×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

An Introduction to GNU Privacy Guard

michael posted more than 11 years ago | from the can-never-be-too-cautious dept.

Encryption 121

An anonymous reader writes "This is a great article about GnuP . . . "In the first half of this article David Scribner discussed the various uses that GNU Privacy Guard could bring to your business or personal life in enhancing security of your digital documents and files, as well as the basics in getting started with GnuPG. As there is so much more to public-key security than command-line operations, in this second half I will continue with importing and exporting keys, building (and keeping) your 'web of trust' sound, and a few of the more popular GUI front ends available for GnuPG . . ."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

121 comments

FP! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4339266)

Do you? [fuckedcompany.com]

Yes. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4339336)

Yes! Yes! Yesssssssssssssssssssssss...

Sorry, just reading that thread resulted in a spoogefest. It won't happen again, I promise.

Well, unless you care to join me in a group jerk. But no taco-snotting, please, I'm Swedish.

Should I aerate my lawn tonight? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4339273)

Well? Should I aerate or just seed it?

Re:Should I aerate my lawn tonight? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4339291)

You should fuck it. With a traffic cone. And then place the pointy end of said cone in your ass, so you can fill it - remember, faecal matter can be great compost material.

Your fellow uphill gardener,

Anonymous Coward

Re:Should I aerate my lawn tonight? (-1)

Yr0 (224662) | more than 11 years ago | (#4339301)

aerate aerate, then masturbate.
its good plant food.

Ok... (1)

GreyWolf3000 (468618) | more than 11 years ago | (#4339295)

Warm and fuzzy feeling aside, how do we convince companies to use this? Is it at all possible? Are there any success stories (I know it's new and all)?

Re:Ok... (0)

Anonymous Coward | more than 11 years ago | (#4339634)

The team I'm in implemented gpg for simple file en/decryption and transfer. It has worked flawlessly.

Re:Ok... (2, Interesting)

Anonymous Coward | more than 11 years ago | (#4339892)

One small success story for our small e-commerce company. We need a method of securing credit card numbers for long-term storage after the sale (yes we needed to do this). To do this we used GNUPG to create a "data vault" that ensured that credit card numbers in storage would be safe even if a hacker gained complete control over the machine.

We used GNUPG to split the public key and private key across two machines. The first machine is our public web server and can encrypt and store the credit card numbers with the public key but not decrypt the them. The second machine (very secured and locked down) can encrypt the data but doesn't have access to the stored credit card numbers. A third machine (in this case a browser) shuttles the between the systems when it is needed. Since the machines are widely separated it makes any successful attack much harder.

We chose GNUPG because it already had robust public/private key encryption built in and used an open standard for representing data so that data recovery would be possible even 10 years from now. The only complaint is that there was no API available so we had to create a COM wrapper for it (yeah I know it was a IIS/ASP site).

If anybody is interested in the source code for the COM wrapper it can be downloaded here:

http://www.i15.com/video/gpg2.zip

Normal disclaimers apply. I take no responsibility for what it may do but we have used it without complaint. Only works when GNUPG is in batch mode. It is one of those things that I always meant to release under the GPL but didn't get around to it because I never did documentation. BTW here is how it works:

Set gpg = Server.CreateObject("qwerksoft.gnupg")
gpg.SetPath %Path%
gpg.SetRecipient %Recipient%

s = "Text to be encrypted"
Response.Write s + vbNewLine

s = gpg.Encrypt(s)
Response.Write s + vbNewLine

s = gpg.Decrypt(s)
Response.Write s + vbNewLine

Maybe if a few more people use this it will reduce the number of stolen cards floating around.

Re:Ok... (1)

Alexander (8916) | more than 11 years ago | (#4340091)

Yep. OS X - GPG with Mail, Fire (chat), and for file storage.

Inter and Intra company communications.

Combine it with SSH access to file servers and other resources, OpenSSL web services, hey who needs a Checkpoint/Cisco VPN?

Re:Ok... (2)

Bagheera (71311) | more than 11 years ago | (#4340370)

Yes, we can at times convince companies to use it. I work for "a small hardware manufacturer in the Valley" that has/had a licensing arrangement for the commercial PGP application - that cost a fair amount of money per seat. Many of our Engineers adopted GnuPG for thier Solaris and Linux boxen and use it daily. I (and several of my co-workers) use it in our department, and we actively promote it's use throughout the company.

It can work quite well, especially when you get a couple of tech-savy executives clued into the concept of using digital signatures on their documents.

Technology triumphs qjkx (0)

Anonymous Coward | more than 11 years ago | (#4339297)

Remember this can be used to copyright stuff as well. But technology should always win, and we can defeat it or more likely ignore "copyrighted" stuff.

The Anonymous Reader (3, Interesting)

Amazing Quantum Man (458715) | more than 11 years ago | (#4339305)

"the first half of this article David Scribner discussed ..., in this second half I will..." (emphasis mine).

Gee, could the "anonymous reader" be David Scribner giving himself a shameless plug? See the above quote.

Re:The Anonymous Reader (2)

Amazing Quantum Man (458715) | more than 11 years ago | (#4339320)

Whoops! Sorry, the section was blatant cut and paste, not plugging.

Re:The Anonymous Reader (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4339397)

Yes. The summary listed on slashdot's front page is a quote from the second half of the article. I believe the reason that the awkward phrase exists is because David was worried about continuity issues when DesktopLinux republished the article in two parts. When David originally wrote the article for LinuxGuru.net, he had intended the work to be one long part.

Did David submit it hismelf? Probably either he or one of a small handful of people that know him (not I personally).

