Slashdot Mirror
PGP & GPG
Ben Rothke writes "PGP (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever. It is so good and so effective that in the early 1990s the FBI launched a multi-year investigation against Phil Zimmerman, the creator of PGP, for possible violation of federal export laws, especially ITAR (International Traffic in Arms Regulation). After many years of investigation, the FBI ultimately dropped its case against Zimmerman. Even though PGP is synonymous with end-user encryption, there have only been a few books written on the subject. Jump to 2006, and PGP & GPG: Email for the Practical Paranoid is a welcome title." Read the rest of Ben's review.
PGP & GPG: Email for the Practical Paranoid
author
Michael Lucas
pages
216
publisher
No Starch Press
rating
8
reviewer
Ben Rothke
ISBN
1593270712
summary
Pretty good overview of PGP & GPG
On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.
The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP.
The book is written for an end-user who, while comfortable with the workings of technology, is new to the sometimes strange world of public key cryptography. The author writes in an easy-to-read style and, through repetition, inculcates the principal ideas of encryption and cryptography to the reader.
The introduction and first chapter provide a good presentation of the concepts of encryption, cryptography and public-key cryptography. The idea of public-key cryptography, on which PGP is based, is not so intuitive, and many people struggle with the basic concepts. The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.
On a side note, the notion that even smart end-users can be intimidated by public key cryptography was detailed in a now seminal research paper 'Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.'
The premise of the paper is that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. The authors argue that effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software. The authors conclude that PGP 5.0 is not usable enough to provide effective security for most computer users despite its attractive graphical user interface. Even though PGP is in version 9.x, it still suffers from usability flaws.
Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' Military-grade encryption and military-grade cryptography are overused terms, most often by marketing departments, but there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified. Most people use 'military-grade encryption' to mean really strong crypto, much like those who use the term 'Olympic-size swimming pool' to refer to a really large pool. But the term 'military-grade encryption' is so misused by so many people that it is a lost cause to try to fight it.
In the rest of the book, chapters 2 - 11, the author details the varied usages of PGP & GPG. The book also details the differences between OpenPGP, PGP and GPG.
The difference between them is that PGP is a commercial piece of software, GPG (Gnu Privacy Guard) is open source, and OpenPGP is a protocol that defines a standard format for encrypted messages, signatures, and certificates for exchanging public keys.
The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly. Chapter 11 notes that although OpenPGP provides a reliable method of authentication and encryption, it is also not unbreakable. OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation, hardware or software compromise, fake keys and more. It is important to realize that OpenPGP provides significant, but not unbreakable security.
At 180 pages and priced at $24.95, PGP & GPG: Email for the Practical Paranoid is an excellent book that shows the end-user in an easy to read and often entertaining style just about everything they need to know to effectively and properly use PGP and OpenPGP.
For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading.
You can purchase PGP & GPG: Email for the Practical Paranoid from bn.com.
Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.
The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP.
The book is written for an end-user who, while comfortable with the workings of technology, is new to the sometimes strange world of public key cryptography. The author writes in an easy-to-read style and, through repetition, inculcates the principal ideas of encryption and cryptography to the reader.
The introduction and first chapter provide a good presentation of the concepts of encryption, cryptography and public-key cryptography. The idea of public-key cryptography, on which PGP is based, is not so intuitive, and many people struggle with the basic concepts. The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.
On a side note, the notion that even smart end-users can be intimidated by public key cryptography was detailed in a now seminal research paper 'Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.'
The premise of the paper is that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. The authors argue that effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software. The authors conclude that PGP 5.0 is not usable enough to provide effective security for most computer users despite its attractive graphical user interface. Even though PGP is in version 9.x, it still suffers from usability flaws.
Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' Military-grade encryption and military-grade cryptography are overused terms, most often by marketing departments, but there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified. Most people use 'military-grade encryption' to mean really strong crypto, much like those who use the term 'Olympic-size swimming pool' to refer to a really large pool. But the term 'military-grade encryption' is so misused by so many people that it is a lost cause to try to fight it.
