
The future of PGP..


TechnoWeenie
05-02-2002, 01:06 PM
where to start?....


What products do you think will take the place in Corporations?

tw

TechnoWeenie
05-02-2002, 01:35 PM
http://www.cnn.com/2002/TECH/ptech/04/21/encryption.future.ap/index.html

Xp0nential
05-17-2002, 07:40 AM
that link doesn't seem to be working. can you repost please?

TechnoWeenie
05-21-2002, 09:15 AM
I guess they archived or just deleted the article...

TW

OutPhaze
06-02-2002, 07:35 PM
Anyone heard of the PPIRT security suite? For some reason it just does not impress me. Maybe it was the look of their page. BTW, am I the only one that thinks it is strange that after years and years of the feds trying to get rid of PGP, McAfee buys the program... then takes it off the market?

simple3
06-02-2002, 10:57 PM
From what I understood they were trying to sell it, but no one would buy it. I don't think that McAfee buying it in the first place ever stopped any of the other free/open versions of PGP from being distributed. Last I checked there were at least a half dozen various PGP/GPG programs available for free.

simple3

blackwave
06-20-2002, 09:21 AM
http://download.nai.com/products/media/nai/support/PGP-DesktopEncryption-CustomerLetter.pdf
(as of Feb 26 2002 NAI stopped all development efforts on their version of PGP and will only honor current licensed support).

Did NAI approach this whole scenario wrong? I wouldn't be sure, but selling something that is freely available for pretty much any platform makes it difficult to buy, even at the corporate level. Before they retired this software I was planning to use a Spyrus FIPS-3 USB token and the PGP smart-card token integrated suite (for their disk encryption) and use it to house the private keys to mount and unlock the drive... unfortunately this did not come through. Currently I use one of the last free PGP versions that had the disk encryption and load it onto a USB flash drive key.

It would be sweet if someone would develop a USB flash drive key with FIPS-3, and use an onboard entry keypad to decrypt/unlock the drive... think of a hybrid of SecurID and a USB flash drive.

All in all I haven't seen a decent crypto package that would create a seamless environment for the user with Single Sign-On, password wallets, and Windows Smart Card Logon all in one package. Of course it is all a matter of time.

zoloto
06-26-2002, 09:36 PM
Actually GnuPG is a PGP equivalent, and in recent/future versions it's soon to be even more powerful. PKC is a great tool to have in verifying users' IDs (even just using nicknames when you are familiar with the user) to prove they actually sent the mail, etc.

GnuPG rocks, and mutt (my favorite) or a graphical email client such as Evolution (good too) use gpg and support it well.

you should try them out :)

blackwave
06-26-2002, 09:58 PM
Originally posted by zoloto
you should try them out

Also, if you just want to do web mail, you can use Hushmail, which uses HushTools (implementing a branded flavor of PGP). You can do most PKI operations using their Java interface.

https://www.hushtools.com/

astcell
06-28-2002, 11:09 PM
No non-Java applications though... why would a secure e-mail server be so hard? I want to keep mail on my PC, not out in cyberspace.

blackwave
06-28-2002, 11:13 PM
Originally posted by astcell
I want to keep mail on my PC, not out in cyberspace.

yikes, I never keep anything local...

astcell
06-28-2002, 11:20 PM
You can't hack what's offline!

blackwave
06-28-2002, 11:38 PM
Originally posted by astcell
You can't hack what's offline!

True, but I can't run my hard drive from Kansas to China in seconds either.. :) ;)

astcell
06-30-2002, 12:39 AM
At CompUSA today I saw all this software for security: Norton Firewall, BlackIce, etc. Is all this stuff giving users a false sense of security, or is there anything that is any good out there? PGP is good but not intuitive.

blackwave
06-30-2002, 01:44 AM
Originally posted by astcell
At CompUSA today I saw all this software for security: Norton Firewall, BlackIce, etc. Is all this stuff giving users a false sense of security, or is there anything that is any good out there? PGP is good but not intuitive.

How do you like PGP's Tempest Viewer?

Anyway, all it takes is someone to put a keyboard sniffer on the machine, either hardware or software, and all their crypto is SOL.

Apex
06-30-2002, 09:14 AM
I find it very strange that NAI tried to sell something that was free myself. However I am grateful I have a copy of their PGP Corporate Desktop Suite. Has some nice options.........

In fact it's a bit like their firewall product, Gauntlet..... looked a lot like freeware to me too.

However they did manage to sell Gauntlet off to Secure Computing in Minneapolis........ I feel bad for anyone wanting support on it now.

veruus
06-30-2002, 07:20 PM
If anything, any place that intends to use encryption will most likely have someone in house who knows about it, or have access to someone (a contractor or consultant perhaps) who does. GPG immediately comes to mind. The great thing about it is that it can be used on the server side (for scripting and whatnot) and on the client side to handle email messages or encrypted files. This assumes some ability on that luser's part, but there are some pretty good tools out there for use with GPG.

blackwave
06-30-2002, 07:27 PM
Originally posted by SigningiS
If anything, any place that intends to use encryption will most likely have someone in house who knows about it, or have access to someone (a contractor or consultant perhaps) who does.

I know of several places that use a central type of cert management that allows the keys to be saved and recreated at a later date.. I think this is the worst thing that anyone could do with PKI.. because all someone needs is the admin's key and the whole system has been compromised.. PKI should exist in a decentralized existence.

blackwave
07-02-2002, 04:03 PM
http://newsforge.com/newsforge/02/07/01/1411226.shtml?tid=21

Zimmermann to Network Associates: Sell PGP back to me, or open-source it
excerpt:

Tuesday July 02, 2002 - [ 09:27 AM GMT ]
Topic - Privacy - - by Bruce Tober -
Philip R. Zimmermann, author of encryption program Pretty Good Privacy, is suggesting current owner Network Associates open-source PGP's code as one alternative to the program dying on the vine at the company. "I would strongly prefer PGP be Open Source compared with the current scenario, because right now it's locked in intellectual property prison and no one can get it," he says. "Open Source would be much better."

TheWatcher
07-10-2002, 09:53 AM
Originally posted by blackwave


I know of several places that use a central type of cert management that allows the keys to be saved and recreated at a later date.. I think this is the worst thing that anyone could do with PKI.. because all someone needs is the admin's key and the whole system has been compromised.. PKI should exist in a decentralized existence.

I agree regarding the decentralized existence of key servers, though the question is how you will get the other users' keys?

Anyone know about this site www.keyserver.com? Are they affiliated with openpgp.org?

blackwave
07-10-2002, 10:51 AM
Originally posted by TheWatcher
I agree regarding the decentralized existence of key servers, though the question is how you will get the other users' keys?


There are several public key servers out there on the net that allow you to insert or extract a key based on keywords, etc. Though it does take a while for them to synchronize... but it works :) Since the private keys are generated and kept locally (on drive, floppy, USB token, whatever) there are no worries about someone else using your private key...

TheWatcher
07-10-2002, 11:02 AM
Thanks man.

blackwave
07-10-2002, 11:08 AM
Originally posted by TheWatcher
Thanks man.

http://www.keyserver.com/ is another example of a public keyserver.

For more private keyservers you can use Hushmail's (http://www.hushmail.com/) excellent set of HushTools (https://www.hushtools.com/hushtools/verify/) https://www.hushtools.com/hushtools/user-tools/retrieve-public-key.html which is what I use more often than not, since I have several Hushmail accounts, and Hushmail provides seamless integration with this 'secure' web mail service and OpenPGP standard support.

TheWatcher
07-10-2002, 11:38 AM
www.ziplip.com is worth mentioning regarding securing your messages.

The receiving end doesn't need to be a member to read encrypted messages, which is cool. I've been using this free web mail for more than a year.

Before ziplip.com, I've used hushmail too.

blackwave
07-10-2002, 11:51 AM
Originally posted by TheWatcher
Before ziplip.com, I've used hushmail too.

I used to use ziplip a long time ago too, but stopped after reading this (has this changed as far as you know?):
Check Section: Web-Based Encrypted E-Mail (a few other web mail service reviews, inclusive)
http://www.counterpane.com/crypto-gram-9908.html

ZipLip <https://www.ziplip.com/zlplus/home.jsp> is different. Both parties do not need an account to communicate. The sender logs onto the ZipLip Web site and, using SSL, sends a message to someone else. ZipLip then sends the recipient a message telling him that your message is waiting. The recipient then logs onto ZipLip to receive the message. Encryption, outside the two SSL connections, is completely optional.

ZipLip won't identify the encryption algorithm used, which is enough to discount them without further analysis. But they do something even stupider; they allow the sender to create an encryption key and then give the recipient a "hint" so that he can guess it. ZipLip's own Web site suggests: "The name of the project we're working on," or "The restaurant where we had dinner last night." Maybe there are 100,000 restaurants, so that's a 17-bit key.

The threats here are serious. Both the sender and receiver need to verify their SSL connections, otherwise there is no security. The ZipLip server is a major attack target, both because many messages will not be encrypted, and because those that are will have keys weakened by the requirement that both parties remember them.

On the plus side, ZipLip claims a policy of deleting all mail 24 hours after delivery, which provides a level of lawyer-proofing that HushMail does not have...if they implement it properly.
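The Crypto-Gram excerpt quoted above makes its point with one number (100,000 restaurants is about a 17-bit key). The following is an added example, not code from the thread or from ZipLip, that shows what that number means in practice: a key derived from a hint-guessable secret is recovered by simply trying the plausible answers. The cipher (a SHA-256 counter-mode toy with an HMAC tag), the key derivation, the restaurant list and the message are all constructed here for illustration and are assumptions about how such a service might work, not a description of ZipLip's actual implementation.

```python
# Added example (not from the thread or from ZipLip): how little a
# "hint-guessable" key buys you. The cipher, key derivation, restaurant
# list and message are constructed here for illustration only.
import hashlib
import hmac
import math

TAG_LEN = 16


def derive_key(secret: str) -> bytes:
    # Assumption: the secret the recipient guesses from the hint is hashed
    # straight into the key. No salt, no stretching: one hash per guess.
    return hashlib.sha256(secret.strip().lower().encode("utf-8")).digest()


def keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; NOT a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(secret: str, plaintext: bytes) -> bytes:
    key = derive_key(secret)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    # An authentication tag lets anyone holding the right key recognise it,
    # which is exactly what an offline guesser needs.
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    return tag + ct


def decrypt(secret: str, blob: bytes):
    """Return the plaintext, or None if the secret is wrong (tag mismatch)."""
    key = derive_key(secret)
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


# Constructed candidate list: what an attacker who saw the hint
# "the restaurant where we had dinner last night" would enumerate.
RESTAURANTS = [
    "Blue Moon Diner", "Casa Luna", "Golden Dragon", "Harbor Grill",
    "Il Forno", "Jade Garden", "Luigi's", "Maple Street Cafe",
    "Noodle House", "Olive & Vine", "the grey dog", "Pho 99",
]


def hint_key_bits(candidates: int) -> float:
    # Effective key length is log2 of the number of plausible answers.
    return math.log2(candidates)


def brute_force(blob: bytes, candidates):
    """Try every candidate; the tag tells us when we hit the right one.

    Returns (guess, plaintext, number_of_tries) or None if no candidate fits.
    """
    for tries, guess in enumerate(candidates, start=1):
        pt = decrypt(guess, blob)
        if pt is not None:
            return guess, pt, tries
    return None


if __name__ == "__main__":
    msg = b"Wire transfer approved, ref 4471."
    blob = encrypt("The Grey Dog", msg)
    print(f"100,000 restaurants ~ {hint_key_bits(100_000):.1f}-bit key")
    guess, pt, tries = brute_force(blob, RESTAURANTS)
    print(f"recovered {pt!r} with guess {guess!r} after {tries} tries")
```

The normalisation in `derive_key` (strip, lowercase) is what a usable hint scheme would have to do so that the recipient's guess matches, and it shrinks the candidate space further. Replacing the single SHA-256 with a slow, salted KDF would raise the cost per guess but cannot rescue a secret that only has a few thousand plausible values.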

TheWatcher
07-10-2002, 12:33 PM
They already updated some of their approach, though I still can't tell what algorithm they are using right now :D

I haven't tried to sniff my message yet using ziplip. I will try sometime after attending conference this weekend.

TheWatcher
07-10-2002, 01:13 PM
blackwave,

they think you're AWOL ...

http://forums.netstumbler.com/showthread.php?s=&postid=19068#post19068

check this out.

blackwave
07-10-2002, 02:03 PM
Originally posted by TheWatcher
blackwave,
they think you're AWOL ...


Hahaha, yes I know :) I am a fickle-script.

TheWatcher
07-10-2002, 02:31 PM
give them some sign ... that you still exist... hahaha

blackwave
07-10-2002, 02:36 PM
Originally posted by TheWatcher
give them some sign ... that you still exist... hahaha

I did!... I posted something around the second page after I was spotted on late night IRC, and gave the word to spread that I have risen... :)

TheWatcher
07-10-2002, 02:56 PM
ok.

blackwave
07-15-2002, 03:23 AM
Originally posted by TheWatcher
ok.
:)

tweakt
07-30-2002, 01:22 PM
For what it's worth I am trying to organize a PGP keysigning. Send me an email with your public key and I'll be sending more information during Defcon.

Neural
07-31-2002, 03:55 AM
I always thought it would be neat if there was some server level encryption of email so that even if you chose not to encrypt your email, that the mail servers would talk to each other encrypted.

Basically each mail server would generate a public and private key. The public key would be hosted on numerous key servers. When I send email from my pacbell.net account to someone at earthlink.net, pacbell's smtp server would connect to a number of key servers (the number varying on paranoia level to ensure that the public key being requested matches on more than one server) and encrypts all mail going to earthlink.net with earthlink's public key so that it goes from point A to point B encrypted to deter sniffing somewhere in the middle. The same concept could be used between mail client and smtp server.

Maybe something already exists like this. If so I'd like to hear more about it. I haven't paid much attention to gpg and what it is currently able to do.
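The post above sketches a scheme where the sending mail server fetches the receiving domain's public key from several key servers and only trusts it if the answers agree. The following is an added example, not code from the thread or from any mail server, of that quorum check on the sender's side, extended with first-use pinning of the accepted fingerprint so that a later change is refused rather than silently used. Server names, domain names, key bytes and the fingerprint function are constructed stand-ins; the public-key encryption of the outgoing message itself is out of scope here.

```python
# Added example, not from the thread: the key-server quorum check in the
# server-to-server scheme proposed above. The sending MTA asks several key
# servers for the receiving domain's key, accepts only a key a quorum of
# them agree on, and pins the fingerprint it first accepted so that a
# later change is refused instead of silently used. Server names, domains
# and key bytes are constructed; the actual encryption step is out of scope.
import hashlib
from collections import Counter


def fingerprint(pubkey: bytes) -> str:
    # Stand-in for an OpenPGP fingerprint: hash of the key material.
    return hashlib.sha256(pubkey).hexdigest()[:40]


class NoQuorumError(Exception):
    pass


class KeyChangedError(Exception):
    pass


def resolve_domain_key(domain, responses, quorum, pins):
    """responses: list of (server_name, pubkey_bytes or None for no answer).

    Returns (pubkey, fingerprint, dissenting_servers). Raises if fewer than
    `quorum` servers agree, or if the agreed key differs from the pinned one.
    `pins` is the MTA's persistent domain -> fingerprint cache (a dict here).
    """
    answers = {name: fingerprint(key) for name, key in responses if key is not None}
    if not answers:
        raise NoQuorumError(f"{domain}: no key server answered")
    fp, votes = Counter(answers.values()).most_common(1)[0]
    if votes < quorum:
        raise NoQuorumError(f"{domain}: {votes} of {len(answers)} agree, need {quorum}")
    pinned = pins.get(domain)
    if pinned is not None and pinned != fp:
        raise KeyChangedError(f"{domain}: pinned {pinned[:8]}.. but servers now say {fp[:8]}..")
    pins[domain] = fp
    dissenters = sorted(name for name, f in answers.items() if f != fp)
    pubkey = next(key for _, key in responses if key is not None and fingerprint(key) == fp)
    return pubkey, fp, dissenters


def check(domain, responses, quorum, pins) -> str:
    """Map the outcome to a delivery decision for the outgoing message."""
    try:
        resolve_domain_key(domain, responses, quorum, pins)
        return "encrypt"
    except NoQuorumError:
        return "no-quorum"     # policy choice: defer, never fall back to cleartext
    except KeyChangedError:
        return "key-changed"   # needs an operator to look, not an automatic re-pin


# Constructed data.
EARTHLINK_KEY = b"constructed public key for earthlink.net"
ROGUE_KEY = b"constructed key published by an attacker"

HONEST_MAJORITY = [("ks-a.example", EARTHLINK_KEY),
                   ("ks-b.example", EARTHLINK_KEY),
                   ("ks-c.example", ROGUE_KEY)]          # one poisoned server
ROGUE_MAJORITY = [("ks-a.example", ROGUE_KEY),
                  ("ks-b.example", ROGUE_KEY),
                  ("ks-c.example", EARTHLINK_KEY)]       # two poisoned servers
SPLIT = [("ks-a.example", EARTHLINK_KEY),
         ("ks-b.example", ROGUE_KEY),
         ("ks-c.example", None)]                          # third server timed out


if __name__ == "__main__":
    pins = {}
    key, fp, bad = resolve_domain_key("earthlink.net", HONEST_MAJORITY, 2, pins)
    print("accepted", fp[:16], "dissenters:", bad)
    print(check("earthlink.net", ROGUE_MAJORITY, 2, pins))   # key-changed
    print(check("pacbell.net", SPLIT, 2, pins))              # no-quorum
```

The quorum alone only protects against a minority of bad key servers; run `check` on `ROGUE_MAJORITY` with an empty `pins` and it happily returns "encrypt", which is why the pin is kept and why a changed key should go to a human rather than be re-pinned automatically.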

TheWatcher
07-31-2002, 04:12 AM
Originally posted by Neural
I always thought it would be neat if there was some server level encryption of email so that even if you chose not to encrypt your email, that the mail servers would talk to each other encrypted.

Basically each mail server would generate a public and private key. The public key would be hosted on numerous key servers. When I send email from my pacbell.net account to someone at earthlink.net, pacbell's smtp server would connect to a number of key servers (the number varying on paranoia level to ensure that the public key being requested matches on more than one server) and encrypts all mail going to earthlink.net with earthlink's public key so that it goes from point A to point B encrypted to deter sniffing somewhere in the middle. The same concept could be used between mail client and smtp server.

Maybe something already exists like this. If so I'd like to hear more about it. I haven't paid much attention to gpg and what it is currently able to do.

Server-to-server encryption only exists if you use a VPN as your connection, though disappearing mail technology is similar to this concept, and both servers need to be their client to use public/private keys.

zzzz
10-10-2002, 11:38 PM
Server-side email encryption - Unicrypt (http://www.unicrypt.com.au/home.html)

A bit of a different approach, definitely worth having a poke around on their web site.

TheWatcher
10-11-2002, 04:15 AM
Thanks for the info, checked out the site. It seems promising because they support both PGP and S/MIME. I hope I can check the tool.

cheers,
tw.