Slashdot Mirror


How To Enable Mom w/ Encrypted E-Mail?

mad.frog asks: "Given the recent revelations of the Bush administration spying on US citizens without warrants -- and their promise to continue doing so -- it's clearly high time for me to switch to encrypted email, after years of being too lazy to bother. The real question is how I can get all (or at least some) of my email contacts to switch as well; clearly, encryption does me no good if the recipient can't decode it. What are my options, and more importantly, what are the options that will be comprehensible and usable by my parents, and in-laws? (Keep in mind that good solutions must include robust Windows and Mac support...)"

16 of 269 comments

  1. One word by CGP314 · · Score: 4, Funny

    How To Enable Mom w/ Encrypted E-Mail?

    Don't.


    -Colin

    1. Re:One word by ClamIAm · · Score: 4, Interesting
      If you [are worried] about your regular communications with your Mom, then you might want to ... get a life.

      The issue here is not being concerned about what you might disclose in a letter home to your Mommy. The issue is that nearly anything you do can be watched. And we have nearly no oversight to make sure that US governmental agencies are conducting this surveillance in a legal and ethical manner. Also, if you write something that could sound a little strange out of context (paintball, for example), you could end up with some big hassles because you seemed a bit "suspect". Your argument is nearly as bad as the "you shouldn't have anything to hide" ones.

  2. GPG/PGP: Thunderbird and Enigmail by Dark Coder · · Score: 4, Informative
    Check out the Enigmail extension.

    Enigmail project website features are:

    • Encrypt/sign mail when sending, decrypt/authenticate received mail
    • Support for inline-PGP (RFC 2440) and PGP/MIME (RFC 3156)
    • Per-Account based encryption and signing defaults
    • Per-Recipient rules for automated key selection, and enabling/disabling encryption and signing
    • New: OpenPGP key management interface
    • Automatically encrypt attachments for inline PGP messages
    • Powerful GUI for easy configuration and management
    • User Preferences for advanced configuration
    • Integrated OpenPGP PhotoID Viewer
    • Supports OpenPGP key retrieval via proxy servers
    • Integrates with GnuPG
    • Works with the Mozilla Thunderbird, Mozilla Suite, and Netscape 7.x mail clients
    • Supports Thunderbird's Multiple Identities feature
    • Available for: Windows / Mac OSX / Linux (x86-32, x86-64, SuSe, Debian, Mandrake PPC & x86 ) / UNIX (Solaris 8.0, *BSD i386)
    • Language Packs available for localisation

    Works for me!

    1. Re:GPG/PGP: Thunderbird and Enigmail by Anamelech · · Score: 4, Informative

      This is the route I took, but trying to convince others that it was worthwhile was another story. Most of the individuals I deal with within my family and friends network use the free, web-based email services (most of them Hotmail) and can't use encryption/signing to begin with.

      Some free clients have limited support for GPG/PGP, such as Gmail through Thunderbird. The last time I tried the encrypted attachments, however, they didn't go through quite as expected. (Don't remember what the actual effects were, but the cause was a mishandling of the MIME types.)

      As it stands, Thunderbird and Enigmail seem to be the easiest method for sending/receiving encrypted/signed emails, but free services are still a grey area for support. If it handles the MIME type on the encrypted attachments improperly server-side (the basic problem I ran into with Gmail) or they use the web interface regularly, there really isn't much you can do right now.
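
Added example, not part of the thread and not Enigmail's code: the PGP/MIME (RFC 3156) layout named in the feature list above, built with Python's standard `email` package, plus a structural check that shows why a wrong MIME type stops a client from recognising the message as encrypted. The relabeling in `relabel_in_transit` is an assumed failure mode chosen for illustration (the reply above does not say what actually happened), and the addresses and armored block are constructed.

```python
from email import encoders, message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed placeholder standing in for GnuPG output; not real ciphertext.
ARMORED = ("-----BEGIN PGP MESSAGE-----\n\n"
           "Y29uc3RydWN0ZWQgc2FtcGxl\n"
           "-----END PGP MESSAGE-----\n")

def build_pgp_mime(armored, sender, recipient, subject):
    """Wrap armored OpenPGP data in the RFC 3156 multipart/encrypted layout."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    # Headers, Subject included, stay in cleartext outside the encrypted part.
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    # Part 1: fixed control part. Part 2: the encrypted data itself.
    msg.attach(MIMEApplication("Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit))
    msg.attach(MIMEApplication(armored, "octet-stream", encoders.encode_7or8bit))
    return msg

def check_pgp_mime(msg):
    """Return a list of structural problems; an empty list means well formed."""
    problems = []
    if msg.get_content_type() != "multipart/encrypted":
        problems.append("top level is " + msg.get_content_type())
    if msg.get_param("protocol") != "application/pgp-encrypted":
        problems.append("protocol parameter missing or wrong")
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:
        return problems + ["expected 2 body parts, found %d" % len(parts)]
    if parts[0].get_content_type() != "application/pgp-encrypted":
        problems.append("part 1 is " + parts[0].get_content_type())
    if parts[1].get_content_type() != "application/octet-stream":
        problems.append("part 2 is " + parts[1].get_content_type())
    if "BEGIN PGP MESSAGE" not in parts[1].get_payload():
        problems.append("part 2 holds no armored OpenPGP message")
    return problems

def relabel_in_transit(msg):
    """Hypothetical mishandling: a relay rewrites the top-level MIME type."""
    copy = message_from_string(msg.as_string())
    copy.set_type("multipart/mixed")   # other parameters (boundary) are kept
    copy.del_param("protocol")
    return copy

if __name__ == "__main__":
    sent = build_pgp_mime(ARMORED, "son@example.org", "mom@example.org", "hello")
    print("as sent:  ", check_pgp_mime(message_from_string(sent.as_string())))
    print("relabeled:", check_pgp_mime(relabel_in_transit(sent)))
```

The armored data survives the relabeling untouched, so the recipient can still decrypt it by hand; what is lost is the client's ability to detect and decrypt it automatically.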

  3. I hope you know by missing000 · · Score: 5, Informative
    Encrypting your communications like this will just cause you to be a target. The NSA can most likely crack whatever you can throw at them, and even if not they will not hesitate to use some more creative methods if they want to listen in.

    Personally, I just assume that whatever I write or say is being listened to. It sucks, but that's the world we live in. Don't like it? Vote for a non-fascist next time.

    1. Re:I hope you know by ColaMan · · Score: 4, Informative
      Can the NSA crack RSA?

      Well, I know that they appear to know more than what the general cryptography community knows. For example (lifted from Wikipedia, emphasis mine):

      During development by IBM in the 1970s, the NSA recommended changes to the (DES) algorithm. There was suspicion the agency had deliberately weakened the algorithm sufficiently to enable it to eavesdrop if required. The suspicions were that a critical component -- the so-called S-boxes -- had been altered to insert a "backdoor"; and that the key length had been reduced, making it easier for the NSA to discover the key using massive computing power.

      However, the public reinvention of the technique known as differential cryptanalysis suggested that one of the changes (to the S-boxes) had actually been suggested to harden the algorithm against this -- then publicly unknown -- method of attack; differential cryptanalysis remained publicly unknown until it was independently reinvented and published some decades later.
      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    2. Re:I hope you know by Glonoinha · · Score: 4, Insightful

      That is ridiculous, and does not follow.
      Actually it is pretty simple.

      As far as most of us know, cracking RSA (and DES, and all the 'good' encryption) can be done, but it can only be done via brute force (i.e., trying different keys until one is found that works.) There is a little more to it than that, but let's just say it is incredibly time and processor intensive. Just like SETI.

      One of three things has happened at the NSA, you can pretty well bet:
      1. Every year computers get twice as fast, for free.
      2. They can add more machines without removing the old ones, (think Beowulf.)
      3. They came up with an algorithm that is faster than brute force, but haven't let on.

      That third one is the most scary - it is like when the Enigma was cracked. No longer did it take brute force ... they just applied their 'crack' and cranked out the answers. Even if it hasn't happened, the combination of 1 and 2 means that anything that takes brute force doesn't necessarily take a lot of time. Heck, my home Beowulf can outrun the $5.5M Cray mainframe AND the $150,000 IBM cluster that matched it back in 1999, on the same benchmark (skyvase.pov)

      RSA / DES keeps the honest people honest, and it keeps the first level bad people honest - but the days of keeping the hardcore bad guys honest are pretty much over.

      And yes, I mean the gvmt.

      --
      Glonoinha the MebiByte Slayer
  4. Re:Don't bother by waytoomuchcoffee · · Score: 4, Informative

    Don't bother using encrypted emails, because if you're not sending anything incriminating, THERE'S NO NEED.

    I love this type of thinking.

    Check out the 60 Minutes interview on Echelon:

    KROFT: (Voiceover) Is it possible for people like you and I, innocent civilians, to be targeted by Echelon?

    Mr. FROST: Not only possible, not only probable, but factual. While I was at CSE, a classic example: A lady had been to a school play the night before, and her son was in the school play and she thought he did a--a lousy job. Next morning, she was talking on the telephone to her friend, and she said to her friend something like this, 'Oh, Danny really bombed last night,' just like that. The computer spit that conversation out. The analyst that was looking at it was not too sure about what the conversation w--was referring to, so erring on the side of caution, he listed that lady and her phone number in the database as a possible terrorist.

    KROFT: This is not urban legend you're talking about. This actually happened?

    Mr. FROST: Factual. Absolutely fact. No legend here.

    http://www.freerepublic.com/focus/f-news/1543347/posts

  5. The best plaintext is encryption by Just Some Guy · · Score: 4, Insightful
    If a sizable portion of the population encrypted their email, then it wouldn't stand out, would it? And why do you assume he's wanting to "lay low"? Maybe he just wants to discuss private family business through private channels.

    I'll be darned if I'm going to live my life in fear that some TLA will mistake some perfectly innocent activity for terroristic proclivities. I only have control over my own mind - it's beyond my abilities to make someone else interpret my actions in the way I want.

    So, I'll keep encrypting the emails I send to my friends. I'll also keep locking my door and sealing my envelopes, even though I don't have any secrets the government would be interested in.

    --
    Dewey, what part of this looks like authorities should be involved?
  6. Re:mom? by Just Some Guy · · Score: 4, Insightful
    So what emails are you sending to mom that require encryption?

    Who cares? Do you write your letters on postcards or do you seal them inside an envelope?

    Maybe he has a nosy mailadmin. Maybe he doesn't want his kid sister reading mail meant for his parents. Some of us value our privacy, even though we don't have anything to hide.

    --
    Dewey, what part of this looks like authorities should be involved?
  7. Re:Don't bother by Malor · · Score: 4, Insightful
    If you give me six lines written
    by the most honest man, I will find
    something in them to hang him.

    --Cardinal Richelieu
  8. Re:Don't bother by Philip K Dickhead · · Score: 4, Insightful

    And then, you will be sitting, like John Gilmore, on a no-fly list - maintained by secret laws that no American may know about, or make reasonable enquiry.

    Only, unlike Gilmore, you are probably not a multi-millionaire...

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  9. Re:Hushmail by waytoomuchcoffee · · Score: 4, Informative

    May I recommend a hush.ai address, as they're offshore.

    They used to be. The servers are in Canada now. You know, the Country that tried to pass the Lawful Access bill last session to "compel all telephone and Internet companies to create and maintain infrastructures that are intercept capable and to provide access to basic subscriber contact information such as a name, address or telephone number."

  10. GMAIL and Thunderbird/Enigmail by Dark Coder · · Score: 5, Informative

    To send email securely over your Google Gmail account, just configure a Thunderbird mail account to retrieve Gmail email using your Google POP3 account information.

    The Thunderbird/Enigmail combo neatly addresses your privacy issues for both sending and receiving.

    With PGP/GnuPG perfect forward-secrecy protection, you can leave all your emails in your gmail account and not bother to delete them (EVER or until your GnuPG passphrase is compromised).

    Google deux-machination of trying to find AdWords in your email for their massive onslaught of advertisement campaign will come to a screeching halt when your gmail InBox contains nothing but pseudo-random data.

    Good riddance to invasive AdWords into your emails...

  11. Re:mom? by rusty0101 · · Score: 4, Insightful

    The problem with this argument is that the reason one puts messages in envelopes very rarely has anything to do with preventing the mail carrier from reading the contents of that letter.

    As a case in point, if you are sending a check, money order, or even cash to someone, most people use some sort of method of further obscuring the contents than simply putting it into an envelope. They pay extra for a box of 'Security' envelopes, printed on the inside with some pattern that makes it difficult to discern writing or printing. They wrap an additional piece of paper around the instruments. And so on. This doesn't happen in every case, but just about as often as not.

    It has also been long recognized that if you are sending mail to a country or person that someone has significant concerns about, that there are several ways of opening the envelope, or even extracting the letter from within the envelope without opening it. Read or copy the contents, then return the contents of the letter and send it on its way.

    In a lot of cases the real reason for using an envelope has more to do with protecting the contents of the envelope from smudging or being separated than with preventing anyone from knowing what those contents are. If you are paying a bill, you use an envelope to keep the check and the bill stub together so that the people being paid have some idea of what the check is for.

    If you get a multi-page letter from Aunt May, she is more likely to be trying to keep the pages together and in order than otherwise. If you are traveling, you very probably do send post cards, often with a picture of where you are, and a brief note wishing the recipient were along for the trip. An interested party may glean far more from a brief glance at the picture than by reading pages of text.

    Note that there are a couple of elements of the above that do make sense when related to encrypting or digitally signing the e-mail that you send. For all practical purposes the e-mail that you send is a single page document. Even if you print it to 100 pages of a single spaced double sided 6 point font as far as the e-mail handling software is concerned, it doesn't matter if the message is zero bytes, or a couple million bytes. If the parts are not all put together correctly at the far end, an error is logged, and the system tries to fix the situation. Likewise the system is mostly proof against smudging or error introduction to the body of the message, as it is being handled by a TCP connection. That does not prevent changes to the headers, nor does it prevent an alteration by a malicious server in the middle. Encrypting or signing the contents does reduce the likelihood that a change to the contents will be noticed. (Though it does nothing for the headers, including the subject.)

    Of course the above is a rather simplistic explanation, and there are other elements involved.

    -Rusty

    --
    You never know...
  12. Re:Ah... by The AtomicPunk · · Score: 4, Insightful

    Terrorist.

    Fighting the drug dealers was the excuse in the 80s. In the 90s it was saving the children. Now it's fighting terrorism. Please, keep up to date on the latest doublespeak - otherwise it's harder for the government to strip us of our rights.