<5012ea4a2cinvalid-***@invalid-domain.co.uk> <***@clara.co.uk>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Paul Vigay wrote in alt.security.pgp on December 25, 2008 03:12 in
Post by Paul Vigay[Snip]
Post by Nat Queenexist. With the right software, Big Brother snooping can be
defeated!
Actually, you make a very valid point. It's all well and good having
useful software to hand, but the biggest problem I find is that of
*educating* people. Too many people seem to be apathetic to what's
going on around them in the world. Too many people have the "I've got
nothing to hide so why should I bother" type mentality.
Paul, you've hit the nail right on the head, here. One of the dreams of the
Cypherpunks for was for universal adoption of crypto to render massive
surveillance of the type we've seen in recent years essentially impossible.
I well remember how law-enforcement officials, such as the FBI's then-
Director Louis Freeh, were publicly proclaiming how the sky was falling due
to the adoption (by criminals) of non-key-escrowed cryptographic software.
They were literally /terrified/ of this prospect.
What they (and the Cypherpunks) didn't count on was the exceeding sloth and
disinterest of the general public.
Even amongst those who /did/ have some desire to make use of encryption,
they didn't want to *learn* anything--they wanted instant gratification,
complete with a point-and-drool interface. As a result, they flocked en-
masse to services like Hushmail that violated the basic principle of public-
key cryptography--i.e. the separation of public and private key pairs. By
keeping both halves of the keypair, and using a modified Java applet to
snag the passphrase, Hushmail made it simple for law-enforcement to pierce
the veil of secrecy afforded by the encryption; additionally, since all the
alleged perpetrators were using Hushmail, they provided the authorities, in
essence, with one-stop-shopping or a single point of failure. [*]
Post by Paul VigayBig Brother snooping will only be defeated when everyone routinely
uses secure encryption for all electronic communications, irrespective
of how trivial it may be.
Precisely. This was the philosophy espoused by the Cypherpunks; they assumed
that: "If you build the tools, they will come" and unfortunately for all of
us, it didn't turn out that way.
Post by Paul VigayGenerations of people have fought and died for freedom and liberty,
yet a worryingly high percentage of the current generation seem to be
squandering (or trading) it away.
The sad fact of the matter is that they don't know any better. I've spoken
with young people, and they've described the world wars as "ancient history."
Even in the former East Bloc nations, there is now a generation born and
raised after the fall of Communism, who know little of what their parents
and grandparents went through.
Here in the West, there are fewer and fewer people with direct experience
of fascism. I've read comments made by ostensible former East Bloc citizens
who spoke of wanting to return to their countries of origin. They stated
that the signs they were seeing in Bush's America post-9/11 reminded them
of what they had fled the East Bloc to get away from. Some further commented
that they felt more free back in their home countries now than they do in
the so-called 'free' United States. I've seen others comment that the
surveillance they'd experienced in Britain by far exceeded anything that
they had endured under the Communist regimes.
I've also seen travelers comment that travelling to the United States today
and dealing with U.S. Customs is more reminiscent of entering the Soviet
Union in the mid-1970s than anything else.
Post by Paul VigayOne of my favourite sayings is Benjamin Franklin's "Those who would
give up Essential Liberty to purchase a little Temporary Safety,
deserve neither Liberty nor Safety." which seems even more relevant
today.
Excellent advice, then, and now--but then Franklin and his contemporaries
had direct experience of governmental abuses by the British Crown.
Post by Paul VigayYou owe it to yourself as well as future generations, to protect your
privacy and freedom. Make a New Year resolution to start using strong
encryption (such as GnuPG) NOW!!
Agreed. I fear that you are preaching to the converted, however. The great
unwashed masses have their creature comforts, convenient enemies to hate,
e.g. Dateline NBC's "To Catch A Predator," (TCAP), etc. (I've described TCAP
as 1984's two-minute hate expanded to a full hour, including commercials.)
It's the old Roman maxim, as described by Juvenal: Panem Et Circenses or
Bread and Circuses.
[*] Excellent summary of Hushmail debacle:
Posted by JimC to http://forum.no2id.net/viewtopic.php?t=20244
Posted: Sat, 12 Jan 2008 10:19:53 +0000
Post subject: Reasons to avoid Hushmail
Until September 2007, Hushmail received generally favorable reviews
in the press.[1] [2] It was believed that possible threats, such as
demands from the legal system to reveal the content of traffic through
the system, were not as imminent in Canada as they are in the United
States and if data were to be handed over encrypted messages would
only be available in encrypted form. However, recent developments
have led to doubts among security-conscious users about Hushmail's
security and concern over a backdoor in an OpenPGP service. Hushmail
has turned over cleartext copies of private e-mail messages associated
with several addresses at the request of law enforcement agencies under
a Mutual Legal Assistance Treaty with the United States.[3] One example
of this behavior is in the case of U.S. v. Tyler Stumbo. [4],[5], [6].
In addition, the contents of emails between Hushmail addresses were
analyzed, and a total of 12 CDs were turned over to US authorities.
The issue originally revolved around the use of the non-java version of
the Hush system. It performed the encrypt and decrypt steps on Hush's
servers and then used SSL to transmit the data to the user. The data
is available as cleartext during this small window; additionally the
passphrase can be captured at this point. This facilitates the
decryption of all stored messages and future messages using this
passphrase. Hushmail has stated that the java version is also
vulnerable in that they may be compelled to deliver a compromised
java applet to a user. [7] [8] Hushmail recommends using non web-
based services such as GnuPG and PGP Desktop for those who need
stronger security. [9]
References:
1 http://www.pcmag.com/article2/0,1895,1136652,00.asp
2 http://www.npr.org/templates/story/story.php?storyId=5227744
3 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html
4 http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf
5 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html]
6 http://blog.wired.com/27bstroke6/hushmail-privacy.html
7 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html
8 http://blog.wired.com/27bstroke6/hushmail-privacy.html
9 http://www.hushmail.com/about-security
SOURCE: http://en.wikipedia.org/wiki/Hushmail
Baal <***@Usenet.org>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1E92C0E8
PGP Key Fingerprint: 40E4 E9BB D084 22D5 3DE9 66B8 08E3 638C 1E92 C0E8
Retired Lecturer, Encryption and Data Security, Pedo U, Usenet Campus
- --
"Sed quis custodiet ipsos Custodes?" -- "Who will watch the Watchmen?"
-- Juvenal, Satires, VI, 347. circa 128 AD