Elegant Email Encryption for Everyone?
"The problem is that in order to use public key encryption, both parties (sender and receiver) must be using something like PGP. Most of the people I correspond with consider encryption either too complicated or too bothersome to use... with its key generation, signing, encrypting, decrypting, exchanging keys and such. There are always non-public-key systems, but that usually requires both parties to use the exact same software at each end. And then there is the issue of everyone using different operating systems (Windows, Solaris, Linux, etc.). And then there is cost involved for any commercial packages. Of course, there is always HushMail and its ilk, but I don't want to be tied to a web-based system.
For people like me and you, encryption is easy. But that's not the case for everyone else in the world. Why is it still difficult? And what is the best solution to date?"
Sylpheed has been able to do GPG for a while, though I only got it going yesterday. I put some [S]RPMs up here
--
Which is good, but my boss uses communicator for email (and even likes it for some reason!).
Outlook and eudora are fine, but right now I'm stuck with x509 verisign certs (which only work on communicator under linux, no other clients) because pgp (which we wanted to go for) doesn't work for netscape under linux or windows.
Anyone got a solution for this? Either
a) x509 support for a linux client that isn't netscape
b) pgp support for netscape under windows and linux
TIA
Compress it. Simple ZIP compression will defeat packet-sniffers looking for keywords or credit card numbers. And the braindead password protection in PK(and Win?)Zip will stop people going the extra step of simply opening attachments. Unzip software is pretty ubiquitous nowadays.
Outlook Express & Communicator are good & full-featured???
I prefer Outlook Express to all other email clients I've tried, including Communicator (Netscape or Moz), KMail, Pine, Mutt, Eudora, Mulberry, Sylpheed, Kiltdown and probably another half dozen which I've forgotten the names of.
Why do I prefer Outlook Express? It's ONE app for mail and news. It's straightforward, has pretty damn good filtering (No I don't need regexps, thanks for asking), multiple POP, IMAP and NNTP accounts, works with LDAP, doesn't barf on attachments or HTML mail (ewww...), I've never had it crash out on me and it is pretty damn fast unless there's a 10M attachment. NO OTHER EMAIL APP WORKS AS WELL FOR ME. Get it? Got it? Good.
Believe you me, I want an OE clone for Linux. I run Linux on my laptop but run Win4Lin so I can get OE, IE, Office and my Win32 dev tools. I don't use IE all that much (Opera and Konq rock my world) but there has been nothing which works as well for me as Outlook Express for email and news. And that's sad because I could do a lot of my work without booting Win4Lin if I could only get a decent email client.
Security? Yeah OE blows for security. I run qmail on my mail servers and the HTML-trap procmail script cleanses all my incoming messages. I've never seen an ILOVEYOU, autorun .vbs or Word macro virus. If I were running OE in a "wild" environment I'd be crazy but I have a nice firewall at work and a decent firewall at home. I'm not running "in the wild." OE works nice for me.
They are bloatware and foist HTML and MS DOC format into emails.
I've never had MS Word or .DOC emails come out of OE. And it certainly doesn't foist HTML email on me. One configuration switch and it's all plain text, baby. As far as bloatware goes, OE is actually pretty nice in that respect.
Oh well. You could do all that with emacs and have a real editor
Sure, call up the bloatware app of the open source world. Hell even Moz doesn't meet the bloat that emacs has.
And, you could be doing other, real work, instead of farting around pointing and clicking on menus when two or three commands on the keyboard would have the job done.
I am generally a keyboard kind of guy. Like the keyboard, however, mice have their place. In a multi-pane email app, the mouse wins out over the keyboard for quick selection. After that I use the keyboard to scroll up and down, selecting different messages, deleting, etc.
I will never, in all the time I'm on this earth, understand why people obsess with mousing around on menus. It is demonstrably NOT faster than using the keyboard to do the same job.
For most circumstances I would agree with you on the speed issue. Try calming a crying infant in one arm and read the latest CBC news with just a keyboard. The mouse is demonstrably faster in situations such as those. And it has also been demonstrably proven that the WIMP interface is more intuitive than [esc]:wq (Yes I use vi).
Like a lot of other people, I've used multiple clients and I have no doubt that the text-based clients are the fastest and easiest to use. You can't do anything with fatal OE that I can't do as well or better in emacs -- well, except produce HTML mail.
For me, OE is the best. I personally don't care what you use unless I haven't heard of it before and thus perhaps persuade me to try it. As far as emacs goes -- well I'm not going to open up that can of worms. I don't like it and that's all there is to say on that particular subject. It works for you and that's good; I'm happy you're happy. It won't do it for me, though.
And since when did this become a pissing match as to what the OS-that-thinks-its-an-editor and an app which has a specific defined purpose can do? I stated what I liked about OE and why because someone (possibly you) had said that OE was a bloated piece of shite. I feel I've proven my point.
Check it out!
Wrong. I want to be able to send emails to my friends in the US without the NSA being able to build a profile of me that will be incorrect in 20 years. I want to be able to send email without some unscrupulous (sp?) company logging everything from their SMTP server and then selling my demographic information. Personally, I'm worried about the companies running the internet than the governments. I want to be able to express opinions today that I might not agree with in the future without worrying about some arsehole company like Experian being able to build an incorrect profile about me - companies like Experian already have too much power over our lives.
It's possible that the NSA can crack PGP. But they probably can't do it easily. Right now most of the email you send get streamed all over the place in PLAIN TEXT. That means that the NSA can literally search everyone's email for interesting regular expressions. The sys admin at your ISP can do this with your mail as well (and probably not just the sys admin).
Even elementary encryption methods (like rot-13 or reversing the entire message) will defeat these types of random computerized searches. That means that in order to read your email someone at the NSA (or your ISP) would have to actually want to read your email in particular. Instead of being able to use a computer to sift through your private conversations they have to pay some human to do this.
PGP raises the bar another level. The NSA might be able to read your PGP encrypted email, but they probably can't do it easily or inexpensively. They would have to schedule time on their super computers, and it would probably take a considerable amount of time. In fact, it probably would be easier to simply drive down to your house and put a gun to your head and demand the passphrase.
After all, if the NSA really wants to read your mail, you are screwed.
Nope. Every answer I've seen here is looking at it from the wrong viewpoint. Anything that requires application support is doomed from the start. Sure, as soon as something gets into Outlook, it'll be adopted by the world as a whole, but only until the next version, when MS will replace it with something else that's completely incompatible.
The solution is not encrypted email. It lies in the use of opportunistic encryption at the network layer. That way, all traffic is encrypted, whether it contains an email message, a web page, a DNS lookup or anything else.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
...richie - It is a good day to code.
I've always wondered myself why MTA-to-MTA encryption isn't more prevalent. It's not all that difficult; all you have to do is run SMTP over SSL. There's even a port number assigned for it (465/tcp).
Sending MTA's simply need to try port 465 first, and if they can get an SMTP-over-SSL connection, transmit the mail that way.
The only caveat is, when you trust your privacy to this paradigm, you are assuming that everything downstream from the mail server is secure. This is fine if The Enemy is government-sponsored wiretappers at the major Internet backbones, but if you are afraid that someone's snooping the in-house LAN, you'll have to use something that's integrated into your client program.
--
Tired of FB/Google censorship? Visit UNCENSORED!
Are you clearsigning your emails, or are you making a separate signature file? If you just clearsign, it shouldn't come through as an attachment.
Engineering and the Ultimate
Hence, I use A=65, B=66, C=67, etc...
I've called this encryption code "ASCII", which stands for "Absolutely Secret Code for Idiocy Interchange".
-- Faré @ TUNES.org
Reflection & Cybernet
MTA-to-MTA encryption protocol : STARTTLS. It doesn't specifically encrypt the body as does S/MIME and PGP/MIME, but it encrypts the entire MTA-to-MTA session. However, once the mail reaches another MTA that doesn't support STARTTLS (or doesn't have the SSL/TLS certs from the connecting server) the mail is in plaintext. There are a few RFCs for STARTTLS in IMAP and MTA if you want to look into that.
STARTTLS answers all of your requirements as stated. Sendmail 8.11+ in particular is very good with STARTTLS and notes whether one, several, or all of the MTA-MTA connections in a given message's route used STARTTLS successfully.
Side note: if you are concerned about performance and security in Sendmail, look no further than 8.12b10. I've heard it rips postfix to shreds and drops setuid entirely now.
Jubal
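Added example, not part of the original comments: the per-hop STARTTLS record described above can be read back out of a message's Received headers to find where the route fell back to plaintext. The sample message is constructed, and the `(version=... cipher=... bits=... verify=...)` annotation is an assumption modelled on what sendmail writes; other MTAs word it differently.

```python
import re
from dataclasses import dataclass
from email import message_from_string

# Constructed sample message. Hosts, ids and dates are made up for the example.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org (8.11.6/8.11.6) with ESMTP id f5AB0001
\t(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
\tfor <bob@example.org>; Tue, 5 Jun 2001 14:02:11 -0400
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net (8.9.3/8.9.3) with ESMTP id f5AB0002
\tfor <bob@example.org>; Tue, 5 Jun 2001 14:02:09 -0400
Received: from laptop.example.com (laptop.example.com [203.0.113.5])
\tby relay.example.com (8.11.6/8.11.6) with ESMTP id f5AB0003
\t(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=OK)
\tfor <bob@example.org>; Tue, 5 Jun 2001 14:02:05 -0400
From: alice@example.com
To: bob@example.org
Subject: constructed test

body
"""

# Assumed annotation format (sendmail style); adjust for other MTAs.
TLS_RE = re.compile(
    r"\(version=(\S+)\s+cipher=(\S+)\s+bits=(\d+)\s+verify=(\w+)\)")


@dataclass
class Hop:
    sender: str      # host that handed the message over
    receiver: str    # MTA that wrote this Received header
    tls: bool        # session was encrypted
    cipher: str
    bits: int
    verified: bool   # receiver validated the sender's certificate


def audit_route(raw):
    """Return the hops in delivery order with their TLS status.

    Received headers are prepended, so the newest is first; reverse them.
    Only headers written by MTAs you control are trustworthy: anything
    further upstream can be forged by whoever relayed the message.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        sender = re.search(r"^from\s+(\S+)", flat)
        receiver = re.search(r"\bby\s+(\S+)", flat)
        tls = TLS_RE.search(flat)
        hops.append(Hop(
            sender=sender.group(1) if sender else "?",
            receiver=receiver.group(1) if receiver else "?",
            tls=tls is not None,
            cipher=tls.group(2) if tls else "",
            bits=int(tls.group(3)) if tls else 0,
            verified=bool(tls) and tls.group(4) == "OK",
        ))
    return hops


def coverage(hops):
    """'all', 'some' or 'none' of the hops used TLS."""
    used = [h.tls for h in hops]
    if used and all(used):
        return "all"
    return "some" if any(used) else "none"


def plaintext_hops(hops):
    """Hops where the message crossed the wire unencrypted."""
    return [(h.sender, h.receiver) for h in hops if not h.tls]


def unauthenticated_hops(hops):
    """Encrypted hops where the peer certificate was not verified."""
    return [(h.sender, h.receiver) for h in hops if h.tls and not h.verified]


if __name__ == "__main__":
    route = audit_route(SAMPLE)
    for hop in route:
        state = f"{hop.cipher}/{hop.bits}" if hop.tls else "PLAINTEXT"
        print(f"{hop.sender} -> {hop.receiver}: {state}")
    print("TLS coverage:", coverage(route))
```

A single plaintext hop in the middle of the route exposes the whole message, which is the limitation the comment above points out.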
As mentioned by another poster PGP hooks into Outlook, Eudora, Pegasus, and Outlook Express. You can set it to decrypt on opening which makes it generally transparent, apart from entering your passphrase when your cache timeout expires.
Msft buys up PGP and integrates it into LookOut.
( Boo! Hiss! -5 BlameFait )
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I think the best thing to do is just sign (not encrypt) all your email to your non-crypto using friends. That way they can still read your email, but they'll have to use a pgp aware mua to verify your sig.
I do this, and to date not a single person has switched email clients in order to be able to process my signatures.
The only responses I get that acknowledge it at all are:
1) Emails warning me my attachment was "corrupt" because they couldn't read it. I get these often.
2) Emails demanding I stop sending them "useless attachments". These are less frequent, but usually devolve into profanity when I say "no".
3) Bounce messages from AOL subscribers who are set to not accept messages with attachments. I get these every time I post to certain mailing lists.
4) One person who continually bitches that he won't read my emails because he fucked up notepad, and his MIME types are set to use notepad for text/plain attachments that Outlook deliberately mis-presents, and he's too lazy to fix notepad or change his MIME settings, so therefore I should be banned from all his favorite mailing lists until I stop persecuting him.
5) Another idiot who has Eudora automatically saving attachments, and refuses to install an automatic cleaner or turn off that setting, so therefore I should be banned from all his favorite mailing lists until I stop persecuting him.
Keep in mind that Microsoft's email products all deliberately mis-present a properly-signed PGP email (I.E., MIME-attached signature, as opposed to the inline kludge) as being a blank email with a notepad document attached, and be prepared to deal with this when you begin signing all your messages.
Interestingly, the folks using Hotmail, Yahoo, Excite, MailandNews.com, etc., don't bitch at all. Those services handle things properly (albeit not checking the signature), and their users thus don't have a problem. Of course, they don't have the option of verifying my signatures in any rational manner, either.
-
Mutt makes it about as easy as it gets. It has builtin pgp support. Red Hat 7.1 ships with that enabled in the RPMS, so I assume others do as well.
Add the line:
set pgp_autosign=yes
In your config file and it will automatically sign all your outgoing messages.
To encrypt a message, you just compose it and then before sending hit 'p' to go to the PGP menu then 'e' to encrypt, or b to sign and encrypt. It prompts you for your PGP passphrase and off it goes. It also remembers the pass phrase for the duration of the mutt session to save retyping it. If you want to tell it to forget the pass phrase during the session just hit ctrl-f.
This is all great and wonderful, but you have to have installed mutt, installed pgp or gpg, have setup your PGP keyring, and it doesn't hurt to have registered with pgp.net so that everyone can find it. That's not hard to do if you have instructions, but it isn't clear and easy for most users.
Absolutely.
I'm not so full of myself to think the FBI/CIA/NSA are out there looking for specific stuff I write. However, I _am_ sure that there's an echelon/carnivore out there gathering any and all information it can - SOME of which is mine.
True, there is so much data there that there's no way someone's reading it all. It's obviously some machine scanning for keywords.
But the point is, they CAN go in there and see the cutesy things I Email to my wife. A bored NSA employee CAN go in there and, by accident, of course, find my secret tofu steak recipe. Someone CAN be reading stuff I write that, while not illegal in any way, shape or form, is still PRIVATE.
Thus it gets PGPed, and thus if I am ordered by a court of law to surrender my decryption keys, it will NOT be a real problem.
--
In the land of the blind, the one-eyed man is kinky.
PGPDesktop and PGPFreeware for Windows do indeed hook into, at least, Outlook and Eudora. They make encryption and decryption transparent - you have to click the little "Encrypt" thinggie on the toolbar and you're done. Unless it can't find the right keys, and then it'll ask you to choose them.
--
In the land of the blind, the one-eyed man is kinky.
That's a pretty reasonable tradeoff for most people, though.
No. PGP encrypts the message with a symmetric session key, and then that one session key is sent several times encrypted with each receiver's public key. Thus, when I send a PGP message to Bob and Alice, the message includes these three things:
- The session key, RSA-encrypted with Alice's public key
- The session key, RSA-encrypted with Bob's key
- The message, IDEA-encrypted with the session key.
(s/RSA/DH/ & s/IDEA/3DES/ for newer versions of PGP and GPG, I think.)
Not a bad idea at all. Adding more layers never hurts, especially since CPU is so cheap now.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
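Added example, not part of the original comment and not PGP's code: the message layout described above, with one encrypted body and one wrapped copy of the session key per recipient. Unpadded textbook RSA and a SHA-256 counter keystream stand in for PGP's RSA and IDEA so the sketch runs on the standard library alone; all function names are hypothetical, and these stand-in primitives have no padding or integrity protection.

```python
import hashlib
import secrets
from math import gcd


def _is_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(candidate):
            return candidate


def keygen(bits=1024, e=65537):
    """Return ((n, e), (n, d)): a public and a private RSA key."""
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def key_id(n):
    """Short label for a key, so a recipient can find their wrapped key."""
    return hashlib.sha256(str(n).encode()).hexdigest()[:16]


def _keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(message, recipient_pubkeys):
    """Encrypt the body once; wrap the session key once per recipient."""
    session_key = secrets.token_bytes(32)
    k = int.from_bytes(session_key, "big")
    wrapped = {key_id(n): pow(k, e, n) for n, e in recipient_pubkeys}
    return {"session_keys": wrapped,
            "body": _keystream_xor(session_key, message)}


def decrypt(packet, private_key):
    """Unwrap this recipient's copy of the session key, then the body."""
    n, d = private_key
    wrapped = packet["session_keys"].get(key_id(n))
    if wrapped is None:
        return None                      # message was not addressed to us
    session_key = pow(wrapped, d, n).to_bytes(32, "big")
    return _keystream_xor(session_key, packet["body"])


if __name__ == "__main__":
    alice_pub, alice_priv = keygen()
    bob_pub, bob_priv = keygen()
    pkt = encrypt(b"meet at noon", [alice_pub, bob_pub])
    print(len(pkt["session_keys"]), "wrapped keys, one body of",
          len(pkt["body"]), "bytes")
    print(decrypt(pkt, alice_priv), decrypt(pkt, bob_priv))
```

Adding a recipient costs one more wrapped key, not another copy of the message.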
You've just gotta try to convince people to use better email clients that make PGP integration easy (mutt has a good rep among Unix guys, and I use SeriousVoodoo on my Amiga). And if they keep using crappy software, then there's just nothing you can do about it: your mail with those people will be insecure.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Exactly what nefarious and diabolical things is the government going to be able to do with a key repository? They could, um, replace your public key with their own version causing people to send encrypted email intended for you that they can read. Except people should be verifying key fingerprints out of band so this doesn't fly. Besides, they could do it anyway if they really wanted to. Er, other than that I'm kinda drawing a blank on what evil things the government could do. Perhaps the conspiracy theorists would care to elaborate?
Ah preyfahr to wraht mah mailings in a riduculous Frahnch haccent! :)
It doesn't mean much now, it's built for the future.
6857 2079 6f64 276e 2074 6f79 2075 756a 7473 6420 206f 6f73 656d 6874 6e69 2067 696c 656b 7420 6968 3f73
There's no way people would bother unencrypting messages I send them, my friends would say:
'wtf, just send it normally you paranoid freak'.
The people on my hockey team would say:
'what is this you are sending me?'
my co-workers and bosses would wonder:
'why is he encrypting all his e-mail? hmmm'
There's just no way it will ever take off that much until there's a dramatic shift in culture and computer/privacy awareness, and it's not happening anytime soon.
BilldaCat
Oh, sorry it's text based. But it handles PGP signing and encryption in-line.
I believe one thing that's missing is a generalised E-mail HOWTO. Sure there are HOWTOs about lots of specific topics, but someone who just managed to make it through their Mandrake install will still feel a bit lost. Topics that need to be covered include:
In particular, the only way newbies can evaluate the difference between Netscape, Balsa, and mutt is to look at screenshots (assuming they don't just choose whichever appears first in their menus). More handholding is needed!
Aside: And if everyone agrees that mutt is wonderful except for its lack of GUI, why hasn't someone written a front-end?!
Mozilla is a graphical email client. And it is cross-platform. And it is open-source. Any other graphical, cross-platform, open source mail clients out there?
Currently, a PGP plugin interface is being added to Mozilla. It should show up in the next release or the one after that. It will allow PGP to be used almost transparently.
Hopefully, this will bring PGP a little closer to the mainstream.
One problem is that, currently, PGP keys require a password in order to use them for signing or encrypting email. People don't consider having to type in a password "easy to use." However, if you create a MUA that remembers the password, you've reduced the security, because now whoever can get at the machine can get at the key. This is the same old tradeoff between security and ease-of-use.
Maybe the MUA could use biometrics for identification: One way is to use face recognition software and a webcam. That should be better than no security, but it's not foolproof. A better way would be to encode the user's private keys into a smartcard. The user just removes the smartcard and keeps it with him, giving about the same security that car & house keys give. That should be good enough, we're talking about ordinary people who usually don't have too much sensitive stuff going over the net, not state secrets. The downside is that the user needs to buy a smartcard and a smartcard reader.
Meldroc, Waster of Electrons
Whoa??? You obviously don't know much about freenet. Obviously you'd need to set it up a bit different so that old keys don't get lost. But I digress
Eudora PRO has all that except for the OE security holes.
Instead of having a central depository for public keys, why not make a P2P public depository. It may periodically require you to republish your key, but the server would never disappear.
So what. It's a way of speaking. Does the fact that it is primarily associated with blacks somehow make it sacrosanct? Would you feel that talking about any of the following accents being racist?
Southern Drahwl, y'all!
Noo Yawk
Tayxis
Bahstahn (Pahk the Cah)
Valley Girl (fer sher!)
Swedish Chef (Bork!)
Comic-book Guy (Worst Post Ever!)
It's a harmless joke. Get over it.
You are in a maze of twisty little passages, all alike.
IIRC, You can also make Outlook automatically encrypt (or sign) all outbound messages as well. That way, the recipient can know without doubt that the trojan on your system did, in fact, use Outlook to spread itself via email....
First, you're right that a single system (or maybe an agreed upon wrapper (sorta like MIME (maybe even MIME)) has to be adopted by a large number of people for this to work.
The other gremlin is in the key repository. For a public key system to be fully functional we need a trusted public key repository (to facilitate checking signatures and obtaining public keys for people whom you wish to send a message to). That's a sort of tough one to pull together though, because we obviously can't trust government, and it's such a basic and simple service that not many people would pay for it. It's also a high volume service, which means that volunteers will quickly be put out of house and home with bandwidth charges, plus it's a service that begs for a well established institution, because if it goes away all the sudden, it'll really suck for a lot of people.
Any good ideas? Public key encryption will still work without a public key registry, but it's subject to some limitations, because you have to be sure that the public key you get is really the key of your intended recipient, and for the same reason, checking signatures is sort of out.
---
Play Six Pack Man. I
The person who mod'd this down didn't bother to check out the link. It's steganography in spam. Quite clever.
What are you going to do? Solve a problem like this for everyone you might want to send an email to?
Here's a solution. Make each message a MIME multipart where one part is encrypted and the other is copy in plain text. That way you're sure that the recipient can read it!
load "linux",8,1
Ick. I wish mutt would *die*, because of the broken way it puts the message body into an attachment. It's really annoying when I get mail from a mutt user and I have to open the attachment just to see the message text.
Slashdot - News for Herds. Stuff that Splatters.
BZZZT! Wrong. I know the standards, and it's mutt that's in error. Thanks for playing.
Slashdot - News for Herds. Stuff that Splatters.
Ok, it's slight OT - But does anyone know of a regular keysigning in NYC, or does anyone want to set one up? I'm game
Charlie
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
I'm mad I didn't see this earlier, so that more folks could see this comment.
PPS is exactly what you're looking for, but it's still in the starting phases. Currently, I'm looking for the following folks to help out:
1. Anyone who has written RFCs in the past, and wants to help get this one into the process.
2. Folks familiar with OpenPGP who wish to touch up the spec to account for that standard.
3. Anyone who's good in C and wants to help with plug-ins for various mailers or the reference library.
4. Others who just want to comment on the existing specification....
Please feel free to send me any comments you might have, but be aware: my goal is creating an infrastructure that makes good crypto available to everyone. This means that I make some pretty harsh compromises in the general case, but then allow capable souls to undo all that on their own. That's by design and pointing it out to me is, well... pointless. Suggesting ways to compromise less is always welcome, of course.
--
Aaron Sherman (ajs@ajs.com)
That's right - extended binary coded decimal interchange code is your ticket to information safety! just atoe(message) and your e-mail is safe from prying eyes. And all it takes is a snazzy etoa(message) for the recipient and, POW! Safe e-mail.
--
"It's tough to be bilingual when you get hit in the head."
That's a hack, barely one step above running SMTP over a SSH-forwarded port.
STARTTLS is much better since it is part of the SMTP protocol. This allows it to formalize behavior that a simple tunnel can't, e.g., to refuse to connect to a site because it fails to present the expected cert.
While the SSH layer *could* do this, there's no consistent way to handle this. E.g., if the connection at port 465 fails because of a bad cert, do you send (or accept) the mail anyway at port 23? If so, you've just lost all strong authentication.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
End-to-end encryption requires the cooperation of both parties. If they think it's important, they'll figure out a way to make it work. If they don't think it's important, you can't cram it down their throat.
:-)
However, you aren't completely powerless. My system runs qmail patched to support STARTTLS - any outbound mail that connects to another site that supports STARTTLS will be encrypted. I'm twisting the arm of my ISP to do the same thing for my inbound mail. (My inbound and outbound mail follow separate paths.)
I believe that the latest versions of most MTAs support STARTTLS now - either directly or via patches. Personally, I consider this upgrade equivalent to a "serious security bug fix," but your package maintainers may disagree.
This is NOT a complete solution - mail is still unencrypted on the disk, and according to a recent, and totally unfathomable, court ruling once mail is backed up to tape by your ISP it loses all ECPA protection. But it *will* stop packet sniffers, traffic analysis (at the user level), and with a bit more work also allows you to provide host-based authentication in addition to encryption.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Recompile exim/sendmail/whatever with TLS support and about 30% of your mails will get sent out encrypted, headers and all.
Other way around, use POP3S at least - et voila, you've drastically reduced the amount of your email that's sent plaintext for sniffers to get at.
Not exactly perfect, but it's better than nothing. The more people who set up their software to use SSL, the better it gets for everyone.
--
mysql> DELETE FROM world.human_race WHERE iq < 100;
Why not use a system like gnutella or freenet for the key repository. Something totally decentralized that nobody could control by which everybody supports through use. A concept like that is not far different from other Internet technologies like DNS when you think about it.
----------------------------
Business users must buy the product - and the recommended "business" version of the software is about $700 a licence. It is also non trivial (if not really THAT hard) to set up, and beating the need for passphrase security into Lusers is a major pastime for anyone who is involved in network security - they write them down, they email them to themselves, they "lend" them to co-workers for ridiculous reasons.....
X509 is actually reasonably easy, but few packages support it - OE and Outlook do of course, and as has been noted elsewhere, Thawte hand them out free. Generating them yourself with OpenSSL isn't rocket science either (I could knock together a .zip file in ten minutes you just unzip then run a batchfile from) but of course X509 is hierarchical, with awkward steps to shoehorn in any certs not on MS's "preferred CA" list.
--
-=DaveHowe=-
Actually, it already exists. I don't personally use Turnpike, but it supports pgp natively (via pgpSDK)- in fact too well, as occasionally it has been known to encrypt messages to mailing lists where a previous poster has digitally signed a message, and the user has mistakenly associated that key with the list :)
--
-=DaveHowe=-
OE is actually a very good newsreader/mail client indeed - multi-account support with a single inbox, rule processing, multilingual character sets, X509 native support and server authentication.
however, the display engine is the IE component, and if you throw HTML mail at it, it will try and display it (javascript, webbugs and all) and the same goes for Rich Text.
--
-=DaveHowe=-
Security, all security is based on a structure of trust. I trust key x to belong to person y, etc.
The complexities of key exchange, and the difficulties of most person to person systems is that simply how can you ever trust the software? Microsoft could release easy to use encryption for all email, and slip in a back door, and everybody might start using it thinking, 'Heh, now the feds can't read my mail.' Yet they would be kidding themselves because they are not even part of the loop.
Simply put, encryption programs are complex because security is no simple issue to be solved by handing out push buttons to people.
Case and point: most of the broken codes circa World War II were not caused by supreme power or thinking, they were caused by catching German radio operators make mistakes.
Even if you could encrypt something easily to send it to another person who did not need to understand the mechanism by which the text was recovered, what would stop them from accidentally forwarding, or intentionally forwarding the plain text to someone else? Nothing.
On the flip side, who do you think cares about your letters home to mom? So much mail flies across the internet that encrypting yours will only likely draw attention to it. It's fairly safe to assume that the NSA or some other department of the government will be able to read it just the same.
No form of encryption can be secure unless all parties understand the difficult implications of security and take due diligence to use it properly. If you need encryption that badly, then it's worth the time it would take to teach someone else to use it and make sure they understand why it is encrypted and how to protect the data. If it is not worth the time to teach them, and teach yourself, then it's not worth encrypting at all.
More Caffeine. NOW
The PGP toolbar integration with OE is great, unfortunately, nobody but me seems to use it.
Is there a near-seamless integration with WEBmail clients(I use IMP at work since I can send/recv over SSH) with PGP? I'd be all over that. That is, if my friends were paranoid enough to use PGP.
Look how far that got Georgie W.
RIT Labs has a product (actually 2 now) that sound like they do what you're looking for, although neither is free, but I've been using the bat for around a year now, and I'm really happy with it, builtin OpenPGP. The 'secure' version also does s/mime though I can't personally vouch for its quality, I've never used it, though from what I understand it encrypts all of your local data, supports OpenPGP, S/MIME with x.509 certs, and a bunch of other good stuff. Like I said, I only use the normal version, and it's quite well integrated with OpenPGP and quite cheap as well. The other version costs around 140, which most around these parts people will find rather steep I guess. /me prepares to get moderated into oblivion for committing the sin of advocating a non open source solution.
What's good is the popular mail clients are finally starting to support it (I know the latest version Eudora supports it.)
------
No, that's APOP. SSL encrypts the entire session between you and the SMTP server. After that, however, the SMTP server usually sends the mail in a non-encrypted fashion.
------
PGP is the logical solution to use at any cost. Maybe you should try explaining the situation to the other party entirely in order for them to understand the importance of privacy, and how far agencies will go to snoop information on all levels.
Something many people didn't hear about Echelon was the fact that it was being used to snoop against businesses by the US in order to position themselves better in foreign and local markets.
[Full Source (10.7)]
Companies turn a blind eye thinking that Encryption is something criminals use because government makes it seem that way. However think about the following scenario: You work for a company who's just discovered an innovation worth millions and you need to keep in touch with others in offices of your company worldwide but do not want anyone capturing your business plans. Whether it's government or a competitor, you're going to want to implement security at all costs. What do you use?
Web based services won't cut sending intraoffice mail because the third party (Hushmail) can read it, (see Is hushmail secure?) using PGP is the safest bet by all means.
Maybe what you should do is make people aware of what's really going on, and help them understand the value of importance behind using PGP. And FYI it's simple as all hell to use, my mother is even using PGP (no bullshit either) and she knows squat about computing.
Want Root?
Next time, use:
<TT>
(PGP stuff)
</TT>
in Slashdot's HTML posting mode.
- Michael T. Babcock (Yes, I blog)
It's definitely the integration issues right now /w respect to encryption and the hooks into clients. IMHO, hotmail and yahoo and all the other free-mail services would have to offer encryption features before encryption becomes ubiquitous with emailing.
"Old man yells at systemd"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The windows version of PGP has a slick little system tray icon. You
click on it and it'll give you a menu that lets you sign and encrypt
or decrypt the current clipboard contents. Works great for webmail or
pretty much anything else (like, this form for example) for that
matter.
In addition, I'd like to complain a little bit. There's an awful lot
of posts on this thread about how great PGP is and how the key
infastructure really isn't all that hard. Why haven't you people
posted your keys to the appropriate section of your user pages? eh?
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBOx06D7fXGCgiKZQGEQKuiQCg4VrQbF1vANOzp14
bC4n80/IQRJcBkzE9KPgDrXV
=Yvx3
-----END PGP SIGNATURE-----
________________________
I don't want free as in beer. I just want free beer.
Public Key Encryption with 3rd Party identity verification is the most secure way to encrypt emails. However, it is difficult to achieve, and too easy to fake out the 3rd Party Vendors like Verisign (remember the Microsoft boondoggle!). If you don't want to deal with platform issues, public keys, private key registration, etc, Web-based is the easiest and very secure solution. If you don't trust a provider, do it yourself. Just send people emails with urls to your message. Serve your message up with SSL and some kind of authentication. (Obviously you need a server with a static IP and an SSL cert). If you aren't interested in real security, but just want to piss off the NSA, just send your emails as GIF images. So they will be a bit larger. Who cares? No Echelon system is going to scan a compressed bit map to look for the word "Atom Bomb". And, any gerk can look at a gif file.
Someone you trust is one of us.
it isn't the password that is defeating "easy to use," it's the fact that if I PGP encrypt an email in outlook express and send it to a non-savvy OE user, they're never going to read it.
There needs to be some way for the mail clients to automatically grab the public key.
Microsoft .net will introduce identities with its passport service. Knowing the identity of the user, Microsoft can easily generate some encryption keys and deliver them automatically to the Microsoft .net enabled e-mail client. Of course, Microsoft will try to make these encryption schemas for passport users only.
Companies like AOL and Yahoo will probably join shortly afterwards. Security will not be perfect, but much better than now.
What the open-source community can do for encryption is, for example, to make KDE Mail start with a gpg key generation wizard on first use, have a graphical key management utility preinstalled (Gnu Privacy Assistant) and accessible from KDE Mail, and make key distribution even easier (automatically retrieve from key servers, automatically upload to key servers). Finally, KDE Mail should have an option that automatically encrypts to recipients whose public key is known.
Hushmail has some significant points in its favour:
:-(
1) Phil Zimmerman now works for them!
2) Sources available from their website
However, it does have some fundamental problems. I'm still wading through the sources, but EITHER
(a) the private key (which lives on the hushmail server) is sent to your client and decrypted with the passphrase there
OR
(b) the pass phrase is sent to the hushmail server and the private key is decrypted there
(b) would be putting ALL your trust into the hushmail system, which is bad in principle
(a) would be putting ALL your trust into the strength of the pass phrase, which has no particular minimum standards enforced. Oh dear. (The private key still lives on the hushmail server, and even though it would be transported by SSL, it could be SSL-40
Oh, and the keylength sucks too !
Think about this: The whole purpose behind certification (and PGP's key signing is just another kind of certification, make no mistake) is to be able to have some assurance that the public key you're encrypting or validating signatures with belongs to whom you think it does. With PGP there is no certifying authority. I know there was supposed to be a distributed trust model with PGP, but in actual practice it hasn't worked out that way. I don't trust keys unless I have signed them, and I only sign them when I have verified them. Why? Because to do otherwise I would have to manage a list of trusted signers, which is no different than S/MIME, but the number of signatures that those trusted signers would be giving out would be relatively low. My trust would not reap much benefit.
By contrast, those issuing S/MIME certificates by and large are in the business of doing so. They generally have posted policies that allow me to determine whether I trust them or not. So far, that's no different than PGP. But the difference is that there are relatively few organizations that have gone to the trouble of becoming S/MIME CAs, which means that trusting one of them nets me a large number of other users with whom I can interoperate without any prior introduction. I dare say that with a single root CA cert (the thawte freemail one), I can probably get over 90% of S/MIME users all at once, and I have some assurance given the rules for their so-called Web of Trust system that the identities being offered were properly screened.
Moreover, S/MIME has key expiration mechanisms built into it, which PGP lacks. Turning your key over frequently helps make sure brute force attacks don't result in an attacker being able to forge signatures (by the time they brute-force the keypair, it's expired).
And if Thawte ever decided to either charge for their services or pull the plug, it would be simple to 'fork' to a new free system -- If Thawte certificates are trusted, then simply demanding a prospective user of the free system that they sign a random plaintext and send it back would be sufficient to get proof of their name and e-mail address (which is the only thing Thawte certifies in any event).
Oh, by the way, yes, Microsoft uses it. That doesn't make it evil on its face.
No, S/MIME and PGP both support addressing to multiple parties. You don't actually encrypt the whole message with the recipient's public key (that would take forever to calculate anyway.) Instead PGP uses a symmetric key for encrypting the main message, and then encrypts that key with the asymmetric algorithm, once for each recipient.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
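The scheme described in the comment above (one symmetric session key for the body, wrapped once per recipient), as an added example that is not part of the original thread. It uses only the Python standard library, so textbook RSA on small constructed moduli and a SHA-256 keystream stand in for PGP's real algorithms; all function and key names are hypothetical.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent


def make_keypair(p, q):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


# Constructed demo keys built from known Mersenne primes; far too small for real use.
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**127 - 1)


def _subkey(session_key, label):
    # Separate keys for encryption and authentication, both derived from the session key.
    return hashlib.sha256(label + session_key).digest()


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_for(recipients, plaintext):
    """Encrypt the body once, then wrap the session key once per recipient."""
    session_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    body = _xor(plaintext, _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    k = int.from_bytes(session_key, "big")
    wrapped = {name: pow(k, pub["e"], pub["n"]) for name, pub in recipients.items()}
    return {"wrapped_keys": wrapped, "nonce": nonce, "body": body, "tag": tag}


def decrypt_as(name, private, message):
    """Unwrap this recipient's copy of the session key, verify, then decrypt."""
    k = pow(message["wrapped_keys"][name], private["d"], private["n"])
    try:
        session_key = k.to_bytes(16, "big")
    except OverflowError:
        raise ValueError("session key did not unwrap with this private key")
    expected = hmac.new(_subkey(session_key, b"mac"),
                        message["nonce"] + message["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("authentication failed: wrong key or modified message")
    stream = _keystream(_subkey(session_key, b"enc"), message["nonce"], len(message["body"]))
    return _xor(message["body"], stream)


if __name__ == "__main__":
    msg = encrypt_for({"alice": ALICE_PUB, "bob": BOB_PUB}, b"meeting moved to 3pm")
    print(decrypt_as("alice", ALICE_PRIV, msg))
    print(decrypt_as("bob", BOB_PRIV, msg))
    print(len(msg["body"]), "body bytes shared by", len(msg["wrapped_keys"]), "recipients")
```

Adding a recipient adds one wrapped key and leaves the encrypted body unchanged, which is why a single message can be addressed to several people.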
Anonymous remailers handle that, AND provide a mechanism to respond to the originator of the message without knowing who they are. There's really good anonymous remailer support in Emacs' VM email client.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The advantage of putting encryption into your MTA is that the envelope is encrypted, not just the body. Plus, client software doesn't have to be modified.
If you are really paranoid, then you of course would want a combination of encrypted SMTP with a PGP encrypted message body, 'cause that provides end-to-end encryption combined with an encrypted envelope while the email is in transit.
I have written a truly remarkable program which this sig is too small to contain.
Not to say that there couldn't be implementation weaknesses in PGP, but it's certainly reviewed and audited by a lot of folks.
As somebody who has worked on quantum computers (one of the few technologies that could make "cracking" RSA and lots of other NP-hard-ish problems possible), I'll tell you it's not that easy. The Math PhDs might have some luck, since nobody has ever proved definitively that RSA is NP-complete. But this is far from a certain bet.
I do sincerely doubt that the NSA has built a sufficiently large quantum computer that deals with the quantum state cohesion issues over a computational timescale though. :)
Brute force computing power won't even remotely cut it against 128 bit IDEA/ 112 bit 3DES, nor against 1024 bit RSA.
Even more so...that no one uses PGP, sure, a few geeks do. Even those who have pgp and mailers that can use it tend not to use it. (I prefer gpg myself)
The answer? PPS - the passive privacy system. There is a spec, but nothing implemented yet.
check out pps.sourceforge.net
It's a great little spec. The idea being that email clients can be made "PPS Aware" and will then use email headers to silently exchange keys and begin encrypting.
When 2 people with pps aware clients exchange mail - every email from the 3rd mail is encrypted (might be 4th) - passively. Neither of them has to do anything special (unless they want to be paranoid about it - most won't).
Extra nice since it means that every mail becomes encrypted, no way to look at the traffic and say "here is where the juicy stuff begins".
It's really such a simple idea, it's almost surprising that no one has done it yet.
-Steve
"I opened my eyes, and everything went dark again"
That's a cool idea.
Or, how about something like:
where the SSL unlocks with an answer to a question the sender poses as a "suitable" restrictive piece of knowledge that only the sender and recipient are likely to share. There are most certainly some security issues with a scheme like this, since I'm not an expert. It might help if the web page served up how many times it was hit by what IP addresses to alleviate the paranoia in the case of others trying to snoop. Probably should delete the message after the first render as well.
Social engineering could still be a problem, though.
I can just smell the new style spam at fakemail cache asking to be decoded with your SSN, DOB, mother's maiden name and checking account number.
"Provided by the management for your protection."
My apologies.
It looks as if HushMail is pretty close to this already.
"Provided by the management for your protection."
Quite apart from the question of whether the government's reading your email, the point remains: some messages are private-- just as when you write someone a message using the post, you put it in an envelope so that it can't be read in transit.
Don't confuse privacy with secrecy. A CS 101 textbook on object-oriented design I once read made the distinction memorably: "What you do in the bathroom isn't secret, but it's private."
my plan
GROGGS: alive and well and living in
What about sending encrypted mail as html, surrounded by a neologist tag:
<encrypted>
<a href=public.webased.decoder.org/cgi/decode?encrypted_text>click here to decode</a>
</encrypted>
Encrypted-tag aware mail readers would know to ignore the <a>-tag and to directly decode the target address.
Up side: this reaches html-enabled mailers and all updated mailers. Down side: it leaves rmail and old pine users either executing outrageous copy-yank operations or running for updates.
Another up side not to be left aside: it would become the first actually useful piece of html-based mail.
-
This post was compiled with `% gec -O`. email me if you need the sources
..., said the AC.
One problem is that, currently, PGP keys require a password in order to use them for signing or encrypting email. People don't consider having to type in a password "easy to use." However, if you create a MUA that remembers the password, you've reduced the security, because now whoever can get at the machine can get at the key. This is the same old tradeoff between security and ease-of-use.
Also, if I understand it correctly, you can really only send an encrypted message to one person at a time, because you're encrypting it with their public key (so that their private key decrypts it). So PGP is not really a solution for, say, mailing lists.
So, even though Mutt has great GNUPG support, and so is relatively easy to use for someone like me, I can't really make use of it too terribly often, except for signing my mail.
What would help a great deal is if the mail could be encrypted between the mail servers, thus limiting snooping to localhost exploits. I know that there are protocols available, but with so many people out there running old, insecure, years old versions of Sendmail, I am rather pessimistic about the rate at which we could get people to switch over (much like IPv6, which will help network security in general with its support for IPSEC). Does anyone know of an MTA-to-MTA encryption protocol which satisfies any (or all!) of these:
1. Mail server agnostic
2. Falls back to cleartext if encryption isn't supported at the other end
2a. Gives a warning on this fallback.
3. Uses existing algorithms, rather than trying to invent a new one, and can intelligently support more than one at once (sort of like SSH with IDEA and Blowfish).
Sotto la panca, la capra crepa
WMBC freeform/independent online radio.
"Why bother? You know that the only reason the US lifted the export ban on high encryption is because the boys and girls down at NSA finally figured out a way to crack it with ease."
Vintage computer games and RPG books available. Email me if you're interested.
Why PGP or GPG? Well, primarily because it's better than the execrable S/MIME format. Not having to obtain keys from a CA, not having certs that expire and generally faster encryption/decryption are major points in favour of supporting OpenPGP compliant encryption.
OH that was funny till I almost hit the goatcx links...
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
The famous end to end argument is simply that every application has different needs. For example, even if you have connection-level encryption, how are you going to verify the authenticity of the message? For that, you will need something like GPG anyway.
Go read it. It's good.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
Here's my solution: write a program that, whenever you type an email, instead of sending the email, it writes the text in a self destroying webpage, and then sends the link to the page instead of the text itself.
so the email that's actually sent would read something like "Jose Garcia has sent you an email, press here to see it." and when the user clicks the page, a browser displays the content on a secure server (https). once the page is seen once, it is forever deleted from the server (or whatever settings you provide for number of views and type of deletion). the reader can save the html file in his computer if it wants a copy.
ok, so i didn't solve the problem, since government can still see the email with the link and click the link, but at least you'll know you're being watched... =)
now if this idea even makes sense, and someone decides to do it, feel free. this post is GPLed (or whatever it is i need to do to make it free information), just put my name somewhere so i can brag to chicks ok?
There are two kinds of people in the world: Those with good memory.
a) x509 support for a linux client that isn't netscape
b) pgp support for netscape under windows and linux
A little Googling around came up with Bear Software's PGP Plugin for Netscape Messenger. I don't have a user testimonial for you, though.
At some point in the future, practically all communication between devices will at least be encrypted, and not by the application. I don't know if we have to wait for IPv6, or even if it will be ready then, but I know that as an application developer when I open a socket I want to specify the minimum level of encryption I want, the maximum I need, and to be able to get an idea of how secure the connection is. And server certificates should not be a barrier for encryption.
As for establishing identities, I'm sure somebody else will have much better idea (validate against a domain's PK server? a completely centralized repository?)
So basically, what you are saying is there is no need for our right to privacy.
Perhaps I am in correspondence with another in regards to some invention we are developing. I might want to encrypt that information so that it can't be snatched away from me.
Maybe I'm a musician and I want to send some sound bytes to my record label without others obtaining it.
How about a writer who submits chapters of his book to his editor via email.
What I'm trying to get at is, sexual deviants aren't the only ones who want to keep things private. I would suggest "you" get a grip. Just because you have no use for encrypting email does not mean others do not.
Like any network, the utility is proportional to the number of users. And it's fairly non-linear.
So the best thing you can do, *now*, is to set up PGP and put your keys on the public keyservers. You don't ever have to send anything using it, but by being able to receive PGP-encrypted email, you have increased the value of the network.
A well-populated database of keys is a necessary precursor to widespread email encryption. The web-of-trust mechanism for certifying keys means that you don't need to trust the key repository. The existing keyservers work fine.
What, you mean like S/MIME?
It's already there in Outlook (and Outlook Express?)
Assign a number to each letter of the alphabet in order. A=1, B=2, C=3, etc...
Write your messages all in numbers. Snoops will think it's something complex, 'cause let's face it, no one would ever do encryption that simple...
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Well, you're shit out of luck. You just described a watch and it's the best solution.
PGP does everything this person asks for and he seems to already know that. Sheesh!
Try evolution (if you use GNOME that is). Despite being beta, I find it incredibly usable. Filters, PGP, etc all work well. It does occasionally crash, but hey, that's life in beta. I do tend to hit bumps with the gtkhtml snapshots, but hey, this is Linux, deal with the pain. It makes encryption just as easy to use as Outlook. Well done Ximian....
there are no stupid questions, but there are a lot of inquisitive idiots
Huh, I would agree with your point, it needs to be integrated in the clients people use. And I really don't know about this, but I did a search, and it says here that pgp freeware exists as plugins for a few of those....?
Employee of Inrupt, Project Release Manager and Community Manager for Solid
In other words, start petitioning those developers to include PGP or some other, better encryption into the next version of their products. Only by convincing them that there's a high demand for such a thing will it ever happen.
Just add something like
keyserver wwwkeys.eu.pgp.net
to your ~/.gnupg/options and mutt does *all* the work of verifying/decrypting emails.
Yeah it sucks. More people should use software like mutt. It makes dealing with pgp-signed/encrypted messages so easy. (I hear gnus is really good too, but mutt was much easier for me to learn)
I think the best thing to do is just sign (not encrypt) all your email to your non-crypto using friends. That way they can still read your email, but they'll have to use a pgp aware mua to verify your sig. Hopefully, your friend will eventually be encouraged to use decent software to get this function. Then you're 99% of the way there and you can start exchanging encrypted emails.
Point being: Sign everything!
1/ Email is not encrypted on the client side, but all the "tubes" that transmit information (email client -> smtp server -> smtp server/pop server -> email client) are encrypted. I don't think it's the good way because if one part of the tube is hacked or listened to by the government, the concept is down.
2/ Encrypt messages directly - for instance with PGP. With this method, the "tubes" don't have to be encrypted because the message itself is encrypted. This leads to the problem that the sender's client has to know how to encrypt the message intended to the receiver's client. That means that the sender has to know the receiver public key before sending the message (correct me if I'm wrong).
So if the free-software community could show the example and imagine a standard common implementation for all the email clients, that would be great and at the same time, that wouldn't be too difficult to implement. We can imagine a very simple protocol that includes users' public keys at the very end of every message, under a standard format for everybody. For instance, something like " . Or better (because public keys are generally very long): maybe just an URL to the public key could. Or we can also have a standard that understands all the "fashions" of including a public key.
So if everybody uses that (through non-encrypted emails at the beginning of the process), the email clients can maintain a list of all the email addresses for which they know a public key = for which they can send encrypted messages. Then, by default the clients can encrypt the messages without any human interaction :-)
Now imagine that Kmail/Evolution/Mozilla-mail/Emacs-mail/Mutt... decide to use that system, beginning to Day D. At date D + a few hours (or a few days for those who don't use much email!), most of the open-source community would communicate through encrypted emails and we could claim "Hey Microsoft users! everybody can read clearly your emails because you use Eudora or Outlook, but inside the free-software community, we communicate with strong encryption!".
Wouldn't that be good? Wouldn't it be a demonstration that the entire Free-Software community can impose new concepts, new ways of living the Net?
Hell, you could even just use a password-protected zip file for simple stuff. As long as the person you are sending to knows the key, they can decrypt the message.
Well, if you feel ROT-13 isn't secure enough, then double encrypt it. :-)
Hushmail works quite well. It's web-based, which is either a positive or a negative depending on what you want. http://www.hushmail.com/about_hushmail/
Hi! This is the Sig, blatantly attached to the end of this comment.
Sure, outlook gets the job done. I use it everyday for my work email (my personal email is thru pine, naturally). However, my work comp is a mac. The windoze version simply cannot be considered decent software due to the horrible security issues.
-
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
Hooks are no problem, just change your SMTP and POP3 to localhost, and make a PGP encrypted email forwarder/reader. You can even scan the TO: line and see if it's on the list of people who can receive encrypted email, and scan incoming email for X-ENCRYPT-ENABLED: fields and add them to your lists automatically.
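The list-keeping half of the local forwarder described above, as an added example that is not part of the original thread. It assumes the X-ENCRYPT-ENABLED value carries a 40-hex-digit key fingerprint (the comment names only the header); the class, function and sample messages are hypothetical and constructed. Because the header arrives in unauthenticated mail, the first fingerprint seen for an address is pinned and a later mismatch is held for manual review.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

HEADER = "X-ENCRYPT-ENABLED"                # header name taken from the comment above
FINGERPRINT = re.compile(r"[0-9A-F]{40}")   # assumed value format, not from the thread


class CapabilityList:
    """Tracks which correspondents advertise encryption, with first-seen pinning."""

    def __init__(self):
        self.pinned = {}        # address -> fingerprint first seen for it
        self.conflicts = set()  # addresses that later advertised a different key

    def observe(self, raw_message):
        """Scan one incoming message and update the list."""
        msg = message_from_string(raw_message)
        # From: is not authenticated, so anything learned here is only a hint.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        values = msg.get_all(HEADER) or []
        if not sender or not values:
            return "ignored"
        fingerprint = "".join(values[0].split()).upper()
        if len(values) != 1 or not FINGERPRINT.fullmatch(fingerprint):
            return "rejected"   # duplicate or malformed header: do not guess
        known = self.pinned.get(sender)
        if known is None:
            self.pinned[sender] = fingerprint
            return "learned"
        if known == fingerprint:
            return "unchanged"
        self.conflicts.add(sender)  # keep the old pin; a human has to resolve this
        return "conflict"

    def plan_outgoing(self, raw_message):
        """Decide what the forwarder should do with one outgoing message."""
        msg = message_from_string(raw_message)
        fields = (msg.get_all("To") or []) + (msg.get_all("Cc") or [])
        recipients = sorted({addr.lower() for _, addr in getaddresses(fields) if addr})
        held = [r for r in recipients if r in self.conflicts]
        if held:
            return ("hold", held)
        unknown = [r for r in recipients if r not in self.pinned]
        if unknown or not recipients:
            return ("cleartext", unknown)
        return ("encrypt", recipients)


def sample_mail(sender, to, extra_headers=""):
    """Build a constructed RFC 822 style message for the demo."""
    return f"From: {sender}\nTo: {to}\n{extra_headers}Subject: constructed sample\n\nbody\n"


# Constructed sample data: fingerprints and addresses are made up.
FP_BOB = "A1B2" * 10
FP_OTHER = "0F" * 20
MSG_FROM_BOB = sample_mail("Bob <bob@example.org>", "me@example.net", f"{HEADER}: {FP_BOB}\n")
MSG_SPOOFED = sample_mail("bob@example.org", "me@example.net", f"{HEADER}: {FP_OTHER}\n")
MSG_PLAIN = sample_mail("carol@example.org", "me@example.net")
OUT_TO_BOB = sample_mail("me@example.net", "Bob <bob@example.org>")
OUT_TO_BOTH = sample_mail("me@example.net", "bob@example.org, carol@example.org")

if __name__ == "__main__":
    caps = CapabilityList()
    for raw in (MSG_FROM_BOB, MSG_PLAIN):
        print(caps.observe(raw))
    print(caps.plan_outgoing(OUT_TO_BOB))
    print(caps.plan_outgoing(OUT_TO_BOTH))
    print(caps.observe(MSG_SPOOFED), caps.plan_outgoing(OUT_TO_BOB))
```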
I prefer Outlook Express to all other email clients I've tried. . .
I know it's uncool to say so here, but Microsoft gets things right every now and then, and OE is one of them. It's clean, fast, versatile, and free. So far, I haven't been able to find anything I like better. Now, if someone wanted to argue that Outlook is bloatware, I definitely won't argue there. For standard Internet email though, OE does a great job.
Another program Microsoft did right is Money 99. The 2000 and 2K1 versions are getting pretty bloated, but 99 is very nice. I've yet to find a program that does as good a job at handling multiple accounts, and the reports it generates are superb.
"The guide is definitive, reality is frequently inaccurate."
Ideally, what we probably need is a really good, full-featured, e-mail client with the capabilities of Communicator or Outlook Express, and PGP built-in.
As long as people have to run PGP as a separate program, and then try to hook it in with their favorite mail-reader, it will never catch on.
Everyone should use certificates. Certificates are used in browser apps. By using certificates, we can verify we are ourselves as we connect to a website. Any decent email system supports certificates. You can get a free e-mail certificate from www.thawte.com (which is part of verisign). These can be used not just to encrypt your message but also to sign it (to verify it is from you). According to Verisign, Digital Certificates are the only way to electronically sign something (just like your ink signature on a check). You also have the ability to declare multiple e-mail addresses. Since it is handled by a CA, you can revoke your digital certificate at any time, and you do not need to send your public key to everyone who wants to use it (as you would with PGP). Typically, if your receiver has a digital certificate, you can encrypt the data to them (outlook does this, I know off hand) and then sign it with your key, just like in PGP. This is all done automatically through the CA, as opposed to e-mailing someone and requesting their public key.
Besides all of this, it's just a good method. The encryption isn't as powerful as PGP, but for most secure communications it's excellent (how many of us do banking with 128bit encryption daily?)
Anyway, my two cents.
I think you need to flash your brain's firmware.
Most people will say similar things "Oh, I have nothing important" and yet, deep down there *is* an expectation of privacy. Why? Because you do not see the people reading your e-mail! Out of sight, out of mind type syndrome. But put another person in front of their computer and tell them to check out their In/Outboxes from top to bottom and you'll most definitely see the owner jumping right in "What the hell are you doing reading my mail?!!"
:-)
That's the problem...a perceived sense of security and privacy that seems to resist all rationale.
It's the same with other spooky figures...yes, everyone knows, there are bad guys and burglars out there, but most people will continue to assume, that it hits only *others* (the Susie B.'s from the newspaper), not them.
I propose checkmail.org, where a few thousand random mail messages are captured and put up for general amusement. Then people will get pissed, because, after all, e-mail is private!
Rather than encryption ... consider steganography (or "data hiding").
That is, embedding a message within seemingly harmless text or data. If you send encrypted data, you are immediately attracting attention to yourself, especially since (as you point out) almost no one encrypts email -- if you're not sending plain text, clearly you must have something to hide. And there are ways to get at encrypted data, not necessarily by brute-force decryption, but (for example) by hacking into your desktop and stealing your unencrypted mail files or your private key. Using encryption makes you an inviting target for such techniques.
There are a number of ways in which steganography is done. You can use spammimic, which converts a short sentence into a lengthy document that reads like spam (and has the advantage of being web-based, so anyone can use it). Or you can try embedding messages into images or sound files by changing the LSB of each pixel/sample, which doesn't affect the output. And so on.
If this strategy is employed, you can also encrypt the message prior to hiding, which is your insurance against someone breaking the hiding strategy.
Toronto-area transit rider? Rate your ride.
And while on the subject, why is it that so many people precede any mention of encryption with little "it's not like I have anything to hide, 'cuz I don't" comments? Ugh.
--
I don't really think that the proper place for **EVERYDAY** encryption is in the e-mail message itself. I mean sure if you have a really sensitive message that is for your eyes only to the recipient then sure.
Sendmail supports opportunistic encryption between SMTP MTA's, POP/IMAP/LDAP/SMTP from the client can all be SSL'd or TLS'd. Even tween MTA's you can use ESMTP TLS. Notes and Exchange both support encrypted client server and server-server communication. All of this exists now and I think even those aren't the way it should be handled.
Linux FreeS/WAN support will soon have opportunistic encryption via IPSEC. IPv6 requires IPSEC to be compliant. So I think that the answer is that encryption take place at a lower layer than the application. This solves the problem for ALL applications rather than just e-mail. Also this still allows virus scanners and content filters and mail filters and SPAM protection and banner rippers and such to work the way they are supposed to. It allows standard encryption acceleration hardware to be used for all your network traffic.
-Ben.