Turning on the Zedz

Written by Evan Liebovitch, Contributor
Time for another hidden gem.

Previous installments of this recurring theme have described elements of Linux and its community that help make Linux so useful and flexible. Previous hidden gem columns have dealt with software (Ghostscript) and a Web site (Google). This time it's both -- a Web site of significant value to open source users, and the software you'll find there.

Occasionally, those of us who live outside the United States have viewed, with a combination of concern and amusement, American government restrictions on encryption and computer privacy. It's strange to see certain educational initiatives by the U.S. government, including the Department of Justice's Kids' area, which argues the value of privacy while trying to talk kids out of hacking. Yet this same government puts significant roadblocks in the way of adults who want such privacy.

The whole story can get pretty convoluted, but here it is in a nutshell: Americans are allowed to import code that includes strong encryption from other countries, but they can't export it anywhere except Canada. The policy is controversial and has even been declared unconstitutional by one court.

Untouchable
What this has done is to keep encryption software -- the code you need to keep your data private -- out of many people's hands. If you want to include encryption on production software CDs, you must make separate versions for domestic and foreign consumption. Most Linux distributors, not wanting this kind of limitation, simply don't bother with encryption at all, either on their CDs or their Web sites.

In fact, the only open source software that ships with strong security and encryption isn't even a Linux product, nor is it an American product. It's OpenBSD, produced in Canada, which can be imported into America but not sent back out. An actual secure Linux distribution is under development in the Netherlands but isn't ready yet.

For most Linux users, information on how to make their files, e-mail, and communications secure isn't all that easy to come by. For many computer users, the most they see of reasonably strong encryption is the choice Netscape gives when you download the new version of Communicator. All users can get the weak 56-bit encryption version (the same one that's included with many commercial Linux distributions); those who swear online at the Netscape Web site that they're American or Canadian can get the high-potency 128-bit stuff.

But that's scratching the surface. Netscape's encryption methods are used for electronic transactions over the Web, but they don't encrypt your e-mail and won't protect files on your system. More important than that, Netscape is hardly open source -- it's binary only.

Looking for clues
That's where the Replay Associates Web site comes in. It's quite possibly the best resource on the 'Net. Based in the Netherlands, Replay (which is undergoing a name change to Zedz) isn't subject to U.S. restrictions. So Americans can freely download from replay.com; they just can't relay what they get to a location outside the U.S.

There are entire books covering the issue of security and the various tools -- proprietary and open source -- used to secure data and the way it's transmitted. Among the tools available on the Replay site, two stand out to me as the most useful, and likely most popular:

First is Pretty Good Privacy (PGP), which wins my prize for most modest name. This software does an excellent job of encrypting files using the concept of two "keys" -- one you make public and one you keep to yourself. This technology, called public key cryptography, is both elegant and effective. It works especially well in e-mail, both for encrypting entire messages and the more common use of digitally signing messages to ensure that what you read is what the sender wrote.
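To make the two-key idea concrete, here is a small, added illustration (not PGP or GPG code, and not from the original column) of public key cryptography in the RSA style that PGP uses: a message signed with the private key can be checked by anyone holding the public key, and anything encrypted to the public key can only be read with the private key. The primes are hard-coded for the demo rather than generated, and no padding is used, so it is a teaching toy, not a drop-in for real mail encryption.

```python
"""Toy public-key cryptography in the RSA style: one key is published,
the other stays private.  Constructed example; not PGP/GPG code."""
import hashlib

# Two large primes, hard-coded for the demo (the Mersenne primes M61 and M89).
# Real tools generate fresh random primes of 1024 bits or more.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # common public exponent; coprime to (P-1)*(Q-1) for these primes


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e) public key, (n, d) private key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e; needs Python 3.8+
    return (n, e), (n, d)


def _digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Sign with the private key: only the holder of d can produce this."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check that what they read is what was signed."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def encrypt(public_key, message: bytes) -> int:
    """Encrypt to the key owner; the plaintext as an integer must be below n."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Recover the plaintext with the private exponent d."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    """Sign, verify, catch a tampered message, and round-trip an encryption."""
    pub, priv = make_keypair()
    msg = b"meet at noon"                  # constructed sample message
    sig = sign(priv, msg)
    ok = verify(pub, msg, sig)             # True: the signature matches
    tampered_ok = verify(pub, b"meet at nine", sig)  # False: text was altered
    roundtrip = decrypt(priv, encrypt(pub, msg)) == msg
    return ok, tampered_ok, roundtrip


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The signature is computed over a hash of the message rather than the message itself, which is also how PGP does it; changing even one character of the text changes the hash, so the old signature no longer verifies.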

Next is ssh, or secure shell, an increasingly popular alternative to telnet, best known for encrypting the data of a remote login session. While it's not totally foolproof (it can't encrypt TCP/IP packet headers), it is fairly effective. It can work with public key authentication, allowing for lengthy passphrases instead of simple passwords, or it can work with plain passwords too. The difference is that your passwords are sent over an encrypted line, so snoopers can't determine the passwords you're using simply by intercepting packets (as can happen with telnet or rlogin sessions).

Both ssh and PGP suffer from not being fully open source. Their licenses are restrictive and exact fees for commercial use. In the case of ssh, the vendor extracting said fees is DataFellows, and for PGP it's Network Associates. Earlier versions of ssh have more liberal policies, and in the circles I travel, release 1 of ssh continues to be more popular than the more restrictive version 2. Furthermore, both ssh and PGP use proprietary technologies such as RSA (patented in the U.S. only) and IDEA (patented in many countries), and that usage meets opposition from developers who don't believe in closed software.

Open source security
Of course, it's one thing to complain, and quite another to do something about the source of the complaint. The Free Software Foundation, home of the GNU project and Richard Stallman, has spearheaded technologies that offer the above security facilities with totally open technology.

The free answer to PGP is the GNU Privacy Guard, expressed as the cute anagram GPG. It's quite easy to get and to use, and will become more so when the RSA patent expires September 20, 2000. From then on, free software encryption programmers won't have to make one version of their software for the U.S. (which excludes RSA) and another for the rest of the world, the way PGP programmers must do now.

Also on the way is OpenSSH, the fully open source alternative to ssh. All the above software, except for OpenSSH, is available and is described on the Replay site. While much of the Linux software there is referenced as being specific to Red Hat, it will work on most distributions.

One thing is clear. There's a lot of security software to choose from, and a lot to learn. Still, the advantages of being familiar with encryption are worth the effort if indeed your data (corporate or personal) means something to you. And whatever your preference, you'll find what you're looking for at the Replay Web site, which will become known as the Zedz site in December. It's certainly not kids' stuff, but it's well worth a look.

What does encryption mean to you? Let us know in the Talkback below or in the ZDNet Linux Forum. Or write to Evan directly at evan@starnix.com.
