Slashdot Mirror

What would be cool would be PGPFone for the P800 - encrypted voice over IP.

Indeed.

If you use GnuPG(GPG) or PGP to encrypt your files, you get compression too. There is absolutely NO reason to use a nonstandard compression utility to do low quality encryption.

If you use GnuPG(GPG) or PGP to encrypt your files, you get compression too. There is absolutely NO reason to use a nonstandard compression utility to do low quality encryption.

"It's as if I left my diary in a car that was in the shop, and all the mechanics started reading it. Except for computers, this is the norm rather than the exception. I don't want someone going through all my personal shit."

PGPDisk

"the person had vile, disgusting, and illegal content on his computer"

'Illegal' is the only one of those three claims that you can prove, unless you happen to have seen the pictures in question.

p.s. "Thumbnail" pictures to me sounds like a browser cache, which is not completely under the user's control. Do you know anyone who would right-click-save thumbnails and not actual pictures? However, we take the judge's word that it was enough to be illegal [in NY].

But then, with unpublished evidence who can tell?

That reminds me of the process used by PGP to circumvent the U.S. cryptography export regulations: they printed out the source code, and scanned it in Europe.

I went to the product site and they don't have a Linux version, nor does it appear under active development. Or is there some other version / download link that is more up to date?

There is in fact PGP fone which does just that: Link here There's aslo SpeakFreely available here. Both support secure encryption, so unless they really do ahve those factoring machines and we don't yet know it...

Well there is PGPFone

Won't people who value their privacy (which, sadly, may also include criminals) just revive a project like PGPfone? I don't think it's been updated in a while, but the source code is still there...

6.5.8 was the last source release. Zimmerman has vouched for 7.0.3 See http://www.pgpi.org/files/PRZquitsNAI.txt

Good points, but do you not expect your traffic to be private because that's "Right"? Or because of the surveillance free-for-all that's been happening in this country?

If the same person (let's say) is trying strenuously to invade your privacy by every available means, largely succeeding, and then arguing for even more liberties with you on the grounds that "look - you already have so little privacy," it's OK to call foul.

I don't expect to be able to leave my doors unlocked and my windows open and not get robbed. But that doesn't mean it's not a crime.

Also, if you want a cheap, powerful way to encrypt your phone calls, consider PGPFone. I haven't looked at in a few years, but it looked rather serviceable at the time.

... remember the days before GnuPG, where if you are not American, you would wait at PGP international waiting for volunteers to scan the source code and ship it out of the country?

The source code is protected free speech, the compiled version is not. Uh... :p

So if you import this supercomputer into the States, disassemble it and scan it using tunneling electron microscopes, and re-export the scanned material, you should be OK...

While I'm thinking about this... you could even run aVMWare virtual machine using a disk image on a PGPDisk encrypted volume. That way you can run any kind of Windows or Linux on a machine where the OS will have no clue that it's entire underlying file system is encrypted.

PGP Disk.

The freeware version is here. I've used it before, and it works like a charm. You create a PGPDisk file on a normal volume - this contains an encrypted disk. You can then "mount" the drive after providing the correct password. I've used it in the past on NT4 and on Win2K to great effect.

Whatever will the terrorists
do?

Seriously though, the advent of projects like Freenet makes this legislation a complete farce. ANY subversive and violent organization who wants to communicate securely and confidentially over the Internet can do so, in a myriad number of ways, with a little bit of research, and have a fairly high chance of escaping detection by a Carnivore-type system.

There's only two possible explanations for this bill: 1) Ignorance on the part of those drafting the legislation, and 2) Terrorism being used as a pretext to clamp down on other criminal activity that would otherwise be difficult to investigate and prosecute, due to Fourth Amendment restrictions.

I don't know which explanation worries and frightens me more.

Might want to rethink your examples. PGP has been ported to both the Amiga and the Atari. RSA, DH, and DSA take a lot of cycles but it's not as if the rest of the app is that complicated.

