Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
GNU is Not Unix

CNN On Story on GnuPG 1.0 189

Dan Schleifer writes "Good to see that main-stream media has picked up on the release of GnuPG 1.0, and run a story on it. This is an especially GoodThing(tm) as, it's not just free software, but free encryption software that says: 'Haha, you silly little export regulations...' " Several nitpicky errors that I'm most of you will notice, but all in all great to seen the mainstream reporting on this, and starting to hit the issue of privacy exportation, if only skimming the surface.
This discussion has been archived. No new comments can be posted.

CNN On Story on GnuPG 1.0

Comments Filter:
  • I'm sick of the Net community pretending that the world isn't made of of governments that represent (for better or worse) local people all over the world. This is a perfect example of the technical arrogance of the Net community thinking they have an electronic battering ram and can just shut down due process and the rule of government.

    Look for the wire cutters in the near future. It's not "for the children," it's for a 4000 year old legacy of ethical behavior that can't just be switched off because someone thinks they have a keeno electronic gizmo to replace it with.
  • by Anonymous Coward
    Hopefully this will help show the legislature the folly of these export restrictions.[...]God knows the legislature doesn't act on real issues, but if we can make this a PR issue, then things might actually change.

    Can we relate it to "the children" in some way?

  • by Anonymous Coward
    15 minutes, 37 seconds by my watch. And they say cops are slow....
  • by Anonymous Coward

    Yes, there has been at least one case where someone left the US to work on encryption. Vince Cate renounced his US citizenship [] and moved to Anguilla.

    (I think this was a Slashdot story a while back, but it's much faster if I don't have to search the /. archives....)

  • by Anonymous Coward
    Doesn't this kind of contradict what the FSF is all about? RMS has the goal of creating a better society. In such a society, people wouldn't need to hide things from each other. I know that, for quite some time, RMS refused to use a password on his account at MIT. How does GnuPG fit in in terms of helping the FSF achieve it's goals? Or is just the fact that it's the first free encryption program enough to make it worthy of being part of the GNU system.
  • by Anonymous Coward
    from keygen.c:

    else if( nbits > 4096 ) {
    /* It is ridiculous and an annoyance to use larger key sizes!
    * GnuPG can handle much larger sizes; but it takes an eternity
    * to create such a key (but less than the time the Sirius
    * Computer Corporation needs to process one of the usual
    * complaints) and {de,en}cryption although needs some time.
    * So, before you complain about this limitation, I suggest that
    * you start a discussion with Marvin about this theme and then
    * do whatever you want. */
    tty_printf(_("keysize too large; %d is largest value allowed.\n"),

  • by Anonymous Coward
    Except for the fact that the GNU project was not founded to create Linux, now was Linux created by it.
  • Hmm.. looks promising... Although I don't particularly care for XForms...

    Of course, I'm using Netscape Mail right now, so I bet pretty much anything would be an improvement.. ;-)

    I read somewhere that you can build plugins for Netscape mail in Java... anyone know anything about this?
  • Well, last time I installed the s-utils, one of them was sftp. (I could never get that one to work, though.) mjt
  • OK, so explain why Outlook can plug into PGP (at least, Outlook 97...haven't used anything later than that).

  • Not just CNN. CNet, Ziff-Davis, CMP (InfoWorld) and Wired are all apparently reading /., as are some of the more esoteric trade rags.

  • Sure, if by 'big enough' you include all the matter in the known universe to build it. Better go reread Applied Cryptography.

  • Can't do it. The laws say that not only can't you have encryption, you can't even have any hooks that can be used for encryption.

    So you have generic hooks. A hook to apply some plug-in to a mail message before it is sent. Your standard distribution contains plug-ins to pass your mail through a spell-checker, grammar-checker, whatever, and you leave those sneaky for'ners to come up with a GPG plug-in. Easy!

  • mostly functional..?
  • There is also "lsh."

  • This comment isn't really related to the story, but it is related to encryption and the reasons people use it. I see at least once per encryption-related discussion the envelope / encryption analogy. It goes like, "you don't write letters on a postcard, you use an envelope so people don't read your correspondence. Likewise you should use encryption so people don't read your e-mail."

    Actually, I put my letters in envelopes for reasons completely unrelated to security--I don't want them being soiled or becoming illegible because of moisture, etc. The envelope is simply protection from accidental damage.

    An envelope will not keep other people from reading my postal mail! Have you ever tried opening one of those things? I open dozens a week, and I've become so good with them that it takes me hardly a second to get one open.

  • I wonder what would happen to its export status if the maintainers received and applied even one bug fix or ehancement derived from a USofA based reviewer/user.

    First of all, GPG can be legally exported from its home, Germany, into any country, including the US. It cannot be re-exported from the US. It can never be put on a US FTP server, for example.

    Now if the program gets contaminated with a US-written patch, nothing changes. It is still legally exportable from Germany. The writer of the patch may be thrown in jail as an illegal arms dealer, but I wouldn't bet on it.


  • If you used the most flexible mua in the world, namely mh, then you could easily write a simple script that would add seamless support for gpg, such as I did one afternoon.

    No, you must use your monolithic mua which makes it hard to add features. Otherwise, you're too lazy to hack the source to add the feature yourself.

  • Mutt has extremely good support for pgp, pgp5, and gpg.

