[ Previous Article | Next Article | Index of Articles]
This article first appeared in the April 2000 issue of the Louisville Computer News. It was written by Lee Larson.
When I was in high school, I played chess by mail with a Danish teen whose family was temporarily living in China. As the game progressed, we got pretty friendly, and soon the notes I was sending were too long to fit on a postcard, so I started sending letters in sealed envelopes. After two or three of these, my opponent wrote back and told me to just use postcards because they got to him a few days earlier. He explained that the Chinese government was "secretly" reading all mail from outside the country, and it was a lot quicker for them to read a postcard than a sealed envelope.
For some reason, it really bothered me that some anonymous Chinese bureaucrat was reading my mail. Neither of us was writing anything of interest to the Chinese, but it was sort of like an impassive stranger being allowed to silently sit and listen to our private conversation. The intimacy was gone. The open friendliness disappeared, and the game dragged on to a dull draw several months later.
When you think about it, regular e-mail is a lot like writing a postcard. It's sent as a bunch of TCP/IP packets, hopping from computer to computer until it gets to its destination. The only things stopping the computer operators in between from reading the mail are the sheer volume of traffic and their own sense of ethics and privacy. E-mail does not have the same privacy and freedom of speech protections as regular paper snail-mail.
This gets to the heart of one of the reasons e-mail cannot now be used for general business communications; there's an awful lot of communication we want to keep private. We don't want to publicly share such things as medical data, pricing information and love letters.
There's another reason--authentication. With snail-mail there are various generally accepted ways to make sure the letter you're reading actually came from whom you think it did. The easiest of these is a signature at the bottom. More paranoid people may call for registered mail and notarized documents.
With e-mail, on the other hand, it's actually pretty easy for a moderately skilled hacker to "spoof" the e-mail header so the message appears to be a personal invitation from Bill Clinton to a state dinner at the White House in your honor. This ability to transform your e-mail into someone else's opens up a very lucrative new avenue for scam artists and makes it very hard for Congresswoman Ann Northup to find out whether those hundreds of helpful e-mails appearing in her mailbox come from a large group of her constituents, or one angry teenager living in New Zealand.
Could this be why it's so hard to send e-mail to Representative Northup? There's no e-mail address on her web page (www.house.gov/northup), just series of links to a general e-mail form that requires patience to find. Do you know your whole Zip+4 code?
Of course, both of these problems have easy solutions. In fact, the same solution works for both: Pretty Good Privacy, a.k.a. PGP. The problem is our Government--including Representative Northup--has been fighting it for years. PGP is the closest thing we have to world-wide standard for strong encryption, and the government thinks strong encryption is too dangerous to let just anyone use it.
Strong encryption is an umbrella term for a large number of methods using mathematics to code messages so they're nearly impossible to decode by anyone who doesn't have the key. The basic idea in all these methods is that there are certain mathematical operations that are easy to do, but very hard to undo. Multiplying and factoring large integers is the simplest example. It's easy to multiply two big numbers and very hard to factor the answer to get the original numbers back.
The idea with PGP is that everyone has a public key and a private key. The public key is available to everyone, but the private key is closely guarded. When someone wants to send you a message, they use a combination of your public key and their private key to encode the message. Only you can descramble it, because descrambling requires your private key and their public key. In this way, only you can read the message and only one person could have sent it--assuming both private keys are secure.
Another benefit of PGP is the ability to put a secure signature on regular non-encrypted e-mail. The way this works is that before the e-mail is sent out, a hash number is computed using the characters in the message. Then, this hash is used with your private key to compute a signature that's attached to the message. Anyone reading the message can use your public key to check the signature. Only your public key can verify the signature, so the reader knows you wrote the message. If any character is changed in the message, the hash won't match, so the reader knows the message isn't what you wrote. Anyone can read the message, and the source can't be spoofed!
For non-commercial use, PGP is free and distributed by MIT (web.mit.edu/network/pgp.html). To use it easily, you also need a PGP aware e-mail program. On the Mac, PGP comes with plug-ins for Eudora, Outlook Express and Emailer. The newest version of PowerMail (www.ctmdev.com) has built-in support. Mulberry (www.cyrusoft.com) has a beta plug-in available. Any of these e-mail programs make using PGP as easy as falling off a log.
