Domain: pgpi.org
Stories and comments across the archive that link to pgpi.org.
Comments · 146
-
Great! More programming jobs for Mac developers..
Hooray! I love to see more stuff getting written for the Mac. I am looking forward to the release of Magic Lantern for Mac OS X. In fact, I'll probably write some letters to the FBI demanding Mac OS X support in Magic Lantern.
I really doubt that any of these speculative predictions of yours will actually come to pass.
* They will find a way to make it work in every consumer OS.
* They will find some other way to achieve the same thing with other OSs.
These are basically the same prediction. With Microsoft's 95% domination of the desktop OS market, there's really no need for the FBI to code this thing for Amiga, BeOS, Mac OS 9 & X, Palm, SuSE, MkLinux, Red Hat, Mandrake, Yellow Dog, NetBSD, OpenBSD, and the list goes on with similar obscurities. The mass majority of criminals are going to use the OS used by the mass majority of consumers.
If this changes and terrorists / criminals wise-up to Magic Lantern and circumvent it by purchasing (or stealing) Titanium Powerbooks, then that would make Mac OS X the "criminal's choice" in OS's... hmmm. Sort of gives a new category to add in the Think Different campaign.
* They will outlaw the use of an OS that can be used to evade law enforcement.
Wow. I wonder how much Microsoft stock J. Ashcroft owns. First the slap on the wrist settlement and now the FBI is going to mandate Windows use nationwide because they can't port their trojan to all the obscure minority OS's.
You can be sure that this would NEVER happen. There are all kinds of technologies legally available in the US that thwart surveillance by law enforcement. Cell Phone Encryption, Bug Detectors, or how about plain-old PGP?
My point here is that the FBI would find Magic Lantern totally successful if it works only on the OS used by 95% of the US population. I really can't imagine Ashcroft getting all huffy in a meeting because there are 5% of all computer users who aren't susceptible to this. There's going to be a MUCH larger percentage of Windows users who simply won't get infected with the thing in the first place.
-
Why doesn't stuff like this get on slashdot?
Is This the America I Love?
Copyright © 2001 Michael D. Crawford. Permission is granted to reproduce this document provided it is copied verbatim, in its entirety and that this copyright statement is preserved.
I just feel the need to write right now. Something has gone terribly wrong with the country I was raised to love. The good things that America stands for are being trampled into the dirt by those charged with the burden of protecting them.
I was raised to be a patriotic American. I grew up a military brat - my father was a proud officer of the United States Navy, who served in the Vietnam War. When I was young, I was always told that my father was fighting to preserve the freedoms that were guaranteed us by the United States Constitution.
In the first grade, I attended a school run by the U.S. Navy in Gaeta, Italy, where my father was stationed aboard the U.S.S. Springfield. Each day when we started school we sang patriotic songs and said the Pledge of Allegiance. We were told that America stood for freedom and democracy and justice.
I loved America for what it stood for.
I was told that things like political persecution, detainment without trial, and beating of prisoners were things that happened in other countries, that they would never happen in America. I was told that we fought the American Revolution and wrote the Constitution specifically to ensure such things would never again happen in America.
But today I see the ugly face of repression rising in America. And it is brought to you by the United States Government.
I am not proud to be an American today. I understand well why people in many other countries hate America. I love America, but I despise what it is rapidly becoming.
Something must be done about this.
There are many things that move me to write this, but what moved me to write this right now is that a member of a registered political party was singled out for harassment, first by American Airlines and then by the United States National Guard because of the opinions she holds.
Nancy Oden, one of the U.S. Green Party's top officials, was traveling to a Green Party national meeting from her hometown airport in Bangor, Maine. She had published a statement that calls for Universal Health Care, limitations on free trade, and a stop to the bombing of Afghanistan.
When she got to the American Airlines ticket counter she was told that there was a record in AA's computer indicating that she should be searched anytime she tried to fly.
During the search, she tried to help the security agent with a stuck zipper. The agent grabbed her arm and she pulled it away. The National Guard instructed the airline not to let her fly. The airline told all the other airlines not to let her fly. She was unable to attend the Green Party meeting.
So an official of a registered political party in the supposedly democratic United States was prevented from participating in the political process because her name had been recorded in a computer as someone who should be treated with suspicion.
I fear what America has become.
Also upsetting to me is the recent decision of the U.S. Bureau of Prisons to allow eavesdropping on attorney-client conversations as well as opening of their mail. Read the ACLU press release opposing this.
From the Washington Post article U.S. Will Monitor Calls to Lawyers:
Attorney General John D. Ashcroft approved the eavesdropping rule on an emergency basis last week, without the usual waiting period for public comment. It went into effect immediately, permitting the government to monitor conversations and intercept mail between people in custody and their attorneys for up to a year at a time.
