Introduction to Privacy

It is now largely taken for granted that there is no privacy in the digital world, at least as the term was understood historically: a plethora of new commercial technologies now offer us many heretofore unknown advantages like popup and banner ads that collect our personal information, software that watches us as we surf, spam, cell-phone tracking and location-based advertising, and other goodies too numerous and depressing to mention. This happens because you've been (literally) sold a Big Lie — the lie of  "free, <just click here>."
 

Who Pays for Internet Freebies?
The short answer is, you do; or, more precisely, your personal information does: welcome to the Digital Fishbowl.

Every web page resides on a computer called a 'server;' every server has a high-speed, broadband connection; and, both servers and broadband data (T1) connections are expensive. Popular websites have 'server farms' consisting of hundreds or (in the case of Google, Hotmail, and Facebook — each with hundreds of millions of users) thousands of servers. Highly skilled people are required to set up and maintain ('administer') these server farms on an ongoing basis, and someone has to pay them.

These are the ineluctable facts behind the Internet mantra TANSTAAFL (There Ain't No Such Thing As A Free Lunch). You should always bear in mind that there are, in reality, no popular websites/services that are truly 'free;' and so, as a user, the question becomes “How does the website/service make money?”

Most popular sites and services generate their cash flow by displaying advertisements; and, since you are unlikely to read or respond to an ad unless the advertised product or service interests you, to maximize their income most internet advertisers try to collect information about people that will allow them to 'target' their ads (= select which ads will be displayed when you visit a site based on what they think you will buy). To do this effectively, they need to collect as much information about you as they can.
 

Online Tracking: Milking the Rubes
Whenever you go to an ad-supported website, your browser is silently returning personal information to either the web page server or (more frequently) a third-party adserver: this may include your name, username, email address, which pages you visit and how long you spend on each page, the words you type into search boxes, what ads were displayed and whether you clicked on one, as well as technical information about your browser and operating system.

The online techniques for invisibly tracking and monitoring your Internet use include cookies, web bugs, and javascripts; default packet-header (connection) information like the  user-agent  [platform/version, browser/version: often used to target "rich media" ads] and  referer  field  [the URL of the page you last viewed: used to "connect the dots" as you browse]; and network trouble-shooting tools like reverse DNS lookups. These are all part of your Internet connection and the pages you view; and, unless you take specific actions to prevent it, they will automatically  return information to the ad company profilers.(1, 2 ff.)

The information is collected, collated and stored under a unique ID number; and, in a surprisingly short time, a significant amount of information about you, your browsing habits, and your interests will accumulate in a dossier called your 'profile.'  It is the sale of this information that pays for most of the (nominally)  ‘free’  websites and services.

Most people are unaware of how extensive these profiles are; and, with the baby-boomers aging (and, as a result, buying less) tracking and profiling of children has also become a primary industry objective: any parents who may doubt this should read the actual text of the (horribly mis-named) Children's Online Privacy Protection Act of 1998 (COPPA).
To better understand the issues, I suggest you read the EPIC.org Privacy and Consumer Profiling” page for a comprehensive analysis of the type of information that is being collected and how extensive the practice has become, then check out the CEXX.org  spyware database for an eye-opening look at some of the online forms.

This bankshot payment model works because, although it may seem slightly counter-intuitive, in the United States you don't actually own your personal information, including your name, address, marital status, and — despite the fact you (usually) pay a monthly fee for them — your telephone number and email address : the information legally belongs to whomever collects and collates it; and, in most instances, the (new) owner is under no statutory obligation to obtain your consent before collecting or distributing ('sharing') it, either.

If you are concerned about this, you should carefully  read the website ‘Privacy Policy’ (usually found as a link in very small type at the bottom of the page); and, you should always read the ‘Terms of Service’ before  setting up an account with services like Hotmail or Facebook.  The Privacy Policy will outline what information a site collects, how it is used, and with whom it is shared; and, the Terms of Service are a legally binding contract: if you sign up for the service, it is assumed that you accept the TOS.

Many users simply ignore website privacy policies and most don't bother to read the TOS when they set up online service accounts. Many of these folks are upset — later, after the damage has been done — when they find their inboxes clogged with spam, their (snail)mail boxes filled with junk mail, their meals interrupted with automated telemarketing calls, and (increasingly) their cell phones bombarded by text-mail advertisements.
 

