Results 1 to 2 of 2

Thread: Security and Encryption FAQ Revision 15 by Doctor Who

  1. #1
    New Member
    Join Date
    Jul 2000

    Post Security and Encryption FAQ Revision 15 by Doctor Who

    This was posted by hpguru at another forum and i thought it was well written and very imformative.


    hpguru: This FAQ was cross posted by Doctor Who at and


    Security and Encryption FAQ Revision 15

    by Doctor Who

    "No one shall be subjected to arbitrary interference with his privacy,
    family, home or correspondence, nor to attacks upon his honour and
    reputation. Everyone has the right to the protection of the law against
    such interference or attacks."

    Article 12 Universal Declaration of Human Rights

    Disclaimer and justification for this FAQ.

    Many countries operate a legal system designed to suppress individual
    freedom. Such countries often do not obey basic human rights. The law
    in these countries may be based on guilty until proven innocent. My
    intention in offering this FAQ, is to legally challenge these threats to
    our freedom. It is not my intention to promote any illegal act, but to offer people the option of freedom of choice. How they use that freedom
    is entirely down to the individual.

    Revisions in this version of the FAQ include BestCrypt version 6. BestCrypt
    has been included because the latest version 6 has a particularly useful
    undocumented feature that offers a form of plausible deniability that is all
    but undefeatable, so far as I know. More about this later in the FAQ.

    The FAQ has 2 main Sections.

    Part 1 concentrates on passive security. It is intended to be useful to
    both posters and lurkers.

    Part 2 is to maximize your privacy whilst online, particularly for Email
    and Usenet posting.

    I have assumed three security levels:

    Level 1. For those who wish to protect their files from unauthorized
    access. These users are not too concerned at being found with encrypted
    data on their computer.

    Level 2. This is for those who not only wish to hide their private data,
    but to hide the fact that they have such data. This might be an essential
    requirement for anyone who lives in an inquisitorial police state where
    human rights are dubious, or where there is no equivalent to the United
    States 5th Amendment.

    Level 3. This is for those who not only need all that is offered by level
    2, but additionally wish to protect their computer from unauthorized
    access. Protecting themselves from hackers whilst online and snoopers who
    may try and compromize either their software or add substitute software
    that could reveal their secret passphrases.

    Part 1 explains the 3 security levels and offers help in achieving

    1. How does encryption work?

    In its simplest sense, the plaintext is combined with a mathematical
    algorithm (a set of rules for processing data) such that the original text
    cannot be deduced from the output file, hence the data is now in encrypted
    form. To enable the process to be secure, a key (called the passphrase) is
    combined with this algorithm. Obviously the process must be reversible, but
    only with the aid of the correct key. Without the key, the process should
    be extremely difficult. The mathematics of the encryption should be openly
    available for peer review. At first sight this may appear to compromize the
    encryption, but this is far from the case. Peer review ensures that there
    are no "back doors" or crypto weaknesses within the program. Although the
    algorithm is understood, it is the combination of its use with the
    passphrase that ensures secrecy. Thus the passphrase is critical to the
    security of the data.

    2. I want my Hard Drive and my Email to be secure, how can I achieve this?

    You need Pretty Good Privacy (PGP) for your Email and either Scramdisk or
    BestCrypt for your private files on your computer.

    PGP is here:

    Scramdisk is here:

    BestCrypt is here:

    Both PGP and Scramdisk version 3.01R3c are free. The newer version of
    Scramdisk, version 3.02A is not free. BestCrypt is commercial ware.
    The source code has been published for PGP and for Scramdisk version
    3.01R3c. The source code for version 3.02A has not yet been published. The
    souure code for the encryption side of BestCrypt has been published, but
    not the proprietary Windows interface. Scramdisk version3.02A, BestCrypt
    and PGP support Win95/98/2000 and NT.

    3. What is the difference between these Programs?

    PGP uses a system of encryption called public key cryptography. Two
    different keys are used. One key is secret and the other is made public.
    Anybody sending you mail simply encrypts their message to you with your
    public key. They can get this key either directly from you or from a public
    key server. It is analogous to ssomeone sending you a box and a self
    locking padlock for you to send them secret papers. Only they have the
    key to open the box.

    The public key is obviously not secret - in fact it should be spread far
    and wide so that anybody can find it if they wish to send you encrypted
    Email. The easiest way to ensure this, is by submitting it to a public
    key server.

    The only way to decrypt this incoming message is with your secret key. It
    is impossible to decrypt using the same key as was used to encrypt the
    message, your public key. Thus it is called asymmetrical encryption. It
    is a one way system of encryption, requiring the corresponding (secret)
    key to decrypt. PGP is simplicity itself to install and use. I recommend
    you use one of the Cyber-Knights versions.

    For your normal hard drive encryption, you will need a symmetrical type of
    encryption program. The same key is used for both encryption and
    decryption. Scramdisk and BestCrypt are especially good because they are
    "On-The-Fly" (OTF) programs. This means that the program will only decrypt
    on an as needed basis into RAM memory. More about this later in the FAQ.

    One question often asked by newbies is whether the passphrase is stored
    somewhere within the encrypted file. No. The passphrase is passed
    through a hash, such as SHA1. This is a one-way encryption. This output
    hash is what is stored within the encrypted container. The program will
    look for this hash and compare it with the hash it produces from the
    passphrase that you type in to mount the container. If they are identical,
    the container will be decipherable and will be mounted.

    4. I have Windows 95/98, am I safe?

    Windows is definitely not a security orientated program. One simple
    method of improving your computer security is to disable the Windows
    swapfile. To ensure reliable operation and dependant on what programs you
    run, you may need several hundred megabytes of RAM. If you are serious
    about your privacy, I would recommend investing in as much RAM as you can
    afford and turn off the swapfile. I suggest a minimum of 128 Megs and
    preferably double or even quadruple that.

    5. Apart from the Swapfile, what else can Windows reveal to a snooper?

    User.dat can reveal all sorts of interesting things about your computer
    habits. Take a peek by opening in Notepad or Wordpad. Press CTRL-F (i.e.
    the Control key and the F key together). Type in the box, X:\ (or whatever
    drive letter you use to store any critical data). Press "Find" and
    continue throughout the file. Alternatively, you could input .jpg, or .avi,
    etc - you get the idea. You cannot edit this file in Notepad or Wordpad.
    The only way to edit user.dat is by using regedit.exe. My experience
    suggests you will not be able to easily remove embarrassing entries.

    If you find information that you would rather not be there, you will either
    need to restore from an earlier backup of these files, or simply bite on
    the bullet and re-format your hard drive. This is extreme, but may be the
    only alternative. At least you then start with a clean slate.

    Remember the format command: Format c: /s (it is vitally important that
    you include the /s to install the system files). Obviously back up your
    data, Email address book, etc., etc., before proceeding.

    Dependant on how paranoid you are, after formatting you may choose to first
    install "Zapempty" or another Dos based free space wipe utility and run it
    a few times before you start installing Windows, etc. Formatting your
    drive does not clean out any old data. It is still there and can be
    recovered with specialist software.

    Zapempty is here:

    If you have not previously used encryption and/or you have contentious
    material lying around in plaintext form in all sorts of supposedly hidden
    places on your system, my strong recommendation is to re-format your hard
    drive and then run Zapempty before you install Windows and all your
    program. Assuming you have a clean system to start with, you can then
    proceed with creating all your encrypted drives and sub-folders within
    those drives and finally installing all the programs you intend using.

