-----BEGIN PGP SIGNED MESSAGE-----
Security and Encryption FAQ Revision 11
by Doctor Who
Introduction
A copy of this text is available at:
http://www.hellfire.demon.nl/guest/es-faq/
and at:
http://www.fortunecity.com/victorian/hartford/190/crypfaq.htm
Also here is a technical message board about security:
http://www.messagezone.com/message.asp?BoardName=101908
Acknowledgements
I have received many helpful suggestions and hints from many people -
too many to thank individually - so thank you one and all. I am most
heartened by the spirit of co-operation I have experienced in the
production of this FAQ. What started out as a few jottings from my
experiences, has evolved with several useful hints and suggestions
into a rather longer and I hope, much more useful document.
Purpose of this FAQ
The purpose of this FAQ is to help those who wish to improve their
privacy. If you view or store sensitive data on your computer this
FAQ could be of help to you. It is not intended as a comprehensive
overview of computer security, merely a means to that end. Links are
provided throughout the FAQ. They are repeated in a list at the end
for your convenience, plus other links offering further reading. This
FAQ concentrates on computer security of sensitive data in the home.
It also touches on privacy whilst online with Email and Usenet
postings.
Why do I need Encryption?
"Anonymity is a shield from the tyranny of the majority... It thus
exemplifies the purpose behind the Bill of Rights, and of the First
Amendment in particular: to protect unpopular individuals from
retaliation -- and their ideas from suppression - at the hand of an
intolerant society."
- -- Justice Stevens, McIntyre v. Ohio Elections Commission, 1996
If a Supreme Court Judge deems it a person's right, who would argue?
How does encryption work?
In its simplest sense, the plaintext is combined with a mathematical
algorithm (a set of rules for processing data) such that the original
text cannot be deduced from the output file, hence the data is now in
encrypted form. To enable the process to be secure, a key (called the
passphrase) is combined with this algorithm. Obviously the process
must be reversible, but only with the aid of the correct key. Without
the key, the process should be extremely difficult. The history and
progress of encryption is beyond the scope of this FAQ, but the
important point to understand is that the best modern encryption
algorithms are virtually unbreakable by anyone so far as is known,
including Government Agencies.
I want my Hard Drive and my Email to be secure, how can I achieve
this?
You need two different types of encryption software. For Email you
need a system of encryption called public key cryptography. This
system uses a key pair. One key is secret and the other is made
public. Anybody sending you mail simply encrypts their message to you
with your public key. They can get this key either directly from you
or from a public key server. This key is obviously not secret - in
fact it should be spread far and wide so that anybody can find it if
they wish to send you encrypted Email. The easiest way to ensure
this is by submitting it to a public key server.
The only way to decrypt this incoming message is with your secret key.
It is impossible to decrypt using the same key as was used to encrypt
the message, your public key. Thus it is called asymmetrical
encryption. It is a one way system of encryption, requiring the
corresponding (secret) key to decrypt. Actually there is a lot more
to it than this, but this is reducing the principle to its bare
essentials.
For your normal hard drive encryption, you will need a symmetrical
type of encryption program. The same key is used for both encryption
and decryption.
Which Programs do I need?
Let's deal with Email first. For your Email I recommend Pretty Good
Privacy (PGP). It is virtually the de facto Net standard for Email
cryptography. It is easily available and installed. PGP is available
in several versions as freeware. The source codes have been
published. The algorithm has, so far, survived critical analysis.
PGP is available for many platforms, including Win95/98, NT, Dos, Mac,
Unix, OS2. You can even work with the source code and compile your
own version if you are truly paranoid! PGP has several DL sites. PGP
(like all powerful crypto) is considered a munition by the American
Government, which means its export is prohibited without a license.
There are several version available for most operating systems:
Freeware Commercial
International version Windows/Mac: 5.5.3i Windows/Mac:
5.5.3ic
Other platforms: 5.0i Other platforms: N/A
US version Windows/Mac: 6.0 Windows/Mac: 6.0
Other platforms: 5.0 Unix: 5.0
Other platforms: 4.0
PGP is available here:
http://www.pgpi.com/
A FAQ for PGP dummies is here: http://www.skuz.net/pgp4dummies/
This site will give you loads of info about PGP and links to the US
versions.
The PGP FAQ is here: http://www.cryptography.org/getpgp.txt
Note: I have only limited knowledge about the newer Windows versions
of PGP, especially the version 6. I only use the Dos version 2.6.3i.
Additionally, so far as I know, the freeware version is not backward
compatible with earlier versions using RSA keys. You need to purchase
the commercial version to enjoy that privilege. Provided your chosen
version supports RSA it is backward compatible with earlier Dos
versions down to version 2.3 with smaller RSA keys and down to version
2.5 provided your key is not larger than 2048 bits. The newer Windows
versions are considered marginally more secure with the use of SHA1 in
place of MD5 for the hashing functions. There are other advantages
of having the latest version such as multiple keys can be generated
all with the same digital signature. So in the unlikely event of a
key being compromized, you can revoke it yet continue with the same
digital signature using a different key.
Which version should I use?
If you are going to send anonymous Email through the Cypherpunk
remailer system, you will need PGP version 2.6.3 for the United States
and version 2.6.3i for all other countries. These versions are also
available as 32 bit programs which speeds up the process of
encryption/decryption but maintains their compatibility with the
Cypherpunk system. If your needs are for privacy but you have no
need for anonymity, I recommend the appropriate Windows version.
It is possible to install both the Dos and the Windows versions, but
I have found it very cumbersome trying to synchronize the two separate
keyrings of the two versions. There are also various restrictions on
the choice of type of key to retain backward compatibility. I have
experienced incompatibilities between the two versions, despite
ensuring that both versions have supposedly compatible keys. The
Windows Versions offer you a choice of key types, either RSA or
Diffie-Hellman/DSS which is the default offered by PGP. The older Dos
version 2.6.3(i) can only work with the RSA type of key. Most
amateur, as opposed to commercial users, are still using RSA keys.
There is no need to be fazed by the Dos version of PGP as there are
programs available which do all the work for you. See later in the
FAQ.
Why are there two versions of PGP, RSA and Diffie-Hellman/DSS?
RSA is registered in the United States (but not elsewhere) and a
license is required to use it. There are PGP versions dedicated for
the United States which use RSAREF, a free license version of RSA for
private use only and an international version which uses normal RSA.
The Windows version does not use RSA, except in the commercial version
and only then for backward compatibility. The D-H/DSS version has
several advantages over RSA. The Cypherpunk remailers still support
RSA and if only for this reason, if you intend using the remailers,
you will need RSA. For more information about these differences I
recommend you visit the PGP site. Because of the United States ITAR
(International Trade and Armaments Regulations) PGP can not be
exported, at least not in binary form. It can however be exported
when the source code is written down in a book. The international
version is a re-compiled version from the original source code
exported legally in this way. Do not ask me to explain the absurdity
of this situation, it is beyond rational explanation.
After 20th September 2000 the license runs out on RSA and it will be
freely useable by anyone anywhere. Meanwhile, there is a licence
fee payable and so the freeware version does not include RSA. If you
want backward compatibility, which is advisable as many people are
sticking with RSA for one reason or another, then make sure your
version has RSA. You can get an earlier Windows version 5.5.3(i)
which includes both RSA and DH/DSS and is freeware. This is the
version I would recommend for best value for money if you want Windows
compatibility - it's free!
I've installed PGP, I'm ready to generate my keys, now what?
Assuming you wish to correspond anonymously via the Cypherpunk
remailer system, then create at least two separate key pairs. For
future security against improvements in computer technology, I would
suggest generating 2048 bit sized keys. The first pair are for your
Email usage. This first key should be signed and if you want others
to have access to your key to enable them to send you encrypted Email,
submit it to a key server, e.g. http://pgp5.ai.mit.edu/. You may want
to adopt a Nym (anonymous name) for this key. If you do, then choose
something that cannot be traced back to your Email address. I would
recommend you also create another Nym which will use the other key
pair. This second Nym should not allow fingering of your public key,
nor should you submit it to the key servers, nor should you sign this
key. This second Nym is for your highest security. You do not offer
this public key to anybody. In fact for the maximum possible
security, you should point your reply block for this Nym to a
newsgroup, such as alt.anonymous.messages. All incoming mail to you
via your Nym, even plaintext, will be encrypted from the Nym to
alt.anonymous.messages. This ensures that everything sent or
received by you via your Nym is secret and virtually untraceable
back to you.
For more understanding of the pros and cons of signing these keys
read the Nym FAQ.
Warning: Improper use of the Cypherpunk remailers will lead to
your Nym being blocked. This includes spamming and illegal posts.
Where can I get the Nym FAQ?
Send Email to: help@nym.alias.net - without a subject or body text.
This is essential reading before you set up a Nym.
What about the data on my Hard Drive?
PGP is excellent for Email, but for data storage it is essential to
use an "on-the-fly" encryption/decryption program. On-the-fly means
the data is ALWAYS in encrypted form on the drive, it is only
decrypted in memory (and possibly in the notorious Windows swap file
- - more about that problem later). When the drive is mounted, this
means after entering the correct passphrase and the drive is visible
as plaintext, each read/write to the drive decrypts to memory or
encrypts to the disk as necessary. It should be impossible to write
to the drive when unmounted. If it were read, it would appear as
gibberish. The advantages of this on-the-fly encryption/decryption
cannot be too strongly emphasized. It means that at all times your
files will remain in encrypted form on your hard drive. If a power
failure occurred you are not left stranded with sensitive material
lying around in plain text, except in the swap file! Yet once you
have entered your passphrase you can see the contents of the encrypted
partition, just as if it were plaintext. There are several of this
type of program, with more appearing all the time. What is most
important is that you use some form of encryption. There are many
lesser programs that offer file by file encryption/decryption, but
these offer unacceptably high security risks and should be avoided.