Data-Mining: The Government Digs In
Even if you are among the one-third of people surveyed who aren't concerned about the admakers' information collections, there are other players at the table who are  interested: in response to the 9/11 terrorist attacks, the Department of Defense instituted the TIA (Total Information Awareness) program

“to identify terrorists and prevent terrorist attacks by creating the tools that would allow analysts to "data-mine an indefinitely expandable universe of databases." …[And, w] hile the stated goal of TIA is to "detect, classify and identify foreign terrorists" to "defeat terrorist acts," as with any data-mining regime, absent controls TIA profiles can be used for whatever purpose the government might devise.” 1, 2
Even scarier, that TIA "universe of databases" includes all governmental databases (State, Federal, and local) as well as private (corporate sales and marketing) ones.

You should also be aware that email is the digital equivalent of a postcard,
“Messages travel from machine to machine open and available, just like the messages on the back of postcards. As those postcards move through the network, anyone on a machine that handles them can read the messages. People may choose not to, or they may not have the access privileges to do so easily, but the only security anyone has is based on the honesty, ignorance, and indifference of those at the intermediate points. 
[from E-MAIL SECURITY: How to Keep Your Electronic Messages Private  by Bruce Schneier; ISBN 0–471–05318–X]
and that 80% of all email sent in the clear (i.e., unencrypted) is routinely scanned for keywords by the NSA's ECHELON network.  And if that is not troubling enough, the NSA also took over the DoD's post-9/11 TIA (Total Information Awareness) program after Congress killed its funding in response to public outrage.

See  [1],  [2  §2.4–2.4.1],  [3],  [4], and  [5  §III. B.] for more details; and  [6] and  [7 ff.] for information on using personal encryption to protect and authenticate your email and secure your digital files.()

Orwell modelled his famous novel 1984  on Stalin's dictatorship, but he could not foresee that Big Brother's constituents would someday buy, install, and maintain the surveillance cameras themselves: move over Uncle Joe — here comes B.B.D. & O.
 


So, here we stand today — with detailed dossiers of personal information that past tyrannies could only dream of, and a broad, bright Information Superhighway that is largely paid for by pimps who are peddling your ass all over town: this is the contemporary, rather sordid model of the commercial Internet.

But it doesn't have to be that way.

Truth, Reality, and User Choice 
The first unavoidable, unpleasant, and terribly real fact that you must confront is that someone has to pay  for all those websites and services;  so, if you are convinced that there really is  a free lunch, you might as well stop here. But if you are troubled by the dangerous possibilities inherent in vast collections of digital dossier data or simply annoyed by Internet ads that follow you around, there are things you can do about it.

The first, obvious step is to "vote with your feet."

Taking Charge
The next step in protecting your privacy involves taking control of your computer, and this involves another unpleasant truth: you have no effective control at all over apps that are not local to your own machine and no control over access to data that is not stored on your own hard drive — so trusting everything to the Cloud isn't going to work.

Before submitting to the blandishments of businesses that stand to make enormous profits by selling information about you to advertisers, you should keep two salient points in mind —

(1)  You don't own your data when it's in the Cloud,
Files on your own machine are (legally) your property, and you control access permissions. If, on the other hand, your data is in the Cloud, the server where it resides has both access and ownership  privileges — regardless of your choices.

(2)  And you don't own your apps, either.
On your own machine you  decide what programs to install and how they run. But, if the services you use are located in the Cloud, you can't select what software you will use(1, 2) and you have no control over how it operates, either — and, as one tech remarked, “when you double-click on an application, you are turning control of your machine over to the progammer who wrote the code.”

For more information see  [1 ff.], or ask Emerald Technologies for a copy of the sh reference file “Lost in The Cloud ”.

If you want to have choices, you will have to learn how to do your own dirty work: installing and maintaining your own software and managing your own files.

The keyword above is learn  because, as I said at the beginning, there is no free lunch: you will have to pay the same price everyone pays — some of your time. Learning to use a computer is not difficult, but no one is going to bother to teach you, either: after you've bought a machine and paid for an Internet connection, the vendor(s) have no further financial interest, so you'll have to learn the basics for yourself. You'll find it easier if you keep the following four points in mind:

  1. Learning to use a computer means understanding a few basic concepts (how data is organized: files and folders) and techniques (copy and paste; opening, saving, and moving files). Unfortunately, learning this type of background knowledge is boring — but, without it, you can't understand how to do what you want  to do; and, what's worse, you won't know enough to make any choices (for example, about how your software runs or how to protect yourself on the Internet).  “Perseverance furthers:” be patient.