    Later in the FAQ I will show you a system which keeps your registry files
    (system.dat and user.dat) sanitized.

    6. Are there other OTF programs, apart from Scramdisk and BestCrypt?

    Yes, there are several. But to keep this FAQ manageable I mention only
    those I can recommend from personal experience.

    For level 1 security, it is difficult to fault Scramdisk. If you require
    level 2 security then I would recommend BestCrypt. More about this later
    in the FAQ.

    7. Which Algorithm is best, particularly as Scramdisk offers 8?

    Scramdisk offers a choice of eight different encryption algorithms. I
    recommend Blowfiish. BestCrypt offers Twofish or GOST. GOST is an older
    Soviet Union program and rather slow. Twofish is one of several programs
    being evaluated for the Advanced Encryption Standard. So far it has
    withstood over 1,000 hours of intense crypto-analysis scrutiny without even
    approaching its limits.

    To ensure maximum security, you must take care over your choice of
    passphrase. This is the most likely weakness with most people. Always make
    it long. Remember, every extra character you enter makes a dictionary
    search for the right phrase twice as long. Both Scramdisk and BestCrypt
    ultimately limit the strength of the algorithm to 160 bits. This is
    because the hash program they use, SHA1, outputs a maximum of 160 bits.
    You will find that the passphrase input page for Scramdisk shows 4 lines
    for inputting your passphrase. Each line can hold a maximum of 40
    characters. Thus a maximum of a 160 character passphrase is possible. A
    character is equal to slightly more than 1 bit. Most people will use a
    somewhat shorter passphrase, but I would recommend that you at the least
    spread your passphrase across the four lines, even if you do not fill each

    8. Why?

    Because any passphrase cracker cannot find the correct key until it has
    exhausted a key search as wide as the last character you enter. A strong
    hint that you should make sure the last character of your passphrase is
    well along the bottom line! For higher security you should spread it
    around on all four lines, that is why they are there.

    Be sure that if any serious snooper wants to view your secret data, they
    will find a way without wasting their time attempting a brute force attack
    upon your Scramdisk container. In some countries rubber hose cryptography
    may be the rule. Anybody living in such a country needs level 2 security
    at the very least. In some "civilized" countries there are more sinister
    methods, such as tempest or the use of a trojan which require level 3
    security (see later in FAQ).

    9. I have heard that there are programs that HIDE and Encrypt, are these
    any good?

    Snake oil! They are not even worth considering for level 1 security. Keep
    to the recommended programs if you are seriously in need of privacy.

    10. What about simple file by file encryption?

    You could use the Windows version of PGP. It comes with PGP Tools, which
    will allow you to encrypt any file on your computer. Only encrypt these
    single files on the assumption of a level 1 security.

    11. Do I need to wipe as opposed to simply deleting files within the
    Scramdisk or BestCrypt drives?

    If the encrypted container is sufficiently secure for your normal files, it
    must obviously be secure for deleted files. Therefore, it is unnecessary
    to wipe files within the encrypted drive.

    12. Do I need to wipe an unwanted encrypted container?

    Depends. I used to say, yes. But if you are truly confident of the
    strength of your passphrase, then just delete it. However, if you created
    the container with a weak passphrase and it contains critical data,
    definitely wipe it. Wiping will ensure that the encrypted keyfile material
    at the head of the file is over-written. It is only strictly necessary to
    wipe the first 10K of the file to ensure this.

    13. Can I use Disk compression to increase the apparent size of the drive?

    Not with Scramdisk. BestCrypt allows this and will compress and encrypt
    on the fly.

    14. Can I encrypt a floppy with Scramdisk and BestCrypt?

    Yes, both allow floppies to be encrypted. In fact they also support
    encryption on Jaz and CD-RW drives. You can even run Scramdisk off a
    floppie in what is called "Traveller" mode. In this mode there are no
    Scramdisk related VxD or INI files on your hard drive to worry about.
    But you do have the problem of where to hide your Scramdisk floppy.

    15. Does using Encryption slow things up?

    There is a small speed penalty because your computer has to encrypt to write
    to disk and decrypt to read from it. In practice on a modern machine, using
    the Blowfish (or Twofish with BestCrypt) cipher, the encryption is totally
    transparent in normal use.

    16. Do I need a PGP passphrase if I store my keyrings within my encrypted

    It is good security practice to use a passphrase, but for level 3 security
    it is essential because level 3 security is intended to ensure your secret
    data are safe if attempts are made to hack into your computer whilst online
    or if your computer is compromized in your absence.

    17. I use Mac, OS2, Linux, (fill in your choice), what about me?

    Scramdisk is now available for Win95/98 and NT/Win2000. I believe a Linux
    version has been promised... BestCrypt supports Win95/98/ME/NT/2000 and

    Meanwhile you could look here if you're a Mac user:


    18. How can I ensure I do not leave traces of unwanted plaintext files on
    my system?

    Try Evidence Eliminator. Apart from its unfortunate name, it is remarkably
    efficient at finding lost temp files and info. But I am concerned at its
    registry cleaning. I found it unconvincing with old entries.

    Get it here: (30 day trial period on offer).

    In addition to using Evidence Eliminator, I suggest you also clean up your
    registry after each session. To do this you should first run Evidence
    Eliminator to remove backups of the registry. Create a folder called
    C:\registry. Now copy System.dat and User.dat to C:\registry. Highlight
    both files, right mouse click and select "properties". Uncheck "hidden",
    click "apply" and "OK".

    Using Notepad, write the following batch file, call it W.bat. After every
    session you should close Windows and restart in Dos mode and run it in Dos
    to be effective. If used in combination with Evidence Eliminator, it
    should ensure a clean hard drive.

    w.bat =

    cd c:\Windows

    attrib -r -s -h user.dat
    scorch [user.dat]
    copy c:\registry\user.dat c:\Windows
    attrib +r +s +h user.dat

    attrib -r -s -h system.dat
    scorch [system.dat]
    copy c:\registry\system.dat c:\Windows
    attrib +r +s +h system.dat



    Read the accompanying documentation for these utilities before using them.

    Scorch and scour are available here:

    Note: Scour can take for ages if you have lots of files and a large
    drive. A possibly more practical solution is to use Scour once to ensure
    both your file ends and your free space on your drive are clean and then
    substitute "Zapempty" for future wipes.

    After finishing a session, and running the above batch, always shut down
    completely. This means a cold re-boot for the next session. This ensures
    that your RAM memory is wiped clean, otherwise with a warm boot it may write
    back user.dat with the data you had sanitized. A simple check is to watch
    whether your system tests its RAM memory. If it does, it has been flushed.

    Remember, pressing Ctrl-Alt-Del will not flush the RAM memory.

    The above may seem rather irksome. It is. Blame Bill Gates, not me! If
    you are really seriously in need of privacy, I strongly recommend you bother
    to do this housekeeping.

    It is still theoretically possible to recover such over-written data, but it
    must necessarily involve a lot of bother and expense. Only likely to be
    used in very serious circumstances. Even then, whatever is recovered will
    only hint at what may be hidden elsewhere.

    19. What programs do I put in my newly created Encrypted Drive?

    You need to take care over which programs to choose. Some news readers and
    image Viewers and Emailers can write critical information to your Registry.