  • They might read it, but I'm not sure about the polish.. :)

  • Given current factoring technology, no. I don't have the numbers handy, but they're super-astronomical -- imagine computers the size of atoms, each testing one key in the time it takes light to cross said atom, communicating via ansible (instantly), packed bumper-to-bumper, filling up a sphere with the radius of one of the planet's orbits. This structure would take a few billion years to do this crack. (Source: sci.crypt, with numbers.)

    Unless you're talking about just the weakest level, of course. But that's no challenge -- it's already been done, although for RSA rather than ElGamal.

  • First, let me weasel out of this by noting that I was talking about Beowulf, not technology in general :-).

    However, quantum computing is NOT just a way to make more powerful computers; it's a completely different way of working, and to my understanding, although it's solved the factoring problem (or at least there's an algorithm for it), that doesn't mean that it's solved the discrete log problem used in ElGamal.

    Solving the DL problem would also solve the factoring problem, but not the other way around.

    Now, one thing I don't know: have they solved the DL problem using quantum computing? I have no idea.

  • What makes you think that would improve anything? The majority of people don't have a clue about security or even democracy. Thier opinion is less than worthless.

    I'm glad we don't have a democracy -- and I hope we never move any closer to one than we are. Democracy makes the fatally flawed assumption that the will of the masses outweighs the rights of any.

  • mutt is a text-mode editor which integrates VERY well with GPG and PGP.

  • I seem to recall a major crypto company moving to Australia.

  • You can have encryption in software, and you can also have hooks in place to be used for encryption. You just can't export these versions. It would be nice if Mozilla had a convienent hook built into it's email application that GnuPG could take advantage of.
    It's not entirely sucksville if you live in the US. But most of it is still sucksville.
    Joseph Elwell.
  • I'd encrypt / sign all my mail if it were easier... I guess I'm way too lazy to type a message, run it through GNUpg, then replace the text in the email all by hand... I've seen some decent apps for Win32 that do nice things (e.g. adding a right click option on text to do PGP encryption / signing)...

    AFAIK, mutt [] has gpg integration. Dunno exactly how it works, but I'm told it's there. At least that's what somebody told me the last time he tried to convert me from pine. :P

  • This is a perfect example of GNU and the open source community. We provide free alternatives to commercial products that are available, and as an added bonus, it has no export restrictions!

    Clarification: It has no export restrictions because it was developed outside the United States, NOT because it is open-sourced.
  • Well, isn't the Wassenaar restriction avoided because it's free (beer)? I _suppose_ you could do a binary implementation and give it away for free...

    PGP is free. They gave the source out. Still do for the old (2.6.2 and older) versions. Dunno what effect the RSAREF licensing has on that, though.
  • I've seen people use closed-source crypto products, and I wonder when someone is going to discover a backdoor that was put there by some government.

    Somebody already did. []
  • >Actually, a lot of people do write letters on
    You misspelled "idiots".

    >They don't have any illusion that what they write
    >is secret, of course.
    >Most people don't write that many secret
    That is a meaningless argument. What if those
    messages that *are* encrypted *must* be encrypted?
    What if it's a patient discussing an AIDS
    treatment with their doctor, or a manager
    dicsussing a classified manufacturing method with
    his or her employees? You may not need to use
    encryption much, but when you do, you *really*
    need it.

    >Guess what? If you use encryption, you're likely
    >to be watched. Those of us who don't (most of us)
    >will be less watched.
    Being watched doesn't bother me. What important to
    me is that casual observers not read *my* private
    email. I like my privacy. My god! I must be a
    terrorist or a child pornographer or a communist
    or something!

    >Wave that red flag, boys. Wave that red flag.
    Keep writing on postcards, boys. Keep writing on postcards.
  • Well, isn't the Wassenaar restriction avoided because it's free (beer)? I _suppose_ you could do a binary implementation and give it away for free...
  • Unfortunately, the US export regulations *do* work.

    I'm in Europe, using the insecure ('export-grade') version of IE5. At other times, I use insecure Netscape 4.61. So does everybody else - very few people can be bothered to hand-edit the Netscape binary to enable encryption. Heck, most users don't even understand what key length is.

    The export regulations make it inconvienient for most users to get strong crypto. And if something is inconvienient, most people won't use it. The laws may not stop those who know what they are doing, and are prepared to take security seriously, but there are still lots of easily-tappable, interesting communications out there.
  • Recently I was asked how to use PGP to encrypt mail from a form on a business so that no one could see it as it traveled between the web-hosting business and the actual owner of the site.

    I mentioned the (then upcoming) command-line version of PGP, but also GNUPG.

    S/MIME has a good architecture, but the business versions of PGP also have good key management on other features intended for business users.

    And as far as "real world" use, S/MIME is new and has announced support from vendors, but on the Internet "email encryption" and "PGP" are all but synonymous. Recent versions of PGP integrate well with the most popular Windows mail clients (except Netscape Messenger). It also features clipboard integration with any other text-processing application.
  • Can't do it. The laws say that not only can't you have encryption, you can't even have any hooks that can be used for encryption.

    Yes, I know this is stupid, but there's no way a company is going to do this, when the very thing it wants is to remove the encryption restriction altogether. Its simple politics...

