Slashdot Mirror
CNN On Story on GnuPG 1.0
Dan Schleifer writes "Good to see that main-stream media has picked up on the release of GnuPG 1.0, and run a story on it. This is an especially GoodThing(tm) as, it's not just free software, but free encryption software that says: 'Haha, you silly little export regulations...' " Several nitpicky errors that I'm most of you will notice, but all in all great to seen the mainstream reporting on this, and starting to hit the issue of
privacy exportation, if only skimming the surface.
You've totally missed the point. Yes, it is true that one uses encryption so that "nobody will read your mails." I am not sure who would be surprised by this commonplace, but let's set that aside for now. The actual analogy people bring up in these discussions is really about ubiquity.
The point is that if everyone encrypted their emails, nobody (gov, nazis, ralph reed, eeoc, etc) would be able to wade through the vast masses of daily email via keyword searches to find anything. Ubiquitous obscurity means that those in power don't know where to start looking when they want to crack heads.
It is true, as you say, that envelopes do not really keep others from reading your mail en-route. But encryption does do this. The envelope analogy doesn't try to draw an analogy between envelope technology and crypto--it gives an example of the effect of ubiquitous privacy.
In other words, nobody would have any reason to suspect that one of your snailmail letters has anything juicy or illegal in it simply because it's in an envelope. Virtually all letters are in envelopes.
Likewise, because not eveyone uses encrypted email, such email looks a bit suspicious. But it wouldn't be so if most/all emails were encrypted.
amen
Sure one could... However, a big enough cluster could crack any encryption scheme, including PGP, blowfish, Triple-DES, etc. Every encryption scheme is vulnerable to brute force.
Oh no.. now you've .. oh no, now you're.... now you've done it....
It takes dee-mock-raw-see to make us free.
Don't you be mockin' dee-mock-raw-see, boy.
Or we're gonna have to go fetch a rope.
Symmetric: one key encrypts and decrypts. Fast, but how do you decide on a common key?
Asymmetric: two keys. Encrypt with either one, the other one decrypts. Much slower. But this lets you keep one key a secret and tell everybody the other key. Now everybody can encrypt messages with your public key, and only you can decrypt because only you have the matching private key.
And so on. Jump from there to signatures, key management, web of trust. How to avoid getting spoofed. How the passphrase protects your private key, and how big that passphrase needs to be. Etc.
Actually the PGP users manual would be a pretty good model. But boil it down even more, maybe add some pictures. Also, I think a good interface could help a lot. Something that does a lot of handholding--messages like "No one you know has verified that this key is correct. Click here to view fingerprint, or here to gamble." etc.
Sure. Hook every Linux box in the world into one big cluster and run it for a million years, you might be in the neighborhood. If the key length is short enough. If the sender is real paranoid you might have to run until the universe winds down.
both gnus and vm support gpg through the mailcrypt package. VM has some unfortunate bugs in that area though.
By making sure everyone, everywhere can get their hands on it, it nullifies the need for such a law, and I hope the US government realizes this..
Actually, it intensifies the need for funding to enforce the law. Government can route around thumb-the-nose initiatives like this, by banning the encrypted traffic.
You can't just pull down your pants and shake your willy in public because you don't like public nudity laws. Or, rather, you can. For a minute or two.
Richard Stallman is not part of the open source movement. He's said so himself.
Mutt is very compatible with pgp 2.x, 5.x, 6.x, and gpg. IMO it's the best console mailer out there.
Give it a try...
AFAIK it was done by people living "natively" ,
outside of USA, mostly germans
but hey ! why not visit the homepage at
www.gnupg.org
/me is surprised this got moderated so high, it's offtopic, isn't it?
Well, Debian can't distribute non-US from the US either, hence the name, but it does a pretty good job integrating ssh-agent under X. A simple [ -x $sshagent -a -z "$SSH_AUTH_SOCK" ] does it...
You can import it, but you can't send it back out.
If they need to have it explained to them, they don't need to be using it. Next they will want something more "user friendly", more features, etc
The stereotypical Congressman is simply going to listen to whichever bit of advice seems most likely to garner votes.
Any congress person, or other legislator or public servant, who has that attitude has NO RIGHT to be in office. Legislators should be acting in the best interests of their nation/constituents, not to gain votes and get re-elected.
Unfortunately reality is such that politics attracts more than its fair share of those who are "in it for the power".
Crypto enabled criminals are the far less henious option than crypto disabled citizens in a police state.
You present our congressmen as sad, apparently stupid, and clueless. Yet, you offer no excuse for their failure to execute their Oath of office, which is "...to protect and defend the Constitution of the United States...". Nothing in that Oath mentions any duty to impose wayward concepts of "protection" on American citizens.
The Oath is a positive afformation, the only afformation. Ignorance is no excuse, that's why we make them repeat it, out loud, and in public.
Honesty, doing the "right thing", getting votes, and "the best interests of American citizens" have nothing to do with it. The Oath means, in no uncertain terms, you willing lose office before you abridge the Constitution, in even the smallest way.
And just what credit/renumeration did Mr. Coward receive for his moment in the limelight?
Actually, a lot of people do write letters on postcards.
They don't have any illusion that what they write is secret, of course.
Most people don't write that many secret messages.
Guess what? If you use encryption, you're likely to be watched. Those of us who don't (most of us) will be less watched.
Wave that red flag, boys. Wave that red flag.
I dissagree with the nose snubbing bit of the previous poster but blind faith in the governemt(any government! China!, Timor! Iraq!)is foolish. Didn't we "turn off" a certain "ethical" government here in the US some 220 years ago? Hmm?
It they need it explained to them, they don't need it. Furthermore, only people sending things that require secrecy (criminals, conspirators, terrorists) should use encryption. Makes it easier to know who the criminals, conspirators, and terrorists are: the people using encryption.
I hope my sarcasm shows through in the above text.
The 1.2 series of reference ssh packages are free to use for any use. It's the 2.x versions from Data Fellows that are restricted to non-commercial use without handing over cash. I don't know anyone who uses 2.x. Nevertheless, a GNU implementation of the SSH protocol would be a good thing.
Ah, that would be even more factual incorrectness. Debian isn't the "FSF's distribution." Debian is an independant system integrator.
Anyone else a bit irked that PGP has plugins for Outlook Express, Outlook, Eudora, but not for Netscape Messenger?
or thereabouts
It would take a few billion years because your hardware and software suck. My hardware causes the local time of the processor to speed up by a factor of 1e50 using a graviton accelerator and runs the software in dimension 1B5-400A. A simple application of 1B5-400A mathematics allows me to examine keys in log(log(n)) time. Seriously, it's very difficult to prove that something cannot be done. However, I do have some small confidence in one-time ciphers. Until next week when someone attacks my method of generating "random" ciphers.
It is, in fact, GPL The Wassenaar agreement defines 'public domain' saftware as benig widely avaliable for free, which does describe GPG
Now if only we could make re-election contingent on putting the will of the people into practice, we might have something resembling Democracy. ;)
i see what you mean, i agree with you 110% percent
Yes, there are rpms & targzips available from the mirror sites.
Shutting governments down and just slouching over a keyboard doesn't cut it. I think that's the message being delivered a few comments up.
Ah the anonymous coward. I wonder if they still think it the same person over and over.
I'm sorry but many of them really are very stupid. I remember a senator for Illinois. Carol Mosely Brown. ooohh!! Never had an original thought of her own. Just sit there and spew the party line. Most of the time, she would just repeat verbatim what the person to her left or right said. I don't mean to single her out but she was from my state and I was particulary mortified that this human brick was making decisions that effected my life. There are many more of them out there. Beware! And another thing, our elected officials need to be aware that we are paying close attention to what is going on and we discuss these issues and our representitives on a daily basis. Our eyes are wide open.
