|
|
 |
|
|
|
register |
bbs |
search |
rss |
faq |
about
|
|
|
meet up |
add to del.icio.us |
digg it
|
|
|
|
Keep Out magazine Volume 1, Number 1 - The first i
-----BEGIN PGP SIGNED MESSAGE-----
Keep Out
Volume 1, Number 1
August/September 1994
In this Issue:
An Interview with Philip Zimmermann, author of Pretty Good Privacy
A Review of PGP/Off-Line Mail-Reader Shell Programs
Beginners: How Pretty Good Privacy Works
______________________________________________________________________
Preface To The Electronic Edition
By John Schofield, Publisher
This electronic version of Keep Out is being released to
publicize the issues and people discussed in this issue, and to bring
more publicity to Keep Out.
Although Keep Out is a subscription- and advertising-funded
magazine, there will always be a free, electronic version of Keep
Out. This information is too important to limit to those who can
afford a subscription.
Since Keep Out does have bills that need to be paid, this
electronic version will be released roughly one month after the paper
version, to encourage people to subscribe.
If you would like to receive a free sample issue of Keep Out,
with no strings attached, simply send your postal address to
[email protected], or to "Keep Out" at 1:102/[email protected], call
(voice) (818) 345-8640, or mail it to:
Keep Out Sample Issue
P.O. Box 571312
Tarzana, CA 91357-1312
If you enjoy Keep Out, either in the electronic or printed
versions, I strongly encourage you to subscribe. Subscriptions only
cost $15 per year, for six full issues of electronic privacy
information. Foreign subscriptions are a little more expensive, at
$25, to cover the increased mailing costs. See the advertisement at
the end of this file for more information on subscribing to Keep Out.
______________________________________________________________________
Publisher's Note
By John Schofield, Publisher
I have been interested in codes and ciphers since I was a child,
simply because, like secret passages and tree-houses, codes were neat.
I was not interested in abstract concepts like civil liberties or
freedom when I read about the history of cryptography as a child. (I
just knew it was fun.) I still think cryptography is fun--but now
that I am older, I recognize the true importance of cryptography in
maintaining freedom.
The United States remains one of the most free countries in the
world. However, there seems to be a relentless trend here towards
reduction of personal liberties, in the name of practical goals like
fighting crime.
Elsewhere in the world, civil liberties are even more endangered,
or simply do not exist.
In this environment, electronic privacy becomes vastly more
important.
There are many resources available to people interested in
cryptography--for example ALT.SECURITY.PGP and the Cypherpunks mailing
list on the Internet, or the PUBLIC_KEYS echo on Fidonet.
However, for technology to fulfill its potential to liberate
people, it can not--and must not--be limited to any particular group
of people.
Information on cryptography, on anonymity, on anything else that
can keep Big Brother from peeking in your keyhole must be made
available to as many people as possible.
That is where Keep Out comes in. I want Keep Out to publish the
most complete, accurate, and up-to-date information possible about the
multiple worlds of cryptography, civil liberties, electronic
anonymity, digital cash, and everything else that could possibly
affect your privacy.
There aren't many staff members here at Keep Out, and our budget
is laughable. It is a big task we have before us. But we're going to
do our damnedest here. I want to be able to tell my kids, if I ever
have any, that I did my best to preserve freedom, and liberty, and the
Constitution--to do good, in short.
I hope you'll stay along for the ride.
______________________________________________________________________
Keep Out Policy Statements
Mission Statement
Electronic Privacy will become increasingly important in each of
our lives as computers and telecommunications bring people closer
together.
Keep Out is dedicated to the idea that everyone has the ability
and the right to decide their own destinies. That no one should
decide what people read or write or whom they talk to.
New technologies exist that make it a great deal easier than in
the past to monitor whom people talk to and what they say and do.
Keep Out's mission is to investigate ideas and products that make
it harder to monitor and control people, and to popularize those ideas
and products by making them easier to understand and use.
Through this, Keep Out aims to preserve the existence of
individual liberty and freedom in the USA and the world.
Advertising Policy
Keep Out reserves the right to refuse an advertisement if the
advertisement advocates illegal activities. Keep Out reserves the
right to refuse an advertisement if, in the opinion of the Keep Out
Editorial Board, the advertisement would tend to mislead Keep Out
readers. Keep Out's editorial content is completely independent of
its advertising.
Letter Policy
Letters should be brief (shorter than 300 words) and will be
printed exactly as received. Letters must be signed and include a
valid mailing address and telephone number. Pseudonyms and initials
will not be used, but names may be withheld by request upon approval
of the Keep Out Editorial Board. Keep Out will not publish letters
that are libelous. In addition, Keep Out will not publish as letters
literary endeavors, publicity releases, poetry or anything the Keep
Out Editorial Board decides is not a letter. Because of space
limitations, it may not be possible to print all letters received;
the Keep Out Editorial Board reserves the right to print only those
letters it deems most of interest to Keep Out readers.
