Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Is Crypto Solely for Criminals?

michael posted more than 13 years ago | from the my-lock-my-key dept.

Encryption 179

deran9ed writes: "Interesting outlook from an article on IDG detailing the use of encryption, and the negative campaigns against it. "When the Feds -- be they CIA, FBI, NSA, or Treasury Department -- discuss crypto, they make it sound as if anyone using it must be a child pornographer, drug smuggler, or terrorist." I wonder if the government feels the same about corporations encrypting their business plans in order to avoid having them stolen. Here's the article." The author has a point. SSL and SSH (or whatever it's called now) are widely used. But how many people routinely encrypt their email?

Sorry! There are no comments related to the filter you selected.

Crypto for Bad boys only... My opinon (1)

Khelbenvasq (267255) | more than 13 years ago | (#371320)

Having been watching the trend in all things related to Privacy on computers I have noticed many things suddenly getting outlawed... Before anyone goes thinking another pariniod is posting. I want to point out the fact it is becomeing more common about good techs fired because of thier bosses reading something that is in thier email. Most of the time being unpopular opinion against said boss or company. This level of invasion of privacy we have come to expect. In my honest opion this is a sad state of affairs. Now it has gotten worse the only protection to keep yourself protected (Correct me if I am wrong but was not anonymy recently stepped on) is crypto. So now the control of information is in the big business and big brothers hands. This means they have to stomp crypto which was the only thing that was protected last time around. The best way to stomp on it is to make it Illeagle for the common Joe to have and or use. After all if your suspected of computer crime even if your innocent there are no protections from having the poilice or (insert your favorite three letter group here) confiscate you computer and all electonical media you have. Rumor has it in England you have to surrender you crypto keys in such an event. And this is also happening somewhat in the US. It seems to me when it comes to computers your constusional rights no longer apply. From not having your unpopular speach protected to having crypto means you must be a crook thus no protection from self incrimnation. Sheesh makes me wonder why I even bothered to spend 6 years to protect the land of the free when freedom no longer truly exists...

Khelben H. Vasq

I know I know "Bad LICH back to your Floor Boards"

Re:I don't get it (1)

Shadow99_1 (86250) | more than 13 years ago | (#371321)

It actually does't seem to matter anymore what you do... I was invloved in an accident in which the primary instegator drove off, but I ended up being pushed into a full sized pickup truck (parked) which then totaled my car. Because the person that hit me drove off & their were no witnesses & the police needed someone to blame they decided I'd make a nice target & hence decided I would be guilty of negligence while driving until I prove I am innocent... I frankly don't believe anyone in law enforcement believes that 'innocent until proven guilty' thing anymore...

Internet or no internet you are just one step away from being proclaimed guilty in the states...

Re:If crypto is outlawed... (1)

SumDeusExMachina (318037) | more than 13 years ago | (#371322)

very private emails to girlfriend [...] if the competition gets a hold of them, im screwed.

Wow, you must have a stressful life. What do you have to do, beat the suitors off with a stick?

Re:Crypto convenience (1)

shokk (187512) | more than 13 years ago | (#371324)

I think the likelihood of all of the above happening is laughably low as you describe a cracker doing all that. A crew of feds on a sting with a search warrant, however...

sorry :( (1)

Arker (91948) | more than 13 years ago | (#371326)

Ack! Looks like you are right, the Mac version is way behind and no longer linked. This post [tu-graz.ac.at] explains it, sort of. Looks like Dave ran into some problems doing the port quite awhile back, since he relies on Novell libraries, and Novell quit supporting Macs. From the date of the post one might deduce that the problems proved insurmountable, or at least more trouble than he thought it was worth.

Not being a Mac user I remained blissfully ignorant of this till now. Sorry :(


"That old saw about the early bird just goes to show that the worm should have stayed in bed."

Re:As an experiment... (1)

Digital Mage (124845) | more than 13 years ago | (#371328)

Lower storage costs and less network traffic are dependent upon how you encrypt. If you do a plain old encrypt a file and send it as an attachment, the file will be a little smaller (just zipping the file can get it smaller than that). But, if you do ascii ciphertext it will take 761 characters (not including PGP declarations) with a 2048/1024 DH-DSS bit key just to say 'hello'.

Depending on how they were encrypting, the mail admins may have been justified in reducing the load on their servers.

Re:Automatic (1)

Betcour (50623) | more than 13 years ago | (#371335)

This is possible with Outlook Express (and Netscape or Outlook too I think), using the standard SMIME. The problem is that to use it, you need a certificate, and to get a certificate you have to pay (Verisign or Thawte : doesn't matter, they are the same company holding now a monopoly). What is really sad is that, even if you are ONLY interested in encryption and don't care about authentification, you still need a certificate from a CA.

I once tried to make some home-made certificate with OpenSSL, but it's really complicated and not very compatible with Outlook Express... until someone makes a "point and click" certificate generator for Win32, SMIME will never take off.

Routine encryption of email (2)

StarOwl (131464) | more than 13 years ago | (#371336)

Michael asked: But how many people routinely encrypt their email?

As much as I hate Lotus Notes, I do have to give it credit in one regard: Notes can be configured to encrypt mail by default. Within the large corporation I work for, every piece of intracompany email is encrypted.

Feds want to hog the crypto to themselves (2)

wideangle (169366) | more than 13 years ago | (#371337)


"When the Feds -- be they CIA, FBI, NSA, or Treasury Department -- discuss crypto, they make it sound as if anyone using it must be a child pornographer, drug smuggler, or terrorist."

Edsfay areway ealousjay ofway ourway yptocray. Eythay antway otay oghay itway allway otay emselvesthay.

Re:Automatic (2)

Tabbycat (116349) | more than 13 years ago | (#371338)

I run exim [exim.org] at work as our SMTP server. It supports TLS for using ssl when sending and receiving (if it converses with a mail client or other server that supports it).

I've educated the users about ticking the ssl option on their email clients, so emails are automatically encrypted at least to our mail server, and sometimes on the next hop too (I have spotted in the logs a few other servers talking via ssl to us).

This doesn't give you the same benefits of encrypting the message before you send. The mail is unencrypted when in the mail spool, there's no guarantee the hops'll all be encrypted, but it's a start at least - and if more servers do bring TLS facilities online, then you'll get encryption happening automatically without the users having to worry about it.

Re:As an experiment... (1)

Trepalium (109107) | more than 13 years ago | (#371339)

Actually, it depends. Some mail servers (MS Exchange, for example) have a 'single instance' store of messages, so that each unique message only exists once in the database. Adding encryption means it must be encrypted for each recipient, which means that single instance just isn't possible. Granted, this is a rather poor excuse for trying to get a small group of people to stop using PGP.

Canada vs. US (3)

Gandalf360 (194169) | more than 13 years ago | (#371340)

In this case it's interesting to note the difference between Canada and the US's stance on encryption. This [ipc.on.ca] is from the Goverment of ontario, and tells you that you SHOULD encrypt your email.

Passive Privacy System (2)

ajs (35943) | more than 13 years ago | (#371341)

This seems like a horribly contrived lead-in, but I can't resist. I've been planning the announcement of the Passive Privacy System proposed specification [ajs.com] for a week or so, but we seem to have a window.

PPS is a propposed way of getting everyone to exchange public keys and passivlely encrypt email without a) burdoning the average user with the details of cryptography or b) providing enough impact on the average non-PPS user to matter.

It requires a great deal of work, both on the spec side and the coding side to come up with plugins for MUAs. But, in the end I think that the world will benefit from the resulting increase in passive key exchange and encryption.

Please, feel free to send mail about PPS to me [mailto] .

Thanks.

hmmm (1)

Anonymous Coward | more than 13 years ago | (#371347)

I wonder what side the slashdot community is going to take on this issue...

