How To Enable Mom w/ Encrypted E-Mail?

mad.frog asks: "Given the recent revelations of the Bush administration spying on US citizens without warrants -- and their promise to continue doing so -- it's clearly high time for me to switch to encrypted email, after years of being too lazy to bother. The real question is how I can get all (or at least some) of my email contacts to switch as well; clearly, encryption does me no good if the recipient can't decode it. What are my options, and more importantly, what are the options that will be comprehensible and usable by my parents, and in-laws? (Keep in mind that good solutions must include robust Windows and Mac support...)"

GPG/PGP: Thunderbird and Enigmail

[Dark+Coder]

Checkout Enigmail extension.

Enigmail project website features are:

• Encrypt/sign mail when sending, decrypt/authenticate received mail
• Support for inline-PGP (RFC 2440) and PGP/MIME (RFC 3156)
• Per-Account based encryption and signing defaults
• Per-Recipient rules for automated key selection, and enabling/disabling encryption and signing
• New: OpenPGP key management interface
• Automatically encrypt attachments for inline PGP messages
• Powerful GUI for easy configuration and management
• User Preferences for advanced configuration
• Integrated OpenPGP PhotoID Viewer
• Supports OpenPGP key retrieval via proxy servers
• Integrates with GnuPG
• Works with the Mozilla Thunderbird, Mozilla Suite, and Netcape 7.x mail clients
• Supports Thunderbird's Multiple Identities feature
• Available for: Windows / Mac OSX / Linux (x86-32, x86-64, SuSe, Debian, Mandrake PPC & x86 ) / UNIX (Solaris 8.0, *BSD i386)
• Language Packs available for localisation

Works for me!

Re:GPG/PGP: Thunderbird and Enigmail

[Anamelech]

This is the route I took, but trying to convince others that it was worthwhile was another story. Most of the individuals I deal with within my family and friends network use the free, web based email services(most of them hotmail) and can't use encryption/signing to begin with.

Some free clients have limited support for GPG/PGP, such as gmail through thunderbird. The last time I tried the encrypted attachments, however, they didn't go through quite as expected(Don't remember what the actual effects were, but the cause was a mishandling of the MIME types.)

As it stands, Thunderbird and Enigmail seems to be the easiest method for sending/receiving encrypted/signed emails, but free services are still a grey area for support. If it handles the MIME type on the encrypted attachments improperly serverside(the basic problem I ran into with Gmail) or they use the web interface regularly, there really isn't much you can do right now.

I hope you know

[missing000]

Encrypting your communications like this will just cause you to be a target. The NSA can most likely crack whatever you can throw at them, and even if not they will not hesitate to use some more creative methods if they want to listen in.

Personally, I just assume that whatever I write or say is being listened to. It sucks, but that's the world we live in. Don't like it? Vote for a non-fascist next time.

Re:I hope you know

[ColaMan]

Can the NSA crack RSA?

Well, I know that they appear to know more than what the general cryptography community knows. For example (lifted from wikipedia, emphasis mine):

During development by IBM in the 1970s, the NSA recommended changes to the (DES) algorithm. There was suspicion the agency had deliberately weakened the algorithm sufficiently to enable it to eavesdrop if required. The suspicions were that a critical component -- the so-called S-boxes -- had been altered to insert a "backdoor"; and that the key length had been reduced, making it easier for the NSA to discover the key using massive computing power.

However, the public reinvention of the technique known as differential cryptanalysis suggested that one of the changes (to the S-boxes) had actually been suggested to harden the algorithm against this -- then publicly unknown -- method of attack; differential cryptanalysis remained publicly unknown until it was independently reinvented and published some decades later.

Re:I hope you know

10 bits, 'twas 10 bits sir! Insecurity in GSM networks

Shamelessly stolen and slightly rewritten with added emphasis from jya.com (via Google Cache).