Privacy Statement
Keep Out's mailing list will not be released to anyone for any
reason. All information about Keep Out subscribers is confidential.
Contact Information
Internet: [email protected].
Fidonet: "Keep Out" at 1:102/903.0
Voice: +1-818-345-8640
BBS/FAX: +1-818-342-5127
Postal Mail: Keep Out
P.O. Box 571312
Tarzana, CA 91357-1312.
Keep Out magazine is published bimonthly by Keep Out, founded by
John Schofield. Copyright Keep Out 1994. All rights reserved by
Keep Out. Reproduction without permission is prohibited. Keep Out
is not responsible for unsolicited materials. Printed in the USA.
______________________________________________________________________
Keep Out Staff Roster
Publisher and Editor In Chief: John Schofield
Associate Editor: Matthew A. Carey
Copy Editor: Amy K. Hood
Consultant: Julie Bailey
Consultants and Patron Saints: Don Adler and
Michael Bendgen
Cover art by Matthew A. Carey
Layout for the printed version of Keep Out was done on a 486dx-50/2,
using Microsoft Windows 3.1 and Microsoft Word 6.0a. Output was done
on a Compaq Pagemarq 20.
______________________________________________________________________
Advertisement
Pretty Good Privacy(tm)
* Privacy
ViaCrypt PGP is the perfect tool for anyone who values the
privacy of their proprietary or sensitive information.
* Strength
ViaCrypt PGP is the strongest privacy program available to the
civilian world.
* Interoperability
All versions of ViaCrypt PGP are completely interoperable.
* Control
With ViaCrypt PGP you are in complete control of your privacy.
YOU create your keys. YOU decide who to trust.
Versions available for Macintosh, DOS/Windows and UNIX.
ViaCrypt(tm) PGP(tm) is the world's most popular and secure software
program for e-mail and file privacy. ViaCrypt PGP is fully licensed
for personal, commercial, and government use.
Single User Prices:
ViaCrypt PGP for Windows (Sept.) $124.98
ViaCrypt PGP for MS-DOS $99.98
ViaCrypt PGP for Macintosh (Sept.) $124.98
ViaCrypt PGP for UNIX $149.98
ViaCrypt PGP for WinCIM/CSNav $119.98
ViaCrypt
2104 West Peoria Avenue
Phoenix, Arizona 85029
Orders: (800) 536-2664
Information: (602) 944-0773
FAX: (602) 943-2601
Internet: [email protected]
CompuServe: 70304,41
______________________________________________________________________
Pretty Good Phil;
The story of Philip Zimmermann, author of Pretty Good Privacy
By John Schofield, Publisher
Philip Zimmermann is an entrepreneur. Like most entrepreneurs,
he risked a lot in order to reap a big reward. Unlike most
entrepreneurs, though, his risk was not only financial. And the
reward he reaped had little to do with money.
In December of 1990, Zimmermann began developing Pretty Good
Privacy (PGP), a data encryption program that today is in wide use
around the world.
Human rights groups in Central America, political opposition
groups in Burma and the Tibetan government in exile are all using PGP
to protect their privacy, along with many thousands of individuals in
the United States and abroad, Zimmermann said.
Zimmermann, who received his bachelor's degree in computer
science from Florida Atlantic University in 1978, said he developed
PGP because he was concerned about the government having too much
power to invade people's privacy.
"I was concerned about the information age bringing about an
imbalance of power between government and individuals in the area of
privacy."
Zimmermann, 40, said he was specifically concerned about Senate
Bill 266, a proposed 1991 law that would have suggested that
manufacturers put backdoors in communications products. The bill did
not pass, but a similar bill mandating backdoors has been introduced
this year.
Senate Bill 266 said that manufacturers should "ensure that
communications systems permit the Government to obtain the plain text
contents of voice, data, and other communications when appropriately
authorized by law." This would apply to, among other things,
telephones, computers with modems, and faxes.
"I had hoped to make some [encryption] product some time that I
could sell commercially, but when I saw this legislation I abandoned
my hopes for making money from it and got into a race against time to
get it out to inoculate the body politic," said Zimmermann, who lives
in Boulder, Colo.
Zimmermann said he considers PGP "the most important thing I've
done. It may be the most important thing I'll ever do in my career."
But privacy is not the first big battle Zimmermann has fought.
In the 1980's, Zimmermann was an anti-nuclear weapons activist
and, "taught a class on military policy a couple of times, did a lot
of public speaking in churches and schools, was a policy advisor to
some US Senate and House races. And I did get arrested twice at the
Nevada nuclear test site."
Zimmermann said his experience fighting against nuclear weapons
has "given me a perspective of speaking truth to power. It's made me
more aware of government abuses. It taught me to stand up for what's
right, taking a principled stand and sticking with it. It can be hard
to stick to your position in the face of very powerful forces."
