Date: Mon, 17 Jun 96 10:21:44 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#048

Computer Privacy Digest Mon, 17 Jun 96
Volume 8 : Issue: 048

Today's Topics:
Moderator: Leonard P. Levine

    Re: Air Force Sergeant Jailed in e-Mail Case
    Re: Fingerprint Technology
    Is the Trade-Off Worth It?
    Re: What's the Word on Cookies?
    EDUPAGE: Freedom Of Information
    Net Finders
    Re: New Chip Renews Privacy Debate [long]
    Where to get PGP FAQ [long]
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: hermit@cats.UCSC.EDU (William R. Ward)
Date: 14 Jun 1996 18:04:09 GMT
Subject: Re: Air Force Sergeant Jailed in e-Mail Case
Organization: Computing and Telecommunications Services, UCSC
References:

[Note from Matthew Gaylor: I find it ironic that while our military is sworn to uphold and defend the US constitution, the military brass is busy eliminating personal freedoms enjoyed by our troops. I'd advise my military subscribers to Freematt's Alerts to get a private IP for Email and other net use.]

[...] As a result, an Air Force master sergeant will spend the next three months in jail for using his office computer to exchange sexually explicit stories, jokes and comments with other consenting adults.

bdonovan@gtn.net (Donovan, Bill) writes:

While I believe strongly in personal privacy for email, my position on use of corporate/government accounts and equipment would be that everything is up for grabs, and that only the corporation has a right to privacy. These are *not* personal accounts. I would even extend this principle to listening in on phone conversations made through company phones. (I don't agree with video cameras monitoring staff, though.)

Well one peculiarity with the military is that it's a 24-hour-a-day job. You get time off, but you are still using your employer's facilities.
I think that what you do in your free time should to a certain extent entitle you to some privacy; i.e. the master sergeant should be punished badly for doing that stuff on duty, but off duty I think the restrictions should be lessened.

I reiterate your recommendation that people get a private IP account for private email and other net use.

Yes, I think that's a good idea. However even in that case, their phone would likely be a military phone, their housing a military barracks, and they would likely be using other military owned facilities and subject to other military regulations, even off-duty. So where do you draw the line? The military is definitely a different case than just some programmer sending dirty email on his/her work account.

--
William R Ward          Bay View Consulting        http://www.bayview.com/~hermit/
hermit@bayview.com      1803 Mission St. #339      voicemail +1 408/479-4072
hermit@cats.ucsc.edu    Santa Cruz CA 95060 USA    pager +1 408/458-8862

------------------------------

From: sarig@teleport.com (Scott Arighi)
Date: 15 Jun 1996 00:09:51 GMT
Subject: Re: Fingerprint Technology
Organization: Teleport - Portland's Public Access (503) 220-1016
References:

hans4648@tao.sosc.osshe.edu (CrazySexyCool DC) wrote:

I have heard rumors circulated about that individuals CAN alter/change their fingerprints at any time. I am doing a research project concerning the fingerprint identification, and am asking anyone out there to contribute to my project.

The question: Is there a way to alter/change your fingerprints easily? And, if so, is there a temporary way to alter one's fingerprints, or is it only permanent?

I have sifted through one hundred or so investigative articles, fingerprint subtitles, and so forth, with no answer to my simple question regarding a temporary and/or permanent way to alter/change your fingerprints! Without dismemberment of the finger/oil glands themselves, is there a way?
Thank you, please post or email me

There was an interesting comment in the June 13 Wall St. Journal on banking in the ghetto areas in South Africa in which fingerprint ID had been tried as many of the patrons were illiterate. The bank that was trying the experiment with, I presume, a fingerprint scanner, found that some customers "worked so hard that they wore their fingerprints off". Although standard fingerprinting techniques might still work, apparently the scanners didn't.

--
Scott Arighi
Those who ignore history are doomed to repeat it.

------------------------------

From: levine@cs.uwm.edu (Anomynous)
Date: 16 Jun 1996 00:47:40 GMT
Subject: Is the Trade-Off Worth It?

Has technology reached a point to where we as humans can no longer decide for ourselves, where privacy is no longer an issue but a burden?

We must protect what we have left of it (privacy) or suffer the consequences. Not only is it a responsibility but an obligation and duty for all citizens to perform.

