Slashdot Mirror

There are already many good Windows programs for GnuPG. Look at the fine WinPT program which let you encrypt texts with every mail program available. Not as comfortable as a build in program but still easy to use. For key management you can use GPA. In Germany there is already a project which combines all these programs in one windows installable program with a very good documentation: GnuPP. There is also a plugin for Outlook available (not Express).

The problem with GPG is that it lacks an easy-to-use interface and Windows plugins.

This pageprovides a fairly nice listing of some of them. Check them out, kick the tires, see if they work for you. YMMV.

One thing to note - WinPT is shaping up nicely as a general GnuPG interface (although it doesn't provide a selection of MUA-specific plugins, they do also offer GPGOE, a plugin for Outlook Express). WinPT is Open Source under the GPL license. And unlike other frontends, WinPT is more tightly integrated by using GPGME, GnuPG's new API.

Theoretically PGP in the early days could use RSAREF from RSA Labs but it needed some calls that were not in the published interface and thus broke RSA Labs non-commercial licence.

The thing is that Phil requested that none of our software was GPLed as he wanted to try to use parts of it commercially. Fair enough, he would keep the non-commercial version as open as he could. Actually it was pretty open by then because contributors were working in France, Germany, even, I think, Russia.

When the program was first passed to Viacrypt. They had there own licensed RSA engine and could drop it into PGP. However PGP still used another patented algorithm, IDEA. This had to be licensed (about $15) for commercial users.

Viacrypt then got swallowed by NAI or at least PGP was transferred with it together with Phil Zimmerman. PGP moved away from algorithms like RSA and IDEA so didn't have so many patent issues. We ended up through Phil's efforts with a version of PGP free for non-commercial use an a licensed version for the corporates. However, many of the platforms were dropped.

The source code of PGP was printed by MIT in an OCR freindly font and the whole thing was exported legally to Norway, scanned nd put up on the pgpi server. Later, NAI did something similar to get the code to their office in Switzerland and with the availability of commercial PGP in Europe, the free version went non-commercial only.

NAI stopped publishing source code after 6.5.8 so a lot of people stopped there with that release. Strangely, a commercially licensed user was not allowed to recompile from the free source.

Ok, history lesson over. PGP always has had a bit of a chequered past because some people don't like it one little bit. It was a difficult product to sell but NAI seemed to have had a steady business with it. That they dropped it after 9/11 came as no suprise to anyone (it may have been making money but not enough to want to compromise sales of other s/w to the US government). However, in the background we have the OpenPGP standard (well, RFC) being developed that gave a chance for other interoperable programs like GnuPG to be developed. This project has the backing of the German government, who seem to believe in strong encryption for the masses. The software is currently far from perfect (try recompiling the Windows version), but it works and without the patented algorithms. There are some front-ends that make it reasonably user friendly. It isn't there yet, but it will be.

In the mean time, I have seen PGP in use in Central Asia, not by terrorists, but by a Central Bank for interbank money transfers. That terrorists and criminals have used PGP is certain, but so do people like Amnesty and the Red-Cross. The use of PGP to co-ordinate attacks against the US is a massive red-herring to cover up incompetence by the FBI and INS.

I know gnupg has made some very big strides in this area, but clearly, now is the time to devise a framework upon which popular encryption is allowed to survive PGP.

The point isn't whether the geeks can do it. The point is whether some poor, persecuted soul in some totalitarian country, like -- um, you know -- can click a button and send an email out of the country or to his best friend, securely.

Clearly we would like to see front-ends developed for all the popular email applications that can accept code implementing any kind of encryption scheme whatsoever, and encryption algorithms that can fit into any popular email application available.

If somebody comes up with a new encryption algorithm, they shouldn't have to write code to support Evolution, Eudora, Outlook Express, so forth and so on.

Likewise, somebody should be able to write a front-end for a email application according to a specific API and expect to see every available encryption algorithm thus far implemented available from within that email application.

And of course, it all needs to be open source. If anything needs to be open source, it is this.

gnupg is great, but it presumes a single algorithm, doesn't it? Wouldn't it be much better to make it easier to introduce new algorithms into the mix? Put yourself in the position of the GS-7 analyst sitting in Virginia who has to run all these decipher jobs. If he gets to *assume* that the encryption being used is pgp-style, his workload is modest, he just needs to feed the file to the program.

But if he first has to figure out what algorithm is being used, suddenly his job becomes many orders of magnitude harder. Especially if there are hundreds if not thousands of algorithms out there, each and every one available to the common man for his use.