I do not want to start a flame war, nor do
I intend to hurt anyone's feelings but
one only needs to remember the Gnome 1.0
fiasco to realise that all software development
paths can become corrupt with preannouncements
and vapor- or crashware.
And I forgot the HURD and Freedows,
both of which are still vaporware,
although HURD seems to be getting there
(sloooooooowly).
Yeah, I almost laughed my balls off when I read that sentence...
Anyway, it is very cool to see mainstream news reporting on free software, and open encryptation in particular... Hopefully a few more people will try it out because of this coverage..
i was under the impression that the GNU os is to be called HURD...
My GPG key
Mail me
>I have this vision of RMS grinding his teeth and launching himself at >his CRT while screaming.
I guess he never heard "Be careful of what you wish for, you just might get it..."
I'm sick of the United States trying to control everything and anything. This is a perfect example of the Net Community proving its world wide. National lines mean nothing, phone line mean more.
Hopefully this will help show the legislature the folly of these export restrictions.[...]God knows the legislature doesn't act on real issues, but if we can make this a PR issue, then things might actually change.
Can we relate it to "the children" in some way?
15 minutes, 37 seconds by my watch. And they say cops are slow....
Yes, there has been at least one case where someone left the US to work on encryption. Vince Cate renounced his US citizenship and moved to Anguilla.
(I think this was a Slashdot story a while back, but it's much faster if I don't have to search the /. archives....)
Doesn't this kind of contradict what the FSF is all about? RMS has the goal of creating a better society. In such a society, people wouldn't need to hide things from each other. I know that, for quite some time, RMS refused to use a password on his account at MIT. How does GnuPG fit in in terms of helping the FSF achieve it's goals? Or is just the fact that it's the first free encryption program enough to make it worthy of being part of the GNU system.
from keygen.c:
/* It is ridiculous and an annoyance to use larger key sizes!
else if( nbits > 4096 ) {
* GnuPG can handle much larger sizes; but it takes an eternity
* to create such a key (but less than the time the Sirius
* Computer Corporation needs to process one of the usual
* complaints) and {de,en}cryption although needs some time.
* So, before you complain about this limitation, I suggest that
* you start a discussion with Marvin about this theme and then
* do whatever you want. */
tty_printf(_("keysize too large; %d is largest value allowed.\n"),
Except for the fact that the GNU project was not founded to create Linux, now was Linux created by it.
Hmm.. looks promising... Although I don't particularly care for XForms...
;-)
Of course, I'm using Netscape Mail right now, so I bet pretty much anything would be an improvement..
I read somewhere that you can build plugins for Netscape mail in Java... anyone know anything about this?
Well, last time I installed the s-utils, one of them was sftp. (I could never get that one to work, though.) mjt
-----------
-----------
100% pure freak
Not just CNN. CNet, Ziff-Davis, CMP (InfoWorld) and Wired are all apparently reading /., as are some of the more esoteric trade rags.
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Sure, if by 'big enough' you include all the matter in the known universe to build it. Better go reread Applied Cryptography.
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Can't do it. The laws say that not only can't you have encryption, you can't even have any hooks that can be used for encryption.
So you have generic hooks. A hook to apply some plug-in to a mail message before it is sent. Your standard distribution contains plug-ins to pass your mail through a spell-checker, grammar-checker, whatever, and you leave those sneaky for'ners to come up with a GPG plug-in. Easy!
mostly functional..?
There is also "lsh."
--
This comment isn't really related to the story, but it is related to encryption and the reasons people use it. I see at least once per encryption-related discussion the envelope / encryption analogy. It goes like, "you don't write letters on a postcard, you use an envelope so people don't read your correspondence. Likewise you should use encryption so people don't read your e-mail."
Actually, I put my letters in envelopes for reasons completely unrelated to security--I don't want them being soiled or becoming illegible because of moisture, etc. The envelope is simply protection from accidental damage.
An envelope will not keep other people from reading my postal mail! Have you ever tried opening one of those things? I open dozens a week, and I've become so good with them that it takes me hardly a second to get one open.
--
First of all, GPG can be legally exported from its home, Germany, into any country, including the US. It cannot be re-exported from the US. It can never be put on a US FTP server, for example.
Now if the program gets contaminated with a US-written patch, nothing changes. It is still legally exportable from Germany. The writer of the patch may be thrown in jail as an illegal arms dealer, but I wouldn't bet on it.
--
If you used the most flexible mua in the world, namely mh, then you could easily write a simple script that would add seamless support for gpg, such as I did one afternoon.
No, you must use your monolithic mua which makes it hard to add features. Otherwise, you're too lazy to hack the source to add the feature yourself.
Mutt has extremely good support for pgp, pgp5, and gpg.
Daniel
Hurry up and jump on the individualist bandwagon!
They might read it, but I'm not sure about the polish.. :)
Daniel
Hurry up and jump on the individualist bandwagon!
Given current factoring technology, no. I don't have the numbers handy, but they're super-astronomical -- imagine computers the size of atoms, each testing one key in the time it takes light to cross said atom, communicating via ansible (instantly), packed bumper-to-bumper, filling up a sphere with the radius of one of the planet's orbits. This structure would take a few billion years to do this crack. (Source: sci.crypt, with numbers.)
Unless you're talking about just the weakest level, of course. But that's no challenge -- it's already been done, although for RSA rather than ElGamal.
-Billy
First, let me weasel out of this by noting that I was talking about Beowulf, not technology in general :-).
However, quantum computing is NOT just a way to make more powerful computers; it's a completely different way of working, and to my understanding, although it's solved the factoring problem (or at least there's an algorithm for it), that doesn't mean that it's solved the discrete log problem used in ElGamal.
Solving the DL problem would also solve the factoring problem, but not the other way around.
Now, one thing I don't know: have they solved the DL problem using quantum computing? I have no idea.
-Billy
What makes you think that would improve anything? The majority of people don't have a clue about security or even democracy. Thier opinion is less than worthless.
I'm glad we don't have a democracy -- and I hope we never move any closer to one than we are. Democracy makes the fatally flawed assumption that the will of the masses outweighs the rights of any.
-Billy
mutt is a text-mode editor which integrates VERY well with GPG and PGP.
-Billy
I seem to recall a major crypto company moving to Australia.
-Billy
You can have encryption in software, and you can also have hooks in place to be used for encryption. You just can't export these versions. It would be nice if Mozilla had a convienent hook built into it's email application that GnuPG could take advantage of.
It's not entirely sucksville if you live in the US. But most of it is still sucksville.
Joseph Elwell.
AFAIK, mutt has gpg integration. Dunno exactly how it works, but I'm told it's there. At least that's what somebody told me the last time he tried to convert me from pine. :P
This is a perfect example of GNU and the open source community. We provide free alternatives to commercial products that are available, and as an added bonus, it has no export restrictions!
Clarification: It has no export restrictions because it was developed outside the United States, NOT because it is open-sourced.
Well, isn't the Wassenaar restriction avoided because it's free (beer)? I _suppose_ you could do a binary implementation and give it away for free...
PGP is free. They gave the source out. Still do for the old (2.6.2 and older) versions. Dunno what effect the RSAREF licensing has on that, though.
I've seen people use closed-source crypto products, and I wonder when someone is going to discover a backdoor that was put there by some government.
Somebody already did.
>Actually, a lot of people do write letters on
>postcards.
You misspelled "idiots".