Politicians usually say "...and to reduce crime we will put 200,000 new police officers on the street, plus increase their powers...". Now don't get me wrong, we do need this, but they are only human just as you and me. What would prevent them from taking liberties of all that they chose, with the new found privileges it would be almost impossible to stop them.

Citizens, it is up to us to insure privacy for future generations to enjoy.

------------------------------

From: hgoldste@mpcs.com (Howard Goldstein)
Date: 16 Jun 1996 18:05:41 GMT
Subject: Re: What's the Word on Cookies?
Organization: disorganization
References:

Ken Peterson wrote:

What is the current wisdom on Netscape Cookies? I have tried to configure Netscape 3.0b4 (Macintosh) to "ask" before accepting a cookie, but some sites try to send 10-20 of the damn things during loading the first page and during the simplest navigation of their site. So endlessly clicking NO in the Ask dialog is a tremendous hassle.
Interestingly enough one of these sites is www.anonymizer.com, a browser anonymizer! (and the other c2.org pages).

If my xwindow cluttered with dialog boxes is any indication, c2's setup is quite insistent upon cookie passage. I wonder what c2 does with the state information?

I received numerous emails in reply to my RISKS posting, a few critical where I stated that I didn't gain anything from eating marketing cookies. One in particular noted a quid-pro-quo between eating a cookie and getting free content. I don't particularly question the logic except for the fact that in most other avenues in life a quid-pro-quo suggests the doctrine it derives from, i.e., contract law doctrine. And contract doctrine generally requires a meeting of the minds; agreement upon the terms of the contract.

Information gathering sub-rosa is not a known term of the "contract." It is rightly a matter of concern to all internetworkers.

--
Howard Goldstein

------------------------------

From: "Prof. L. P. Levine"
Date: 16 Jun 1996 16:48:02 -0500 (CDT)
Subject: EDUPAGE: Freedom Of Information
Organization: University of Wisconsin-Milwaukee

Taken from Edupage 6/16/96.

From: Edupage Editors
To: EDUCOM Edupage Mailing List
Subject: Edupage, 16 June 1996

FREEDOM OF INFORMATION

Congress will soon be considering a bill requiring federal agencies to provide records online "so that agencies use technology to make government more accessible and accountable to its citizens." The bill would allow the information requester, rather than the federal agency, to choose the format for releasing information. (Computer Industry Daily 17 Jun 96)

------------------------------

From: Hugh Giblin
Date: 16 Jun 1996 22:06:55 -0400 (EDT)
Subject: Net Finders

One of the "net finders" IAF picked up my email address from guess where? Ironies of ironies, yep, the Computer Privacy Digest. Is there no place sacred in this world for privacy?
------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: 10 Jun 1996 09:19:13 GMT
Subject: Re: New Chip Renews Privacy Debate [long]
Organization: Fantasy Farm Fibers
References:

"Prof. L. P. Levine" wrote:

A recent copyrighted article in the New York Times (6/4/96) describes a powerful data-scrambling chip-set that is now being quietly sold by Nippon Telegraph and Telephone Corp.

According to John Markoff, the author of the Times article, the product is likely to severely undermine the Clinton Administration's efforts to restrict the international export of the fundamental technology for protecting secrets and commerce in the information age.

this is almost certainly correct. Given the current availability of crypto-information about in the world, I'd be amazed if some overseas supplier didn't come up with a secure communications module. note that you don't need any particularly new crypto-theory to do so, either --- the details of DES have been available for over a decade and there is not even a *theoretical* way to crack a triple-DES encryption. I've been out of the spook business for a while, but as far as I know, the US govt has no way of stopping anyone from producing such a module [and I'm pretty sure that it would be legal to *import* it, so that a foreign vendor would be able to market such a thing back to US companies, even!].

The device also underscores fundamental differences that exist between Japan and the United States on the issue of privacy in the Information Age. While U.S. officials have struggled to maintain their ability to conduct electronic surveillance, Article 21 of Japan's Constitution specifically forbids wiretapping.

WAIT A MINUTE. As far as I know, there is no law or legal precedent or anything else in the US to prevent US citizens from taking steps to make their conversations tap-proof.
The US gov't doesn't like it [obviously], but if there is a legal precedent by which the govt could *prevent* it, I'd be interested to hear about it.