I know we're not supposed to rely on obscurity for encryption, but that presumes your only interest is in protecting a single channel of communication. If your interest is in protecting *all* channels of communication, obscurity becomes viable. Something as trivial as taking the output of gnupg and exclusive-or'ing with a Erica Rose Campbell jpeg would add another - if - statement to the NSA's decryption code. Add another 100 jpegs every day and very quickly the NSA's job becomes very, very hard.

I never liked PGP. They zip before encrypting, and I could never get an answer from Zimmermann as to whether or not the checksum survived the zip. If the checksum survives, all the NSA has to do is unzip every try at an encrypted file and see if the checksums match. Strip out the checksum, and their job becomes much harder. The checksum needs to go.

Looks like it's time to switch to GNU Privacy Guard [gnupg.org] if you haven't already. Does anyone know if it will be immune to this attack?

It might be worth noting that GnuPG is also being developed with funding from the German government. Even if NAI were to try and block GnuPG with such a DMCA claim, I suspect it would be entirely futile and wouldn't even cause a hiccup in GnuPG distribution and development.

That was a troll, right?

If it wasn't, are you aware that there are free alternatives to PGP available?

It's probably too soon for him to have made a comment; all the same, a little Googling turned up some insightful stuff: apparently, Zimmerman dissed GPG. But that was a couple of years ago. I wonder what he thinks of it now, considering that GPG is about the only PGP replacement worth considering.

:Peter

And for those that haven't found it yet, enigmail should allow you to use GNU Privacy Guard with Mozilla, even under Windows. Haven't tried it myself yet.

I could be mistaken, but I think that GPG plays just fine with NAI's plug-ins. And as for frontends, I don't think you have looked hard enough. Also, Kmail has effortless integration with GPG, and I hear that Evolution does too, although I've heard that there were a couple of bugs in it. Perhaps they've been fixed by now.

:Peter

Good thing there's GPG...

- A.P.

I'd personally feel a lot less invaded if I knew the system was in place and in this form.

I'll personally continue to encrypt my emails - as many as possible of course.
Routine use of encryption (like for the one-liners) defeats to some extent traffic analysys.

The recent improvements in factoring (look here and here) don't affect 1536- or 2048-bit keys (or larger). For the time being, public-key encryption is the best means of protecting your e-mail privacy. Don't rely on some guys' kindness - with a little effort you can be sure your nosy admin/ parent/ spouse/ street cop won't "accidentally" read your stuff.

http://www.gnupg.org

Even with the recent evolution in factoring, there's no match for a properly set-up pgp/gpg.

Why bother to rely on their niceness when you can easily be rather sure nobody reads your important mails?

One great thing about it is that it is a cross-platform solution. I can use it under WinBlows and linux; both with GnuPG and the same keyring. <grin>

One thing I like the sound of is Herbivore. Putting transparent, seamless and automatic encryption and signing into MUA's is the best solution to problems like Carnivore.

I urge people in light of the recent "demise" of PGP to lend their time & support to projects like Enigmail and Ägypten. Even if all you do is report bugs or make suggestions for improvements you'll help with getting these products ready for non-geek end users.

Come on guys & gals! Pitch in!

Craig.

So someone starts sending fake summons via email with faked return addresses. How do you know what's real in E-mail.[?]

I'm personally a big fan of crypto, and the idea that lots of things (for instance, being served legal documents) can be conducted online securely with existing technology.

If you've ever played with PGP, you should know what a signature is. If not, try reading the GNU Privacy Handbook (some parts are GnuPG specific, but lots or most of it pertains to OpenPGP in general). The result is there could very well be a standard public key for every court jurisdiciton (and if you want to get detailed, these keys could have a chain of signatures, higher districts signing the keys of lower districts). These keys could be used to sign documents being served, and the availability of the public keys could be used to verify the document's authenticity.

AFAIK, crypto won't solve the issue of documents being served to dead addresses, or people denying that they were ever served.

If we're going to rely on PKE/PKI, we need to get this "security" (particularly Windows security) travesty in order. Public advocacy of the importance of general system security, and the responsibility of big software vendors (cough, Microsoft) to release patches quickly and make it easy for home end-users to get patched regularly (automatically?) could play a role in removing the number of worms and trojan horses spreading on Windows-based PCs. Lack of system security compromises the integrity of people's online identities and the potential role of PKE in the legal system.