>They don't have any illusion that what they write
>is secret, of course.
>Most people don't write that many secret
>messages.
That is a meaningless argument. What if those
messages that *are* encrypted *must* be encrypted?
What if it's a patient discussing an AIDS
treatment with their doctor, or a manager
dicsussing a classified manufacturing method with
his or her employees? You may not need to use
encryption much, but when you do, you *really*
need it.
>Guess what? If you use encryption, you're likely
>to be watched. Those of us who don't (most of us)
>will be less watched.
Being watched doesn't bother me. What important to
me is that casual observers not read *my* private
email. I like my privacy. My god! I must be a
terrorist or a child pornographer or a communist
or something!
>Wave that red flag, boys. Wave that red flag.
Keep writing on postcards, boys. Keep writing on postcards.
Well, isn't the Wassenaar restriction avoided because it's free (beer)? I _suppose_ you could do a binary implementation and give it away for free...
Unfortunately, the US export regulations *do* work.
I'm in Europe, using the insecure ('export-grade') version of IE5. At other times, I use insecure Netscape 4.61. So does everybody else - very few people can be bothered to hand-edit the Netscape binary to enable encryption. Heck, most users don't even understand what key length is.
The export regulations make it inconvienient for most users to get strong crypto. And if something is inconvienient, most people won't use it. The laws may not stop those who know what they are doing, and are prepared to take security seriously, but there are still lots of easily-tappable, interesting communications out there.
-- Ed Avis ed@membled.com
Recently I was asked how to use PGP to encrypt mail from a form on a business so that no one could see it as it traveled between the web-hosting business and the actual owner of the site.
I mentioned the (then upcoming) command-line version of PGP, but also GNUPG.
S/MIME has a good architecture, but the business versions of PGP also have good key management on other features intended for business users.
And as far as "real world" use, S/MIME is new and has announced support from vendors, but on the Internet "email encryption" and "PGP" are all but synonymous. Recent versions of PGP integrate well with the most popular Windows mail clients (except Netscape Messenger). It also features clipboard integration with any other text-processing application.
Can't do it. The laws say that not only can't you have encryption, you can't even have any hooks that can be used for encryption.
Yes, I know this is stupid, but there's no way a company is going to do this, when the very thing it wants is to remove the encryption restriction altogether. Its simple politics...
And if you think this sucks, welcome to the real world... This isn't software, its not logical, its life...
You big goober! You missed the joke completely. Gonwyn deliberately misused 'Linux' in place of 'Linus.'
--
A host is a host from coast to coast...
A host is a host from coast to coast...
Unless it's down, or slow, or fails to POST!
Oops... sorry georgeha.
--
A host is a host from coast to coast...
A host is a host from coast to coast...
Unless it's down, or slow, or fails to POST!
Gnus (which has more features than many people would know what to do with) supports GNUpg (as well as PGP) using mailcrypt.
Exported from where?
The USA is not the only country in the world. If GNUpg is integrated outside of the USA (or other country with crypto export regulations) then it just needs to be imported into those countries, not exported from them. So only import regulations need be a problem, not export ones.
I'm also in Europe, but i have strong crypto! When using netscape i rely on Fortify. This is a fully automated patch, just type install (or whatever) a few stupid questions, and voila... then you can repackage it and even distribute... When using IE, then there are strong versions on replay.com (Even a 128 bit WinCE IE is downloadable here).
You would be fine as long as the patch was pseudo-code. (I wonder if you could call something pseudo-code if it could not be read by the compiler directly...) That makes it a pain for the maintainer, but... it's fairly minimal.
...at least not until we get something like "ncscp" or something, or even an equivalent of the ftp program. It'd be nice if it had an interactive mode.
Can't do it. The laws say that not only can't you have encryption, you can't even have any hooks that can be used for encryption.
Any computer has "hooks" that can be used for this purpose, and therefore should be illegal to export. Consider that you can take an email program, and patch in encryption hooks with a debugger if you have to. That means the program has hooks in it because it has places where you can patch in the encryption code.
Ok, now that we can see how silly and unenforceable the "no hooks" policy is (as long as you don't put in hooks that are specifically for encryption everything should be allright), lets consider how our encryption program could hook itself into mozilla. Hmm, remember, Mozilla is all held together with scripty-goo, and consists to a large extend of dynamically loaded modules. There's a way, for sure, and even an elegant way that fits nicely with the Mozilla architecture. Or, maybe there should be a law that browsers with scriptable components are illegal to export?
--
Life's a bitch but somebody's gotta do it.
I once read an article in a local newspaper that talking about Web design and mentioned HTML as being a programming language.
The sad thing is that to most people HTML is a programming language. Remember we live in a society where most people's solution to the blinking 12:00 on a VCR is to cover it with electrical tape.
-matt
---
---
1) The Declaration of Independance is a letter, not a law.
2) Governments can make any laws, grant any "priviledges" they want.
What the Declaration of Independance was saying is that is a "Human" right, not a legal one, to be free. That can never be actually taken away from you. On the other hand things like life, liberty, and any hope of happiness CAN be taken away by the Government.
Freedom tends to be more of a priviledge granted by your Government, rather than an actual right. If some Government decides to come to your house, take you away and throw you in jail forever, are you still free? Where are your "inalienable" rights then?
-- Remember: Wherever you go, there you are!
Ok, lemmie get this straight: Because the previous poster doesn't have a perfect government, and there are worse governments in existance then the USA is the best and y'all should shut up about it?
I happen to be a US citizen as well, in fact I was just Honorably Discharged from the US Military. I just believe that freedom and privacy have been thrown into the crapper. True to our Constitution this gaping atrocity has been commited by none other than our own people. The average Joe would sell his soul to have his wife, 2 car garage, 2 1/2 children and the closest thing to world politics would be the World Cup Soccer Tourney.
My $0.02 US
-- Remember: Wherever you go, there you are!
Of course that was what everyone said when PGP was released, many moons ago. Last I checked it hasn't happened yet!
-- Remember: Wherever you go, there you are!
I have to apologize, I hate to be a troll. What I was trying to say, crudely, is that defending your argument by saying that the previous poster isn't perfect, therefore shouldn't voice their opinion is no defence of an argument. I find this idea endemic in US society, that if you aren't morally perfect then your opinion doesn't matter. Unless this is the second coming, nobody is perfect, therefore everyone elses opinion can be discounted using this logic.
-- Remember: Wherever you go, there you are!
It seems to me that since encryption is useful for
communication software, it would be nice to
integrate it fully with Mozilla and other
browsers (konqueror, opera, lynx etc.) as well as
with collaboration tools (cvs, lotus notes and
whatever OS/FS clones there are of it, etc.).
On second thought, Apache integration may be
more important, because it'd be nice to serve
encrypted pages, then there'd be a market for
encryption capable browsers.
Disclaimer: I do not know to what extent any of
this has been done.
I don't know if scp counts as a replacement for ftp (though I'm not knocking scp in general) as you can't browse directories etc with it (granted, you can use ssh to find what you want and scp to grab it) but kerberos is a good thing too.
> Actually, it intensifies the need for funding to > enforce the law. Government can route around > thumb-the-nose initiatives like this, by banning > the encrypted traffic.
> You can't just pull down your pants and shake > your willy in public because you don't like > public nudity laws. Or, rather, you can. For a > minute or two.
Ah, but I can go somewhere where public nudity is okay (another country, or my own home, which wouldn't be public, but oh well) and do so, and then point out that nothing horrible happened (oh no, I got cold!)
well, okay, I couldn't shake my willy around (at least not unless I went to the adult store first) but you get the picture.
