|
-----BEGIN PGP SIGNED MESSAGE----- *** Frequently Asked Questions about PGP *** by Andre Bacard, Author of> THE COMPUTER PRIVACY HANDBOOK [Version January 11, 1995] ============================================================ This article offers a nontechnical overview of PGP to help you decide whether or not to use this globally popular computer software to safeguard your computer files and e-mail. I have written this especially for persons with a sense of humor. You may distribute this (unaltered) FAQ for non-commercial purposes. =========================================================== What is PGP? PGP (also called "Pretty Good Privacy") is a computer program that encrypts (scrambles) and decrypts (unscrambles) data. For example, PGP can encrypt "Andre" so that it reads "457mRT&%$354." Your computer can decrypt this garble back into "Andre" if you have PGP. Who created PGP? Philip Zimmermann <prz@acm.org> wrote the initial program. Phil, a a hero to many pro-privacy activists, works as a computer security consultant in Boulder, Colorado. Phil Zimmermann, Peter Gutmann, Hal Finney, Branko Lankester and other programmers around the globe have created subsequent PGP versions and shells. PGP uses the RSA public-key encryption system. RSA was announced in 1977 by its inventors: Ronald Rivest of MIT, Adi Shamir of the Weizmann Institute in Israel, and Leonard Adelman of USC. It is called "RSA" after the initials of these men. PGP also employs an encryption system called IDEA which surfaced in 1990 due to Xuejia Lai and James Massey's inventiveness. Who uses PGP encryption [or other RSA-based systems]? People who value privacy use PGP. Politicians running election campaigns, taxpayers storing IRS records, therapists protecting clients' files, entrepreneurs guarding trade secrets, journalists protecting their sources, and people seeking romance are a few of the law abiding citizens who use PGP to keep their computer files and their e-mail confidential. Businesses also use PGP. Suppose you're a corporate manager and you need to e-mail an employee about his job performance. You may be required by law to keep this e- mail confidential. Suppose you're a saleswoman, and you must communicate over public computer networks with a branch office about your customer list. You may be compelled by your company and the law to keep this list confidential. These are a few reasons why businesses use encryption to protect their customers, their employees, and themselves. PGP also helps secure financial transactions. For example, the Electronic Frontier Foundations uses PGP to encrypt members' charge account numbers, so that members can pay dues via e-mail. Thomas G. Donlan, an editor at BARRON'S [a financial publication related to THE WALL STREET JOURNAL], wrote a full-page editorial in the April 25, 1994 BARRON'S entitled "Privacy and Security: Computer Technology Opens Secrets, And Closes Them." Mr. Donlan wrote, in part: RSA Data Security, the company founded by the three inventors, has hundreds of satisfied customers, including Microsoft, Apple, Novell, Sun, AT&T and Lotus. Versions of RSA are available for almost any personal computer or workstation, many of them built into the operating systems. Lotus Notes, the network communications system, automatically encrypts all it messages using RSA. Other companies have similar products designed around the same basic concept, and some versions are available for free on computer bulletin boards. Donlan continues: Without security, the Internet is little more than the world's biggest bulletin board. With security, it could become the information supermarket of the world. RSA lets people and banks feels secure putting their credit-card numbers on the public network. Although it still seems that computers created an age of snoopery, the age of privacy is at hand. Aren't computers and e-mail already safe? Your computer files (unless encrypted) can be read by anyone with access to your machine. E-mail is notoriously unsafe. Typical e-mail travels through many computers. The persons who run these computers can read, copy, and store your mail. Many competitors and voyeurs are highly motivated to intercept e-mail. Sending your business, legal, and personal mail through computers is even less confidential than sending the same material on a postcard. PGP is one secure "envelope" that keeps