Encryption Archives

German Data Retention Law Passed

The German government has passed a law that’s going to rip another hole in privacy.  The new law will take effect next year.  When it does, quite a bit of data about communications will be kept for at least six months.  From what I’ve read the actual content of the communications will not be stored, just the basic connection data that identifies its origin, destination and so on.

Data saved for each phone call will include date, time, length of the call and what numbers were involved. This will apply to landline, cellular or VoIP calls.  For cellular calls they also want the location of the phone at the time of the call, the phone’s IMSI code and the SMS connection data.

All Internet access will have the date, time, length of connection, the line used and the IP address assigned at the time.

Each email sent will have all email addresses involved and the message header saved.

Basically they want to know who connects to whom, along with where they were at the time and when.

If that isn’t a wake up call, then think about the fact that there are plenty in our own government (and outfits like the RIAA) that would love to see this (and a lot more) data recorded on all communications here in the US.

Do yourself a favor and make some time to learn how to use simple encryption tools like PGP and GPG.  A good place for a beginner to learn is the PGP Basics Yahoo! group.


A Case For Encryption

This article is perhaps one of the best arguments for using encryption in your day to day emails that I’ve ever seen.

No email privacy rights under Constitution, US gov claims

On October 8, 2007, the United States Court of Appeals for the Sixth Circuit in Cincinnati granted the government’s request for a full-panel hearing in United States v. Warshak case centering on the right of privacy for stored electronic communications. At issue is whether the procedure whereby the government can subpoena stored copies of your email – similar to the way they could simply subpoena any physical mail sitting on your desk – is unconstitutionally broad.

Essentially, several arguments are being used to try to get courts to agree that email is not subject to any “reasonable expectation of privacy”.  Your email provider probably has language in its Terms of Service that allows it to examine your email.  It almost certainly has language in it that says that if they get a subpoena for copies of your email they’ll happily hand over everything it demands.

In 1963 the US Supreme Court ruled in Katz v. United States that the user of a payphone could claim a right to privacy.  That’s when the standards for “reasonable expectation of privacy” were established.

1. Do you think that what you are doing is private?
2. Will society accept that your belief is objectively reasonable?

An email message is basically text that has been formatted according to a standard and is then transmitted from one server to another until it arrives at its destination.  This email is in plain, unencrypted text form, which means that if you know what file to open, you can read an email in a text editor.  Some emails do use a form of encoding to allow binary content to be sent over a text medium, but that encoding (Base64) is a well-known standard that is not intended to keep anything private.
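To make that concrete, here is an added example (not part of the original post) that reads a stored message the way anyone holding a copy of the file could. The addresses and message text are constructed for the illustration.

```python
import base64
from email import message_from_bytes
from email.policy import default

# Constructed sample: a message as it would sit in a file on a mail server.
# The addresses and the text are made up for this example.
SECRET_TEXT = b"The account PIN is 4821. Keep this private.\n"
RAW_MESSAGE = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Quarterly numbers\r\n"
    b"Date: Mon, 08 Oct 2007 09:15:00 -0400\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(SECRET_TEXT).replace(b"\n", b"\r\n")
)


def body_as_stored(raw: bytes) -> str:
    """Return the Base64 body exactly as it appears in the file."""
    return raw.split(b"\r\n\r\n", 1)[1].decode("ascii").strip()


def read_without_any_key(raw: bytes) -> dict:
    """Recover what a third party with a copy of the message can see."""
    msg = message_from_bytes(raw, policy=default)
    return {
        # The headers are never encoded at all: who wrote to whom, and when.
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "date": str(msg["Date"]),
        "subject": str(msg["Subject"]),
        # Base64 is reversed by the standard library; no secret is involved.
        "body": msg.get_content(),
    }


if __name__ == "__main__":
    print("Stored body :", body_as_stored(RAW_MESSAGE))
    for field, value in read_without_any_key(RAW_MESSAGE).items():
        print(f"{field:8}: {value.strip()}")
```

The body looks scrambled in the file, yet the parser returns it in full, and the headers were readable all along.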

The only way to make email private is to actually encrypt it.  The easiest way to do this is to use PGP or GnuPG (GPG) to encrypt the text of your email so that only the intended recipient can decrypt and read it.  Here’s a tutorial I wrote about how to install and use PGP.

You wouldn’t write private physical mail on the back of a postcard would you?  When you do send a letter in snail mail that contains anything private you put it in an envelope and seal it with the full expectation that it won’t be opened except by the person it’s addressed to.

Encrypting email is the same principle.  If I send an email, especially if it’s private for whatever reason, then I’m going to get the recipient’s PGP key and use that to encrypt the email so that only they can decrypt and read it.


Preventing Headaches with Encryption

These days it seems like every few days you can find a story about a laptop being stolen or lost.  Inevitably it seems that when these machines go missing there is almost always some kind of sensitive information on them.  Often it seems it’s just a case of somebody taking some work home and then their laptop is stolen.  Next thing you know their company is having to notify thousands of people that some of their personal information or customer data… something… could potentially be in evil hands.  Now I may be stating the obvious here, but if they had used some simple computer protection system, such as encrypting sensitive files or maybe even the entire hard drive, it would at least make sensitive data harder to get at.

Of course, even with such a system in place, the next hurdle is to get users to exercise proper care with regard to passwords.  You can’t just use your wife’s birthday or your old locker combination.  This kind of thing is vulnerable to people (if they’re determined enough; it does depend on what you’ve got encrypted) digging into your life and past, finding out information about you and your family and using it to aid in cracking the password.

Then again, even if you do have a better password than that, if it’s less than 8 or 10 characters long then it’s going to be fairly easy to crack by “brute force” alone… trying every possible combination until the right one is found.  That’s why it’s better to use an actual passphrase instead of just a word.  Ideally it should contain both upper and lower case letters, numbers, and other special (printable) characters that you can type (such as @#$%^_) and it should be at least 15 characters long.  Ideally it should be 30 characters or more.  At the very least, it needs to be as long as you can consistently remember.
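The effect of length and character variety on a brute-force search can be worked out directly. The following is an added example, not from the original post; the guess rate is an assumed figure for an offline attacker, and the sample passphrases are constructed.

```python
import math
import string

# Assumption for illustration only: an offline attacker testing
# 10 billion candidate passwords per second.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes named in the post, with the size of each pool.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)


def pool_size(passphrase: str) -> int:
    """Size of the alphabet an attacker must cover for the classes in use."""
    return sum(size for chars, size in CLASSES
               if any(c in chars for c in passphrase))


def exhaustive_search(passphrase: str) -> dict:
    """Worst-case cost of trying every combination of this length and pool.

    This is an upper bound that only holds for randomly chosen characters.
    Birthdays, locker combinations and dictionary words fall far sooner,
    because the attacker tries likely candidates first.
    """
    pool = pool_size(passphrase)
    if pool == 0:  # empty input, or only characters outside the classes above
        return {"pool": 0, "bits": 0.0, "seconds": 0.0, "years": 0.0}
    keyspace = pool ** len(passphrase)  # exact integer, no overflow in Python
    seconds = keyspace / GUESSES_PER_SECOND
    return {
        "pool": pool,
        "bits": round(len(passphrase) * math.log2(pool), 1),
        "seconds": seconds,
        "years": seconds / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Constructed samples: 8 lower-case letters versus 15 mixed characters.
    for sample in ("kqzvtmwp", "vR7#kq2Lm!x9Tz@"):
        r = exhaustive_search(sample)
        print(f"{len(sample):2} chars, pool {r['pool']:2}, "
              f"{r['bits']:5} bits, {r['years']:.3g} years")
```

At the assumed rate the 8-letter sample is exhausted in about 21 seconds, while the 15-character mixed sample takes on the order of a trillion years.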

Above all, if you’ve got important data to keep secure and you’ve gone to the trouble of getting and using strong encryption and creating a strong passphrase, NEVER, EVER, EVER write it down!  That just makes it too easy for the “bad guys”.