    For what it's worth, here are my choices for these critical programs:

    (A) Freedom from Zero Knowledge available here:

    Freedom is an excellent way to ensure your online activities are screened
    from prying eyes. It works seamlessly with the following programs to
    ensure your Email, News posting and Web browsing are secure and totally
    anonymous. Version 2.0 has just been released. This is slightly more
    secure than the original version.

    Freedom is not compatible with some services, e.g. AOL. See their web page
    for full details of incompatible services.

    (B) Agent (or FreeAgent) for the newsreader, and basic Emailing.

    Agent is here:

    (C) For your Email I have 3 different recommendations:

    i. Agent, as mentioned above

    ii. Quicksilver, available here:

    111. JBN2, here: Http://

    Agent is simple and very easy to use. It can only be used for plaintext
    Emails on its own, but will work seamlessly with Freedom to decrypt
    incoming Emails. It also works with both Freedom and a remote host server
    for posting anonymously.

    Quicksilver is recommended for secure Email and Usenet posting. It does
    not yet support Nym creation, but is otherwise an excellent program to send
    mail and post anonymously to Usenet. Most importantly, Quicksilver is very
    easy to learn to use. It uses the Mixmaster remailers for posting. These
    are considered far more secure than the earlier Cypherpunk remailers.

    Like Agent, Quicksilver is fully compatible with Freedom Email and can
    download and transparently allow decryption of Freedom incoming Emails.

    JBN2 is an excellent stand alone program for Nym creation and decryption of
    Email and news postings sent via the anonymous remailer network. It does
    not appear to work with Freedom to decrypt incoming Freedom encrypted Email.

    This is not a big disadvantage as Agent is easily configured to receive
    both News and Email if necessary.

    All three of these programs will also work with PGP. Agent will require
    you to copy and paste, but the other two have built-in support and work
    seamlessly with PGP.

    (D) For browsing I like Netscape Gold the best. This is an early version
    of the Netscape browser, but all the better for that. You can direct it to
    locate its Bookmarks file on the encrypted drive. Later versions of both
    Netscape and Microsoft Explorer want to create user profiles and worse can
    write data in unwanted and exposed folders. They are also very dependant
    on Java and ActiveX. These are bad news as far as security is concerned.

    Therefore, be sure to disable Java with Netscape.

    I most strongly urge you NOT to use MS Internet Explorer. It will insist
    on keeping things within Windows in many hidden folders. This is
    especially the case for MS Mail and MS News and Outlook. Of course, you
    can always use MSIE as a normal browser on your desktop for non-critical
    browsing and Email, should you wish.

    (E) Use ACDSee as your viewer. If you use the cache facility, make certain
    that you set it up within your encrypted drive. This allows easy previewing
    of thumbprints and click and zoom to examine image quality.

    ACDSee is here:

    Two alternatives are:

    Thumbs Plus, at and
    VuePro, at:

    Each of these 3 programs has some advantage over the others. Choose
    whichever best suits your needs.

    (F) Many files are compressed. The most popular is Zip. I recommend
    obtaining a copy of WinZip from here: Or, do a
    search for PKzip which is freeware, I believe.

    (G) Any person who browses the Net should ensure they have a good virus
    detector. There are many to choose from, some are freeware, others are
    shareware or commercial ware. I use Norton's only because it allows me to
    update the virus list online. Useful and so easy.

    (H) Get a firewall. I recommend Zonealarm Pro which costs around 40 US

    Note: The freebie version 2 of ZoneAlarm appears to be only partially
    compatible with Freedom. The one big drawback to this freebie version is
    that it leaves port 113 Ident open when its protection is necessarily
    crippled to allow it to cohabit with Freedom. Bad, very bad. I strongly
    recommend you buy Zonealarm Pro. This will work seamlessly with Freedom
    on its maximum security settings and ensures that all ports are in stealth

    If you already have the freebie version installed, after installing
    ZoneAlarm Pro, click on the taskbar and open the new version. Go to
    Security and ensure it is set to High. Now go to Programs to view the
    list of previously acceptable programs you had allowed to access the Net.
    Right click on each program and remove it from the list. This will ensure
    that when each program is next started you can again allow acces, but with
    full firewall protection. This is especially necessary with Freedom or it
    will not run.

    Get both versions here:

    20. How can I ensure my temporary files do not give away info?

    My earnest advice is to invest in more RAM memory and turn off the swapfile.
    If this is not possible then at least take the bother to wipe it after every
    session. Do not attempt to do this from within Windows. It is impossible
    to reliably clean out the swapfile when Windows is still running. I have
    experimented with various wipe utilities, including the one with PGP. The
    best I have found is Scorch. To use this utility, you will need to make
    the swapfile permanent. I like Scorch because it generates random garbage
    when over-writing; it does not simply use strings of 111's or 000's.

    21. How do I make the swapfile permanent?

    In Windows, go to My Computer -> Control panel -> System -> Performance ->
    Virtual memory. Click "Let me specify my own virtual memory settings".
    Enter identical settings in both boxes. I suggest 150 Mbytes. Click OK.
    Windows will tell you what you've done and complain and ask you if you are
    sure you wish to continue, click YES. Windows will then want to re-boot.
    Allow it to do so. After re-booting you can see the file in Windows
    Explorer as Win386.SWP.

    22. Is there really much difference security-wise between using RAM memory
    instead of a permanent swapfile?

    Definitely. No matter how many times you wipe the swapfile, it is still
    possible to recover the over-written data, if enough effort is put into it.
    Whereas, using the RAM memory ensures that nothing is written to disk at
    all. This totally circumvents this problem because once the computer is
    switched off all data in RAM memory is lost forever.

    It also has the merit of safe crash close if you are raided.

    All of the above is sufficient for a level 1 security.

    Level 2. This is for those who not only wish to hide their private data,
    but wish to hide the fact that they have such data. This might be an
    essential requirement for anyone who lives in an inquisitorial police state
    where human rights are dubious, or where there is no equivalent to the
    United States 5th Amendment.

    23. What more must I do to achieve level 2 Security?

    For level 2, it is essential that you can show plausible deniability for
    all files that might contain encrypted data. The purpose is to be able to
    justify every file on your system. This section will help you to achieve
    this higher level of security.

    24. Which encryption program do you recommend and why?

    BestCrypt version 6. The latest version 6 has an undocumneted feature
    which allows a hidden (or secret) encrypted container to be created within
    the existing one. First, a normal encrypted container (or file if you wish)
    is created with BestCrypt in the usual way. Some private but legal data is
    put into the container to justify its existence. Thenceforth it is never
    again opened except to prove its contents are legal. In fact, no further
    data should ever be written to the container or the second hidden container
    will be destroyed.