There are other more practical advantages to on-the-fly encryption if
you have a large hard drive. Just try decrypting several Megabytes or
even Gigabytes of files each time you boot your computer, remembering
they must all be re-encrypted at the end of the session and their
plaintext equivalents securely wiped! With modern very large drives
using strong crypto it could take hours, an absurd scenario.
Should you be in any doubt about the benefits of on-the-fly
encryption/decryption in comparison with the need to securely wipe
all data after every session, take a peek here:
http://www.cs.auckland.ac.nz/~pgut001/secure_del.html
I have Windows 95/98, what should I use?
First off, Windoze 95/98 is definitely not a security orientated
program. I believe superior security can be obtained by using NT 4.
However, this raises other issues including not all programs will work
under NT 4.
One method of improving your computer security is to disable the
Windows swapfile. To ensure reliable operation and dependant on what
programs you run, you may need several hundred megabytes of RAM.
There are several programs that offer on-the-fly
encryption/decryption. I have had experience of only three:
SecureDrive, BestCrypt and Scramdisk. SecureDrive is Dos or Win3.xx
compliant only. Scramdisk is Win 95/98 compliant only at present,
whereas BestCrypt supports both Win 95/98 and Windows NT (using the
appropriate version).
SecureDrive is available here:
ftp://utopia.hacktic.nl/pub/replay/pub/disk/secdr14b.zip
Scramdisk is available here: http://home.clara.net/scramdisk/
Or here: http://www.scramdisk.clara.net/
BestCrypt is available here: http://www.jetico.sci.fi.
Can you compare these three programs?
Features Scramdisk BestCrypt SecureDrive
Cost Free 90 USD Free
Maximum size of container/volume 2 Gigs 4 Gigs 2 Gigs
Algorithms offered 9 3 1
On-the-fly encryption/decryption yes yes yes
Supports Jaz/CD-Writer yes yes no
Easy to backup/copy yes yes no
Ability to encrypt a floppy yes yes no
Can encrypt to a file yes yes no
Ability to choose size of file yes yes no
Works with Win95/98 yes yes No
Works with Win NT no yes no
Writes to the Windows registry no yes no
Error messages with wrong passphrase no yes yes
Hot key crash close yes yes no
Timeout container/volume close yes yes no
Is the full source code published yes no yes
Ability to use a keyfile yes* no yes
Hides chosen algorithm from snoopers yes no no
Hides passphrase errors from snoopers yes no no
Ability to change file extensions yes no no
Can encrypt a whole parititon Yes no yes
Ability to hide an encrypted partition yes no no
Ability to easily change passphrase yes no yes
Ability to use stenography yes no no
Low level inputting of passphrase yes no** yes
* = A Keyfile with Scramdisk only allows secondary privilege
access. It does not work as a low level randomnly generated
passphrase as with the other two programs.
** = BestCrypt+ offers a hardware option that allows inputting of the
passphrase at BIOS level.
These are only the primary characteristics of each program. Their
adherents will probably challenge me that I have left something out
that may be of great importance to them. I am simply portraying
their features as I see their importance. There are many other
features, which can only be gleaned from using the programs.
I started off a little suspicious of Scramdisk because of early
reports of incompatibility with JBN (see later in the FAQ). This
bug has now been fixed. As Scramdisk is entirely free, you have
nothing to lose in trying it for yourself. You can try BestCrypt
free for 30 days I believe.
Which is your choice of these three?
In earlier versions of this FAQ my first choice of recommendation was
BestCrypt. I have since had more experience with Scramdisk and I
believe it is sufficiently sorted to be the program of choice for the
majority of users who need maximum security of their data on their
desktops. I still strongly commend BestCrypt for its equally strong
encryption security and ease of use. However, BestCrypt is commercial
ware, Scramdisk is freeware. BestCrypt's authors are in Finland.
Scramdisk's authors are British I believe - they prefer to remain
anonymous. SecureDrive is a FAT16 compliant program only. It is
intended for Dos and Windows 3.XX. It will also work with Win95
prior to OSR2.
Bottom line, my choice, is... Scramdisk
What about the BestCrypt Hardware board?
In the earlier revision of this FAQ I discussed the advantages of
using the BestCrypt+ hardware card as a means to combat a tempest
attack (see next question). It is an ISA standard, non plug and play
card and interrupts the normal boot sequence and allows you to input
a low level passphrase. However, I believe the disadvantage of the
severe speed restriction imposed by this now aging hardware, plus its
cost mean it is not justified.
Comparative Times taken to encrypt 1 Gigabyte
Cipher: Blowfish Gost Gost_TSM
BestCrypt: 4 mins 20 secs 9 mins 35 secs 59 mins 10 secs
Scramdisk: 2 mins 55 secs N/A N/A
Gost_TSM is Gost used in Top Secret Mode, meaning it includes the
BestCrypt+ card in the encryption sequence, hence its much slower
speed.
These are only offered for comparison purposes. Actual times to
encrypt will depend on among other things, your processor speed.
The above suggests that the hardware offered by Jetico for BestCrypt
is far too slow. If it was 10 times faster, I might recommend it.
Almost the same level of tempest protection is available with
Scramdisk by using its Red Screen mode, which is strongly recommended.
What is Tempest?
Tempest is an acronym for Transient ElectroMagnetic Pulse Emanation
Surveillance. This is the science of monitoring at a distance
electronic signals carried on wires or displayed on a monitor.
Although of only slight significance to the average user, it is of
enormous significance to serious cryptography snoopers. To minimize
a tempest attack you should screen all the cables between your
computer and your accessories, particularly your monitor. A non CRT
monitor screen such as those used by laptops offers a considerable
reduction in radiated emissions, so may be considered by the truly
paranoid. More serious (more paranoid?) users may wish to consider
screening their room. This sounds absurd but is routine with certain
Government Agencies.
Which Algorithm is best, particularly as Scramdisk offers 9?
My choice is the Blowfish algorithm. This is also the algorithm of
preference in the Scramdisk documentation. The Blowfish algorithm
was designed by Bruce Schneier in 1993. The source code is available
and has withstood 5 years of crypto-analytical scrutiny. It was
written specifically for the 32 bit microprocessor. BestCrypt offers
Blowfish with 256 bit keys, Gost and DES. Scramdisk offers Blowfish
also with 256 bit keys, Cast, 3Des, IDEA, plus several others.
SecureDrive features only the IDEA algorithm with a 128 bit key. Do
not be misled, IDEA is extremely strong with "only" a 128 bit key.
Idea has no known crypto cracks and thus can be broken only by testing
every single possible key until the right one is found. This could
theoretically mean testing every key up to 2^128=10^38 or 10 with
another 37 zero's added! Likewise, there are no known weaknesses
with Blowfish, which also can only be broken by brute force testing of
every possible key. Blowfish with its 256 bit sized key means there
are 2^256=10^76 or 10 with 75 zero's keys! This is an incredibly
large number. More than the total number of atoms in the Universe.
My main reason for suggesting Blowfish, apart from its strong
security, is its incredible speed as demonstrated in the comparison
table above. Nothing else comes close, except Twofish, which is not
yet on offer by either program.
Note: For the uninitiated the size of the key is a rough arbiter
of the strength of a program, but it is only one of the factors. The
most important is the type of encryption algorithm that is chosen.
Strong crypto algorithms (such as BlowFish, IDEA and 3DES) are for all
practical purposes uncrackable by any presently known method. Much
more worrying are security leaks in other areas, such as people who
foolishly write down their passphrase and try hiding it in the leaves
of a book or forget to wipe their swapfile or choose inappropriate
programs that reveal critical information from within their Windows
Registry, etc.
Are there any other security factors I should consider?
If you live in North America, the following section may be of only
academic interest to you and you should be able to rely on the 5th
Amendment to protect you from being forced to incriminate yourself
by having to hand over your passphrase. If however you live in the
United Kingdom or any of several other countries with a similar lack
of a written Constitiution and thus reliant on the shifting sands of
whichever Government is in power, then read this section very
carefully.
It has been suggested to me that the method employed by the Law
Enforcement Authorities of the United Kingdom is very simple. If
they wish to view the contents of your encrypted drive and you
refuse to give them your passphrase, they get a Court Order demanding
you give them your passphrase. If you do not comply with this Order,
you are in "Contempt of Court". This may lead you to prison until you
"purge" your Contempt. This reminds me of the old English method of
testing to see if someone was a witch - they simply tied them up and
threw them in a deep pond. If they sank and drowned they were
innocent, dead but innnocent! If they floated the Devil had saved
them and they were guilty, only to be dragged out and burnt at the
stake!
The British have not advanced very far in four hundred years. Human
rights are still hundreds of years behind the standards achieved by
the New World.
I live in the UK/Iraq/Iran/China/wherever, how can I be safe?
Not easy. If the above is true, other measures may be necessary
and may very well be more important than just outright strong
cryptography. One of these measures is to use steganography
(literally invisible writing). This is the science of hiding
crypto files within an innocuous and perfectly normal file.
One big advantage of ScramDisk is it does not write to your Registry.
This suggests that you could install it on a floppy and run it from
there to view an encrypted volume hidden within another file. When
you finish your session you simply remove and hide the disk. There is
then nothing left on your computer to suggest you are using
encryption. This may be very useful. It does put a VxD file within
the Windows\system folder, but that is all.
France now allows encryption! As of early February 1999, France
has joined the enlightened society and will allow strong crypto up
to 128 bit keys. Regrettably, the French authorities are now going
to give their Law Enforcement greater powers to force users to reveal
their passphrases - they give with one hand then take it back with the
other.