In the rest of the book, chapters 2 - 11, the author details the varied usages of PGP & GPG. The book also details the differences between OpenPGP, PGP and GPG.
The difference between them is that PGP is a commercial piece of software, GPG (Gnu Privacy Guard) is open source, and OpenPGP is a protocol that defines a standard format for encrypted messages, signatures, and certificates for exchanging public keys.
The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly. Chapter 11 notes that although OpenPGP provides a reliable method of authentication and encryption, it is also not unbreakable. OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation, hardware or software compromise, fake keys and more. It is important to realize that OpenPGP provides significant, but not unbreakable security.
At 180 pages and priced at $24.95, PGP & GPG: Email for the Practical Paranoid is an excellent book that shows the end-user in an easy to read and often entertaining style just about everything they need to know to effectively and properly use PGP and OpenPGP.
For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading.
You can purchase PGP & GPG: Email for the Practical Paranoid from bn.com.
Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.
So basically 99.9% of users online today.
Outlook supports it natively, no craziness like with PGP / GnuPG. Users much prefer the simpicity of an X.509 solution. I like PGP and think it has its place, but that place is only for the paranoids / techies who want to deal with its complexities.
PGP (Pretty Good Price)
GPG (GNU - Free)
-- Brought to you by Carl's JR
(Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever.
This statement may indeed be true. And yet, 98 out of 100 people on the street would have no idea what PGP is. What does that say about software encryption programs.
No one knows, no one cares and very few have been affected by their ignorance.
PGP & GPG: Email for the Practical Paranoid
title soon to become "PGP & GPG: encryption for the practical suspicious target of the homeland security dept."
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
That was the most difficult google search I've ever done ... Gnu Privacy Guard
GNU privacy guard. Duh!
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
"On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.
The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP."
Okay, I stopped reading there. Basically you're saying "hey, you could look this stuff up, but if you're in the habit of spending money on information that is freely available in order to support a generally obsolete and overpriced/monopolized way of communication, go for it." Mind you I'm not railing against all authors/publishers, but technical manuals need some distinguishing reason other than "hey, it has an ISBN."
I can't say I ever found any PGP product good for any application. It was way too complicated and just not what was needed.
Instead, I found my holy grail of encryption in Truecrypt (http://truecrypt.org )which simply has rocked for the longest time (I'm in no way associated with it). Its free, and as far as I'm concerned as far as free encryption tools go, nothing can touch it, esp if you use one of the double pass encyption methods down the list, and don't label your volumes as truecrypt volumes or keep the encrytion program and the encrypted data on the same harddrive (use a USB key). No way they can identify what it is if you leave no clues.
Unfortunatly, I found out today on Wikipedia that Truecrypt has a rather lest than sparkling history... it seems rather sordid actually from what its homepage would allude to....
http://en.wikipedia.org/wiki/Truecrypt
PGP's probelm was it was never really integrated into an email system, and it had that totally messy key system that really was not worth bothering with or learning unless you were a highly trained memeber of secret police agency (as opposed to John Q public). There definatly is a begging need for good encryption of plain text ascii emails, but PGP just doesn't step up to the job. It needs to be integrated end to end in sendmail or whatever other mail transport servers, and inside the big heavyweight email programs used out there... PINE, Netscape Mail, the webmail services, and perhaps even OUtlook.
Skip Truecrypt, encrypt your data in a small volume and attach it as a file to who you want to send it to... in fact, encrypt whole harddrives or create files that can be mounted as virtual harddrives.
Truecrypt: http://truecrypt.org/
Zimmerman is more of a posterboy against the man than really than anything else in my practical opinion. I don't know any compgeek that uses PGP, or anyone that uses it to encrypt their mail.
