Interview with Phil Zimmerman

A reader writes "PGP's creator is participating in an online interview this week. Phil is mainly interested in clearing the air about the recently discovered ADK bug, but the larger topics of encryption and worldwide organized snoop rings (Echelon) have already come up. The interview is open to questions from anyone; runs through Friday 9/8."

We need secure protocols, not content.

[Tackhead]

The evidence we're seeing - Carnivore being the best example - indicates that The Powers That Be are more interested in traffic analysis than in terms of decrypting your content.

In other words, all the strong crypto in the DATA segment of the SMTP transaction isn't gonna save you if an FBI agent decides he wants to forge a "From: kiddypr0narchive@fbi.gov" in an email to you. For mail to truly be secure, it's clear that we now need to encrypt all headers in the SMTP and/or POP transactions.

Likewise, for safe browsing, SSL on the content of the pages isn't enough; all the metadata in the HTTP GET requests have to be encrypted too.

Traffic analysis makes sense; it's machine-readable data, machine-parsable, and very easy to inject into a database for profiling purposes. Scanning a database for all From: addresses associated with To: fields of osama_bin_laden@secretterroristcamp.iq, or IP addresses associated with Referrer-ID: fields matching the regexp *janetreno*goat*pr0n* is a lot easier than actually trying to examine a terabyte of .JPGs.

We've seen it in the public domain with the "auto-sue" programs used against Napster users.

We're seeing the gummint getting into the act with Carnivore. Whaddyawannabet that 5 years from now, when Jaz and ZIP drives are no longer available, the "physical evidence" ceases to be a piddly 120M disk (which can probably only hold the sniffed headers from a handful of users before it has to be swapped for another disc) and becomes a 200G hard drive (which can hold everyone's traffic for a few days)? Hell, the cost of the "removable hard drive Carnivore" isn't much more than the ZIP drive one today.

At what point will we redesign our basic communications protocols to be snoop-resistant?

What about quantum computers?

[ca1v1n]

I'm sure everyone here has read about the quantum computers that are still in the pre-infancy stages at places like IBM and Los Alamos. Because of their peculiar nature, the quantum computers can factor numbers as easily as they can multiply them, rendering public-key encryption schemes useless. Of course, these systems are still very primitive, the latest ones at around 5 to 7 qubits. Still, it is inevitable that this technology will grow to the point where it could be capable of cracking 128-bit encryption or whatever we are using when the rapidly advancing quantum technology starts to catch up with traditional computers. Quantum computers do offer the possibility of quantum encryption, but due to the inevitable extreme expense of quantum computers at the early stages of development, it is quite likely that intelligence organizations or large corporations will have the ability to crack our codes several years before we gain the ability to protect ourselves from this threat. When this happens, what will we do to protect our privacy against powerful forces that can compromise it at will?

Close, but not quite

[dangermouse]

The reason for encrypting everything you can is a concept called "plausible deniability". If you only encrypt important things, someone can point to encrypted data and say "that's important, he must be up to something, I can tell because it's encrypted." If you encrypt everything, you can deny that any of it (or any given piece of data, more importantly) is at all interesting, and such denial is entirely plausible.

A very large pair...

[DESADE]

Whatever your opinion on encryption is, Phil Zimmerman deserves some respect. He released PGP despite very legitimate threats to his own personal well being.

I read an interview a long time ago about his reason for doing do. He said he had heard of a rebel group (forget which country) that was fighting against an oppressive govermnent was using PGP to communicate.

He decided that if his tool could be used to help people struggling for freedom, it did not matter what would happen to him. He released the software shortly thereafter. In my opinion, he's of the earliest true idealists in the world of hi-tech.

should everything on the internet be encrypted

[daniell]

On NPR I heard a pundit espouse that realistically everything on the internet should be encrypted. [this was the founder of 3com btw]. But I'm of the opinion that this is incorrect in that a lot of stuff doesn't really matter; why for example should you recieve encrypted ad banners (and I'm sure someone will think of a reason they're comfortable with). Arn't we forever going to run into a case where speed is more desireable for some applications (i.e. multicasted video)?

This has to do with the interview topic of encryption as you may be able to see

-Daniel

Re:should everything on the internet be encrypted

[prak]

Come on.. you know the answer to this one. If only "interesting" traffic is encrypted there is a lot less encrypted traffic flying across the lines to confuse big brother like organizations. You encrypt everything to make it more difficult to figure out which encrypted packets are the ones you should be interested in brute forcing.

If big brother like organizations waste a week trying to decrypt your mother's letter about a new recipe she just tried, that is a week they don't have to decrypt the message you reply with explaining why your family has to go into hiding. We need to inject more noise into the system.

-prak

DON'T POST QUESTIONS HERE

[64.28.67.48]

Go to the actual site (http://forums.itworld.com/webx?14@@.ee6 caf5) to post a question. /. is not hosting the interview.

Thrashing...please wait...

-------------