It is our assertion, concomitant with the Fourth Amendment right to the security of one’s person, house, papers and effects, that no one should have the ability to snoop through your e-mail without your permission. We stand by this, even in light of last week’s terrible hijacking attacks, which have led to calls for the concession of even more intrusive eavesdropping power to the various federal agencies. While we have no intention of revisiting last week’s subject of liberty and the propriety of secure personal communications, we do hope to explain how you can make use of available encryption software to protect your own e-mail.
The most popular solution is PGP, otherwise known as Pretty Good Privacy. Based on the public key/private key concept introduced by Whitfield Diffie and Martin Hellman in 1976, PGP offers a quick and relatively easy way to encrypt your e-mail to ensure that it is not read by your employer, your ISP, packet data sniffers, the NSA’s Echelon system, the FBI’s Carnivore or anyone else with whom you’d rather not share your information. It is perhaps worth noting that while there was some discussion of pursuing PGP’s creator, Paul Zimmerman, for the violation of U.S. export controls a few years ago, there is no law banning the personal use of encryption software. Nor, in our opinion, should there be.
The dual key approach is simpler than you might think upon first looking at the program. The concept is easiest to understand if you forget about the software for a moment. Imagine that you have a mailbox dedicated to your sole use. One key, called the public key, is required to put a letter addressed to you in the mailbox, but cannot be used to open the mailbox. Another key, the private key, is needed to open the mailbox and take the letter out. Without this second key, no one can open the mailbox and read the letter, not even the sender. This is why there is no harm in allowing your public key to be widely distributed, as it is essentially just a means of putting letters into your private mailbox.
Some of the older versions of PGP were a pain to use, but with the new version, 7.0.3, we are pleased to say that operation is almost shockingly smooth. For reasons we are still trying to understand, we are in the habit of using MS Outlook Express for our regular e-mail, and PGP works in such nice coordination with it that the only explanation is that Microsoft is too worried about upsetting the U.S. Department of Justice to directly incorporate PGP and screw it up by making it “more user-friendly.”
Speaking of user-friendly, once PGP is installed, here’s all you need to do to encrypt an e-mail message.
- Type and address e-mail, including subject.
- Press the little yellow PGP ENCRYPT icon that is located below the Compose menu.
- Press Send.
That’s it. The whole process is automated, and what was once a happy little note about the wife and kids takes about five seconds to turn into something that looks like this:
—–BEGIN PGP MESSAGE—–
Version: PGPfreeware 7.0.3 for non-commercial use qANQR1DBw04DQEVVZQ3tZCi30cQD/49
—–END PGP MESSAGE—–
Except it will be longer, a lot longer. Decrypting is also easy. Open up the message, then click on the DECRYPT PGP MESSAGE icon and type in your passphrase when it is requested. That’s it. PGP also works well with other e-mail packages, in fact, it is most commonly associated with Eudora, the popular freeware/shareware e-mail program.
The question of PGP’s security is the occasion for much debate among the sort of folks who have pale green “monitor tans” and a virulent passion for Gillian Anderson. It is an interesting world full of real, if esoteric, concerns about “backdoors,” Van Eck freaking and brute force attacks. If any of this sounds at all interesting, we absolutely insist that you go out and snag a copy of Neal Stephenson’s “Cryptonomicon,” a very good novel and one well worth reading.
Now, this is probably reducing the security debate to a zero degrees Kelvin level, but unless you live in Afghanistan and your e-mail address is [email protected], it is highly unlikely that the NSA or anyone else is going to bother putting in the time and expense needed to crack your key. Given that it took 400 MIPS-years by an array of parallel processors to crack a 116-digit key, the amount of computing power required to break a 1024-bit key appears to be tremendous, even more so for the 4096-bit protection provided by PGP. For a more detailed analysis, check out the PGP ATTACK FAQ.
In summary, we highly recommend the use of PGP for anyone who is in the habit of e-mailing banking or other personal information, or simply is uncomfortable with the realization that e-mail is a highly insecure means of communication. PGP 7.0.3 can be downloaded from http://www.pgpi.org/.
QUESTION OF THE WEEK: [In discussing wireless Net technology], you did not say directly whether 2.4 frequency phone activity, say within the household or at a neighbor’s, or passing by, will interfere with the Net signal during its flight to the PC. I mean, this sort of thing could lead to some sort of hybrid clone peering out of the monitor screen, or someone on the phone hearing gibberish in the midst of a conversation (or automated telephone marketing pitch). Is this a bright question or what?
THUS SPAKE VOX: Ah … no. 802.11b is a digital encryption scheme that can use 11 channels in the 2.41 to 2.46 Gigahertz range. Because the signal is digital, there is more chance that you will spontaneously combust than see strange faces in your monitor screen – unless, of course, we are correct in our suspicion that you may already be prone to seeing such things, in which case we have only the following to say: BEWARE THE LAUGHING CLOWN!
A less sanity-challenged reader would more likely experience missing snippets of conversation or degraded network performance. However, a single phone and a couple of 802.11b cards are unlikely to cause enough degradation to warrant tossing out one or the other. Experimenting with setting the channel for each device may help reduce any interference that does occur.