JF make 280
JF Nav
JF Nav
Creation Date: 2003-08-10
Tonight I created something cool and I want to show people how far HM is coming as quickly as I can make it. The picture is the prelinimary test of the skinned model for Hack Mars male children. The last time you saw it, it had a lame skin, no body, and no skeleton. It has skeleton and that means one thing: MOVIE! Download the movie here. Don't say I never gave you good stuff. Below is a tutorial I wrote yesterday on how to establish tin foil hat secure communication. Use it to rock the man. That's felony information distrobution with intent to cause extreme positive societal changes jic you're wondering.

Today's lesson will be immensely useful and will cover the topic of how to set up secure communications and data storage on your computer. It is definately not fool-proof, nor is it safe from no-knock seizures which the government is recently empowered to make. It is as secure as tin foil strapped to your head: if you open your mouth or have the tin foil forcably removed, it will not work. However, it serves a few needs for security: 1) prevents government wholesale cataloging of your personal/business communications, 2) prevents man-in-the-middle and insecure box hacker attacks, 3) secures data from the 'odd case'. If you are interested, but don't know where to start, start by reading this. This will be a no-nonsense tutorial on how to get secure data from point A to point B.

First, download GnuPG for your specific platform. Ther's a link on the left that says, "Download". If you're interested and know how, you can download the source and compile it. If you know how to do that, you're one step ahead of the game. I assume most people reading this are running Windows. That's fine. At the middle of that page, there's a section called binaries. Go to the right of where it says GnuPG 1.2.2 compiled for Microsoft Windows and click the link. It will download a zip file. Unzip that to C:gnupg

Create Key Pair
Now you need a key pair. I'll talk about them later. Let's just create them. Open up a Command Prompt. cd to the gnupg directory. Run gpg using gpg --gen-key This will ask you what kind of key you want. Pick 1, DSA and ElGamal. Then it asks for keysize. Keysize is proportional to strength against the NSA. 1024 should be impossible for the NSA to crack. We don't know because they don't tell us. Tin foil hats (crypto hackers) say that a keysize of 4096 is prudent. Avi in Neal Stephenson's amazing book, Cryptonomicon says that he wants his communication to be secure as long as men have the ability to have malice in their hearts. You probably want it to be secure from idiots and lamers, so either 1024 or 2048 is good enough. I'm going to pick 2048. The next question is how long the key should be valid. The idea is that the key may become compromised after a certain amount of time. It's not a big problem to have your key expire often, except that if people send you information and you have deleted the private key, the information is (in the best case scenario) lost completely. I've tried having an expiration date and my key always expire before I use it, so I'm going to set my new key to not expire. I'll change it in six months. Next it asks you for your name. Type in your name as you wish it to be. Only type your name. It tries to confuse you with instructions. Next, type a comment, like "Insecure Key". This tells people, trust this as far as you can throw it. A secure key would be the one that was written to a secure memory strip and is strapped to your chest 24/7. E-mail address is important so that your secure mail gets to the right person. It will ask you if all the info is correct. Type 'o' and it'll ask for a passphrase. This passphrase allows you to use the private key. This gives a layer of protection in case someone happens by your computer or hacks into your computer. Now you get the really cool part. It generates the key using entropy. This is an important part. To get a good key that will be uncrackable by the NSA, you need completely random data. Move your mouse randomly and in 20 seconds, it's done. It gives you an output that says:
pub 1024D/..... 2003-08-08 Name (Comment) 
    Key fingerprint = ....
sub 2048g/..... 2003-08-08

The idea is that you have a private key and a public key. The private key stays secure (whether your definition of secure is on a card strapped to your chest or if it means sitting in a hidden directory on your computer). You will distribute the public key to everyone, especially those who wish to speak to you securely.

Encrypt Plain-Text
So now you can start encrypting your data for your eyes only. For now, let's encrypt a little piece of ascii text info. The command to encrypt ascii information is gpg -a -e It will ask you for the user ID. Type in your name and it will say Added 2048g/.... 2003-08-08 "Joel R. Voss (Javantea key) ". It will ask for your user ID again. Press enter. Then you can type your message. When you are finished, press Ctrl-D. It will spit out something that looks like the thing below.
Version: GnuPG v1.2.1 (GNU/Linux)


I can publish this here and I know that the only person who can read it is me since my private key is secure on my computer. Now that it is secure, how do I retrieve it? That is quite simple. Save the encrypted data to a file using notepad. Name it file.txt.asc. The asc tells gpg that it is an encrypted ascii file. Then run gpg file.txt.asc and it will ask for your passphrase. That is your protection against a person on your computer decrypting it. Type in your passphrase and it will save the decrypted file as file.txt. That's pretty useful.

Encrypt Data
What if you want to encrypt some actual data? Say you want to encrypt an archive of rants. That's easy. Simply run gpg -e file.zip and it will save a file called file.zip.gpg. It will not be ascii, so you e-mail it as an attachment instead of inside the plain-text. To get ascii, you simply run gpg -a -e file.zip. To decrypt it, do the same as before: gpg file.zip.gpg and it will give you file.zip.