    And if you think this sucks, welcome to the real world... This isn't software, its not logical, its life...
  • how can a kernel for an OS get pissed off at anything?

    You big goober! You missed the joke completely. Gonwyn deliberately misused 'Linux' in place of 'Linus.'

    A host is a host from coast to coast...

  • Oops... sorry georgeha.

    A host is a host from coast to coast...
  • Gnus (which has more features than many people would know what to do with) supports GNUpg (as well as PGP) using mailcrypt.
  • Exported from where?
    The USA is not the only country in the world. If GNUpg is integrated outside of the USA (or other country with crypto export regulations) then it just needs to be imported into those countries, not exported from them. So only import regulations need be a problem, not export ones.
  • I'm also in Europe, but i have strong crypto! When using netscape i rely on Fortify []. This is a fully automated patch, just type install (or whatever) a few stupid questions, and voila... then you can repackage it and even distribute... When using IE, then there are strong versions on [] (Even a 128 bit WinCE IE is downloadable here).
  • You would be fine as long as the patch was pseudo-code. (I wonder if you could call something pseudo-code if it could not be read by the compiler directly...) That makes it a pain for the maintainer, but... it's fairly minimal.
  • least not until we get something like "ncscp" or something, or even an equivalent of the ftp program. It'd be nice if it had an interactive mode.
  • Can't do it. The laws say that not only can't you have encryption, you can't even have any hooks that can be used for encryption.

    Any computer has "hooks" that can be used for this purpose, and therefore should be illegal to export. Consider that you can take an email program, and patch in encryption hooks with a debugger if you have to. That means the program has hooks in it because it has places where you can patch in the encryption code.

    Ok, now that we can see how silly and unenforceable the "no hooks" policy is (as long as you don't put in hooks that are specifically for encryption everything should be allright), lets consider how our encryption program could hook itself into mozilla. Hmm, remember, Mozilla is all held together with scripty-goo, and consists to a large extend of dynamically loaded modules. There's a way, for sure, and even an elegant way that fits nicely with the Mozilla architecture. Or, maybe there should be a law that browsers with scriptable components are illegal to export?
  • I once read an article in a local newspaper that talking about Web design and mentioned HTML as being a programming language.

    The sad thing is that to most people HTML is a programming language. Remember we live in a society where most people's solution to the blinking 12:00 on a VCR is to cover it with electrical tape.

  • They got it completely right!!


  • 1) The Declaration of Independance is a letter, not a law.
    2) Governments can make any laws, grant any "priviledges" they want.

    What the Declaration of Independance was saying is that is a "Human" right, not a legal one, to be free. That can never be actually taken away from you. On the other hand things like life, liberty, and any hope of happiness CAN be taken away by the Government.

    Freedom tends to be more of a priviledge granted by your Government, rather than an actual right. If some Government decides to come to your house, take you away and throw you in jail forever, are you still free? Where are your "inalienable" rights then?
  • Ok, lemmie get this straight: Because the previous poster doesn't have a perfect government, and there are worse governments in existance then the USA is the best and y'all should shut up about it?

    I happen to be a US citizen as well, in fact I was just Honorably Discharged from the US Military. I just believe that freedom and privacy have been thrown into the crapper. True to our Constitution this gaping atrocity has been commited by none other than our own people. The average Joe would sell his soul to have his wife, 2 car garage, 2 1/2 children and the closest thing to world politics would be the World Cup Soccer Tourney.

    My $0.02 US
  • Of course that was what everyone said when PGP was released, many moons ago. Last I checked it hasn't happened yet!
  • I have to apologize, I hate to be a troll. What I was trying to say, crudely, is that defending your argument by saying that the previous poster isn't perfect, therefore shouldn't voice their opinion is no defence of an argument. I find this idea endemic in US society, that if you aren't morally perfect then your opinion doesn't matter. Unless this is the second coming, nobody is perfect, therefore everyone elses opinion can be discounted using this logic.
  • It seems to me that since encryption is useful for
    communication software, it would be nice to
    integrate it fully with Mozilla and other
    browsers (konqueror, opera, lynx etc.) as well as
    with collaboration tools (cvs, lotus notes and
    whatever OS/FS clones there are of it, etc.).
    On second thought, Apache integration may be
    more important, because it'd be nice to serve
    encrypted pages, then there'd be a market for
    encryption capable browsers.
    Disclaimer: I do not know to what extent any of
    this has been done.
  • Um. huh?

    1. Open source doesn't mean open life. It's not contradictory to write open source software but not publish your credit card numbers

    2. Ideal society != (all members are ideal)
    Destructive people have always been with us. There will always be people who want more than what they are entitled to, and don't care if they hurt others to get it. Hence, we protect ourselves and we spend less time destroying those people.

  • I don't know if scp counts as a replacement for ftp (though I'm not knocking scp in general) as you can't browse directories etc with it (granted, you can use ssh to find what you want and scp to grab it) but kerberos is a good thing too.

  • > Actually, it intensifies the need for funding to > enforce the law. Government can route around > thumb-the-nose initiatives like this, by banning > the encrypted traffic.

    > You can't just pull down your pants and shake > your willy in public because you don't like > public nudity laws. Or, rather, you can. For a > minute or two.