I don't get it (5)

RPoet (20693) | more than 13 years ago | (#371352)

There's always been the principle of innocent until proven guilty. But as soon as there's anything electronic in the picture, it's suddenly the opposite; you're under suspicion for anything and have to prove your innocense, and nobody seems to complain.
--

Why would i encrypt my e-mail always. (2)

Anonymous Coward | more than 13 years ago | (#371355)

I don't normally encrypt my e-mail. Most of the time it really doesn't matter. I'd expect that many people are the same way.

Realisticly, there's no reason to encrypt a message asking if a co-worker goes to lunch. The business plan for the next year though is a different storry.

MPM

Email Always Encrypted (5)

Alpha Prime (25709) | more than 13 years ago | (#371357)

At our company we encrypt all email. Since a lot of the discussions are about patented or patent pending ideas, due dilligence requires that any email going over the net be encrypted. We expanded that to be all email to add to the noise factor should someone be watching.

Encryption is a double-edged sword (1)

Anonymous Coward | more than 13 years ago | (#371359)

While I will not argue that encryption is an absolute necessity these days I will say that, from a security administrator's perspective, it can certainly be a pain in the ass. Previously we could setup intrusion detection systems and watch for attack signatures. Now with SSH, SSL, IPsec tunnels, VPN's, encrypted e-mail, etc. we're blind to what's coming through our perimeter. That leaves us with two options: 1. Let the encrypted traffic pass through transparently and hope for the best.. (i.e. let's just assume SSH is not able to be compromised on that system, or that your SSL web server running IIS doesn't have some unknown exploit on it), or 2. Stop it all at the border and force it to authenticate and then let it pass through.

Now, option 1 is probably what most of us are doing at this point but it's going to come back and bite us in the ass one of these days. Crackers are probably more than happy to expand their reach on your chewy internal network after they've penetrated your firewall and IDS by coming in via an SSH exploit or an Apache/SSL exploit. Option 2 becomes a major inconvenience to the users and you're still relying on even these authenticated encrypted users not to do anything that goes against your security policies. So what does that leave us with? We're between a rock and a hard place. We would need to move IDS onto all the servers as well.

Crypto convenience (3)

TheSHAD0W (258774) | more than 13 years ago | (#371360)

An enormous part of the problem with having routinely encrypted email is that without taking basic manual security precautions it is impossible to eliminate man-in-the-middle attacks. If Alice has never sent email to Betsy, how does she go about getting her public key? From a PGP key server, say? How do you know the [insert government/industry black hat name here] isn't standing between you and them, replacing the real key for one they have the password to, and then passing on the email re-encrypted so Betsy would never know?

Perhaps you're smarter than I am, but every _transparent_ method of key verification I can think of is foiled by someone in control of your link to the outside world. In order to keep this from compromising your security, you'd need a different verification method. This would require, for instance, Alice calling Betsy over the telephone and having her read back her encryption key's fingerprint, and comparing it with the key she got over the net. This isn't something a casual computer user is willing to do regularly in order to check his security.

Do they? (1)

kalleanka2 (318385) | more than 13 years ago | (#371361)

I have never seen statements from any government organisation suggesting crypto software is used only (or mostly) by criminals.

Have you?

But I have seen allot of statements about worries about criminals using crypto software from government organisations.

In the end the problem is that the police has had the possibility to tap phone wires etc to hunt down criminals like pedofiles and drug lords and those possibilities fades away with the arrival of better technology. In the end this means more drugs and child abusers in the world.

Of cause there is always the issue of personal integrity but I doubt anyone would suggest that those crimes aren't important to fight or don't you care about your children's future?

There are two sides of this coin.

Re:I don't get it (1)

Alpha State (89105) | more than 13 years ago | (#371362)

That principle is used in our courts, but the police do not subscribe to it. In their eyes they have to assume you are guilty and try to prove it. No suprise that our lawmakers and the media are following their lead.

The real question is, when are we going to start facing up to real problems? How many people are killed in the world by terrorism each year, and how many by drunk drivers or polluted water supplies? How many people in your city die from drug overdoses and murders while congress makes pointless laws that affect you and I more than any criminals. It's things like this that remind me the media doesn't really care at all. And the politicians are doing their best to pretend to care, while publicising any small problems they think they can solve with a law or four.

Do Such Email Clients exist? (1)

RatFink100 (189508) | more than 13 years ago | (#371363)

From the article...

"Another problem with many crypto offerings is that they can leave you vulnerable to forensic-grade tools that can pull data from supposedly deleted files, including the temporary files that your e-mail application uses as a placeholder for the message before it's encrypted. It seems to me that the only way to get a truly secure solution is to write a mail application that has the encryption built in at the most fundamental level, so that even if temporary files are recovered, they may be rendered useless. "

Anyone know of clients like that?

Crypto in industry (1)

OpCode42 (253084) | more than 13 years ago | (#371364)

Encrypting your email is very often nessecary in industry. Take for example, a large company who registers domain names by way of an email template. That template contains sensitive information about them, which if intercepted as plain text, could allow anyone to register domains as that company. That email needs to be encrypted.

I recently produced an online recruitment and jobsearch site that allows recruitment agencies to post jobs by email (I'll resist a shamelss plug). The job post emails are encrypted, mostly at the request of the agencies who were worried about their usernames and password being intercepted as plain text.

-----

For those of you who employ Junkbuster (2)

deblau (68023) | more than 13 years ago | (#371365)

Linkage to the article here [infoworld.com] .

Re:keeping it private (2)

phantumstranger (310589) | more than 13 years ago | (#371366)

Since people are granted the "flimsy" protection of an envelope, without really having to worry about their privacy being invaded, would it be far-fetched if we were granted "flimsy" encryption as well?

What I mean is, envelopes aren't the most protective of barriers for the ingegrity of our letters, but it suits the purpose for general mail. I don't hear of many drug lords sending kilos of heroine in an envelope (and if they do, then they should be prosecuted to the fullest extent of the law on the principle of being a dumb-ass-at-large alone). If goverments think that sending email with a not-so-heavy-encryption is a sign of wrong doing than envelopes should give off the same feeling.

If people were given the opprotunity to know that they could send messages with a low-level encryption, I seriously doubt it would do the unlawful abiding citizens any good to use it as well. There has to be some sort of privacy granted to the people that use it for that sake of it, as opposed to those who just want to cover their tracks. Instead of taking rights away from people, goverments should be trying to make sure that there are ways to protect ourselves (which, they say, this is all about anyhow, right?). If I could be guaranteed that my email sent using PGP was safe enough to fly across this vaste open network of computers and be safe from prying eyes, as well as the prying eyes of the goverment, I would be pretty darn content. I mean, that is the same feeling one gets when they drop a letter into the mail box, right?

Something else to think of is that, if one were to play the devil's advocate, and believe that all of this controversy was the goverments trying to keep the law abiding citizens safe, than it really shouldn't matter. That is, unless it's in the case of one of the other posters that used encryption to send root passwds. I think back to the story [slashdot.org] about the U.S.P.S. and what they would and wouldn't send. More specifically the fact that they opened up a package because the weight seemed ill-proportioned to the size of the package (it was a brick wrapped in gift-wrap). If the anaology of the envelope would hold true, than doesn't the same for encryption?

I'm not saying that I agree with invasion of privacy for the sake of it, but, if you're really not doing anything that's wrong, why worry about it? Maybe people have to stop watching Conspiracy Theory and actually do something to help goverments embrace encrytion for the rights of citizens.

Solution Re:Automatic (2)

Arker (91948) | more than 13 years ago | (#371382)

The problem is, encrypting email is a lot less automatic than when encryption is used for secure web transactions. When I visit and want to buy something I don't have to manually get their key, click the encrypt button, enter keys, send. No all you have to do is check that you've entered a secure zone. If in email programs all you had to do was click the "use encryption" tickbox and have the program sort all the details out then a lot more people would use encryption.

Pegasus Mail [pmail.com] does this. By default it uses the built-in encryptor, a variant of the old crypt program, to encrypt the message with the passphrase you give it, but it also has a documented interface for third parties to add decryption modules. The QDPGP plugin [wow.net] handles PGP. It's pretty damn slick.