Just because an entity has the *power* to do something to you does *not* make it legal, or right. The constitution does not grant rights, it enumerates them. This is a fundamental difference, and one the founding fathers explicitly expressed in the 9th and 10th amendments. (sorry for the US-centric argument)
Trampling on your rights does not remove them, as our current government proves every day.
"Those who would give up essential liberty for temporary safety deserve neither liberty nor safety" - Benjamin Franklin,
Well, there is a legal process for striking a Constitutional right like free speech.
...
No there is NOT! Your rights are inalienable. Meaning ALWAYS WITH YOU. Just because it is or isn't in the Constitution or any other document doesn't mean that you don't have the right. Rights are not granted by the government, priviledges are. There is a very big difference.
inalienable \In*al"ien*a*ble\, a. [Pref. in- not + alienable: cf. F. inali['e]nable.]
Incapable of being alienated, surrendered, or transferred to another; not alienable; as, in inalienable birthright.
Can't get any clearer than that
"Those who would give up essential liberty for temporary safety deserve neither liberty nor safety" - Benjamin Franklin,
Oh, I'm not claiming that there are no stupid legislators. But the fact that they tend to blindly follow party leaders doesn't disprove my point. There are always people who actually make decisions, and you can bet that these people, high up on the party ladders, have seen and understand the results of their export policy.
/* The beatings will continue until morale improves. */
I agree. And that's why we're beginning to see the anti-crypto legislation. Because the obscurity period is gradually coming to an end.
/* The beatings will continue until morale improves. */
Why does everyone assume legislators can't understand this?
They DO understand what export restrictions do to American companies. (Sorry to say the same thing over and over, but these "boy are those lawmakers dumb" messages just won't stop coming)
The laws are intended to keep American companies from effectively promoting the use of crypto in the states. No widespread use => no real need to regulate => no publicity nightmare.
/* The beatings will continue until morale improves. */
Well.. Call this a little Trolly, maybe a little offtopic, but is anyone else slightly irritated at the self-superior tone that RMS has on gnu.org when discussing Linux vs GNU/Linux?
When will he figure out that GNU would be just a few alternate apps for Unix boxen if it weren't for Linux? Of course, there would be no Linux without GNU.
So what's my point? Well maybe it's time RMS took a miss. This is a little like the Chuck the Daemon argument. The people call it Linux. Boo Hoo if that name doesn't give credit to GNU. People still call the BSD daemon Chuck. What's in a name, really?
RMS seriously needs to revise his attitute a little. People might actually take kindly to calling it GNU/Linux if he wasn't yelling so damn loudly. Something he needs to learn is that people who 5 minutes ago didn't care will suddenly be against you if you come on too strong or are rude.
Then again, this press is just bad anyway. But in the end, it's not like this was a product of some people in Boston or whatever. It was a product of the entire Open Source Movement. From a need came a product, and it was Better. In the end though, don't be petty about it.
There already is an extension to normal addressbooks for certificates (it's a pretty standard attribute in LDAP) and it would be very simple to include a key attribute in an LDAP entry.
Screw this shit, I've had it/I ain't no mister cool./I'm a pig, I'm a dog/Excuse me if I drool./stm
The article says GnuPG is in the public domain. Is this true? No GPL or LGPL? If its really in the public domain they must have abandoned the copyright too. This must, if it is correct, be very unusual for GNU.
Good one, Russ.
(Yes, this is VERY funny. Please moderate it up)
Help achieve Liberty in your lifetime - join the Free State Project - http://www.freestateproject.org
What one might do is put generic APIs into Mozilla which can be used with any software, and some mechanism for writing and registering interfaces to specific programs. This is a Better Way To Do It, anyway, and avoids any export problems involved in actually imbedding the software.
Use mutt. I believe it has support for gpg as well as pgp, natively.
Alternatively, if your editor supports a pipe-through-command function (! in vim, etc) you can pipe the whole mail through pgps -at and enter the signing password blind, and hey presto, it'll replace the mail with a PGP-signed version of itself...
~Tim
--
~Tim
--
Rushing on down to the circle of the turn
The US Government does not allow some, rather most, of today's computer technology to other countries, ie: China. This is just an example of the computer industry will just get through this by working out side the US. As slashdot users we should all lobby our senators, how can they resist all 700,000 of us? At least it would make a start. If China needs supercomputers I am sure they can get thier hands on them, I'm sure Russia will sell them some of their old ones.
"To know what you know and know it, and to know what you don't know and know that. That is wisdom."
So what's stopping me downloading the mozilla source, adding in some hooks for GPG, puting the new version on my UK based web server and letting anyone who wants it downloading it?
I'm allowed to import to the US aren't I? If the hooks can be made into a fairly simple patch then immediately the current version of the code is released I can apply the patch and have a GngPG Mozilla online within hours.
That's a thought. I know that's something to think about for my senior project which should be starting in about a month. hmmm, especially since they're changing the format for the senior projects (AT THE LAST FRIGGIN MINUTE!!!! [not that I'm bitter like old road salt.]) means I need to find a different project than what I had in mind (PLANNING IT FOR TWO FELCHIN' YEARS!!!) but I'm 'Just Fine' Thank You for asking.
Many mail clients have support for PGP. Someone has written a wrapper called pgpgpg which accepts PGP arguments and sends a translated set of arguments to GPG. This makes integration into existing mail clients much easier.
If you can't use the wrapper for some reason, all is not lost. Many PGP command-line arguments translate directly into GPG. Although PGP has some vestigal DOS-isms in its command-line syntax -- e.g., you need to use the -f switch to get it to DTRT with pipes, which is not necessary in GPG -- it's simple to flense them out in most cases.
--
Some keywords for the NSA in the Lord of the Rings universe: One Ring bind find Sauron quest Nazgul freedom
128-bit symmetric-key crypto is quite secure. The problem is distributing the key. The 128-bit key is encrypted using the public key, which may be up to 4096 bits. It can then only be decrypted using the private key, and thence the message decoded.
-russ
Don't piss off The Angry Economist
and I haven't been following GPG's development. What's the algorithm here if it's not using RSA for public-key cryptography? Am I just totally clueless about the ways of the crypto-world?
I find it easy to imagine a non-DES symmetric key algorithm...but why is it I always had the impression that RSA was the only viable solution for public-key crypto out there?
Here's a readme file describing how.
--Ryan
--bdj
Well, factoring primes is easy. :-) However, factoring other numbers into primes (which is probably what you meant), does not require exponential time.
As far as I know, this has not been proven (if you know otherwise, please provide a reference). However, in practice advances in factoring seems to leads to advances in discrete logarithms and vice versa.
From crypt()'s man page on linux (Red Hat 6.0):
The DES algorithm itself has a few quirks which make the use of the crypt(3) interface a very poor choice for anything other than password authentication. If you are planning on using the crypt(3) interface for a cryptography project, don't do it: get a good book on encryption and one of the widely available DES libraries.
And the man page on solaris I know will say something quite similar. So don't consider yourself a security guy because you can crack crypt() or know that user passwords should be expired on a regular basis. All you've got is enough knowledge to be dangerous. Read Applied Cryptography for some info on real cryptography.
Jherico
What can the average user can do to ensure his security? "Nothing, you're screwed"
Yes, but you can give a "Generic plugin interface", and then design a quick&easy wrapper for your crypto program, and then you have the crypto program seamlessly embedded in the app.
No problem.
-- The act of censorship is always worse than whatever is being censored. Always.