    Ah, but I can go somewhere where public nudity is okay (another country, or my own home, which wouldn't be public, but oh well) and do so, and then point out that nothing horrible happened (oh no, I got cold!)

    well, okay, I couldn't shake my willy around (at least not unless I went to the adult store first) but you get the picture.

  • Just because an entity has the *power* to do something to you does *not* make it legal, or right. The constitution does not grant rights, it enumerates them. This is a fundamental difference, and one the founding fathers explicitly expressed in the 9th and 10th amendments. (sorry for the US-centric argument)

    Trampling on your rights does not remove them, as our current government proves every day.
  • Well, there is a legal process for striking a Constitutional right like free speech.

    No there is NOT! Your rights are inalienable. Meaning ALWAYS WITH YOU. Just because it is or isn't in the Constitution or any other document doesn't mean that you don't have the right. Rights are not granted by the government, priviledges are. There is a very big difference.

    inalienable \In*al"ien*a*ble\, a. [Pref. in- not + alienable: cf. F. inali['e]nable.]
    Incapable of being alienated, surrendered, or transferred to another; not alienable; as, in inalienable birthright.

    Can't get any clearer than that ...
  • Oh, I'm not claiming that there are no stupid legislators. But the fact that they tend to blindly follow party leaders doesn't disprove my point. There are always people who actually make decisions, and you can bet that these people, high up on the party ladders, have seen and understand the results of their export policy.

  • I agree. And that's why we're beginning to see the anti-crypto legislation. Because the obscurity period is gradually coming to an end.
  • Why does everyone assume legislators can't understand this?

    They DO understand what export restrictions do to American companies. (Sorry to say the same thing over and over, but these "boy are those lawmakers dumb" messages just won't stop coming)

    The laws are intended to keep American companies from effectively promoting the use of crypto in the states. No widespread use => no real need to regulate => no publicity nightmare.
  • Well.. Call this a little Trolly, maybe a little offtopic, but is anyone else slightly irritated at the self-superior tone that RMS has on when discussing Linux vs GNU/Linux?

    When will he figure out that GNU would be just a few alternate apps for Unix boxen if it weren't for Linux? Of course, there would be no Linux without GNU.

    So what's my point? Well maybe it's time RMS took a miss. This is a little like the Chuck the Daemon argument. The people call it Linux. Boo Hoo if that name doesn't give credit to GNU. People still call the BSD daemon Chuck. What's in a name, really?

    RMS seriously needs to revise his attitute a little. People might actually take kindly to calling it GNU/Linux if he wasn't yelling so damn loudly. Something he needs to learn is that people who 5 minutes ago didn't care will suddenly be against you if you come on too strong or are rude.

    Then again, this press is just bad anyway. But in the end, it's not like this was a product of some people in Boston or whatever. It was a product of the entire Open Source Movement. From a need came a product, and it was Better. In the end though, don't be petty about it.
  • There already is an extension to normal addressbooks for certificates (it's a pretty standard attribute in LDAP) and it would be very simple to include a key attribute in an LDAP entry.
  • The article says GnuPG is in the public domain. Is this true? No GPL or LGPL? If its really in the public domain they must have abandoned the copyright too. This must, if it is correct, be very unusual for GNU.
  • by Anonymous Coward
    Obviously the controls aren't meant to target the specified boggie man. Mr. Boogie has had very strong crypto for very many years. The fact that pretty much anybody seems to be able to cobble together strong crypto rather removes it as the lever of power between nation states. Yet, they continue to justify themselves on this basis.

    It makes it unreasonable for normal people to aquire and install crypto. You have to download it from off shore, then patch it into your environment.

    Like they say...

    Crypto is used by human rights groups. It is despised by the US Government. Draw your own conclusion.

    In my book, Civil servants using patent lies to justify the destruction of the Constitution isn't just a breach of Oath, it's treason. And, every judge, congress person, and president that allows it to continue is a co-conspirator. Treason, you say? Well, there is a legal process for striking a Constitutional right like free speech. Failing to use that process suggests the powers that be are working for some other country; they clearly have an intent to defeat those of us that live under said Constitution; and they are US citizens. That is the very definition.

    They're WAY past folly.

  • Yes, the half they got write was the "GNU" half. The GNU Project's goal was (and is) a completely free UNIX-like operating system, which they named the GNU OS (or just plain GNU). Currently, plugging the Linux kernel into this (mostly completed) OS provides you with a mostly functional OS known as GNU/Linux.
  • Interesting.. The second paragraph in the article begins with "The privacy-protection program, which is available now". That puzzled me for a second -- of course it's available now if it's announced! Only five seconds later did I realize how much used I became to our world, where software is announced when it's available, and announcements are not fluff and vapor just to outrun the competition... Funny how CNN is talking in traditional terms which sound so strange here.
  • Hopefully someone ingenious person will integrate GnuPG into Mozilla's email client. Hopefully that would encourage other email clients to adopt the integration and create wide spread use of signed email.

