parameter.
The reason I went through all this is because the Gaim plugin would not handshake with GNUTls-0.8.11 because of a capability not being installed for certificate checking, which is found in 0.9.90, but 0.9.90 requires the libgcrypt-0.1.43 library. I am sending this post to the Gaim maintainers to let them know about the extra parameter needed to use the 0.9.90 GNUTls library.
After all this I got the handshaking to work (I checked the debug code for Gaim), and am happily able to log on MSN properly.
-
Re:Distro vs. Linux
I'm having a bit of a hard time defining the fine line between kernel and distro...especially at the driver level. I understand that stuff like Quanta and GIMP are not kernel stuff but are hardware drivers a kernel thing or a distro thing? (Network Cards and modems, for example)
The Kernel is the lowest level code that is running on the machine. Linux IS the kernel. The kernel acts as a sort of translator between the hardware on your computer, and all the software that you run on the computer, including things like X Windows, KDE, Gnome, Apache, GIMP and Quanta. Drivers for your hardware are part of the kernel.
A distro is basically a collection of software that runs on top of the Linux kernel. Redhat packages the kernel up, along with an installation program, and a whole pile of software.
On a different note -- maybe I'm talking out of ignorance here but one of the things I've been looking for is encryption support. As in being to encrypt folders and files, etc. The closest I found seemed a bit scary to try with kernel patching and loopback or whatnot. Am I just looking in the wrong spots?
Check out The GNU Privacy Guard. It is similar to PGP. You were probably looking at encrypted filesystems - An entire partition (or a filesystem contained within a file, that's what the loopback would be) that is encrypted, and uses kernel level code to mount it like any other filesystem on your computer, and decrypt/encrypt on the fly as you read/write to it.
-
Re:GPG is also a disaster and other rants
Be under a BSD-ish license, so it could be linked in to commercial and non-commercial products. Be a LIBRARY, not a stand-alone executable, so it can be linked into anything at all.
Right, that's why no one has succeeded in making GPG-encryption plugins for Mozilla, Eudora, Evolution, Outlook, and so on.
Those GNU folks are just evil; that's why they would never agree with something like the Vorbis BSD license.
Or it could be that most people don't really understand the need for encryption, are hopelessly confused by key management, and won't use it until it is bundled with their computer and employed by default in their email program.
-
Re:Denial of Money attack?
<tinfoilhat>This also provides a convenient place for the government to monitor your email.</tinfoilhat>
Er... Because of course the outgoing traffic to port 25 isn't trivially easy to analyse at any other point in the ISP's network.
Get GnuPG. It's the only way to be sure.
-
Re:Thus defeating the object?
however, if you have ever tried to get joe-average-desktop-user to set up gpg or pgp then you know that something has to be made easier! even the point-n-click solutions like winpt or mac-gpg (my fave!) make my dad's head ring.
Really, now... I've gotten several of my friends, friends who use Windows, and mostly for games, email, and word processing, to use GnuPG. Naturally, they can't (and don't care to learn how to) use it well on the command-line or really use it to its full potential, but they can use it for email.
It's a matter of downloading the Win32 build from gnupg.org (anybody who uses the Internet can click to download something) and extracting it to c:\gnupg, which nowadays Windows can do without a helper, then installing Mozilla Thunderbird (or the Mozilla suite) and Enigmail. All basically point-and-click. Enigmail even helps you create a keypair.
It's hardly difficult to do, and even understanding the basics ("If I sign this but don't encrypt it, anybody can read it, but they'll know I wrote it... If I encrypt it, then only the person[s] I encrypt it to will be able to read it, but there's no guarantee I sent it... etc.) are not difficult, I think, for the average user. It's just that not enough people know such a thing exists, and is so easy to use.
I point to a short informational page at the bottom of all my email (it's all signed). It's not much yet, mostly links, but it may help spread the awareness of PGP, at least to people with whom I exchange email.
-
Re:Regulation is not the answer
software developers should be required to take a qualification...in order to work in positions of authority and responsibility
I'd rather have someone who's competent in the language and competent in the application coding whatever Big-Important-Project may be. For instance, take GnuPG. As far as I know, requiring those guys to take a test to prove that they know what they're doing with that particular application would be useless; they understand the design necessities of strong encryption, and they have the programming skills to realize those design needs.
Having a competent and uncertified programmer working on something that s/he has a stake in seems much more important than having someone who doesn't understand the application but can summon the Vast Powers of Certification (TM).
-
"What about my security blah blah" GET GPG
For all the people saying what about my security and such and so forth....How many of you are using GPG, have a public key and are encrypting your email communication?
"But it doesn't work with Outlook."
Your security and privacy were voluntarily given up long ago.
The rest of us ( I didn't put up my hand either ) should go download it now:
-
Backup to an FTP site?
Would backing up to an offsite FTP account or two provide the protection you need? You could host it yourself or have an ISP with its own backups host it for extra protection. It may even be straightforward to automate depending on your setup. You can use GPG to encrypt the backups if you are concerned for their privacy in transit or at the backup storage site.
-
Having said that...
Having said that there's not much you can do in a previous post, it occurs to me that one can use GnuPG to sign their messages or encrypt as necessary. Do this persistently and hope to God your correspondents have it or PGP or a clone thereof installed.
-
GAIM - GPG Encryption
Gaim has GPG (GnuPG) now.
Check out Gaim-E plugin for gaim.
Although I've not used it, I find the gaim-encryption to be a great working plugin for gaim. Even works with the windows port of gaim. -
Re:Have a floppy?
I don't think it's that easy. What would prevent an attacker from modifying the md5sums that were present with the machine so that the backup then contained the modified md5sums of the trojaned applications?
No, the best solution is to have a separate, offline copy of known good md5sums to compare against. Ones that came directly from the developer, preferably signed by the developer's GPG key. -
GnuPG
GnuPG has received a lot of support from the German government, IIRC. I think there has been a /. story about it. -
Re:KDE and Germany
The German government is funding open source email encryption software under project Aegypten. Some of this is KDE software, for example work on the kmail mail client.
See Project Aegypten Home Page for details.
-
Why not GPG?
-
Oh well...
I guess this is just yet another reason to switch from plain text e-mails to more secure alternatives.
-
Jabber
-
Even More Importantly..
If you use GnuPG(GPG) or PGP to encrypt your files, you get compression too. There is absolutely NO reason to use a nonstandard compression utility to do low quality encryption.
-
Re:PGP as the new competitor
It seems as if PKWare and Winzip are moving into the realm that is dominated by PGP and the GNU variant. PGP compresses the data when it encrypts it, so that need was taken care of already.
This might be absolutely true. But why should I shell out 39.99$ for a piece of software, which is nicely implemented by GPG in the first place? It seems to me that this is a somewhat flawed business model.
In addition I get to see the source and compile it myself. Mind you, not that I have a fucking clue about the specifics of that source, but it's still a nice thought in the age of total information awareness (I couldn't care less, what they call it this week), supermarket shopping cards and bad data that might be stored about you in an airline reservation system.