Until Microsoft starts bundling their Certificate Services in Vista Home editions as a My-Identity-broker kind of thing, X.509 is useless for most people. X.509 is in Outlook because Outlook is the frontend for Exchange.
GPG/PGP are asymmetric cryptosystems that don't rely on PKI infrastructure, just per-user public/private keypairs. Not enterprise friendly but they can be used to bootstrap a trusted online relationship.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
There's a Public Key field in the User Preferences page on Slashdot, but does anyone know where you go to pick up other users' keys?
A google search would have saved you about 100 keystrokes.
Attention deficit disorder is a complicated issue, spanning several major... HEY LET'S GO RIDE BIKES!
"Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' ... there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified."
Ahem, reference http://www.nsa.gov/ia/industry/crypto_suite_b.cfm
While Suite A is classified, Suite B, specifically AES, is specifically mentioned as being suitable for up to TOP SECRET info.
Military grade is not a useless term, as it is therein defined.
HOO-AH!
Yeah, I've noticed this on most IT books. And I'm not one of those people "who want an ISBN". I don't think those people even read the books...
I wonder if there is a book called "Linux man pages explained - with complete printouts"...
OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation...
So one is vulnerable from poor implementation and the other provides really strong security? Hardware or software compromise is a flaw of only OpenPGP? Seems like a slightly tilted comparison.
Slashdot +1 funny -4 Insightful +1 informative -2 Redundant
Karma: Somewhere between SCO and Microsoft
Actually, the obligatory troll in this case is the old "HELLO WORLD HELLO WORLD" gag.
The failure of secure email to proliferate has nothing to do with PGP's usability issues. 99% of email users already have S/MIME integrated into their mail readers as a standard feature - very usable and secure, yet almost universally unused. It's not about the user interface, it's about perceived need (or lack thereof).
When people say "X.509" when talking about email security, what they mean is S/MIME. It is pretty clear S/MIME is going to win the battle to be the most common form of email security on the Internet. It has built-in support on Outlook, Thunderbird, hell--even mutt.
If people CHOOSE to trust a PKI, S/MIME works WAY better than PGP because key distribution is much easier. If they don't want to do a PKI, they can still trust individual certificates, just like PGP. They can verify certificates by reading thumbprints over the phone, if they like.
Basically, S/MIME can do everything PGP/MIME can do except the "web of trust." And WoT is just WAY too much work for 99.9% of the population. PGP will eventually vanish.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Acronyms should be defined in the summary.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
What I'd like to see is an Outlook plugin (or OExpress) that does the following. (Please note that I wrote O/OE because they are the major players)
* GPG included to make it easy for the user. Just one install for the whole package.
* Automatically create keypair during installation
* Default option to keep passphrase cached (not safe, yes I know, I know)
* Automatically decrypt/sigcheck all incoming emails
* Automatically encrypt/sign all outgoing mails.
* Attach the pubkey to all outgoing mails where the address isn't in my keyring.
* Automatically (just ask for password confirmation or something) addition of incoming pubkeys to my keyring.
* GPL
* The people who got the pubkey would also get a link to where to download the plugin.
I'm sure someone can expand this list quite a bit and I'm sure I forgot half of what I wanted to put on that list, but it's a start anyway.
Anyone care to write such a plugin? Or is there one already that I don't know of?
I do think that if there was something to that effect that you would see a spike in encrypted emails going across the globe.
I used to encrypt/sign everything but since I was the only one using pgp/gpg it was kind of pointless.
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
Just the other day I saw the following on the website of an author selling her own book directly:
Sigh...
Secession is the right of all sentient beings.
Post like this make me crave the moderation "-1 lazy bastard"
... when you could just read the fine review?
...
From the ninth paragraph:
The difference between them is that PGP is a commercial piece of software, GPG (Gnu Privacy Guard) is open source,
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
(Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever.
This statement may indeed be true. And yet, 98 out of 100 people on the street would have no idea what PGP is. What does that say about software encryption programs.