    25. How is this hidden container created?

    Firstly, create a BestCrypt container in the normal way, the maximum size
    is 4 Gigabytes. Then drop into a Dos box - do not restart your computer in
    MsDos, it must be a Dos window. Then change directory to wherever the
    BestCrypt executable is stored. Default is Program Files\Jetico\BestCrypt.
    To go there from your C: drive in a Dos box type:


    You will then see:

    C:\program files\jetico\bestcrypt\

    Then type:

    bestcrypt.exe debug

    The BestCrypt screen opens. Click on the drive letter where the BestCrypt
    container resides that you intend using to create the hidden container.
    Now right click on the encrypted file. From the drop down list click on
    Properties. You will be asked to enter your existing passphrase for that
    container. A box opens titled "Change Container Properties". Beneath
    "Change Algorithm and Password" there will be a box titled "Create hidden

    Click on the button and then click on OK. You will then be taken to a new
    screen where you will be asked to confirm you understand what you are doing.
    Click on yes and next, then the next screen invites you to choose the size
    of the hidden container and to enter a new (must be entirely different)
    passphrase for your new secret container. You can make the hidden container
    as large as you wish, up to 100 per cent of the available space.

    The reason for this option is that because the offset of the hidden part is
    not hard coded, then it cannot be calculated from the container's size. The
    position of the hidden container's hash is dependant on its size and thus
    its position could be anywhere. Thus it may give additional security
    against dictionary attacks on the password of the hidden part. A small but
    significant effort to further protect your data from snoops.

    For maximum security, the internal hidden container should be a small
    fraction of the total container size, say 5 to 10 percent. However, it is
    impossible for an attacker to reliably predict this size, (or even if it
    truly exists) so it is not possible for them to know where the password
    hash is located.

    Note: If you click on properties without entering the debug program, you
    will not see the option to create a hidden container. Better yet, if
    after creating the hidden container and filling it with secret data, you go
    back and enter debug mode again, the option to create a hidden container is
    still there. It is not greyed out which might alert a snoop that such a
    container already exists. This is a crucial advantage of the whole concept
    of plausible deniability. Forensic examination of the BestCrypt file will
    not reveal anything to suggest that a hidden encrypted container exists.

    There is no data or information available to view or check on if the normal
    container is opened.

    This is because the keyfile hash of the passphrase is not marked out, it
    appears as just more random hash filling empty space within the container.

    The only possible way for anyone to prove that a hidden container exists is
    by guessing the correct passphrase. There is absolutely no other way to
    prove its existence. Neat.

    Everything is identical to normal usage. You can enter either passphrase.
    The normal one will mount the BestCrypt container, but not show any of the
    data within the hidden container. The hidden passphrase will only mount
    the hidden container and again will not show the normal data. Under
    duress, it is therefore easy to show the ostensible contents of your
    BestCrypt file.

    The more data you load into the normal container, the smaller will be the
    available space left for the hidden container, obviously.

    A message appears after inputting the hidden container passphrase that you
    have mounted the hidden container. It is imperative to check this. If you
    absentmindedly mount the normal container and write data to it, you will
    never again be able to mount your hidden container and you will lose all of
    its data! Of course this is an easy way to destroy the hidden container
    with all its data if the need ever arises.

    26. Can I create a hidden encrypted container on a floppy?

    Yes, and on a Jaz or a CD-RW disk. The procedure is identical. I
    initially had a problem of formatting the hidden container on both the
    floppy and the Jaz. But after a hard re-boot all went smoothly. I have
    no idea what the problem was.

    27. This all sounds too good to be true, are there any snags?

    None so far as I can tell. Obviously, it assumes that the use of
    encryption is legal in your country.

    28. What if encryption is illegal in my country?

    In that case, I suggest using the steganographic feature of Scramdisk. But
    ensure you create your own WAV file, by making your own recording. Once the
    steganographically encrypted file is created within the WAV file, make sure
    to wipe the original recording to prevent forensic analysis showing their
    low level data are not identical. Of course, you will need to install
    Scramdisk in traveller mode. This means running it off a floppy. But you
    will still need to hide the floppy effectively in the case of a search. I
    am sorry I cannot help you here. It must be down to your own initiative.

    29. Are there any other precautions I should take?

    Make copies of all your PGP keys, a text file of all your passwords and
    program registration codes, copies of INI files for critical programs,
    secret Bank Account numbers and anything else that is so critical your life
    would be inconvenienced if it were lost. These individual files should all
    be stored in a folder called "Safe" on your encrypted drive.

    Create a hidden container on a floppy or a CD-RW. Copy "Safe" onto the
    hidden container on the floppy or CD. You could do this on your hard drive
    and burn the BestCrypt file onto a CD-R. Cheaper, but once only usage.

    I used to say give this floppy to a trusted friend. But now with BestCrypt
    this is unncessary.

    The above is sufficient for Level 2 security.

    30. I need Level 3 Security, how do I achieve this?

    This is for those who wish to protect their computer from unauthorized
    access. Protecting themselves from hackers whilst online and snoopers who
    may try and compromize either their software or add substitute software
    that could reveal their secret passphrases.

    31. What are these threats?

    They are known as Tempest and Trojan attacks.

    32. What is a Tempest attack?

    Tempest is an acronym for Transient ElectroMagnetic Pulse Emanation
    Surveillance. This is the science of monitoring at a distance electronic
    signals carried on wires or displayed on a monitor. Although of only slight
    significance to the average user, it is of enormous significance to serious
    cryptography snoopers. To minimize a tempest attack you should screen all
    the cables between your computer and your accessories, particularly your
    monitor. A non CRT monitor screen such as those used by laptops offers a
    considerable reduction in radiated emissions and is strongly recommended.

    I have heard that in the United Kingdom where people have to pay a licence
    to watch TV, the powers that be cannot detect the radiation from the new
    gas plasma TV's when they do their street by street patrols. This suggests
    that they might be excellent from a privacy point of view.

    33. What can Scramdisk offer to help minimize a Tempest attack?

    Use its Red Screen mode. Also, once a container is mounted, click on the
    middle icon to clear all cached passphrases. This is my only serious
    criticism of Scramdisk - it does not by default immediately clear the cache.

    34. Tell me about Scramdisk's "Red Screen" mode?

    This is a very useful feature of Scramdisk version 3.01R3c. The newer
    version 3.02A which supports NT/Win2000, does not support the Red Screen

    The "Red Screen" mode inputs the passphrase at a very low level which helps
    defeat a tempest or trojan attack to capture your on screen passphrase.
    This is only available if you have a standard Qwerty keyboard. Europeans
    or Asiatics with non-standard keyboards cannot use this facility because
    the character layout at low level is not the same as displayed by the

    A possible solution with only partially non-standard keyboards might be to
    try it using only figures and letters. An easy method to test this is to
    create a test Scramdisk volume using the normal passphrase screen, then
    attempt to open it in Red Screen mode. Most of the differences between
    European keyboards are in the shifted characters above the figures. In
    which case a compromize might be reached if you use a figures and letters
    only passphrase. If this works, I would choose a figures and letters only
    passphrase of at least 40 characters in length. Of course the longer the

    35. What is a Trojan?

    A trojan (from the Greek Trojan Horse), is a hidden program that monitors
    your key-strokes and then either copies them to a secret folder for later
    recovery or ftp's them to a server when you next go online. This may be
    done without your knowledge. Such a trojan may be secretly placed on your
    computer or picked up on your travels on the Net. It might be sent by
    someone hacking into your computer whilst you are online.

    36. How do I protect myself from a Trojan?

    You must have a truly effective firewall. It is not sufficient for a
    firewall to simply monitor downloaded data, but to also monitor all
    attempts by programs within your computer that may try and send data out.
    The only firewall that I know of that ensures total protection against such
    programs is Zonealarm. This firewall very cleverly makes an encrypted hash
    of each program to ensure that a re-named or modified version of a
    previously acceptable program cannot squeeze through and "phone home". For
    maximum secuity you will need Zonealarm Pro to work with Freedom. If you
    decide not to bother with Freedom, then the freebie version is sufficient,
    so far as I can tell.