"I worked pretty hard on [the arms race]. But now the world has
changed, issues have changed, and I've moved on to other things. When
I worked on the nuclear freeze, I was one person out of a million. So
I was, relatively speaking, not as effective in the general scheme of
things. But on this issue, which is not as important, perhaps as the
one from that time, my ability to impact the issue is much, much
higher."
Costs of Writing PGP
Zimmermann paid a heavy price for writing PGP.
For six months, he worked on little else, devoting most of his
days to his unpaid work on PGP.
"I came within inches of losing the house," Zimmermann said. "I
blew my credit record to hell. I was late on a lot of bills. It just
pretty much wiped me out. In fact, I still can't get a credit card
even today, three years later, because it would be declined because of
what happened then."
Zimmermann, who was born in Camden, New Jersey but grew up in
south Florida, said he was "a recluse" while writing PGP, working on
it during "all of my waking hours, except for eating and taking a
shower and that sort of thing."
"Entrepreneurs often miss mortgage payments in the hopes of
getting rich. But I didn't do it for that, I did it for political
reasons," Zimmermann said.
In the end though, PGP has helped Zimmermann financially.
"Now it turns out that as a consultant in cryptography it's much
easier for me to find clients because I'm pretty well-known these
days. It's helped my consulting work."
Crime and Punishment?
Now that Zimmermann is recovering from the financial damage that
writing PGP did to him, he faces possible criminal charges relating to
PGP that are much more serious than money troubles.
Zimmermann is being investigated by the U.S. Attorney's office
and U.S. Customs for possible violations of State Department
regulations on exporting strong cryptographic products.
The State Department's International Traffic in Arms Regulations
(ITAR) regulate the export of munitions from the United States. These
regulations, intended to keep the United States from arming its
enemies, cover nuclear and conventional weaponry, as well as
cryptography.
Steven Shefler, chief assistant United States attorney for
Northern California, had no comment about the Zimmermann case, "other
than the fact that it's under investigation."
Philip Dubois, Zimmermann's lead defense attorney, said he does
not know exactly what theory of prosecution the government will pursue,
if it ever does.
It would be a serious first amendment issue, "if their argument
is that simply permitting his program to be freely distributed in the
United States by electronic means is the same as exporting the
software," Dubois said.
"Borders are pretty meaningless with the current information
networks," Dubois said. He added that the Massachusetts Institute of
Technology (MIT), which released the latest version of PGP, "took all
reasonable precautions to keep the new release of PGP from being
exported from their site, and we have reason to believe [their version
of] PGP had reached Europe within hours of its release."
Dubois said he thinks the investigation is taking place in
Northern California instead of Colorado, where Zimmermann lives,
because, "the location of the investigation is unimportant. Whoever
exported [PGP] likely reached in from outside the United States to get
it."
Zimmermann is understandably worried about the investigation.
"Any time you're under criminal investigation you have to be
concerned about it, whether you are guilty or innocent. You know,
some people might think that if you're innocent you don't have
anything to worry about, but that's not true. I think the innocent
worry more than the guilty."
Trevor Burke, a supervisory criminal investigator with United
States Customs' San Jose office, refused to confirm that an
investigation of Zimmermann was taking place.
"We won't be able to help with any information whatsoever
relative to any information on any investigation of a Mr. Phil
Zimmermann," Burke said.
Zimmermann, "did not do any exportation of PGP. Anyone could
have exported PGP," Dubois said.
Zimmermann has established a legal defense fund operated by
Dubois to help pay for his legal expenses.
"I'm not indicted, but it still costs me legal defense fees. I
need contributors to help me out with this. It's like having cancer
without medical insurance," Zimmermann said.
Zimmermann described his defense team as very strong.
Although other people occasionally help Zimmermann, Dubois said,
the core team consists of Ken Bass, who was a Justice Department
lawyer under President Carter, Curtis Karnow, a former federal
prosecutor who has been published in Wired magazine, and Eben Moglen,
a law professor at Columbia University who was a clerk to U.S.
Supreme Court Justice Thurgood Marshall.
All except Dubois are working for free, Zimmermann said.
Zimmermann strongly believes the State Department regulations
are unjust.
"I think they're suppressing free speech. I don't think they're
appropriate for a democracy. Plus, they're futile. Cryptography is
something that people in foreign countries know how to do already. We
have to import cryptography into this country because the domestic
availability of it is suppressed by these laws," Zimmermann said.
The Future of PGP
Despite his fears, Zimmermann was eager to talk about the future
of PGP.
"There's a lot of good, really important features for [PGP
version] 3.0," he said.
One feature Zimmermann mentioned is a graphical user interface
(GUI), "wrapped around it the way it's supposed to be. Not some
external GUI shell that is kind of glued to it, but [an integrated]
GUI the way God intended GUIs to be." Zimmermann said there would be
multiple versions of PGP, with the GUI being limited to Windows and
Macintosh versions at first.
