Date:       Mon, 17 Jun 96 10:21:44 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#048

Computer Privacy Digest Mon, 17 Jun 96              Volume 8 : Issue: 048

Today's Topics:			       Moderator: Leonard P. Levine

              Re: Air Force Sergeant Jailed in e-Mail Case
                       Re: Fingerprint Technology
                       Is the Trade-Off Worth It?
                    Re: What's the Word on Cookies?
                    EDUPAGE: Freedom Of Information
                              Net Finders
               Re: New Chip Renews Privacy Debate [long]
                      Where to get PGP FAQ [long]
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: hermit@cats.UCSC.EDU (William R. Ward)
Date: 14 Jun 1996 18:04:09 GMT
Subject: Re: Air Force Sergeant Jailed in e-Mail Case
Organization: Computing and Telecommunications Services, UCSC
References: <comp-privacy8.46.7@cs.uwm.edu> <comp-privacy8.47.6@cs.uwm.edu>

    [Note from Matthew Gaylor: I find it ironic that while our military
    is sworn to uphold and defend the US constitution, the military
    brass is busy eliminating personal freedoms enjoyed by our troops.
    I'd advise my military subscribers to Freematt's Alerts to get a
    private IP for Email and other net use.] [...] As a result, an Air
    Force master sergeant will spend the next three months in jail for
    using his office computer to exchange sexually explicit stories,
    jokes and comments with other consenting adults.

    bdonovan@gtn.net (Donovan, Bill) writes: While I believe strongly
    in personal privacy for email, my position on use of
    corporate/government accounts and equipment would be that
    everything is up for grabs, and that only the corporation has a
    right to privacy.  These are *not* personal accounts.  I would even
    extend this principle to listening in on phone conversations made
    through company phones.  (I don't agree with video cameras
    monitoring staff, though.)

Well one peculiarity with the military is that it's a 24-hour-a-day
job.  You get time off, but you are still using your employer's
facilities.  I think that what you do in your free time should to a
certain extent entitle you to some privacy; i.e. the master sergeant
should be punished badly for doing that stuff on duty, but off duty I
think the restrictions should be lessened.

    I reiterate your recommendation that people get a private IP
    account for private email and other net use.

Yes, I think that's a good idea.  However even in that case, their
phone would likely be a military phone, their housing a military
barracks, and they would likely be using other military owned
facilities and subject to other military regulations, even off-duty.
So where do you draw the line?  The military is definitely a different
case than just some programmer sending dirty email on his/her work
account.

--
William R Ward          Bay View Consulting   http://www.bayview.com/~hermit/
hermit@bayview.com     1803 Mission St. #339        voicemail +1 408/479-4072
hermit@cats.ucsc.edu  Santa Cruz CA 95060 USA           pager +1 408/458-8862


------------------------------

From: sarig@teleport.com (Scott Arighi)
Date: 15 Jun 1996 00:09:51 GMT
Subject: Re: Fingerprint Technology
Organization: Teleport - Portland's Public Access (503) 220-1016
References: <comp-privacy8.46.4@cs.uwm.edu>

    hans4648@tao.sosc.osshe.edu (CrazySexyCool DC) wrote: I have heard
    rumors circulated about that individuals CAN alter/change their
    fingerprints at any time. I am doing a research project concerning
    the fingerprint identification, and am asking anyone out there to
    contribute to my project. The question: Is there a way to
    alter/change your fingerprints easily? And, if so, is there a
    temporary way to alter one's fingerprints, or is it only permanent?
    I have sifted through one hundred or so investigative articles,
    fingerprint subtitles, and so forth, with no answer to my simple
    question regarding a temporary and/or permanent way to alter/change
    your fingerprints! Without dismemberment of the finger/oil glands
    themselves, is there a way?  Thank you, please post or email me

There was an interesting comment in the June 13 Wall St. Journal on
banking in the ghetto areas in South Africa in which fingerprint ID had
been tried as many of the patrons were illiterate.  The bank that was
trying the experiment with, I presume, a fingerprint scanner, found
that some customers "worked so hard that they wore their fingerprints
off".  Although standard fingerprinting techniques might still work,
apparently the scanners didn't.  -- Scott Arighi

Those who ignore history are doomed to repeat it.


------------------------------

From: levine@cs.uwm.edu (Anomynous)
Date: 16 Jun 1996 00:47:40 GMT
Subject: Is the Trade-Off Worth It?

Has technology reached a point to where we as humans can no longer decide
for ourselves, where privacy is no longer an issue but a burden?

We must protect what we have left of it (privacy) or suffer the
consequences. Not only is it a responsibility but an obligation and
duty for all citizens to perform.

Politicians usually say "...and to reduce crime we will put 200,000 new
police officers on the street, plus increase their powers...".  Now
don't get me wrong, we do need this, but they are only human just as
you and me. What would prevent them from taking liberties of all that
they chose?  With the newfound privileges it would be almost impossible
to stop them.

Citizens, it is up to us to ensure privacy for future generations to
enjoy.


------------------------------

From: hgoldste@mpcs.com (Howard Goldstein)
Date: 16 Jun 1996 18:05:41 GMT
Subject: Re: What's the Word on Cookies?
Organization: disorganization
References: <comp-privacy8.47.1@cs.uwm.edu>

    Ken Peterson <kmp@spiritone.com> wrote: What is the current wisdom
    on Netscape Cookies? I have tried to configure Netscape 3.0b4
    (Macintosh) to "ask" before accepting a cookie, but some sites try
    to send 10-20 of the damn things during loading the first page and
    during the simplest navigation of their site. So endlessly clicking
    NO in the Ask dialog is a tremendous hassle.

Interestingly enough one of these sites is www.anonymizer.com, a
browser anonymizer!  (and the other c2.org pages).  If my xwindow
cluttered with dialog boxes is any indication, c2's setup is quite
insistent upon cookie passage.

I wonder what c2 does with the state information?

I received numerous emails in reply to my RISKS posting, a few critical
where I stated that I didn't gain anything from eating marketing
cookies.  One in particular noted a quid-pro-quo between eating a
cookie and getting free content.

I don't particularly question the logic except for the fact that in
most other avenues in life a quid-pro-quo suggests the doctrine it
derives from, i.e., contract law doctrine.  And contract doctrine
generally requires a meeting of the minds; agreement upon the terms of
the contract.

Information gathering sub-rosa is not a known term of the "contract."
It is rightly a matter of concern to all internetworkers.

-- 
Howard Goldstein   <hg@n2wx.ampr.org>


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 16 Jun 1996 16:48:02 -0500 (CDT)
Subject: EDUPAGE: Freedom Of Information 
Organization: University of Wisconsin-Milwaukee

Taken from Edupage 6/16/96.

    From: Edupage Editors <educom@elanor.oit.unc.edu>
    To: EDUCOM Edupage Mailing List <edupage@elanor.oit.unc.edu>
    Subject: Edupage, 16 June 1996

FREEDOM OF INFORMATION

Congress will soon be considering a bill requiring federal agencies to
provide records online "so that agencies use technology to make
government more accessible and accountable to its citizens."  The bill
would allow the information requester, rather than the federal agency,
to choose the format for releasing information.  (Computer Industry
Daily 17 Jun 96)


------------------------------

From: Hugh Giblin <ulysses@acpub.duke.edu>
Date: 16 Jun 1996 22:06:55 -0400 (EDT)
Subject: Net Finders

One of the "net finders" IAF picked up my email address from guess
where?  Ironies of ironies, yep, the Computer Privacy Digest.  Is there
no place sacred in this world for privacy?


------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: 10 Jun 1996 09:19:13 GMT
Subject: Re: New Chip Renews Privacy Debate [long]
Organization: Fantasy Farm Fibers
References: <comp-privacy8.46.8@cs.uwm.edu>

    "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu> wrote: A recent
    copyrighted article in the New York Times (6/4/96) describes a
    powerful data-scrambling chip-set that is now being quietly sold by
    Nippon Telegraph and Telephone Corp.  According to John Markoff,
    the author of the Times article, the product is likely to severely
    undermine the Clinton Administration's efforts to restrict the
    international export of the fundamental technology for protecting
    secrets and commerce in the information age.

This is almost certainly correct.  Given the current availability of
crypto-information about in the world, I'd be amazed if some overseas
supplier didn't come up with a secure communications module.  Note that
you don't need any particularly new crypto-theory to do so, either ---
the details of DES have been available for over a decade and there is
not even a *theoretical* way to crack a triple-DES encryption.  I've
been out of the spook business for a while, but as far as I know, the US
govt has no way of stopping anyone from producing such a module [and
I'm pretty sure that it would be legal to *import* it, so that a
foreign vendor would be able to market such a thing back to US
companies, even!].

    The device also underscores fundamental differences that exist
    between Japan and the United States on the issue of privacy in the
    Information Age.  While U.S. officials have struggled to maintain
    their ability to conduct electronic surveillance, Article 21 of
    Japan's Constitution specifically forbids wiretapping.

WAIT A MINUTE.  As far as I know, there is no law or legal precedent or
anything else in the US to prevent US citizens from taking steps to
make their conversations tap-proof.  The US gov't doesn't like it
[obviously], but if there is a legal precedent by which the govt could
*prevent* it, I'd be interested to hear about it.

Oh, but were we talking about exports?  Do you really believe that
crypto-technology is the *ONLY* one which cannot flourish in the US
unless it has an export market, too?  Does US Robotics make all of its
money on modems because of the strong Italian market?  Does Motorola
make all of its profits by exporting cellular phones to Brazil?  In
fact, things are more subtle: as far as I know, US telephone equipment
doesn't work elsewhere in the world; US video equipment doesn't work
elsewhere in the world, does anyplace else in the world use 110v/60~
AC?  None of that seems to hurt the market for domestic electronic
doodads [and indeed, foreign manufacturers make useless-to-their-market
stuff *just* so they can export stuff to *US*!]

As for Japan's constitution, I wonder what it really says.  It is
certainly possible that it forbids wiretapping, but I'd bet that it
only means "domestically"...  I guess it is possible for a major
international player to NOT do any sort of signal intelligence, but
that seems pretty unlikely [and naive] to me.

    Next, the article quotes Mark Rotenberg, director of the Electronic
    Privacy Information Center as saying:  "It's very interesting that
    the Japanese regard for privacy in their Constitution translates
    into better cryptographic technology."

Not at all.  There is nothing in what's been reported here that
indicates that Japan has any better cryptographic technology than we in
the US already do.  So far, I have never heard *anything* about any
foreign source being able to provide any better crypto technology than
US folk already have available.  We can't *export* it, but domestically
there's no problem.  This chip will for-sure affect the market
situation for US companies attempting to export crypto technology, but
it shouldn't make a whit of difference for US citizens.

    It is reported that the chips were far more powerful than the
    so-called Clipper chip, a data-scrambling system that the
    administration proposed for the nation's telephone system.

I'm missing something here.  What does the ability to export a chipset
have to do with "the nation's telephone system"?  *right*now*, if
anyone actually cared enough [which the market has *overwhelmingly*
shouted "THEY DO NOT"], you could buy unbreakably secure crypto-phones
and call and fax your friends [*in*the*US*] in total security from
prying gov't eyes.

    According to the article, those laws restrict the export of
    encryption systems which employ digital "keys" of more than 40 bits
    in length. The new NTT chips, however, use a 56-bit key, and
    actually triple the strength of that standard. Such a scrambling
    system is believed to be beyond the capability of the most powerful
    code-breaking system.

Well, this isn't a crypto newsgroup, but this is an interesting
statement.  The only common and very-powerful cryptosystem I know of
that uses a 56-bit key is DES.  They're going to market DES *back* to
US citizens and claim that it is somehow stronger than just using a
"domestic" version of DES?  Also, where'd the 'triple the strength'
come from?  Also, most of the crypto-mavens will argue that DES can be
cracked [but only by brute-force:  no weakness has EVER been found in
the system --- the crackability comes only with the availability of
not-too-expensive custom LSI technology to fabricate custom key search
engines].  Ah, but there's the hook I bet:  there is an encryption
technique called "Triple DES".  It uses a DES engine at its heart, and
what it does is _doubles_ the effective key length of DES.  Since DES
has no systematic weaknesses, doubling the key length puts the
brute-force search WAY beyond any even foreseeable crypto cracking
techniques.  So it looks even more like they're going to try to market
TDES back to US citizens, who can just go buy/build such things *now*
if they chose...

    In addition to the "private" key system for scrambling data, NTT
    uses RSA Data's "public" key method to permit computer users who
    have not previously exchanged information to swap private key
    information safely. The NTT system uses the RSA Data key which is
    1,024 bits in length, also far stronger than the U.S. export
    regulations permit.

AHA..  Now this whole thing becomes clear.  It is a marketing ploy by
RSA, and there has never been any real privacy implications in any of
this.

Note that any US citizen who wishes to is perfectly free to license
[i.e., "pay RSA"] to use their crypto system to exchange keys in front
of a TDES encryptor.  If there has been some legislation recently
making any step of the above illegal, do let me know because I've not
heard of it and this article doesn't even hint at any such
restrictions.

    "If there is anyone in the government who hasn't already seen the
    writing on the wall, here it is," the article concludes.

What "writing on the wall"??  That some clever marketer is going to try
to sell to US citizens something they could *already* buy if they felt
they wanted it?  That cleverly packaging up their marketing campaign
will create a demand where there wasn't one previously??

Let me speculate on what is really going on here [and has been going on
*consistently* throughout the massive misinformation and propaganda
campaign the crypto-export folk have been mounting over the last while].
US citizens are free to encrypt anything they wish however they wish.
Moreover, they have available to them a variety of [truly!] uncrackable
crypto systems.  There is no reason why any US citizen who cares enough
to do something about it should have to worry that their communications with
other US citizens might be intercepted and read/listened to.

The problem from the crypto-marketer folk, however, is that this isn't
enough of a market for them to make enough money selling crypto gear.
Simply put, the US public just doesn't care enough about this stuff to
want the bother and expense.  Where's the market?  Not overseas -- as I
mentioned above, if it *were* overseas, then this would be about the
first and ONLY high-tech market [Amiga computers and soccer equipment
excepted, perhaps :-)] which required overseas sales because there
wasn't enough of a US market.  Where the market is, I suspect, is in
multi-national corporations.  That's where the *big* bucks are.  But
they can't go after that market, because while the big corporations are
mostly US based [or have US subsidiaries], to be useful to the
corporations they would have to 'export' the gear [to their home
offices, other branches, etc], and that's not legal.

So what to do: how to get that really big-bucks market and make themselves
a fortune?  And so they come up with a brilliant marketing ploy: they need
to somehow undo the 40+-year-old export restriction machinery, and so they
came up with the perfect plan: thump the drum of "privacy".  Of course, it
is hard to _find_ the privacy issue [for US citizens, at least].. but
that's not important, since the folks following along aren't worrying much
about the details.  You say the "P-word" and you get an uncritical army
marching along just saying the mantra "privacy privacy privacy...".  And as
with mantras, it is the *saying* that makes the difference, not that it has
to mean anything.

And what's best and cutest, is that if this campaign succeeds [as it
might well], then there will be *nothing* that will have changed for US
citizens.  We will be no more secure or 'private' than we were... the
only thing that'll change is that RSA Inc and a few other
crypto-producers will get very very rich.  A noble cause to be sure, so
keep thumping that drum!!!

-- 
Bernie Cosell                     Fantasy Farm Fibers
bernie@fantasyfarm.com            Pearisburg, VA
    -->  Too many people, too few sheep  <--          
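
Added example, not part of the digest or of any poster's message: a toy 16-bit Feistel cipher with 12-bit keys (constructed here, not DES) that works through the brute-force arithmetic discussed in the post above. With a few known plaintext/ciphertext pairs, two stacked encryptions fall to a meet-in-the-middle search costing about twice a single key search, which is why a three-pass construction is what roughly doubles the effective key length (56 to about 112 bits for DES). The keys, plaintexts and the helper effective_key_bits (a time-only estimate that ignores table memory) are assumptions of this example.

```python
"""Meet-in-the-middle on a toy cipher: why double encryption barely helps
and why triple encryption is what doubles the effective key length."""

KEY_BITS = 12                  # toy key size (DES uses 56)
KEYSPACE = 1 << KEY_BITS
ROUNDS = 4

# 8-bit S-box: 3 is a primitive root mod 257, so this is a permutation of 0..255.
SBOX = [pow(3, i, 257) % 256 for i in range(256)]


def _subkeys(key):
    """Four 8-bit round keys: low byte of the 12-bit key rotated by 0, 3, 6, 9."""
    out = []
    for r in range(ROUNDS):
        n = 3 * r
        rot = ((key << n) | (key >> (KEY_BITS - n))) & (KEYSPACE - 1)
        out.append(rot & 0xFF)
    return out


def encrypt(key, block):
    """Encrypt one 16-bit block with a 4-round Feistel network."""
    left, right = block >> 8, block & 0xFF
    for sk in _subkeys(key):
        left, right = right, left ^ SBOX[right ^ sk]
    return (left << 8) | right


def decrypt(key, block):
    """Invert encrypt(): undo the rounds in reverse order."""
    left, right = block >> 8, block & 0xFF
    for sk in reversed(_subkeys(key)):
        left, right = right ^ SBOX[left ^ sk], left
    return (left << 8) | right


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs produced by
    E_k2(E_k1(p)). Returns (matching key pairs, single-cipher operations used)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops = 0
    table = {}                               # middle value -> all k1 producing it
    for k1 in range(KEYSPACE):
        table.setdefault(encrypt(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(KEYSPACE):
        mid = decrypt(k2, c0)                # walk back from the ciphertext
        ops += 1
        for k1 in table.get(mid, ()):
            # Chance matches are expected; the extra known pairs filter them out.
            ok = True
            for p, c in rest:
                ops += 2
                if encrypt(k2, encrypt(k1, p)) != c:
                    ok = False
                    break
            if ok:
                found.append((k1, k2))
    return found, ops


def effective_key_bits(key_bits, layers):
    """Approximate log2 of the attacker's time for `layers` stacked encryptions
    with independent keys: meeting in the middle costs the larger half."""
    return key_bits * ((layers + 1) // 2)


# Constructed sample data: two secret keys and three known plaintexts.
K1, K2 = 0x5A3, 0xC1E
PLAINTEXTS = [0x1234, 0xBEEF, 0x0F0F]
PAIRS = [(p, encrypt(K2, encrypt(K1, p))) for p in PLAINTEXTS]

if __name__ == "__main__":
    found, ops = meet_in_the_middle(PAIRS)
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in found])
    print("cipher operations used:", ops, "vs naive search:", KEYSPACE ** 2)
    for layers in (1, 2, 3):
        print(layers, "x 56-bit DES ->", effective_key_bits(56, layers), "bits")
```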


------------------------------

From: mpj@csn.net (Michael Johnson)
Date: 13 Jun 1996 01:27:42 -0600
Subject: Where to get PGP FAQ [long]
Organization: The Web of Trust

 -----BEGIN PGP SIGNED MESSAGE-----

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ

Revised 6 June 1996

Disclaimer -- I haven't recently verified all of the information in
this file, and much of it is probably out of date.

For questions not covered here, please read the documentation
that comes with PGP, get one of the books mentioned below, or search for
other relevant FAQ documents at rtfm.mit.edu and on the alt.security.pgp
news group.

A NOTE FROM THE FAQ MAINTAINERS

Peter Herngaard <pethern@datashopper.dk> is taking over the maintenance
of this FAQ until further notice.

Some of you sent me (Mike Johnson) corrections and suggestions for
this FAQ, and I stored them away on my hard disk to edit from. Then,
Windows 95 got indigestion (induced by a sound card) and destroyed
all of the data in that partition. If you suggested changes and they
aren't in this FAQ, please send them to Peter Herngaard
<pethern@datashopper.dk>.

WHAT IS THE LATEST VERSION OF PGP?

Viacrypt PGP (commercial version): 2.7.1 (4.0 is due out Real Soon Now)

MIT & Philip Zimmermann (freeware, USA-legal): 2.6.2

Staale Schumacher's International variant: 2.6.3i for non-USA
                    (2.6.3ai source code only); 2.6.3 for USA

WHERE CAN I GET VIACRYPT PGP?

Just call 800-536-2664 and have your credit card handy.

WHERE IS PGP ON THE WORLD WIDE WEB?

U.S. only availability:
PGP: http://web.mit.edu/network/pgp-form.html
PGPfone: http://web.mit.edu/network/pgpfone
International availability:
PGP and PGPfone: http://www.ifi.uio.no/pgp/

WHERE CAN I FTP PGP IN NORTH AMERICA?

If you are in the USA or Canada, you can get PGP by following the
instructions in any of:

ftp://net-dist.mit.edu/pub/PGP/README
ftp://ftp.csn.net/mpj/README.MPJ
ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/
ftp://ftp.gibbon.com/pub/pgp/README.PGP
ftp://ftp.wimsey.bc.ca/pub/crypto/software/README

WHERE IS PGP ON COMPUSERVE?

GO NCSAFORUM. Follow the instructions there to gain access to Library 12:
Export Controlled.

AOL

Go to the AOL software library and search "PGP" or ftp from
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp or another site listed above.
It is possible to get PGP from ftp sites with hidden directories with the
following trick:  (1) View the README file with the hidden directory name in
it, then quickly (2) Start a new ftp connection, specifying the hidden
directory name with the ftp site's address, like
ftp.csn.net/mpj/I_will_not_export/crypto_xxxxxxx (where the xxxxxxx is
replaced with the current character string).

WHAT BULLETIN BOARD SYSTEMS CARRY PGP?

MANY BBS carry PGP. The following carry recent versions of PGP and
allow free downloads of PGP.

US

303-343-4053 Hacker's Haven, Denver, CO
303-772-1062 Colorado Catacombs BBS, Longmont CO
   8 data bits, 1 stop, no parity, up to 28,800 bps.
   Use ANSI terminal emulation.
   For free access: log in with your own name, answer the questions.
314-896-9309 The KATN BBS
317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN
   Login First Name: PGP  Last Name: USER   Password: PGP
501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR
   Login name: PGP USER Password: PGP
506-457=0483 Data Intelligence Group Corporation BBS
508-668-4441 Emerald City, Walpole, MA
601-582-5748 CyberGold BBS
612-690-5556, !CyBERteCH SeCURitY BBS! Minneapolis MN
914-667-4567 Exec-Net, New York, NY
915-587-7888, Self-Governor Information Resource, El Paso, Texas
909-681-6221 ATTENTION to Details (ATD BBS) 
  All lines v.32bis/14.4KBPS minimum

GERMANY

+49-781-38807 MAUS BBS, Offenburg - connected to the MausNet
+49-521-68000 BIONIC-BBS Login: PGP

WHERE CAN I FTP PGP CLOSE TO ME?

DE

ftp://ftp.cert.dfn.de/pub/pgp/

IT

ftp://idea.sec.dsi.unimi.it/pub/security/crypt/PGP

FI

ftp://ftp.funet.fi/pub/crypt/pgp/

NL

ftp://ftp.nl.net/pub/crypto/pgp
ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp

NO

ftp://menja.ifi.uio.no/pub/pgp/

NZ

ftp://ftphost.vuw.ac.nz

SE

ftp://leif.thep.lu.se

TW

ftp://nctuccca.edu.tw/PC/wuarchive/pgp/

UK

ftp://ftp.ox.ac.uk/pub/crypto/pgp

HOW CAN I GET PGP BY EMAIL?

If you have access to email, but not to ftp, send a message saying
"help" to ftpmail@decwrl.dec.com or mailserv@nic.funet.fi

WHERE CAN I GET MORE PGP INFORMATION?

http://www.csn.net/~mpj
http://www.mit.edu:8001/people/warlord/pgp-faq.html
http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa_paper.ps.gz
ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-00.txt
ftp://ds.internic.net/internet-drafts/draft-ietf-pem-mime-08.txt
http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html
http://web.cnam.fr/Network/Crypto/ (in French)
http://web.cnam.fr/Network/Crypto/survey.html (in English)
http://www2.hawaii.edu/~phinely/MacPGP-and-AppleScript-FAQ.html
http://www.pgp.net/pgp
http://www.sydney.sterling.com:8080/~ggr/pgpmoose.html
http://www.ifi.uio.no/pgp/
http://inet.uni-c.dk/~pethern/privacy.html

WHAT ARE SOME GOOD PGP BOOKS?

 Protect Your Privacy: A Guide for PGP Users
 by William Stallings
 Prentice Hall PTR
 ISBN 0-13-185596-4
 US $19.95

 PGP: Pretty Good Privacy
 by Simson Garfinkel
 O'Reilly & Associates, Inc.
 ISBN 1-56592-098-8
 US $24.95

 E-Mail Security: How to Keep Your Electronic Mail Private
 "Covers PGP/PEM"
 by Bruce Schneier
 Wiley Publishing

 The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data
 Protection, and PGP Privacy Software
 by André Bacard
 Peachpit Press
 ISBN 1-56609-171-3
 US $24.95
 800-283-9444 or 510-548-4393

 THE OFFICIAL PGP USER'S GUIDE
 by Philip R. Zimmermann
 MIT Press
 April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
 Standard PGP documentation neatly typeset and bound.

 PGP SOURCE CODE AND INTERNALS
 by Philip R. Zimmermann
 April 1995 - 804 pp. -
 US $55.00 - 0-262-24039-4 ZIMPH

 How to Use PGP, 61 pages,  (Pub #121) from the Superior Broadcasting Company,
 Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13).

IS PGP LEGAL?

Pretty Good Privacy is legal if you follow these rules:

Don't export PGP from the USA except to Canada, or from Canada except to the
USA, without a license.

If you are in the USA, use either Viacrypt PGP (licensed for commercial use)
or MIT PGP using RSAREF (limited to personal, noncommercial use). Outside of
the USA, where RSA is not patented, you may prefer to use a version of PGP
(2.6.3i) that doesn't use RSAREF to avoid the restrictions of that license.

If you are in a country where the IDEA cipher patent holds in
software (including the USA and some countries in Europe), make
sure you are licensed to use the IDEA cipher commercially before using
PGP commercially. (No separate license is required to use the freeware
PGP for personal, noncommercial use). For direct IDEA licensing, contact
Ascom Systec:

Erhard Widmer,  Ascom Systec AG, Dep't. CMVV      Phone  +41 64 56 59 83
Peter Hartmann, Ascom Systec AG, Dep't. CMN       Phone  +41 64 56 59 45
Fax:            +41 64 56 59 90
e-mail:         IDEA@ascom.ch
Mail address:   Gewerbepark, CH-5506 Maegenwil (Switzerland)

Viacrypt has an exclusive marketing agreement for commercial
distribution of Philip Zimmermann's copyrighted code. (Selling
shareware/freeware disks or connect time is OK). This restriction does
not apply to PGP 3.0, since it is a complete rewrite by Colin Plumb.

If you modify PGP (other than porting it to another platform, fixing a bug,
or adapting it to another compiler), don't call it PGP (TM) or Pretty Good
Privacy (TM) without Philip Zimmermann's permission.

IMPORTANT:
Please note that there is an official distribution site for MIT
PGP and another for the International version:
WorldWideWeb references:
U.S/Canada non-commercial use: http://web.mit.edu/network/pgp-form.html
Norway/International non-commercial use: http://www.ifi.uio.no/pgp/
U.S. commercial use: http://www.viacrypt.com

WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS?

Philip Zimmermann was under investigation for alleged violation of export
regulations, with a grand jury hearing evidence for about 28 months, ending
11 January 1996. The Federal Government chose not to comment on why it
decided to not prosecute, nor is it likely to.  The Commerce Secretary stated
that he would seek relaxed export controls for cryptographic products, since
studies show that U. S. industry is being harmed by current regulations.
Philip endured some serious threats to his livelihood and freedom, as well as
some very real legal expenses, for the sake of your right to electronic
privacy.  The battle is won, but the war is not over. The regulations that
caused him so much grief and which continue to dampen cryptographic
development, harm U. S. industry, and do violence to the U. S. National
Security by eroding the First Amendment of the U. S. Constitution and
encouraging migration of cryptographic industry outside of the U. S. A. are
still on the books.  If you are a U. S. Citizen, please write to your U. S.
Senators, Congressional Representative, President, and Vice President
pleading for a more sane and fair cryptographic policy.

WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP?

http://www.dayton.net/~cwgeib
ftp://menja.ifi.uio.no/pub/pgp/pc/msdos//apgp22b3.zip
http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip
ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip
ftp://ftp.firstnet.net/pub/windows/winpgp/pgpw40.zip
http://www.eskimo.com/~joelm (Private Idaho)
ftp://ftp.eskimo.com/~joelm
http://www.xs4all.nl/~paulwag/security.htm
http://www.LCS.com/winpgp.html
http://netaccess.on.ca/~rbarclay/index.html
http://netaccess.on.ca/~rbarclay/pgp.html
ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip
ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip
http://iquest.com/~aegisrcs

WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE?

PGP can do conventional encryption only of a file (-c) option, but
you might want to investigate some of the other alternatives if you do
this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for
DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a
few others.

Quicrypt is interesting in that it comes in two flavors:  shareware
exportable and registered secure. Atbash2 is interesting in that it generates
ciphertext that can be read over the telephone or sent by Morse code. DLOCK
is a no-frills strong encryption program with complete source code. Curve
Encrypt has certain user-friendliness advantages. HPACK is an archiver (like
ZIP or ARC), but with strong encryption. A couple of starting points for your
search are:
U.S. only availability:
ftp://ftp.csn.net/mpj/qcrypt11.zip
ftp://ftp.csn.net/mpj/README
ftp://ftp.miyako.dorm.duke.edu/pub/GETTING_ACCESS
International availability:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/
ftp://idea.sec.dsi.unimi.it/pub/crypt/code/

HOW DO I SECURELY DELETE FILES (DOS)?

If you have the Norton Utilities, Norton WipeInfo is pretty good. I
use DELETE.EXE in del110.zip, which is really good at deleting existing
files, but doesn't wipe "unused" space.
US
ftp://ftp.csn.net/mpj/public/del120.zip
NL
ftp://basement.replay.com/pub/replay/pub/security/del120.zip
UK
ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip

WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE?

The nature of Windows is that it can swap any memory to disk at any
time, meaning that all kinds of interesting things could end up in your
swap file.

ftp://ftp.firstnet.net/pub/windows/winpgp/wswipe.zip

WHERE DO I GET PGPfone(tm)?

PGPfone is in beta test for Macintosh and Windows'95 users.
The MIT has shut down their ftp distribution of PGPfone <tm> for
Macintosh and Windows'95, so within the U.S/Canada you must obtain
PGPfone <tm> using a WorldWideWeb browser.

U.S. only availability:
http://web.mit.edu/network/pgpfone
International availability:
DK
ftp://ftp.datashopper.dk/pub/users/pethern/pgp/
NL
ftp://basement.replay.com/pub/replay/pub/voice/
NO
ftp://menja.ifi.uio.no/pub/pgp/mac/
ftp://menja.ifi.uio.no/pub/pgp/windows/

WHERE DO I GET NAUTILUS?

Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a
program called Nautilus that enables you to engage in secure voice
conversations between people with multimedia PCs and modems capable of
at least 7200 bps (but 14.4 kbps is better). See:
U.S. only availability:
ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS
ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz
ftp://ftp.csn.net/mpj/README
ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS
International availability:
ftp://ftp.ox.ac.uk/pub/crypto/misc
ftp://basement.replay.com/pub/replay/pub/voice/
The official Nautilus homepage is at:
http://www.lila.com/nautilus/

HOW DO I ENCRYPT MY DISK ON-THE-FLY?

Secure File System (SFS) is a DOS device driver that encrypts an entire
partition on the fly using SHA in feedback mode.

Secure Drive also encrypts an entire DOS partition, using IDEA, which is
patented.

Secure Device is a DOS device driver that encrypts a virtual, file-hosted
volume with IDEA.

Cryptographic File System (CFS) is a Unix device driver that uses DES.
CryptDisk is a ShareWare package for Macintosh that uses strong IDEA
encryption like PGP.

U.S. only availability:
ftp://ftp.csn.net/mpj/README
ftp://miyako.dorm.duke.edu/mpj/crypto/disk/
International availability:
http://www.cs.auckland.ac.nz/~pgut01/sfs.html
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/
ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/
ftp://ftp.ox.ac.uk/pub/crypto/misc/
ftp://menja.ifi.uio.no/pub/pgp/mac/
ftp://basement.replay.com/pub/replay/pub/disk/

WHERE IS PGP'S COMPETITION?

RIPEM is the second most popular freeware email encryption package.  I like
PGP better for lots of reasons, but if for some reason you want to check or
generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also
an exportable RIPEM/SIG.
U.S. only availability:
ftp://ripem.msu.edu/pub/GETTING_ACCESS
International availability:
ftp://idea.sec.dsi.unimi.it/pub/crypt/code/

HOW DO I PUBLISH MY PGP PUBLIC KEY?

Send mail to one of these addresses with the single word "help" in the
subject line to find out how to use them. These servers synchronize keys with
each other.  There are other key servers, too.

pgp-public-keys@keys.pgp.net
pgp-public-keys@keys.de.pgp.net
pgp-public-keys@keys.no.pgp.net
pgp-public-keys@keys.uk.pgp.net
pgp-public-keys@keys.us.pgp.net

WWW interface to the key servers: http://www.pgp.net/pgp/www-key.html
http://www-swiss.ai.mit.edu/~bal/pks-toplev.html

For US $20/year or so, you can have your key officially certified and
published in a "clean" key database that is much less susceptible to
denial-of-service attacks than the other key servers. Send mail to
info-pgp@Four11.com for information, or look at http://www.Four11.com/

Of course, you can always send your key directly to the parties you wish to
correspond with by whatever means you wish.

CAN I COPY AND REDISTRIBUTE THIS FAQ?

Yes. Permission is granted to distribute unmodified copies of this FAQ.

Please e-mail comments to Peter Herngaard <pethern@datashopper.dk>
Look for the latest html version of this FAQ at
http://inet.uni-c.dk/~pethern/getpgp.html

 -----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: cp850

iQCVAgUBMbbOGXN4jJfo4ES9AQEqygQAqjTf8dA6JLE9WZ2NF7CImtxoTtc7tjlC
iqxQnomx4joKfmwx5zwx3ms65K2iPfTfiO1TWLp6ba92UfRgj/Dlq1TI7+FINf7j
8sJeJ2QGquBxrL8mwBObR884X22CdAhrFdC9/RVE5ATaK51p4LhyZf17vBJZYA4r
nAiF+PuHrR8=
=/2AM
 -----END PGP SIGNATURE-----


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 14 Jun 1996 13:19:56 -0500 (CDT)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #048
******************************