CNN On Story on GnuPG 1.0

Dan Schleifer writes "Good to see that main-stream media has picked up on the release of GnuPG 1.0, and run a story on it. This is an especially GoodThing(tm) as, it's not just free software, but free encryption software that says: 'Haha, you silly little export regulations...' " Several nitpicky errors that I'm most of you will notice, but all in all great to seen the mainstream reporting on this, and starting to hit the issue of privacy exportation, if only skimming the surface.

Re:Is an "easy" explanation of encryption availabl

Sure. Some of what I'll say is kinda pulled from what I read in a PGP release many moons ago.

You don't write letters to people on postcards, do you? No. Why? Anyone can read what's on the postcard. If you want to write a private letter to someone, you write it on a piece of paper and put it in an envelope. You may even use a security envelope so you can't see what's inside the envelope.

Encryption is (in one sense) the envelope. It makes sure that no casual reader can see what the contents are. It may be credit card information, or it may be happy birthday wishes. It doesn't matter.

Encryption (as PGP/GPG uses) also provides authentication. It makes sure that when you get a letter from a friend, it really came from them and not someone who happened to break into Hotmail and fake e-mail.

Side note: Hrm. This could be a good way at advertising GPG (Hotmail cracked again? Don't worry, GPG keeps you safe!)

-Mark

Re:What's needed now is...

Look on the GnuPG [gnupg.org] web page. There are links to a number of mail clients with some level of support.

Personally, I prefer mutt [mutt.org].

Re:Big enough Beowulf clusters can solve anything

First off, you're parroting what the original poster said, i.e. that a big enough beowulf cluster can break the encryption, but moving it further offtopic by saying a big enough cluster can do anything.

Second, you're dead wrong. Cryptography is based on functions that are easier to do in one direction than the other. Easier by many many orders of magnitude. That means that a computer will always be encrypt a message to such a degree that were all the matter in the entire solar system turned into a huge cluster of computers, it would not be able to break the encryption with a brute force attack. You're home computer can do this RIGHT NOW. So while beowulf clusters are neat and all, don't ascribe magical powers to them. Its a sign of linux zealotry and that's just as bad as any other kind (*cough* M$ zealotry *cough*).

Note that I did however only talk about brute force attacks. There is always the chance that a new algorithm or new kind of technology (read quantum computing) will be found that will render a cryptography function as easy in one direction as in the other.

Jherico

Somebody give RMS a Valium!

It is a great thing that the mainstream media is embracing GNU projects, but I thing that forcing them (the errant journalists) to read a breif 'GNU/FSF/Linux primer' before publication would be a good idea.

A note to Stallman: Take a Valium, wash it down with a few shots of Absolut, (not too much now, we don't need you dead) and sleep off the rage of the HURDs virtual media invisibility.
Linux was below the radar screens for years, and is now up in a big way. HURD may well be the next Linux..

A thought before I go.. We should embrace GPG, for not only is is a good bit of code, but it may well be our best way of fighting the current stupid encryption laws. By making sure everyone, everywhere can get their hands on it, it nullifies the need for such a law, and I hope the US government realizes this..

What's needed now is...

What's need now is an easy way for end users to use encryption in everyday life. SSH is an easy replacement for telnet and ftp (scp, that is)... GNUpg is a wonderful program, but integration into Mail clients and the the like is very important to help people actually use it...

I'd encrypt / sign all my mail if it were easier... I guess I'm way too lazy to type a message, run it through GNUpg, then replace the text in the email all by hand... I've seen some decent apps for Win32 that do nice things (e.g. adding a right click option on text to do PGP encryption / signing)...

I'd love to see more encryption being used... I know a few Linux mail clients "plan" to have support for GNUpg, but none that I know of right now do and offer enough features to be worth using....

That's exactly what they want...

The legislature is fully aware of the effect of their policy. They don't WANT American crypto companies to be competitive. Strong American crypto companies lead to more Americans using crypto.

As long as Americans don't bother using crypto the legislature doesn't have to take unpopular steps to control it. So they stifle the companies who make and promote crypto products and the issue comes to the public's attention as little as possible.

wake-up call

Hopefully this will help show the legislature the folly of these export restrictions. If you won't allow certain things to be exported, then the enterprising individuals will develop them outside the country, and the some of the prestige of "America's technological leadership" will dwindle.

God knows the legislature doesn't act on real issues, but if we can make this a PR issue, then things might actually change.

export regs may not allow USA based peer review

Given that GnuPG is open source, which means it will be peer-reviewed with eyeballs from all over the world, I wonder what would happen to its export status if the maintainers received and applied even one bug fix or ehancement derived from a USofA based reviewer/user.

GNU at its Best

This is a perfect example of GNU and the open source community. We provide free alternatives to commercial products that are available, and as an added bonus, it has no export restrictions! Why is it that free software written by hackers in their basements almost always better than something you would pay for? It all comes down to money... people are rushed to release their programs, and try to patch it together from others' code to try and save time. Corporate giants (primarily Microsoft) have taken the art out of programming. Computer programming is indeed an art, not a money-making scheme.
Let's keep it that way.

