Overclocked

I have just read the first of Cory Doctorow's short stories in Overclocked, which are available for download under a Creative Commons license. It has the virtues, among others, of a) being short, b) illustrating an important point about a fundamental freedom, c) alluding to George Orwell, d) relying on the common programming concept of recursion, and e) availing itself of an innovative legal structure for marketing and distribution purposes. All in all, it's "Science Fiction" in the best senses of both terms.

Postscript to Outliers

A minor postscript to Outliers is that it is the first Amazon Kindle book I have read, although I read it not on a Kindle but on an iPhone. All in all, it is delightful to have a book always at hand. The book was quite readable, and really my only reservation is that charts did not always reproduce well on the iPhone. In addition to Amazon, I am heartened to see that high quality e-books continue to be published by ereader and others.

DRAFT PLEA FOR THE PROPAGATION OF ENCRYPTION

Short of the unhealthy interest of a three letter government agency, in which case you probably have bigger problems than worrying about whether your data is encrypted, there are still good reasons to consider a few simple measures to ensure privacy in communications. Many of us are familiar with the by now somewhat shop-worn point that people who still use the postal service tend to prefer putting their personal letters and bill payments into envelopes rather than pasting them on a postcard for general review. Ironically, perhaps, the same people who would hesitate to have the postman reviewing their medical report are quite happy to leave their unencrypted email to reside on the servers of the Google or Yahoo corporations after it bounces halfway around the world from one server to the next. In addition, all this unencrypted data quietly residing on the Internet can become easy prey should the heirs of J. Edgar Hoover cast the same suspicious eye on you that he cast on David Halberstam and Martin Luther King, Jr. See http://en.wikipedia.org/wiki/Carnivore_(software).

Aside from whether the jack-booted thugs are on their way to come a knocking at the door, imagine the boss at your Fortune 500 company has sent out a global email trumpeting the latest way to make money off of sub-prime mortgages, and you decide to send a snarky comment to your best friend about the progression of your boss's Alzheimer's. Then you hit the "reply all" button and realize that it is time to polish up your resume. Alternatively, if the snarky remark had been encrypted, only your best friend could read it, no matter where it was sent.

And who has not received an email from the ex Foreign Minister of Nigeria explaining that a small advance contribution can liberate millions of untraceable funds, eighty percent of which will be turned over to you? Laughable that anyone would fall for such a transparent scam, but wouldn't it be reassuring to be confident that emails from your friends really are from your friends and not from the ex Foreign Minister of Nigeria pretending to be your friend? By requiring each person to have a unique private key, encryption reliably identifies the sender of a signed or encrypted email.

Public key encryption requires a public key and a private key. In sending a message, the sender encrypts it with the recipient's public key and signs it with his own private key. Upon receipt, the recipient decrypts the message with the private key corresponding to his public key. While the public key, as the name implies, is widely circulated, the private key is held only by the owner, kept secret, and generally protected by a password. Verifying the identity of a key owner generally depends initially upon personal verification between users, but ultimately upon a "web of trust" built up as users sign each other's keys. It seems to be generally conceded that, used carefully, public key encryption systems such as GPG are capable of withstanding all but the most determined of institutional attacks, but that special care is necessary to create strong passwords, guard private keys, and verify relationships in the web of trust. See http://blogs.techrepublic.com.com/security/?p=412 .

Although only in limited use by private individuals, high quality public key cryptography is widely available to the public for free, supplemented by low cost refinements that increase its convenience. Among these are PGP/GPG (supplemented as needed by the public hushmail implementation) and SSL certificates providing S/MIME encryption.

Gnu Privacy Guard (GPG)

Gnu Privacy Guard (GPG) is a free program that encrypts files using the OpenPGP standard. It offers additional security because the source code (instructions for the computer) is freely available and can be examined by anyone with sufficient expertise to ensure that there are no back doors or other flaws in the program. Although GPG is standard on Linux platforms, Windows users need to install a Windows variety of the program such as gnupg.exe or gpg4win.exe.

My preferred standalone email client is Mozilla's Thunderbird, which provides for encrypting email using either GPG or S/MIME. Instructions on downloading and installing gnupg.exe, creating and importing keys, and installing the Thunderbird Enigmail add-on in order to use GPG can be found at http://enigmail.mozdev.org/documentation/quickstart-ch1.php#id2532629 .

After downloading and installing gnupg.exe, you need to open a command window from Start>Run; type "cmd" in the "Run" window and hit return.

Use the "cd" command to change directories to C:\Program Files\GNU\GnuPG, then, on the command line, type, as needed,

gpg --help to get help
gpg --gen-key to create your public and private keys
gpg --import to import previously generated keys

Although there are a host of other command line options for gpg, the most useful functions for sending email will all be available within Thunderbird once Enigmail is installed.

After downloading Enigmail, one may wish to take advantage of one of the other features of GPG, which is its ability to verify the authenticity of downloaded software. To do so, first download and import the Enigmail public key as follows:

"C:\Program Files\GNU\GnuPG\gpg" --import enigmail-key.asc

Then, download the signature file from the website and the Enigmail file itself, and run

"C:\Program Files\GNU\GnuPG\gpg" --verify enigmail-0.95.7-tb+sm.xpi.asc enigmail-0.95.7-tb+sm.xpi
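
Added example (not part of the original post, and not code from the GnuPG or Enigmail projects): a Python wrapper for the verification step above that also checks which key made the signature, since a key imported from the same site as the download says little on its own. EXPECTED_FPR and the sample status lines are constructed placeholders, and check_status and verify_download are names chosen here.

```python
import subprocess

# Constructed placeholder, NOT the real Enigmail key fingerprint. Replace it with the
# 40-hex-digit fingerprint obtained through a channel other than the download site.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of what `gpg --status-fd 1 --verify` writes for a good signature.
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + EXPECTED_FPR + " 2009-03-01 1235865600 0 4 0 1 2 00 "
    + EXPECTED_FPR + "\n"
)

# Status keywords that mean the signature must not be trusted.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def check_status(status_text, expected_fpr):
    """Return (ok, reason) for the status output of one detached-signature check."""
    expected = expected_fpr.replace(" ", "").upper()
    good, signer = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable gpg output, not a status line
        keyword, args = fields[1], fields[2:]
        if keyword in BAD_STATUS:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # The tenth argument, when present, is the primary key's fingerprint;
            # otherwise fall back to the fingerprint of the key that signed.
            signer = (args[9] if len(args) >= 10 else args[0]).upper()
    if not good or signer is None:
        return False, "no valid signature found"
    if signer != expected:
        return False, "signed by unexpected key " + signer
    return True, "good signature from expected key"

def verify_download(sig_path, file_path, expected_fpr, gpg="gpg"):
    """Run gpg on a detached signature and the downloaded file, then check the result."""
    proc = subprocess.run(
        [gpg, "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return check_status(proc.stdout, expected_fpr)
```

On the Windows installation described above, pass the full path to the gpg program as the gpg argument of verify_download.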

Enigmail, which is simply a Thunderbird .xpi file, is easily installed by anyone familiar with Mozilla simply by opening the extension in Thunderbird from Tools>Add-on>Install, otherwise see the more detailed instructions referenced above. Once installed, the new buttons on the Thunderbird toolbar allow you to easily encrypt, decrypt, sign, and verify signatures on your mail. (One note: mail signed with GPG should be sent in text format rather than HTML).

Hushmail

So far this solution works fine for desktops and laptops where one can install GPG, but increasingly people are using cellphones to send email to and fro over easily intercepted wireless connections. Although PGP Corporation (http://www.pgp.com) experimented briefly with a PGP client for the Palm Pilot, in general I have not found support for GPG on mobile mail clients. However, increasingly cellphones also have web browsing capability, and one method of addressing the problem of unencrypted email can be found at http://www.hushmail.com. Hushmail is essentially a web-based email server with GPG installed; it lets you create a free account and send encrypted email. For $50 (or more) a year, it will also let you integrate your hushmail account with your desktop or laptop GPG account, so you can access your hushmail account from the web on your cellphone, laptop, or desktop, and also from Thunderbird on your laptop or desktop.

S/MIME

An alternative to GPG is to create a personal SSL certificate, have it signed by a recognized certificate authority, and use it for encryption and signature of email. Depending on the purpose of the certificate, the process of creation can sometimes be a bit involved, and Certificate Authorities will sometimes charge a hefty fee to issue a signed certificate. (The signature from a trusted authority assures a recipient of your email, for example, that you really are who you say you are.) However, there is at least one good free Certificate Authority -- CACert.org. CACert.org will issue a certificate suitable for email use for six months at no charge, and all that is required is registration at their site and the completion of a few web forms.

Go to www.cacert.org and click "Root Certificate" and then click Root Certificate (PEM Format) and Intermediate Certificate (PEM Format). This will set up your Certificate Authorities for use by your browser and for export to your mail client. Click each of the three boxes to indicate that you trust the certificate. In Firefox, go to Options>Advanced>Encryption>View Certificates and click on Cacert Class 3 Root under Root CA. Click View>Export and save as an X.509 Certificate with chain. Repeat for CA Cert Signing Authority. In Thunderbird, go to Tools>Options>Advanced>Certificates>View Certificates>Authorities>Import and Import each of your saved Certificate Authorities, again checking off the boxes to indicate that they are trusted.

Now sign up for a free account at www.cacert.org (although as a public service organization, they do accept donations). Once your email is confirmed and your account set up, go to Client Certificates and follow the directions to set one up for your email. Click on your certificate to install it in your browser. (You will now be able to sign into cacert.org using your certificate rather than your password if you wish). In Firefox, you can now go to Options>Advanced>Certificates>View Certificates>Your Certificates>Backup and save your personal certificate as a PKCS12 file (filename.p12), and then reverse the process to import your certificate into Thunderbird. You now have a personal SSL certificate in Thunderbird that can be used to create an S/MIME signature or encrypt your email. Of course, before you can send anyone encrypted mail, you will need to have them send you a copy of their certificate.

Responses? Questions? Suggestions? Send me encrypted mail at williamson [dot] day [at] hushmail [dot] com.

GPG Public Key:



UPDATE 3/16/09: It looks as though you can use the gpg4win package to install a plugin for Outlook 2003. (Outlook 2007 is apparently not supported yet.) Their site is located at http://www.gpg4win.org/. I have not had a chance to try it out yet, but a detailed instruction manual is available at http://www.gpg4win.de/handbuecher/novices.html. People who have a serious need for encryption can also buy a commercial implementation of PGP (the commercial version of GPG) such as PGP Home at http://na.store.pgp.com/desktop_home.html for $99. For web-based mail, you probably need something like hushmail as a practical matter, and hushmail also appears to offer Outlook integration in the paid version. Mostly, objections to GPG are not that it is insecure (although many people do not choose a strong enough password) but that 1) the learning curve is too steep, 2) it is too much of a hassle, 3) it may raise questions about what you have to hide if you are using encryption, or 4) anything you have to encrypt should not be sent from an insecure location like work, anyway. You pays your money, and you takes your choice.

Open Source Propels Obama to the Presidency

Doc Searls has a fascinating article in Linux Journal on the evolution of Barack Obama's technological infrastructure. Searls explains how the Obama technological revolution had its genesis in the experience of Joe Trippi, who got his start working for Debian Linux developer Ian Murdock before he became Howard Dean's campaign manager and the midwife of the Democratic Internet machine. Since then, open source developers have played a key role in developing the Democratic communications infrastructure, while also-ran John McCain was tied to a clunky and inert Microsoft platform.

Blast from the Past (The Geek Code)

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GJ/L d++ s+ a+ C+ UL>++++ P>+ L+>++ E W++ N o-- K- w !O M>+ V-- PS++>+++ PE Y+ PGP>+ t !5 !X !R tv+ b+>++ DI-- D- G e+++ h---- r+++ y++++
------END GEEK CODE BLOCK------


Life

Conway's Game of Life is a simple computational game in which "cells" are either "alive" or "dead" based on their proximity to other cells — too few neighboring cells cause a cell to "die" from isolation and too many from overcrowding. The game is interesting on multiple levels. It was designed to show that an initial pattern could be self-replicating based on simple rules. As an analytical tool, it allows for analysis both at the cellular level and at the level of patterns, in much the same way that biological organisms can be analyzed. In another twist, Life is "Turing complete" and can function as a computer.

Jerry Built and Jury Rigged

I recently applied Service Pack 2 to a Microsoft Small Business Server 2003 and received the following error message: "Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer." The good news is that Microsoft has good documentation of the problem. The bad news is that it took 11 steps to fix it.

MyBlogLog

I have misspent a couple of hours today exploring MyBlogLog, a site devoted to providing statistics on blog traffic and allowing members to see when they have visited each other's blogs. For bloggers, it is well worth taking a look. While I was there, I discovered a savvy conservative commentator, a word maven, a specialist in brand development, and some of my favorite Moroccan sites: Refusenik and Murmures, which led me to MyBlogLog in the first place.

Crossroads Arabia

An interesting blog by a former Foreign Service Officer who spent much of his career posted to the Middle East.

The Devil Makes Mischief for Idle CPU's

The BBC Climate Change Project uses idle time on thousands of PCs around the world to create a virtual supercomputer that runs climate change experiments. Basically, once you sign up and download the software, if you are not using your computer, the BBC Climate Change Project is. A variety of similar projects, powered by BOINC technology, are available through GridRepublic; GridRepublic lets you run several different projects on your computer.

Anyone who cares to join one of my teams (the Hong Kong Kavaliers! after the Adventures of Buckaroo Banzai) can sign up for any of the following projects at the following sites or through GridRepublic:

Hong Kong Kavaliers:

del.icio.us

I have just gotten around to trying out del.icio.us. The site allows you to "tag" web pages so that they can be organized into bookmarks on your del.icio.us account. The site lets you search for similarly tagged items, and it tells you who else has tagged the web page you have tagged. Very cool.

Idle Time

Keith Ferrazzi announces a new way to donate your home computer's unused computing power to advance scientific and medical research through the power of BOINC. Building on the success of the Search for Extraterrestrial Intelligence (SETI) in harnessing idle computers across the Internet to donate spare processing power, GridRepublic now offers the chance to donate idle computing power on your home computer to a variety of scientific projects.