    ZoneAlarm is here:

    To understand how important this firewall is, visit Steve Gibson's site.

    Steve's site:

    Go to the "Test my Shields" and "Probe my Ports" pages.

    You can test ZoneAlarm and Freedom for yourself.

    37. How will I know when a trojan has modified an acceptable program?

    Zonealarm will pop up a screen asking if this program is allowed to access
    the Net. If it is one of your regular programs, be very wary and always
    initially say NO until you can check why this program is not now acceptable
    to Zonealarm. If it is a strange program, then obviously say, NO and

    38. What can BestCrypt offer to help minimize a Trojan attack?

    Go to Options -> Key Generators -> ShA1 and click on Keyboard filters.
    This filter helps prevent a keyboard logger from copying your key strokes
    as you input your passphrases.

    39. How important is the passphrase?

    Critically important. It is almost certainly the weakest link in the
    encryption chain with most home/amateur users. I provide links at the end
    of the FAQ, some of these should either help directly or give further links
    about how to create an effective passphrase.

    For the newbies: never choose a single word, no matter how unusual you think
    it is. A passphrase must be that, a phrase, a series of words, characters
    and punctuation intermixed.

    40. How can I prevent someone using my computer when I am away?

    Unless you have a removable C: drive which you can lock away in a secure
    place, a wall safe or whatever, your only hope is by securely locking up
    your computer so that access is extremely difficult. This may involve
    some sort of strap and lock. There is no simple and easy answer. But
    one way that can help thwart someone actually depositing a trojan on your
    machine is by PGP signing ZoneAlarm.

    41. How do I do this?

    The easiest way is by using the Windows version of PGP to check the validity
    of Zonealarm.exe and Zoneband.dll and if you have Zonealarm Pro, Zapro.exe.

    You do this by digitally signing each of these files.

    PGP offers you by default the option of a detached signature, use that
    option. It surely goes without saying that you do not use any of your
    secret Nym keys for signing these files. You should have generated a key
    pair for general use, which is for just this sort of purpose. This key is
    to level 1 security only, so use a different passphrase to the one you use
    for your secret BestCrypt container. It could be the same as your open
    BestCrypt container, of course. There is no reason to choose a simple one,
    the more complex it is, the more plausible and value you appear to place in
    the security of your open BestCrypt container. Anyway, it must be complex
    if it is to protect your sig files.

    After signing these files, you will see a new file appear with the identical

    file name but with the tag ".sig" attached. If you click on this new file,
    it will display the signature validity of the file it is checking. If the
    signed file has been tampered with in any way, it will display "bad

    Copy both of the above files, including their detached digital sigs into

    After copying across highlight all these files, right mouse click and select
    "properties". Uncheck "hidden", click "apply" and "OK". These are your
    backups for future use, it will do no harm to keep copies of all these files
    together with their detached sigs within your (secret) encrypted drive.

    Next, make shortcuts of both detached sigs that applies to the original
    files (not the backup copies) and place these shortcuts in the Windows\Start

    Menu\Programs\Start Up folder.

    When you next start Windows it will then automatically display boxes showing
    the result of testing these sigs against the original files. You now have a
    reasonable chance of catching out any snooper who has actually physically
    tampered with your machine in your absence.

    For this system to be truly effective, you must trust PGP and investigate
    any warning of a bad signature.

    42. Can you suggest any other precautions I should take to preserve my

    Always proceed on the assumption that you are about to be raided! This
    means you should take the bother to run W.bat at the end of each session.
    Always bother to check the firewall signatures on boot. If any are bad,
    check your backups and immediately copy across. Then close down and

    If, however, the signature(s) are still bad, it suggests that Zonealarm has
    been compromized. I would uninstall and then re-install from a clean
    backup. Re-boot and see if this clears the problem. If there is still
    a bad sig, I would restore the whole of your hard drive C: from a secure
    backup. It is essential that you maintain a backup of this drive off site.

    In some countries this may literally be a life or death situation. If you
    are not prepared to trust PGP to do its job properly, it is totally
    pointless going to all this bother.


    Part 2 of 2.

    This second part concentrates on security whilst online.

    There are countless reasons why someone may need the reassurance of
    anonymity. The most obvious is as a protection against an over-bearing
    Government. Many people reside in countries where human rights are dubious
    and they need anonymity to raise public awareness and publish these abuses
    to the world at large. This part 2 is for those people and for the many
    others who can help by creating smoke.

    43. I subscribe to various news groups and receive Email that I want to
    keep private, am I safe?

    Whilst you are online anyone could be monitoring your account. If you live
    in the British Isles be aware that all ISP's are required to keep logs of
    your online activities, including which Web sites you visit. Shortly this
    will be reinforced by MI5 who will be monitoring all Net activity 24 hours
    per day! The information will be archived eventually for up to seven years!

    The British Labour Government claim this Act is misunderstood and that it
    will only be used against serious criminals.

    Do you trust them? If you do, then you probably believe in fairies too.

    44. Can anything be done to prevent my ISP (or the authorities) doing this?

    There are several things you can do. First of all subscribe anonymously to
    an independent News Provider. Avoid using the default news provided by your
    ISP. Apart from usually only containing a small fraction of all the
    newsgroups and articles that are posted daily, your ISP is probably logging
    all the groups you subscribe to.

    You also need to protect yourself from snoopers whilst online. To do this
    you need to encrypt your data-stream between your desktop and a remote host.

    This host should preferably be sited in a different State or country to your

    You also need to ensure this remote host server cannot log your true IP

    45. I live in the United States why do I need to bother?

    You don't need to. But your privacy and security is enhanced if you do,
    particularly if you wish to ensure best possible privacy of posting to
    Usenet. Also, it is quite likely that many routes around the globe, even
    across the States may be routed through London. The Web is literally just
    that, a web. Thus American Email, news postings, etc are just as liable to
    be read by MI5 and who knows what they will do with this information. As
    many businesses exchange Email with total ignorance about security, I guess
    the Brits are going to go ape over all that juicy business data they will
    be gathering.

    46. Ok, you've convinced me, how do I go about this?

    You must use two programs. The first is to ensure you have an encrypted
    link from your desktop to the distant (remote) server and the second wraps
    a further layer of encryption around your data and additionally screens you
    and your IP address from the remote server.

    The two programs are SecureCRT and Freedom from Zeroknowledge.

    SecureCRT is available here:
    It costs 99.00 USD. There is a 30 day trial.

    In case you are confused by the choice of software on their page, you need
    SecureCRT 3.1.1

    SecureCRT uses several encryption algorithms within the SSH format. I
    recommend Twofish or Blowfish. These are considerably faster than 3DES.

    Freedom from Zero Knowledge is here:

    Freedom will cost around 50 US Dollars per year. You can purchase
    anonymously (recommended).

    47. How do these two programs function?

    Freedom offers you up to 5 Nyms. Each is entirely separate from the
    others, even Zero Knowledge do not know to whom each belongs. Whilst a Nym
    is selected, all data leaving your desktop is encrypted to the Freedom
    server. This server need not be in your own country.