But if that's the case, why as an "Anonymous Coward?" I can only speak for myself, but I so rarely make comments or submissions at slashdot that the need to remember another password and the storage space for account info at slashdot would be wasted.

James Blackwell, LinuxGuru.net [linuxguru.net]

Excellent article! (1)

I Am The Owl (531076) | more than 11 years ago | (#4339309)

I'd just like to commend the author for an excellent article on how to protect your privacy from spying government eyes on the Internet. Now all my friends can:
  • Read PGP messages I send them
  • Encrypt messages they send to me
  • Sign their messages and
  • Verify messages that came from me
This is just the first step in the great battle for our Constitutional online rights, but it's a good one. As long as I have something to keep them from tying all my information together in a giant government database and crossreferencing them to steal my organs when I die, I can sleep at night.

Re:Excellent article! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4339379)

This is just the first step in the great battle for our Constitutional online rights, but it's a good one. As long as I have something to keep them from tying all my information together in a giant government database and crossreferencing them to steal my organs when I die, I can sleep at night.

Dear Sir,

We don't give a flying fuck about your rights. But what we do care about is being able to fuck you in the ass. Turn around and spread, please.

Yours sincerely,

The White House Crew [whitehouse.gov]

Really that useful yet? (5, Informative)

wackybrit (321117) | more than 11 years ago | (#4339321)

I know new systems and apps create a bit of a chicken-and-egg situation.. but what about this:

Today, I use GnuPG for a variety of tasks. Whether it's to sign and encrypt documents and contracts submitted to businesses, encrypt local files, or merely sign email and files to ensure others that no modifications have occurred to its content, I have found GnuPG to be a 'must have' utility kept close at hand when using my PCs.

Documents submitted to businesses? Signing e-mail and files?

Signing these sorts of things is a good idea, but just how many businesses are going to have GnuPG at this time. And, since you can get the files out of the e-mail without HAVING to use GnuPG (GnuPG just checks the authenticity), it doesn't really encourage people to go get it either.

Considering most people are Joe Schmoes using Windows, I can't see how using GnuPG (or even PGP, for that matter) to sign things is going to help anyone at this stage.

Outlook Express is the most common e-mail client out there today and from all the e-mail I get.. I'd say that far less than 1% of its users actually use the signing and encryption features that are BUILT IN! GnuPG is an add-on, at best.. so can we really see millions of people using this?

Until the public learn more about security, how it works, and why it should be used, I think not.

Re:Really that useful yet? (1)

AxelTorvalds (544851) | more than 11 years ago | (#4339552)

It's OpenPGP compatible. There are a fair number of businesses that have PGP. I've been using it daily with someone that is using PGP 7.1 for a couple months now.

There are plugins for Outlook on windows too, it works great.

Re:Really that useful yet? (2)

reverse flow reactor (316530) | more than 11 years ago | (#4339565)

location: a non-descript office

user receives email. Around the message is a GPG signature. "Hmm. what's that for?" the user asks of the person who sent the signature.

The PGP signer replies back "That is my PGP signature. That is your assurance that the email that you just received from me is authentic. You can trust emails that are PGP signed"

user: "How do I use this PGP? Where do I get it?" ....

and thus it is introduced to the people the PGP user emails as a tool for verifying email authenticity.

Re:Really that useful yet? (0)

Anonymous Coward | more than 11 years ago | (#4339848)

More like...

user receives email. Around the message is a GPG signature. "I couldn't read your fucking email, send it to me in a word .doc like you're supposed to".

Seriously, people aren't like that. They want to believe that the way they're doing things is the right and only way, and they're unwilling to try and figure things out.

Re:Really that useful yet? (1, Informative)

Anonymous Coward | more than 11 years ago | (#4340033)

A more likely scenario (and one that I've witnessed personally) is that the recipient asks "Hey, can you please stop attaching that annoying signature thing to all your emails?"

Re:Really that useful yet? (5, Insightful)

mcelrath (8027) | more than 11 years ago | (#4339696)

I know new systems and apps create a bit of a chicken-and-egg situation.. but what about this:

...

Until the public learn more about security, how it works, and why it should be used, I think not.

So you state it's a chicken-and-egg problem and then go on to demonstrate it's a chicken-and-egg problem, adding nothing to the discussion. Then you say we all shouldn't use it, because it's a chicken-and-egg problem. Give me a break! Here are a few ways to crawl out of the chicken-and-egg situation:

Signing your e-mail makes GPG visible to those that don't know yet. Every once in a while someone will actually look at that attachment, follow the little link, and maybe learn something. For technically saavy users, this is simply tech evangelism. Someday we will all learn in high school how to manage our private keys, instead of teaching us how to fill in the blanks on a check. I have personally converted 4 or 5 friends (and my dad!) to using it.

I use GPG to store sensitive information. I keep a GPG-encrypted file with passwords (mostly for websites) in it. That way for each %@#(&@$ vendor that insists on storing my credit card info, I can generate a 20-character random password, put it in this file and forget about it.

As a system administrator, I have had many occasions where people want an account but I'm not physically nearby for them to type in a password. I usually point out GPG saying that if they used it, I could send them a password. Since they don't, they'll have to wait a few days until we can be in the same room. Again, it's evangelism.

I pointed out gpg to my bank [umbrellabank.com] for account-related communications (but they don't seem to get it yet...they're a bank). Everybody else ask your bank about it too. It's evangelism. The squeaky wheel gets the grease.

