Slashdot Mirror

With the rise of deniability features in data-at-rest encryption products, I'm not sure how this is going to work in the real world. Wouldn't be hard to use these technologies for communications too.

http://www.jetico.com/

Tried and tested. Been around for decades. While not "open source," the full unix source code is free and is well maintained, including package metadata for popular distributions. They charge for binaries but the full software is free (including GUI) if you download and compile it yourself.

What you actually want is encryption software with plausible deniability features like TrueCrypt or BestCrypt. I really don't understand why more people don't know about these technologies.

Finally, someone other me is saying that and whilst we're correcting XKCD.... Security
Um, It's called Deniable Encryption, and it's been around in consumer products for ages, so I wish people would stop giving that "obligatory" response to other stuff as well.

Yeah, the blurb says the guy did erase it. The investigators found it in a "deep" scan. Which means they just used a block editor.

FWIW, there are loads of ways you could have this happen to you. Like this for instance I recall a story where a church bought a new computer and it was full of porn too, but I can't find the story.

BTW, posting as AC to tell my story. This happened to me once and I wasn't even looking for porn. I've had two downloads through bittorrent that weren't what they claimed to be. One was a cd full of kiddie stuff claiming to be an engineering application. Terrified me! I deleted it and used bcwipe about a dozen times.

• Antivirus (use with firewall)
  • NOD32 ESET (fast, reasonably secure)
  • GData (slower, best possible protection)
  • Avira (fast, highly secure, & free version)
• Firewall (use with antivirus & antispyware)
  • Comodo (free, hard to configure)
  • PC Tools (free, easier to configure)
  • Zone Alarm (pay & free versions)
  • Agnitum Outpost (pay)
  • Jetico Firewall (pay & free versions, hard to configure)
• Internet Security Suites
  • Kaspersky
  • GData
  • BitDefender (cheapest)

That and lock down your browser, by installing Firefox, with NoScript, Better privacy, adblock plus, and deny cookies by default, then enable the cookies you want using the cookingSafe extension. Do that no matter what security software you have installed. Or of course you could save yourself a great deal of trouble by using Linux.

This product does something similar, however it's commercial and not open source. http://www.jetico.com/bcrypt8.htm

BCwipe would leave a simliar fingerprint if you used DoD wipe. All you'd have is an empty hard drive full of random characters in the interstices.

I hook them into an old pc, wipe them with BCWipe, and then dispose of them. My preferred method is to put them in old machines, install Linux, and give them to Goodwill.

We just finished evaluation of a number of products as we also require full disk encryption. We are purchasing BestCrypt from Jetico. It also handles encryption of pagefile, swap files, swap partitions, and hibernation files.

On Windows it's actually easy and no, You do not need specialized hardware. The best and cheapest whole disk encryption solution is http://www.jetico.com/bcve.htm. Works like a charm without any significant changes in performance. Install, set the boot password (and a USB token if You want) and there You go -- without the keys, nobody will ever know what's on Your hard drive.

Jetico has a new piece of software in Beta which I am testing on an XP laptop and desktop. It works quite well! I would like to see a full third party review of the source though, as it is closed source.. but it is perfectly stable and I have not noticed any performance drops. Of course I am not much of a gamer and didn't do any benchmarks but it does work for me. It encrypts the entire hard drive so you even need a password to boot. (On Linux I use LUKS.) Check it out here.

Check BestCrypt. I've been using it for years, and like it (haven't tried 10Gb though). TrueCrypt looks like the same concept, so use the trial to speed test for comparison. It's not free, but it is available for windows and linux.

Also, be aware that your encryption choice will affect speed greatly. 448-bit is slower than 224 bit, etc. Also some algos are optimized - twofish is a pentium-optimized version of blowfish.

First of all, I think you should just look at keeping the existing system, just improve it. Changeover cost in hardware/software is going to be high, even if it's free software. Here's what I'd do to try to stay with Windows 2k or XP (throw this all out if you're on 98/ME and get a real OS!):

1. Antivirus
First of all, why no antivirus? Any reasonable Win2k/XP system should be able to run one. If you want something with very low cpu impact, try Eset's Nod32. Also exclude the directory that the DVR uses to write the videos from virus checks. The videos are unlikely to get infected, and virus checking on those directories will just muck things up. (I'm assuming that this is why you aren't using antivirus.) But everything else then can be protected.

If you have licenses for *any* antivirus product, try it again with excluding the videos directories. Any antivirus product worth more than a warm bucket of spit should be able to do that.