Actually what I want is a S/MIME compliant stuff, so that anyone with Outlook/Netscape can check my signature and encrypt email. Stuff like PGP/GnuPG sounds fine from the technical side but is hardly of any use in "the real world" (think about business world and sales people, not a group of linux geek friends...)
NB: Yes I know, OpenSSL makes OE/Netscape compatible certificates usable for signing/encrypt, but it still has lots of compatibily issues.
Outside the United States, you can get Bones via anonymous ftp from ftp.funet.fi (128.214.6.100) in pub/unix/security/kerberos. A DES library is available from the same place.
Copies of the Kerberos Bones with DES routines and calls added back in by foreign programmers are called `eBones', and are available by anonymous FTP from machines in Sweden, Germany, Israel, Finland, Australia, and France (so far); check with "archie".
After having had to use Eudora w/pgp before, I'm ecstatic to be able to use pgp/gpg with pine. The integration is good, and having the filter option pop up when I'm sending is like a dream come true. I think it's the most hassle-free mail encryption setup I've ever used. There's a good page linked from the gpg main page that's a cookbook for setting pine up with pgp/gpg in minutes...
I think someone at CNN reads Slashdot dilligently and polishes the stories for mainstream consumption!
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
Actually, I think that PGP has support in the newest version for 4096 bit encryption, or at least thats what it says I'm using.
The CNN article said " Like PGP, GnuPG uses 128-bit encryption." Doesn't PGP support up to 2048 bit encryption? Well, you can't expect technical perfection from mainstream media. :-)
--- "So THAT's what an invisible barrier looks like!" - Time Bandits
But they can! All you need is a cluster with 2^10000000 nodes and you are sorted so long as the key size is kept manageable.
I have one on order.
I've seen filters for Elm to deal w/PGP I think, I've heard Mutt works great with it, and I personally use a set of filters called pinepgp. You just add a sending filter and a display filter to Pine, and it'll automatically check signatures and/or decrypt incoming PGPized mail, as well as offer you a choice of sending mail that's either PGP signed, encrypted or both. It also has an option on the PGP menu to finger the To: address for the public key. Short version of this post: The tools to do what you want are already there, you're just not looking hard enough.
Mike Markley - *NIX Sysadmin and all-around geek - finger for PGP key
Considering that GnuPG was developed outside the US, and that people moving in and out of the country to work on encryption software was discussed last week on Ask Slashdot, has anyone actually left he US permanently in order to work on encryption software? Or is it all just theory?
Sig:
Barbeque is a noun. Not a verb.
I can guarantee that at least one reporter at cnn.com is reading slashdot. click on this and scroll down to the bottom of the story to see cnn.com quote an anonymous coward regarding the recent Hotmail debacle.
I thought you could already do that in Netscape.. under the mail sending options tab (to the left of where you'd type in the address you're sending to) there's a bunch of check boxes, including ones for encrypted and signed.
I realise I'm probably way out in left field with this, stating something that everyone already knew, and that there's more to encrypting and signing email than this. If I am, I apologise.
Iron Gorilla
Quantum computing has great potential (sic) but it is essentially a Brute Force Attack. It's just like a massively parallel attack.
Nothing complicated in how you use quantum computing -- it's just how to make them that's the big problem!
ouch! - "Open-source software group GNU" - I am sure Stallman must be thrilled with that.
A bit more on topic, I've been using GPG for a little while now, and have been real happy. As someone who likes to do too much, other than integration with mail clients, what other GUI interfaces would people want to use gpg with? I have used NAI's gui for windows, and have been thinking of doing something similar for Linux (or maybe just helping out gnomegpg) but am curious as to what other people think.
-chris (gandalf@darkcorner.net)
I've noticed it going more and more this way recently too.
The best software is usually that which is written to solve a particular problem or implement a particular system that its author(s) themselves wanted to do, rather than for commercial purposes. That doesn't necessarily mean it is released as freeware, or open-sourced, but it was definitely not designed to make money.
Software designed for primarily commercial reasons may often suffer from:
The latter point is becoming more and more pernicious in commercial software, I think. It's often just not possible to buy a simple tool for a simple task.
--
Back in 1979 0r 1980, someone wrote a series of articles in a technical magazine. It included a good discussion of encryption by position changes and symbol changes. It also included a software program (I hate the word "implementation")for DES that would run on a computer with 1K (one kilobyte) memory. I returned the magazines to the owner, and no longer remember the title. The series was easy to understand, education level high school algebra.
Yeah, that's what I meant...
maybe I should start reading over what i post
I guess that's that that preview button is for...
Quantum computers do solve discrete log.
Also, factoring becomes polynomial time,
but not (necessarily) linear.
It's all a matter of degree. If the patch is fairly small, and only applies to a subset of the source, then it can't be argued that the code being sent comprises a cryptographic product.
I think you would need to be making some very large patches to be at risk.
In the extreme, simply print the patches in an OCR-friendly font and use snail mail....
-- BtB
Just a guess here guys, but I believe what he meant was 'Won't Linus be pissed."
--
Jeremy Tout
photon-atsign-home.com
resistance to allowing users to have things like strong crypto is actually very simple.
Through my own experience, when I mixed security and the court system, I came to the
conclusion that people (non slashdot readers) are a little afraid.
It seems that people are afraid of what they don't understand and when they do not
understand they try to control as a contingency measure.
It seems that even though the situation is reasonably plain to us it may not be plain to
the masses thusly not plain to legislation. I would propose that law enforcement agencies
fear strong encryption as a matter of course. They cannot use the methods of gathering
information that they have relied on for years (i.e. wiretapping) so as a logistic measure
they wish to make it an illegal act to use encryption that they cannot break (so as to gain
the warrants necessary or whatever) . I personally do not blame them as they have a
reason to fear in this respect.
I do not blame any of them I simply think they are wrong. Dead wrong. The argument is
very flawed in the fact technology is, for the most part, benign. Regulating gnowelege and
the derivatives of such knowledge is asinine. Total regulation will probably never happen
as this proves somewhat (hopefully).
The bottom line is that people fear technology. And the idea that someone being able to
communicate so securely that our beloved protectors cannot listen in makes people fear.
At least those people who trust their neigbors/government/competition/wife not to listen
in on private discourse.
As one of those 'security guys' I would submit that it really is a matter of computing power.
For example, Through mine own experiments I would have to say that a password that is encrypted using the standard 'crypt' function should be outdated every 2 weeks. It would take me a maximum of 29 days to brute force attack ANY password using that function using 24 pentium 166's. This is mathimatical to me.
With a sizable cluster this would of course become much less. My point is that data should become outdated as to its efectiveness and that encryption standards should rise as the availability of computing power rises.
No encryption is unbreakable. It just takes time.
I'm not sure which I'm happier about, that the 'mainstream media' recognizes that this is important, or that v 1.0 is out. Now I guess we can all wait for psst (the GNU ssh clone).
-pate
at the risk of being labeled a free software bigot, ssh doesn't cut it. It is *not* free for commercial use. psst is the gnu project to implement a truely free ssh clone.
Congress convenes again shortly, and I believe export regs are one of the first things on the agenda. How convenient that GPG was released just beforehand. :-)
everything you know is wrong
This technology will be outdated in two decades. Quantum computers make factoring primes a linear rather than exponential problem. Don't trust modern cryptography with even the strongest keys to keep your data safe for more than 20 years.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I never said anything about the U.S. being the best. I never even said anything at all about the original poster's government. Where do you people get these loony ideas? I'd rather live in Canada. That still doesn't mean that the U.S. is the worst, or that I don't believe in a lot of things it stands for (in theory at least), as far as governments are concerned. This, however, does not make the U.S. any better, or worse, than any other part of the world. I thought I had made this clear. I don't ask a lot (or maybe I do..?), just that people think. The reason the U.S. is so screwed up today is because of ignorance, prejudice, and the fact that many good people do.. nothing. I see no further point in pursuing blatant flamebait.