  2. I recommend you set aside one, uninterrupted (e.g., turn off the cell phone) hour a day to study something like the Windows for Dummies  book.  Do it at the computer  so you can try things out as you go along.

  3. Try to help yourself before you ask for help: always read files named 'README'; learn how to use the Google 'Advanced Search' options to search the Internet; and, (for programs) click on the 'Help' button at the top of program window and read the 'Help' files.

  4. If you have to get more help, learn how to ask questions.

    For example,
    BAD question: “I'm using Windows and after I installed {program X} I keep getting error messages.”

    GOOD question: “I'm using Windows XP Professional, and after I installed {program X, version Y} I get an error message whenever I {exactly what you were doing: the web page you were on, the button you clicked, etc.} that says '{exact message, just as it appears on the screen}'.  I read {topic 1, topic 2, and topic 3} in the program Help files and tried {futile attempt 1, futile attempt 2} but it didn't seem to help. I went to the program website and looked at {online help topic 1, online help topic 2, and the 'user questions' page}, but couldn't find anything that seemed related to my problem. Then I went to Google and searched {search terms}, but the only link that seemed like it might be related ({pasted-in link to the website}) told me to {website instruction}, but when I tried it, that still didn't help.”

    [Question one can't be answered — there's not enough information — and no one would want to bother, anyway. This type of question often gets you a steaming heap of bad attitude rather than an answer.
    Question two *WILL* get an answer (guaranteed!): you've given at least some of the technical details necessary (if the person who volunteers to help you needs more, they'll ask) AND (most importantly) you've already tried to help yourself.]
     

‘Free’ Software: The Spies Among Us
A lot of the software on your machine is watching you — including most of the Internet programs that come with Windows; so, for Windows users the easiest way to "harden" your computer (= increase the level of both security and privacy) is

(1)  don't use Outlook or Outlook Express for your mail (see  [1]).

(2)  don't use Internet Explorer as your default browser (see  [1]).

(3)  don't use Windows Media Player for online multimedia (see  [1],  [2]  or your local service tech for suggestions).  And,

(4)  For more fine-grained control as you browse, use a web filter.

But, while that will certainly help protect you, there is still the question of all the other  apps on your machine — and which of them is spyware.

‘Spyware’ is adware (= software that downloads ads onto your computer) that is usually "bundled" with another program (= installs with another program). The software company gets some revenue from the advertisers, which means they don't have to sell their product for cash to make a profit.
Infected software is often (incorrectly) termed "freeware," although some software distribution sources distinguish between true freeware (software for which the author is not paid) and "adware" (software for which the author is paid by advertising and marketing companies).

Since you are ultimately responsible for the software on your computer, to avoid spyware problems you should:

And, to give you more control over which programs are allowed to connect to the Internet,

But unless you accept that someone has to pay for the Internet, all of this is simply (and literally) passing the buck.
 

Paying for Lunch: The Buck Stops With You
(The short form)  If you want it, need it, or just like it — be prepared to pay for it.

(The dirty details)  There's a lot of great, real  freeware on the Internet: some of it is available for free to individuals but paid for by business users [1, 2]; some of it is written by programmers who simply like to code [1]; some of it is available for free in simpler or less powerful versions, but paid for by users who buy the enhanced/superior version [1, 2]; some is written by teams with many contributors who donate their time [1, 2]; and some of it is available for free to the needy, but those who can afford to pay are asked to donate to the cause (payware on the honor system) [1, 2].

Likewise, there are a lot web pages that offer truly free information and services: some of these are written by people who want to help or advance a personal cause and posted or shared informally (like this one); some, like the software above, are written by teams with many contributors who donate their time (the various 'Wiki' sites); some are paid for by the author [1, 2]; and some ask for donations to defray the cost of hosting them [1, 2].

If you use the (real) Internet freebies, you can (and should) donate whatever you can: if you can afford the money, cash is always welcome; if you have programming skills, you can join a development team; if you have knowledge, you can share it; and — failing all else — you can help your neighbors and friends by sharing information and links.  But unless you want to only have Internet websites, software and services that are paid for by greedheads who are selling you, you better be prepared to pony up something.
 