2. Disable services.
Disable every unneeded service on these machines. A *lot* of them shouldn't be on. These systems should be doing practically nothing but writing video files (ok maybe some backups, or transferring files to another server for backups). A decent guide to this is here: http://www.theeldergeek.com/services_guide.htm.

3. Consider turning off Windows networking.
Disabling SMB/Netbios calls should stop most viruses/worms/etc. If you need to transfer data for backups and such, use SSH and SFTP instead. SFTP is what you'd use on a Linux/Unix system, and is *much* more secure.

Free Win32 SFTP client:
http://winscp.net/eng/index.php

Free Win32 SFTP server:
http://itefix.no/copssh

Nice, and not too expensive pay SFTP client (Tunnelier) and server (WinSSHD):
http://www.bitvise.com/

(And you shouldn't be getting email-borne viruses -- these systems shouldn't be used for email.)

You can also use SSH on this to restrict all kinds of other access as well, while providing VPN-style access. Very, very nice. (e.g. you can only Remote Desktop or VNC through SSH)

4. Block ports and such, and firewall it.
Setup a firewall between these systems and the outside world. Restrict ports to *only* those needed (e.g. SSH on port 22). If possible, restrict outgoing data to *only* those IP addresses that need access. Yeah, IPs can be falsified, but it's an extra layer of defense.

You could do this through a software firewall, or even just some cheap $20 hardware firewall boxes.

The XP firewall is better than nothing, but it's only incoming. Much better incoming/outgoing freebie firewalls are available from these companies:
http://www.wyvernworks.com/firewall.html
http://www.jetico.com/

(I'd probably do the hardware firewall, but if you're cash is tight, or the time/cost of installing all these extra hardware boxes is high, at least deploy a software firewall.)

5. Other Windows hardening options
You can also try these two freebie Windows hardening programs. They probably aren't perfect, but they help:
Harden-it: http://www.sniff-em.com/hardenit.shtml
Secure-it: http://www.sniff-em.com/secureit.shtml

And decent googling should turn up lots of different hardening guides to Windows as well.

After these you should have antivirus, you're blocking ports, you've disabled almost all virus vectors, and should have systems that are reasonably secure and stable.

Yeah, you have Windows and not sexy or politically correct OSS. But it's what you have. If you can make it work, use it. Fixing up your Windows boxes is probably a lot less time and money than swapping over

Bestcrypt is probably only solution supporting Linux AND Windows. Windows version is a shareware, but Linux version is a free (as a beer).

The program we use for this is called BCwipe. Basically it wipes the drives empty space to all 0's, then back to all 1's seven times. We use it for classified cleanup on machines without having to rebuild the whole machine from scratch. Basically it takes a long time to run, depending on your hard drive speed and size. On average an 80GB drive will take about 12 hours or so to run about 7 times. http://www.jetico.com/index.htm#/bcwipe.htm

I use Another Password Generator for all my passwords. http://www.adel.nursat.kz/apg/

As a general security measure, I use different passwords for all the Internet services I use. I simply do not trust the random forum and service owners I use enough; not because I distrust any concrete service like say Slashdot, but because it only takes one dishonest service owner to look up my password in order to have them all if I were to use the same one everywhere. Instead, I have a very long, huge text-file with all my password which is stored on my bestcrypt http://www.jetico.com/ partition. The system works great for me. Alright, I have to look up the service and password every time, but as I always have that file open in kate since I use it frequently it is not a big deal. This works fine for me and I recommend it. This way I only have to remember the actual sentence I use as a password for my bestcrypt drive, and nobody can use the password on one service to guess my password on another since they are all random garbage like we4kBoc3fis...

So I think that a "a master password" IS the solution. Every employee can easily have their own personal master password where they keep a record of all their passwords, and this allows every employee to have a random password that only works for them assigned for each service they use.

It also includes the ability to use hidden volumes. You use one password and the file opens up normally, if you use another you can access a hidden volume in the file. After creating a hidden volume you shouldn't modify the non-hidden volume contents as it could overwrite your hidden data, but there is no way to tell there's a hidden volume without guessing the second password.

I feel uncomfortable using closed-source encryption tools. Encryption is complicated. It is easy to introduce weaknesses. You don't know if secret software has back doors.

Link to Jetico.

I have used BCWipe to declassify Secret hard drives. They have a DOS version you can throw on a MS-DOS boot disk and a linux version you can put on a livecd. Either works equally well.