The right to a vigorous legal defense is one of the cornerstones of our democracy. It is one of the bulwarks that comes between official repression and those who are repressed, underprivileged, despised, outcast, or working for legitimate political change. You can read about the guarantee of legal representation in our Constitution:
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the state and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.
I don't have a URL to link you to (mail me one), but I read that among the hundreds of "suspects" and "material witnesses" rounded up in the days after September 11, many were held without charge and some were beaten by their jailers. Also some were held without being given access to attorneys or their families. I thought that could not happen here...
The recently signed USA PATRIOT act is an assault on our civil liberties the likes of which have not been seen in decades.
Read the Electronic Frontier Foundation's Analysis of USA PATRIOT Act, which largely discusses the law's impact on online activities - did you know that the government can now spy on the key words you search for at search engines like Google and AltaVista? Because computer cracking is now considered terrorism, searching for exploitz can result in your lengthy imprisonment.
The truth is the first victim of war.
Shortly after the September 11th attacks, President Bush said something to the effect that the reason the U.S. was attacked was because the terrorists hated our freedom, and that we must fight the terrorists in order to preserve it.
But Osama bin Laden does not care either way about our freedom. He has made it very clear why he hates the U.S., and none of this has been acknowledged by any official statements that I have heard. What bin Laden objects to are the stationing of U.S. troops in Saudi Arabia, the land of the holy city of Mecca, U.S. support for Israel's repression of the Palestinians, and the continued U.S. bombing of Iraq. More than anything, he feels that the presence of U.S. troops in the Islamic Holy Land is a sacrilege.
Whatever your position is on bin Laden's objections to the U.S., you must agree that it is wrong for our President to lie to us. Get informed, and work to understand the complexities behind the enmity between the Islamic and Western world. It's not as simple as our government would have us believe.
You might be interested to know what the Pentagon is doing to improve the United States' image in the Islamic world. Well, I'll tell you. It has taken out a $400,000 contract with Madison Avenue public relations firm The Rendon Group in an effort to help it "orient to the challenge of communication to a wide range of groups around the world". In addition, former advertising executive Charlotte Beers has been appointed to the post of Undersecretary of State for Public Diplomacy, a position she qualifies for because of her previous work promoting such products as Head & Shoulders shampoo.
Read about it in Propaganda Wars.
Well, it's comforting to know that we'll be winning friends in Central Asia by showing professionally produced TV commercials depicting friendly Americans in between the news reports of mutilated and starving Afghani children.
What You Can Do
If you, like myself, feel that something is wrong with America these days, or with whatever country you find yourself in, speak out about it.
In these troubled times, speaking openly to inform others of injustice or to protest may result in a backlash against you from government officials or others. Please read this speech on the importance of speaking your mind. Have courage - it is only by having the courage to speak and to work against injustice that we can prevent it from getting a lot worse.
Among the ways you can speak out
- Participate in online communities
- Send email to people you know
- Write web pages like this one and post the URL around
- Write letters to the editors of your local newspapers
- Staple leaflets to bulletin boards in your community
- Pass out leaflets in public places
- Call in to talk radio shows
Secondly, participate in what we have left of the democratic process. Our government has at least the appearance of having been elected, and the easiest way to make a change is to vote out the ones who have brought this upon us.
- Volunteer for political candidates you believe in
- Get a bunch of voter registration cards and stand in a public place to register voters
- Donate money to political candidates and parties who respect civil liberties
- Vote
- Write letters to your elected representatives. While you can send email, Congress gets so much spam that they pretty much ignore email these days. Instead, you can find your Congressperson's postal address at www.congress.org - write them a paper letter.
Use encryption to protect your privacy. Please read my page Why You Should Use Encryption as well as my letter Protect Your Rights with Encryption.
You can get encryption software for free - you can use either Pretty Good Privacy or The GNU Privacy Guard. Both offer excellent, military strength protection of your data, and the source code to each is freely available so that programmers are able to inspect it for security defects and back doors.
Teach the people you correspond with to use encryption.
Teach people who work for political change to use encryption. If you don't think political candidates and their staff need to use encryption, you're too young to remember Nixon's Plumbers getting caught breaking into the Watergate Hotel to wiretap the Democratic National Committee.
Join organizations that work to protect civil liberties. Among these are:
- The American Civil Liberties Union - Join Here
- The Electronic Frontier Foundation - Join Here - the EFF works to protect our civil liberties in the online world, including working to ensure that the work of computer programmers is protected as free speech under the First Amendment, thereby ensuring you access to software that guards your security and privacy.
