
 




PGP & GPG 157

Posted by samzenpus
from the lock-it-up dept.
Ben Rothke writes "PGP (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever. It is so good and so effective that in the early 1990s the FBI launched a multi-year investigation against Phil Zimmermann, the creator of PGP, for possible violation of federal export laws, especially ITAR (International Traffic in Arms Regulations). After many years of investigation, the FBI ultimately dropped its case against Zimmermann. Even though PGP is synonymous with end-user encryption, there have only been a few books written on the subject. Jump to 2006, and PGP & GPG: Email for the Practical Paranoid is a welcome title." Read the rest of Ben's review.
PGP & GPG: Email for the Practical Paranoid
Author: Michael Lucas
Pages: 216
Publisher: No Starch Press
Rating: 8
Reviewer: Ben Rothke
ISBN: 1593270712
Summary: Pretty good overview of PGP & GPG


On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.

The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP.

The book is written for an end-user who, while comfortable with the workings of technology, is new to the sometimes strange world of public key cryptography. The author writes in an easy-to-read style and, through repetition, inculcates the principal ideas of encryption and cryptography to the reader.

The introduction and first chapter provide a good presentation of the concepts of encryption, cryptography and public-key cryptography. The idea of public-key cryptography, on which PGP is based, is not so intuitive, and many people struggle with the basic concepts. The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.

On a side note, the notion that even smart end-users can be intimidated by public key cryptography was detailed in a now seminal research paper 'Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.'

The premise of the paper is that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. The authors argue that effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software. The authors conclude that PGP 5.0 is not usable enough to provide effective security for most computer users despite its attractive graphical user interface. Even though PGP is in version 9.x, it still suffers from usability flaws.

Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' Military-grade encryption and military-grade cryptography are overused terms, most often by marketing departments, but there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified. Most people use 'military-grade encryption' to mean really strong crypto, much like those who use the term 'Olympic-size swimming pool' to refer to a really large pool. But the term 'military-grade encryption' is so misused by so many people that it is a lost cause to try to fight it.

In the rest of the book, chapters 2 - 11, the author details the varied usages of PGP & GPG. The book also details the differences between OpenPGP, PGP and GPG. The difference between them is that PGP is a commercial piece of software, GPG (GNU Privacy Guard) is open source, and OpenPGP is a protocol that defines a standard format for encrypted messages, signatures, and certificates for exchanging public keys.

The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly. Chapter 11 notes that although OpenPGP provides a reliable method of authentication and encryption, it is also not unbreakable. OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation, hardware or software compromise, fake keys and more. It is important to realize that OpenPGP provides significant, but not unbreakable security.

At 180 pages and priced at $24.95, PGP & GPG: Email for the Practical Paranoid is an excellent book that shows the end-user in an easy to read and often entertaining style just about everything they need to know to effectively and properly use PGP and OpenPGP.

For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading.


You can purchase PGP & GPG: Email for the Practical Paranoid from bn.com.

This discussion has been archived. No new comments can be posted.

  • by neonprimetime (528653) on Monday June 26, 2006 @03:10PM (#15608143) Homepage
    The first chapter, appropriately titled 'Cryptography Kindergarten' is a good read for those who are public-key cryptography challenged.

    So basically 99.9% of users online today.
    • This is currently modded funny, but I'm not sure why.

      So basically 99.9% of users online today.

      You're missing at least one 9, I figure. If there are a billion folks [more or less] online...
      1,000,000,000; 1 in 1000 would mean that 1,000,000 people online have more than a notion of how public-key cryptography works.

      I guess I could believe that there are 10K or more, but I certainly think there are fewer than 100K.
      • What level of understanding are we talking here? I understand how public/private key encryption works well enough to use it securely, and it's not that hard to grasp. I imagine a significant portion of Slashdotters understand it as well. With almost 1,000,000 accounts, if only one in ten of us got it, there's your 100K.

        Now if you mean understand as in "could create a secure public key algorithm," then OK, I see your point.

        • In my experience many /. posters think they understand cryptography but don't. (In no way do I mean to imply that you don't understand cryptography. Nor am I a master on the subject.) Many software developers don't understand cryptography either. This includes many developers coding encryption software. There is far more to good cryptography than just getting the algorithm correct. Secure cryptography requires a complete system of software, hardware, and people. Many geek types look at the software and the
          • In my experience many /. posters think they understand cryptography but don't.

            So if I were one such person, how would I know?

            To paraphrase TFA, there's no real definition of "understand cryptography" (and if there were, it would probably be classified ;-).

            So, if you were to test whether I "understand cryptography", what tests would you apply?

            I'd agree that a lot of people who think they understand cryptography could be fooling themselves. But, OTOH, it's easy to say that someone doesn't really understand.
        • What level of understanding are we talking here? I understand how public/private key encryption works well enough to use it securely, and it's not that hard to grasp. I imagine a significant portion of Slashdotters understand it as well. With almost 1,000,000 accounts, if only one in ten of us got it, there's your 100K.

          Any time we discuss the intelligence of the masses, I have to be a cynic. All one has to do is view Jay Walking on the Tonight Show to see that John Q Public is stupid. My wife recently

  • by Anonymous Coward on Monday June 26, 2006 @03:11PM (#15608162)
    (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever.

    This statement may indeed be true. And yet, 98 out of 100 people on the street would have no idea what PGP is. What does that say about software encryption programs?

    No one knows, no one cares and very few have been affected by their ignorance.
    • by Rob T Firefly (844560) on Monday June 26, 2006 @03:27PM (#15608276) Homepage Journal
      No one knows, no one cares and very few have been affected by their ignorance.
      I'm sure many, many people have been affected.. it's just that when they get their email read or their private files exploited, they're ignorant that it could possibly have been prevented. Someone who doesn't know how to lock their front door might still be affected by a burglary.
      • by sahuaro (524043) on Monday June 26, 2006 @03:52PM (#15608464) Homepage
        Mod this poster up! The inventors of public key encryption envisioned a future where encrypting email would be as common as stuffing a letter in an envelope. Phishing would be unheard of since a digital signature would prove that the mail came from who it said it did.

        The US government, of course, didn't want this future to come about and put roadblocks in place to prevent it. So, today we have phoney email scams and unencrypted personnel data that gets scattered to the winds on unsecured government and private sector computers. Encrypt your email? Why you must be doing something illegal!

        Dennisk

    • by Zarel (900479) on Monday June 26, 2006 @03:30PM (#15608296)
      And yet, 98 out of 100 people on the street would have no idea what PGP is.
      That's because nerds usually don't go out on the street. :P
    • "No one knows, no one cares and very few have been affected by their ignorance."

      So what's the problem? I always thought obscurity was a key to security...
    • (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever.

      This statement may indeed be true. And yet, 98 out of 100 people on the street would have no idea what PGP is. What does that say about software encryption programs?


      So then, what does this say about Slashdot readers?
  • by Rosco P. Coltrane (209368) on Monday June 26, 2006 @03:12PM (#15608171)
    PGP & GPG: Email for the Practical Paranoid

    title soon to become "PGP & GPG: encryption for the practical suspicious target of the homeland security dept."
    • title soon to become "PGP & GPG: encryption for the practical suspicious target of the homeland security dept."

      (Caveat: I'm the author of the book)

      I thought about such a subtitle, but the book is not just for the average person. Rich Americans can read it, too.

      ==ml

    • If you get lonely, just borrow the book from your local library. Before you can even return it, you will be "visited" by the DHS and NSA.

      And, if you are fortunate enough to have read the book before they get there, one way ticket to Gitmo! If you need to secure your email, you MUST be a terrorist. Then you can not worry about being lonely anymore, indefinitely.

      Win-Win.
  • Pretty Poor Privacy (Score:2, Interesting)

    by Anonymous Coward
    I can't say I ever found any PGP product good for any application. It was way too complicated and just not what was needed.

    Instead, I found my holy grail of encryption in Truecrypt (http://truecrypt.org), which simply has rocked for the longest time (I'm in no way associated with it). It's free, and as far as I'm concerned as far as free encryption tools go, nothing can touch it, esp if you use one of the double pass encryption methods down the list, and don't label your volumes as truecrypt volumes or keep
    • >I don't know any compgeek that uses PGP, or anyone that uses it to encrypt their mail.

      -----BEGIN PGP MESSAGE-----

      Version: PGP for Personal Privacy 6.0


    • I don't know any compgeek that uses PGP, or anyone that uses it to encrypt their mail.

      ... or any geek for that matter, probably.
    • Check out eCryptfs (Score:1, Informative)

      by Anonymous Coward
      Check out eCryptfs, which has recently been accepted upstream into the
      -mm Linux kernel:

      http://ecryptfs.sf.net/ [sf.net]

      This encrypts on a per-file basis, so that you can grab and copy the
      file from the lower filesystem (which can be pretty much anything --
      ext3, jfs, reiserfs, nfs...) without even having to mess with all that
      partitioning stuff.

      It's a great cryptographic filesystem now with just passphrase
      support. It looks like they're going to be done with the public key
      subsystem (with pluggable PKI support) before to
    • You're right - neither you nor I know anyone that openly encrypts all their mail, however that doesn't mean PGP/GPG is useless...

      Personally, if I have some data I want secured and backed up, I use duplicity, and that backs up and encrypts the data using GPG. If I want to save a note for myself somewhere, I email it to myself, encrypted. The VAST majority of my email is GPG signed so that recipients know that the mail came from me.

      It's really useful in the geek community. Trust me, have a play - it's a great
    • by QCompson (675963)
      Apples, oranges, pears, and bananas here people. Truecrypt is a fantastic program, but how in the world would it be easier to:

      encrypt your data in a small volume and attach it as a file to who you want to send it to...

      How would they know the passphrase to open your attachment? That's the whole point of the public/private key system.
    • -----BEGIN PGP MESSAGE-----
      Version: GnuPG v1.2.3 (GNU/Linux)

    • "I can't say I ever found any PGP product good for any application. It was way too complicated and just not what was needed."

      PGP is big in the secure file transfer worlds of banking, insurance and the like. It's quite common to "PGP" a file and then send it via FTP or SSH.

      Someone else mentioned S/MIME encryption. I have two things to say about that:

      #1: An analogy: PGP is to S/MIME as SSH is to SSL. The first technologies are designed for individuals to each trust each other; the latter technologies

    • Skip Truecrypt, encrypt your data in a small volume and attach it as a file to who you want to send it to... in fact, encrypt whole harddrives or create files that can be mounted as virtual harddrives.

      Except that using TC doesn't solve your problem of how to transmit the passphrase in a secure manner. (Using TC as a file-transfer medium is no different than using encrypted ZIP files or self-encrypted RAR files, except that TC probably has fewer security holes... maybe. Although TC-encrypted disks do ma
  • by ettlz (639203) on Monday June 26, 2006 @03:25PM (#15608261) Journal
    There's a Public Key field in the User Preferences page on Slashdot, but does anyone know where you go to pick up other users' keys?
    • Public Key field in the User Preferences page on Slashdot

      To be honest, this field reminds me of a common situation I run into when developing ... Management supplies the ABSOLUTE MUST-HAVE fields to be put into the SQL backend ... and so I develop the website with that field ... and then they never use it.

      I have never seen this used on Slashdot ... and it's not mentioned in the FAQ that I could see.
    • >does anyone know where you go to pick up other users' keys?

      There are many public keyservers to search. PGP will automatically search them for unknown keys, if so configured.

  • by DarthStrydre (685032) on Monday June 26, 2006 @03:26PM (#15608271)
    "Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' ... there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified."

    Ahem, reference http://www.nsa.gov/ia/industry/crypto_suite_b.cfm [nsa.gov]

    While Suite A is classified, Suite B, specifically AES, is specifically mentioned as being suitable for up to TOP SECRET info.

    Military grade is not a useless term, as it is therein defined.

    HOO-AH!
    • It's not really the crypto algorithm that makes military grade crypto "military grade". It's how they implement key exchange and management.
  • one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.

    Yeah, I've noticed this on most IT books. And I'm not one of those people "who want an ISBN". I don't think those people even read the books...
    I wonder if there is a book called "Linux man pages explained - with complete printouts"...

  • The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly.

    OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation...

    So one is vulnerable from poor implementation and the other provides really strong security? Hardware or software compromise is a flaw of only OpenPGP? Seems like a slightly tilted comparison.

  • by Anonymous Coward
    The failure of secure email to proliferate has nothing to do with PGP's usability issues. 99% of email users already have S/MIME integrated into their mail readers as a standard feature - very usable and secure, yet almost universally unused. It's not about the user interface, it's about perceived need (or lack thereof).
  • S/MIME (Score:5, Interesting)

    by Lord Ender (156273) on Monday June 26, 2006 @03:37PM (#15608350) Homepage
    When people say "X.509" when talking about email security, what they mean is S/MIME. It is pretty clear S/MIME is going to win the battle to be the most common form of email security on the Internet. It has built-in support on Outlook, Thunderbird, hell--even mutt.

    If people CHOOSE to trust a PKI, S/MIME works WAY better than PGP because key distribution is much easier. If they don't want to do a PKI, they can still trust individual certificates, just like PGP. They can verify certificates by reading thumbprints over the phone, if they like.

    Basically, S/MIME can do everything PGP/MIME can do except the "web of trust." And WoT is just WAY too much work for 99.9% of the population. PGP will eventually vanish.
    • I agree. S/MIME, because of the relatively full-featured certificate services bundled with Windows Server 2003, and the ability to manage certificates with Active Directory, appears to have much more institutional momentum than PGP, and that will, I think, ultimately make the difference.
    • Re:S/MIME (Score:3, Insightful)

      by Betabug (58015)
      > It is pretty clear S/MIME is going to win the battle to be the most
      > common form of email security on the Internet.

      If this is going to happen then S/MIME has yet some way to go first. Reality is that I see S/MIME only ever "used" by corporate minions. I put quote marks around "used", because I have yet to receive anything more than a signed mail. On the other hand there are ISPs and domain registrars who work with PGP - you can give them your public key and do business like that.

      Have you noticed how
    • Here's [infoworld.com] an example of how S/MIME certificates can be easily spoofed, and how both Outlook and Apple's Mail.app happily accept them as valid. Want more trustworthy certs? Expect to pay out the nose.

      • That is not a flaw in S/MIME.

        And as I said, everyone has a choice as to which PKIs they trust. Nobody is forcing you to trust the Thawte Freemail CA.
    • x.509 has a useful niche. PGP has a useful niche. I believe you are confusing tools.

      I admin a PKI system inside the company I work for and it's the bee's knees. I add public keys to the keychain. If you aren't on the keychain, then you won't have access to some things on the LAN. Simple, discreet control.

      Let me be clear: There is a way around *every* security system. Running PGP/PKI systems meaningfully raises the bar.

      Declaring x.509 "the winner" sounds like you have a very serious investment in its su
      • "The right tool for the job" argument would lead to everyone being buried in billions of tools. I think email security is one of those areas where people don't want multiple tools, and will eventually settle on one for the vast majority of uses. Nobody can predict the future, so you can falsely accuse me of having a vested interest and claim that the people really want multiple tools if you want... but I think you'll be proven wrong in the long run.

        There is 1 SMTP. There is one SSL. There is one HTTP. Ther
    • Can an X.509 key be signed by more than one CA? If not, then it doesn't even approach pgp's usefulness.
  • Outlook plugin? (Score:3, Insightful)

    by haeger (85819) on Monday June 26, 2006 @03:39PM (#15608361)
    I've been looking at different plugins for gpg but haven't found anything that's quite what I want. The best one I've found is something that uses the clipboard for encryption/decryption. Works OK for someone who doesn't mind a little work.
    What I'd like to see is an Outlook plugin (or OExpress) that does the following. (Please note that I wrote O/OE because they are the major players)

    * GPG included to make it easy for the user. Just one install for the whole package.
    * Automatically create keypair during installation
    * Default option to keep passphrase cached (not safe, yes I know, I know)
    * Automatically decrypt/sigcheck all incoming emails
    * Automatically encrypt/sign all outgoing mails.
    * Attach the pubkey to all outgoing mails where the address isn't in my keyring.
    * Automatically (just ask for password confirmation or something) addition of incoming pubkeys to my keyring.
    * GPL :-)
    * The people who got the pubkey would also get a link to where to download the plugin.

    I'm sure someone can expand this list quite a bit and I'm sure I forgot half of what I wanted to put on that list, but it's a start anyway.

    Anyone care to write such a plugin? Or is there one already that I don't know of?
    I do think that if there was something to that effect that you would see a spike in encrypted emails going across the globe.
    I used to encrypt/sign everything but since I was the only one using pgp/gpg it was kind of pointless.

    .haeger

    • Re:Outlook plugin? (Score:3, Informative)

      by Fnkmaster (89084)
      Well, it doesn't do absolutely everything on your list but it's a pretty good start: http://www.gpg4win.org/ [gpg4win.org].

      It does the first two, and the third - it does cache passphrases for short periods of time. I don't know off the top of my head how to change the cache duration, but there should be a config option somewhere.
      Sending encrypted or signed email is just a matter of two toggles in a toolbar on every email - you should be able to change a setting somewhere so they always default to on (right now they defa
  • Just the other day I saw the following on the website of an author selling her own book directly:

    Emailing Credit Card Numbers To email your credit card number, we suggest sending two emails. The first email should contain half of the credit card number and expiration date: 1234 5678 XXXX XXXX exp date: 07/XX The second email should contain the other half of the credit card number and expiration date. XXXX XXXX 3141 5926 exp date: XX/05

    Sigh...

    • by smoker2 (750216) on Monday June 26, 2006 @04:27PM (#15608776) Homepage Journal
      Add to that the number of web sites using an aging perl shopping cart system whereby half the credit card number is immediately emailed to the admin and the rest is stored as plain text on the server. Also the web sites who claim that your numbers are perfectly safe as they are using 128 bit encryption and the data is not decrypted until it reaches their [colocated, probably virtual] server. I had an argument with some previous employers when they insisted on calling their colocated RAQ3 a "secure server". I pointed out that they had never even seen the facility that it was housed in, and the private data was freely accessible using telnet, because it wasn't encrypted once ssl had done with it.

      Just as an example, I set up a shopping cart of the type I mentioned and they thought it was the mutts nutz until I showed them that I was receiving both parts of the credit card numbers by email at a private email account. Even then I don't think they thought it was a problem. I left shortly afterwards.

      I wonder who's harvesting those numbers now...

      BTW, I deleted that shopping cart, so I am not guilty of abusing the system. It was done to prove a point. [slashdot.org]

    • Any snooping done is most likely going to be automatic, and this ensures naive snooping won't work. As long as this is not in widespread use it's going to be much more secure than not doing it, and it's relatively easy to do and non-obtrusive.

      All-in-all, I think it's a practical down-to-earth simple solution. Seriously, don't laugh just because it's not technical enough for you. So while you're busy being a tech-snob, the world will be busy getting stuff done. This works; for now.

    • that's pretty secure compared to this site

      http://www.rncca.com/ [rncca.com]

      why they have a password is beyond me when they list the password on the site?
      • Haha, and if you click cancel, you still get directed to the page.
        • [http://www.rncca.com/ [rncca.com]] Haha, and if you click cancel, you still get directed to the page.

          Funny indeed. The password check is a piece of JavaScript on the page. It seems that they used to accept three different passwords and the code that they use to check the password has rotted. Witness the following:

          var password;
          var pass1="rncca";
          password=prompt('Please enter the password rncca below!',' ');
          if (password==pass1 || password==pass2 || password==pass3)
            alert('Password Correct! Click OK

          • I went there and saw where it tells you the password on the page, but had no clue when and where I was supposed to provide the password, nor what it was for. I clicked the link, and saw the list.

            Then I read this post, and realized there's supposed to be a Javascript password check. But of course I don't see it, because I have Javascript turned off! :)
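The failure mode in the JavaScript password check quoted above, modelled in Node.js as an added example (not code from the site or from the post), next to a server-side check that denies by default. It assumes pass2 and pass3 are declared nowhere else on the page and that a reject branch, if reached, would navigate away; quotedGate, loadPage and serveMemberList are hypothetical names and the server-side secret is constructed.

```javascript
const nodeCrypto = require('node:crypto');

// --- 1. The client-side gate as quoted in the comment --------------------
// Only pass1 is declared; pass2 and pass3 are not (assumption: they are not
// declared anywhere else on the page). promptFn stands in for window.prompt.
function quotedGate(promptFn) {
  var password;
  var pass1 = 'rncca';
  password = promptFn('Please enter the password rncca below!', ' ');
  // If the first comparison is false, evaluating pass2 throws ReferenceError,
  // so the reject branch below can never be reached.
  if (password == pass1 || password == pass2 || password == pass3) {
    return 'accepted';
  }
  return 'rejected';
}

// A browser reports an uncaught script error and keeps rendering the
// document. With scripting disabled the gate does not run at all.
function loadPage(promptFn, scriptsEnabled) {
  const result = { gate: 'not run', contentShown: false };
  if (scriptsEnabled) {
    try {
      result.gate = quotedGate(promptFn);
    } catch (err) {
      result.gate = err.name; // the script stops here, the page does not
    }
  }
  // Assumption: only a completed reject branch would send the visitor away.
  result.contentShown = result.gate !== 'rejected';
  return result;
}

// --- 2. Server-side check, default deny ----------------------------------
// The secret never reaches the client; the server keeps a salted scrypt
// digest. Salt and secret are constructed demo values.
const SALT = Buffer.from('constructed-demo-salt');
const STORED = nodeCrypto.scryptSync('constructed-demo-secret', SALT, 32);

function serveMemberList(submitted) {
  let authorised = false; // deny unless the check positively succeeds
  try {
    if (typeof submitted === 'string') {
      const candidate = nodeCrypto.scryptSync(submitted, SALT, 32);
      authorised = nodeCrypto.timingSafeEqual(candidate, STORED);
    }
  } catch (err) {
    authorised = false; // an error in the check keeps the door shut
  }
  // The protected body is only placed in the response after authorisation.
  return authorised
    ? { status: 200, body: 'member list' }
    : { status: 401, body: '' };
}
```

In the first half every path except a completed reject ends with the content on screen; in the second half every path except a successful comparison ends with a 401 and an empty body.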

  • The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number.

    So a large class of people prefer to read, what, barcodes??

  • by paulproteus (112149) <slashdot&asheesh,org> on Monday June 26, 2006 @04:27PM (#15608779) Homepage
    For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading.
    I want to save money, but I hate trees. What do you suggest I do?
  • For those who are curious: "The dimensions of an Olympic pool are required to be 25 metres by 50 metres." http://www.faqfarm.com/Q/What_are_the_dimensions_of_an_Olympic-sized_swimming_pool [faqfarm.com] I am still looking for the definition of 'military-grade encryption'.
  • When I first read the title I hoped the ability for these systems to communicate correctly was what was being addressed. I've been working with a bank for weeks now trying to get things I encrypt with GPG to be decryptable by their PGP "Universal Server" product. They can install PGP Desktop on a PC and decrypt my messages just fine. They have this larger/fancier package that decrypts upstream of their Exchange server and internally passes on the unencrypted emails to their folks. It also has a webmail (htt
  • Uncanny timing on this article for me -- I just this morning set up both PGP and GPG clients on my Windows machine. I found some inspiration in this tutorial on PGP:

    http://www.haltabuse.org/pgp/win/index.shtml [haltabuse.org]

    The tutorial talks about version 7 or 8 of the software when it was still freeware. Version 9 it appears still offers the basic functionality for free, but I have to admit that I was a bit put off by the fact that it's presented as a 30 day trial with a EULA that includes passages like this:

    You hereb
  • I have to say, I don't personally use them, but I think the hushmail.com people really do crypto right. First, it is (now) genuine OpenPGP encrypted email, i.e. as standard as standard gets. And for people who aren't experts, there's really no key exchange to work out. If you both use hushmail.com, you can sign/encrypt your messages and the site takes care of hooking you up.

    I'm all for traditional fingerprint checking and GPG keysigning parties, and yes I even got RMS to sign my key for cool factor. But
