-----BEGIN PGP SIGNED MESSAGE-----
*** Frequently Asked Questions about PGP ***
by
Andre Bacard, Author of>
THE COMPUTER PRIVACY HANDBOOK
[Version January 11, 1995]
============================================================
This article offers a nontechnical overview of PGP to
help you decide whether or not to use this globally
popular computer software to safeguard your computer
files and e-mail. I have written this especially for
persons with a sense of humor. You may distribute this
(unaltered) FAQ for non-commercial purposes.
===========================================================
What is PGP?
PGP (also called "Pretty Good Privacy") is a computer
program that encrypts (scrambles) and decrypts
(unscrambles) data. For example, PGP can encrypt "Andre"
so that it reads "457mRT&%$354." Your computer can
decrypt this garble back into "Andre" if you have PGP.
Who created PGP?
Philip Zimmermann <prz@acm.org> wrote the initial
program. Phil, a a hero to many pro-privacy activists,
works as a computer security consultant in Boulder,
Colorado. Phil Zimmermann, Peter Gutmann, Hal Finney,
Branko Lankester and other programmers around the globe
have created subsequent PGP versions and shells.
PGP uses the RSA public-key encryption system. RSA was
announced in 1977 by its inventors: Ronald Rivest of MIT,
Adi Shamir of the Weizmann Institute in Israel, and
Leonard Adelman of USC. It is called "RSA" after the
initials of these men. PGP also employs an encryption
system called IDEA which surfaced in 1990 due to Xuejia
Lai and James Massey's inventiveness.
Who uses PGP encryption [or other RSA-based systems]?
People who value privacy use PGP. Politicians running
election campaigns, taxpayers storing IRS records,
therapists protecting clients' files, entrepreneurs
guarding trade secrets, journalists protecting their
sources, and people seeking romance are a few of the law
abiding citizens who use PGP to keep their computer files
and their e-mail confidential.
Businesses also use PGP. Suppose you're a corporate
manager and you need to e-mail an employee about his job
performance. You may be required by law to keep this e-
mail confidential. Suppose you're a saleswoman, and you
must communicate over public computer networks with a
branch office about your customer list. You may be
compelled by your company and the law to keep this list
confidential. These are a few reasons why businesses use
encryption to protect their customers, their employees,
and themselves.
PGP also helps secure financial transactions. For
example, the Electronic Frontier Foundations uses PGP to
encrypt members' charge account numbers, so that members
can pay dues via e-mail.
Thomas G. Donlan, an editor at BARRON'S [a financial
publication related to THE WALL STREET JOURNAL], wrote a
full-page editorial in the April 25, 1994 BARRON'S
entitled "Privacy and Security: Computer Technology Opens
Secrets, And Closes Them."
Mr. Donlan wrote, in part:
RSA Data Security, the company founded by the
three inventors, has hundreds of satisfied
customers, including Microsoft, Apple, Novell,
Sun, AT&T and Lotus. Versions of RSA are
available for almost any personal computer or
workstation, many of them built into the
operating systems. Lotus Notes, the network
communications system, automatically encrypts
all it messages using RSA. Other companies
have similar products designed around the same
basic concept, and some versions are available
for free on computer bulletin boards.
Donlan continues:
Without security, the Internet is little more
than the world's biggest bulletin board. With
security, it could become the information
supermarket of the world. RSA lets people and
banks feels secure putting their credit-card
numbers on the public network. Although it
still seems that computers created an age of
snoopery, the age of privacy is at hand.
Aren't computers and e-mail already safe?
Your computer files (unless encrypted) can be read by
anyone with access to your machine. E-mail is notoriously
unsafe. Typical e-mail travels through many computers.
The persons who run these computers can read, copy, and
store your mail. Many competitors and voyeurs are highly
motivated to intercept e-mail. Sending your business,
legal, and personal mail through computers is even less
confidential than sending the same material on a
postcard. PGP is one secure "envelope" that keeps
busybodies, competitors, and criminals from victimizing
you.
I have nothing to hide. Why do I need privacy?
Show me a human being who has no secrets from her family,
her neighbors, or her colleagues, and I'll show you
someone who is either an extraordinary exhibitionist or
an incredible dullard.
