If you are like me, you haven't really payed that much attention to email
privacy. I decided to look into it simply because there has been so much
talk these days about an encryption program called PGP (Pretty Good Privacy)
I found some very alarming facts about email and, after a very short learning
curve, found PGP software pretty good.
I started this study by obtaining and reading a book by Andre Bacard called
THE COMPUTER PRIVACY HANDBOOK.
This book has some very interesting information in it about privacy in general,
encryption technology, how to government doesn't really like encryption
technology and how they want everyone to use communications encryption and
scrambling they can decode and read via a Clipper Chip. That is, the government
wants a Clipper Chip in every form of communications we use which scrambles
voice communication and encrypts text communication. That's fine and dandy.
You have a clipper chip and the party to whom you are sending can decode
it. If need be, the government will be able to decode it also. I'm not sure
I appose the clipper chip, I certainly see a law enforcement need for it.
However, I'm sure you can think about a great deal of abuses of it like
I can. The Clipper Chip has become a very big controversy.
The Computer Privacy Handbook goes
into depth about the hows and whys of email and why you should just as easily
be broadcasting your message over a public radio station. Email is just
not secure and anyone with a little computer savvy can intercept email.
When sending email without any coding or encryption, it's like sending a
letter on a postcard. On it's way to the sender, anyone can read it's contents.
When you route electronic mail through the Internet, you don't know how
many systems it's going through to reach the addressee. E-mail messages
can be entercepted easily, automatically and in a why in which you'll never
have the slightest clue someone else read your private message. Scanned
e-mail is more common than the average person thinks. People can scan e
mail for key words and/or scan for mail tocertain addresses or mail from
certain addresses.
The fact that email is a kind of open book for anyone who wants to take
a look alarmed me and it should alrm you. What really alarmed me more than
that is how the government attempted to suppress this encryption program
called PGP.
The book then goes into a detailed discussion of crypto technology and explained
the use of a two key system. You have a public key and a private key. You
send your public key to people you want to open encrypted messages from
you and you, in turn, obtain their public key so you can open encrypted
messages from them.
Unless you have worked around encryption technology before, this seems a
little confusing at first, the two key system. You will have both a public
key and a private or secret key. You give your public key to whomever you
want encrpted messages from. They, in turn, give you their public key. When
you send a message you want encrypted, you use the person's public key to
encrypt. But you have to have both the public key and secret key to decrypt.
Once I got through reading The Computer Privacy Handbook, I felt like I
had gained a much needed grounding in computer privacy and encryption. I
became so impressed with the book that we have added it to the PI Library.
My next logical step was to obtain PGP software and try this stuff out myself.
I first tried to use some of the freeware and shareware programs floating
around but quickly found that you need a little user support, you need some
of what we might call extensions to use with the software and you need a
very good PGP user manual. I have found the this very situation before when
I tried to use other freeware and shareware programs. That is, they either
made my system crash because they had bugs in it or when they where bug
free, they were too hard to figure out without some user support and a well
documented user manual.
You might have a little more luck with some of this freeware stuff. If
you do that's fine. I finally ended up getting the best version of PGP on
the market through Joseph Seanor's office (cibir@netcom.com) for a little
over a hundred dollars called VIACRYPT PGP. I had studied the different
PGP bundles you can obtain and picked this one because of the user support
you get when you obtain it, it's widely known easy to use setup, the well
written user manual and all the other add ons and extensions that come with
it.
When you first start to use this software, there is a short learning
curve but I found , after a little trial and error by sending out a few
messages, obtaining a few public keys of people who were willing to help
me on this and then figuring out what went wrong was easy to work through
with the manual by my side. Here is one of the first messages I decrypted.
I had sent this friend my public key and he sent me his public key. I then
got a message back from him that looked like this:
SAMPLE VIACRYPT PGP ENCRYPTION
Subj: First message
Date: Tue, Jun 25, 1996 1:57 PM EDT
From:
X-From:
To: RThomas007@aol.com
-----BEGIN PGP MESSAGE-----
Version: 2.6.2
-----END PGP MESSAGE-----
(GEE WIZ-TRY RUNNING THE ABOVE THROUGH YOUR SPELLING CHECKER!)
