SSL Encryption Coming To The Pirate Bay

An anonymous reader writes "The Pirate Bay, in response to Sweden's new wiretapping law, will start offering SSL encryption to its user base this week. Although copyright issues really have little to do with national security, The Pirate Bay knows its population is uneasy with the recent legal change. The encryption will mostly benefit Swedish users living under the current law. Since The Pirate Bay and its servers are not hosted in Sweden, the additional security offered to outside users could be comparatively minimal."

speed

[youthoftoday]

Won't that slow things down quite a lot?

Re:speed

Won't that slow things down quite a lot?

Better slow downloads than meeting your new Swedish boyfriend in jail.

Re:speed

Hmm... A Swedish jail boyfriend.

A List? Lets.

Pros:
Funny Accent? Check
Athletic? Check
Likes Wooden Shoes? Check
Digs Meatballs? Check

Cons:
Makes you scream in a funny accent? Check
Athletic (in all the wrong places)? Check
Likes pain and Abuse? Check
Digs _your_ Meatballs? Check

It's a hard call.

Re:speed

[ozamosi]

The actual file transfers are peer-to-peer, so they won't be effected (also, they're usually encrypted already, to avoid bandwidth throttling). This is for accessing the website and/or for contacting the tracker.

Web pages have been using SSL for years without being especially slow.

Contacting a tracker is a lightweight request that is being performed once every 30 minutes or so - if it was a few seconds slower, nobody'd notice anyway.

Re:speed

[SirLurksAlot]

Possibly, but it's a trade-off. Do you want speed or do you want security? (Yes yes, I know, everyone wants their cake and wants to it too.)

Re:speed

[Zero__Kelvin]

Most likely not, and it depends ...

On the server side, presumably the bottleneck is the network connection or the storage medium access times, and not the CPU of the server. The network overhead to an SSL connection is minimal, to the point where it is negligible. The access times to the storage medium will not change to any measurable degree. The only way this will slow downloads considerably would be if the CPU was already at or close to 100% utilization, or if it is pushed "beyond 100%" utilization (i.e. the bottleneck becomes the CPU) due to the need to calculate SSL certificates, etc. Since The Pirate Bay is doing this in a planned and intentional way, they have almost certainly thought of this and will likely add processing power if need be on the server end.

From the client side, YMMV, but the above holds true in general. If you are downloading and doing CPU intensive things in parallel, then yes, things will slow down considerably.

Re:speed

[duguk]

(Yes yes, I know, everyone wants their cake and wants to it too.)

Of course I want my cake and want it too.

Its when you eat your cake and still want it you've got problems.

Re:speed

[SirLurksAlot]

You know the worst part? I actually took the time to "proofread" my post before making it too :-P Stupid word-skipping brain.

Re:speed

[youthoftoday]

There's your answer! The fruit of your speed trade-off!

Re:speed

Won't that slow things down quite a lot? We're talking 20KB files here. The encryption will only affect the tracker search portal and the torrent file serving. I'd rather have an encrypted site that takes a couple of ms more to respond than something fast that spews out visible data left and right. All the data transfer is run by the peers and there encryption depends on the individual client settings (and many people already use full stream encryption w/o any slowdown). So "not really" would be an appropriate answer to your question.

Re:speed

... nor will they be affected.

Re:speed

[Bandman]

There are really a lot of hardware solutions to speeding up SSL.

The real issue is that, typically speaking, the server which is responsible for the server-side processing is also responsible for encrypting the stream.

By putting a hardware or software solution in front of the client-access machine, you offload encryption to that host, leaving the application server free to concentrate on serving applications.

This can also be useful for debugging sessions, as you (the provider) have an unencrypted stream to examine.

Securing that stream between the application and the encryption device becomes of paramount importance, in that case.

Re:speed

[thermian]

Um, no, this change has nothing to do with torrent swarms, so downloading of the files referenced inside a torrent would be unaffected.

Re:speed

[WhatAmIDoingHere]

You're only download the actual .torrent file through the encrypted connection. All the downloading done with your client will go through your normal (unencrypted) connection. Unless you sign up for TPB's paid encrypted connection service.

Re:speed

[RAMMS+EIN]

It's not just about processor time, but also about network latency. Adding encryption is likely to introduce a couple more round trips, which can be very noticeable, depending on the latency-sensitivity of an application and the way things are implemented.

Re:speed

[just_a_monkey]

There are pros and cons to living in Sweden. This law is a big con. So are the taxes, and the regulations. A penal system which is not based on homosexual rape is a pro, though.

Re:speed

[maxume]

I notice myself doing this more and more frequently. The hard part is deciding whether I am skipping words more often or noticing more often that I am skipping words. It and is are also frequently interchanged.

Re:speed

[JamesTRexx]

Its when you eat your cake and still want it you've got problems.

And don't look at me for sympathy because everyone knows the cake is a lie.

Re:speed

[igibo]

A penal system which is not based on homosexual rape is a pro, though. Speak for yourself.

Re:speed

There are pros and cons to living in Sweden. This law is a big con. So are the taxes, and the regulations. A penal system which is not based on homosexual rape is a pro, though. Wouldn't that make it a penile system?

Re:speed

[Zero__Kelvin]

"Adding encryption is likely to introduce a couple more round trips"

If only I had thought to address the network connection issue somewhere. I think if I could do it all over again I would have done it in the first sentence of the first paragraph of my post.

"Adding encryption is likely to introduce a couple more round trips, which can be very noticeable, depending on the latency-sensitivity of an application and the way things are implemented."

... and in this case we know the application. It is downloading large files. The two round trips you describe represent negligible overhead in this case. Again, if only I had mentioned that. If I could do it all over again, I would choose the second sentence of the first paragraph of my post :-)

Re:speed

[Curtman]

Apparently it's Google's fault. Anybody in for some class action? :)

Re:speed

[orzetto]

In Scandinavia, there are no "federal pound-in-the-ass" prisons. The prisons are top-notch, just google around: here is a couple of articles.

Re:speed

[Haeleth]

Better slow downloads than meeting your new Swedish boyfriend in jail.

Even better, how about paying for your movies, games, and music? That way you can download them as fast as you like, and the government won't try to put you in jail even if they spy on you doing it!

I realise this is Slashdot, where "not getting busted for copyright infringement" is apparently categorised as a "right", so I'm probably about to be modded into oblivion -- but hey, that's life, isn't it?

Re:speed

[Maxo-Texas]

I agree with your general point and agree that recent material that is still in print should be either paid for or ignored.

That being said, I torrent.

I use it for
1) Movies that I can't buy if I want to.
2) Comics that I grew up with and can't buy if I want to.
3) Anime that isn't for sale in the U.S. (This has lead to be buying anime when it does become available- like Stand Alone Complex)

And I do draw the line 28 years (the original terms before our governments sold out to disney and other companies and sold away the public domain to them). And I could get fined or go to jail for that activity. I keep that in mind, so I use peer guardian and other techniques to keep a low profile. But mainly, I stay away from new hot shit. Mostly, new hot movies you can buy for $5-$7.50 within 18 months of them coming out. Why risk prison/ fines to see a movie 18 months early? And more importantly, creators do deserve *some* compensation for creating.

Re:speed

[WeblionX]

Wait, so I can now buy HD movies online and download them as fast as my connection allows legally? I thought I had to drop a wad of cash on a new disc drive then had to either go out and buy or wait for it to ship to get the movie, then I had no option to put it on my computer (legally). This is all news to me.

Re:speed

Oh, I'll pay, when they offer me what I want to buy, not what they want me to buy.

I certainly don't want to pay for drm, which I can't play in Linux without having to circumvent their stupid restrictions.

Re:speed

[BrentH]

I daresay such prisons don't exist in all of non Anglo-Saxon West.

Re:speed

[alexandreracine]

Possibly, but it's a trade-off. Do you want speed or do you want security? (Yes yes, I know, everyone wants their cake and wants to it too.)

The cake is a lie!

Re:speed

The Swedish pen system is based on bean sacs and tv games with three months for rape and five years for tax fraud.

With such small times inside the rapers never get the time to build up enough lust.

Now let's hope FRA doesn't read this...

Re:speed

[aliquis]

No.

Re:speed

Wait... you mean I can get faster downloads AND a boyfriend by ceasing to encrypt my web traffic? DAMN!

Re:speed

[ultranova]

All the downloading done with your client will go through your normal (unencrypted) connection.

Actually, many BitTorrent clients nowadays can use encrypted connections for data transfer. I don't know if the tracker connections are encrypted, though.

Re:speed

...creators do deserve *some* compensation for creating.

Which is EXACTLY the point. They're product isn't *worth* anything if it isn't scarce. With digital medium nothing is scarce making it worth whatever the public is willing to pay - simple economics. What pisses me off is that media companies are allowed to force artificial scarcity. I have no sympathy and don't believe hiding their greedy little faces behind corrupt bureaucrats should be tolerated by the general public.

Re:speed

[mollymoo]

Don't lump the rest of us Anglos-Saxons in with the Americans. UK prisons may not the most pleasant in the West (though they are currently overcrowded), but they're a damn sight more civilised than those in the USA.

Re:speed

[cliffski]

so everyone who loses sales to thepiratebay is evil and greedy eh?
welcome to the new world of the internet, where anyone can create new original pieces of entertainment and sell them to the entire world in digital form, freeing us from the tyranny of the few megacorps who controlled bricks and mortar!
except it all falls apart because people like YOU are happy to steal from EVERYONE, including the independents and the little guys.

You still want to enjoy high quality entertainment, but you want tens of thousands of people to work to produce it while you spend not a single cent on it.
And you have the fucking arrogance to call the content creators greedy?
grow up.

Re:speed

Meanwhile, back in reality, not all of us are willing to pay exhorbitant prices to have untrusted (with reason) software installed on our systems to "buy" said shows, without any of the rights that one usually gets when "buying" something.

I would cheerfully pay a small, reasonable fee for the service of downloading a known quantity (bitrate, quality, etc). But I can't buy that now, and the problem is not the market, my friend, and I am part of the market.