The United States Governement and the Labour Government of the
United Kingdom, Mainland China and many other countries have signed an
agreement that will force key escrow onto users, allow wire-tapping of
private phones, interception of Email, etc and all without any
recourse to a Legal Warrant. This means in effect that the LEA, will
be able to read anything you send in encrypted form - if you have
handed over your secret key. I personally find this totally
reprehensible. It is almost as bad as forcing everybody to have
microphones installed in their homes, just so that the authorities can
monitor what you are saying. After all, you may let slip something
that could be helpful to the authorities in their war against crime
(at least that is their so-called justification for this agreement).
George Orwell's 1984 has truly arrived!
Words fail me in expressing my total revulsion of this sort of
unwarranted invasion into our privacy. Incidentally, this is the
complete reversal of the British Labour Government's Election
Manifesto where they agreed the need for individuals to be allowed
to retain their privacy. Proof, if it were needed, of the way
Governments change when they come to office. This is why I advocate
we should all exercise our inalienable right to privacy by using
encryption wherever possible.
Can you elaborate a little more about Scramdisk?
Scramdisk basically offers three methods of encryption, apart from
the 9 choices of algorithm. The three choices are to encrypt a
whole partition on your hard drive up to a maximum of 2 Gigabytes.
To encrypt a volume (meaning a file) up to 2 Gigabytes. The third
option is to hide an encrypted volume inside a sound file with the
.wav extension, again up to a maximum of 2 Gigs. This latter
method will need a WAV file at least twice the size of the proposed
Scramdisk volume and preferably 4 times its size. It is impossible
to detect which cipher algorithm has been chosen without the
passphrase.
What is the difference between encrypting a partition and a volume?
Whichever you choose the effect is the same. A virtual drive is
created on your computer when the encrypted partition or volume is
mounted (opened). This virtual drive is shown as a new drive letter
in Windows Explorer, exactly as if it were a physical drive. Clicking
on it opens it and the contents can be read in exactly the same way as
with any normal plaintext file. The data is still in encrypted form
on your computer. Make no mistake about this. It may look as if it
isn't, but trust me, it is fully encrypted. What you are seeing is
the result of the decryption being done on-the-fly. The data is held
in Ram memory or the Windows swapfile (bad news that, more anon).
If you choose to encrypt to a partition, Scramdisk will make the
volume up to 2 Gigabytes or the size of the partiton, if smaller.
When unmounted (closed) this partition disappears off your computer.
For most practical purposes it is invisible. You cannot reveal it
within Windows or Dos using the conventional operating system
software. Neither can you delete it, either in Win95/98 nor from
Dos. It can only be deleted with the aid of software such as
Partition Magic (see later in FAQ).
Partiton Magic shows it as an unrecognized format. To recover it,
you need to delete it and then re-create the partition to Fat32 (or
whatever). It is impossible to re-format in Dos or Windows, as it is
invisible to Dos and Windows. Incidentally, Norton's anti-virus may
flag up when you re-boot after you re-create this partition. Just
tell it to innnoculate the new files. This hiding of the partition
may sound very attractive, but it is of only limited use. Any
determined attacker would soon suss you have a "hidden" partition. Of
course the Scramdisk program itself will reveal it unfortunately, so
treat it as hidden from non-technical users only.
If you choose to encrypt to a volume, either on your hard drive or a
Jaz or floppy, you simply decide on its size, again up to the maximum
of 2 Gigabytes, and choose where to place it. If you encrypt a
floppy, the maximum size is 1 megabyte, which must be specified before
you start. Unlike BestCrypt, Scramdisk allows you to create a volume
within sub-folders.
Tell me more about these three choices?
The encrypted partition is the fastest to use. Access is done
directly by the VxD facility, bypassing the Windows FAT/FAT32. To
backup your data from such a partition involves your opening it and
saving to another open partition on the back up device, a Jaz drive,
CD-Writer or whatever. On a fast machine (450 Mhz P2, SCSI drives
with 512 Megs of RAM) 2 Gigs of data takes around 16 minutes to backup
or restore in this way. An encrypted volume/file of 2 Gigs copies
across in around 6 minutes. So what you gain in normal use you lose
when you backup or restore.
The method of encrypting a volume in the form of a file also has some
advantages, particularly if you live in the United Kingdom. Scramdisk,
uniquely so far as I know, allows you to re-name this encrypted volume
(file) using any name and any extension you choose, even .jbc, as used
by BestCrypt. Obviously BestCrypt can not open a Scramdisk container
just because it has the BestCrypt extension, but you could argue that
it IS a BestCrypt container, but you regretfully cannot open it
because you only had a 30 day evaluation copy, much as you would love
too... The trouble with that, is that an examination of the file may
prove it is not a BestCrypt encrypted container. Unlike Scramdisk,
BestCrypt may reveal information that may be useful to an attacker. A
pity.
But, nobody can prove that a re-named file is a Scramdisk container.
This is vitally important. Next to the steganography feature, it is
probably, the single most important aspect of Scramdisk.
The Scramdisk team have designed their program such that anybody
looking at the raw encrypted data will only see what appears to be
randomn characters. It is thus impossible to know for certain what
that file might be. Later in the FAQ I offer a suggestion for
software that wipes the free areas of your hard drive. One of the
files that comes with this software (Bigfile2.com) can gather up all
the free areas and convert it into a (very) large file called
AAAAAAAA.$$$. The purpose is to allow you to check these empty
sectors with a file viewer. After making this file, you could use a
file wipe utility such as Scorch (see later in FAQ), that will over-
write it with garbage. It is important to use one that generates as
far as possible randomn garbage, not a simple repetitive pattern. The
reason for this is because the contents of a Scramdisk volume are
themselves totally randomn.
Another suggestion. You could actually use Scramdisk as the wipe
utility itself! By encrypting the Partition, Scramdisk is generating
crypto characters that will over-write whatever is already on the
disk. To get your partition back you will either need to use
software such as Partition Magic to delete this partition, or you
could re-encrypt over the old one. The point is, Scramdisk is
arguably a good method of over-writing unwanted files on a whole disk
or partition up to 2 Gigabytes. I am not advocating that is how it
should be used. I am suggesting that this might be a valid defence
to explain the presense of such a partition on your computer. Of
course when you used Scramdisk in this unconventional way, you did not
write down the passphrase you had to input because it was only to be
used that once. It is difficult to see how anybody could prove
otherwise. But I am not a lawyer.
The third method uses steganography. This is the science of hiding
files within other files often graphics or sound files. Scramdisk's
steganography feature requires a sound file with the WAV extension.
Once created this extension must not be changed or Scramdisk will not
be able to access the file. Remember the purpose is to have a
genuine WAV file and to effectively hide the encrypted volume within
it. There is no need to attempt to hide the genuine sound file.
This is without doubt the safest form of hiding the container,
provided the Scramdisk container is not too large. If it were of
say, 2 Megs, then it could easily be hidden inside a 4 or better still
an 8 megs .wav file. This would be invisible to even the most
determined snooper.
As a test, I created an encrypted volume within a sound file just
twice as large as the Scramdisk volume in which I had deliberately
inserted 30 seconds of silence. I measured the signal to noise ratio
before encrypting with Scramdisk and again after. Before creating
the hidden file, the signal to noice ratio measured 60 decibels, a
typical value for a domestic quality sound card. After creating the
hidden volume it fell to 48 decibels. Thus Scramdisk generated an
extra 12 Decibels of noise. The new value of 48 Decibels is exactly
in line with theory where the steganography saturation is 50 per cent
of a 16 bit file. On an aural test on playback after the encrypted
volume had been created I could barely hear any hiss at all, even with
my ear up to the speaker. Hiss or randomn noise, is the giveaway that
there might be something hidden inside the file. But my test suggests
it would be extremely difficult to make a judgement that there was
anything suspicious about that file. Best of all, even if suspicions
were raised, it is still impossible to PROVE that it is a Scramdisk
encrypted container hidden within that .wav file. The noise might
just be randomn noise, nothing more. If you have an older 8 bit sound
card its natural signal to noice ratio will already be 48 decibels.
In such a case, there would be no difference between an encrypted wav
file and one generated on your computer. Note, the original sound
file must have been generated within your system to achieve that
natural noise level. But even if copied from another 16 bit source,
on your computer it would not be any different when tested, than all
your other wav files that were generated on your system! Of course if
you need the full 2 Gigs that Scramdisk offers, then you will have
some explaining to do with a 4 Gigabyte sound file. This is
equivalent to several CD's joined together, or a full length
soundtrack from a DVD. Of course, if you are a musician who needs a
six or seven hour length of unbroken pop/rock mix, you might be able
to explain it!
Are there any other advantages to Scramdisk?
Yes. One big advantage of Scramdisk is it never returns any errors
if a snooper were trying to test each of your files. The only way
it shows any response is when the correct passphrase has been input
against the correct file. You get one shot, if it is wrong Scramdisk
simply returns you back to its opening screen. Nothing else happens,
no errors, no screens warning you that the passphrase is wrong, or it
is not a Scramdisk encrypted volume! Likewise, with .wav files.
There is no feedback to help a snooper isolate a file for further
study. With upwards of 10,000 files on a modern computer, this
suggests an uphill struggle at the very least. Yet another small but
useful tweak, it always starts in the same folder, so it never leads
any snooper to the last file that was accessed.
For these reasons, in my opinion, Scramdisk must be the foremost
choice for use by the private individual who demands total privacy of
his data.
What about the "Red Screen" mode?
The "Red Screen" mode helps to protect you against a tempest or trojan
attack (see later in FAQ). This screen inputs the passphrase at a
very low level which helps defeat a tempest or trojan attack to
capture your on screen passphrase. This is only available if you
have a standard Qwerty keyboard. Europeans or Asiatics with non-
standard keyboards cannot use this facility because the character
layout at low level is not the same as displayed by the keyboard. A
possible solution with only partially non-standard keyboards might be
to try it using only figures and letters. An easy method is to create
a test Scramdisk volume using the normal passphrase screen, then
attempt to open it in Red Screen mode. Most of the differences
between European keyboards are in the shifted characters above the
figures. In which case a compromize might be reached if you use a
figures and letters only passphrase. If this works, I would choose a
figures and letters passphrase of at least 30 characters in length.
