The importance of encryption
"maddog" recalls some of the history of encryption and PGP and discusses why they should matter to everyone.
At a conference recently, I handed my business card to a young FOSS person, and as he accepted the card he pointed to the PGP ("Pretty Good Privacy") number on the bottom of my business card and asked, "What does this mean?" In the age of Wikileaks, PRISM, and XKeyscore, I find it disturbing that people do not know about PGP and its FOSS offshoot, GPG.
I have been dealing with the US government and issues with encryption for a long time. In the early days of commercial Unix, a lot of companies were shipping either a System V or a BSD version of Unix. Of course, both of these systems rely on encrypted passwords and both systems (at the time) also had a simple crypt(1) command for encrypting data.
Back then, I was working for Digital Equipment Corporation (DEC) and the company was just about to ship its first Unix system for the VAX architecture, when our export department asked the fatal question: "Is there any encryption software in this product?"
At that time, the United States did not allow encryption to be shipped outside the country to many countries, even to some countries we might have considered "friends." After all, the British (yes, they were on the list) did burn our White House in 1814, and there was that nasty skirmish in 1776…
DEC reacted to the encryption rules by removing the crypt(1) command and libraries and putting them in a separate "export restricted" software kit, but we needed the encryption functionality to be linked into the login(1) program and to allow people to change their passwords.
We appealed to the US State Department, but they were firm, so we went back to Bell Laboratories to find out whether they had an argument that would allow the encryption. Bell Labs pointed out that the encryption was basically "one-way" (i.e., it could not be decrypted) and that it was just for authentication. We took this information back to the State Department, and they relented.
After we looked at the issue further, however, we realized that the State Department was really too late. Sun Microsystems was already shipping SunOS all over the world with the encryption in place. System V from Bell Labs and BSD from the University of Berkeley were also being used in many countries with the encryption in place. It was only DEC's export department that raised the issue.
The law around cryptography was so draconian that if DEC had bought a package of encryption software from Canada, had not opened it, but then wanted to sell it back to Canada, we could not have done so. Around that time, I had a good friend working for DEC who was heavily into cryptography. He was Canadian, and because Canada did not have these issues with shipping cryptographic products, he returned to Canada and started a consulting firm around encryption. Some of our best cryptographers were leaving and going to other countries for better opportunities.
Then, in 1991, Phil Zimmerman developed PGP, and when that "escaped" to other countries, all sorts of "investigations" happened. At the time, encryption was considered a "munition," and Phil was investigated for violating the Arms Export Control Act. Somewhere, I still have my t-shirt with the PGP algorithm on the back that says, "I am exporting munitions, so sue me."
Fortunately, President Clinton relaxed this law, and good encryption was able to be shipped. Right after September 11, 2001, however, a senator (who will remain nameless) from my state of New Hampshire ("Live Free or Die") introduced a bill that would reverse President Clinton's decision because some of the planners of 9/11 had used encrypted email. I wrote that senator a four-page letter, discussing encryption and how it is the basis of authentication. I pointed out that most "evil" countries already had knowledge of encryption and that such a law would hurt our allies, not just our enemies. Shortly after I sent my letter, the senator cancelled his bill.
In light of what has recently occurred with the NSA, some major companies are now looking at privacy a little more rigorously than before. Jimmy Wales of Wikipedia, for example, pointed out that his company will be looking at methods and how much data they gather on articles that people read. Jimmy feels that the right of privacy extends to what we read and that no one should be able to see what we have or have not read.
Along these lines, readers might want to review how PGP and GPG work and think about how to use them. Encryption of filesystems might also take a higher priority. Can a determined entity still decrypt encrypted data? Probably, but the careful use of PGP can give you "pretty good" privacy.
Read full article as PDF:
Version 16 of the popular Linux desktop reveals new tools, edge-snapping, and performance improvements.
Symantec says Linux-Darlioz burrows in through PHP.
Dell renews its quest for the ultimate developer machine.
Innovative back door looks like normal SSH traffic.
One of CeBITs most successful forums opens the new year with a new name. The popular Open Source Forum continues in 2014 under the name Special Conference: Open Source. This year, the forum will be bigger and offer a wider range of possibilities for sponsors.
New release offers better graphics drivers and expands filesystem support.
New mail protocol will shut out the NSA and prevent snooping on metadata.
A new web application helps users visualize distributed denial-of-service attacks.
Ubuntu 13.10 takes a step toward convergence, with lots of mobility, but Mir only partly here.
Galileo board is targeted to embedded developers and educational institutions.