Another important change Zimmermann mentioned is giving everyone
two pairs of keys. One pair would be used exclusively for digital
signatures, and the other pair would be used solely for encryption
and decryption.
"Here's what would happen. You would collect signatures on your
public key that is used for checking your signatures. But you would
not collect signatures on your other public key, used for encrypting
messages. There would be one and only one signature on your public
key that people would use for encrypting things. And that signature
would be made with your signature key."
In current versions of PGP, users have only one pair of keys.
These keys are multi-purpose, used for both encrypting and signing.
The change to two pairs of keys that Zimmermann describes would
have several advantages over the current system.
One problem with the current system is related to how keys are
verified. You collect people's digital signatures on your key. Each
signature helps to verify that the key actually belongs to you, and
not to some impostor.
The problem comes when you want to change your key.
"If you had reason to believe that your secret key may have been
compromised or soon will be compromised by duress--and duress is
something that I'm pretty familiar with--then you could revoke it and
reissue a new one," Zimmermann said.
Deleting the old key prevents any of your old encrypted messages
from being decrypted.
With Zimmermann's new system you would not have to go through the
painstaking process of gathering signatures on your new key all over
again.
"This means that you can revoke and reissue new encryption keys
on a routine basis without having a major disruption. With the system
in place now you'd have to go back and get everyone who signed your
old key to sign your new key," Zimmermann said.
Another major change Zimmermann envisions is allowing people who
are not the owners of keys to issue revocation certificates.
A revocation certificate is a signed statement that can not be
forged, made by the key's owner, that tells PGP that the key is not to
be trusted. It could be used, for instance, if a secret key were
accidentally made public or when the key's owner no longer has the
secret key necessary to read messages encrypted with the public key.
Right now the only one who can revoke a key is the person who
created the key. That creates problems if the secret key has been
lost or destroyed, because then it is impossible to generate a
revocation certificate.
In PGP 3.0, revocation certificates would work on the same system
as key signatures. Anyone can generate a revocation certificate for
anyone else, but if the person who generated the certificate is not
trusted, the certificate is ignored.
VoicePGP
Zimmermann is also working on VoicePGP, a product that will allow
real-time encryption of telephone conversations using personal
computers.
VoicePGP, which will be available for free, together with
multimedia hardware available for a few hundred dollars, will turn
personal computers into secure, untappable telephones. Anyone tapping
the line would hear only gibberish.
"We're making progress slowly [on VoicePGP] because there's no
funding," Zimmermann said.
Zimmermann plans to put the encryption routines in after the
other work on VoicePGP is done to avoid breaking any export
regulations.
"I don't know how I'm going to put it in. I'll either put it in
off-shore, have someone else put it in off-shore or put it in here and
publish it as a book. There are three or four different plans. They
all have to be done so there are no laws broken."
* * *
Three years after Zimmermann released PGP, it continues to change
people's preconceptions about privacy. Without PGP, the multiple
worlds of anonymous remailers, digital cash and data encryption may
not have been as popular as they are. PGP introduced many people to
the idea of electronic privacy. There is now a team of people working
on PGP, making sure it continues to grow and improve as it has in the
past.
And PGP's creator? Right now, Philip Zimmermann is "pretty much
saturated with trying to stay out of prison and still save the world."
______________________________________________________________________
Philip Zimmermann's Legal Defense Fund
Philip Dubois
2305 Broadway
Boulder, CO 80304
Voice: (303) 444-3885
Internet: [email protected]
Send checks and money orders payable to "Philip Dubois" to the address
above. Credit card donations are accepted through encrypted e-mail or
at the telephone number above.
_____________________________________________________________________
How to get a copy of PGP
*If you live in the USA or Canada
By modem:
The Ferret BBS in Arkansas at (501) 791-0125. Log in as PGP USER
with a password of PGP.
The Sprawl BBS in California at (818) 342-5127.
The Catacombs BBS in Colorado at (303) 772-1062.
Exec-Net BBS in New York at (914) 667-4567.
Over the Internet:
To get PGP 2.6 from the Massachusetts Institute of Technology,
telnet to net-dist.mit.edu, log in as getpgp and answer the questions.
Then FTP to net-dist.mit.edu and change to the hidden directory you
learned about in the telnet session.
Commercial Version:
If you want a version of PGP that can be used for commercial
purposes, contact Viacrypt Inc. at (602) 944-0773. They sell a
completely licensed version of PGP that is legal for use in the
USA and Canada.
*If you live outside the USA and Canada
By Modem:
No information available
Over the Internet:
For source code to PGP 2.6ui:
ftp://ftp.demon.co.uk/pub/pgp/pgp26uis.zip
ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp26uis.zip
For DOS PGP 2.6ui executables:
ftp://ftp.demon.co.uk/pub/pgp/pgp26uix.zip
ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP.pgp26uix.zip
[email protected] and Michael Paul Johnson ([email protected])
contributed greatly to this list.
