[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Running PGP on Netcom (and Similar)
A "Cypherpunk RISK" (apologies to the "RISKS" list) to running PGP on
Netcom, Portal, America Online, etc. systems (and on university,
corporate, etc. systems), is the obtaiing of *all* records,
directories, etc. by court order.
This has happened more than once, and will likely happen more and more
in the future, as law enforcement realizes what a treasure trove this
(The person being monitored may not be told about it, of course.)
The latest such case involved Lewis De Payne, a user, and Netcom, his
(and my) Internet provider. Details are being discussed in Usenet
groups, and were brought up also at yesterday's Cypherpunks meeting.
Not that had Mr. De Payne been using PGP on Netcom, with his secret
key stored there, the cops would have it. (The passphrase maybe not,
depending on whether he stored _that_ there, too. And whether Netcom
had logs of keystrokes entered, which strikes me as something they
would probably have--we really need a "zero knowledge" kind of
"reach-back" for remotely-run PGP.)
I just don't think the dangers are worth it. All the theoretical hot
air about whether kestroke timings are "random enough" is moot if
Netcom is turning over records to investigators.
It creates a dangerous illusion of security.
(For those with no home machines, and perhaps those who mainly use
campus services, workstations, etc., I'm not faulting you; people use
what they have to use. Longer term, though, PGP needs to run on secure
hardware. Secure meaning not easily grabbed by the authorities without
even one's knowledge!!)
Timothy C. May | Crypto Anarchy: encryption, digital money,
[email protected] | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."