And most importantly, I encrypt love letters to my girlfriend. Don't want anyone reading that stuff. ;)

Making the public aware that this kind of technology exists is, in my mind, the single most important revolution happening today. It is the key to take back freedom from our oppressive government (and the even more oppressive governments out there). It is the key to the electronic money of the future. It is the key to the electronic contract of the future (this click-to-accept shit has got to go). I definitely don't want to "click" to buy a house. As long as we keep them ignorant and don't evangelize, we can guarantee we will never see the electronic future we read about in books.

-- Bob

Banks are teh sux. (1)

wackybrit (321117) | more than 11 years ago | (#4340305)

I pointed out gpg to my bank [umbrellabank.com] for account-related communications (but they don't seem to get it yet...they're a bank). Everybody else ask your bank about it too. It's evangelism. The squeaky wheel gets the grease.

That might be possible in the US since you have regional banks and actually get to talk to people there.

In the UK, all of our banks are national, and very very faceless. Not many people have 'bank managers' anymore, and even people with big money have 'account handlers' instead. You can talk to stupid 'business advisors' at the bank, but only at certain branches. Good luck trying to give a bank advice in this country!

And most importantly, I encrypt love letters to my girlfriend. Don't want anyone reading that stuff. ;)

I wouldn't want a girlfriend who's geeky enough to decrypt encrypted e-mails though!

Re:Banks are teh sux. (1)

mcelrath (8027) | more than 11 years ago | (#4340553)

I wouldn't want a girlfriend who's geeky enough to decrypt encrypted e-mails though!
Hey now, my girlfriend is HOT (ask anyone!) and loves PENGUINS and yeah, she can figure out GPG. She's the one in CS after all.

Yeah, I'm lucky.

Re:Banks are teh sux. (2)

wackybrit (321117) | more than 11 years ago | (#4340591)

Chance of Slashdotter having a girlfriend: 1 in 10.
Chance of that girlfriend being HOT: 1 in 214
Chance of a HOT girlfriend studying Computer Science: 1 in 4,735,286

Oh no, all your combined probabilities have lead to the world's lowest probability and have caused the inprobability drive from 2217 to go into a spasm and cause a quantum paradox! WE'RE ALL GOING TO DIE AND IT'S ALL YOUR FAULT!

Re:Banks are teh sux. (2)

F1re (249002) | more than 11 years ago | (#4340969)


My girlfriend is HOT and so are the GPG messages she sends me when she knows that nobody else can read them...

Re:Banks are teh sux. (2)

wackybrit (321117) | more than 11 years ago | (#4341007)

Question..

If you have girlfriends, why the hell are you on this site? This site is for sad assholes like me who have nothing better to do than troll to get some attention in our pathetic little lives (I'm not joking, and I'm not going to post this on Anonymous Coward for once).

Chickens and eggs (1)

Vainglorious Coward (267452) | more than 11 years ago | (#4340318)

I have never understood why people use this phrase. The answer to "which came first?" is quite clear : the egg, by many millenia. The first chicken was a mutated version of its non-chicken parents, but it hatched from an egg.

In this case, "chicken & egg" actually is a useful metaphor, but not in the way the original poster means. We already have the egg (ability to use strong encryption); tech evangelism of the kind you describe will bring us chickens.

Re:Really that useful yet? (0)

Anonymous Coward | more than 11 years ago | (#4340824)

did you also convert 4 or 5 friends (and your dad) to homosexuality as well?

MOD PARENT UP (0)

Anonymous Coward | more than 11 years ago | (#4340877)

mwahwhwahwaha!!! That is great.

Sure (1)

_KhlER3L (601441) | more than 11 years ago | (#4340443)

Signing a document could limit legal-liability / job-problems in the case that a modified form of a document is released with your name on it. By having signed the original document, you can prove that the problematic document is a modification and not the original.

Sometimes the utility of GPG has little to do with the capabilities of the recipient.

khl

What are you hiding? (0)

Anonymous Coward | more than 11 years ago | (#4339328)

What are you doing that you don't want the government to know about?

Re:What are you hiding? (3, Insightful)

RatBastard (949) | more than 11 years ago | (#4339411)

Well, there's your collection of bestiality porn.

Why is it that people assume that anyone who wants to communicate in private has something to hide?

Re:What are you hiding? (2, Interesting)

z-man (103297) | more than 11 years ago | (#4339507)

Crypto is not necessary about hiding, but can be (as coined Ayn Rand I believe), the minorities protection against the oppression of the majority. And this is something that is vitally important.

Re:What are you hiding? (2)

Amazing Quantum Man (458715) | more than 11 years ago | (#4339513)

What are you doing that you don't want the government to know about?

How about you? When you snail mail, is everything on postcards? Or do you use envelopes, you terrorist?

Re:What are you hiding? (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4340375)

because they dont have a right or even a need to see it. just like you dont.

i may not have something incredibly important to protect.

but just because i its not important, doesnt mean im going to put a billboard up

Re:What are you hiding? (2)

ReadParse (38517) | more than 11 years ago | (#4340392)

So I suppose you use postcards for all of your mail. Love letters, hate mail, whatever... you have nothing to hide so why should you use an envelope?

Or when you do get mail that's in envelopes (hmmmm, why do they presume your need for all that secrecy?), I suppose you take all the bills and letters out, scan them, and post them on the internet? No?

Then just what is it that you're trying to hide? You're clearly either a terrorist or a pornographer (both are generally held in approximately the same regard in most places). Or could it be that you just want the smallest amount of privacy? Could it be that it's not the damn business of every postal worker who comes in contact with your letters to read them?

Yes, indeed it could. It's called privacy. And the public will continue to insist on more internet privacy once they begin to understand it. The problem right now is that they actually THINK that nobody can read their e-mail but the person they're sending it to. Boy are THEY in for a surprise.