And go fuck yourself for a fascist, too.

Re:speed

[mOdQuArK!]

Let's see:

1) people who think they deserve special laws so they can extort more money out of people than they would otherwise be able to get in a normal "free" market, vs.

2) people who think they should be able to use their own physical private property that they've bought & paid for without third party restrictions being forced on them.

Who exactly is being "greedier"? Since when do people "deserve" to be paid a lot of money just because they did a lot of hard work?

Re:speed

[init100]

Adding encryption is likely to introduce a couple more round trips, which can be very noticeable

Probably not much. SSL supports connection reuse, so a client can use the same session key (which avoids renegotiation and key exchange) for downloading multiple objects on the same site.

Re:speed

[Slartibartfass]

everyone wants their cake and wants to it too.)

Don't! The cake is a lie!

Re:speed

[mollymoo]

A night in the cells and some community service (in the UK) is as close as I've been to prison. Community service usually means spending a fair amount of time with people with first-hand experience of prison. Anyway, your question is a false dichotomy - there is a whole spectrum between direct experience and mere assumptions. First-hand experience isn't required to gain knowledge about things. Conditions in prisons are reported in newspapers, on the news and in documentaries. Books and academic journals too, though I've never had the urge to delve quite that deeply into this subject.

Re:speed

[duguk]

Apparently it's Google's fault. Anybody in for some class action? :)

oh man, i tried reading that article and got bored and did something else.

actually, and honestly, i did - and i ended up posting this. hmph... maybe the writer of your linked article has got a point.

*annoyed*

hint: if you don't get it, read his linked article

Re:speed

[s7uar7]

The network overhead to an SSL connection is minimal, to the point where it is negligible. Up to a point. By default, Apache has Keep-Alives turned off for SSL connections from IE because of a problem with the SSL implementation in IE5, and no one seems to quite know whether it's fixed in later versions. Consequently, there is a handshake for every request, which can add 5% to 10% to your server's bandwidth use.

Re:speed

[daBass]

No, it won't - as long as the hardware is up to scratch.

There are three ways to implement SSL:

1. Let the server CPU do it. Nice for small sites with tons of spare CPU because those cycles were not used for anything else anyway. Way too many sites use this and it is what gives SSL its bad name for speed. (that and when it first came out, your local PC was slow at crypto as well, now it won't break into a sweat over it)

2. Crypto card. An PCI card that the web server can off-load SSL to. Not very many people use this.

3. External crypto box. Acts as a proxy and the real web server only sees non-SSL requests. This is the optimal solution for most sites, including TPB.

Now your PC is fast enough to decrypt this, forming no bottle neck in the transfer rate. As long as the crypto solution is implemented with putting any more strain on the existing web servers, the throughput will remain the same. (scp transfers between my servers are just as fast as FTP or HTTP)

The only thing that causes some slowdown is latency caused by the initial key-exchange between browser and server. But again, this is way more pronounced when using a normal CPU to do SSL. Optimized crypto boxes are much faster at creating keys.

Re:speed

[complete+loony]

It does however increase the lifetime of each request. The announce handshake (TCP SYN / SYNACK, ssh handshake, http headers in both directions) just gained at least one more pair of packets in each direction.

Re:speed

[mR.bRiGhTsId3]

I agree, although I don't think I would be particularly quick to judge any account of conditions in a prison based on any form of media, since I believe there is a tendency to sensationalize and "make mountains out of molehills."

Re:speed

[Mista2]

Same - My download Priority: TV shows not shown here in NZ, or where the scheduling has been so stuffed around that it is impossible to get every episode. Movies not available in Region4 DVD at the time of release. This is a global market, and the US media companies had better start providing a global service to everyone at the same time if they don't want to suffer this form of piracy. If any of the sudios offered DRM content free outside US borders, I would probably buy it. I'm a Battlestar Galactica fan, but you cannot access any of the episode previews outside of the US, so I simply downloaded them. Not a loss to them as I am not one of their customers and can't buy the product here if I wanted to.

Re:speed

[Mista2]

Now you can have your cake, but only if you eat on approved plates using paid for proprietary knives and forks. and you may not get the same cake as someone else in another country, and it may not even be the cake you want. However you can download a good facsimile of the cake and eat it wherever you want for free.

Re:speed

[westlake]

1) Movies that I can't buy if I want to.

Name one.

Then name one that isn't still in first run theatrical release.

Them name a classic which hasn't been released in a accessible format.

But if the technicolor master print is in a vault somewhere and no one is willing to pay for digital restoration and licensing, you won't find a link to it on Pirate Bay.

And I do draw the line 28 years (the original terms before our governments sold out to disney and other companies and sold away the public domain to them).

The animated feature Cinderella was followed by a Rogers & Hammerstein musical and a Jim Henson special for HBO and the CBC. IMdb lists over 100 versions of the tale dating back to the Nickelodeon days.

The geek doesn't want to learn from Cocteau and Philip Glass. He doesn't want to learn from Disney. He wants a Beauty and the Beast Lego Construction Set with all the hard work done for him.

Pixar takes chances and produces Finding Nemo, The Incredibles, Ratatouille, WALL-E.

The geek's creative imagination and integrity begins and ends with "Limbo of the Lost." He deserves a Uwe Boll.

Re:speed

[Joe+Tie.]

I'd love to pay for my tv,music, and movies. Can you convince someone to sell them to me? I buy when I can, even if with some trepedation about supporting DRM in the process. But it's still fairly common to not have any way to get a product than by downloading. Limited release movies, in particular, are high on that list. They're often better than the mainstream, never make it past festivals, and then just fade away instead of reaching dvd release.

Re:speed

[Zero__Kelvin]

And by logical extension, there may be a bug in some implementation such that when an SSL connection is attempted it can never be negotiated, thereby moving the overhead to approach infinity. News flash. When things don't work the way they are supposed to due to a bug, things work differently, and the analysis of how things are supposed to work won't map to it. Film at 11.

Re:speed

[Firehed]

Why the hell would you pay to steal stuff? More importantly, does doing so make you a douche or just a cheap-ass (in the sense that it's still cheaper than buying or getting sued)?

Re:speed

[generica1]

Pretty sure that thepiratebay.org only serves up .torrent files so it may only slightly slow down the download of these .torrents. However, the person who uses the resulting .torrent to assemble together the file described in the torrent would not be doing so over SSL links to other peers in the swarm. The impact of this on the speed of downloads is actually very minimal, as .torrent files are quite small most of the time.

Re:speed

[TooMuchToDo]

If they have speed issues, SSL hardware accelerator cards in their frontend tracker cluster boxes should fix the problem right now. SSL is damn fast when you're offloading to a hardware card.

Re:speed

[TooMuchToDo]

Depends on the tracker site. Some do encrypt, some don't.

Re:speed

[Samah]

Technically he's also correct with "effected" since the SSL encryption is not the *cause* of the peer-to-peer file transfers, and thus does not "effect" it. :)
But I digress...
http://xkcd.com/326/

Re:speed

[MoogMan]

I'm assuming that it's SSL to the tracker, in which case you'll only need one connection.

SSL is expensive when connecting (using an asymmetric cryptography algorithm such as RSA or DSA), however SSL is relatively cheap when the connection is established - RC4 for instance is known to be pretty quick.

So no, it won't really slow things down. TPB's trackers may get a bit slow if they have to deal with many new connections (and this would be a simple way to DDoS them), but you'd see a delay in connection rather than a general speed issue.

Re:speed

[Dhalka226]

Since when do people "deserve" to be paid a lot of money just because they did a lot of hard work?

They don't -- but if they put a lot of hard work into something and let you use it with the caveat that they be compensated (ie, they offer it for sale) and you choose to use that product or service, then they do deserve to be paid. And they deserve to be paid whatever price they set. If it's too high, you're free to do without.

Your two categories completely ignore the pirates in order to present two cases you can slam content creators with. I have absolutely no problem with you buying a CD and ripping it to your hard drive. I have no problem with you keeping that CD and those mp3 copies and putting another set on your iPod. I have no problem with you making copies for yourself and even your family, or selling your used CDs provided you aren't keeping any other copies for yourself. I have no problem with you removing DRM to do any of these things. To the extent that any of these behaviors are illegal today (some clearly are, some might be, some aren't,) I don't feel they should be.

I DO have a problem with you if you pirate games or movies or software or music or anything else for any other reasons, including "it costs too much!," "copyright is out of hand!," and "the RIAA suxx0rs!" And that's regardless of the fact that I strongly agree with all of those statements. Presenting it as some sort of right of yours to have things you didn't pay for because you didn't like the offer is dishonest at best; personally I think it's unfettered asshattery.

And I'm sorry, but the "who's being 'greedier?'" question is just stupid. The other guy being wrong, even more wrong, doesn't make what you're doing any more right. We learn this idiom in like second grade; it's entirely disheartening to see supposedly intelligent Slashdot readers trotting it out. It doesn't help you OR your argument.

Re:speed

[ryszard99]

everyone wants their cake and wants to it too.)

Don't! The cake is a lie! realise the truth, there is no cake.

Re:speed

[BrentH]

No, I meant non-Anglo-Saxon West, in the way we use Anglo-Saxon currently (FYI: the English-speaking West). Non Anglo-Saxon West therefore is the whole of mainland Europe (which is much more than Latin-Europe) plus Japan.

Next time, before trying to be a pedant douchebag, please consider also than the term Anglo-Saxon refers to /two/ tribes from the time they moved to England, which is, a thousand years ago. Tribes haves moved many times since then in mainland Europe, so even if you somehow managed to equate Sweden with England in your mind, please open your eyes and see /what other people are actually saying/.

Re:speed

[actiondan]

Wouldn't that tendancy be much the same on both sides of the Atlantic though?

The British press is not known for avoiding sensationalism.

Re:speed

[redscare2k4]

You're 100% right Dhalka. I still use the "cost too much excuse" to feel better when I download something, but you're right.

Re:speed

[rohan972]

1) Movies that I can't buy if I want to.
Name one.