Well, you could use BCWipe.

You could also use everyone's favorite blocked I/O command, dd.

I've used BestCrypt http://www.jetico.com/ on Linux for 6+ years now. This is a kernel plugin and a commandline tool for user-level volume creation, mounting, password change, etc. It features a good number of encryption methods and uses plain files on existing filesystems for storing the encrypted volumes.

Then I've created a number of BC volumes, all 650 mb, to allow for easy backup of the encrypted volumes to a CD. Each volume is used for a specific type of data: Personal stuff, work related stuff, "bulk" stuff (archives that I rarely use), etc.

When I login, .bash_login checks if the volumes are mounted and, if not, starts prompting for passwords. When I logout, .bash_logout asks if I want to unmount (close) the encrypted volumes.

If you are considing BestCrypt (BC), please be aware that kernel upgrades requires at least recompilation of BC (or a new rpm) and for major upgrades (2.4->2.6), you may have to wait for a new BC version to come out before upgrading. Not a problem for me, as I don't do the kernel circus.

For encrypted filesystems in general, do use a journaling filesystem on the volumes! My own volumes used to be ext2, since I had no journaling FS available, when they were created. After a spectacular server crash, I ended up with several hundred mb's of corrupted data. Not BC's fault - old Unix file-systems just aren't up to ugly crashes.

Nowadays, Linux itself features encrypted filesystems (lookback-something), but I haven't investigated, since my current solution has worked really well for me.

I have also considered encrypting all filesystems, but the hassle just isn't worth it for me - the server has 2x160 gb disks and the amount of sensitive data is just a few gb's. Actually I think encrypting my WinXP boxes is much more interesting. They don't hold any data, but they run applications that uses the data on the encrypted volumes - and I can't really expect (or trust) Windows to keep my private data private - temp files and such.

The latest version of BestCrypt supports that. You can create a container inside a container, and if you are forced to reveal the password, you only do so for the first container. The adversary remains unaware of the existance of the second container.

In general, I like this software because of its low CPU overhead and Linux compatibility, although I think version 7 is Windows only for now.

I use a secure disk program (Bestcrypt, for Windows and Linux) to create mountable, secured virtual drives. I make each disk just under the limit for the burnable media, I bought a DVD burner, and given the limits of the DVD format the largest single file is 3.99 GB. I have two main virtual disks I use, one I mount every time I use the system (for desktop, email, favorites, etc.), the other is for things I use far less often (photos, archived projects, etc.). And every week (at least) I burn the main disk to DVD (less often for the other disk). Before I had a DVD drive I did the same thing with containers that were only 650MB).

I use a separate backup script to backup all the non-unique data (programs, system, etc.) to another hard drive.

(I've had a laptop stolen from my house years ago by burglars who broke in, and with the personal files, banking info, etc. that one keeps on their PC these days, security can't be ignored.) quincy

Bestcrypt http://www.jetico.com/ encrypts swap files too, so all you can get with your grepping is just @(#*)$#)$*)#*(#*^0

would be jetico's bestcrypt.

http://www.jetico.com/

supports twofish and blowfish too and even GOST too, all the way up to 446bit of keylength.

a must have for any paranoid nut

Well, there is bestcrypt which will do that for Windows and Linux. Source available for Linux but not free. http://www.jetico.com/download.htm

I know that with some MUAs one can specify certain folders for local mail storage, and you can do this with Eudora in particular (you can probably do it with The Bat or maybe even Outlook; I've used neither of those, so I can't say). So install Eudora, and create your shortcuts for each user like in the link. You'll want to create folders on a different drive letter for each user. User #1 gets h:\mail, User #2 gets i:\mail, etc.

Now, install BestCrypt. You have three users, so create three container files. Have each roommate type in their own passphrase. Open each one, mounting each on the drive letter where the icon shortcuts above point to. Ensure that Eudora can get/send mail (look for mtimes on the .toc files for the inboxes if nothing else).

Now create three small batch files, one for each Eudora shortcut from above. In each, you'll have a line with the command for that user's bcrypt container mounting command, then the text in the "Target" from the Eudora icon above after that. Edit the properties of each icon, and point them to the appropriate batch file.

When User #1 clicks his Eudora desktop icon, BestCrypt will fire off, asking him for a passphrase. Then once the container with User #1's mail folders is mounted, Windows will start Eudora, pointing it at the newly mounted drive. It'll check mail, and store everything. When User #1 is done reading his mail, he can either leave his mail container moutned, or right-click the system tray icon and unmount it. (You could alternately create a batch file that shuts down Eudora and then unmounts the container.)