    Joseph Elwell.
  • Also, there is still a great deal of debate over the entire Linux vs. GNU/Linux thing, I personally go with Linux but that's just me. Actually had they replaced Linux with Hurd it would have been entirely accurate.
  • I really hate to shatter your illusion but in times of national crisis the government can suspend ALL of your constitutional rights. Look at what happened to Japanese Americans during WWII. Most of them on the west coast were put into concentration camps, oops, I forgot, the history books leave that detail out. Also, Congress once did prevent a news paper (I forget which) from printing for a day because it had an article that could be harmful to national security or some such drivel. Or martial law, that's also unconstitutional, but in times of "national crisis" the government will suspend your rights for "the good of the nation."
  • Look at programs like "zero tolerance" for an example of the government trampling over people's rights. Under zero tolerance the government could arrest someone, confiscate ALL of the property, and sell that property, on the SUSPICION of you being a drug dealer. That's right, no trial, no rights, go directly to jail do not pass go, just because an ex-girl/boyfriend made an anonymous call to the police telling them you were dealing crack. Scary ain't it?
  • Lets say I encrypt all of my emails and on in a given week I send 100. 99 of these emails are along the lines of "happy birthday" or "can we meet friday by the new, expensive, super-trendy coffee shop". 1 is "I'm going to rob the bank in 2 days". Now lets pretend that the government has some kick ass crypto cracking computers and they can decrypt one of my emails a day and that they pick emails at random to decrypt. Lets say that that they get really lucky and pick the 1 bad email, out of the 99 good emails on the 25th try. Jackpot, they found out I'm going to rob a bank, oh wait, it's 23 days after the bank was robbed, oh well, they know who did it atleast, but wait, in those 23 days I made arangements to fly to some country that has no extridition treaties with the US.

    Basically my point is that the government can be as suspicious of me as they want to be, it makes no difference in the end so I doubt that they'd bother trying. Also, people write letters on post cards, but most are in envelopes and they'd be extremely pissed if the envelope got delivered and it had been opened. It doesn't matter that it was just a letter saying "happy birthday."
  • It cannot/will not be integrated into mozilla, simply because it can no longer be exported if this is done...

    my $.02

    Steve Ruyle
  • Well that shouldn't be too hard. ;-)

    "We must ensure that our country remains the technological leader of the universe in order to reserve the rightful place in the hierarch of mankind that our children deserve. Therefore, I submit to this distinguished body, that we must dis-allow the importation of any encryption technology onto our hallowed American soil that would seek to undermine the very moral and ethical fabric of our socienty and force our children to submit to functioning on the same pathetic level as the children of all the other nations on this Earth!"

    (to be read in the monotone drawl of your favorite clueless bible-belt Senator).
  • ...for "newbies" to encryption, that is?

    I'm really pleased to see GnuPG getting attention -- it deserves it. After using PGP for a while now, and reading all about various encryption algorithms this afternoon, I'm feeling pretty pumped about protecting my personal privacy.

    That said, PGP & GnuPG are only useful if more people start to use the software.

    So, with that in mind:

    Does anybody know where there is a simple explanation of how encryption works? Something that you could show your non-geek friends, or, even (gasp) your Mom, and have them understand the basics?

    Getting friends and family on email is a hurdle I've basically crossed. Now I'd like to do the same with email encryption. [ In fact, I may write such a "newbie encryption" document myself, but may as well check to see if something already exists. ]
  • The Right Thing (tm) to do would be to have the mail client check the first time it tried to send mail to an address to see if that person had a key (assuming we set everyone up to use the same key-server network). Then automatically encode it and send the message to them. Sure have a checkbox to turn it off, or to only do it to people you explicitly tell it to. But the whole action (including getting the key) should be as invisible as possible to the user.

    On the receiving end, when you receive encrypted mail from someone, your program should automatically go out to your HD (ask for password of course) and run GPG/PGP on it and show it to you unencrypted. Maybe just putting an encrypted icon in the status bar or wherever to tell you the mail was encrypted.

    I'm waiting for this kind of functionality in a mail client personally. I think this would be a reasonable drop in replacement for regular email. I know I would use it, maybe someone could add this as a plugin or something to mozilla mail.
  • Well, it still has a few HURDles to pass.
  • I see that GPG runs under the Free Software Foundation's distribution of Linux, alternately called "Debian" or "GNU/Linux". Does it also support other Linux distributions?
  • Something that you could show your non-geek friends, or, even (gasp) your Mom, and have them understand the basics?

    An easy description of what encryption and signing (don't forget signing, its an important concept) do can be provided by offering analogies to postal mail and signing of contracts.

    However... the actual how and why of encryption and signing is not something that will easily fit into someone's head. The basic problem is that while its obvious to the lay person exactly how an envolope protects their letters from casual examination, understanding how encryption protects their documents either requires that they take some things on faith or that they understand the math. There is no physicality to the protection, nothing that can be seen, touched or obviously understood.

    You can go a certain distance with the postulate that "some mathmatical functions are easier to do in one direction than the other" and from that get the basics of cryptography, both signing and encryption, but again, the layperson has to either understand why the postulate is true, or take it on faith. Even so, the simplest explanations leave out a lot of important details (leaving the explainee not knowing how to distinguish between good crypto and bad crypto, and thus giving them more stuff to take on faith). One of the most concise set of basics is in Schneier's E-Mail Security [] which goes over the juicy bits in chapters 1-5.

  • That's a part of the SSH2 package.
  • That's fine if you want to use SSH2. SSH2 has a very restrictive license. Its my understanding that SSH2 does not have as great a install base as SSH1 because of this. I've also seen some grumblings about performance - but nothing solid.
  • The GNU Project, based in Boston, Massachusetts, was launched in 1984 to develop a free Unix-like operating system, called GNU/Linux.