busybodies, competitors, and criminals from victimizing you. I have nothing to hide. Why do I need privacy? Show me a human being who has no secrets from her family, her neighbors, or her colleagues, and I'll show you someone who is either an extraordinary exhibitionist or an incredible dullard. Show me a business that has no trade secrets or confidential records, and I'll show you a business that is not very successful. On a lighter note, a college student wrote me the following: "I had a part-time job at a dry cleaner. One day I returned a diamond ring that I'd found in a man's coat pocket to his wife. Unfortunately, it was NOT her ring! It belonged to her husband's girlfriend. His wife was furious and divorced her husband over this incident. My boss told me: 'Return jewelry ONLY to the person whose clothes you found it in, and NEVER return underwear that you find in pockets!' Until that moment, I thought my boss was a finicky woman. But she taught me the need for PGP." Privacy, discretion, confidentiality, and prudence are hallmarks of civilization. I've heard police say that encryption should be outlawed because criminals use it to avoid detection. Is this true? The next time you hear someone say this, ask him if he wants to outlaw the likes of Thomas Jefferson, the "Father of American Cryptography." Many governments, corporations, and law enforcement agencies use encryption to hide their operations. Yes, a few criminals also use encryption. Criminals are more likely to use cars, gloves, and ski-masks to evade capture. PGP is "encryption for the masses." It gives average law abiding citizens a few of the privacy rights which governments and corporations insist that they need for themselves. How does PGP work? PGP is a type of "public key cryptography." When you start using PGP, the program generates two "keys" that belong uniquely to you. Think of these keys as computer counterparts of the keys in your pocket. One PGP key is SECRET and stays in your computer. The other key is PUBLIC. You give this second key to your correspondents. Here is a sample PUBLIC KEY: - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.7 mQA9Ai2wD2YAAAEBgJ18cV7rMAFv7P3eBd/cZayI8EEO6XGYkhEO9SLJOw+DFyHg Px5o+IiR2A6Fh+HguQAFEbQZZGVtbyA8ZGVtb0B3ZWxsLnNmLmNhLnVzPokARQIF EC2wD4yR2A6Fh+HguQEB3xcBfRTi3D/2qdU3TosScYMAHfgfUwCelbb6wikSxoF5 ees9DL9QMzPZXCioh42dEUXP0g== =sw5W - -----END PGP PUBLIC KEY BLOCK----- Suppose the PUBLIC KEY listed above belongs to you and that you e-mail it to me. I can store your PUBLIC KEY in my PGP program and use your PUBLIC KEY to encrypt a message that only you can read. One beauty of PGP is that you can advertise your PUBLIC KEY the same way that you can give out your telephone number. If I have your telephone number, I can call your telephone; however, I cannot answer your telephone. Similarly, if I have your PUBLIC KEY, I can send you mail; however, I cannot read your mail. This PUBLIC KEY concept might sound a bit mysterious at first. However, it becomes very clear when you play with PGP for awhile. How safe is PGP? Will it really protect my privacy? Perhaps your government or your mother-in-law can "break" PGP messages by using supercomputers and\or pure brilliance. I have no way of knowing. Three facts are certain. First, top-rate civilian cryptographers and computer experts have tried unsuccessfully to break PGP. Second, whoever proves that he or she can unravel PGP will earn quick fame in crypto circles. He or she will be applauded at banquets and attract grant money. Third, PGP's programmers will broadcast this news at once. Almost daily, someone posts a notice such as "PGP Broken by Omaha Teenager." Take these claims with a grain of salt. The crypto world attracts its share of paranoids, provocateurs, and UFO aliens. To date, nobody has publicly demonstrated the skill to outsmart or outmuscle PGP. Is PGP available for my machine? Versions are available for DOS and Windows, as well as various Unixes, Macintosh, Amiga, Atari ST, OS/2, and CompuServe's WinCIM & CSNav. Many persons are working to expand PGP's usability. Read the Usenet alt.security.pgp news group for the latest developments. Are these versions of PGP mutually compatible? Yes. For example, a document encrypted with PGP on a PC can be decrypted with someone using PGP on a Unix machine. As of September 1, 1994, Versions 2.6 and higher can read previous versions. However, pre-2.6 versions can no longer read the newer versions. I strongly recommend that everyone upgrade to Versions 2.6.2 or 2.7. Where do I get PGP? For computer non-experts, the easiest way to get PGP is to telephone ViaCrypt (a software company) in Phoenix, Arizona at (602) 944-0773. PGP is available from countless BBSs (Bulletin Board Systems) and ftp ("File Transfer Protocol") sites around the world. These sites, like video stores, come and go. To find PGP, here are two options: 1) Learn how to use ARCHIE to search for files on the Internet. 