______________________________________________________________________
Advertisement
Chatterbox! BBS
LA's Best Entertainment BBS!
(818) 718-1600
8-n-1
* 11+ GIGABYTES OF FUN!
* DATING AND MATCHMAKING
* NATIONWIDE FAX SERVICE
* 12 CD ROM's ON-LINE
* OVER 80,000 LIBRARY FILES
* THOUSANDS OF PHOTOS (ADULT, ETC.)
* INTERNET ACCESS (chatrbox.com)
* RIP-VGA GRAPHICS-USE YOUR MOUSE!
* MULTI-USER GAMES (D&D, CHESS, SCRABBLE, MANY OTHERS)
CHATTERBOX! BBS - Your REST STOP on the INFORMATION SUPER HIGHWAY!
HAVE YOUR OWN INTERNET ADDRESS WITHIN MINUTES OF CALLING.
28.8K HIGH SPEED ACCESS NOW AVAILABLE
____________________________________________________________________
Off-Line Mail-Readers and PGP; A Match Made in Heaven or Hell?
By Matthew A. Carey, Associate Editor
Algorithms, prime numbers, factoring. Words like those make
cryptography as intelligible to the average user as the encrypted
messages PGP produces.
The mystifying nature of cryptography is one of the biggest
challenges to its popularity.
Off-line reader/PGP interface programs have made encryption
real for me. And I suspect that I am not the only one.
What follows is a review of four such programs. I gave each
of these programs as critical an evaluation as I possibly could. One
or two of the programs may have taken a bruising.
Before we get to the program reviews, I would like to mention
that I think that the authors of these programs should feel proud of
their roles in the cryptography movement.
Just attempting to write an off-line reader/PGP interface is a
quiet triumph in the battle to bring privacy to everyday people.
But still, now that these beasts have been born, they must be
pitted against each other so that the fittest may survive and pass its
bits on in the brutal quest for Ubercode.
I used these programs on a Compaq ProLinea 4/33 with the Bluewave
off-line mail-reader. The operating system was DOS 6.2.
PGP 2.5 and 2.6 were released while I tested these programs, but
I chose to use PGP 2.3a under the assumption that the off-line reader
interfaces were written for it. Having no prophetic knowledge of what
changes would be made in PGP should not be held against the writers of
these interface programs. In any case, these programs are generally
compatible with later PGP versions.
=============================
AutoPGP version 2.0beta5
© 1993, 1994 Felix Shareware
Shareware $10
By Stale Schumacher ([email protected])
Available from: http://www.ifi.uio.no./~staalesc/AutoPGP or from the
Sprawl BBS at (818) 342-5127.
=============================
AutoPGP uses a creative method to run PGP on off-line mail.
It opens each outgoing mail packet and checks it for directives
that the user places in the individual messages.
For instance, to sign a message, at the beginning of the message,
you would enter [PGP SIGN BOB], and AutoPGP will automatically sign
the message with Bob's key.
For incoming mail, AutoPGP opens all QWK packets and looks for
PGP messages. It puts every key it finds on the user's key ring,
checks every signature and decrypts every encrypted message for which
the user has a secret key.
This is an exceptionally good way for someone to interface PGP
with their off-line mail-reader if they are not interested in the
specifics of cryptography, only the security it provides. It is
possible, using this program, to never again see a single bit of
PGP-encrypted text, or ever have to type out a PGP command.
AutoPGP supports QWK-format message packets, as well as several
formats not as widely used as QWK.
There are one or two habits that the user may have to change to
be able to use this program. I am used to executing a macro from
Bluewave to get to my terminal program. Using AutoPGP forces the
user to exit the mail-reading program before uploading mail, so that
AutoPGP can execute the directives.
Using AutoPGP also means having to keep a list of the directives
nearby, on paper or perhaps in a memory resident notepad.
A nice thing about AutoPGP is that it allows the user to insert
files into a message, something none of the other programs reviewed
here can do.
Entering [ADD FILE c:\location\filen.ame] in the message will
cause AutoPGP to load the file, whether it is ASCII or binary, insert
it into the message and ASCII armor it so it can be sent as e-mail.
This can be very convenient for sending files over networks. These
files can also be encrypted and signed using AutoPGP's directives.
This program is useful for file insertion, and is also more fun
to use than the other three programs. For anyone who is already
closing their off-line reader before sending their mail, AutoPGP
is a good program to interface PGP and off-line readers.
Registration is $10 after a 30-day trial period. The
documentation claims that AutoPGP will cease to function if it is not
registered by the time the trial period ends.
Registration also includes free upgrades, e-mail support and
removal of shareware reminder notices.
=============================
PGPBLUE version 2.0
© 1994
By Carl Forester
Shareware $10.00
Available from the E-mail Central BBS at (904) 836-5143
=============================
PGPBLUE has improved since the first time I gave it a spin. Now
it looks as if it is actually a part of the Bluewave off-line reader,
which lends more credence to its slogan "You never have to leave
Bluewave again."