The Last Starfighter, as far as I can tell not available in region 4. If I have to commit a crime (breaking the encryption) to access it, then they aren't making it available to me to buy.

I don't think freeloading off other people's work is the answer, but I can see why people see that as better than complying with the idiocy of the movie and music industries.

Re:speed

[Nullav]

I just barely R'd TFT, thanks to that entire page of header.

Re:speed

[rootooftheworld]

im not sweadish, but would you settle for a BG boyfriend? *prays with all heart and soul to god for a "yes"*

Re:speed

[mR.bRiGhTsId3]

Yeah. I was speaking in general so I would say yes, although, I have a great deal of respect for the BBC News at least. Every so often I watch it and I am struck by the feeling (irrational or not) that they aren't trying to shock me. Then again, it could just be a different presentation style that I'm not picking up on.

Re:speed

[Sloppy]

CPU is cheap. In 2008, a $100 CPU will blow your mind when it comes to how many SSL connections it can handle. In 2009, a $100 CPU will blow your mind again once you've come to grips with what the 2008 model can do. In 2010...

And if you buy a $180 CPU instead .. oh damn, I just blew my own mind. I don't even want to think about what a $350 CPU can do, because my head might explode.

Re:speed

[Sloppy]

Even better, how about paying for your movies, games, and music?

That's a good idea, assuming device-interoperable (i.e. DRM-free) content is for sale.

But aside from that, there's a bigger picture. The old joke is that porn drives a lot of internet innovation and economy-of-scale. If piracy contributes to that too, then so much the better. Most websites should be using SSL (or something like it) anyway, and if this gets people to accept that as the norm, that's great. Ride the wave.

Re:speed

[colesw]

Then do without the product, just because they don't offer it how YOU want it doesn't give you the right to use it without paying for it. Heck I don't even call it stealing, but your enjoying the efforts of other people without compensating them the price they set.

Heck I'll admit I pirate stuff all the time, but I'm not going to sugar coat it. I can't afford all the stuff I download, its as simple as that. Would I buy more if I had more money? Probably, but who can really say (if you'd like to give me money to test it out I'm open for that).

Re:speed

[Shadow99_1]

Great efforts have been made in state & federal prisons in the US to where they live better than they ever did outside...
Now private prisons in the US... those can be bad o.o

Re:speed

[internewt]

Really? I feel the BBC have gone horribly downhill chasing the commercial channels, especially the news.

I watched an episode of ITN's News at Ten the other evening, and it was like watching/listening to a tabloid newspaper. You know how the tabloids but key words in bold (like I have in the paragraph above) in their articles, for whatever reason they do? [1] Well, watching ITN's news was like that.... but you could barely hear the words inbetween "terrorist", "paedophile", "the McCann's" and psuedonews about the latest products on the market - which are coincidentally advertised on the same channel.

I feel the BBC has gone down a similar path. They don't have the same financial interests as commercial stations, but they feel to remain competitive they need to do what the commercials channels do. The new generation of news readers are more like actors - they don't seem to show any emotion taking about awful things, and can they switch seamlessly to the fluff news pieces that get run every day.

And the BBC never questions the state anymore. Opposition to the government may be reported on, but it is always in the same way: at the end of what little analysis there is, and then it is somehow painted in a bad-light.... as if they truly believe that if you don't toe the line perfectly, the next stop would be blowing up the houses of parliament!

[1] Thick readerbase, and/or the paper has an agenda.

Re:speed

[BrentH]

A private prison? What is that?

Re:speed

[Crayon+Kid]

Its when you eat your cake and still want it you've got problems.

I thought that's what those anorexic chicks were doing.

Ohhh, I see the problem now...

Re:speed

[Crayon+Kid]

The actual file transfers are peer-to-peer, so they won't be effected (also, they're usually encrypted already, to avoid bandwidth throttling). This is for accessing the website and/or for contacting the tracker.

Won't SSL trackers also help curb the throttling? I know that's the main reasons I use Tor for my tracker connections: encryption. One classic throttling technique is peeking at tracker connection, reading peer IP's and messing with connections to them. If all torrent trackers used SSL this technique would become obsolete.

Re:speed

[Maxo-Texas]

For a long time...

1) You could download and watch "battle star galactica" but it wasn't even viewable for free in the US until a year later. These days I watch it on Sci-Fi because it is current.
2) Ally McBeal for some ODD reason had 5-8 episodes available here but all the rest were only available on UK encoded disks.
3) "Circle of Iron" was only on video tape for several years. I downloaded a rip of a video tape and then purchased the DVD when it FINALLY (after several years) became available.
4) The "Time Travelers" is STILL NOT available except as a burned rip (which I purchased and it wouldn't play).
5) Several science fiction shows (Like Logan's Run), D&D Animated
6) Get Smart (Watched some horrible encodings of it for several years before the DVD set finally came out (And I BOUGHT it).
7) The American Success Company (retitled "Success")(Video Tape only- out of print for years)

That's just off the top of my head.

A LOT of shows and movies go out of print and do not come out on the newer technologies. There will be a lot of movies printed on DVD that you will not be able to purchase (on DVD) a few years into Blu Ray and they won't be out on BluRay yet.

Likewise, they don't make handy 700mb versions of the DVD's I already own. I lost TWO DVD's last trip alone.
 

Re:speed

[pbaer]

I've often "pirated" a game, because it came with DRM, or I've lost the original disc. The publishers have still made money, but as far as the law is concerned they're equally illegal.

Re:speed

[Shadow99_1]

Privately owned prisons that are contracted out by the state. It's the invention of those who say that business can always provide cheaper solutions than the state does... They have standards they are supposed to be held to, but...

A broader lesson

[dfaulken]

While this particular instance doesn't concern me, it seems that, more and more, we're seeing reasons to start encrypting most data that we send across the Internet--certainly we would encrypt IMAP/POP3 sessions, Jabber and whatnot--why not HTTP as well?

Yes, there might be some performance drawbacks, but, on the whole, it seems to me like the less data we send in plaintext, the less we open ourselves up to identity theft, and being spied on by governments (not necessarily our own, mind you).

So I tend to think that this is just a manifestation of this broader trend towards encryption in all Internet transactions. I think the real question is whether we'll see people using SSL/TLS for things like checking the weather or sports scores.

Re:A broader lesson

[GIL_Dude]

I agree with you here.
I think it will be an escalation though between the people who want to know what everyone is doing and those of us who want privacy. For example, if we encrypt everything - how long will it take these same wiretapping morons to pass more laws requiring that sites make the decryption key available for all "official agencies" or some such?

Re:A broader lesson

[oodaloop]

It's about time. If you look at the postal system, people have been using security envelopes or at least sealed envelopes since pretty much the beginning. The only mail postal employees are allowed to read are postcards, since it's pretty hard to stop them. Unencrypted email is basically like a postcard, and it pains me to hear people complain that governments are reading them. Do they complain that postal employees are reading their postcards? If it's important or private, use a security envelope or encryption. Otherwise, don't complain when someone reads it.

Re:A broader lesson

[dfaulken]

If you look at the postal system, people have been using security envelopes or at least sealed envelopes since pretty much the beginning. This is exactly the problem, though--people are accustomed to using envelopes, whereas getting people to use e-mail encryption requires some serious additional effort, which most people aren't willing to put in.

Re:A broader lesson

[Bandman]

I really think the issue is that people expect a modicum of privacy from their government, and our governments are not really willing to accede to their requests

Re:A broader lesson

[nine-times]

Yeah, it seems to me that it was an oversight that networking wasn't encrypted in the first place. When lots of these protocols were being developed, security didn't seem to be much of a consideration.

It's about time that these things got rectified, but I'm not sure what the best course is. For example, using SSL concerns me in that we've accepted the convention that certificates should be issued by certain set organizations that require exorbitant fees. I mean, hundreds or thousands of dollars per year for an SSL cert? Seems a bit much to me. Yeah, I know you can generate your own, which will cause you to get complaints from your websites' users when they see what looks to them like an error message.

I'm not a security expert, but I get the sense someone needs to go back to square one and figure out how to build a coherent, open, and secure model for networking that doesn't rely on giving such control to a small number of companies.

Re:A broader lesson

[Znork]

and being spied on by governments (not necessarily our own, mind you)

These types of laws typically have provisions against 'domestic spying'. As does the swedish law.

The traditional way to get around that is to simply listen on foreign traffic, then exchange that info with foreign intelligence services (A method which the swedish law explicitly allows).

whether we'll see people using SSL/TLS

Perhaps.

If you really want to make things hard for the listeners, start putting encrypted input from /dev/random as a .sig to every mail you send. They'll never to be able to either decrypt it or verify it contains no real encrypted info...

Then if you ever wanted to send anything you actually mind having listeners to you can just stick it there; either your mail will already have gotten whitelisted to avoid clogging their filters, or it'll get stuck in a queue so deep the sun will have gone out before they can decrypt it.

Re:A broader lesson

[oodaloop]

Right, a modicum of privacy in a medium that is as inherently open as sending a postcard. It seems private to regular users, but it's no more private than talking on a cell phone in public; anyone can listen in, from governments to individuals. If it's out in the open, expect people are listening. If you don't want them listening, use something more secure. Don't blame the government because they're reading your open emails or postcards.

Re:A broader lesson

[99BottlesOfBeerInMyF]

This is exactly the problem, though--people are accustomed to using envelopes, whereas getting people to use e-mail encryption requires some serious additional effort, which most people aren't willing to put in.

The real problem is that people have to put in additional effort, because their e-mail program doesn't handle it seamlessly. Their e-mail doesn't handle it seamlessly because it isn't easy to do, because there is no one dominant standard, but there is one dominant e-mail client (Outlook) which is controlled by a monopolist who has no incentive to make things better for their customers (because they have a monopoly). This is one of the many hundreds of ways the computing industry is constantly being held back by MS's monopolies.

Re:A broader lesson

[Free+the+Cowards]

If TCP/IP had been encrypted from the beginning, we'd be worse off, not better.

