Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Safeguarding Data From Big Brother Sven?

timothy posted more than 6 years ago | from the dear-diary-sven-keeps-reading-my-diary dept.

Encryption 345

An anonymous reader writes "Now that the Swedish government (in its infinite wisdom) has passed a law allowing them to monitor email traffic, a question that I think a lot of people are asking (or at least should be asking) is: 'What can I do to improve my privacy?' The answer is not obvious. So, what are the best solutions for seamless email encryption, search privacy, etc? What are your experiences with PGP vs GPG vs ...? In this day and age, why is the use of this type of privacy technologies still so limited? Why isn't there a larger movement promoting the use of privacy tools? Also, what is in your opinion the largest privacy concern? Search tracking? Email transfer? I believe this is an interesting question not only for Swedes, but for everyone. Lots of traffic is passing through Sweden, but more importantly, the Swedish government is not alone in using this type of surveillance."Reader j1976 writes with a related question: "For most users with email addresses within large organizations, implementing their own email encryption scheme is not feasible, partly because of the technological aspects, but also since users in organizations often do not have administrative access to their workstations. What can an organization do, centrally, to lift the burden of encryption from the users? Are there any transparent schemes for email encryption which could be installed for the organization as a whole?"

cancel ×

345 comments

Someone please remind me... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23862149)

...why sweden matters other than that torvalts character?

Re:Someone please remind me... (4, Insightful)

Anonymous Coward | more than 6 years ago | (#23862259)

Because no matter what country you live in some of your Internet traffic is likely to pass through Sweden. They snoop and tell your government about your stash of __________ (insert your own illegal/grey market goods etc. here). Wala - your government has "proof" you are engaged in illegal activity and busts down your door. Moreover, you apparently haven't been watching the news regarding the change in behavior people exhibit when they know/think they are being watched.

Re:Someone please remind me... (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#23862389)

Wala? It's "voila" you uncultured idiot

Re:Someone please remind me... (2, Funny)

SBacks (1286786) | more than 6 years ago | (#23862457)

I'm an uncultured idiot, you insensitive clod!

Re:Someone please remind me... (1)

sm62704 (957197) | more than 6 years ago | (#23863043)

Wala? It's "voila" you uncultured idiot

It is? [dsokids.com] Wow, learn something new every day. Am I cultured now, or do I need more yeast?

Re:Someone please remind me... (4, Interesting)

sm62704 (957197) | more than 6 years ago | (#23862939)

They snoop and tell your government about your stash of _blackjack-playing, postmoking hookers_ (I'm in the US). Wala - your government has "proof" you are engaged in illegal activity and busts down your door.

Although I agree with your comment, just putting in an email, slashdot comment, or even one of my journals can't get the FBI and DEA and whatever anti-prostitution agency to break down my door. Otherwise it seems they already would have, as although I'm no gambler, my slashdot journals often feature potsmoking and hookers. Maybe I should add some blackjack.

However, adultery is NOT against the law. Do you want your wife to find the email you sent to your girlfriend because Sweden seems to be as anti-freedom as America?

(OT but related; why is it legal for me to fuck my congressman's wife, but illegal for me to pay her for it?)

Re:Someone please remind me... (3, Informative)

AltGrendel (175092) | more than 6 years ago | (#23862279)

Ummm.....

Linus is from Finland,/a>. [wikipedia.org]

Re:Someone please remind me... (3, Informative)

Kozar_The_Malignant (738483) | more than 6 years ago | (#23862627)

Linus is from Finland,/a>. [wikipedia.org]

True, but from the Swedish speaking minority of Finns.

The internet is boundless. (1)

twitter (104583) | more than 6 years ago | (#23862309)

It's as easy to spy on you from Sweden as it is from your front porch.

Re:Someone please remind me... (0)

Anonymous Coward | more than 6 years ago | (#23862687)

...why sweden matters other than that torvalts character?
My bum is on the Sweedish!

Re:Someone please remind me... (0)

Anonymous Coward | more than 6 years ago | (#23862809)

Thank you. You just made me laugh.

The bum is all alone.

Here is what you do (0)

Anonymous Coward | more than 6 years ago | (#23862177)

Stop using email. There are already 17 reasons for that.

Re:Here is what you do (0, Offtopic)

Hyppy (74366) | more than 6 years ago | (#23862369)

Am I missing something? What significance does the number 17 hold?

Re:Here is what you do (3, Interesting)

querist (97166) | more than 6 years ago | (#23862607)

It is an unhappy prime [wikipedia.org] .

Re:17 Reasons... (0)

Anonymous Coward | more than 6 years ago | (#23862791)

Apparently the AC forgot that some non-San Franciscans read /. Check "17 Reasons Because" [ourchart.com] for the backstory.

Re:17 Reasons... (1)

Theoboley (1226542) | more than 6 years ago | (#23863143)

How to Speak San Franciscan - *Tears down pants* VAJOINA!!!

What about PirateBay/Relakks? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23862203)

I wonder how this affects people using Relakks. If the US intelligence agencies will get access to the data, it wont be long until the MPAA/RIAA get access to it also.

Secure tunnels (5, Interesting)

Gandalf_the_Beardy (894476) | more than 6 years ago | (#23862207)

Many of the financial service companies I contracted for have only been sending sensitive mail to maybe a half dozen clients. It's reasonably easy if the two IT departments get together to establish secure tunnels at the organisation level for transferring mail between them. Doesn't protect the mail outside these of course but it's a reasonably quick solution and effective if enforced with policies within the workgroup about what is and isn't permissible in an email. Requires no extra software and is easy to set up and manage.