Which is not necessarily any more true than it was before this
version, although PGPBLUE is generally a well-done piece of software.
Initial configuration for this program is quick and simple. Just
answer a few questions about where you keep your spell checker, PGP
and your text editor of choice.
The documentation comes as a .COM file and as a text file. This
goes a long way toward making PGPBLUE user-friendly.
The main menu of PGPBLUE has a good selection of functions,
signing a message, encrypting a message, or both signing and
encrypting at the same time. It is also possible to configure PGPBLUE
with a spell checker, which can be selected from the PGPBLUE menu.
PGPBLUE's encryption option works best of all. Simply hitting
"E" from the PGPBLUE menu magically turns the plaintext message into a
PGP-encrypted message. As long as the encryption is done before
returning to the main Bluewave program, the tagline ends up outside of
the encrypted text.
Decrypting messages is almost as smooth. Hitting "D" at the menu
decrypts the message with your secret key and drops you into the text
editor to read and reply to the message.
Unfortunately, the quoted lines do not get marked with the
standard ">" sign most off-line mail-readers add. Adding quote
markers that should have been added by the computer gets to be
tedious--especially when you are doing extensive quoting.
A more important flaw with PGPBLUE is its lack of on-line
configuration. All changes have to be done outside the PGPBLUE
program.
Also, PGPBLUE is unable to configure the PGP command-lines, even
by leaving Bluewave and editing the configuration file manually.
However, that is the only real disadvantage of PGPBLUE. It is an
otherwise very pleasant program to use.
Both adding and posting keys is easy with PGPBLUE. When a PGP
public key comes up in a Bluewave message, it only takes a few
keystrokes by the user to import that key onto his key ring.
If you are reading mail in an area that you would like to drop
your key into, activating the drop-key option creates a reply message
and inserts the key automatically. You do not have to go to the
"enter mail" menu in your off-line reader.
Registration for PGPBLUE is $10. Registration is required after
a 45-day trial period, and removes the "NOT REGISTERED" message from
the PGP Blue menu and the "<NR>" marker from the tearline.
=============================
EZ-PGP version 1.07
© 1994
By John Schofield ([email protected])
Freeware
Available from the Sprawl BBS (818) 342-5127
=============================
It is interesting how programmers choose to integrate PGP with
off-line mail readers. Some opt to run PGP on mail after the reader
is closed, while others run PGP on mail while the mail reader is still
open.
Where PGPBLUE is placed between the mail reader and the text
editor, EZ-PGP is placed between the mail reader and the spell-check
program.
It is often painfully obvious that most of the people who
participate in on-line discussions and write electronic mail do not
use spell checkers.
In that event, EZ-PGP takes the place of the spell-checker, and
uses a previously empty command line in Bluewave. For the rare users
who do spell check their mail, EZ-PGP has a spell checker option,
allowing the user to choose his own spell checker during
configuration.
EZ-PGP was written by John Schofield, the publisher of Keep Out.
EZ-PGP is an easy way to use PGP with Bluewave and the other
readers it is designed to run with. At the same time, EZ-PGP's
on-line configuration options, and its easy-to-understand
documentation give the program a glass-bottom-boat quality that helps
the user learn and understand PGP's various commands and what they do.
This program is also relatively simple to install. It comes as
an executable file, with default configurations. Much of the actual
installation work is done by reading the location of PGP from the
PGPPATH environment variable.
The on-line configuration seems to be designed to allow the user
to change path names and filenames to fit his setup. They also allow
the user to change the actual commands to PGP, to get exactly what the
user wants from the encryption program.
However, the on-line configuration isn't as clean as it could be.
Accidentally blanking the command line leaves the user with no record
of what the command line used to be. To replace a lost command line,
the user has to resort to his own memory or to sifting through the PGP
documentation.
Another shortcoming of EZ-PGP is its lack of an encrypt-only
command. To encrypt a message, the user is forced to also sign the
message. This makes anonymity somewhat difficult.
A decrypting command would also be convenient. Decrypting is a
fundamental part of using encryption, and it is only right that
decrypting be given equal status to encrypting by any PGP-compatible
program.
However, an especially useful component of EZ-PGP is its on-line
access to the file-wiping utility. What good is encryption if the
plaintext files can be undeleted? EZ-PGP makes room for the user to
install as powerful a file-wiping utility as he can find. It is as
easy as changing the command line.
When you first run it, EZ-PGP will set up the file-wiping program
by default to use PGP's "-w" option.
There is also an option to tell the program to look for Fidonet
to Internet addresses. On many Fidonet BBBs, a message is sent to the
Internet by sending the message to user UUCP at a certain address
(which changes depending on where the BBS is), and then having the
Internet address on the first line of the message.
Signing or encrypting a message with PGP would normally put the
"-----BEGIN PGP SIGNED MESSAGE-----" line on the first line of the
message, and move the Internet address down.