Oh, but were we talking about exports? Do you really believe that crypto-technology is the *ONLY* one which cannot flourish in the US unless it has an export market, too? Does US Robotics make all of its money on modems because of the strong Italian market? Does Motorola make all of its profits by exporting cellular phones to Brazil? In fact, things are more subtle: as far as I know, US telephone equipment doesn't work elsewhere in the world; US video equipment doesn't work elsewhere in the world, does anyplace else in the world use 110v/60~ AC? None of that seems to hurt the market for domestic electronic doodads [and indeed, foreign manufacturers make useless-to-their-market stuff *just* so they can export stuff to *US*!]

As for Japan's constitution, I wonder what it really says. It is certainly possible that it forbids wiretapping, but I'd bet that it only means "domestically"... I guess it is possible for a major international player to NOT do any sort of signal intelligence, but that seems pretty unlikely [and naive] to me.

Next, the article quotes Mark Rotenberg, director of the Electronic Privacy Information Center as saying: "It's very interesting that the Japanese regard for privacy in their Constitution translates into better cryptographic technology."

Not at all. There is nothing in what's been reported here that indicates that Japan has any better cryptographic technology than we in the US already do. So far, I have never heard *anything* about any foreign source being able to provide any better crypto technology than US folk already have available. We can't *export* it, but domestically there's no problem. This chip will for-sure affect the market situation for US companies attempting to export crypto technology, but it shouldn't make a whit of difference for US citizens.
It is reported that the chips were far more powerful than the so-called Clipper chip, a data-scrambling system that the administration proposed for the nation's telephone system.

I'm missing something here. what does the ability to export a chipset have to do with "the nation's telephone system"? *right*now*, if anyone actually cared enough [which the market has *overwhelmingly* shouted "THEY DO NOT"], you could buy unbreakably secure crypto-phones and call and fax your friends [*in*the*US*] in total security from prying gov't eyes.

According to the article, those laws restrict the export of encryption systems which employ digital "keys" of more than 40 bits in length. The new NTT chips, however, use a 56-bit key, and actually triple the strength of that standard. Such a scrambling system is believed to be beyond the capability of the most powerful code-breaking system.

Well, this isn't a crypto newsgroup, but this is an interesting statement. The only common and very-powerful cryptosystem I know of that uses a 56-bit key is DES. They're going to market DES *back* to US citizens and claim that it is somehow stronger than just using a "domestic" version of DES? Also, where'd the 'triple the strength' come from? Also, most of the crypto-mavens will argue that DES can be cracked [but only by brute-force: no weakness has EVER been found in the system --- the crackability comes only with the availability of not-too-expensive custom LSI technology to fabricate custom key search engines].

Ah, but there's the hook I bet: there is an encryption technique called "Triple DES". It uses a DES engine at its heart, and what it does is _doubles_ the effective key length of DES. Since DES has no systematic weaknesses, doubling the key length puts the brute-force search WAY beyond any even foreseeable crypto cracking techniques. So it looks even more like they're going to try to market TDES back to US citizens, who can just go buy/build such things *now* if they chose...
In addition to the "private" key system for scrambling data, NTT uses RSA Data's "public" key method to permit computer users who have not previously exchanged information to swap private key information safely. The NTT system uses the RSA Data key which is 1,024 bits in length, also far stronger than the U.S. export regulations permit.

AHA.. Now this whole thing becomes clear. It is a marketing ploy by RSA, and there has never been any real privacy implications in any of this. Note that any US citizen who wishes to is perfectly free to license [i.e., "pay RSA"] to use their crypto system to exchange keys in front of a TDES encryptor. If there has been some legislation recently making any step of the above illegal, do let me know because I've not heard of it and this article doesn't even hint at any such restrictions.

"If there is anyone in the government who hasn't already seen the writing on the wall, here it is," the article concludes.

What "writing on the wall"?? That some clever marketer is going to try to sell to US citizens something they could *already* buy if they felt they wanted it? That cleverly packaging up their marketing campaign will create a demand where there wasn't one previously??