The source code to PGP has been available for a long time from pgpi.com. Indeed, there is the freeware copy (it actually links you back to the main PGP page) of PGP 8.0 available there.

Could you use PGPhone which you could compile yourself for your laptop, a head set and a cellphone to become secret agent man?

or better yet use some featherweight linux and get it running off your iPaq!

PGP addresses the problem of transporting private data securely across a public medium. Traditional cryptography involved a private key, in which you and your correspondent both need to know the unique cryptographic key in order to read the encrypted method. The problem with this method was that, while easy to program and use, real-life applications were complicated. After all, if you have a secure medium to transfer the key, why not just transmit your entire message that way? PGP was a major breakthrough (or implementation of, rather) in public key cryptography. Using this system, no secure channel is ever needed. Both the recipients public key and the message can be transmitted (or even broadcast publicly) via an insecure network. Because of the way data is encrypted, PGP is also good at guaranteeing the authenticity of a message - the idea that while others may have looked at your encrypted message while in transport to the recipient, if they have changed so much as a space, the recipient will be aware.

PGP (or any other program for that matter) can do nothing (or very little) against user malice/stupidity/carelessness. That is beyond the scope of PGP. If you whispered a secret message to Ms. Muslim in a dark alley, there is still nothing preventing her from doing as she wishes with your (until-now) private message. For more on software controlling the users, check out what Microsoft is trying to do (albeit fairly unsuccessfully).

PGP will also do you no good for "traffic attacks" (Alice sends an encrypted message to Bob, Bob murders Alice's spouse, Bob sends an encrypted message to Alice. You guess cop's #1 suspect) and has never intended to. You may want to look into cryptography's little sister, steganography for message hiding.

I would highly recommend browsing to http://www.pgpi.org/doc/faq/ and doing some more reading. I also own O'Reilly's PGP: Pretty Good Privacy and have found it an excellent resource. It was published back when PGP was still Phil's, but applicable today nonetheless. Heavy on theory and application, there's also a very good appendix on the dirty math involved.

You can still get your data. They do not erase it. They do not erase your keys. They do not erase anything, the program just doesn't work anymore. If you want your data back, you can still get it back with the freeware version which will be released by then, or with GPG, or with an older version of the software, or whatever.

The exception is if you have your data on a PGP disk, in which case you will have to go through some trouble, like buying the commercial version. The idea is that you are just testing that feature in the beta, not relying on it to store your data. But, hey, you can always set the date to December 6, launch the program, decrypt your data, and go on your merry way.

A quick Google search turns up this MIT site as the first hit, which has pointers to where the program can be found. They're still listing version 1.0 beta 2, not changed since July 11, 1996! (I never saw that much interest in it...) People know there are so many ways to compromise /eavesdrop on a conversation, and a computer (even a laptop) is a bulky way to make a phone call.

(God, look at how much cellphone tech has changed in 6+ years!)

The PGPi site lists a PGPfone version 2.1 (Windows and Mac), but notes that NAI has the rights to it:

"PGPfone 2.x is a commercial product, but NAI has shown no interest in it, so it is probably O.K. to use it anyway."

I think you're right, though. There's OpenSSL -- heck, there's OpenSSH, too! Set up a heavily-encrypted tunnel, run your favorite VoIP program through that. Since you have to worry about your computer being trojan-free in either case (both software and hardware), you can use a program that's a lot more mature than PGPfone.

.haeger

PGP International offers a nice, friendly, easy to use set of encryption tools. This includes a VPN (for a secure network layer) and nifty things like a quick encrypt for clipboard contents.
PGP for Windows

What's next? Scrambling your voice over the telephone?

http://www.pgpi.org/products/pgpfone/

Phil Zimmerman was disappointed that it wasn't being used by NAI, so it got released on pgpi.

http://www.pgpi.org/products/pgpfone/

There is a text file about the licensing, which sounds real hairy. NAI released the code, but said that no one was allowed to use it. Or something. Phil was hoping other people might submit improvements. Lord only knows what PGPfone's destiny is in this new exchange.