Pegasus has been around a long time, it's free-beer, and it's by far the best email program around IMHOP. Very regularly I hear or read someone wanting their email program to do this or that, and almost always pmail does it already. The only good reason not to use it is it doesn't run on linux. If you use windows, dos, or mac, I really can't see why anyone would use anything else. And the Linux port [pmail.com] might materialise soon.


"That old saw about the early bird just goes to show that the worm should have stayed in bed."

Re:I routinely encrypt my e-mail (2)

Cyberdyne (104305) | more than 13 years ago | (#371383)

and send it to random friends all over the country, none of whom use encryption.

They have no idea what's in it, but more importantly, neither does the NSA!

Actually, this is a very important way to help keep your mail secure. If I send one piece of e-mail to a friend, that one message can be "cracked" with enough effort - the NSA will run it through some dedicated hardware or whatever.

Alternatively, I send you ten messages, all about the same size. We've agreed on the algorithm already, and I have your public key. So, I send you one encrypted message, and nine chunks of /dev/random. You just decrypt all ten; nine fail, and you delete them, the other is the message. The NSA, meanwhile, have ten message to brute-force instead of one - which makes their lives ten times harder.

Better still, I send ten messages, all encrypted with keys of yours - nine of which are just junk. Again, this makes life much harder for those trying to crack your messages...

does it make sense... (1)

shokk (187512) | more than 13 years ago | (#371384)

...that the feds should waste their time worrying about people who are using crypto for *good* purposes? Should we establish a billion dollar fund to help them track down people sending their grandmother a get well email with PGP?

Of course they're going to concentrate on kiddie porn and terrorists. For their intents and purposes the world of crypto might as well be comlpetely composed of that type of person. Just so long as they do not make absolute and blanket statements painting crypto users as such.

Problems with Encrypting Email (5)

rjh (40933) | more than 13 years ago | (#371400)

  1. Crypto software is hard to use.

    Before anyone even thinks of refuting this one, think about this: anything that requires more technical know-how than Outlook Express or Eudora is automatically going to fail in the marketplace. Why? Because 95% of the market finds their own technological skills tapped out at the level of using Outlook Express for basic email, to say nothing of doing something as advanced as (gasp) installing a crypto plug-in.

    As long as crypto software has any kind of significant learning curve, crypto software is not going to be widely-used. SSH is widely-used today, mostly because for casual use it's indistinguishable from telnet--the sysadmin (who has tech savvy) takes care of key management and the users just have to be told "type ssh instead of telnet".

  2. Public-key infrastructure is still mostly a myth.

    For all the millions which have been invested in PKI, it's mostly a crapshoot. The typical user still doesn't have a bat's chance in hell of using a public-key infrastructure properly. If Joe User wants to encrypt a message for John User, Joe doesn't know where to find John's public key, wouldn't know how to import the key even if he had it, and wouldn't know to do an out-of-band fingerprint verification before using it.

  3. Crypto requires learning.

    Sometime, take a look at the documentation that comes with PGP. It's pretty good, all things considered. It's also about the heftiest documentation I've ever seen for a consumer software product.

    Users don't want to learn. Users think (not unreasonably) that programmers should make programs work the way the users think they should, instead of demanding that users learn the way the programmers think the program should work.
... Those reasons are the big ones for why more email isn't encrypted. 95% of the population lacks the technical skill to use encrypted email, and 95% of the population doesn't recognize the need to encrypt mail anyway.

For the record, my public key is available on Slashdot. I encourage anyone who sends email to me to use it. Even without a fingerprint verification, it's better than nothing.

Re:I routinely encrypt my e-mail (1)

shokk (187512) | more than 13 years ago | (#371401)

The problem is that there is still one person who knows about the keyphrase or certificate...you. A better encryption system would make use of one-time keyphrases or certs that not even you know of. Recent announcements on /. sound like they're headed this way. The only question is will the public ever see it or will someone get kidnapped in the middle of the night a stuffed into the trunk of a car.

Email is encrypted (1)

mashy (135839) | more than 13 years ago | (#371402)

Unless I'm sending something absolutely unimportant, like "meet me at the movies at 8", I almost always use encryption when talking about anything personal, like "meet me in front of the bank at 8 with car running". It's not really that I worry about people intercepting the message while being routed across the net, since I'm not exactly a criminal and anyone who knows me is not smart enough to intercept my email, but I fear that someone will gain access to the recipient's mailbox (boss monitoring email, friend is over playing around on computer..) and reads a message I would rather they not see.

A problem with relying on encryption of email solving this problem is that most mail clients will allow you to save the message in a decrypted form for filing once it has been received and decrypted. It would be much more secure if mail clients didn't allow you to save a message in decrypted form, and required you to identify yourself to the decrypter every time you wanted to go back and read an email.

The biggest problem with email encryption is that so few people have keys. I have tried to encourage friends and family members to use encryption by helping them create PGP [pgp.com] /GnuPG [gnupg.org] keys and encrypting everything I send them. Sometimes they encrypt when they send back. Encryption of email might be more common if all the major mail clients shipped with encryption software bundled and installed/setup keys with the default installation.
More people would probably use encryption if they were aware they can do it, had access to the software to do it, and had it setup/knew how to use it.

crypto is necessary for security (1)

bahamat (187909) | more than 13 years ago | (#371403)

I live in San Diego, and work for an ISP in Oaklahoma administering the network systems remotely over SSH. The guys out there handle all of the sales and such then e-mail to me the usernames and passwords, credit card info, demographics, etc. This is exactly the kind of information that /needs/ to be encrypted when sent over the Internet, especially for such an insecure system of data transfer as e-mail. If that stuff was sent in plain text I'd have hundreds of sucessful crack attempts, instead of a pretty tight and secure box. Even the best security measures will ammount to nothing if we broadcast user/pass combinations to just anybody who's watching.

Re:Encryption is a double-edged sword (2)

shokk (187512) | more than 13 years ago | (#371404)

For everything in life, gaining convenience means losing some form of security. Getting pissed at having to type that long keyphrase in all day long? You can set PGP to memorize it, but then anyone can walk in and fire off an email when your screensaver doesn't kick in. It's a trade off.

Re:keeping it private (2)

Moosbert (33122) | more than 13 years ago | (#371405)

I think the whole "envelope" analogy is mostly phony. The real reason that most people use envelopes is for physical protection (wear and tear, dirt) and for packaging convenience (folded letters, more than one sheet). If I had to send something secret I sure would try harder than an envelope.

A more appropriate analogy are the specially shielded and sealed envelopes that banks occasionally use to send you new PIN codes. But when was the last time you used one of those?

Re:I routinely encrypt my e-mail (1)

348 (124012) | more than 13 years ago | (#371406)

I genrally just don't send anything I wouldn't want the gov't to read. It's simpler to be safe rather than sorry.

Re:I sign more than I encrypt. (2)

CrusadeR (555) | more than 13 years ago | (#371407)

Same here.

The difficulty with encrypting everything at this point is that I communicate frequently with people who don't really feel inclined (at least, not yet) to get PGP or GPG; that and most of my e-mails aren't terribly confidential.

However, by signing everything, it may encourage people to find out for themselves what digital "signatures" and encryption involve after they repeatedly see "BEGIN PGP SIGNATURE" at the bottom of all my correspondence, in addition to the direct benefit of having some form of verification for e-mails.

Data hiding (1)

ostap (324734) | more than 13 years ago | (#371408)

Hm, if it is going that way then the bad guys will have no choice except to start hiding their encrypted data. I am trying to imagine FBI and CIA scanning all bypassing images and mp3 files for hidden patterns of data. Perhaps then someone will try to ban the steganography? Funny. Instead of making noise more money should be invested in developing cryptoanalysis techniques.