It sounds like a lot of work, but it should take more than 5-10 minutes to set up. And it'll be secure. You can pick many different algorithms with BestCrypt. Using Blowfish with a 256-bit key ought to be just fine for your needs. An alternate solution would be to go on ebay and find some cheap used laptops for your roommates' mail needs. Then you can encrypt your entire filesystem.

-B

BestCrypt offers cool encryption for linux via a kernel module and the loopback interface. Choose from a glob of algorithms to protect your block device, such as Blowfish, Twofish, GOST and 3DES. Whilst not free, for a measly $89.95 you get the source code and 1 license, coupled with 1 years updates and online support. More than adequate for those with sensitive data.

BestCrypt includes swap-file encryption in their latest version. It uses a new key generated at each boot, and is stored only in memory.

The biggest issue with this idea is cross-platform. So far a few suggestions have been raised, and I like the idea of a samba frontend, though it seems a little extreme.

BestCrypt is the only cross-platfrom encrypted drive/volume software I know of, its only free for Linux though. :(

Scramdisk/ e4m are options. Though Scramdisk doesn't run on w2k or XP, nor Linux. E4M doesn't run on linux either. The source for Scramdisk and E4M is available, but I've forgotten what the license is. I *think* its GPL, but don't count on it.

DriveCrypt is made by the same people as ScramDisk, but DC is closed source. Though they are promising a Linux release (as well as the current XP/2K/etc clients).

You may also like to try The Linux crypto mailing list to search for answers there.

Developing On-The-Fly encrypted drives for linux isn't all that hard, afterall, its been done before a few times. Doing so for Windows 95 though to XP is a lot harder.

As for the Mac side, I have no idea. I think the most portable option would be the Samba idea mentioned before. It shows the most promise, you are esentially piggybacking off a known and support product.

has the ability to create encrypted images with any given cipher and mount them. They've made a version for both, Windows and Linux (not sure if they have a Mac though). It creates a .jbc file that you can copy and manipulate to your heart's content. Here's their site.

There are a few product to do just that, such as bestcrypt .

Wipe is a nice program, but it is simply overkill. It has been shown in studies that typically 3 passes of a data wiping program should make your data non-recoverable by standard means (using popular forensics tools such as EnCase, Maresware, NTI's batch of programs, or disk editors on whatever platform you are interested in). As to how much the U.S. government investigators are able to retrieve...well that falls into your urban legends category I suppose. For the most part, DoJ guildelines suggest wiping your data 7 times as part of the norm. This is because of the non precise manner in which hard drive read/write heads pass over the disk itself (more of a wobble rather than a perfect circular motion). I just recently saw a whitepaper on Encase's site that covered users of WinXP using EFS (encrypted filesystem) secure deletion (which just does 3 passes) that makes recovery of the files deleted not possible this is the whitepaper. Just as the above reference article concludes, it should be kept in mind that there is so many places to look on Windows and Unix machines other than what files were deleted. Perhaps pictures of your latest porn stash or the Word document covering your NDA violations are gone, but registry settings, file slack (as was mentioned in the parent article briefly), pagefiles, memory dumps, and many other locations that track your activities on a given machine can be used as well. Wow, I did not mean to get so long winded...I just really get into computer forensics. My personal advice for decent file security and deletion is encryption + multi-pass deletion. There are several encrypted filesystems out there for both Windows and *nix, and a few options that are viable with both (BestCrypt File system containers and also BCWipe for deletion is a good example). I don't see the need to start advertising products, so check out the options for OS level and OS independent solutions.

I use an encrypted filesystem (BestCrypt, available from Jetico on my Linux notebook to protect sensitive data. The passphrase is queried during boot, if it is not entered, the notebook is basically a stock Linux notebook.

/tmp is on a RAM disk.

In addition I've put up restrictive packet filters (no inbound traffic) via iptables.

Now if I close the notebook, the lid switch detects this and prompts for a password next time the lid is opened. The notebook will lock up after a number of incorrect entries.

If I leave physical vicinity of the laptop I always close the lid (it has become a habit). If someone steals the notebook while I'm away, they got three tries on my password. After this they have to reboot and will find the encrypted partition unaccessible.

Works for me, and I think it's pretty secure.

On the laptop, I have an encrypted home directory. I never suspend my laptop, so I always log in/out when I use it in different locations. If someone stole it, they'd have a nearly impossible time getting to my personal files.