With this capability enabled, EZ-PGP will remove the Internet
addresses (up to 10) from the message, and return them to the top line
after PGP signs the message.
This may not be useful to everyone, but it is available. This
option can also be left on without interfering with other mail.
EZ-PGP is currently free for use by anyone, and the author said
in the documentation that it will always remain free for non-corporate
use.
=============================
Fixrep version 2.0
© 1994
By Jeffrey F. Bloss
Freeware
Available on the Game Room BBS at (814) 587-6348
=============================
Fixrep is an attempt at interfacing PGP and any off-line mail-
reader that just does not work. The basic idea is that the user can
set up a macro in the Qedit text-editor to call up Fixrep, which will
call up PGP and encrypt or decrypt the text that is being edited.
Fixrep requires that you use Qedit as your text editor in your off-
line mail-reader.
The problem is that the macros do not quite work. I set this
program up to work with Bluewave. It took me a long time and I needed
a lot of help just to get the macros to call up Fixrep. Once that part
was working, Fixrep was unable to find the temporary files it created.
It might be possible to get Fixrep to work, but it would require
a great deal of tinkering and testing. With other programs on the
market that are easier to set up and do a lot more, it is not really
worth the effort.
However, once this program is up and running, it might have some
flexibility that allows the user more control over their encryption.
If you are the type of person who likes to spend lots of time trying
to make things work, then this might be a good program to play with.
But, for all practical purposes, Fixrep does not do anything
worthwhile.
* * *
Except for Fixrep, all of these programs were functional and
relatively easy to use. Their main differences were their available
options and their approach to getting the job done.
Deciding which one to use should be based on what you need from
PGP. The strengths of PGPBLUE are that it is easy to install and use,
and is user friendly. However, it does not have on-line configuration
and costs $10 to register.
EZ-PGP is configurable for any file-wiping program, has on-line
configuration and has no registration fee. It does, on the other hand,
lack an encrypt-only option and a decrypt option. Neither is it
especially user friendly.
AutoPGP is fun to use and includes a file insertion feature.
However, AutoPGP is not entirely easy to use, and is only compatible
with QWK packets.
I wish there was one program that had a combination of all of the
above programs' strengths. If I could find a shareware program that
included on-line configuration, versatile encrypt and decrypt options,
file wiping configurability, user friendliness and file insertion
capabilities, it would be my application of choice for interfacing
PGP with my off-line reader.
In the meantime, I'll just have to keep the above programs
installed on my hard drive.
Matthew Carey is the editor in chief of a community college newspaper
in Los Angeles. He is also the founder of Vision Temple, a not-for-
profit media-research society. E-mail him at [email protected].
______________________________________________________________________
Beginners: How PGP Works
By John Schofield, Publisher
The most important development in the world of cryptography
happened quietly some 16 years ago. Now, that development, public-
key encryption, promises to revolutionize the world of privacy.
Before you can understand public-key encryption, you need to
understand some of the background of cryptography--the science of
hiding messages.
Almost all the different methods of hiding messages can be
grouped into two main classes--secret-key and public-key systems.
In the Beginning
One of the simplest types of secret-key system is called the
Caesar cipher. A cipher is simply a method of hiding the content of a
message so that the message can later be reconstructed.
In the Caesar cipher, each letter is exchanged for another letter
x letters down in the alphabet. For instance, suppose the "key" to a
particular message was three. Then every letter would be replaced
with the character three letters down.
Then "A" in the original message would be replaced by a letter
three down in the alphabet--"D." "B" would be replaced by "E," and so
on. If there is not enough "room" to go three letters down--for
instance if you wanted to add three to "Y"--you simply wrap around to
the beginning of the alphabet. Thus, three letters down from "Y" is
"B."
The process of turning the readable plaintext into the seeming
gibberish of the cyphertext message is called encryption. The process
of making the cyphertext readable again is called decryption.
In a Caesar cipher with a key of three, "CAT" would translate as
"FDW."
However, a cipher this simple is very easy to break--there are only
26 possible keys, so it would be very easy to simply try each key until
you got a readable message.
The Modern World of Secret Keys
Ever since the Caesar cipher, secret-key systems have been
getting more and more complicated.
The most common modern secret-key system is the Data Encryption
Standard (DES).
The DES, developed by the United States government, is commonly
used for commercial encryption and for non-secret government
communications. It is not considered strong enough to use for
classified government messages.
The DES is much harder to break then the Caesar cipher, but it
suffers from the same weakness all secret-key systems suffer from--
the need to transmit the key.
Until both the sender and the receiver have copies of the same
key, secure communication is impossible.
The receiver would be just as baffled as any eavesdropper if he
did not have the key.
If an eavesdropper were to get a copy of the key, he would have
complete access to the messages of the sender--messages would be as
easy for the eavesdropper to read as they are for the receiver.