So then, what does this say about Slashdot readers?
never bring a twinkie to a food fight.
John: Cool. Here's mine.
Et voila - we can now start sending private messages back and forth (neglecting man-in-the-middle issues with the key exchange that can be trivially avoided with a single phone call or in-person meeting). Notice the missing step: neither of us paid Verisign or another CA for the privilege of saying "Hey, wanna go to lunch?" in private.
Dewey, what part of this looks like authorities should be involved?
So a large class of people prefer to read, what, barcodes??
Check out eCryptfs, which has recently been accepted upstream into the
-mm Linux kernel:
http://ecryptfs.sf.net/
This encrypts on a per-file basis, so that you can grab and copy the
file from the lower filesystem (which can be pretty much anything --
ext3, jfs, reiserfs, nfs...) without even having to mess with all that
partitioning stuff.
It's a great cryptographic filesystem now with just passphrase
support. It looks like they're going to be done with the public key
subsystem (with pluggable PKI support) before too long. HMAC
(integrity verification) will come next, and then when they get into
the policy stuff, eCryptfs will go beyond any crypto filesystem that
anyone has ever written, Open Source or not.
Coincidentally, the header format is inspired by the OpenPGP
specification (RFC 2440).
If you're really paranoid then you're going to know better than to rely on encryption for your communication.
Just as a an example, I set up a shopping cart of the type I mentioned and they thought it was the mutts nutz until I showed them that I was receiving both parts of the credit card numbers by email at a private email account. Even then I don't think they thought it was a problem. I left shortly afterwards.
I wonder whose harvesting those numbers now...
BTW, I deleted that shopping cart, so I am not guilty of abusing the system. It was done to prove a point.
|/usr/games/fortune
All-in-all, I think it's a practical down-to-earth simple solution. Seriously, don't laugh just because it's not technical enough for you.. So while you're busy being a tech-snon, the world will be busy getting stuff done. This works; for now.
"" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
For those who are curious: "The dimensions of an Olympic pool are required to be 25 metres by 50 metres." http://www.faqfarm.com/Q/What_are_the_dimensions_o f_an_Olympic-sized_swimming_pool
I am still looking for the definition of 'military-grade encryption'.
that's pretty secure compared to this site
http://www.rncca.com/
why they have a password is beyond me when they list the password on the site?
Haha, and if you click cancel, you still get directed to the page.
x.509 has a useful niche. PGP has a useful niche. I believe you are confusing tools.
I admin a PKI system inside the company I work for and it's the bees knees. I add public keys to the keychain. If you aren't on the keychain, then you won't have access to some things on the LAN. Simple, discreet control.
Let me be clear: There is a way around *every* security system. Running PGP/PKI systems meaningfully raises the bar.
Declaring x.509 "the winner" sounds like you have a very serious investment in it's success as opposed to the more professional perspective, right tool for the job.
OT Info:
As a general warning to all: MS's efforts in x.509 are the usual Embrace, Extend, Extinguish thereby crippling interoperability. Note that they've got Red Hat publicly endorsing their efforts now. http://www.identityblog.com/
Whereas shibboleth http://shibboleth.internet2.edu/ is supposed to be the neutral party.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Who's a bigger fraud, the CS major pretending to write good English or the English major pretending to write good code?
Have you ever thought of this?
All official letters (and normal letters) are signed and sometimes stamped.
Would all banks, insurance companies, ebays, paypals and whatsoevers use _signed_ emails as official communication, the whole issue of phishing, including cross site scritping and other browse issues would be over!
vajk
When I first read the title I hoped the ability for these systems to communicate correctly was what was being addressed. I've been working with a bank for weeks now trying to get things I encrypt with GPG to be decryptable by their PGP "Universal Server" product. They can install PGP Desktop on a PC and decrypt my messages just fine. They have this larger/fancier package that decrypts upstream of their Exchange server and internally passes on the unencrypted emails to their folks. It also has a webmail (https) interface for outsiders to send/receive things to them, etc.. It simply refuses to decrypt something created by GPG and PGP's support has been thoroughly useless so far. Hrm...