There are several other features about Scramdisk that I like. I
recommend you at least download the program and read the documentation
yourself. Remember, it is FREE!
I use Mac, OS2, Linux, Unix, NT (fill in your choice), what about
me?
Sorry. Scramdisk is only available for Win95/98 at present. They
are looking for compilers with experience with other operating
systems, so contact the Scramdisk team at Scramdisk@hotmail.com if
you feel you could help them. I have no experience of any system
other than Dos and Windows. But you could search for yourself for
other programs, here for example:
For NT ...
"Sentry" http://www.softwinter.com/sdown.html
BestCrypt now also has a version for NT at
http://www.jetico.sci.fi/
For the Mac ...
CryptDisk http://www.primenet.com/~wprice/cdisk.html
PGPDisk http://www.nai.com/default_pgp.asp
I have heard that there are programs that HIDE and Encrypt, are these
any good?
I advise great caution. First of all, to the best of my knowledge,
some do not publish their encryption algorithms. Be very cautious of
any such program. Secondly, they only "hide" the file from the
Windows operating system. Any technician could find those files in
seconds. They are encrypted, but how strong is that encryption?
Is it subject to the United States ITAR export controls? If not, it
must be relatively weak crypto. Be very wary of snake oil.
Remember, there is a considerable difference between hiding files from
your wife/girl/boyfriend and hiding them from Big Brother with all the
resources he can bring to cracking your system. Never under-estimate
the snooper. Getting it right is far cheaper than getting it wrong!
What about simple file by file encryption?
I strongly urge you to use on-the-fly encryption/decryption.
Nevertheless, you may need a simple file by file encryption tool, but
with the strongest possible security. PGP can be coaxed into this,
but it is very clumsy in its Dos version, compared to some programs.
This after all, is not its prime purpose. There are many of this type
of program, possibly some are free. I have used two, Kremlin and
Blowfish Advanced 97. Kremlin entwines itself into your Registry and
offers a file wipe facility for shutdown, very useful. BFA 97 uses a
rather smart browser, it also offers a file wipe facility. It is
possibly simpler to use than Kremlin. Naturally, it uses the Blowfish
algorithm, but due to the new restrictions within Germany, its
strength is now limited to 64 bits - so not now recommended for
critical applications. It is shareware and cheaper than Kremlin.
Kremlin is here:
http://www.mach5.com/kremlin/index.html
BFA 97 is here:
http://come.to/hahn
What about the nitty-gritty?
As the majority of users are likely to be using Win95, I will
concentrate on the Scramdisk program, but substitute BestCrypt or
SecureDrive, or whatever is your choice. I strongly urge you to
invest in at least two hard drives of equal size. Partition each
drive such as to allow up to 2 Gigabytes for the Scramdisk volume or
whatever you can spare, depending on the size of your drives. These
two separate partitions on each Hard Drive, one encrypted and the
other plaintext for your Windows programs, etc, can each be copied
to the corresponding second Hard Drive for backup purposes - more
about how to do this later. In other words you are manually
mirroring the two drives.
The documentation explains how to set up and encrypt a partition or
volume and how to hide an encrypted volume within a .wav file.
Installation is done simply by clicking on the Sdinstal.exe file. You
are offered various options about file associations, etc. I would
not associate the default Scramdisk extension with Scramdisk. The
less info you offer a snooper the better. It would be pointless
anyway if you are going to change the name and extension of the
encrypted volume. I believe it is safe to have the Scramdisk icon on
your desktop, provided you are happy to dislose its presence. Of
course, you could install more than one encrypted volume or
partition.... Otherwsie run from a floppy.
The best way to learn about the program is by using it.
You have the option to allocate a preferred drive letter to the
encrypted partition or volume. You can allocate the same letter to
multiple encrypted volumes, provided only one is open at a time,
otherwise it will default to a different letter. Once you allocate
a drive letter, Scramdisk will remember it and use it until you choose
to change it. This is very useful if you backup your Scramdisk volume
from one partition to another. One point to remember, if you have any
shortcuts pointing to this drive letter either in the root of the
encrypted volume or on your desktop or in the Windows Start menu, you
will need to keep to the same letter every time you mount, otherwise
the shortcuts will not function. I would not recommend leaving trails
from the start menu or on the Desktop, but that is up to each of you.
I would keep all the shortcuts in the root of the virtual drive
itself, together with all programs that you will use, plus all the
files that you choose to DL. I will give my recommendations later.
Once mounted, the shortcuts to the programs residing within this
virtual drive will then be seen as if they were on your desktop.
You can use the same passphrase for all containers should you wish,
perhaps even the same as you use for PGP. There are arguments for
and against this, which I will not go into here. If you install PGP
within the encrypted drive (most strongly recommended), you need not
bother with any passphrases for your PGP keys, except as a
precautionary means to identify different keys. More on this later
in the FAQ.
Do I need to wipe as opposed to simply deleting files within the
Scramdiskd or BestCrypt drive?
If the encrypted container is sufficiently secure for your normal
files, it must obviously be secure for deleted files. Therefore, it
is unneccessary to wipe files within the encrypted drive.
Does using Encryption slow things up?
Yes, there is a small speed penalty because your computer has to
constantly encrypt to write to disk and decrypt to read from it. It
is also the major reason given by the "decrypt all files together"
type of programmer for you to buy his wares. This is one of the
reasons for my choosing Blowfish as my preferred algorithm - it is
the fastest among the top three for strength. In practice on a fast
machine, using the Blowfish cipher, the encryption is totally
transparent in normal use.
I want Scramdisk to encrypt a partition, how can I partition my Hard
Drive to do this?
I recommend Partition Magic. It makes partitioning your Hard Drive
very easy. Better still, Partition Magic offers easy copying from one
partition to another identically sized partition. This is very
useful, but you cannot copy encrypted partitions. Partition Magic
does not recognise their format. But for other purposes Partition
Magic can be very useful if you are unlucky enough to lose a drive (a
virus, or whatever). It works in DOS and is very simple to use. It is
commercial ware and costs around 70 Dollars. The manual forgets to
tell you that before you can copy across from one drive or partition
to another you must first delete (using the program) the destination
drive or partition. Unless this is done the copy command stays grayed
out! It will only copy to an identically sized partition or drive.
I have noticed other programs from PowerQuest which suggest similar
functions, but I have never used them so cannot offer any opinion bout
them.
Partition Magic is available from: http://www.powerquest.com/
I believe there are freeware or shareware programs available - do a
search on www.tucows.com or on www.shareware.com.
How large should I make the Scramdisk virtual encrypted drives?
The sizes of the Scramdisk drives are entirely up to you. There
is no reason why you shouldn't make them of 1020 Mb if you are going
to backup to a 1 Gigabyte Jaz drive or double that if you are
fortunate enough to have the 2 Gigabyte version or a DVD-Ram drive.
If you want the benefits of an external hard drive, I would recommend
the Jaz drive. The drawback is the cost of the media. A much cheaper
alternative is a CD-Writer, or even the new DVD-RAM drives. The
storage media for these are considerably cheaper than the Jaz
equivalent. The maximum size possible with a CD-R is around 540 Mb
and with the re-writable CD-RW type just 493 Mb. The forthcoming much
larger DVD-RAM drives will hold 2.32 Gigabytes when formatted on a
single sided disk and double that on a double sided disk. The Jaz is
the fastest, the DVD-Ram the best for archiving and the most robust.
What are the precautions to be taken with the Passphrase?
I would recommend a passphrase of at least 16 random characters.
Never write down your passphrase. You MUST learn it off by heart.
Unfortunately 16 randomn characters is very difficult to remember. An
acceptable compromize is to instead choose at least 30 characters of a
more easily remembered text and figures based passphrase with just a
few randomn characters thrown in for good measure. Remember the
adage, strength in length applies to crypto passphrases. Provided you
keep your PGP keyring within the encrypted drive there is no absolute
need to bother with a passphrase at all for PGP. This may sound
extreme, but the protection of your privacy is ensured by the
encrypted drive. It is quite possible that the consequences of
someone accessing your encrypted drive's data is marginally more
serious than their obtaining access to your PGP secret keys. If you
decide to forego a passphrase for your PGP keyring, be absolutely
certain that all your backups of the keyrings are in encrypted form.
I suggest a possible solution to this later in the FAQ.
Isn't there some risk with my passphrase always being held in
memory?
There is a slight risk of someone hacking into your computer whilst
online and yes, they may be able to read anything that is in your
swapfile or even your encrypted hard drive if it is mounted.
If I go to all these lengths, am I truly safe?
Not completely. There is still the faint possibility of a tempest
Or trojan attack.
You've explained about Tempest, but what is a Trojan?
A trojan (from the Greek Trojan horse), is a hidden program that
monitors your key-strokes and then either copies them to a secret
folder for later recovery or ftp's them to a server when you next go
online. This can be done without your knowldege unless you are
monitoring the data exchange between your computer and your ISP.
Such a trojan can be manually placed in your computer (suggesting poor
security management) or picked up on your travels on the Net. It
might conceivably even be sent by someone hacking into your account.
How can I prevent someone using my computer when I am away?
Use the Bios password facility. Also, use a screen-saver password if
you ever leave your computer switched on and unattended (not a good
idea).
Are there any other precautions I should take?