REFERENCES AND RESOURCES

SECURITY AND PRIVACY:  INFORMATION
WebsiteInformationComments
GRC.comSecurity
and
Privacy
The ShieldsUp section of the site will probe your system for security vulnerabilities. There is also a privacy FAQ, an assortment of freeware utilities, and a number of technically sophisticated newsgroups. The site provides beginners with excellent background explanations of technical issues.
EPIC.org
(Electronic Privacy Information Center)
PrivacyA primary source for both on- and off-line privacy information.  Highly recommended.
EFF.org
(Electronic Frontier Foundation)
PrivacyEFF was formed to maintain and enhance intellectual freedom, privacy, and other civil liberties and democratic values in networked communications.  Highly recommended, especially for voters.
Privacy.netPrivacyOn- and off-line privacy information, including extensive archives on consumer privacy at federal and state levels.
Privacy Rights ClearinghousePrivacyGeneral on- and off-line privacy information, including news postings and alerts, factsheets, case law, and sample opt-out letters.
Consumer Privacy GuidePrivacyBeginner-level privacy information, including on- and offline HowTo's
Privacy Foundation.orgPrivacyA wealth of technical information on various online privacy issues.
CEXX.org
(
Counterexploitation.org)
PrivacyA primary source for comprehensive spyware information.  Highly recommended.
pcHelp's Home PageSecurity
and
Privacy
Well-written site has in-depth source information on various security and privacy issues and several useful Win32 freeware (batchfile) "utilities."
Computer Emergency Response Team (CERT)SecurityTechnical advisories on fast-breaking security risks from the Software Engineering Institute of Carnegie-Mellon University.
Computer Vulnerability EvaluationsSecurityIndependent, standard listing (CVE/CAN numbers) of platform/software vulnerabilities.
ICAT Vulnerability IndexSecurityNIST listing of computer vulnerabilities, including description, damage potential, vulnerable software/versions, and links to patches.
SecurityFocusSecuritySecurity news and alerts, including the Bugtraq mailing list.
Microsoft Security PatchesHotfix Patches
and
Security Bulletins
Patches for all currently supported Windows platforms are posted on the second Tuesday of each month. Patches for critical vulnerabilities are posted as soon as they are ready for release, and often apply to other MS software (such as MS Office and older versions of IE/Windows).
PacketStormSecuritySecurity information
Crypto-GramSecurity
and
Privacy
Bruce Schneier's free monthly newsletter provides a witty and eminently readable resource about security and privacy issues from one the Internet's most highly respected authorities. Highly recommended.
See also  [1 and 2],  [3];  and, (if available) your copy of the sh  [Files 5.0] CD-ROM.
 
SECURITY AND PRIVACY:  SOFTWARE
Web Browsers
Alternatives to Internet Explorer
ProgramDescriptionNotes
MozillaOpen-source/freeware browser based on the Netscape browser codeA full-feature browser with built-in email client; probably the best choice for most users. Doesn't support ActiveX, allows checkbox disabling of JavaScript (either globally or for mail/news), and – because of the open-source coding – vulnerabilities are typically patched more quickly than with MSIE.
FirefoxNew open-source browser from the developers of Mozilla (above)Fast, flexible stand-alone web browser with tabbed browsing and a smaller footprint than Mozilla, but similar privacy/security control advantages. Most users will also want to download the Thunderbird email client (below).
AmayaW3C browser and online HTML editor“Amaya is both a browser and an [HTML] authoring tool dedicated to the World Wide Web.”  Unlike IE and Front Page Editor, Amaya meets all WWW and HTML web standards.[]
OffByOneFreeware HTML viewer/web browserPortable executable mini-browser (~1.8 MB) reads/writes Favorites, opens almost all html-type files, has proxy and SSL support but doesn't support script.
See also  http://browsers.evolt.org/  for a comprehensive listing of other browers
 
E Mail Clients
Alternatives to Outlook/Outlook Express
ProgramDescriptionNotes
ThunderbirdOpen-source freeware HTML email clientStand-alone version of the Mozilla email client; doesn't support ActiveX and options allow disabling JavaScript for mail/news.
EudoraFull-featured payware stand-alone email clientDefaults do not support HTML/scripted mail, so this is a good choice for businesses/users with security and privacy concerns; but, be sure the options invoking Windows/IE system resources to open HTML mail (run scripts, etc.) are disabled. The (nominally) freeware version has spyware — so if you want it, buy it.
Pegasus MailFreeware stand-alone text-only email clientA good choice for users with security and privacy concerns; but, users must be able to configure the program without help since the freeware version doesn't come with a User's Manual (which is sold separately).
K9

Freeware Bayesian spam filters

(See Paul Graham's “A Plan for Spam” for the classic reference.)