Uncanny timing on this article for me -- I just this morning set up both PGP and GPG clients on my Windows machine. I found some inspiration in this tutorial on PGP:
http://www.haltabuse.org/pgp/win/index.shtml
The tutorial talks about version 7 or 8 of the software when it was still freeware. Version 9 it appears still offers the basic functionality for free, but I have to admit that I was a bit put off by the fact that it's presented as a 30 day trial with a EULA that includes passages like this:
You hereby expressly consent to PGP Corp's processing of personal data you provide to PGP Corp (which may be collected by PGP Corp or its distributors) according to PGP Corp's current privacy policy which is incorporated into this Agreement by reference (see ). If "you" are an organization, you will ensure that each member of your organization (including employees and contractors) about whom personal data may be provided to PGP Corp has given his or her express consent to PGP Corp's processing of such personal data. Personal data will be processed by PGP Corp or its distributors in the country where it was collected, or in the location of PGP Corp or its distributors; United States laws regarding processing of personal data may be less stringent than the laws in your jurisdiction.
Standard EULA boilerplate perhaps, but I found it unnerving in a product that's supposed to protect your privacy.
I also downloaded GPG4Win from
http://www.gpg4win.org/
and got it running. I just succeeded in encrypting a message with the one and decrypting it with the other, so I think I'll go with GPG.
Amazing that such tools aren't de rigueur by now.
Innovation makes enemies of all those who prospered under the old regime... -- Machiavelli
"The right tool for the job" argument would lead to everyone being burried in billions of tools. I think email security is one of those areas where people don't want multiple tools, and will eventually settle on one for the vast majority of uses. Nobody can predict the future, so you can falsely accuse me of having a vested interest and claim that the people really want multiple tools if you want... but I think you'll be proven wrong in the long run.
There is 1 SMTP. There is one SSL. There is one HTTP. There will probably be one "email security" system, too. And it will NOT involve maintaining a "web" if the majority of the Internet will be using it.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
My guesses include:
* They've coerced the author to build in a backdoor (a la clipper).
* They've spent enough billions on serious hardware that they can brute-force it in a reasonable time.
* They've got some very clever mathematician to figure out a viable attack.
I think you can safely scratch #1, while also safely assuming #2. The trick is how timely, and how much encrypted traffic there is overall. If you or your message has been flagged as a high priority decrypt, then they're likely to throw a lot of crunch at it.
However, if you're not flagged and more people start to use encryption, you're more likely to get lost in the noise.
Your #3, I have no idea. I don't really have enough math knowledge to have a good grasp on the difficulties such a mathematician would face.
It's not offtopic, dumbass. It's orthogonal.
I would really like to see a good method of using OpenPGP with the major web-based email services. I would, however, not want to upload my private key to their servers.
PGP will eventually vanish.
Don't put too much trusts in certs. For example, you can ssl in the middle, so in theory smime in the middle should be possible. I actually figured out in one case ssl in the middle only works transparently when a valid CA root cert existed. A self signed cert gave it up that my ssl traffic was being intercepted when the popup informed me the host didn't match where I was going. If you don't believe this look as the Bluecoat proxy servers. One hotel I stayed in did this, so I VPNed using ipsec to home to do my banking.
PGP, I prefer the GNU version as the source is visible, veted and verified not to have back doors. And I can check for myself. PGP allows me to trust you without the need for a 3rd party trust. Do you trust all the root and trusted CAs in IE? I sure don't.
Calling for PGP to "vanish" is quite premature.
Here is a secure, perhaps radical approach for secure mail for Windows.
Go to VMWare, download a free version and install it on XP.
Get a Linux Distro, Suse 10 works quite nice, load Linux into a VM partion
Find out where the VMWare virtual files are, encrypt this directory in XP OS (See MS for instructions)
In Linux, setup Evolution for your ISP, generate some PGP keys. Read the instructions.