Encrypt Communications
Now that you can do that, here's the really important part: secure communications between people. It's easier if you have a friend who is instigating the use of GPG because they have it figured out and can tell you what to do with things. But in my case, I'm the only one I know who wants to use GPG. So what do I and others like me do? We put on our tin foil hats and spew conspiracy theories to those around us who we talk to. We add keywords to our e-mails that are certain to set off Carnivore and the NSA's alarms. Then we tell our friends, "I wish we had a GPG system set up so that we could communicate." Then in the next e-mail, we say, "I found this cool new tutorial on how to use gpg. Here is my public key." and at the bottom of the message, they put their unsightly 1024 bit ascii public key. To do this, simply run gpg -a --export "Name" where Name is your name. It will spit out a public key in ascii that you can put at the bottom of your message. Don't send this at the bottom of every message you write, just the ones where you implore your friend to use GPG. Don't worry about people getting ahold of your public key. That only means that they can encrypt data that only you can see. Say that some hacker gets your public key. They can now send you an e-mail that you can read. As if they couldn't do that before. Now there's only fewer people who can read what the hacker is telling you. There is another way to publicize your public key through a server, but is not easy enough to do this through the command line for this tutorial.

So the first answer everyone always gives is: "I don't understand it and I've got nothing to hide." Then we tell them, "I'm going to cut off all communication with you unless we use military-grade encryption. Call me long-distance and I'll run you through the process if you like. It takes 5 minutes." So then you have some leverage. Obviously this person wants to keep talking with you and if it only takes 5 minutes to do it, why not? So they do exactly what you have just done. They can now send you their public key using the same method you used above.

Send an encrypted e-mail
Now you can send them an encrypted e-mail and you can be certain that only they can read it. One small step for man, one giant leap for mankind. First, you must import their key. Simply run gpg --import and paste their public key into the window. Press Ctrl-D and it will confirm the key. Then you can send them a message. To do this, it is the same as encrypting plain-text above gpg -a -e and then at the user ID, you type their name instead of your name. When you are finished, press Ctrl-D and it will give you an encrypted ascii message. Put that into an e-mail and send it away. They will do the same and you are secure in your communications.

There are other things that can become as important as encryption like signing and photo ids, but you can find out about them some other time.

You Hate Command Line Interface
Of course you don't like the command line. That is why they make graphical user interfaces. GPG has front-ends if you wish. It makes sense to use a front end because you can actually use the features easily. The idea of GPG is not to make life hard for everyone involved, but to make things secure without any extra effort. I actually use KGpg (Linux Gpg front-end for KDE) when I'm not wearing my tin foil hat.

Notes on Usage
You don't want to encrypt everything. That would be silly. Encrypt those things that are personal, private, etc. These are usually text, but can also be... pictures... or video... Your mail archive would be a good idea. However, since all your mail has been passed around the web in plain-text, don't expect that everyone hasn't already seen it. You are encrypting it so that people don't see it in the future. Of course, somewhere the sender/recipient of that e-mail has a copy. Trusting them to either destroy it or encrypt it is a task in itself. Another thing you can encrypt is your diatribes and essays. You don't want the wrong people to use the info against you, so you simply encrypt it and speak freely. I myself put most of my rants out here in the open. However, there's about 10 MB of plain-text that I keep on my secure system which I encrypt because there is absolutely no reason for anyone else to read it. (In an unlikely case that I am martyred by a tyrranical government ala MLK, Ghandi, Haymarket Martyrs, etc, those might become a nice autobiography, but I don't want to die just yet.) If you feel the need for privacy in your diary, rants, and technical reading, feel free to do so. Encrypting your mp3 collection is probably not very useful. It will take time to decrypt them every time you want to listen and if you're sharing them, encryption won't work. If you're smart, you won't share illegally on an insecure network*. If you want, you might put all your mp3s into an archive, encrypt it and burn it to a CD. This will do a few things. The first is that it allows you to ensure that no matter what nuclear holocaust, good music will endure to future. When you want to listen to it, break out the CD and decrypt it into memory. The second is that in the unlikely case that police seize your data, they can't get at it. You are then completely absolved from any wrong-doing since they can't prove that you did anything wrong.

What if they seize your private key? At that point you would be heading for tin foil hat land. Then you would need a secure data chip that you keep with you with the key. Floppies don't last long enough, so I'd advise against that. Sony has a good system with it's Memory Stick, but only if you have a Sony computer or a Memory Stick Reader. Better would be a 8 MB Compact Flash and a USB Compact Flash reader. The total set up would set you back $50 max and then you'd be a tin foil hat hacker. PDAs and possibly cell phones could be used similarly if you trust them. Beware of Van Eck Phreaking, because those little boxes can tell their secrets from across a room. There becomes a problem that if the people you are being private from cannot access your data even with you in jail, then you certainly cannot. The idea of your data being preserved in the future is gone. It is up to you to weigh getting sued or imprisoned vs. preserving data.

*Plain-text networks are insecure. But attaching your user data makes it much more insecure. When I say much more insecure, I mean "getting sued" insecure. People who share copyrighted data over the network are liable to get sued for a lot of money by the RIAA's pen full of lawyers. Whether this is right or not is left up to you. I will assume you don't want to get sued though. Mediocrity is not an excuse these days it seems. Any person picked seemingly at random for copyright abuse can get sued. Anonymity affords a person so much protection. The networks could implement this quite easily but would open themselves up to litigation. Freenet does this but sadly does not work well enough to push five 20kB pictures and a 5kB rant let alone a Terabyte per month.

Javantea's Public Key
Version: GnuPG v1.2.1 (GNU/Linux)


"Body movin, body movin, 
A1 sound never sound so soothing 
Body movin, body movin, 
We be getting down and you know we're crush groovin 
Let me get some action from the back section 
We need body rocking not perfection
Body movin, body movin, 
A1 sound never sound so soothing 
Body movin, body movin, 
And if you ask me turn up the bass 
And if you play the fender, rock it b in hyper space 
Body movin' "
--Beastie Boys
Home Characters Making Of Technical Mail News Links |< First < Prev Next > Latest >|  bandwidth version Goto Scene