Make copies of all your PGP keys, a textfile of all your passwords
and program registration codes, copies of INI files for critical
programs, secret Bank Account numbers and anything else that is so
critical your life would be inconvenienced if it were lost. These
individual files should all be stored in a folder called "Safe" on
your encrypted drive. Encrypt a floppy with Scramdisk using your
usual passphrase and copy this folder onto the floppy. Whenever you
update "Safe", you should also update your floppy backup to ensure
synchronization. Now copy the Zip file for the Scramdisk program
onto another floppy - DO NOT ENCRYPT THIS SECOND FLOPPY! Both these
floppies should be kept apart from your computer in case of theft,
fire or any other interference. If the worst happens you should be
able to restore your data from your backups on your second hard drive
or Jaz or CD-R and use this floppy to re-install the Scramdisk program
to allow you access again. Making backups is a boring business. We
can always think of a zillion better things to do, but if ever you get
a system crash you will be convinced of its worth. Trust me, I speak
from experience...
What programs do I put in my newly created Encrypted Drive?
You need to take care over which programs to choose. Some newsreaders
and Image Viewers and Emailers can either write critical information
to your Registry, early Anawave Gravity wrote your News Providers
passwords in plaintext, ACDSee will show the drive\folder path of your
last access, Eudora and AnonPost will send revealing info when
attempting to communicate anonymously. Aegis Shell will make a copy
of your public keyring in the registry which will reveal your Nyms.
Eudora always seems to find your correct Email address. AnonPost
sends a handshake to your ISP which can reveal your Email address.
Only significant if you are using an anonymous remote host - see later
in FAQ. For what it's worth, here are my choices for these critical
programs:
1. Agent (or FreeAgent) for the newsreader, and basic Emailing.
Agent will write to the registry, so its presence cannot be disguised,
but this is probably not serious.
2. I recommend the latest version of ACDSee as your viewer. Make
certain that if you use the cache facility, you set it up within the
encrypted drive. This allows easy previewing of thumbprints and
click and zoom to examine image quality. ACDSee will write to the
registry and will always disclose the last drive\folder accessed in
the registry. If this bothers you, I suggest using VuePro. Allow
VuePro to install itself in its default (Windows) folder, but do not
allow VuePro to become the default viewer for your system. Now move
(not copy) the three files, onto the encrypted drive. VuePro
generates an ini file. This ini file will reveal the drive path and
name of the last file accessed, even worse than ACDSee, so make
certain it is installed within the encrypted drive (this is why it
should not be allowed to become the default viewer). You could use
Thumbs Plus. This similarly will write to the registry, but you can
ensure that its self-generated database is stored within your
encrypted drive. Thumbs Plus does not reveal anything except its
location in the registry. VuePro on its own, is a little clumsy for
general viewing, it needs Thumbs as well, whereas ACDSee can combine
the best of both, but regrettably tell everyone your last drive and
folder accessed! Your call. I will concentrate on ACDSee for the
purposes of simplicity.
ACDSee is here: http://www.acdsystems.com
VuePro is here: http://www.hamrick.com/
Thumbs Plus is here: http://www.cerious.com
3. I strongly recommend Jack be Nymble (JBN) for your Nym accounts
and sending and posting anonymously. This is a very sophisticated
program and requires much dedication and concentration to get the best
out of it. It is freeware and cannot be too strongly recommended in
my humble opinion. It can automate many functions in setting up and
managing a Nym, including automatic decryption of incoming messages.
It requires the Dos version of PGP, but will help you configure it.
It likewise will help you configure the Mixmaster chain of anonymous
remailers. Because of the United States ITAR you must be a United
States or Canadian resident to use Mixmaster. (Aside here, if you are
truly anonymous, how will they know?). JBN is excellent for all your
encrypted mail. It has many options, too many to list individually -
read the manual. It can also ensure your Usenet postings are truly
anonymous. You will have to experiment with the appropriate mail2news
gateway. Not all support all groups. Also, be prepared for some
considerable unreliability from these remailers as they are apparently
under constant attack from spammers. Jack be Nymble is available
here: http://members.tripod.com/~l4795/jbn/index.html
I have had a report that JBN will overwrite a dll file with its own,
older version which can cause problems with some fone/fax software.
The dll is MFC42.DLL. If you use fone/fax software, make a copy of
this file, install JBN, then restore your original version. I believe
the authors of JBN have been informed, so no doubt RProcess (the
author) will shortly be updating his file.
JBN2 is now available for beta testing. This is not a complete
release, it does not include for example, the decryption facility.
4. For browsing I find Netscape Gold the best. You can direct it
to locate its Bookmarks file on the encrypted drive. The later
versions want to create user profiles and worse want to put them in
exposed folders. Be careful! All versions will write to the
registry, but this is difficult to avoid with any browser. I most
strongly suggest you do not use Microsoft Internet Explorer. It
will insist on keeping things within Windows, be very careful with
that one! This is especially the case for MS Mail and MS News and
Outlook. Of course, you can always use MSIE as a normal browser on
your desktop for non-critical browsing and Email, should you wish.
Note: MSIE4 has a feature which can import favourites, it does it
just by clicking on "Import favourites". It will automatically find
and display your Netscape browser's bookmarks from your encrypted
drive if the encrypted drive is open. As a precaution I would
delete the feature if it is not required.
5. Many files are compressed. The most popular is Zip. I recommend
obtaining a copy of WinZip from here: http://www.winzip.com. Or, do a
search for PKunzip which is freeware, I believe.
6. Any person who browses the Net should ensure they have a good
virus detector. There are many to choose from, some are freeware,
others are shareware or commercial ware. I use Norton's only because
I like its Live Update Feature. It allows you to update the virus
list online. Useful and so easy.
What folders do I need on my Encrypted Drive?
These are my suggestions. Obviously adjust to suit your needs.
Create two new folders in the root of your encrypted drive, name
them "Programs" and "Library". All the above programs, except the
virus detector and WinZip, should now be installed into the folder
"Programs". Create two more folders under "Library" naming them "!
- - Incoming" and "Zzz", Ensure there is a space between "!" and
"incoming" This ensures that "! - incoming" is always at the top of
the list of folders, making it very easy to locate each time. Still
in the Library folder, create a set of folders starting from "00"
(zero, zero) through "9" and another set from "A" through "Z",
finally throw in one more of "!!" for those files that have a symbol
as their first character. You should now have all these additional
folders inside Library, starting with "! - Incoming" at the top and
finishing with "Zzz" at the bottom. Should you wish to add a
"specials" folder for your favorite pics, call it "! - Specials".
Likewise if you wish to have a sub-folder for your text downloads,
create "! - text". Install ACDSee into its choice of default
directory on drive C (remember your cannot hide its presence as it
insists on writing to the registry, as does Thumbs and to a lesser
extent VuePro). Zzz should be used as the cache folder for ACDsee.
There are numerous other options, too many to list here. Enjoy
experimenting.
Go into Agent\Group\Default Properties then browse and choose
X:\Library\! - Incoming, for both "directory for saving attached
files" and "Temporary Directory for Launching Attached Files". Go
to Group\Default\Properties\Post and ensure both "Prevent Usenet
messages from being archived X-No-Archive" and "Observe no archive
requests from original message in follow ups" are both checked.
It is simplicity itself to move pics from "! - incoming" to wherever.
Just highlight all those pics you wish to move and drag them using the
mouse to the chosen numbered or lettered folder depending on the first
letter of their file name. Easy! One of the most useful features of
both ACDSee and Thumbs is that if you have downloaded dupes, you can
offer them to their respective folders and the programs will show you
a thumbnail of the pic, plus give you the file sizes, so you can
replace if you have one of a better resolution.
How can I ensure my temporary files do not give away info?
Regrettably, despite all your best efforts Windows will still save
to a swap file unless you perversely disallow Windows from using one
and risk program lock-ups. This is an unavoidable risk with Windows.
To minimize this problem you must use a wipe utility. BestCrypt
includes a disk free space wipe utility which works whilst in Windows,
but do not trust it to completely wipe the swapfile. It is impossible
for any utility to do this truly effectively whilst Windows is still
running. However, do not despair there are ways around every problem.
1. In Windows, go to My Computer\Control
panel\System\Performance\Virtual memory. Click "Let me specify my
own virtual memory settings". Enter identical settings in both
boxes. I suggest 150 Mbytes. Click OK. Windows will tell you what
you've done and complain and ask you if you are sure you wish to
continue, click YES. Windows will then want to re-boot. Allow it
to do so. After re-booting you can see the file in Windows Explorer
as Win386.SWP. If you run games which require large swapfiles, or
run many programs simultaneously, you may need to increase the size.
But remember, the larger it is, the longer it will take to securely
wipe on shutdown and the greater the wear and tear on your hard
drive. If you have at least 125 Megs of RAM, you could try switching
the swapfile off altogether.
2. Use Notepad to write the following simple Batch file. Save it
in C:\Windows. Give the batch file a name. I suggest Wapp16.bat, but
any convenient letter or name will suffice, but NOT Win.bat or
confusion will occur with the Win.com which starts Windows. (I have
suggested Wapp16 as the file name simply to cause a little smoke if
anybody were searching through your computer - so many Windows files
start with the letter W).
Wapp16.bat =
Scorch [c:\win386.swp] /nodel
Scorch [c:\progra~1\cache\*.*]
Scorch [c:\windows\cookies\*.*]
Scorch [c:\windows\history\*.*]
Scorch [c:\windows\recent\*.*]
Scorch [c:\windows\spool\\fax\*.*]
Scorch [c:\windows\spool\\printers\*.*]
Scorch [c:\windows\temp\*.*]
Scorch [c:\windows\tempor~1\*.*]
Scorch [c:\windows\web\*.*]
Zapempty
Win
Note 1: Choose whichever of the above folders applies to your
system, likewise add any others that are not shown but required.
Note 2: In earlier versions of this FAQ I suggested adding this bat
file as the last line of your autoexec.bat file. Recent changes to
computers and in particular to Win98 mean the original self-running
mode is not now always possible. But you can still achieve most of
its useability by dropping into Dos and running it on the Dos command
line by simply typing "Wapp". The "Win" on the last line will return
you back into Windows after the batch has run. If you wish to close
down from that Dos line, do not include "Win" in the Batch.
