Articles
back to main table of contents back to fidonews.org* Originally by David Hallford, 1:10/2@fidonet
* Originally to Bob Satti, 1:153/6
* Originally dated 11 Mar 1998, 8:44
Hi Bob,
Unlike my normal reticent self, I am going to crosspost this netmail to Zorch for inclusion in the Fidonews.
I see the ZC as the 'Chairman of the Board of Directors' of Z1 and as the representative of Z1 to the rest of Fidonet. Looking back over the past few years I beleive that you have done an outstanding job. You have endured a lot of mud-slinging with good humor, and used good common sense when making decisions.
Some people have made accusations that you are a member of a conspiracy to control Fidonet. I think that they are wrong for 2 reasons. The first, and most obvious, is that the man who controls the Nodelist already has the tools necessary to do what he wants done without the need of a conspiracy. The second is much less obvious to most of Fidonet... you are a good and decent man (with an excellent sense of humor) and I think such pettiness as they accuse you of is too far beneath your dignity to do.
As you know, I am leaving Fidonet after 11+ years. Please understand that if all of Fidonet were more like you I would do whatever was necessary to stay.
Don't shut the door on me, though. We may find out that I can't survive without my daily dosage of Fidonet.
I just wanted you, and everyone else, to know the high regard I have for you.
with my highest regards,
Dave
back to articles table of contents back to main table of contents back to fidonews.orgPGP for DUMMIES
Jim Cannell
1:306/21
What is PGP? PGP (Pretty Good Privacy (tm), (c) Phillip Zimmermann, is a public key encryption program. What is public key encryption? Public key encryption is a virtually tamper-proof method of encrypting and/or verifying data. Unlike conventional encryption, which requires a secure channel to exchange keys, public key encryption uses two keys, one of which can be distributed publically through insecure channels, while the other is kept in the exclusive possession of the owner.
This article is intended to give the reader sufficient knowledge to encrypt/decrypt, sign, and verify integrity of files using PGP. PGP uses two keys, public and secret. The secret key stays in the owner's possesion, and is encrypted with a passphrase known only to the owner. The public key can and should be distributed widely in such places as the internet keyservers and/or the FidoNet PKEY_DROP Echo.
First, you need to install PGP on your system. The PGP archive as distributed is named PGP262.ZIP. Information on where to get PGP is included at the end of this article. The distribution archive contains three files: PGP262I.ASC, PGP262I.ZIP, SETUP.DOC. if these three files are not present, throw the archive away, and get another copy from a different source. With PGP, as with any strong encryption program, you do not want to take a chance on a corrupt file. Read SETUP.DOC. It gives you useful information about setting up the program. PGP262I.ASC is a detached signature file for the archive PGP262I.ZIP. Once you get PGP set up, it can be used to verify the integrity of the archive. Again, if it doesn't check out, get a different archive.
Now you are ready to actually install PGP. First, make a directory C:\PGP, and add this directory to your path. Change to this directory and run:
pkunzip -d pgp262i
The -d option is required. Unzipping this archive will create a DOC subdirectory, which is necessary to run PGP. After this step, PGP is ready to execute.
The simplest thing that can be done with PGP is to verify the integrity of a PGP signed file. All you need for that is a copy of PGP and the signer's public key. To verify the integrity of a PGP signed file named SIGNDFIL.ASC, execute the following command:
pgp signdfil.asc
This will create a new file named SIGNDFIL (without the extension). The new file will have the signature removed, and PGP will tell you if the signature is good or bad. If even one bit in the file has changed after it has been signed, PGP will tell you that the signature is bad.
Perhaps you want to ensure that those receiving a file know that it was written by you, and that it has not been modified. This is done by signing the file. Again, this is a simple operation. Just execute the command:
pgp -s yourfile.ext
PGP will ask you to enter your passphrase. After you do this, PGP will add your signature to a new file named YOURFILE.PGP. This works well for binary files, but if your original file was a text file, you will notice that the signed file is unreadable. Don't despair, the recipient will still be able to verify the signature, and read it. If you really want the text readable before the signature is verified, use the command:
pgp -sat yourfile.txt
After entering your passphrase, PGP will create a new file named YOURFILE.ASC, which has your original plaintext bounded by the PGP delimiter lines, and a signature attached. You have probably seen this format as signed messages in some Echos. This can be a quite useful tool for moderators who have a problem with others sending moderator messages. A PGP signature cannot be forged, thus assuring the reader that the message really is from the moderator.
Now you are probably wondering how to get the PGP key pair used to sign the file. This is also a simple operation. Enter the command:
pgp -kg
PGP will offer you three choices of 384, 512, or 1024 bits. You may also enter a value for the number of bits up to a maximum of 2047. For PGP to be effective, do not use a key length shorter than 1024 bits. You will then be prompted to enter a user ID for your key. Any text string will work, but it should be something meaningful. For example, the ID string on my key is:
Jim Cannell jim.cannell@f21.n306.z1.fidonet.org
Next, you will be prompted to enter your passphrase. The passphrase can be a long sentence or phrase with numbers and/or punctuation marks included. It can be any length, but should be limited to 128 characters if you are running MSDOS or a similar OS. To be secure, it should contain a mix of upper and lower case characters along with numbers and punctuation marks. The words in it should be badly misspelled, and be utter nonsense. Any meaning should be recognizable only to yourself. Make sure it is something that you can remember without ever writing it down. After you enter the passphrase, you will be asked to enter it again for verification. Next you will asked to enter some random text. Then, the actual key generation process will begin. This process is quite lengthy, even on a fast computer, but fortunately, you only have to do it once. The key pair that you just generated will be in your PGP directory in the files PUBRING.PGP and SECRING.PGP.