    This is stage one. Stage two uses SecureCRT. This is the program that
    allows you to have an encrypted connection to a remote host.

    Either program can operate independently of the other. Together, they
    ensure your data is double encrypted to military grade. On its own,
    Freedom supports private and anonymous Email and private and anonymous
    posting to Usenet. It does not support private nor anonymous downloading
    from Usenet.

    But if you combine Freedom usage with SecureCRT, you will then also enjoy
    private and anonymous downloading as well because Freedom detects you have
    a telnet connection (which is true) and then protects you accordingly. So
    a further justification for using both together.

    It is not essential to buy these two programs anonymously. But a good idea
    if you can.

    To use them, just start Freedom and then start SecureCRT. Freedom will
    detect SecureCRT and will then automatically act as if there is a telnet
    connection for all net traffic.

    48. Where do I find a remote host server that supports SSH Encryption?

    Regrettably the two that I know of, Cyberpass and Minder, are both closing

    I have found that by registering a domain name and then having it hosted on
    a remote server, I have been able to use SecureCRT to log in using SSH. I
    can even set up port forwarding for Email and Usenet. I regret I cannot
    disclose my domain name or the server where it is being hosted. But a
    simple Email inquiry about encrypted logins to a range of companies
    offering domain name hosting should illicit a positive response from
    several. It took me 5 minutes.

    Subscibe anonymously, if at all possible.

    49. So how do these two programs work?

    You simply start Freedom and choose a Nym. Then start SecureCRT and log
    into the remote host.

    Freedom uses a chain of servers which each allow encrypted connections
    between them. The first server need not be your ISP. You set the
    security level which can use 1, 2 or 3 hops. The more hops the greater
    the security but the slower the connection. These can be independently
    set for each Nym. They can be changed at any time after the Nym is created
    should you choose. Unless your threat model is very high, a single hop
    should suffice for normal usage when used with SecureCRT.

    Importantly, each Nym requires a new key to be generated. Once created
    the key is constant for that Nym. Thus by changing to another Nym during
    a session (after closing down SecureCRT), a new key will be used to encrypt
    the data. This ensures disassociation between the Nyms. This offers
    greater security and encourages you to change Nyms often if you are online
    for a long period. Even more importantly, each time you select a Nym a
    fresh Active Route is created. This is vitally important because it allows
    many combinations, literally hundreds of routes to the remote host.

    Full details of the protocols are freely published on the site.
    Also, the source code is available for downloading and inspection.

    I urge anyone contemplating using Freedom to first familiarize themselves
    with these FAQ's.

    SecureCRT is a dedicated encryption program using high grade encryption
    from your desktop to a remote host server that supports the SSH format. As
    already emphasized, but I repeat it yet again, it is necessary to subscribe
    anonymously to this remote host server to derive maximum benefit from its

    50. Why?

    Because the whole purpose of using Freedom is to screen yourself from this
    server. If they already know who you are, Freedom is totally redundant.

    51. Doesn't the use of Freedom and SSH mean several layers of encryption?

    Yes. Freedom call it telescopic encryption. The data from your desktop
    computer is first encrypted by SSH using Blowfish or 3DES (your choice),
    then it is wrapped with other layers of encryption to the first Freedom
    server. If you wish, you can choose your route with Freedom version 2.
    Better reliability is achieved if you allow Freedom to choose its own route.

    But superior security is achieved by choosing your own route using three

    52. Why is this important if it is multi-encrypted?

    Because if the exit Freedom server is within the UK, it will be a possible
    target with just one layer of encryption. It would be possible for the
    snoops to determine the next hop was into the remote host. This would make
    that host a possible target. Whereas if it leaves the UK multi-encrypted it
    is a much more involved process to crack. It would be impossible to know
    its next hop as all data between Freedom servers are encrypted. Of course
    this equally applies to whichever country from which it exits the Freedom
    Network, but only the UK has openly declared it will soon be deploying
    black boxes to monitor and record all data passing through its ISP's
    servers. Worse the 3 letter agencies of the UK and Uncle Sam exchange
    juicy bits of info about each others citizens. So beware!

    53. Where does the data go after passing through the remote host?

    It then goes out onto the Web totally anonymously, or to the News Provider.
    All your postings and downloads will always be totally private. If you
    wish you can run Quicksilver through this system and add Mixmaster chained
    remailers to route through after the data exits the remote host. You can
    add as many remailers as you choose, up to 20 maximum. Be aware that the
    reliability will fall away as more are added. As the message is further
    encrypted to each remailer in the chain, this represents an exceptionally
    robust method of achieving anonymous posting.

    54. Is the data encrypted after it leaves the remote server?

    Not unless you are using a remailer client such as Quicksilver. Otherwise
    it is in plaintext. This does not really matter because by the time the
    data exits the remote server it is entirely disassociated with you.
    Nobody can do a trace without enormous resources and time. If you are
    careful and limit your time online to say, a 1 hour limit, breaking off and
    re-connecting using a different Nym via an entirely different circuit, any
    hacking attempts will be frustrated and made enormously more difficult.

    Incidentally, Freedom use 1 hour session keys whilst you are online. At the
    end of each hour they are discarded and new ones negotiated. This is done
    transparently to the user. So even if the data were recorded, unless they
    get the key within an hour, it is irrecoverable except by a brute force
    attack. Likewise, you cannot legally be forced to hand over what you do
    not possess.

    55. How do I get onto Usenet?

    As already stated, do not use your own freebie news service offered by your
    ISP. You must subscribe anonymously to a dedicated and independent News
    provider such as Newscene or Newsfeeds. Regrettably, the best news
    provider, Altopia does not support anonymous sign ups.

    56. Freedom say they do not support encrypted downloading from a dedicated
    news provider, they also claim it is not necessary. Do you agree?

    No, I do not. Freedom are justifying what is a necessity with their
    present version of their program. However, this only applies if you try
    and log onto the news provider directly using Freedom alone. If you
    subscribe anonymously to a remote serve, you gain not only the benefit of
    being totally screened from the remote server, but also all your News
    Provider's uploads and downloads are also totally private. This is because
    as far as Freedom is concerned, you are making a telnet connection to the
    Web and all telnet activity is always encrypted and anonymous.

    57. Are there any precautions I should take before choosing a News

    Before subscribing to any news provider, even anonymously, make absolutely
    sure that it does not reveal your NNTP posting host in the headers. Even
    with the anonymity provided by a remote host plus Freedom, you still need
    the extra layer of anonymity provided by the news provider stripping away
    your anonymous posting host header. This frustrates any attempts to back
    track to your chosen remote server. Some News Providers claim to never
    keep logs. I never believe them. It is in their commercial interest to
    know which groups are the most popular to ensure the optimum balance of
    disk space and retention times. It is possible that they destroy these
    logs after, say, 7 days. But never assume this. The main criteria of
    choice for your potential News Provider must be its stripping away your
    NNTP posting host IP address from the headers.

    58. Couldn't I use the remote host as my local ISP?

    No, definitely not.

    59. Why not?

    Because otherwise you can be traced instantly by the phone company. It
    totally defeats the whole purpose of using Freedom to be anonymous.