Let me speculate on what is really going on here [and has been going on *consistently* throughout the massive misinformation and propaganda campaign the crypto-export folk have been mounting over the last while]. US citizens are free to encrypt anything they wish however they wish. Moreover, they have available to them a variety of [truly!] uncrackable crypto systems. There is no reason why any US citizen who cares enough to do something about it to have to worry that their communications with other US citizens might be intercepted and read/listened to.

The problem from the crypto-marketer folk, however, is that this isn't enough of a market for them to make enough money selling crypto gear.
Simply put, the US public just doesn't care enough about this stuff to want the bother and expense.

Where's the market? Not overseas -- as I mentioned above, if it *were* overseas, then this would be about the first and ONLY high-tech market [Amiga computers and soccer equipment excepted, perhaps :-)] which required overseas sales because there wasn't enough of a US market. Where the market is, I suspect, is in multi-national corporations. That's where the *big* bucks are. But they can't go after that market, because while the big corporations are mostly US based [or have US subsidiaries], to be useful to the corporations they would have to 'export' the gear [to their home offices, other branches, etc], and that's not legal.

So what to do: how to get that really big-bucks market and make themselves a fortune? And so they come up with a brilliant marketing ploy: they need to somehow undo the 40+-year-old export restriction machinery, and so they came up with the perfect plan: thump the drum of "privacy". Of course, it is hard to _find_ the privacy issue [for US citizens, at least].. but that's not important, since the folks following along aren't worrying much about the details. You say the "P-word" and you get an uncritical army marching along just saying the mantra "privacy privacy privacy...". And as with mantras, it is the *saying* that makes the difference, not that it has to mean anything.

And what's best and cutest, is that if this campaign succeeds [as it might well], then there will be *nothing* that will have changed for US citizens. We will be no more secure or 'private' than we were... the only thing that'll change is that RSA Inc and a few other crypto-producers will get very very rich. A noble cause to be sure, so keep thumping that drum!!!
--
Bernie Cosell             Fantasy Farm Fibers
bernie@fantasyfarm.com    Pearisburg, VA
    --> Too many people, too few sheep <--

------------------------------

From: mpj@csn.net (Michael Johnson)
Date: 13 Jun 1996 01:27:42 -0600
Subject: Where to get PGP FAQ [long]
Organization: The Web of Trust

-----BEGIN PGP SIGNED MESSAGE-----

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ

Revised 6 June 1996

Disclaimer -- I haven't recently verified all of the information in this file, and much of it is probably out of date.

For questions not covered here, please read the documentation that comes with PGP, get one of the books mentioned below, or search for other relevant FAQ documents at rtfm.mit.edu and on the alt.security.pgp news group.

A NOTE FROM THE FAQ MAINTAINERS

Peter Herngaard is taking over the maintenance of this FAQ until further notice. Some of you sent me (Mike Johnson) corrections and suggestions for this FAQ, and I stored them away on my hard disk to edit from. Then, Windows 95 got indigestion (induced by a sound card) and destroyed all of the data in that partition. If you suggested changes and they aren't in this FAQ, please send them to Peter Herngaard.

WHAT IS THE LATEST VERSION OF PGP?

Viacrypt PGP (commercial version): 2.7.1 (4.0 is due out Real Soon Now)
MIT & Philip Zimmermann (freeware, USA-legal): 2.6.2
Staale Schumacher's International variant: 2.6.3i for non-USA (2.6.3ai source code only); 2.6.3 for USA

WHERE CAN I GET VIACRYPT PGP?

Just call 800-536-2664 and have your credit card handy.

WHERE IS PGP ON THE WORLD WIDE WEB?

U.S. only availability:
    PGP: http://web.mit.edu/network/pgp-form.html
    PGPfone: http://web.mit.edu/network/pgpfone

International availability:
    PGP and PGPfone: http://www.ifi.uio.no/pgp/

WHERE CAN I FTP PGP IN NORTH AMERICA?
If you are in the USA or Canada, you can get PGP by following the instructions in any of:

    ftp://net-dist.mit.edu/pub/PGP/README
    ftp://ftp.csn.net/mpj/README.MPJ
    ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS
    ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/
    ftp://ftp.gibbon.com/pub/pgp/README.PGP
    ftp://ftp.wimsey.bc.ca/pub/crypto/software/README

WHERE IS PGP ON COMPUSERVE?

GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled.

AOL

Go to the AOL software library and search "PGP" or ftp from ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp or another site listed above.

It is possible to get PGP from ftp sites with hidden directories with the following trick: (1) View the README file with the hidden directory name in it, then quickly (2) Start a new ftp connection, specifying the hidden directory name with the ftp site's address, like ftp.csn.net/mpj/I_will_not_export/crypto_xxxxxxx (where the xxxxxxx is replaced with the current character string).

WHAT BULLETIN BOARD SYSTEMS CARRY PGP?

MANY BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP.

US

303-343-4053 Hacker's Haven, Denver, CO
303-772-1062 Colorado Catacombs BBS, Longmont CO
    8 data bits, 1 stop, no parity, up to 28,800 bps. Use ANSI terminal emulation.
    For free access: log in with your own name, answer the questions.
314-896-9309 The KATN BBS
317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN
    Login First Name: PGP Last Name: USER Password: PGP
501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR
    Login name: PGP USER Password: PGP
506-457=0483 Data Intelligence Group Corporation BBS
508-668-4441 Emerald City, Walpole, MA
601-582-5748 CyberGold BBS
612-690-5556, !CyBERteCH SeCURitY BBS!
    Minneapolis MN
914-667-4567 Exec-Net, New York, NY
915-587-7888, Self-Governor Information Resource, El Paso, Texas
909-681-6221 ATTENTION to Details (ATD BBS)
    All lines v.32bis/14.4KBPS minimum

GERMANY

+49-781-38807 MAUS BBS, Offenburg - connected to MausNet
+49-521-68000 BIONIC-BBS Login: PGP

WHERE CAN I FTP PGP CLOSE TO ME?

DE  ftp://ftp.cert.dfn.de/pub/pgp/
IT  ftp://idea.sec.dsi.unimi.it/pub/security/crypt/PGP
FI  ftp://ftp.funet.fi/pub/crypt/pgp/
NL  ftp://ftp.nl.net/pub/crypto/pgp
    ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp
NO  ftp://menja.ifi.uio.no/pub/pgp/
NZ  ftp://ftphost.vuw.ac.nz
SE  ftp://leif.thep.lu.se
TW  ftp://nctuccca.edu.tw/PC/wuarchive/pgp/
UK  ftp://ftp.ox.ac.uk/pub/crypto/pgp

HOW CAN I GET PGP BY EMAIL?

If you have access to email, but not to ftp, send a message saying "help" to ftpmail@decwrl.dec.com or mailserv@nic.funet.fi

WHERE CAN I GET MORE PGP INFORMATION?

    http://www.csn.net/~mpj
    http://www.mit.edu:8001/people/warlord/pgp-faq.html
    http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa_paper.ps.gz
    ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-00.txt
    ftp://ds.internic.net/internet-drafts/draft-ietf-pem-mime-08.txt
    http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html
    http://web.cnam.fr/Network/Crypto/ (in French)
    http://web.cnam.fr/Network/Crypto/survey.html (in English)
    http://www2.hawaii.edu/~phinely/MacPGP-and-AppleScript-FAQ.html
    http://www.pgp.net/pgp
    http://www.sydney.sterling.com:8080/~ggr/pgpmoose.html
    http://www.ifi.uio.no/pgp/
    http://inet.uni-c.dk/~pethern/privacy.html

WHAT ARE SOME GOOD PGP BOOKS?

Protect Your Privacy: A Guide for PGP Users
by William Stallings
Prentice Hall PTR
ISBN 0-13-185596-4
US $19.95

PGP: Pretty Good Privacy
by Simson Garfinkel
O'Reilly & Associates, Inc.
ISBN 1-56592-098-8
US $24.95

E-Mail Security: How to Keep Your Electronic Mail Private
"Covers PGP/PEM"
by Bruce Schneier
Wiley Publishing

The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP Privacy Software
by André Bacard
Peachpit Press
ISBN 1-56609-171-3
US $24.95
800-283-9444 or 510-548-4393

THE OFFICIAL PGP USER'S GUIDE
by Philip R. Zimmermann
MIT Press
April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
Standard PGP documentation neatly typeset and bound.