Why? Because any crypto available from that time is trivially crackable today. So instead of an obviously insecure communications medium, you'd have an insecure communications medium that everyone thinks is secure because, hey, it's encrypted! It wouldn't change anything except make people more complacent.

Re:A broader lesson

[David+Jao]

Yeah, it seems to me that it was an oversight that networking wasn't encrypted in the first place. When lots of these protocols were being developed, security didn't seem to be much of a consideration.

You may be too young to remember this, but until 1997, it was for all practical purposes illegal to transmit cryptography software over the internet because of ITAR regulations.

As a result, during the formative years of the internet when networking protocols were being designed, there was no practical way to include security as a requirement. A cynic would interpret this state of affairs as being exactly the goal that the US government had in mind when they made cryptography illegal.

Re:A broader lesson

[Digital+End]

and being spied on by governments (not necessarily our own, mind you)

Because it's okay to be spied on by your own government.

Forshadowing of the next generation...

Re:A broader lesson

[SirLurksAlot]

Yeah, it seems to me that it was an oversight that networking wasn't encrypted in the first place.

Correct me if I'm wrong here, but as I understand it security was outside of the scope of networking technology when it was first created. ARPANET was created in order to facilitate information sharing, and it started out quite small. Encryption at that point would've been counterproductive. Security wasn't much of a consideration because the network was connected and used by trusted nodes, namely research centers and universities.

Re:A broader lesson

[Kjella]

I'm not a security expert, but I get the sense someone needs to go back to square one and figure out how to build a coherent, open, and secure model for networking that doesn't rely on giving such control to a small number of companies. We could, but not without a huge increase in complexity. With a simple tree structure, it's pretty much a binary - either you're trusted or you're not, but it places all the control at the top. Without it, you need to manage who you trust, those that want to get trusted has to get many signatures that others trust them and everybody has to deal with all sorts of partial trust through unauthoritative peers. It's been tried with PGP email and the results are:

1) People want an oracle, not trust management
2) People don't understand how it works
3) People think it's too much work

People ask "is this the real owner of thepiratebay.org" and want an oracle to say YES/NO. If I was to suggest a better way, you should get a SSL certificate free with the domain name, signed through the DNS hierarchy. Site root signs the TLDs, the TLDs sign domains ans the domains sign the subdomains. So slashdot would get a certificate from .org, and could sign their own for yro.slashdot.org. It wouldn't been any certificate of who the fuck that is, only that you're talking to the right host and not some funny man-in-the-middle.

Re:A broader lesson

[HeroreV]

why not HTTP as well? With the current way things are done, that would require millions of costly security certificates, to ensure that the public keys you're getting are really from the people you think they're from. We're talking about enormous amounts of money.

Re:A broader lesson

[Kjella]

If you look at the postal system, people have been using security envelopes or at least sealed envelopes since pretty much the beginning. All I need for an envelope is an address - I'm not in any way guaranteed who'll open it. The mailman could just rip it open and read it if he wanted to as easily as the intended recipient. The thing that's annoying about encryption is that you have to exchange public keys, it's more iike sending a safe that needs a key than an envelope. Exchanging that key in a safe way is really very annoying, since it usually means using some out of band method. It's what you have to do as you can't tell read bits from unread bits, but it's not nearly as simple as using an envelope.

Re:A broader lesson

[NormalVisual]

Quite a while, I'd hope - pretty much all of the court cases that I've read about that touched on the subject ended up treating it as a Fifth Amendment situation, with the end result being that you can't be forced to divulge the passphrases to your keys. I don't know whether any of those cases form precident though.

Re:A broader lesson

[tsotha]

In addition to what others have posted, I'd like to point out nontrivial encryption/decryption takes a fair amount of computing horsepower. For a modern processor it's an afterthought, but if they had included encryption in ARPANET the project would have died in the lab for lack of system owners willing to connect.

Re:A broader lesson

Here in the UK you can already get locked up for failing to hand over encryption keys upon request.

I was wondering though... couldn't you setup a script on a linux server to regenerate keys on a regular basis? You can only hand over the latest set of keys then and I believe there is currently no law requiring you to archive/keep keys.

Re:A broader lesson

[jc42]

... as I understand it security was outside of the scope of networking technology when it was first created. ARPANET was created in order to facilitate information sharing, and it started out quite small. Encryption at that point would've been counterproductive. ...

Well, yes and no. Note that the ARPAnet project was funded by the US Dept of Defense. There were security experts around from the beginning. But it was well understood back in the 1960s that building the security into the low-level networking code was a bad engineering design. Everyone involved pretty much understood that you got (data) security by end-to-end encryption, and doing encryption at any level below the user app was simply a waste of cpu cycles. So the network-level design goal was reliable transport on unreliable ("battlefield") hardware. The design meant that the people working on the network layer could concentrate without distraction on the job of getting the bits reproduced accurately at the other end.

The primary argument against low-level encryption has always been the same: The two endpoints have no reliable knowledge of or control over most of the data path. The history of encryption is full of stories about someone cracking someone else's encryption and reading their messages for a long time before they were found out. We must assume this can happen with any encryption scheme. This means that if a low-level link in the middle of a data path is decrypted (or even intercepted), the endpoints generally have no way of knowing it has happened, and also have no way of changing that link's encryption scheme. Low-level encnryption is thus only usable if you control every piece of hardware in the data path. This requirement would totally eliminate the wide-area networking that ARPA was trying to achieve. So if the ARPAnet was to meet its design goals, encryption of low-level data links was a pointless waste of cpu time.

End-to-end encryption at the application layer, however, is totally under the control of the endpoints. It can be changed at any time, for any reason. It eliminates dependence on the security of the low-level links that aren't controlled by the entpoints.

And there's a reasonable argument that end-to-end encryption increases security: It means that the data packets can be scattered across many different data paths, making it difficult for anyone to intercept all of the packets for a given conversation. Previous secure communication required tight control of the data path, and usually meant that there was a single data path for a given conversation. This is easy to intercept and either block or subvert, giving a copy of the conversation to an enemy. But if your packets are sprayed across all the available paths, interception and packet collection become nearly impossible.

This is, of course, a very loose, off-the-cuff summary. But it's easy enough to find the early ARPAnet docs in various Internet archives, where you can easily spent far too much time learning about the subject.

Re:A broader lesson

[CastrTroy]

As far as email encryption goes. PGP is pretty much the defacto standard. I'm sure there are some other methods, but PGP seems to be the way it's done in most cases. I wouldn't be hard for the mail client, outlook or otherwise to completely automate the system. Key exchange would be a little difficult, but not so much. You could either meet someone in person to exchange public keys, or get their public key from somebody else who already has it, who you already trust and share keys with.

Re:A broader lesson

[nine-times]

That doesn't seem like a very good reason to me. What I mean is, that's a good reason why you wouldn't have everything encrypted at the outset, but that's not a good reason not to build out the protocols/infrastructure with the option of security/encryption in mind. Because even in cases where encryption is computationally too expensive for every transaction, you might still want to offer the option of encryption for for cases where encryption is worth the expense.

I guess it just seems a bit like the Y2K bug-- sure, it probably made sense at the time, but in hindsight it wasn't the best decision. Even now, secure protocols can seem like a bit of an add-on hack instead of an integrated part of the system. FTP is a pretty good example, IMO. FTP is awful security-wise, and FTP with TLS/SSL can be a bit of a PITA. SFTP looks to be a good solution, but ends up having its own headaches. You generally either have to give people remote shell access or go through extra steps to disable the normal shell and jail the user. I guess OpenSSH is now trying to address the issue, but it's still not particularly straight-forward, IMO. Also, SSH keys have none of the benefits that SSL certs have, e.g. identity verification or the ability to transparently revoke keys and issue new ones.

Re:A broader lesson

[CastrTroy]

Don't blame the government because they tap phones without a court order either. Normal phone calls are made in the clear. You just have to get on the actual wire carrying the call between the two recipients. Yet nobody thinks it's ok for the government to snoop on their phone calls. I don't see why the same shouldn't be true for email. Sure you should take responsibility and just encrypt your email. But that doesn't give the government the right to snoop in on your email.

Re:A broader lesson

[devman]

I disagree, email clients have native support for S/MIME and signed PKI certificates. Conversely, most clients do not have native support for PGP, though you can get it through plug-ins (Thunderbird).

Certainly you can get a email signing cert from Verisign by paying for it (It's very inexpensive and integrates well with most email clients). You can also generate your own key pair and get it signed by Thawte (so long as you complete there "Web of Trust" requirements), if you are worried Verisign might keep a copy of your private key (they don't).

The problem with the whole system is that while only you need a PKI cert to sign an email (recipients client will auto verify it), but in order to encrypt an email your recipient must have a PKI cert and you must have there public key. That means both parties must care enough to encrypt email. This is where the envelope analogy breaks down, because to receive a sealed envelope in the mail I don't have to do anything.

Re:A broader lesson

[Vectronic]

"All I need for an envelope is an address..."

And, the cost of the envelope, the time placing the letter inside the envelope and closing the envelope, paying for and putting the stamp on it, and the time it takes to write/print the address (and the return address)

Although the whole mail analogy works fairly well, comparing envelopes to encryption isn't, something like the Enigma Machine would be better, the envelope is simply the "packet" the data is contained in, there are certain things you can find out from it, like sender/receiver, time, and where its been so far, you can look into an envelope without taring it open, and you can look into a packet without destroying it, you can open an envelope attempt to read its contents, put it in a new envelope, and the chances are no one would notice unless it was a special envelope, and same with a packet.

However, if its encrypted, it doesn't matter if its looked at or opened for snail mail, or packets, the information either still gets transmitted (albeit with a delay if an attempt was made), or gets confiscated (data has to be re-sent), either way the data is safe, just delayed.

And yes I know the Enigma machine was eventually "hacked" but, SSL can be "hacked" aswell given enough time.

"...but it's not nearly as simple as using an envelope."

And considering an envelope secure, is about the same as saying "I switched to port 5678, therefore its secure", or "from UDP to TCP"... or in mail, "I used a different mail carrier/truck"... or "I changed to overnight delivery instead of 3 day"...