Extra software? (1)

deadzero (1306187) | more than 6 years ago | (#23862383)

Why is it that avoiding "extra software" generally means leaving Windows in place? Windows and the non free software way are the main reasons privacy protecting software is not more widespread.

Re:Extra software? (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23862427)

Windows and the non free software way are the main reasons privacy protecting software is not more widespread.
What? That's just bullshit. Go troll your FUD somewhere else.

Re:Extra software? (2, Informative)

Gandalf_the_Beardy (894476) | more than 6 years ago | (#23862451)

I'm not sure that follows. In all the cases I recall the outgoing mail servers were running Exchange or Sendmail (with one looking at migrating to Exim). There are bolt on packages for all three that do encrpytion serverside if you want to go to the trouble and the expense in money and support time. The reason they didn't move in at least one case was that the servers couldn't easily cope with a large increase in the processing load to encrypt the messages.

Re:Extra software? (3, Informative)

rwxrwx (1310115) | more than 6 years ago | (#23862667)

I agree , although for most windows users if you want (free) privacy you have to install X number of programs for gpg e.g. I think for the common user this is to much of not only a hassle but a technical burden gpg for example.

1.Install gpg4win
2. Thunderbird (or equivilent free email client)
3.) Extensions for email ( case Thunderbird)
4.) make keys
5.) configure programs, get other users pub key etc etc.

This is to much for normal Joe by step 3 or 4 the normal Joe has given up.
If this would be automised or somehow integrated into a email client , I think we would see email encryption more widely used. Although through the automation process problems can arise, security hole here , and their, because all these process's have to be linked automated etc. etc

Whereas with a nix distro, most users are tech orientated, after adding the correct repos or (with some distros these things are even default installed gpg for e.g.) then the only thing left is to configure, which really is pretty painless to the tech user who knows what hes doing in the first place.

Re:Extra software? (0)

Anonymous Coward | more than 6 years ago | (#23863155)

security hole here , and their, because
there
There, spelled like here (ere), indicates location.
Their, Possessive.
The're, contraction of they are.

GET IT RIGHT!

Re:Extra software? (1)

dedazo (737510) | more than 6 years ago | (#23862963)

I don't see what this has to do with Windows or "non-free". The solutions the GP is talking about are server-side, which means that as far as the desktop is concerned, nothing has changed.

If you want software to do the same in Windows, it is available for free as well.

Re:Secure tunnels (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23862401)

help!i have virii on my lunix boxen!!

Re:Secure tunnels (1)

networkconsultant (1224452) | more than 6 years ago | (#23862909)

Options include:
S/MIME, PGP, GPG, VPN's are good too, my personal preference is using hardware accelerated encrypted disconnected networks.
General Dynamics makes a nice product for this:
Taclane [gdc4s.com] They are not cheap but they secure the world.

Re:Secure tunnels (1)

Kingston (1256054) | more than 6 years ago | (#23863041)

It's reasonably easy if the two IT departments get together to establish secure tunnels at the organisation level for transferring mail between them
Wow, I really admire your efforts, it sounds like something from "The great escape". Most people are much lazier than you and would just send email through some sort of vpn, good on you though, happy digging !

SMTP over SSL (4, Interesting)

Skapare (16644) | more than 6 years ago | (#23862215)

One of the things we need to add is SMTP over SSL. It won't prevent all snooping, but at least between 2 people that trust each other, no snooping happens on the path between.

Re:SMTP over SSL (5, Informative)

Z00L00K (682162) | more than 6 years ago | (#23862659)

That part is actually relatively easy - and you have to remember to also implement IMAPS and POP3S - and close the IMAP and POP3 services.

I have already implemented SMTPS, IMAPS and POP3S a few years ago. And it's actually not really necessary to buy a certificate if you are doing this for a closed group. Just use OpenSSL and generate your own certificate.

To send emails to others both ends have to buy an email certificate, like from Verisign.

And then some of those who voted for this law thought that encryption is very easy to crack - so easy that it doesn't matter if an email is encrypted or not. The problem with cracking encryption is that you first have to figure out which one it is - and the history is full of encryption techniques.

So in the end - this law will be a good promotor for encryption more than anything else and the monitors can continue to search with Google and not get a bit of useful information from the real criminals and terrorists.

Re:SMTP over SSL (3, Informative)

Albanach (527650) | more than 6 years ago | (#23862919)

Actually you don't need a certificate signed by a CA for SMTP over TLS.

We have used a self signed certificate for years and hundreds of other MTAs connect to us and happily set up a encrypted session to transfer mail.

Of course this has issues, by making it harder for the other end to be sure we are who we say we are, but given the alternative is simply to failover and send unencrypted that's not really a major concern.

This is with Postfix. Do any of the other big MTAs actually look to check the certificate is trusted before sending an encrypted message with default TLS settings?

Re:SMTP over SSL (0)

Anonymous Coward | more than 6 years ago | (#23862945)

You mean two org's not people. Not to be nit picky but just because two email systems trusts each other, there still chances of interception. No silver bullet at this point in time. But in the olden days, you trusted the USPS.

On NPR... (4, Insightful)

Illbay (700081) | more than 6 years ago | (#23862253)

...(Of all places) there was a pretty good segment this morning regarding email encryption, even including a short interview with Phil Zimmerman. What was VERY interesting about it, to me, was the attitudes of the "man / woman in the internet cafe'" interviews they did, and how most people just "didn't care" about privacy issues regarding email. One fellow naively stated "I try to live my life in such a way that no one would have an issue with what I do." In my opinion, though, what YOU or I might consider innocuous might garner unwanted attention from government. As we are headed seemingly toward a more "European" philosophy here in the USA where the government assumes the duties of "personal watchdog" over your "lifestyle," what you eat, what you drink or smoke, what you teach your kids, etc., this would seem to be a foolhardy attitude.