IANARC (I Am Not A Real Cypherpunk); there's probably a host of issues I haven't covered that must be taken into consideration.

I know you might not see this, but I suggest that whoever modded your post Insightful is on crack.

In case you are really not aware of this, GPG comes with a GUI tool, the Gnu Privacy Assistant.

I know you might not see this, but I suggest that whoever modded your post Insightful is on crack.

In case you are really not aware of this, GPG comes with a GUI tool, the Gnu Privacy Assistant.

It's true that currently GPG's user interface is terrible for beginning users if they have to use it directly. So, clearly, you want to use programs that embed GPG (like Evolution). Also, note that the German government is funding further development of GPG. They specifically say that their funding will be used to make GPG more usable by less experienced users, including porting the software to other operating systems, developing graphical user interfaces (GUI) and writing a handbook.

Thus, this sounds like a short-term problem at worst.

How 'bout putting the algorithm into a library?

GPGME is a project to do this. From the website: "It provides a High-Level Crypto API for encryption, decryption, signing, signature verification and key management."

It's a work in progress. It's useable, but of course, there is the standard disclaimer. Compiles fine on most Linux distributions. It needed a small amount of help to compile on Mac OS X. Not sure about any other OSes.

• It works well,
• and is ported to many platforms, including windows
• And has even 3rd party outlook plugins.

I'd encourage you to switch to an open source project such as GnuPG just out of principle, but I do believe it can also interact with PGP encrypted things (to certain limitations... see the GnuPG FAQ on the subject. Basically if it's implementing OpenPGP, GnuPG can read it.

I think it's time we started using highly encrypted messengers and email.
We have stuff like GnuPG and PGP, but hardly anyone seems to use it...
Why? Because many think it's too much work to do so.
Well people, then stop making such a big deal about the government reading your mail and checking you IM logs...
Face it, it's the only form of protection we have agains governments that do not respect privacy. And I'm not talking about governments like China here, but the US goverments and the European ones.

Another thing is, here we only speak about governments... everhad the idea that companies may be doing it a bit sooner, the illegal way?

Imagine this: You are working for a major company. You have an ADSL Internet connection at home and use IM systems and email.
I know of one company (in .be) that is doing huge research involving ADSL modems that will give the major company the possibility to 'listen' into your IM and email conversations.
And that is just one of the possibilities.

Face the facts, encrypt!

• You're using a computer that could have a keystroke logger installed. http://www.keyghost.com is an example of a tiny & cheap hardware logger.
• You need to use your personal GPG keys at work, school or a web hosting facility where you don't trust or own the equipment.
• If you maintain a PGP Certificate Authority or signing key and have to have a safe place to use the CA key.
• If you simply don't want to risk putting a PGP key on a hard drive where someone else might have access to it.
• The Illuminati are watching your computer, and you need to use morse code to blink out your PGP messages on the numlock key.

• readme.txt, also on the floppy image
• The source code for files on the floppy
• The tinfoilhat linux floppy image plus disk signature file Transfer this image to disk using rawrite (on windows) , dd on unix (dd if=tinfoil.img of=/dev/floppy ), or Diskcopy on a MAC.

• Q: Why doesn't the floppy I got at codecon match the signature above?
  A: because I screwed up & wrote a nvram.md5 file to the floppy I then used as a master. I had to remove that file from every floppy. The result is that the MD5sum of the codecon floppies should be: 3608290765de7d5283a1a22813677a56
• Q: How do I undo that horrible screen in paranoid mode?
  A: Type "contrast" at the command prompt, or play with ctheme.
• Q: Is this really a 1.0 stable release?
  A: Think of this as a linux kernel 1.0 . Yes, it's stable to the best of my ability, and has been tested, but not for very long or by many people.
• Q: What sort of hardware is required to run tinfoil hat?
  A: Any 386DX or faster IBM compatible with more than 8 megs of RAM. Pretty much any PC made in the last 8 years will work fine.
• Q: where do I send complaints, bugs & feature requests?
  A: anonymous AT nameless DOT cultists.net
• Q: What is the license for this distribution?
  A: The scripts, documentation, and the distribution as a collection are released under a modified BSD license. Obviously, other people's software in this distribution retain their original licenses.

• Aluminum foil deflector beanie from zapatopi
• The man in the Tinfoil Hat . A good example for people confused by the tinfoil hat reference.
• http://www.gnupg.org
• Joelm's comprehensive TEMPEST site.
• Tempest for Eliza A fun tool for observing the radiation from your computer. If anybody ports this to Direct FB, I'll put it on tinfoil hat in a flash.
• Diceware a tool for generating very secure passphrases.