VERY stupid regulations

USA is hitting its own software companies with this regulations. This is good for everybody else, but it will cost the USA a LOT.

Very soon, US companies will start feeling the pressure from all over the place. For one thing, a german company (SuSe) can (and does) put things like PGP, ssh & co. in its distribution, which an US-based company (redhat, Caldera) can not and does not.

Now, adding ssh is just a matter of downloading the srpm package, compiling it and doing an RPM -i, but... Try adding ssh-agent imediately after login for all of your users in a consistent way and you will find out that this task is non-trivial. Then you have to make your PGP (or GPG) work with pine, or whatever you or any of your users use and so on. It is annoying and takes your precious time away.

It is just the same kind of shit as those I used to have with my (german) keyboard not getting properly configured, xdm coming with an completely open configuration file, and simmilar, with ONE major exception - RedHat cannot fix it in the "next version", because it is not even part of the distribution. SuSe can.

By the way, upgrading from RH-5.1 to RH-6.0 has killed my own solution to above mentioned problem of integrationg the ssh-agent in the login-process, so I had to do it again. And I hate repetitious jobs .-).
Do I see a problem for RedHat here?

It's not obscure, so why don't we push that part?

I'm suprised that people haven't been touting the "free speech" end of GPG as well as the "free beer" when it comes to crypto algorithms. Cryptography that doesn't cost anything is good, but for the truly security-conscious individual i think that we need to stress the fact that he can check the source code for shabby implementations of algorithms (none that i see in GPG) and even blatant backdoors. I've seen people use closed-source crypto products, and I wonder when someone is going to discover a backdoor that was put there by some government. Price and politics are good, but security should be the selling point of GPG.
Andrew G. Feinberg

Re:Won't Linux be pissed

Oh geezus, if that don't set him off, I can't imagine what would!

I'm not real passionate on the whole GNU/Linux controversy one way or another, but this is pretty irritating. Sheesh, they couldn't go to gnu.org and steal some of the background there instead of coming up with this boner?

Back on-topic, it is good at least to get some 'good' press about GNU and Linux and encryption out in the mainstream. The average reader won't notice or care about this misstatement, but will probably pick up on the implications of unrestricted encryption (hopefully).

Meanwhile, back at the CNN newsroom...

"Ya come up with any copy today with the word 'Linux' in it yet?"

"Well, sorta... there's this GNUpg thing, and I think its kinda about Linux, but I don't know what this GNU thing is."

"Go ask Harry, he did a story last week about RedHat and he knows all about that stuff. C'mon - we got a deadline!"

"Uh, oh... Harry?"

"Oh yeah, GNU is that thing that they started in 84, MIT, I think... yeah, right.. they're the ones who claim they invented Linux and want to make sure you call it GNU/Linux. I got yelled at a press conference once by one of their guys."

Re:Is an "easy" explanation of encryption availabl

In general, I find that "newbies" don't have a hard time understanding encryption. They understand intuitively the importance of it, and they will tend to recognise encryption is important. However, they fall for buzzwords, so many, for instance, considered Hotmail secure because "it prompts you for a password".

On the other end, you find people who distrust anything, so give up on encryption altogether. Their logic is, since "hackers" (their term, not mine! Lay off the stones!) can get into anything, there's no point in using convoluted methods to protect their information. That's the same kind of people who refused to use automatic tellers for years because no human being was handling the money.

What's important to put into the public's mind is some of the following points:

Encryption is the practice by which you make it impossible for anyone but the right people to read a message of any kind, be it a credit card number or an email message.

Cryptography is important for everyone, not just spies of military generals. Just because an information is not dangerous to you or someone else if it is revealed doesn't mean it's not private. Do you want love messages between you and your boyfriend/girlfriend/wife/husband to be read by anyone?

It's easy to apply good cryptography to almost anything, unless the nature of your data is highly secret (and we're not talking surprise party plans.) All it takes is a little extra "effort", and you can have secure messages.

No, the Government won't start spying on you because you're using encryption. Many people do it, and they're not terrorists or Russian spies.

Don't trust any company who says they use encrytion. There are two types of encryption: encryption that requires minimal effort to unravel (like tearing open an enveloppe) or encryption that requires some time and good cracking skills (like cracking a safe). If you want good encryption, look for second opinions on the Web, or from cryptography-savvy friends or colleagues.

Good encryption exists nowadays, and some encryption standards make it unlikely that your data will be exposed unless a lot of money and effort is put into it. Be wary of systems that claim they are unbreakable, but don't think your data is automatically vulnerable to any 13 year-old hacker with a modem. Yes, your data can be protected by cryptography.

Good security also means good practice. Your data will not be safe if you use simple passwords, like the name of your dog or your birthdate. Try using unpredictable passwords when you need to. If possible, use numbers and mixed case when choosing your passwords. NEVER use your name.

"There is no surer way to ruin a good discussion than to contaminate it with the facts."