Re:On NPR... (2, Informative)

Paranatural (661514) | more than 6 years ago | (#23862375)

...(Of all places) there was a pretty good segment this morning regarding email encryption, even including a short interview with Phil Zimmerman.
Why the 'of all places' comment? I've actually heard several good and tech-savvy news pieces on NPR.

Re:On NPR... (4, Interesting)

bsDaemon (87307) | more than 6 years ago | (#23862831)

The rest of his comment implies that he tends to the right of center -- an area of the political spectrum where NPR is not exactly loved and any information which backs up their preconceived notions, no matter what the topic is, is viewed as being "out of place."

Of course, I used to be one of those people, too. I started out listening to NPR because I liked classical and jazz music... eventually the news wore on me and I realized that I had been sort of a dick prior. Now I really like NPR news.

Re:On NPR... (1)

InlawBiker (1124825) | more than 6 years ago | (#23862757)

If I have something important to encrypt I encrypt it but otherwise it's not worth the trouble to hide everything just because I can.

Also, on a personal level it evokes an unpleasant "paranoid" feeling that is only slightly more off-putting than feeling like somebody could be reading my email. Maybe I just don't like the thought of Big Brother so I avoid thinking about it, who knows.

So in other words somebody might be reading my email but so what. Of the billions of emails floating around the 'net mine are just as boring as anybody else's.

Now, if I thought the Government were monitoring my email on an ongoing basis as a matter of policy I would encrypt everything just to screw with them. FU Sven and GW!

Re:On NPR... (1)

SputnikPanic (927985) | more than 6 years ago | (#23863103)

I heard this segment as well. The woman they interviewed at the end of the piece was a model of almost willful ignorance. As for the man, he was an example of idealism taken to the nth level of idiocy. I realize that the segment had to do with the possibility of private eavesdropping but you can't talk about privacy very long without entering into the topic of governmental policies and powers -- and it's there where this simple-minded notion of "well I have nothing to hide..." becomes terribly pernicious. What the two who were interviewed don't get is that it's not about them, it's not about what they personally may or may not have to hide. They seemed to have no capacity to think at any level more abstract than their own self, and in that regard, they unfortunately have a lot of company.

Re:On NPR... (1)

urcreepyneighbor (1171755) | more than 6 years ago | (#23863151)

and how most people just "didn't care"
That's why the Clinton administration gave up on it. They realized most people just wouldn't use. Those that would (and are), well, they wouldn't be bothered by any sort of ban. ;) It's like gun control, in a way.

Zimmermann, maybe? (1)

ricebowl (999467) | more than 6 years ago | (#23862275)

In this day and age, why is the use of this type of privacy technologies still so limited? Why isn't there a larger movement promoting the use of privacy tools?

Only terrorists have anything to fear from this! Are you a terrorist?

Yeah, it's turning into an old joke now, but, sadly (and in the words of Homer J.) it's funny 'cause it's true. Sort of (the perception, not the reality).

As for the "why are privacy technologies so limited?" question I think that probably, though not certainly, has something to do with Phil Zimmerman [wikipedia.org] 's experiences [wikipedia.org] ; I'm not sure, but I suspect that the prospect of criminal investigation puts many people off researching privacy technologies.

Sweden's just being honest about it (4, Interesting)

Hektor_Troy (262592) | more than 6 years ago | (#23862277)

I think we're rather naïve if we believe, that Sweden is the only country in the Western world to do this. They're just (one of) the first to be honest about it.

As the submitter points out, you cannot be sure where your data is being sent on the route between you and your recipient. For all you know your "Dear Mom" email might go through Sweden, the US, the UK, Denmark, Russia and China even though you live within 50 km of eachother.

And your Skype call? Well, that's likely to do the same thing with its routing feature.

Your SSL connection isn't any safer from snooping - not sure about MitM attacks, but if you're just listening in, do you really need to be a MitM?

Re:Sweden's just being honest about it (2, Informative)

Hyppy (74366) | more than 6 years ago | (#23862335)

Your SSL connection isn't any safer from snooping - not sure about MitM attacks, but if you're just listening in, do you really need to be a MitM?
Care to explain to me how to reliably intercept SSL communication wholesale without a very sophisticated man in the middle attack?

Re:Sweden's just being honest about it (3, Informative)

11223 (201561) | more than 6 years ago | (#23862437)

It doesn't need to be an especially sophisticated attack if the government's doing it. Most uses of SSL just check that the other side has a properly signed certificate by a trusted authority. No doubt the government can generate trusted certificates at any time.

Re:Sweden's just being honest about it (2, Informative)

Hyppy (74366) | more than 6 years ago | (#23862599)

Well, I know that in order to verify most U.S. DoD SSL certificates you must install the U.S. DoD root certificates locally. Example. [army.mil]

Re:Sweden's just being honest about it (1)

pclminion (145572) | more than 6 years ago | (#23862981)

And how do you acquire these certificates in a secure manner? How do you know the cert you've installed is the real DoD cert? Is it delivered to you in person on a USB key by armed guards?

Re:Sweden's just being honest about it (0)

Anonymous Coward | more than 6 years ago | (#23863059)

No doubt the government can generate trusted certificates at any time.
Now it's a time to stop trusting all certificates, unless PirateBay generates 'em.