With his public key and my public key and secret key, the sender simple
sent me the above crypted message that only I could open and decode. Once
decoded the message read:
Through a little trial and error, I was able to quickly start using PGP
with ease. This software has some other features that is very nice. You
can select options in which the file you send can only be opened one time
and then not saved to another file. As you can see by reading the decrypted
message, I had not signed my key so Jeff could utilize decryption on his
end to decode my original message. I also used the wrong type of encryption
which was then corrected. The second try, everything worked well. It took
maybe two or three hours to install this program and learn how to use it
but I have found it well worth the protection you get.
After a little time and effort, I was able to configure the software correctly
and sent this message:
Decrypted by the other party, it reads:
You have several levels of encryption you can use. The manual states that
the higher level of encryption you use, the longer it takes to decode and
open files but I found that coding and decoding higher level encryption
doesn't take hardly any longer if you are running a computer at 75 Mhz or
above. It make make somewhat of a difference if you are running slower machines.
When you create your RSA keys, this program asks you the following concerning
your key:
I tried all three and on a 75 Mhz machine, it didn't seem to make much difference
as to speed unless you get down to measurements in seconds.
The other nice thing about this program is it is completely password protected
and the manual goes to great lengths on how to develop a good password that
would be very difficult to crack. Unless you know the password, you can
not use ViaCrypt PGP. Moreover, I keep another password protection program
that locks the actual file in which my PGP resides. Still further, there
is a password boot lock. What all that means is that if you happen to break
into the place where my computer is located and try and use my PGP, you'll
have to:
That's all just extra addded protection from a physical security standpoint.
An alarm will be going off long before anyone could ever attempt to crack
the first code.
One of the strange little twists of PGP is that the US Government does not
want these programs exported outside the USA. That means, of course, that
PGP must work pretty good. Can the files be decoded? Given enough time and
money likely they can. In fact, a group of 900 people who worked on individual
parts of a message were able to crack PGP codes in something like nine months.
I'd say that's still pretty good privacy. If it takes 900 people nine months
to crack such an encryption code, I would feel fairly safe. If, one the
other hand, you are still worried about something you send across the internet
being able to be cracked with 900 people in nine months, that type of stuff
doesn't belong on the Internet in the first place.
AND SOME IMPORTANT INFORMATION ON VOICE PRIVACY
Voice communications can also be very important. Everyone should know that
telephone lines can easily be tapped into with today's technology by anyone
with a twenty dollar bill. Despite the fact that it's illegal, it's widespread.
With a inexpensive scanner and attached tape recorder, anyone can tap into
and record your wireless communications these days over wireless telephones
and cellular telephones. Recently federal government codes took effect that
ban all scanner equipment that scan cellular frequencies. Although you can
no longer walk into Radio Shake and purchase a $79.95 scanner that will
scan cellular frequencies, this type of equipment is still widely available
and scanner frequency ranges are easy to modify.
Just like email can become an open book when sent across the internet, voice
communications over telephone lines can also be an open book. Talking on
cordless phones or even cellular phones is about as private as broadcasting
your communications over a public radio station. Just like PGP will scramble
your text messages, voice scrambling equipment is easy to use and moderately
priced.
If you want to impress and new or important client, give them a portable voice scrambler to call you on.
Not only are you insuring communications between you and your client, your
client is going to be very impressed. You are telling the client that you
are concerned about the privacy of their case and are giving a level of
secure telephone communications to them. Every time I have done this in
the past, a large percentage of clients evidently ask where they can obtain
some of these voice scramblers.
RELATED LINKS
REVIEW NEW BOOK SUBJECT ON COMPUTER INVESTIGTIONS
FOR THE PI
REVIEW COMPUTER PRIVACY HANDBOOK
REVIEW VOICE SCRAMBLER AND OTHER PRIVACY
EQUIPMENT
READ REVIEW OF VIACRYPT PGP SOFTWARE
REVIEW ALL KINDS OF PRIVACY PRODUCTS
RETURN TO NAIS NEWSLETTER MENU