I still can't beleive that encryption, digital signatures and random key generators can be both fast and secure in Java...

- Benad

I have personally seen it in several places , it's out there but the tech-guys often don't shout about it. I don't know why, whether it is internal pressure, or commercial pressure or interoperability between departments.

QinetiQ the UK's commercial wing of DERA (Defense Evaluation and Research Agency) produced this report: QinetiQ_OSS_rep.pdf. Which is the most pro-OSS report I've read.

The German Government support GnuPG and a few other security related projects.

And of course the NSA have SE-Linux, and have put money into research at the university of Utah.

LANL have some pretty serious Linux clustering.

Indeed, that sort of thing is probably why this happened:

The German Federal Ministry of Economics and Technology granted funds for the further development of GnuPG. See our press notice for details. --the Gnu Privacy Guard website

I'm beginning to prefer Yahoo! webmail over using local clients. I can access it whereever there is a web browswer and it's always in one place.

I can download and run PuTTY through the computer's browser or (if the computer supports it) I can plug in my DiskOnKey and run PuTTY off of that. With that going, I can then log into my computer and use mutt to read my mail. With GPG installed, I can sign and/or encrypt outgoing mail and validate and/or decrypt incoming mail. Mailing lists are automatically dumped into their own directories, while other classes of mail (HTML mail and mail from known spammers, mainly) gets bounced. Try doing that with Hotmail or other webmail services.

Project Ägypten (Free Software Sphinx-Clients):

The Sphinx project launched by German authorities aims to improve secure email exchange. The projects technological base is the protocol 'TeleTrust e.V. MailTrusT Version 2'. This includes the standards S/MIME, X.509v3 and others.

Proprietary products are already on the way, but with the project Ägypten there is now also a Free Software solution going to be realized for popular mail user agents (sphinx-enabling KMail and mutt are essential goals).

The Free Software companies Intevation, g10 Code and Klarälvdalens Datakonsult AB are contracted by the German 'Bundesamt für Sicherheit in der Informationstechnik (BSI)' to incorporate the Sphinx protocols into Free Software MUAs. Background is to ensure availability of alternatives to proprietary desktops.

Here is a link to the MIT distribution site for PGP freeware. I haven't tried the GNU Privacy gaurd yet, but the MIT site seems to be more comprehensive in comparison. For instance they have a .exe for Windows 95/98/NT/2000! and the Macintosh and a Command Line version for UNIX. Although you need One of these flavors of UNIX:
Sun Solaris for SPARC version 2.51 or later; AIX 4.2 or later; HPUX 10.20 or later; and of course Linux x86 Red Hat (RPM) 5.0 or later. To encypt mail they use something being developed on sourceforge [woo hoo] called Mailcrypt . It does say on the Mailcrypt site that they now support both PGP and GnuPG. So now I am not sure of the difference between the two.

• Win2K uses DES, which is notoriously vulnerable to today's raw CPU power and dedicated, custom-built machines.
• "Export-grade" US crypto is ridiculously vulnerable, and this has been known for years. People who take crypto seriously outside of the US have other sources of crypto.

• Al-Quaeda/Bin Laden operatives are not the crime geniuses the US government say they are. As a matter of fact, they appear as pretty incompetent to me.
• The [CIA | NSA] should have intercepted that data before 9/11 -- or, at the very least, got those machines before the reporters did. They also appear as pretty incompetent to me, and I don't know if that's good news or not...

If I was anybody anywhere looking for encryption tools, I'd start with GnuPG. This way we can avoid patented algorithms and proprietary/closed source problems altogether from the git go.

Presumably PGP runs on unix?

PGP 6.5.8, the last freeware version

GnuPG 1.0.6, the GNU Privacy Guard, is a free implementation of the OpenPGP spec.

While I agree that it is vitial that people contact their representatives with their concerns and support organizations like the ACLU and the EFF, another thing you can do to defy mass survailance efforts like Carnivore is to use encryption whenever possible online. I'm sure there are other /.ers out there who know a lot more about the subject (please speak up!), but I wanted to add what information I can for those who might not already know. Here are a few suggestions of ways I know to use encryption:

• Email

• You can encrypt your email communications with others who are also willing to get the right tools. Probably the easies tool is PGP (there's also an international page), or for the free software crowd GPG. PGP makes this pretty easy to use under windows with almost any program with its encrypt clipboard contents feature, but there are also plugins for verious email programs.

