Domain: samsimpson.com
Stories and comments across the archive that link to samsimpson.com.
Comments · 13
-
Scramdisk
Since you're using windows 98 try Scramdisk.
I used it some years back in my Win9x days and it was very reliable (well version 2.02h was anyway). I used Eudora for email, but any email program that isn't so tied to the registry is good - e.g. uses ini files and you can tell the program where to find the ini and mails.
Here's how I did it:
Create a scramdisk container (encrypted file which you mount as a drive) big enough to hold your emails and other stuff.
Mount it as say M: (or z: or whatever - don't clash with local, cdrom or network drives)
You can install eudora on the M drive - or leave eudora on C: for them to use. Then you create a shortcut for your own use which points to "C:\Program Files\Qualcomm\Eudora\Eudora.exe" "m:\mymaildir"
Eudora is smart enough to use m:\mymaildir as the maildir when you launch it that way.
Note you can even put the scramdisk container on a network drive which is what I did at my office - that way I can mount my office mail from any LAN machine and access it, and the data goes over the network encrypted.
I've also had scramdisk and a scramdisk container on a CD-R to store my remote admin SSL certs.
Scramdisk does not work with NT/W2K/WXP you have to buy the author's next version for that. -
Re:Completely legit, response from Valve
"but it isn't an excuse for having shipped defective software in the first place."
.Oh, come on! I'm a big advocate of Linux etc (see e.g. here), but let's not pretent that Microsoft is the only vendor to ship software that's a) out of the box broken b) implemented poorly and with no respect to normal security practices.
-
Random comments...
(Full disclosure: I've been involved with the Win32 Scramdisk project in the past)
Hhhm, this is pretty interesting. I am not aware of any other disk encryption program (Scramdisk, DriveCrypt, LoopAES, PGPDisk, BestCrypt etc) that offers sector remapping. It's useful because it prevents standard disk structures from being exploited in a known plaintext attack (note: with current knowledge, this is only a theoretical weakness with AES anyway).
Apart from that it looks a pretty standard On-The-Fly-Encryption (OTFE) system. It does appear to be slightly more complex than most programs, but this is offset by the peer review from (at least...) two very well respected cryptographers - Dr David Wagner and Lucky Green. I am not aware of any of the other OTFE systems being reviewed by anyone half this competent.
Last paragraph of 6 says "RSA2/512" should read SHA2/512.
I'd personally be worried about the use of a static (zero!) IV. I know the key is random, but.....Oh well, if Dr Wagner has peer reviewed it then this can't be much of an issue.
From the paper: "A truly paranoid setup would leave the computer con- figured to boot the Windows system by default, and locate the GBDE data in such a way that it would be destroyed by the act of doing so."
It's likely this wouldn't work - the first thing a half-competent adversary would do is image all disks in a system before booting....It's forensic 101.
-
Can someone explain how SHA1 does this
In this article
it states
"Compare this with SHA-1 & RIPEMD with which no such forethought is necessary (because no B can be found that hashes to the same M with these two alternative algorithms)."
I would have thought that any hash algorith would *theoretically* have collisions. Can somebody smarter than me explain this.
Thanks. -
Re:MD5 Cannot stand up in court.
"The md5 hashing algorithm has been proven to contain flaws allowing two files to produce identical md5 sums."
You missed two important words at the end of the sentance "in theory".
Whilst MD5 is theoretically insecure (and it's use in most situations where the birthday paradox applies is frowned upon by cryptographers) I don't believe that a collision in the full hash function has been shown in practical terms. Besides - is it a good use of a few hundred days of horsepower on a few hundred machines to fake an illegal song?!
;)I've got an old (but still relevant) description of the MD5 flaw here.
The trivial fix for RIAA is to use SHA1 as a hash.....Or just produce a business model that makes sense...
-
Re:Wait a minute...they can't do that!
Yep, certainly was. I guess the AOL lawyers have finally found a strategy to try and put the genie back in the bottle.
Of course, the following disagree
;)
http://www.sifnt.net/waste.zip
http://forums.winamp.com/showthread.php?threadid =1 37077
http://www.dhorrocks2003.pwp.blueyonder.co.uk/wa st e-setup.exe
http://slackerbitch.free.fr/waste/waste-source.t ar .gz
http://edwards.servehttp.com:969/waste/
http://scriptingnews.userland.com/2003/05/30#Whe n:2:48:46PM
http://www.dhorrocks2003.pwp.blueyonder.co.uk/
http://www.virtuelvis.com/temp/waste-source.tar. gz
http://www.blibbleblobble.co.uk/
http://cyber.law.harvard.edu/blogs/gems/home/was te.zip
http://www.cleanstick.org/jon/junk/waste-source. tar.gzAnd add to that my mirror http://www.samsimpson.com/waste-source.tar.gz
-
Issues
The biggest issue with this idea is cross-platform. So far a few suggestions have been raised, and I like the idea of a samba frontend, though it seems a little extreme.