Unlike payware anti-spam services which maintain and update lists of spammer domains (which the spammers routinely change) or known spam email servers (which spammers evade by spoofing their IP address or using zombied machines to forward their emails), these freeware filters detect the actual wording of advertisements — which the spammers cannot change. The tradeoff is that you have to spend a bit of time "teaching" the filter by checking the 'spam' directory for misfiled emails.
See also “FAQ: How do spammers get people's email addresses?
 
POPFile
Annoyance Filter
 
Local Proxies
Filter your Internet connection
ProgramDescriptionNotes
ProxomitronFreeware portable executable edits header information and web page code on-the-flyProxomitron is no longer actively maintained but remains one of the best and most flexible programs available (and my own, personal choice). The 'Help' files are comprehensive and easy to read, and a user's control is only limited by his/her willingness to read them: the further you read, the more control you will have. Runs on all Win32 platforms up to and including XP/SP2 and on Linux/WINE. Users of Windows Vista/7 should check the website for platform compatibility issues.
Internet JunkbusterFreeware open-source local proxyThis is oldest web-filtering proxy, but it is not as easy to use as some and not as flexible as Proxomitron; runs on all Win32 and most Unix platforms.
GuidescopeA "simplified" version of Internet Junkbuster (above)Unfortunately, this used to only be available for Win9x platforms; but, my information is out of date and you should check the website to see if your browser/platform is supported with the latest version.
WebWasherProprietary proxy from Siemens AG; freeware for individual useAnother flexible and powerful tool that is easier to use than Internet Junkbuster, but not as comprehensive as Proxomitron; runs on all Win32 platforms, several Unix platforms, and MacOS. Again, my information is out of date; and, since the site has been sold to a payware vendor, you should check to see if the freeware and Mac versions are still available.
 
Blockfiles
Automatically kill tracking/profiling connections
John's No-ADS proxy auto configuration scriptA browser-based ad-blocking script that works with most browser/versions and all platforms (including MacOS).A .PAC (proxy automatic configuration) file that is an intermediate choice between stand-alone local proxies (above) and HOSTS blockfiles (below). Documentation on use is commented(-out) within the file, and there are step-by-step instructions for editing each line of code to work with almost any possible browser/proxy configuration.
[I suggest reading the blockfile sections carefully during setup: there are some adservers allowed for reasons that you might not share (and which you can block by editing or un-commenting the code), and a number of sections where you may wish to add your own entries.]
PGL's HOSTS filesHOSTS files for all Windows and most Unix platformsA simple, pre-formatted text file that, when dropped into the appropriate system directory, blocks connections to banner advertisers and profiling sites. Files can be edited (so you can add sites) and/or merged with other HOSTS files.()  [Provides the same site-blocking as the local proxies (above) but no other filtering.]
PGL's list blocks 3400+ top-level domains, and is also available in other formats (MS registry blocklist, cookie blocklist for IE and Mozilla/Firefox, etc.). Recommended for beginners and those who are only concerned with the worst offenders.
Stephen Martin's list blocks 10,000+ domains, but some entries may cause users connection problems with certain sites. Best for more advanced users or those willing to learn.
Both sites have detailed information on using HOSTS and links to supporting privacy information.
Stephen Martin's HOSTSThe classic HOSTS ad-blocking files, offered in a stand-alone format (127.0.0.1) or for use with a local proxy (0.0.0.0)
Willem's ListStephen Martin's HOSTS for ProxomitronStephen Martin's HOSTS reformatted/hashed for use with Proxomitron. (No longer actively maintained.)
Junkmail BlockfilesBlockfile addons for Proxomitron and Win32 HOSTS
(Last updated October 2011)
Blocks connections to websites of businesses that routinely purchase mailing lists to send unsolicited bulk-rate ads or who abuse customer information by refusing to honor opt-out requests. Formatted for use with the Proxomitron adlist, and with the HOSTS server list in both 127.0.0.1 (standard) and 0.0.0.0 format (for use with a local proxy).
Note: these supplement major blockfile lists (above); and, the download  website is not always up.
 