Re:Sweden's just being honest about it (1)

Hektor_Troy (262592) | more than 6 years ago | (#23862621)

Well, in the end, you're just sending bits back and forth. If you know that one of the ends of the communication is a person/entity of interest, you just have to copy the communication. Since the bits are running past your equipment, I don't see why you couldn't copy it now, decrypt it later.

Copying it doesn't really require you to be the man in the middle, and it's not like a "please don't copy"-flag would be respected anyway.

Re:Sweden's just being honest about it (2, Interesting)

pipatron (966506) | more than 6 years ago | (#23862709)

How would you decrypt it?

Re:Sweden's just being honest about it (3, Informative)

k1e0x (1040314) | more than 6 years ago | (#23862421)

I've done MitM on SSL as a demonstration before. It would be reasonably hard to do in the real world even by an ISP. It involves generating a cert on the fly and passing it to the client.. today's browsers will warn on that.

I'd be more worried about a super hardware AES cracker that the NSA isn't telling us about.

Re:Sweden's just being honest about it (0)

Anonymous Coward | more than 6 years ago | (#23863013)

As always, it only gets easier [sourceforge.net] .

I remember using that several years ago to as a demonstration. But it wasn't particularly hard to get up and running. I think I spent all of 30 miuntes on it...

Why can't it be simple. (4, Interesting)

k1e0x (1040314) | more than 6 years ago | (#23862285)

I use s/mime and gpg. I have for years.. but I believe this is too much of a hassle for people who can't even figure out Yahoo Mail or tell the difference between Internet Explorer and Firefox.

Some time ago I suggested someone write a thunderbird extension that was a "one click" encryption setup. On clicking "encrypt" it would create a gpg key > send the pub key to a key server > and if it does not have someone elses key it can suggest thunderbird and itself to that person.

I know this is not a good way to do this, but I can't see people using pgp/gpg it any other way.

Re:Why can't it be simple. (0)

mckorr (1274964) | more than 6 years ago | (#23862439)

My question has always been what is to stop the government (or anyone else for that matter) from going to the public key server and getting your key to decrypt your email?

Seems to me, unless I physically hand a copy of my key to the people I email, my public key is unsecure and pgp/gpg is pointless.

Re:Why can't it be simple. (0)

Anonymous Coward | more than 6 years ago | (#23862585)

You really don't understand how PGP or GPG works do you?

Re:Why can't it be simple. (1)

Z34107 (925136) | more than 6 years ago | (#23862689)

My question has always been what is to stop the government (or anyone else for that matter) from going to the public key server and getting your key to decrypt your email?

Because the public key can only encrypt e-mail.

I suggest a Google of "private public key encryption" because my knowledge is fuzzy at best. But, reverse-engineering the private key (the one that can decrypt) from the public one requires factoring big numbers. On a typical machine, this takes until the sun burns out. On an atypical machine, this takes longer than the average lifespan of a human.

OK, just making up numbers. But, only the private key can decrypt, and getting the private key from the public is non-trivial. Especially if you have a few hundred/thousand/million public keys on that server to crack.

Re:Why can't it be simple. (5, Informative)

ahugenerd (1310771) | more than 6 years ago | (#23862721)

You have it backwards. Your public key is used to encrypt messages that are being sent TO you, which you can then only decrypt with your master key. The idea is that you (Alice) would send your message encrypted with Bob's public key to Bob. Since only Bob has his own master key (since it doesn't get posted to the server), then only Bob can decrypt it. Bob would then reply to you by encrypting his message with your public key. And so on.

Re:Why can't it be simple. (4, Informative)

Godji (957148) | more than 6 years ago | (#23862731)

The public key server only holds your public key - the one that was meant for anyone to see. Your private key, which is the only one that can be used to decrypt messages addressed to you, stays with you. Nobody other than the parties involved in the communication ever holds one or the other's private keys.

The "public" in "public key server" means BOTH that the key server is public AND that it is a server for public keys. The most anal-retentive name for it would be a "public public key server".

See http://en.wikipedia.org/wiki/Public-key_cryptography [wikipedia.org] for all the details.

Re:Why can't it be simple. (1)

Godji (957148) | more than 6 years ago | (#23862777)

I forgot: While in symmetric cryptography your problem would be "how do I get my key to the other guy securely", with public key cryptography the question becomes "how do I prove to the guy who sends me stuff that my public key is really MY public key as opposed to someone else's, where said someone pretends to be me". This is where the certificate exchange stuff comes in.

Re:Why can't it be simple. (2, Informative)

k1e0x (1040314) | more than 6 years ago | (#23862789)

Well.. yeah, you have a point. but at least they can't data mine this way unless they control the key server itself all the time.

When your dealing with an entity like government .. it's pretty difficult to stop them from doing something. I mean.. they could just make encryption itself illegal if they wanted.

It is our duty to stop them from doing that.. You have a right to privacy, you have a right to not show someone the inside of your house, the inside of your gym locker, the inside of your bank account, or the inside of your private letters. Governments should respect that right. A good paper came out a while ago called "'I've Got Nothing to Hide' and Other Misunderstandings of Privacy" http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 [ssrn.com]

Re:Why can't it be simple. (1)

Neoncow (802085) | more than 6 years ago | (#23863091)

While I respect the spirit of the post, The first part is not informative. There's a reason key servers are called public key servers. When you upload your key to the server, you only upload the public half of the key. By definition, this part is meant to be distributed and does not compromise the security of your key-pair.

Re:Why can't it be simple. (1)

k1e0x (1040314) | more than 6 years ago | (#23863123)

Your right. My mistake. (my excuse is I just didn't use my brain.. more concerned on the government angle and the legal angle than the technical angle.. I know how this stuff works..)