Meh, I just woke up...

Re:A broader lesson

[devman]

Unfortunately you need some kind of certifying authority to verify keys in a key-exchange between third-parties who know nothing about each other. As you said you can always generate your own SSL cert and sign it yourself, but it will be an untrusted signature, and rightfully so.

Re:A broader lesson

[rubypossum]

Ok, but, nobody has written an easy way to do this! Thunderbird (for example) has no easy, seamless and simple way to do this (and certainly no way that is built in.) Blaming Outlook is a cheap cop-out.

Most business email is a matter of public record anyway. MS has very little reason to push these features. Particularly when the hard-core users don't even care enough to write the features for OSS clients.

It really is kind of sad, since people are sending postcards to everyone and do not know they're doing it.

Re:A broader lesson

[CastrTroy]

I think this is where the envelope analogy breaks down. Envelopes aren't secure in any way shape or form. Sending a letter is an envelope is like sending an email with the important data in an attached zip file. You can't see the contents of either the zipped email, or the letter in the envelope in proper processing methods. However, either is extremely easy to circumvent. Anybody who delivers the mail could easily open the letter, and read it, and pretend it got lost. Or just put it in a new envelope. If you were interested in the mail enough, it wouldn't be hard to create a fake envelope, so you could reseal the original letter, and deliver it. How many letters fail to reach their destination. Would you know if it was truly lost, or was it intercepted and opened by the government. There isn't really a way of knowing. I don't really know if there is a postal mail equivalent of sending an encrypted email. Unless you encrypt the letter itself. Which still presents you with the same set of problems as the encrypted email problem. Except that you have the added problem of actually decrypting the letter when you receive it. Something that can be automated with email.

Re:A broader lesson

Generally speaking no. Not the post office employees. Customs on the other hand, have the right to open parcels though - if they have reason to suspect it contains some sort of contraband, or something you should pay duty on.

Re:A broader lesson

[L4t3r4lu5]

I was wondering about the 'Right to Silence' regarding this particular law, and came across this website.

Briefly, it states that under sections 34-37 of the Criminal Justice and Public Order Act 1994, you would, by not disclosing information to unlock encrypted files, risk adverse inferences being drawn from that silence.

I guess you can have your cake, and eat it, but don't expect it to taste great or not poison you.

Regarding the parent, you ask about automatic regeneration of keys. IANAL, but I would have thought that the reason why you can't supply the key is irrelevant; That seems to be the way these laws are written these days.

Re:A broader lesson

[fluch]

It is sometimes astonishing how little effort people want to put into learning something new. Even if you would give them a hands on lesson which would not take longer than 30 minutes! "It is sooooo complicated!" is equivalent to not more than "I did hear a new word!".

Encrytion is not in every circumstance easy to set up, but for example Thunderbird together with EnigMail... just plain easy to use and doesn't take a long time to teach. It is simple to create a key, to distribute the key by mail or upload it to a key server, it is easy to encrypt or decrypt a message and so on. When I see my parents again I will teach my mother how to send me encrypted mails ... and I will succeed! :-)

Re:A broader lesson

[aliquis]

Yeah, because everyone wants their address, passwords, orders, partnership deals, job applications, so on so on in the open?

Of course there is a reason, it's just that it's to hard to understand and handle for the typical Microsoft user.

Re:A broader lesson

[aliquis]

... if USA was the whole world.

Re:A broader lesson

[aliquis]

What say they won't filter the things they can read and ignore the rest?

Re:A broader lesson

[ultranova]

If it's important or private, use a security envelope or encryption. Otherwise, don't complain when someone reads it.

If it's important or private, meet with the other guy face to face in a crowded and noisy place. That way there is nothing to read.

Re:A broader lesson

[ultranova]

I'm not a security expert, but I get the sense someone needs to go back to square one and figure out how to build a coherent, open, and secure model for networking that doesn't rely on giving such control to a small number of companies.

Well, an obvious fix would be to bundle each domain with a certificate for said domain - that is, have ICANN handle the whole certification thing. In fact you could propably adapt the DNS system to grab the current certificate fingerprint for a site along with the IP address; that should solve the problems with time-based revokes.

Re:A broader lesson

[mrchaotica]

Encrytion is not in every circumstance easy to set up, but for example Thunderbird together with EnigMail... just plain easy to use and doesn't take a long time to teach.

I actually just set that up (literally -- I created my key immediately before typing this), and I think it could be easier. Namely, after installing EnigMail in Thunderbird, it didn't immediately work. Why was this? Because I needed to install GnuPG separately, which was not mentioned in the "how to install in Thunderbird" steps on EnigMail's Thunderbird addon page. Either it ought to be added to that list, or (better yet) GnuPG itself ought to be somehow included in the EnigMail installer itself.

Re:A broader lesson

[houghi]

getting people to use e-mail encryption requires some serious additional effort, which most people aren't willing to put in.

That is where we geeks come in and make it automated and default on both the sender and the reciever side.

The second part might be the hardest.

I asume it should be done in steps. First add the gpg signature by default. Later do the encryption by default.

The problem is that nobody realy cares.

Re:A broader lesson

[aliquis]

I know, but by 1997 all its users wasn't american so what was the problem for us?

Re:A broader lesson

[I+cant+believe+its+n]

Dont blame the government for buying supercomputers using a percentage of your hard earned money to ensure they can listen in on your private conversations.

Or perhaps you should blame them and make listening in really hard?

Re:A broader lesson

[jroysdon]

Enigmail is an OSS plugin for Thurderbird that gives GPG/PGP support.

Firefox and IE also don't have built-in Flash or Java support, but we all fix that within the first 5 minutes of an install, right? Email encryption should be no different.

The hardest problem I find is getting people to maintain their keys and a real trusted way to exchange keys w/o man-in-the-middle attacks.

Just putting your key in pgp.mit.edu or on your homepage doesn't prevent man-in-the-middle attacks any more than an SSL cert not signed by a CA that your browser already trusts is worth anything (again, unless you securely download that self-issued SSL key).

Re:A broader lesson

[irc.goatse.cx+troll]

That would be nice, as you could still have all the autheticity you have now by getting that same cert signed by multiple authorities, and even get away with things like specific authorities for specific things and not have it nearly as complex as it is now. For example your govt's banking oversight group could verify and sign all your banks certificates, and if you didnt see their name/icon/whatever you'd know bankofamerika.com was not legit.

Would just need a secure enough way to get those certs to the end user, but thats what happens now (answer: ship the devices or operating systems with them)

Re:A broader lesson

[DigitAl56K]

PGP is the worst mechanism for e-mail encryption. Sure, it might be strong and mature, but it is an absolute pain the the ass to use, PGP Corporation charges an arm and a leg for it, and GPG is a mess - trying to find all the bits and pieces you need installed, configured, and working well with a clearly make-shift UI that is *not* easy to use is beyond most people.

Re:A broader lesson

[yabos]

S/MIME is built into every email client I can think of. PGP is NOT built into about every email client I can think of. I use S/MIME and getting certs is a little cumbersome but easier than having to install PGP on every computer you want to send encrypted stuff to.

Re:A broader lesson

[Brian+Gordon]

..well if you have the internet, then swapping public keys before encrypting and transferring is hardly out-of-band. And this is talking about SSL encryption to the tracker!! not between peers, which is already done by utorrent encryption support.

Re:A broader lesson

[Mista2]

Mail me your public PGP key and all my reply mail to you will be encrypted. It is staggeringly easy to do. Only mailing people using outlook and windows where it is not pre installed is a problem 8)

Re:A broader lesson

[Mista2]

No, they just wanted to make sure nobody in those dang forren countries could use their "superior" encryption schemes, even though most of the best work has been done outside the US. 8)

Re:A broader lesson

[drinkypoo]

It's about time. If you look at the postal system, people have been using security envelopes or at least sealed envelopes since pretty much the beginning.

Envelopes are regularly opened.

Considering a piece of postal mail to be secure is quite simply ignorant.

There are many methods of inspecting mail, of which opening it is only one. In fact there are numerous means of scanning mail without opening it (one of the easier methods involves using a visible laser) and any message which is not encrypted might as well be written on a postcard. Every piece of mail is externally scanned and OCR'd as a routine means of delivery, so it is trivial to find out which mail they would like to inspect in more detail. (Your email headers are always inspected as a matter of course if they travel over the open internet, as well.)

Re:A broader lesson

[drinkypoo]

Now, I understand that I am not "most people" but just for laughs I installed and tested enigmail on both windows and linux and found it to be actually quite simple (as in, works-as-advertised) on both platforms. Has the situation become substantially more complicated since enigmail was new?

Re:A broader lesson

[jc42]

Yet nobody thinks it's ok for the government to snoop on their phone calls.

Hmmm ... I seem to recall that the US Congress just voted (about 2:1) that warrantless wiretapping is just fine, and despite the laws against it, your phone company can't be prosecuted for assisting the government in such acts.

And I don't hear much of a popular outcry against this from the American population.

Of course, those with a clue have understood that this has been going on for decades. The only real difference is that now they're doing it openly, and thumbing their noses at the few people who think it's wrong.

Re:A broader lesson

[Samah]

Whoops... and here I am encoding all my emails in ROT26... oh crap, they're here...
brb jail

Re:A broader lesson

[generica1]

3. ????
4. Profit!

Re:A broader lesson

[DigitAl56K]

I'm sure enigmail is lovely if everyone you want to talk to uses Thunderbird or Seamonkey.

Re:A broader lesson

[stonertom]

why not HTTP as well? Have you ever found non-dedicated hosting that supports HTTPS?

Re:A broader lesson

[mpe]

1. The law is useless to solve the problem it's marketed as the solution to.

Not as bad as it could be then. Some laws are actually part of the problem they are marketed as being solutions to...