- The Center for Democracy and Technology - Get Involved - working "to promote democratic values and constitutional liberties in the digital age"
- The Electronic Privacy Information Center - Donate Here - "established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values."
One might think, and one certainly hopes, that the ultimate safeguard against these threats to our civil liberties lies with the Supreme Court of the United States. But I am not so certain myself. The Supreme Court has ruled against the dictates of law and the Constitution during other troubled periods in our nation's history.
And we should remember that the current President received a minority of the popular vote and was only declared to have a majority of the Electoral Vote after an obviously politically motivated ruling by the Supreme Court, a decision that has few pretenses of being based on the rule of law. Even had all the ballots been counted, enough Black Florida citizens were prevented from going to the polls that the election would clearly have gone for Gore had they been allowed to exercise their right to vote.
As said in the dissenting opinion by Justices Stevens, Ginsburg and Breyer in Bush v. Gore (note - this is an Adobe Acrobat document):
What must underlie petitioners' (nb. - George W. Bush') entire federal assault on the Florida election procedures is an unstated lack of confidence in the impartiality and capacity of the state judges who would make critical decisions if the vote count were to proceed. Otherwise, their position is wholly without merit. The endorsement of that position by the majority of this Court can only lend credence to the most cynical appraisal of the work of judges throughout the land. It is confidence in the men and women who administer the judicial system that is the true backbone of the rule of law. Time will one day heal the wound to that confidence that will be inflicted by today's decision. One thing, however, is certain. Although we may never know with complete certainty the identity of the winner of this year's Presidential election, the identity of the loser is perfectly clear. It is the Nation's confidence in the judge as an impartial guardian of the rule of law.
We must work together to restore the rule of law in our country - or we shall surely suffer for it. If you do not agree that Fascism can arise in the United States, take heed of the fact that Adolf Hitler was elected as the leader of his country too.
November 12, 2001
-
Who needs hardware?
Documents? Never mind.
For this kind of thing, I use PGPdisk. Lets you allocate space into an encrypted pseudodrive. Much more secure than a simple password-protected drive. As long as your software is uncompromised, it's totally non-hackable. But don't lose your pass phrase!!!
-
Doesn't surprise me
Does this surprise anyone else? If it does, shame on you for not being wary. You should know better; the NSA wasn't the end, ECHELON wasn't the end, Carnivore wasn't the end, and this won't be the end either. Anyway, I don't care if they put a box between my computer and the wall, because I use GPG for everything I don't want Big Brother to know.
-
PGPi
I'm sure there are many reasons why pgp is not taking off. People don't generally know about encryption on computers, and even if they do that awareness is due to all the hype about it on TV.
Those who do know (and especially in the open source camp) use GnuPG. Even then there is the PGP international page. From here you can download the free versions of the last international release (with source) and even the new 7.0.3 free version which NAI sells.
I think that the clued up people go for this. I think it lacks a couple of features but it still has the core encryption for emails/files on hard disk base. If you know I think you would go for the free version as well. Anyway I thought they were bundling PGP with virusscan and the like to make their money anyway.
-
Buy it or get free version
PGP always boggled my mind. I had two choices. I could either buy the US version from NAI or download the international version for free. Now I wonder why sales could have been low.
-
Re:Just D/L'd my PGP before the legislation
-
Enforcement?
So how do you plan to enforce this backdoor rule? How do you keep me from using my copy of PGP that I've already downloaded from pgpi.org? If I take the results of encrypting my message with PGP and then further encrypt it with your backdoored protocol, you'll never even know I was using PGP unless you use my backdoor, and then you won't be able to read my messages. So how will this help anything?
-
Schneier recommends PGP
Last I checked, Bruce Schneier (in his book Applied Cryptography) recommended PGP.
-
Quite Disturbing.
I can understand how this would be implemented on a web-based mail system, since you are actually *composing* the message on their server, using whatever script/component they are running.
However, if this were to be implemented on an ISP level, by adding advertisements to outgoing email messages, I would suggest you add an X-Copyright header to your mail! This coupled with using PGP or GnuPG, and cryptographically signing your email would enable the receiver to see if the mail had been tampered with (the message hash would have changed, and the authentication would fail) and you could attack the ISP for invasion of privacy or mail tampering.
This greatly disturbs me for many reasons. The commercialisation of the Internet will soon reach its peak, and dreadfully our entire desktops will be filled with gigantic advertisements promoting pornography or silly little trinkets. As if this wasn't bad enough our emails would be full of tags like " WIN WIN WIN 10000$ WIN WIN WIN "
Fight now, your desktop might be too clogged to fight later!
May the source be with you.
-
M$ to pick a standard? Hell, no!