Re:Why can't it be simple. (1)

Kozar_The_Malignant (738483) | more than 6 years ago | (#23862839)

My question has always been what is to stop the government (or anyone else for that matter) from going to the public key server and getting your key to decrypt your email?

Two reasons:

  1. You can't decrypt anything with any public key. You only use it to encrypt email to the key owner.
  2. Possession of the public key provides absolutely no clue to the private key.
For a brief explanation of why, read this [wikipedia.org] .

Re:Why can't it be simple. (1)

Simon (S2) (600188) | more than 6 years ago | (#23862923)

Your public key is public, and there is no problemwith that. Nobody can decrypt your email with your public key. You encrypt a mail with the public key of the person you send it to, and the receiver decrypts the mail with his private key. So only the private key has to be secret. That's why it's called private and public key pair.
Ex.:
Person A has a public key (PubKA), and a private key (PrivKA) and wants to send an email to Person B, who has PubKB and PrivKB. Public keys are public, so person A and person B know eachothers pubkeys. Person A encrypts the email he sends with PubKB, and only the person who has PrivKB will be able to read that email.
The sender can also encrypt that email with two pubkeys together, say with his own pubkey, so he will be able to decrypt his own email as well.

Re:Why can't it be simple. (1)

zehaeva (1136559) | more than 6 years ago | (#23862957)

errr .. a public key can only be used to encrypt a message, your private key decrypts it. you tend to keep your private key someplace ... private. so sure let the government come and grab my public key and use it to encrypt as much stuff as it wants! since i should be the only person with the private key only i will have the ability to decrypt said material and read it.

~z

Re:Why can't it be simple. (1)

cinnamon colbert (732724) | more than 6 years ago | (#23862485)

agree that current pgp programs way to techie and hard to use. I finally got a program from MIT or someplace to run, but it was a real pain (for /.nerds: one click installation program, and a button that says encrypt email, anything more is to complicated)
on top of pgp, how about an email track me not - you can program thunderbird or firefox, to work with your friends family etc, to create dozens of fake temporary email accounts and just send out stuff all day long..

Re:Why can't it be simple. (1)

zix619 (802964) | more than 6 years ago | (#23862665)

I believe you finger point a fundemantal problem here: there is no one click addition in thunderbird because many people they still don't care about thier privacy. The situation slowly changes, you see more and more people concerned about privacy. BTW, I believe that thunderbird has a secure email add-on: enigmail

Re:Why can't it be simple. (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23862855)

Here's a simple solution : OVERTURN THE STINKIN LAW. Law isn't written in stone. That's the whole point of having a legislature. Get a referendum together and have the thing repealed. It won't stop the eavesdropping - nothing will - but it will make it illegal to use said information.

Re:Why can't it be simple. (2, Insightful)

k1e0x (1040314) | more than 6 years ago | (#23862913)

And how many tyrannical laws are overturned?

I'm still waiting on the Patriot act.. it breaks what the 1st, 4th, 5th, 6th, and 8th amendments to the constitution and its law.

Org-wide encryption (1)

gnick (1211984) | more than 6 years ago | (#23862287)

Are there any transparent schemes for email encryption which could be installed for the organization as a whole?
Entrust [entrust.com] works pretty well. I know of a couple of medium sized organizations (~14,000 employees) that use it. One ties it in to Eudora and the other, I believe, ties it into Outlook. Of course, if you want to exchange e-mail with customers, you'll have to make sure they have compatible software and keys (as with any encryption scheme.)

GeoIP? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23862305)

How about browser and mail client extensions that run a lookup on the A or MX and show the user a warning when sending requests/mail to a box located in Sweden.

Obviously it doesn't cover routes but it's a start.

Nobody cares. (1, Insightful)

twatter (867120) | more than 6 years ago | (#23862307)

Personal encryption is not widespread because most people don't know anything about security or privacy. They figure the "stuff" going through the "tubes" is safe and only the intended recipients can see it.

Then again most people only send chan letters, lame jokes and soccer practice announcements, so its not like they needed a lots of privacy to begin with.

People with a clue know what they need to do and do it. Everyone else can carry on as usual.

Re:Nobody cares. (1)

Drakonik (1193977) | more than 6 years ago | (#23862759)

Don't mod this guy down. He's right. The reason people don't use public-private key cryptography is because they don't know what the hell it even is. Unfortunately, explaining why it's a good idea to a non-geek would be just as hard as explaining that even though that popup is flashy and says "Free Awesome Smileys", it's actually a Bad Thing.

Exchange servers can do messaging tunnels (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23862355)

If you pass the SSL keys between two corporate Exchange servers, you can have all communication between them be encrypted.

However, not everyone runs Exchange, and not everyone is willing to set dedicated send/receive connectors.

SMTP over SSL/TLS would be a great thing. Its already implemented, but few mail servers take advantage of this.

They'll (0)

fishthegeek (943099) | more than 6 years ago | (#23862367)

hafe to hide der data in der chickens or dey'll be bork bork borked!

Terrorists use encryption! (0)

Anonymous Coward | more than 6 years ago | (#23862411)

This whole thing is ridiculous because any real bad guy is already using encryption and data hiding techniques. However....this kind of snooping is great for political purposes. You know, snooping in on the personal affairs of your political enemies and then using that info to embarrass them out of office.

Re:Terrorists use encryption! (3, Insightful)

JSBiff (87824) | more than 6 years ago | (#23862595)

You make a fundamental assumption that there are no stupid criminals or stupid terrorists. Yes, *some* terrorists and criminals are smart enough to encrypt their emails. But I'm sure there really are people out there stupid enough to talk about their criminal plans/exploits in plaintext email, or plaintext IMs, because they are just stupid. The Swedish government, will, no doubt catch some of those stupid criminals through such spying on email, then point to those cases whenever they talk to the media/public about why this is a 'good thing'.