Thus, the sender and receiver have to be very careful in how they
transmit the key. Not only do they have to ensure that the key is not
garbled, but they have to make sure nobody else gets a copy of the
key.
In practice, this often means face-to-face meetings or trusted
couriers. This is awkward, since it has always been possible to meet
face-to-face to exchange information securely.
It is this drawback in single-key encryption that caused the
development of a new technology for encryption, the concept of public
keys.
The Revolution: Public-Key encryption
Public-key systems are a leap forward in encryption that
eliminates the main problem of single-key encryption--transmitting
the key securely.
In public-key encryption, the sender and receiver each generate
two keys--a public key and a private key.
The public key is used to encrypt messages, and the private key
is used to decrypt them. Knowing the public key tells an eavesdropper
nothing about the private key.
That's why public-key systems are so revolutionary. You don't
care who gets a copy of your public key. You want as many people as
possible to have copies of your public key.
A public key is good only for encryption. The private key is
used for decryption only. Thus, there is no need for a secure method
of sending the key, and no need for a face-to-face meeting.
Since your private key never leaves your computer, it is much
harder for a potential eavesdropper to get a copy of it. Rather than
simply intercepting a message containing the key, the eavesdropper
would have to break into your house or office and copy the key from
your computer.
Let's say Alice wants to send a message to Bob. First, Alice
needs a copy of Bob's public key, because the public key is used for
encryption. Bob posts his public key somewhere in a public place,
where anyone can get it. Alice picks up Bob's public key there (as
does anyone else who wants it) and encrypts a message to him.
When Bob wants to read the message, he decrypts it using his
private key, which never left his computer.
When he wants to send a message back to Alice, he uses the her
public key to encrypt the message.
Alice will decrypt the message with her private key, and read
the message.
Under the Hood: Pretty Good Privacy
Pretty Good Privacy (PGP), written by Philip Zimmermann, is the
most widely used public-key encryption program available today.
[Ed. note: See Keep Out's interview with Zimmermann in this
issue.]
PGP uses the RSA public-key method. RSA got its name from the
last names of its inventors--Ron Rivest, Adi Shamir and Leonard
Adleman.
Because the RSA method of doing encryption is secure but very
slow, PGP actually uses both public (two-key) and secret (one-key)
systems.
First, PGP encrypts the message using IDEA, a fast one-key
encryption method that is very secure. Then PGP includes the key to
the IDEA-encrypted message in the message packet, and encrypts the
IDEA key with RSA. That way PGP gets the benefit of fast IDEA
encryption and the benefits of public-key systems, like not needing a
secure method of transmitting keys.
The IDEA keys PGP uses are randomly generated each time a message
is encrypted.
Now you should know the basics of how PGP works, and little bit
about encryption in general. In the next issue, we will learn more
about how PGP works, including digital signatures and encrypting to
more than one person, and then we'll take a look at how you can set
up PGP on your own system.
______________________________________________________________________
Advertisement
Keep Out and the Sprawl:
A perfect combination
(818) 342-5127 (300-14,400 BPS)
(818) 342-5118 (300-28,800 BPS, subscribers only)
(818) 345-8640 (voice)
The Sprawl is Keep Out's home BBS. You can choose from a huge
selection of encryption software, encryption text files, and
information on electronic and conventional privacy.
Full Fidonet access is available, along with Internet e-mail and
newsgroups. The Sprawl is your inexpensive link to the world.
Access to the Sprawl is FREE, but subscribing gets you access to the
second line, unlimited downloads, three hours a day, and the ability
to send Internet e-mail and Fidonet Netmail. A one-year subscription
to the Sprawl costs $20. A six-issue (one-year) subscription to Keep
Out magazine is $15. If you subscribe together, it's only $25.
That's a $10 savings over buying them separately! We can not accept
credit cards, but checks or money orders payable to "Keep Out" are
welcome.
Keep Out/The Sprawl
P.O. Box 571312
Tarzana, CA 91357-1312
______________________________________________________________________
End-Of-File
-----BEGIN PGP SIGNATURE-----
Version: 2.7
Comment: Call 818-345-8640 voice for info on Keep Out magazine.
iQCVAwUBLxWJU2j9fvT+ukJdAQFKQwP/eHcW6MKMbH9hLPpTBsolearDg5uMdvpE
pPhjgBFTb6jZHmkcRE7I1qfcJqcWOtmT+FcaSUkWoK3M0a5youtiS1fbXtGqfNID
+CZugCkvg9/VG45zQu/RGmx5L0XwYmtYHf40exJRqS6emRbasQCVAytYVStQ/4Xj
Vy4IjjtUN3A=
=nkUL
-----END PGP SIGNATURE-----
|
|
|
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.
totse.com certificate signatures
|
|
|
About | Advertise | Bad Ideas | Community | Contact Us | Copyright Policy | Drugs | Ego | Erotica
FAQ | Fringe | Link to totse.com | Search | Society | Submissions | Technology
|
|
|
|
|
|