Show me a business that has no trade secrets or
confidential records, and I'll show you a business that
is not very successful.
On a lighter note, a college student wrote me the following:
"I had a part-time job at a dry cleaner. One day I
returned a diamond ring that I'd found in a man's coat
pocket to his wife. Unfortunately, it was NOT her ring!
It belonged to her husband's girlfriend. His wife was
furious and divorced her husband over this incident. My
boss told me: 'Return jewelry ONLY to the person whose
clothes you found it in, and NEVER return underwear that
you find in pockets!' Until that moment, I thought my
boss was a finicky woman. But she taught me the need for
PGP."
Privacy, discretion, confidentiality, and prudence are
hallmarks of civilization.
I've heard police say that encryption should be outlawed because
criminals use it to avoid detection. Is this true?
The next time you hear someone say this, ask him if he
wants to outlaw the likes of Thomas Jefferson, the
"Father of American Cryptography."
Many governments, corporations, and law enforcement
agencies use encryption to hide their operations. Yes, a
few criminals also use encryption. Criminals are more
likely to use cars, gloves, and ski-masks to evade
capture.
PGP is "encryption for the masses." It gives average law
abiding citizens a few of the privacy rights which
governments and corporations insist that they need for
themselves.
How does PGP work?
PGP is a type of "public key cryptography." When you
start using PGP, the program generates two "keys" that
belong uniquely to you. Think of these keys as computer
counterparts of the keys in your pocket. One PGP key is
SECRET and stays in your computer. The other key is
PUBLIC. You give this second key to your correspondents.
Here is a sample PUBLIC KEY:
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.7
mQA9Ai2wD2YAAAEBgJ18cV7rMAFv7P3eBd/cZayI8EEO6XGYkhEO9SLJOw+DFyHg
Px5o+IiR2A6Fh+HguQAFEbQZZGVtbyA8ZGVtb0B3ZWxsLnNmLmNhLnVzPokARQIF
EC2wD4yR2A6Fh+HguQEB3xcBfRTi3D/2qdU3TosScYMAHfgfUwCelbb6wikSxoF5
ees9DL9QMzPZXCioh42dEUXP0g==
=sw5W
- -----END PGP PUBLIC KEY BLOCK-----
Suppose the PUBLIC KEY listed above belongs to you and
that you e-mail it to me. I can store your PUBLIC KEY in
my PGP program and use your PUBLIC KEY to encrypt a
message that only you can read. One beauty of PGP is that
you can advertise your PUBLIC KEY the same way that you
can give out your telephone number. If I have your
telephone number, I can call your telephone; however, I
cannot answer your telephone. Similarly, if I have your
PUBLIC KEY, I can send you mail; however, I cannot read
your mail.
This PUBLIC KEY concept might sound a bit mysterious at
first. However, it becomes very clear when you play with
PGP for awhile.
How safe is PGP? Will it really protect my privacy?
Perhaps your government or your mother-in-law can "break"
PGP messages by using supercomputers and\or pure
brilliance. I have no way of knowing. Three facts are
certain. First, top-rate civilian cryptographers and
computer experts have tried unsuccessfully to break PGP.
Second, whoever proves that he or she can unravel PGP
will earn quick fame in crypto circles. He or she will be
applauded at banquets and attract grant money. Third,
PGP's programmers will broadcast this news at once.
Almost daily, someone posts a notice such as "PGP Broken
by Omaha Teenager." Take these claims with a grain of
salt. The crypto world attracts its share of paranoids,
provocateurs, and UFO aliens.
To date, nobody has publicly demonstrated the skill to
outsmart or outmuscle PGP.
Is PGP available for my machine?
Versions are available for DOS and Windows, as well as
various Unixes, Macintosh, Amiga, Atari ST, OS/2, and
CompuServe's WinCIM & CSNav. Many persons are working to
expand PGP's usability. Read the Usenet alt.security.pgp
news group for the latest developments.
Are these versions of PGP mutually compatible?
Yes. For example, a document encrypted with PGP on a PC
can be decrypted with someone using PGP on a Unix
machine.
