Sunday, January 17, 2010

Want really secure Gmail? Try GPG encryption



Perhaps Google's announcement that Chinese cyber attackers went after human rights activists' Gmail accounts has made you skittish about just how private your own messages are on the Google e-mail service.
Well, if you want to take a significant step in keeping prying eyes away from your electronic correspondence, one good encryption technology that predates Google altogether is worth looking at. It's called public key encryption, and I'm sharing some instructions on how to get it working if you want to try it.
Unfortunately, better security typically goes hand in hand with increased inconvenience. But some human rights activists who use Gmail right now likely wish they'd put up with a little hardship to help keep hackers at bay. I'm not going so far as to recommend you use e-mail encryption, but I think this is a good time to take a close look at it.
Specifically, I'll show here how to use a collection of free or open-source software packages: GPG, or GNU Privacy Guard, Mozilla Messaging's Thunderbird e-mail software, and its Enigmail plug-in. CNET Download.com also hosts Thunderbird for Windows and Mac and Enigmail for all platforms.
But first, some background about how it works.
Public key cryptography
Encryption scrambles messages so that only someone with a key (or a tremendous amount of computing horsepower, or knowledge of how to exploit an encryption weakness) can decode them. One form is called, curiously, public key encryption, and this is what GPG and Enigmail use.
Here's the quick version of how it works. You get a private key known only to yourself and a public key that's available for anyone else to use. The person you're corresponding with also has such a pair of keys. Although the public and private keys are mathematically related, you can't derive one from the other.
To send a private message, someone encrypts it with your public key; you then decrypt it with your private key. When it's time to reply, you encrypt your message with the recipient's public key and the recipient decodes it with his or her private key.
Messages in transit from one machine to another are a bunch of textual gobbledygook until decoded. If you're being cautious enough to encrypt your e-mail, you should be aware that there's still some information that leaks out to the outside world. The subject line isn't encrypted, and somebody might take interest in the identity of your active e-mail contacts and the timing and frequency of communications.
So how do you find out what your correspondent's public key is? You can either fetch the key firsthand from the correspondent, or you search for it on public computers on the Net called key servers--mine is stored at pool.sks-keyservers.net.
This form of encryption has another advantage: you can sign your e-mail electronically so the recipient knows it really is from you. This time the process works in reverse: you sign your e-mail with your private key, then your recipient verifies it's from you using your public key.
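The public/private key split and the reversed signing step described above, shown as an added illustration that is not from the article or from GPG itself: textbook RSA in Python, with random key generation, encryption under the public key, decryption under the private key, and a hash-then-sign signature that anyone can verify with the public key. It is a simplification of what OpenPGP does (no padding, and OpenPGP encrypts a random per-message session key rather than the text), so treat it as a teaching model, not as mail encryption.

```python
import hashlib
import random
# Added illustration of the public/private key split with textbook RSA. Real GPG
# (OpenPGP) pads, encrypts a per-message session key, and uses larger keys.

def is_probable_prime(n, rounds=16):
    # Miller-Rabin: write n - 1 = d * 2^r, then challenge n with random witnesses
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True

def random_prime(bits):
    while True:  # random odd candidate with the top bit set, until one is prime
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    e = 65537  # prime public exponent, so gcd(e, phi) == 1 unless e divides phi
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def encrypt(public, message):  # anyone can do this with the recipient's public key
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for one RSA block")
    return pow(m, e, n)

def decrypt(private, ciphertext):  # only the private-key holder can do this
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(private, message):  # 'in reverse': the private key acts on a hash
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(public, message, signature):  # any change to the message breaks this
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")
```

A second keypair stands in for a different correspondent: a signature made with one private key does not verify under anyone else's public key, which is what makes the signature evidence of who sent the mail.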
Drawbacks aplenty
Weighed against the encryption advantages of privacy and message signing is the fact that you'll lose access to services you may like or depend on.
When you see an encrypted e-mail in the Web-based Gmail, it's gibberish. Google doesn't index it, so Gmail search doesn't work. And the strong points of cloud computing--reading your e-mail from your mobile phone, your friend's computer, a computer kiosk at the airport--aren't possible. You're once again anchored to your PC with the encryption software installed.
Gmail won't be able to make heads or tails of your encrypted e-mail.
(Credit: Screenshot by Stephen Shankland/CNET)
Another doozy is that the technology, while conceptually manageable in my opinion, quickly gets complicated. It's the kind of thing where you benefit from some hand-holding from your technologically sophisticated pal. Encryption is chiefly used by the expert crowd, so the documentation quickly gets technical, the options quickly go beyond most people's comprehension, and the help quickly can shift from Spartan manuals to grasping at straws on a search engine results page.
Given time and experience, intractable technology can be beaten into submission, though. The bigger problem with encrypted mail is convincing others to install the software and use it. Until then, you'll be like the proverbial owner of the world's single fax machine: nice technology, but there's nothing you can do with it until someone else gets one.
My personal hope is that encrypted e-mail will become more common and that wider use will encourage some flavor of it that will work more transparently with existing systems, perhaps through local plug-ins on a computer such as FireGPG, though there appear to be challenges getting it to work with Gmail.
Meanwhile, here's one collection of software that's available today for public key e-mail encryption.

Install the software
First, install Thunderbird e-mail software, if you haven't already. I recommend the new version 3.0, which is available for Windows, Mac OS X, and Linux. One particularly nice feature is that the software will ask you for your e-mail address and password on its first launch, and Gmail users will find the software automatically handles the tangle of configuration details that previously had to be manually set.
Next up is GPG, the command-line software that handles the actual encryption, decryption, and key management behind the scenes. Fetch the appropriate copy for your operating system from the "binaries" links at the GPG downloads page. Technophiles will like using this actual software from the command line, but don't worry--you don't have to.
Last is installing the Enigmail plug-in for Thunderbird. Fetch the appropriate version from the Enigmail download site and make a note of where you save the file.
Enigmail isn't the kind of file you double-click to install. Instead, go to Thunderbird, open the Tools menu and click Add-ons. In the lower-left corner of the dialog box that appears, click "Install..." When prompted for a location, point to where you saved the plug-in; the filename should be "enigmail-1.0-tb-win.xpi" or some other operating system-appropriate variation.
Set up the software
Next, it's time to get started. Enigmail offers useful instructions that generally are up to date, though they don't mention Thunderbird 3.0 and some other matters.
You'll likely get a setup Wizard from Enigmail, which is fine. My advice: set it to sign encrypted messages by default but not to encrypt messages by default unless you're confident you're going to use it a lot.
The first task is to generate your public and private keys--your "keypair." Enigmail can handle this chore. In Thunderbird, click the OpenPGP menu, then the "Key Management" option. A new window will pop up with its own set of menus. Click the rightmost one, "Generate."
The default options are pretty good, though setting the key not to expire might be preferable for some people. That can be changed later, if you have second thoughts. For your passphrase, the usual password rules apply: the longer it is and the farther away from anything in a dictionary it is, the harder it is to crack.
Now comes the best part of the whole thing: helping out the random number generator while the keys are being generated. It doesn't take long, but doing something else while it happens--browsing a Web page or loading a word processing file, for example--creates events that actually inject a little helpful unpredictability into the algorithm. It's one of those wacky computer science moments.
Once the keys are generated, upload yours to a key server so your pals can find your key. It's easy: click the "Keyserver" menu, "Upload Public Keys," and go with the default pool.sks-keyservers.net server.
Try it out
Now it's time to get viral. You have to find somebody to experiment on. Go through your list of nerdy, security-minded, perhaps somewhat paranoid friends and start recruiting. A tinfoil hat isn't a prerequisite for using e-mail encryption, but there's a connection.
Once you've got a companion--or set up a second keypair with another e-mail account--start a new e-mail message and type in a subject line and some text. In the OpenPGP menu, select "sign message," "encrypt message," and if your message recipient is using Enigmail, "Use PGP/MIME for this message." (The latter option has some advantages, but isn't supported universally.)
When you send the message, you'll need to use your recipient's public key to encrypt the message and your own passphrase to sign the message with your private key.
When it's time to read, you'll need the public key of your correspondent to verify the signature and your own passphrase to decrypt it.
Sending and receiving is where those public key servers come in handy. Seek, and if ye don't find, ask your friend to e-mail you the public key.
There's a whole new world of encryption out there--the web of trust, key signing, fingerprints and such--that I won't get into here. I recommend a look at the Enigmail configuration manual and the Enigmail Handbook.
If you're a command-line nut, I recommend Brendan Kidwell's practical introduction and, with my usual reservations about the utter lack of informative examples, the GPG man page. History buffs can check the Wikipedia pages (the saga of Phil Zimmermann vs. the U.S. government concerning GPG's precursor, PGP, or Pretty Good Privacy, is particularly notable), and one 10th-anniversary GPG retrospective from founder Werner Koch.
In closing: back up your key
There is one last task you should attend to: export your keypair. Enigmail can handle this fine: In the search field, type your name until your key appears, click it to select it, then click "File" and "Export Keys to File."
This backup will be useful for decrypting your mail on a new computer, installing software from scratch, or otherwise managing the inevitable digital transitions in your life. But be warned: that private key is what somebody needs to crack your encryption, so don't leave it where somebody can find it.
I'm not convinced that GPG will rule the world. Indeed, I'm concerned that so much documentation I encountered for this article was written before Windows Vista arrived.
But I am convinced there are serious holes with our current security and privacy arrangements. A 2,048-bit encryption key won't thwart phishing scams or other social engineering attacks that appear to have been employed in the Google-China case, but it's a good place to start.
And using encryption sends a message to the technology world: perhaps it's time to start taking our security more seriously. Google opted for encrypted Gmail network connections, even though it will tax their servers with more processing, which is a good start. Better security can be inconvenient and expensive, but don't forget to consider the drawbacks of poor security.
Via: CNET

McDonald's Begins Serving Free Wi-Fi At Most US Locations

Hearing that "someone is working on it" is one thing, but now the home of the Golden Arches (and those "all white meat" chicken nuggets) has finally done the deed. No, we're not talking about swapping out those juicy, all-beef patties for veggie slabs. We're talking about in-house Wi-Fi, and lots of it. Making good on a promise it made earlier in the year, McDonald's has rolled out free in-store Wi-Fi in "most" of its US stores. As of 1/15, the vast majority of McD's eateries should have Internet signals floating about, and all you'll need to take advantage is a Wi-Fi enabled smartphone or PC.

All told, Wi-Fi has been added to around 11,500 of the company's 14,000 locations, and of course, it's completely free to those who pass by. It will be interesting to see if other fast food chains and stores in general begin to take notice here and try to mimic it. We love having free Wi-Fi at McD's, but considering that it's a "fast food" place, we aren't generally sitting down for long periods of time when dropping by for a large fry and a huge tea. What would be awesome, however, is if more and more retail outlets and eateries began to copy this model. Wi-Fi is so easy to get these days that it really should be broadcast pretty much everywhere. If the place that somehow thrives on a "dollar menu" can afford to offer Wi-Fi at no charge to consumers, there's hardly an excuse for everyone else.
It's about time the Internet became truly ubiquitous, don't you agree?
Via: Reuters


South Korean Duo Deemed "World's Fastest Texters"

Think your thumbs are quick? Think again. LG, which has long been a supporter of finding out just who exactly can text the fastest in this zany world of thumb-friendly communicators, has just announced that Yeong-Ho Bae, 18, and Mok-Min Ha, 17, of South Korea are the (new) fastest texters on the planet. Hear that? On the planet!

The duo defeated a host of challengers to become the world texting champions at the LG Mobile World Cup in New York City, and the competition was no joke whatsoever. The two had to use LG devices (no iPhone or Droid allowed), and they trumped their rivals in a series of tests of speed and accuracy. LG then crowned 'em the champs, and handed them a whopping $100,000 for their efforts.

The finals pitted 13 two-person teams against one another in New York, with each team having to last through five rounds of team and individual events. All contestants texted in their native language using two of LG's current mobile phones: the LG BL20, which has a numeric keypad, and the LG GW520, which features a QWERTY keyboard. A pair from the USA placed second, and that brought home a nice $20,000 payout. Juan Ignacio Aufranc and Agustina Montegna from Argentina took third place, and they netted $10,000 from the competition. In addition to the main competition, the players attempted to set a new Guinness World Records record for fastest texting, using the LG enV3 handset. Pedro Matias, 27, from Portugal set a new record by typing a 264-character text in just 1 minute 59 seconds, shaving 23 seconds off the previous record set by Finland's Arttu Harkki in 2005.

If you think you can take the heat, you best start practicing now (on an LG phone) for next year's event. We get the feeling that the competition will get tougher and tougher as this thing gets more and more popular.

In a nod to how far phones have come, the record-setting text read: "The telephone was invented by Alexander Graham Bell (UK), who filed his patent for the telephone on 14 February 1876 at the New York Patent Office, USA. The first intelligible call occurred in March 1876 in Boston, Massachusetts, when Bell phoned his assistant in a nearby room and said 'Come here Watson, I want you.'"
"All the contestants at the World Cup are at the cutting edge of mobile technology and the earliest to embrace the latest mobile trends," said Dr. Skott Ahn, President and CEO of LG Electronics Mobile Communications Company. "LG remains committed to providing them with the smartest technology that fits their lifestyles."
Launched to celebrate mobile culture and advances in mobile technology, the LG Mobile World Cup has become the world's premier mobile festival, expanding from four participating countries in 2008 to 13 in 2010. Between May and November 2009, qualifying rounds were held in the United States, Canada, Indonesia, Portugal, Brazil, Russia, South Africa, Mexico, Argentina, Korea, Spain, Australia and New Zealand. Altogether, more than 6 million people took part in the LG Mobile World Cup in 2009.
For more information on the LG Mobile World Cup in New York, please visit http://www.lgmobileworldcup.com.

Via: HotHardware