Editing HOSTS
Open the HOSTS file in Notepad (File|Open,  Files of type: All Files) and look at the other entries; then add your own URL(s) using the same pattern and save the changes.  If an entry in the file causes connection problems, you can either delete the line entirely or "inactivate" it by adding  '# ' (the pound sign followed by a space) in front of it.
Miscellaneous Software
ProgramDescriptionNotes
Ad-awareSpyware detection and removal utilitiesThese freeware utilities work well together on all Win32 platforms, through and including Windows XP. Although the software is almost certainly updated by now, users of Vista/Windows 7 should check the websites for platform compatibility.
Spybot Search & Destroy
 ZoneAlarm Firewall 

Freeware version is stable on all Win32 platforms and works well with default (installation) configuration.

Payware version (ZoneAlarm Pro) offers additional control to the knowledgeable user.

See also:
Tiny Personal FirewallUser-defined ruleset provides flexibility and control; best choice for the knowledgeable user.
Snort

Intrusion detection system

[See Robert Graham's FAQ for more information.]

Freeware Win32 command-line port of the well-known and highly respected Unix intrusion detection system; requires the appropriate platform/version WinPcap driver.
Trojan Detection Suite Payware anti-trojan monitoring software For critical computing environments and those with significant assets to protect, this complex, multi-layered tool allows users to combat trojans on their own ground for system-level control; but, less sophisticated users may find it difficult to deploy. Highly recommended for those who are capable of using it or willing to learn.
Integrity Checker File integrity auditing tool Not a full-blown IDS, but a scanning tool that checks files/directories to ensure they have not been modified since the last audit/run. Win32 PE can be run from an encrypted container, and command-line parameters allow the program to run at startup.
Notify Real-time file integrity auditing tool Freeware background monitoring software alerts user when watched files/directories are modified; uses very little memory and practically no CPU time. Unfortunately, my archived version is for Win9x/NT, so users of more current Win32 platforms should check the website for updated versions.
IDServeFreeware tools to help consumers identify vulnerable Microsoft (IIS) servers before submitting sensitive information.See the SANS Top Twenty annual listing of the most critical Internet security vulnerabilities (the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited vulnerable services in UNIX/Linux).
ViewHEAD
pcHelp's batchfile
BHOCaptorBHO detection and control utilitiesBHOs (Browser Helper Objects) allow application developers to control Internet Explorer: when IE 4.0+ starts, it reads the Registry to locate installed BHO's

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\explorer\Browser Helper Objects\{(hex) CSLID# }  (wrapped)
Searching the Registry for the CSLID sub-key identifies the controlling application, and removing it disables the BHO.

and then creates them. They don't require a user interface (although many appear as IE toolbars), and BHOs do not appear in the Add/Remove Programs dialogue.  See [1] and [2] for more information, and [3] for alternative browsers.
BHO Cop()
See also  [1, 2, and 3 (below)],  [4];  and, (if available) your copy of the sh  [Files 5.0] CD-ROM.
 
CRYPTOGRAPHY REFERENCES

[ In approximate order of technical detail: ]

  1. Learning About Cryptography,” by Terry Ritter
    [A good introduction to basic concepts, and cross-referenced with the Crypto Glossary (below); however, readers should be aware that some of the author's opinions are not broadly endorsed.(1 & 2), 3]
     
  2. Snake Oil Warning Signs
    [For “people who are not experts in cryptography or security but find themselves making decisions about what sorts of crypto (if any) to use… .”]
     
  3. An Introduction to Cryptography”  (part of the PGP documentation)
    [You can also find the document at the PGP International mirror or search Google.]
     
  4. Tom McCune's PGP Pages
    (1), Software/documentation/links,  and
    (2), PGP Questions & Answers.
    [Some of the links are broken, but this is still one of the best PGP reference sites; and, the detailed explanations cover all basic public-key cryptographic system concepts and tradeoffs. Highly recommended.]
     
  5. SSL & TLS Essentials: Securing the Web []  by Stephen A. Thomas  (John Wiley & Sons, 2000.  ISBN 0-471-38354-6)
    [A well-organized summary of SSL/TLS beginning with basic cryptographic concepts and continuing through authentication, certificates, and protocol layer/packet structures. Highly recommended.]
     