2) Read BOARDWATCH magazine to find the BBSs in your area. How expensive is PGP? The PGP versions that you will find at BBSs and ftp sites are "freeware." This means that they are free. People from New Zealand to Mexico use these versions every day. Depending on where you live, this "freeware" may or may not violate local laws. I use PGP Version 2.7 which is distributed by ViaCrypt in the United States [see below]. Is PGP legal in the United States? Yes. MIT's PGP Version is licensed for non-commercial use. You can it from ftp sites or BBSs. ViaCrypt's PGP Version is licensed for commercial use. You can get it from ViaCrypt. +++ Important Note +++. It is illegal to export PGP out of the United States. Do not even think of doing so! To communicate with friends in, say, England, have your friends get PGP from sources outside the United States. What is a PGP digital signature? At the end of this document, you will see a PGP signature. This "digital signature" allows persons who have PGP and my PUBLIC KEY to verify that 1) I, Andre Bacard, (not a SPORTS ILLUSTRATED superstar pretending to be me!) wrote this document, and 2) Nobody has altered this text since I signed it. PGP signatures might be helpful for signing contracts, transferring money, and verifying a person's identity. How difficult is it to learn PGP? PGP has around two dozen commands. It is a relatively easy program to learn. Where can I learn more about the PGP and related subjects? The following News Groups are a good place to start: alt.privacy [to hear about electronic privacy issues] alt.security.pgp [to learn everything known about PGP] talk.politics.crypto [to keep abreast of legal & political changes] Anything else I should know? YOUR privacy and safety are in danger! The black market price for your IRS records is $500. YOUR medical records are even cheaper. Prolific bank, credit and medical databases, the Clipper Chip Initiative, computer matching programs, cordless & cellular phone scanners, Digital Telephony legislation, and (hidden) video surveillance are just a few factors that threaten every law abiding citizen. Our anti-privacy society gives criminals and snoops computer data about YOU on a silver platter. If you want to protect your privacy, I urge you to join organizations such as the Electronic Frontier Foundation <membership@eff.org> and Computer Professionals for Social Responsibility <info@cpsr.org>. - ----------------------------------------------------------- Andre Bacard Bacard wrote "The Computer Privacy Box 3009 Handbook: A Practical Guide to E-Mail Stanford, CA 94309 Encryption, Data Protection, and PGP abacard@well.com Privacy Software" [for novices/experts] Introduction written by Mitchell Kapor, Chairman, Electronic Frontier Foundation and Founder of Lotus 1-2-3. * Book Available February 1995. Write for details. * - ----------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.7 iQCVAwUBLxQjNt6pT6nCx/9/AQFydAQAlTBD8r9cUB0lAk7eUQrCaI5Eidxt37og Qi8TkCcNSB9GWWtdNVxMEQYHpOdyr98Ww5qZ9gyBXWa4l+rvsu3Fel9saSCRZb8H kt1BIyE5KEFrDNU/8s29+usUAIHKo6ojIOCrLEo0FWvyQro2fGuo6aJIJAO7ckCA mJJIuceq5GM= =P5zM -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- *** Frequently Asked Questions About Anonymous Remailers *** by Andre Bacard, Author of THE COMPUTER PRIVACY HANDBOOK [Version January 11, 1995] ============================================================ This article offers a nontechnical overview of anonymous remailers to help you decide whether to use these computer services to enhance your privacy. I have written this especially for persons with a sense of humor. You may distribute this (unaltered) FAQ for non-commercial purposes. =========================================================== What is an anonymous remailer? An anonymous remailer (also called an "anonymous