...is for Microsoft and/or AOL to pick a standard and integrate it into AOLmail, Hotmail and Outlook Express.
Excuse me? I'm sure M$ would like to pick a standard and shove it through everyone's throat. And I'm also sure that in the first one or two versions it would actually be compatible with PGP. But not in the long run. And I am very sure that M$ would build in some back door (what, a back Gate is more likely *grin*).
Nah, I'd rather go for a nice open source project. There's already OpenPGP, no need to let M$ invent the wheel again (they'd come up with a wheel that's incompatible with all wheels used so far anyway and it would require a license). In my opinion, the software isn't really the problem. There's enough software with which you can send decently encrypted messages. Problem is the majority of the users: users who don't know and don't care about their privacy. George W. Bush can serve as a nice example here: he said he quit sending e-mail because it was too insecure. This means he doesn't know about encryption (well, surprise, is there anything he does know about?) but at least he cares (not about world peace or environment, but that's not as important as an e-mail message of course). If people could be taught just a few little things about privacy and security, the situation could change quite dramatically. People don't use encryption because it's not worth the effort. What effort? It's not difficult or complicated if you have any idea of what you're doing. With a decent plugin, all it takes is one extra click and the typing of a passphrase. Explain them the basics of encryption and show them the few extra clicks it takes and they can use it.
Most people here on /. know about security and how to use PGP. Too bad that probably 90% of all people on the Internet don't. Change that and encryption will become commonly used. Explain your nitwit-friends, e-mail your colleagues that don't have a clue, put up a page on the Net that explains a few basic things about encryption and include some links to OpenPGP and PGP and make sure people start wondering what you mean by including the line Public key: http://www.here.com/mykey in all of your e-mails.
-
Re:Convince Microsoft and AOL to put PGP in their
Get Microsoft and AOL to put PGP in their email agents.
No thanks, I sure hope M$ keeps its hands off of PGP. PGP and GPG are nice standards without any backdoors (although I remember PRZ telling something about no backdoors so far before he left) and I fear that if M$ is to put their own version of it into anything, it will very soon break the standard so that everyone will then have to use their version of it.
Indeed, the Freeware PGP installs nicely into every e-mail client I know for Windoze. And yes, it's perfectly simple to use it, for everyone. Problem seems to be that people think it's difficult because it deals with secrets. They have no interest whatsoever in the background of it and yes, then it can be a little confusing.
I tried to solve this by showing some of my friends what it did and how easy it was to operate. My intention was to install PGP on their computers (with their consent of course) and quit sending them unencrypted e-mail. In that way, I thought, they'd have to use it every time I sent them a message and they'd get used to it. Well, I was wrong. The problem started when one of them told me he couldn't install PGP on his machine at work, simply because it was against the policy to have employees install their own software (which is a very good policy, I think). Some others complained that they only wanted to use it when there was actually something secret in the message, which hardly ever occurs. So, exit PGP :(
Organisations could of course install PGP on all of their desktops, but usually the guys who have to decide on that, don't know shit about computers or security (I said usually, ok *grin*). Besides, what good would it be to block out your option to read your employees' e-mail? So maybe it would be a good idea to point out the dangers of unencrypted e-mail in a business environment: competitors who could eavesdrop, wrong addresses that would enable the wrong people to read things (yeah, sure, as if those messages at the bottom help, "this is confidential, if you receive this in error, you're not allowed to tell anyone what you just read") and the government snooping your e-mail to read about that great merger you're planning... Maybe some managers could be convinced that installing PGP on the company's network wouldn't be so bad after all. Besides, everyone can get it for free, so money wouldn't play a role.
If more and more organisations would start to realise a few crucial things about security and at the same time see that these risks can be dodged very easily and without any cost, things would change.
Now, who's going to convince the boss that he too would benefit from installing PGP (or any other decent encryption system for that matter)? Put one or two technicians together, add someone who does Sales and I'm sure they can come up with a presentation that's both factually correct and very convincing. So, who's taking the lead? I have my story ready, I think it's time to tell it to my boss. I hope many others will follow.
-
ho-ly shit
Someone quick call britain and tell them the price of pgpdisk is down to 12 bucks a copy.
sheesh. all our notebook employees run this, and we're not even... setting anyone up the bomb.
-
PGP manual, absolute security, human users
Read the PGP manual; it deals with these sorts of questions.
There was already a Word macro virus Caligula that attacked the PGP secret keyring and mails it to codebreakers.org, circa 1998.
You are mainly concerned with your private key ring, since loss or corruption of that would be the most damage. If the public key ring was modified you could alter local trust of a specified key, but it could not sign a public key without the private key.
