Comment I did and didn't (Score 2) 734

I am an American citizen. I have had seven children; my children have five mothers. Two in America, one in Thailand (died), four Thais still alive.

I prefer my children to be Thai. Indeed, if it were possible, I would give up my American citizenship and become a Thai citizen myself.

IANAL, but ... You make the normal mistake that any kid of yours is an American citizen at birth. I disagree. AFAIK only YOU can get your kid an American passport. Uncle Sam, in all his egocentric power, cannot force him to be a US citizen. The USA passes laws that regulate the behavior of U.S. citizens even when they live overseas. For example, sex with a girl under 18 is a federal felony. What the hell will that mean when my son is 14 years old and discovers 15 year old girls? My bank refuses to open accounts for US citizens because of IRS regulations, how is that going to affect my offspring?

After our divorce, my ex-wife asked me to get our son a US passport, so I did. He's in Australia right now.

As a practical matter, a boy is not a US citizen unless the US government knows about him. If a boy is eligible for dual citizenship, I have heard that he must decide on one or the other before he's 18. My son is now 7; I figure he's got another 10 years to go before he has to make his own choice. Then it's up to him. Until then, let Uncle Sam ignore my son.

Andy Canfield (www.andycanfield.com)

Comment e-mail, not phone (Score 1) 230

I would e-mail, not telephone. Phone calls are too short and simplified.

Before you hit Send, trace through an exact example and describe every step in the e-mail message. I expect that the Customer Service Representative won't understand it. But with an e-mail he can forward it to somebody who will understand the security flaw.

That's what I would do.

Comment Re:I use GnuPG (Score 1) 309

Uhm, this story is about the fact that no one uses PGP, which means your correspondent on the other end of the wire probably can't use it. Paying attention to the world around you might be helpful.

Sorry, the way I read it was "PGP has a bad user interface". Nothing in the original post tells me about anything that has a better user interface. Moxie Marlinspike hates to get PGP-encrypted e-mail because the GNU implementation is hard to use (OK, arguably true). I use Thunderbird with Enigmail. I can agree that Enigmail could be better. The one option I'd like to have is "If there is no encryption key in my list, what should I do? [A: ask, B: ask a keyserver, C: don't encrypt]".

your correspondent on the other end of the wire probably can't use it.

I only send encrypted e-mail to correspondents for whom I already have their encryption key, so I know they can use it. You want encryption that any dumb Windows secretary can use, that's a whole 'nother ball game.

Comment Re:I use GnuPG (Score 1) 309

... and so is your website, which is trivial to just MITM, making your PGP key less useful than S/MIME from the instant you started using it, and harder to use for everyone else as well.

MITM = Man In The Middle? Not likely. There are several other web sites on that server; you get one or another depending on what DNS name you use. Subverting the name requires subverting the DNS system, and I'm on 8.8.8.8 (Google's DNS server). Subverting the IP address will bring down other companies' production sites. And of course MITM requires a man *IN*THE*MIDDLE*, and you have no idea where the cables are.

Uhm, this story is about the fact that no one uses PGP, which means your correspondent on the other end of the wire probably can't use it. Paying attention to the world around you might be helpful.

I use PGP to correspond with two people. I told them about this exchange. One answered "Well, I'd certainly be happy if he create a better alternative. Until then, I'm using what works." If you've got a better tool for end-to-end e-mail encryption, tell me about it. Maybe nobody uses PGP, but I know of no alternative. And I don't care if you use PGP or not; send me your key and I'll use it, otherwise you get plain text like everybody else. I got enough work solving my own problems without solving the world's problems too.

Hey, gang, let me add a data point here. This discussion has been going on for a day or so on Slashdot. During that entire time my web site URL has been in the comments. The web site includes my e-mail address. During that time NOBODY has sent me any e-mail related to this discussion. Nobody said "Hello", nobody said "Here is my PGP public key", nobody said "Andy you're a dumb-ass." (well, here, yes, but not in an e-mail).

Comment Uninteresting (Score 2) 89

The article misses one partial solution: be uninteresting. I've got a bank account in a non-US bank. It's got several hundred dollars in it. Nobody's going to bother to steal that. I've got a password I use all over the Internet, including Slashdot, but you can't do anything with it but post stupid comments. My bank password was a different one. I look just like a million other Americans living overseas, and that is my ultimate protection. Of course, the cheaper hard disks get, the more data the NSA can store, so the protection is only partial. But for now it is a factor. Of 200 million Americans, how many are worth tracking?

Comment File transfer from old PC (Score 1) 466

I'd make sure to use zip; as I recall unzip has an automatic check on the format of the input. So if you copy W to X and X to Y it might come out wrong, but if you zip W to X.zip and try to unzip X.zip onto anything, it will warn you if there was some loss of bits in the intermediate medium X.

A fall-back solution: e-mail the (zip) files to yourself. Of course this assumes an internet connection on the old machine, but even an old dial-up modem can be used. This is how I get pictures off my (new) Android phone. If you've got an RS-232 socket on the old machine you can hook both machines to a LAN router and transfer the files faster. Again, though, in all cases, use zip to provide confirmation of contents.
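The check the comment relies on is the per-member CRC-32 that every zip archive carries. As an added example (not from the original post), this builds a small archive in memory with Python's standard zipfile module, flips one bit of a stored member to stand in for bit loss on the intermediate medium, and shows testzip() naming the damaged member; the sample file contents are constructed.

```python
import io
import zipfile

# Constructed sample files standing in for the data moved off the old PC.
FILES = {
    "notes.txt": b"quarterly notes, constructed sample data\n",
    "photo.bin": bytes(range(256)) * 4,
}


def build_zip(files, method=zipfile.ZIP_STORED):
    """Pack {name: bytes} into an in-memory zip. Every member gets a CRC-32
    in its header regardless of the compression method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def flip_bit(blob, offset):
    """Return a copy of blob with one bit flipped at offset: stands in for
    a bad sector or a dropped bit on the intermediate medium."""
    data = bytearray(blob)
    data[offset] ^= 0x01
    return bytes(data)


def check_zip(blob):
    """Mirror what 'unzip -t' does: read every member and compare the
    computed CRC-32 with the stored one. Returns None when all members
    verify, the first bad member's name on a CRC mismatch, or a marker
    string when the archive structure itself is unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.testzip()
    except zipfile.BadZipFile:
        return "<archive structure damaged>"


def demo():
    good = build_zip(FILES)
    # With ZIP_STORED the member bytes appear verbatim, so locating the
    # payload in the blob gives the offset of the data to damage.
    offset = good.index(FILES["notes.txt"])
    bad = flip_bit(good, offset)
    return check_zip(good), check_zip(bad)


if __name__ == "__main__":
    print(demo())  # (None, 'notes.txt')
```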

Comment Identity theft? (Score 1) 311

I don't use Reddit, but - how the H* is Reddit going to judge, evaluate, or confirm the permission? I can post a picture of Julie Smathers naked. Is Reddit going to contact every person in the world named "Julie Smathers" to see if any of them gave their permission? And even if they did, how can they tell if she's the one in the picture? Or do I have to send an e-mail with an attached signed autographed copy of the photo? This seems like a "call the cops" theory gone wacko.

Comment Re:I use GnuPG (Score 1) 309

Thing is, there is a mechanism to make doing it this way trustworthy. By opting out of that mechanism, you put the burden onto everyone else for no reason. The result is that you remove your key from the set able to be considered trustworthy without effort.

I never opted out of it. I simply never opted into it. I don't think the mechanism is trustworthy because it is under the control of organizations which are not under my control. I have not put any burden onto anyone else; you can still go to http://www.andycanfield.com./

I "remove my key from the set able to be considered trustworthy without effort."? Again, I did not remove my key; I just never put it in. To me, the Internet is not trustworthy. None of it is. Any trust is an illusion. And "without effort"? You mean like Windows?

Comment Re:I use GnuPG (Score 1) 309

It feels like you either have a misunderstanding of how the WoT is supposed to work that leads you to false conclusions on how best to use it... only succeeding in making it too annoying for other people to be bothered working with it.

You come very close to saying that you want the Internet to be automatic and trustworthy. Pick one or the other; both are not possible today.

Comment Re:I use GnuPG (Score 1) 309

You can retain a copy of my public key on your computer. Then you can trust any signed message from me to be from the same source as the previous signed message from me.

Someone could make a key with the same details, get it to me somehow, and I would have no choice but to accept it

"get it to me somehow, and I would have no choice but to accept it"? You allow random strangers to update your hard disk? I don't.

Comment Re:I use GnuPG (Score 1) 309

It is not on any "KeyServer"

I correct myself. The truth is that as far as I can recall I have never put it on any keyserver. What other people may have spidered and copied I can not control. I was under the impression that KeyServers were voluntary. I guess they're just a newer kind of insecurity.

Actually I've had two keys. A year or two ago I lost my private key and had to create a new key pair. I don't know whether the keyserver you listed has the old one or the new one. I hated to do that; my old PGP key pair predated the Internet. How did I distribute it? By hand.

The new one has more bits. I guess that the number of bits you need in your key depends on how powerful computers are; I think my first key had only 256 bits which was safe from cracking back in 1992. Maybe we'll have to change all our keys every few years.

Later, you say "and the public key you get from my web site should confirm the signature."

In my defense I said "confirm the signature", not "prove the signature". The public key on my web site confirms the source of the message matches the site, but it does not 'prove' anything.

Proof? Don't make me laugh. A few years ago I lost my passport and had to go to the U.S. Consulate in Vientiane to get a new one, so even my passport can be doubted. You could ask my mother or father to vouch for my name, but they're dead. If you want fun, search for "Andy Canfield" on Facebook; there are maybe a hundred of us scattered all over the planet.

But I can't trust your site, because it's not HTTPS (which isn't perfect, but is better.) You can get free SSL certs.

I will look into that; I could not get a free cert when I studied HTTPS a few years ago.

And I can't trust your key because it's not in the web of trust.

You could say that I have my own 'web of trust' which are people who have personally met me. You want to join? If you ever come to Thailand say "Hello".

I could never trust any signed message to actually be for you, and I can't trust the information I have to encrypt something to you.

Wrong. You can retain a copy of my public key on your computer. Then you can trust any signed message from me to be from the same source as the previous signed message from me. Who is "me" is an unanswerable issue. You can use my public key to encrypt something to me, and be confident that only the guy with "my" private key can decode it. But once again, who is "me" is an unanswerable issue.

Thinking about it, I suggest the most confidence you can get is by sending me an e-mail arranging for a Skype call. Then in real time you can see my face, hear my voice, and I can show you my passport. But I don't run Skype all the time.

Comment Re:I use GnuPG (Score 1) 309

Even if the message was legit how can I know my routing or DNS isn't be tampered with? How do I verify andycanfield.com is really yours?

You can try setting your DNS server IP address to 8.8.8.8. That's Google's dedicated DNS server. Whatever Google says is by definition true.