Scorch is a freeware wipe utility. The format of enclosing the file
to be wiped in square brackets is to minimize disastrous errors. Read
the documentation that comes with Scorch before use. There are
several other options, which are best gleaned from the included
documentation. Scorch is available here:
Http://www.mist.demon.co.uk/realdelete/index.html.
Ordinarily two wipes should be enough for all practical purposes.
If you are a propeller head, then choose any number of wipes that
you feel happy with. Remember, for anybody to recover data off your
drive after just one effective wipe would involve dismantling the
drive and a microscopic examination of each cylinder, sector by
sector. Extremely costly and very time consuming, so only likely if
you are considered an exceptionally worthy person to investigate!
Extra wipes after the first are just icing on the cake.
Zapempty wipes the empty areas of your hard drive. It is freeware
and available here: http://www.sky.net/~voyageur/wipeutil.htm. The
Zip file contains several other useful wipe utilities, besides
Zapempty.
Some reports spread alarm that up to 35 wipes are required
for effective wiping. Probably true, but there is more mileage in
investigating your Windows Registry, together with any pieces of paper
that might contain your passphrase, etc. The corollary is you should
take the greatest care over what you install and what you keep in and
around your computer.
In earlier versions of the FAQ I recommended Kremlin as a wipe
facility on closing down Windows. I have found a few problems with
that. First it interferes with the exiting to Dos when running
Partition Magic and similarly it caused severe problems when it wiped
the temp files after running Live Update for Norton Anti-Virus. I had
to uninstall Norton then re-install from scratch. My fault I should
have switched off the Kremlin wipe facility before closing down. But
in view of these problems, I have changed to doing all critical file
wiping from Dos. Hence the rather longer Bat file above. It is
cheaper as well, this way uses freeware programs!
..................................................................
That completes the first part of the FAQ. This second part has more
to do with ensuring privacy online. It may be useful. Again it is
offered in good faith. Please evaluate and make your own decisions
regarding its usefulness before committing any resources.
Can you suggest any other precautions I should take to preserve my
Privacy?
Common sense should prevail. It is quite pointless going to all
the bother of installing powerful crypto to protect yourself from
unwarranted intrusions into your privacy and then leave trails
within your computer environment. Take care that you never write
down your passphrase. So foolish, yet so many think they can hide
it in the pages of a book, or stuck beneath a drawer. I would also
earnestly urge you never to print anything from your computer that
is the least bit compromising. Privacy is about containing your
data within a secure environment, in this case within the encrypted
container.
Once it is outside that container, the container is redundant!
Moral: Never let anything out of that container that is not
strictly kosher.
I have heard security rumours about the new Pentium 3 chip, what are
they?
The latest Pentium chip from Intel has an inbuilt ability to give away
its serial number, hence your identity, after interrogation by any
hacker or site that wishes to avail itself of this facility. Although
Intel claim this can be switched off with software, a hacker employed
by a magazine took just 20 minutes to find out how to switch it on
remotely and read the machine's serial number. Once this has been
done once, the knowledge of how to do it will spread like wildfire
among the hacking community. I most strongly recommend NOT buying
this chip until independent testing has cleared it of any remote
chance of revealing your identity on line. I understand IBM will be
making it controllable from within the Bios - at least that is a step
in the right direction. But why was it incorporated in the first
place? Intel claim it helps ensure secure online credit card
transactions. Others suggest it allows software Companies, such as
Microsoft, to monitor software piracy and perhaps more seriously
offers intelligence agencies the means to identify individuals without
their knowledge. So much for your anonymity! You have been
warned!!
I download binaries (pictures) that may be compromising, am I safe?
No. Whilst you are online anyone could be monitoring your account.
I am NOT saying your local ISP will do this, but they COULD! If
your activities have aroused the suspicion of the authorities, this
is the first thing they are likely to do, especially your Email.
Aside here: The United Kingdom LEA has been talking to British
Service Providers with the view of gaining their co-operation in
monitoring peoples accounts, especially Email, without their
knowledge. The (non-statutary) authorites involved with this are
the Association of Chief Police Officers (ACPO) and the Internet
Service Providers of the UK (ISPA) which represent 90 percent of
dialup network providers in the UK. A disgruntled member of the
ISPA leaked their briefing report "Industry Capabilities of
Information". Remember, the ACPO's intention is to do this without
any legal warrant. They are almost certainly receiving support from
Jack Straw, British Home Office Minister. His argument is that only
"perverts and criminals need encryption". This is a very dangerous
and worrying trend. Big Brother is among us. For the sake of those
who remain unconvinced at the seriousness of this situation, please
remember that no matter how altruistic the reasons given by this
Government, these powers will lie on the Statute Book and may one day
be used to control an unwilling populace, just as is done in modern
day Mainland China.
Can anything be done to prevent my ISP (or the authorities) doing
this?
Yes. You need to encrypt your data-stream to and from your desktop
to a remote host. This host should preferably be sited in a
different State or country to your own. I know of only two such
hosts. Both offer a news service. One also claims it offers a
totally uncensored all available groups service.
Who are these two Remote Hosts:
Cyberpass and Minder are two, but there are many more. I have had
personal experience only of Cyberpass whose news feeds are restricted.
You will need to additionally subscribe to a News Provider such as
Altopia or similar for a fully uncensored news service. Minder say
they have a full uncensored news feed from Slurp (a well known source
for freedom of speech and anti-censorship of all kinds).
Before subscribing to any dedicated News Provider always check that
they provide what you are expecting to receive. The easiest way to
find this out is to ask them! No need to worry about revealing
yourself, use your newly created Nym as your Email address. One
thing that you should check is that they remove the NNTP posting host
address. Otherwise you are laying a trail of streetlamps straight to
your front door!
How do I go about Encrypting to either of these remote hosts?
You will need SSH (Secure Shell). To quote from the SSH FAQ:
SSH is a program to log into another computer over a network, to
execute commands in a remote machine, and to move files from one
machine to another. It provides strong authentication and secure
communications over insecure channels. It is intended as a replacement
for rlogin, rsh, and rcp. Additionally, ssh provides secure X
connections and secure forwarding of arbitrary TCP connections. If
you want more info about SSH, visit their home page at:
http://www.cs.hut.fi/ssh/#other
The FAQ, plus loads more info is available here:
http://wsspinfo.cern.ch/faq/computer-security/ssh-faq
There is an NG devoted to SSH at: comp.security.ssh Also, loads of
Nym info at : alt.privacy.anon-server
There are freebie versions around, but I have no experience of them
or where to find them. Doubtless the NG's will help you. You can
buy a commercial implementation from Datafellows, called F-Secure.
They allow a 30 day free trial period. F-Secure is available here:
http://Europe.DataFellows.com/cgi-bin/sshcgi/desktopreg.cgi.
Can I use Cyberpass or Minder as my local ISP?
Yes. Cyberpass now also operate as an ISP from anywhere within the
United States at local call rates. It may be possible to subscribe
anonymously, but that does not guarantee anonymity. I recommend you
use them for a shell account. This does mean paying for two separate
accounts, but that is for you to decide on how important is your
anonymity.
What is a Shell account?
For anybody who does not understand the difference between a dialup
and a shell account, the dialup is what it says. It is your normal
account with your Internet Service Provider (ISP). A shell account
is accessed after going on line with your usual ISP. With a shell
account you log into your ISP then use the Net to make a connection
to a remote server. All your Net activities, Email, Usenet, Web
browsing are then done through this remote host. To get the full
benefit you should use encryption from your Desktop to this remote
host. If the remote host is located in another country, better still.
To get the maximum benefit, you should ensure your registration with
this host server is done anonymously.
Note 1: For you to use a remote host, you only require a dialup
facility which allows the use of the Windows dialup networking
protocol. Most ISP's will offer help in configuring the dialup
connection from Windows. Regrettably, as yet there is no universal
standard. Most offer software to help you set it up easily. Ask
before subscribing. These dialup connections are usually cheaper
than a full blown bells and whistles ISP such as AOL. I have tested
the system with AOL and it appears to work ok, but a waste of money if
a dialup account is all you want.
Note 2: For those within the United Kingdom there are now at least
two separate totally free ISP's. One is called Freeserve. The
software for Freeserve is freely available on CD-ROM from the Dixons
group of stores, (PC World, Dixons). It will configure the dialup
connection and allow you to connect into a remote host. The free
connection expects you to give your name, address and various other
particulars such as age, sex, hobbies etc. But how will they ever
know what you tell them is true or untrue? Of course this is no
substitute for an encrypted connection, you could always be traced by
the phone company.
OK, I've got my dialup working, how do I connect to the Remote?
The procedure with Cyberpass and F-Secure for example, would be to
first log onto your ISP. Minimize its startup screen. You then
start F-Secure. You enter your passphrase for logging into Cyberpass.
F-Secure then contacts Cyberpass' server asking to open a connection.
Cyberpass reply with their RSA public key. Your copy of F-Secure
checks this key for authenticity from previous connections - very
important to prevent intermediate hacking. It then generates a
random 128 bit session key, encrypts it with the RSA public key from
Cyberpass and sends it back with the request "let's use this key".
The Cyberpass server now decrypts this message with its secret RSA
key. All further data transfer between Cyberpass and your computer,
including sending your Cyberpass password, are now sent encrypted
using that session key with either DES, 3DES or blowfish (your choice)
for the duration of that connection. Some servers only support DES or
3DES, I believe. Do NOT use DES. This has already been compromised
and shown to be weak crypto by today's standards. 3DES can be slow.
I recommend Blowfish for speed and security. I also recommend
disconnecting at irregular intervals and remaking the connection.
This purges the system and ensures a new route to the host with a new
session key.