As others have stated the private key itself is protected by symmetric encryption (e.g. IDEA, TripleDES) and you need the passphrase to unencrypt this encryption. So, a private key protected by a poor passphrase could be brute forced using a fast dictionary search tool, similar to Alec Muffett's crack for Unix passwords.
There are several ways to increase the security without irritating the user, such as using a floppy based key ring, using a smartcard memory card to store your own public/private keys, using a Dallas iButton, a removable PCCard (PCMCIA) storage device, or using a crypto smart card that stores your own private/public key, and does the RSA calculations on the card, designed in such a manner as the keys cannot be extracted from the card. This gets into Differential Power Analysis (DPA) and tamper resistance attacks.
For a high security application, you could consider a hybrid smartcard and PDA (e.g. Palm), which forms a small trusted computer. Of course most security experts wouldn't call a out of the box Palm and PalmOS a trusted platform, but it's an example of a smartcard with a direct human interface (human input & output), rather than trusting a larger more complicated computer which is also more flexible because it is designed to be general purpose. Some 3G cell phones plan on having similar smartcard interfaces I believe. I think Nokia had a prototype. Of course since there have been some trojan SMS messages already seen in Europe, and with WAP expected to expand its capabilities rather than die, you can expect this to be a more virus friendly platform as cellphones evolve.
While Bruce's Secrets and Lies shows his change of heart from the absolute security through cryptography that he and cypherpunks dreamt of in the early 90's, he now understands that absolute security in a practical system is a myth, and wants readers to think like engineers in weighing of trade-offs, how easy to use versus how secure, and how expensive vs. how secure. It is not a reason to give up on cryptography, but to realise that in designing and working with secure systems you need to look at more than just which neat cryptographic algorithms to use.
-
Re:PRZ's signature is *NOT* valid
If you scroll up a bit, you'll find someone posted a link to the plaintext version.
*** PGP Signature Status: good
*** Signer: Philip R. Zimmermann <prz@pgp.com>
*** Signed: 2/19/01 1:54:34 AM
*** Verified: 2/19/01 1:11:18 PM
-
Re:I'm glad he pgp-signed his message,
you might want to check the plaintext version of it on the pgpi website then.
--
-
Re:Stupid, unenforcable
"A Clockwork Orange" is in my local Woolworth's, with an 18 certificate on it. You're about a year out of date. We have "The Exorcist" too, now...
BBFC decision on ACO
BBFC decision on The Exorcist
So no, we're not as bad as we used to be. Even then, we still ban all kinds of stuff and FACT will raid markets and/or shops for R1 discs at any chance it gets (ignoring pirated stuff while it does it.) We're not a panacea, and our Customs are paranoid. Still, at least we can import our stuff whenever we like...
I suppose it's like the ban the French had, until a few years ago, on encryption software: a futile attempt to keep their citizens at bay. They seem to be more recipient of this than we are (although we have RIP); no wonder they think their government is screwing them over. Because they are.
-
Source IS Available for PGP 6.5 and later
Bullshit source is not available for any version later than 2.6.2. Here's the source for 6.5.1i.
Check your facts man.
-
Redundant
Zimmermann himself already made his view on this pretty clear, years ago.
---
-
International PGP link
The link given for PGP says:
MIT distributes PGP only to US citizens located in the United States, or to Canadian citizens located in Canada. This page is for the United States.
So if that doesn't mean you (it is not I) go to the international site. The link given has versions for many platforms.
-
If people wouldn't use closed source encryption...
This wouldn't be a problem.
When I first looked into PGP, I first downloaded PGP from MIT. I noticed that the source code wasn't available. So I did a little more looking around.
And I found the International version at The International PGP Home Page. Grabbed the Unix PGP50i source code, compiled it and it works fine. When the bug in the randomness generator was found, I just patched it and recompiled!
BTW, if you are looking for all kinds of cool encryption source code for Linux, go to munitions.
-
we live in frightening times
Goddammit, it seems like with every day that passes, we have less of an excuse not to encrypt interpersonal communications. I'm surprised that businesses don't require employees to encrypt any mail that leaves the intranet.
- PGP international home
- Direct link for novices at PGP international home
- GNU Privacy Guard
- Using Mutt with PGP
- Info on one of the PGP plugins for MS Outlook
Fucking government assholes... if you weren't such snooping bastards, maybe I wouldn't feel it was necessary to ensure my privacy. My problem is that not-so-savvy friends and business associates require me to use cleartext e-mail. Ah, life is depressing...
---------///----------
All generalizations are false.
-
Privacy threatened
First, the UK said it would survey email, then Janet Reno ruled that Carnivore would be allowed to be used, and now this. It seems as each day passes it is getting more and more important to encrypt your emails.
