PGP is a form of encryption; it stands for Pretty Good Privacy.
One may receive an email such as the following:
-----BEGIN PGP MESSAGE-----
Version: 6.5.8ckt http://www.ipgpp.com/
=VvAv
-----END PGP MESSAGE-----
As you can see, it's complete nonsense unless you decrypt it using PGP
software, your PRIVATE key (you share your PUBLIC key with the sender)
and the sender's PUBLIC key (which they share with you).
Let me see if I can come up with a concise answer. There's actually quite a
bit to your question...
PGP is an encryption program. When used with email, it performs two
functions: 1) Digitally signs an email, which can be used to verify that
the email is from who it appears to be from. 2) Encrypts the email, so that
only certain people can read it.
PGP relies on public/private key pairs. I would recommend Googling that term
for more background. The short story: everyone has a public key, which they
give to everyone, and a private key, which they keep private and secret.
If I want to send an email that only you can read, I encrypt it using YOUR
public key. Once it is encrypted, only your private key can decrypt it.
Conversely, to sign an email, I sign it using my private key. Everyone can
still read the email (it's not encrypted). Anyone with my public key can
then verify that the signature was created using my private key. Since
theoretically only *I* have access to my private key, this verifies that
the email actually came from me.
*whew* Those're the basics. You can use encryption programs such as OpenPGP
and GnuPG and others on any email account and with most email clients. But
it does take a bit to set it up. And then you have to convince a lot of
people to start using it, too (which tends to be the hardest part of the
equation).
There should be a custom header on this post with the URL for my public key.
If you want to try it out, grab my key, install OpenPGP, and then send me
an encrypted email. :)
--
Michael Fierro (aka Biffster) biff...@NOSPAM-REALLYgmail.com
http://apt-get.biffster.org Y!: miguelito_fierro AIM: mfierro1
--
Don't you feel more like you do now than you did when you came in?
And other than the nerdy thrill of getting PGP to work and the
prestige of being able tell all your geeky friends that your PGP
Public Key is up on the MIT server, what good is PGP?
If the government demands your key, you'll give it up or risk prison,
or you're using it to hide kiddy porn in which case, see above.
> And other than the nerdy thrill of getting PGP to work and the
> prestige of being able tell all your geeky friends that your PGP
> Public Key is up on the MIT server, what good is PGP?
Hmmm... Troll?
Some people believe in privacy. If you don't, that's cool.
> If the government demands your key, you'll give it up or risk prison,
I would nuke my private key before I'd turn it over. And I'd go to jail
before I'd give up the passphrase to my key if someone managed to grab my
computer before I deleted the private key. Which would be a pain in the
ass, since all of my passwords for all of my various
banking/investment/shopping websites are in a GPG-encrypted text file...
> or you're using it to hide kiddy porn in which case, see above.
Hmmm... I'm getting the feeling that you're just a troll...
--
Michael Fierro (aka Biffster) biff...@NOSPAM-REALLYgmail.com
http://apt-get.biffster.org Y!: miguelito_fierro AIM: mfierro1
--
"And they're all rated X. M O O N, that spells X." - Tom Cullen, The Stand
>On Monday 26 February 2007 07:43 pm, Frosty ranted on thusly:
>
>> And other than the nerdy thrill of getting PGP to work and the
>> prestige of being able tell all your geeky friends that your PGP
>> Public Key is up on the MIT server, what good is PGP?
>
>Hmmm... Troll?
>
>Some people believe in privacy. If you don't, that's cool.
>
>> If the government demands your key, you'll give it up or risk prison,
>
>I would nuke my private key before I'd turn it over. And I'd go to jail
>before I'd give up the passphrase to my key if someone managed to grab my
>computer before I deleted the private key. Which would be a pain in the
>ass, since all of my passwords for all of my various
>banking/investment/shopping websites are in a GPG-encrypted text file...
Big talker. Ever been to prison, big boy?
You'd give it all up after the first night.
>
>> or you're using it to hide kiddy porn in which case, see above.
>
>Hmmm... I'm getting the feeling that you're just a troll...
Why would stating this fact cause you to assume I'm trolling?
The banks and such use their own 128 bit (or higher) encryption. Why
do YOU need it?
I suspect it's for the stated reasons in my first paragraph, but your
ad hominem attack leads me to suspect otherwise.
No, no. I take it back. I looked at your website and my first thoughts
were confirmed. You are a geek. Hey, no shame in that, man!
:)
Court doesn't demand your key anymore, there is a back door in every
current version of PGP, and why I still use 2.6.2g (Dos Version) - the
last truly secure version of PGP.
PGP has its uses, it will get past a network analyzer like EtherPeek.
One use I used for quite a while was to sign all of my intrenet
messages, so if there was ever a question if I sent it or not, I could
prove if I did or didn't. ahh girlfriends...
--
http://www.onahorse.com/
> Court doesn't demand your key anymore, there is a back door in every
> current version of PGP, and why I still use 2.6.2g (Dos Version) - the
> last truly secure version of PGP.
A discussion of ADK, key escrow, backdoors, the temporary unavailability
of source code when pgp was NAI, the current availability of source code
to modern versions of pgp beyond 2.6.2g ie to the present is described
here http://www.rossde.com/PGP/pgp_backdoor.html PGP: Backdoors and Key
Escrow
"For a while - when NAI owned the PGP product - the source-code was
unavailable and outside inspection became impossible. As a result,
experienced users of PGP lost confidence in newer versions of the
product. This situation has been reversed by the PGP Corporation in an
attempt to restore confidence. "
--
Mike Easter
> Frosty < clau...@yahoo.com> wrote:
>
>>On Mon, 26 Feb 2007 14:53:00 -0700 in 24hoursupport.helpdesk Michael
>>Fierro <biff...@NOSPAM-REALLYgmail.com>, intended to write something
>>intelligible, but instead wrote :
>>
>>>On Monday 26 February 2007 02:36 pm, PWB ranted on thusly:
>>>
>>>> I have seen open pgp
<snip>
>>And other than the nerdy thrill
<snip>
>>or you're using it to hide kiddy porn
<snip>
>Court doesn't demand your key anymore, there is a back door in every
>current version of PGP, and why I still use 2.6.2g (Dos Version) - the
>last truly secure version of PGP.
>
>PGP has its uses, it will get past a network analyzer like EtherPeek.
What is that and why do I want to "get past" it?
>
>One use I used for quite a while was to sign all of my intrenet
>messages, so if there was ever a question if I sent it or not, I could
>prove if I did or didn't. ahh girlfriends...
I've seen people do that but I've always wondered if any old person
couldn't just ^C^V that into any old message and claim to be you.
>> One use I used for quite a while was to sign all of my intrenet
>> messages, so if there was ever a question if I sent it or not, I
>> could prove if I did or didn't. ahh girlfriends...
>
> I've seen people do that but I've always wondered if any old person
> couldn't just ^C^V that into any old message and claim to be you.
Almost 100% of the pgp/gpg signed usenet messages you see outside of the
pgp security group and such are totally useless baggage and don't help
prove anything one way or the other.
In the first place, almost all of those messages with pgp baggage are
being read by people who aren't currently holding the public key of the
individual posting them.
In the second place, the process of public key sharing in almost all of
those circumstances is not being 'properly' performed with a
'legitimate' web of trust, but instead there is simply an untrusted bank
of public key servers where anyone can say they are anyone else and post
a public key.
In the third place and regarding ^C^V to a 'wrong' message, that
wouldn't work if the first and second places were actually in place,
which they usually aren't -- because the signature is based on the
message digest, and so pasting the wrong pgp signature on the wrong
message digest wouldn't match.
But, in the third ^C^V place in which there is no 'meaning' to the
signature and no meaning to a public/private key system of clear signing
and no meaning to a web of trust, then a pgp signature is no more
significant than any other non-pgp signature, such as a normal
newsmessage sig.
--
Mike Easter
> Court doesn't demand your key anymore, there is a back door in every
> current version of PGP, and why I still use 2.6.2g (Dos Version) - the
> last truly secure version of PGP.
I can't comment to that bit. I use GnuPG instead of PGP. If there is a
backdoor, someone would've found it already, since it is open source.
--
Michael Fierro (aka Biffster) biff...@NOSPAM-REALLYgmail.com
http://apt-get.biffster.org Y!: miguelito_fierro AIM: mfierro1
--
Think twice before speaking, but don't say "think think click click".
>>One use I used for quite a while was to sign all of my intrenet
>>messages, so if there was ever a question if I sent it or not, I could
>>prove if I did or didn't. ahh girlfriends...
>
> I've seen people do that but I've always wondered if any old person
> couldn't just ^C^V that into any old message and claim to be you.
That wouldn't work. The various *GPs digitally sign each message.
Add/subtract almost anything to the message and *GP will declare it an
invalid signature. There are some ways around that (there's a lot of
information about fooling the SHA1 algorithm, for example), but that would
take a whole lot more than just copying and pasting.
--
Michael Fierro (aka Biffster) biff...@NOSPAM-REALLYgmail.com
http://apt-get.biffster.org Y!: miguelito_fierro AIM: mfierro1
--
Fortune: You will be married within a year, and divorced within two.
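
Added example (not part of the original posts): a toy RSA-style signature in Python illustrating the two replies above. A signature is computed over the message digest, so it cannot be pasted onto other text, and a signature checked against a key nobody authenticated proves nothing. The names Alice and Mallory, the messages and the keys are constructed; this is textbook RSA without padding, not the OpenPGP format.

```python
import hashlib

E = 65537  # public exponent

def make_key(p, q):
    """Build a toy RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, E), (n, d)

def digest(message):
    """SHA-256 of the message as an integer; the signature covers this value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message):
    n, d = private
    return pow(digest(message), d, n)

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == digest(message)

# Constructed keys. Mersenne primes keep the example deterministic;
# they are not suitable for real keys.
ALICE_PUB, ALICE_PRIV = make_key(2**521 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**1279 - 1, 2**2203 - 1)

def demo():
    original = b"Meet at noon. -- Alice"
    other = b"Send me your password. -- Alice"
    sig = sign(ALICE_PRIV, original)
    mallory_sig = sign(MALLORY_PRIV, other)  # signed with Mallory's own key
    return {
        "genuine": verify(ALICE_PUB, original, sig),
        "pasted_onto_other_text": verify(ALICE_PUB, other, sig),
        "one_byte_changed": verify(ALICE_PUB, original + b" ", sig),
        # Key published under Alice's name and fetched without checking it:
        "checked_against_unverified_key": verify(MALLORY_PUB, other, mallory_sig),
        # Same signature checked against the key Alice really owns:
        "checked_against_real_key": verify(ALICE_PUB, other, mallory_sig),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

The fourth case is the one that matters for key servers: the check succeeds, but only against a key whose ownership was never confirmed, which is why the fingerprint has to be compared through a separate channel.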
>>I would nuke my private key before I'd turn it over. And I'd go to jail
>>before I'd give up the passphrase to my key if someone managed to grab my
> Big talker. Ever been to prison, big boy?
> You'd give it all up after the first night.
Oh, I'm not saying that it'd be a pleasant experience. Though I also don't
think that I'd be sent to anything but a minimum-security place for a first
offense like that. :)
>>> or you're using it to hide kiddy porn in which case, see above.
>>
>>Hmmm... I'm getting the feeling that you're just a troll...
>
> Why would stating this fact cause you to assume I'm trolling?
Because it's a common trolling statement about encryption. And about
invasion of privacy, actually. It's the old "If you aren't doing anything
wrong, then why do you care if others/government/law enforcement/X can see
it?"
And using the specific example of child porn is even MORE trollish, since
child porn instantly infuriates even the most rational of people. It's the
equivalent of starting off a conversation with a rabbi with, "wouldn't the
Nazis do that?"
> The banks and such use their own 128 bit (or higher) encryption. Why
> do YOU need it?
First, to secure my passwords for banks and such (surely you agree it'd be
silly to keep usernames/passwords for such services in clear text). Second,
because email is sent in plain-text, and I just don't like people listening
in on my conversations. Same reason I don't like talking on the phone in
public. And why I don't really like cell phones. Third, because I believe
in privacy, even when the protected messages are as mundane as, "Wasn't
that episode of Doctor Who unbelievable?".
And yeah, 'cuz it is geeky. :)
> No, no. I take it back. I looked at your website and my first thoughts
> were confirmed. You are a geek. Hey, no shame in that, man!
> :)
Amen to that! The original name of my blog was Biffster's Computer Geek
Blog. But I decided that was too narcissistic, so I renamed it. :)
--
Michael Fierro (aka Biffster) biff...@NOSPAM-REALLYgmail.com
http://apt-get.biffster.org Y!: miguelito_fierro AIM: mfierro1
--
'Twas brillig, and the slithy toves did gyre and gimble in the wabe. All
mimsy were the borogoves and the mome rath outgrabe! - JABBERWOCKY by
Lewis Carroll
>On Wednesday 28 February 2007 08:19 pm, Penn...@DerryMaine.Gov ranted on
>thusly:
>
>> Court doesn't demand your key anymore, there is a back door in every
>> current version of PGP, and why I still use 2.6.2g (Dos Version) - the
>> last truly secure version of PGP.
>I can't comment to that bit. I use GnuPG instead of PGP. If there is a
>backdoor, someone would've found it already, since it is open source.
My bad, I was referring to PGP, after 2,X Zimmermann went commercial.
The commercial version can't be trusted as no source code is released.
Because of this the commercial version is suspect.
I was pro PGP at the time of Zimmermann problems (PGP was considered a
weapon) - every release, its source code was gone over and given
a thumbs up, until after 2.6, later 2.6.2g - after that nobody would
vouch for its security, because it was made to work with Windows and
one could just go to the swap file to get passwords, text, anything.
This was also after the Government dropped their case against him and
all kinds of rumors were started:
"Q: I heard a rumor that you cut a deal with the US Government to put
a back door in PGP in order to not be prosecuted for publishing PGP.
Is this true?"
True or not 2.6.2.b is the last version of PGP I trust.
I haven't used GnuPG (haven't had a need for encryption for awhile)
but if the source code is released, its security can be confirmed
easily enough.
--
By being both proactive and willing to inflict welts for Jesus, you can beat
Satan at his own sick game and prevent him from turning your impressionable
child into an ugly, rotting twig in the family tree crying out for brutal pruning.
-A joke or a very troubling article - http://www.file22.com/?p=366
>--
>By being both proactive and willing to inflict welts for Jesus, you can beat
>Satan at his own sick game and prevent him from turning your impressionable
>child into an ugly, rotting twig in the family tree crying out for brutal pruning.
>-A joke or a very troubling article - http://www.file22.com/?p=366
Must not have gone over well... "this article has been deleted" and the
80 core one taken its place.
The original article was about beating the gay out of your young son.
--
>On Tuesday 27 February 2007 06:58 pm, Frosty ranted on thusly:
>
>>>I would nuke my private key before I'd turn it over. And I'd go to jail
>>>before I'd give up the passphrase to my key if someone managed to grab my
>
>> Big talker. Ever been to prison, big boy?
>> You'd give it all up after the first night.
>
>Oh, I'm not saying that it'd be a pleasant experience. Though I also don't
>think that I'd be sent to anything but a minimum-security place for a first
>offense like that. :)
When one is sent to a state pen, one is first sent to a "reception
center" which, surprisingly enough is not anything like one would
expect a reception to be. No little sandwiches, no hors d'oeuvres, no
cocktail waitresses. In reality a reception center is a maximum
security facility.
>
>>>> or you're using it to hide kiddy porn in which case, see above.
>>>
>>>Hmmm... I'm getting the feeling that you're just a troll...
>>
>> Why would stating this fact cause you to assume I'm trolling?
>
>Because it's a common trolling statement about encryption. And about
>invasion of privacy, actually. It's the old "If you aren't doing anything
>wrong, then why do you care if others/government/law enforcement/X can see
>it?"
As a (lowercase) libertarian and a Fully Informed Juror, and a free
market economist (among other groovy shit) I'm the last person who
would say that. But it is a fact, as uncomfortable as it may be to
you, that some folks use PGP to hide kiddy porn and to share it with
their brethren. I personally don't care what people do. The idea of
kiddy porn leaves me neutral and uninterested.
>
>And using the specific example of child porn is even MORE trollish, since
>child porn instantly infuriates even the most rational of people.
I never claimed to be rational.
>
>> The banks and such use their own 128 bit (or higher) encryption. Why
>> do YOU need it?
>
>First, to secure my passwords for banks and such (surely you agree it'd be
>silly to keep usernames/passwords for such services in clear text).
I keep mine in my noggin.
> Second,
>because email is sent in plain-text, and I just don't like people listening
>in on my conversations. Same reason I don't like talking on the phone in
>public. And why I don't really like cell phones. Third, because I believe
>in privacy, even when the protected messages are as mundane as, "Wasn't
>that episode of Doctor Who unbelievable?".
I wish Dr. Who still played in my market.
I liked #4 Tom Baker the best.
IMHO, attaching one's traceable and provable name to a possibly
subversive email ain't such a swift idea.