server") is a free computer service that privatizes your e-mail. A remailer allows you to send electronic mail to a Usenet news group or to a person without the recipient knowing your name or your e-mail address. Why would YOU use remailers? Maybe you're a computer engineer who wants to express opinions about computer products, opinions that your employer might hold against you. Possibly you live in a community that is violently intolerant of your social, political, or religious views. Perhaps you're seeking employment via the Internet and you don't want to jeopardize your present job. Possibly you want to place personal ads. Perchance you're a whistle-blower afraid of retaliation. Conceivably you feel that, if you criticize your government, Big Brother will monitor you. Maybe you don't want people "flaming" your corporate e-mail address. In short, there are many legitimate reasons why you, a law abiding person, might use remailers. How does a remailer work? Let's take an example. A popular Internet remailer is run by Johan Helsingius, President of a Helsinki, Finland company that helps businesses connect to the Internet. His "an@anon.penet.fi" addresses are common in controversial news groups. Suppose you read a post from a battered woman <an123@anon.penet.fi> crying out for help. You can write her at <an123@anon.penet.fi>. Helsingius' computer will STRIP AWAY your real name and address (the header at the top of your e-mail), replace this data with a dummy address, and forward your message to the battered woman. Helsingius' computer will notify you of your new anonymous address; e.g., <an345@anon.penet.fi>. You can use Helsingius' free service to forward letters to anyone, even to persons who do not use his service. His computer sends each user detailed instructions about his system. Are there many remailers? Currently, there are roughly a dozen active, PUBLIC remailers on the Internet. (Undoubtedly, there are many PRIVATE remailers that restrict who may use them.) Remailers tend to come and go. First, they require equipment and labor to set up and maintain; second, they produce zero revenue. Why are remailers free? There is a simple answer. How can remailer administrators charge people who want maximum privacy? Administrators can't ask for a Visa number or take checks. Why do people operate remailers, if not for money? People set up remailers for their own personal usage, which they may or may not care to share with the rest of us. Joshua Quittner, co-author of the high-tech thriller MOTHER'S DAY, interviewed Mr. Helsingius for WIRED magazine. Helsingius said: "It's important to be able to express certain views without everyone knowing who you are. One of the best examples was the great debate about Caller ID on phones. People were really upset that the person at the receiving end would know who was calling. On things like telephones, people take for granted the fact that they can be anonymous if they want to and they get really upset if people take that away. I think the same thing applies for e- mail." "Living in Finland, I got a pretty close view of how things were in the former Soviet Union. If you actually owned a photocopier or even a typewriter there you would have to register it and they would take samples of what your typewriter would put out so they could identify it later. That's something I find so appalling. The fact that you have to register every means of providing information to the public sort of parallels it, like saying you have to sign everything on the Net. We always have to be able to track you down." What makes an "ideal" anonymous remailer? An "ideal" anonymous remailer is: (a) Easy to use. (b) Run by a reliable individual whose system actually does what it promises. In addition, this person should have the computer expertise to take prudent steps to safeguard your privacy from civilian or government hackers. (c) Able to forward your messages in a timely manner. By "timely" I mean minutes or hours. (d) Holds your messages for a RANDOM time before forwarding them. This time lag makes it harder for snoops to link a message that arrives at, say, 3:00 P.M. with a message that leaves your machine at, say, 2:59 P.M. (e) Permits (better yet encourages!) PGP encryption software. If a remailer does NOT permit PGP (Pretty Good Privacy), reasonable people might assume that the remailer administrator enjoys