• Terminal Sessions/Telent

• Most people probably know about it, but there's ssh, openssh, and if you're using Windows check out Tera Term and its ssh extension.

• Instant Messaging

• My appologies to the *nix crowd, but I don't yet know much about instant messaging on those platforms (soon); however, if you use windows I have seen several instant messaging clients that support encrypted chatting. I suggest Trillian, which is awsome anyway, free, and has encryption features. As far as *nix goes, I'd check out the big ones (e.g. Jabber) and if it isn't in there by default, look for plugins.

This certainly doesn't solve all the problems. The biggest is web browsing. You can use anonymous web browsing tools such as Anonymizer, but that is admittedly kind of a pain. I don't have any good suggestions there. I'd be interested in any other ways others have found to incorperate encryption into their online communications.

Seems like someone has understood something about patents. According to the Rijndael spec, the algorithm is not patented. Specifically, section 1 of the spec says:
Rijndael or any of its implementations is not and will not be subject to patents.
This should enable Free Software and Open Source Software projects to use the algorithm, and it seems some do already (like GnuPG). It would be interesting to know if the working group has considered patent issues when selecting an encryption algorithm for AES.

Also, the processor time and memory is roughly proportional to key length

In other words, the time to decrypt a message with an n-bit key is O(n). The time to bruteforce a message (decrypt a message with all n-bit keys) is thus O(n*2^n) which is still O(2^n) at high values of n. So you still lose a bit of key length to Moore's law of transistor density every 18 months.

So if you double the capabilities of your computer then you can double the key length without taking a performance hit.

But then you and everybody you communicate with would have to make new keys. And even then, you often can't use more than 128-bit keys across national borders.

Well computers probably got fast enough in the last 80s, but encryption-for-everybody still hasn't really taken off. I guess social factors are harder to model than CPU speeds!

Another problem is that PGP/GnuPG "web of trust" model requires you to know somebody face-to-face who is already part of the web of trust so that you can validate her key and gain access to the rest of the keys. In fact, there must be a path in the graph of PGP users that leads to Phil Zimmermann or to Richard M. Stallman (see also Oracle of Bacon).

I can't see any info about AES being adopted in the PGP framework. Anyone knows how this work is progressing?

You still use crypto software you have to pay for? [Yes, this was a joke, maybe you only use crypto "for personal use".]

GnuPG, on the other hand, developed AES capability less than 2 days after NIST originally approved Rijndael last year. The next public release wasn't for a week or two, but still.... (Well, NIST officially "approved" it just now, but they "recommended it for approval" just over a year ago.) I remember seeing a message from the GnuPG development list about an hour after the NIST announcement saying "I'm working on it."

GnuPG is similar to the command-line version of PGP and supports the same file formats / protocols, but is free for all uses and isn't affiliated with Phil Zimmerman or Computer Associates. I don't know if it has the same depth of plugin support for third-party apps, but hey, it's supported by all the Linux apps I need it for.

RFC2440, which defines the OpenPGP standard, already reserves 3 AES keys sizes (128, 192, 256-bit).

Gnupg already supports AES in all 3 block sizes and so does 'official' PGP v7.0x.

PGP since v7.x hasn't been open source, so you won't find any details at www.pgpi.org. The best way to add AES support to previous 'open source' versions is to use the CKT builds by Imad. These are still based upon the v6.58 code base but contains dozens of fixes and improvements.

RFC2440, which defines the OpenPGP standard, already reserves 3 AES keys sizes (128, 192, 256-bit).

Gnupg already supports AES in all 3 block sizes and so does 'official' PGP v7.0x.

PGP since v7.x hasn't been open source, so you won't find any details at www.pgpi.org. The best way to add AES support to previous 'open source' versions is to use the CKT builds by Imad. These are still based upon the v6.58 code base but contains dozens of fixes and improvements.

1. Install a TLS mail server and tell it to speak TLS to everyone.
   TLS is a way of sending e-mail using SSL. When you send an e-mail from your TLS-speaking server to another TLS-speaking server, it will automatically travel encrypted. TLS also has support for certificate verification. Most popular mail servers, including sendmail and postfix, have TLS support. Debian users: apt-get install postfix-tls and follow the README.
2. Use SSL wherever possible.Simple enough. https for websites. Make websites use SSL even if they don't "have" to.
3. Use IPSec or other VPN technologies.These can help ensure that spies won't even know what protocol of information is traveling down the wire. They'll only know the two endpoints of the connection, when data is sent, and how much.
4. Use GnuPG for all e-mails. This protects your e-mail even if you can't use TLS -- and it protects it while it's in your ISP's spool. Spies can probably figure out who the mail is from and who it's going to, but not its contents.
5. Don't use Windows. The keyloggers used by the FBI apparently target that platform most.

