Protect your Email Privacy

galt

New member
I just finished installing the latest version of PGP (Pretty Good Privacy). EXTREMELY simple. This is a free program that allows you to send encrypted email to other people running the program. It is the most used encryption technology on the net, and is extremely resistant to hacking. I suppose that the NSA MIGHT be able to read your email with some effort but no one else can, probably including the FBI's new email monitoring program. I think we should all use encryption just to keep the government from being too nosy. After all, you seal your snail mail, don't you?

It installs VERY easily (about five minutes), and will recognize and attach itself to your email client. If you think this would be fun to install, you can check it out and download it for free at: http://web.mit.edu/network/pgp.html

If you have any questions about how to install or use it, I would be delighted to help you. Email me or post questions here.

During installation:

Just take the defaults if you are not sure of the answer to a question. For key size, 2048 is the suggested size. When it asks if you want to register your key with the central server, the answer is YES.

Also, a note about passphrases:

It will ask you to set up a passphrase. This will be typed a LOT for encrypting and signing any PGP email. Pick something not too complex, but not so simple it could be easily guessed. Do not use a single word, but a phrase of some sort, with punctuation in it to make cracking it harder. The passphrase is NOT the actual key used, it is just used to access the key (complicated to explain). It should be VERY easy for you to remember, and very hard for anyone else to guess.

Some sample passphrases

ilovebananas$$ (silly, note special characters)
MyFleaHasDogs. (note capitals and period at end)
My Birthday is July 13th. (spaces allowed, note period at end)
I luv my Glock!!! (intentionally mis-spelled words are good, 3 exclamation points)

Once you start using it, you will probably want your friends to get on board too. You may use this system for decades, so pick a good passphrase you can remember. You can change it later too, so it's not worth agonizing over. But try to pick a good one you can remember.



------------------
galt
Speak Out on the Net http://www.netcitizen.org
 
Just to keep with the paranoia theme... you're sure selling this awfully hard! Anything we should know? ;)
 
quote: Originally posted by JJR:
Just to keep with the paranoia theme... you're sure selling this awfully hard! Anything we should know? ;)

Sure. There is a lot you should know. Read the web site referenced, and follow links from there to your heart's content. Knowledge is Power. Of special interest to you are the links about Phil Zimmerman and his statement about cryptographic integrity of the product.


------------------
galt
Speak Out on the Net http://www.netcitizen.org

[This message has been edited by galt (edited September 22, 2000).]
 
Nothing paranoid about it. You don't send personal mail via the postal service without placing it in an envelope first, why is E-mail any different? PGP is just a better envelope that can only be read and verified by the intended recipient. I use PGP and like it a lot.
 
Art, if they don't use PGP, you can't send them messages that are encrypted. If they don't have a computer, you can't send them email either. Actually, there is a way to do it with the commercial PGP product, but it is not terribly secure against crackers.

Donny,
What is your point? None of these proposals went anywhere, and PGP is much more secure than any other commercial technology out there, due to its international nature and public source code. Read the links on the MIT page about Phil Zimmerman and his comments about the security of PGP for more details.

Spreading fear about using PGP is counter-productive. It is like saying you will never buy a gun because someday the government might require you to give them up. No encryption is perfect forever, and someday PGP will be cracked. It is a question of computer power and time. Using a 2000 bit key, a single message could be cracked today in a couple of decades using a supercomputer array. The question is how hard it is to do and who has the technology to do it.

------------------
galt
Speak Out on the Net http://www.netcitizen.org
 
I use PGP, for my part. As I said - discussing anything sensitive should only be done encrypted or from face to face. Think about it.

And yes, my keys are on certserver.pgp.com - just download and start to mail. ;)
 
PGP is still the best product on the market today. However, like Britain, the US govt. is in the process of moving towards the requirement that all personal keys be escrowed by the govt. This is a no-no, and I would never comply...I would quit using anything that the govt. could compromise. Having said this, PGP has one fault, although this is not truly an encryption fault. When you send someone an email with PGP, neither your email address nor the person's that you are sending to is hidden, therefore allowing the govt. to at least see that you are communicating with someone whom they may wish for you not to. The way around this is to create a VPN, although this cannot be done by the vast majority of users who are ignorant to the technology requirements.

PGP is viable for some time, but, like all things, will be replaced sooner or later by something better, so for now it is safe until the blighters try and force your keys from you or snoop on who you are emailing.
 
quote: Originally posted by internetfish:
Having said this, PGP has one fault, although this is not truly an encryption fault. When you send someone an email with PGP, neither your email address nor the person's that you are sending to is hidden, therefore allowing the govt. to at least see that you are communicating with someone whom they may wish for you not to. The way around this is to create a VPN, although this cannot be done by the vast majority of users who are ignorant to the technology requirements.


Not sure what VPN means. Virtual Private Network? A simpler choice is to use anonymous remailers if you are worried about traffic analysis.

As to key escrow, I am unclear how they could really enforce this with a program like PGP that has public source code available. When a key escrow law passes, I will be there to support the first person arrested for refusing.


------------------
galt
Speak Out on the Net http://www.netcitizen.org
 
This seems to be a very good program, but I have had my problems with it.
I used it for about 4 days then it had problems, and I never could get it to download right again. Never tried from that site; I will try again.
I use a different high bit encryption right now; it's taken from a military DOD encryption or so they say, don't remember who wrote it ;) or at least that's what I say.
Why do they need to know what I run so they can get something to break it?

Besides, if you need encryption for it, it's better said face to face or through messages run by other people you know well and trust.
But that's just IMHO.

[This message has been edited by guerilla1138 (edited September 24, 2000).]
 
quote: Originally posted by guerilla1138:
I use a different high bit encryption right now; it's taken from a military DOD encryption or so they say, don't remember who wrote it ;) or at least that's what I say.
Why do they need to know what I run so they can get something to break it?

Besides, if you need encryption for it, it's better said face to face or through messages run by other people you know well and trust.
But that's just IMHO.

There is no doubt that total security can only be done face to face, with appropriate precautions for listening technologies. But privacy and freedom are not just theoretical concepts. If you do not protect them, you lose them. It has little to do with the 100% secure vs. 99.999% secure debate.

My limited knowledge is gonna guess that your military-based encryption is some "dumbed down" version of DES. This is notably insecure and easily cracked on a PC.

One of the nice things about PGP is the way it was developed. The program and all the algorithms are in the public domain. Many many smart people have tried to attack it without success, even knowing exactly how the program works. In fact, this open knowledge was a key factor in developing PGP, as weaknesses were uncovered in early versions and then improved. This is different from older-style encryption that relies on secrecy of HOW the encryption is done. It does not matter if everyone knows you are using PGP versus some other method, because the level of security offered is so high that the knowledge is meaningless to cracking the encryption.

Also, PGP is so easily used that it can be used for all communications if you get your friends installed. Part of your security is in having ALL messages encrypted, so the important ones do not stand out.

For me, I just don't like the concept of the FBI reading all my email anymore than I like the concept of the feds telling me what guns I can own. When it comes down to it, communication is probably a more important component of freedom than bullets. Ask any dictator why they control the radio and TV.

I don't understand why EVERYONE does not use this system.
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gotta speak up here. I've given it some thought and have decided
it's time to start signing my messages as a show of support for PGP
and related technologies.

A couple of replies:

quote: Galt, a question: If the recipient does not use PGP, then
what?

Then the system doesn't work as nicely.

"Conventional" encryption works like this: I encrypt a message to you
using a passphrase, then I send the message. To decrypt the message,
you need to know the passphrase. This means that we need to arrange
for a secure way to deliver the passphrase, and that can be
difficult.

PGP (and clones like GPG) use public key encryption to get around
this: everyone has 2 keys, and anything encrypted to one of the keys
can only be decrypted by the matching key. This means that you can
go to one of the public key servers on the net and download the
public key matching 0xD7C073AB (my ID). Anything you encrypt to that
key can *only* be decrypted by my private key. Even better -- I can
sign a document/file/whatever by some hand-waving that essentially
boils down to encrypting with my private key, and anyone can verify
that I actually signed it by downloading my public key and checking
the signature.

So, if someone doesn't care to download PGP, then they're missing out
on these aspects of it. If I wanted to e-mail you something
personal, I could use PGP to create a self-extracting executable, but
then we're back to the problem of how to transfer the passphrase in
the first place.

quote: I suppose that the NSA MIGHT be able to read your email with
some effort but no one else can, probably including the FBI's new
email monitoring program.

The numbers are pretty amazing. Assuming there's no super-duper
shortcut to factoring large numbers that no-one knows about except
the NSA, *and* that you can choose a strong passphrase, it goes
something like this:

If all of the computers in the world were used *exclusively* to try
and break your public key, the time required to break it (search half
of the keyspace) exceeds the age of the known universe.

quote: When you send someone an email with PGP, neither your email
address nor the person's that you are sending to is hidden, therefore
allowing the govt. to at least see that you are communicating with
someone whom they may wish for you not to.

Yep. Traffic analysis is a powerful tool, and encryption can't cover
up the "to:" and "from:" lines if you want your e-mail to get
through. There are solutions to this, though.

One is to use anonymous remailers. It's something of a complex
process, but in effect it looks something like this:
1) Send a message to remailer A, encrypted in such a way that only
remailer A can read it.
2) Remailer A decrypts the message, waits a random amount of time,
and sends the decrypted message to its recipient.

Better than direct e-mail, but still not perfect. So you can "chain"
the remailers, so that step 3 above would be to send the next
encrypted packet to remailer B, which goes through the process again
and sends to remailer C (or A), and so on. I've chained messages
through 26 remailers for fun before, and I'd like to believe that
this is an effective way to cause headaches for those trying to
perform traffic analysis.

Or, we could have the remailer send our message to a News gateway and
post our messages to alt.anonymous, or alt.binaries.test or whatever.

quote: Besides, if you need encryption for it, it's better said face to
face or through messages run by other people you know well and
trust.

Art and I met once. If we'd wanted to, we could have exchanged PGP
keys in person, or (even better) signed each other's keys, which is a
way of vouching for the validity of another's key (if you know Art
and trust him to introduce other people's keys, then you could trust
that mine was valid).

If we had something to say now though, and we wanted to keep the
conversation private, then encrypted e-mail is a much better solution
than an in-person meeting. Especially since we live in different
states.

Imagine you're politically active, and your group is trying to make
plans that you *really* don't want your political opponents to know
about (especially if they're *very* powerful). Easy solution:
encrypt your messages so that only the members of your group can read
them. Doesn't solve the problem of moles, but it's better than
living in a world where Carnivore sees-all and knows-all.

I'm done -- sorry for the length. FYI, I'm happy to help out with
PGP and/or privacy related questions. Hell -- I used to run a BBS
dedicated to these issues, and I've just accepted a moderator
position on another forum devoted to privacy...


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOc7NzY81YgLXwHOrEQIptwCfakm8OeZTIH+fs8gmJu8LhXzvk9UAoIoE
cnOAE/wbEv3p5NMWYWd4BHj+
=N88Q
-----END PGP SIGNATURE-----
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oops. Using UBB code kind of screws things up, making it hard to
verify. Guess I should stop for now. <g>


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOc7PPY81YgLXwHOrEQLbhgCeJf4jV8E9d8DTHgVPPZJmoN2sqF4AoPP0
AaxqQod7NlZp0bViLmyVngRr
=o5t4
-----END PGP SIGNATURE-----


------------------
I stand before Almighty God and I'll say what I have said for years. I will never again soil my responsibility as a voter by voting again for a candidate who turns their back on the fundamental principle of justice by which this nation's freedom lives or dies. --Alan Keyes, 2/2/2000
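As an added illustration of the chained-remailer scheme described in the post above (this is example code, not from the post or from any remailer software): each layer is encrypted so that only one hop can open it, and each hop learns nothing beyond where to forward next. The remailer names A, B and C, their keys, the recipient address and the toy cipher are all assumptions; real remailers encrypt each layer with PGP to the hop's public key.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated stream cipher (SHA-256 keystream + HMAC tag). It stands in
# for "encrypt this layer to remailer X's public key": only X's key opens it.
def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key + nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer was not encrypted to this remailer")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + nonce, len(ct))))

# Hypothetical remailers A, B and C, each holding its own long-term key.
REMAILER_KEYS = {name: os.urandom(32) for name in "ABC"}

def build_chain(path, recipient, message):
    """Sender side: wrap from the inside out, so the outermost layer is path[0]'s."""
    packet = {"to": recipient, "body": message}
    for hop in reversed(path):
        sealed = seal(REMAILER_KEYS[hop], json.dumps(packet).encode())
        packet = {"to": hop, "blob": sealed.hex()}
    return packet

def run_chain(packet, observations):
    """Each hop strips its own layer (a real remailer also holds the message for
    a random delay before forwarding) and learns only the next destination."""
    while "body" not in packet:
        hop = packet["to"]
        packet = json.loads(unseal(REMAILER_KEYS[hop], bytes.fromhex(packet["blob"])))
        observations.append((hop, packet["to"]))
    return packet

if __name__ == "__main__":
    seen = []  # constructed sample: a three-hop chain to a made-up recipient
    final = run_chain(build_chain(["A", "B", "C"], "bob@example.org", "meet at noon"), seen)
    print(final["to"], final["body"], seen)
```

Note that the first hop still sees the sender's address on the wire and the last hop sees the recipient's; chaining only keeps any single remailer from seeing both.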
 
Adding a PGP signature adds a lot of data to each thread. And if your key is not registered with the keyservers, signing it does no good anyway.

What I have done is updated my profile here to show that I am a PGP user. Since my address has a registered PGP key, people who have PGP are encouraged to use it if they email me.
 
I use PGP more for encrypting directories and files on my PC and for securely deleting files and occasionally wiping the free space. Though I've skimmed through the documentation, I never quite picked up what PGP does when one securely deletes a file or wipes the free space. Could one of you PGP-familiar folks explain this to me?
 
When you delete a file, the operating system only removes the directory header. The file data remains behind for an indeterminate amount of time. Some programs (like Norton Utilities) can recover this data. Additionally, certain spy techniques can recover data even if it has been overwritten.

PGP writes over the deleted data spaces multiple times with random information, totally removing any chance of someone being able to read your drive even with extreme data recovery techniques.
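An added example of the multi-pass overwrite the post describes, written here in plain Python rather than taken from PGP: it rewrites the file's blocks with random data several times, syncs each pass to disk, and only then removes the directory entry. It assumes a filesystem that overwrites blocks in place; on journaling or copy-on-write filesystems, and on SSDs with wear levelling, old copies of the data can survive an in-place overwrite.

```python
import os

def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite the file's data with random bytes `passes` times, then unlink.
    Returns the number of bytes overwritten in each pass.

    Assumption (see lead-in): the filesystem rewrites the same blocks in place.
    Journaling/copy-on-write filesystems and SSD wear levelling can keep copies
    that this overwrite never touches."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(65536, remaining))
                remaining -= fh.write(chunk)  # raw write may be partial; loop until done
            os.fsync(fh.fileno())  # push this pass to disk before starting the next
    os.remove(path)  # only now drop the directory entry
    return size

def make_sample_file(directory: str) -> str:
    """Constructed sample input: a small file whose content we want gone."""
    path = os.path.join(directory, "sample.txt")
    with open(path, "wb") as fh:
        fh.write(b"private notes " * 1000)
    return path
```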
 