RP

The weakest link (4, Insightful)

FreshMeat-BWG (541411) | more than 11 years ago | (#4339337)

Ok, so I have n-bit keys protecting my super secret confidential data that is going to take x-million computers y-thousand years to crack and I feel pretty good knowing the CIA won't spend $z trillion dollars finding out my grandma's secret cookie recipe.

Now, how do I keep my passphrase a secret while the CIA is bashing my toes with a hammer?

I guess my point is that public/private key encryption is only as good as the passphrase which is often not good enough, and that the ecryption is way stronger than your personal torture threshold anyway.

Re:The weakest link (5, Insightful)

tbmaddux (145207) | more than 11 years ago | (#4339394)

I guess my point is that public/private key encryption is only as good as the passphrase which is often not good enough, and that the ecryption is way stronger than your personal torture threshold anyway.
That's true, which is why it was originally well-named as "Pretty Good Privacy." It solves the lowest-order problem, that your email is transmitted as plaintext across the Internet for anyone to read.

And of course, the CIA doesn't really need to bash your toes; they can just put a keyboard sniffer on your machine, or put a spy camera to capture your keystrokes while you type your password, or lots of other interesting things that only require a warrant and don't require torture.

GPG was easy to setup (on our Macs, even!) and now I don't have to worry about whether or not the script kiddie down the road can sniff the private messages I send to my wife. That's Pretty damn Good Privacy.

Book on Encryption - Methods of Attack (2, Informative)

Dareth (47614) | more than 11 years ago | (#4339433)

An actual method of attacking encryption listed in a text book on it in my university library listed the "Rubber-hose" method. The point is to remind people that if you are protecting something of value, monetary or other to someone else, you can not just rely on encryption. Beating you and/or your loved ones,ie. wife, children, pets is an effective means of getting access to something protected by encryption. Luckily I never tell my wife any of my passwords, and last time I checked my cat wasn't talking.

Re:Book on Encryption - Methods of Attack (4, Funny)

SirSlud (67381) | more than 11 years ago | (#4339468)

> and last time I checked my cat wasn't talking.

The CIA has a way around this. They drop 2 tabs of acid, each, wait a while, and then furiously start writing down anything your cat says.

They're way ahead of you.

Re:Book on Encryption - Methods of Attack (3, Funny)

unicron (20286) | more than 11 years ago | (#4339584)

:"Gentlemen, let me begin by saying that the litter box you have provided me is completely inadequite. While I know I am a creature prone to walking in it's own shit while I shit some more, I must insist you clean it out post-haste.

: From this point on I will always be fucked in the head.

: Ditto.

Re:Book on Encryption - Methods of Attack (1)

Wumpus (9548) | more than 11 years ago | (#4339571)

Luckily I never tell my wife any of my passwords

Great, but unless you can prove it, they'll keep on beating her. You might consider giving her at least one unimportant password to give them in exchange for them stopping the beating.

Not that the CIA would ever do that, of course...

Re:Book on Encryption - Methods of Attack (0)

Anonymous Coward | more than 11 years ago | (#4339920)

Well, not to an american wife...

Re:The weakest link (2)

SquadBoy (167263) | more than 11 years ago | (#4339451)

http://www.rubberhose.org at least in part addresses just that concern.

Re:The weakest link (2, Insightful)

Wumpus (9548) | more than 11 years ago | (#4339641)

Sort of. If I remember correctly, they claim to have a proof (using game theory) that the best an interrogator can do if you use their software, is keep beating you. They can't prove that you're holding anything back from them. This is valuable in some extreme situations (if you're guarding a secret important enough to die for), but doesn't really stop you from giving them what they want, hoping that they'd stop anyway. Pain is funny like that.

This has been said elsewhere, but it's worth repeating: Cryptography alone won't solve all your security problems. Especially if you live in a country where the use of cryptography is illegal, the secret police assumes that you're guilty until proven innocent, and they have the authority to try to extract secrets from you by any means they consider necessary.

Re:The weakest link (1)

SquadBoy (167263) | more than 11 years ago | (#4339782)

No one said it would solve all your problems but it can be a *very* useful tool. You should also go read their stuff on novel keying methods. Very cool and worth thinking about. Also the question at least in a "democracy" like the USA is how important is the inforamation to the government and how far will they go to try and extract it. For example in the US I could use rubberhose cough up 2 or 3 passphrases and then "forget" the rest of them. Also with the novel keying methods you limit their ability to torture passphrases out of you. I mean hell even without novel keying methods my typical passphrase is the average of two or three paragraphs from a book, with semi random "misspellings" thrown in for good measure, they would have to stop well short of any serious torture to be able to get that kind of information out of me. So while no crypto is not perfect it can be used and torture based methods can be fought.

Re:The weakest link (0)

Anonymous Coward | more than 11 years ago | (#4339525)

The favorite way that I heard is to make your password something incriminating, related to the naughty stuff you have encrypted, and (ideally), protected by the 5th amendment.

For example, the key "I killed Jimmy Hoffa" on GiantsStadium.doc.

That way, they may be able to beat it out of you, but not use what they find in court.

Of course, that's a U.S. thing.

Re:The weakest link (1)

FreshMeat-BWG (541411) | more than 11 years ago | (#4339541)

Or maybe "I forgot the passphrase" is the passphrase.

Agent: What is the passphrase?
Me: I forgot the passphrase
Agent: [bashing smallest toe with hammer]
Agent: Now, what is the passphrase?
Me: I FORGOT THE PASSPHRASE!

Then again that sounds find of painful.