Now that you have your own PGP key, you need to take steps to protect it. First, sign your key. This is done with the command:
pgp -ks youruserid
After you have signed it, make at least one backup copy of both PUBRING.PGP and SECRING.PGP and store it in a secure place somewhere offline.
Next, you need to publish your public key. To do this, first extract it from your keyring with the command:
pgp -kxa youruserid keyfile
This creates a file named KEYFILE.ASC. For your own key, make this a unique file name. For example, my keyfile is named CANNELL.ASC. Post your keyfile as a message in the PKEY_DROP Echo, upload it to the internet key servers, and make it file requestable on your system with the magic name PGPKEY. Encourage your correspondents to freq it. You need to distribute this key as widely as possible.
To encrypt a file for a given recipient only, run:
pgp -e pvt_file.ext hisuserid
This will create a file named PVT_FILE.PGP, which can only be read by the recipient. When he gets it, he executes the command:
pgp pvt_file.pgp
PGP will ask him for his passphrase, and if it is correct will decrypt the PVT_FILE.PGP into the plaintext file, PVT_FILE. Note that when you encrypt a file with PGP, no one but the recipient can decrypt it; you won't even be able to decrypt it yourself.
This article should be sufficient to allow you to use PGP for its simpler tasks. To really discover how versatile this program is, read the included documentation. It is quite well written. I plan on this being the first of a series of articles on PGP. In future articles, I will describe how to do some of the more complex functions of PGP, such signing other people's keys, revoking keys, multiple IDs, multiple recipients, the web of trust, and more.
At the very least, the information in this article will enable you to determine whether or not your copy of this issue of FidoNews has been altered or censored since its publication by the Editor.
There are many places to obtain PGP. It is available for freq at 1:306/21 with the magic name PGP. The source code is available with the magic name PGPSRC. There is an ftp site at MIT, but you will be required to prove that you are a US or Canadian resident before being allowed to download. Thanks to the shortsighted US government, strong cryptographic protocols are considered munitions, and as such, their export is prohibited. Since I have an allergy to steel bars on my door, I must limit freqs to Zone 1 systems. If you want a copy, NetMail me from a Zone 1 address, and I will give you the password necessary to freq PGP. Although the US government has prohibited the export of PGP, it is freely available throughout the world anyway. In fact, every version of PGP has been available at overseas locations within minutes of its release. For those of you in other zones, I suggest that you first try to obtain PGP from 2:51/2. There are probably other locations closer to you that I am not aware of.
I invite you to join us in the PUBLIC_KEYS Echo to learn more about PGP and encryption. Both PUBLIC_KEYS and PKEY_DROP are international Echos distributed on several backbones in all six FidoNet zones.
If you have any questions, comments, etc., you can contact me in the PUBLIC_KEYS Echo or via NetMail at 1:306/21. Happy PGPing.
back to articles table of contents back to main table of contents back to fidonews.orgChanging the Balance
Michael Strates
3:635/725
News Flash!! FidoNet has gone back into action, with people leaving the Internet to go back to where they started. Hundreds of people are storming back to the older network, by 1,000's and the nodelist is growing out of control. Zones 1 & 3 have gained nearly 65,000 entries together.
Okay.. Perhaps I'm dreaming, but with a little bit of work, we can get our existing network to 'network'. Why did everybody leave FidoNet? The World-Wide-Web.. And what can FidoNet offer people using the existing services.. The World-Wide-Web, well a slight diversion from the real Web.. a thing I like to call SuperText.
SuperText is FidoNet's WWW. Let's say the base host for SuperText is 3:635/725, and the SysOp decides to put up three pages, one advertising his BBS (advert.stp), one about oil refineries (oilref.stp), and lastly, one about himself (me.stp).
The SysOp opens up the SuperText door, goes into the E)dit Pages section, and uploads the new .stp's into his SuperTextSpace. They get zipped into the database, frozen and the new entries are exported in Netmail for delivery to the next SuperText uplink.
Days later, it has been updated world-wide, and everybody can access his pages (in a flash) by opening the SuperText door, going into V)iew Pages, and typing in "centralbbs.mel.au/advert.stp" which would bring up his BBS advertisment.
SuperText will work. But there is a few obvious limitations with this design. Firstly, hard disk space is one -- however, it'll take a heck of alot of pages to fill an average 10MB free space up (considering they're compressed -- text files compress extra good!).
I've already created a UNIX prototype of SuperText, which seems to work well, but I need your help to continue development. I need people to write MEX scripts, and doors, and stuff for SuperText, and possibly an offline reader like Bluewave for SuperText.
If you can help with this new promising innovation, please send me netmail, "Michael Strates @ 3:635/725" or e-mail "mstrates@croftj.net".
back to articles table of contents back to main table of contents back to fidonews.org