No argument, Melissa, none at all. I attempted to respond
in a vein that I thought matched the OP's familiarity and
level in such matters. I may have made it a little
oversimplified, and did neglect to recommend going to PGP to
read their pretty well written hype where one can learn a
lot about it.
See my Inline, but I don't disagree with much that you
said:
Melissa said:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[Rare top posted preamble]...
This reply may be considered mostly off-topic for this
group, but
== Personal opinion of course, but I think it's a
sufficiently relevant topic to go well with this group.
Others may disagree of course.
perhaps it's not entirely so. If anyone is concerned with the threat
of personal/private information on one's computer being compromised
via Trojan activity, perhaps the use of encryption has its place in
"anti-Trojan" security measures.
== Definitely.
== This really needed more clarification than I provided.
I DO use PGP and also Thawte, but not as a matter of course;
they are reserved for clients and anytime important
information is dispensed. Since most of my "trusted
sources" (a misnomer, but works here) are semi-net-educated
family and friends, who don't understand much more than to
never respond to a spam and never open an attachment you
weren't expecting, and adhere to those rules, other less
technical and easier to implement methods work just as well
and avoid the added complexity (for them) of addons and
third party programs.
I won't discuss my "methods" specifically except to say
that they are nuances familiar to all of us and if they're
not readily present, we know to question the sources. With
up to date OS, av, spywares, firewall, etc., that's about
all that's necessary. Most of the people I've worked with
have no problem with things like spyware and firewalls, but
get confused by things like PGP et al. But our own little
"system" works well.
All that said, there has only been ONE instance of a
falsified email amongst us, and that one came to me from my
son, supposedly, in Ct. Other things, especially the
headers, proved it false and a phishing attempt, but
initially it was obviously not from my son due to our
methods not being present.
Hi Pop,
Having had my "identity" maliciously spoofed over the Internet
(resulting in uncomfortably close threats to my physical well being),
and also wishing to protect my privacy and the privacy of my
correspondents, I'm going to have to disagree with your somewhat
dismissive comments about the usefulness of PGP.
== I've never had that drastic an experience and don't
personally know anyone who has, but I can imagine how
disconcerting it must be. I hope it's over and that all is
on an even keel again? And, you're absolutely correct to
protect yourself and your correspondence.
I also feel that
your "hiding little oddities here and there" is in no way an adequate
substitute for what PGP or GnuPG can offer in terms of
authentication.
== No argument, except that for our little group, it is
effective. In THIS environment, it's easy to do,
non-techie, easily recognized, and never repeats in any
pattern. Not hard to do given a little thought. Obviously
it can't compare to GP, but ... see my above para please for
my further opinions.
The method you describe is, at best, about as
"secure" or "reliable" as ROT13 is as an "encryption
scheme".
== Oh, indisputably not even as "good" as rot13. But,
effective if/when implemented, for day to day "how ya doin'"
and "how's the family" type of emails or even "how do I"
stuff, which is the majority of personal communications. If
anyone wants to listen to our data, more power to them;
they'll get bored reading it in a hurry! Now, if we had to
send each other ss numbers, financial info, stuff like that,
well, that's a lot different. Email in this vein is in the
non-time critical, personal informationless chatter amongst
friends who all stick together for a common goal. Not a one
of us is afraid to pick up the telephone for a data-filled
conversation, also a not very reliably private method
though.
By firing up my other browser, I automatically get the
certificates and encryption (128 AES normally) to use with
clients and other knowledgeable people.
I like my method because no one gets surprised or
confused if I implement it right, and remember to ask the
right questions. It also helps sometimes in figuring out
the source of an address leak to spammers. e.g. you can go
right to an email address here in this group if you want to,
and it's a real one (not the nobody@ in display), but it's
also a spamtrap and never read, so you won't get a response
from it. And since one had to work to get that particular
address when it's obvious I don't want it used, I never feel
bad if an "innocent" person uses it and gets LARTed; they
asked for it.
....
Verifying a digital signature *does* do one thing, and *can* do two
things...
1) It *does* determine whether or not *anything* has been altered in
the message/document/file between the moment it was signed and the
moment the signature was verified.
....
it is also very good,
because PGP simply doesn't tolerate *any* changes made to an
already signed message, document, or file.
== No argument, but only needed in the rarest of
circumstances outside a data or client relationship.
2) It *can* also "authenticate" the *signer* of a
message/document/file (who *may* also be the "author" of the
signed message/document/file in question), but this aspect of
authentication depends on one's understanding of the "web of
trust" (which also depends on one's trust of another's careful
usage of the program...including the safeguarding of one's private
key and passphrase).
== Exactly, which removes it from the realm of newbies and
neophytes in most cases. From what the OP asked, this would
be overkill facts, IMO.
.... it.
I think the idea that "official" work is somehow more worthy of
authentication and privacy protection than "personal" work or
correspondence is misplaced.
== Gotta disagree here, but I think we're beginning to play
on syntax. See previous comments.
On the most simple level, would you
write a "personal letter" on a postcard and send it
through the post?
== Yes, I would.
Or would you *insist* on putting such correspondence in an
envelope?
== No, I wouldn't. But, we're playing syntax again. I
think you mean what I would consider intimate in nature, or
containing something not for public eyes. I couldn't care
less if the eyes want to read about my "Love, Pop" on my
postcards, and such. Now, if it has to do with say an ss #,
or maybe I graphically describe something illegal, yeah, I
would.
*Any* email that is not encrypted can be read by any number of
people; with copies being available at any number of servers it
passes through on its way from sender to recipient. In fact, an
"email postcard" holds the potential of being seen by many more
people than would ever be exposed to a paper postcard sent via "snail
mail".
== Not a problem. I don't care as long as there is no
illegal or personally usable info in it. What's so wrong
with that? Who cares if I wish my friends down in Texas
happy birthday and all that gunk. Paranoia is a valuable
asset to a degree, but it can be a detriment when it's
improperly placed in one's life. Everyone of course is
entitled to their own opinions, and line of reasoning, so
there isn't really a right or wrong answer here.
I wonder how many people here send "personal, private" email messages
to friends and family yet never even consider the *fact* that people
other than the intended recipient *can*, and more often than they
might think, *do* read their messages?
== Again, syntax, except "fact": this is exactly why
simpler introductory experiences and education are so
important. Pushing Aunt Nelly into spending money on a
certificate and fiddling with PGP isn't the best path. Aunt
Nelly often ends up ignoring it all and going her own way.
Education is key.
Unless and until one is unpleasantly surprised by some incident
involving the "unauthorized" reading of their personal
correspondence, they may never know that others can and do read their
messages.
== Disagreed. This assumes that NO ONE can understand the
implications of privacy without the actual experience.
While it may be true in your case, and this isn't a cut at
you, it's NOT true in all cases. A simple degree of
education with a pinch of paranoia goes a long ways.
On the other hand, we *can*, by using encryption, be
comfortable in the knowledge that even if someone other than our
intended recipient were to look at a copy of our correspondence, they
wouldn't be able to read the contents.
== And, not have your mails read because they ARE
encrypted.
Since this is PGP signed, what value is that to me?
Yeah, it'll tell me you are pretty much the person who
signed the PGP letter, but what's the value of it? I don't
know you from Adam, and although your nick is Melissa, you
could just as easily be a 40 year old pedophilic, identity
stealing pervert. Public keys destroy the usefulness of it
all, and there's nothing stopping the pervert from posing as
you, with this signature. There is nothing in place to
insure that you are who you say you are.
Obviously, in SOME (very important) situations, PGP IS
functional and useful! But, here, amongst us strangers,
what possible good is it? I often have to smile when I see
the PGP sigs on the newsgroups, and always wonder if they
are well known or sufficiently entrenched to make the added
bit of bandwidth worth it?
I think my scope in life is simply wider than yours and if
you feel that I called you paranoid, which I didn't mean to,
please realize that paranoia is normal and useful in the
right proportions. And I hope your experiences are all
positive in the future.
Pop
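
An added example, not part of either poster's message: the two properties of signature verification listed in the quoted text (detecting any alteration, and authenticating the signer only as far as the key itself is trusted), shown with a textbook RSA toy. All names (`make_key`, `check`, the sample keys and message) are hypothetical and constructed for illustration; this is not PGP's actual format or padding.

```python
import hashlib
from math import gcd

def make_key(p, q, uid):
    """Toy RSA key from two known primes; uid is a free-text label anyone can choose."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:          # pick the next odd exponent that is invertible
        e += 2
    return {"uid": uid, "n": n, "e": e, "d": pow(e, -1, phi)}

def public_part(key):
    return {k: key[k] for k in ("uid", "n", "e")}

def fingerprint(pub):
    """Hash of the key material only; the uid is deliberately not what identifies a key."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()[:16]

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(key, message):
    return pow(_digest(message, key["n"]), key["d"], key["n"])

def verify(pub, message, signature):
    return pow(signature, pub["e"], pub["n"]) == _digest(message, pub["n"])

def check(pub, message, signature, trusted_fingerprints):
    """Return (intact, signer_trusted): the two separate answers a verifier needs."""
    return verify(pub, message, signature), fingerprint(pub) in trusted_fingerprints

# Constructed sample data. Mersenne primes keep the toy self-contained; real keys
# use random primes of 1024+ bits and a padded signature scheme.
real = make_key(2**61 - 1, 2**89 - 1, "Melissa")
fake = make_key(2**107 - 1, 2**127 - 1, "Melissa")    # same uid, different key
trusted = {fingerprint(public_part(real))}             # learned out of band

msg = b"Meet at noon."
sig = sign(real, msg)
results = {
    "genuine": check(public_part(real), msg, sig, trusted),
    "altered": check(public_part(real), b"Meet at noon!", sig, trusted),
    "lookalike key": check(public_part(fake), msg, sign(fake, msg), trusted),
    "lookalike sig, real key": check(public_part(real), msg, sign(fake, msg), trusted),
}
if __name__ == "__main__":
    for name, outcome in results.items():
        print(f"{name:24} intact={outcome[0]} signer_trusted={outcome[1]}")
```

A signature that verifies under a key whose fingerprint was never confirmed says only that the holder of that key signed the text; the name on the key adds nothing until the fingerprint is checked through another channel or vouched for by a signer the recipient already trusts.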