Re:keeping it private (1)

Bios_Hakr (68586) | more than 13 years ago | (#371409)

Once upon a time, we sent mail via telegraph, messenger, smoke signals, etc... Now almost everyone would shudder at the thought of sending anything more than "Hi, wish you were here." in the open via mail. People understand that things like:

1. Confirmation of product orders
2. Notifications of important events
3. Upcoming job changes

need to be kept private. If I want my mom to know that my wife is pregnant, I should have the right to tell her and noone else. If I order a large, black, metal-studded dildo for myself, only I should be able to see the confirmation.

Call me an optimist, but I belive that people will eventually see that privacy is a right. If you are in your own home, on the street, at work, or in legal trouble you have the right to a private conversation.

Also, why has noone pointed out that our government encrypts almost everything? I work for a government agency and nothing at all comes into or out of my office without encryption. If our government has the right to demand that information be kept secret from its citizens and enemies, don't we have the right to pprivacy from our government and out enemies?

Re:Feds want to hog the crypto to themselves (3)

Jerf (17166) | more than 13 years ago | (#371410)

Dear wideangle:

While I'm sure that your message is extremely interesting, informative, and thought provoking, I find that I am unable to legally decrypt it under the terms of the DMCA.

Would you please consider posting a message "in the clear" so we can all read the unprotected version, or is your message only for those who have licensed your decryption product so as to read your protected, copyrighted text? If the latter, where can we obtain such a license?

Sincerely, Jerf

How many really use it? (1)

tiny69 (34486) | more than 13 years ago | (#371411)

How many people _REALLY_ use encrpytion on a regular basis?

And I'm not talking about ecryption that is fairly transparent to the user, such as SSL or SSH. I mean, how many people go out of their way to encrypt every email they send? Not many. With all the people in this world who send email, I'd be surprised if one percent or two actually make a habit of encrypting email. And that's being generous.

How many of those that do use encryption use it for other than legal purposes? I bet that the percentage he higher than those who send email without encryption. Then law-enforcement officials step in and do one of the things they are best at (regardless on how illegal it may be), stereotyping. With that they can make broad claims such as "Criminals are more likely to use encryption when sending email." Regardless that there is no evidence to back that up. They do this to help fight crime by narrowing the focus of their resources.

The media and politicians take general statements such as the one above and distort it until it suits there own purposes. "Only criminals use encryption!" What's really scarey is the average citizen will not question such statements and accept them as being true! If they do question it, it along the lines of "I don't use encryption, my friends don't use encryption, so it must be true."

"When the Feds -- be they CIA, FBI, NSA, or Treasury Department -- discuss crypto, they make it sound as if anyone using it must be a child pornographer, drug smuggler, or terrorist."

Statements like that, as disheartening as they are, don't really surprise me. Don't be surprised either when politicians start passing laws making the use of encryption to further criminal activity a crime. Yeah, it sounds stupid, but laws similar to that already exist.

Re:I don't get it (1)

T. Emthrie (198024) | more than 13 years ago | (#371423)

Yeah, but in our society(ies) it seems to be simpler to just not write anything that you wouldn't want others to read.

Re:Why would i encrypt my e-mail always. (1)

philipm (106664) | more than 13 years ago | (#371424)

why is the bplan a different story? The big guys only buy who the voices in the head tell them to buy and the little guys buy what the voices in the tv tell them to buy.

The article writer doesn't understand that all corporations ARE "child pornographers, drug smugglers and terrorists"? Corporations are leaglly people and they are ALL assholes. They keep the profits to themselves and beat you, and so on.

You know, if you actually have nothing to say then you don't have to "encrypt it"? Why bother? You think your "secrets" are worth something?
Have you ever heard of having the courage to express yourself in public? No? I didn't think so.

In a way... (2)

Syberghost (10557) | more than 13 years ago | (#371425)

In the United States, we have such a bewildering array of confusing and, in some cases, contradictory laws, it is very nearly impossible to go through the day without violating a few.

So, since we're all criminals, in way anybody who uses cryptography is a criminal. But so is anybody who doesn't.

-

what's the point? (1)

sparkane (145547) | more than 13 years ago | (#371426)

Well, it's /.-ed. If the article is simply along the lines "Why don't people really use encryption on a daily basis? Is it just because it's for doing bad things?" then I have this to say:

Until people in general take a more serious-minded approach to computer security in their daily lives, speculating about why people don't use one tool or another tool is pointless, and basing speculations about the nature of the tool on that speculation is also pointless.

It all comes down to what we expect to be an adequate security awareness in the general net population. Apparently, not even sysadmins really take the time to truly safeguard the systems they run, as witnessed by the latest big credit card hack [slashdot.org] . If sysadmins themselves don't take security seriously enough to plug holes in their setup that are two years old, what will this imply about the general populace's attitude toward computer security?

Come back when electronic security has become more of an accepted part of our daily lives, and we can talk about whether crypto is for criminals or not.

Re:I don't get it (1)

fatphil (181876) | more than 13 years ago | (#371427)

They were obliged to weaken the law slightly when some activist types hinted that if the home secretary were to be sent "encrypted allegedly illegal information", which would almost certanly be just random data, he'd have to prove that he didn't know how to decrypt it. Impossible. So they weakened the law so that the authorities have to prove that you have a reason to know the decryption keys now.
Either way, it still sucks.
FatPhil
--

Re:Problems with Encrypting Email (1)

Higher Authority (245970) | more than 13 years ago | (#371428)

Why waste so much time to convey a simple thought? People (ESPECIALLY Americans; I being one of them can say that) are LAZY.

Re:I don't get it (2)

fatphil (181876) | more than 13 years ago | (#371429)

"Our societies"?
Do you live in China? In Iran? In Afghanistan? In Zaire? In Angola?
"simpler"?
jeeesus, I'm for once speechless.

You really need to get a perspective.

FatPhil
--

Re:Crypto convenience (1)

shokk (187512) | more than 13 years ago | (#371430)

When a person first sends you a PGP signed mail, you verify the message by checking to make sure that the contents of the email have been signed correctly and not modified. That way they email you the key and you can verify.

Also, if their key is compromised, any *encrypted* messages after that should be unreadable by them at some point. They could alert you with a plain text that they can no longer read your mail, which should be a clear sign that something is wrong. Of course, there's always the status of that last email you sent before the key was compromised...

What we need is a system that will verify transparently each and every time. Since getting a PGP encrypted mail is a rare occurrence for me, I always verify when I see it come in. For those that get them all the time, I can see where they might miss verifying that one email. I believe the X.503 cert system in use on most commercial email systems does this.

Since we don't know Thawte's or Verisign's hiring policies compared to the NSA, we can't assume that there are no black hats altering certs there, so similar precautions should be taken. Sign the first few mails to establish the trust, and encrypt from then on to always be sure.

Re:Problems with Encrypting Email (2)

mystik (38627) | more than 13 years ago | (#371431)

Encryption is not hard. Netscape, LookOut and LookOut express all have one-click access to e-mail encrytpion. The problem of course, is that users have to fork over $50 or so to verisign or whomever is the cheapest CA to get an e-mail encryption certificate. This is not pgp, but rather s/mime. (i believe that's what it's called) I currently have an OpenCA certificate (because they're free) but this does me no good because every install of Outlook will complain because OpenCA is not a trusted CA. (BTA, CA=Certificate Authority)

If we could get affordable (read: free) certificates to work with these clients,i believe e-mail encrytion usage would grow quickly.

Re:Routine encryption of email (1)

Skater (41976) | more than 13 years ago | (#371432)

We use Notes, too. Although I've seen the sign/encryption options in the setup (and I have signed checked), I'm hesitant to trust it. Here's why: I'm familiar with PGP and GPG, where you have to enter your passphrase, but Notes doesn't require that. (It's more of a personal expectation that causes me to hesitate rather than an actual problem.)

If I select encryption, will it automatically encrypt and decrypt the message? (I.e., the receipient will not have to do anything?) It's not encrypted from the sys admins using that scheme, right?