Re:The weakest link (2)

TheAwfulTruth (325623) | more than 11 years ago | (#4340194)

Well considering that giving anyone your passphrase so they could decrypt something incriminating is itself an incriminating act, AND that that is not considered protected by the 5th, I doubt any fancier philosophies will hold up in court.

Re:The weakest link (2)

beej (82035) | more than 11 years ago | (#4339693)

Now, how do I keep my passphrase a secret while the CIA is bashing my toes with a hammer?

In Applied Cryptography, Schnier refers to this as "rubber hose cryptanalysis".

Fixing the weakest link (2)

joenobody (72202) | more than 11 years ago | (#4340355)

There's an excellent system called rubberhose [rubberhose.org] that solves the problem of 'rubber hose' cryptography (ie. beating the key out of someone.)

You give it a certain amount of space to play with and then can encrypt "aspects", sets of files, to it. Each aspect is protected with a passphrase and there isn't any way to show how many or few there are. If tortured, the user has no way to prove they've given up all the keys - making it possible for them to hold out.

It's also possible to use it to give people some information and limit disclosure - the documentation has an excellent example using safehouses.

But shouldn't this really be called..... (0, Troll)

Ride-My-Rocket (96935) | more than 11 years ago | (#4339351)

.....the GNU/Linux Guard? After all, GNU runs on Linux............ :)

Re:But shouldn't this really be called..... (2)

bourne (539955) | more than 11 years ago | (#4339745)

I run it on Windows, so rightly it should be the GNU/Windows XPrivacy Guard...

False sense of security? (4, Informative)

Meat Blaster (578650) | more than 11 years ago | (#4339357)

There are a number of applications GPG is good for besides cryptography -- I use it to verify Linux kernels from kernel.org, for example -- but I know several people that think that once you figure out how to encrypt mail you're secure. It's probably good to keep in mind that there are a number of other points at which an attacker can read the mail (swapfile, keyboard logger, trojan, net sniffer, tempest, emp, and buffer overflows) even if the application itself is bugfree and Open Source, so remember that this is just supposed to be a component in a system of security.

Re:False sense of security? (2, Insightful)

dacarr (562277) | more than 11 years ago | (#4339428)

But on the other hand, the ability to get into a system and implement such cracks is, AFAICT, usually due to PEBKAC on the part of either the user or (in rare cases) the admin using an easily guessable password. I know users who I have told again and again to at least l33t their password to hinder a few searchbots. And then there are the people who are just plain too lazy to patch their machines.

Yes, there are the security holes inherent in any operating system, and thank God for Mandrake's patch system (in my case), not to mention the uncanny ability of the open source community to crank out patches within hours of discovering holes. So let's use them.

GnuPGExch (5, Informative)

Rupert (28001) | more than 11 years ago | (#4339406)

If your family and friends insist on using Outlook or Outlook Express, try pointing them at G-Data [gdata.de]'s, GnuPG Plugin [gdata.de]for those MUAs. One downloadable Win32 .exe and a simple installation puts buttons to sign/verify and encrypt/decrypt on the toolbar.

Because let's face it, /we/ all know how to encrypt our email. But until "Your Mom" (TM) can do it, it's not useful.

Re:GnuPGExch (1)

tubabeat (605286) | more than 11 years ago | (#4339780)

G-data's GnuPG plugin is good as far as it goes. unfortunately it only goes as far as a rather inadequate (& ugly) frontend to gpg and has somewhat limited integration into Outlook.

It works fine, so long as the signature is in the body of the mail. Unfortunately if the signature is provided as an attachment (which is how Evolution signs mail, for example) G-data's plugin won't recognise it.

This is a shame, personally I'd rather Evolution put the sig in the body (to encourage the ignorant to ask...) but the G-data plugin should really recognise digital signatures which are attachments. You can't expect everyone to use a standard when different implementations won't co-operate (Yes, unless you're Microsoft, of course - but lets not go there right now).

I sign personal mail by default, not because much I send has any particular value, but because I want to spread the word. I would encourage everyone to do the same.

I am irritated that none of the online banks I have used have ever bothered to even sign their mail. How can we expect to convince the public at large that encryption and siging is a good thing if even the banks don't appear to take this on board?

Re:GnuPGExch (0)

Anonymous Coward | more than 11 years ago | (#4340357)

i dont care if my mom or grandma uses it, i am going to use it.

why does everyone insist on catering to the lowest denominator. they can be left behind

Too much effort (3, Insightful)

mikeboone (163222) | more than 11 years ago | (#4339427)

I've been interested in GPG and encryption for a couple of years, but I can't convince any of my friends to be interested. So all my communications with them must be unencrypted.

I know you can get it as easy as typing in a password when an email gets sent, but that's too much effort for my parents and most of my friends. :(

Re:Too much effort (0)

Anonymous Coward | more than 11 years ago | (#4339496)

Use an agent (ssh-agent).

Re:Too much effort (1)

5lash (589953) | more than 11 years ago | (#4339705)

Yeah thats pretty much my situation. A lot of my friends use Hotmail aswell, which I'm pretty sure wont support PGP/GPG/Any encryption at all? I remember a few months ago when everyone got stressed about the British Government giving free-er access to Government Officials who wanted to read our emails, I was like "hey lets all use PGP, that'd piss em off", but none of my friends could quite grasp the idea. So i'm still the only person i know who uses PGP. Although, quite honestly, I never really send emails that are highly confidential or anything...

crypting for the masses ;) (1)

Skal Tura (595728) | more than 11 years ago | (#4339447)

crypting to the masses, make it mainstream to crypt your messages... i'd like to see one single person who isn't all that paranoid etc... in security things that would use some kind of crypting...