As of September 1, 1994, Versions 2.6 and higher can read
previous versions. However, pre-2.6 versions can no
longer read the newer versions. I strongly recommend that
everyone upgrade to Versions 2.6.2 or 2.7.
Where do I get PGP?
For computer non-experts, the easiest way to get PGP is to
telephone ViaCrypt (a software company) in Phoenix, Arizona at
(602) 944-0773.
PGP is available from countless BBSs (Bulletin Board
Systems) and ftp ("File Transfer Protocol") sites around
the world. These sites, like video stores, come and go.
To find PGP, here are two options: 1) Learn how to use
ARCHIE to search for files on the Internet. 2) Read
BOARDWATCH magazine to find the BBSs in your area.
How expensive is PGP?
The PGP versions that you will find at BBSs and ftp sites
are "freeware." This means that they are free. People
from New Zealand to Mexico use these versions every day.
Depending on where you live, this "freeware" may or may
not violate local laws.
I use PGP Version 2.7 which is distributed by ViaCrypt in
the United States [see below].
Is PGP legal in the United States?
Yes. MIT's PGP Version is licensed for non-commercial use. You
can it from ftp sites or BBSs. ViaCrypt's PGP Version is
licensed for commercial use. You can get it from ViaCrypt.
+++ Important Note +++. It is illegal to export PGP out of the
United States. Do not even think of doing so! To communicate
with friends in, say, England, have your friends get PGP from
sources outside the United States.
What is a PGP digital signature?
At the end of this document, you will see a PGP
signature. This "digital signature" allows persons who
have PGP and my PUBLIC KEY to verify that 1) I, Andre
Bacard, (not a SPORTS ILLUSTRATED superstar pretending to
be me!) wrote this document, and 2) Nobody has altered
this text since I signed it.
PGP signatures might be helpful for signing contracts,
transferring money, and verifying a person's identity.
How difficult is it to learn PGP?
PGP has around two dozen commands. It is a relatively
easy program to learn.
Where can I learn more about the PGP and related subjects?
The following News Groups are a good place to start:
alt.privacy
[to hear about electronic privacy issues]
alt.security.pgp
[to learn everything known about PGP]
talk.politics.crypto
[to keep abreast of legal & political changes]
Anything else I should know?
YOUR privacy and safety are in danger! The black market
price for your IRS records is $500. YOUR medical records
are even cheaper. Prolific bank, credit and medical
databases, the Clipper Chip Initiative, computer matching
programs, cordless & cellular phone scanners, Digital
Telephony legislation, and (hidden) video surveillance
are just a few factors that threaten every law abiding
citizen. Our anti-privacy society gives criminals and
snoops computer data about YOU on a silver platter.
If you want to protect your privacy, I urge you to join
organizations such as the Electronic Frontier Foundation
<membership@eff.org> and Computer Professionals for
Social Responsibility <info@cpsr.org>.
- -----------------------------------------------------------
Andre Bacard Bacard wrote "The Computer Privacy
Box 3009 Handbook: A Practical Guide to E-Mail
Stanford, CA 94309 Encryption, Data Protection, and PGP
abacard@well.com Privacy Software" [for novices/experts]
Introduction written by Mitchell Kapor, Chairman, Electronic
Frontier Foundation and Founder of Lotus 1-2-3.
* Book Available February 1995. Write for details. *
- -----------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.7
iQCVAwUBLxQjNt6pT6nCx/9/AQFydAQAlTBD8r9cUB0lAk7eUQrCaI5Eidxt37og
Qi8TkCcNSB9GWWtdNVxMEQYHpOdyr98Ww5qZ9gyBXWa4l+rvsu3Fel9saSCRZb8H
kt1BIyE5KEFrDNU/8s29+usUAIHKo6ojIOCrLEo0FWvyQro2fGuo6aJIJAO7ckCA
mJJIuceq5GM=
=P5zM
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
*** Frequently Asked Questions About Anonymous Remailers ***
by
Andre Bacard, Author of
THE COMPUTER PRIVACY HANDBOOK
[Version January 11, 1995]
============================================================
This article offers a nontechnical overview of anonymous
remailers to help you decide whether to use these
computer services to enhance your privacy. I have written
this especially for persons with a sense of humor. You
may distribute this (unaltered) FAQ for non-commercial
purposes.