--RJ

Only in a Court of Law (3)

redelm (54142) | more than 13 years ago | (#371433)

You are innocent until proven guilty only in a British-origin Court of Law. Not in most Napoleonic-origin courts [Europe]. Not in the press or court of public option [OJ]. And not by the police.

Police have a hard job, but worst I think is the corrosive daily contact with criminals and their horrible acts. Without special precautions, they are sure to eventually see the world as made up of victims, perpetrators and cops [potential or actual].

A user of encryption doesn't much look like a cop, although in one way he is -- enforcing privacy and wiretap laws. A user of encryption doesn't look much like a victim, although they are potential victims of wiretap or other eavesdropping. So encryptors must be criminals.

Re:Do Such Email Clients exist? (1)

Carl Drougge (222479) | more than 13 years ago | (#371434)

Anyone know of clients like that?

No, but you can get more or less the same effect with most clients on OpenBSD:

Store temp-files on an MFS-filesystem (say /tmp).
Use encrypted swap.

Now the only place the file will ever be unencrypted is in RAM, and I doubt you'll ever be free of that. =)

(Well, anyone with r-access to the file while it's "live" in /tmp can read it, but still, it's much better than nothing.)

Riddle me this, riddle me that: (2)

psicic (171000) | more than 13 years ago | (#371435)

I've got a good one for you:
The Republic of Ireland and Britain have widely different laws regarding crytography.
So, take it that one country makes it illegal to withold your encryption keys, even providing for jail time and fines if you 'lose' your key and can't prove that the loss genuine. That same country can have a minister or local authority, among others, issue a warrent to police to seize your encryption keys. Also, ISPs are warrented to have systems set up to intercept and decrypt e-mails.
On the other hand, the other country makes it illegal for the police to force you to give them your encryption keys. Warrents are still the realm of the justice system and e-mails are not intercepted by-in-large.
Now guess which country is which: Ireland, which garners a relatively huge amount of IT investment from across the globe, and Britain, which doesn't get as much investment as its skilled workforce, developed infrastructure and cheap(er) overheads would seem to warrent.
As most of you may know, this big difference all came about with the RIP bill in Britain which introduced a lot of these draconian measures. At the same time in Ireland, legality of electronic signatures, privacy of encryption keys etc... were being insured by new legislation.
I amn't suggesting that this difference is the sole cause of the investment in Ireland, but it doesn't hurt the matter at all. Plus it also shows the demand for the legitimate use of cyrptography by big business.
Read this(old) wired story [wired.com] for more.


8)

Re:I routinely encrypt my e-mail (2)

xigxag (167441) | more than 13 years ago | (#371436)

00DD, ryptoc si oodg orf uttingp p3sm no imsterA!!1

Re:Crypto convenience (2)

SmellMyTeenSpirit (207288) | more than 13 years ago | (#371437)

How about instant messages? I don't know anything on this, but can say aol read your aol ims? Or how about the next step, could you encypt your instant messages? just wondering

ssh remote access (1)

MrChucho (23875) | more than 13 years ago | (#371438)

I use ssh for remote access to my home network. There's no way I'd use telnet... it's not that I have something to hide, it's just that ssh protects my personal information and resources (i.e. my home computers). ssh is as easy to use as telnet, too!

I also use ssh (and ppp) to create a VPN between my computer at work and my network at home since I need to work at home sometimes and my company won't provide a real VPN for non-modem users.

Encryption is safe (safer, at least, than plain-text), easy to use a good way to protect my privacy (which we all know, is constantly threatened).

Wireless (2)

Dust Puppy (63916) | more than 13 years ago | (#371439)

When we are all using wireless internet, cryptography will become essential to stop passers-by sniffing all the internet traffic. It is important that we work the bugs out of the software before then.

Re:I don't get it (4)

Cyberdyne (104305) | more than 13 years ago | (#371440)

There's always been the principle of innocent until proven guilty. But as soon as there's anything electronic in the picture, it's suddenly the opposite; you're under suspicion for anything and have to prove your innocense, and nobody seems to complain.

That's the problem in the UK: our beloved RIP Act reverses the burden of proof - the police can demand your encryption keys, and unless you can prove you do not have the key, you get locked up. Oh, and you aren't allowed to tell anyone else about it. You think the DMCA and UCITA are bad? At least you're allowed to tell people if you're charged with violating them!

keeping it private (4)

steve.m (80410) | more than 13 years ago | (#371441)

One way to look at using crypto is that you don't send postcards discussing private matters, you put a letter in an envelope so the postman can't read it.

I encrypt my email so only the recepient can read it - if the security services here in the UK want to read my email, they will use the RIP bill to get the private key and passphrase from me. At least then I'll know they are interested in me ;)

As an experiment... (5)

Bob McCown (8411) | more than 13 years ago | (#371444)

...about 3 years ago, a bunch of us started pgp-ing our email at work, both internally and externally. Within a week, an email from the IT department went around asking people NOT to use encryption, as 'it is causing an undue load on the mail server'. Baloney, they just couldnt read our mail any more....

Re:Email Always Encrypted (2)

vr (9777) | more than 13 years ago | (#371446)

What kind of software is used for this?

I routinely encrypt my e-mail (3)

Our Man In Redmond (63094) | more than 13 years ago | (#371448)

and send it to random friends all over the country, none of whom use encryption.

They have no idea what's in it, but more importantly, neither does the NSA!
--

Re:I don't get it (2)

LordArathres (244483) | more than 13 years ago | (#371451)

I completely agree with the previous post. Just because you are on the Internet and dont want your mail read as it goes through the various servers people think you are hiding something. The media are the most guilty of this, they jump on crypto technologies becuase "criminals" will use them. Yes they will and so will the Government and considering things sometimes its hard to tell the difference between the two.

Even if you are hiding something, Personal Info, Address, Telephone whatever its your business. I know this seems like a hard thing to fathom for the media but as soon as something is outlawed the only people that get screwed by it are LAW-ABIDING Citizens. Criminals will still get things like crypto and guns and drugs and whatever else government thinks we should not have. The thing that makes criminals criminals is that they dont follow laws so making something illegal wont matter anything to them.

Considering all the privacy issues and things happening on the Net and the world, we NEED crypto. Since I started at my current job I used to not care about personal info and such figuring that I cant be traced and found, ERR Wrong! Having access to public and non-public databases that I am listed in several times at every address I used to live at, I reconsidered my stance. The only people that should know what you wrote is 1. YOU and 2. The Intended Person and until that day comes we need to keep striving for privacy and better encryption methods.

Lord Arathres

Re:Do Such Email Clients exist? (1)

bacchusrx (317059) | more than 13 years ago | (#371456)

I suppose this isn't a spectacular solution for *email* per se, but, let's say you get an encrypted document and you want to decrypt it and read it without leaving any traces on your physical drive. Could you not, say, mount a floppy disk... copy the encrypted file over, decrypt it straight to the floppy disk and when you are done with it... simply burn the disk...?

A little convoluted, but it sounds safe enough.

BRx.

Re:Email is encrypted (1)

shokk (187512) | more than 13 years ago | (#371457)

"Sending meet me at the movies at 8" in plain text is a good way to let that sniper who's been tracking you to know where to park. =)

Gotta run! They're at the door!

Lotus Notes, and automatic crypto (1)

Anonymous Coward | more than 13 years ago | (#371458)

I work for IBM, so of course we use Lotus Notes. Quite frankly my feelings about it are mixed... But, it does allow for both encryption and digital signatures, which most people I work with use all the time. Why wouldn't you encrypt sensitive email? Anything marked "confidential" has to go in a locked drawer if you print it out, so why not a "locked drawer" when you send it?
More to the point, I like the fact that digital signing gives me a much stronger case if someone ever wants to call one of my decisions into question. Producing an email (or ICQ log ala eFront) is easy, but unverifiable. Producing a digitally signed message showing you had clearly stated your position is a godsend. (or a curse I suppose, depending on your actions...)
Anyway, I think cryptography has a much place in the civilian cooperate sector as the military.
Note: Yes, I work for IBM, and I use Lotus notes as an example. This is because it is what I am farmiliar with, and I'm not doing this to troll or advertise. Quite frankly, I don't care if you use it or not.