Re:crypting for the masses ;) (0)

Anonymous Coward | more than 11 years ago | (#4339570)

Whoa there! Put down the glue and take a deep breath of clean air. Now, try to post something coherent.

Re:crypting for the masses ;) (0)

Anonymous Coward | more than 11 years ago | (#4339606)

Well look at it this way: If writes indecipherable rubbish like that all the time, he has absolutely no need for "crypting" his messages.

GnuPG is the way to go. (3, Interesting)

wackybrit (321117) | more than 11 years ago | (#4339456)

GnuPG is definitely, certainly, and really the way to go with secure encryption and security systems, here's why..

The simple and undisputed -- and often argued -- fact is that we've come a long way, and the majority of large businesses are now using Linux as both a desktop and server OS which means these things are efficient to do.

GnuPG's (shouldn't that be GNUPG since GNU is an acronym?) ease of use and its (almost) seamless connectivity with most Linux communications applications allows the average workplace user to encrypt documents and files, preventing PR-disasteresque leaks -- such as the recent leak of the salary details of Lycos' staff to InternalMemos.com.. [com.com]

The seamless and very good encryption and decryption system allows staff of lots of big and small companies to simultaneously access and also work on their valuable and secure data as usual, but means that even if sites like F**kedCompany get hold of it, it's no use to them. Copying and pasting will just result in goobledygook being produced.

GnuPG's automated hyperencryption routines also mean that it could have some extremely useful and oblique military functionality, allowing our brave patriots to fight terrorism around the world.

One such example is in the encryption of numeric data such as numbers like digits between 0 and digits under 9. These encyrption routines can improve the efficiency of this by 24%.

Re:GnuPG is the way to go. (2, Insightful)

lamp77 (147098) | more than 11 years ago | (#4339827)

Exactly who modded this up?

"the majority of large businesses are now using Linux as both a desktop and server OS "
where are you working? I almost think this might be satire.

Excellent (3, Insightful)

z-man (103297) | more than 11 years ago | (#4339466)

I use gpg all the time, and I know a lot of other people that use it, it is a great program.

However, a problem is that people just aren't good enough at getting their public-keys out. I hope this article enlightens them on the lovely export option. Which I believe to be one of the most important parts. I receive email from a lot of lists everyday, LUGS, development lists and so on. A lot of this email is signed, but a lot of these people obviously don't get the points of signing completely since they haven't got their public key available in anyway (of course some may not believe in the keyservers and so on, and want to be contacted in other ways for key-exchange, but not all are that pre-cautious, some just don't understand), and thus I cannot verify their signature.

Re:Excellent qjkx (0)

Anonymous Coward | more than 11 years ago | (#4339833)

How does it feel to be ignored???

Advocating privacy (3, Insightful)

tve (95573) | more than 11 years ago | (#4339534)

I don't believe most people with 'nothing to hide' will be convinced by this argument for privacy. So, can anyone come up with a concise line of reasoning that will work?

Re:Advocating privacy (1)

NortWind (575520) | more than 11 years ago | (#4339689)

So, can anyone come up with a concise line of reasoning that will work?

How about a technical solution? If a few kind souls would set up packet snifferes that would intercept random emails, and return copies to the sender with the preface "I saw you were sending this message. I am forwarding this to a few other people I know who might be interested." Crypto use would go up immediately.

Re:Advocating privacy (1)

LordNimon (85072) | more than 11 years ago | (#4339802)

So would the prison population. What your suggesting is illegal.

Re:Advocating privacy (0)

Anonymous Coward | more than 11 years ago | (#4340103)

Hardly. If some idiot sends his 2nd mistress a few nasty pics of him and his 1st mistress across the net unencrypted and one of my servers happens to be between said idiot and said mistress, there are no legalities preventing me from keeping a copy of those bits and showing them to his wife.

Now the promotion I'm extorting from said boss^H^H^H^Hidiot to not do so, that's illegal:)

Re:Advocating privacy (0)

Anonymous Coward | more than 11 years ago | (#4340558)

first you write a song - a country song about how your girlfriend stole your pickup, ran over your dog, and drank all your beer, or a Ramones style song with 3 chords about being crazy; whatever works best for you.

then give it to a few friends. Those who are authorized to have copies.

next you hack a mail server because you "think" that someone "took your music" without permission.

next you look through random e-mail to see if they have stolen your song.

as a courtesy you inform them that you looked through their mail (for whatever reason) and inform them that if they had encrypted their mail, you wouldn't have been able to do so.

Re:Advocating privacy (2)

PeterClark (324270) | more than 11 years ago | (#4339798)

Sure; ask them why they put letters in envelopes instead of sending postcards. Of course, they will probably say, "Because you can't send multiple pages of a letter as a postcard!" But this question is just to get them to start thinking. Then you ask, "Would you approve of a law that mandated that all letters be sent in some easy-to-examine fashion?" (Say in the interest of national security or something like that.) If they are smart, they will realize that they send a lot of stuff by post that they would not want others, no matter how good their intentions may be, to see. I.E., credit card numbers, bank statements, etc. Then apply that to email. If they are still dense, sniff their internet connection (with their permission, of course) for several days, then send them a copy of every email and non-encrypted transaction they made on line. Then ask, "How could the information I gathered about you be used to invade your privacy, steal your identity, etc.?"
:Peter

Re:Advocating privacy (2)

tve (95573) | more than 11 years ago | (#4340210)

Then you ask, "Would you approve of a law that mandated that all letters be sent in some easy-to-examine fashion?" (Say in the interest of national security or something like that.)