    Oh well, they got it half right.

  • I have this vision of RMS grinding his teeth and launching himself at his CRT while screaming.

    I mean, everyone here knows that the GNU project was founded in Cambridge. Silly CNN.
  • XFMail has support for it now (well, a recent version, and everything should be current soon). Please consult [] for more info. :)
  • Exporting a crypto-enabling API without the strong crypto is just as illegal as exporting the strong crypto itself. Therefore what we need now is a mailer developed outside the US. I can envision a flood of other crypto-enabled software that US programmers won't be able to develop in the States because of the export regulations.
  • Current crypto export regulations have made it all but impossible to get strong crypto enabled software in this country. You can roll your own but you can't share. We should already have a strong infrastructure in place with facilities to trade public keys very easily and every mail program should have encrypt and sign features readily available.

    We don't because the US Government raises the spectre of "Criminals, terrorists and pedophiles" (Oh my!) Well that's just fine, until you start to wonder, who decides what makes a criminal? In China I could be arrested for sending a mail talking about how my wife was forced to be sterilized after our first child. Suspecting that everyone is a criminal and reading their mail to make sure they're being good little citizens may make sense if you're Chinese, it should never make sense here. In a decade or two, this very message might be considered "subversive" by the US Government and I might be visited in the middle of the night and shot in the back of the head because I don't follow the sheep-like inclinations of 90% of the public.

    We should be demanding severe reforms in the privacy and cryptography arena. We should also be letting candidates know that we consider this to be a vital issue, one which will gain our lose our votes in the next election. We should not be tolerating the current status quo. We should never let it be assumed that a person is guilty until proven innocent.

  • Won't.. Linux.. be pissed? Pardon, but I seem to be a bit confused. Of course, while it is true that it would be a more technically accurate assertation to make if one said that the Free Software Foundation was based in Boston, Massacusetts than the GNU Project (although the two are practically synonymous, there are a few key differences).. or perhaps that the GNU Project was launched to accomplish a number of goals, of which releasing a free operating system was only the first. Of course, anyone who was interested could easily pick up all of this information at the GNU Project's Web site []. But then, the media never has been known for doing their research, eh? I once read an article in a local newspaper that talking about Web design and mentioned HTML as being a programming language.

    Other than that, the statement remarked upon by the original poster is mostly accurate. After all, the OS that the GNU Project eventually came up with was called GNU/Linux. Many people (mostly the media and the people who believe them) think that when one says "Linux kernel" that what is really meant by that statement is "the kernel for Linux" when the truth of the matter is that Linux is the name of the kernel used in the GNU OS. Therefore, as Richard Stallman states (and the Debian distribution respects), it is more appropriately referred to as GNU/Linux. Richard wants to have another GNU OS using Hurd as the kernel, but there's not too much development in that area from what I know.

    I guess what originally drew me to comment on this post was simply.. how can a kernel for an OS get pissed off at anything? I would love to see posts that are a little more specific. Vague comments without a lot of backing tend to be.. well, vague. Not to mention annoying.

    By the way, no, I'm not trying to detract from the work of Linus Torvalds. His is just as important as many (well, more than most, actually), although Richard Stallman is rarely given the credit he truly deserves.

  • Pardon this excessively opinionated foray further in the realms of off-topic discussion, but.. Well, let me try to get this straight.. What is the perfect example of the Internet community proving it's world wide (well, beside the fact that the World Wide Web isn't just a funny misnomer), GPG or snubbing your nose at America? Personally, I think snubbing your nose at a pair of continents (which are actually north and south, rather than one single land mass.. sort of) is really silly, but hey.

    I'm pretty sure the original poster meant the United States government, but then again, I'm also pretty sure that they're rather confused and have no idea what they are talking about. At any rate, this sure is some serious flamebait. Don't get me wrong, even though I'm a United States citizen I have a number of issues with my country's government, and don't believe us or our country is necessarily all that better than those of other parts of the world. However, I can't agree with the idea that a community can prove itself as being world wide (which seems to me to mean that it excludes no one) by excluding a certain group (namely the United States).

    National boundaries mean a lot. More than the original poster can apparently imagine. A lot of us would love to live in a better world, but being a practical realist as well as a dreamer, I can certainly attest to the fact that ignoring cold, harsh reality is quite bad for your health. Besides, the United States stands for freedom. There are a few corruptive influences in our country, but it is that way with any society. I don't like those elements of our society, but unless you can claim yours to be perfect, I don't think that you have room to talk. There are certainly much worse places in the world to live. I like what the United States as a whole stands for. And apparently a number of its opponents don't care for them as much as I do. Such as the idea that you should cast off the yolks of oppression and ignorance? Silly me.

  • How about an open-source keyserver project. Make the code needed to take advantage of the keyserver available to everyone and hopefully we would have a bunch of encryption/keyserver-ready mail programs in no time. Keys should be associated primarly with email-addresses and everyone could register their own keys, with email confirmation to that specific email-address of course. This could really boost the use of encryption.
  • An update to `substitute your favourite mail reader here` which would add support for automating encryption process. What is needed is an extension to normal addressbooks to accomodate a public key for the individual in question and instead of just the normal send-command also a send encrypted-command.