Phil Zimmerman was disappointed that it wasn't being used by NAI, so it got released on pgpi.

http://www.pgpi.org/products/pgpfone/

There is a text file about the licensing, which sounds real hairy. NAI released the code, but said that no one was allowed to use it. Or something. Phil was hoping other people might submit improvements. Lord only knows what PGPfone's destiny is in this new exchange.

What they don't know is that the floopy disk is stored in my safety deposit box at the bank, and the actual private key is on multiple encrypted loopback devices. Oops. I shouldn't have said that. Now I have to bury the disk behind the barn. I shouldn't have said that either.

What they don't know is that the floopy disk is stored in my safety deposit box at the bank, and the actual private key is on multiple encrypted loopback devices. Oops. I shouldn't have said that. Now I have to bury the disk behind the barn. I shouldn't have said that either.

Available on a shitload of platforms
And pgpi is a very trusted site

(I could also mention the Cyber Knights Templar builds. Also very trusted + open source)

Available on a shitload of platforms
And pgpi is a very trusted site

(I could also mention the Cyber Knights Templar builds. Also very trusted + open source)

That's already in PGP. You can make split keys easily. And it is easy to program your own: to make an m-of-n system, where you need m of the n pieces to recover the password, let r_1 through r_m-1 be lists of random integers 0 to 256, with lengths equal to that of the password.

Then share number s of the password, part i is r_1[i]+s*r_2[i]+s^2*r_3[i]+...+s^(m-2)*r_m-1[i]+s^ (m-1)*password[i] all mod 257. If you have m of the shares, say keys numbered s_1...s_m, you reconstruct (leaving out the [i]'s this time) as password=key_s_1/((s_1-s_2)(s_1-s_3)...)+key_s_2/( (s_2-s_1)(s_2-s_3)...)+...+key_s_m/((s_m-s_1)...).

I hope that isn't patented, it's just a back-of-the-envelope calculation with VanderMonde matrices. All you have to do then is have everyone encrypt their share(s) with a different password, and integrate the key-rejoining routine with the password-entry system so that the employees don't get to see it after reconstructing it, and you're done. The cool thing about the system is that m-1 of the shares give no information about the password, assuming the random number generator you used is good enough.

Many versions for many platforms available here: PGPi.
Information wants to be free.

So which version was being hosted that led to NAI sending out the copyright violation notice? Was this a commercial version that truly was a `pirate' copy, or was it the same version hosted at pgpi.com? (http://www.pgpi.org/products/pgp/versions/freewar e/) The pgpi site doesn't seem to have any information regarding this, and you would think they would given the impact of it to them.

Is that not what PGPFone does?

I've not used PGPFone yet (got it installed but nobody to call) but that's supposed to do encrypted phone calls over the internet, using your normal headset, and without paying for phone calls, hardware, or software.

That also adds a secure connection ontop any normal phone conversation.

I use pgpfone, and I'm pretty happy with it. It's windows-only, but this drawback pales in front of the advantage of having a snooper-proof connection; I don't discuss state-secrets over it - I don't evan know *any* state-secret - but I grin each time I hear about "internet wiretapping" and "more powers to the cops"...

WTF?!? Why did Tiny launch 8 different 0-second redirect windows to try and fuck-up by "Back" button?
Is it just me, or are corporate sites being childish?

p.s. How many of us are already using PGP-Fone?

Let me assure all PGP users that all versions of PGP produced by NAI, and PGP Security, a division of NAI, up to and including the current (January 2001) release, PGP 7.0.3, are free of back doors.

Here's a quote:

Let me assure all PGP users that all versions of PGP produced by NAI, and PGP Security, a division of NAI, up to and including the current (January 2001) release, PGP 7.0.3, are free of back doors.

I still don't understand why so few people use PGP. If someone wanted to present a legally binding contract, to confirm it was from them, PGP would probably be the way to go.