Speaking of ignorance, do I even use the word "troll" correctly and in proper context? Ha! If anyone would like to enlighten me as to an actual definition of a word rather than my half thought out notion of what it probably means, feel free to let me know.
~ Kish
I, likewise, would hate for others to believe that I think that other's opinions don't matter.. regardless of the circumstances. Of course, since all of this is a rather convoluted and somewhat obfuscated issue, it's hard for me to be very clear. For this, I apologize.
Let me try again.. One of the points that I wished to make is that while the U.S. has its problems, and is certainly worth of criticism, I find it dismissive and lacking validity to snub the country, its inhabitants, or its government simply for the fallacies of a few of its inherent members. Were we to squelch all "negative" influences in our society, we would be some seriously totalitarian bastards, wouldn't we? Trust me, it would be better that we not live up to those kinds of stereotypes.
Everyone's opinion matters, but I find it to be in bad form to snub others simply because of the country there were born in or happen to live in at the time. That's prejudice. The reason why I don't think that any place in the world is any better or worse than the other is because there are good and bad people everywhere. Even in places where the government is horrible, there are wars and bloodshed rampant all across the land, what have you.. There are still good people, innocent victims of these atrocities. What the world needs is a little more understanding.. open minds and open hearts..
Hopefully I am being a little more clear this time? Sorry for my previous, rather inflammatory responses. Whee..
~ Kish
Come on people. Does anybody out there consider Netscape (now owned by AOL) and/or Mozilla to be an "Evil Thing"? Ever wonder why most of the development of Mozilla is done by Netscape despite their open source invitation? If you really want something "insightful" or "informative", I suggest that you check out this page on the GNU Project Web site. Maybe I'm just a loon, but after reading this, it seems to me that trying to integrate an official part of the GNU Project into such software would be a rather silly notion at best.
~ Kish
Surely you all haven't forgotten about sftp. Yes it is too included in ssh and enable by default even. The sftp client isn't too bad either. sftp, secure ftp, gives you the same interface in the client as /bin/ftp does :)
--
rm -rf ~/.signature
Mutt!
Yes it's flexible, it's great, it has tons of features, it's Mutt! It does autoencrypting, encrypting, autosigning, etc. Even better, It directly supports different pgp versions and, TADA, gpg! I run mutt 1.0pre2 (yes it is also about to be stable!) and it interfaces with GNUpg 1.0 really well. Very nice work all ye mutt developers.
rm -rf ~/.signature
Crypto is used by human rights groups. It is despised by the US Government. Draw your own conclusion.
Crypto is used by criminals. It is despised by the US Government. Draw your own conclusion.
As you can see, these statements are fairly worthless. The stereotypical Congressman is simply going to listen to whichever bit of advice seems most likely to garner votes. So he has people like Louis Freeh and Janet Reno whispering in his ear about the evils of encryption. Criminals abroad MUST NOT be allowed to operate without our surveillance, or so they say.
Except, of course, as we all know - encryption technology is already widely available outside the U.S. And then there's the old saying about "criminalize guns, and only criminals will have guns".
But if you want to really frighten yourself, turn on CSPAN sometime and see if you can find a Congressional proceding related to crypto. The sheer cluelessness will astound you. And these are the people making decisions for an entire nation.
Many of these congressmen honestly think that they are doing things that are in the best interest of protecting American citizens. Unfortunately they often become too separated from their constituents. But I wouldn't label them all as malicious, or traitors. The real criminals are the people behind the scenes, whispering their own agendas at the legislators, and stifling the voice of the American voters.
SEAL
About 8 years ago I worked on a cancer screening project in the Twin Cities. Our results got reasonably decent coverage, but it was amazing to watch the story migrate on CNN.
... and these are the same people who get on Dan Quayle's case for adding an extra e to potato :-)
We started out in the 4 o'clock segment as being researchers at the University of Minnesota, and the facts slowly slipped until by 7:30 we were, researchers in Boston.
It would have been funny if it wasn't so sad
It makes it unreasonable for normal people to aquire and install crypto. You have to download it from off shore, then patch it into your environment.
Like they say...
Crypto is used by human rights groups. It is despised by the US Government. Draw your own conclusion.
In my book, Civil servants using patent lies to justify the destruction of the Constitution isn't just a breach of Oath, it's treason. And, every judge, congress person, and president that allows it to continue is a co-conspirator. Treason, you say? Well, there is a legal process for striking a Constitutional right like free speech. Failing to use that process suggests the powers that be are working for some other country; they clearly have an intent to defeat those of us that live under said Constitution; and they are US citizens. That is the very definition.
They're WAY past folly.
Yes, the half they got write was the "GNU" half. The GNU Project's goal was (and is) a completely free UNIX-like operating system, which they named the GNU OS (or just plain GNU). Currently, plugging the Linux kernel into this (mostly completed) OS provides you with a mostly functional OS known as GNU/Linux.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Interesting.. The second paragraph in the article begins with "The privacy-protection program, which is available now". That puzzled me for a second -- of course it's available now if it's announced! Only five seconds later did I realize how much used I became to our world, where software is announced when it's available, and announcements are not fluff and vapor just to outrun the competition... Funny how CNN is talking in traditional terms which sound so strange here.
Hopefully someone ingenious person will integrate GnuPG into Mozilla's email client. Hopefully that would encourage other email clients to adopt the integration and create wide spread use of signed email.
Joseph Elwell.
Also, there is still a great deal of debate over the entire Linux vs. GNU/Linux thing, I personally go with Linux but that's just me. Actually had they replaced Linux with Hurd it would have been entirely accurate.
-matt
Lets say I encrypt all of my emails and on in a given week I send 100. 99 of these emails are along the lines of "happy birthday" or "can we meet friday by the new, expensive, super-trendy coffee shop". 1 is "I'm going to rob the bank in 2 days". Now lets pretend that the government has some kick ass crypto cracking computers and they can decrypt one of my emails a day and that they pick emails at random to decrypt. Lets say that that they get really lucky and pick the 1 bad email, out of the 99 good emails on the 25th try. Jackpot, they found out I'm going to rob a bank, oh wait, it's 23 days after the bank was robbed, oh well, they know who did it atleast, but wait, in those 23 days I made arangements to fly to some country that has no extridition treaties with the US.
Basically my point is that the government can be as suspicious of me as they want to be, it makes no difference in the end so I doubt that they'd bother trying. Also, people write letters on post cards, but most are in envelopes and they'd be extremely pissed if the envelope got delivered and it had been opened. It doesn't matter that it was just a letter saying "happy birthday."
-matt
Well that shouldn't be too hard. ;-)
"We must ensure that our country remains the technological leader of the universe in order to reserve the rightful place in the hierarch of mankind that our children deserve. Therefore, I submit to this distinguished body, that we must dis-allow the importation of any encryption technology onto our hallowed American soil that would seek to undermine the very moral and ethical fabric of our socienty and force our children to submit to functioning on the same pathetic level as the children of all the other nations on this Earth!"
(to be read in the monotone drawl of your favorite clueless bible-belt Senator).
...for "newbies" to encryption, that is?
I'm really pleased to see GnuPG getting attention -- it deserves it. After using PGP for a while now, and reading all about various encryption algorithms this afternoon, I'm feeling pretty pumped about protecting my personal privacy.
That said, PGP & GnuPG are only useful if more people start to use the software.