-
PGP international download
Just in case anyone doesn't know where to get the downloads of PGP outwith the US, they're at http://www.pgpi.com/. Free for non-commercial use and entirely legally exported from the US (unless you're in the Sudan, Iran, Iraq and few other places).
-
Re:We have already won.
This is just like when pgp was deemed to be a dangerous munition in the USA and forbidden for export. But it was still fully accessible to everyone on the internet, wasn't it?
This is the result of SUBSTANTIAL effort, and exploited a loophole in the cryptographic munitions laws, which is a little different from the issues in the current case.
However, your point is still valid and taken - DeCSS is here to stay. The MPAA can complain until they're blue in the face, but they can't make it go away.
We, the people of the world, have already spoken on the matter and we find the defendant innocent.
Unfortunately, we can't stop the legal system from providing "justice" against the defendants, and I suspect that the defendants care at least a little. :) -
Re:An idea I had that might work better...
- As soon as you start talking about sending money over the Net, you come up against the same issues of authentication and certification that have us all paying Verisign et al to vouch for the fact that we are who we say we are.
Alex Bischoff
--- -
Re:About Time--But Does It Matter?
Doh moderator get a grip parent article is 3, informative? - at http://www.pgpi.org PGP is free for all for non-commercial use. (The rest of the PGP stuff is US only, and commercial only.. of course if you'd want it you'd get it)
Kjella -
Re:Kinda-sorta OT: Is there an intro to PGP stuff?
See if you find something useful here. And you're welcome.
-
Use the other kind of 'munitions'......cryptography. Cheap, easy and truly secure (coz the 'black helicopters' always have bomb experts on board :-)... For the truly paranoid, there are several utilities that will use strong encryption to secure whole disk partitions (and some work flawlessly and transparently with Windows and/or Linux).
Some utilities:
Scramdisk (my personal favorite)
E4M
And to ease day-to-day operation: SecureTray (Windows tray utility to manage encrypted partitions).
engineers never lie; we just approximate the truth. -
good sources for info
http://www.cryptome.org
http://jya.com/crypto-free.htm
Learning About Cryptography
Ritter's Crypto Glossary and
Dictionary of Technical Cryptography
Encryption & Security Tutorial
N.A. Crypto Archives
International PGP site
NSA National Cryptologic Museum
EFF
attrition.org crypto archive
Bruce Schneier's Crypto-Gram
and last, but not least (the archive i developed) ....
PacketStorm Crypto Archives
there are lots and lots of excellent tutorials, docs, glossaries, and links to many of the great crypto sites in the world at all of the URLs above.
for the best info on NSA, ECHELON, misc paranoia, you should first check out Cryptome/JYA. i archived quite a bit of stuff related to your questions at the packetstorm site too - packetstorm.securify.com/crypt/nsa/.
feel free to email me directly if you like too. over the years, i have had some interesting experiences with the NSA, BXA, etc - primarily regarding my hosting of crypto archives, and personal investigations of NSA, ECHELON. if you want to discuss these things, get the pgp key for ken.williams@ey.com from www.keyserver.net, and send your key(s) and crypted msgs to tattooman@genocide2600.com
-
don't forget PGP
-
This is why I PGP
If only those silly employees had used something sensible like PGP, then agreed amongst themselves not to give out their keys (or more importantly, passphrases) to anyone else. Then the company can search their computers to their heart's content.
Of course, that would be using PGP to carry out an illegal action so if they had done the sensible thing the publicity from this case would easily have turned into a massive 'encryption is evil' media bun-fight. It could also have provided a way for law enforcement to bring key escrow issues back to the forefront.
The moral of the story... don't pull a sickie then leave evidence lying around (isn't a phone call just as good??).
PGPi is available from www.pgpi.org
-
There's no need to use RSA
Because RSA was patented, replacement algorithms were developed and used instead. GNU Privacy Guard as well as PGP 5.0 and later use Diffie-Hellman, DSA and/or ElGamal instead of RSA.
Besides, PGP doesn't use public-key encryption for the whole message. It uses RSA (or equivalent) only to encrypt a random "session key", which is then applied to the whole message using a symmetric cipher. PGP 2.x uses the IDEA cipher, which is also patented, and which is patented more widely than in just the USA.
Because of all the patent nonsense, I urge everyone who still uses PGP 2.x to upgrade to PGP 5.0 or higher, or to switch to GnuPG.
If you don't use any encryption tools yet, I recommend GnuPG.