      As with any invasive authoritarian law, the government can always present anecdotal examples of it 'working', and so 'justify' the law, despite the fact that it's fundamentally a bad law, and probably not necessary.

Mod parent up. You are SO right. (1)

querist (97166) | more than 6 years ago | (#23862767)

You are quite correct. It's scary, but you're right. The thing that is frightening is not the fact that there are stupid criminals, like my favourite example of the night-time purse snatcher with the light-up trainers, but that these stupid criminals who are not bright enough to use encryption will be used as "proof" that this new invasive law "works".

I am quite confident that this _will_ be abused. There is an established history of laws like this being abused, such as that anti-terrorist law that was used against that family in the UK with regard to someone thinking they were registering their kid in the wrong school or some such non-terrorist activity. I'm saddened to see this happening to Sweden, or to any other country. I'm fairly confident it's already happening here in the USA to a much wider degree than most would suspect.

Privacy Ruling today in U.S. (1, Offtopic)

crazytisay (1283264) | more than 6 years ago | (#23862429)

EFF running story on 9th Circuit Court of Appeals ruling that email and text messages should be considered private, subscribers cannot get the ISPs to release without user consent or a warrant. At least in the U.S. email at work, as long as its 3rd party, cannot be released to your boss. Not entirely on point, but as far as privacy is concerned, this is at least a step in the right direction. http://www.eff.org/deeplinks/2008/06/new-ninth-circuit-case-protects-text-message-priva [eff.org]

Existing SMTP encryption, but on the server side? (0)

Anonymous Coward | more than 6 years ago | (#23862459)

I've mostly dealt with SMTP encryption on the client-to-server end, i.e. in the context of preventing the client from sending the server a password for something like SMTP AUTH. I usually act with the assumption that client-to-server communication for SMTP AUTH is the only purpose for encrypting SMTP, and understand that server-to-server communication will go over the wire unecrypted.

But maybe someone can answer this. Do MTAs also attempt to use things like STARTTLS for server-to-server communication when available? Again, I've always assumed that these were only used to protect passwords, and that SMTP as used today by servers is inherently insecure. Am I wrong on this?

(Of course, whether or not some MTAs do is irrelevant, as inevitably lots won't. A lot of them don't even support STARTTLS or AUTH and nothing requires them to.)

Too complex (4, Insightful)

croftj (2359) | more than 6 years ago | (#23862469)

It's too complex for most. If it were as simple as me putting code on my machine and sending encrypted emails to my family and friends I would do it. Sadly, I have to step them ALL though putting GPG or PGP onto their machines, creating a pair of keys then sending my and all of their friends their public key. Want to place bets how many of them would send their private key themselves?

      If MS would simplify it and make all of this just happen. I bet that there would be a big gaping hole for the gov't to make use of. Not to mention the security holes that would go along with it as well.

Why not make the government's job easier (4, Funny)

bigtrike (904535) | more than 6 years ago | (#23862517)

And CC all of your email to the everyone in charge of this agency. Any good patriot should do this, just be sure the nation is secure even if the email monitoring system goes down.

Seamless, no. Pretty darn close, yes. (4, Informative)

querist (97166) | more than 6 years ago | (#23862519)

There is no "seamless" encryption method that will give you enough protection. Sorry.

However, there are plenty of options if you're willing to do just a little work.

Install GPG or PGP. I use GPG because I can give it away legally to my friends who are less technically saavy and it works on Linux, OS X, and Windows.

Enigmail will integrate nicely into Mozilla's emailer and automate nearly everything once you have the person's public key. It will even notice who your recipient is and automatically pick the correct key.

There is something similar for the OS X Mail application (and I have it installed) but I don't remember the name of the application. It's not as bright as Enigmail and won't figure out who the recepient is automatically and pick the correct key.

FireGPG is a plug-in for FireFox (and it works for "Mozilla" because the web browser _is_ FireFox) that will allow you to use GPG with GMail.

I have an email account in which _all_ of the traffic is encrypted because I use these tools. I never send anything unencrypted on that account.

It's not seamless, but it's not that hard and it is not very intrusive.

I do not know if I should pity you because of your government reading your emails or if I should at least feel happy for you that they are honest enough to admit it (supposedly) before starting. Either way, I doubt things are any better here in the USA.

I find it amusing that the CAPTCHA is "incided", as in this new law inciting a riot.

Re:Seamless, no. Pretty darn close, yes. (1)

JohnWhitney (707445) | more than 6 years ago | (#23863039)

OS X's Mail.app already has full support for email signing and encryption (and has since at least 10.4, when I started using the feature). Public keys can be exchanged by exchanging signed emails. Signing and encrypting are as simple as clicking the appropriate button on the "new message" window (the encryption button is only available when you are sending email to an address you have a public key for).

Well as Phil Z. has said.. (4, Insightful)

X86BSD (689041) | more than 6 years ago | (#23862523)

The reason PGP, and GPG as well, fail is because PKI is just too difficult to setup and maintain. I'm sure some nerd who lives in his mom's basement is going to contest this but the fact remains it's too difficult to do in most corporations let alone end users. Making a key, remembering the password, managing keys, revoking keys, it's all just a total pain in the ass. If you truly want secure email for the masses it has to be transparent. This is just a given. People are not going to do PKI. This is the main reason we don't have mass adoption of PGP encrypted email.