On the fileserver I use it via Samba and NFS mounts. This is why I chose BestCrypt over some other kind of encrypted filesystem/volume, actually. My wife can mount a volume file from her Windows machine via Samba and I can mount them via NFS (or via Samba when I'm booted into Windows game mode).

Best part is that there's no batteries, bracelets, rings, whatever to worry about. Just remember your passphrase and you're good to go. I'd recommend BestCrypt to anyone.

-B

Anyway, I highly recommend it.

-B

Try using BestCrypt from Jetico -- it works on Un*x and Windows. This is a great tool for creating a mountable encryted filesystem (just about every algorithm under the sun is supported, including 3DES and Blowfish).

Also included (which is why this reply is relevant) is the bcwipe utility, which does Department of Defense recommended (5200.28-STD) deletion.

It isn't "free-as-in-speech" but it does have a "free-as-in-beer" evaluation copy.

Check out:

http://freshmeat.net/projects/bestcrypt/

and

http://www.jetico.com/linux.html

Try using BestCrypt from Jetico -- it works on Un*x and Windows. This is a great tool for creating a mountable encryted filesystem (just about every algorithm under the sun is supported, including 3DES and Blowfish).

Also included (which is why this reply is relevant) is the bcwipe utility, which does Department of Defense recommended (5200.28-STD) deletion.

It isn't "free-as-in-speech" but it does have a "free-as-in-beer" evaluation copy.

Check out:

http://freshmeat.net/projects/bestcrypt/

and

http://www.jetico.com/linux.html

It works for linux too. There's a free trial download for both Windows and Linux. More details at: http://www.jetico.com/linux.html

Eric

Like I said, it's not a filesystem, but it might get you by. I personally don't care if /etc is encrypted or not. But I might care if /home was encrypted. It's easy enough to mount a BestCrypt container file at /home, so that might be enough.

-B

Is anyone familiar with Bestcrypt? It's an open source, non-free encrypted loopback filesystem program that works under both windows and linux. One problem that prevents me from using it though is that it collects no entropy whatsoever when you create a container. I don't know if it's just reading from /dev/random, but I think this is a potential weakness of the program. (Beside it being non-free).

I must disagree with with this statement, "Those sound like pretty good things to encourage anyhow to me." Encouraging people to break laws is not a joking matter especially in a strict system in a 3rd world country.

Sure Asia has some strict laws, but telling people to break them is not the solution, and will only enforce their government's petty stance on regulations. What the students should do is protest, make the world aware of the harsh sentences being imposed in their countries. Lobby to get them removed

If some states in the US started trying to circumvent drug laws by hiding their "stashes" their breaking the laws just as well so you can't have it one way and not the other. Fsck yea I disagree with someone like the government's bs, but at the same time a rule is a rule no matter how you cut it.

Now on the flip side of things, I hope their doing a good enough job of ridding their songs. If not they could use BCWipe to rid them, or if their laws allow for encryption, they could write an hourly cron script to tar then pgp them without destroying evidence.

Personally some of those students who are protesting, should look into getting into politics to ease things for their future kin.

use the source!

Taken off the http://www.rubberhose.com/

Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coersive interrogations and other compulsive mechanims, such as U.K RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available. Currently supported ciphers are DES, 3DES, IDEA, RC5, RC6, Blowfish, Twofish and CAST.

For thoses that don't know about the software you can read about it here.

PS:I never post to /. This is a first! back to getting the new /. DB built...

Note it's a commercial product, you can get a 30 day eval copy, after that your encrypted filesystem will become read only.

I completely agree with you this is a serious problem. Software track what you do what files you handle without telling anything to you .. I recently had an arguments with the ACDSee coders over their "feature" of storing a complete database of everything you saw with their software (complete paths and filenames, togeter with small thumbnails sometimes) and they refused to acknoledge that there might be some users that DONT WANT the whole world to knwo what they have been looking at on their computer.

The solution? the only solution that's 100% safe and simple is to keep an entire machine as a VMWARE file all inside a BESTCRYPT file!

in a SINGLE move get rid of any chanche for any forensic software to snoope into your OS details :-)))) AH.. of course you dont have to keep your DATA into the virual machien.. you can leeave your BESTCRYPT file in the HOST machine and access it via VIRTUAL NETWORK from the VMWARE machine! :)) (on which you must have installed bestcrypt as well). Email me if you want to discuss details more. I am writing some web pages about all this.