And that is partly the reason nobody bought it.
PGP evolved into a nice e-mail encryption program. NA added so much crap to this (VPN that hardly worked, Firewall, hard drive encyption) they forgot there core market..... secure E-MAIL and convincing people that it was nessisary!
(In a corperate enviroment, people alredy have firewalls etc... NA just made PGP more complex)

I actually bought a version of PGP Personal Security 7.0.3
YTC !!!
NA never published the source code for version 7. That was the reason Phil Zimmerman left NA.
Version 6.5.8 could be downloaded as freeware and is every bit as compatable!

The freeware version on the PGP International site goes up to 7.03: downloads here. This site is not owned by NAI so it shouldn't be affected by this decision.

But can gnomeicu use pgpphone as a plugin ?

• Win2K uses DES, which is notoriously vulnerable to today's raw CPU power and dedicated, custom-built machines.
• "Export-grade" US crypto is ridiculously vulnerable, and this has been known for years. People who take crypto seriously outside of the US have other sources of crypto.

• Al-Quaeda/Bin Laden operatives are not the crime geniuses the US government say they are. As a matter of fact, they appear as pretty incompetent to me.
• The [CIA | NSA] should have intercepted that data before 9/11 -- or, at the very least, got those machines before the reporters did. They also appear as pretty incompetent to me, and I don't know if that's good news or not...

Should the US prohibit the export of high-encryption software?

Sure, why not? It isn't as if there are any cryptographers in any other countries in the world, is it?

Legislation is pointless, and even damaging in this case. The cryptography playing field is fairly level. That's not inherently a good or a bad thing; just as al-Queda can encrypt their files, they are equally prevented from intercepting sensitive information by the same technology. If legislation restricts crypto, we will find ourselves in a situation in which the FBI can't crack terrorist comms, yet terrorists can intercept commercial data. Airline security information, oilrig blueprints, whatever.

Presumably PGP runs on unix?

PGP 6.5.8, the last freeware version

GnuPG 1.0.6, the GNU Privacy Guard, is a free implementation of the OpenPGP spec.

Linux users already have encrypted filesystems and secure file wipeing as standard in all(?) common distro's. (I know that SuSE even lets you overwite the wiped files with zeros to hide its very existance)

Linux users already have encrypted filesystems and secure file wipeing as standard in all(?) common distro's. (I know that SuSE even lets you overwite the wiped files with zeros to hide its very existance)

While I agree that it is vitial that people contact their representatives with their concerns and support organizations like the ACLU and the EFF, another thing you can do to defy mass survailance efforts like Carnivore is to use encryption whenever possible online. I'm sure there are other /.ers out there who know a lot more about the subject (please speak up!), but I wanted to add what information I can for those who might not already know. Here are a few suggestions of ways I know to use encryption:

• Email

• You can encrypt your email communications with others who are also willing to get the right tools. Probably the easies tool is PGP (there's also an international page), or for the free software crowd GPG. PGP makes this pretty easy to use under windows with almost any program with its encrypt clipboard contents feature, but there are also plugins for verious email programs.

• Terminal Sessions/Telent

• Most people probably know about it, but there's ssh, openssh, and if you're using Windows check out Tera Term and its ssh extension.

• Instant Messaging

• My appologies to the *nix crowd, but I don't yet know much about instant messaging on those platforms (soon); however, if you use windows I have seen several instant messaging clients that support encrypted chatting. I suggest Trillian, which is awsome anyway, free, and has encryption features. As far as *nix goes, I'd check out the big ones (e.g. Jabber) and if it isn't in there by default, look for plugins.

This certainly doesn't solve all the problems. The biggest is web browsing. You can use anonymous web browsing tools such as Anonymizer, but that is admittedly kind of a pain. I don't have any good suggestions there. I'd be interested in any other ways others have found to incorperate encryption into their online communications.

I can't see any info about AES being adopted in the PGP framework. Anyone knows how this work is progressing? (or has even started..)