    60. What is the difference between a dialup and a shell account?

    The dialup is what it says. It is your normal account with your Internet
    Service Provider (ISP). With a shell account you connect to your ISP then
    use the Net to make a telnet connection to a remote server. All your Net
    activities, Email, Usenet, Web browsing are then done through this remote

    It is the multi layering of the encryption, plus the total anonymity of
    using Freedom together with the remote host to an anonymous account at the
    News Provider that almost guarantees your safe anonymity.

    61. Why do you say "almost"?

    According to Freedom it would take the combined efforts of a Government
    security agency to hack into Freedom. They claim it would be extremely
    time consuming, but nevertheless, it could be done.

    That is with using Freedom alone. Factor in the extra layer of SSH
    encryption together with anonymous signups to the remote server and the
    News Provider and it means an awful lot of bother just to catch someone.
    That is why I recommend all to use this technique as it will be of real
    benefit to those unfortunates in countries with tyrant Governments. Makes
    their job very much more difficult, if not downright impossible. If you
    additionally use a remailer client configured to route the message via the
    Mixmaster remailers, it would be horrendously difficult and truly doubtful
    if it would be economic to even attempt to hack back to you.

    62. Should I run these encrypted programs from within my encrypted drive?

    For level 1 security you could run it from your C: drive. But for
    better security you will need to run it from your encrypted container.
    This means both SSH and Freedom should be installed on and run from your
    encrypted drive. This is essential for level 3 security because it
    insures against anyone accessing your computer in your absence and
    substituting a cracked version of your programs or keys. If hacked,
    anybody could be monitoring your traffic.

    The addition of Freedom also helps to protect you if the remote server key
    has been hacked. It would require an awful lot of effort to trace you.

    63. Are there any problems using what is in effect quintriplicate
    encryption (SSH, up to 3 layers of Freedom plus Scramdisk) together?

    On a modern fast computer, these multiple layers of encryption are totally
    innocuous. If you have added copious extra RAM, as recommended to obviate
    using the Swapfile, you will find your computer runs much faster which will
    most likely compensate for the encryption overhead. However, the data
    transit speed is considerably slowed up due to the many nodes in transit.

    I have had odd problems which seem to be caused by the chosen route taken
    through the Freedom network. Occasionally I get a "host unknown" error as
    I attempt to log in to the remote host server. If I change my Nym with
    Freedom and re-try, so far it has always worked on the second attempt.

    64. How do I configure Freedom?

    It is very easy, but do read the fine manual before you generate a Nym.
    Anyway, always assume your first Nym is compromised.

    65. Why?

    Because you may generate it within minutes of installing the program and you
    may later regret some of the config settings after you learn more about it.
    Each Nym is isolated from the others, so it gives you the chance to learn a
    little about the program before using it seriously.

    66. How do I configure SecureCRT to work with a remote host?

    Read the FAQ at

    You simply log into the remote server with your password and minimize the
    SecureCRT screen once connected. That's it!

    To use Agent or Netscape you need to specify "localhost" in the settings of
    these programs.

    Warning! Do not give your remote host Email address to Freedom as a contact
    when buying Freedom. Far, far better to give your true Email.

    67. Why?

    Because there is no worry that someone at Freedom knows you have bought the
    program. But it is imperative that they do NOT know any of your Nyms on
    route. This particularly applies to your remote host username. Many
    people lose sight of the fact, that it is vital to distance yourself from
    your Nyms. This means you never use any of your Freedom generated Nyms
    openly on Usenet. Their greatest benefit is to screen you; by openly
    publishing them you have immediately given away half your anonymity that
    you have so carefully built up.

    Of course, you may choose to deliberately use one Nym for light anonymity,
    just as I have for anyone wishing to contact me about this FAQ.

    Your Nyms are hidden whilst you surf the Net or whenever you are using
    Telnet, such as when you are logged into a remote server. Only when you
    send Email or post to Usenet do you need to be concerned at your exposing
    them. Of course this is why you have bought them, but I would not use them
    openly, if only to avoid spam.

    I am talking here about extreme anonymity. This does not apply to the
    casual poster. But if your liberty depends upon your anonymity, then be
    very careful about how you use them.

    68. What happens if I forget to start Freedom?

    Your ISP address may (possibly) be logged by the remote server. If it does
    happen, simply close down the connection and restart using Freedom. But
    wait a few minutes to avoid anyone monitoring the remote from sussing that
    the two log-ins were from the same person.

    Always check the "TLNT" green light is lit on the Freedom box before
    posting. This ensures that your traffic is being routed via the remote
    host server and not directly out from your ISP.

    Also, most important, Freedom will only function as intended if a Nym has
    been selected.

    No Nym, no anonymity. Period.

    69. Is there an alternative way, something simpler?

    Yes. You can post via a proxy such as Yahoo or Hotmail. But I treat these
    as soft anonymous. Don't use them for anything critical.

    70. How about Email with Freedom and SecureCRT?

    You can set up Agent to be your Email and Newsreader client. I would
    recommend using it to download from Usenet and to receive your Email from

    Freedom has a basic spam filter, I recommend you use it

    However, using Agent to send Email and to post directly to Usenet is not
    nearly as hard anonymous as Quicksilver. Fine for most activities, but if
    you need absolute security it would be wiser to use Quicksilver.
    Quicksilver is intended to be used for Email or posting using the Mixmaster
    anonymous remailer network. This ensures the strongest possible anonymity.

    Far stronger than the older Cypherpunk remailers.

    71. How do I configure Agent as a news reader using the telnet connection
    through a remote server?

    Firstly, you should change your assigned password for the remote server.
    Type "passwd" (without the quotes) at the command line in SecureCRT after
    logging in. Follow the on screen instructions.

    In Agent, open Options -> User and System Profile -> User

    Under "News Server Login", ensure Login with a Username and Password is
    checked. Type in your username exactly as given to you by the news
    provider. Enter your password. Check "Remember Password between sessions"
    Both are case sensitive. Uncheck "Login with Secure Password

    Click OK.

    Now go to Options -> User and System Profile -> System. Put "localhost"
    without the quotes into the News server box. Check Server creates Messages
    out of order.

    Click OK.

    This ensures that all Usenet downloads are via your remote server.

    72. How do I ensure Freedom decrypts incoming Email automatically with

    Assuming you have a regular Email client for your non-anonymous mail, such
    as Outlook Express, I would recommend you configure Agent for your Freedom
    Email. Zero Knowledge now have their own POP server for Email, which can
    be accessed directly using Freedom version 2.

    In Agent go to Options -> User and System Profile -> System. Click on "Send

    Email messages with SMTP", enter in the Email server box.

    Ensure that "Send Email messages with MAPI" is unchecked.

    Click OK.

    This ensures your sendmail is routed via the Freedom network.

    Now, Options -> Inbound Email -> Check "Receieve Email with POP", Enter
    "" in the POP server box.

    Check "login with a username and password",
    Check "Use APOP if supported by the server"
    Enter "freedom" for both the username and the password.
    Check "Remember password between sessions".
    Uncheck "Login with secure password authentication"
    Uncheck "receive Email with SMTP"

    Click OK

    This ensures your incoming Email is from the Freedom server.

    To set up Quicksilver for Freedom Email do the following:

    Click on tools -> POP accounts -> new ->

    Type freedom into login ID and into the POP3 host box and
    as the password. Click OK and OK again to close the pane.