The second reason and it's to a lesser extent but still a strong motivator IMO for the lack of secure options for communication are that corporations and governments don't WANT secure applications being adopted. How else can the government spy on you or corporations steal secrets from each other if things are encrypted. This isn't paranoid fantasy land I live in. I don't think any intelligent person today doesn't know especially over the last 8 years that the governments are doing everything they can to spy on you, record you, monitor you and track you. Wether its the TSA, DHS, warrant-less wiretapping whatever we are living in a 1984'esqe society. Seamless and mass adoption of strong encryption and anonymity by the masses would *seriously* curtail their ability to spy on you and find dissidents and evil doers who read catcher in the rye. So IMO these are the two strongest compelling reasons we don't have encryption for the masses yet. Phil's ZFone project is a good step in the right direction though.

Re:Well as Phil Z. has said.. (0)

Anonymous Coward | more than 6 years ago | (#23862579)

Don't use email then.

Most of my communications are over Instant Messaging, these can be setup to use SSL easily and TRANSPARENTLY since we have to sign on anyway.

Re:Well as Phil Z. has said.. (1)

SanityInAnarchy (655584) | more than 6 years ago | (#23862977)

The reason PGP, and GPG as well, fail is because PKI is just too difficult to setup and maintain.
That's why no one uses SSL. [wikipedia.org]

it's too difficult to do in most corporations
Most corporations aren't smart enough to use S/MIME.

If you truly want secure email for the masses it has to be transparent.
If it was transparent, it wouldn't be truly secure.

Still, I'd argue that we should go for PGP/GPG. It's a lot simpler than a lot of other things people do on a daily basis -- driving a car, for instance. Certainly much simpler than a lot of things which are taught in school.

corporations and governments don't WANT secure applications being adopted.
Hope that tinfoil hat is comfortable... (And you accuse me of living in my mom's basement?)

How else can the government spy on you or corporations steal secrets from each other if things are encrypted.
The government, I can see, but it's not as though they can reasonably outlaw it. There's not really much the government can do, other than use the same encryption themselves when appropriate.

But corporations? Seems to me that if this ever was the case, all it would take is one smart corporation to realize that if they implement crypto and their competitors don't, they can spy on competitors, but not vice versa. Of course, this would lead to an arms race resulting in no one being able to spy on anyone, which would be better for all involved.

we are living in a 1984'esqe society.
There are hints of that, but have you actually read 1984? I don't see thought police or memory holes.

PGP/GPG (3, Insightful)

wilsoniya (902930) | more than 6 years ago | (#23862535)

More people need to use these. Operating without a centralized Certificate Authority, GPG really depends on there being sufficient users to establish a web of trust.

I think people (in the US at least) either don't understand the simplicity of sniffing cleartext, or don't think they care. The aggravating part is that GPG can be really easy to use. Apps like Seahorse [gnome.org] make key and keyring management trivial. There's a great Thunderbird plugin [mozdev.org] that makes signing and/or encrypting your mail no harder than it was before. (Yes, I know not everyone uses Linux and Thunderbird, but I trust GPG tools exist for other OSs/email clients)

Given a safe and ubiquitous encryption scheme, I can't think any reasons for sending text/data in the clear. Now all we need is a ubiquitous encryption scheme.

Re:PGP/GPG (1)

SanityInAnarchy (655584) | more than 6 years ago | (#23863025)

I think people (in the US at least) either don't understand the simplicity of sniffing cleartext, or don't think they care.
Hmm. I propose we start sniffing emails everywhere we can, and put the results up on Wikileaks for the world to see. Then we'll know who really cares.

Why is use limited? (1)

nurb432 (527695) | more than 6 years ago | (#23862543)

Because most average people don't understand what is going on and still have that 'i'm not doing anything wrong' mentality.

And the few that do, dont understand how to mitigate it.

That 2nd is a problem for us techies too, as one way encryption is pretty worthless for communication.

Re:Why is use limited? (1)

John Hasler (414242) | more than 6 years ago | (#23862863)

> Because most average people don't understand what is going on and still have that 'i'm
> not doing anything wrong' mentality.

I don't approve of government snooping (I don't approve of government at all) but the fact is, they are right. The fact is that for most people (including most of us) there is nothing in any of their email such that having it read by any agency of any government would affect their lives in any way.

A real danger, though, is that the governments will get sucked in to some sort of automated "suspicious activity" monitoring and then base pre-emptive action on it.

My largest privacy concern? (2, Insightful)

multisync (218450) | more than 6 years ago | (#23862569)

The fact that the majority of people will happily give up all manner of private information in exchange for a few pennies off the price of a carton of milk. If the threat of identity theft doesn't make people more conscious of their privacy, I doubt the threat of their government reading their email will.

SSL Proxy (2, Informative)

markybob (802458) | more than 6 years ago | (#23862577)

You need to use a proxy that encrypts all traffic to and from you and it. Try dipconsultants.com ...I use it and it's very fast.

Tumbleweed (1)

PIPBoy3000 (619296) | more than 6 years ago | (#23862597)

What can an organization do, centrally, to lift the burden of encryption from the users? Are there any transparent schemes for email encryption which could be installed for the organization as a whole?
I work for a large healthcare organization and we use a product called Tumbleweed. It's not especially magical. If an outgoing e-mail is marked as encrypted (or keywords appear in the e-mail), the recipient gets a link to a secure web portal where they can log in and get that e-mail. It works fairly well, satisfying HIPPA requirements that otherwise prevented us from sending confidential e-mails to outside physician groups.