BestCrypt is the only cross-platfrom encrypted drive/volume software I know of, its only free for Linux though.
:(Scramdisk/ e4m are options. Though Scramdisk doesn't run on w2k or XP, nor Linux. E4M doesn't run on linux either. The source for Scramdisk and E4M is available, but I've forgotten what the license is. I *think* its GPL, but don't count on it.
DriveCrypt is made by the same people as ScramDisk, but DC is closed source. Though they are promising a Linux release (as well as the current XP/2K/etc clients).
You may also like to try The Linux crypto mailing list to search for answers there.
Developing On-The-Fly encrypted drives for linux isn't all that hard, afterall, its been done before a few times. Doing so for Windows 95 though to XP is a lot harder.
As for the Mac side, I have no idea. I think the most portable option would be the Samba idea mentioned before. It shows the most promise, you are esentially piggybacking off a known and support product.
-
Issues
The biggest issue with this idea is cross-platform. So far a few suggestions have been raised, and I like the idea of a samba frontend, though it seems a little extreme.
BestCrypt is the only cross-platfrom encrypted drive/volume software I know of, its only free for Linux though.
:(Scramdisk/ e4m are options. Though Scramdisk doesn't run on w2k or XP, nor Linux. E4M doesn't run on linux either. The source for Scramdisk and E4M is available, but I've forgotten what the license is. I *think* its GPL, but don't count on it.
DriveCrypt is made by the same people as ScramDisk, but DC is closed source. Though they are promising a Linux release (as well as the current XP/2K/etc clients).
You may also like to try The Linux crypto mailing list to search for answers there.
Developing On-The-Fly encrypted drives for linux isn't all that hard, afterall, its been done before a few times. Doing so for Windows 95 though to XP is a lot harder.
As for the Mac side, I have no idea. I think the most portable option would be the Samba idea mentioned before. It shows the most promise, you are esentially piggybacking off a known and support product.
-
Re:STOP with this Neoproject bullshit!
God, where to start....
"RSA requires that you have two true primes to generate they key but the problem is there is no known way to generate a 2048 bit true prime that can't be factored in the same about of time it takes to generate it."
Wrong. Entirely wrong in fact. You should read the Handbook of Applied Cryptography (kindly made available online here). See e.g. section 4.3. Proving a 2048-bit number is prime (I think you mean 2x 1,024-bit numbers, but....) should take a minute or two - not excessive for a one-off operation!
"forget it however there are several publications that indicate that the number of solid pseudo-primes that are 512 bits long is about 2^40 so its key strength is about the same as 40 bits."
Erm, where do you get this stuff from? What's a "solid pseudo-prime"? ;) Also, the number of 512-bit primes is expected to be around 3.7x10^151 (see e.g. here)."Since we are talking about a 4x as many bits, a good guess of the strenght of a 2048 bit pseudo-prime would be about as hard as guessing a 160 bit DES like key".
Hardly - Certicom reckon that a 128-bit symmetric key is equiv. to a 3072-bit RSA key. Don't forget that, with symmetric keys, the strength usually doubles with each added bit of key material - the same isn't true for RSA or DH keys as there is now a sub-exponential algorithm for solving these problems....
The rest of your post doesn't get much better, but I'm off to eat sunday lunch now....Seriously, read HAC - it's good for you.
-
Interesting Privacy and Crypto Quotes
-
Very recent pictures of WTC
I was at the World Trade Center on Saturday the 8th of September, 2001....It was my first visit to the States from England and I was in awe at the city and WTC.
Some pictures from the top of and from the outside of the WTC are here: http://www.samsimpson.com/pictures.php?dir=galler
i es/newyork/wtc/
Simply unbelievable
:(
-
Very recent pictures of WTC
My first visit to the States (from England) was last Thursday to New York City.
These photos were taken of and from the World Trade Center (building 2) on Saturday early afternoon.
I'm not an emotional guy, but it's shocking to believe the devastation and loss of life that would be caused by an attack on these building.
-
Read my FAQ!
Interesting story - you may like to look at my PGP DH vs PGP RSA FAQ.
To quote the FAQ:
8.2. Get the threat in perspective!
The NSA (probably!) aren't specifically interested in you. They aren't going to break into your house to install bugs, or monitor your screen from a block away. They will however collect all of your messages sent over public networks.
PGP protects you from one form of monitoring - Echelon or other passive network sniffing. When your messages are captured by this global monitoring system, along with millions of other messages a day, the NSA can possibly decide to try and decode your message.
The most significant threat to PGP comes from user sloppiness. It is far easier to install a keylogger on your computer, install a trojan version of PGP, or bruteforce your passphrase than to break any of the cryptographic mechanisms employed by PGP.
If you are seriously worried about Intelligence Agencies actively monitoring you, then the last thing you should be worried about is them cryptographically attacking your PGP crypto implementation!
I'm currently working on a new version, and the ToDo list is here.