Re:A broader lesson

[CastrTroy]

The point is, is that it doesn't have to be any more complicated than using Enigmail. There's nothing inherently difficult about using PGP/GPG. The problem is that the #1 mail client in the world doesn't deal well with it. Most people like webmail, because it means they can have their email with them anywhere. I would argue that PortableThunderbird on a USB stick would accomplish exactly the same thing. While making it quite easy to accomodate the use of encryption keys. It would also have the added advantage of being able to read your email while not connected to the internet.

Re:A broader lesson

[nine-times]

But what's the advantage of getting a cert issued by someone whose root certificate isn't in browsers, vs. just generating my own?

Re:A broader lesson

[drinkypoo]

I'm sure enigmail is lovely if everyone you want to talk to uses Thunderbird or Seamonkey.

If they're not using web mail, they pretty much do.

You really think anyone I want to talk to uses Outlook Express, or Eudora? Maybe they use pmail? I mean, I'm known far and wide (no, really) as an elitist wank.

Regardless, there are solutions for tying PGP/GPG into other mail clients. It's not my fault that Thunderbird has the best one.

Re:A broader lesson

[steelfood]

Just pick a standard and run with it. Every other "standard" can be supported, and the client can be configured to use it instead of the default, but start with one as the default to use when sending mail.

Re:A broader lesson

[tinkerghost]

Yeah, it seems to me that it was an oversight that networking wasn't encrypted in the first place. When lots of these protocols were being developed, security didn't seem to be much of a consideration.

Um, when most of these protocols were being developed, computers with 8 bit processors and KiloBytes of memory were a pipedream. My $14 disposable cell phone has more processing power than the launch center for the Apollo space missions.

Encryption wasn't included in the protocols because:

1. yes security wasn't a major concern
2. encryption wasn't a practical option for any but the most important transfers, and a tape by classified currier would have been faster than encrypting & decrypting them anyway.

Re:A broader lesson

[Abcd1234]

Because any crypto available from that time is trivially crackable today

Bah, that's just silly. Sure, some cryptographic algorithms of yesterday are crackable today. But the underlying methods that those algorithms (eg, the mechanics of the Diffie-Hellman key exchange, etc) have been well understood for a very long time. Which is why, if you look at, say, IPSEC or TLS, what you have is a framework for establishing a secure connection, along with mechanisms for negotiating capabilities. This allows you to phase out old algorithms or introduce new ones as the technologies change. But the actual mechanics of establishing an IPSEC or TLS tunnel remain the same, because those mechanics are perfectly sound.

Re:A broader lesson

[dfaulken]

If this is an issue, and people are interested in increasing security, then perhaps there could be a viable business in providing this. On the other hand, if you're really concerned about security, is non-dedicated hosting really such a great idea?

Re:A broader lesson

[jalefkowit]

Yeah, it seems to me that it was an oversight that networking wasn't encrypted in the first place. When lots of these protocols were being developed, security didn't seem to be much of a consideration.

When the protocols were being developed, CPU cycles were very expensive.

Encryption is an application that requires a lot of CPU cycles.

Today CPU cycles are trivially cheap, so we can casually think of things like encrypting all network traffic on the fly. But that wouldn't have been practical until relatively recently.

Problem with laws?

Don't like the law? Open source the government.

Re:Problem with laws?

[tompaulco]

It seems to me that the U.S. government is already set up in something of an open source arrangement. Certainly it is not as open as wikipedia, there are checks and balances, thankfully, lest Joe Bumpkin decide that he need to write a law to let him have sex with his sheep. Of course, as you go higher up, the laws get harder for an individual to influence, but you would be amazed at how much influence you can have locally if you decide to get involved in the government instead of just muttering about those fools in city hall. I guarantee that most any city has vacancies on any number of committees, and they are not very choosy when it comes to volunteers. Everybody likes to talk about the government as "them", but "them" is just "us" that decided to get involved. Look at the candidates for president: Obama and McCain are not from some socially elite family. They are just people who rose through the ranks. So was Hillary. Yes, Bush had connections, but looking at history, less than 1/4 of our presidents were from nationally known families.

About time

[nurb432]

Lets hope this is just the beginning.

*everything* should be encrypted by default, and no unencrypted connections should be offered.

I don't care that i'm doing nothing wrong, its no ones business.

ya, there is a performance hit, but thats just part of the deal to have your communications remain private.

Re:About time

[You+ain't+seen+me!]

*everything* should be encrypted by default, and no unencrypted connections should be offered.
If you were to start using unlimited encrypted connections here within the UK, I guess the thought-police will immediately assume you to be a terrorist and bang you up for 42 days.

Re:About time

[Rhabarber]

Lets hope this is just the beginning.

*everything* should be encrypted by default,

YES and YES, I second that.

I always hated that https://slashdot.org just forwards to http://slashdot.org./

I think it would be defenitely enough if my boss/sysadmin knew WHERE I'm surfing most time of the day.
Why do they need to be able to read every single comment directly off the wire as it passes by?

Ah, and don't tell me to use TOR. I tried it. Reading sucks because it is THAT slow.
And posting doesn't work (you probably blacklist exit node IPs to get rid of spammers, don't you, /. ?).

Re:About time

I always hated that https://slashdot.org/ just forwards to http://slashdot.org./

If you're a subscriber it works (though it's been a few years since I've been one, so I might be talking out of my arse with regards to the current setup, here).

Re:About time

[jroysdon]

But how many places do you sign in at which don't offer SSL? Typically the cost is too high and there is little need to offer it. Unless money is involved, there usually isn't money to be spent developing it.

Slashdot doesn't offer it, but then slashdot is free. You'll find many things that are free aren't going to spend money to add cost if there is no one asking for it.

I email with tons of geeks. I've got GPG keys, but no one ever uses them. The only folks that do use encryption with me is my brother and my Wife.

But then we all know all of our phone calls are getting listened to for "keywords" (or because we manage to get on someone's "list"), and how many folks are encrypting that? Cost is too high, and no one wants to spend anything for it, and really, no one is asking for it.

Re:About time

[mollymoo]

I'm looking for a job. £42000 for 42 days (you get £3k a day for the last 14 days if not convicted) would make it by a good margin the best contract job I'd ever had. Being interrogated by MI5 for six weeks surely can't be as mentally damaging as fixing some jerk's shoddy PHP.

Re:About time

[You+ain't+seen+me!]

Yes, I thought about that - but how do you spin it out for 42 days, and then get a new contract on release.

And of course first you've got to get arreste... Oh bugger! they're breaking down my door - I know I should have posted anonymously.

BTW The PHP I write isn't even as good as shoddy :)

Re:About time

[rootooftheworld]

performance hit? todays cheapest computer could be classified, for its intents and purposes, overdesigned, and thats with windows in mind. With linux an' the *BSDs, its spare CPU cycles galore. (Except ubuntu, they should rename it Linux Vista(r).) In conclusion, preach it brother!

Re:About time

[tmosley]

*everything* should be encrypted by default, and no unencrypted connections should be offered. If you were to start using unlimited encrypted connections here within the UK, I guess the thought-police will immediately assume you to be a terrorist and bang you up for 42 days. In a federal pound-me-in-the-ass terrorist detention facility?

Circumventing the law

[nurb432]

Since they are publicly announcing they are using SSL to circumvent a law as its primary goal, can they be held personally liable?

Re:Circumventing the law

[endemoniada]

The law says that the government has the right to listen, nowhere does it demand that everyone speaks loud enough to be heard. We still have every right to encrypt everything we want, and newspapers/tabloids here in Sweden have already been running articles like "5 ways to not get wiretapped" and guides on encryption techniques.

Re:Circumventing the law

[thermian]

No. If they were, then any shopping, banking or other website that used encryption to protect its customers would be too.

Re:Circumventing the law

[nurb432]

The stated intent is different. The bank doesn't say ' we are doing this to circumvent the law'..

Personally i don't have a problem with with what they are doing, but if i ran around "im going to do xyz to circumvent a law" i bet i get arrested.

Re:Circumventing the law

[just_a_monkey]

We still have every right to encrypt everything we want

The key word here being "still".

Re:Circumventing the law

[fluch]

Which law is the Piratebay trying to circumvent? The people in Sweeden which are running the Piratebay are not breaking Sweedish law as far as I know. And enabling SSL is also not against any law there as far as I know.

Re:Circumventing the law

[JamesTRexx]

Circumventing a law isn't illegal, breaking it is.

Re:Circumventing the law

[devman]

I would mod you up, but you are already at max. This is true on so many levels. Governments have been spying on us for years, and laws or lack thereof are not going to stop that. There is no reason to think that any actions you perform on the internet will be private unless you make them so. The internet is a very public place. Until there are laws preventing us from protecting our privacy, there isn't much of a problem. The burden is on you the USER to protect yourself, you shouldn't be trusting other "not to look".

Re:Circumventing the law

[aliquis]

Circumventing what? It's not illegal with encryption in Sweden.

And if it was I'd still use it.

Re:Circumventing the law

[aliquis]

I'd like to say that it would be a cold day in hell before they could forbid / do something that stupid, but then again people have already accepted the current version and I don't really see the difference.

Anyway same issue as with all stupid laws would exist for it, that is people wouldn't respect and follow it.

And considering our small army I guess the government will have a hard time defending themself if they behave to bad against the people ;D

Re:Circumventing the law

[Richard+W.M.+Jones]

you shouldn't be trusting other "not to look".

That's right -- It might not even be the government. Could be your neighbour hopping onto your wifi, or the sysadmin at your local ISP looking to blackmail you.

Rich.

Re:Circumventing the law

[init100]

The people in Sweeden which are running the Piratebay are not breaking Sweedish law as far as I know.

That remains to be seen. I would hold off on making any such statements until the court case is concluded.

Re:Circumventing the law

[I+cant+believe+its+n]

They are not trying to circumvent any law. I think TPB are just taking preventive meassures to ensure the privacy of their users, just in case FRA decides to share some information with the music/film industry.

No, there are no laws in Sweden against encryption yet and I have not heard of any making their way through parliament.

Copyright issues != terrorism

[frdmfghtr]

" Although copyright issues really have little to do with national security... "

Try telling that to the US Gov't.