    An ideal model would be that when i have say pine and pgpg installed in my system, pine would automatically offer the option of encrypting the message(autodetect the presence of an encryption program). Signing the message with my own private key would of course also be automatic. When you receive an encrypted message, your mail reader would automatically attempt to decrypt it with your private key.

    Of course there are some securite implications involved with automating the use of encryption keys but as long as your account/files aren't compromised these shouldn't really be a problem.

  • Sure. Some of what I'll say is kinda pulled from what I read in a PGP release many moons ago.

    You don't write letters to people on postcards, do you? No. Why? Anyone can read what's on the postcard. If you want to write a private letter to someone, you write it on a piece of paper and put it in an envelope. You may even use a security envelope so you can't see what's inside the envelope.

    Encryption is (in one sense) the envelope. It makes sure that no casual reader can see what the contents are. It may be credit card information, or it may be happy birthday wishes. It doesn't matter.

    Encryption (as PGP/GPG uses) also provides authentication. It makes sure that when you get a letter from a friend, it really came from them and not someone who happened to break into Hotmail and fake e-mail.

    Side note: Hrm. This could be a good way at advertising GPG (Hotmail cracked again? Don't worry, GPG keeps you safe!)

  • Look on the GnuPG [] web page. There are links to a number of mail clients with some level of support.

    Personally, I prefer mutt [].
  • First off, you're parroting what the original poster said, i.e. that a big enough beowulf cluster can break the encryption, but moving it further offtopic by saying a big enough cluster can do anything.

    Second, you're dead wrong. Cryptography is based on functions that are easier to do in one direction than the other. Easier by many many orders of magnitude. That means that a computer will always be encrypt a message to such a degree that were all the matter in the entire solar system turned into a huge cluster of computers, it would not be able to break the encryption with a brute force attack. You're home computer can do this RIGHT NOW. So while beowulf clusters are neat and all, don't ascribe magical powers to them. Its a sign of linux zealotry and that's just as bad as any other kind (*cough* M$ zealotry *cough*).

    Note that I did however only talk about brute force attacks. There is always the chance that a new algorithm or new kind of technology (read quantum computing) will be found that will render a cryptography function as easy in one direction as in the other.

  • by technos ( 73414 ) on Thursday September 09, 1999 @07:19AM (#1692387) Homepage Journal
    It is a great thing that the mainstream media is embracing GNU projects, but I thing that forcing them (the errant journalists) to read a breif 'GNU/FSF/Linux primer' before publication would be a good idea.

    A note to Stallman: Take a Valium, wash it down with a few shots of Absolut, (not too much now, we don't need you dead) and sleep off the rage of the HURDs virtual media invisibility.
    Linux was below the radar screens for years, and is now up in a big way. HURD may well be the next Linux..

    A thought before I go.. We should embrace GPG, for not only is is a good bit of code, but it may well be our best way of fighting the current stupid encryption laws. By making sure everyone, everywhere can get their hands on it, it nullifies the need for such a law, and I hope the US government realizes this..
  • by Zack ( 44 ) <<zedoriah> <at> <>> on Thursday September 09, 1999 @07:08AM (#1692388) Journal
    What's need now is an easy way for end users to use encryption in everyday life. SSH is an easy replacement for telnet and ftp (scp, that is)... GNUpg is a wonderful program, but integration into Mail clients and the the like is very important to help people actually use it...

    I'd encrypt / sign all my mail if it were easier... I guess I'm way too lazy to type a message, run it through GNUpg, then replace the text in the email all by hand... I've seen some decent apps for Win32 that do nice things (e.g. adding a right click option on text to do PGP encryption / signing)...

    I'd love to see more encryption being used... I know a few Linux mail clients "plan" to have support for GNUpg, but none that I know of right now do and offer enough features to be worth using....

  • by DiningPhilosopher ( 17036 ) on Thursday September 09, 1999 @08:06AM (#1692389)
    The legislature is fully aware of the effect of their policy. They don't WANT American crypto companies to be competitive. Strong American crypto companies lead to more Americans using crypto.

    As long as Americans don't bother using crypto the legislature doesn't have to take unpopular steps to control it. So they stifle the companies who make and promote crypto products and the issue comes to the public's attention as little as possible.
  • by antizeus ( 47491 ) on Thursday September 09, 1999 @07:06AM (#1692390)
    Hopefully this will help show the legislature the folly of these export restrictions. If you won't allow certain things to be exported, then the enterprising individuals will develop them outside the country, and the some of the prestige of "America's technological leadership" will dwindle.

    God knows the legislature doesn't act on real issues, but if we can make this a PR issue, then things might actually change.

  • Given that GnuPG is open source, which means it will be peer-reviewed with eyeballs from all over the world, I wonder what would happen to its export status if the maintainers received and applied even one bug fix or ehancement derived from a USofA based reviewer/user.
  • by TwistedGreen ( 80055 ) <twistedgreen&gmail,com> on Thursday September 09, 1999 @07:24AM (#1692392)
    This is a perfect example of GNU and the open source community. We provide free alternatives to commercial products that are available, and as an added bonus, it has no export restrictions! Why is it that free software written by hackers in their basements almost always better than something you would pay for? It all comes down to money... people are rushed to release their programs, and try to patch it together from others' code to try and save time. Corporate giants (primarily Microsoft) have taken the art out of programming. Computer programming is indeed an art, not a money-making scheme.
    Let's keep it that way.
  • by deno ( 814 ) on Thursday September 09, 1999 @07:23AM (#1692393) Homepage

    USA is hitting its own software companies with this regulations. This is good for everybody else, but it will cost the USA a LOT.

