This was posted by hpguru at another forum and I thought it was well written and very informative.

---------------------------------------------

hpguru: This FAQ was cross posted by Doctor Who at alt.security.scramdisk and alt.security.pgp.
Enjoy!

-----BEGIN PGP SIGNED MESSAGE-----

Security and Encryption FAQ Revision 15

by Doctor Who

"No one shall be subjected to arbitrary interference with his privacy,
family, home or correspondence, nor to attacks upon his honour and
reputation. Everyone has the right to the protection of the law against
such interference or attacks."

Article 12 Universal Declaration of Human Rights

Disclaimer and justification for this FAQ.

Many countries operate a legal system designed to suppress individual
freedom. Such countries often do not obey basic human rights. The law
in these countries may be based on guilty until proven innocent. My
intention in offering this FAQ, is to legally challenge these threats to
our freedom. It is not my intention to promote any illegal act, but to
offer people the option of freedom of choice. How they use that freedom
is entirely down to the individual.

Revisions in this version of the FAQ include BestCrypt version 6. BestCrypt
has been included because the latest version 6 has a particularly useful
undocumented feature that offers a form of plausible deniability that is all
but undefeatable, so far as I know. More about this later in the FAQ.

The FAQ has 2 main Sections.

Part 1 concentrates on passive security. It is intended to be useful to
both posters and lurkers.

Part 2 is to maximize your privacy whilst online, particularly for Email
and Usenet posting.

I have assumed three security levels:

Level 1. For those who wish to protect their files from unauthorized
access. These users are not too concerned at being found with encrypted
data on their computer.

Level 2. This is for those who not only wish to hide their private data,
but to hide the fact that they have such data. This might be an essential
requirement for anyone who lives in an inquisitorial police state where
human rights are dubious, or where there is no equivalent to the United
States 5th Amendment.

Level 3. This is for those who not only need all that is offered by level
2, but additionally wish to protect their computer from unauthorized
access. Protecting themselves from hackers whilst online and snoopers who
may try and compromise either their software or add substitute software
that could reveal their secret passphrases.


Part 1 explains the 3 security levels and offers help in achieving
them.


1. How does encryption work?

In its simplest sense, the plaintext is combined with a mathematical
algorithm (a set of rules for processing data) such that the original text
cannot be deduced from the output file, hence the data is now in encrypted
form. To enable the process to be secure, a key (called the passphrase) is
combined with this algorithm. Obviously the process must be reversible, but
only with the aid of the correct key. Without the key, the process should
be extremely difficult. The mathematics of the encryption should be openly
available for peer review. At first sight this may appear to compromise the
encryption, but this is far from the case. Peer review ensures that there
are no "back doors" or crypto weaknesses within the program. Although the
algorithm is understood, it is the combination of its use with the
passphrase that ensures secrecy. Thus the passphrase is critical to the
security of the data.

2. I want my Hard Drive and my Email to be secure, how can I achieve this?

You need Pretty Good Privacy (PGP) for your Email and either Scramdisk or
BestCrypt for your private files on your computer.

PGP is here: http://members.tripod.com/cyberkt/

Scramdisk is here: http://www.scramdisk.clara.net/

BestCrypt is here: http://www.jetico.com/


Both PGP and Scramdisk version 3.01R3c are free. The newer version of
Scramdisk, version 3.02A is not free. BestCrypt is commercial ware.
The source code has been published for PGP and for Scramdisk version
3.01R3c. The source code for version 3.02A has not yet been published. The
source code for the encryption side of BestCrypt has been published, but
not the proprietary Windows interface. Scramdisk version 3.02A, BestCrypt
and PGP support Win95/98/2000 and NT.

3. What is the difference between these Programs?

PGP uses a system of encryption called public key cryptography. Two
different keys are used. One key is secret and the other is made public.
Anybody sending you mail simply encrypts their message to you with your
public key. They can get this key either directly from you or from a public
key server. It is analogous to someone sending you a box and a self
locking padlock for you to send them secret papers. Only they have the
key to open the box.

The public key is obviously not secret - in fact it should be spread far
and wide so that anybody can find it if they wish to send you encrypted
Email. The easiest way to ensure this, is by submitting it to a public
key server.

The only way to decrypt this incoming message is with your secret key. It
is impossible to decrypt using the same key as was used to encrypt the
message, your public key. Thus it is called asymmetrical encryption. It
is a one way system of encryption, requiring the corresponding (secret)
key to decrypt. PGP is simplicity itself to install and use. I recommend
you use one of the Cyber-Knights versions.

For your normal hard drive encryption, you will need a symmetrical type of
encryption program. The same key is used for both encryption and
decryption. Scramdisk and BestCrypt are especially good because they are
"On-The-Fly" (OTF) programs. This means that the program will only decrypt
on an as needed basis into RAM memory. More about this later in the FAQ.

One question often asked by newbies is whether the passphrase is stored
somewhere within the encrypted file. No. The passphrase is passed
through a hash, such as SHA1. This is a one-way encryption. This output
hash is what is stored within the encrypted container. The program will
look for this hash and compare it with the hash it produces from the
passphrase that you type in to mount the container. If they are identical,
the container will be decipherable and will be mounted.
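
Added example, not part of Doctor Who's FAQ and not Scramdisk or BestCrypt code: a Python illustration of the check described above, in which the container header holds a value derived from the passphrase rather than the passphrase itself. The salt, the PBKDF2 stretching, the header layout and every function name are assumptions made for illustration; the FAQ itself describes a single SHA1 pass, shown here as sha1_check_value.

```python
import hashlib
import hmac
import os

SALT_LEN = 16          # assumption: random per-container salt
ITERATIONS = 100_000   # assumption: PBKDF2 work factor, not a figure from the FAQ


def sha1_check_value(passphrase: str) -> bytes:
    """The scheme as the FAQ words it: one SHA1 pass, 160 bits of output."""
    return hashlib.sha1(passphrase.encode("utf-8")).digest()


def _derive(passphrase: str, salt: bytes):
    """Stretch the passphrase, then derive two independent values from it:
    the encryption key (never stored) and a verifier (stored in the header).
    Separate HMAC labels ensure the stored verifier is never the key."""
    master = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, ITERATIONS
    )
    key = hmac.new(master, b"container-key", hashlib.sha256).digest()
    verifier = hmac.new(master, b"passphrase-check", hashlib.sha256).digest()
    return key, verifier


def make_header(passphrase: str) -> bytes:
    """Build the (hypothetical) header: salt followed by the verifier."""
    salt = os.urandom(SALT_LEN)
    _, verifier = _derive(passphrase, salt)
    return salt + verifier


def try_mount(header: bytes, passphrase: str):
    """Return the encryption key if the typed passphrase reproduces the
    stored verifier, otherwise None. The comparison is constant-time."""
    salt, stored = header[:SALT_LEN], header[SALT_LEN:]
    key, verifier = _derive(passphrase, salt)
    if hmac.compare_digest(verifier, stored):
        return key
    return None


if __name__ == "__main__":
    # Constructed sample passphrase, for demonstration only.
    header = make_header("four lines of passphrase, spread out")
    print("header bytes:", len(header))
    print("right passphrase mounts:",
          try_mount(header, "four lines of passphrase, spread out") is not None)
    print("wrong passphrase mounts:",
          try_mount(header, "guess") is not None)
    print("SHA1 check value bits:", len(sha1_check_value("guess")) * 8)
```

The salt makes two containers created with the same passphrase carry different headers, so one guessing run cannot be reused against many containers.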

4. I have Windows 95/98, am I safe?

Windows is definitely not a security orientated program. One simple
method of improving your computer security is to disable the Windows
swapfile. To ensure reliable operation and dependant on what programs you
run, you may need several hundred megabytes of RAM. If you are serious
about your privacy, I would recommend investing in as much RAM as you can
afford and turn off the swapfile. I suggest a minimum of 128 Megs and
preferably double or even quadruple that.

5. Apart from the Swapfile, what else can Windows reveal to a snooper?

User.dat can reveal all sorts of interesting things about your computer
habits. Take a peek by opening in Notepad or Wordpad. Press CTRL-F (i.e.
the Control key and the F key together). Type in the box, X:\ (or whatever
drive letter you use to store any critical data). Press "Find" and
continue throughout the file. Alternatively, you could input .jpg, or .avi,
etc - you get the idea. You cannot edit this file in Notepad or Wordpad.
The only way to edit user.dat is by using regedit.exe. My experience
suggests you will not be able to easily remove embarrassing entries.

If you find information that you would rather not be there, you will either
need to restore from an earlier backup of these files, or simply bite on
the bullet and re-format your hard drive. This is extreme, but may be the
only alternative. At least you then start with a clean slate.

Remember the format command: Format c: /s (it is vitally important that
you include the /s to install the system files). Obviously back up your
data, Email address book, etc., etc., before proceeding.

Dependant on how paranoid you are, after formatting you may choose to first
install "Zapempty" or another Dos based free space wipe utility and run it
a few times before you start installing Windows, etc. Formatting your
drive does not clean out any old data. It is still there and can be
recovered with specialist software.

Zapempty is here: http://www.sky.net/~voyageur/wipeutil.htm

If you have not previously used encryption and/or you have contentious
material lying around in plaintext form in all sorts of supposedly hidden
places on your system, my strong recommendation is to re-format your hard
drive and then run Zapempty before you install Windows and all your
programs. Assuming you have a clean system to start with, you can then
proceed with creating all your encrypted drives and sub-folders within
those drives and finally installing all the programs you intend using.

Later in the FAQ I will show you a system which keeps your registry files
(system.dat and user.dat) sanitized.

6. Are there other OTF programs, apart from Scramdisk and BestCrypt?

Yes, there are several. But to keep this FAQ manageable I mention only
those I can recommend from personal experience.

For level 1 security, it is difficult to fault Scramdisk. If you require
level 2 security then I would recommend BestCrypt. More about this later
in the FAQ.


7. Which Algorithm is best, particularly as Scramdisk offers 8?

Scramdisk offers a choice of eight different encryption algorithms. I
recommend Blowfish. BestCrypt offers Twofish or GOST. GOST is an older
Soviet Union program and rather slow. Twofish is one of several programs
being evaluated for the Advanced Encryption Standard. So far it has
withstood over 1,000 hours of intense crypto-analysis scrutiny without even
approaching its limits.

To ensure maximum security, you must take care over your choice of
passphrase. This is the most likely weakness with most people. Always make
it long. Remember, every extra character you enter makes a dictionary
search for the right phrase twice as long. Both Scramdisk and BestCrypt
ultimately limit the strength of the algorithm to 160 bits. This is
because the hash program they use, SHA1, outputs a maximum of 160 bits.
You will find that the passphrase input page for Scramdisk shows 4 lines
for inputting your passphrase. Each line can hold a maximum of 40
characters. Thus a maximum of a 160 character passphrase is possible. A
character is equal to slightly more than 1 bit. Most people will use a
somewhat shorter passphrase, but I would recommend that you at the least
spread your passphrase across the four lines, even if you do not fill each
line.

8. Why?

Because any passphrase cracker cannot find the correct key until it has
exhausted a key search as wide as the last character you enter. A strong
hint that you should make sure the last character of your passphrase is
well along the bottom line! For higher security you should spread it
around on all four lines, that is why they are there.

Be sure that if any serious snooper wants to view your secret data, they
will find a way without wasting their time attempting a brute force attack
upon your Scramdisk container. In some countries rubber hose cryptography
may be the rule. Anybody living in such a country needs level 2 security
at the very least. In some "civilized" countries there are more sinister
methods, such as tempest or the use of a trojan which require level 3
security (see later in FAQ).

9. I have heard that there are programs that HIDE and Encrypt, are these
any good?

Snake oil! They are not even worth considering for level 1 security. Keep
to the recommended programs if you are seriously in need of privacy.

10. What about simple file by file encryption?

You could use the Windows version of PGP. It comes with PGP Tools, which
will allow you to encrypt any file on your computer. Only encrypt these
single files on the assumption of a level 1 security.

11. Do I need to wipe as opposed to simply deleting files within the
Scramdisk or BestCrypt drives?

If the encrypted container is sufficiently secure for your normal files, it
must obviously be secure for deleted files. Therefore, it is unnecessary
to wipe files within the encrypted drive.

12. Do I need to wipe an unwanted encrypted container?

Depends. I used to say, yes. But if you are truly confident of the
strength of your passphrase, then just delete it. However, if you created
the container with a weak passphrase and it contains critical data,
definitely wipe it. Wiping will ensure that the encrypted keyfile material
at the head of the file is over-written. It is only strictly necessary to
wipe the first 10K of the file to ensure this.
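
Added example, not from the FAQ or from any tool it names: a Python function that overwrites only the first 10K of a container file in place, as the answer above suggests, and leaves the rest of the file alone. The function name, the demo file and its contents are constructed for illustration; that the key material sits inside the first 10K is the FAQ's statement, not something the code checks.

```python
import os
import tempfile

HEADER_BYTES = 10 * 1024  # the FAQ's "first 10K"


def wipe_container_header(path: str, nbytes: int = HEADER_BYTES,
                          passes: int = 1) -> int:
    """Overwrite the first `nbytes` of `path` in place with random bytes.

    Returns the number of bytes overwritten per pass (less than `nbytes`
    if the file is shorter). The file size and everything after the
    header are left untouched.

    Limits: an in-place overwrite only reaches the old data on media and
    filesystems that rewrite the same sectors. Flash wear levelling,
    journaling or copy-on-write filesystems, and earlier backups can all
    keep a copy of the old header.
    """
    if nbytes <= 0 or passes <= 0:
        raise ValueError("nbytes and passes must be positive")
    span = min(nbytes, os.path.getsize(path))
    # "r+b" opens for update without truncating, so the write lands on
    # top of the existing header instead of creating a new file.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(span))
            f.flush()
            os.fsync(f.fileno())  # push the overwrite out of OS caches
    return span


if __name__ == "__main__":
    # Constructed stand-in for a container: 10K of "key material"
    # followed by 22K of "encrypted data".
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "unwanted_container.bin")
        with open(path, "wb") as f:
            f.write(b"K" * HEADER_BYTES + b"D" * (22 * 1024))
        wiped = wipe_container_header(path)
        with open(path, "rb") as f:
            data = f.read()
        print("bytes overwritten:", wiped)
        print("header changed:", data[:HEADER_BYTES] != b"K" * HEADER_BYTES)
        print("body intact:", data[HEADER_BYTES:] == b"D" * (22 * 1024))
```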


13. Can I use Disk compression to increase the apparent size of the drive?

Not with Scramdisk. BestCrypt allows this and will compress and encrypt
on the fly.

14. Can I encrypt a floppy with Scramdisk and BestCrypt?

Yes, both allow floppies to be encrypted. In fact they also support
encryption on Jaz and CD-RW drives. You can even run Scramdisk off a
floppy in what is called "Traveller" mode. In this mode there are no
Scramdisk related VxD or INI files on your hard drive to worry about.
But you do have the problem of where to hide your Scramdisk floppy.

15. Does using Encryption slow things up?

There is a small speed penalty because your computer has to encrypt to write
to disk and decrypt to read from it. In practice on a modern machine, using
the Blowfish (or Twofish with BestCrypt) cipher, the encryption is totally
transparent in normal use.

16. Do I need a PGP passphrase if I store my keyrings within my encrypted
drive?

It is good security practice to use a passphrase, but for level 3 security
it is essential because level 3 security is intended to ensure your secret
data are safe if attempts are made to hack into your computer whilst online
or if your computer is compromised in your absence.


17. I use Mac, OS2, Linux, (fill in your choice), what about me?

Scramdisk is now available for Win95/98 and NT/Win2000. I believe a Linux
version has been promised... BestCrypt supports Win95/98/ME/NT/2000 and
Linux.

Meanwhile you could look here if you're a Mac user:

PGPDisk http://www.nai.com/default_pgp.asp
CryptDisk http://www.primenet.com/~wprice/cdisk.html


18. How can I ensure I do not leave traces of unwanted plaintext files on
my system?

Try Evidence Eliminator. Apart from its unfortunate name, it is remarkably
efficient at finding lost temp files and info. But I am concerned at its
registry cleaning. I found it unconvincing with old entries.

Get it here: www.evidence-eliminator.com (30 day trial period on offer).

In addition to using Evidence Eliminator, I suggest you also clean up your
registry after each session. To do this you should first run Evidence
Eliminator to remove backups of the registry. Create a folder called
C:\registry. Now copy System.dat and User.dat to C:\registry. Highlight
both files, right mouse click and select "properties". Uncheck "hidden",
click "apply" and "OK".

Using Notepad, write the following batch file, call it W.bat. After every
session you should close Windows and restart in Dos mode and run it in Dos
to be effective. If used in combination with Evidence Eliminator, it
should ensure a clean hard drive.


w.bat =

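REM Work in the Windows directory, where the live registry files are kept
cd c:\Windows

REM Unprotect the live user.dat, overwrite it with scorch, then put back
REM the clean copy saved in c:\registry and re-protect it
attrib -r -s -h user.dat
scorch [user.dat]
copy c:\registry\user.dat c:\Windows
attrib +r +s +h user.dat

REM Same again for system.dat
attrib -r -s -h system.dat
scorch [system.dat]
copy c:\registry\system.dat c:\Windows
attrib +r +s +h system.dat

REM Clean the file ends and the free space on the drive
scour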

................

Read the accompanying documentation for these utilities before using them.

Scorch and scour are available here:
http://www.bonaventura.free-online.co.uk/


Note: Scour can take for ages if you have lots of files and a large
drive. A possibly more practical solution is to use Scour once to ensure
both your file ends and your free space on your drive are clean and then
substitute "Zapempty" for future wipes.

After finishing a session, and running the above batch, always shut down
completely. This means a cold re-boot for the next session. This ensures
that your RAM memory is wiped clean, otherwise with a warm boot it may write
back user.dat with the data you had sanitized. A simple check is to watch
whether your system tests its RAM memory. If it does, it has been flushed.

Remember, pressing Ctrl-Alt-Del will not flush the RAM memory.

The above may seem rather irksome. It is. Blame Bill Gates, not me! If
you are really seriously in need of privacy, I strongly recommend you bother
to do this housekeeping.

It is still theoretically possible to recover such over-written data, but it
must necessarily involve a lot of bother and expense. Only likely to be
used in very serious circumstances. Even then, whatever is recovered will
only hint at what may be hidden elsewhere.

19. What programs do I put in my newly created Encrypted Drive?

You need to take care over which programs to choose. Some news readers and
image Viewers and Emailers can write critical information to your Registry.

For what it's worth, here are my choices for these critical programs:


(A) Freedom from Zero Knowledge available here: http://www.freedom.net/

Freedom is an excellent way to ensure your online activities are screened
from prying eyes. It works seamlessly with the following programs to
ensure your Email, News posting and Web browsing are secure and totally
anonymous. Version 2.0 has just been released. This is slightly more
secure than the original version.

Freedom is not compatible with some services, e.g. AOL. See their web page
for full details of incompatible services.


(B) Agent (or FreeAgent) for the newsreader, and basic Emailing.

Agent is here: http://www.forteinc.com


(C) For your Email I have 3 different recommendations:

i. Agent, as mentioned above

ii. Quicksilver, available here: http://quicksilver.skuz.net/

iii. JBN2, here: Http://members.tripod.com/~l4795/jbn/index.html


Agent is simple and very easy to use. It can only be used for plaintext
Emails on its own, but will work seamlessly with Freedom to decrypt
incoming Emails. It also works with both Freedom and a remote host server
for posting anonymously.

Quicksilver is recommended for secure Email and Usenet posting. It does
not yet support Nym creation, but is otherwise an excellent program to send
mail and post anonymously to Usenet. Most importantly, Quicksilver is very
easy to learn to use. It uses the Mixmaster remailers for posting. These
are considered far more secure than the earlier Cypherpunk remailers.

Like Agent, Quicksilver is fully compatible with Freedom Email and can
download and transparently allow decryption of Freedom incoming Emails.

JBN2 is an excellent stand alone program for Nym creation and decryption of
Email and news postings sent via the anonymous remailer network. It does
not appear to work with Freedom to decrypt incoming Freedom encrypted Email.

This is not a big disadvantage as Agent is easily configured to receive
both News and Email if necessary.

All three of these programs will also work with PGP. Agent will require
you to copy and paste, but the other two have built-in support and work
seamlessly with PGP.


(D) For browsing I like Netscape Gold the best. This is an early version
of the Netscape browser, but all the better for that. You can direct it to
locate its Bookmarks file on the encrypted drive. Later versions of both
Netscape and Microsoft Explorer want to create user profiles and worse can
write data in unwanted and exposed folders. They are also very dependant
on Java and ActiveX. These are bad news as far as security is concerned.

Therefore, be sure to disable Java with Netscape.

I most strongly urge you NOT to use MS Internet Explorer. It will insist
on keeping things within Windows in many hidden folders. This is
especially the case for MS Mail and MS News and Outlook. Of course, you
can always use MSIE as a normal browser on your desktop for non-critical
browsing and Email, should you wish.

(E) Use ACDSee as your viewer. If you use the cache facility, make certain
that you set it up within your encrypted drive. This allows easy previewing
of thumbprints and click and zoom to examine image quality.


ACDSee is here: http://go.acdnet.com

Two alternatives are:

Thumbs Plus, at http://www.cerious.com and
VuePro, at: http://www.hamrick.com

Each of these 3 programs has some advantage over the others. Choose
whichever best suits your needs.


(F) Many files are compressed. The most popular is Zip. I recommend
obtaining a copy of WinZip from here: http://www.winzip.com. Or, do a
search for PKzip which is freeware, I believe.


(G) Any person who browses the Net should ensure they have a good virus
detector. There are many to choose from, some are freeware, others are
shareware or commercial ware. I use Norton's only because it allows me to
update the virus list online. Useful and so easy.


(H) Get a firewall. I recommend Zonealarm Pro which costs around 40 US
Dollars.

Note: The freebie version 2 of ZoneAlarm appears to be only partially
compatible with Freedom. The one big drawback to this freebie version is
that it leaves port 113 Ident open when its protection is necessarily
crippled to allow it to cohabit with Freedom. Bad, very bad. I strongly
recommend you buy Zonealarm Pro. This will work seamlessly with Freedom
on its maximum security settings and ensures that all ports are in stealth
mode.

If you already have the freebie version installed, after installing
ZoneAlarm Pro, click on the taskbar and open the new version. Go to
Security and ensure it is set to High. Now go to Programs to view the
list of previously acceptable programs you had allowed to access the Net.
Right click on each program and remove it from the list. This will ensure
that when each program is next started you can again allow access, but with
full firewall protection. This is especially necessary with Freedom or it
will not run.

Get both versions here: www.zonelabs.com/zonealarmnews.htm

20. How can I ensure my temporary files do not give away info?

My earnest advice is to invest in more RAM memory and turn off the swapfile.
If this is not possible then at least take the bother to wipe it after every
session. Do not attempt to do this from within Windows. It is impossible
to reliably clean out the swapfile when Windows is still running. I have
experimented with various wipe utilities, including the one with PGP. The
best I have found is Scorch. To use this utility, you will need to make
the swapfile permanent. I like Scorch because it generates random garbage
when over-writing; it does not simply use strings of 111's or 000's.


21. How do I make the swapfile permanent?

In Windows, go to My Computer -> Control panel -> System -> Performance ->
Virtual memory. Click "Let me specify my own virtual memory settings".
Enter identical settings in both boxes. I suggest 150 Mbytes. Click OK.
Windows will tell you what you've done and complain and ask you if you are
sure you wish to continue, click YES. Windows will then want to re-boot.
Allow it to do so. After re-booting you can see the file in Windows
Explorer as Win386.SWP.

22. Is there really much difference security-wise between using RAM memory
instead of a permanent swapfile?

Definitely. No matter how many times you wipe the swapfile, it is still
possible to recover the over-written data, if enough effort is put into it.
Whereas, using the RAM memory ensures that nothing is written to disk at
all. This totally circumvents this problem because once the computer is
switched off all data in RAM memory is lost forever.

It also has the merit of safe crash close if you are raided.


All of the above is sufficient for a level 1 security.


Level 2. This is for those who not only wish to hide their private data,
but wish to hide the fact that they have such data. This might be an
essential requirement for anyone who lives in an inquisitorial police state
where human rights are dubious, or where there is no equivalent to the
United States 5th Amendment.


23. What more must I do to achieve level 2 Security?

For level 2, it is essential that you can show plausible deniability for
all files that might contain encrypted data. The purpose is to be able to
justify every file on your system. This section will help you to achieve
this higher level of security.



24. Which encryption program do you recommend and why?

BestCrypt version 6. The latest version 6 has an undocumented feature
which allows a hidden (or secret) encrypted container to be created within
the existing one. First, a normal encrypted container (or file if you wish)
is created with BestCrypt in the usual way. Some private but legal data is
put into the container to justify its existence. Thenceforth it is never
again opened except to prove its contents are legal. In fact, no further
data should ever be written to the container or the second hidden container
will be destroyed.

25. How is this hidden container created?

Firstly, create a BestCrypt container in the normal way, the maximum size
is 4 Gigabytes. Then drop into a Dos box - do not restart your computer in
MsDos, it must be a Dos window. Then change directory to wherever the
BestCrypt executable is stored. Default is Program Files\Jetico\BestCrypt.
To go there from your C: drive in a Dos box type:

CD\progra~1\jetico\bestcr~1

You will then see:

C:\program files\jetico\bestcrypt\

Then type:

bestcrypt.exe debug

The BestCrypt screen opens. Click on the drive letter where the BestCrypt
container resides that you intend using to create the hidden container.
Now right click on the encrypted file. From the drop down list click on
Properties. You will be asked to enter your existing passphrase for that
container. A box opens titled "Change Container Properties". Beneath
"Change Algorithm and Password" there will be a box titled "Create hidden
part".

Click on the button and then click on OK. You will then be taken to a new
screen where you will be asked to confirm you understand what you are doing.
Click on yes and next, then the next screen invites you to choose the size
of the hidden container and to enter a new (must be entirely different)
passphrase for your new secret container. You can make the hidden container
as large as you wish, up to 100 per cent of the available space.

The reason for this option is that because the offset of the hidden part is
not hard coded, then it cannot be calculated from the container's size. The
position of the hidden container's hash is dependant on its size and thus
its position could be anywhere. Thus it may give additional security
against dictionary attacks on the password of the hidden part. A small but
significant effort to further protect your data from snoops.

For maximum security, the internal hidden container should be a small
fraction of the total container size, say 5 to 10 percent. However, it is
impossible for an attacker to reliably predict this size, (or even if it
truly exists) so it is not possible for them to know where the password
hash is located.

Note: If you click on properties without entering the debug program, you
will not see the option to create a hidden container. Better yet, if
after creating the hidden container and filling it with secret data, you go
back and enter debug mode again, the option to create a hidden container is
still there. It is not greyed out which might alert a snoop that such a
container already exists. This is a crucial advantage of the whole concept
of plausible deniability. Forensic examination of the BestCrypt file will
not reveal anything to suggest that a hidden encrypted container exists.

There is no data or information available to view or check on if the normal
container is opened.

This is because the keyfile hash of the passphrase is not marked out, it
appears as just more random hash filling empty space within the container.

The only possible way for anyone to prove that a hidden container exists is
by guessing the correct passphrase. There is absolutely no other way to
prove its existence. Neat.

Everything is identical to normal usage. You can enter either passphrase.
The normal one will mount the BestCrypt container, but not show any of the
data within the hidden container. The hidden passphrase will only mount
the hidden container and again will not show the normal data. Under
duress, it is therefore easy to show the ostensible contents of your
BestCrypt file.

The more data you load into the normal container, the smaller will be the
available space left for the hidden container, obviously.

A message appears after inputting the hidden container passphrase that you
have mounted the hidden container. It is imperative to check this. If you
absentmindedly mount the normal container and write data to it, you will
never again be able to mount your hidden container and you will lose all of
its data! Of course this is an easy way to destroy the hidden container
with all its data if the need ever arises.

26. Can I create a hidden encrypted container on a floppy?

Yes, and on a Jaz or a CD-RW disk. The procedure is identical. I
initially had a problem of formatting the hidden container on both the
floppy and the Jaz. But after a hard re-boot all went smoothly. I have
no idea what the problem was.

27. This all sounds too good to be true, are there any snags?

None so far as I can tell. Obviously, it assumes that the use of
encryption is legal in your country.

28. What if encryption is illegal in my country?

In that case, I suggest using the steganographic feature of Scramdisk. But
ensure you create your own WAV file, by making your own recording. Once the
steganographically encrypted file is created within the WAV file, make sure
to wipe the original recording to prevent forensic analysis showing their
low level data are not identical. Of course, you will need to install
Scramdisk in traveller mode. This means running it off a floppy. But you
will still need to hide the floppy effectively in the case of a search. I
am sorry I cannot help you here. It must be down to your own initiative.

29. Are there any other precautions I should take?

Make copies of all your PGP keys, a text file of all your passwords and
program registration codes, copies of INI files for critical programs,
secret Bank Account numbers and anything else that is so critical your life
would be inconvenienced if it were lost. These individual files should all
be stored in a folder called "Safe" on your encrypted drive.

Create a hidden container on a floppy or a CD-RW. Copy "Safe" onto the
hidden container on the floppy or CD. You could do this on your hard drive
and burn the BestCrypt file onto a CD-R. Cheaper, but once only usage.

I used to say give this floppy to a trusted friend. But now with BestCrypt
this is unnecessary.

The above is sufficient for Level 2 security.

30. I need Level 3 Security, how do I achieve this?

This is for those who wish to protect their computer from unauthorized
access. Protecting themselves from hackers whilst online and snoopers who
may try and compromise either their software or add substitute software
that could reveal their secret passphrases.

31. What are these threats?

They are known as Tempest and Trojan attacks.

32. What is a Tempest attack?

Tempest is an acronym for Transient ElectroMagnetic Pulse Emanation
Surveillance. This is the science of monitoring at a distance electronic
signals carried on wires or displayed on a monitor. Although of only slight
significance to the average user, it is of enormous significance to serious
cryptography snoopers. To minimize a tempest attack you should screen all
the cables between your computer and your accessories, particularly your
monitor. A non CRT monitor screen such as those used by laptops offers a
considerable reduction in radiated emissions and is strongly recommended.

I have heard that in the United Kingdom where people have to pay a licence
to watch TV, the powers that be cannot detect the radiation from the new
gas plasma TV's when they do their street by street patrols. This suggests
that they might be excellent from a privacy point of view.

33. What can Scramdisk offer to help minimize a Tempest attack?

Use its Red Screen mode. Also, once a container is mounted, click on the
middle icon to clear all cached passphrases. This is my only serious
criticism of Scramdisk - it does not by default immediately clear the cache.

34. Tell me about Scramdisk's "Red Screen" mode?

This is a very useful feature of Scramdisk version 3.01R3c. The newer
version 3.02A which supports NT/Win2000, does not support the Red Screen
option.

The "Red Screen" mode inputs the passphrase at a very low level which helps
defeat a tempest or trojan attack to capture your on screen passphrase.
This is only available if you have a standard Qwerty keyboard. Europeans
or Asiatics with non-standard keyboards cannot use this facility because
the character layout at low level is not the same as displayed by the
keyboard.

A possible solution with only partially non-standard keyboards might be to
try it using only figures and letters. An easy method to test this is to
create a test Scramdisk volume using the normal passphrase screen, then
attempt to open it in Red Screen mode. Most of the differences between
European keyboards are in the shifted characters above the figures. In
which case a compromise might be reached if you use a figures and letters
only passphrase. If this works, I would choose a figures and letters only
passphrase of at least 40 characters in length. Of course the longer the
better.

35. What is a Trojan?

A trojan (from the Greek Trojan Horse) is a hidden program that monitors
your key-strokes and then either copies them to a secret folder for later
recovery or ftp's them to a server when you next go online. This may be
done without your knowledge. Such a trojan may be secretly placed on your
computer or picked up on your travels on the Net. It might be sent by
someone hacking into your computer whilst you are online.

36. How do I protect myself from a Trojan?

You must have a truly effective firewall. It is not sufficient for a
firewall simply to monitor downloaded data; it must also monitor all
attempts by programs within your computer to send data out.
The only firewall that I know of that ensures total protection against such
programs is Zonealarm. This firewall very cleverly makes an encrypted hash
of each program to ensure that a re-named or modified version of a
previously acceptable program cannot squeeze through and "phone home". For
maximum security you will need Zonealarm Pro to work with Freedom. If you
decide not to bother with Freedom, then the freebie version is sufficient,
so far as I can tell.

ZoneAlarm is here: www.zonelabs.com/zonealarmnews.htm

To understand how important this firewall is, visit Steve Gibson's site.

Steve's site: http://grc.com/

Go to the "Test my Shields" and "Probe my Ports" pages.

You can test ZoneAlarm and Freedom for yourself.

37. How will I know when a trojan has modified an acceptable program?

Zonealarm will pop up a screen asking if this program is allowed to access
the Net. If it is one of your regular programs, be very wary and always
initially say NO until you can check why this program is not now acceptable
to Zonealarm. If it is a strange program, then obviously say, NO and
investigate.

38. What can BestCrypt offer to help minimize a Trojan attack?

Go to Options -> Key Generators -> SHA1 and click on Keyboard filters.
This filter helps prevent a keyboard logger from copying your key strokes
as you input your passphrases.

39. How important is the passphrase?

Critically important. It is almost certainly the weakest link in the
encryption chain with most home/amateur users. I provide links at the end
of the FAQ, some of these should either help directly or give further links
about how to create an effective passphrase.

For the newbies: never choose a single word, no matter how unusual you think
it is. A passphrase must be that, a phrase, a series of words, characters
and punctuation intermixed.

40. How can I prevent someone using my computer when I am away?

Unless you have a removable C: drive which you can lock away in a secure
place, a wall safe or whatever, your only hope is by securely locking up
your computer so that access is extremely difficult. This may involve
some sort of strap and lock. There is no simple and easy answer. But
one way that can help thwart someone actually depositing a trojan on your
machine is by PGP signing ZoneAlarm.

41. How do I do this?

The easiest way is by using the Windows version of PGP to check the validity
of Zonealarm.exe and Zoneband.dll and if you have Zonealarm Pro, Zapro.exe.

You do this by digitally signing each of these files.

PGP offers you by default the option of a detached signature, use that
option. It surely goes without saying that you do not use any of your
secret Nym keys for signing these files. You should have generated a key
pair for general use, which is for just this sort of purpose. This key is
to level 1 security only, so use a different passphrase to the one you use
for your secret BestCrypt container. It could be the same as your open
BestCrypt container, of course. There is no reason to choose a simple one,
the more complex it is, the more plausible and value you appear to place in
the security of your open BestCrypt container. Anyway, it must be complex
if it is to protect your sig files.

After signing these files, you will see a new file appear with the identical
file name but with the tag ".sig" attached. If you click on this new file,
it will display the signature validity of the file it is checking. If the
signed file has been tampered with in any way, it will display "bad
signature".

Copy both of the above files, including their detached digital sigs into
C:\registry.

After copying across highlight all these files, right mouse click and select
"properties". Uncheck "hidden", click "apply" and "OK". These are your
backups for future use, it will do no harm to keep copies of all these files
together with their detached sigs within your (secret) encrypted drive.

Next, make shortcuts of both detached sigs that apply to the original
files (not the backup copies) and place these shortcuts in the
Windows\Start Menu\Programs\Start Up folder.

When you next start Windows it will then automatically display boxes showing
the result of testing these sigs against the original files. You now have a
reasonable chance of catching out any snooper who has actually physically
tampered with your machine in your absence.

For this system to be truly effective, you must trust PGP and investigate
any warning of a bad signature.

42. Can you suggest any other precautions I should take to preserve my
privacy?

Always proceed on the assumption that you are about to be raided! This
means you should take the bother to run W.bat at the end of each session.
Always bother to check the firewall signatures on boot. If any are bad,
check your backups and immediately copy across. Then close down and
re-boot.

If, however, the signature(s) are still bad, it suggests that Zonealarm has
been compromised. I would uninstall and then re-install from a clean
backup. Re-boot and see if this clears the problem. If there is still
a bad sig, I would restore the whole of your hard drive C: from a secure
backup. It is essential that you maintain a backup of this drive off site.

In some countries this may literally be a life or death situation. If you
are not prepared to trust PGP to do its job properly, it is totally
pointless going to all this bother.
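
The startup check from question 41 and the recovery order from question 42, as an added example that is not part of the FAQ. It uses HMAC-SHA256 from the Python standard library as a stand-in for PGP detached signatures, so unlike PGP the checker needs the secret key to verify; the directories, passphrase and file contents are constructed, and only the three file names come from the FAQ.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

# The three file names are the ones the FAQ lists for ZoneAlarm.
PROTECTED = ["Zonealarm.exe", "Zoneband.dll", "Zapro.exe"]


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the general-use passphrase into a MAC key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def sig_path(path: Path) -> Path:
    """The detached tag sits beside the file with '.sig' appended, as in the FAQ."""
    return path.with_name(path.name + ".sig")


def sign(path: Path, key: bytes) -> None:
    """Write the detached tag for one file."""
    tag = hmac.new(key, path.read_bytes(), hashlib.sha256).hexdigest()
    sig_path(path).write_text(tag)


def verify(path: Path, key: bytes) -> bool:
    """True only if file and tag both exist and the tag matches the contents."""
    sig = sig_path(path)
    if not path.is_file() or not sig.is_file():
        return False  # a missing file or missing tag counts as a bad signature
    expected = hmac.new(key, path.read_bytes(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.read_bytes().strip())


def startup_check(install: Path, backup: Path, key: bytes) -> dict:
    """Classify each protected file as 'good', 'restored' (the backup was
    copied across and re-verified) or 'bad' (the backup fails as well, so
    the next step is a clean re-install or a full drive restore)."""
    status = {}
    for name in PROTECTED:
        live, spare = install / name, backup / name
        if verify(live, key):
            status[name] = "good"
        elif verify(spare, key):
            shutil.copy2(spare, live)
            shutil.copy2(sig_path(spare), sig_path(live))
            status[name] = "restored" if verify(live, key) else "bad"
        else:
            status[name] = "bad"
    return status


def demo() -> dict:
    """Build a constructed install and backup tree, tamper with it, check it."""
    with tempfile.TemporaryDirectory() as tmp:
        install, backup = Path(tmp, "install"), Path(tmp, "registry")
        install.mkdir()
        backup.mkdir()
        key = derive_key("constructed general-use passphrase", b"constructed-salt")
        for name in PROTECTED:
            (install / name).write_bytes(b"constructed original " + name.encode())
            sign(install / name, key)
            shutil.copy2(install / name, backup / name)
            shutil.copy2(sig_path(install / name), sig_path(backup / name))
        # One live file modified; one file modified in both places.
        (install / "Zoneband.dll").write_bytes(b"modified in your absence")
        (install / "Zapro.exe").write_bytes(b"modified")
        (backup / "Zapro.exe").write_bytes(b"modified")
        return startup_check(install, backup, key)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```
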


........................................................................


Part 2 of 2.


This second part concentrates on security whilst online.

There are countless reasons why someone may need the reassurance of
anonymity. The most obvious is as a protection against an over-bearing
Government. Many people reside in countries where human rights are dubious
and they need anonymity to raise public awareness and publish these abuses
to the world at large. This part 2 is for those people and for the many
others who can help by creating smoke.

43. I subscribe to various news groups and receive Email that I want to
keep private, am I safe?

Whilst you are online anyone could be monitoring your account. If you live
in the British Isles, be aware that all ISPs are required to keep logs of
your online activities, including which Web sites you visit. Shortly this
will be reinforced by MI5 who will be monitoring all Net activity 24 hours
per day! The information will be archived eventually for up to seven years!

The British Labour Government claim this Act is misunderstood and that it
will only be used against serious criminals.

Do you trust them? If you do, then you probably believe in fairies too.

44. Can anything be done to prevent my ISP (or the authorities) doing this?

There are several things you can do. First of all subscribe anonymously to
an independent News Provider. Avoid using the default news provided by your
ISP. Apart from usually only containing a small fraction of all the
newsgroups and articles that are posted daily, your ISP is probably logging
all the groups you subscribe to.

You also need to protect yourself from snoopers whilst online. To do this
you need to encrypt your data-stream between your desktop and a remote host.

This host should preferably be sited in a different State or country to your
own.

You also need to ensure this remote host server cannot log your true IP
address.



45. I live in the United States why do I need to bother?

You don't need to. But your privacy and security is enhanced if you do,
particularly if you wish to ensure best possible privacy of posting to
Usenet. Also, it is quite likely that many routes around the globe, even
across the States may be routed through London. The Web is literally just
that, a web. Thus American Email, news postings, etc are just as liable to
be read by MI5 and who knows what they will do with this information. As
many businesses exchange Email with total ignorance about security, I guess
the Brits are going to go ape over all that juicy business data they will
be gathering.

46. Ok, you've convinced me, how do I go about this?

You must use two programs. The first is to ensure you have an encrypted
link from your desktop to the distant (remote) server and the second wraps
a further layer of encryption around your data and additionally screens you
and your IP address from the remote server.

The two programs are SecureCRT and Freedom from Zeroknowledge.

SecureCRT is available here: www.vandyke.com/
It costs 99.00 USD. There is a 30 day trial.

In case you are confused by the choice of software on their page, you need
SecureCRT 3.1.1

SecureCRT uses several encryption algorithms within the SSH format. I
recommend Twofish or Blowfish. These are considerably faster than 3DES.

Freedom from Zero Knowledge is here: http://www.freedom.net/

Freedom will cost around 50 US Dollars per year. You can purchase
anonymously (recommended).

47. How do these two programs function?

Freedom offers you up to 5 Nyms. Each is entirely separate from the
others, even Zero Knowledge do not know to whom each belongs. Whilst a Nym
is selected, all data leaving your desktop is encrypted to the Freedom
server. This server need not be in your own country.

This is stage one. Stage two uses SecureCRT. This is the program that
allows you to have an encrypted connection to a remote host.

Either program can operate independently of the other. Together, they
ensure your data is double encrypted to military grade. On its own,
Freedom supports private and anonymous Email and private and anonymous
posting to Usenet. It does not support private nor anonymous downloading
from Usenet.

But if you combine Freedom usage with SecureCRT, you will then also enjoy
private and anonymous downloading as well because Freedom detects you have
a telnet connection (which is true) and then protects you accordingly. So
a further justification for using both together.

It is not essential to buy these two programs anonymously. But a good idea
if you can.

To use them, just start Freedom and then start SecureCRT. Freedom will
detect SecureCRT and will then automatically act as if there is a telnet
connection for all net traffic.

48. Where do I find a remote host server that supports SSH Encryption?

Regrettably the two that I know of, Cyberpass and Minder, are both closing
down.

I have found that by registering a domain name and then having it hosted on
a remote server, I have been able to use SecureCRT to log in using SSH. I
can even set up port forwarding for Email and Usenet. I regret I cannot
disclose my domain name or the server where it is being hosted. But a
simple Email inquiry about encrypted logins to a range of companies
offering domain name hosting should elicit a positive response from
several. It took me 5 minutes.

Subscribe anonymously, if at all possible.

49. So how do these two programs work?

You simply start Freedom and choose a Nym. Then start SecureCRT and log
into the remote host.

Freedom uses a chain of servers which each allow encrypted connections
between them. The first server need not be your ISP. You set the
security level which can use 1, 2 or 3 hops. The more hops the greater
the security but the slower the connection. These can be independently
set for each Nym. They can be changed at any time after the Nym is created
should you choose. Unless your threat model is very high, a single hop
should suffice for normal usage when used with SecureCRT.

Importantly, each Nym requires a new key to be generated. Once created
the key is constant for that Nym. Thus by changing to another Nym during
a session (after closing down SecureCRT), a new key will be used to encrypt
the data. This ensures disassociation between the Nyms. This offers
greater security and encourages you to change Nyms often if you are online
for a long period. Even more importantly, each time you select a Nym a
fresh Active Route is created. This is vitally important because it allows
many combinations, literally hundreds of routes to the remote host.

Full details of the protocols are freely published on the Freedom.net site.
Also, the source code is available for downloading and inspection.

I urge anyone contemplating using Freedom to first familiarize themselves
with these FAQ's.

SecureCRT is a dedicated encryption program using high grade encryption
from your desktop to a remote host server that supports the SSH format. As
already emphasized, but I repeat it yet again, it is necessary to subscribe
anonymously to this remote host server to derive maximum benefit from its
use.

50. Why?

Because the whole purpose of using Freedom is to screen yourself from this
server. If they already know who you are, Freedom is totally redundant.

51. Doesn't the use of Freedom and SSH mean several layers of encryption?

Yes. Freedom call it telescopic encryption. The data from your desktop
computer is first encrypted by SSH using Blowfish or 3DES (your choice),
then it is wrapped with other layers of encryption to the first Freedom
server. If you wish, you can choose your route with Freedom version 2.
Better reliability is achieved if you allow Freedom to choose its own route.

But superior security is achieved by choosing your own route using three
hops.

52. Why is this important if it is multi-encrypted?

Because if the exit Freedom server is within the UK, it will be a possible
target with just one layer of encryption. It would be possible for the
snoops to determine the next hop was into the remote host. This would make
that host a possible target. Whereas if it leaves the UK multi-encrypted it
is a much more involved process to crack. It would be impossible to know
its next hop as all data between Freedom servers are encrypted. Of course
this equally applies to whichever country from which it exits the Freedom
Network, but only the UK has openly declared it will soon be deploying
black boxes to monitor and record all data passing through its ISP's
servers. Worse, the 3 letter agencies of the UK and Uncle Sam exchange
juicy bits of info about each other's citizens. So beware!

53. Where does the data go after passing through the remote host?

It then goes out onto the Web totally anonymously, or to the News Provider.
All your postings and downloads will always be totally private. If you
wish you can run Quicksilver through this system and add Mixmaster chained
remailers to route through after the data exits the remote host. You can
add as many remailers as you choose, up to 20 maximum. Be aware that the
reliability will fall away as more are added. As the message is further
encrypted to each remailer in the chain, this represents an exceptionally
robust method of achieving anonymous posting.

54. Is the data encrypted after it leaves the remote server?

Not unless you are using a remailer client such as Quicksilver. Otherwise
it is in plaintext. This does not really matter because by the time the
data exits the remote server it is entirely disassociated with you.
Nobody can do a trace without enormous resources and time. If you are
careful and limit your time online to say, a 1 hour limit, breaking off and
re-connecting using a different Nym via an entirely different circuit, any
hacking attempts will be frustrated and made enormously more difficult.

Incidentally, Freedom use 1 hour session keys whilst you are online. At the
end of each hour they are discarded and new ones negotiated. This is done
transparently to the user. So even if the data were recorded, unless they
get the key within an hour, it is irrecoverable except by a brute force
attack. Likewise, you cannot legally be forced to hand over what you do
not possess.

55. How do I get onto Usenet?

As already stated, do not use your own freebie news service offered by your
ISP. You must subscribe anonymously to a dedicated and independent News
provider such as Newscene or Newsfeeds. Regrettably, the best news
provider, Altopia, does not support anonymous sign ups.

56. Freedom say they do not support encrypted downloading from a dedicated
news provider, they also claim it is not necessary. Do you agree?

No, I do not. Freedom are justifying what is a necessity with their
present version of their program. However, this only applies if you try
and log onto the news provider directly using Freedom alone. If you
subscribe anonymously to a remote server, you gain not only the benefit of
being totally screened from the remote server, but also all your News
Provider's uploads and downloads are also totally private. This is because
as far as Freedom is concerned, you are making a telnet connection to the
Web and all telnet activity is always encrypted and anonymous.

57. Are there any precautions I should take before choosing a News
Provider?

Before subscribing to any news provider, even anonymously, make absolutely
sure that it does not reveal your NNTP posting host in the headers. Even
with the anonymity provided by a remote host plus Freedom, you still need
the extra layer of anonymity provided by the news provider stripping away
your anonymous posting host header. This frustrates any attempts to back
track to your chosen remote server. Some News Providers claim to never
keep logs. I never believe them. It is in their commercial interest to
know which groups are the most popular to ensure the optimum balance of
disk space and retention times. It is possible that they destroy these
logs after, say, 7 days. But never assume this. The main criteria of
choice for your potential News Provider must be its stripping away your
NNTP posting host IP address from the headers.
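
One way to run the check from question 57 on the headers of a test post, as an added example that is not part of the FAQ. The sample articles, host names and addresses are constructed; besides NNTP-Posting-Host it also looks at Injection-Info and at any other header carrying a known host or an IPv4 literal, which goes beyond the single header the FAQ names.

```python
import re
from email.parser import HeaderParser

# Dotted-quad literal that is not part of a longer dotted number.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# posting-host parameter inside an Injection-Info header.
POSTING_HOST = re.compile(r'posting-host\s*=\s*"?([^";\s]+)', re.I)


def find_host_leaks(article: str, known_hosts=()):
    """Return [(header, detail)] for headers that expose the posting host.

    known_hosts: names/addresses of your own remote host, so that a copy of
    them hidden in any other header (X-Trace, Path, ...) is caught as well.
    An IPv4 literal is flagged for review even if it is not in known_hosts.
    """
    findings = []
    for name, raw in HeaderParser().parsestr(article).items():
        value = " ".join(raw.split())  # unfold continuation lines
        lname = name.lower()
        if lname == "nntp-posting-host":
            findings.append((name, value))
            continue
        if lname == "injection-info":
            match = POSTING_HOST.search(value)
            if match:
                findings.append((name, match.group(1)))
            continue
        hits = {h for h in known_hosts if h.lower() in value.lower()}
        hits.update(IPV4.findall(value))
        if hits:
            findings.append((name, ", ".join(sorted(hits))))
    return findings


# Constructed values: the remote host you log in to.
KNOWN = ("shell.example.org", "192.0.2.44")

# Constructed article from a provider that reveals the posting host.
LEAKY = """\
Path: news.example.net!not-for-mail
From: nobody@example.invalid
Newsgroups: alt.test
Subject: header test
Message-ID: <test1@news.example.net>
NNTP-Posting-Host: shell.example.org
X-Trace: news.example.net 978307200 192.0.2.44 (1 Jan 2001 00:00:00 GMT)

test body
"""

# Constructed article from a provider that strips the posting host.
STRIPPED = """\
Path: news.example.net!not-for-mail
From: nobody@example.invalid
Newsgroups: alt.test
Subject: header test
Message-ID: <test2@news.example.net>
X-Trace: news.example.net 978307200 (1 Jan 2001 00:00:00 GMT)

test body
"""

# Constructed article using a folded Injection-Info header.
MODERN = """\
Path: news.example.net!.POSTED!not-for-mail
From: nobody@example.invalid
Newsgroups: alt.test
Subject: header test
Message-ID: <test3@news.example.net>
Injection-Info: news.example.net;
 posting-host="shell.example.org:192.0.2.44"; logging-data="1234"

test body
"""

if __name__ == "__main__":
    for label, text in (("leaky", LEAKY), ("stripped", STRIPPED), ("modern", MODERN)):
        print(label, find_host_leaks(text, KNOWN))
```
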

58. Couldn't I use the remote host as my local ISP?

No, definitely not.

59. Why not?

Because otherwise you can be traced instantly by the phone company. It
totally defeats the whole purpose of using Freedom to be anonymous.

60. What is the difference between a dialup and a shell account?

The dialup is what it says. It is your normal account with your Internet
Service Provider (ISP). With a shell account you connect to your ISP then
use the Net to make a telnet connection to a remote server. All your Net
activities, Email, Usenet, Web browsing are then done through this remote
host.

It is the multi layering of the encryption, plus the total anonymity of
using Freedom together with the remote host to an anonymous account at the
News Provider that almost guarantees your safe anonymity.

61. Why do you say "almost"?

According to Freedom it would take the combined efforts of a Government
security agency to hack into Freedom. They claim it would be extremely
time consuming, but nevertheless, it could be done.

That is with using Freedom alone. Factor in the extra layer of SSH
encryption together with anonymous signups to the remote server and the
News Provider and it means an awful lot of bother just to catch someone.
That is why I recommend all to use this technique as it will be of real
benefit to those unfortunates in countries with tyrant Governments. Makes
their job very much more difficult, if not downright impossible. If you
additionally use a remailer client configured to route the message via the
Mixmaster remailers, it would be horrendously difficult and truly doubtful
if it would be economic to even attempt to hack back to you.

62. Should I run these encrypted programs from within my encrypted drive?

For level 1 security you could run it from your C: drive. But for
better security you will need to run it from your encrypted container.
This means both SSH and Freedom should be installed on and run from your
encrypted drive. This is essential for level 3 security because it
insures against anyone accessing your computer in your absence and
substituting a cracked version of your programs or keys. If hacked,
anybody could be monitoring your traffic.

The addition of Freedom also helps to protect you if the remote server key
has been hacked. It would require an awful lot of effort to trace you.

63. Are there any problems using what is in effect quintriplicate
encryption (SSH, up to 3 layers of Freedom plus Scramdisk) together?

On a modern fast computer, these multiple layers of encryption are totally
innocuous. If you have added copious extra RAM, as recommended to obviate
using the Swapfile, you will find your computer runs much faster which will
most likely compensate for the encryption overhead. However, the data
transit speed is considerably slowed up due to the many nodes in transit.

I have had odd problems which seem to be caused by the chosen route taken
through the Freedom network. Occasionally I get a "host unknown" error as
I attempt to log in to the remote host server. If I change my Nym with
Freedom and re-try, so far it has always worked on the second attempt.

64. How do I configure Freedom?

It is very easy, but do read the fine manual before you generate a Nym.
Anyway, always assume your first Nym is compromised.

65. Why?

Because you may generate it within minutes of installing the program and you
may later regret some of the config settings after you learn more about it.
Each Nym is isolated from the others, so it gives you the chance to learn a
little about the program before using it seriously.

66. How do I configure SecureCRT to work with a remote host?

Read the FAQ at http://anonymizer.com/ssh

You simply log into the remote server with your password and minimize the
SecureCRT screen once connected. That's it!

To use Agent or Netscape you need to specify "localhost" in the settings of
these programs.


Warning! Do not give your remote host Email address to Freedom as a contact
when buying Freedom. Far, far better to give your true Email.

67. Why?

Because there is no worry that someone at Freedom knows you have bought the
program. But it is imperative that they do NOT know any of your Nyms on
route. This particularly applies to your remote host username. Many
people lose sight of the fact, that it is vital to distance yourself from
your Nyms. This means you never use any of your Freedom generated Nyms
openly on Usenet. Their greatest benefit is to screen you; by openly
publishing them you have immediately given away half your anonymity that
you have so carefully built up.

Of course, you may choose to deliberately use one Nym for light anonymity,
just as I have for anyone wishing to contact me about this FAQ.

Your Nyms are hidden whilst you surf the Net or whenever you are using
Telnet, such as when you are logged into a remote server. Only when you
send Email or post to Usenet do you need to be concerned at your exposing
them. Of course this is why you have bought them, but I would not use them
openly, if only to avoid spam.

I am talking here about extreme anonymity. This does not apply to the
casual poster. But if your liberty depends upon your anonymity, then be
very careful about how you use them.

68. What happens if I forget to start Freedom?

Your ISP address may (possibly) be logged by the remote server. If it does
happen, simply close down the connection and restart using Freedom. But
wait a few minutes to avoid anyone monitoring the remote from sussing that
the two log-ins were from the same person.

Always check the "TLNT" green light is lit on the Freedom box before
posting. This ensures that your traffic is being routed via the remote
host server and not directly out from your ISP.

Also, most important, Freedom will only function as intended if a Nym has
been selected.

No Nym, no anonymity. Period.

69. Is there an alternative way, something simpler?

Yes. You can post via a proxy such as Yahoo or Hotmail. But I treat these
as soft anonymous. Don't use them for anything critical.

70. How about Email with Freedom and SecureCRT?

You can set up Agent to be your Email and Newsreader client. I would
recommend using it to download from Usenet and to receive your Email from
Freedom.

Freedom has a basic spam filter, I recommend you use it.

However, using Agent to send Email and to post directly to Usenet is not
nearly as hard anonymous as Quicksilver. Fine for most activities, but if
you need absolute security it would be wiser to use Quicksilver.
Quicksilver is intended to be used for Email or posting using the Mixmaster
anonymous remailer network. This ensures the strongest possible anonymity.

Far stronger than the older Cypherpunk remailers.

71. How do I configure Agent as a news reader using the telnet connection
through a remote server?

Firstly, you should change your assigned password for the remote server.
Type "passwd" (without the quotes) at the command line in SecureCRT after
logging in. Follow the on screen instructions.

In Agent, open Options -> User and System Profile -> User

Under "News Server Login", ensure "Login with a Username and Password" is
checked. Type in your username exactly as given to you by the news
provider. Enter your password. Both are case sensitive. Check "Remember
Password between sessions". Uncheck "Login with Secure Password
Authentication".

Click OK.

Now go to Options -> User and System Profile -> System. Put "localhost"
without the quotes into the News server box. Check Server creates Messages
out of order.

Click OK.

This ensures that all Usenet downloads are via your remote server.

72. How do I ensure Freedom decrypts incoming Email automatically with
Agent?

Assuming you have a regular Email client for your non-anonymous mail, such
as Outlook Express, I would recommend you configure Agent for your Freedom
Email. Zero Knowledge now have their own POP server for Email, which can
be accessed directly using Freedom version 2.

In Agent go to Options -> User and System Profile -> System. Click on "Send
Email messages with SMTP", enter mail.freedom.net in the Email server box.

Ensure that "Send Email messages with MAPI" is unchecked.

Click OK.

This ensures your sendmail is routed via the Freedom network.

Now, Options -> Inbound Email -> Check "Receive Email with POP", enter
"mail.freedom.net" in the POP server box.

Check "login with a username and password",
Check "Use APOP if supported by the server"
Enter "freedom" for both the username and the password.
Check "Remember password between sessions".
Uncheck "Login with secure password authentication"
Uncheck "receive Email with SMTP"

Click OK

This ensures your incoming Email is from the Freedom server.

To set up Quicksilver for Freedom Email do the following:

Click on tools -> POP accounts -> new ->

Type freedom into login ID and mail.freedom.net into the POP3 host box and
freedom as the password. Click OK and OK again to close the pane.

73. I prefer to use Eudora/Anawave Gravity/Xnews, etc as my Email client,
how do I set them up?

Sorry, I don't know. You will have to experiment for yourself. Although
I have used several other Email clients/newsreaders, I like and use only
Agent for receiving News and Email and Quicksilver for all postings of
News and Email.

74. Why particularly Agent?

Because Agent allows me to personalize each news group with a different Nym
and/or signature. This might be possible with other news readers, but I
have gotten used to Agent.

75. How is this done?

Set your default settings by opening Options -> System and User Profile ->
User. Enter whatever Email address you wish, it might be a spoof if you
wish. Its only critical value is it must have the "@" sign in it. In fact
that is all you need enter if you choose. The remaining lines can be left
blank if you wish.

Open Options -> Posting Preferences -> Signatures. You should create
whatever sigs you may wish to use. Create as many as you wish. You can
have one per news group if you like. Take your time to browse through the
other options and set up your preferences.

These are your default settings.

Choose a News Group. Open Group -> Properties -> Post, click on "override
default settings". Now choose a signature from the list of those you have
previously created. Next browse through the list of options from "Bcc"
through "From" to "Summary". Each of these can (your choice) be selected in
turn. As each title is highlighted, click on "Override default value" for
that title.

Now enter whatever you wish in the space below it. Now uncheck the
"override default value" and whatever you have typed will appear next to the
highlighted title.

This information will apply to just the news group you have chosen. You
will need to repeat this for each group for which you wish to set a
different value.

These options mean every single group can, if you wish, have unique "Sender"
and "Reply-to" and unique signatures.

76. Can I post graphics anonymously to Usenet with this system?

Absolutely. Just make certain that you use Freedom with an active Nym and
then your remote server with SecureCRT. Freedom will always ensure that
all outgoing traffic is via the remote server (provided you have set up
Agent to use "localhost" as described above).

Agent will always use your News Provider as the posting host. This is why
I recommended you subscribe anonymously to this news provider. Nothing
can then be traced back.

Quicksilver will always use one of the mail2news gateways. These are
intended to be hard anonymous and when used together with these other
recommendations should ensure extreme anonymity. But the remailer network
does not readily accept large files, such as graphics. This need not be a
significant problem as you can use Agent, provided all the other measures
have been strictly adhered to.

77. Why, particularly Quicksilver, what about Private Idaho or Jack B.
Nymble?

I found Private Idaho far too buggy and not as intuitive as Quicksilver.
JBN2 is very sophisticated, but appears to need more maintenance to keep it
working. Quicksilver on the other hand, appears to be so easy to configure
and is far more intuitive to use.



78. Which Email address should I use?

Your choice. Use Freedom or you could use your remote host as an Email
address. Personally, I would not do that. I would prefer to give out one
of my Freedom Nyms.

79. Why?

Because if you regret your choice, you can abandon that Freedom Nym. It is
far more difficult and bothersome to change your remote host username.

For even stronger security create a Nym at one of the Nym servers, such as
nym.alias.net, or at anon.efga.org and point your reply block to a news
group such as news:alt.anonymous.messages.

80. How do I do that?

You will need a remailer client such as JBN2. This is a very sophisticated
program and will take some time to learn to use correctly. But once
learnt, it offers you the opportunity to create as many Nyms as you wish.

81. Are there any other suggestions?

Immediately you finish a posting session, break the connection. Close
SecureCRT and change your Freedom Nym. This ensures new session keys are
generated. Log in again over the new link. It is not quite so necessary
to close Freedom, but I would certainly change your Freedom Nym before
commencing posting again. This ensures a different route is created to the
remote host. Anybody attempting to hack in along the way is foiled.

Never stay online whilst posting for longer than 1 hour maximum with any
particular Nym.

Always post at different times, do not create a regular pattern of postings
at specific times and days of the week.

82. Surely all this is totally over the top for the majority of users?

It is certainly over the top for 99 per cent of users for 99 per cent of the
time. If, however, you are the one in a hundred and you do not much like
the idea of being at risk for 1 per cent of the time, then no, it is not
over the top at all. Using these tactics helps create smoke which in turn
helps protect those who really do need all the protection and security they
can get.

Remember this FAQ is intended to help many different people. Some may be
living in deprived conditions, in countries where human rights abuses are a
daily fact of life.

I must emphasize again, the more that take up these suggestions the easier
it is for those people to hide themselves amongst the smoke.

83. Can I use IRC in this way?

Freedom boasts that you can be anonymous on IRC. But I am very dubious of
this. Take your chances, but do not blame me if it all ends in tears.

84. Can I be anonymous as far as other Web sites are concerned?

Yes. Freedom alone is sufficient for this.

85. What about spammers who offer "totally anonymous Web-surfing", etc?

I don't want to harm anyone's commercial enterprise, but ask yourself, do
you really believe anybody with a vested interest in their business cares
two hoots about your safety?

These people always charge you money, usually requesting a Credit Card,
which means they can identify you. If you are going to pay out your hard
earned cash at least use it to buy true anonymity.

86. Lastly, what do you say to the charge that this FAQ may be useful to
criminals?

As someone once said, the sun shines on the righteous and the wrong-doer
with impartiality.

We might as well ban cars, kitchen knives, guns, etc., because of their
potential to aid criminals. We must balance the benefits against the
bruises.

There will always be those who seek to control others' lives, using whatever
scare tactic they can. Ask yourself, could there be a hidden agenda behind
their concerns?

Who benefits the most if Governments are allowed to reduce our freedom of
choice? The Government or us?




Therefore:

1. always, always, lurk before leaking.

2. always use encryption, whatever else you do.

3. always start Freedom with an active Nym, before logging into your
remote host.

4. always post via your encrypted and anonymous remote host to your
anonymously subscribed News Provider.

5. never ask of anyone nor give anyone online, your true Email address.


6. never DL any file with .exe, .com or .bat extension from a dubious
source. If you do, don't run it.

7. for your own protection, never offer to trade any illegal material, nor
ever respond to those seeking it, even anonymously.


....................................................


If you believe any part of this FAQ is wrong, misleading or could be
improved, please Email your comments and I will take them onboard.


To respond to me personally, email me at doctor_who@freedom.net
and include your PGP key with your message if you expect an encrypted
answer.

Please use my key, below, to encrypt your message to me.


My key fingerprint: F4A7 05A0 7618 252B B10A C1BF 5C29 C0A2

Type Bits/KeyID Date User ID
pub 2047/7CECC929 1998/07/06 Doctor Who <Doctor_Who@Freedom.Net>



.......................................................................

This ends the FAQ. What follows are some links which might prove helpful.


.........................................................

Version 15

-----BEGIN PGP SIGNATURE-----
Version: 6.0.2ckt http://members.tripod.com/IRFaiad/

-----END PGP SIGNATURE-----

[ 02-19-2001: Message edited by: Marine06 ]