Turning on the Zedz

Evan Liebovitch | November 2, 1999 12:00 AM PST

Time for another hidden gem.

Previous installments of this recurring theme have described elements of Linux and its community that help make Linux so useful and flexible. Previous hidden gem columns have dealt with software (Ghostscript) and a Web site (Google). This time it's both -- a Web site of significant value to open source users, and the software you'll find there.

Occasionally, those of us who live outside the United States have viewed, with a combination of concern and amusement, American government restrictions on encryption and computer privacy. It's strange to see certain educational initiatives by the U.S. government, including the Department of Justice's Kid's area, which argues the values of privacy as they try to talk kids out of hacking. Yet this same government puts significant roadblocks in the way of adults who want such privacy.

The whole story can get pretty convoluted, but here it is in a nutshell: Americans are allowed to import code that includes strong encryption from other countries, but they can't export it anywhere except Canada. The policy is controversial and has even been declared unconstitutional by one court.

Untouchable
What this has done is to keep encryption software -- the code you need to keep your data private -- out of many people's hands. If you want to include encryption on production software CDs, you must make separate versions for domestic and foreign consumption. Most Linux distributors, not wanting this kind of limitation, simply don't bother with encryption at all, either on their CDs or their Web sites.

In fact, the only open source software that ships with strong security and encryption isn't even a Linux product, nor is it an American product. It's OpenBSD, produced in Canada, which can be imported into America but not sent back out. An actual secure Linux distribution is under development in the Netherlands but isn't ready yet.

For most Linux users, information on how to make their files, e-mail, and communications secure isn't all that easy to come by. For many computer users, the most they see of reasonably strong encryption is the choice Netscape gives when you download the new version of Communicator. All users can get the weak 56-bit encryption version (the same one that's included with many commercial Linux distributions); those who swear online at the Netscape Web site that they're American or Canadian can get the high-potency 128-bit stuff.

But that's scratching the surface. Netscape's encryption methods are used for electronic transactions over the Web, but they don't encrypt your e-mail and won't protect files on your system. More important than that, Netscape is hardly open source -- it's binary only.

Looking for clues
That's where the Replay Associates Web site comes in. It's quite possibly the best resource on the 'Net. Based in the Netherlands, Replay (which is undergoing a name change to Zedz) isn't subject to U.S. restrictions. So Americans can freely download from replay.com, but just can't relay what they get to a location outside the U.S.

There are entire books covering the issue of security and the various tools -- proprietary and open source -- used to secure data and the way it's transmitted. Among the tools available on the Replay site, two stand out to me as the most useful, and likely most popular:

First is Pretty Good Privacy (PGP), which wins my prize for most modest name. This software does an excellent job of encrypting files using the concept of two "keys" -- one you make public and one you keep to yourself. This technology, called public key cryptography, is both elegant and effective. It works especially well in e-mail, both for encrypting entire messages and the more common use of digitally signing messages to ensure that what you read is what the sender wrote.

Next is ssh, or secure shell, an increasingly popular alternative to telnet which is best known for encrypting the data of a remote login session. While it's not totally foolproof (it can't encrypt TCP/IP packet headers) it is fairly effective. It can work with public key authentication allowing for lengthy password phrases instead of simple passwords, or it can work with plain passwords too. The difference is that your passwords are sent over an encrypted line, so snoopers can't determine the passwords you're using simply by intercepting packets (as can happen with telnet or rlogin sessions).

Both ssh and PGP suffer from not being fully open source. Their licenses are restrictive and exact fees for commercial use. In the case of ssh, the vendor extracting said fees is Data Fellows, and for PGP it's Network Associates. Earlier versions of ssh have more liberal policies, and in the circles I travel, release 1 of ssh continues to be more popular than the more restrictive version 2. Furthermore, both ssh and PGP use proprietary technologies such as RSA (patented in the U.S. only) and IDEA (patented in many countries), and that usage meets opposition from developers who don't believe in closed software.

Open source security
Of course, it's one thing to complain, and quite another to do something about the source of the complaint. The Free Software Foundation, home of the GNU project and Richard Stallman, has spearheaded technologies that offer the above security facilities with totally open technology.

The free answer to PGP is the GNU Privacy Guard, expressed as the cute anagram GPG. It's quite easy to get and to use, and will become more so when the RSA patent expires September 20, 2000. From then on, free software encryption programmers won't have to make one version of their software for the U.S. (which excludes RSA) and another for the rest of the world, the way PGP programmers must do now.

Also on the way is OpenSSH, the fully open sourced alternative to ssh. All the above software, except for OpenSSH, is available and is described on the Replay site. While much of the Linux software there is referenced as being specific to Red Hat, it will work on most distributions.

One thing is clear. There's a lot of security software to choose from, and a lot to learn. Still, the advantages of being familiar with encryption are worth the effort if indeed your data (corporate or personal) means something to you. And whatever your preference, you'll find what you're looking for at the Replay Web site, which will become known as the Zedz site in December. It's certainly not kid's stuff, but it's well worth a look.

What does encryption mean to you? Let us know in the Talkback below or in the ZDNet Linux Forum. Or write to Evan directly at evan@starnix.com.