::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
: Re-Formated by Eldridge Currie  7/21/03  Using Q-Edit    : 
: http://www.qedit.com/ Courtesy of ETCO http://etco.cn.st :
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

 -----BEGIN PGP SIGNED MESSAGE-----

Security and Encryption FAQ Revision 17.6

by Doctor Who

"No one shall be subjected to arbitrary interference with
his privacy, family, home or correspondence, nor to attacks
upon his honour and reputation. Everyone has the right to the
protection of the law against such interference or attacks."

Article 12 Universal Declaration of Human Rights

Disclaimer and justification for this FAQ.

Many countries operate a legal system designed to suppress
individual freedom.  Such countries often do not obey basic
human rights. The law in these countries may be based on          
guilty until proven innocent. My intention in offering this
FAQ is to legally challenge these threats to our freedom.
It is not my intention to promote any illegal act, but to
offer people the option of freedom of choice.  How they use
that freedom is entirely down to the individual.             

This revision contains some major changes, particularly on
the choice of encryption programs.  DriveCrypt Plus Pack
version 2 whole disk/drive encryption with access only by a      
pre-boot password is now the preferred choice, with      
BestCrypt version 7 my second choice.
	


The FAQ has 2 main Sections.

Part 1 concentrates on passive security.  It is intended to
be useful to both posters and lurkers.

Part 2 is to maximize your privacy whilst online,
particularly for Email and Usenet posting.


As in previous versions, I have assumed three security levels:

Level 1.   For those who wish to protect their files from
unauthorized access.  These users are not too concerned at
being found with encrypted data on their computer.

Level 2.   For those who not only wish to hide their private
data, but to hide the fact that they have such data.  This
might be an essential requirement for anyone who lives in an
inquisitorial police state where human rights are dubious.

Level 3.  For those who not only need all that is offered by
level 2, but additionally wish to protect themselves from
hackers whilst online and snoopers who may try and
compromise either their software or add substitute software
that could compromise their privacy.

Part 1 explains the 3 security levels and offers help in
achieving them.


1.  How does encryption work?

Essentially the plaintext is combined with a mathematical
algorithm (a set of rules for processing data) such that the
original text cannot be deduced from the output file, hence
the data is now in encrypted form. To enable the process to
be secure, a key (called the passphrase) is combined with
this algorithm.  Obviously the process must be reversible,
but only with the aid of the correct key.  Without the key,
reversing the process should be extremely difficult.  The
mathematics of the encryption should be openly available for
peer review.  At first sight this may appear to compromise
the encryption, but this is far from the case.  Peer review
ensures that there are no "back doors" or crypto weaknesses
within the program.  Although the algorithm is understood,
it is the combination of its use with the passphrase that
ensures secrecy.  Thus the passphrase is critical to the
security of the data.


2.  I want my Hard Drive and my Email to be secure, how can I
achieve this?

You need Pretty Good Privacy (PGP) for your Email and
DriveCrypt Plus Pack and/or BestCrypt for your hard drive
encrypted files.

PGP is here:  http://freepages.computers.rootsweb.com/~irfaiad/

DriveCrypt Plus Pack is here:  http://www.drivecrypt.com

BestCrypt is here:   http://www.jetico.com/


DriveCrypt Plus Pack (henceforth referred to as DCPP) is
Win2000/NT/XP compliant but not yet compliant with Win98 or
earlier.  Version 1.0 had some bugs which all seem to have
been resolved in this new release, version 2.  Regrettably,
no source code is available.

BestCrypt is Win95/98/NT/2000/XP and Linux compatible.  But
again the source code is only released for the algorithms,
not the Windows interface.

If the existence of the source code is important to you, I
suggest using PGP version 6.5.8ckt and Scramdisk with Win98.
The Win98 version of Scramdisk is the last one with freely
available source code. Officially Scramdisk has now been
superseded by DriveCrypt.  Unfortunately the source code for
DriveCrypt is undisclosed.   If you want Scramdisk it is
here:

http://www.samsimpson.com/scramdisk.php

3.  What is the difference between these encryption Programs?

PGP uses a system of encryption called public key
cryptography. Two different keys are used. One key is secret
and the other is made public.

Anybody sending you mail simply encrypts their message to
you with your public key. They can get this key either
directly from you or from a public key server.   It is
analogous to someone sending you a box and a self-locking
padlock for you to send them secret papers, when only they
have the key to open the box.

The public key is obviously not secret - in fact it should
be spread far and wide so that anybody can find it if they
wish to send you encrypted Email.  The easiest way to ensure
this is by submitting it to a public key server.

The only way to decrypt this incoming message is with your
secret key.  It is impossible to decrypt using the same key
as was used to encrypt the message, your public key.  Thus
it is called asymmetrical encryption.  It is a one way
system of encryption, requiring the corresponding (secret)
key to decrypt.   PGP is simplicity itself to install and
use.  It even offers to send your newly generated public key
to the key server.

For your normal hard drive encryption, you will need a
symmetrical type of encryption program.  This means the same
key is used for both encryption and decryption.  DCPP and
BestCrypt are of this type and especially good because they
are "On-The-Fly" (OTF) programs.  This means that the
program will only decrypt on an as needed basis into RAM
memory. More about this later in the FAQ.

One question often asked by newbies is whether the
passphrase is stored somewhere within the encrypted file.
No.  The passphrase is passed through a hash, such as SHA1.
A hash is a one-way function.  It is the hash output that is
stored within the encrypted container.  The program will
compare this hash with the hash it produces from your
passphrase that you type in to mount (open) the container.
If they are identical, the program will use your passphrase
to decrypt the key that the program generated to encrypt the
disk or container.  Only then will the disk or container be
decipherable.  It is impossible to derive this key unless
the correct passphrase is input.  There are no shortcuts.
Importantly, it is impossible to derive the passphrase from
the hash output because it is a one way action only.
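
Added example (not from the original FAQ, and not the actual
header format of DCPP or BestCrypt): a minimal Python model of
the scheme described above, in which the container stores a
check value and a passphrase-wrapped disk key, never the
passphrase.  It goes one step beyond the text by using a
salted, iterated hash (PBKDF2) in place of a single SHA1 pass;
the field names, iteration count and XOR wrapping are
assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; real products choose their own.
ITERATIONS = 100_000
SALT_LEN = 16
KEY_LEN = 32


def _derive(passphrase, salt):
    """Stretch the passphrase into a wrapping key and a separate check key."""
    dk = hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                             salt, ITERATIONS, dklen=2 * KEY_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def create_header(passphrase, volume_key=None):
    """Return (header, volume_key). The header is all that is stored on disk."""
    if volume_key is None:
        volume_key = os.urandom(KEY_LEN)   # random key that encrypts the data
    salt = os.urandom(SALT_LEN)            # fresh salt for every header
    wrap_key, check_key = _derive(passphrase, salt)
    # XOR with a one-off derived key stands in for a real key-wrap cipher.
    wrapped = _xor(volume_key, wrap_key)
    check = hmac.new(check_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped_key": wrapped, "check": check}, volume_key


def unlock(header, passphrase):
    """Return the volume key, or None when the passphrase is wrong."""
    wrap_key, check_key = _derive(passphrase, header["salt"])
    expected = hmac.new(check_key, header["salt"] + header["wrapped_key"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["check"]):
        return None                        # check value mismatch: nothing is unwrapped
    return _xor(header["wrapped_key"], wrap_key)


def change_passphrase(header, old, new):
    """Re-wrap the same volume key; the encrypted data itself is untouched."""
    volume_key = unlock(header, old)
    if volume_key is None:
        raise ValueError("wrong passphrase")
    new_header, _ = create_header(new, volume_key)
    return new_header


if __name__ == "__main__":
    # Constructed sample passphrase, for demonstration only.
    hdr, key = create_header("a constructed sample passphrase")
    print("right passphrase unlocks:",
          unlock(hdr, "a constructed sample passphrase") == key)
    print("wrong passphrase unlocks:", unlock(hdr, "guess") is not None)
```

Because only the wrapped key depends on the passphrase,
changing the passphrase rewrites the small header and leaves
the encrypted data as it is.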


4.  I have Windows, am I safe?

Definitely NOT.

In previous versions I have suggested work-arounds to help
minimize the inherent security weaknesses within the Windows
operating system.

I have now concluded this is a sheer waste of time.
Whatever you do, Windows will tell the world.   It keeps
records of so much of your activity it seems the only
solution is the complete encryption of your whole drive.
Even using so-called washing programs, little is to be
gained. If security is important to you, there is only one
solution: encrypt your whole drive.

This is so important, I will repeat it:   If security is
important to you, there is only one solution: encrypt your
whole drive.

A program I recommend to test this out for yourself is
WinHex. It reads your drive and shows both the hexadecimal
and the text equivalent of each sector.  It makes
fascinating reading. You will see snippets of long deleted
or the ends of overwritten files, perhaps from the Windows
swapfile. Hints of text that will ensure any snooper could
accurately deduce your computer habits.  In fact the program
is so successful at this, it is also sold as a forensic tool
for disk analysis.  If you wish to write to disk and use it
for forensic analysis both full and specialist licenses are
required.  The evaluation version is good enough to prove
the necessity of encryption - if you need any persuading.

WinHex is available here:
http://www.winhex.com/winhex/order.html.

If you have Windows Media Player, go to View -> Options ->
Player and uncheck "Allow Internet sites to uniquely
identify Your player".  It appears that Microsoft have done it
again.  The default is for this box to be checked.  Any Web
site could theoretically get your id from within your
Windows registry with this checked.  MS claim it is to help
identify users when they download copyrighted music.  But
anybody could be using this crack for their own purposes, so
protect yourself by unchecking it.

5.  Which program do you recommend for this whole drive
encryption?

DriveCrypt Plus Pack (DCPP).  It is truly simple to install
and use.   One thing to watch, however, is that you ensure
that energy saving is disabled on your computer,
particularly whilst encrypting/decrypting.  I had a major
crash which trashed my hard drive completely and only
happened after I had enabled it.  This allowed the drives
to run down after 30 minutes.  It may be a coincidence, but
since returning to "always on", there have been no further
problems despite many hours of encrypting and decrypting of
several large drives.  It encrypts the whole partition.  So
if you want to keep part of your drive in plaintext you will
need to divide your hard drive into independent partitions
or have two separate hard drives. Unlike its namesake
DriveCrypt, it does not destroy the data within the
partition it encrypts.  This is obviously necessary as its
main advantage is to encrypt your C drive.

All your computer activities will be totally secure as
everything you do is from within an encrypted drive.  You
can choose which partition you wish to encrypt, you can also
choose which key to use.  On setting up DCPP you have the
option of creating a keyfile and of then generating any
number of keys to use.   It is very flexible.  The encrypted
drive need not necessarily be your bootable drive, although
this is obviously the main intention of the program.

In fact this is essential if you wish to tame Windows from
shouting to the world your computer habits.

If you live outside the United States and in a country which
does not have the equivalent of the 5th Amendment, you will
need to use a little subtlety to ensure your security.  More
on this later in the FAQ.

It is important to remember that DCPP is an OTF type of
program. The drive will remain encrypted at all times.  Any
necessary decryption is done into RAM memory only.  Thus a
crash close will not leave any evidence of your activities.
Likewise, there is now no need to worry about the swap file
or all the other weaknesses of the Windows operating system.

A further major advantage over previously recommended
encryption programs is that the passphrase is input at BIOS
level, before Windows is loaded.

The importance of this is difficult to over-emphasize.

This means it is impossible for any software key-logging
program that may be on your computer to detect your
passphrase.  Such programs are sometimes picked up on the
Net or arrive via Email and could circumvent all your
efforts at security.  I am sure someone will mention that
there are hardware password logging devices which of course
could grab your passphrase when you start up.  However,
common sense local site security should minimize this risk.
Despite this slight risk, a BIOS level passphrase is just
about the Holy Grail of security - very difficult to
intercept and snoop.  DCPP goes even further by very
deliberately operating at a reduced speed at the passphrase
prompt to ensure it is very time consuming for someone to
try and test for your passphrase.  In fact it gets worse for
a would-be snooper: they only get three attempts at
inputting the passphrase and the system stops, requiring a
restart to get back to the passphrase prompt screen.  An
excellent design indeed!

DCPP is authored by a very well respected crypto expert who
also authored Scramdisk.  He has an intuitive knowledge of
what privacy is all about.

6.  Are there other OTF programs?

Yes, there are several. I recommend DCPP only because I have
had some personal experience with it.  Another similar
program you may wish to investigate is SafeBoot Solo.  I
have had no experience with it and so can only recommend
DriveCrypt.  But try it for yourself.  Both allow BIOS input
of the passphrase with the consequential advantage of whole
drive security. SafeBoot Solo has the significant advantage
of being a whole lot cheaper than DCPP.  I was fortunate in
buying version 1.0 at a very special price and was offered
the updated version 2.0 for free.

Others, such as ScramDisk and BestCrypt only encrypt data
files, not the Windows operating system.  Scramdisk does
allow you to input the passphrase via its Red Screen mode
which is far superior to the BestCrypt one. BestCrypt only
allows you to use some keyboard filtering, the nature of
which is not specified.  However, BestCrypt has the unique
advantage of allowing you to generate a hidden container
inside the normal encrypted one.  This might be very
important to someone who needs good plausible deniability.

SafeBoot Solo may be less friendly as far as plausible
deniability is concerned, judging from the info at their
site.  I may be misjudging it, but it appears that the
encrypted disk can be recovered using a Repair Kit floppy.

Of these programs, however, only Scramdisk has published the
source code. Regrettably for commercial reasons none of the
others are truly open and transparent.   If you insist on
sighting the source code then I suggest you use the 3.01r2
version of Scramdisk together with Windows 98.

Personally, and I emphasize this is my opinion only, I trust
the author of DCPP not to have put any back doors into his
program and therefore enjoy the benefit of inputting my
passphrase at BIOS level.  But please do not blame me if I
am mistaken!

7.  How difficult is it to break one of these programs?

Very difficult, in fact for all practical purposes, it is
considered impossible.  In most cases, the weakest link will
be your passphrase.

Always make it long.  Remember, every extra character you
enter makes a dictionary search for the right phrase twice
as long.  The present version of DCPP ultimately limits your
key length to 160 bits. This is extremely strong indeed.
The sun will burn out into a white dwarf long before any
snooper has cracked that length of key.

Each keyboard character roughly equates to 8 bits, and is
represented on the drive as two hexadecimal characters.
This suggests a 20 character passphrase is equal strength to
the encryption. In practice, probably not. Few people can
remember a truly random 20 character passphrase.  So most
people use a less than random one. This means it should be
longer to help compensate for this lack of randomness.
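
Added example (not part of the original FAQ): the arithmetic
behind the paragraph above, worked in Python for several ways
of choosing a passphrase.  It assumes every symbol is picked
uniformly at random; the alphabet sizes are assumptions for
illustration, and the 256-symbol row reproduces the FAQ's
figure of 8 bits per character.

```python
import math

TARGET_BITS = 160  # key length the FAQ quotes for DCPP

# Assumed ways of choosing each symbol (label -> number of choices).
ALPHABETS = {
    "8 bits per character (the FAQ's figure)": 256,
    "printable ASCII characters": 95,
    "letters and digits": 62,
    "lowercase letters": 26,
    "digits": 10,
    "words from a 7776-word list": 7776,
}


def passphrase_bits(length, alphabet_size):
    """Bits of search space for `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def symbols_needed(alphabet_size, target_bits=TARGET_BITS):
    """Smallest length whose search space reaches 2**target_bits.

    Uses exact integer arithmetic, so there is no rounding at the boundary.
    """
    length, space = 0, 1
    while space < 2 ** target_bits:
        space *= alphabet_size
        length += 1
    return length


def strength_table(sample_length=20):
    """Rows of (label, bits per symbol, bits in sample_length symbols,
    symbols needed to reach TARGET_BITS)."""
    rows = []
    for label, size in ALPHABETS.items():
        rows.append((label,
                     round(math.log2(size), 2),
                     round(passphrase_bits(sample_length, size), 1),
                     symbols_needed(size)))
    return rows


if __name__ == "__main__":
    for label, per_symbol, bits20, needed in strength_table():
        print(f"{label:42s} {per_symbol:5.2f} bits/symbol  "
              f"20 symbols = {bits20:5.1f} bits  "
              f"need {needed} for {TARGET_BITS} bits")
```

A passphrase a person makes up rather than generates at random
falls below these figures, which is the reason given above for
making it longer.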

You should also use at least part of both lines of the
passphrase input screen with DCPP.

8.  Why?

Because any passphrase cracker cannot find the correct key
until it has exhausted a key search as wide as the last
character you enter. A strong hint that you should make sure
the last character of your passphrase is well along the
bottom line!  For higher security you should spread it
around on both lines.

This is a distinct security improvement over the usual
straight line entry that is typical of other programs,
including BestCrypt.

Be sure that if any serious snooper wants to view your
secret data, they will find a way without wasting their time
attempting a brute force attack upon your DCPP container.
In some countries rubber hose cryptography may be the rule.
Anybody living in such a country needs level 2 security at
the very least.  In some "civilized" countries there are
more sinister methods, such as tempest or the use of a
trojan which require level 3 security (see later in FAQ).

Fortunately, tempest and trojan attacks are far less likely
to succeed against DCPP than all the other programs.  Hence
my strong and enthusiastic support for this program.

Note:  Various hacks of DCPP (and probably likewise
SafeBoot, I presume) have been published on Usenet.   Such
wonderful free offers may seem excellent value in comparison
to paying huge sums of money to the program makers of DCPP
and SafeBoot. But consider, how can you possibly be sure
they have not been tampered with?  What if the snoops are
behind some of these rip-off hacks?   What a great way to
catch the naive and gullible user who thought he was getting
a freebie bargain.

Of course I might be wrong about this, but nobody will ever
know until it is put to the test, and then it might be too
late.  If your freedom depends on security, don't take
shortcuts that might lead you to lose it.

9.  What about simple file by file encryption?

I like Kremlin.  I have set it up to run in the background.
It allows you to shred files as well as encrypt/decrypt.  It
can be set via the options menu to overwrite existing
decrypted files by default, or to wipe the plaintext file
after it is encrypted.  Very easy to use.

Kremlin is here:  http://www.kremlinencrypt.com/

You could also use the Windows version of PGP.  It comes
with PGP Tools, which will allow you to encrypt any file on
your computer.  Of course this is unnecessary for all files
within your DCPP drive.  But you may need it for files
outside this drive.  Only do this on the assumption of a
level 1 security.  I suspect the International version
offered by Kremlin is a crippled version to get around the
export restrictions of strong cryptography.

10.  How can I encrypt files on a floppy?

Use either Kremlin or PGP Tools.  PGP Tools comes with PGP
and will encrypt any floppy.  But ensure you wipe the
original file before closing.

11.  Does using Encryption slow things up?

Negligibly on any modern computer. However on my system DCPP
is slower than BestCrypt, perhaps because BestCrypt is only
affecting data, whereas DCPP affects both the operating
system and the data.


12.  Do I need a PGP passphrase if I store my keyrings
within my encrypted drive?

It is good security practice to use a passphrase, but for
level 3 security it is essential because level 3 security is
intended to ensure your secret data are safe if attempts are
made to hack into your computer whilst online.   Although
DCPP is an OTF program I am old fashioned as well as
paranoid, so I strongly advise using a passphrase for your
PGP keyring.


13.  I use Mac, OS2, Linux, (fill in your choice), what about me?

Use either BestCrypt, or PGPDisk.

PGPDisk is here:  http://www.nai.com/default_pgp.asp

There may well be others, but I know nothing about them.



14.  How can I ensure I do not leave traces of unwanted plaintext?

One vital point that must be adhered to at all costs is to
disable the Windows hibernation (power saving) feature.
Windows will dump everything that is in RAM memory onto the
boot drive by-passing the DCPP drivers. Because it by-passes
the DCPP drivers, it means it writes in plaintext everything
including the keyfile data which unlocks your most secret
partition!

So whatever else you do, disable the power saving features!

In the past I suggested either Evidence Eliminator (what a
compromising name!) or Windows Washer to help clean out
extraneous information.  With DCPP this sort of program is
less necessary against a snooper than for protecting
yourself whilst surfing the Net.  Such a program will ensure
your cookie files are cleaned up and get rid of bloat off
your drive.

I suggest that to minimize drawing attention to yourself
that Windows Washer is a more acceptable program name to be
found on your system rather than Evidence Eliminator,
assuming you choose to install it also onto your plaintext
drive.  Further, Evidence Eliminator spend far too much of
their time spamming Usenet to enhance their sales.  I
dislike such action and if for no other reason, refuse now to use
the program.

Windows Washer is here:  http://www.webroot.com

15.  What programs do I put in my newly Encrypted Drive?

In previous versions of this FAQ I was wary that some
programs might write critical info to your C drive.
However, this is far less of a security risk with it being
encrypted.  Nevertheless, for what it's worth, here are my
choices for these programs:


(A)  Agent (or FreeAgent) for the newsreader.

Agent is here: http://www.forteinc.com


(B)  For your Email I have 3 different recommendations:

i.   Agent, as mentioned above

ii.   Quicksilver, available here: http://quicksilver.skuz.net/

iii.   JBN2, here:
https://members.tripod.com/~l4795/jbn/index.html


Agent is simple and very easy to use.  It can be used in
conjunction with a remote host server for posting
anonymously (see later in FAQ). The latest version also
supports reading of yEnc coded files.

Quicksilver is recommended for secure Email and Usenet
posting. It now also supports Nym creation.  It is an
excellent program for both anonymous Email and posting
anonymously to Usenet. It is still in beta testing mode.
Most importantly, Quicksilver is very easy to learn to use.
It uses the Mixmaster remailers for posting.  These are
considered far more secure than the earlier Cypherpunk
remailers.  Quicksilver comes with Mixmaster and will
install Mixmaster on first use, if required.  However, it
will only automatically decrypt messages that are received
via its Inbox addressed to one of your Nyms that were
created using Quicksilver.   It seems it is impossible to
decrypt by pasting a message into its Inbox, received via
another program.

JBN is very thorough, but much more complicated than
Quicksilver.  This might be the choice of the hardened
enthusiast.  Because of this, it also requires the most
maintenance to keep abreast of the ever changing remailers.
Quicksilver will normally choose the remailers for you which
does make things far easier, as the choice is done
automatically for each uploading session.  It is also very
easy to keep abreast of these remailers which are always
changing.  You simply click on Update and it does it for
you.  Painless.

All three of these programs will also work with PGP.   Agent
will require you to copy and paste, but the other two have
built-in support and work seamlessly with PGP.  I
particularly commend Quicksilver for its intuitive ease of
use.  This makes NYM maintenance much simpler.


(C)  For browsing use whatever you choose.

I used to warn against using MS Explorer, but now the beast
has been tamed by encrypting your C drive.  For extra
safety, disable ActiveX.


(D)  Use ACDSee as your viewer.  If you use the cache
facility, make certain that you set it up within your
encrypted drive. Fortunately it should do this by default.
This allows easy previewing of thumbnails and click and
zoom to examine image quality.  I prefer the earlier version
2.4. Less bloat.

ACDSee is here:  http://go.acdnet.com

Two alternatives are:

Thumbs Plus, at http://www.cerious.com and VuePro, at:
http://www.hamrick.com

Each of these 3 programs has some advantage over the others.
Choose whichever best suits your needs.


(E)  Many files are compressed.  I recommend obtaining a
copy of WinZip from here:  http://www.winzip.com

Or do a search for PKzip which is freeware.


(F)  Any person who browses the Net should ensure they have
a good virus detector.  There are many to choose from, some
are freeware, others are shareware or commercial ware.  I
now use AVG, which is free for non-commercial use.  It
allows updates via the Net and is especially easy to use.

Get AVG here:   www.grisoft.com


(G)  Get a firewall.  I recommend ZoneAlarm.

Get it here:  http://www.zonelabs.com/store/content/home.jsp

Note:  Just because your drive is encrypted does not relieve
you of the necessity of protecting yourself whilst online.
So take care to cover your tracks.

16.  How do I do this?

Never surf naked.  Always, always use a proxy.  If you are
not sure how to go about this, an easy answer is to use The
Anonymizer.

The Anonymizer is here:   www.anonymizer.com

Well worth a visit.  You can choose either to use the
freebie version or pay for something a little faster and
more secure.

If you prefer to do it the hard way, try this link:

http://www.samair.ru/proxy/

They have a listing of active proxies.  But you will need to
set it up yourself. I find them too much bother and use the
Anonymizer because it suits my needs.


All of the above is sufficient for a level 1 security.


Level 2.   This is for those who not only wish to hide their
private data, but wish to hide the fact that they have such
data or can offer an incontestable reason for their
inability to disclose the contents of such files.  This
means plausible deniability.


17.  What more must I do to achieve level 2 Security?

For level 2, it is essential that you can show plausible
deniability for all files that might contain encrypted data.
The purpose is to be able to justify every file on your
system.


18.  How do I achieve this higher level of security?

In a previous version of this FAQ, I mistakenly gave some
misleading info at this point.  My sincere apologies.  In an
effort to help with future plausible deniability, I was
trying to hint at the method in place of explaining it in
detail, but regrettably this caused some to completely
misunderstand the method. So what follows is, I trust, rather
more straightforward.

First of all, you cannot hide the fact that you have an
encrypted drive. I have seen many posts from people claiming
all sorts of elaborate ruses to hide their DCPP drive using
a combination of different operating systems, etc.   It
won't work.   Any competent snoop can easily prove you have
encryption on your computer. The trick is to be able to show
that this drive cannot be decrypted because the key has been
destroyed. With DCPP, a key is generated by the program
before you can encrypt a drive. The key ID is displayed in
the keyring when the program is run.  Normally a passphrase
is required to open the program, but in some countries
simply refusing to open the program is itself an offence.
Claiming you have "forgotten" the passphrase may not be
sufficient to save you.  However, if it can be shown that
the key needed to decrypt an encrypted drive is deleted or
missing, then it becomes much more difficult to prove you
are not complying with the Law.

Note:  An assumption is being made here that the presence of
encryption is not in itself an offence. If it is, then you
must use Scramdisk in Traveller mode.  This implies running
Scramdisk from a floppy. To understand how to do this,
please read the Scramdisk documentation that comes with the
program.

Assuming encryption is legal (which is the case in most civilised
countries) then you will need to be able to dual boot your
computer.

This means having two entirely separate operating systems.
They need not be different types. You can choose to use, for
example, two separate Windows XP systems.  Each would have
to be on different partitions on your hard drive.  Or you
could have two separate hard drives and use the first
partition on each.  Whichever route you choose, the
operating systems must be set up by Windows to be dual
bootable.  It took me about 10 minutes of studying the
Windows 2000 Pro manual to understand how to install a dual
boot Win 2000 Pro.

When you have it set up correctly, you will be offered a
choice of Windows operating systems on boot.
                                                         
19.  OK, I have dual boot, now what?

Install DCPP onto both drives.  You should use the first
partition (the default) as your normal plaintext drive. The
second drive is the one you will need to encrypt with DCPP.
However, it is useful to have previously installed DCPP onto
the plaintext drive as part of the ploy to enable plausible
deniability - see further on.

If you choose to encrypt both drives, it is essential to use
different keys.

Before any encryption can be accomplished, it is mandatory
that you check that DCPP is supported by your operating
system.  To do this you must first install Boot Authenticity
from the relevant screen in the DCPP window. This is not the
same thing as encrypting the drive.  You could choose to use
Boot Authenticity alone as a very strong boot sequence
protection for your computer.  But this would be using only
half of DCPP's capabilities. It would not by itself protect
your data as there would be other means to access the drive
by forensics.

Immediately after installing Boot Authenticity and before
you re-boot you must create an Emergency Repair (ER) disk
as recommended by the program. This is to ensure that if it
all turns sour and your computer cannot boot, you can
restore your boot table back to its original state. Test
your system boots from both the normal hard drive startup
and with the boot floppy (ER) disk.

Assuming everything works, you can now encrypt your chosen drive.

It is absolutely essential that the key used to encrypt your
drive is a unique key, not being used by your system for any
other drive. I strongly recommend that you create a unique
keyring just for this one key to ensure it is not misplaced
or confused with any other key on your system.  Give this
keyring a unique name, e.g. Secret or Hidden.

Test that everything works as it should by booting into both
drives, also test that you are able to boot using the ER
disk - very important this.

In view of what follows, it might be a good idea to hide
this special keyring within a BMP or WAV file within your
plaintext drive. If you do this, I would ensure that it is
hidden within a file that you have created yourself.  It is
very important that should anyone investigate, they are
unable to show the chosen file is in any way different from
an original. If you create, for example, your own WAV file
recording and use it to hide this key, then nobody can prove
it is anything other than a normal WAV file.  One thing to
note, if the WAV (or BMP) file is very large, DCPP will take
far longer to retrieve the key.

Now comes the tricky bit.  Firstly, boot into your encrypted
drive and locate the file named "Backup" that is within your
DriveCrypt folder.  This is normally to be found within
"Program Files", unless you chose to install it into a
different folder.  Copy "Backup" to the same folder in your
plaintext drive.  You then re-boot into your normal
plaintext drive, which will now, of course, be the boot
drive.  Naturally, you will have had to enter your BIOS
passphrase to boot up.  Because your encrypted drive is not
now the boot drive, DCPP will allow you to remove Boot
Authenticity off your computer.  DCPP needs the file
"Backup" to do this, thus the reason for copying it across.

But most importantly, do NOT now update your ER disk,
despite the prompt from DCPP to do just that. This is
essential to what follows!

Next time you boot, no passphrase will be required and you
will be shown the two drives, but only one will be bootable.
If you perversely attempt to boot into your encrypted drive,
Windows will tell you it cannot load the OS.   At first
sight this might appear that you have lost all your data!

To access your encrypted drive, you must use the ER disk.
What is considered by DCPP as a last resort access to your
computer instead now becomes your secret key to accessing
your encrypted drive.

It is imperative that the key you have used be invisible
from within your plaintext drive.  If it is visible, DCPP
will display the key ID of your encrypted drive and the
snoops will be able to persuade you that as the key is
present, no excuses about forgotten passphrases will wash.

However, no key will pose a problem for them. No key means
decryption is impossible.

When booting with the ER disk, naturally if the wrong
passphrase is used you cannot boot.  With the right
passphrase you are offered the choice of both drives and can
boot into either drive.  Make certain you make a backup of
this ER disk and store off-site.  This way, if you are
unlucky and the boot floppy dies on you, you still have
access.   If you were rather foolish and did not bother
making a backup you can always create another by booting
into the normal drive and opening the container (using DCPP)
hosting the key that you have hidden within a WAV/BMP file.
If this should happen, create a new ER disk. You will need
to firstly re-install boot authenticity (using your secret
key), then create a new ER disk. I would then re-boot into
the encrypted drive and change the master passwords and of
course, create a new ER disk.  After testing, remove boot
authenticity off your drive as already described.

I have to repeat that it is essential that your keyring, as
displayed when booting into your normal drive does not
display the encrypted drive's key.
                                     
This cannot be over-emphasized.

20.  Why?

If a key is available DCPP will reveal the key fingerprint
of that drive. If no key is available then it is axiomatic
that it will be impossible to decrypt that drive.  This is
absolutely true.  The ER disk only allows OTF decryption for
each session.

True, some bright spark may try testing each of your disks
to check if any are ER disks, fine, just make certain you
have several available!

The more you have, all generated for experimental purposes
of course, the more difficult to isolate the correct one, if
one exists at all. It is impossible to prove that any one of
those disks is the correct one to allow booting into that
encrypted drive. The only way would be by correctly guessing
your passphrase.  No information resides on the ER disk to
help identify its purpose.  Even WinHex cannot read it.
Windows tells you it is unformatted.  The reason for this is
because the raw data on the disk is not in any recognized
file format.

In some countries, the United Kingdom is one such, LEA can
force you to reveal the contents of any encrypted drive on
pain of up to two years in prison.  No 5th Amendment there!
Worse, far worse, you cannot tell the world of your plight
on pain of five years in prison.  So in the case of
authoritarian interference with your right to privacy you
have no hope of exposing them to the critical gaze of
world-wide publicity.  The most worrying part is that this
was passed through the British Parliamentary system with
barely a whisper of protest from the Opposition.  A future
despotic Government may well use such laws for their own
ends. If so, I just hope that it is used on the present
members of Her Majesty's Government first, so they learn at
first hand what a draconian law they have passed.

This is about the same level of human rights as is exercised
by the government of Zimbabwe!

If no matching key can be identified on your keyring and the
passphrase you supply cannot open the encrypted drive, but
does show some other encrypted drive to prove it is a
genuine passphrase, then they now have to prove you are
lying.   With full cooperation from you regarding the other
drive(s), they certainly cannot claim you are being
obdurate.

Your defence is you encrypted the drive as an experiment and
stupidly deleted the key.  You are still learning how to use
the program, so mistakes will be made.   Never mind, you
intend re-formatting the drive when you eventually get
around to it.   Windows will offer to do this if you click
on it from within the "My Computer" screen.

By using a benign floppy, perhaps one that looks as if it
has seen better days, it will be far less obviously a
target.

With the key destroyed I am sure SecureStar, the owners of
DCPP, will be happy to confirm that it is impossible to
decrypt the data.

Note:  This is general information only.  Some users might
prefer to try other, perhaps even more ingenious ways to get
around this problem.  I am deliberately leaving the
alternatives unspoken.  Each may choose the system that best
suits their security needs.

If you feel this is not sufficient as a form of plausible
deniability for your circumstances, then I can only suggest
you use the hidden container feature of BestCrypt.  Whereas
this is an excellent form of plausible deniability, without
DCPP it does mean you are at the mercy of the Windows
operating system.   Perhaps if you used Linux and BestCrypt
you may be safer.

21.  What if encryption is illegal in my country?

In that case, I suggest using the stego feature of either
DriveCrypt or Scramdisk.  But ensure you create your own WAV
file, by making your own recording.  Once the stego
encrypted file is created within the WAV file, make sure to
wipe the original recording to prevent forensic analysis
showing their low level data are not identical.  Of course,
you will need to install DriveCrypt or Scramdisk in
traveller mode.  This means running it off a floppy.   But
you will still need to hide the floppy effectively in the
case of a search.  I am sorry I cannot help you here.  It
must be down to your own initiative.

Note the difference between this scenario and the previous
one using a boot floppy.  The DriveCrypt/Scramdisk floppy
will plainly display the program, thus incriminating you.
Where encryption is legal, an ER disk does not incriminate
you, thus there is less of a need to try and hide it away.


22.  Are there any other precautions I should take?

Make copies of all your PGP keys, a text file of all your
passwords and program registration codes, copies of INI
files for critical programs, secret Bank Account numbers and
anything else that is so critical your life would be
inconvenienced if it were lost.  These individual files
should all be stored in a folder called "Safe" on your
encrypted drive.

One very important point to remember is to ensure you do not
keep a copy of this FAQ in plaintext.  If you are going to
rely on any variation of the ploys suggested earlier, the
less ammunition you offer the better.

This must mean keeping this FAQ within your secret drive.

The above is sufficient for Level 2 security.


23.  I need Level 3 Security, how do I achieve this?

This is for those who wish to protect themselves from
hackers whilst online and snoopers who may try and
compromise either their software or add substitute software
that could reveal their secret passphrases.


24.  What are these threats?

They are known as Tempest and Trojan attacks.


25.  What is a Tempest attack?

Tempest is an acronym for Transient ElectroMagnetic Pulse
Emanation Surveillance.  This is the science of monitoring
at a distance electronic signals carried on wires or
displayed on a monitor.  Although of only slight
significance to the average user, it is of enormous
importance to serious cryptography snoopers.  To minimize a
tempest attack you should screen all the cables between your
computer and your accessories, particularly your monitor.  A
non CRT monitor screen such as those used by laptops offers
a considerable reduction in radiated emissions and is
recommended.


26.  I have decided to use DCPP, am I at risk?

Far less than if you were using any other program.  But do
not use the same passphrase to open any other encrypted
partitions after you have loaded Windows.   Keep your boot
passphrase totally unique and you will be far safer than if
using any other program.


27.  What about BestCrypt?

It does not offer the same facility, but it does offer some
protection. On the Menu bar, click on Key Generators ->
SHA-1.. and ensure "Use Keyboard Filter" is checked.

Two unique advantages of BestCrypt are it allows hidden
containers to be created and it can optionally encrypt the
Windows swapfile. Both options are easy to implement and
truly effective.


28.  What is a Trojan?

A trojan (from the Greek Trojan Horse), is a hidden program
that monitors your key-strokes and then either copies them
to a secret folder for later recovery or ftp's them to a
server when you next go online. This may be done without
your knowledge.  Such a trojan may be secretly placed on
your computer or picked up on your travels on the Net.  It
might be sent by someone hacking into your computer whilst
you are online.

The United States Government has openly admitted it will be
employing such techniques. They call it Magic Lantern.  It
was originally promulgated as a counter-terrorism weapon.
But who knows how it will be used in practice.

In view of these changed tactics, it is mandatory that these
possible attacks be countered.   Thus my insistence that
only DCPP can give the level of security to ensure you enjoy
some peace of mind.

Nevertheless, whilst your encrypted drive is mounted you
should take precautions against a trojan copying any data
and sending it out to some unknown site.

29.  How do I do this?

First of all you must have a truly effective firewall.  It
is not sufficient for a firewall simply to monitor
downloaded data; it must also monitor all attempts by
programs within your computer to send data out.  The only
firewall that I know of that ensures total protection
against such attacks is ZoneAlarm.  This firewall very
cleverly makes an encrypted hash of each program to ensure
that a re-named or modified version of a previously
acceptable program cannot squeeze through and "phone home".

ZoneAlarm is here:  www.zonelabs.com/zonealarmnews.htm

To understand how important this is, visit Steve Gibson's site.

Steve's site:  http://grc.com/

Go to the "Test my Shields" and "Probe my Ports" pages.

You can test ZoneAlarm for yourself.  I strongly urge all
users concerned with their privacy to run this test.

Steve's site is also a mine of other useful information and
well worth a visit.


30.  How will I know when a trojan has modified an acceptable
program?

ZoneAlarm will pop up a screen asking if this program is
allowed to access the Net.  If it is one of your regular
programs, be very wary and always initially say NO until you
can check why this program is not now acceptable to
ZoneAlarm.  If it is a strange program, then obviously say
NO and investigate.
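
The idea in answers 29 and 30, approving a program by its
hash so that a modified or re-named copy triggers a prompt,
is shown below as an added example.  It is not ZoneAlarm's
own code; the class, the verdict names and the sample files
are assumptions made up for the illustration.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large programs are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class OutboundPolicy:
    """Hypothetical allow-list: a program may send data out only while both its
    location and its content hash are the ones recorded when it was approved."""

    def __init__(self):
        self.approved = {}  # real path -> digest recorded at approval time

    def approve(self, path):
        self.approved[os.path.realpath(path)] = file_digest(path)

    def decide(self, path):
        real = os.path.realpath(path)
        digest = file_digest(path)
        recorded = self.approved.get(real)
        if recorded == digest:
            return "allow"
        if recorded is not None:
            # Same file name as an approved program, different bytes.
            return "ask-modified"
        if digest in self.approved.values():
            # Approved bytes, but running under another name or folder.
            return "ask-renamed"
        return "ask-unknown"


def write_file(path, data):
    with open(path, "wb") as handle:
        handle.write(data)


def run_firewall_demo():
    """Walk one approved program through the cases answer 30 describes."""
    policy = OutboundPolicy()
    verdicts = []
    with tempfile.TemporaryDirectory() as folder:
        agent = os.path.join(folder, "agent.exe")
        renamed = os.path.join(folder, "update.exe")
        stranger = os.path.join(folder, "stranger.exe")
        # Constructed sample content, not a real executable.
        original = b"constructed newsreader image\n" * 64

        write_file(agent, original)
        policy.approve(agent)
        verdicts.append(policy.decide(agent))      # untouched program

        write_file(renamed, original)
        verdicts.append(policy.decide(renamed))    # same bytes, new name

        write_file(agent, original + b"appended code")
        verdicts.append(policy.decide(agent))      # same name, changed bytes

        write_file(stranger, b"never seen before")
        verdicts.append(policy.decide(stranger))   # no record at all
    return verdicts


if __name__ == "__main__":
    for verdict in run_firewall_demo():
        print(verdict)
```

Every verdict other than "allow" corresponds to the pop-up
described above: the safe answer is NO until you know why
the program no longer matches its approved record.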

31.  How important is the passphrase?

Critically important.  It is almost certainly the weakest
link in the encryption chain with most home/amateur users.
I provide links at the end of the FAQ, some of these should
either help directly or give further links about how to
create an effective passphrase.

For the newbies: never choose a single word, no matter how
unusual you think it is.  A passphrase must be that, a
phrase, a series of words, characters and punctuation
intermixed.  One method that I believe would help is to
deliberately mis-spell common words in a phrase. Scruggle in
place of struggle, matrificent in place of magnificent.
These could be the start of a longer phrase.  Taking this a
step further, invent words that are pronounceable but
totally meaningless for example, alamissis or grafexion.  I
recommend a minimum of eight words, but do not use either of
those two.


32.  How can I prevent someone using my computer when I am away?

In the past I had no truly effective answer, but if you are
using DCPP, you have nothing to fear.  Nobody accessing your
computer will have any access to your encrypted drive in
your absence.  Even the presence of an ER disk is no help to
them without the passphrase.

However, if you are truly paranoid (and who isn't?) I would
guard against someone adding a keyboard hardware key logger.
These can be very small and easily disguised as an RF trap
on the keyboard lead. Obviously, this is far more likely if
your computer is also used by others or can be accessed by
others in your absence.

The most likely scenario for this to happen would be if your
computer was impounded for forensic examination and later
returned to you apparently unharmed.   In such circumstances
I would definitely not input any passphrase at all until a
very thorough check has been undertaken.  In fact I would
never use it again!  I advise buying a new machine and
transferring the drive across.  Of course to access this drive
you will need the appropriate boot disk.  This suggests it
would be wise to keep one copy off site.

33.  Anything else?

Use a Bios password.   Although it can be bypassed by
resetting the Bios, the fact it has been reset should be
obvious: either there is no call for the Bios password on
boot, or the password is different and you cannot then
start up.  Also, ensure you have set a Windows startup
password and a screen-saver password.  Make a short cut on
your desk top to the screen saver, then open its properties
box and put in a single key shortcut, example F10.

This ensures you have the option of a single keystroke
blanking of your screen in an emergency.


Part 2 of 2.

This second part concentrates on security whilst online.

There are countless reasons why someone may need the
reassurance of anonymity.  The most obvious is as a
protection against an over-bearing Government.  Many people
reside in countries where human rights are dubious and they
need anonymity to raise public awareness and publish these
abuses to the world at large.   This part 2 is for those
people and for the many others who can help by creating
smoke.



34.  I subscribe to various news groups and receive Email
that I want to keep private, am I safe?

Whilst you are online anyone could be monitoring your
account. If you live in the British Isles be aware that all
ISP's are required to keep logs of your online activities,
including which Web sites you visit.

Shortly this will be reinforced by MI5 who will be
monitoring all Net activity 24 hours a day!  The information
will be archived eventually for up to seven years!   All
Email headers will likewise be stored for the same length of
time.



35.  Can anything be done to prevent my ISP (or the
authorities) doing this?

There are several things you can do.  First of all subscribe
anonymously to an independent News Provider - more about how
to achieve this later in the FAQ.  Avoid using the default
news provided by your ISP.  Apart from usually only
containing a small fraction of all the newsgroups and
articles that are posted daily, your ISP is probably logging
all the groups you subscribe to.  You also need to protect
yourself from snoopers whilst online.  Both of these aims
can be realized by encrypting the data-stream between your
desktop and a remote host server.

This host should preferably be sited in a different State or
country to your own.



36.  I live in the United States why do I need to bother?

You don't need to.  But your privacy and security are
enhanced if you do, particularly if you wish to ensure best
possible privacy of posting to Usenet.   Also, it is quite
likely that many routes around the globe, even across the
States may be routed through London.  The Web is literally
just that, a web.  Thus American Email, news postings, etc
are just as liable to be read by MI5 and who knows what they
will do with this information.

Do not underestimate the British MI5/6. They are spending 2
billion Dollars (plus cost over-runs) on re-building GCHQ at
Chelmsford in anticipation of all this increased snooping.
An additional concern must be the United States' stated
intention to snoop using whatever means they can. Put any
interpretation on this you please, but it all adds up to a
reduction in Net privacy for all.



37.  Ok, you've convinced me, how do I go about this?

You must use the SSH encryption protocol.  SSH is a form of
encryption that ensures that everything that leaves your
desktop is encrypted. To do this you will need to subscribe
to at least one, but preferably two remote servers.  To be
truly effective the administrators of these servers must be
prepared to periodically review their security policies and
specifically to replace their RSA/DSA keys.  Sadly, this has
not been done in the past with those that I have mentioned
in previous versions of this FAQ. However, I have now
stumbled upon one whose administrator has promised
faithfully to replace his keys on a monthly basis.  This is
vastly better than trusting to luck that nobody has hacked
into their site.

In previous versions of this FAQ I have suggested using
Cyberpass.net, but I am very concerned that they have
ignored repeated requests from me regarding their security
standards.  They have only once in the past 6 years changed
their DSA key.  If they have ever been served with a writ to
hand over that key, or had their site hacked (which I do
know has happened at least once) then all subsequent traffic
through them becomes transparent if monitored.  Their
refusal to answer my requests on whether this has ever
happened alarms me to such an extent that I cannot recommend
them any more.

You have been warned!

After searching, I have found what may be the answer,
Privacy.Li, who are based in the Principality of
Liechtenstein.  Liechtenstein is a European country best
known for its secrecy surrounding its banking facilities.
This suggests it might be very useful for routing anonymous
connections to the Internet.  Better yet, Privacy.Li accept
anonymous payments in either E-Gold or DMT/ALTA.  Both of
these are truly anonymous Internet banking systems.  I
advise investigating both and choose whichever best suits
your needs.  DMT/ALTA uses very secure encryption protocols
to ensure secrecy of both your account and your
transactions.

Privacy is here:   http://privacy.li/

E-Gold is here: http://www.e-gold.com/

DMT/ALTA is here: https://196.40.46.24/ or https://213.132.35.90/
(they change ip's frequently)

Privacy.Li offer far more than is openly displayed on their
Website.  They offer an SSH encrypted connection with port
forwarding through either of their own servers.  One server
is in The Netherlands and the other is in Hong Kong.  Both
well outside the control of either the American or British
snoops.  The cost of connection is very reasonable, around
100 Euros/US Dollars per year per server.  By paying in
E-Gold or via DMT/ALTA it is a truly anonymous sign-up.  I
strongly recommend them if your needs are for total privacy.
Contact them yourself and negotiate direct.  See also their
site for more info.  As stated above they deliberately do
not display their full range of services, as this might
compromise your security.

One important point, Privacy.Li will not tolerate abusive
spamming or other obviously offensive use of their
facilities.  They will disconnect such spammers without
warning or refund.

Contact via Email:   webmaster@privacy.li

You can also use them to register a Domain name anonymously,
or get them to host your Domain on an associate's site, I
suggest Alpina1.net. To see what Alpina1 have to offer, go
here:

http://alpina1.net

It is difficult to over-estimate the significance of this
service.  They promise to replace their RSA key every month
and to Email the key fingerprint to every subscriber.  This   
is excellent security and should offer a level of security
way above that previously on offer from Cyberpass.

In case anyone is suspicious of this strong recommendation,
let me state I have absolutely no connection with Privacy.Li
other than as a very satisfied customer.




38.  OK, this sounds interesting, but how does SSH work?

SSH uses a protocol called port forwarding.  This means that
it tunnels the necessary ports for Web browsing (port 80),
Email send and receive (ports 25 and 110), Usenet (port 119)
through an encrypted tunnel (port 22).  Any adversary
attempting to read your data passing in either direction can
only know that a/ it is encrypted and b/ it is passing
through port 22 on your computer.  They cannot even
determine whether you are Web browsing or sending Email.

Note:   This is not strictly true.  I have heard a spokesman
for the British Government claim that even encrypted traffic
can give information of the type of traffic being passed.
But the big idea is that they cannot read that traffic!

The method is simple but very secure.  Your desktop SSH
program (called the client) asks for a connection to the
remote host server.  The host replies with its DSA public
key.  Your desktop checks this key against previous
connections and alerts you if it is different, which might
suggest someone was intercepting your traffic.  Your desktop
has meanwhile generated a random session key which is never
shown to you.  The host's public key is used to encrypt this
session key.  The host is able to decrypt it using its
secret key.  Now using the session key to encrypt everything
that passes between you and the host, it will ask you for
your user id and password.   Henceforth all further data are
exchanged encrypted with the session key.

Each time you start the program prior to logging on, a new
session key will be generated.   I am reasonably certain
that this session key is not saved by the host server.  I
have been told that the SSH protocol calls for the session
key to be held in RAM memory only and to be irretrievably
lost after the connection is closed. This means that even if
the encrypted data is recorded, without the session key it
will be forever lost.  This is why it is so important that
the site admin replace their key periodically.  With
Cyberpass anything recorded from years back could be
decrypted by serving a writ on them and obtaining their
secret key.  This would unlock the session key that was
initially exchanged between you and Cyberpass.   Thus the
snoops could come knocking years after you had forgotten all
about that data exchange.

The only caveat here is the assumption that the remote SSH
server's RSA or DSA key (whichever type they use) has not
been compromised. Thus the essential need to use a server
that is not easily accessible to snoops.
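
The host key check described above, combined with the
monthly key replacement and Emailed fingerprint from answer
37, is sketched below as an added example (not code from
F-Secure, Tunnelier or Privacy.Li).  The host name, the
verdict names and the sample keys are assumptions; the keys
are constructed byte strings with the shape of an ssh-rsa
public key, not usable keys.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the data."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split a '<type> <base64> [comment]' public-key line into (type, key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob repeats the algorithm name; a mismatch means a mangled line.
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob


def fingerprint(line: str) -> str:
    """SHA-256 fingerprint of the key blob, in the form current OpenSSH prints."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.strip().encode(), b.strip().encode())


class HostKeyPins:
    """Remembers one fingerprint per host, as an SSH client's host-key store does."""

    def __init__(self):
        self.pins = {}

    def check(self, host, offered_line, announced=None):
        """announced: fingerprint received out of band (the monthly Email)."""
        offered = fingerprint(offered_line)
        pinned = self.pins.get(host)
        if pinned is not None and same(pinned, offered):
            return "match"
        if announced is not None and same(announced, offered):
            # The key agrees with what the admin announced: accept and remember it.
            self.pins[host] = offered
            return "pinned" if pinned is None else "rotated"
        if pinned is None:
            return "unverified"   # nothing to compare against yet
        return "MISMATCH"         # differs from the pin and from any announcement


def demo_pubkey_line(seed: bytes) -> str:
    """Constructed sample: ssh-rsa shaped blob with a made-up 2048-bit modulus."""
    modulus = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(8))
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + modulus))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed-sample"


def run_pin_demo():
    july, august, other = (demo_pubkey_line(s) for s in (b"july", b"august", b"other"))
    host = "tunnel.example"   # hypothetical remote host
    pins = HostKeyPins()
    return [
        pins.check(host, july, announced=fingerprint(july)),      # first sign-up
        pins.check(host, july),                                   # normal login
        pins.check(host, august),                                 # new key, no Email yet
        pins.check(host, august, announced=fingerprint(august)),  # Email confirms it
        pins.check(host, other, announced=fingerprint(august)),   # unannounced key
        pins.check("new.example", july),                          # never seen, no Email
    ]


if __name__ == "__main__":
    for verdict in run_pin_demo():
        print(verdict)
```

A "MISMATCH" is the alert the client raises when the key
differs from previous connections; with monthly replacement
the Emailed fingerprint is what separates a genuine new key
from an intercepted connection.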

SSH is available in various implementations and commercial
programs. The one I use is F-Secure.  Alternatively a
cheaper but similar program is Tunnelier from Bitvise.

F-Secure is here:  http://www.f-secure.com/

Tunnelier is here:  http://www.bitvise.com/tunnelier.html




39.  Where does the data go after passing through the remote
host?

It then goes out onto the Web or to the News Provider
totally anonymously. All your postings and downloads will
always be totally private.



40.  Is the data encrypted after it leaves the remote server?

Not unless you are using an additional remote host.   If you
are careful and limit your time online to say a 1 hour
limit, breaking off and re-connecting you will always
generate a new session key.  This will make hacking attempts
far more difficult.



41.  How do I get onto Usenet?

You must subscribe anonymously to a dedicated and
independent news provider such as Astraweb, Newsfeeds or
Altopia.  You will need to modify Agent to ensure it routes
data through the encrypted connection.

To find a News Provider that suits your needs, try here:

http://www.exit109.com/~jeremy/news/providers/

I suggest taking advantage of the Privacy.Li proxy service
to sign up with whichever News Provider you wish to use.
Obviously you must pay Privacy.Li in either E-Gold or
DMT/ALTA to ensure you are anonymous to them.  You are then
doubly anonymous to the News Provider or whatever service
provider or site you have subscribed to.   It probably does not
need mentioning, but credit and debit cards leave a trail
directly to your front door and are utterly useless from a
privacy point of view.

If you wish to subscribe to a News Provider directly (more
bother, and you then have just one level of anonymity) then
you could send cash to Astralabs and possibly others.  I
know that Astralabs will accept direct cash payments for
their services.  If this is your choice, then send your cash
here:

Astra Labs Limited
80 Raffles Place
#16-20 UOB Plaza 2
Singapore
048624

IMPORTANT: all cheques/money orders should be made payable
to "Astra Labs Limited"  But sending a cheque would defeat
the whole purpose.




42.  OK, I've signed up, how do I configure Agent and SSH to
access Usenet?

Go to Options -> User and System Profile -> System and put
"localhost" in the line for News Server and again for Email
Server.  Click OK.

Go to Options -> User and System Profile -> User and under
News Server Login, put your given username and your
password.  Check "Login with a Username and Password" and
"Remember Password between sessions". Click OK.

Start F-Secure.   Open Profiles -> Edit Profiles -> Local
forwardings -> Add -> In the Source Port box put 119, in the
Destination Host box put the name of the News Server, for
example news.alt.net if you signed up with Altopia.  In the
Destination Port box put 119.  Click OK, and Ok again, say
Yes when asked if you wish to save the settings, close
F-Secure.

You are now ready to tunnel through to whichever News
Provider you signed with.




43.  How strong (safe) is this SSH encryption?

Very strong and safe.  You may have a choice of algorithms,
or you will have to use whatever algorithms are supported by
the host server.  3DES is a popular choice.  Do not allow
DES as it is now considered a poor choice. One more thing,
SSH has largely been replaced by the more secure SSH2.
Fortunately Privacy.Li uses SSH2.



44.  Should I run these encrypted programs from within my
encrypted drive?

Yes, provided you are using dual boot with DCPP.



45.  Can I post graphics anonymously to Usenet with this system?

Absolutely.  If you choose to use Agent, it will always use
your News Provider as the posting host. This is why I
recommended you subscribe anonymously to this news provider.
Nothing can then be traced back.

If you use Quicksilver it will always use one of the
mail2news gateways. These are intended to be hard anonymous,
but it does not yet support the SSH option.  Attempts to put
"localhost" into the proxy settings causes an error on my
system.   Despite this, Quicksilver is the more secure
method of sending and receiving Email and for posting to
Usenet where you have only a single layer of anonymity.  But
the remailer network does not readily accept large files,
such as graphics.  This is not a problem as you can use
Agent, provided you are double layered anonymous.



46.  Why Quicksilver, what about Private Idaho or Jack B. Nymble?

I found Private Idaho far too buggy and not as intuitive as
Quicksilver. I have also used Jack B. Nymble.  It is very
sophisticated, but I prefer the elegant simplicity of
Quicksilver.  This is my choice, others are free to assess
the alternatives and choose accordingly.



47.  Is there another, simpler way?

Email can be sent (and received) by Yahoo or Hotmail.  But I
treat these as soft anonymous.   Don't use them for anything
critical unless you can access them via SSH and your
anonymously signed for remote host. Stronger anonymity is by
using a paid for service such as that offered by Privacy.Li
or Hushmail.

There are also several freebie remote hosts.  My experiences
suggest they are less reliable and frequently down.  By all
means experiment and use whatever suits you best.  To access
Usenet you will need to find an NNTP host proxy, which are
far less common.

Warning:  Using a freebie remote host may mask your true IP
address, but that only helps to prevent a back-trace.   If
you live in a country which monitors your Net activities,
(e.g. the United Kingdom), any snoop will know which site
you are accessing and if so minded, could monitor the
datastream.   An SSH connection however encrypts this
datastream and most importantly, thus hides both the
datastream and your destination host server IP from these
prying eyes.

In simple terms, you need SSH and a truly anonymously signed
up remote host server if you want true Net privacy.



48.  Are there any other suggestions?

Immediately you finish a posting session, break the
connection. Close F-Secure.  This ensures new session keys
are generated when you log in again over the new link.
Never stay online whilst posting for longer than 1 hour
maximum.  There is nothing to stop you re-connecting as soon
as you have dropped the connection, just do not stay online
continuously.

Always post at different times, do not create a regular
pattern of postings at specific times and days of the week.
If possible, use different ISP's to log onto the Net.  By
all means use a freebie ISP if available in your area.  Be
aware that these freebies invariably log your telephone
number and connection times.  But then so do the others to a
varying extent.

It is vital and axiomatic that all your secret data must
always and at all times remain within your encrypted drive.
There is very little point at all in going to all this
bother and then printing out the data or saving it onto a
plaintext drive.  Always assume you are about to be raided!

Always back up your data onto CDROM or DVD using secure
encryption. BestCrypt is an excellent choice here with its
hidden container facility.



49.  Surely all this is totally over the top for the majority of
users?

It is certainly over the top for 99 per cent of users for 99
per cent of the time.  If, however, you are the one in a
hundred and you do not much like the idea of being at risk
for 1 per cent of the time, then no, it is not over the top
at all.

In any case, using these tactics helps create smoke which in
turn helps protect those who really do need all the
protection and security they can get.

Remember this FAQ is intended to help many different people.
Some may be living in deprived conditions, in countries
where human rights abuses are a daily fact of life.

Privacy and anonymity are very important principles
associated with both freedom of speech and democracy.


"Anonymity is a shield from the tyranny of the majority...
It thus exemplifies the  purpose behind the Bill of Rights,
and of the First Amendment in particular: to protect
unpopular individuals from retaliation - and their ideas
from suppression - at the hand of an intolerant society."

  Justice Stevens, McIntyre v. Ohio Elections Commission, 1996

If a Supreme Court Judge deems it a person's right, who would
argue?




50.  Can I use IRC/ICQ/Yahoo/MSN in this way?

No.  But you can use a program called Trillian.  There is
now a Pro version which will allow an encrypted conversation
between a group and even allows file exchange (I believe).
I have only used the beta version, text only. It appears to
do all they claim for it.  Both parties need to be using
Trillian for the encryption to be effective. You can use it
as a stand alone, but it will not then support encryption.

Trillian is here:   http://www.trillian.cc

If your intention is to seek to correspond with others to
exchange contentious or illegal material, be aware that
encryption alone may not be sufficient.  In those
circumstances it might be a very good idea to ensure you
understand how to use a proxy before connecting.

I regret I cannot offer any help in this matter, as I have
no experience of using IRC or Yahoo.



51.  Can I be anonymous as far as other Web sites are concerned?

Yes, by either using the Anonymizer browser plug-in or by
setting up MSIE or Netscape to use your remote host as a
proxy.  I recommend using your remote host with the SSH
protocol.



52.  Lastly, what do you say to the charge that this FAQ may
be useful to criminals?

I did take time to have a re-think after the events of 9/11.
However, on balance I believe it is still the right thing to
do.  Like gun control, if we ban weapons only the police and
criminals will have them. Banning encryption or anonymity is
not going to make criminals stop using encryption or
attempting to be anonymous.

It is almost laughable for anyone to be so naive as to
believe that passing any law would make the least difference 



I believe that the individual should be allowed to choose,
not the Government on his behalf.

Who benefits the most if Governments are allowed to reduce
our freedom of choice?   The Government or us?

Those that give up a little freedom to gain a little
security will lose both.





Therefore:

a.   always use encryption, whatever else you do.


b.   always post via your encrypted and anonymous remote
host to your anonymously subscribed News Provider.


c.   never ask of anyone nor give anyone online, your true
Email address.


d.   never DL any file with .exe, .com or .bat extension
from a dubious source.  If you do, don't run it.


e.   for your own protection, never offer to trade any
illegal material, nor ever respond to those seeking it, even
anonymously.


f.   never use your Credit/Debit Card to sign up to any
contentious Web site.



My key fingerprint: F463 7DCB C8BD 1924  F34B 8171 C958 C5BB

My user id:  0x14A606A7








This ends the FAQ.




Items specifically mentioned or recommended in the FAQ:



PGP:   http://freepages.computers.rootsweb.com/~irfaiad/

DCPP: http://www.drivecrypt.com

BestCrypt:  http://www.jetico.com/

Scramdisk:  http://www.samsimpson.com/scramdisk.php

Kremlin:  http://www.winhex.com/winhex/order.html

WinHex: http://www.winhex.com/winhex/order.html.

Windows Washer:  http://www.webroot.com

Agent: http://www.forteinc.com

ACDSee: http://www.acdsystems.com/english/products/acdsee/index

Thumbs Plus: http://www.cerious.com

VuePro:  http://www.hamrick.com

WinZip:  http://www.winzip.com

AVG here:   www.grisoft.com

Zonealarm:  www.zonelabs.com/zonealarmnews.htm

Steve's site:  http://grc.com/

Privacy is here:   http://privacy.li/

E-Gold is here: http://www.e-gold.com/

DMT/ALTA is here: https://196.40.46.24/ or https://213.132.35.90/
(they change IPs frequently)

Quicksilver, available here: http://quicksilver.skuz.net/

Jack B. Nymble:    http://www.skuz.net/potatoware/jbn/index.html

The Anonymizer:  http://www.anonymizer.com

Privacy.Li:  http://www.privacy.li/index.htm

A Proxy site listing:  http://www.samair.ru/proxy/

F-Secure:  http://www.f-secure.com/

News Providers: http://www.exit109.com/~jeremy/news/providers/

Scorch and Scour:   http://www.bonaventura.free-online.co.uk/

Trillian:   www.trillian.cc

Mixmaster (required by Quicksilver and Jack B. Nymble):

Download site:    http://www.thur.de/ulf/mix/

(comes ready to install with Quicksilver - just run Quicksilver
for the first time)




Nym remailers:

nym.alias.net, home page:
http://www.lcs.mit.edu/research/anonymous.html

Anon.efga.org, home page: http://anon.efga.org/



In case you need convincing:

http://www.gn.apc.org/duncan/stoa_cover.htm



Useful programs:


Partition Magic:  http://www.powerquest.com/



Some anonymity sites:


http://www.worldnet-news.com/software.htm

http://www.skuz.net/potatoware/index.html

http://www.skuz.net/potatoware/jbn/index.html

http://packetderm.cotse.com/

http://www.cotse.com/refs.htm

http://freeyellow.com/members3/fantan/pgp.html

http://www.all-nettools.com/privacy/

http://Privacy.net/

http://www.geocities.com/CapeCanaveral/3969/gotcha.html

http://www.junkbusters.com/ht/en/links.html

http://www.skuz.net/potatoware/privacy.txt




Other additional useful sites:


Beginner's Guide to PGP:

http://www.stack.nl/~galactus/remailers/bg2pgp.txt

PGP for beginners:   http://axion.physics.ubc.ca/pgp-begin.html#index

FAQ for PGP Dummies:    http://www.skuz.net/pgp4dummies/

The PGP FAQ:            http://www.cryptography.org/getpgp.txt

The SSH home page:   http://www.ssh.com/products/ssh/

Anonymous Posting:   http://www.skuz.net/Thanatop/contents.htm

Anonymity Info:   http://www.dnai.com/~wussery/pgp.html

Nym Creation:    http://www.stack.nl/~galactus/remailers/nym.html

General info:   http://www.stack.nl/~galactus/remailers/index-pgp.html





Revision 17.6a





~~~
This PGP signature only certifies the sender and date of the message.
It implies no approval from the administrators of nym.alias.net.
Date: Sun Jul 20 03:42:40 2003 GMT
From: doctor_who@nym.alias.net

