Domain: philzimmermann.com
Stories and comments across the archive that link to philzimmermann.com.
Comments · 90
-
Re:Still
Actually they can, if they want to.
Licenses can't just override laws willy-nilly, for example you can't contract people into slavery.
That means that it is perfectly possible to write laws that overrides GPL.
While one assume that such laws would exist in China or Russia the only real world example I can think of would be the laws regarding exporting cryptography algorithms in the US.
To circumvent them the PGP algorithm had to be printed as a book. Essentially you can already end up in situations where the GPL says that you have to send someone the source code but it might contain information that isn't legal for you to distribute.
Either you violate GPL or you break the law.
Chances are that if you choose to violate the GPL in that case you can use the law as a defense should someone decide to drag you to court over it. -
Re:Crypto-snake-oil claims are overstated
Given a choice between the advice of an AC and the advice of every encryption specialist I've heard of since Phil Zimmermann wrote his "snake oil" warnings in 1991
... you know, I think I'll pass on the AC. -
Re:No shit
Some of us have been pointing this out since...
Or were you going to point out that people have really been talking about it since WW2? Oh, you old fogie!!
-
Re:Latest update
It's funny that you should mention that. Werner Koch still uses a 1024D key for email. In fact, nearly everyone at g10code.com either has no key listed or uses 1024D. Most of the people involved in the development of GnuPG use ancient 1024D keys.
It's not just GnuPG, though. Phil Zimmermann only uses 1024D.
Perhaps there's something we're missing?
-
Bull
Show us where P.Z. ever said this would be "completely secure". Such a claim is the hallmark of snake oil, as described at http://www.philzimmermann.com/EN/essays/SnakeOil.html
-
Why Not Open Source?
This is quite interesting because if you make a project open source there is much much less that the government can do to stop your project. The thing that makes this even more interesting is this is being started by exactly the same person who PUBLISHED the source code for PGP IN A BOOK just to protect it from the government!
-
Re:PGP Broken
I hate to respond to my own post; but in the interest of fairness, here's what PZ has to say about backdoors, et al.
I also note that he says the source to PGP is still Open. -
zfone - encrypted and free!
-
Zfone, anyone?
What of Zfone?
-
Re:I think I speak for all of us...
> The idea that they had a change of heart in the .com boom, seems strange.
They didn't have a change of heart. AFAIK, you can thank this man for making NSA powerless against the now lowered barrier to entry for crypto systems:
PGP History, In particular, the part about the book form of the source code which was used to circumvent export restrictions. Remember downloading Netscape? You had to pick if you were in the US - you then got the strong ciphers. If you picked elsewhere, you got weak ciphers - thanks to the export restrictions. Due to the widespread availability of PGP, that distinction became moot. Also, read the part about the Clipper chip in here. That was the strategy of NSA at the time. It failed.
I think that the NSA might have thrown in the towel and moved on from encryption-decryption onto a more "meta" analysis. For example, like you said, connect the IP dots and you get the general gist of the activity even if you can't really get at the content. All you'd have to do is record the src and dst fields of the IP packet at all the major network carriers and you know who is talking to whom at what times and frequencies (I know that's overly simplistic but given the budget, I'm sure they can get far more sophisticated). Play "6 degrees of Kevin Bacon" and you get a lot more info than you would if you listened in on a voice conversation alone.
-
What would ... do ? Or time for a reality check.
I'm sure there are some people in the computer security world who you admire. So ask yourself, what would these people do if they had discovered the exploits? What would Phil Zimmermann, or DJB do? Some of these people were unhappy with the current situation, and took their own road and created some good, secure software.
Also, maybe your code isn't as good as you claim. Or maybe it mostly uses known exploits. It's time for a reality check. You should try to find some peers, and discuss it with them to determine how dangerous your product really is.
-
de-chesterising tor
Don't buy into that bogey man of kiddie snuff. It is being used to get a carte blanche for all kinds of restrictions against democratic principles like freedom of the press, freedom of speech and the right to peaceably assemble. The way it works is simple, a corporate or political interest has its skunk works bombard a service or site with offending material then they run to their co-investors in the media and whine for restrictions. Lather, Rinse, Repeat.
Keeping encryption and privacy in the mainstream is a very strong reason to promote Tor and one of the reasons mentioned for creating PGP in Phil Zimmermann's Why I Wrote PGP. Technology cannot police social problems.
Ceaușescu, Big Bush & Little Bush, various politburos and national Party committees have a problem with Usenet, Tor or anything else decentralized. Even e-mail and mailing lists, though centralized, seem a little too free for them.
-
Tor by default
I don't see request for Tor by default in Ubuntu. What about other distros or other onion routers? That would increase the base. Amnesty or Human Rights Watch or The Democracy Center all have a stake in onion routing. To take the thread in the same direction, but further, the group that backed Bush may have left the top offices in the administration, but it has not entirely left power. And the voting machine problem is not yet solved. Those are still under their sphere of influence.
Phil Zimmermann's Why I Wrote PGP and OpenSSH's SSH FAQ are two works that come to mind first about privacy. Most countries recognize the natural right to peaceable assembly. Do the corporations that now have larger budgets and more political clout than some small countries also have those rights? You know the answer. The price of freedom is not just eternal vigilance, the cost also includes acting to proactively resolve threats to that freedom.
-
Re:Chemically inert, they mean
This might sound unfair, but it's really very simple. If a reporter comes to ask you about your research, and comes away printing something totally inaccurate or just completely wrong then that is your fault.
Shortly after 9/11, Phil Zimmermann was interviewed about the possibility that PGP was used in planning the attacks. He carefully stated that he had no regrets, but that's not what the Washington Post ran.
He was already very experienced with handling the press by that point. He even had the journalist read the entire article over the phone before sending it to the editor. So apparently, there is no defense against a bad editor misrepresenting something, unless you ignore the press altogether.
-
Re:Even More Interesting
including a level of encryption that is so high it would take the NSA days to decrypt it
Keep in mind that encryption, right now, can be strong enough to take millions of years to decrypt.
You, sir, are correct. Although, I must inquire that if you're making several thousand transactions a week and you're writing software to whereby the transaction frequency matters to you (probably down to the millisecond) do you have the time to waste in encrypting/decrypting this? I would imagine that while it would take millions of years to decrypt it would also take several seconds to encrypt. That's time they don't have.
Also, if you are doing transactions with foreign institutions or exchanges then you may incur the wrath of exporting a weapon and putting national security at risk by deploying your software overseas. I know that sounds stupid for me to say. But you see, ever since Phil Zimmermann's arrest and subsequent release (and even more subsequent celebration), people have been wary of crossing that line. -
Re:Brought to you by closed source
Well, if they haven't gone after PGP
.. yet -
Re:I have a different take on this.
Same with technology, I have friends that do everything with PGP, 3DES, AES etc. It will only make them get put under more scrutiny.
This is why it's so essential to get everyone to use strong encryption by default. Philip Zimmermann said it best back in 1991, in the original PGP user's guide:
What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity.
But really, go and read the entire essay, it's important stuff.
-
A little reminder
This is a little reminder that we need a lot more users and exit nodes before TOR is reasonably safe.
This is a little reminder to encrypt your data end-to-end rather than through another network; anonymity is not security.
This is a little reminder that you really do need to check your SSL certificates. TOR's encryption fools some into thinking it is a security model. It is not. TOR facilitates anonymous transactions using encryption internally. It eliminates the possibility of people spying on you by name, but it does not stop them from spying on "the people" (which includes you). You still need another encrypted transaction between you and your endpoint for real security.
The more exit nodes there are, the less likely a snooping entity will get ahold of your data. The more users there are, the more data those snoops need to filter through to get something meaningful (caveat: statistical analysis. workaround: encrypt data past the TOR network).
This is a call-to-arms; everybody needs to use encryption and anonymization to enable the system to work, otherwise somebody can set up a few nets and read the whole network's content, even brute-force decrypt it due to its low volume. Take a look at Zimmermann's justification for PGP:
What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding.
-
Re:Not so fast
last time I checked you cannot "waive away" your constitutional rights.
You can effectively (i.e. defacto) waive them away. I always liked this quotation, written (coincidentally enough) by PRZ's lawyer when celebrating the dropping of charges against PRZ (last paragraph):
There are forces at work that will, if unresisted, take from us our liberties. There always will be. But at least in the United States, our rights are not so much stolen from us as they are simply lost by us. The price of freedom is not only vigilance but also participation.
In some sense, the constitution really is "just a piece of paper." If the people don't really believe in it, don't hold it to be truly representative of their values, and don't participate in defending it, then it is not the law. It isn't in force; it's just ink on a page, part of a fairy tale.
I see signs that a shockingly high fraction of Americans really don't feel any reverence for the rights asserted by the constitution. They think the law is wrong, and that it is unjust and undesirable that police are hampered by court oversight. A society where police have to get warrants, isn't the society they want, and it's probably not going to be one they vote for.
If the constitution asserts rights that people believe do not really exist, and public policy does not recognize those rights, then those rights are not protected. They've been waived.
-
Re:Fine by me..
What, only one reference to Phil Zimmermann? One of the main reasons Philip Zimmermann created Pretty Good Privacy in 1991 was because of the US government wanting to install backdoors in encryption software.
-
Phil Zimmerman says yes
My question: is there ever a case for letting national security issues dictate the limits of an open source project?
"Yesterday morning, I received word from Assistant U.S. Attorney William Keane in San Jose, California, that the government's three-year investigation of Philip Zimmermann is over."
-
Phil Zimmermann's reasons
Phil Zimmermann covers it all in his "why I wrote PGP" article, from waaaay back
http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html -
Heads up
Well, Phil Zimmermann not only gave a heads up in 1991, he gave the tools to use to do something about it. According to even a slow beast as the European Parliament, you should already be encrypting your e-mail. Its warning is from 2001, read and weep:
29. Urges the Commission and Member States to devise appropriate measures to promote, develop and manufacture European encryption technology and software and above all to support projects aimed at developing user-friendly open-source encryption software;
30. Calls on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes;
31. Calls on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the "least reliable" category;
32. Calls on the European institutions and the public administrations of the Member States systematically to encrypt e-mails, so that ultimately encryption becomes the norm;
33. Calls on the Community institutions and the public administrations of the Member States to provide training for their staff and make their staff familiar with new encryption technologies and techniques by means of the necessary practical training and courses;
— from European Parliament resolution on the existence of a global system for the interception of private and commercial communications (ECHELON interception system) (2001/2098(INI)) -
Re:Suppressed Information + Fear
here's some encryption for ya
http://www.philzimmermann.com/zfoneproject/index.html
also, skype's encryption and how they do it is not viewable to me. thus, there are blatant issues with me talking over skype and hoping that their encryption is 1) strong enough, 2) they won't divulge my key, 3) they will establish the keys well, 4) there aren't hidden back doors. i personally can't really tell what's going on with skype. i use it when i talk to the unenlightened, but i don't talk about anything that requires encryption to them, and really don't use voip much anyway. i tell them that if they want to be able to talk to me about such things via voip, that it'll be through something that shows me some source.
as a bit of a crypto buff, encryption means a lot to me--but the fact that you're trusting skype means that it probably doesn't mean much to you.
( um, sorry if that came off a bit harsh... ) -
Re:What privacy?
Privacy hasn't gone anywhere. If anything the world today has given us MORE privacy than ever before.
You should read this: http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
A quote:
But when the United States Constitution was framed, the Founding Fathers saw no need to explicitly spell out the right to a private conversation. That would have been silly. Two hundred years ago, all conversations were private. If someone else was within earshot, you could just go out behind the barn and have your conversation there. No one could listen in without your knowledge. The right to a private conversation was a natural right, not just in a philosophical sense, but in a law-of-physics sense, given the technology of the time.
-- mverwijs -
Avoid the Risk--Use Zfone
It's a document like this that makes you want to install an application like this.
From the FCC Mandate: First, the Order affirms that the CALEA compliance deadline for facilities-based broadband Internet access and interconnected VoIP services will be May 14, 2007, as established by the First Report and Order in this proceeding. The Order concludes that this deadline gives providers of these services sufficient time to develop compliance solutions, and notes that standards developments for these services are already well underway.
From Phil's site: Zfone uses a new protocol called ZRTP, which is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world.
The stupid part of this is that we shouldn't have to do this ... but with the way the wind is blowing inside the beltway, you need to adapt and avoid the risk. The FCC & NSA can walk all over you until the climate changes, be patient and resist.
You are innocent. You have done nothing to give the government the right to investigate you or collect your phone records with the intent to prosecute you. If you're an American, take a few hours to protect what so many people have fought and died for: your rights to privacy and being innocent until proven guilty.
What next? Is the King of England going to be able to listen in on my VoIP calls? -
Re:4 words
Since they've never (at least that I've ever heard) disclosed how their encryption scheme works, so nobody outside of Skype really knows how secure it is, or if there are any backdoors. Sure, they say it doesn't have any backdoors, but they're not exactly an unbiased source.
Good points. If you are concerned about back doors and security, try Zfone. Created by Philip Zimmermann of PGP fame, Zfone is a secure VOIP application. He states in his FAQ regarding whether Zfone includes any back doors, "anyone who knows anything about me knows the answer is No", also the source code is "available to download for peer review". And they never claim not to hold keys in escrow for "lawful requests from relevant authorities," as the Skype head of security puts it, in the article you linked to.
Basically, Skype is probably (okay, almost certainly) better than just using an unencrypted landline, but nobody knows by exactly how much.
-
SIP Encryption? ZPhone
-
Zfone!
Phil Zimmermann has put out some freeware that will provide strong voice encryption. You have to be using a soft phone, and obviously the person you're talking to has to be using it as well. The interesting thing is that every call is a different encryption key, and you never knew what they were in the first place, so you can't give it up.
http://www.philzimmermann.com/EN/zfone/index.html -
MITM attack - the workaround
Zfone, like Off-the-Record Messaging, doesn't use a pre-shared key to prevent man-in-the-middle attacks. Rather, it uses a code (conceptually similar to a key fingerprint) which each person reads for the key they have from the other person, to the other person. By ensuring this code matches what is expected, and observing that the voice is not being artificially replaced between the two people.
As long as those codes are correct, the call is secure.
The second part is that a bit of information is kept from each call, and used in an authentication process in the next call. Because both systems will know this information (if they are the same systems), authentication can occur without either person needing to deal with it directly. If the systems for the second call are not the same as for the first, the code-reading process must occur again.
There is more to it than that, but that's the quick dirty summary.
For more details, try:
http://www.philzimmermann.com/EN/zfone/index-faq.html
http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html (not the same, but very similar)
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
http://www.ietf.org/internet-drafts/draft-zimmermann-avt-zrtp-01.txt -
Re:They should have used SSL
Do you really, really think the people who developed this had never heard of certificates and smart cards? They chose not to do this because it is very bad solution. CA's are a dismal failure, and they can guarantee nothing except that you have enough money to pay them.
Meanwhile, the hash solution is quick, simple and secure, requiring no secure exchange of secrets beforehand, nor trusting completely unreliable CAs. Zfone uses the exact same method: http://www.philzimmermann.com/EN/zfone/index.html
But maybe you know something about these matters that Phil Zimmermann doesn't? -
Re:What about authentication?
it doesn't tell you who you are talking to. GSM calls are never point to point, so there is always a "man in the middle".
ah, but this point was made well with Zimmermann's Zfone - you do the authentication yourself by having a conversation with the person on the other end and determining if he is the person he claims he is. Relying on complex certificate authorities and key management schemes makes most secure communications systems unfeasible - the old usability vs. security paradox.
Additional security and integrity is ensured by a calculated HASH checksum that is indicated on the display
and it seems you also stop Man-in-the-Middle attack similarly as in Zfone, by being able to read and confirm the hash checksum with the person you're talking to...
-
Re:Cryptome
Mr. Zimmermann, the registration page that is being referred to only asks for your email address, thus your argument is invalid in this case.
http://www.philzimmermann.com/EN/zfone/index-registration.html
So why do you require registration? -
Re:Know how it works...
Tapping and recording the bit stream is not a case of Man-in-the-middle attack. This is just simple Eavesdropping. The Diffie-Hellman key exchange is in fact vulnerable to a Man-in-the-middle attack. To address this, what is needed is some form of authentication, such as Public-key cryptography or Password-authenticated key agreement.
I think Phil Zimmermann is smart enough about cryptography to know this. So hopefully, authentication will also be a part of this. The focus of Zfone, however, is the fact that the original Session key, which could be subject to forced disclosure, is not kept. If there is no authentication, then a true Man-in-the-middle attack is possible, but requires something more sophisticated than the fiber optic splitters used in the secret "study group" rooms.
-
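The two posts above ("MITM attack - the workaround" and "Know how it works...") describe the same mechanism from two sides: plain Diffie-Hellman gives a fresh per-call key but is open to a man-in-the-middle, so ZRTP adds a short code derived from the key that the callers read to each other, plus a retained secret that authenticates later calls between the same two endpoints. The model below is an added illustration written for this page, not Zfone or ZRTP code; the `Endpoint` class, the 20-bit base32 SAS, the `rs1` cache layout and the `rs1_tag` commitment are simplified assumptions rather than the protocol's real encodings, and the 1024-bit RFC 2409 group is demo-size only. It shows the four cases a practitioner cares about: a first call (SAS must be compared), a repeat call (cache authenticates silently), an intercepted call (each side shares a key with Mallory, caches do not match), and the honest call after an interception (caches have diverged, so the SAS must be compared again).

```python
"""Toy model of the ZRTP-style MITM defence: ephemeral DH, a short
authentication string (SAS) read aloud by the callers, and a cached secret
that authenticates later calls (key continuity). Added illustration only;
formats below are simplified assumptions, not ZRTP's actual encodings."""
import hashlib
import secrets

# RFC 2409 "Second Oakley Group" (1024-bit MODP) prime, generator 2.
# Demo-size only; real deployments use larger finite-field or EC groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128                                  # any value < P fits in 128 bytes
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"      # RFC 4648 base32 alphabet


def to_bytes(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")


def sas_from(secret: int, pub_lo: int, pub_hi: int) -> str:
    """20-bit SAS as 4 base32 chars, bound to the DH transcript. A MITM who
    ran two separate DH exchanges gets two independent strings; they match
    only by a 1-in-2^20 chance (hypothetical SAS format)."""
    h = hashlib.sha256(b"sas" + to_bytes(secret) + to_bytes(pub_lo)
                       + to_bytes(pub_hi)).digest()
    bits = int.from_bytes(h[:3], "big") >> 4  # top 20 bits of the hash
    return "".join(B32[(bits >> s) & 31] for s in (15, 10, 5, 0))


def rs1_tag(rs1: bytes) -> bytes:
    """Commitment to a cached secret; safe to send in the clear."""
    return hashlib.sha256(b"tag" + rs1).digest()


class Endpoint:
    """One caller. `cache` maps a peer name to the secret retained from the
    previous call with that peer (hypothetical layout)."""

    def __init__(self, name: str):
        self.name = name
        self.cache = {}
        self.priv = self.pub = None

    def start(self, peer: str):
        """Fresh ephemeral DH value per call (forward secrecy) plus a tag of
        whatever secret we retained from the last call with `peer`."""
        self.priv = secrets.randbelow(P - 2) + 1  # 1 <= priv <= P-2
        self.pub = pow(G, self.priv, P)
        rs1 = self.cache.get(peer)
        return self.pub, (rs1_tag(rs1) if rs1 is not None else None)

    def finish(self, peer: str, peer_pub: int, peer_tag):
        """Complete the exchange; return (secret, SAS, cache_matched)."""
        secret = pow(peer_pub, self.priv, P)
        lo, hi = sorted((self.pub, peer_pub))    # same hash order on both sides
        sas = sas_from(secret, lo, hi)
        mine = self.cache.get(peer)
        cache_ok = mine is not None and peer_tag == rs1_tag(mine)
        # Retain a derived value for next time; the DH secret itself is dropped.
        self.cache[peer] = hashlib.sha256(b"rs1" + to_bytes(secret)).digest()
        return secret, sas, cache_ok


def honest_call(a: Endpoint, b: Endpoint) -> dict:
    pub_a, tag_a = a.start(b.name)
    pub_b, tag_b = b.start(a.name)
    sec_a, sas_a, ok_a = a.finish(b.name, pub_b, tag_b)
    sec_b, sas_b, ok_b = b.finish(a.name, pub_a, tag_a)
    return {"same_secret": sec_a == sec_b, "sas": (sas_a, sas_b),
            "cache_ok": (ok_a, ok_b)}


def mitm_call(a: Endpoint, b: Endpoint, m: Endpoint) -> dict:
    """Mallory intercepts signalling and runs one DH with each victim. Audio
    is relayed so the call works, but each victim shares a key with Mallory."""
    pub_a, tag_a = a.start(b.name)
    pub_b, tag_b = b.start(a.name)
    m_pub_to_a, _ = m.start(a.name)
    sec_ma, _, _ = m.finish(a.name, pub_a, tag_a)
    m_pub_to_b, _ = m.start(b.name)
    sec_mb, _, _ = m.finish(b.name, pub_b, tag_b)
    # Mallory holds no retained secret for the Alice<->Bob pair: no tag to send.
    sec_a, sas_a, ok_a = a.finish(b.name, m_pub_to_a, None)
    sec_b, sas_b, ok_b = b.finish(a.name, m_pub_to_b, None)
    return {"same_secret": sec_a == sec_b,
            "mallory_knows_both": sec_ma == sec_a and sec_mb == sec_b,
            "sas": (sas_a, sas_b), "cache_ok": (ok_a, ok_b)}


if __name__ == "__main__":
    alice, bob, mallory = Endpoint("Alice"), Endpoint("Bob"), Endpoint("Mallory")
    print("call 1 (first, compare SAS):", honest_call(alice, bob))
    print("call 2 (cache authenticates):", honest_call(alice, bob))
    print("call 3 (intercepted):", mitm_call(alice, bob, mallory))
    print("call 4 (caches diverged, compare SAS again):", honest_call(alice, bob))
```

The part the code cannot model is the human step from the first post: the callers must actually speak the SAS to each other and recognise each other's voice, since a relay that could also substitute speech would defeat the comparison. The cache check only removes that step once a previous call has been verified, which is why call 4 falls back to the SAS after Mallory's interception.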
Re:SIP Zfone?
See Phil Zimmermann's FAQ about Zphone.
According to him, there are no ATA devices or any other hardware-based Voip phones that support ZRTP (the zfone encryption protocol). I doubt that Vonage or any other large VoIP service provider will ever offer a phone with ZRTP support due to pressure from the US government.
According to my understanding, Zfone will intercept any SIP call made from your PC and encrypt it on the fly. This means that you should be able to use any software based SIP phone with Zfone. -
Re:Know how it works...
Phil has a FAQ that, among other things, describes how man-in-the-middle attacks are eliminated or at least mitigated.
http://philzimmermann.com/EN/zfone/index-faq.html -
I hope Phil Zimmerman doesn't like London
I guess ZFone is right out then. Dynamic encryption key set up by using Diffie-Hellman on a call by call basis with an unknown peer using no pre-shared key (PSK). A dynamic way to make VOIP untappable. Even with the incredible tools that the NSA uses from Narus Networks and optical splitters to assemble profiles on every conversation and protocol used by a given source IP address. (The Narus tools used by the NSA can decode all major codecs). Assume your Vonage calls are on a hard drive somewhere.
-
Who cares?
Funny how even though they were actually capturing voice conversations and full email contents under Clinton, it was totally fine. In fact, the NY Times lauded it as a necessary measure during this day and age. But now that Bush is simply watching the numbers we dial and receive phone calls from it's an impeachable offense. Check THIS out: http://cryptome.org/echelon-60min.htm It's a transcript of a 60 minutes segment on Project Echelon from 2000 - which was obviously before Bush took office in January of 2001. Somehow I imagine that people are going to draw the amazing conclusion that Bush is responsible for Echelon as well as Carnivore during the 90's even though he wasn't President...
So with Clinton it's ok... with Bush it's impeachment and all the while people are allowed to show blatant disregard for the law leaking our national secrets with no fear of imprisonment. Apparently it's our wonderful members of Congress who are above the law (yes I'm talking to you Jay Rockefeller) - not the President. In fact I'd be impressed for someone to prove to me that the powers given to the Executive branch don't allow for the President to approve warrantless wiretaps as a matter of national security. And remember - this is not the first time that the President of our country has chosen to impede on individual privacy for the sake of national security. Ask the Japanese Americans thrown into concentration camps during WWII under Roosevelt. Clinton, Carter, Roosevelt, even Washington and others have taken these kinds of steps.
Don't get your panties all in wad... I've read 1984 too. And believe me, I'm not interested in a police state either. I understand the whole "frog boiling in water" premise in that over time things can be eroded to the point that they are totally gone. But let's not take the slightest movement in that direction as doom and gloom. The President is responsible for protecting the security of this country. Not you. He is the one who we will point to if and when terrorists attack us again. From what I've heard of these programs in the NSA, I think they are the best balance we can hope for between finding terrorists in his country *before* they commit another attack and our individual rights as citizens. It's been almost five years since 9/11. I don't think that the terrorists just gave up. I think they would love to continue to terrorize us and our way of life. And I think these NSA programs and whatever else Bush has been doing have obviously led to these discussions over privacy vs security instead of discussions about the latest terrorist attack and when the next one will come.
For those of you who are so scared about the government listening to whatever you're saying on the phone, I suggest the following: http://www.gizmoproject.com/ coupled with http://www.philzimmermann.com/EN/zfone/index.html
If you really really have a problem with the government doing anything to impede on your privacy you can always move somewhere else. Unlike other countries, you are free to leave this one at any time. -
Use Zfone
"If Skype bows to FCC pressure (which they will) then they will not provide encryption in their service which means that the people using Skype won't be able to encrypt their calls."
http://www.philzimmermann.com/EN/zfone/
From the link: "Zfone uses a new protocol called ZRTP, which is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. It interoperates with any standard SIP phone, but naturally only encrypts the call if you are calling another ZRTP client. This new protocol has been submitted to the IETF as a proposal for a public standard, to enable interoperability of SIP endpoints from different vendors."
If it's digital, its encrypt-able. They can monitor everything they want, but as long as VoIP goes through an internet connection (which is the whole point of VoIP), it's encrypt-able. The same goes for all things over the internet.
Remember, the NSA is already monitoring lots of internet and phone traffic. They're blanket tapping us all. Right now, if my connection is going out over an AT&T line, they are watching me. No longer is it just paranoia that we're all being watched. If you want privacy, don't just encrypt your phone conversations. Encrypt your searches, encrypt your email, encrypt your downloads, encrypt your files. The NSA may be able to see the traffic, but you can prevent them from red flagging you by your content.
It is no longer akin to an act of civil disobedience to run encryption, it is a survival tactic for what another poster called Joe Sixpack (aka Joe Bloe, John Smith, Average Joe). -
Re:The key word...
It starts out kind of okay, and then gets *sketchy* later. See section 3, reporting bugs.
The EULA:
Source Code For Internal Review License Agreement
ATTENTION: The files you are about to download contain the source code for certain Zfone software products owned by Phil Zimmermann & Associates LLC ("Zimmermann") at http://philzimmermann.com/ (spelled with 2 Ns!). Zimmermann is making these source code files available to you for specific limited purposes and you may use these source code files only for these purposes. You should read these license terms carefully and decide whether you are willing to agree to these license terms.
* If you are not willing to agree to these license terms, Zimmermann is not willing to provide the Source Code to you and you must not proceed with the download. By proceeding with the download you are consenting to all of the terms contained herein.
* The Source Code (including its structure, organization, and other non-literal elements) is protected by copyright laws in the United States and other countries. Zimmermann owns and retains all right, title, and interest in and to Source Code, including all copyrights, patents, trade secret rights, trademarks, and other intellectual property rights therein. The unauthorized reproduction or distribution of this copyrighted work is illegal, and may result in civil or criminal liability.
DEFINITIONS:
"Source Code" means the source code for the Zfone software provided pursuant to this Agreement.
"You/you" means the individual person installing or using the Source Code on his or her own behalf; or, if the Source Code is being downloaded or installed on behalf of an organization, such as an employer, "you" means the organization for which the Source Code is downloaded or installed, and the person installing or using the Source Code represents that he or she has the authority to do so on your behalf.
LICENSE TERMS
1. What You Can Do. Under this license, you have the right to:
(a) download the Source Code files and make a reasonable number of copies as necessary to exercise the rights granted below;
(b) review the Source Code in these Source Code files in order to verify that there are no unknown vulnerabilities or the like and in order to make your own assessment of the security features of the Zfone software;
(c) compile the Source Code for the Zfone software program into an executable code version of the program;
(d) run the executable code version solely in order to assist in your testing and cryptographic analysis of the security features of the Zfone software; and
(e) modify the Source Code in the course of exercising the rights granted above.
2. What You Cannot Do. Under this license you do not have the right to, and you may not:
(a) modify the Source Code beyond what is allowed above;
(b) make copies of the Source Code files beyond what is allowed above;
(c) remove or alter any notices in the Source Code files relating to patents, copyrights, trademarks, or other proprietary rights;
(d) give (meaning sell, loan, distribute, or transfer) the Source Code files, as originally provided by Zimmermann or as modified by you or anyone else, to anyone else (unless you are downloading the Source Code files in the course of performing duties for your employer, in which case you can share the Source Code files with fellow employees as long as you do not make additional copies and otherwise comply with these license terms);
(e) use executable code versions of the Zfone software program created by compiling these Source Code files for any purpose or reason other than verifying that there are no unknown vulnerabilities or the like or otherwise making your own assessment of the integrity of the Source Code and the security feat
-
The key word...
...is "connected". For the people whom I talk to the most -- family and some cyber-aware friends -- strong encryption on top of VoIP is the way I will go. Don't leave the Internet for the traditional POTS world and the CALEA doesn't apply.
http://www.philzimmermann.com/EN/zfone/index.html
Thank you (again), Phil.
-Charles -
Re:already secure?
That's what they say, but since they don't tell you how, much less provide a means of peer review, it's just snake oil. I use Skype, but I don't trust the encryption; neither should you.
-
It Sure Is
See Zfone.
-
put PGP everywhere
It's about time to put a user-transparent version of GPG (or symmetric encryption) in about every open source project which uses communication or stores something. I'm already wondering why it's not included in Thunderbird by default (I know, the provided GPG plugin is one of the best available for mail systems, see http://enigmail.mozdev.org/ ).
Good programs would be:
- encrypted storage for torrent files (F*** off RIAA)
- Generate and upload GPG key when you install Thunderbird by default
- Encryption for VoIP (yeah, Skype has it and it pisses off the feds)
http://www.schneier.com/blog/archives/2006/04/voip_encryption.html
or zfone http://www.philzimmermann.com/EN/zfone/index.html
- GPG encryption in HTTP traffic (no more snooping on forms)
- ... -
Encryption is the answer
Encryption is the answer to this, and it continues to amaze me that otherwise intelligent software developers continue to create software that does not utilize encryption.
95% of web traffic continues to be by HTTP, instead of the easily deployed HTTPS (and by easily I mean the entire infrastructure to support it already exists, both for clients and servers).
SMTP continues to be plaintext and bounced around like a ping-pong ball. The reasons for using encryption with SMTP are the same reasons for using letters in envelopes and not postcards. Two thousand years ago the Romans used wax seals on their private documents to ensure no one intercepted the message en route, yet every email on the planet is still there to be read.
Instant Messages continue not to be encrypted between recipients, and just like HTTPS the infrastructure is already there to support it. Why is it that it is off by default in a world where you can't buy a system with anything less than a 2+ GHz Celeron processor?
VoIP continues to go unencrypted over the Internet, for reasons that I can't even begin to fathom. We expect to have digital wireless phone calls--on a system first deployed over ten years ago--encrypted, but the brand new digital wired calls not? Thank God there are people like Phil Zimmermann out there.
Seriously, this is the most basic concept in an age where the people have every right to fear their government that most people distrust and believe is corrupt, in an age where the government (allegedly) mandates that all Internet traffic is made available for illegal spying, in an age where people have feared the NSA was already spying on citizens... the list goes on.
It is the responsibility and social responsibility of programmers and standards-makers to pursue wide encryption deployment, or the whole "Daddy, where were you when they took freedom of speech away from the Internet?" cliché will be answered with "With my shoulder to the wall helping the government take away everything else." -
Printed source circumvented export restriction
FYI,
The source code was printed in a book in order to circumvent U.S. Export Restrictions at the time.
Excerpt from Phil's Site
There are complicated reasons why there were different PGP versions made outside the US back in the 1990s, when there were US export restrictions on cryptographic software. These laws had a loophole that allowed cryptographic source code in printed books to be exported. We cleverly exploited this loophole by publishing books containing the complete PGP source code, exported these books to Europe and then arranged for them to be scanned via OCR back into a computer.
-
Re:Solution: Philip Zimmermann's Zfone
It's good to see that Zimmermann believes strongly in making the source code available. When PGP was first released, Zimmermann disseminated the source as widely as possible, even having it printed and bound. One of the reasons PGP went downhill after it was taken over by a large corporation was the decision to give customers a security product with no way of knowing it was secure.