Re:Copyright issues != terrorism

[Eudial]

" Although copyright issues really have little to do with national security... "

Try telling that to the US Gov't.

You're getting the lawmaker newspeak confused. Smoking pot is terrorism, piracy is the same as child pornography and paedophilia.

Re:Copyright issues != terrorism

[mini+me]

Do you think terrorists plot their next attack in silence? No, they listen to their favourite Metallica songs downloaded from a P2P networking program. Ergo, copyright infringement = terrorism.

Re:Copyright issues != terrorism

[Mista2]

I thought you new big madia already owned the government, so it is in their interests to protect their copyright. Hence national security.

Re:Copyright issues != terrorism

[rootooftheworld]

BS!! they listen to rap! Ergo, rap = terrorism at least that seems the explanation to me.

Re:Copyright issues != terrorism

[tmosley]

Luckily, they aren't able to decrypt sarcasm yet.

Re:minimal security?

[laederkeps]

The SSL encryption would presumably only be between you and the Pirate Bay web server\tracker. This would prevent the RIAA from seeing what you download from them (20kB .torrent files, tracker data while seeding\leeching), but the actual files you swap via the bittorrent protocol are not further secured by this.
There are encyption options for that too, but what the Pirate Bay folks are announcing here does not affect how you communicate with other peers (Which, presumably, is what the *AAs are busting you for)

Did anyone expect anything else?

[Opportunist]

Now duh. You spy on me, I counter with encryption. No, really? Who would have thought?

Now, let's assume for a moment that those laws are actually enacted to counter terrorism, as they allegedly are. Now, we see how companies and organisations act who are (allegedly) no target for those laws, and behold, they can very easily avoid being affected by the laws.

Question for 500: Are terrorists affected?

Re:Did anyone expect anything else?

[Digital+End]

Well lets see... if I was a terrorist I would *gasp* encrypt my data?

But wait, I'm sure that any decent criminal organization would do that... so... wait who's the law supposed to effect? It would only really help with people who DON'T encrypt their data.

Wonder what the largest group of people who send non-encrypted data are.

Re:Did anyone expect anything else?

[soilheart]

But some encryption can be broken.

Especially if you have the the eleventh fastest computer in the world (and yes, I've heard that just that computer was bought for reasons like this new law)

Re:Did anyone expect anything else?

[Opportunist]

Just increase the key size. The time encrypting/decrypting takes increases minimally, the time to break it multiplies.

It's trivial to increase the key size enough to render any computer pitted against it useless.

Re:Did anyone expect anything else?

[uffe_nordholm]

Precisely. Encryption/cracking is just another arms race.

Although the algorith is known to my enemies, my secret is safe as long as they don't have the key with which it is encrypted. They can get a computer to try all possible combinations though (called brute force attack).

My defence against this is to increase the key length so much that all th computers in the wolrd working together would take longer than the age of the universe to test all possible keys.

If 'the enemy' can brute-force an encryption key that is (say) 1024 bits long, I can increase the key length by any number of bits. Each aditional bit will double the length of time needed to test every single possible combination. Adding 10 bits would multiply the time by one thousand, twenty bits would make the time needed one million times longer. Another thousand bits and 'the enemy' can forget about it: the universe is not going to exist long enough for them to crack my encrypted message with brute force atacks, no matter how many computers they use.

Please note that the above only applies to cracking my encrypted message with brute force. I f 'the enemy' is willing to do it they might get a better resutl grabbing me and putting a gun to my head. Or they might try some other method at cracking the encryption.

Re:Did anyone expect anything else?

[Opportunist]

Trying the gunpoint approach could be interesting when everything's done in a computer program that keeps changing the key used (using the encrypted connection to exchange new keys) without even telling you what keys it uses.

You may be able to make people talk, but if they don't know what to say, you're still where you started.

Re:Did anyone expect anything else?

[Digital+End]

at some point the search for the key has to become less then approaching it from another angle... say 'alright, the front door is locked, how hard is it to build another door'

I know very little about encryption, but there has to be something other then that single way to decrypt it.

Re:Did anyone expect anything else?

[verbatim_verbose]

I know very little about encryption, but there has to be something other than that single way to decrypt it. Sometimes weaknesses are found that reduce the computation required to break particular algorithms. However, if you can't find any flaws in the algorithm, breaking that single key is pretty much all you've got.

Re:Did anyone expect anything else?

[init100]

If 'the enemy' can brute-force an encryption key that is (say) 1024 bits long, I can increase the key length by any number of bits. Each aditional bit will double the length of time needed to test every single possible combination.

Actually, that is only true for encryption systems where the key could be any combination of bits of the given length, such as AES. For other systems, such as RSA, every possible combination is not a valid key, as far from every combination is a number composed of two prime factors. Adding one bit to the key length may not double the size of the keyspace.

I'd say that to get comparable security with RSA compared to AES, you would need a key at least ten times the size, probably more.

Re:Did anyone expect anything else?

[Opportunist]

How about storing it in Ram?

Yes, you better have some backup battery running, but usually, the first thing our police force does when they seize computer equipment is to turn it off.

Re:Did anyone expect anything else?

[Mista2]

I want to encrypt my cell phone text messages too. The are sent in the clear over radio and stored by the cell provider for as long as they want. To make it work though secure SMS must be pervasive enough to get the phone makers to ad it to the phones.

Re:Did anyone expect anything else?

[elucido]

Well lets see... if I was a terrorist I would *gasp* encrypt my data?

But wait, I'm sure that any decent criminal organization would do that... so... wait who's the law supposed to effect? It would only really help with people who DON'T encrypt their data.

Wonder what the largest group of people who send non-encrypted data are.

I doubt the terrorists would be using modern computer systems at all. If you hate the west and everything it stands for, why would you trust western technology? Terrorists probably are using encrypted radio, which would have more military function than email. I just can't imagine Bin Laden or any of these IED building suicide bomber types, using the internet for anything other than releasing videos etc.

And video transmissions present a completely different problem from email, because even if we watch the videos we might not understand or see the signals.

Re:minimal security?

[Entropius]

Because this lot can still connect to the tracker and read off the IP addresses of other people in the swarm.

This week?

[soilheart]

Why would they implement it this week? The new law in Sweden doesn't apply until jan 2009...
Suddenly thinking of everyone else who want encryption to TPB around the world?

Re:minimal security?

[laederkeps]

The question was not concerning what the *AA can or cannot do, but rather how the SSL encryption put in place by the Pirate Bay folks would constitute a "minimal" security increase for users not in sweden.
My post was intended to explain just how this added SSL encryption would help you, the scurvy sea dog, protect yourself against eavesdropping agents of different sorts, and more importantly how it would not.
If you read it again a few times before mouthing off, you'll see that I never said the *AA is looking at your HTTP data, but rather that they (hopefully) base their litigations and such on what you share with your peers in the swarm (the allegedly illegal stuff).
It would, however, not be a far cry to assume that the US government in one way or another (Say, NSA?) is looking at what you do, and as far as I understand, they get payed to look for pirates as well (Who buys your laws?) as "terrorists" and the like. SSL encryption of TPB web servers would mean that they can see whom you are talking to (The Pirate Bay) but not what you are talking about.

And all other x countries that does wiretapping?

Sweden is probably one of the last countries in western world to introduce such a wiretapping law. Other countries are probably not as public about it though.

Think USA, UK, Australia and New Zealand which all members of the Echelon "community" of surveillance. France, Germany, Norway and others also have similar massive internet wiretapping in place.

Regardless where you live, you'll probably want SSL for whatever you do. How many actually uses PGP for their e-mails?

Re:And all other x countries that does wiretapping

[ettlz]

How many actually uses PGP for their e-mails?

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.7 (GNU/Linux)

hIwDupFG1SObtBMBBACAyUZAEDruQO9RlkZ5aGkGYRxv2oxqKdTgg0Glo1ZJk/nF
YS2HUhpzP7r3sVjTQ5h4RDRxUKOGllrFappta3kOfVU7KAS6HSrhmZ3IRU0VJvQP
LTusUO8cVjmon4YB44sMeUksLB/g7Ylm3LuF9abAd8yXH4lNn1OzgExAVtTbf8kf
IS4qtvlxiltgtqYqGw1N8JbFREuKrfyepkKshNxV3w==
=+MLj
-----END PGP MESSAGE-----

A firefox plugin?

[anilg]

I've been thinking about this. Gmail provides a https interface, but i've seen people just type in gmail.com and be done with it (the session then uses http)

So my idea of a firefox plugin would be one that automatically tries for a 'https' version of any site (or lookup a list for it) and move to that if it exists.

Problem

[arthurpaliden]

If you start encrypting all your traffic then will the govenments just have any data the cannot decrypt directed to /dev/null instead of letting pass through.

The gvmts legislating themselves out of options

[mlwmohawk]

As more and more wiretapping laws and eavesdropping systems come on line, the more and more the technology movers will make it impossible.

Every last thing is going to be encrypted, IM, web, email, etc. The more of this crap they pull, the more they will be unable to do. If they break the encryption, we'll make it better.

Re:The gvmts legislating themselves out of options

Do you really believe the government won't make encryption itself illegal? Sooner or later what you say WILL happen - everything will be encrypted.

That's when the government will step in under the guise of protecting our children and defending us from terrorists. It's only a matter of time.

Re:The gvmts legislating themselves out of options

[mlwmohawk]

Do you really believe the government won't make encryption itself illegal?

Seriously, of course they would try, but there are too many big money interests that *need* the security of encryption. When you think of finance, e-commerce, banking, etc. there's no way they can put the genie back in the bottle.

Power is about greed, and the greedy want money, and making encryption affects the bottom line. Governments are run by greedy people. The one thing greedy people want more than power and control is money.

Doesn't really matter at all

[ymgve]

So, they get SSL on their site. That doesn't do anything to hide the fact that you were visiting The Pirate Bay, only what you did when there.

Depending on the circumstances, that visit might be enough probable cause for "further investigation", even if you just hit their front page.

Possible to do 1-sided envelope

[Mathinker]

You have hit the nail on the head that envelopes are not secure, yet they do succeed in making it much harder for the government to scan all of the mail sent in envelopes for keywords.