Of course, to make this work, public keys have to be easily available. There are several public key servers on the Internet. The most well known ones are sponsored by MIT (pgpkeys.mit.edu:11371) and Network Associates, Incorporated (certserver.pgp.com).
With all this support, why isn't everyone using PGP? The simple answer is the government doesn't want us to. For years, strong encryption has been fought by law enforcement and intelligence agencies because they fear widespread strong encryption will make it easier for the bad guys to hide what they're doing. Civil libertarians counter that there are basic principles of privacy and freedom of speech to be considered, and nowhere in the Constitution does it say law enforcement should be easy.
Many Internet advocates feel that until a universally recognized worldwide standard for strong encryption is in place, the 'Net can't reach its full potential.
Both sides have strong arguments. The problem with all this is that Humpty-Dumpty has already fallen off the wall, and all the NSA, FBI and CIA soldiers can't put him back together again.
The story of PGP highlights a lot of this conflict. PGP was written by a Boulder, Colorado programmer, Phil Zimmerman, in 1991. During June of 1991, shortly after the conclusion of the Gulf War, Congress was beginning hearings on the International Traffic in Arms Regulations (ITAR) laws. Provisions within ITAR classified strong encryption programs as munitions, and severely restricted their exportation.
Friends of Zimmerman--not Zimmerman himself--in a protest against the encryption proposals, uploaded the source code for PGP to the Internet. In Internet time, it spread all around the world. Reacting in bureaucratic time, the Justice Department began an investigation in February 1993. Humpty-Dumpty was only a distant memory by that time.
In January 1996, the Justice Department dropped its investigation. No reason was given, and the press release said that "... no further comment will be made." It's pretty clear the case had become moot by 1996.
One big problem with the government's stand on all this is that strong encryption is not high tech. In fact, it isn't even very difficult to write a program that can't be exported. A good example of this is the ITAR civil disobedience Web site (online.offshore.com.ai/arms-trafficker/), where you too can become an international arms trafficker. There you will find a three line Perl program that does strong encryption. There's a button on the page that mails the program to Anguilla, in violation of U.S. munitions export laws.
In May 1997, the government bowed to reality and finally approved PGP for export to most countries. Late last year, the Clinton administration, under pressure from software and financial companies, further weakened the encryption export rules, and made it far easier for some industries to export products containing strong encryption.
The April 25 meeting of the LCS will feature a grab bag of topics presented by Shoun Regan of The Complete Mac.
The Louisville Computer Society meets from 7:00-9:00 P.M. at Pitt Academy, 4605 Poplar Level Road, at the intersection of Poplar Level Road and Gilmore Lane. Everyone is welcome to attend. For more information, on the web go to www.aye.net/~lcs, or e-mail lcs@aye.net.
The Macintosh special interest group of the Central Kentucky Computer Society meets on the first Tuesday of every month at 7:00 P.M. at C.K.C.S, 1300 New Circle Road Northeast, Suite 105 in Lexington. The April 4 presentation will feature Jerry Freeman's tips to make you a power user on the Mac. He'll show tips you can use to increase your Mac productivity, make you more efficient, and show you "hidden" tricks that can help make you a smarter computer user. More information can be found at their Web site (www.ckcs.org/mac.htm).
The Art Software Group will meet at 1:00 April 29 in the Natural Sciences Building on the University of Louisville Belknap campus. Presenters will include: Adobe Systems will demonstrate Golive and give Photoshop tips on Apple's G4 computers; Electric Image will give 3D animation tips and tricks using their Macintosh 3D animation software Electric Image; and, UpdateStage offers CD-ROM and Web multimedia tips using Macromedia Director for both Mac and Windows.
[ Previous Article | Next Article | Index of Articles]
/home2/lee/www/cgi-bin/textcounterdata/ [TextCounter Fatal Error: Could Not Write to File __lee_macwritings_LCN0004_shtml]