reading forwarded mail. What makes a responsible remailer user? A responsible user: (a) Sends text files of a reasonable length. Binary files take too much transmission time. (b) Transmits files selectively. Remailers are NOT designed to send "You Can Get Rich" chain letters or other junk mail. Who are irresponsible remailer users? Here is a quote from one remailer administrator: "This remailer has been abused in the past, mostly by users hiding behind anonymity to harass other users. I will take steps to squish users who do this. Lets keep the net a friendly and productive place.... Using this remailer to send death threats is highly obnoxious. I will reveal your return address to the police if you do this." Legitimate remailer administrators will NOT TOLERATE harassment or criminal activity. Report any such incidents to the remailer administrator. How safe are anonymous remailers? [for paranoids only :-)] For most low-security tasks, such as responding to personal ads, remailers are undoubtedly safer than using real e-mail addresses. However, all the best made plans of mice and men have weaknesses. Suppose, for example, that you are a government employee, who just discovered that your boss is taking bribes. Is it safe to use an anonymous remailer to send evidence to a government whistleblower's e-mail hot line? Here are a few points to ponder: (a) The person who runs your e-mail system might intercept your secret messages to and from the anonymous remailer. This gives him proof that YOU are reporting your corrupt boss. This evidence could put you in danger. (b) It is possible that the anonymous remailer is a government sting operation or a criminal enterprise, designed to entrap people. The person who runs this service might be your corrupt boss' partner. (c) Hackers can do magic with computers. It's possible that hackers have broken into the remailer (unbeknownst to the remailer's administrator) and that they can read your messages at will. Hard-core privacy people do not trust individual remailers. These people write programs that send their messages through several remailers. This way only the first remailer knows their real address, and the first remailer cannot know the final destination of the e-mail message. In addition, they PGP encrypt all messages. Where can I learn more? Go to the Usenet news group ALT.PRIVACY.ANON-SERVER. Pay special attention to posts by Raph Levien, "The Remailer Guru." Where can I get a list of current remailers? Raph Levien [see above] generously runs a remailer pinging service which collects details about remailer features and reliability. To read Levien's data, finger: <remailer-list@kiwi.cs.berkeley.edu>. There is also a Web version of the same information, at: http://www.cs.berkeley.edu/~raph/remailer-list.html In addition, Raph Levien <raph@kiwi.cs.berkeley.edu> regularly posts his "List of Reliable Remailers" at ALT.PRIVACY.ANON-SERVER. Anything else I should know? YOUR privacy and safety are in danger! The black market price for your IRS records is $500. YOUR medical records are even cheaper. Prolific bank, credit and medical databases, the Clipper Chip Initiative, computer matching programs, cordless & cellular phone scanners, Digital Telephony legislation, and (hidden) video surveillance are just a few factors that threaten every law abiding citizen. Our anti-privacy society gives criminals and snoops computer data about YOU on a silver platter. If you want to protect your privacy, I urge you to join organizations such as the Electronic Frontier Foundation <membership@eff.org> and Computer Professionals for Social Responsibility <info@cpsr.org>. - ----------------------------------------------------------- Andre Bacard Bacard wrote "The Computer Privacy Box 3009 Handbook: A Practical Guide to E-Mail Stanford, CA 94309 Encryption, Data Protection, and PGP abacard@well.com Privacy Software" [for novices/experts] Introduction written by Mitchell Kapor, Chairman, Electronic Frontier Foundation and Founder of Lotus 1-2-3. * Book Available February 1995. Write for details. * - ----------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.7 iQCVAwUBLxQjL96pT6nCx/9/AQHFxAP/UQj9TAQ7cYjD0OXTclGY9kJoNeNVWFrM IU4bu4cNPfa8FtRF88Abna3gnDud2gvfjWSFwh0nUKbO5geACKEka66BBoPtSzMj nrKXXAyFGAxErdVXuwMBFH46/AU6ySzDtrGwUM2b7nQQQVy8mAmTIQEU4TwUChUU eUJAFskAZwg= =rmCo -----END PGP SIGNATURE-----