  6. Richard E. Smith, Internet Cryptography  (Addison-Wesley, 1997.  ISBN 978–0–201–92480–0)
    [A useful reference focussed on business security objectives, concepts and strategies for “people who know very little about cryptography but need to make technical decisions about cryptographic security…like…analysts and managers…, but it is best if readers already have a general familiarity with computers, networking and the Internet.” Highly recommended for business users.]
     
  7. Ritter's Crypto Glossary
    [“Hyperlinked definitions and discussions of many terms in cryptography” — a good page to save for offline reference.]
     
  8. Peter Gutmann's “Godzilla Crypto Tutorial
    [704 lecture slides in 8 parts; .PDF (Adobe Acrobat) format. The lecture-note format will present difficulties for student/beginners; but, since it also provides a quick reference/summary on just about everything crypto, I suggest saving the Index page.]

[ Math required: ]

  1. RSA Laboratories FAQ 
    [A comprehensive overview of cryptography in .PDF (Acrobat) format, beginning with basic mathematical/functional concepts. Highly recommended.]
     
  2. Cryptography FAQ”  (sci.crypt FAQ; 10 pg. with 3 supplements)
    [Also available from FAQS.org.]
     
  3. Applied Cryptography,[]  by Bruce Schneier  (2nd ed. 1996; John Wiley & Sons, ISBN 0–471–11709–9)
    [A "classic" reference work on the topic; includes C source code.]
     
  4. A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography  (CRC Press 1997, ISBN 0–8493–8523–7)
    [The classic reference work on the subject, but readers without an advanced math background will find little of interest.] 
Open source software: Whom do you trust?
Most users don't trust cryptography programs unless they are open source for two reasons: (1) since the source code is available for public scrutiny, it can be examined by experts to make certain the cryptographic functions are correctly implemented and to assure there are no “back doors” [government "master keys"];()  and, (2) vulnerabilities are also quickly found and patched.
Unless otherwise noted, all programs listed below are open source. 

[ Software – email, digital signing/authentication: ]

  1. PGP
    [Freeware archives for Win9x/NT/2K with links to current versions at PGP.com. XP users, however, should carefully  read the EULA before installing NAI (McAfee) versions > 7.1, in addition to (1), (2), (3) and (4). Because the source code is no longer publicly available, the editor does not use or recommend NAI (McAfee) versions of  PGP > 6.5.8.]
     
  2. PGP C-KT[]
    [The editor's recommended version for Win9x/NT/2K; however, (1) there are known issues with the C-KT version(s) in Windows XP+, and (2) they are no longer supported.  See also (1) and (2) for another opinion.]
     
  3. GPG
    [The GNU Privacy Guard is “a complete and free replacement for PGP” for all Win32 platforms. Recommended if you have no legacy issues (old keyrings/PGP Disk files) and for new users.  See also (1) and (2).]
    ® If available, XP users should also see their copy of the sh  Files 5.0 CD-ROM()  for software and a discussion of platform encryption issues.

[ Software – OTFE (file) encryption: ]

  1. PGP Disk[]
    [Enabled in the PGP C-KT version freeware; disabled in all NAI (McAfee) PGP freeware versions (see above).  Be sure to read this before installing.]
     
  2. Scramdisk (archived)
    [Win9x only; the (payware) version for NT/2K is no longer available and neither version is supported.]
     
  3. TrueCrypt
    [Open source freeware for Windows 2000/XP/2003 (and probably, by now, Vista and Windows 7); recommended for users without legacy issues.]
     
  4. FreeOTFE
    [For MS Windows 2000/XP/Vista and PDAs (Windows Mobile 2003/2005). The program has a very short track record, but its author's credentials (S. Dean, below) are generally recognized. Another good choice for users without legacy issues.]
    See also: S. Dean's page, “On-The-Fly Encryption: A Comparison.”  Highly recommended.

[ Additional Resources: ]

  1. Virtual Private Networking Software
    Using the Internet for routine business communications may not be secure: even if you encrypt your mail, remote file accesses and document transfers can expose you to unnecessary risk. However, an encrypted network connection [a tunnel ] can be established between individual machines (for example, between your primary Unix server and a Windows machine in a satellite office) or across/between networks (such as a home office LAN and a remote subsidiary). Encrypted networks are termed "Virtual Private Networks," or VPNs.
    • Stunnel 
      Stunnel is a program that uses the OpenSSL library to encrypt TCP connections "inside" the SSL/TLS (Secure Sockets Layer) available on both Unix and Windows. It is open source, and pre-compiled Win32 binaries are available.
    • OpenVPN 
      OpenVPN is an open-source tunneling application that uses the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single TCP/UDP port. Both pre-compiled Win2K/XP+ binaries and an OpenVPN GUI for Windows are available.
       