For non-technical reasons, which GSM MOU and its members refuse to disclose, the upper bounds of GSM voice privacy features was reduced by a factor of 1024. Curiously enough, this reduction of voice privacy solely benefits mobile call interceptors lacking a court authorized wire tap, since wiretaps conduced under court order can be performed at the base station or further upstream the telephony network.

Re:Don't bother

[waytoomuchcoffee]

Don't bother using encrypted emails, because if you're not sending anything incriminating, THERE'S NO NEED.

I love this type of thinking.

Check out the 60 minutes inteview on Echelon:

KROFT: (Voiceover) Is it possible for people like you and I, innocent civilians, to be targeted by Echelon?

Mr. FROST: Not only possible, not only probable, but factual. While I was at CSE, a classic example: A lady had been to a school play the night before, and her son was in the school play and she thought he did a--a lousy job. Next morning, she was talking on the telephone to her friend, and she said to her friend something like this, 'Oh, Danny really bombed last night,' just like that. The computer spit that conversation out. The analyst that was looking at it was not too sure about what the conversation w--was referring to, so erring on the side of caution, he listed that lady and her phone number in the database as a possible terrorist.

KROFT: This is not urban legend you're talking about. This actually happened?

Mr. FROST: Factual. Absolutely fact. No legend here.

http://www.freerepublic.com/focus/f-news/1543347/p osts

Re:Hushmail

[waytoomuchcoffee]

May I reccommend a hush.ai address, as they're offshore.

They used to be. The servers are in Canada now. You know, the Country that tried to pass the Lawful Access bill last session to "compel all telephone and Internet companies to create and maintain infrastructures that are intercept capable and to provide access to basic subscriber contact information such as a name, address or telephone number."

GMAIL and Thunderbird/Enigmail

[Dark+Coder]

To send email securely over your Google's gmail account, just configure Thunderbird mail account to retrieve gmail email using your Google POP3 account information.

Thunderbird/Enigmail combo neatly address your privacy issues for both sending and receiving.

With PGP/GnuPG perfect forward-secrecy protection, you can leave all your emails in your gmail account and not bother to delete them (EVER or until your GnuPG passphrase is compromised).

Google deux-machination of trying to find AdWords in your email for their massive onslaught of advertisement campaign will come to a screeching halt when your gmail InBox contains nothing but psuedo-random data.

Good riddance to invasive AdWords into your emails...

Ciphire

[Custard]

Anyone know about Ciphire?

https://www.ciphire.com/

Re:Don't bother

[name773]

i read the whole thing, and i'm not sure how much of it i actually believe. Mr. Frost says they get a lot of info from baby monitors... they'd have to be pretty close to the originating house to do that, because even if the range extends far enough (which it probably doesn't, it costs money and takes fcc licenses to do long range broadcasting), baby monitors are on a band that is used by a lot of other things as well, and their transmissions would join a flood of others.

so i can only think of a few ideas to explain this guy: he might be sensationalizing his story, possibly on behalf of his former employer, possible to his own ends. that, or when they hired him, the cse or whatever may have shown him a demo that made him believe they had more capabilities than they really did. maybe 60 minutes ran out of ideas for shows and hired an actor to spout off things they based off of conspiracy websites. ok, maybe not, but i still find this hard to believe, especially former workers talking about it to a television show.

Enigmail does not work with HTML.

[Futurepower(R)]

Enigmail does not handle HTML.

PGP

[Detritus]

The commercial version of PGP (PGP Desktop) supports the Macintosh and Windows. It will automatically sign and encrypt email.

If changing the mail client isn't an option

[Curmudgeonlyoldbloke]

How about WinPT ("Windows Privacy Tray") for your Windows relatives? It front-ends gpg with something that sits in the system tray. Can encrypt from the clipboard or the foreground window.

Re:The best plaintext is encryption

[ivan256]

I'll be darned if I'm going to live my life in fear that some TLA will mistake some perfectly innocent activity for terroristic proclivities.

