[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Who Else is Reading your Email? (From Cu Digest, #7.67)


Normally, I don't like reposting things to this list.  However, I am 
going to report this from the most recent version of CuD, because I think 
it hits a very important nail right on the head.  Not just that PGP is 
going, but it puts all of the terms we on this list have been bantering 
around for the last couple of years into ones that laymen can understand.

I sincerely thing that this is the kind of push we need to make as a 
whole to bring about social change on the net (and social change is what 
is needed).  Ie, PGP is good because 1) it keeps people from reading your 
email (like an envelope) and 2) it makes sure nobody forges your messages 
by allowing you to digitally sign them.

Anyways, sorry for the report, please flame lightly :-)

- ---------------------------------------------------------------------

Date: Wed, 09 Aug 1995 19:25:49 -0400
From: [email protected](K.K. Campbell)
Subject: File 1--Who Else is Reading your Email?

eye WEEKLY                                                June 29 1995
Toronto's arts newspaper                      .....free every Thursday
eye.NET                                                        eye.NET

                    WHO ELSE IS READING YOUR EMAIL?
                   Part 1 of a 2-part series on PGP

                            K.K. CAMPBELL

I recently conducted an overseas interview with a "computer security
person at a highly sensitive facility." Mr. Security explained that the
potential misuse of the computer resources of this site was a serious
concern, a danger to thousands. This instilled in him a peppery dash of
paranoia about who was using what machine for what purpose.

In discussing this, the name of a certain, rather net.famous individual
arose. I was surprised to learn this individual was well-known in
international security circles. This individual is considered a "risk."
I was informed that this person's email is "monitored."

To spell it out: people were reading and collecting all the email the
"risk" wrote. Without the target's knowledge. Without any form of

Most netters think such intrusion involves someone "hacking a
password." Wrong. When you hit the "send" command for email, your
missive seems to (poof!) magically appear in the recipient's mailbox.
Person to person. The ultimate intimacy. Wrong again. Email is actually
passed through a number of computers. The operator of one of those
machines can effortlessly read your email. Any one who "breaks into"
such a machine can inspect your mail. Once in, they can tamper with
files so that all your email is copied to another location, without you
being aware of it.

But not everyone wants to "break into" a computer. In the above case,
email was copied "in transit." When email is transferred from machine
to machine, it is made readable. So if you intercept a copy (through
"sniffers"), you can read it. Everything this individual had written
over the last couple of years has apparently been intercepted and read.
His file is huge.

With Canada news media in a tizzy about "regulating the net," how long
before CSIS requests funds to start collecting posts with buzzwords in
the network data flow?


It should be the first lesson every newbie learns: email ain't secure.
An email is like a postcard: it travels through the many sets of hands
in delivery and any set of hands can read it if so inclined. Most
postal employees don't, for two reasons: there is so much mail they
haven't the time, and most postcards are so boring, who the hell wants

The same goes with the system administrators who oversee the shunting
around of all your cyberscribbling. Most don't snoop, but some do. Need
I remind you that, er, sysadmins are not a monolithically
mature-and-well-adjusted breed imbued with highly developed moral

What can you, the lowly downtrodden, rights-less end-user, do? You have
three strategies:

 -- no precautions: who cares if anyone reads what you write/receive;
 -- minimal coding, easy to crack, but enough to stop casual snoops --
  kind of like "virtual envelopes"; and
 -- PGP.

PGP stands for Pretty Good Privacy -- a humble title to be sure,
considering that the U.S. government/military wants to ban the thing.
And why? Because PGP has the power to thwart their zillion-dollar spy
efforts by imbuing everyday folk with the cryptographic might of the
best "puzzle palaces" around the world.

The elegantly powerful encryption device is the offspring of Colorado
resident Phil Zimmermann ([email protected]). He basically took all the (very
public) papers on cryptography, stirred it together and voil=E1: instant
"threat to democracy" -- if you buy the government/military propaganda.
(More on Zimmermann and the cryptographic spook backlash next issue

What PGP does is solve that decades old spy/cryptography dilemma: How
can one send secure messages to absolute strangers over an insecure

PGP exploits two historical developments:

 -- home computers gave commoners the computational power to use the
  sophisticated cryptography algorithms; and
 -- the advent of public key encryption in the late '70s bade
  farewell to Ilya Kuryakin and Napoleon Solo.

Computers were originally designed (back in World War II) to be
sophisticated code breakers. Today, government/military bureaucracy
(especially in the U.S.) still operate with that attitude: computer
cryptography is a military weapon.

In those Cold War days, the only way to send secure messages over
insecure channels (telegraphs, phones, mail, etc.) was to first
deliver a "cryptographic key" via secure channels. The key was
something like a little code book; the secure delivery channel was
usually a dour-faced courier with a black bag handcuffed to his wrist.
"Deliver this or die doing so, 007..."


Governments and mega-corps could afford to send satchel-toting couriers
overseas, but us proles had little hope of doing that. So citizens were
always vulnerable to mail-opening, phone-tapping spooks.

PGP uses two keys -- a public key and a secret key. Anyone can use your
public key to encrypt a message to you, and only you can then decrypt
it with your secret key. As long as your secret key remains secret, no
one can read that message -- not even the person who encrypted. The
idea is to spread your public key around in Key Exchanges, like phone

For details on this complex subject, try _PGP: Pretty Good Privacy_ by
Simson Garfinkel (O'Reilly & Assoc., http://www.ora.com, $29.95 paper).
Or _The Computer Privacy Handbook_ (Peachpit Press,
http://www.peachpit.com/peachpit, $31.95 paper). Both go beyond
technical details and delve into the sociopolitical issues around

Where can you get PGP? All around the world. PGP is freeware -- you can
use it endlessly without cost. But remember: The U.S. State Department
export restrictions classify cryptographic materials to be munitions.
Exporting it from the U.S. is a serious matter. For those uninterested
in becoming international arms smugglers, do an Archie search for "PGP"
or try Toronto's Interlog at ftp://ftp.interlog.com/pub/pgp . Read
newsgroups alt.security.pgp and sci.crypt for discussions.

Version: 2.6.2
Comment: PGP Signed with PineSign 2.2

____           Robert A. Hayden      <=> [email protected]
\  /__     Finger for Geek Code Info <=>    Finger for PGP Public Key
 \/  /           -=-=-=-=-=-                      -=-=-=-=-=-
   \/        http://krypton.mankato.msus.edu/~hayden/Welcome.html

Version: 3.0
GED/J d-- s:++>: a-- C++(++++) ULU++ P+! L++ E---- W+(-) N++++ K+++ w---
O- M+ V-- PS++>$ PE++>$ Y++ PGP++ t- 5+++ X++ R+++>$ tv+ b+ DI+++ D+++
G++++>$ e++ h r-- y++**