Why not save money and just use Cyberpass as the ISP?
For a dialup account with Cyberpass, you rely on Cyberpass keeping
your name anonymous and not monitoring your activities (unless they
are compelled by a legal warrant to release your account details).
If you have subscribed anonymously and Cyberpass thus have no idea
who you are, you can nevertheless quite easily be traced immediately
via the phone Company. But by coming into a shell account via another
ISP means the authorities must coordinate their searches when you are
actually online and work with probably a different authority in
another State or country. Still possible, but so much more bother.
With constant and irregular breaks to the host it becomes even more
difficult to trace you.
How do I set up the Anonymous account with Cyberpass?
An anonymous Cyberpass shell account will cost 39.48 every six months
upfront. You need to send Cyberpass a few alternative user names,
plus your choice of an eight letter password (case sensitive), plus 42
Dollars.
You then watch the Cyberpass bulletin board at:
http://www.cyberpass.net/top/help/news.html until you see your user
id posted up telling you the account is active. You will receive mail
on first logging in which tells you your Cyberpass Email address.
Their address for snailmail payment is:
Infonex Internet Inc.
Attn: Anonymous Accounts
8415 La Mesa Blvd. Suite 3B
La Mesa, CA 91941
Do not include any personal information. They expect you to choose
a username and an eight character password, case sensitive. Include
a half dozen usernames just in case there are problems with prior use.
Be imaginative, remember your username can be figures as well as
letters. Keep copies of your proposed usernames and your eight
character password, in case you forget them before the account becomes
active.
Once your account is active, immediately change your password by
typing "passwd" at the command prompt and following the on screen
instructions. You will receive an Email on first logging on showing
your new Email address.
Send your account details with the money. This does not compromise
your anonymity in any way, provided you do not put a return address
on the envelope! Do not send bills, send a money order. You can
trust them to implement your account. I have found them to be
excellent.
What about Minder?
The following is a verbatim quote from their system administrator:
"The service which provides our newsfeed, slurp.net, does not censor
their feed for any reason. If the group you are looking for exists,
they carry it. We do offer SSH logins and in fact we encourage our
users to do so.
The price schedule for shell accounts
(www.minder.net/services.html)is
as follows:
1 month/USD5 6 months/USD25 12 months/USD50
Payments should be sent to:
Minder Network Services
69 South Locust Ave.
Marlton, NJ 08053
USA
This is cheaper than Cyberpass and considerably cheaper than Cyberpass
plus an additional News Provider. However, I have no experience of
Minder, so I have to advice caution. Try them and see...
Are there any problems using what is in effect double encryption
(SSH and Scramdisk or BestCrypt) together?
On a modern fast computer, the encryption is totally innocuous.
If you have problems with strange timeouts, this may be a memory
problem or to do with the speed of your processor. I had such a
problem which seems to be cured with a faster machine and considerably
more RAM. To speed things up, add a Ramdrive. This is set up
within your config.sys file. Here is an example of such a ramdrive
for 10 megs:
DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICEHIGH=C:\WINDOWS\COMMAND\DRVSPACE.SYS /MOVE
DEVICEHIGH=C:\WINDOWS\RAMDRIVE.SYS 10240 512 1024 /E
DEVICE=C:\WINDOWS\SETVER.EXE
This should be additional to any other config.sys entries.
I cannot guarantee the above is suitable for all machines. I regret I
cannot enter into de-bugging corrsepondence, please see your supplier.
How do I configure my News Reader and Browser with Cyberpass?
Easy. Read the FAQ at http://anonymizer.com/ssh.html. Once connected
via F-Secure, you simply minimize the startup screen and then use your
browser, email, etc in the usual way. To ensure they route their
connection through Cyberpass (or whatever remote host you choose) you
need to specify "localhost" in the proxy connection settings. This is
straying into the territory of information that comes with these
programs. The Anonymizer FAQ explains it in detail and quite lucidly.
The bottom line is, it ensures you are virtually anonymous with
whomever you communicate and more importantly, the data is hidden from
prying eyes. Minder is cheaper at around 5 Dollars per month. Please
check with Minder for more details, www.minder.com. I have no idea
whether they offer anonymous registration as does Cyberpass. If
anyone knows anything, please supply feedback.
What about the data between Cyberpass and the News Provider, is this
encrypted?
No. From cyberpass onwards it is in plaintext.
Can I use IRC in this way?
Not so far as I know.
Can I be anonymous as far as other Web sites are concerned?
Yes. Visit the Anonymizer at: http://www.anonymizer.com/ - there
are others, but I have no experience of them.
I use a dedicated News Provider, how do I connect?
Follow the Anonymizer help exactly as shown on the Anonymizer FAQ,
but instead of inputting news.cyberpass.net as the news provider,
enter your News Provider's site URL, e.g. maxim.newsfeeds.com for
Newsfeeds. You will have to configure Agent (or whichever newsreader
you are using) for a news server log in, exactly as now.
How can I post anonymously to Newsgroups?
ALWAYS choose a news provider that strips away your NNTP posting
host address. There are several, the best of which is Altopia.
Regrettably, Altopia usually has a long waiting list. Another
is Newscene, I believe, but check for yourself. Newscene
additionally claims not to keep any logs (I do not believe this, but
I have no proof, it is just a hunch)
What do you suggest to maximize my anonymity whilst posting?
My suggestion is to always use your Nym and post via nym.alias.net
provided you:
a. Always point your Nym reply block back to a newsgroup such as
alt.anonymous.messages
b. Use Jack be Nymble (JBN) with a JBN generated random
conventional passphrase for the reply block
c. Post using Mixmaster chaining with at least five remailers
d Use an encrypted channel to a remote host server such as Cyberpass
c Ensure that you subscribe to this remote host anonymously
Provided you do all the above, you should be reasonably safe.
Mixmaster is presently considered the safest option to preserve your
anonymity. These remailers are considered much safer than the
Cypherpunk types.
Note 1: You cannot use Mixmaster for your reply blocks. Due to
the greater anonymity of Mixmaster it is impossible at present for
them to handle replies. However, you could and most definitely
should use Mixmaster for all posting. For maximum anonymity you
should point your reply back to alt.anonymous.messages or a similar
news group.
Note 2: JBN has a very useful feature to improve reliability. It
allows multi-sending of an identical message through independent
remailers such that only one copy will be sent out from your Nym as an
Email message or posted onto Usenet. It is referred to as Replay.
Read the manual for more info, well recommended. You cannot use this
facility when sending directly to a mail2news Gateway, it must go via
your Nym.
How can I post graphics to NewsGroups?
JBN allows you to attach files by adding them within the message body.
Remailers will not normally allow attachments. There is no limit to
the number of attachments you can add in this way, other than the size
limit of the remailers. In practice most remailers do not permit
posting of binaries. Also, some mail2news gateways, will dump any
messages containing the words binaries, pictures or sex in their
headings. This means that even text posts to these types of groups
may be thrown into the rubbish bin. I have had no bother using
Mail2news@nym.alias.net with simple text posts, such as this one.
Remember, any abuse will mean your Nym will be blocked indefinitely.
If you wish to post binaries, my advice is to sign up with a News
Provider that strips away your NNTP Posting Host address and ensure
you use a remote host server with SSH encryption after signing up
anonymously. Remember, this is not nearly as secure as posting via
multi-chained remailers and a Nym.
Can you offer any help in setting up a Nym?
Regrettably there are many pitfalls in setting up an effective Nym.
The first one is in actually asking for the list of Nyms available.
If Nym.alias.net is monitored for Nym list requests (possible) then
any new nym appearing after such a request is obviously fairly
easily tied to a particular Email address. I would suggest that
this list request should only be done the once and if possible, sent
to a different Email address to your usual one, possibly Hotmail.
I know this sounds paranoid, but true anonymity is not easy to
achieve. Yet another way, is to get the list of used Nyms sent to
your true Email address, then set up a Nym several weeks or months
later. Once you have a Nym, all future requests for the list should
be sent to that Nym.
To be anonymous, you will need JBN, PGP and Mixmaster. JBN will help
you configure these, including modifying your autoexec.bat file. I
strongly recommend that all three programs be installed within your
encrypted drive.
When you start JBN you will normally be shown the Message Folder.
This is the default folder for all your Email and Postings to
Usenet. However, to set up a Nym, you should use the Nym folder.
Keep only your Nym configuration messages in that folder. Do not
put your Email or Postings into that folder, keep them in the
Message Folder for better filing.
PS I am aware that a small speed increase can be obtained by
installing Agent, JBN, etc within a normal (plaintext) drive and then
pointing the program to its ini and data files within the encrypted
drive. However, I am also concious that some may not get it right
and so possibly end up compromizing their security. If you know and
understand how to do this effectively, by all means do so.
Hints for setting up a Nym:
1. Make certain that you have generated a new key for your Nym.
2. Make certain that you send this key with your first configuration
message. Also, make certain that you sign your configuration request
with this key (most important).
3. Type in your chosen Nym, e.g. if "mynym" were your chosen Nym,
type mynym@nym.alias.net. Also, most important, type "mynym"
(without the quotes) into the name box, otherwise you will not be able
to save your passphrases to a file and JBN will not automatically
decrypt incoming messages. To save the details for automatic
decryption, simply press Update within JBN.
4. Always tick the Send Key, Nym Commands, Create, Cryptrec (most
important!), Nobcc and the Reply Block boxes, but keep the other boxes
clear (at least until you are better able to understand their
purposes).
5. For your first Nym I recommend keeping the reply block very
simple, so simply press the Active button next to the 1 box for just
one active reply block.
6. The first remailer will be Nym-Server. On the line, Encrypt-Key,
press the little "R" button. At the very bottom of the screen, you
will see an instruction telling you to type a number of random
keystrokes. This typing is used by JBN to seed a randomnly generated
line of text characters. You will then see this line of random text
appear in the Encrypt-Key line. Now press Set and this random text
will appear next to the Nym-server and will be used to conventionally
encrypt your reply block message with those randomn characters.