Forgive me for adding a hint of rationality to this discussion, but really... Just don't live in fear. Sure, there may be some reprehensible things going on that you should oppose, but you shouldn't be afraid. How many people have been investigated? Give it your best bet. Hundreds perhaps? Divide that by the number of people out there and then compare it to the posibility that your house will get hit by a meteor, or better, that you'll be killed by a drunk driver on the way to work. Oppose what you disapprove of, but don't live in fear of somthing that there's no rational need to be afraid of. It's likely that opposition will put an end to the spying well before there's any reasonable chance that it will happen to you.

Use S/MIME / personal certificate

[patrick42]

You can get a free personal certificate from Thawte that works great. Once you've setup your account with them, you can create a signature for each email address you use. On the Mac side, you just download the certificate, and the Mac takes care of automatically installing it. Mail will also detect the certificates you install, and you'll see sign and encrypt (provided you have the recipients public key) buttons when you compose new messages. Here's a tutorial on getting it up and running with Mail:

http://joar.com/certificates/

It also works with Outlook, Outlook Express, Thunderbird, and Mozilla:

http://www.marknoble.com/tutorial/smime/smime.aspx

Reality Check...

[vwjeff]

The law which enables the President to "spy" has been on the books since 1978. The scope of the law was expanded in 1994 and 1998. The EFF has a great writeup about the law which can be found here There are certain requirements that must be met before a "warrant" is issued by a judge. In reality it is really not a warrant because the person investigated is unaware of the pseudo-warrant. Please read the EFF writeup so you have a better understanding of your rights. Blaming this law on the current administration is unproductive and misguided. The law was passed under a democrat administration (Carter) and expaned under another democrat administration (Clinton) We can bitch and moan about the current administration and their use of the law. This doesn't change the fact that the it is on the books. I have already contacted my representatives regarding this law. I am glad the NYTs shed light on this because I would not have known about it otherwise. Disclaimer: I don't support the Democrats or the Republicans. I am a Libertarian. You don't have to vote for a giant douche or turd sandwich you know.

Re:Reality Check...

[Grym]

Has the Bush administration actually invoked FISA as their legal basis?

No they have not. Interestingly enough, the FISA court itself became quite alarmed when evidence started to appear in its proceedings which was obtained through the executive order.

The current justification for the wire-tapping executive order is based upon the War Powers Act. As I understand it, the basic gist of this position is (1) we are at war and (2) any surveillance gathered is therefore military intelligence, exempt from the usual proceedings and review. This is, of course, is quite a dubious position to take and is probably why the president personally requested that the NYT editors not release the story about a year ago.

Remaining unsettled are some of the following questions:

• Does such a broad interpretation of the War Powers act apply in a war not involving any particular nation-state?
• Can the president specifically violate a congressional law using the War Powers Act?
• If the old FISA standard of evidence was "more likely than not" which was supposedly too much (ex. being on a known terrorist mailing list), what is the new one?
• Could this be grounds for impeachment?
• Should those responsible for leaking this story to the press be prosecuted?
• Exactly why didn't the NYT release the story when they first knew about it? Seeing as how they released it now, national security seems unlikely. More to the point: why now? Was it to scoop the James Risen's forthcoming book?
• And, probably most importantly, was this executive order really necessary to further the War on Terror?

It's going to be interesting to see how it all unfolds over the next couple months, but it looks like it's going to get REAL ugly. Those interested should check out the new book from James Risen, the NYT reporter who did all the legwork, which should have more details. It's called "State of War," and should come out later this week.

-Grym

Secret Laws

Actually, John Gilmore is not on the "no-fly list", but he has taken his fight against secret laws to the US Supreme Court.

More information here.

Here's the right to privacy

[Alien54]

Its there in the 4th admendment.

Forth Amendment

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

pretty much covers privacy, since you can't violate privacy without viloating something in the above, not at least without twisting the meaning and intent of the words.