PGP SOURCE CODE AND INTERNALS
by Philip R. Zimmermann
April 1995 - 804 pp. - US $55.00 - 0-262-24039-4 ZIMPH

How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13).

IS PGP LEGAL?

Pretty Good Privacy is legal if you follow these rules:

Don't export PGP from the USA except to Canada, or from Canada except to the USA, without a license.

If you are in the USA, use either Viacrypt PGP (licensed for commercial use) or MIT PGP using RSAREF (limited to personal, noncommercial use). Outside of the USA, where RSA is not patented, you may prefer to use a version of PGP (2.6.3i) that doesn't use RSAREF to avoid the restrictions of that license.

If you are in a country where the IDEA cipher patent holds in software (including the USA and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec:

    Erhard Widmer, Ascom Systec AG, Dep't. CMVV Phone +41 64 56 59 83
    Peter Hartmann, Ascom Systec AG, Dep't. CMN Phone +41 64 56 59 45
    Fax: +41 64 56 59 90
    e-mail: IDEA@ascom.ch
    Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland)

Viacrypt has an exclusive marketing agreement for commercial distribution of Philip Zimmermann's copyrighted code.
(Selling shareware/freeware disks or connect time is OK). This restriction does not apply to PGP 3.0, since it is a complete rewrite by Colin Plumb.

If you modify PGP (other than porting it to another platform, fixing a bug, or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission.

IMPORTANT: Please note that there is an official distribution site for MIT PGP and another for the International version:

WorldWideWeb references:

    U.S/Canada non-commercial use: http://web.mit.edu/network/pgp-form.html
    Norway/International non-commercial use: http://www.ifi.uio.no/pgp/
    U.S. commercial use: http://www.viacrypt.com

WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS?

Philip Zimmermann was under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, ending 11 January 1996. The Federal Government chose not to comment on why it decided to not prosecute, nor is it likely to. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products, since studies show that U. S. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom, as well as some very real legal expenses, for the sake of your right to electronic privacy. The battle is won, but the war is not over. The regulations that caused him so much grief and which continue to dampen cryptographic development, harm U. S. industry, and do violence to the U. S. National Security by eroding the First Amendment of the U. S. Constitution and encouraging migration of cryptographic industry outside of the U. S. A. are still on the books.

If you are a U. S. Citizen, please write to your U. S. Senators, Congressional Representative, President, and Vice President pleading for a more sane and fair cryptographic policy.

WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP?
    http://www.dayton.net/~cwgeib
    ftp://menja.ifi.uio.no/pub/pgp/pc/msdos//apgp22b3.zip
    http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip
    ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip
    ftp://ftp.firstnet.net/pub/windows/winpgp/pgpw40.zip
    http://www.eskimo.com/~joelm (Private Idaho)
    ftp://ftp.eskimo.com/~joelm
    http://www.xs4all.nl/~paulwag/security.htm
    http://www.LCS.com/winpgp.html
    http://netaccess.on.ca/~rbarclay/index.html
    http://netaccess.on.ca/~rbarclay/pgp.html
    ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip
    ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip
    http://iquest.com/~aegisrcs

WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE?

PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others.

Quicrypt is interesting in that it comes in two flavors: shareware exportable and registered secure. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are:

U.S. only availability:
    ftp://ftp.csn.net/mpj/qcrypt11.zip
    ftp://ftp.csn.net/mpj/README
    ftp://ftp.miyako.dorm.duke.edu/pub/GETTING_ACCESS

International availability:
    ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/
    ftp://idea.sec.dsi.unimi.it/pub/crypt/code/

HOW DO I SECURELY DELETE FILES (DOS)?

If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del110.zip, which is really good at deleting existing files, but doesn't wipe "unused" space.
US  ftp://ftp.csn.net/mpj/public/del120.zip
NL  ftp://basement.replay.com/pub/replay/pub/security/del120.zip
UK  ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip

WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE?

The nature of Windows is that it can swap any memory to disk at any time, meaning that all kinds of interesting things could end up in your swap file.

    ftp://ftp.firstnet.net/pub/windows/winpgp/wswipe.zip

WHERE DO I GET PGPfone(tm)?

