Toronto's eye weekly
Thursday, August 7, 1997

Speaking in codes

by Ingrid Hein, iggi@odyssee.net

In the last couple of weeks I've asked a slew of computer users if they use PGP or any other method to encrypt their email.

"No, I have nothing to hide", most people respond. "Only paranoid schizophrenics use PGP."

Or they say, "It's a pain in the ass to use."

But every time you call tech support at your ISP and tell them your password, there's a chance that someone is reading your electronic mail. It's only a keystroke away.

People may feel they have nothing to hide, but then why bother shutting the door when you go to the bathroom? Why leave the room when you pick your nose?

Maybe it's time to secure your ASCII with a little bit of mathematics. Encryption scrambles your text so that it becomes undecipherable until you give someone your "public key", which "unlocks" your encrypted messages. PGP (it stands for Pretty Good Privacy), a program developed by Philip Zimmermann about five years ago, is one option. The latest version, 5.0, was just released. Unfortunately, it's cumbersome to use and can be really intimidating if you're a point-and-click computer user.

Solo, a program recently liberated by Ottawa-based Entrust Technologies, might be better for Luddites, especially if you don't like reading manuals. It has a WYSIWYG (What you see is what you get) interface, and is manageable for a novice computer user. And it will encrypt your information up to 128 bits -- a current encryption standard.

Unfortunately, there's a catch with Solo. Encryption software has to meet a number of government rules and regulations before it can be distributed. Most of all, a copy of the public key has to be accessible by law enforcement "if necessary" -- in other words, if they want it.

"You have to prove that software supports key recovery so that if the U.S. or Canadian government needs access to encrypted files for legitimate legal reasons, they're able to get hold of the encrypt key", said Shauna White, director of marketing and communications at Entrust. "But only if they have a valid search warrant", she added.

There's more. Because of U.S. crypto laws, certain countries are prohibited from having the software. The Solo online documentation states: "Currently there are seven countries to which export is restricted: Libya, Iran, Iraq, Cuba, Angola, Syria and North Korea. In France, Russia, and Singapore, restrictions are in place which require permits for the import of cryptographic software.

"We apologize for any inconvenience this may cause."

White said they are "countries considered by the U.S. to be a serious threat." So the Entrust home page does a quick check on where your server is located by tracking your email address to its IP residence to verify that you're in a country where download is legal.

The U.S. sure has a way of limiting individual security.

Even downloading PGP has its limitations. Until the archaic encryption laws of the U.S. government are changed, if you live outside the U.S. or Canada, you have to be careful about what site you download it from. Philip Zimmermann, who wrote the PGP program, was up on charges for three years for distributing PGP. American law enforcement officials finally dropped the case last January.

So who should use PGP?

If you're doing something you don't want anybody to know about, like mailing company secrets or a financial transaction, or something you think should be legal but isn't, encryption is not a bad idea. Email is extremely open to unauthorized access, with a couple of keystrokes and a little know-how. In fact, most companies have a policy that employee email is an open book.

If you have a police record, don't bother: it might just end up raising suspicion.

If you're not interested, but want your computer files to be more secure, you could start by using certain precautions. One of the first things you learn before using PGP is that, for typed text, commercial word processors are extremely insecure. In Microsoft Word, for example, every time you create a new document, a backup file is created. You don't even have to save the file. The program makes backups of everything as you go, so you can undelete and edit.

Until the section of the hard drive where you saved your file gets overwritten, that data is still there, recoverable by the "undelete" function. Only the name of the file gets erased until that part of the drive is needed to store something more recent. Straight text editors don't bother with backups.

Be aware that some people will read your email just for the heck of it.

The BOFH (Bastard Operator From Hell), a system operator based in New Zealand, writes fictitious stories poking fun at how gullible people are about giving away passwords over the phone and leaving data insecure.

"I'm bored senseless, so I pass the time by reading users' email. I must admit that today's lot is particularly boring, not one good message in all of them. I was expecting at least some veiled reference to a grope in a storeroom, but nothing. So I'm bored senseless by the usual drivel about some relative's surgery and how the weather is over the other side of the world -- that sort of crap.

"To relieve the boredom, I remove an e-mail party invite from a user's mail and post it under the sender's username to alt.singles.with.severe.social.dysfunctions on news, and make a note in my diary to be there with my camcorder. Should be a blast!"

Is your life too boring for encryption? Maybe. But it doesn't hurt to understand it.

Don't forget to close the bathroom door.


Copyright © 1997 by eye weekly. All Rights Reserved. Reprinted with permission.