Lawyers Would Rather Fly Than Download PGP 426
An anonymous reader writes "The NYTimes is running a front-page story about lawyers for suspects in terrorism-related cases fearing government monitoring of privileged conversations. But instead of talking about the technological solutions, the lawyers fly halfway across the world to meet with their clients. In fact, nowhere in the article is encryption even mentioned. Is it possible that lawyers don't even know about PGP?" The New Yorker has a detailed piece centering on the Oregon terrorism case discussed by the Times.
S/MIME, anyone? (Score:5, Interesting)
What is it with the Slashdot crowd and PGP? What's wrong with S/MIME?
I can say with some authority, having been evaluating and testing it for my company for some months now, that it is natively supported by current versions of the 3 major email clients (Outlook, Thunderbird, and Apple Mail), and that their implementations are, by and large, compatible.
So...are there any particular issues with S/MIME that make PGP a significantly more desirable solution?
Dan Aris
Re:S/MIME, anyone? (Score:5, Interesting)
What is it with the Slashdot crowd and PGP? What's wrong with S/MIME?
I can say with some authority, having been evaluating and testing it for my company for some months now, that it is natively supported by current versions of the 3 major email clients (Outlook, Thunderbird, and Apple Mail), and that their implementations are, by and large, compatible.
So...are there any particular issues with S/MIME that make PGP a significantly more desirable solution?
Dan Aris
Re:Security not just about encryption. (Score:3, Interesting)
Anyway, who says the NSA can't crack PGP? Some crypto-fanboy showing off how much smarterer he is than lawyers who make no claim of security expertise and have a professional obligation to err on the side of caution?
How my conversation went... (Score:4, Interesting)
"Hey I just finished setting up an encryption system for the e-mail system"
"A what?"
"Encryption, you know to keep your corrispondence confidential..."
"A what what?"
Then about 5 years later I rolled out an automated encryption system that uses lexicons to detect patterns and auto encrypt e-mails if they trip the filters. That conversation with the attorney's went like this.
"You put in a what and why?"
A lengthy explanation later filled with examples of when they should be using it. Finally the lawyer who had just spent a few days at a HIPPA conference sees the light. DING DING DING Clueless I swear.
Re:S/MIME, anyone? (Score:3, Interesting)
In our case, me :-)
We're just using Microsoft's PKI (yeah, I'd rather use something OSS, but requirement #1 is that it work well with Outlook, and I wasn't able, with my limited experience, to get anything else set up to do so...), so the certificate authority is one of our servers. Naturally, it means that anyone who wants to be able to use & trust our user certificates is going to have to install our CA certificate, but that's the price of getting it all for free...
Dan Aris
Re:S/MIME, anyone? (Score:5, Interesting)
OpenPGP software allows you to easily self-generate valid keys. Doing the same with S/MIME (self-signing certificates) is really obnoxious. Further, OpenPGP clients tend to support a web-of-trust introduction model which is strictly better for actual security than the centralized commercial PKI model that S/MIME software tries to force on users.
For sending secure messages within a medium to large sized organization there is some argument for S/MIME using a local CA, but even then simply emulating the same effect with a organization PGP key signer and key server is probably cleaner.
Re:Security not just about encryption. (Score:2, Interesting)
NSA isn't a god-like organization. They have limits like anyone else.
It seems that in the vast majority of cases the NSA handles involving encryption, they don't bother to try breaking the crypto itself. Rather, they find some backdoor (keylogger, mishandled key management, etc.). It may seem like cheating to use human error to break the crypto, but in the real world, humans make errors all the time, so you can rely on it in your investigations.
Therefore, it's likely the NSA can't break PGP, simply because it's a waste of effort to try.
Re:How my conversation went... (Score:5, Interesting)
Don't confuse your specialized knowledge with common knowledge. Your phrasing assumes that encryption, as a word, conjures up images as it would in a geek's mind (and more than five years earlier than now, when it was less well known.) Obviously they explained it better at the HIPPA conference.
Really, I doubt had I not already know what encryption, or the ease of e-mails being read by third-parties, I would have gained nothing from your explaination.
A possible alternative: It is easy for any third party to read your e-mails. Encryption uses a password (or automatic process) on both ends to make sure that only you and your recipients can read the e-mail. It also verifies that the person who claims to have sent the e-mail did, since falisifying the sender of an e-mail is also very easy.
Re:Security not just about encryption. (Score:4, Interesting)
If someone has a 12-character password alpha-numeric password the keyspace is about 104^12. If you can determine when the shift key is pressed and which of the 4 rows of keys each character is in, you can make that 13^12, which is 36 bits less keyspace -- almost a 50% reduction over the original 80 bits.
Re:Of course they thought about it. Not good enoug (Score:3, Interesting)
Oh, I dunno. Unless you're using an encrypting drive, worst case - for the attacker - is long enough alone with it to physically pull the hard drive, clone it, and button the case back up. A couple hours tops, for a well-rehearsed operation. (How good is the laptop's security while you're asleep?) A better case is to boot it in firewire target mode, snarf up the relevant files for analysis and/or execute a scripted keylogger install. Or if you're really paranoid, maybe you'd wonder if they can just pop in bootable media and install a custom keylogging bios (crafted just for your machine) in five minutes flat. Hard to say.
Of course all these attacks have countermeasures - bios passwords, drive passwords, no firewire, truecrypt, keeping the laptop under your pillow at night - but to be really thorough would be pretty inconvenient, and still wouldn't protect against simple theft of the whole laptop for leisurely analysis of past secrets.
"A laptop can be had for less than that plane ticket, so you don't have to take that particular one overseas."
So you're leaving the one with the actual secrets on it back in the office, then? See above.
"If so, you have to assume that the other end of the connection is probably much more thoroughly bugged physically than either of their computers are electronically."
True. But if you assume that level of surveillance on the other end, it wouldn't be safe for your client to use a computer there either, would it?
As has been said often by people much smarter than I, "security is hard".
Re:Extra: Lawyers don't want to go to jail... (Score:3, Interesting)
Re:IANAL, but... (Score:3, Interesting)
Most terrorism suspects aren't Saudi billionaires living in comfortable modern homes in the Middle East, most of them are dirt poor and either holed up in some dark dirty corner of the globe or stuck in the world's largest and most paranoid prison complex. PGP just won't work for these people.
Re:Security not just about encryption. (Score:3, Interesting)
Is PGP breakable by brute force on current hardware? even with NSAs resources this is unlikely.
Has PGP been broken in the crytpographic sense, well given that mathmaticians cant get the maths sorted, unless you belive the NSA has a secret lab of mathmaticians that are years ahead of the rest of them, Hell no.
Can 2GB (or whatever the upper limit is for a key) encryption be broken, again unless the NSA dedicate a cluster of supercomputers to every email (as PGP isnt broken) its unlikely.
In some senses PGP is actually safer than one time pads, you use the same pad to encrypt and decrypt the message meaning there are two pads that could be captured, hell pgp keys can be used as improved one time pad. The only place where one time pads beat PGP is if your message is bigger than your encryption strength, but thats only because a one time pad is effectively one huge encryption.
a) a bunch of supper mathematicians
b) a huge amount of computing power (not feasible)(per email)*
c) an even bigger amount of computing power (probably not even possible)(per PGP key)*
encrypted emails sent to me can only be read by me.
*in the case that the NSA are going to dedicate either of these to me, then I really have to wonder what Im doing to deserver all this attention.
Re:Security not just about encryption. (Score:3, Interesting)
I think it's funny how willing some people are to speculate that US Intelligence agencies have superhuman powers. Haven't their obvious limitations dispelled the idea that nothing gets by them?