Re: Oct 14 meeting Agenda? (DC Cypherpunks)
I figure that as long as we are going to receive... ? a commercial message from Digex ?
We might be able to tap their knowledge base in assessing the various risks and rewards available by using a Commercial ISP.
After all, with the FBI and Scientologists waging war on the Internet ( capturing keystrokes, seizing computers, and rummaging through everyone's E-mail ), there may be a way to make life a little more interesting for them.
I will be glad to send in my two cents worth - I am not sure that I understand the question though.
While I believe in strong crypto for everyone (what cypherpunk doesn't), I also believe that much can be done to prevent the wholesale snooping of Commercial ISP customers' data. I believe that this data is snooped because the ISPs and large number of customers (ignorant of security) make this data too easy a target (cost effective). While the NSA may follow its motto (In GOD we trust, the rest we monitor), others may take hostile actions against someone whose password or personal information has been obtained (ex. drain bank account, or just send spam).

Some questions that I would like to ask...

1 - Assuming that someone from an agency or someone pretending to be from an agency wanted to capture one or all the ISP customers' key presses. What method would they use?
    Would they capture the data at the phone company?
    Would they tap the raw data stream at the initial ISP router?
    Would they route IP packets from the initial ISP router through their own equipment before arriving at the ISP machine running the shell account?
    Would they use a Trojan Shell (or telnetd) on a shell account?
    Would they inform the ISP and get his help or root access?

2 - What methods could be put into place by the ISP or its customers to help prevent this snooping activity?
    Perhaps an alternative login method (like deslogin or idealogin) trying to protect data through the phone company and IP route to the target machine.
    Perhaps having a crypto checksum on the shell (telnetd) to detect Trojan software.
    Perhaps sendmail could public key encrypt mail on its way to the customer's directory.
    Perhaps just raising the customer awareness of security issues and methods at the ISP. This could affect the mainstream user (joe sixpack) as well as the PGP user.
    Perhaps ISPs could offer a data archive service/site (foreign site) where data in the form of PGP encrypted E-mail can be saved and retrieved via a robot (something like majordomo). That way, if your home computer breaks, burns, is stolen, or seized, you can still retrieve your data at a later time.

Granted these methods do not prevent a determined attacker from squashing an ISP customer. However, it does raise the cost of the effort to single out a user and attack him rather than grab cleartext from everyone.

-tom
participants (1): Tom Rollins
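
The "crypto checksum on the shell (telnetd)" idea from the message above, as an added example that is not part of the original post: a digest manifest sealed with an HMAC, so that replacing a binary and rewriting its stored checksum is still detected. All function names are hypothetical, the files are constructed stand-ins for telnetd and a shell, and the key is assumed to be kept off the monitored host.

```python
import hashlib, hmac, json, os, tempfile

def file_digest(path):
    """SHA-256 of a file's contents, as hex."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def seal(digests, key):
    """HMAC over the canonical JSON form of the digest table."""
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(paths, key):
    """Baseline taken while the binaries are known to be good."""
    digests = {p: file_digest(p) for p in paths}
    return {"digests": digests, "mac": seal(digests, key)}

def verify(manifest, key):
    """Map each path to 'ok', 'modified' or 'missing'.
    Raises ValueError if the manifest itself was changed without the key."""
    if not hmac.compare_digest(seal(manifest["digests"], key), manifest["mac"]):
        raise ValueError("manifest altered or wrong key")
    report = {}
    for path, want in manifest["digests"].items():
        if not os.path.exists(path):
            report[path] = "missing"
        else:
            report[path] = "ok" if file_digest(path) == want else "modified"
    return report

def demo():
    """Constructed scenario: baseline, then a swapped telnetd, then a forged manifest."""
    key = b"constructed-demo-key"  # assumption: stored off the monitored host
    d = tempfile.mkdtemp()
    telnetd, shell = os.path.join(d, "telnetd"), os.path.join(d, "sh")
    for path, data in ((telnetd, b"original telnetd"), (shell, b"original shell")):
        with open(path, "wb") as f:
            f.write(data)
    manifest = build_manifest([telnetd, shell], key)
    before = verify(manifest, key)
    with open(telnetd, "wb") as f:  # the daemon is replaced after the baseline
        f.write(b"replaced telnetd")
    after = verify(manifest, key)
    # The stored digest is rewritten to match the new file, but without the key.
    forged = {"digests": {**manifest["digests"], telnetd: file_digest(telnetd)},
              "mac": manifest["mac"]}
    try:
        verify(forged, key)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return before, after, forged_rejected, telnetd, shell
```

The check is only as trustworthy as the program running it and the place the key lives, so it belongs on media or a host the monitored machine cannot write to.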