===========================================================
What is an anonymous remailer?
An anonymous remailer (also called an "anonymous server")
is a free computer service that privatizes your e-mail.
A remailer allows you to send electronic mail to a Usenet
news group or to a person without the recipient knowing
your name or your e-mail address.
Why would YOU use remailers?
Maybe you're a computer engineer who wants to express
opinions about computer products, opinions that your
employer might hold against you. Possibly you live in a
community that is violently intolerant of your social,
political, or religious views. Perhaps you're seeking
employment via the Internet and you don't want to
jeopardize your present job. Possibly you want to place
personal ads. Perchance you're a whistle-blower afraid of
retaliation. Conceivably you feel that, if you criticize
your government, Big Brother will monitor you. Maybe you
don't want people "flaming" your corporate e-mail
address. In short, there are many legitimate reasons why
you, a law abiding person, might use remailers.
How does a remailer work?
Let's take an example. A popular Internet remailer is run
by Johan Helsingius, President of a Helsinki, Finland
company that helps businesses connect to the Internet.
His "an@anon.penet.fi" addresses are common in
controversial news groups. Suppose you read a post from
a battered woman <an123@anon.penet.fi> crying out for
help. You can write her at <an123@anon.penet.fi>.
Helsingius' computer will STRIP AWAY your real name and
address (the header at the top of your e-mail), replace
this data with a dummy address, and forward your message
to the battered woman. Helsingius' computer will notify
you of your new anonymous address; e.g.,
<an345@anon.penet.fi>. You can use Helsingius' free
service to forward letters to anyone, even to persons who
do not use his service. His computer sends each user
detailed instructions about his system.
Are there many remailers?
Currently, there are roughly a dozen active, PUBLIC
remailers on the Internet. (Undoubtedly, there are many
PRIVATE remailers that restrict who may use them.)
Remailers tend to come and go. First, they require
equipment and labor to set up and maintain; second, they
produce zero revenue.
Why are remailers free?
There is a simple answer. How can remailer administrators
charge people who want maximum privacy? Administrators
can't ask for a Visa number or take checks.
Why do people operate remailers, if not for money?
People set up remailers for their own personal usage,
which they may or may not care to share with the rest of
us. Joshua Quittner, co-author of the high-tech thriller
MOTHER'S DAY, interviewed Mr. Helsingius for WIRED
magazine. Helsingius said:
"It's important to be able to express certain
views without everyone knowing who you are.
One of the best examples was the great debate
about Caller ID on phones. People were really
upset that the person at the receiving end
would know who was calling. On things like
telephones, people take for granted the fact
that they can be anonymous if they want to and
they get really upset if people take that
away. I think the same thing applies for e-
mail."
"Living in Finland, I got a pretty close view
of how things were in the former Soviet Union.
If you actually owned a photocopier or even a
typewriter there you would have to register it
and they would take samples of what your
typewriter would put out so they could
identify it later. That's something I find so
appalling. The fact that you have to register
every means of providing information to the
public sort of parallels it, like saying you
have to sign everything on the Net. We always
have to be able to track you down."
What makes an "ideal" anonymous remailer?
An "ideal" anonymous remailer is: (a) Easy to use. (b)
Run by a reliable individual whose system actually does
what it promises. In addition, this person should have
the computer expertise to take prudent steps to safeguard
your privacy from civilian or government hackers. (c)
Able to forward your messages in a timely manner. By
"timely" I mean minutes or hours. (d) Holds your messages
for a RANDOM time before forwarding them. This time lag
makes it harder for snoops to link a message that arrives
at, say, 3:00 P.M. with a message that leaves your
machine at, say, 2:59 P.M. (e) Permits (better yet
encourages!) PGP encryption software. If a remailer does
NOT permit PGP (Pretty Good Privacy), reasonable people
might assume that the remailer administrator enjoys
reading forwarded mail.
What makes a responsible remailer user?