7. Further down the box, choose Anon-Post-To from the drop down
menu in the first box marked Final Headers.
8. Now type in "alt.anonymous.messages" without the quotes in the
adjacent box.
9. In the second line of the Final Headers choose Subject from the
drop down menu.
10. Alongside this, type a subject that you will be easily
remembered. Type something snappy such as, Bill Clintons Private
Mailbox.
11. Remember to press Update, to ensure that the chosen
conventional passphrase is stored in your Nym Accounts registry
within JBN.
12. Before sending, press Stats to update the stats list. When
the Stats box opens, press Tools on the Menu bar and choose Update
Cypherpunk keys then Update Mixmaster keys.
These steps are all mentioned in the excellent manual, but are
sometimes forgotten and one of the reasons why people are unable to
create their Nyms.
When sending, always (if possible) choose Mixmaster as your first
choice of class of remailers.
Note 1: You should set up a template message book. From within this
book, click on Books and ensure "Auto split lines", "Queue on Send"
and "Autoname on Load" are all ticked, then save it with the extension
"tbk".
Note 2: You cannot use Mixmaster directly for your Reply Block, but
you can choose Cypherpunk Remailers that support mixmaster. If this
sounds complicated, again, please see the manual. If it is too much,
just point your reply block directly to alt.anonymous.messages and you
will still enjoy first class anonymity without the worry that you may
have done something silly. You can add extra reply blocks at a later
stage, should you choose.
Remember: the more parallel Reply Blocks, the greater the chances
of your being identified, all else being equal. This is why many
seriously paranoid people use alt.anonymous.messages as their incoming
Email message dumping ground.
None of the above is in itself a panacea to avoid reading (and
understanding) the JBN manual. You would be most unwise to attempt
to create a serious Nym without some understanding of the
possibilities available with this very sophisticated program. You
would be blindly stupid to rely on it for critical use anonymity
unless you have studied the manual.
Conclusion
I must repeat that this is not intended as a definitive statement on
computer security. It is offered in good faith as a starting point.
Many will choose to implement things in a different way. That is
what freedom is about. The important thing to remember is to use
encryption, whatever else you do. To send Email without encryption
is equivalent to sending a letter on a postcard. Fine for sea-side
postcards but hardly a good idea if you wish to preserve your privacy.
Finally:
1. Never ask of anyone nor give anyone, your true Email address.
2. Never DL any file with .exe, .com or .bat extension from a
dubious source.
3. For your own protection, never offer to trade any illegal
material, nor ever respond to those seeking it, even anonymously.
4. After setting up your Nym, you may receive email which appears
to offer you something for nothing - free travel holidays or whatever.
Be very careful! It may be a ruse to get you to reveal yourself! I
suggest ignoring ALL such Email.
..............................................................
Some Useful Links:
On-the-fly encryption programs:
Scramdisk: http://home.clara.net/scramdisk/
Or here: http://www.scramdisk.clara.net/
BestCrypt: http://www.jetico.sci.fi.
SecureDrive:
http://idea.sec.dsi.unimi.it/pub/security/crypt/code/secsplit.zip
Anonymous Email and Usenet Posting:
Jack B. Nymble: http://www.skuz.net/potatoware/jbn/index.html
Also here: http://members.tripod.com/~l4795/jbn/index.html
PGP and Mixmaster:
PGP download site: http://www.pgpi.com/download/
Mixmaster download site: http://www.thur.de/ulf/mix/
Beginner's Guide to PGP:
http://www.stack.nl/~galactus/remailers/bg2pgp.txt
PGP for beginners: http://axion.physics.ubc.ca/pgp-
begin.html#index
PGP FAQ: http://www.uk.pgp.net/pgpnet/pgp-faq/
Also well worth a visit: http://home.earthlink.net/~rjswan/pgp/
Other remailer Front Ends:
AnonPost: http://home.clara.net/j.davies/anonpost/index.htm
EasyNym: http://home.clara.net/j.davies/easynym/index.htm
Private Idaho 3.52t: http://www.lynagh.demon.co.uk/pidaho/
Remote Hosts and anonymizer sites:
Cyberpass: http://www.cyberpass.net/
Minder: www.minder.net/services.html
The Anonymizer: http://anonymizer.com/ssh.html
Remote Host encryption:
A commercial version of SSH:
http://Europe.DataFellows.com/cgi-bin/sshcgi/desktopreg.cgi
Recommended Image Viewers:
ACDSee: http://www.acdsystems.com
VuePro: http://www.hamrick.com/
Thumbs Plus: http://www.cerious.com
Useful programs:
Partition Magic: http://www.powerquest.com/
Winzip: http://www.winzip.com
Kremlin: http://www.mach5.com/kremlin/index.html
BFA97: http://come.to/hahn
Secure wiping:
http://www.cs.auckland.ac.nz/~pgut001/secure_del.html
Zapempty/wipeutil: http://www.sky.net/~voyageur/wipeutil.htm
Various additional useful sites:
FAQ for PGP Dummies: http://www.skuz.net/pgp4dummies/
The PGP FAQ: http://www.cryptography.org/getpgp.txt
The Official PGP FAQ: http://www.pgp.net/pgpnet/pgp-faq/
The SSH home page: http://www.cs.hut.fi/ssh/#other
The SSH FAQ: http://wsspinfo.cern.ch/faq/computer-security/ssh-faq
Web based Anon E-mail - https://www.replay.com/remailer/anon.html
Remailer How To: http://replay.com/remailer/replay.html
More about remailers: http://replay.com/remailer/replay.html
Simple Anonymity:
http://members.tripod.com/~bbop/SimpleAnonymity.html
Reference Guide: http://members.tripod.com/~l4795/reli/UserMan.htm
Remailer Link: http://members.tripod.com/~l4795/links.html
Privacy Links: http://anon.efga.org:8080/Privacy
Proxys: http://www.bikkel.com/~proxy/
Anonymous Posting: http://www.skuz.net/Thanatop/contents.htm
Anonymity Info: http://www.dnai.com/~wussery/pgp.html
Nym Instructions: http://www.publius.net/n.a.n.help.html
Nym Creation: http://www.stack.nl/~galactus/remailers/nym.html
General info: http://www.stack.nl/~galactus/remailers/index-
pgp.html
General help: http://www.io.com/~ritter/GLOSSARY.HTM
.......................................................
If you believe any part of this FAQ is wrong, misleading or could be
improved, please post or Email your comments and I will take them
onboard.
To respond to me personally, please email me at
Doctor_who@nym.alias.net and include your PGP key with your message
if you expect an encrypted answer.
Note: I can only respond to RSA keys.
My Public key:
Type Bits/KeyID Date User ID
pub 2047/7CECC929 1998/07/06 Doctor Who
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia
mQENAzWgNFgAAAEH/1N7GxF+PnMgQf7azm1eFqSqssyhMAWDybiEIiqd3BDCoKJ9
zzxfvSIicAKPAYTlM5m18L8FCPNacvFnhY2Zl2wzWZikLu19uJ+3m7KzCcUgVRe7
3INqsmP+XNjmt4OfRInGUWLMNgwNQFZEubezfsZGqr5w2JUi5OzlHzGWCDpVu/00
4KFEMoB2FwAk366+ignHYzlOseOHE5QMVJJNmw2k6WOaLzR4k1jkyds2ooynbpBf
C3K7PUsvVsDkQm/iKbVKbjDJBuuBMwWb+V1KQdSSM93dpba/aoAZuiax0R8JK3yJ
HEJvvaXKUqKo54XTNZIjpFItRlWGwkv8BnzsySkABRO0JERvY3RvciBXaG88ZG9j
dG9yX3dob0BueW0uYWxpYXMubmV0PokBFQMFEDXzUWvCS/wGfOzJKQEBHAIH/j5/
7Ibwl4+1RKQXzECtfJKQqyoDKxWOKq08sbfq7n88BC3cwcCXeGf40SH5jeqQFvRA
q+wokPy21mU7tcuj/dOxNB03q/jdUFhEVUnUWvSLHErltv+GcPaUF3K4PjLM/LfX
5FSln84wokZ8MClbiWSCGFhmpE/Y3dNj1tUoxR5dlc9gNDWL4f8dKOqa/cfxxsyK
l6LfkWVEfVjfRiaHLuEQ6e6w2dT+aqy4bCbF/2NMIcn8vGxW2Yo9cvkMAoc0FMKm
Pn3kw3NxcOdGa2FvgrK68TwBAUKAPsxnNJeGNDOFbn/CkW5d+jtHdDQcvrTI9P6X
y45X+ZjNAm8JAM4Z7Mk=
=BNk+
- -----END PGP PUBLIC KEY BLOCK-----
.........................................................
Revision 11
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: cp850
iQEVAwUBNt8dZ8JL/AZ87MkpAQE0/Qf+PmtVwwLtZEhyaZIyOdrImbw1qlUrP69S
xx2G6eaAT3OVRtKnywDTxxlWxFeSxvKnVy+pPFpS8yxG06rUbHfNYJR+r2L3nLmv
pgtHY4q7JgpZwUO8BNcGIezE9lhskyluth2qauQ/4tz9tGTHJTsfg/57gT8/Hq47
axQrphvtBFEYRjj65IX0TAPkrhY07i40VjMP+J6VMcGvr1NwEOXLwMeInsSqvZTk
x99Qg88dVGL0jYClpG4TLjTn+NQqVa27drFeYIPAmRUCDrfKyZgjnVJZAGuRUx3e
j4dOWaKJzzbXmZNz8g8YckKPAnNfq0z+ylgp3NGdQXXGmfbUzXh3WA==
=IjBb
-----END PGP SIGNATURE-----