Interesting, but of course this is a different argument (the argument against banning strong crypto).

If they are smart, they will realize that they send a lot of stuff by post that they would not want others, no matter how good their intentions may be, to see. I.E., credit card numbers, bank statements, etc. Then apply that to email.

But they don't send that stuff by e-mail (yet?). The only really sensitive info most people I know send from their computer would be bankingtransactions. But those are either sent over a dedicated dial-up to the bank or using SSL in people's browsers, at least over here (the Netherlands) they are. So those shouldn't be easy to intercept.

I liked your comparison to using envelopes in standard mail (had been thinking along those lines myself), but I don't think we've got the killer salespitch just yet.

Re:Advocating privacy (1)

amitola (557122) | more than 11 years ago | (#4340207)

Have you ever lowered your voice when talking on a public phone, since you didn't want to be overheard?

Have you ever left a party, or a restaurant, or a meeting, in order to continue a conversation you didn't want to have in front of everyone present?

Have you ever closed the blinds when you checked into a hotel room?

Have you ever closed the blinds on the windows of your own house?

Have you ever parked your car down the street, rather than right in front of an establishment of questionable repute?

Have you ever moved your prescription medications out of the bathroom before company came over?

Finally (the classic), have you ever sent a piece of mail in a sealed envelope?

Did you answer yes to any of the above? What are you trying to hide?

Re:Advocating privacy (2)

tve (95573) | more than 11 years ago | (#4340336)

... and then it occurs to them they don't need to do any of those anymore either. :-)

Re:What are you hiding? (2, Insightful)

Bizaff (443681) | more than 11 years ago | (#4339580)

It's all about hiding, actually. Cause that's what cryptography does.. is.. uh.. hide stuff.

Like the example the writer gave, if your ISP tech knows you're out of town, you could come home to an empty house.

If you're just using cryptography for the sake of using cryptography, what's the point?

Re: Re:What are you hiding? (1)

archen (447353) | more than 11 years ago | (#4340576)

An ISP tech can tell you're out of town by the sudden lack of incomming porn on your connection. No need for intercepting e-mail to figure that out.

Integrating GPG with mail - mozilla+enigmail (4, Informative)

bourne (539955) | more than 11 years ago | (#4339721)

One of the problems I always had using pgp/gpg was client support. Getting it to work with outlook/outlook express, then finding something under Linux that would support it, having to scrap together a bunch of tools, all of which were half-written...

I've found a solution. Mozilla [mozilla.org] and Enigmail [mozdev.org]. Yes, Mozilla/Netscape mail used to be putrid. It's better with Mozilla 1.0+, honestly. It has progressed to a competitive state, and I switched over totally about a month ago.

Enigmail is a plugin for Mozilla that handles signing, encrypting, decrypting and verifying mail for you.

GnuPG, Mozilla and Enigmail all work on Windows as well as Linux, so I have the same tools no matter what I'm running.

You still need a key manager, but getting what mozilla+enigmail provides is a great step forward.

Re:Integrating GPG with mail - mozilla+enigmail (1)

z-man (103297) | more than 11 years ago | (#4339764)

Both kmail and evolution use gpg, mutt as well invokes gpg when it is needed, so when it comes to integration of gpg in mail clients (for Linux), it has been there for a while and is supported in many good and stable clients, the fact is mozilla/enigmail was late in supporting it. How things are in Windows, I have no idea.

Re:Integrating GPG with mail - mozilla+enigmail (2)

bourne (539955) | more than 11 years ago | (#4340435)

Both kmail and evolution use gpg, mutt as well invokes gpg when it is needed,

Oh, of course. And there are Pine plugins, and you can get emacs rmail to work with it. And as everyone knows, you can use the pipe command in ed to incorporate PGP functionality.

How things are in Windows, I have no idea.

Well, Pine is supported. The rest, not so much.

I tried Evolution for a while; generally a good app with some serious flaws (at the time I tried it). For example, there's this thing called STARTTLS that makes SMTP halfway secure - evolution didn't support it, it only supported the abandoned smtps protocol. I don't know if kmail or mutt support it, or if either of them supports IMAPS (Pine does, incidentally). Let's assume anyone thinking about GPG probably cares a little about protecting access to their mail store as well.

Even with that, I hung with evolution for a while, but since I spend 75% of my time in Windows and 25% in Linux, I got sick of switching back and forth between evolution and OE. So for anyone not able to live 100% in the Linux world, mozilla+enigmail is news rather than just being a latecomer.

Re:Integrating GPG with mail - mozilla+enigmail (2)

perlyking (198166) | more than 11 years ago | (#4340323)

Dont forget Herbivore, transparent server side handling of encrypting email. Google for it, too wasted to find link :-)

Design problems and license issues hold it back. (0)

Anonymous Coward | more than 11 years ago | (#4340085)

Werner Koch is a great guy and everything but he is very confused about security and good design. What we need is a library form of ths program so we can link it into everything and anything: mail readers, web browsers, databases, Java Native Interface, VoIP, just about anything. Unfortunately the confused Mr. Koch thinks that making gpg available as a library would compromise its security. This is a large part of the reason why pgp encryption isn't available everywhere. The other part of the problem is that it's under GPL, which means that even if it were a license, it couldn't be included in commercial software. pgp didn't take off because of licensing issues and design problems, and gpg isn't taking off because of license issues and design issues. Mr. Koch is a good programmer but he doesn't understand security or design. This is very unfortunate.

Pseudo-random Key-gen Security (2, Interesting)

JojoLinkyBob (110971) | more than 11 years ago | (#4340228)

After reading Crypto, and now this Slashdot post, PGP has really heightened my interest.

