Last night, we chatted: FG, Turtle
We had a conversation, fertile
It's strong; no wrong --
-- From hack-er throng
Encrypted, you see: safe; private, too

Be careful: Yahoo™, AOL™, peeps
Vi-rus-infested sewage hell; creeps:
Spam throng; send pr0n;
Become their pawn [1]
Secur-i-ty, seek, like smart geeks do

I don't want to see your puter
Hacked into by Chinese looter: drive, hard
(Your hard drive, stealin')
What's the US Gummint usin"?
AES, their choosin', and you -- [2]
Oh yeah, yes, you can use it too!

Why not give it a try and see, folks?
It's even absolutely free, folks
Go on, log on
Rely upon;
See: please thee, oh yeah, were we pleased, two!
Scumbag, we de-feased you [3]
Woah yeah, Hamachi™, Woo!




[1] Successfully hacking into someone else's computer so that you have complete remote command of it (often without the owner/user's knowledge) is to "own" it, in hacker slang. The common typo in fast chat of "pwn" for "own" caused "pwn" to become accepted hacker terminology, as a verb. "You've been pwned" means that you are now part of the hacker's army of robot computers, or "bots", at his command, some of whom have been found to have thousands or even milliions under their control. (Look up "Conficker", e. g. at Wikipedia.) The similarity to "pawn" is quite apropos, as you, in effect, become their pawn.

[2] "defease" = to defeat or annul, used mostly in the legal and financial world (to defeat, void, or annul a contract or debt.)

[3] AES = Advanced Encryption Standard, a method of encrypting information (remember your Secret Decoder Ring from the cereal box?), which was chosen by the US Government in 2001 after a five-year competition among the world's best cryptographers (experts in making and breaking codes). It replaced a 20-year-old system that was starting to show a few cracks and was wearing a little thin around the edges, though not yet "broken". In its strongest form, known as AES-256, it is approved for encrypting Top Secret classified information.

Considering how many secrets the US Govt. has, which we'll probably never know, and which they surely don't want us to find out.... if it's good enough for them, it's good enough for us.

FUN FACTS:

A)
The Clinton Administration, including "Internet hero" Vice President Al Gore, attempted in 1993 to require all makers of cell phones and similar devices to include the "Clipper Chip", a device that provided encryption, but with the Government holding a secret set of keys to allow them to snoop on any such device. Public outcry and the availability of phones made overseas shot that down in a hurry. It was dead by 1996.

B)
In 1991, Phil Zimmerman invented PGP (for "Pretty Good Privacy", an ironic understatement), a no-cost method for individuals to encrypt and secure their e-mail and other Internet communications. It was embraced, not only by privacy advocates in the US, but also by dissidents in totalitarian countries who were afraid to communicate over the Internet.

In February 1993, Zimmermann became the formal target of a criminal investigation by the US Government (guess who were POTUS and Vice-POTUS at the time?) for "munitions export without a license". Any encryption that was too strong for the US Govt. to break was considered dangerous, and many felt that the Govt. wanted to retain the ability to break US citizens' encrypted communications as well. Penalties for conviction could have been severe.

Zimmermann challenged these regulations in a curious way. He published the entire source code of PGP in a book that was distributed and sold widely. Anybody wishing to build their own copy of PGP could buy the $60 book, cut off the covers, separate the pages, and scan them using an OCR (Optical Character Reader) program, creating a set of source code text files. PGP would thus be available anywhere in the world. The claimed principle was simple: export of munitions—guns, bombs, planes, and software—was (and remains) restricted; but the export of books is protected by the First Amendment. The question was never tested in court with respect to PGP. In cases addressing other encryption software, however, two federal appeals courts have established the rule that cryptographic software source code is speech protected by the First Amendment.

As home computers became more widespread, it was apparent that not just criminals, but all of us, needed safe encryption to do our banking, bill pay, credit card management, and a host of other things. (You also can have free encrypted e-mail, which would have saved a lot of embarrassment for several Administrations; former New York Governor Eliot Spitzer; South Carolina Governor Mark Sanford, whose e-mails to his Argentinian mistress became public, etc.) After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else, and strong, unbreakable encryption is now freely available to anyone.

FUN GAME TO PLAY:

Whenever you visit a secure site. like your bank, look for the little "padlock" icon in the lower-right corner of your browser (any browser, AFAIK, but definitely IE and Firefox). Double-click the padlock and read the box assuring you that the connection is encrypted, and how. If it says "AES-256", they've got the current state of the art. A surprising number of the most high-value targets -- banks -- and others are still using the older RC4-128. Shame on them! AES is free, it's easy for the techies to implement, and it hardly slows things down at all. Even my Yahoo e-mail, which is free, uses AES for the login page on which you submit your username and password. Write such institutions an angry e-mail, demanding that they upgrade.

However, no need to panic -- yet -- or to stop using the sites secured by RC4-128. Cryptographers are the most paranoid people on the planet. (Not surprising -- the combined US-UK effort that succeeded in breaking the German and Japanese codes was essentially responsible for winning World War II, as we could eavesdrop on all of their communications, plans, etc. This is *serious* stuff, folks.) For example, let's say that for a given encryption system, an attacker with the fastest computer would need a billion years to try every possible password, or "encryption key", as the cryptogeeks call it. Now suppose someone comes up with a method that can guarantee the recovery of any key in "only" a million years. Cryptographers would have a heart attack -- that's a thousand-fold decrease in strength, despite being utterly useless to the attacker.

But the rule (in all security) is "Attacks never get worse; they always get better." Now that there's known to be a flaw, someone might find in the next year a method to break it in "only" a thousand years. Then a hundred. Then ten. Hey, your credit card will have expired by then, anyway. But the exploitation of the flaw(s) continues.... Therefore, any method that is faster than trying every possible combination (known as a "brute force" attack), is regarded as a "break", and taken seriously.

ANOTHER SAFETY TIP IF YOU HAVE A WIRELESS NETWORK:

The above principle was demonstrated in the first generation of wireless home routers -- the gadgets that you plug into your modem so that you can take your laptop anywhere within range, and still connect to the Net. That communication between laptop and router needs to be secured, else any passer-by with a laptop could listen in. (As I sit here on my own laptop, I can pick up anywhere from two to four other unsecured wireless networks from neighbors and nearby businesses, depending on weather, who's powered on at the moment, etc.)

The first encryption method used, called WEP (Wired Equivalent Privacy), was seriously flawed. Tools began appearing on the Net to allow attackers to locate the encryption key, and thereby join and snoop on the network, within some number of days of gathering your encrypted communications. Eventually, that was reduced to hours, then to two minutes. Now, any WEP key can be cracked in less than sixty seconds. (Like the movie, "Gone In Sixty Seconds".)

The next generation, an interim product called WPA (Wi-Fi Protected Access), was designed to be compatible with older routers while providing adequate security, so long as a long, strong password was used. ([Be{u2NPjmt-dk8}6l$@H , e. g., not your dog's, bf's, gf's or bff's name.) The state of the art is now WPA-2. All routers sold today support it, as do some sold since around 2005. If you have a version of Windows XP™ that dates back more than a year or so, your computer might not support WPA-2. An update is available at the Microsoft™ support site, which will quickly add this capability. Then you can change your router 's encryption to WPA-2, if it supports it.