1. What is encryption?
Encryption is the scrambling of data into a secret code that cannot be deciphered except by the intended party. Given enough time (and enough computing power) all encrypted messages can be read – but this can take massive amounts of time and resources.
In simple terms, encryption is a way for you to secure your files and your e-mail from spying eyes. Your files get translated into code that makes no sense to anyone who sees it: an apparently random collection of numbers and letters. To encrypt a file, you "lock" it with a key, represented by a passphrase. To encrypt a message, you lock it with a key pair, using your passphrase; it can then only be opened by the intended recipient, who uses his or her own passphrase.
2. Why should anyone who uses the Net use encryption?
Everyone should use encryption because digital communications are inherently unsafe. Anyone who uses the Net regularly would be wise to have their files and communications secured. It is imperative for any savvy online user to use encryption in their digital communications, to protect themselves and also the people they collaborate and communicate with.
Digital technology benefits us with easier communications, greater efficiency and more opportunities. However, every benefit comes with certain dangers. You wouldn't drive a car without a seatbelt even though you are not likely to get into an accident every time you drive. If you are driving in a more dangerous situation, such as a race, you are even more likely to use the available tools to make yourself safer.
Similarly, most of us are blissfully unaware that we are targets for surveillance. Unencrypted email can be viewed by almost anyone from many different points of access, which makes it almost inevitable that it will be accessed at some point. Your messages may already be monitored by adversaries, and you will never know about it. Your beneficiaries' adversaries are your adversaries.
3. Is it illegal to use encryption?
Sometimes. It is perfectly legal to use encryption in the United States, Canada and other western nations including Peru. In fact it is legal in most countries of the world. However, there are particular exceptions in other parts of the world. In China, for example, organizations must apply for a permit to use encryption, and everyone must report any encryption technology on their laptops as they enter the country. Singapore and Malaysia have laws requiring anyone wishing to use encryption to report their private keys. Similar laws are pending in India. There are other exceptions as well.
The Electronic Privacy Information Center (EPIC) provides An International Survey of Encryption Policy, which discusses the laws in most countries, at http://www2.epic.org/reports/crypto2000/; however, this list was last updated in 2000.
4. What software is available?
There's email encryption, disk encryption, anonymous remailers, backup systems, virus protection, firewalls, and more!
But having the right software is not the whole solution. The weakest link is usually individuals, not technology. Encryption doesn't work if individuals don't use it consistently, if they share their passphrases indiscriminately, or if they leave them in visible locations such as a sticky note pasted to their monitors. Backup software won't save you in the event of a fire or raid if you don't ensure the backup copy is stored at a separate secure location. Sensitive information must be treated on a need-to-know basis instead of being shared with everyone in the organization, so you need to establish hierarchies and protocols. In general, it's important to have a consciousness of privacy and security in your everyday activities. We call this "healthy paranoia".
5. What do we need?
It depends on your system and your activities, but generally everyone should have:
- A firewall
- Disk encryption
- Email encryption that also does digital signatures, such as PGP
- Virus detection software
- Secure backup – email to a secure site and back up all materials weekly to CD-RW, then store it at a separate secure location
- Passphrases that can be remembered but can't be guessed
- A hierarchy for access – everyone in the organization does not need access to all files
- Consistency – none of the tools will work if you don't use them all the time!
Usually, you ask your security-knowledgeable friends. You also need to communicate with certain people and groups, so if they are using a specific encryption system you should use the same system to make communication easier.
Some software packages simply don't do a good job, while others are honey pots. With a honey pot, you are lured into using the free and seemingly excellent software by the very people who want to spy upon you. What better way to read your most vulnerable communications than to be the overseer of your encryption software?
Still, there are many reputable brands of both proprietary software and freeware. Just remember to investigate before you use it.
7. Won't using encryption put me at a greater risk of a crackdown?
No one will know you are using encryption unless your email traffic is already being watched. If your email traffic is already being watched, then your private information is already being read; that means you are already the subject of surveillance by those watching you. There is a concern that those performing surveillance on you will turn to other options once they can no longer read your email, so it is important to know your contacts, relatives and co-workers, and to implement safe backup policies and consistent office management at the same time you begin to use encryption.
8. Why do we need to encrypt email and documents all the time?
If you only use encryption for delicate matters, those watching you or your clients can infer when critical activity is taking place… and are likely to crack down at those times. While they cannot read your encrypted communications, they can tell whether files are encrypted or not. A sudden rise in encryption may trigger heightened activity, so start using encryption before special "projects" arise. In fact, it's best to ensure all communication traffic flows smoothly.
Send encrypted email at regular intervals, even when there is nothing new to report. This way, when you need to send delicate information, it will be less noticeable.
9. If I've got a firewall, why do I need to encrypt my email?
Firewalls MAY prevent hackers from accessing your hard drive and network, but once you send an email out onto the Internet it's open to the world. You need to protect it before you send it.
10. No one is breaking into this office so why do I need to use privacy software?
First, you don't know if anyone is breaking into your system or if anyone is leaking information. Without encrypted communications, without physical security, without privacy protocols, anyone could be accessing your files, reading your e-mail and manipulating your documents without your knowledge. Second, your open communications can put others at risk in locations where politically motivated raids are more likely to occur. If you lock your doors, you should encrypt your files. It's that simple.
11. We don't have Internet access so we have to use an Internet café. How can we protect communications that we send from an outside computer?
You can still encrypt your email and your files. Before going to the Internet café, encrypt any files you intend to email and copy them in encrypted form onto your floppy disk or CD. At the Internet café, sign up for an encryption service such as Hushmail.com or an anonymity service such as Anonymizer.com, and use these when sending your email. Make sure the people receiving your communications have already signed up for these services.
12. If it's so important to secure our files and communications, why doesn't everyone do it?
This technology is relatively new, but its usage is spreading. Banks, multinational corporations, news agencies and governments all use encryption, recognizing it to be a sound investment and a necessary cost of doing business. NGOs (Non-Governmental Organizations) are at greater risk than companies, which most governments wish to welcome. NGOs are more likely to be targeted for surveillance, so they need to be proactive in implementing the technology.
13. How can we use privacy technology?
Privacy is consistent with openness. Privacy technology stops people from accessing your information in a clandestine manner.
14. We follow all the privacy and security protocols and still our information is leaked – what's going on?
You may have a spy within your organization, or you may have someone who simply cannot keep information confidential. Rework your information hierarchy to ensure fewer people have access to delicate information – and keep an especially watchful eye on those few people. Large corporations and organizations routinely disseminate different bits of false information to specific people as a matter of course. If this false information leaks out, the leak can be tracked directly back to the employee who was told the original (false) information.
The Do's and Don'ts of Using Encryption
DO use encryption consistently. If you only encrypt sensitive material, then anyone monitoring your email traffic will know when something important is about to happen. A sudden increase in use of encryption might lead to a raid.
DON'T put sensitive material in subject lines. They are usually not encrypted even if the message is.
DO use a passphrase containing letters, numbers, spacing and punctuation that only you can remember. Some techniques for safe passphrase creation are using patterns on your keyboard or stringing random words together with symbols in between. In general, the longer the passphrase, the stronger it is.
DON'T use a single word, name, popular phrase or an address in your address book for your passphrase. These can be cracked in minutes.
DO back up your private key in a single secure place, such as encrypted on a tiny, removable "keychain" USB memory device or a Sony memory stick.
DON'T reply with sensitive materials to someone just because they send an encrypted email and use a recognizable name. Anyone can "spoof" a name by making his or her email address sound like someone you know. Always verify an identity before you choose to trust the source – communicate in person, by phone or by checking their digital fingerprint with a reliable source.
DO teach others to use encryption. The more people using it, the safer we will all be.
DON'T forget to sign the message as well as encrypting. You want your recipient to know whether your message has been altered in transit.
DO encrypt files that you send as attachments separately. They are generally not encrypted automatically when you send an encrypted email.
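The passphrase DO and DON'T above (and the "remembered but can't be guessed" item in the checklist) can be put in numbers. The following is an added example, not part of the original FAQ: it builds a passphrase from random words with symbols in between, as recommended, and estimates how long a guess-everything attack would take against it versus against a single dictionary word. The eight-word sample list, the 170,000-word dictionary size and the 10 billion guesses per second rate are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed mini word list standing in for a real list such as Diceware (7776
# words). The entropy estimate takes the list size as a parameter, so the small
# sample here does not distort the numbers.
SAMPLE_WORDS = ["orbit", "velvet", "lantern", "quarry", "meadow", "saddle", "tundra", "cobalt"]
SEPARATORS = "!@#$%^&*-_=+:;,.?"   # 17 symbols that may sit between words


def generate_passphrase(words, count, separators=SEPARATORS):
    """Random words joined by random symbols. The secrets module (not random)
    is used so the choices cannot be predicted from the clock or a seed."""
    chosen = [secrets.choice(words) for _ in range(count)]
    out = chosen[0]
    for word in chosen[1:]:
        out += secrets.choice(separators) + word
    return out


def entropy_bits(count, wordlist_size, separator_count=len(SEPARATORS)):
    """Bits of entropy assuming the attacker knows the scheme (word list and
    separator alphabet) and only the random choices themselves are secret."""
    return count * math.log2(wordlist_size) + (count - 1) * math.log2(separator_count)


def crack_time_seconds(bits, guesses_per_second):
    """Expected time to find the passphrase: on average half the space is tried."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(guesses_per_second=1e10):
    """Single dictionary word (the DON'T) versus six random words with symbols
    (the DO). 170,000 is an assumed English dictionary size; 7776 is Diceware."""
    single = entropy_bits(1, 170_000)
    six = entropy_bits(6, 7776)
    year = 365.25 * 24 * 3600
    return {
        "single_word_bits": round(single, 1),
        "single_word_seconds": crack_time_seconds(single, guesses_per_second),
        "six_word_bits": round(six, 1),
        "six_word_years": crack_time_seconds(six, guesses_per_second) / year,
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 6))
    print(compare())
```

At the assumed rate the single word falls in well under a second, while six random words with symbols come out near 98 bits and would take on the order of 10^11 years, which is the gap the DO/DON'T pair is describing.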
Any questions? Ask away :)