Not Alone? (1)

OldFish (1229566) | more than 6 years ago | (#23862699)

Lots of traffic is passing through Sweden, but more importantly, the Swedish government is not alone in using this type of surveillance." If anything the Swedes are latecomers to this sort of monitoring. It's tough for a politician to resist that sort of power since it requires great strength of character. Our politicians in the USA are the weakest.

Secure browser (1)

markybob (802458) | more than 6 years ago | (#23862723)

This is a perfect use for something like DIP Secure Browser (dipconsultants.com). It encrypt everything on disk, such as your history logs and bookmarks, there's nothing for Big Brother to see. Also, if you use it with their proxy service, all your internet traffic is also encrypted. Take a look

these kinds of stories are philosphically naive (1, Interesting)

circletimessquare (444983) | more than 6 years ago | (#23862817)

it is not that you don't deserve privacy, it is that privacy is philosophically impossible on a wide open network. such that giving up on the notion of privacy on the internet isn't cynical and defeatist, it is merely being realistic. in fact, fighting for privacy on the internet is not heroic and idealistic, it is simply gullible and naive and ignorant of the subject matter

if you take a large, open, sprawling network, there is no law or safeguard that can protect you from eavesdropping. forget the government for a moment, what about companies? what about technically astute oddballs? what about aspects of any country's government that does whatever the hell they want to regardless of what the goody two shoes in the legislature say? what about governments of other countries the network passes through? etc., etc.

let us say sweden instead passed a massive ANTI-eavesdropping law instead of the law it did pass. ok, are you going to celebrate? why? are there people out there who actually believe this would protect them from eavesdropping? who are you and what about the concept of a "vast open network" do you not understand?

the news of what the swedish government did is treated as if it were a ton of bricks here. folks: absolutely nothing has changed, and no law will ever protect you. ever. its called a sprawling, open network. its not a bank vault. your info, once it goes on the wire, is open season for snooping, is subject to thousands of different vectors for attack. by all sorts of entities

and there is no technological or legal to fix to that that does not also break what you like about the network in the first place: its openness. thats the downside to being open, call it a twist on the concept of the tragedy of the commons. its free for you to do anything you want... but that means it is also free for more nefarious interests to do whatever they want to to. there is no way to act against such nefarious interests that does not also somehow inconvenience what you like about the network at the same time

the solution? STOP ASSUMING PRIVACY ON AN OPEN NETOWRK IS POSSIBLE OR EVEN A VALID CONCEPT FOR YOU TO CONSIDER

seriously, get over it. privacy on the internet is a philosophical impossibility

Re:these kinds of stories are philosphically naive (2, Informative)

OldFish (1229566) | more than 6 years ago | (#23862967)

Nonsense. Eavesdropping on an encrypted conversation where the encryption is managed by the two endpoints gives you nothing but the identities of the communicators, and if they have taken steps to conceal their identities an eavesdropper doesn't even get that information. This secure communication exists peacefully alongside your "vast open network". You clearly invested a fair bit of time writing your post. Why? What part of communication security technology do you not understand?

get involved (1)

GIS.thrills (1165879) | more than 6 years ago | (#23862875)

A tech answer to this question may leave you wanting. The best way to protect your privacy is to make it illegal again for the government to infringe on it. Sweden is a parliamentary democracy that has to answer to the people. Organize and get involved in your government. Just don't do it over email for now.

Okay (1)

Auckerman (223266) | more than 6 years ago | (#23862889)

The solution is to migrate TCP/IP to a public key system. The entire protocol.

encryption is irrelevant (5, Insightful)

TheGratefulNet (143330) | more than 6 years ago | (#23862897)

I'll go out on a limb and predict that in 5 yrs or less time, encryption will be a 'self admission of guilt' to ALL governments.

I really hope I'm wrong. but the trend is there if you just look.

we already have people saying 'if you are not a terrorist, you should have nothing to hide'. this is just a half step away from saying 'if you DO use encryption, you MUST be hiding something that we should see'.

mark my words.

you may think that you are out-smarting the governments but they have the money, the guns and all the power. and they're NOT about to give this bit of power (over the people) up.

if you encrypt a laptop and pass thru customs, you are FORCED to reveal your password or at the least, 'open' the disk for them to view the contents of. so tell me, how did encryption help here?

don't give me that crap about truecrypt, either. how long will it take before their border people know how to detect this? ....so depressing ;(

Re:encryption is irrelevant (1)

OldFish (1229566) | more than 6 years ago | (#23863081)

Mod parent up. This is precisely my most pressing concern about privacy. It is a political, not technical issue. Too bad we could resurrect Jefferson - he'd call for hangings for the traitors who have NO respect for the Constitution. PS: the recent rulings regarding compelled production of passphrases within the borders are mildly encouraging.

Not Obvious? (1)

mh1997 (1065630) | more than 6 years ago | (#23862905)

'What can I do to improve my privacy?' The answer is not obvious.
The obvious answer is to overthrow the government. Since that is not a practical or a desireable solution then the next obvious answer is do not send anything private via email.

Sadly, not enough people care about the loss of privacy rights to change this. Look at all the people that say "I don't care, I have nothing to hide."

The fact is the Facebook generation doesn't care (1)

wolfdvh (700954) | more than 6 years ago | (#23863003)

Users of MySpace/Facebook etc. have clearly demonstrated by their actions that they don't care at all about their privacy. They routinely post loads of information about themselves that advertisers, marketers, and other intelligence agencies could not get easily, and probably could not get at all.

Some even think it a virtue to live an 'open life' and not do anything they would not mind seeing in public.

Since they are the future, it is no wonder that software vendors have little incentive to invest money in a product/feature that has no future market going forward.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...