So, with that in mind:
Does anybody know where there is a simple explanation of how encryption works? Something that you could show your non-geek friends, or, even (gasp) your Mom, and have them understand the basics?
Getting friends and family on email is a hurdle I've basically crossed. Now I'd like to do the same with email encryption. [ In fact, I may write such a "newbie encryption" document myself, but may as well check to see if something already exists. ]
The Right Thing (tm) to do would be to have the mail client check the first time it tried to send mail to an address to see if that person had a key (assuming we set everyone up to use the same key-server network). Then automatically encode it and send the message to them. Sure have a checkbox to turn it off, or to only do it to people you explicitly tell it to. But the whole action (including getting the key) should be as invisible as possible to the user.
On the receiving end, when you receive encrypted mail from someone, your program should automatically go out to your HD (ask for password of course) and run GPG/PGP on it and show it to you unencrypted. Maybe just putting an encrypted icon in the status bar or wherever to tell you the mail was encrypted.
I'm waiting for this kind of functionality in a mail client personally. I think this would be a reasonable drop in replacement for regular email. I know I would use it, maybe someone could add this as a plugin or something to mozilla mail.
Well, it still has a few HURDles to pass.
I see that GPG runs under the Free Software Foundation's distribution of Linux, alternately called "Debian" or "GNU/Linux". Does it also support other Linux distributions?
-russ
Don't piss off The Angry Economist
An easy description of what encryption and signing (don't forget signing, its an important concept) do can be provided by offering analogies to postal mail and signing of contracts.
However... the actual how and why of encryption and signing is not something that will easily fit into someone's head. The basic problem is that while its obvious to the lay person exactly how an envolope protects their letters from casual examination, understanding how encryption protects their documents either requires that they take some things on faith or that they understand the math. There is no physicality to the protection, nothing that can be seen, touched or obviously understood.
You can go a certain distance with the postulate that "some mathmatical functions are easier to do in one direction than the other" and from that get the basics of cryptography, both signing and encryption, but again, the layperson has to either understand why the postulate is true, or take it on faith. Even so, the simplest explanations leave out a lot of important details (leaving the explainee not knowing how to distinguish between good crypto and bad crypto, and thus giving them more stuff to take on faith). One of the most concise set of basics is in Schneier's E-Mail Security which goes over the juicy bits in chapters 1-5.
Jherico
What can the average user can do to ensure his security? "Nothing, you're screwed"
The GNU Project, based in Boston, Massachusetts, was launched in 1984 to develop a free Unix-like operating system, called GNU/Linux.
Oh well, they got it half right.
George
XFMail has support for it now (well, a recent version, and everything should be current soon). Please consult http://xfmail.slappy.org for more info. :)
"Hope for the best, but prepare for the worst."
Exporting a crypto-enabling API without the strong crypto is just as illegal as exporting the strong crypto itself. Therefore what we need now is a mailer developed outside the US. I can envision a flood of other crypto-enabled software that US programmers won't be able to develop in the States because of the export regulations.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
We don't because the US Government raises the spectre of "Criminals, terrorists and pedophiles" (Oh my!) Well that's just fine, until you start to wonder, who decides what makes a criminal? In China I could be arrested for sending a mail talking about how my wife was forced to be sterilized after our first child. Suspecting that everyone is a criminal and reading their mail to make sure they're being good little citizens may make sense if you're Chinese, it should never make sense here. In a decade or two, this very message might be considered "subversive" by the US Government and I might be visited in the middle of the night and shot in the back of the head because I don't follow the sheep-like inclinations of 90% of the public.
We should be demanding severe reforms in the privacy and cryptography arena. We should also be letting candidates know that we consider this to be a vital issue, one which will gain our lose our votes in the next election. We should not be tolerating the current status quo. We should never let it be assumed that a person is guilty until proven innocent.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Won't.. Linux.. be pissed? Pardon, but I seem to be a bit confused. Of course, while it is true that it would be a more technically accurate assertation to make if one said that the Free Software Foundation was based in Boston, Massacusetts than the GNU Project (although the two are practically synonymous, there are a few key differences).. or perhaps that the GNU Project was launched to accomplish a number of goals, of which releasing a free operating system was only the first. Of course, anyone who was interested could easily pick up all of this information at the GNU Project's Web site. But then, the media never has been known for doing their research, eh? I once read an article in a local newspaper that talking about Web design and mentioned HTML as being a programming language.
Other than that, the statement remarked upon by the original poster is mostly accurate. After all, the OS that the GNU Project eventually came up with was called GNU/Linux. Many people (mostly the media and the people who believe them) think that when one says "Linux kernel" that what is really meant by that statement is "the kernel for Linux" when the truth of the matter is that Linux is the name of the kernel used in the GNU OS. Therefore, as Richard Stallman states (and the Debian distribution respects), it is more appropriately referred to as GNU/Linux. Richard wants to have another GNU OS using Hurd as the kernel, but there's not too much development in that area from what I know.
I guess what originally drew me to comment on this post was simply.. how can a kernel for an OS get pissed off at anything? I would love to see posts that are a little more specific. Vague comments without a lot of backing tend to be.. well, vague. Not to mention annoying.
By the way, no, I'm not trying to detract from the work of Linus Torvalds. His is just as important as many (well, more than most, actually), although Richard Stallman is rarely given the credit he truly deserves.
~ Kish
Pardon this excessively opinionated foray further in the realms of off-topic discussion, but.. Well, let me try to get this straight.. What is the perfect example of the Internet community proving it's world wide (well, beside the fact that the World Wide Web isn't just a funny misnomer), GPG or snubbing your nose at America? Personally, I think snubbing your nose at a pair of continents (which are actually north and south, rather than one single land mass.. sort of) is really silly, but hey.
I'm pretty sure the original poster meant the United States government, but then again, I'm also pretty sure that they're rather confused and have no idea what they are talking about. At any rate, this sure is some serious flamebait. Don't get me wrong, even though I'm a United States citizen I have a number of issues with my country's government, and don't believe us or our country is necessarily all that better than those of other parts of the world. However, I can't agree with the idea that a community can prove itself as being world wide (which seems to me to mean that it excludes no one) by excluding a certain group (namely the United States).
National boundaries mean a lot. More than the original poster can apparently imagine. A lot of us would love to live in a better world, but being a practical realist as well as a dreamer, I can certainly attest to the fact that ignoring cold, harsh reality is quite bad for your health. Besides, the United States stands for freedom. There are a few corruptive influences in our country, but it is that way with any society. I don't like those elements of our society, but unless you can claim yours to be perfect, I don't think that you have room to talk. There are certainly much worse places in the world to live. I like what the United States as a whole stands for. And apparently a number of its opponents don't care for them as much as I do. Such as the idea that you should cast off the yolks of oppression and ignorance? Silly me.
~ Kish
How about an open-source keyserver project. Make the code needed to take advantage of the keyserver available to everyone and hopefully we would have a bunch of encryption/keyserver-ready mail programs in no time. Keys should be associated primarly with email-addresses and everyone could register their own keys, with email confirmation to that specific email-address of course. This could really boost the use of encryption.
An ideal model would be that when i have say pine and pgpg installed in my system, pine would automatically offer the option of encrypting the message(autodetect the presence of an encryption program). Signing the message with my own private key would of course also be automatic. When you receive an encrypted message, your mail reader would automatically attempt to decrypt it with your private key.
Of course there are some securite implications involved with automating the use of encryption keys but as long as your account/files aren't compromised these shouldn't really be a problem.
Sure. Some of what I'll say is kinda pulled from what I read in a PGP release many moons ago.