Copyright © 2001 Michael D. Crawford. Permission is granted to reproduce this document provided it is copied verbatim, in its entirety and that this copyright statement is preserved.

I just feel the need to write right now. Something has gone terribly wrong with the country I was raised to love. The good things that America stands for are being trampled into the dirt by those charged with the burden of protecting them.

I was raised to be a patriotic American. I grew up a military brat - my father was a proud officer of the United States Navy, who served in the Vietnam War. When I was young, I was always told that my father was fighting to preserve the freedoms that were guaranteed us by the United States Constitution.

In the first grade, I attended a school run by the U.S. Navy in Gaeta, Italy, where my father was stationed aboard the U.S.S. Springfield. Each day when we started school we sang patriotic songs and said the Pledge of Allegiance. We were told that America stood for freedom and democracy and justice.

I loved America for what it stood for.

I was told that things like political persecution, detainment without trial, and beating of prisoners were things that happened in other countries, that they would never happen in America. I was told that we fought the American Revolution and wrote the Constitution specifically to ensure such things would never again happen in America.

But today I see the ugly face of repression rising in America. And it is brought to you by the United States Government.

I am not proud to be an American today. I understand well why people in many other countries hate America. I love America, but I despise what it is rapidly becoming.

Something must be done about this.

There are many things that move me to write this, but what moved to me write this right now is that a member of a registered political party was singled out for harassment, first by American Airlines and then by the United States National Guard because of the opinions she holds.

Nancy Oden, one of the U.S. Green Party's top officials, was traveling to a Green Party national meeting from her hometown airport in Bangor, Maine. She had published a statement that calls for Universal Health Care, limitations on free trade, and a stop to the bombing of Afghanistan.

When she got to the American Airlines ticket counter she was told that there was a record in AA's computer indicating that she should be searched anytime she tried to fly.

During the search, she tried to help the security agent with a stuck zipper. The agent grabbed her arm and she pulled it away. The National Guard instructed the airline not to let her fly. The airline told all the other airlines not to let her fly. She was unable to attend the Green Party meeting.

So an official of a registered political party in the supposedly democratic United States was prevented from participating in the political process because her name had been recorded in a computer as someone who should be treated with suspicion.

I fear what America has become.

Also upsetting to me is the recent decision of the U.S. Bureau of Prisons to allow eavesdropping on attorney-client conversations as well as opening of their mail. Read the ACLU press release opposing this.

From the Washington Post article U.S. Will Monitor Calls to Lawyers:

Attorney General John D. Ashcroft approved the eavesdropping rule on an emergency basis last week, without the usual waiting period for public comment. It went into effect immediately, permitting the government to monitor conversations and intercept mail between people in custody and their attorneys for up to a year at a time.

The right to a vigorous legal defense is one of the cornerstones of our democracy. It is one of the bulwarks that comes between official repression and those who are repressed, underprivileged, despised, outcast, or working for legitimate political change. You can read about the guarantee of legal representation in our Constitution:

Amendment VI

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the state and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.

I don't have a URL to link you to ( mail me one), but I read that among the hundreds of "suspects" and "material witnesses" rounded up in the days after September 11, many were held without charge and some were beaten by their jailers. Also some were held without being given access to attorneys or their families. I thought that could not happen here...

The recently signed USA PATRIOT act is an assault on our civil liberties the likes of which have not been seen in decades.

Read the Electronic Frontier Foundation's Analysis of USA PATRIOT Act, which largely discusses the law's impact on online activities - did you know that the government can now spy on the key words you search for at search engines like Google and AltaVista? Because computer cracking is now considered terrorism, searching for exploitz can result in your lengthy imprisonment.

The truth is the first victim of war.

Shortly after the September 11th attacks, President Bush said something to the effect that the reason the U.S. was attacked was because the terrorists hated our freedom, and that we must fight the terrorists in order to preserve it.