-
PGP International
Powerful encryption programs do exist outside the US, like PGP. The current US export laws do restrict export of encryption source code in ELECTRONIC form, but they do not restrict the export of source code in BOOK form. This is a very nice "back-door" which can be exploited by anyone armed with the Source code book, a scanner, and OCR software. Of course, since the source code is currently on over 12.000 pages it does require a lot of work, but the pay-off is a legal version of PGP outside the US. The US version of the source code even has a few limitations and restrictions which are not relevant outside the US; the Non-US version has these removed and a few extra features added. The International PGP can be found at PGPi
So even though the US government restricts the export of encryption source code and software, I'm still able to enjoy my legal freeware copy of PGP and my 4096 bit key.
:)- BrightSide -
"Without darkness, there could be no light.
Without light, there could be no darkness" -
Re:separate parts of messages
The post office analogy is not really very accurate when you really look closely at the problem. The program that dumps the headers out for you (an MTA: Mail Transfer Agent, such as sendmail) already accesses and parses the whole message... it HAS to. Said same program can pipe a copy of the headers to a file thereby keeping the "contaminated" part of the process (the one that reads your mail) in the program and the "prying eyes" part of the process (the postmaster trying to fix her network) separate. (this of course assumes morals, competency and a whole bunch of other stuff.....)
A much better analogy is the telegram (don't laugh!) operated by the old school telegraph operators that could tap out a message without reading it... or better yet, an illiterate operator! If all you know how to do is transpose '---' to 'O' and vice-versa then it doesn't matter if I'm sending a love letter or a credit card number.
The biggest refrain in this though is that if you want privacy you must encrypt. GnuPG or PGPi or if you must have someone to sue if it breaks... PGP. -
Re:This is pretty unclear
You need to be made aware of it if someone is going to read your mail.
In the physical world, this is correct. The effort to prevent someone from doing something they can do must be expended because there is no other way.
On the net, this is not correct because there is another way. Simply make the undesired activity impossible.
sklein
-
[H]ac[k]tivism 101 :) (Re:jam echelon day)
These days, any form of activism involves events intended to disseminate your message to as broad a base of listeners as is possible. Whether we like it or not, this generally includes specifically-crafted "media events" targeted toward being picked up by mass-market information disseminators, such as the news media.
Like it or not, at this point in time, the general populace still is either unaware or unconcerned about the steady erosions of their online (and offline) privacies and the increasing trend of Orwellian monitoring of even the most simple interchanges by Three Letter Agencies and others.
A one-day action certainly isn't going to overwhelm the NSA's filesystems, and I am certain no one actually believes that it would. But it does have merit nonetheless. In a sense, it enables "the little guy" to feel a sense of empowerment by making an (admittedly token) gesture, somewhat akin to making obscene gestures at surreptitious surveillance cameras. Obviously this doesn't directly change the underlying problem, except in the small measure that the individual is that much more likely to take a slightly larger "rebellious" action the next time. Don't forget that so-called resistive actions are frequently the precursors to more active (and effective) attempts to effect change of the undesirable situation. (Think, "baby steps.")
More importantly, these events bring the subject to the forefront of conversation. How many water cooler conversations might happen in offices throughout the land, somewhat like this, the day after a similar event gets national coverage on the ubiquitous evening news?
- "Hey, you're into computers; did you see that thing on the news last night about how we can prevent the government from spying on us by jamming their computers?"
- "Well, actually, it's more like this...."
This also provides the opportunity to educate those with recently-awakened awareness of the issues to the importance of routine use of strong cryptography, since it is one of the most effective means of ensuring privacy against such Orwellian systems. Providing a link to GNU Privacy Guard (or even its less-free predecessor you mentioned) as well as an offer of assistance in setting it up, or acting as a mentor, will go a long way toward achieving the goal of widespread use of cryptography being the norm, rather than the exception.
Oddly enough, your post here on Slashdot is indication that the "Jam Echelon Day" event succeeded, at least from my perspective. The story is covered here, and will generate discussion, hence awareness of the underlying issues is being increased, with opportunity for followup discussion. Obviously, being picked up by other major information dissemination channels will increase the effectiveness.
Emacsen's Mx-spook and its ilk may not directly affect the NSA, but indirect effects via increased public awareness are likely. An idealist would say that Echelon can be ended through the process of representative government. A realist may doubt that, and feel Echelon can be ended only by making it no longer cost-effective, due to the routine use of strong cryptography. Either way, the first step is to bring the issue to the eyes of the populace, as often as possible.
-
Less of a privacy issue than a security issue
Although this obviously has many privacy concerns, I'm more interested in the security aspects of it. Based on the comments by Ms. Gardner, the IBM rep interviewed, that appears to be their main focus, too: they're interested in making E-commerce more secure. But they're going about it the wrong way (IMHO): see below.
``People from outside (of your organization) can get at your software,'' said Anne Gardner, general manager of desktop systems for IBM. ``People from the outside can't get to your hardware.''