Re:In a way... (1)

shokk (187512) | more than 13 years ago | (#371459)

Sounds like a lot of other things in life get past you besides U.S. law.

Re:keeping it private (1)

Jens (85040) | more than 13 years ago | (#371460)

RIP bill... is that the "Rest in Peace(s)" bill?

"Hello, this is the FBI. We need your encryption keys. <BLAM> <BLAM> Thank you. Have a good day."

Re: Pegasus Mail for the Mac? (1)

namespan (225296) | more than 13 years ago | (#371461)

If you use windows, dos, or mac, I really can't see why anyone would use anything else.

Hmmm. After a brief look at pmail.com, I can't turn up any info about a Mac version -- looks like Dos/Windows only. Am I missing something?

--

Re:I routinely encrypt my e-mail (1)

kinnunen (197981) | more than 13 years ago | (#371462)

So basically you are making brute force decryption ten times more CPU expensive. Why not just add four bits more precision to your key and make brute force attack 16 times harder? Or better yet, add EIGHT bits and make it 256 times harder. Or 16b - no wait, 32 bits and...

--

I encrypt all email... (1)

tswinzig (210999) | more than 13 years ago | (#371463)

that is sent to the remote office... automatically, thanks to VPN.

Re:Crypto convenience (2)

TheSHAD0W (258774) | more than 13 years ago | (#371464)

Here's an example of "man in the middle":

Adam, a new user, generates a public key for himself and uploads it to a PGP key server. Zack, who has cracked and taken control of Adam's ISP, has set things up so all keys uploaded to or downloaded from a PGP key server are instead intercepted and replaced with keys of his own, which he can of course decrypt. From now on, anyone requesting Adam's key will get one of Zack's public keys instead.

Adam then downloads Bill's key from the key server, which is replaced by another of Zack's public keys. He encrypts an email to Bill with that public key, signs it with his private key, and sends it off.

Zack, who has also intercepted that ISP's POP and SMTP functions, intercepts the email. Since it was really his key that was used to encrypt it, he readily decrypts the email, re-encrypts it with Bill's real public key, signs it with the key he has placed on the key server under Adam's name, and sends it on his way.

Bill, receiving the email, has no reason to disbelieve that the message has been tampered with. Checking its signature with the one on file at the PGP key server shows it is genuine.

Given this sort of control, Zack can not only intercept and read all communications between Adam and Bill, he can also alter or generate completely bogus messages, and neither party would suspect unless Adam called Bill on the phone and compared key fingerprints.

The "man in the middle" attack is very powerful, and given control over DNS functions and the ability to provide altered file distributions, can be used to subvert every encrypted protocol used, including https and ssh2. If the upgrade of Netscape you just downloaded has been modified and its root security keys have been changed, you can kiss your privacy goodbye.

The article is completely outdated (2)

Ektanoor (9949) | more than 13 years ago | (#371465)

Crypto is needed to secure information from being sniffed, accidently or purposedly seen by a third party or to avoid its diffusion over the limits you set it to be distributed. And crypto is used not only to exchange informations between different parties, or to hide secrets. For example we and many other networks use ssh, VLANs, VPNs and other tools to administer servers, communication equipment or to create private information channels. And most of these tools possess encryption algorythms to avoid information leakage.

For years many organisations use crypto tools for their tasks. And I am pretty sure that Government Agencies even partially support such use. The problem here is not the use of crypto but which crypto tools are used. Unfortunately, here Agencies do play the wrong hand. Their ideas, porposals about crypto are clearly out of sync with modern needs. They would like to see us using those tools that would ease their work. Sorry but it is pretty clear that today these same tools are just easy enough to be broken, bugged or overcome by criminals, terrorists and spies. Some can even be broken by teenagers due to some stupid design flaw or something similar. Anyway, most agencies may accept their defeat, no matter the hardships they fall in, because they have a duty in priority - secure their countries from different types of menace. So the may say some bad words about PGP, SSH and similars but still don't do a finger against them.

And I do believe that most agencies don't speak about crypto users as crooks... With exception of police forces lacking basic infrastructure and knowledge about Internet. There yes, they think they can "secure the world" for you. They look at you with such wild eyes when you say that you use crypto tools to administer the network. Yes, these ones do ask "what you wanna hide" and similar things and look at you most as a gang boss. But these people are not those who decide should crypto be used or not... First there are regulations and laws. Second the control on the use of crypto tools is mostly given not to police but to intelligence agencies. So you may say "go walk" if the guys don't understand your work.

But there is also a group of organisations that for the last years started to talk too much about crypto, hacks and open standards/sources. And speak about their supporters and users asd terrorists, crooks, pyramid makers and criminals. These organisations are the software corporations. I wouldn't be admired that the author messed things a little bit. Note that he first speaks about Zimmerman vs. Network Associates and the fact that these guys wanna hide something. And only then he speaks about the Agencies. I wouldn't be admired that N.A. started a campaign against Zimmerman and started to claim that opening everything would only help criminals and crooks. And calls to help the poor Agencies that live so badly in this hard crypto world...

Re:I don't get it (2)

Ig0r (154739) | more than 13 years ago | (#371466)

Yes.
You'd better not ever say anything bad about anybody, or especially the State.
We wouldn't want our citizens to be unhappy, so We're outlawing 'bad' thoughts and 'bad' speech.
As long as you don't let anyone else know that you're not happy, then everyone will be happy!

--

Re:Problems with Encrypting Email (3)

Alien54 (180860) | more than 13 years ago | (#371467)

Users don't want to learn. Users think (not unreasonably) that programmers should make programs work the way the users think they should, instead of demanding that users learn the way the programmers think the program should work.

Actually, it is more a matter of thinking that they do not have the time to mess with it. Anything that would take an evening or two of reading and practice will usually get blown off by someone as too much time.

Let's face it, who has an evening or to do something or study something that is not a primary function of your job?

Granted, studying something to get a handle on it makes your job easier in the long run. But you have to be able to get over that first hump. Since many folks have a stimulus response association between pain and study, I wonder why they avoid it when they can.

;-)

Also, the learning curve for technolgy is made up of an awful lot of little things that the average slashdot reader considers intuitive, but which many users are lacking. Anyone who has taken a look at the Computer Stupidities pages has a catalogue of things not fully understood. Once you have finished laughing at the stories, it is an interesting exercise to go through them to a) figure out what is it that the person does not understand, what their blindspot is - and b) how to educate the person in order to handle this. This is excellent training for tech support. It blows you mind after awhile, too.

"No one encrypts mail" but all encrypt credit card (1)

Anonymous Coward | more than 13 years ago | (#371468)

The /. article header makes it sound like crypto is rarely used by the layman. But, what about buying stuff over the web? Nearly all web stores use SSL during the actual sale transaction. *Most& people do use crypto here, even if they don't realise it.

The bottom line is, people use crypto WHERE IT COUNTS. Usually this is when dealing with anything related to money. And no one is coming out against this use of crypto. In fact it's been strengthened in most browsers from 40 to 128 bit strength.

PGP hard to manage with mailing lists (2)

Nonac (132029) | more than 13 years ago | (#371469)

There may be management tools that I am not aware of, but it has been my experience that PGP is hard to impliment when you are sending a message to a large mailing list. You have to know everybody on the list and encrypt the message to each of their public keys.

Don't get me wrong. I am all for PGP, but this is one problem that I haven't found an elegant solution for.

I currently use PGP only for sensitive email, but I would like to be able to use it for all internal email.