But Osama bin Laden does not care either way about our freedom. He has made it very clear why he hates the U.S., and none of this has been acknowledged by any official statements that I have heard. What bin Laden objects to are the stationing of U.S. troops in Saudi Arabia, the land of the holy city of Mecca, U.S. support for Israel's repression of the Palestinians, and the continued U.S. bombing of Iraq. More than anything, he feels that the presence of U.S. troops in the Islamic Holy Land is a sacrilege.

Whatever your position is on bin Laden's objections to the U.S., you must agree that it is wrong for our President to lie to us. Get informed, and work to understand the complexities behind the enmity between the Islamic and Western world. It's not as simple as our government would have us believe.

You might be interested to know what the Pentagon is doing to improve the United States' image in the Islamic world. Well, I'll tell you. It has taken out a $400,000 contract with Madison Avenue public relations firm The Rendon Group in an effort to help it "orient to the challenge of communication to a wide range of groups around the world". In addition, former advertising executive Charlotte Beers has been apointed to the post of Undersecretary of State for Public Diplomacy, a position she qualifies for because of her previous work promoting such products as Head & Shoulders shampoo.

Read about it in Propaganda Wars.

Well, its comforting to know that we'll be winning friends in Central Asia by showing professionally produced TV commercials depicting friendly Americans in between the news reports of mutilated and starving Afghani children.

If you, like myself, feel that something is wrong with America these days, or with whatever country you find yourself in, speak out about it.

In this troubled times, speaking openly to inform others of injustice or to protest may result in a backlash against you from government officials or others. Please read this speech on the importance of speaking your mind. Have courage - it is only by having the courage to speak and to work against injustice that we can prevent it from getting a lot worse.

Among the ways you can speak out

• Participate in online communities
• Send email to people you know
• Write web pages like this one and post the URL around
• Write letters to the editors of your local newspapers
• Staple leaflets to bulletin boards in your community
• Pass out leaflets in public places
• Call in to talk radio shows

Secondly, participate in what we have left of the democratic process. Our government has at least the appearance of having been elected, and the easiest way to make a change is to vote out the ones who have brought this upon us.

• Volunteer for political candidates you believe in
• Get a bunch of voter registration cards and stand in a public place to register voters
• Donate money to political candidates and parties who respect civil liberties
• Vote
• Write letters to your elected representatives. While you can send email, Congress gets so much spam that they pretty much ignore email these days. Instead, you can find your Congressperson's postal address at www.congress.org - write them a paper letter.

Use encryption to protect your privacy. Please read my page Why You Should Use Encryption as well as my letter Protect Your Rights with Encryption.

You can get encryption software for free - you can use either Pretty Good Privacy or The GNU Privacy Guard. Both offer excellent, military strength protection of your data, and the source code to each is freely available so that programmers are able to inspect it for security defects and back doors.

Teach the people you correspond with to use encryption.

Teach people who work for political change to use encryption. If you don't think political candidates and their staff need to use encryption, you're too young to remember Nixon's Plumbers getting caught breaking into the Watergate Hotel to wiretap the Democratic National Committe.

Join organizations that work to protect civil liberties. Among these are:

• The American Civil Liberties Union - Join Here
• The Electronic Frontier Foundation - Join Here - the EFF works to protect our civil liberties in the online world, including working to ensure that the work of computer programmers is protected as free speech under the First Amendment, thereby ensuring you access to software that guards your security and privacy.
• The Center for Democracy and Technology - Get Involved - working "to promote democratic values and constitutional liberties in the digital age"
• The Electronic Privacy Information Center - Donate Here - "established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.

One might think, and one certainly hopes, that the ultimate safeguard against these threats to our civil liberties lies with the Supreme Court of the United States. But I am not so certain myself. The Supreme Court has ruled against the dictates of law and the Constitution during other troubled periods in our nation's history.

And we should remember that the current President received a minority of the popular vote and was only declared to have a majority of the Electoral Vote after an obviously politically motivated ruling by the Supreme Court, a decision that has few pretenses of being based on the rule of law. Even had all the ballots been counted, enough Black Florida citizens were prevented from going to the polls that the election would clearly have gone for Gore had they been allowed to exercise their right to vote.