    Very soon, US companies will start feeling the pressure from all over the place. For one thing, a german company (SuSe) can (and does) put things like PGP, ssh & co. in its distribution, which an US-based company (redhat, Caldera) can not and does not.

    Now, adding ssh is just a matter of downloading the srpm package, compiling it and doing an RPM -i, but... Try adding ssh-agent imediately after login for all of your users in a consistent way and you will find out that this task is non-trivial. Then you have to make your PGP (or GPG) work with pine, or whatever you or any of your users use and so on. It is annoying and takes your precious time away.

    It is just the same kind of shit as those I used to have with my (german) keyboard not getting properly configured, xdm coming with an completely open configuration file, and simmilar, with ONE major exception - RedHat cannot fix it in the "next version", because it is not even part of the distribution. SuSe can.

    By the way, upgrading from RH-5.1 to RH-6.0 has killed my own solution to above mentioned problem of integrationg the ssh-agent in the login-process, so I had to do it again. And I hate repetitious jobs .-).
    Do I see a problem for RedHat here?

  • I'm suprised that people haven't been touting the "free speech" end of GPG as well as the "free beer" when it comes to crypto algorithms. Cryptography that doesn't cost anything is good, but for the truly security-conscious individual i think that we need to stress the fact that he can check the source code for shabby implementations of algorithms (none that i see in GPG) and even blatant backdoors. I've seen people use closed-source crypto products, and I wonder when someone is going to discover a backdoor that was put there by some government. Price and politics are good, but security should be the selling point of GPG.
    Andrew G. Feinberg
  • by Jburkholder ( 28127 ) on Thursday September 09, 1999 @07:34AM (#1692395)
    Oh geezus, if that don't set him off, I can't imagine what would!

    I'm not real passionate on the whole GNU/Linux controversy one way or another, but this is pretty irritating. Sheesh, they couldn't go to and steal some of the background there instead of coming up with this boner?

    Back on-topic, it is good at least to get some 'good' press about GNU and Linux and encryption out in the mainstream. The average reader won't notice or care about this misstatement, but will probably pick up on the implications of unrestricted encryption (hopefully).

    Meanwhile, back at the CNN newsroom...

    "Ya come up with any copy today with the word 'Linux' in it yet?"

    "Well, sorta... there's this GNUpg thing, and I think its kinda about Linux, but I don't know what this GNU thing is."

    "Go ask Harry, he did a story last week about RedHat and he knows all about that stuff. C'mon - we got a deadline!"

    "Uh, oh... Harry?"

    "Oh yeah, GNU is that thing that they started in 84, MIT, I think... yeah, right.. they're the ones who claim they invented Linux and want to make sure you call it GNU/Linux. I got yelled at a press conference once by one of their guys."

  • by Enoch Root ( 57473 ) on Thursday September 09, 1999 @07:38AM (#1692396)
    In general, I find that "newbies" don't have a hard time understanding encryption. They understand intuitively the importance of it, and they will tend to recognise encryption is important. However, they fall for buzzwords, so many, for instance, considered Hotmail secure because "it prompts you for a password".

    On the other end, you find people who distrust anything, so give up on encryption altogether. Their logic is, since "hackers" (their term, not mine! Lay off the stones!) can get into anything, there's no point in using convoluted methods to protect their information. That's the same kind of people who refused to use automatic tellers for years because no human being was handling the money.

    What's important to put into the public's mind is some of the following points:

    Encryption is the practice by which you make it impossible for anyone but the right people to read a message of any kind, be it a credit card number or an email message.

    Cryptography is important for everyone, not just spies of military generals. Just because an information is not dangerous to you or someone else if it is revealed doesn't mean it's not private. Do you want love messages between you and your boyfriend/girlfriend/wife/husband to be read by anyone?

    It's easy to apply good cryptography to almost anything, unless the nature of your data is highly secret (and we're not talking surprise party plans.) All it takes is a little extra "effort", and you can have secure messages.

    No, the Government won't start spying on you because you're using encryption. Many people do it, and they're not terrorists or Russian spies.

    Don't trust any company who says they use encrytion. There are two types of encryption: encryption that requires minimal effort to unravel (like tearing open an enveloppe) or encryption that requires some time and good cracking skills (like cracking a safe). If you want good encryption, look for second opinions on the Web, or from cryptography-savvy friends or colleagues.

    Good encryption exists nowadays, and some encryption standards make it unlikely that your data will be exposed unless a lot of money and effort is put into it. Be wary of systems that claim they are unbreakable, but don't think your data is automatically vulnerable to any 13 year-old hacker with a modem. Yes, your data can be protected by cryptography.

    Good security also means good practice. Your data will not be safe if you use simple passwords, like the name of your dog or your birthdate. Try using unpredictable passwords when you need to. If possible, use numbers and mixed case when choosing your passwords. NEVER use your name.

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

Kill Ugly Processor Architectures - Karl Lehenbauer