So there will probably not be a software flash-upgrade for this chip or anything like that: after all, if it can be software-upgraded, it can be cracked: witness the recent virus (forget its name) that wiped your BIOS chip if you had a Flash-BIOS capable motherboard and chip. So the only way to upgrade this thing will be to replace the chip -- and it'll likely be soldered onto the motherboard.
``We want this to become an industry standard,'' IBM's Gardner said. ``We want this on as many desktops as possible.''
Which means that if they get their wish, people who build <buzzword>E-commerce</buzzword> sites will start to rely on their customers having PC's with the chip installed.
The features of the security chip include key encryption, which encodes text messages,
What key length? Is it upgradeable? Considering the "can't get at it with software" statement above, probably not. So either it will have export-grade encryption (weak and insufficient, as most /. readers well know) or the U.S. government will restrict its export from the U.S. Furthermore, what happens when 128-bit keys are no longer secure enough and you need to move to 256-bit keys? Whoops, sorry, can't just get a software upgrade, you need a new computer. More lock-the-consumer-into-the-upgrade-cycle stuff here, even if it's not intentional (and it very well may be intentional).
and ``digital signatures,'' which act as unique ``watermarks'' that identify the sender of the document.
So everything made on a computer can be traced to that computer. Just like typewriters in the olden days (I seem to recall a few detective stories based on that fact). Great -- could be useful in some circumstances; law enforcement would love that, for example. This is where the privacy issues (which I'm not discussing here) come in. BUT this just identifies machines and is useless for identifying people. It will almost certainly, however, be misused for identifying people by what computer they use. What happens when (not if) Joe L. User sits down at one of the public-access PCs at his local library to surf the web, sees a cool "web shopping" site and registers as a customer? Assuming the site uses the chip ID the way IBM seems to be suggesting here, it will send Joe's computer (which is actually the library's) a digital certificate for Joe to make it "easier" for him to shop there since next time he won't even have to log in. Joe likes this, of course: it makes things easier for him. So Joe orders a few things and leaves. (Log out? What's dead trees got to do with things, anyway?) Now Carl Cracker comes along, uses the same computer at the library, and checks the Netscape history to see what he can find. He finds Joe's recent visit to the <buzzword>E-commerce</buzzword> site, checks it out, and sure enough, Joe didn't log out. So he visits the site and their software thinks he's Joe. He orders a bunch of stuff and charges it all to Joe.
Plausible scenario? You bet. Could <buzzword>E-commerce</buzzword> site designers be so clueless as to use a mechanism designed for computer identification to identify people? No doubt about it.
The real solution to the <buzzword>E-commerce</buzzword> security issue is software. Ubiquitous, open-source, peer-reviewed software. Like, say, PGP (International version), or GNU Privacy Guard, or SSLeay. The hard part is that "ubiquitous" bit. You want real security? Here's how: Convince your boss to go open-source on the security aspects of the company's new <buzzword>E-commerce</buzzword> site. Read the Linux Advocacy mini-HOWTO first, then point out the advantages of using PGP or GnuPG or SSLeay rather than a proprietary solution. It'll be a hard sell, but stick with it. If everyone works at this, we'll eventually achieve the "ubiquitous" part.
The solution is out there, folks. Let's go implement it.
-----
New E-mail address! If I'm in your address book, please update it. -
Re:What ever happened to PGP?
...and don't forget that the source code to pgp is available at pgpi.org also. So you can check for backdoors yourself. No _nsakey there.
While pgp's license is not exactly GPL, pgp has showed the beauty of open source since well before the term was coined.
The story of how the pgp sources get past the US customs to pgpi.org (located in Norway) is also quite amusing...
-
Why Your Mom Should Use Encryption
Encryption is already readily available to the masses, quality secure encryption that is free and open source. The problem is, not a lot of people use it, just people who are aware they should. Many people who really, really should encrypt don't use it.
I wrote what I think is an easy to understand page about why ordinary people should use encryption. I'd like you to check it out, comment on how I might improve it, give me links, and most importantly, link to the page and get people you care about to read and download encryption software.
It's at http://www.goingware.com/encryption
I'd like you all to consider making an active effort to teach people in your companies and community to use encryption. For example, you could bring a PC down to a community center for an evening and teach people how to use PGP and Speak Freely, then hand them out on CD's (buy a burner if you have to, or pay a service to burn 50 of them for you, it won't cost much). Advertise this on bulletin boards, community access TV and so on, radio station community service announcements, etc.
Do you support a particular political candidate? Volunteer to teach them and their staff how to encrypt.
Mike Crawford
GoingWare - Expert Software Development and Consulting