You don't write letters to people on postcards, do you? No. Why? Anyone can read what's on the postcard. If you want to write a private letter to someone, you write it on a piece of paper and put it in an envelope. You may even use a security envelope so you can't see what's inside the envelope.
Encryption is (in one sense) the envelope. It makes sure that no casual reader can see what the contents are. It may be credit card information, or it may be happy birthday wishes. It doesn't matter.
Encryption (as PGP/GPG uses) also provides authentication. It makes sure that when you get a letter from a friend, it really came from them and not someone who happened to break into Hotmail and fake e-mail.
Side note: Hrm. This could be a good way at advertising GPG (Hotmail cracked again? Don't worry, GPG keeps you safe!)
-Mark
Look on the GnuPG web page. There are links to a number of mail clients with some level of support.
Personally, I prefer mutt.
First off, you're parroting what the original poster said, i.e. that a big enough beowulf cluster can break the encryption, but moving it further offtopic by saying a big enough cluster can do anything.
Second, you're dead wrong. Cryptography is based on functions that are easier to do in one direction than the other. Easier by many many orders of magnitude. That means that a computer will always be encrypt a message to such a degree that were all the matter in the entire solar system turned into a huge cluster of computers, it would not be able to break the encryption with a brute force attack. You're home computer can do this RIGHT NOW. So while beowulf clusters are neat and all, don't ascribe magical powers to them. Its a sign of linux zealotry and that's just as bad as any other kind (*cough* M$ zealotry *cough*).
Note that I did however only talk about brute force attacks. There is always the chance that a new algorithm or new kind of technology (read quantum computing) will be found that will render a cryptography function as easy in one direction as in the other.
Jherico
Jherico
What can the average user can do to ensure his security? "Nothing, you're screwed"
It is a great thing that the mainstream media is embracing GNU projects, but I thing that forcing them (the errant journalists) to read a breif 'GNU/FSF/Linux primer' before publication would be a good idea.
A note to Stallman: Take a Valium, wash it down with a few shots of Absolut, (not too much now, we don't need you dead) and sleep off the rage of the HURDs virtual media invisibility.
Linux was below the radar screens for years, and is now up in a big way. HURD may well be the next Linux..
A thought before I go.. We should embrace GPG, for not only is is a good bit of code, but it may well be our best way of fighting the current stupid encryption laws. By making sure everyone, everywhere can get their hands on it, it nullifies the need for such a law, and I hope the US government realizes this..
.sig: Now legally binding!
What's need now is an easy way for end users to use encryption in everyday life. SSH is an easy replacement for telnet and ftp (scp, that is)... GNUpg is a wonderful program, but integration into Mail clients and the the like is very important to help people actually use it...
I'd encrypt / sign all my mail if it were easier... I guess I'm way too lazy to type a message, run it through GNUpg, then replace the text in the email all by hand... I've seen some decent apps for Win32 that do nice things (e.g. adding a right click option on text to do PGP encryption / signing)...
I'd love to see more encryption being used... I know a few Linux mail clients "plan" to have support for GNUpg, but none that I know of right now do and offer enough features to be worth using....
The legislature is fully aware of the effect of their policy. They don't WANT American crypto companies to be competitive. Strong American crypto companies lead to more Americans using crypto.
As long as Americans don't bother using crypto the legislature doesn't have to take unpopular steps to control it. So they stifle the companies who make and promote crypto products and the issue comes to the public's attention as little as possible.
/* The beatings will continue until morale improves. */
God knows the legislature doesn't act on real issues, but if we can make this a PR issue, then things might actually change.
-- $SIGNATURE
Given that GnuPG is open source, which means it will be peer-reviewed with eyeballs from all over the world, I wonder what would happen to its export status if the maintainers received and applied even one bug fix or ehancement derived from a USofA based reviewer/user.
This is a perfect example of GNU and the open source community. We provide free alternatives to commercial products that are available, and as an added bonus, it has no export restrictions! Why is it that free software written by hackers in their basements almost always better than something you would pay for? It all comes down to money... people are rushed to release their programs, and try to patch it together from others' code to try and save time. Corporate giants (primarily Microsoft) have taken the art out of programming. Computer programming is indeed an art, not a money-making scheme.
Let's keep it that way.
USA is hitting its own software companies with this regulations. This is good for everybody else, but it will cost the USA a LOT.
Very soon, US companies will start feeling the pressure from all over the place. For one thing, a german company (SuSe) can (and does) put things like PGP, ssh & co. in its distribution, which an US-based company (redhat, Caldera) can not and does not.
Now, adding ssh is just a matter of downloading the srpm package, compiling it and doing an RPM -i, but... Try adding ssh-agent imediately after login for all of your users in a consistent way and you will find out that this task is non-trivial. Then you have to make your PGP (or GPG) work with pine, or whatever you or any of your users use and so on. It is annoying and takes your precious time away.
It is just the same kind of shit as those I used to have with my (german) keyboard not getting properly configured, xdm coming with an completely open configuration file, and simmilar, with ONE major exception - RedHat cannot fix it in the "next version", because it is not even part of the distribution. SuSe can.
By the way, upgrading from RH-5.1 to RH-6.0 has killed my own solution to above mentioned problem of integrationg the ssh-agent in the login-process, so I had to do it again. And I hate repetitious jobs .-).
Do I see a problem for RedHat here?
I'm suprised that people haven't been touting the "free speech" end of GPG as well as the "free beer" when it comes to crypto algorithms. Cryptography that doesn't cost anything is good, but for the truly security-conscious individual i think that we need to stress the fact that he can check the source code for shabby implementations of algorithms (none that i see in GPG) and even blatant backdoors. I've seen people use closed-source crypto products, and I wonder when someone is going to discover a backdoor that was put there by some government. Price and politics are good, but security should be the selling point of GPG.
Andrew G. Feinberg
On the other end, you find people who distrust anything, so give up on encryption altogether. Their logic is, since "hackers" (their term, not mine! Lay off the stones!) can get into anything, there's no point in using convoluted methods to protect their information. That's the same kind of people who refused to use automatic tellers for years because no human being was handling the money.
What's important to put into the public's mind is some of the following points:
Encryption is the practice by which you make it impossible for anyone but the right people to read a message of any kind, be it a credit card number or an email message.
Cryptography is important for everyone, not just spies of military generals. Just because an information is not dangerous to you or someone else if it is revealed doesn't mean it's not private. Do you want love messages between you and your boyfriend/girlfriend/wife/husband to be read by anyone?
It's easy to apply good cryptography to almost anything, unless the nature of your data is highly secret (and we're not talking surprise party plans.) All it takes is a little extra "effort", and you can have secure messages.
No, the Government won't start spying on you because you're using encryption. Many people do it, and they're not terrorists or Russian spies.
Don't trust any company who says they use encrytion. There are two types of encryption: encryption that requires minimal effort to unravel (like tearing open an enveloppe) or encryption that requires some time and good cracking skills (like cracking a safe). If you want good encryption, look for second opinions on the Web, or from cryptography-savvy friends or colleagues.
Good encryption exists nowadays, and some encryption standards make it unlikely that your data will be exposed unless a lot of money and effort is put into it. Be wary of systems that claim they are unbreakable, but don't think your data is automatically vulnerable to any 13 year-old hacker with a modem. Yes, your data can be protected by cryptography.
Good security also means good practice. Your data will not be safe if you use simple passwords, like the name of your dog or your birthdate. Try using unpredictable passwords when you need to. If possible, use numbers and mixed case when choosing your passwords. NEVER use your name.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."