We may recall the hilariously stupid comedy of Meet the Parents staring Ben Stiller & Robert Deniro as they battle it out trying to earn or destroy the potential Father/Son in-law relationship. In the follow-up movie Meet the Fockers, Deniro leaves this wonderful illustration for Stiller to find after an episode where a drunken Stiller has made an absolute fool of himself, embarrassing his future in-laws and his own family alike. I would like to use the same illustration to describe how PGP/GPG can help you (and I) build our own Circle of Trust.
Referring to the link provided (Web of Trust) I take you to the The GNU Privacy Handbook. A simple enough document describing how to use the software available for free at www.gnupg.org. If you're using Windows, then I would suggest you use www.gpg4win.org as it includes 2 different programs for managing keys (I'm enjoying Kleopatra) and plugins for Outlook & Internet Exploder. I don't use either of those, but I like the key managers. I am a strong advocate for Mozilla Thunderbird (currently using v3) which uses the enigmail plugin. I like it, it's built-in functionality allows me to set simple rules and not have to worry about "did I remember to sign/encrypt that last message?". However; it doesn't work alone, Enigmail still requires the GnuPG software installed.
Once a person has gone through the trouble of installing GPG and their preferred email client plugins, then gone through the steps to create their personalized key-pair (Private & Public Keys) what's next? You have a key, but no one trusts it. Here's where the hard part begins. You may not require all of your messages to be signed because, not everything you do really needs that kind of verification. But without any one elses public key, you can't encrypt anything for anyone except yourself. That makes the information safe, but not shareable. You need to find someone, someone you trust and who trusts you, whom you would want to share protected information with. Sure you can get your mother set up with a key pair as well, but really, does "don't forget to take out the trash" really count as vital information? One idea would be for a teacher to set up his/her own key set and share it with their students and make every one of them do the same. No assignment or message submitted electronically would be valid unless it was digitally signed by the student, and encrypted to the teacher. That works, limited but workable.
Now the teacher can set his or her trust level for each student and the students can do the same for the teacher. Now we all have validated keys. Unrelated 3rd parties are more likely to trust a students key if their professor has digitally verified that key. Hell, why stop there? Let's get ALL the teachers who teach that student, verify the key. Now, if one teacher has come lately to the show, receives a digitally signed message but can't verify it, he/she can go over to one of the other teachers and get a copy of the student's key from them, and the same for students. With a school-wide key server, the entire process can be simplified. Students working together on projects can sign each others keys as well for temporary periods of time, especially when one person submits the assignment for the entire team.
By digitally signing his or her assignments, the student has not only verified that no one has intercepted and modified what it contains, but they also take responsibility for what's inside. Here's an example: Student A submits a short assignment containing a few blocks of programming code and some descriptive paragraphs all of which was digitally signed but not encrypted. Student B has installed a trojan on A's computer and receives a copy of the email and the assignment. B then copies the assignment out of the message, changes a few lines of the description and tweaks the code a bit to make it look original. B then digitally signs his work and submits it to the same teacher.
Now, I'd like to stop there for a moment. A situation similar to this occurred in real life, to myself and my study group some 10 years ago but it was before I learned about PGP. My study group and I worked together on designing some code, we each submitted a copy of it with our own descriptions and referenced each other as helpers. The assignments were submitted individually into a shared public folder the teacher left open for us. Another student came along and copied our work, DELETED our assignments and submitted his own. When we were asked for our submissions (a day late I might add) and they were marked, my group and I were all charged with Plagiarism for not referencing the thief's "obvious" hand in our code design. It was a terrible hit on our records and nothing we could do would prove that we were innocent.
Here's how PGP would have resolved the issue. B has signed his work, but the filedate of his work is set after A's work was already submitted. B will now be held accountable for stealing the work already submitted by A. Had the work been encrypted to the teacher, B would not even have had the opportunity to copy anything because B can't decrypt anything meant for someone else. The joke here is, if B had submitted the code for his Trojan for extra credit, he probably would have received those extra marks instead of being labelled a Plagiarist for actually using it.
Anyway. This scenario can also be applied to any work scenario where the HR department wants to discuss sensitive topics through intraoffice email and they don't want anyone being able to intercept it. Or maybe when sending some pornographic material to your spouse in another department. Network admins have direct access to any and all messages moving through their servers, and those are only the people who are allowed access. Gods only know who has access that shouldn't. In reality, the ammount of privacy we DON'T have is absurd. Everyone should have a key, it's not a breach of privacy, I mean, if you want to share stuff unprotected, you can still have that as an option. If we can do it for sex, why can't we do it for emails?
In conclusion, I have a key. I don't have anyone signing my key. I know I have a lot of friends out there who would probably like to be sure that what they are receiving is really from me and not from some crazy/manipulative 3rd party. Or if they want to send me protected information, then by all means. Please follow the links and instructions above and share your key with me. You can find my public key on the key service. The reference for it is 0x48C8C609 and can be found on the key server keyserver.veridis.com just type in the reference number and download the asc file (Simple ASCII file). Import it into your key manager and now you can verify any messages I send you or encrypt messages you want to send me.
If you decide to share keys with me, then be welcome to my Web of Trust.
--
Friar Greg
No comments:
Post a Comment