Re:As an experiment... (1)

xigxag (167441) | more than 13 years ago | (#371470)

In actuality, it is good company policy to encrypt email. The evidence against MS would've been much weaker had they used a program like Disappearing email [disappearing.com] , which self-destructs your memos after a predetermined period of time.

Re:keeping it private (2)

Ig0r (154739) | more than 13 years ago | (#371471)

Yes, but citizens also shouldn't be limited to the minimun 'flimsy' encryption. Just as I am free to use as much packaging as I wish to send a letter, I should be free to use as much encryption as I wish to protect the privacy of an electronic message.

And the other thing is that with the USPS, you're using their employees and resources to send a package, so they should be concerned about their safety. But with an electronic message, I'm only using public areas (public networks [the internet], or maybe even sneakernet), and the government (or whomever) shouldn't be concerned with what I'm transporting because it isn't going over their lines.

--

Re:Why would i encrypt my e-mail always. (3)

Sinesurfer (40786) | more than 13 years ago | (#371472)

there wasn't anything new in the article but two points which it did cover were
  • encrypted traffic is easy to detect and
  • ppl tend to forget about temp files which can contain an unencrypted copy.
the first point doesn't bother me until the traffic is easy to decrypt. the second point is a common occurance [even though i hate to generalise]. the only simple solution i've found is an app called evidence eliminator [for which i do not work or hold any type of equity].

this program is more paranoid than me [which is a healthy sign]. my fave feature is that it does clean out your windoze 9X or NT swap files.

if you work with information which is sensitive enough to require encryption then erasing [using multiple passes and re-writes to erase] your temp files is essential to guard against your HDD being compromised.

the issue of authenticating the recieptant wasn't dealt with in this article but a link to this story - http://www.infoworld.com/articles/ca/xml/01/03/12/ 010312camentor.xml [infoworld.com] called USPS delivers a digital, signature-certified mail system dealt with how the US Postal Service is dealing with identity authentication when sending email to a US Federal Govt address.

Personally, i'd be happy if the NZ IRD [Inland Revenue Department] issued me with a personal digital ID. my employer issuing a second for work email would also be great.

Anybody should use crypto on sniffable links (1)

/Wegge (2960) | more than 13 years ago | (#371473)

My company is about to implement a VPN solution that is base on some sort of SSL. I'm not into the details, and I don't really care, as long as we get rid of the dial-up connection as the only way into the system.

The important thing about the setup is that it is encrypted to the point where it doesn't matter if we hook up to a customers network and use their internet connection, not even if we have to discuss exactly how much they are going to pay for an Ad-Hoc change to the system while we are onsite. Anybody can see the benefits of this setup, or rather the problems of not securing the communication.

But when it comes to home broadband access, it's a totally different matter. Here in Denmark, most of the cable companies are also providing a network connection of some sort. In most cases, the setup is such that anybody within a block of flats can sniff the traffic to and from the rest of the flats in the same block. In such a setup, it is vitally important that you believe really much in the integrity of your neighbours, or cover up your network traffic.

If crypto is outlawed... (2)

chabotc (22496) | more than 13 years ago | (#371474)

If crypto is outlawed, only outlaws will use crypto? Its a bit cheesy, but i think in this discussion it makes sence, if we consider crypto to be for outlaws only, we de-educate the people, and tell them that using crypto is like being an outlaw.

However my buisnessplans, source code, very private emails to girlfriend and secret documents, etc are very valueable to me, if the competition gets a hold of them, im screwed. So when i send them out encrypted, am i an outlaw? Hell no, i just dont want every script kiddie to get his hands on my info/passwords/documents/etc..

Crypto is about more then just hiding stuff from 'The Man', its about keeping things private from all people.

Thereby, does paying with a credit card over a SSL connection make me a criminal 'cause i dont want every script kiddie to have it ? :)

-- Chris Chabot
"I dont suffer from insanity, i enjoy every minute of it!"

Automatic (2)

Tarquin Sidebottom (239733) | more than 13 years ago | (#371475)

The problem is, encrypting email is a lot less automatic than when encryption is used for secure web transactions. When I visit and want to buy something I don't have to manually get their key, click the encrypt button, enter keys, send. No all you have to do is check that you've entered a secure zone. If in email programs all you had to do was click the "use encryption" tickbox and have the program sort all the details out then a lot more people would use encryption.

Re:As an experiment... (1)

cicadia (231571) | more than 13 years ago | (#371476)

an email from the IT department went around asking people NOT to use encryption, as 'it is causing an undue load on the mail server'

That's absolutely ridiculous... encryption and decryption have to be performed on your workstations (or else there's not much point to it) and so there can't be any extra load on the server. In fact, there should be less load, since PGP always compresses the plaintext before encrypting it.

Lower storage costs, less network traffic... we should campaign for mandatory encryption just on those grounds :)

Re:Why would i encrypt my e-mail always. (1)

PacMan (15605) | more than 13 years ago | (#371477)

there wasn't anything new in the article but two points which it did cover were
  • encrypted traffic is easy to detect and
  • ppl tend to forget about temp files which can contain an unencrypted copy.
the first point doesn't bother me until the traffic is easy to decrypt. the second point is a common occurance [even though i hate to generalise]. the only simple solution i've found is an app called evidence eliminator [for which i do not work or hold any type of equity].

Or, you can use an encrypted filesystem so even temp files are unreadable without the system keys.

Physical and network secureity then become important, because if they can compromise your system while you are logged-in and the filesystem is mounted, they can read anything.

Here too (1)

Lysander Luddite (64349) | more than 13 years ago | (#371478)

My friend told me he's worried about the same thing here in Melbourne. There's not enough security conscious companies out there and even fewer mainstream users. I think because since WW1 encription has been a primarily governmnet led field. Previous to that a lot of encryption theory was done by mathematicians. At least that's what Discovery Channel says.

But it seems the US government wants to capitalize on the ignorance of encryption to control it's image. Instead they should encourage its use and development.

I sign more than I encrypt. (2)

_Shad0w_ (127912) | more than 13 years ago | (#371479)

The function of gpg I use the most is the signature, I very rarely use the encryption functions, in fact the last time I got an encrypted e-mail was 5 months ago and it was the new root password for a system I admin.

Quite frankly if the police have a desperate need to know the root password on a server I admin, then they can have it...if they want to get in that desperatly they will anyway.

Simple fact is, if the police want into your data, they will get in eventualy...I have nothing that I desperatly need to hide, just things I would rather keep to myself. I mean, if you can't trust the police, who can you trust.

That was irony for the humourly challenge.


--

/tmp files, swap files, and RAM. (1)

Anonymous Coward | more than 13 years ago | (#371483)

ppl tend to forget about temp files which can contain an unencrypted copy.

This used to be a hobby of mine when I was bored back in college.

I'd log on the the local Unix cluster and probe the /tmp directory for anything interesting. I'd look at what people were editing, etc. Sometimes the files were writable (their umask set to 000). Insert some typos! Heh. Binary files would get run through 'strings' to look for goodies.

strings was especially good to use on the swap file. /dev/mem and /dev/kmem may have been protected, but the swap was wide open and often contained things like passwords. Muhahahah!

Other tricks? create a file, seek to some far off location like 10000000L, write a byte there, close the file. Then open and search the file for interesting things. Early unix did not zero out newly created files, so you could browse stuff that was earlier rm'ed and left intact on the disk. Woo hoo! Deleted pr0n!

Ditto memory. malloc some big block of memory and then dump it to disk and search for interesting data left in there. I got the root password with this one. Tee hee!

Where? (1)

pcgamez (40751) | more than 13 years ago | (#371485)

So, if I was very interisted in encrypting data on my HD, where would I go about getting software to encrypt it well enough that then FBI technicians would be swearing my name for a month?

Re:Paranoia level (1)

xigxag (167441) | more than 13 years ago | (#371486)

Most people employ a sort of "steganographic" calculus in their decision that it's not worthwhile to encrypt email to begin with. After all, there are billions of pieces of email sent every day. why would anybody want to read my message to Grandma? In essence, my daily, banal emails are hiding in plain sight.