This actually means that it's relatively easy to gain security for your email which is analogous to that of putting mail in an envelope, and in a one-sided fashion (the recipient does not need to do anything special). Merely send the important data in an encrypted attachment, with the key "encoded" in the plaintext of the email (obscure the key in a way similar to how Slashdot sometimes obscures email addresses, but not in an automatic fashion).

Example:

The 9-letter key for the attachment is the name of country you live in but with the second letter capitalized instead of the first letter.

... Self-extracting attachment encrypted with key "aRgentina" ....

This is of course totally insecure against a person trying to read your email, but would defend your mail from automatic scanning. Exactly what a postal envelope does!

Better late than never....

[ArIck]

Whereas most of seasonal users have moved to private torrent sites, it is better late than never for those casual downloaders who still havent heard of private sites!

Re:Better late than never....

[Slashcrap]

Whereas most of seasonal users have moved to private torrent sites, it is better late than never for those casual downloaders who still havent heard of private sites! And the best thing about the private sites is that anyone can join!

https://slashdot.org

[ichigo+2.0]

So, when will slashdot be offering SSL encryption? Most of us don't post anything that anyone would want to snoop on, but better safe than sorry.

By encrypting this message...

[Admiral+Justin]

You are denying the RIAA, the MPAA, and Metallica the right to see if you have infringing content, (I.E. lyrics, movie plots, bad reviews). This is in violation of the CANSPY Act of 2009, allowing anyone to see anything they want, if they pay Congress. Please proceed to the nearest prison.

"additional security to outside users = minimal?"

[pantaluna]

I have a question about this part of the article: "The Pirate Bay and its servers are not hosted in Sweden, the additional security offered to outside users could be comparatively minimal." As not being a techy savvy person, why would the "additional security" be less secure to "outside users", with "outside users" I suppose the article refers to users outside of Sweden? Thanks for your answer.

Bullshit: you could allow for upgrading crypto

That's bullshit. They could have made the actual crypto pluggable. Simply have a header that tells what kind of crypto it is, approve a new crypto standard every now and then and filter out packets that are crypted using algorithms that have been cracked at the clients, servers and routers.

I encrypt not for the fear of doing what I do

I encrypt not for the fear of doing what I do, but for the fear of getting CAUGHT doing what I do. More power to the people - encrypt and be FREE !! Down with tyranny !! Down with USA !! Down with your wife !! (and she's loving every monsterous inch of it) !!

Entropy problem.

[elucido]

If the average windows user uses PGP, it does provide a decent level of privacy, however it's not absolutely private because the pseudo random number generators are predictable, and this includes Linux.

The problem will be finding random numbers, and using PGP properly, and most probably wont do either of these things.

But it's still better than nothing.

Re:Entropy problem.

[CastrTroy]

They aren't really that predictable. Under laboratory conditions, you can get a situation where you can predict the key. When stupid things happen, such as in Ubuntu removing the part of the code that asks you to move your mouse around to create entropy, it gets way easier to guess things, but it's still hard if you don't know anything about the state of the system when the key was generated. Things like that can be made more robust anyway. Taking in information from the heat sensors, fan sensors, webcam, and any other device it can get information on while generating the key can greatly increase the randomness of the key.

Re:Entropy problem.

[caluml]

When stupid things happen, such as in Ubuntu removing the part of the code that asks you to move your mouse around to create entropy Uh-oh. Sounds very Debian-esque. Stop making crypto weaker, people. Poor cryptography is worse than no cryptography.

Re:Entropy problem.

[elucido]

When stupid things happen, such as in Ubuntu removing the part of the code that asks you to move your mouse around to create entropy Uh-oh. Sounds very Debian-esque. Stop making crypto weaker, people. Poor cryptography is worse than no cryptography. Actually no, it's not. Poor cryptography gives people a false sense of security. They think when they use Linux they are "safe". This isn't Windows, people don't switch to Linux to find out they are just as insecure in Linux s they were in Windows.

Re:Entropy problem.

[caluml]

Poor cryptography gives people a false sense of security. That's exactly what I said. "Stop making crypto weaker, people. Poor cryptography is worse than no cryptography."

PS. How do you get the nested quoting?

Nobody cares about their security.

[elucido]

And it's these sorts of people who reduce security, privacy, and liberty for the rest of us.

Wouldn't the internet be a better place of these individuals never came online?

Re:Nobody cares about their security.

[rootooftheworld]

Preach it, brother!

It's still trivially crackable.

[elucido]

If TCP/IP had been encrypted from the beginning, we'd be worse off, not better.

Why? Because any crypto available from that time is trivially crackable today. So instead of an obviously insecure communications medium, you'd have an insecure communications medium that everyone thinks is secure because, hey, it's encrypted! It wouldn't change anything except make people more complacent.

If TCP/IP had been encrypted from the beginning, we'd be worse off, not better.

Why? Because any crypto available from that time is trivially crackable today. So instead of an obviously insecure communications medium, you'd have an insecure communications medium that everyone thinks is secure because, hey, it's encrypted! It wouldn't change anything except make people more complacent.

Crypto today is still crackable because the majority of people who use crypto aren't using it properly. Most of the crypto is purely software crypto which is easier to crack by default simply because the key is stored on the harddrive, secondly pseudo random number generators aren't random and these can be cracked to determine what the keys will be for all systems.

PGP and GNUPG is a good idea, but it will never be implemented on a mass scale and the only people who will know how to use it properly will probably be it's inventors, and hackers and other bright folks, but not the sorts of people who need it most.

I propose we build better live CDs, and Linux needs a better pseudo random number generator.

And if you really want to be safe you have to generate your own random numbers.

If encryption is done right it's unbreakable.

[elucido]

If you do encryption properly it's completely unbreakable. The banks do it properly. Governments do it properly. Really smart hackers do it properly.

The majority of people just don't do it properly.

The only reason a brute force attack can work is if the numbers used to generate the key are not completely random, if the numbers are created by a true random number generator, it's impossible to crack the encryption through brute force methods.

But lets be honest, how many of us actually have or know how to make a true random number generator? And even if we could make one, it probably wouldn't be all that useful if the encryption algorithm you use is weak.

For the most part the algorithm you choose isn't important, the most important part is the entropy, but a weak algorithm just makes it that much easier.

Key size alone doesn't change anything.

[elucido]

The algorithm to generate the keys must be good.

And the random number generator must be true.

That and you have to know how to use the encryption after it's set up. Either way, lack of knowledge in how to use it will make it a lot less useful in practice.

If they crack your pseudo random number generator?

[elucido]

Precisely. Encryption/cracking is just another arms race.

Although the algorith is known to my enemies, my secret is safe as long as they don't have the key with which it is encrypted. They can get a computer to try all possible combinations though (called brute force attack).

My defence against this is to increase the key length so much that all th computers in the wolrd working together would take longer than the age of the universe to test all possible keys.

If 'the enemy' can brute-force an encryption key that is (say) 1024 bits long, I can increase the key length by any number of bits. Each aditional bit will double the length of time needed to test every single possible combination. Adding 10 bits would multiply the time by one thousand, twenty bits would make the time needed one million times longer. Another thousand bits and 'the enemy' can forget about it: the universe is not going to exist long enough for them to crack my encrypted message with brute force atacks, no matter how many computers they use.

Please note that the above only applies to cracking my encrypted message with brute force. I f 'the enemy' is willing to do it they might get a better resutl grabbing me and putting a gun to my head. Or they might try some other method at cracking the encryption.

If they crack your number generator then they can figure out which keys will be created by your GNUPG, they'll have a complete list of all the possible keys GNUPG can create, and they'll just go down the list trying each one until it matches your key, and thats how they'll crack your encryption.

This is what happened with SSL, this is what happened with the pseudo random number generator in windows.

The input (including random numbers) becomes the output and if you simply input a very recognizable pattern to generate all your keys, all your keys will maintain that very recognizable pattern, and so will your cipher text.

get some perspective

[ramul]

Big movies are expensive and so if they cant recoup cost or make worthwhile profits they will have to stop making big expensive movies, which is fine by me.
When they cant afford to make big expensive movies they will have to make cheaper movies that use cheaper elements to entertain, old fashioned things like 'engaging plot' and 'interesting characters'. the internet will be responsible for a cinema renaissance.

And like a previous poster said, movies are suddenly only worth what people are willing to pay for them.

Re:get some perspective

[rootooftheworld]

never thought about it that way. Now I realize that I never go to movies, because thats just a big fireworks show, Dr. House and Dr. Who are much more intriuging, and they by movie standarts probably run on pocket change. tnx bro'!

Re:And all other x countries that does wiretapping

[rootooftheworld]

give it up, i read that as if in pure english.

And why aren't they doing that as standard?

[elucido]

There are weaknesses in the Linux random number generator, some of the ideas you talk about would be smart to implement in Ubuntu but so far Ubuntu seems to be giving up on secuity in exchange for ease of use.

Honestly, this should be the main focus of desktop security in linux, the strength and efficiency of the random number generator. I think using the soundcard combined with the webcam would be good enough to stop the majority of criminal organizations from cracking your key.

Linux needs to also better intergrate biometric and smartcard security mechanisms into the OS so that it's literally a plug and play affair.

I want GNUPG to automatically recognize my smartcard or biometric interface. Even voice recognition providers better security than passwords, why don't we use that?

Passwords need to be phased out of linux altogerher and replaced with mouse gestures, voice recognition, face recognition, fingerprint scanning, and vein scanning.

When you use passwords you make it easy for crackers, and when those new GPUs from Nvidia come out it's going to let them crack a strong password in a matter of hours.

Because most people store their keyring under password protection, really to steal someones private key you just have to crack an 8 character password most of the time, and usually it's not a very strong password.

What this means is PGP gives the average user a few hours of privacy, to a few days, to a few weeks, depending on the limited strength of their password.

A smartcard combined with biometrics would solve all of this. Ubuntu should support this, but if not, maybe Redhat or Suse should.