PGPfone is in beta test for Macintosh and Windows'95 users. The MIT has shut down their ftp distribution of PGPfone for Macintosh and Windows'95, so within the U.S/Canada you must obtain PGPfone using a WorldWideWeb browser.

U.S. only availability:
    http://web.mit.edu/network/pgpfone

International availability:
    DK  ftp://ftp.datashopper.dk/pub/users/pethern/pgp/
    NL  ftp://basement.replay.com/pub/replay/pub/voice/
    NO  ftp://menja.ifi.uio.no/pub/pgp/mac/
        ftp://menja.ifi.uio.no/pub/pgp/windows/

WHERE DO I GET NAUTILUS?

Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better). See:

U.S. only availability:
    ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS
    ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz
    ftp://ftp.csn.net/mpj/README
    ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS

International availability:
    ftp://ftp.ox.ac.uk/pub/crypto/misc
    ftp://basement.replay.com/pub/replay/pub/voice/

The official Nautilus homepage is at: http://www.lila.com/nautilus/

HOW DO I ENCRYPT MY DISK ON-THE-FLY?

Secure File System (SFS) is a DOS device driver that encrypts an entire partition on the fly using SHA in feedback mode. Secure Drive also encrypts an entire DOS partition, using IDEA, which is patented. Secure Device is a DOS device driver that encrypts a virtual, file-hosted volume with IDEA.
Cryptographic File System (CFS) is a Unix device driver that uses DES. CryptDisk is a ShareWare package for Macintosh that uses strong IDEA encryption like PGP.

U.S. only availability:
    ftp://ftp.csn.net/mpj/README
    ftp://miyako.dorm.duke.edu/mpj/crypto/disk/

International availability:
    http://www.cs.auckland.ac.nz/~pgut01/sfs.html
    ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/
    ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/
    ftp://ftp.ox.ac.uk/pub/crypto/misc/
    ftp://menja.ifi.uio.no/pub/pgp/mac/
    ftp://basement.replay.com/pub/replay/pub/disk/

WHERE IS PGP'S COMPETITION?

RIPEM is the second most popular freeware email encryption package. I like PGP better for lots of reasons, but if for some reason you want to check or generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also an exportable RIPEM/SIG.

U.S. only availability:
    ftp://ripem.msu.edu/pub/GETTING_ACCESS

International availability:
    ftp://idea.sec.dsi.unimi.it/pub/crypt/code/

HOW DO I PUBLISH MY PGP PUBLIC KEY?

Send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers synchronize keys with each other. There are other key servers, too.

    pgp-public-keys@keys.pgp.net
    pgp-public-keys@keys.de.pgp.net
    pgp-public-keys@keys.no.pgp.net
    pgp-public-keys@keys.uk.pgp.net
    pgp-public-keys@keys.us.pgp.net

WWW interface to the key servers:
    http://www.pgp.net/pgp/www-key.html
    http://www-swiss.ai.mit.edu/~bal/pks-toplev.html

For US $20/year or so, you can have your key officially certified and published in a "clean" key database that is much less susceptible to denial-of-service attacks than the other key servers. Send mail to info-pgp@Four11.com for information, or look at http://www.Four11.com/

Of course, you can always send your key directly to the parties you wish to correspond with by whatever means you wish.

CAN I COPY AND REDISTRIBUTE THIS FAQ?

Yes.
Permission is granted to distribute unmodified copies of this FAQ.

Please e-mail comments to Peter Herngaard

Look for the latest html version of this FAQ at http://inet.uni-c.dk/~pethern/getpgp.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: cp850

iQCVAgUBMbbOGXN4jJfo4ES9AQEqygQAqjTf8dA6JLE9WZ2NF7CImtxoTtc7tjlC
iqxQnomx4joKfmwx5zwx3ms65K2iPfTfiO1TWLp6ba92UfRgj/Dlq1TI7+FINf7j
8sJeJ2QGquBxrL8mwBObR884X22CdAhrFdC9/RVE5ATaK51p4LhyZf17vBJZYA4r
nAiF+PuHrR8=
=/2AM
-----END PGP SIGNATURE-----

------------------------------

From: "Prof. L. P. Levine"
Date: 14 Jun 1996 13:19:56 -0500 (CDT)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #048
******************************