  2. Password Management Software
    Your passwords function as your proof of identity in the digital world, so you should always use good ones. Unfortunately, strong passwords are long, random strings composed of upper and lower case letters, numbers, and special symbols (in short, every possible character on your keyboard) and therefore difficult to remember. The solution to this dilemma involves using software to generate strong passwords and store them in encrypted form: that way, you only have to remember one  password — the one you need to access the encrypted password file.
    • PasswordGen 
      Open-source freeware Win32 portable executable generates secure passwords with options to select either the password strength (number of bits) or the length (number of characters). When the password is generated, the program will display its actual, measured entropy (how random/strong it is, measured in bits) with the option to automatically copy it to the clipboard.
    • Password Safe 
      Open-source freeware Win32 portable executable uses Blowfish encryption to store your passwords. Once opened by entering the "safe combination" (the master-password used to access the database), double-clicking an entry copies the selected password to the clipboard.
       
  3. Secure Delete Software
    Securely deleting files (and backup/copies) is part of general file security and closely allied with encryption  because hard drive files are difficult to completely erase.1, (2, 3)  In Windows, files that have been deleted (and  emptied from the Recycle Bin) may be easily recovered.1, 2  Even files that have been overwritten can be recovered with specialized software: the (US) Department of Defense uses a seven-pass overwrite standard for UNclassified material,  and the "gold standard" for complete erasure is a 35-pass overwrite using a particular sequence of bit patterns [see (1) §3 ff.].  See also: Disk and File Shredders: A Comparison ;”  and, (if available) your copy of the sh  Files 5.0 CD-ROM.()
    • Eraser  (open-source Win32/GUI): recommended for most users
    • Scorch  (16-bit/command-line): especially good for large files, such as swap/paging.
    • Scour  (16-bit/command-line): wipes data in unallocated disk space and the slack cluster space at the end of files.
       
  4. Gutmann and Shearer's “Government, Cryptography, and the Right to Privacy 
    [“Regulation and control of cryptography use on the Internet by national governments may lead to an imbalance in the citizen/government power relationship…including unprecedented surveillance of citizens…[and] human rights abuses by less democratic or non-democratic governments… .”]
     
  5. Crypto Law Survey
    [Bert-Jaap Koops' definitive “survey of existing and proposed laws and regulations on cryptography.”]
     
  6. Crypto-Gram
    [Bruce Schneier's “free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.” Highly recommended.]
     
  7. Link farms:[]
  8. Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption  (The MIT Press, 1998.  ISBN 0–262–04167–7)
    [A brilliant and cogent summary of recent historical developments and current law regarding the domestic use of SIGINT (SIGnals INTelligence) against private citizens.  Highly recommended — especially for thoughtful voters.]
     
  9. James Bamford, The Puzzle Palace  (Houghton Mifflin, 1982;  Penguin, 1983; ISBN 0–14–006748–5)
    [A popular book describing the NSA, “which has been the dominant force in cryptography in the US since WWII.” ]
     
  10. The sh Cryptography Compilation  CD-ROM database available from Emerald Technologies has an extensive collection of crypto and crypto-related software, source code, and reference archives.
    [Wherever possible, program versions were downloaded from recognized international archives, some before passage of the USA Patriot Act  (see Title I, Sec. 105–106 and Title II for privacy/government surveillance concerns). In all cases, download documentation is provided so users can decide for themselves if they trust the archived software/versions.]
     
  11. Alice and Bob
     

N.B.: Users with Internet Explorer 7+ installed (Windows XP/automatic update and Windows Vista+) will not have access to Internet FTP software and information archives since the protocol is no longer supported: see your service tech for a workaround.
 


You can save this page for offline reference by right -clicking the screen and selecting "Save Page As/(type) Web Page, HTML only" (Firefox, Mozilla), or clicking the File button and selecting "Save As/(type) Web Page, HTML only" (Internet Explorer).
Note: On most Windows® systems, pages saved using IE6+ will be re-formatted and will not open offline.