Re: best pgp software question
I think this thread got off from the original topic, as practically speaking
gnupg or PGP will do what the poster wants. In most cases, if people
intercepting data see that it is encrypted and they have strong reason to find
out what the content of the data is, there are usually cheaper and easier ways
to go about getting it than trying to decrypt it.
I asked one of my professors who is an expert mathematician and cryptologist,
about this issue once, and he said that most of the ways organizations like the
NSA get to your data is through implementation flaws (OS, encrypting program,
key-loggers, encoding methods) not through algorithm flaws. He also said he
thought it VERY unlikely the NSA could, in a reasonable time frame,
"brute-force" a 256-bit symmetric key like AES.
If we assume the computer system itself, encryption implementation, and encoding
methods are secure (the biggest pitfall), and we assume there are no known ways
better than brute-force to crack a symmetric cipher like AES, a 256 bit key
would mean, on average, a search through 2^255 key permutations. While no one
(outside the government) knows the NSA's capabilities, assume they can try
1,000,000,000,000,000 (one quadrillion) keys a second, the average time needed
to find the key would be 1.83*e^54 years. The universe is estimated to be about
20 billion years old. I've heard based on our understanding of particle
physics, there is not enough energy in the known universe to run these kinds of
calculations.
So if done absolutely right, the encryption itself is solid. It's everything
around it that usually breaks down.
~David~
Re: best pgp software question
clark wrote:
> On 5 May 2006 22:57:46 -0700, "jennifer1988" <bk2884@hotmail.com>
> wrote:
>
> >John Wunderlich wrote:
> >> "jennifer1988" <bk2884@hotmail.com> wrote in
> >> news:1146809706.745775.253190@j73g2000cwa.googlegroups.com:
> >>
> >> > I apologize for this very basic question. I have a number of files
> >> > that I want to encrypt with pgp. They are letters, legal documents
> >> > and other similar files that I don't want anyone to see. I'm
> >> > looking for a software package to buy. Something free is good too
> >> > if it does what I want. I have many folders and many files. I
> >> > could take all the files in a folder, put them in a zip file and
> >> > then encrypt the zip file. Or, I might want to encrypt each file
> >> > individually. Is there a software package that will take 100 or so
> >> > files and encrypt each one of them individually with a few strokes
> >> > by me? What software is best?
> >> >
> >>
> >> I would recommend the (IMHO) excellent freeware "Truecrypt".
> >> It works by creating a virtual disk that exists as an encrypted
> >> container file on your computer and when given the correct password will
> >> mount as a drive on your computer. Once mounted, you have free access
> >> to read/write anything on this virtual disk until it is dismounted --
> >> at which time it reverts to an encrypted container file. Many options.
> >> Much less messy than working with encrypted zip files.
> >>
> >> The functionality is similar to "PGP Disk" at a fraction of the cost
> >> and does not depend on PGP being installed on a given system.
> >>
> >
> >Thanks for telling me about it. How secure is it?
>
> Truecrypt has a good pedigree, and the designers use serious methods
> of protection based on known-good practice.
>
> If you choose a strong password and keep it secret the security
> offered in Truecrypt is strong (high) security.
>
> Do not forget to keep a copy of that password somewhere safe as if you
> forget your password, there is no way to recover the data.
>
> The documentation is good and they have a "Beginners Tutorial" to get
> you going.
>
> And Truecrypt is a free product.
>
Is it better than PGP? What are its advantages over PGP?
> And remember that using any combination of current or past names
> and numbers (telephone, street address, SSN, friends names, lover's
> names, children's names, pet's names, birthdays, model of car,
> favorite colors, cuss words, slang terms, or famous passages of text)
> will allow your password to be recovered in a short period of time.
>
> This is true for any security product, yet over 95% of people's
> passwords are derived from those very same parameters, so the large
> majority of folks are not using strong passwords.
>
> A good, strong password is generally hard to remember at first, and
> that is why you need to be able to refer to it, until it gets
> engrained in your memory.
>
In your opinion, should passwords be longer than 16 characters?
> >
> >Jennifer
> >
> >> <http://www.truecrypt.org>
> >>
> >> HTH,
> >> John
Re: best pgp software question
Tom McCune wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> "jennifer1988" <bk2884@hotmail.com> wrote in
> news:1146978712.563514.20970@j73g2000cwa.googlegroups.com:
>
> > Thanks for all the information.
> > I too am afraid of anything that's closed sourced. But, I also wonder
> > if the NSA has
> > a supercomputer no one knows about that has cracked PGP. And I wonder
> > if the NSA has a secret satellite that can hear everyone's keystrokes.
> > Maybe it would be safe to try and use PGP in a deep underground cave.
> > Jennifer
>
> I don't know about these possibilities, but in my opinion, if the NSA is
> really after my data, there is probably little I can do to prevent them
> from getting it. At least for me, protecting against attack by the NSA is
> just not worth the time, effort and expense it would take.
>
Sure, if they were after you, that's true. I don't have anything
illegal to hide. Some people, like me, believe law-abiding citizens
have the right to some privacy. Even if it's nothing special, I want
the right to keep it private from anyone. The NSA wants to see
everything, no matter what it is. They want to destroy privacy.
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.0.6 (Build 6060)
> Comment: My PGP FAQ: http://www.mccune.cc/PGP.htm
>
> -----END PGP SIGNATURE-----
Re: best pgp software question
Borked Pseudo Mailed wrote:
> jennifer1988 wrote:
>
> > Thanks for all the information.
> > I too am afraid of anything that's closed sourced.
>
> Why would you feel fear?
I fear them because they could have backdoors no one knows about.
> Closed source encryption algorithms and
> applications just aren't as trustworthy.
Ok. So why don't you feel fear?
> Peer review is essential for
> algorithms and highly desirable for applications using well reviewed
> algorithms, but it's not any sort of guarantee.
>
True. But it's better than nothing.
> > But, I also wonder if
> > the NSA has
> > a supercomputer no one knows about that has cracked PGP.
>
> You're either worrying way too much about information that isn't that important,
> or way too little about "State Secret" caliber data. In which case you
> wouldn't be discussing it here, so we have to assume the former.
>
You can assume the former. I believe in the principle of privacy, even
of my boring things.
> What do you have, that the NSA or anyone would want to waste time
> decrypting?
>
Nothing criminal or anything like that. The NSA wants to take away my
privacy. I hate anyone who wants to take away a freedom.
> There's no such thing as absolute security in the practical world, it's
> all about risk assessment and mitigation. If you need to secure something
> you need to make an intelligent decision about how to secure it from the
> sort of attacker you're likely to encounter. If you're dealing in NSA
> level information you've already screwed the pooch by asking about it in a
> public forum. You should be using private couriers with fake passports,
> exploding briefcases, and cyanide pills.
>
I need to get those.
> > And I wonder if
> > the NSA has a secret satellite that can hear everyone's keystrokes.
>
> Why would they need a satellite? It's much more cost effective to sit
> across the street in a van. :)
>
True. But they could be data mining, looking at millions of people at
one time.
> > Maybe
> > it would be safe to try and use PGP in a deep underground cave. Jennifer
>
> Maybe the cave doesn't matter. Your biggest threat is during transmission,
> and more importantly, your own recklessness in divulging the very
> existence of your cave hideout.
>
> Strike two...... :)
True. But I'm sure the NSA has thought of people in caves long before I
did.
Jennifer
Re: best pgp software question
David Eather wrote:
> I heard once (on a post on sci.crypt) that v9 of PGP will run for 30
> days as a full featured demo and then switches to a free ware mode (no
> disk encryption) Hope that helps (HA)
>
Is there something better than v9?
> > I apologize for this very basic question. I have a number of files that
> > I want to encrypt with pgp. They are letters, legal documents and other
> > similar files that I don't want anyone to see. I'm looking for a
> > software package to buy. Something free is good too if it does what I
> > want. I have many folders and many files. I could take all the files in
> > a folder, put them in a zip file and then encrypt the zip file. Or, I
> > might want to encrypt each file individually. Is there a software
> > package that will take 100 or so files and encrypt each one of them
> > individually with a few strokes by me? What software is best?
> >
> > I went to:
> >
> > http://www1.pgpstore.com/product.html/?productid=524508&currencies=USD
> >
> > and looked at:
> >
> > PGP Desktop Home 9.0
> >
> > This is the link:
> >
> > http://www1.pgpstore.com/product.html?productid=300023321&sessionid=381637284&random=afc3c8595062196d98ecc03ba24e9ff2&currencies=USD
> >
> > It costs 99 dollars. Would anyone recommend that one or not? Is there
> > one better? Is there one cheaper?
> >
> > Please help.
> >
> > Jennifer
> >
> )
Re: best pgp software question
charlie kroeger wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> 05/07/2006
>
> jennifer1988 wrote:
>
> >> Ok. What I worry about though is hardware or spyware that records or
> >> hears keystrokes. That seems to me hard to guard against.
>
> That's a scary thing to be sure. I don't know what to tell you. For
> myself, I use Password Safe to copy directly to the clipboard some
> impossible password (all of them are in fact impossible to remember
> that's what machines are for) and then it's pasted into an
> application. Of course if you are being logged they will log your
> password to open Password Safe anyway so you're humped there too.
> It's like James Thurber said, "there's no security in numbers or
> anywhere else." Welcome to the world Wash.
>
Even in George Orwell's 1984, there seemed to be places to hide from
Big Brother's eyes.
Suppose you do this: erase a hard drive, install the OS, then install
PGP, that guards against spyware.
> >> Ok. But is it possible that the NSA has a highly advanced supercomputer
> >> that no one knows about that has cracked PGP and has a backdoor? Or
> >> maybe the NSA has a secret satellite that can hear the keystrokes of
> >> everyone?
>
> Have you heard of quantum computers? I pasted this directly from the
> Wikipedia, the free encyclopedia:
>
> A quantum computer is any device for computation that makes direct
> use of distinctively quantum mechanical phenomena, such as
> superposition and entanglement, to perform operations on data. In a
> classical (or conventional) computer, the amount of data is measured
> by bits; in a quantum computer, it is measured by qubits. The basic
> principle of quantum computation is that the quantum properties of
> particles can be used to represent and structure data, and that
> quantum mechanisms can be devised and built to perform operations
> with this data.
>
> Experiments have been carried out in which quantum computational
> operations were executed on a very small number of qubits. Research
> in both theoretical and practical areas continues at a frantic pace,
> and many national government and military funding agencies support
> quantum computing research, to develop quantum computers for both
> civilian and national security purposes, such as cryptanalysis.
>
Thanks for posting this. It is scary. Even when there are limits to
supercomputers, they'll increase speed and effectiveness with better
algorithms.
> It looks like puny algorithms and passphrases would be cracked
> before lunchtime. I also read that you're right, the sound of your
> keyboard can reveal what keys you're touching. As for secret
> satellites I bet they're up there already with names like the Cheney
> fighting module and the Bush advanced laser detecting appliance.
>
Maybe they have some Orwellian name like 'Freedom Protector' or 'civil
liberty protector'
> >> Please send them to me. I looked and looked and couldn't find them.
>
> I'll make it so.
>
Thanks.
> >> Thanks.
> >> Peace, sadly - probably not possible today,
> >> Jennifer
>
> I'll have to dust off my windows side of the computer blow out the
> cobwebs. I will send the file in question and my off newsgroup
> address to confirm it passed through the hotmail filters.
>
Thanks.
Jennifer
> C.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFEXaRd9HLs2IZF4wURA0LqAKC67xLRIVsQjtQFRiHPDhRpL2Lb7QCgvzoG
> yKZStuBBc3jkpyQ2du+oGz0=
> =eyAU
> -----END PGP SIGNATURE-----
Re: best pgp software question
jennifer1988 wrote:
> Borked Pseudo Mailed wrote:
>> jennifer1988 wrote:
>>
>> > Thanks for all the information.
>> > I too am afraid of anything that's closed sourced.
>>
>> Why would you feel fear?
>
> I fear them because they could have backdoors no one knows about.
Source code isn't a guarantee that a program has no back doors, nor is it
the only way to find them if they exist. It's certainly helpful, but I'd
sooner trust a closed source application using standard algorithms offered
by a reputable author than an open source implementation of an untested
algorithm devised by some guy who calls himself "Mr. Krypto". ;)
If you fear back doors, you need to fear them in all applications. Even
more pressing is the issue of simple mistakes. They're both threats to
your security that have from time to time "magically appeared" in crypto
software of both open and closed source varieties. If your data relies on
a dire need for absolute cryptographic security, you're completely out of
luck. What you need to be considering is a strong dose of physical
security, maybe with a crypto chaser.
>> Closed source encryption algorithms and applications just aren't as
>> trustworthy.
>
> Ok. So why don't you feel fear?
Two reasons:
1. My data isn't so important that I have to worry about the NSA or the
FBI dorking around with it. The threats I see on the horizon are
incompetent wannabes like the guy who tries to steal my laptop and finds
out all my vital information is in an encrypted container. I'm confident
my passwords and scanned images of official documents are safe from that
sort of attack.
2. I'm fully aware of the risks and benefits of encryption, and have a lot
of trouble feeling fear for anything I understand. Fear is generally
something you feel either because you see an imminent threat, which I
don't, or a result of facing the unknown.
If I WAS afraid in any way that I might fall victim to some sort of back
door, then I would certainly take additional steps to make sure my data
was removed from any possibility of compromise. Like a secret panel in
the back of a closet with an electrified door leading to a hardened bunker
guarded by packs of rabid Rottweilers. Something like that. ;-)
>
>> Peer review is essential for
>> algorithms and highly desirable for applications using well reviewed
>> algorithms, but it's not any sort of guarantee.
>>
> True. But it's better than nothing.
Usually. If you don't place too much faith in it, it's fine. It's
something to consider when choosing security applications, especially so
when examining what algorithms are used. All other things being equal it's
more prudent to choose open source crypto over closed source, but it's not
the sole deciding factor. If you place too much faith in open source, you
run the risk of making a bad decision because of that ill placed faith.
>> > But, I also wonder if
>> > the NSA has
>> > a supercomputer no one knows about that has cracked PGP.
>>
>> You're either worrying way too much about information that isn't that
>> important, or way too little about "State Secret" caliber data. In which
>> case you wouldn't be discussing it here, so we have to assume the
>> former.
>>
> You can assume the former. I believe in the principle of privacy, even of
> my boring things.
Then you'll be more than protected if you simply stick with any time
tested crypto application offered by a reputable company. Closed source or
otherwise. You're hiding stuff from associates and the occasional crook,
not the super secret crypto cracking division of some joint NSA/FBI task
force on Jennifer's evil data. :)
The majority of the more widely respected crypto programs happen to be
open source, and for good reasons, but at our mere mortal levels it's more
of a matter of personal comfort than any real threat of compromise.
>> What do you have, that the NSA or anyone would want to waste time
>> decrypting?
>>
> Nothing criminal or anything like that. The NSA wants to take away my
> privacy. I hate anyone who wants to take away a freedom.
They do at that I suppose, but wasting time on you would mean OBlahBlah
Bin Terrorizin would have that much less resource dedicated to him. And if
they ever actually DID anything with your information at all it would be a
sure sign whatever program you're using is FUBAR, and that company as well
as their ability to back door real BadGirls(tm) would be down the toilet.
>> There's no such thing as absolute security in the practical world, it's
>> all about risk assessment and mitigation. If you need to secure
>> something you need to make an intelligent decision about how to secure
>> it from the sort of attacker you're likely to encounter. If you're
>> dealing in NSA level information you've already screwed the pooch by
>> asking about it in a public forum. You should be using private couriers
>> with fake passports, exploding briefcases, and cyanide pills.
>>
> I need to get those.
Tell the truth now..... you just want hunky guys in fresh pressed suits
who reek of mystery and gunpowder hanging around. ;-)
>> > And I wonder if
>> > the NSA has a secret satellite that can hear everyone's keystrokes.
>>
>> Why would they need a satellite? It's much more cost effective to sit
>> across the street in a van. :)
>>
> True. But they could be data mining, looking at millions of people at one
> time.
They can do that from the comfort of any piece of backbone Internet
connection. Much more cost effective than developing the technology to
listen to keystrokes from the vacuum of space I'd wager.
>> > Maybe
>> > it would be safe to try and use PGP in a deep underground cave.
>> > Jennifer
>>
>> Maybe the cave doesn't matter. Your biggest threat is during
>> transmission, and more importantly, your own recklessness in divulging
>> the very existence of your cave hideout.
>>
>> Strike two...... :)
>
> True. But I'm sure the NSA has thought of people in caves long before I
> did.
Ahhh but therein lies the rub. They were unaware of YOURS until you went
and spilled the beans here in Usenetland. Now your cave is useless, and
you've learned the most valuable crypto lesson you ever will. Unless
there's some fatal flaw in your crypto, which nothing can guarantee
doesn't exist, it's you the user who is by FAR the weakest link. Crypto of
the modestly good sort used effectively is a LOT more secure than the
world's best crypto used sloppily.
Re: best pgp software question
On 8 May 2006 21:06:18 -0700, "jennifer1988" <bk2884@hotmail.com>
wrote:
[snip known history]
>
>Is it better than PGP? What are its advantages over PGP?
If all you want is to create an area that is secure, where you can place
your documents and feel reasonably sure (given a strong password) that
they are safe from the eyes of others, then yes it is.
I'm just going to give you Truecrypt's advantages. Do some homework on
the PGP.
The advantages, to me, are Truecrypt's simplicity of operation and the
methods they used to craft the security.
They are using LRW mode for disk encryption:
http://www.truecrypt.org/user-guide/?s=modes-of-operation
Truecrypt provides source code so it can be scrutinized and
re-compiled by all.
They provide for plausible deniability by construction of their disk
volumes which are not distinguishable from random data.
You can easily change your password if you want and not lose any of
the data.
It works under Windows and Linux.
It is free of charge and the people that write it are very serious
about what they are doing.
[snip known history]
>
>In your opinion, should passwords be longer than 16 characters?
>
What you are looking for is entropy, which is a 5 dollar word for
randomness.
If you are going to use every available character from 00-FF Hex in
completely random fashion then 16 characters is really good.
That would give you close to 128-bit entropy.
But you won't be doing that, so you'll need a way to stretch out your
passphrase into something that contains enough entropy, but that you
can enter on a keyboard and remember.
http://world.std.com/~reinhold/diceware.html
You can start with the link above if you really want to know about
some of the issues relating to passwords and their creation.
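An added example, not part of any post in this thread, that puts numbers on the entropy point above and on the brute-force estimate in the first post. It assumes symbols are chosen uniformly at random, uses the first post's hypothetical rate of one quadrillion guesses per second, and all function names are illustrative.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption borrowed from the first post: 10**15 guesses per second,
# with each guess costing the attacker a single key trial (no key stretching).
GUESSES_PER_SECOND = 1e15

# A Diceware word list has one entry per roll of five dice: 6**5 = 7776 words.
DICEWARE_WORDS = 6 ** 5


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly and independently.

    Passwords built from names, dates or famous phrases are NOT uniform,
    so this figure is an upper bound for anything a human made up.
    """
    return length * math.log2(alphabet_size)


def units_needed(alphabet_size, target_bits):
    """Smallest count of uniformly random symbols that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def average_search_years(bits, rate=GUESSES_PER_SECOND):
    """Expected exhaustive-search time: half the space, 2**(bits-1) guesses."""
    return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR


def roll_diceware_keys(word_count):
    """Simulate five dice per word with a CSPRNG.

    Returns one 5-digit key per word (digits 1-6); each key is then
    looked up in a printed Diceware word list.
    """
    return [
        "".join(str(secrets.randbelow(6) + 1) for _ in range(5))
        for _ in range(word_count)
    ]


def compare_schemes(target_bits=128):
    """For each scheme: (name, symbols needed, entropy reached, avg. years)."""
    schemes = {
        "random bytes 00-FF": 256,
        "printable ASCII": 95,
        "lowercase letters": 26,
        "Diceware words": DICEWARE_WORDS,
    }
    rows = []
    for name, size in schemes.items():
        count = units_needed(size, target_bits)
        bits = entropy_bits(size, count)
        rows.append((name, count, bits, average_search_years(bits)))
    return rows


if __name__ == "__main__":
    print(f"256-bit key: {average_search_years(256):.3g} years on average")
    for name, count, bits, years in compare_schemes():
        print(f"{name:20s} {count:3d} symbols  {bits:6.1f} bits  {years:.3g} years")
    print("dice keys to look up:", " ".join(roll_diceware_keys(10)))
```

The passphrase, not the cipher key, sets the real search space: a 256-bit AES key protected by a passphrase with 40 bits of entropy is only as strong as those 40 bits.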
Re: best pgp software question
jennifer1988 wrote:
<snip>
> The NSA wants to take away my privacy. I hate anyone who wants to take away a freedom.
After 9/11, privacy and freedom are not the same thing.
You have your freedom from giving up a little of your privacy.
Like it, or not, that's the way it works.
Re: best pgp software question
noload <noload@dot.com> wrote:
> jennifer1988 wrote:
>
> <snip>
> > The NSA wants to take away my privacy. I hate anyone who wants to take away a freedom.
>
> After 9/11, privacy and freedom are not the same thing.
>
That is the lie that the Bush Administration would have us believe. I refuse.
> You have your freedom from giving up a little of your privacy.
>
That is a contemptible lie. Giving up any privacy is the beginning of the
surrender of all freedom.
> Like it, or not, that's the way it works.
No, it isn't.
When society reaches the point where it's mandatory to have ID, then it is
time to move. The problem with the world now is that there are very few places
left to move TO, most of them being extremely inhospitable.
Re: best pgp software question
In article <8M-dnUxLCdmqCP3ZnZ2dnUVZ_s6dnZ2d@northstate.net>,
noload@dot.com says...
> jennifer1988 wrote:
>
> <snip>
> > The NSA wants to take away my privacy. I hate anyone who wants to take away a freedom.
>
> After 9/11, privacy and freedom are not the same thing.
>
> You have your freedom from giving up a little of your privacy.
>
> Like it, or not, that's the way it works.
>
No, that is the way we move away from freedom. Privacy and anonymity
are the roots of all freedom.
While they systematically remove the checks and balances and ignore laws
as not relevant to them, they chant "If you have nothing to hide you
have nothing to fear" and "only criminals have something to hide". It's
the mantra of the day.
I reply to that: "If _you_ have nothing to hide then you should have
nothing to fear from proper judicial oversight". Yet, they keep working
to remove it. Well, it's not me that is hiding here and if their words
of "only criminals have something to hide" have any truth, why are they
hiding from proper oversight?
/steve
--
Cotse.Net Privacy Service
Advanced e-mail, ssh, proxies, web hosting, and more.
Your Shield From The Internet
http://www.cotse.net
Re: best pgp software question
"jennifer1988" <bk2884@hotmail.com> wrote in
news:1147147578.833286.162380@v46g2000cwv.googlegroups.com:
[...]
> clark wrote:
>> If you choose a strong password and keep it secret the security
>> offered in Truecrypt is strong (high) security.
>>
>> Do not forget to keep a copy of that password somewhere safe as
>> if you forget your password, there is no way to recover the data.
>>
>> The documentation is good and they have a "Beginners Tutorial" to
>> get you going.
>>
>> And Truecrypt is a free product.
>>
>
> Is it better than PGP? What are its advantages over PGP?
Security-wise, it's probably equivalent to PGP. I prefer it because
it's independent of PGP. I once used PGP Disk and when I updated my
version of PGP, my PGP disk was no longer accessible. I had to
uninstall PGP and re-install the older PGP to recover the data.
Since then, PGP has improved the effects of updating, but it still
left a bad taste in my mouth...
>
>> And remember that using any combination of current or past
>> names and numbers (telephone, street address, SSN, friends names,
>> lover's names, children's names, pet's names, birthdays, model of
>> car, favorite colors, cuss words, slang terms, or famous passages
>> of text) will allow your password to be recovered in a short
>> period of time.
>>
>> This is true for any security product, yet over 95% of people's
>> passwords are derived from those very same parameters, so the
>> large majority of folks are not using strong passwords.
>>
>> A good, strong password is generally hard to remember at first,
>> and that is why you need to be able to refer to it, until it gets
>> engrained in your memory.
>>
>
> In your opinion, should passwords be longer than 16 characters?
Obviously the longer the better. That's why they're now called
"passphrases" instead of "passwords". Truecrypt also has the option of a
"key file" where you can point it to a file on your disk and it will
use the contents of that file to generate the crypto key. The file
better not change, though.
HTH,
John
Re: best pgp software question
On Tue, 09 May 2006 21:48:06 +0100, Anonymous wrote:
>
> When society reaches the point where it's mandatory to have ID, then it is
> time to move. The problem with the world now is that there are very few places
> left to move TO, most of them being extremely inhospitable.
Let's hope that some catastrophe, natural or manmade, will clean out the
excess and get the world population down to something reasonable. One
billion sounds like a nice round number, giving the world plenty of people
to keep the high-tech stuff going, while giving everyone lots of room.
No one will give a damn then about IDs and what's going on in the Middle
East, or the rest of the insane stuff we live with today.
I say the sooner the better.
Re: best pgp software question
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 8 May 2006 21:06:18 -0700, "jennifer1988" <bk2884@hotmail.com> wrote:
Hi Jennifer
>Is it better than PGP? What are its advantages over PGP?
I prefer it to PGP because it has more options (algos). It doesn't require
installation* and has nice little features such as key files and hidden
volumes. It is also a very stable application. It has never failed me.
>In your opinion, should passwords be longer than 16 characters?
Depends on what it's for. I tend to never use less than 15 characters for
passwords unless the system doesn't support passwords of that length.
Normally I have 8-10 words as my passphrase so around 50 characters total.
For a Windows password there are a lot of advantages to using >14
characters, one of the biggest being that it stops the LM hash being stored.
Read http://blogs.technet.com/robert_hensing/archive/2004/07/28/199610.aspx
for more information.
For PGP I never use a password, only a passphrase.
* Administrator access is needed to the system to run in "traveller" (not
installed) mode. If you install TrueCrypt it is then possible for a non
admin (power user) to use TrueCrypt however I could be wrong on this, it's
been a while since I checked.
Morgan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32) - GPGshell v3.51
Comment: Key not available on key servers
Comment: Please get from http://mrp.freeshell.org
-----END PGP SIGNATURE-----
Re: best pgp software question
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Morgan <me@privacy.net> wrote in
news:qh5u62h6br1ssl0jc8i84vtv82i6hkfv3k@4ax.com:
>>Is it better than PGP? What are its advantages over PGP?
>
> I prefer it to PGP because it has more options (algos). It doesn't
> require installation* and has nice little features such as key files and
> hidden
> volumes. It is also a very stable application. It has never failed me.
<snip>
My news server has not retained prior posts in this thread, but this
appears to be in relation to TrueCrypt. Based on this assumption, I can't
resist stating that PGP's Virtual Disk now defaults to using 256 bit AES
for the symmetric algorithm. Recent versions also have options of 128 bit
CAST and 256 bit Twofish. Personally, I just can't think of a reason why
including additional algorithms serves any real purpose in increasing
security. I don't recall the details now, and whether this was related to
either TrueCrypt or an ancestor of it, but I have seen at least one other
such product that included multiple symmetric options, with some being very
secure, and with at least one such option being quite weak.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
Comment: My PGP FAQ: http://www.mccune.cc/PGP.htm
-----END PGP SIGNATURE-----
Re: best pgp software question
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sat, 20 May 2006 14:42:00 GMT, Tom McCune <news1@DELETE_THISmccune.cc>
wrote:
>My news server has not retained prior posts in this thread, but this
>appears to be in relation to TrueCrypt. Based on this assumption, I can't
>resist stating that PGP's Virtual Disk now defaults to using 256 bit AES
>for the symmetric algorithm. Recent versions also have options of 128 bit
>CAST and 256 bit Twofish. Personally, I just can't think of a reason why
>including additional algorithms serves any real purpose in increasing
>security. I don't recall the details now, and whether this was related to
>either TrueCrypt or an ancestor of it, but I have seen at least one other
>such product that included multiple symmetric options, with some being very
>secure, and with at least one such option being quite weak.
Hi Tom. Yes, the post was regarding TrueCrypt.
I guess it is more for performance than for security (although TrueCrypt
also allows for two and three level encryption with different algorithms
such as AES-Twofish-Serpent, I do not know mathematically what extra
protection this gives you though).
The biggest reason I prefer TrueCrypt over PGPdisk is portability (no
install needed, no license problems) and its features such as hidden volumes
and being able to use a raw device (such as an external HDD).
While PGPdisk is very nice, the fact it is only available as part of the PGP
suite makes it difficult to use on a mobile device unless you purchase
multiple licenses. A standalone version of PGPdisk for $50 or so would be
great IMHO.
Morgan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32) - GPGshell v3.51
Comment: Key not available on key servers
Comment: Please get from http://mrp.freeshell.org
-----END PGP SIGNATURE-----
--
Morgan
PGP Keys http://mrp.freeshell.org
Entropy isn't what it used to be
Re: best pgp software question
jennifer1988 wrote:
> David E. Ross wrote:
>> jennifer1988 wrote:
>>> I apologize for this very basic question. I have a number of files that
>>> I want to encrypt with pgp. They are letters, legal documents and other
>>> similar files that I don't want anyone to see. I'm looking for a
>>> software package to buy. Something free is good too if it does what I
>>> want. I have many folders and many files. I could take all the files in
>>> a folder, put them in a zip file and then encrypt the zip file. Or, I
>>> might want to encrypt each file individually. Is there a software
>>> package that will take 100 or so files and encrypt each one of them
>>> individually with a few strokes by me? What software is best?
>>>
At present, I mainly use GnuPG to sign files, so I have a way of
checking later to see if the file was modified since it was signed. I
will also be using GnuPG in tandem with Gizmo and Zfone for VOIP in the
near future. For encrypting individual files or collections of files,
however, I strongly recommend you consider using TrueCrypt. All of the
software packages I have named here are $-free, open-source projects that
support both Linux and WindowsXP. (I don't have WindowsXP on my
computer.) I also think it is smart to use an on-screen keyboard any
time you have to type in a GnuPG or a TrueCrypt password.
--
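Added example, not part of the post above: the sign-now, check-later workflow it describes, applied to a whole folder with one detached GnuPG signature per file. It assumes GnuPG 2.1 or later on the PATH; the function names, the throwaway passphrase-less demo key and the isolated keyring are constructed for illustration.

```shell
#!/bin/sh
# Detached GnuPG signatures as a later tamper check (added example).
# Assumption: GnuPG 2.1+ is installed. The key below is a throwaway demo key.

# Create a passphrase-less signing key in an isolated, temporary keyring.
# A real key would keep its passphrase; the empty one only keeps the demo
# non-interactive.
make_demo_key() {
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        default default never >/dev/null 2>&1
}

# Write FILE.sig next to every regular file in directory $1.
sign_dir() {
    for f in "$1"/*; do
        case $f in *.sig) continue ;; esac
        [ -f "$f" ] || continue
        gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
            --output "$f.sig" --detach-sign "$f" || return 1
    done
}

# Print the name of each file in $1 whose signature is missing or no
# longer matches its content. Empty output means nothing changed.
modified_files() {
    for f in "$1"/*; do
        case $f in *.sig) continue ;; esac
        [ -f "$f" ] || continue
        gpg --batch --quiet --verify "$f.sig" "$f" >/dev/null 2>&1 \
            || basename "$f"
    done
}

# Stop the agent started for the demo keyring and delete the keyring.
cleanup_demo_key() {
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$GNUPGHOME"
}
```

Verification only proves the file matches what was signed if the `.sig` files and the public key are kept where someone who can alter the documents cannot also replace them.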
Re: best pgp software question
only asking wrote:
> At present, I mainly use GnuPG to sign files, so I have a way of
> checking later to see if the file was modified since it was signed. I
> will also be using GnuPG in tandem with Gizmo and Zfone for VOIP in the
> near future.
Oops. I misspoke. Zfone does *not* require GnuPG or anything like it:
Zfone uses a new VoIP encryption protocol called ZRTP to secure Internet
telephone calls. The protocol provides a high level of security because
it doesn't rely on public key infrastructure (PKI), key certification,
trust models or certificate authorities. *** ZRTP does the key
agreement process on a peer-to-peer basis, using a new key for each
telephone call.***
[from http://www.voip-news-net.com/2006/05/zfone_for_windo.html]
And Gizmo has nothing to do with encryption, it just handles the VOIP.