    73. I prefer to use Eudora/Anawave Gravity/Xnews, etc as my Email client,
    how do I set them up?

    Sorry, I don't know. You will have to experiment for yourself. Although
    I have used several other Email clients/newsreaders, I like and use only
    Agent for receiving News and Email and Quicksilver for all postings of
    News and Email.

    74. Why particularly Agent?

    Because Agent allows me to personalize each news group with a different Nym
    and/or signature. This might be possible with other news readers, but I
    have gotten used to Agent.

    75. How is this done?

    Set your default settings by opening Options -> System and User Profile ->
    User. Enter whatever Email address you wish, it might be a spoof if you
    wish. Its only critical value is it must have the "@" sign in it. In fact
    that is all you need enter if you choose. The remaining lines can be left
    blank if you wish.

    Open Options -> Posting Preferences -> Signatures. You should create
    whatever sigs you may wish to use. Create as many as you wish. You can
    have one per news group if you like. Take your time to browse through the
    other options and set up your preferences.

    These are your default settings.

    Choose a News Group. Open Group -> Properties -> Post, click on "override
    default settings" Now choose a signature from the list of those you have
    previously created. Next browse through the list of options from "Bcc"
    through "From" to "Summary". Each of these can (your choice) be selected in
    turn. As each title is highlighted, click on "Override default value" for
    that title.

    Now enter whatever you wish in the space below it. Now uncheck the
    "override default value" and whatever you have typed will appear next to the
    highlighted title.

    This information will apply to just the news group you have chosen. You
    will need to repeat this for each group for which you wish to set a
    different value.

    These options mean every single group can, if you wish, have unique "Sender"
    and "Reply-to" and unique signatures.

    76. Can I post graphics anonymously to Usenet with this system?

    Absolutely. Just make certain that you use Freedom with an active Nym and
    then your remote server with SecureCRT. Freedom will always ensure that
    all outgoing traffic is via the remote server (provided you have set up
    Agent to use "localhost" as described above).

    Agent will always use your News Provider as the posting host. This is why
    I recommended you subscribe anonymously to this news provider. Nothing
    can then be traced back.

    Quicksilver will always use one of the mail2news gateways. These are
    intended to be hard anonymous and when used together with these other
    recommendations should ensure extreme anonymity. But the remailer network
    does not readily accept large files, such as graphics. This need not be a
    significant problem as you can use Agent, provided all the other measures
    have been strictly adhered to.

    77. Why, particularly Quicksilver, what about Private Idaho or Jack B.

    I found Private Idaho far too buggy and not as intuitive as Quicksilver.
    JBN2 is very sophisticated, but appears to need more maintenance to keep it
    working. Quicksilver on the other hand, appears to be so easy to configure
    and is far more intuitive to use.

    78. Which Email address should I use?

    Your choice. Use Freedom or you could use you remote host as an Email
    address. Personally, I would not do that. I would prefer to give out one
    of my Freedom Nym's.

    79. Why?

    Because if you regret your choice, you can abandon that Freedom Nym. It is
    far more difficult and bothersome to change your remote host username.

    For even stronger security create a Nym at one of the Nym servers, such as, or at and point your reply block to a news
    group such as news:alt.anonymous.messages.

    80. How do I do that?

    You will need a remailer client such as JBN2. This is a very sophisticated
    program and will take some time to learn to use correctly. But once
    learnt, it offers you the opportunity to create as many Nym's as you wish.

    81. Are there any other suggestions?

    Immediately you finish a posting session, break the connection. Close
    SecureCRT and change your Freedom Nym. This ensures new session keys are
    generated. Log in again over the new link. It is not quite so necessary
    to close Freedom, but I would certainly change your Freedom Nym before
    commencing posting again. This ensures a different route is created to the
    remote host. Anybody attempting to hack in along the way is foiled.

    Never stay online whilst posting for longer than 1 hour maximum with any
    particular Nym.

    Always post at different times, do not create a regular pattern of postings
    at specific times and days of the week.

    82. Surely all this is totally over the top for the majority of users?

    It is certainly over the top for 99 per cent of users for 99 per cent of the
    time. If, however, you are the one in a hundredth and you do not much like
    the idea of being at risk for 1 per cent of the time, then no, it is not
    over the top at all. Using these tactics helps create smoke which in turn
    helps protect those who really do need all the protection and security they
    can get.

    Remember this FAQ is intended to help many different people. Some may be
    living in deprived conditions, in countries where human rights abuses are a
    daily fact of life.

    I must emphasize again, the more that take up these suggestions the easier
    it is for those people to hide themselves amongst the smoke.

    83. Can I use IRC in this way?

    Freedom boasts that you can be anonymous on IRC. But I am very dubious of
    this. Take your chances, but do not blame me if it all ends in tears.

    84. Can I be anonymous as far as other Web sites are concerned?

    Yes. Freedom alone is sufficient for this.

    85. What about spammers who offer "totally anonymous Web-surfing", etc?

    I don't want to harm anyone's commercial enterprise, but ask yourself, do
    you really believe anybody with a vested interest in their business cares
    two hoots about your safety?

    These people always charge you money, usually requesting a Credit Card,
    which means they can identify you. If you are going to pay out your hard
    earned cash at least use it to buy true anonymity.

    86. Lastly, what do you say to the charge that this FAQ may be useful to

    As someone once said, the sun shines on the righteous and the wrong-doer
    with impartiality.

    We might as well ban cars, kitchen knives, guns, etc., because of their
    potential to aid criminals. We must balance the benefits against the

    There will always be those who seek to control others lives, using whatever
    scare tactic they can. Ask yourself, could there be a hidden agenda behind
    their concerns?

    Who benefits the most if Governments are allowed to reduce our freedom of
    choice? The Government or us?


    1. always, always, lurk before leaking.

    2. always use encryption, whatever else you do.

    3. always start Freedom with an active Nym, before logging into your
    remote host.

    4. always post via your encrypted and anonymous remote host to your
    anonymouly subscribed News Provider.

    5. never ask of anyone nor give anyone online, your true Email address.

    6. never DL any file with .exe, .com or .bat extension from a dubious
    source. If you do, don't run it.

    7. for your own protection, never offer to trade any illegal material, nor
    ever respond to those seeking it, even anonymously.


    If you believe any part of this FAQ is wrong, misleading or could be
    improved, please Email your comments and I will take them onboard.

    To respond to me personally, email me at
    and include your PGP key with your message if you expect an encrypted

    Please use my key, below, to encrypt your message to me.

    My key fingerprint: F4A7 05A0 7618 252B B10A C1BF 5C29 C0A2

    Type Bits/KeyID Date User ID
    pub 2047/7CECC929 1998/07/06 Doctor Who <Doctor_Who@Freedom.Net>

    - - - - - - -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: 2.6.3ia

    - - - - - - -----END PGP PUBLIC KEY BLOCK-----


    This ends the FAQ. What follows are some links which might prove helpful.


    Version 15

    Version: 6.0.2ckt

    -----END PGP SIGNATURE-----

    [ 02-19-2001: Message edited by: Marine06 ]

  2. #2
    Regular Member Scoot's Avatar
    Join Date
    Oct 2000
    Spokane WA. USA


    Thanks for the informative document.
    Would it have been possible to post a link?
    Some good information there and some questionable.
    I assume someone would need EXTREME privacy to go to those extremes.
    It seems as if it was written for citizens of countries under totalitarion rule?


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts