On Fri, Jul 18, 2008 at 10:56 AM, Steven Black <
blacks@indiana.edu> wrote:
> * The US Government admits that using unencrypted email is like sending
> all your letters on postcards. There's no expectation of privacy, so
> there's nothing wrong with reading them.
Postcards? Letters? Mail? Does anybody do that any more? You mean I
have to pay per envelope and it can take days to get to the
destination? Why would anybody want that?
Just kidding, of course. In many cases an employer has a right to
monitor employee emails, at least according to articles I've read. I
wonder what happens if the employer wants to read an email that an
employee has sent using GPG (using the employers email server). If the
employee refuses to provide the passphrase (or just decrypt the
content) for the employer upon request, what happens? Could they
terminate the employee? I have not idea how this might work.
I've read some articles about law enforcement forcing people to
disclose passphases for encrypted content or face jail time. I find
that scary, not becasue I'm hiding something, just because it seems
like a privacy violation.
Very interesting topic indeed!
> * To get the most out of encryption, you have to use it all the time.
> If only use encryption for "sensitive" emails, then you've suddenly
> indicated that (1) you have sensitive emails, and (2) these specific
> emails contain all of the sensitive information.
Very true. I suppose it depends on the type of "sensitive" material
being sent. On my personal account I don't think I've ever sent an
encrypted message that would cause any really serious problems if
someone knew it was sensitive and even manged to decrypt the content.
I might get very upset that someone had accessed my "private" mail,
but that's about all that would happen.
At work we have a different method of secure file transfer when
encrypted email is not an option. In general I don't send anything via
my work email that I wouldn't want read by my supervisor or even the
general public. Working for a .edu I know there may be public record
laws that may affect my messages, but I'm unclear exactly how those
laws are applied, so I tend to err on the side of caution.
There are a couple of issues I have with encryption for *every* message:
* I only correspond with regularly with about 5 people who actually
have or use GPG keys. Getting everyone I communicate with via email to
use encryption for every message is not likely to happen in my
lifetime.
* reading messages on mobile devices really isn't an option if they're
GPG encrypted, at least not that I'm aware of. The sensitive messages
shouldn't be read on a mobile device anyway, but I like to be able to
read non-sensitive stuff on the go. Again, in my case disclosure of my
routine email messages wouldn't be the end of the world. For others
this could very well be different depending on the type of "sensitive"
messages.
I am definitely not saying that encrypting every message is
impossible, just that for me I personally don't have anything I send
over email I view as critical enough to justify the extra effort
involved in this.
Of course I still want to learn more about GPG and encryption in general.
Barry mentioned Pidgin in one of his messages. I use Psi on Windows as
my Jabber client, and it integrates with GPG for IM encryption. Just
an FYI in case anyone is interested. I'm not sure if there are other
Windows IM clients that do this or not.
One more GPG related item and then I'll get back to work: I have an
Aladdin eToken, which is a small USB smart card that functions as a
card reader too. Private keys are generated on the device and can't be
exported or otherwise leave the device. I bought it mostly to play
with and learn about smart cards and two-factor authentication. It'll
authenticate with Active Directory if the AD environment is set up
just right with a certificate authority. What I really want to do now
though is generate a private key on it and use it with GPG on Windows.
I gave up after trying, though I don't recall the technical reason
that I couldn't get it to work. PGP's paid version does this, I think
with the same model eToken. I did manage to get an SSH private key
generated on the token and use it with Putty on Windows and also with
the openssh client on linux. Not that I need the added security for
anything, it's just fun to try it.
Sorry for the long-winded message. I'm not trying to start an
encryption argument (especially as the "new guy"), just presenting my
views based on my very limited knowledge of the topic. I'm fine with
continuing the encryption discussion on the mailing list if people
want to or just waiting until the meeting if that's preferred.
I hope to attend a few BLUG meetings in the near future!
Kevin
_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
