Martinis at 8 Mar 3, 2006 9:56 am

PGP E-mail Encryption
 
Any opinions on these services? So far I have looked at Hushmail and MailVault.

Which would appear to be more immune from prying eyes, to include the gooberment?

M8

DallasBill Mar 3, 2006 1:42 pm

Hushmail is as good as I've seen for a free service. Also, the fact that the email header is completely anonymized (is that a word?) to 127.0.0.1 for the sender means no receiver can know where it was sent from via Hushmail.

Martinis at 8 Mar 3, 2006 4:22 pm

"Anonymized" is apparently becoming a word.

I am actually thinking of going dark on all my e-traffic due to security concerns.

(This of course would mean dropping off of the e-boards I goof around on. Do I hear cheers? :D )

I'm particularly concerned with client data being intercepted. I'm looking at paid for services. mailvault.com looks pretty interesting, and they also sell a tunneler.

M8

Doppy Mar 3, 2006 7:13 pm

You can get PGP through Phil Zimmermann's Web site (the father of PGP). The program comes with the PGP Mail plug-ins. I've used it with MS Outlook before and it's a pretty seamless integration.

http://www.philzimmermann.com/EN/sales/index.html

The problem with something like MailVault is that they store your private key on their servers. The biggest threat to the security of encryption is the security of your private key. How can you trust that this company is going to keep it secure? They'll have access to it, hackers and spies could get access to it, and possibly law enforcement.

If you are the only one with access to your key then you're in a much better position: anyone who wants to get access to your encrypted files would have to break both your key and your passphrase. If you use mailvault, all someone has to do is break into your account using a simple username/password combo, which is not particularly secure, then they'll have access to your private key. They may still have to break your passphrase (I'm assuming that MailVault doesn't store this for you).

Of course, it is probably easier to use a service like MailVault, but I'm not convinced that it's worth it for questionable security benefits. And you have no way of knowing how trustworthy these people are or what the "back end" of this thing looks like.

Finally, with MailVault you have no way of knowing if your security has been compromised. If you control your private key, you're in a much better position to know if it has been stolen.

Martinis at 8 Mar 3, 2006 8:19 pm


Originally Posted by Doppy
You can get PGP through Phil Zimmermann's Web site (the father of PGP). The program comes with the PGP Mail plug-ins. I've used it with MS Outlook before and it's a pretty seamless integration.

http://www.philzimmermann.com/EN/sales/index.html

The problem with something like MailVault is that they store your private key on their servers. The biggest threat to the security of encryption is the security of your private key. How can you trust that this company is going to keep it secure? They'll have access to it, hackers and spies could get access to it, and possibly law enforcement.

If you are the only one with access to your key then you're in a much better position: anyone who wants to get access to your encrypted files would have to break both your key and your passphrase. If you use mailvault, all someone has to do is break into your account using a simple username/password combo, which is not particularly secure, then they'll have access to your private key. They may still have to break your passphrase (I'm assuming that MailVault doesn't store this for you).

Of course, it is probably easier to use a service like MailVault, but I'm not convinced that it's worth it for questionable security benefits. And you have no way of knowing how trustworthy these people are or what the "back end" of this thing looks like.

Finally, with MailVault you have no way of knowing if your security has been compromised. If you control your private key, you're in a much better position to know if it has been stolen.

Okay, once again, Doppy to the rescue ^ That's pretty good poop on MailVault. I did hear about Phil Zimmermann on the Hushmail site, and have now bookmarked the link.

Thanks ^

M8

cpx Mar 3, 2006 8:22 pm

agreed! no need to pay for a PGP service

Martinis at 8 Mar 3, 2006 8:28 pm

Laptop theft is my other concern. If I have PGP on my own machine, can the e-mails be left encrypted on the laptop? I'm thinking the thieves would need to know the passphrase in order to read anything that's left encrypted on the machine.

I did a test with Hushmail. The note I sent to myself [from my Hushmail account to my commercial account] directed me to their site where I had to type in a known phrase to decrypt. I'd like the same type of protection for my laptop. Anyone know if this is possible?

M8

Jimmie76 Mar 3, 2006 8:29 pm

Go for PGP if you want to stop almost everyone being able to read your mail. I was told by someone I trust, that the USG had only relaxed the encryption export laws when they had managed to figure a way of breaking most stuff easily. Although I wouldn't take this as fact, I don't see much reason to doubt it, I believe in theory that it could be done, using/compromising the OS on which the encryption software runs.

Martinis at 8 Mar 3, 2006 8:38 pm


Originally Posted by Jimmie76
Go for PGP if you want to stop almost everyone being able to read your mail. I was told by someone I trust, that the USG had only relaxed the encryption export laws when they had managed to figure a way of breaking most stuff easily. Although I wouldn't take this as fact, I don't see much reason to doubt it, I believe in theory that it could be done, using/compromising the OS on which the encryption software runs.

I'm researching that myself. But I don't think USG has control on this or the breaking of PGP code. I do understand that they have consulted with Zimmermann on developing similar code for themselves. But I think it is like the Enigma machine in that if the cams are different in each machine, then you have to have a machine with the same cams, otherwise decrypting is not possible [I remember this from reading UK Brig. Ronald Lewin's books].

Anyway, I'm not worried about USG as much as I am about general theft and business type snoopers.

M8

ClueByFour Mar 3, 2006 10:14 pm


Originally Posted by Jimmie76
Go for PGP if you want to stop almost everyone being able to read your mail. I was told by someone I trust, that the USG had only relaxed the encryption export laws when they had managed to figure a way of breaking most stuff easily. Although I wouldn't take this as fact, I don't see much reason to doubt it, I believe in theory that it could be done, using/compromising the OS on which the encryption software runs.

No. They relaxed the laws once it became clear that the proverbial cat was out of the bag, it was perfectly legal to export crypto code in printed (book form) and it became increasingly clear that the circuit court would have smacked them around in Zimmermann had it continued.

It's possible that the government made some breakthrough in factoring or the underlying traditional crypto in PGP. It's far easier to simply tempest your machine or keylog it to figure your passphrase, though.

Doppy Mar 3, 2006 10:36 pm


Originally Posted by Martinis at 8
Laptop theft is my other concern. If I have PGP on my own machine, can the e-mails be left encrypted on the laptop? I'm thinking the thieves would need to know the passphrase in order to read anything that's left encrypted on the machine.

If your private key is on the machine then they just need the passphrase. Your passphrase has to be about 100 characters to provide a high level of security in this situation. For most people, coming up with a relatively random passphrase of this length is going to be difficult. (Generally speaking you want a long passphrase regardless of whether you think your private key will be stolen/intercepted.)

Put your private key on a USB drive and have the drive implanted in your body, with only the plug sticking out. Then you can just plug yourself in as necessary, and if you lose the laptop, your files will still be secure. :)


Originally Posted by Jimmie76
Although I wouldn't take this as fact, I don't see much reason to doubt it, I believe in theory that it could be done, using/compromising the OS on which the encryption software runs.

The Clinton administration wanted to mandate that all computers had the "Clipper Chip" in them. It would provide an OK level of encryption, except that there was a back door that the government could easily use to decrypt anyone's data. Of course, as any idiot should realize, that "back door" would probably be kept secret for about 10 minutes before it was leaked or someone else figured it out, thus compromising the security of every computer. Fortunately, that terrible idea never got any traction.


Originally Posted by ClueByFour
It's far easier to simply tempest your machine or keylog it to figure your passphrase, though.

Or use a microphone :cool:

http://www.freedom-to-tinker.com/?p=893
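
Added example (not part of the thread, and not PGP's own code): Doppy's point above is that once the private key file sits on a stolen machine, the passphrase is the only barrier. The sketch below implements the OpenPGP iterated-and-salted string-to-key function (RFC 4880, section 3.7.1.3), which turns a passphrase into the key protecting a stored secret key, and estimates passphrase guessing entropy. The function names, the sample salt and passphrase, and the 1.3 bits-per-character figure for English prose are assumptions of the example.

```python
import hashlib
import math

def decode_count(coded: int) -> int:
    """Expand the one-octet coded iteration count (RFC 4880, 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Derive the symmetric key that unlocks a passphrase-protected secret key."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    data = salt + passphrase
    count = max(decode_count(coded), len(data))  # octets hashed, not rounds
    full, rem = divmod(count, len(data))
    key, preload = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)  # n-th hash context starts with n zero octets
        for _ in range(full):
            h.update(data)
        h.update(data[:rem])
        key += h.digest()
        preload += 1
    return key[:key_len]

def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)

# Assumption: about 1.3 bits per character for ordinary English prose
# (the upper end of Shannon's estimate for printed English).
ENGLISH_BITS_PER_CHAR = 1.3

def prose_passphrase_bits(length: int) -> float:
    """Rough guessing entropy of a passphrase written as natural English."""
    return length * ENGLISH_BITS_PER_CHAR

if __name__ == "__main__":
    salt = bytes.fromhex("0102030405060708")  # constructed sample salt
    key = s2k_iterated_salted(b"constructed sample passphrase", salt, 0x60, 16)
    print("octets hashed per passphrase guess:", decode_count(0x60))
    print("derived 128-bit key:", key.hex())
    print("100 chars of English prose: ~%.0f bits" % prose_passphrase_bits(100))
    print("20 random printable ASCII chars: ~%.0f bits" % random_passphrase_bits(20, 95))
    print("10 random words from a 7776-word list: ~%.0f bits" % random_passphrase_bits(10, 7776))
```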

Jimmie76 Mar 3, 2006 10:50 pm

I know about the clipper chip, I looked into that myself whilst at Uni. However I've dug out the email I was sent containing a link about this, and that's I guess where he got his info from before talking to me.

Interesting stuff, although no certainty that it's accurate!

GUWonder Mar 3, 2006 11:08 pm


Originally Posted by Martinis at 8
"Anonymized" is apparently becoming a word.

I am actually thinking of going dark on all my e-traffic due to security concerns.

(This of course would mean dropping off of the e-boards I goof around on. Do I hear cheers? :D )

Tools to go "anonymous" in the same sort of way exist for e-boards too. There's always remote browsing too. Can you tell that I want you to stick around? And no, I don't need The Little Back Book. :D

Martinis at 8 Mar 4, 2006 6:20 am


Originally Posted by GUWonder
Tools to go "anonymous" in the same sort of way exist for e-boards too. There's always remote browsing too. Can you tell that I want you to stick around? And no, I don't need The Little Back Book. :D

Oh, I know about the stealth surfing stuff. Actually the going dark is because of the locations I will be at, very remote. Last few trips into Angola I had very little e-access and had to travel a distance to get a hook up at an internet cafe where I could slave in my laptop. Just enough time for business and personal mail, but no leisure time for "causing trouble" on my favorite e-boards. I am amazed at how internet cafes can be found in some of the most remote and underdeveloped areas of the world ^

What's a Little Back Book? :D

Martinis at 8 Mar 4, 2006 6:35 am


Originally Posted by ClueByFour
No. They relaxed the laws once it became clear that the proverbial cat was out of the bag, it was perfectly legal to export crypto code in printed (book form) and it became increasingly clear that the circuit court would have smacked them around in Zimmermann had it continued…

Yes, I seem to remember reading about that at some time.


Originally Posted by Doppy
…Put your private key on a USB drive and have the drive implanted in your body, with only the plug sticking out. Then you can just plug yourself in as necessary, and if you lose the laptop, your files will still be secure. :)

Funny, but not too far from reality. I carry a couple of memory sticks that are generally roped to me. One of them is a HASP key that enables the license for some special software I use in my work, and the other is a stick I use for transferring data. I'm thinking based on what you suggested of just carrying the PGP key on this memory stick. Usually these sticks are around my neck, or looped to my belt, or in a safe. I'm paranoid about losing the HASP because it's a real pain to get a replacement with codes enabled on it if I am in a remote area. The memory stick also has my scanned passport(s) on it and other critical data since it's on me all the time when I am remote. That way if I wind up as a dead body somewhere, hopefully I can be identified, provided I am not looted.

M8