Once you have learned how to use the above, your PC could be stolen or hard drive copied and they will not get far.
PGP is big in the secure file transfer worlds of banking, insurance and the like. It's quite common to "PGP" a file and then send it via FTP or SSH.
Someone else mentioned S/MIME encryption. I have two things to say about that:
#1: An analogy: PGP is to S/MIME as SSH is to SSL. The first technologies are designed for individuals to each trust each other; the latter technologies are designed to rely on a trusted third party (specifically, a CA).
#2: Despite not-wide-use in email, S/MIME is having its revenge in the form of the AS/x protocols, most commonly AS/2. This protocol is widely used in retail, distribution and pharmas and uses S/MIME encryption to both send files and receive cryptographically secure receipts. (Drop me a line at jonathan.lampe@standardnetworks.com if you want to chat about this further; I'm looking for some beta testers for a related application!)
#2: No, given everything public sector mathematicians and cryptographers know, #2 isn't viable even for the NSA. Even if the NSA owned a galaxy full of conventional supercomputers.
#3: The simple answer is that the mathematicians need to find a shortcut to factor a big number (find that 7 and 3 are factors of 21). Mankind has been working on this problem for a couple thousand years to no avail.
I feel safe because:
A. If the NSA has created huge practical quantum computers to crack assymmetric encryption, they're not wasting the resource or risking the phenomenal secret on me or anything remotely as inconsequential as me.
B. If the NSA can factor large numbers, or has found a practical break to symmetric encryption, again this would be so mondo huge that they wouldn't waste it on anybody but North Korea-types.
I have to say, I don't personally use them, but I think the hushmail.com people really do crypto right. First, it is (now) genuine OpenPGP encrypted email, i.e. as standard as standard gets. And for people who aren't experts, there's really no key exchange to work out. If you both use hushmail.com, you can sign/encrypt your messages and the site takes care of hooking you up.
I'm all for traditional fingerprint checking and GPG keysigning parties, and yes I even got RMS to sign my key for cool factor. But for "mortals" I think the hushmail.com system is about right.
Fair enough. But note that I did say that the NSA would only expend the effort on those they consider high priority, and that all others would blend in as use of encryption increases.
Thanks for the clear and concise explanation of the mathematical breakthrough required for a shortcut.
It's not offtopic, dumbass. It's orthogonal.
Love it, but I'm tied to my state of birth, probably for the rest of my life.
And I'm so far beyond minarchism into anarcho-capitalism now that I think I'd gripe no matter what reforms they implemented. :) But of course I'd be a lot happier.
Secession is the right of all sentient beings.
Funny indeed. The password check is a piece of JavaScript on the page. It seems that they used to accept three different passwords and the code that they use to check the password has been rotten. Whitness the following:
Notice how pass2 and pass3 are undefined? An exception will not be raised if password is not correct and the script will be terminated before it can execute the window.location line. Bonus WTF points for the fact that the password is displayed in the dialog that prompts for it!
_________________________
Spelling and grammar mistakes left as an exercise for the reader.
wrong in so many ways.
Like the fact that they put the password in javascript code in the first place
Read the free docs online, then hand chip a stone axe, and go cut down all the trees you want.
It's free, and you get the personal satisfaction of seeing the trees die yourself, rather than outsourcing that part.
Hi,
If read my give and take below with Abcd1234 about military grade encryption, he refuses to concede that there is no such thing, as the book reviewer stated.
I still challenge anyone to provide an authoritative definition of what military grade encryption is.
Karen
I went there and saw where it tells you the password on the page, but had no clue when and where I was supposed to provide the password, nor what it was for. I clicked the link, and saw the list.
Then I read this post, and realized there's supposed to be a Javascript password check. But of course I don't see it, because I have Javascript turned off! :)
Secession is the right of all sentient beings.