I'm particularly curious about how secure the GnuPG key-gen process is. How "pseudo-random" is it? What's the likelihood that I could generate a private key matching someone else's?
Should I be concerned?

Re:Pseudo-random Key-gen Security (0)

Anonymous Coward | more than 11 years ago | (#4340340)

I'm particularly curious about how secure the GnuPG key-gen process is. How "pseudo-random" is it?

depends on what you're running GPG on. on linux, it uses /dev/random (i'm pretty sure; maybe it's urandom, but i doubt it), but if that's not available, it looks for the userspace entropy gathering daemon egd (serves much the same purpose as /dev/[u]random for unices that don't have the kernel functionality for that), and if that too fails, it asks you to type random noise on your keyboard a lot as an entropy source.

on other OSes (i know there's a win32 gpg, for example), i'm not sure what it uses. presumably digging through the GnuPG website [gnupg.org] would eventually give you an answer, but it's a biggish site and that sort of details might well be buried deep.

Needs a LGPL lib (4, Interesting)

DrXym (126579) | more than 11 years ago | (#4340256)

GPG only runs from the command line meaning apps that wish to call it have to construct a command-line, invoke gpg and parse the results in a pipe. It desperately needs a LGPL lib to relieve this burden. The only lib so far is gpgme which is GPL making it pretty useless for this task.

The GnuPG FAQ covers why GnuPG is not a lib. (1)

jbn-o (555068) | more than 11 years ago | (#4340582)

It [GnuPG] desperately needs a LGPL lib to relieve this burden [of running a CLI program and parsing output].

Have you read the FAQ on this point [gnupg.org]? Apparently many people have been able to get valuable work done with GnuPG as a CLI app, so saying it "desperately" needs to be an LGPL-covered library doesn't follow.

The only lib so far is gpgme which is GPL making it pretty useless for this task.

This makes it seem like your objection has to do with the license chosen, not whether the program is an executable or a library. And yet I see no argument supporting your desire to switch the license to the Lesser GNU GPL.

Re:The GnuPG FAQ covers why GnuPG is not a lib. (2)

DrXym (126579) | more than 11 years ago | (#4340736)

Have you read the FAQ on this point [gnupg.org]? Apparently many people have been able to get valuable work done with GnuPG as a CLI app, so saying it "desperately" needs to be an LGPL-covered library doesn't follow.


Yes it does follow (which I'll explain below), but their brief reasons are not doing a lib are pretty weak. Requiring each client to write a shim that constructs a command line argument, executes the gpg command and parses the data through a pipe is not going to makes things any safer. Writing such a shim and safe is hard. There are just so many extra potential extra points of attack that any benefit of running gpg in a seperate process are totally lost. Not only that, but stuff runs much slower which might not matter.



This makes it seem like your objection has to do with the license chosen, not whether the program is an executable or a library. And yet I see no argument supporting your desire to switch the license to the Lesser GNU GPL.


I could live with a shim if it was one hardened by countless clients hammering on it and developers. Unfortunately gpgme won't get that because it is GPL. What the hell is the point of a GPL library? It might be great for GNU zealots but even other open source projects such as Apache can't link to it.


Widespread adoption needs an LGPL library. It is that simple. I like GPG and I want to see it used pervasively but that's not going to happen while it's threatening to infect everything it touches.

The FAQ is wrong (0)

Anonymous Coward | more than 11 years ago | (#4340799)

The FAQ is just plain wrong on this. Keeping the code in a separate binary does not do the tiniest bit of good for security. In fact it makes security worse because then programs have to figure out how to parse the output and input of gpg in some secure way. History has shown that this is not an easy task. Someday I'll hire someone to write a pgp library under lgpl and we'll solve this problem.

Right on (0)

Anonymous Coward | more than 11 years ago | (#4340597)

I've been saying this for years. Werner Koch is a good coder but he's not very smart about design and security. He believes that making gpg a lib would compromise its security, which is hard to even imagine that someone could think that but there you are. At some point if I have time I will write one.

Re:Right on (2)

DrXym (126579) | more than 11 years ago | (#4340777)

I think the reasoning goes (putting aside licence issues) that if gpg lives in the same process space as the app then if the app can be exploited then so can gpg or vice versa.


Fair enough but consider the alternative which is to invoke the command line gpg and read the results from a pipe. If the app is exploited then it can run gpg any way it please and furthermore all those command-line args, pipes and parsing provides lots of extra points of attacks for the hacker to exploit the app in the first place. So there is no significant reason to do it this way, it just makes stuff run slower and adds a big layer of complexity.

A gentle introduction for Windows users (2, Informative)

Compact Dick (518888) | more than 11 years ago | (#4340771)


A key aspect of GPG's success is to increase its adoption by users of Windows. For those of you wishing to give GPG a whirl, I suggest you get WinPT [winpt.org], an easy-to-use, open-source frontend.

Here are four easy steps to get you up to speed:


If you use Outlook Express, you would definitely want to get GPGOE [winpt.org], a GPG plugin that seamlessly integrates with Outlook. You need to install and configure GPG for this - the easiest way is to install WinPT as described above [WinPT also makes key management very easy, so there's a bonus]. Then you can download and install GPGOE, and enjoy all the goodness of integrated GPG functionality within OE.

Play around with the different options available; make a key for fun; experiment and learn. Spread the word. But most of all, have fun and be excellent to each other ;-)

Good luck.

front end (0)

Anonymous Coward | more than 11 years ago | (#4340802)

although I will probably be using it through enigmail, can anyone recommend a win32 front end ?
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...