Of course, you can also download utilities (such as my own FakeFiles - see
www.vigay.com/software/fakefiles.html) which use PGP to generate 100s of
genuinely encrypted but fake messages for which you *CANNOT* produce a key,
because the computer has randomly generated the key, encrypted junk data
and then deleted the key.

This provides a valid level of "plausible deniability", as you can prove
that you have genuinely PGP encrypted messages for which you do not know
(and have never known) the passphrase. These files/messages are
indistinguishable from genuine encrypted files.

Reading from news:alt.security.pgp,
Of course, law enforcement and military are definitely *not* ignorant
when it comes to psychological tactics. I trust Phil Zimmermann. I
trust his integrity and what he says about there being no back door in
PGP, and that he means it and believes it, himself. At the same time,
I've heard enough other things that have gone on to know that if there
is a "master key", to lull those using PGP for nefarious purposes into
a false sense of security, they would occasionally have news stories
published talking about their trouble with trying to break it. They
would think that this would attract the attention of others to start
using it.

Law enforcement could even be so sneaky as to not even act on
information they recover from PGP-encrypted files, but just use it as
evidence that something *IS* happening, so they just watch for more
that isn't encrypted. This would be so they could keep users thinking
they're actually hiding something. But reporters often get their
information by asking "trusted law enforcement" for answers. Law
enforcement, like the military, has rules about what they can and
can't say, or won't say publicly if it affects current or future
investigations. With something as strong as PGP, I imagine that
counts double and triple.

I'm not against PGP at all. But since I didn't see for myself
everything that went on and all the circumstances surrounding the
technology, to just accept someone's word that there's no way to
quickly decypher a message puts too much faith in the unknown.

I'm also not a privacy nut. I just like PGP.

Damaeus

<5012ea4a2cinvalid-***@invalid-domain.co.uk> <***@clara.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Paul Vigay wrote in alt.security.pgp on December 25, 2008 03:12 in
Paul, you've hit the nail right on the head, here. One of the dreams of the
Cypherpunks for was for universal adoption of crypto to render massive
surveillance of the type we've seen in recent years essentially impossible.

I well remember how law-enforcement officials, such as the FBI's then-
Director Louis Freeh, were publicly proclaiming how the sky was falling due
to the adoption (by criminals) of non-key-escrowed cryptographic software.
They were literally /terrified/ of this prospect.

What they (and the Cypherpunks) didn't count on was the exceeding sloth and
disinterest of the general public.

Even amongst those who /did/ have some desire to make use of encryption,
they didn't want to *learn* anything--they wanted instant gratification,
complete with a point-and-drool interface. As a result, they flocked en-
masse to services like Hushmail that violated the basic principle of public-
key cryptography--i.e. the separation of public and private key pairs. By
keeping both halves of the keypair, and using a modified Java applet to
snag the passphrase, Hushmail made it simple for law-enforcement to pierce
the veil of secrecy afforded by the encryption; additionally, since all the
alleged perpetrators were using Hushmail, they provided the authorities, in
essence, with one-stop-shopping or a single point of failure. [*]
Precisely. This was the philosophy espoused by the Cypherpunks; they assumed
that: "If you build the tools, they will come" and unfortunately for all of
us, it didn't turn out that way.
The sad fact of the matter is that they don't know any better. I've spoken
with young people, and they've described the world wars as "ancient history."
Even in the former East Bloc nations, there is now a generation born and
raised after the fall of Communism, who know little of what their parents
and grandparents went through.

Here in the West, there are fewer and fewer people with direct experience
of fascism. I've read comments made by ostensible former East Bloc citizens
who spoke of wanting to return to their countries of origin. They stated
that the signs they were seeing in Bush's America post-9/11 reminded them
of what they had fled the East Bloc to get away from. Some further commented
that they felt more free back in their home countries now than they do in
the so-called 'free' United States. I've seen others comment that the
surveillance they'd experienced in Britain by far exceeded anything that
they had endured under the Communist regimes.

I've also seen travelers comment that travelling to the United States today
and dealing with U.S. Customs is more reminiscent of entering the Soviet
Union in the mid-1970s than anything else.
Excellent advice, then, and now--but then Franklin and his contemporaries
had direct experience of governmental abuses by the British Crown.
Agreed. I fear that you are preaching to the converted, however. The great
unwashed masses have their creature comforts, convenient enemies to hate,
e.g. Dateline NBC's "To Catch A Predator," (TCAP), etc. (I've described TCAP
as 1984's two-minute hate expanded to a full hour, including commercials.)

It's the old Roman maxim, as described by Juvenal: Panem Et Circenses or
Bread and Circuses.
[*] Excellent summary of Hushmail debacle:

Posted by JimC to http://forum.no2id.net/viewtopic.php?t=20244

Posted: Sat, 12 Jan 2008 10:19:53 +0000
Post subject: Reasons to avoid Hushmail

Until September 2007, Hushmail received generally favorable reviews
in the press.[1] [2] It was believed that possible threats, such as
demands from the legal system to reveal the content of traffic through
the system, were not as imminent in Canada as they are in the United
States and if data were to be handed over encrypted messages would
only be available in encrypted form. However, recent developments
have led to doubts among security-conscious users about Hushmail's
security and concern over a backdoor in an OpenPGP service. Hushmail
has turned over cleartext copies of private e-mail messages associated
with several addresses at the request of law enforcement agencies under
a Mutual Legal Assistance Treaty with the United States.[3] One example
of this behavior is in the case of U.S. v. Tyler Stumbo. [4],[5], [6].
In addition, the contents of emails between Hushmail addresses were
analyzed, and a total of 12 CDs were turned over to US authorities.

The issue originally revolved around the use of the non-java version of
the Hush system. It performed the encrypt and decrypt steps on Hush's
servers and then used SSL to transmit the data to the user. The data
is available as cleartext during this small window; additionally the
passphrase can be captured at this point. This facilitates the
decryption of all stored messages and future messages using this
passphrase. Hushmail has stated that the java version is also
vulnerable in that they may be compelled to deliver a compromised
java applet to a user. [7] [8] Hushmail recommends using non web-
based services such as GnuPG and PGP Desktop for those who need
stronger security. [9]

References:

1 http://www.pcmag.com/article2/0,1895,1136652,00.asp
2 http://www.npr.org/templates/story/story.php?storyId=5227744
3 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html
4 http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf
5 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html]
6 http://blog.wired.com/27bstroke6/hushmail-privacy.html
7 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html
8 http://blog.wired.com/27bstroke6/hushmail-privacy.html
9 http://www.hushmail.com/about-security

SOURCE: http://en.wikipedia.org/wiki/Hushmail


Baal <***@Usenet.org>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1E92C0E8
PGP Key Fingerprint: 40E4 E9BB D084 22D5 3DE9 66B8 08E3 638C 1E92 C0E8
Retired Lecturer, Encryption and Data Security, Pedo U, Usenet Campus
- --

"Sed quis custodiet ipsos Custodes?" -- "Who will watch the Watchmen?"
-- Juvenal, Satires, VI, 347. circa 128 AD

Plausible Deniability as the files are on her computer, but could have
been placed there by another party through a windows share C$ is
always shared as is Admin$.

I have files on my kid's computer as well as my wife's computer that I
placed there via shares......

Encryption is useless if the law will require compliance to give up
keys which will then compromise other data not related to the "crime".