And when it comes to more sensitive information that really does need to be encrypted, such as credit card info, it's customary to go to an SSL-enabled site to do so. So most people, I think, instinctively choose a level of security which is appropriate to their situation.

On more than one occasion I have accidentally received incorrectly addressed email intended for another recipient. In the vast majority of cases, it's like, "See you Thursday at the ball game, Michael." However, I did once receive a large (>1 MB) corporate spreadsheet with sales figures and such. I wrote back to the sender and she asked me to please delete it asap. It would certainly have been better for this person had she encrypted the message beforehand.

Re:I don't get it (1)

KyleCordes (10679) | more than 13 years ago | (#371488)

How could you possibly prove, ever, that you do *not* have the key?

Anecdotal evidence (1)

GeorgeH (5469) | more than 13 years ago | (#371489)

I used to be really proud that I signed all my e-mail with a PGP signature so that everyone knew that it was really me sending the e-mail. Then I got curious as to whether anyone was actually checking my signature, so I copied a signature from an old message into a few messages to mailing lists that I'm on. These are fairly geeky mailing lists, one regularly talks about crypto, another was a LUG list. Not a single person noticed the wrong signature. I don't bother to use PGP anymore.

Crypto is only as good as the other people using it.
--

Re:Do they? (3)

jimhill (7277) | more than 13 years ago | (#371491)

The Holy Trinity for law enforcement is terrorsists, drug lord, and pedophiles. Whenever they argue for an expansion of power or a diminution of personal freedom they cite the Trinity and count on people like you to fall in line.

See, unlike (apparently) you, I don't happen to believe that the world is filled with wave after wave of pedophiles, held back only by the heroic efforts of American law enforcement. I believe that there are a few (relative to the hundreds of millions of Internet users of the world) who are some truly sick and demented bastards -- but I don't see how giving the government the authority to limit my encryption capability is going to reduce that.

I don't happen to believe that drug lords are a bigger threat to The American Way Of Life than the War On Drugs is. The wholesale discarding of the Bill of Rights (save the 3rd Amendment) in pursuit of the goal of eliminating a product that millions of Americans have decided for themselves is morally acceptable despite being illegal is what _I_ see as a threat. No one ever worries about Cotton Cartels and the evil ill-gotten gains of the textile lords. Make drugs a legal product whose business is conducted in the light of day with FDA and IRS oversight and the drug lord billionaires will go away. And it doesn't even require encryption limits!

Lastly, terrorists. This one got a huge boost after Tim McVeigh expressed his displeasure with American policy and the destruction of TWA Flight 800. The fact that 800 was destroyed in what was most likely a highly improbable but not impossible set of coincidental circumstances has had no effect on the certainty of many Americans that somehow, Moslem Extremists were involved. After all, planes with Americans on them never have anything bad happen to them unless there's a Moslem in the picture. McVeigh's actions, on the other hand, were horrible, evil, unjustifiable, and utterly unstoppable with limits on encryption. There was face-to-face communication with his partners and the purchases, truck rentals, etc. were all done in the light of day. Reductions on _our_ freedom could not have stopped him anymore than they could have stopped the men who bombed the World Trade Center.

Ah, you say, but some terrorist groups _have_ been caught when their coded messages have been intercepted and broken. We _have_ saved lives and preserved the order and safety of our American Way Of Life.

I don't care. I really don't. The fact that expansion of police power leads to expansion of arrests is a given; the question under discussion is "To what degree are we prepared to accept limits on our freedom and our privacy in exchange for the increases in a dubious public safety?" I say None. Yes, advances in technology make law enforcement's job harder. Tough titty. My life as a free man doesn't come with conditionals that can be dialed back if John Law finds himself having a tougher time. If encryption makes the time-honored wiretap (itself a disgusting violation of privacy) obsolete, then so be it.

Responding to your concluding comment that the crimes of the Trinity aren't important to fight: they are -- but they aren't nearly as important as the continuation of freedom and privacy. If my privacy means that one more child gets used in a porno flick made by a deviant, so be it. If it means that one more kilo of cocaine sneaks into the US undetected, bravo. If if means that US-Irish are able to raise money and ship it to Northern Ireland to further a bullshit revolution that kills innocents or that the bullshit revolution comes to my own soil, I can accept that. I do accept that. I would urge you to do so as well.

Crypto at work (1)

Kondoor (135852) | more than 13 years ago | (#371492)

I just recently wrote a company wide policy regarding the use of email. In the policy it is now mandated that when sending any information over the internet that may contain client information it must be encrypted. Each user is then audited at a random basis and checked to ensure they are following the procedure if not, termination of that employee is possible.

Paranoia level (2)

cheezehead (167366) | more than 13 years ago | (#371493)

It all depends on how paranoid you are. Most of the time, I don't care at all if someone reads my e-mail. Just wasted time for the fool that goes through the trouble of intercepting it.

Sometimes I do care, so I'll encrypt it. A bit more hassle for the recipient, but worth the trouble. We're talking competition sensitive stuff here.

Then, if you're really concerned about interception, you should probably think about steganography. This is the art of hiding the encrypted message so that it won't be obvious that there's an encrypted message being sent. For example, you could hide your encrypted bits inside a picture or an audio file. There is software available to do this automatically. The security advantage is that the message needs to be recognized as being encrypted in the first place, which is not all that trivial.

For most of my messages, all this is way too much trouble. But I guess criminals would find this attractive...

Re:Email Always Encrypted (1)

Alpha Prime (25709) | more than 13 years ago | (#371494)

Netscape and M$ both support SMIME, so most of us use Netscape under Linux while some of the others use OE under M$. Its a mixed shop. Verisign has a personal cert available for $14.95 a year and everyone at the shop has one, even the secretary.

Plus, we try to be a bit terse with the subject so that it will not provide targeting information.

Antagonise the spies (1)

RiotXIX (230569) | more than 13 years ago | (#371495)

I'd consider using crypto just to piss off carnivore.

Re:keeping it private (3)

cicadia (231571) | more than 13 years ago | (#371496)

if the security services here in the UK want to read my email, they will use the RIP bill to get the private key and passphrase from me

I wonder, what grounds could any government, especially one which wants digital signatures to be binding [parliament.uk] , possibly have to ask for your private key and passphrase?

I could understand the utility of a bill like that if it allowed the government access to a session key for a particular message. Without giving them your private key, they would be able to decrypt that message only, and they could get the information they were after. Hell, if they wanted to, they could even ask for the key to each and every encrypted document on your computer, and there's no reason why your crypto software couldn't provide it to them.

If you have to give up your private key, though, they have automatic access to every document which has ever been encrypted to you, or will be in the future (cancelling a compromised keypair is still one of the messiest areas of cryptography, and it gets worse with every person who gets your public key). Not only that, but the government could then use that key to impersonate you, forging any document they want and digitally signing it.

I don't know of any crypto software right now which would give you access to just the session key for a particular message... or whether lawmakers would consider restricting their power in this way... are there any UK privacy advocates out there with more insights on this law? How far does it go? Could we use something like this to get a bit of privacy back?

Hacked email account (1)

Anonymous Coward | more than 13 years ago | (#371497)

The question should be "Is not using crypto begging for trouble?" in which I would promptly answer yes. I've recently had my email account hacked (or I'm under that suspicion) and I've had to move to a more secure online email service which offers encryption among other security features. The breached account wasn't my primary address where I send and receive ultra-sensitive email, but whenever you recieve attachments of your own log-in screen (among other odd events) it still pisses you off.

I'll be the first to admit I got sloppy, but now I encrypt all my email. If that makes me look like a criminal, so be it.

Just to annoy them... (1)

RussGarrett (90459) | more than 13 years ago | (#371498)

I routinely use crypto for every message I send. If it is confidential, nobody can read it - so much the better. If it's a routine meneal message, it's pissing the NSA/GCHQ off - none the worse.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?