http://www.fortunecity.com/skyscraper/true/882/DoctorWhoFAQ.txt

Date: 1 Jan 2000 15:08:31 -0000
Message-ID: <20000101150831.23748.qmail@nym.alias.net>
From: Doctor Who
Subject: Encryption & Security FAQ - Revision 13
Newsgroups: alt.security.scramdisk
Organization: Cypherpunks Anonymous

If you are serious about preserving your privacy, I recommend you read this FAQ.

Happy Millennium to all

Take care

Doctor Who

-----BEGIN PGP SIGNED MESSAGE-----

Security and Encryption FAQ
Revision 13
by Doctor Who

Purpose of this FAQ

The purpose of this FAQ is to help those who wish to improve their privacy. If you view or store sensitive data on your computer this FAQ may be of help to you. It is intended to be useful to anyone new to cryptology and computer security. It is assumed that you have a basic understanding of computer usage.

Main changes with respect to earlier versions

In this latest revision, I have taken the opportunity to change the layout. I have chosen to assume three levels of privacy/security. This is to allow each person to identify their requirements and adjust their standards accordingly. These three levels are:

Level 1. For those who wish to protect their files from unauthorized access. These users are not too concerned at being found with encrypted data on their computer. If they live in North America, they might be confident of the protection of the 5th Amendment which may protect them from being forced to hand over their private passphrases.

Level 2. This is for those who not only wish to hide their private data, but to hide the fact that they have such data.
This might be an essential requirement for anyone who lives in an inquisitorial police state where human rights are dubious, or where there is no equivalent to the United States 5th Amendment.

Level 3. This is for those who not only need all that is offered by level 2, but additionally wish to protect their computer from unauthorized access: protecting themselves from hackers whilst online and from snoopers who may try to compromise their software or add substitute software that could reveal their secret passphrases. These tactics are known as tempest and trojan attacks and are described later in the FAQ.

Some may consider this sort of protection paranoia. So be it. It is for each individual to choose, but be aware that level 3 will involve considerably more bother than level 2 on its own.

This first section deals with Level 1 Security:

How does encryption work?

In its simplest sense, the plaintext is processed by a mathematical algorithm (a set of rules for processing data) such that the original text cannot be deduced from the output file, hence the data is now in encrypted form. To enable the process to be secure, a key (called the passphrase) is combined with this algorithm. Obviously the process must be reversible, but only with the aid of the correct key. Without the key, reversing the process should be extremely difficult.

The mathematics of the encryption should be openly available for peer review. At first sight this may appear to compromise the encryption, but this is far from the case. Peer review ensures that there are no "back doors" or crypto weaknesses within the program. Although the algorithm is understood, it is the combination of its use with the passphrase that ensures secrecy. Thus the passphrase is critical to the security of the data.

I want my Hard Drive and my Email to be secure, how can I achieve this?

You need two different types of encryption software. For Email you need a system of encryption called public key cryptography.
This system uses a key pair. One key is secret and the other is made public. Anybody sending you mail simply encrypts their message to you with your public key. They can get this key either directly from you or from a public key server. This key is obviously not secret - in fact it should be spread far and wide so that anybody can find it if they wish to send you encrypted Email. The easiest way to ensure this is by submitting it to a public key server.

The only way to decrypt this incoming message is with your secret key. It is impossible to decrypt using the same key as was used to encrypt the message, your public key. Thus it is called asymmetrical encryption. It is a one way system of encryption, requiring the corresponding (secret) key to decrypt. Actually there is a lot more to it than this, but this is reducing the principle to its bare essentials.

For your normal hard drive encryption, you will need a symmetrical type of encryption program. The same key is used for both encryption and decryption.

Which Programs do I need?

Let's deal with Email first. For your Email I recommend Pretty Good Privacy (PGP). It is virtually the de facto Net standard for Email cryptography. It is freely available and easy to install. The source code has been published. The algorithm has, so far, survived critical analysis. PGP is available for many platforms, including Win95/98, NT, DOS, Mac, Unix, OS2. You can even work with the source code and compile your own version if you are truly paranoid!

PGP has several download sites. Check the PGP site: http://www.pgpi.com/

Also here: http://members.tripod.com/cyberkt/ - This version will include RSA for backward compatibility with the earlier DOS versions, so recommended.

Which version should I use?

If you are going to send anonymous Email through the Cypherpunk remailer system and you intend using a remailer such as JBN, see later in FAQ, then you will need a version of PGP that supports RSA.
I still use the older version of JBN that only supports the DOS version of PGP, but there is now JBN version 2 that supports the newer Windows versions of PGP.

It is possible to send through the Cypherpunk anonymous remailers using hand formatting. But the value of remailers is only as good as the ability to use them. To attempt to make a multi-remailer message by hand formatting is tortuous to say the least. It is also very risky. I would urge you to learn how to use JBN which does the job very efficiently and safely and as a bonus, you can choose as many remailers as you like, within reason.

Why are there two versions of PGP, RSA and Diffie-Hellman/DSS?

RSA is registered in the United States (but not elsewhere) and a license is required to use it and so it is not included with the freeware versions from the official PGP site. The Cypherpunk remailers still support RSA and if only for this reason, if you intend using the remailers, you will need RSA. For more information about these differences I recommend you visit the PGP site.

After 20th September 2000 the patent runs out on RSA and it will be freely usable by anyone anywhere.

If you want backward compatibility, which is advisable as many people are sticking with RSA for one reason or another, then make sure your version has RSA. The alternative Cyber-knights site shown above has complete versions with RSA and DH/DSS compatibility. Additionally, the Cyber-knights versions come with PGPDisk.

The Cyber-knights versions have gained some fame for their ability to generate and support excessively large keys. Such extra large keys are of little or no value in increasing the security of PGP.

I've installed PGP, I'm ready to generate my keys, now what?

Assuming you wish to correspond anonymously via the Cypherpunk remailer system, then create at least three separate key pairs. For future security against improvements in computer technology, I would suggest generating 2048 bit sized keys.
The first pair is for your Email usage. This first key should be signed and if you want others to have access to your key to enable them to send you encrypted Email, submit it to a key server, e.g. http://pgp5.ai.mit.edu/. You may want to adopt a Nym (anonymous name) for this key. If you do, then choose something that cannot be traced back to your Email address.

I would recommend you also create another Nym which will use the second key pair. This second Nym should not allow fingering of your public key, nor should you submit it to the key servers. This second Nym is for your highest security. You must not offer this public key to anybody. In fact for the maximum possible security, you should point your reply block for this Nym to a newsgroup, e.g. news:alt.anonymous.messages. All incoming mail to you via your Nym, even plaintext, will be encrypted from the Nym to news:alt.anonymous.messages. This ensures that everything sent or received by you via your Nym is secret and virtually untraceable back to you.

The third key pair is for general usage, see later in FAQ.

For more information about the Nym remailer service get the Nym FAQ.

Where can I get the Nym FAQ?

Send Email to: help@nym.alias.net - without a subject or body text. This is essential reading before you set up a Nym.

What about the data on my Hard Drive?

PGP is excellent for Email, but for data storage it is essential to use an "on-the-fly" encryption/decryption program. On-the-fly means the data is ALWAYS in encrypted form on the drive, it is only decrypted in memory and possibly in the notorious Windows swap file (more about that problem later). When the drive is mounted, meaning after the correct passphrase has been entered and the drive is visible as plaintext, each read/write to the drive decrypts to memory or encrypts to the disk as necessary.

The advantages of this on-the-fly encryption/decryption cannot be too strongly emphasized.
It means that at all times your files will remain in encrypted form on your hard drive. If a power failure occurred you are not left stranded with sensitive material lying around in plain text, except in the swap file! Yet once you have entered your passphrase you can see the contents of the encrypted partition, just as if it were plaintext. There are several programs of this type; I suggest three possible programs later in the FAQ.

There are other more practical advantages to on-the-fly encryption if you have a large hard drive. Just try decrypting several Megabytes or even Gigabytes of files each time you boot your computer, remembering they must all be re-encrypted at the end of the session and their plaintext equivalents securely wiped! With modern very large drives it could take hours, an absurd scenario.

I have Windows 95/98, what should I use?

First off, Windoze 95/98 is definitely not a security orientated program. One simple method of improving your computer security is to disable the Windows swapfile. To ensure reliable operation, and depending on what programs you run, you may need several hundred megabytes of RAM. If you are serious about your privacy, I would recommend investing in as much RAM as you can afford and turning off the swapfile. I suggest a minimum of 128 Megs and preferably double or even quadruple that.

Apart from the Swapfile, what else can Windows reveal to a snooper?

Both user.dat and user.da0 (the backup copy) can reveal all sorts of interesting things about your computer habits. Take a peek by opening in Notepad or Wordpad. You cannot edit this file in Notepad or Wordpad - do not even think of it! The correct way to edit this file is by using regedit.exe. However, if you mess up your registry, Windows will not boot! I have heard that Microsoft do not even support registry problems.
Your only recourse would then be to restore from a backup (you do backup regularly, don't you?), or to re-install Windows and all your programs from scratch.

If you find information that you would rather not be there, I suggest either restoring from an earlier backup of these files, or simply bite the bullet and re-format your hard drive. This is extreme, but may be the only alternative. At least you then start with a clean slate.

Assuming you have a clean system to start with, you can then proceed with creating all your encrypted drives and sub-folders within those drives and finally installing all the programs you intend using. I would now suggest you take another peek at user.dat. At this stage, before any data has been copied onto your encrypted drive, any information within user.dat should be relatively benign. Later in the FAQ I show a simple system to keep these files sanitized.

Which on-the-fly programs are recommended?

There are several programs that offer on-the-fly encryption/decryption. I recommend three: Scramdisk, PGPDisk and SecureDrive. SecureDrive is DOS or Win3.xx compliant only. Scramdisk is Win 95/98 compliant only at present, whereas PGPDisk supports both Win 95/98 and Windows NT. All of these programs are freeware. All the source code for the three recommended programs is available for scrutiny.

SecureDrive is available here: http://www.stack.nl/~galactus/remailers/securedrive.html

Scramdisk is available here: http://home.clara.net/scramdisk/
Or here: http://www.scramdisk.clara.net/

Both PGP and PGPDisk are here: http://members.tripod.com/cyberkt/

Can you compare these three programs?
Encryption Program                        Scramdisk  PGPDisk    SecureDrive

Cost                                      Free       Free       Free
Maximum size of container/volume          2 Gigs     4 Gigs     2 Gigs
Algorithms offered                        9          1          1
On-the-fly encryption/decryption          yes        yes        yes
Ability to use steganography              yes        no         no
Supports Jaz/CD-Writer                    yes        yes        no
Easy to backup/copy                       yes        yes        no
Ability to encrypt a floppy               yes        yes        no
Can encrypt to a file                     yes        yes        no
Can encrypt a partition                   yes        no         yes
Filename can be freely chosen             yes        yes        NA
File extension can be freely chosen       yes        yes        NA
File will reveal it is encrypted data     no         yes        yes
Ability to hide an encrypted partition    yes        no         no
Ability to choose size of file            yes        yes        no
Works with Win95/98                       yes        yes        no
Works with Win NT                         no         yes        no
Writes to the Windows registry            no         yes        no
Hot key crash close                       yes        yes        no
Timeout container/volume close            yes        yes*       no
Full source code published                yes        yes        yes
Ability to use a Keyfile                  yes**      no         yes
Hides chosen algorithm from snoopers      yes        no         no
Hides passphrase errors from snoopers     yes        no         no
Ability to easily change passphrase       yes***     yes        no
Low level inputting of passphrase         yes        no         yes

*   = Only works if there are no open files.
**  = A Keyfile with Scramdisk only allows secondary privilege access. It does not work as a low level randomly generated passphrase as with SecureDrive.
*** = Important that the passphrase be changed after creation.

Which is your choice of these three?

Assuming you have Win95/98, the choice is between Scramdisk and PGPDisk. Both are excellent programs. For ease of use, it is difficult to fault PGPDisk, especially if you intend using the Windows version of PGP - they work together seamlessly. However, Scramdisk has a few features that may tip the balance for some people. For example Scramdisk offers:

1. a steganography feature (see below)
2. never reveals any error messages if you input the wrong passphrase - thus no feedback to help a snooper isolate a file for further scrutiny
3. does not write to the Windows registry.
4. offers a far larger selection of algorithms.
5. the encrypted file does not reveal any information about the algorithm in use.
6. allows a whole partition to be encrypted, when the partition then disappears off the Windows/DOS operating system.

Bottom line, my choice, is... Scramdisk

What about Safe Folder, Puffer, E4M, etc., etc?

Sorry, I only write about those programs I have actually used and trust. There are always many alternatives with more appearing all the time. By all means experiment for yourself.

Which Algorithm is best, particularly as Scramdisk offers 9?

My choice is the Blowfish algorithm. This is also the algorithm of preference in the Scramdisk documentation. The Blowfish algorithm was designed by Bruce Schneier in 1993. The source code is available and has withstood 6 years of crypto-analytical scrutiny. It was written specifically for the 32 bit microprocessor.

Scramdisk offers Blowfish with a 256 bit key, plus eight others. Scramdisk hashes this key down to an effective strength of a 160 bit key using SHA1. PGPDisk offers CAST with a 128 bit key. SecureDrive features the IDEA algorithm with a 128 bit key. Do not be misled, CAST and IDEA are extremely strong with "only" 128 bit keys. The most likely weakness with most people is their passphrase. Always make it long. Remember, every extra character you enter makes a dictionary search for the right phrase twice as difficult.

Right now there is no real point in attacking a 128 bit cypher by brute force. 160 bits will probably never be in reach of a brute force attack unless there are some radical and fundamental breakthroughs in computing.

Note: For the uninitiated the size of the key is a rough arbiter of the strength of a program, but it is only one of the factors. Equally important is the type of encryption algorithm that is chosen. Strong crypto algorithms (such as BlowFish, IDEA, CAST) are for all practical purposes uncrackable by any presently known method, other than brute force testing of each possible key!
May I suggest here that if any serious snooper wants to view your secret data, they will find a way without wasting their time attempting a brute force attack upon your Scramdisk container. In some countries rubber hose cryptography may be the rule. Anybody living in such a country needs level 2 security at the very least.

Can an encrypted container be identified as a Scramdisk volume?

Only if you do not change the passphrase after creating the container.

When a Scramdisk container is created, random key material is generated. The size is 1024 bytes for initialization vectors and whitening values plus the encryption key length. This material is encrypted with a SHA1 hash from the passphrase and saved at offset 0 and at offset 6144 in the container file. Thus two identical strings of 1024 bytes co-exist in the encrypted file. Software exists that can search for such identical strings in any file, which if found will strongly suggest that the file is a Scramdisk encrypted container.

When the passphrase is changed, only the key material at offset 0 is re-encrypted with the new passphrase hash. So the answer is obvious, simply change your passphrase immediately after creating the container. You could just change the last character at the end of the passphrase when you create it initially. After checking it opens satisfactorily, right click on its icon in the Scramdisk Window and choose "change passphrase". Now simply change back the last character you changed when you created the container. This small change to the passphrase will hash down to an entirely different string and ensure that software designed to look for two similar strings will fail.

This does not apply when steganography is used. If you decide on the steganography facility, there is no need to worry about this.

All of the above is sufficient for a level 1 security.

What more must I do to achieve level 2 Security?
For level 2, it is essential that you can show plausible deniability for all files that might contain encrypted data. The purpose is to be able to justify every file on your system. This section will help you to achieve this higher level of security.

Scramdisk does not write to the registry. Nevertheless, a forensic examination of your computer would almost certainly reveal encryption. Why? Because Scramdisk puts a VxD file within the Windows\System\Iosubsys folder. Also, should you decide to configure Scramdisk to use, say, the Red Screen mode, it then creates an ini file, called, you guessed it - Scramdisk.ini and puts this in the Windows folder.

To minimize problems, accept this inevitability. The workaround is simple: generate at least two parallel encrypted containers with Scramdisk. Each is a mirror of the other as far as the regular programs are concerned (because their presence may be registered by Windows anyway). The only difference between the two containers is that one is a steganographic container hidden within a WAV file. This is the one that will contain all your critical data.

It is important to set up each encrypted container to use the same preferred drive letter. I suggest X:, but choose the same letter to ensure consistency with your truly secret encrypted container. Of course, only one drive X: can be open at a time. If you open another container, the drive letter will default to something different.

How does this Steganography work?

Steganography is the science of hiding files within other files, often graphics or sound files. Scramdisk's steganography feature requires a sound file with the WAV extension. Once created this extension must not be changed or Scramdisk will not be able to access the file. There is no need to attempt to hide the genuine sound file. The purpose is to have a genuine WAV file and to effectively hide the encrypted volume within it. This is without doubt the safest form of hiding the container.
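The duplicate-block check described earlier, under "Can an encrypted container be identified as a Scramdisk volume?", can be run against your own containers before you rely on them. This is an added example, not part of the original FAQ and not Scramdisk code: the offsets and block length come from the FAQ, while the sample container, the passphrase-change model and all function names are constructed for illustration.

```python
"""Self-audit for the duplicate key block the FAQ describes (added example)."""
import hashlib

KEY_BLOCK_LEN = 1024      # length of the duplicated block, per the FAQ
PRIMARY_OFFSET = 0        # copy that is re-encrypted on a passphrase change
SECONDARY_OFFSET = 6144   # copy that keeps the creation-time passphrase hash
MIN_DISTINCT_BYTES = 128  # assumption: ciphertext uses most byte values


def blocks_match(first: bytes, second: bytes) -> bool:
    """True when both blocks are complete, identical and look like ciphertext."""
    if len(first) != KEY_BLOCK_LEN or len(second) != KEY_BLOCK_LEN:
        return False  # file too short to hold both copies
    if first != second:
        return False
    # Zero-filled or repetitive files (sparse images, padding) also contain
    # identical blocks, so require the variety expected of encrypted data.
    return len(set(first)) >= MIN_DISTINCT_BYTES


def has_duplicate_key_block(data: bytes) -> bool:
    """Check an in-memory image for the two identical 1024-byte blocks."""
    first = data[PRIMARY_OFFSET:PRIMARY_OFFSET + KEY_BLOCK_LEN]
    second = data[SECONDARY_OFFSET:SECONDARY_OFFSET + KEY_BLOCK_LEN]
    return blocks_match(first, second)


def file_has_duplicate_key_block(path: str) -> bool:
    """Same check on a file, reading only the two blocks that matter."""
    with open(path, "rb") as fh:
        first = fh.read(KEY_BLOCK_LEN)
        fh.seek(SECONDARY_OFFSET)
        second = fh.read(KEY_BLOCK_LEN)
    return blocks_match(first, second)


# --- constructed sample data: a model of the layout, not Scramdisk's format ---

def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic random-looking bytes standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def key_block_for(passphrase: str) -> bytes:
    """Stand-in for key material encrypted under a passphrase hash."""
    return keystream(b"keyblock|" + passphrase.encode(), KEY_BLOCK_LEN)


def make_sample_container(passphrase: str, size: int = 64 * 1024) -> bytearray:
    """Freshly created container: the same key block sits at both offsets."""
    image = bytearray(keystream(b"body", size))
    block = key_block_for(passphrase)
    image[PRIMARY_OFFSET:PRIMARY_OFFSET + KEY_BLOCK_LEN] = block
    image[SECONDARY_OFFSET:SECONDARY_OFFSET + KEY_BLOCK_LEN] = block
    return image


def change_passphrase(image: bytearray, new_passphrase: str) -> None:
    """Per the FAQ, only the copy at offset 0 is rewritten on a change."""
    block = key_block_for(new_passphrase)
    image[PRIMARY_OFFSET:PRIMARY_OFFSET + KEY_BLOCK_LEN] = block


if __name__ == "__main__":
    container = make_sample_container("constructed passphrase 1")
    print("fresh container flagged:   ", has_duplicate_key_block(bytes(container)))
    change_passphrase(container, "constructed passphrase 2")
    print("after passphrase change:   ", has_duplicate_key_block(bytes(container)))
    print("zero-filled file flagged:  ", has_duplicate_key_block(bytes(64 * 1024)))
```
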
Scramdisk will allow 2 Gigabytes maximum size of encrypted container. To hide the encrypted container, a WAV file of at least double that size is necessary and preferably four times that size. This would be invisible to even the most determined snooper. Small encrypted containers of around 20 megabytes or so are easily hidden. Very large WAV files are not usually easily available, but I explain later how to circumvent this problem.

Scramdisk is fussy with regard to the type of WAV file. It must be in Windows PCM (WAV) format. There are several WAV formats, but only a Windows PCM WAV type will work. One easy way to create a usable format is by ripping the track off a normal CD. If you use AudioGrabber it will copy any or all tracks off a CD and save them as PCM WAV files. For maximum security I advise using the 25 per cent density option offered by Scramdisk, rather than the 50 per cent option.

AudioGrabber is here: http://www.audiograbber.com-us.net/

Why choose 25 instead of 50 per cent density?

A CD is in 16 bit format which theoretically can achieve 96 decibels signal to noise ratio. If you choose to encrypt up to 50 per cent density, it means your signal to noise ratio will drop to 8 bits, or 48 decibels. This is definitely noticeable as a background hiss. Whereas, if you opt for 25 per cent density, you retain a 72 decibel signal to noise ratio which may be higher than your sound card - thus unnoticeable without scientifically examining your file against the original.

Surely, if I use an ordinary CD, then I could be discovered?

True. For the absolute highest security, you should make your own recording of a piano, church organ or other instrument or a band, any band, jazz or whatever. Try to record at least two sessions. These should be converted to WAV format and stego encrypted. The original recording should be destroyed. Your stego encrypted copy is now the original. Nobody can possibly prove otherwise.
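The density arithmetic above, worked through on a constructed carrier. This is an added example, not part of the original FAQ or Scramdisk's code: it assumes hidden data simply replaces the low-order bits of each 16 bit sample, which is how the FAQ's "8 bits, or 48 decibels" figure reads, and the 997 Hz test tone and all function names are illustrative.

```python
"""Low-bit embedding density versus signal-to-noise ratio (added example)."""
import math
import random

SAMPLE_BITS = 16    # CD audio sample width, per the FAQ
FULL_SCALE = 32767  # largest positive 16-bit sample


def carrier_bits(density: float) -> int:
    """Low-order bits per sample given to hidden data: 0.25 -> 4, 0.5 -> 8."""
    return int(SAMPLE_BITS * density)


def rule_of_thumb_db(bits_left: int) -> float:
    """About 6 dB per remaining bit, the rule behind 96/72/48 decibels."""
    return 20 * math.log10(2 ** bits_left)


def make_tone(count: int, freq: float = 997.0, rate: int = 44100) -> list:
    """Constructed carrier: a full-scale sine standing in for a recording."""
    step = 2 * math.pi * freq / rate
    return [round(FULL_SCALE * math.sin(step * i)) for i in range(count)]


def embed(samples: list, payload: list, bits: int) -> list:
    """Replace the low `bits` of each sample with one payload value."""
    mask = (1 << bits) - 1
    return [(s & ~mask) | (p & mask) for s, p in zip(samples, payload)]


def extract(samples: list, bits: int) -> list:
    """Read the hidden values back out of the low bits."""
    mask = (1 << bits) - 1
    return [s & mask for s in samples]


def snr_db(original: list, modified: list) -> float:
    """Signal power of the original over the power of the change made to it."""
    signal = sum(s * s for s in original)
    noise = sum((m - s) ** 2 for s, m in zip(original, modified))
    return math.inf if noise == 0 else 10 * math.log10(signal / noise)


def measure(density: float, count: int = 44100, seed: int = 1) -> dict:
    """Embed random (ciphertext-like) data at a density and measure the cost."""
    bits = carrier_bits(density)
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    payload = [rng.getrandbits(bits) for _ in range(count)]
    tone = make_tone(count)
    stego = embed(tone, payload, bits)
    return {
        "bits_used": bits,
        "rule_db": rule_of_thumb_db(SAMPLE_BITS - bits),
        "measured_db": snr_db(tone, stego),
        "payload_recovered": extract(stego, bits) == payload,
    }


if __name__ == "__main__":
    for density in (0.25, 0.5):
        result = measure(density)
        print(f"{density:.0%} density: {result['bits_used']} bits/sample, "
              f"rule {result['rule_db']:.1f} dB, "
              f"measured {result['measured_db']:.1f} dB, "
              f"recovered={result['payload_recovered']}")
```

Measured against a full-scale tone, the results land roughly 1 dB below the round 72 and 48 decibel figures, because overwritten bits add a little more noise than plain quantization to the same word length.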
For all anybody knows the original achieved 72 decibels signal to noise ratio. For best security it is unwise to use digital recording equipment - it can easily exceed your 72 decibel self-imposed limitation. Analog hiss on the original is no bad thing!

Incidentally, many audiophiles actually prefer the quality from an old fashioned analog recording compared to today's all singing and dancing digital ones. So you will be in good company if you justify your choice of recording equipment on that basis! It will still work even if the original recording does not achieve 72 decibels. Paranoia perhaps, but it helps enormously with plausible deniability.

Remember, if you need a very large (Gigabytes) sized container, you will need a long continuous recording session. A WAV file will offer you about 10 Megabytes of file size per minute of recording. This is very wasteful (thankfully) and is the main reason for the emergence of Mpeg3 files on the Internet.

Most important! Do not make a straightforward backup of this WAV file. As the future contents of the backup and of the copy in ongoing use will not necessarily be identical, neither will their low level (hexadecimal) encrypted data, which is open to examination! Software may be available which could look for identically named files with differing low level data. Such files will immediately raise suspicions that they may be carriers for stego encrypted data. This is my reason for suggesting recording at least two separate sessions. These recordings need not be similar in content, just approximately similar in length.

How do I convert my recording into WAV format for Scramdisk?

Use CoolEdit. Get it here: http://www.syntrillium.com

Which is recommended, a container or a partition?

For level 2 security, go for a container. Why? Although an encrypted partition disappears off the Windows/DOS system, its presence is easily determined by a snooper. Remember, Scramdisk itself reveals it. It even names it as a Scramdisk volume!
So definitely not recommended for a level 2 security. But there is no reason why you should not use it as a decoy encrypted volume, see later in FAQ.

Can I encrypt a floppy with Scramdisk?

Yes. If you encrypt a floppy, the maximum size is 1 megabyte, which must be specified before you start. A larger size can be input, only to fall over when writing it to a file at the end.

Are there any other advantages to Scramdisk?

One big advantage of Scramdisk is that it never returns any errors if a snooper is trying to test each of your files. The only way it shows any response is when the correct passphrase has been input against the correct file. You get one shot; if it is wrong Scramdisk simply returns you back to its opening screen. Nothing else happens: no errors, no screens warning you that the passphrase is wrong, or that it is not a Scramdisk encrypted volume.

Likewise, with WAV files, there is no feedback to help a snooper isolate a file for further study. With upwards of 10,000 files on a modern computer, this suggests an uphill struggle at the very least.

Yet another small but useful tweak: it always starts in the same folder in which the executable file is installed, so it never leads any snooper to the last file that was accessed.

For these reasons, in my opinion, Scramdisk must be the foremost choice for those who demand level 2 security of their data.

What about the "Red Screen" mode?

The "Red Screen" mode helps to protect you against a tempest or trojan attack (see later in FAQ, regarding level 3 security). This screen inputs the passphrase at a very low level which helps defeat a tempest or trojan attack to capture your on screen passphrase. This is only available if you have a standard Qwerty keyboard. European or Asian users with non-standard keyboards cannot use this facility because the character layout at low level is not the same as displayed by the keyboard.
A possible solution with only partially non-standard keyboards might be to try it using only figures and letters. An easy method is to create a test Scramdisk volume using the normal passphrase screen, then attempt to open it in Red Screen mode. Most of the differences between European keyboards are in the shifted characters above the figures. In which case a compromise might be reached if you use a figures and letters only passphrase. If this works, I would choose a figures and letters passphrase of at least 40 characters in length.

How do I go about encrypting to a volume or to a partition?

Read the fine manual.

When generating an encrypted volume, you decide the size (up to 2 Gigabytes) and its name, or accept the default name and size offered by Scramdisk. You can place it wherever you choose, wherever there is room for it.

When generating an encrypted partition, you will need a section of your hard drive partitioned off, clear of any data. If there are files and folders in the proposed partition, they will be lost upon encrypting.

I use Mac, OS2, Linux, Unix, NT (fill in your choice), what about me?

Sorry. Scramdisk is only available for Win95/98 at present. An NT version has been promised... Meanwhile you could look here:

For NT ... "Sentry" http://www.softwinter.com/sdown.html
For the Mac ... CryptDisk http://www.primenet.com/~wprice/cdisk.html
PGPDisk http://www.nai.com/default_pgp.asp

If you have either a Mac or are using Windows NT, I would recommend PGPDisk as the best second choice after Scramdisk.

I have heard that there are programs that HIDE and Encrypt, are these any good?

Forget it. They are not even worth considering for level 1 security. A forensic examination of your computer is a daunting prospect. Never underestimate the snooper.

What about simple file by file encryption?

I recommend using the Windows version of PGP. It comes with PGP Tools which will allow you to encrypt any file on your computer.
Only encrypt these single files on the assumption of a level 1 security.

Do I need to wipe as opposed to simply deleting files within the Scramdisk or PGPDisk drive?

If the encrypted container is sufficiently secure for your normal files, it must obviously be secure for deleted files. Therefore, it is unnecessary to wipe files within the encrypted drive.

Do I need to wipe an unwanted Scramdisk container?

Yes. Never simply delete the container. Wiping will ensure that the hash of your passphrase is destroyed. If you wish to destroy a stego container you can either wipe the original WAV file, or you can create a new stego container which will over-write the previous copy. Of course there is far less risk of exposure with a stego container, compared to a normal openly encrypted container.

Does using Encryption slow things up?

There is a small speed penalty because your computer has to encrypt to write to disk and decrypt to read from it. In practice on a fast machine, using the Blowfish cipher, the encryption is totally transparent in normal use.

Do I need a PGP passphrase if I store my keyrings within my encrypted drive?

For level 2 security, probably not essential provided you always backup these keyrings onto another encrypted container. If you need level 3 security, you must choose a passphrase for your secret PGP keyring. Why the difference? Because if you suffered an attack whilst your encrypted volume is open, someone could sniff out your keyrings. Once outside your control, without a passphrase everything you have sent or received by Email is immediately available to the snooper.

What is a Tempest attack?

Tempest is an acronym for Transient ElectroMagnetic Pulse Emanation Surveillance. This is the science of monitoring at a distance electronic signals carried on wires or displayed on a monitor. Although of only slight significance to the average user, it is of enormous significance to serious cryptography snoopers.
To minimize a tempest attack you should screen all the cables between your computer and your accessories, particularly your monitor. A non CRT monitor screen such as those used by laptops offers a considerable reduction in radiated emissions, so may be considered by the truly paranoid. More serious (more paranoid?) users may wish to consider screening their room. This sounds absurd but is routine with certain Government Agencies.

You've explained about Tempest, but what is a Trojan?

A trojan (from the Greek Trojan horse) is a hidden program that monitors your key-strokes and then either copies them to a secret folder for later recovery or ftp's them to a server when you next go online. This can be done without your knowledge unless you are monitoring the data exchange between your computer and your ISP. Such a trojan can be secretly placed on your computer (suggesting poor security management) or picked up on your travels on the Net. It might be sent by someone hacking into your computer whilst you are online.

I need Level 3 Security, how do I achieve this?

You need both a firewall and a program to monitor internet accesses by any program on your computer. If you doubt this, visit here: http://grc.com/x/ne.dll?bh0bkyd2

Which firewall do you recommend?

Black Ice. Get it here: http://www.networkice.com/

You configure it by clicking on the top left corner of the Black Ice Window. Click on Configure, then Protection. I recommend the "paranoid" setting. If you find you have a problem with FTP, simply drop the protection back a couple of notches for the duration of the download, then immediately revert back to paranoid!

Which Monitor program do you recommend?

I recommend ZoneAlarm.

What does it do?

This is what ZoneLabs say about their program:

Description: ZoneAlarm Internet security utility lets users control applications' Internet access and usage. ZoneAlarm increases security by letting users lock Internet access.
The configurable Internet lock works both manually and automatically. ZoneAlarm visualizes all Internet activity on the computer, exposing potential unwanted Internet activity letting the user stop it.

In a nutshell, you choose which programs can access the Net. Anything else is locked out, plus you get a screen telling you which program/file is trying to access the net. Get it here: www.zonelabs.com/zonealarmnews.htm

How can I prevent someone using my computer when I am away?

Very difficult. With floppy boot disabled in the BIOS, a BIOS password enabled and a Windows password, there are still ways and means of gaining access. Regrettably, there is no easy answer, short of locking it away. One possible way is to have a removable hard drive and keep the drive in a secure place away from your computer. Note, this means your hard drive C: needs to be removable. Little or nothing is gained by keeping your encrypted drives on Zip or Jaz removable media because a trojan could still be deposited on your hard drive.

A small ruse that can help thwart someone actually depositing a trojan on your machine is to PGP sign the registry keys, the firewall and ZoneAlarm.

How do I do this?

The easiest way is to use the Windows version of PGP to check the validity of each critical file that a snooper may try to compromise to obtain your secret passphrases. You do this by digitally signing each of the following files: Regedit.exe, system.ini, system.dat, system.da0, User.dat, user.da0, win.ini, ole2.dll (found in Windows\System folder), firewall.ini (from your Black Ice firewall folder), Blackd.exe, Blackice.exe, Blackice.ini, Zonealarm.exe (from the Zonealarm folder), zoneband.dll and from C:\ autoexec.bat, config.sys, sys.ini and msdos.sys.

PGP offers you by default the option of a detached signature, use that option. It surely goes without saying that you do not use any of your secret Nym keys for signing these files.
You should have generated a key pair for general use, which is for just this sort of purpose. This key is to level 1 security only, so use a different passphrase to the one you use for your stego Scramdisk container. It could be the same as your decoy Scramdisk container, of course. There is no reason to choose a simple one: the more complex it is, the more plausible it is and the more value you appear to place in the security of your decoy container. Anyway, it must be complex if it is to protect your sig files.

After signing each file, you will see a new file appear with the identical file name but with the tag ".sig" attached. If you click on this new file, it will display the signature validity of the file it is checking. If the signed file has been tampered with in any way, it will display "bad signature".

Create a new folder: c:\registry. Copy all the above files, including their detached digital sigs into c:\registry. After copying across, highlight all of them and right mouse click and choose "properties". Uncheck the "hidden" box. These are your backups for future use. It will do no harm to keep copies of all these files together with their detached sigs within your (secret) encrypted drive.

Next, make shortcuts of every single detached sig that applies to the original files (not the backup copies) and place these shortcuts in the Windows\Start Menu\Programs\Start Up folder.

Both system.dat and user.dat are dynamic registry files that change on boot and during use.
To ensure authentication on boot, add the following lines to your autoexec.bat file:

    rem Replace each registry file with the clean copy kept in c:\registry
    cd c:\windows
    rem system.dat and its backup system.da0
    attrib -r -s -h system.dat
    scorch [system.dat]
    copy c:\registry\system.dat c:\windows
    attrib +r +s +h system.dat
    attrib -r -s -h system.da0
    scorch [system.da0]
    copy c:\registry\system.da0 c:\windows
    attrib +r +s +h system.da0
    rem user.dat and its backup user.da0
    attrib -r -s -h user.dat
    scorch [user.dat]
    copy c:\registry\user.dat c:\windows
    attrib +r +s +h user.dat
    attrib -r -s -h user.da0
    scorch [user.da0]
    copy c:\registry\user.da0 c:\windows
    attrib +r +s +h user.da0

Scorch is available here: http://www.bonaventura.free-online.co.uk/

This will ensure that clean copies of system.dat and user.dat and their backups system.da0 and user.da0 are put into the Windows folder before each boot. Should either file have been compromised, a clean original will replace it.

When you next start Windows it will then automatically display boxes showing the result of testing these sigs against the original files. You now have a reasonable chance of catching out any snooper who has actually physically tampered with your machine in your absence. Your firewall should minimize the risk of anyone tampering whilst you are online.

As you have checked all the relevant registry files and your firewall before each boot, you can be reasonably sure that your system is safe to use and has not been compromised. If, despite the above, someone has managed to compromise your computer, ZoneAlarm should alert you to any nefarious activity by any snoop program before it has a chance to send your passphrases to some web site.

What is to stop a snooper creating a similar named key and making new sig files?

Nothing at all. But, big but here, it is not the name of the signing key that you look at when checking, but its id. This cannot be spoofed by the snooper as it is your secret key, protected by your secret passphrase.

What happens if I install any more programs?
Before doing an install of any new program, always shut down completely and re-boot from cold. This ensures a clean registry before the new installation. Rem out the extra lines you have added to your autoexec.bat file. This means putting "rem" (without the quotation marks), plus a space as the first word of each of the additional lines you added. This will prevent Windows running those extra lines.

Now install the program and re-boot. Immediately after re-boot you should copy user.dat, user.da0, system.dat and system.da0 into C:\registry and digitally sign them. You will need to do the signing within C:\registry as user.dat is constantly changing and may otherwise give you a false sig. Now copy these new detached sigs into C:\Windows, over-writing the originals already there.

Go back into your autoexec.bat file and remove the "rem" in front of each affected line. Save the changes and then re-boot as a check that all is well. Naturally, you should back up these changes as soon as convenient.

Are there any other precautions I should take?

Make copies of all your PGP keys, a text file of all your passwords and program registration codes, copies of INI files for critical programs, secret Bank Account numbers and anything else that is so critical your life would be inconvenienced if it were lost. These individual files should all be stored in a folder called "Safe" on your encrypted drive.

Encrypt a floppy with Scramdisk using your stego passphrase and copy this folder onto the floppy. Whenever you update "Safe", you should also update your floppy backup to ensure synchronization. Now copy the Zip file for the Scramdisk program onto another floppy - DO NOT ENCRYPT THIS SECOND FLOPPY!

Both these floppies should be kept apart from your computer in case of theft, fire or authoritarian interference. To retain a level 2 security they should be entrusted to a good friend for safe custody.
Under no circumstances can they be kept on the same premises as your computer or you have compromised your level 2 security.

What programs do I put in my newly created Encrypted Drive?

You need to take care over which programs to choose. Some newsreaders and Image Viewers and Emailers can write critical information to your Registry. For what it's worth, here are my choices for these critical programs:

1. Agent (or FreeAgent) for the newsreader, and basic Emailing. Agent is here: http://www.forteinc.com

2. I recommend the latest version of ACDSee as your viewer. Make certain that you set up the cache facility within your encrypted drive. This allows easy previewing of thumbnails and click and zoom to examine image quality. ACDSee is here: http://go.acdnet.com
An alternative image viewer is Thumbs Plus. Thumbs Plus is here: http://www.cerious.com

3. I strongly recommend Jack be Nymble (JBN) for your Nym accounts Email and posting anonymously. This program also writes to your registry. There is a new version 2 recently released. This version will work with the newer Windows versions of PGP, provided it is RSA compatible and you have RSA keys. I have experienced difficulties with it, which may just be my hard luck. For this reason I am presently sticking with the earlier version which works only with the Dos version of PGP. Whichever version you choose (you may find only the latest version 2 available), you will see that it is a very sophisticated program and requires much dedication and concentration to get the best out of it. It is freeware and cannot be too strongly recommended in my humble opinion. It can automate many functions in setting up and managing a Nym, including automatic decryption of incoming messages. It has many options, too many to list individually - read the manual. It can also ensure your Usenet postings are truly anonymous. You will have to experiment with the appropriate mail2news gateways. Not all support all groups.
Jack be Nymble is available here: Http://members.tripod.com/~l4795/jbn/index.html

4. For browsing I find Netscape Gold the best. You can direct it to locate its Bookmarks file on the encrypted drive. The later versions want to create user profiles and worse want to put them in exposed folders. Be careful! I most strongly suggest you do NOT use Microsoft Internet Explorer. It will insist on keeping things within Windows, be very careful with that one! This is especially the case for MS Mail and MS News and Outlook. Of course, you can always use MSIE as a normal browser on your desktop for non-critical browsing and Email, should you wish.

5. Many files are compressed. The most popular is Zip. I recommend obtaining a copy of WinZip from here: http://www.winzip.com. Or, do a search for PKunzip which is freeware, I believe.

6. Any person who browses the Net should ensure they have a good virus detector. There are many to choose from, some are freeware, others are shareware or commercial ware. I use Norton's only because I like its Live Update Feature. It allows you to update the virus list online. Useful and so easy.

How can I ensure my temporary files do not give away info?

My earnest advice is to invest in more RAM memory and turn off the swapfile. If this is not possible then at least take the bother to wipe it after every session. Do not attempt to do this from within Windows. It is impossible to reliably clean out the swapfile when Windows is still running. I have experimented with various wipe utilities, including the one with PGP. The best I have found is Scorch. To use this utility, you will need to make the swapfile permanent.

How do I make the swapfile permanent?

In Windows, go to My Computer|Control panel|System|Performance|Virtual memory. Click "Let me specify my own virtual memory settings". Enter identical settings in both boxes. I suggest 150 Mbytes. Click OK.
Windows will tell you what you've done and complain and ask you if you are sure you wish to continue, click YES. Windows will then want to re-boot. Allow it to do so. After re-booting you can see the file in Windows Explorer as Win386.SWP.

What else do I need to do?

Use Notepad to write the following simple Batch file. Save it in C:\Windows. Give the batch file a name, W.bat (but NOT Win.bat or confusion will occur with Win.com which starts Windows).

W.bat =

    cd\
    rem Wipe the swapfile (see Note 1)
    Scorch [win386.swp] /nodel
    rem Wipe temporary, cache and history folders (see Note 2)
    scorch [c:\temp\*.*]
    Scorch [c:\progra~1\cache\*.*]
    Scorch [c:\windows\cookies\*.*]
    Scorch [c:\windows\history\*.*]
    Scorch [c:\windows\recent\*.*]
    Scorch [c:\windows\spool\fax\*.*]
    Scorch [c:\windows\spool\printers\*.*]
    Scorch [c:\windows\temp\*.*]
    Scorch [c:\windows\tempor~1\*.*]
    Scorch [c:\windows\web\*.*]
    rem Replace user.dat and user.da0 with the clean copies from c:\registry
    cd c:\Windows
    attrib -r -s -h user.dat
    scorch [user.dat]
    copy c:\registry\user.dat c:\Windows
    attrib +r +s +h user.dat
    attrib -r -s -h user.da0
    scorch [user.da0]
    copy c:\registry\user.da0 c:\Windows
    attrib +r +s +h user.da0
    rem Clean the file ends (see Note 3)
    scour

Read the accompanying documentation for these utilities before using them. Scorch and scour are available here: http://www.bonaventura.free-online.co.uk/

Note 1: If you have told Windows not to use the swap file, you can ignore "Scorch [win386.swp] /nodel"

Note 2: Choose whichever of the above folders applies to your system, likewise add any others that are not shown but required. If you are not sure, no harm will be done by leaving in any that are surplus.

Note 3: Scour can take ages if you have lots of files and a large drive. A possibly more practical solution is to use Scour once to ensure your file ends are clean and then substitute "Zapempty". Zapempty is here: http://www.sky.net/~voyageur/wipeutil.htm

The method offered of over-writing user.dat and user.da0 in DOS mode is far superior to attempting to over-write from within Windows.
You may find it very difficult to over-write from within Windows because when shutting down, the cache is flushed and this may write back to the original (and revealing) version of user.dat.

The mods to your autoexec.bat file serve a different purpose. They are there to ensure nothing has been compromised on your computer in your absence. The shut down bat file is to ensure clean registry files are always available for scrutiny by any snooper.

After finishing a session, and running the above bat, always shut down completely. This means a cold re-boot for the next session. This ensures that your RAM memory is wiped clean, otherwise with a warm boot it may write back user.dat with the data you had sanitized. A simple check is to watch whether your system tests its RAM memory. If it does, it has been flushed. Remember, pressing Ctrl-Alt-Del will not flush the RAM memory.

Can you suggest any other precautions I should take to preserve my Privacy?

Always proceed on the assumption that you are about to be raided! This means you should take the bother to run W.bat at the end of each session. Always bother to check the registry signatures on boot. If any are bad, check your backups and immediately copy across. Then close down, run W.bat and re-boot. This should ensure whatever had affected them has been removed. If, however, the signature(s) are still bad, I would strongly recommend you do NOT open your encrypted drive. I would urge you to restore the whole of your hard drive C: from a backup. It is essential that you maintain a backup of this drive off site.

If you are not prepared to trust PGP to do its job properly, it is totally pointless going to all this bother.

.......................................................................

That completes the first part of the FAQ. This second part has more to do with ensuring privacy online. It may be useful. Again it is offered in good faith.
Please evaluate and make your own decisions regarding its usefulness before committing any resources.

I download binaries (pictures) that may be compromising, am I safe?

No. Whilst you are online anyone could be monitoring your account. I am NOT saying your local ISP will do this, but they COULD! If your activities have aroused the suspicion of the authorities, this is the first thing they are likely to do, especially your Email.

Can anything be done to prevent my ISP (or the authorities) doing this?

Yes. You need to encrypt your data-stream between your desktop and a remote host. This host should preferably be sited in a different State or country to your own.

Can you suggest such a Host?

There are possibly several, but I have had experience of only 2 - Cyberpass (WWW.Cyberpass.Net) and Minder (WWW.Minder.net).

What about anonymity?

Both Minder and Cyberpass will allow anonymous sign ups. You simply send them either a bankers order or cash. Please check their Web sites for current costs, addresses and conditions. If you send a Bankers Order, remember not to use your true address!

Tell me more about these remote hosts?

Both Cyberpass and Minder offer Email and a range of newsgroups. Minder now peer with Altopia. Altopia is a first class news provider with presently over 90,000 groups. All these groups and all articles published by Altopia are now available via Minder. The speed of access with Minder has improved remarkably over the last few weeks. So highly recommended.

Cyberpass offers a restricted news group service of only around 35,000 groups. Thus you may additionally need to sign up with a dedicated news provider at extra cost. More worryingly, you may not be able to sign up anonymously to the news provider, yet more reason to choose Minder. You will not be able to use encryption directly into the news provider.

If you choose an external news provider, make absolutely certain that it does not publish your NNTP Posting Host.
Before subscribing to any News Provider, check this out, otherwise you are laying a trail of street lamps straight to your front door! Minder and Cyberpass remove all such information from your posts, as does Altopia. Newscene claim to, but it is my experience that they occasionally forget and leave it in! This could be very dangerous.

How do I go about Encrypting to these remote hosts?

You will need SSH (Secure Shell). The SSH FAQ, plus loads more info is available here: http://wsspinfo.cern.ch/faq/computer-security/ssh-faq

There is an NG devoted to SSH at: news:comp.security.ssh
Also, loads of Nym info at: News:alt.privacy.anon-server

There are freebie versions around, but I have no experience of them or where to find them. Doubtless the NGs will help you. You can buy a commercial implementation from Datafellows, called F-Secure. I am told that they have now introduced a version 2 which is not compatible with the earlier version still being used by Cyberpass. You will need version 1.1 for full compatibility with Cyberpass. I have used version 1.1 with Minder without any problems. They allow a 30 day free trial period. F-Secure is available here: http://Europe.DataFellows.com/cgi-bin/sshcgi/desktopreg.cgi.

There is an alternative for those living in either the United States or Canada. This is SecureCRT. It is available from VanDyke Technologies at www.vandyke.com. I am told it is compatible with both Cyberpass and Minder.

Can I use Minder or Cyberpass as my local ISP?

Yes, but not recommended. It may even be possible to subscribe anonymously, but that does not guarantee anonymity. I recommend you use them for a shell account.

Why?

Because otherwise you can be traced instantly by the phone company.

What is the difference between a dialup and a Shell account?

The dialup is what it says. It is your normal account with your Internet Service Provider (ISP). A shell account is accessed after going on line with your usual ISP.
With a shell account you log into your ISP then use the Net to make a connection to a remote server. All your Net activities, Email, Usenet, Web browsing are then done through this remote host. To get the full benefit you should use encryption from your Desktop to this remote host. If the remote host is located in another country, better still. To get the maximum benefit, you should ensure your registration with this host server is done anonymously.

Why do you recommend a Shell account in addition to the necessary ISP?

Because you can subscribe anonymously to the remote host. You cannot be anonymous to your ISP. You can be traced instantly by the phone company. By logging into your ISP and then using an encrypted connection from your computer through your ISP to an anonymous remote host, you screen yourself from any prying eyes between your desktop and this remote host.

Can I run this encrypted connection from within my encrypted drive?

Yes, but unnecessary. Scramdisk, PGPDisk and BestCrypt will function with the SSH encryption system. But you might as well put the SSH encryption program on your normal C:\ drive. As a small bonus this will speed things up slightly.

Why is it unnecessary to install F-Secure within my encrypted drive?

SSH writes to the registry anyway, so you cannot hide its presence. In any case, your ISP can log your requests for connection to the remote host. Thus although unable to view what is being exchanged between you and the host, you cannot suppress the fact that you are connecting to a remote host.

Are there any problems using what is in effect double encryption (SSH and Scramdisk or PGPDisk) together?

On a modern fast computer, the encryption is totally innocuous. If you have problems with strange timeouts, this may be a memory problem or to do with the speed of your processor. I had such problems which seem to be cured with a faster machine and considerably more RAM.

How do I configure my News Reader and Browser with these remote hosts?
Read the FAQ at http://anonymizer.com/ssh or the one at http://www.minder.net (whichever you intend using). Once connected via F-Secure, you simply minimize the startup screen and then use your browser, Email, etc in the usual way. To ensure they route their connection through Minder/Cyberpass (or whatever remote host you choose) you need to specify "localhost" in the proxy connection settings. The FAQs explain it in detail and quite lucidly.

Is the data between the remote host and the external news provider encrypted?

No, not unless you use the Minder/Cyberpass news providers. From the remote server to any external news provider the data will not be encrypted. Also, these other news providers may not allow an anonymous sign up. This means any postings may be logged and are therefore traceable. Remember, they will have your Credit Card details on file.

If you post via Minder or Cyberpass news servers it is much more difficult to trace you as it means synchronizing a search with your ISP and Minder (or Cyberpass) whilst you are online and actually posting.

How can I post graphics anonymously to Usenet?

My suggestion is to post via Minder/Cyberpass. Keep in mind that any complaints that you are posting illegal material or spamming may cause your account to be permanently closed. This applies, of course, to any news provider account, not just Minder and Cyberpass.

I would recommend using a different user name in place of your assigned user name by Minder or Cyberpass. This ensures you cannot be easily traced if any complaints are forthcoming! Agent allows you to do this very easily in the Options|User-and-System-Profile|User menu. You can change this as often as you please. This is called spoofing your headers.

I suggest immediately breaking the connection after a posting session. Close F-Secure SSH and re-open. This ensures a new session key is generated. Log in again with a new link. Never stay online whilst posting for longer than 1 hour maximum.
Always post at different times, do not create a regular pattern of postings at specific times and days of the week.

Can I use IRC in this way?

No. Never, ever attempt any supposedly anonymous activities on IRC! As the IRC port is not through the remote host, you can be traced! Various sites offer you anonymity for IRC, but never trust such a third party. They could be anyone.

Can I be anonymous as far as other Web sites are concerned?

Yes. By using the remote host, your home IP address will be hidden from any Web sites you visit.

What do you suggest to maximize my anonymity whilst posting?

For absolute maximum anonymity, always use your Nym and post via Nym.alias.net provided you:

a. Always point your Nym reply block back to a newsgroup such as news:alt.anonymous.messages
b. Use Jack be Nymble (JBN) with a JBN generated random conventional passphrase for the reply block
c. Post using Mixmaster chaining with at least five remailers
d. Use an encrypted channel to a remote host server
e. Ensure that you subscribe to this remote host anonymously

Provided you do all the above, you should be reasonably safe. Mixmaster is presently considered the safest option to preserve your anonymity. These remailers are considered much safer than the earlier type 1 remailers. JBN allows you to switch instantly between these types at the click of your mouse. It is not normally possible to post graphics via the remailers.

Remember, the best defense is not to arouse suspicion. Always, always, lurk before leaking. Once suspicions have been aroused, it is a hundred times more difficult to retain the advantage. Therefore:

1. always use encryption, whatever else you do.
2. always open your encrypted container before you go online
3. always post via your encrypted and anonymous remote host
4. Never ask of anyone nor give anyone, your true Email address.
5. Never DL any file with .exe, .com or .bat extension from a dubious source.
6.
For your own protection, never offer to trade any illegal material, nor ever respond to those seeking it, even anonymously.
7. After setting up your Nym, you may receive Email which appears to offer you something for nothing - free travel holidays or whatever. Ignore ALL such Email.

.............................................................

Some Useful Links:

On-the-fly encryption programs:
Scramdisk: http://home.clara.net/scramdisk/
Or here: http://www.scramdisk.clara.net/
PGP and PGPDisk: http://www.pgpi.com/download/
Or here: http://members.tripod.com/cyberkt/
SecureDrive: http://www.stack.nl/~galactus/remailers/securedrive.html

Anonymous Remailers:
Jack B. Nymble: http://www.skuz.net/potatoware/jbn/index.html
Also here: http://members.tripod.com/~l4795/jbn/index.html

Mixmaster:
Mixmaster download site: http://www.thur.de/ulf/mix/

Remote Hosts and anonymizer sites:
Minder: http://www.minder.net/
Cyberpass: http://www.cyberpass.net/
The Anonymizer: http://www.anonymizer.com/3.0/index.shtml

Remote Host encryption:
A commercial version of SSH: http://Europe.DataFellows.com/cgi-bin/sshcgi/desktopreg.cgi

Recommended Image Viewers:
ACDSee: http://go.acdnet.com
Thumbs Plus: http://www.cerious.com

Useful programs:
AudioGrabber is here: http://www.audiograbber.com-us.net/
CoolEdit: http://www.syntrillium.com
Windows Washer: http://www.webroot.com/
Black Ice: http://www.networkice.com/
ZoneAlarm: http://www.zonelabs.com/zonealarmnews.htm
Agent: http://www.forteinc.com/
Partition Magic: http://www.powerquest.com/
Winzip: http://www.winzip.com

Secure wiping:
Scorch and Scour: http://www.bonaventura.free-online.co.uk/
Zapempty: http://www.sky.net/~voyageur/wipeutil.htm

Other additional useful sites:
Test your shields: http://grc.com/x/ne.dll?bh0bkyd2
Beginner's Guide to PGP: http://www.stack.nl/~galactus/remailers/bg2pgp.txt
PGP for beginners: http://axion.physics.ubc.ca/pgp-begin.html#index
PGP FAQ: http://www.uk.pgp.net/pgpnet/pgp-faq/
Also worth a visit:
http://home.earthlink.net/~rjswan/pgp/
FAQ for PGP Dummies: http://www.skuz.net/pgp4dummies/
The PGP FAQ: http://www.cryptography.org/getpgp.txt
The SSH home page: http://www.cs.hut.fi/ssh/#other (with links to free download sites)
Web based Anon E-mail: https://www.replay.com/remailer/anon.html
More about remailers: http://replay.com/remailer/replay.html
Simple Anonymity: http://members.tripod.com/~bbop/SimpleAnonymity.html
Reference Guide: http://members.tripod.com/~l4795/reli/UserMan.htm
Remailer Link: http://members.tripod.com/~l4795/links.html
Privacy Links: http://anon.efga.org:8080/Privacy
Proxies: http://www.bikkel.com/~proxy/
Anonymous Posting: http://www.skuz.net/Thanatop/contents.htm
Anonymity Info: http://www.dnai.com/~wussery/pgp.html
Nym Instructions: http://www.publius.net/n.a.n.help.html
Nym Creation: http://www.stack.nl/~galactus/remailers/nym.html
General info: http://www.stack.nl/~galactus/remailers/index-pgp.html (Good for links)
General help: http://www.io.com/~ritter/GLOSSARY.HTM

.......................................................

If you believe any part of this FAQ is wrong, misleading or could be improved, please Email your comments and I will take them onboard.

To respond to me personally, please email me at Doctor_who@nym.alias.net and include your PGP key with your message if you expect an encrypted answer. I can only respond to RSA keys.
<---- please read that again

My key fingerprint: F4 A7 05 A0 76 18 25 2B B1 0A C1 BF 5C 29 C0 A2

My public key:

.........................................................

Version 13
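The detached-signature check from the Level 3 section, and the answer there that you look at the signing key's id rather than its name, as an added example that is not part of the original FAQ or of any tool it names. It assumes GnuPG as a present-day stand-in for the PGP versions the FAQ uses and classifies GnuPG's machine-readable status lines, accepting a file only when its signature was made by one pinned key fingerprint. The fingerprints, user name and status lines are constructed sample data.

```python
"""Accept a detached signature only when it verifies against one pinned key."""
import subprocess

# Constructed sample fingerprints (not real keys): the owner's general-use
# signing key, and a look-alike key created under the same user name.
PINNED_FPR = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"
LOOKALIKE_FPR = "0F1E2D3C4B5A69788796A5B4C3D2E1F001234567"
USER_NAME = "General Use Key"  # hypothetical user ID shared by both keys

STALE = {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def gpg_status(sig_path, file_path):
    """Run GnuPG on a detached signature and return its status-fd lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


def classify(status_text, pinned_fpr=PINNED_FPR):
    """Map one file's status lines to a verdict string."""
    good = False
    signer = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore anything that is not a status line
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "BADSIG":
            return "bad-signature"       # the file or its .sig was altered
        if keyword in STALE:
            return "expired-or-revoked"
        if keyword == "ERRSIG":
            return "unverified"          # e.g. the signer's public key is unknown
        if keyword == "GOODSIG":
            good = True                  # carries key id and name only
        elif keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; fall back to field 1.
            signer = (args[9] if len(args) >= 10 else args[0]).upper()
    if not (good and signer):
        return "unverified"              # nothing was checked at all
    # The user name is never consulted: only the fingerprint decides.
    return "ok" if signer == pinned_fpr.upper() else "wrong-key"


def valid_status(fpr):
    """Constructed status lines of the shape GnuPG emits for a valid signature."""
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} {USER_NAME}\n"
            f"[GNUPG:] VALIDSIG {fpr} 2000-01-01 946684800 0 4 0 1 8 00 {fpr}\n")


# Constructed status output for five of the files the FAQ tells you to sign.
SAMPLE_STATUS = {
    "system.ini": valid_status(PINNED_FPR),
    "win.ini": ("[GNUPG:] NEWSIG\n"
                f"[GNUPG:] BADSIG {PINNED_FPR[-16:]} {USER_NAME}\n"),
    "autoexec.bat": valid_status(LOOKALIKE_FPR),  # same name, different key
    "config.sys": ("[GNUPG:] NEWSIG\n"
                   f"[GNUPG:] ERRSIG {LOOKALIKE_FPR[-16:]} 1 8 00 946684800 9 -\n"
                   f"[GNUPG:] NO_PUBKEY {LOOKALIKE_FPR[-16:]}\n"),
    "msdos.sys": "",                              # .sig missing: nothing verified
}


def audit(status_by_file, pinned_fpr=PINNED_FPR):
    """Return {file: verdict} for every file whose verdict is not 'ok'."""
    verdicts = {name: classify(text, pinned_fpr)
                for name, text in status_by_file.items()}
    return {name: v for name, v in verdicts.items() if v != "ok"}


if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_STATUS).items()):
        print(f"{name:14} {verdict}")
```

On a real system, feed `classify` the output of `gpg_status(sig_path, file_path)` for each signed file in place of the constructed sample lines.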