Difference between revisions of "Privacy"

From RonWareWiki
Latest revision as of 09:50, 5 February 2010

Communication over the Internet is public - anyone with sufficient technical skill can monitor any communication. Email, in particular, is usually sent in a "plain text" format (even HTML mail is essentially plain text). If you want to communicate privately with others, or if you want to keep information on your computer private so that other people cannot access it, you need to use "encryption". The specific kind of encryption I discuss here is called "public-key" encryption, and the particular software package I use to encrypt is called "GnuPG". There are other systems available, but I use GnuPG because it is very stable and has been proven reliable.

Why encryption?

There are a number of reasons one might wish to use an encryption package such as GnuPG:

  • Protecting financial information. For example, credit card or bank account numbers. Using GnuPG it is possible to send such information over the Internet without concern someone might intercept and abuse it.
  • Keeping business plans secret. One may wish to discuss sensitive or proprietary information in an email. Using GnuPG it is possible to do so without concern the competition will access it.
  • Personal discussions. Anything of a private or personal nature may be discussed in a GnuPG encrypted email without worrying that a person who should not be privy to the information will read it.
  • Proof of sender. When an email is digitally signed with GnuPG, one may be absolutely certain the mail originated from the purported sender. The return email address is not sufficient for this purpose.
  • Safe archival of sensitive data. An encrypted backup file may be stored in a public storage area without concern.
  • Enforcing honesty. A file on one's own machine which is encrypted is impossible for all but perhaps government agencies to read. Everyone else is kept honest.
  • A simple desire for privacy. Not everyone needs to know everything about you.

GnuPG (GPG)

Installation

How to set it up:

  1. Download the GNUPG package.
    • Windows users: There is a Windows installer which includes everything (just run the installer).
    • Linux users: consult your distribution for details on whether there is an installable package already (most distros do have a gpg package). If not, you'll have to download, compile and install it yourself.
  2. After you have it installed, create your own "key pair".
    • Windows: start the "GPA" program, which will allow you to do all the steps mentioned here.
    • Linux users: you can run "kgpg" and do things the GUI way like Windows users, or type "gpg --gen-key"
  3. Upload your public key to a public key-server.
    • Windows: GPA has an easier way to accomplish the same thing.
    • Linux: "gpg --send-keys KEYID", where "KEYID" is the eight-character ID associated with your new key. To figure out what it is, do "gpg --list-keys myname", where "myname" is the email you gave GPG to generate your key.
  4. Import my key to your key-ring (that is, if you want to communicate with me!).
    • Linux: "gpg --recv-keys ad29415d" (That last is the "KEYID" for my key, "ron@ronware.org").

Testing

After having set up the program (which admittedly is a bit of a pain), you should test it. The first thing you want to do is send your "KEYID" to the person you want to communicate with. For example, if I wanted to communicate with you (I do!) I might send you an email containing the line: My KEYID is: ad29415d

NOTE: My public key "fingerprint" is: 8130 734C 69A3 6542 0853 CB42 3ECF 9259 AD29 415D. If you use some other key, it is not mine!

Send an email to the person you want, using the program you prefer. There are GPG "plug-ins" for Outlook (included in the Windows installer link above), and for Thunderbird (called "EnigMail"). There are other plug-ins as well; check out the GnuPG.org site for details (look at "frontends"). You will want to send the mail encrypted for the recipient you are interested in (you may also want to encrypt it to yourself so you can read it later!).

Caveats

  • It doesn't matter much what key-length you use, as long as it is 1024 or higher. However, the higher it is, the slower things get - and at this point and for the foreseeable future such a key is unbreakable.
  • The passphrase you use to access your keys (which you create when you generate a key pair), gives access to your private key. Make very sure it is something you will remember, but not something anyone else can guess. Longer is better, up to a point. The phrase is case-sensitive, so "DoG" is not the same as "dog". Do not let anyone else know this phrase! Using a phrase which has some numerals and/or punctuation is best, for example: "My 2nd child was a girl!" ... of course, don't use that phrase now!
  • The "keyring" you created (i.e. the place where your private-public key pair is stored) is the linchpin of the encryption system. If someone gets hold of it, and knows your passphrase, that person can decrypt anything you encrypted with that key. So be careful, and don't leave it on publicly-accessible computers. You will want a backup of it, which you should probably put on a USB key (in fact, keeping your key only on such a USB key is probably the most secure thing you can do).

Keys

In the event you don't have keyserver access, or you don't trust the keyserver, you can get our keys here.

Ron's public key

pub 1024D/AD29415D 19/08/2004 Ron Aaron <ron@ronware.org>
    Primary key fingerprint:  8130 734C 69A3 6542 0853 CB42 3ECF 9259 AD29 415D 

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

mQGiBEEj98MRBADu6bzKOrObpQpNURSLmKa/HDrsjdpgJ9tus+cVjOv00pMnzzQo
0b66Ck67gepBOMclFpOqo+E5vvK7pO0Z7EvpP6VTaIPhc7OcirDEMttSYK7nhove
o1vnUhlIfEn5rPT4H7QiO4VzKZiUYv9czdyugnk5YSb6NqbPSWnZpR5EIwCg+2Ok
HqsnlzvJa75DKHrFX7aHVHUEANgibtghMZY0SZvoasFwN9kXAb41uWs8WMoany5H
GtEi1RMYoSc0tOiaTLwGZAO5u4if50R2gbKZRcgIbGzSYqg/g+uP0pvdqucGJEPE
7/yQZVoCdVaoCyGKs8fVztyWRbqEzWahU6as1X1p1Y+nV75g+7Vvd/X04QBy0RjI
okrmBACR2W4+eA8BpKLbLpZvrvNjWXFMDyCjmyazxIoh41bTlxl3mZVgXqexuvJb
mv4n4sGjysG3XPJy8lLusG5GwetsDhMsfR49A7johbqt7Cc1hXZv0RjSaTH5oigC
mJZ26DPHdRbui2fzstW3BoQgLpfLnQGH3hocNJj8rMcQVxGQnbQbUm9uIEFhcm9u
IDxyb25Acm9ud2FyZS5vcmc+iF4EExECAB4FAkEj98MCGwMGCwkIBwMCAxUCAwMW
AgECHgECF4AACgkQPs+SWa0pQV3KmACg8m8/67Gg/kiCY3ixHVoa1Cu4NLcAnRS+
yg9zaHB5iOY3VxgdeFzMCGW+uQENBEEj98MQBADXfmpkWxYKUe16BW+A1NR+cSc+
WIHyN78VCOrHUt5fm2S9IR/YYGeqpHjkA21KC+Dk6OGjDGbngLkxt2dUH91/MVv6
Qcv9gCS4P85myvTnRZNYVD48WRLAt4GsL13sv8HWwUcyI64Q10QaHjM750XS8Rpm
CIz4LvclWGSkEoMT5wADBQQAjn3oj9T32rwl7m3OVB1bAg/mOhc8r9glq0nE6G+A
B+Om+b0PFewjmYutXsFCD4Wub6czeheG9/GOiCynIxqY7b/6shNgaHK1JyKrG6o5
WLC1XwkSasfnQV2m+ezBh/cl3cqhPq4CjepbzIlx55e/BhRznJAi78S3AcZACIw5
gVWISQQYEQIACQUCQSP3wwIbDAAKCRA+z5JZrSlBXTiyAKCkQkv85he+DiCKHYkc
7N5paAUhfgCePiqw6CBz9A8t5eY2kSxn+ld5E30=
=woj+
-----END PGP PUBLIC KEY BLOCK-----

Esther's public key

pub 1024D/7A25C70B 20/05/2007 Viviana Aaron <viviana@ronware.org>
    Primary key fingerprint:  84F5 23CA 8A59 89DF 5063 334E 6B33 7F96 7A25 C70B 

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0
=cDdx
-----END PGP PUBLIC KEY BLOCK-----
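The page tells you to compare the fingerprint of any key you fetch against the one printed here, and gives Ron's armored key so you can obtain it without a keyserver. The following is an added example, not code from the wiki or from GnuPG, showing what that comparison actually checks: it verifies the armor's CRC-24 checksum (the "=woj+" line), parses the first OpenPGP packet, recomputes the version-4 fingerprint as SHA-1 over the public-key packet (RFC 4880 section 12.2), and compares it, whitespace- and case-insensitively, with the fingerprint stated on the page. The key text is copied from the page; the function names are mine; it assumes an old-format packet header and a v4 key, which is what GnuPG 1.4 produced here, and uses only the Python standard library.

```python
"""Check a pasted OpenPGP public key against a fingerprint received out of band."""
import base64
import datetime
import hashlib

# Ron's key exactly as printed on the page (1024-bit DSA, key ID AD29415D).
RON_ARMORED_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

mQGiBEEj98MRBADu6bzKOrObpQpNURSLmKa/HDrsjdpgJ9tus+cVjOv00pMnzzQo
0b66Ck67gepBOMclFpOqo+E5vvK7pO0Z7EvpP6VTaIPhc7OcirDEMttSYK7nhove
o1vnUhlIfEn5rPT4H7QiO4VzKZiUYv9czdyugnk5YSb6NqbPSWnZpR5EIwCg+2Ok
HqsnlzvJa75DKHrFX7aHVHUEANgibtghMZY0SZvoasFwN9kXAb41uWs8WMoany5H
GtEi1RMYoSc0tOiaTLwGZAO5u4if50R2gbKZRcgIbGzSYqg/g+uP0pvdqucGJEPE
7/yQZVoCdVaoCyGKs8fVztyWRbqEzWahU6as1X1p1Y+nV75g+7Vvd/X04QBy0RjI
okrmBACR2W4+eA8BpKLbLpZvrvNjWXFMDyCjmyazxIoh41bTlxl3mZVgXqexuvJb
mv4n4sGjysG3XPJy8lLusG5GwetsDhMsfR49A7johbqt7Cc1hXZv0RjSaTH5oigC
mJZ26DPHdRbui2fzstW3BoQgLpfLnQGH3hocNJj8rMcQVxGQnbQbUm9uIEFhcm9u
IDxyb25Acm9ud2FyZS5vcmc+iF4EExECAB4FAkEj98MCGwMGCwkIBwMCAxUCAwMW
AgECHgECF4AACgkQPs+SWa0pQV3KmACg8m8/67Gg/kiCY3ixHVoa1Cu4NLcAnRS+
yg9zaHB5iOY3VxgdeFzMCGW+uQENBEEj98MQBADXfmpkWxYKUe16BW+A1NR+cSc+
WIHyN78VCOrHUt5fm2S9IR/YYGeqpHjkA21KC+Dk6OGjDGbngLkxt2dUH91/MVv6
Qcv9gCS4P85myvTnRZNYVD48WRLAt4GsL13sv8HWwUcyI64Q10QaHjM750XS8Rpm
CIz4LvclWGSkEoMT5wADBQQAjn3oj9T32rwl7m3OVB1bAg/mOhc8r9glq0nE6G+A
B+Om+b0PFewjmYutXsFCD4Wub6czeheG9/GOiCynIxqY7b/6shNgaHK1JyKrG6o5
WLC1XwkSasfnQV2m+ezBh/cl3cqhPq4CjepbzIlx55e/BhRznJAi78S3AcZACIw5
gVWISQQYEQIACQUCQSP3wwIbDAAKCRA+z5JZrSlBXTiyAKCkQkv85he+DiCKHYkc
7N5paAUhfgCePiqw6CBz9A8t5eY2kSxn+ld5E30=
=woj+
-----END PGP PUBLIC KEY BLOCK-----
"""
# The fingerprint the page states for this key (what you would receive out of band).
RON_STATED_FINGERPRINT = "8130 734C 69A3 6542 0853 CB42 3ECF 9259 AD29 415D"

PK_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}  # RFC 4880 section 9.1 ids


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1); empty input gives 0xB704CE."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str):
    """Return (binary payload, checksum_ok) for one ASCII-armored block."""
    lines = text.splitlines()
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    body = lines[begin + 1:end]
    while body and body[0].strip():      # armor headers end at the first blank line
        body.pop(0)
    body = [l.strip() for l in body if l.strip()]
    checksum = None
    if body and body[-1].startswith("="):  # trailing "=xxxx" line carries the CRC-24
        checksum = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    payload = base64.b64decode("".join(body))
    return payload, (checksum is None or checksum == crc24(payload))


def first_packet(payload: bytes):
    """Parse an old-format packet header; return (tag, header_len, body_len)."""
    ctb = payload[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("only old-format packet headers are handled in this example")
    tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
    if length_type == 0:
        return tag, 2, payload[1]
    if length_type == 1:
        return tag, 3, int.from_bytes(payload[1:3], "big")
    if length_type == 2:
        return tag, 5, int.from_bytes(payload[1:5], "big")
    raise ValueError("indeterminate packet length is not handled")


def public_key_info(payload: bytes) -> dict:
    """Describe the leading public-key packet and compute its v4 fingerprint."""
    tag, hlen, blen = first_packet(payload)
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, not a public key (6)")
    body = payload[hlen:hlen + blen]
    if len(body) != blen:
        raise ValueError("public key packet is truncated")
    if body[0] != 4:
        raise ValueError(f"version {body[0]} keys are not handled")
    created = datetime.datetime.fromtimestamp(int.from_bytes(body[1:5], "big"),
                                              datetime.timezone.utc)
    # v4 fingerprint = SHA-1(0x99 || two-octet body length || body)
    fpr = hashlib.sha1(b"\x99" + blen.to_bytes(2, "big") + body).hexdigest().upper()
    return {"created": created.date().isoformat(),
            "algorithm": PK_ALGOS.get(body[5], f"algo {body[5]}"),
            "fingerprint": fpr, "keyid": fpr[-8:]}  # short key ID = last 8 hex digits


def normalize_fpr(s: str) -> str:
    """Strip the spaces GnuPG prints and ignore case before comparing."""
    return "".join(s.split()).upper()


def check_key(armored: str, stated_fingerprint: str) -> dict:
    """Full check: armor intact, key parsed, fingerprint equals the one stated."""
    payload, crc_ok = dearmor(armored)
    info = public_key_info(payload)
    info["armor_crc_ok"] = crc_ok
    info["fingerprint_matches"] = normalize_fpr(info["fingerprint"]) == normalize_fpr(stated_fingerprint)
    return info


if __name__ == "__main__":
    for k, v in check_key(RON_ARMORED_KEY, RON_STATED_FINGERPRINT).items():
        print(f"{k:20} {v}")
```

The short key ID you exchange by email ("ad29415d") is only the last eight hex digits of the fingerprint, so it is a convenient label but not a proof of identity; the full fingerprint is what you read back to the other person, and the check above is what that comparison means in bytes.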

Further reading

  • GnuPG Handbook: http://www.gnupg.org/gph/en/manual.html
  • GnuPG hacks (useful tips): http://www.linuxjournal.com/article/8732
  • How and why to have a key signing party: http://linuxreviews.org/howtos/gnupg/signingparty/

TrueCrypt

Encrypting an individual file or email using GPG is fine; but if you have a lot of files to encrypt it can become tedious. The TrueCrypt program lets you create an entirely encrypted "disk", where you can keep a large number of files, all encrypted.

Its features (from the website):

  • Creates a virtual encrypted disk within a file and mounts it as a real disk.
  • Encrypts an entire partition or storage device such as USB flash drive or hard drive.
  • Encrypts a partition or drive where Windows is installed (pre-boot authentication).
  • Encryption is automatic, real-time (on-the-fly) and transparent.
  • Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
    1. Hidden volume (steganography) and hidden operating system.
    2. No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
  • Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.

It is very capable and mature software. One useful scenario is to create a TrueCrypt volume, in which you put all your sensitive business data. If someone steals your laptop, unless you have given them the password they will be unable to access the data you have encrypted. It works on Windows, Linux and Mac OS X, so there's no excuse not to use it.

EncFS

An alternative for Linux users (and Mac OS X apparently as well), is the EncFS encrypted file system. It is quite similar to TrueCrypt in terms of end result, but it doesn't require one to specify a "container size" up front - it just transparently encrypts files to the underlying native file system. The disadvantage is that it doesn't (1) allow plausible deniability and (2) prevent a malicious user from knowing the data are there. I don't care much about either one of these, and on Linux I think EncFS is easier to deal with. However, if you need to transport the same data between OSes (say on a USB key), then TrueCrypt has a clear advantage.