As said in the dissenting opinion by Justices Stevens, Ginsberg and Breyer in Bush v. Gore (note - this is an Adobe Acrobat document):

What must underlie petitioners' (nb. - George W. Bush') entire federal assault on the Florida election procedures is an unstated lack of confidence in the impartiality and capacity of the state judges who would make critical decisions if the vote count were to proceed. Otherwise, their position is wholly without merit. The endorsement of that position by the majority of this Court can only lend credence to the most cynical appraisal of the work of judges throughout the land. It is confidence in the men and women who administer the judicial system that is the true backbone of the rule of law. Time will one day heal the wound to that confidence that will be inflicted by today's decision. One thing, however, is certain. Although we may never know with complete certainty the identity of the winner of this year's Presidential election, the identity of the loser is perfectly clear. It is the Nation's confidence in the judge as an impartial guardian of the rule of law.

We must work together to restore the rule of law in our country - or we shall surely suffer for it. If you do not agree that Fascism can arise in the United States, take heed of the fact that Adolf Hitler was elected as the leader of his country too.

November 12, 2001

But Germany is the country with the most tapped phones per 1000 inhabitants in the whole world, and still growing.

That they fund GnuPG hast something to do with the fact, that the european industry is afraid of Echelon.

But the government is really eager nowadays to enforce an Orwellian police state.

If you are able to understand german, there are some disturbing articles at telepolis about the new European cyber-police called Enfopol.

Anybody know a country which doesn't sacrifice freedom to "fight terrorism" these days ?

If you use GnuPG (GPG) - you can create your own circle of trust.

You sign your own certificates (verifying them over the phone or through some other means) and then you in turn publish your keys to open key servers around the world.

The more places your identity exists the harder it is for someone to steal it - that is why Slashdot allows you to put your public key into your account (you can see the box for it just below the signature box)

The key servers are run mostly by institutions around the world (I think Stanford is a main hub here in the US) - they basically hold a bunch of public keys that have been signed.

So this story isn't a big deal for jo shmoe because if you need to securely transfer something from yourself to someone else you can do that for free using GPG.

So let the companies have their closed ring of trust and you can create your own.

Derek

If you are nervous about your messages being intercepted, get yourself a implementation of PGP and use it religiously. If you are really feeling paranoid, get the source code to 'Gnu Privacy Guard' and compile your own copy.

I am part-owner of one ISP, and know personally top network administrators for at least a dozen other providers, both major and minor. None of them have 'Carnivore' or other government-mandated software or hardware on their networks.

The Feds did make a one-time request of several major providers to scan their logs for email with a certain set of 'From' addresses, but there is no new ongoing traffic analysis at individual ISPs.

There is absolutely no privacy left on the Net any more. None. Keep that in mind when you rant. That's what crypto is for. Ranting on Slashdot is by it's very nature, about as public as you can get.

So what? People have had the ability to listen in on network communications since the dawn of time (well, the dawn of networking, anyway :) If you have to transmit any sensitive or private information, encrypt it! Maybe this will finally get people to get off their asses and start using PGP/GPG like they should anyway.

GNUPG!!! 1024-bit encryption at least!

the German Federal Ministry of Economics and Technology help fund the development of GnuPG.
Check out the press release.

Also was willing to look into GPG but it doesn't integrate well (if at all with Outlook). Since this wasn't a technical oriented group (most of them didn't know how to change a defalt printer). It would have needed to be somewhat idiotproof.

This is not only true for GnuPG, which has funding by the government (for the development of more user-friendly frontends, I think), but there is also a project for the development of an open source anonymity service (JAP) as strong as (or even stronger than) the Freedom anonymizer service, and there is also the Sphinx project to build a PKI for the public authorities and maybe others.

One of the main drivers for the JAP project (and maybe others) seems to be that many consumers (at least in Germany) apparently avoid E-commerce because of privacy concerns.

German government financial support for GPG development started over one year ago, main goal being to provide German companies with reliable protection from economic espionage.
Also, the EU administration recognized that it may be a bit naive to process their most sensitive secrets with foreign closed source software some time ago.
With this motivation in mind, there's no need to worry that there's any country in the world with stronger 'freedom of speech' protection than the US - even though gnupg.org is bold enough to cite a privacy protection article from the German 'Grundgesetz' :)

You won't believe it, but gnupg.org seems to be a german site, and it cites a privacy protection article from the 'Grundgesetz'.
Apart from that, german government finacial support for GPG development started over one year ago, main goal being to support reliable protection from economic espionage. Well, there are areas were we aren't all buddies, are there ?

what's the most commonly used Win9x compatable pacakge I can grab?

Grab GnuPG.

If you want nice, easy, email integration, get Eudora and EudoraGPG.

You can send me a test message if you want. My public key is on my slashdot user page. Use the email address in the key.