A responsible user: (a) Sends text files of a reasonable
length. Binary files take too much transmission time. (b)
Transmits files selectively. Remailers are NOT designed
to send "You Can Get Rich" chain letters or other junk
mail.
Who are irresponsible remailer users?
Here is a quote from one remailer administrator:
"This remailer has been abused in the past, mostly by
users hiding behind anonymity to harass other users. I
will take steps to squish users who do this. Lets keep
the net a friendly and productive place.... Using this
remailer to send death threats is highly obnoxious. I
will reveal your return address to the police if you do
this."
Legitimate remailer administrators will NOT TOLERATE
harassment or criminal activity. Report any such
incidents to the remailer administrator.
How safe are anonymous remailers? [for paranoids only :-)]
For most low-security tasks, such as responding to
personal ads, remailers are undoubtedly safer than using
real e-mail addresses. However, all the best made plans
of mice and men have weaknesses. Suppose, for example,
that you are a government employee, who just discovered
that your boss is taking bribes. Is it safe to use an
anonymous remailer to send evidence to a government
whistleblower's e-mail hot line? Here are a few points to
ponder:
(a) The person who runs your e-mail system might
intercept your secret messages to and from the anonymous
remailer. This gives him proof that YOU are reporting
your corrupt boss. This evidence could put you in danger.
(b) It is possible that the anonymous remailer is a
government sting operation or a criminal enterprise,
designed to entrap people. The person who runs this
service might be your corrupt boss' partner.
(c) Hackers can do magic with computers. It's possible
that hackers have broken into the remailer (unbeknownst
to the remailer's administrator) and that they can read
your messages at will.
Hard-core privacy people do not trust individual
remailers. These people write programs that send their
messages through several remailers. This way only the
first remailer knows their real address, and the first
remailer cannot know the final destination of the e-mail
message. In addition, they PGP encrypt all messages.
Where can I learn more?
Go to the Usenet news group ALT.PRIVACY.ANON-SERVER. Pay
special attention to posts by Raph Levien, "The Remailer
Guru."
Where can I get a list of current remailers?
Raph Levien [see above] generously runs a remailer
pinging service which collects details about remailer
features and reliability. To read Levien's data, finger:
<remailer-list@kiwi.cs.berkeley.edu>.
There is also a Web version of the same information, at:
http://www.cs.berkeley.edu/~raph/remailer-list.html
In addition, Raph Levien <raph@kiwi.cs.berkeley.edu>
regularly posts his "List of Reliable Remailers" at
ALT.PRIVACY.ANON-SERVER.
Anything else I should know?
YOUR privacy and safety are in danger! The black market
price for your IRS records is $500. YOUR medical records
are even cheaper. Prolific bank, credit and medical
databases, the Clipper Chip Initiative, computer matching
programs, cordless & cellular phone scanners, Digital
Telephony legislation, and (hidden) video surveillance
are just a few factors that threaten every law abiding
citizen. Our anti-privacy society gives criminals and
snoops computer data about YOU on a silver platter.
If you want to protect your privacy, I urge you to join
organizations such as the Electronic Frontier Foundation
<membership@eff.org> and Computer Professionals for
Social Responsibility <info@cpsr.org>.
- -----------------------------------------------------------
Andre Bacard Bacard wrote "The Computer Privacy
Box 3009 Handbook: A Practical Guide to E-Mail
Stanford, CA 94309 Encryption, Data Protection, and PGP
abacard@well.com Privacy Software" [for novices/experts]
Introduction written by Mitchell Kapor, Chairman, Electronic
Frontier Foundation and Founder of Lotus 1-2-3.
* Book Available February 1995. Write for details. *
- -----------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.7
iQCVAwUBLxQjL96pT6nCx/9/AQHFxAP/UQj9TAQ7cYjD0OXTclGY9kJoNeNVWFrM
IU4bu4cNPfa8FtRF88Abna3gnDud2gvfjWSFwh0nUKbO5geACKEka66BBoPtSzMj
nrKXXAyFGAxErdVXuwMBFH46/AU6ySzDtrGwUM2b7nQQQVy8mAmTIQEU4TwUChUU
eUJAFskAZwg=
=rmCo
-----END PGP SIGNATURE-----
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
