Slashdot Mirror

Of course getting the users to actually use encryption is another story...

TrueCrypt works pretty good for these situations and it comes with an open source license. The forums contain a lot of tips and tricks for using the application in odd ball situations.

Not affiliated at all, just a satisfied user.

(I'm not sure what pbb, Outfoxed, and dyne:bolic are.)

Personally I'd include TrueCrypt, which is open-source and free disk encryption for Windows and Linux. This software is simply amazing.

It's very different from a security standpoint from running apps over the web if you also use Truecrypt to securely encrypt the info and carry a copy of truecrypt on your usb drive. If someone steals the usb key you've only really lost your latest edit (assuming the exec in question saves to a desktop now and then . . .) because the contents of the drive will be opaque to anyone wanting to access them.

Use something like TrueCrypt to encrypt it. The next version of the Portable Apps Suite will include an option to encyrpt your personal data.

> I wish there were more programmers that actually know how to do cross-platform stu

I'm not sure what your trying to suggest by that. However, they *just started* to port TrueCrypt to Linux. The full feature set that the Windows version has will be ported. Volume creation and GUI are on their TO DO list. http://www.truecrypt.org/future.php Maybe check the facts before posting things like this.

I'm curious if they are blocking Slashdot? If no, then they will do it after this article :D

Two programs that can help:

*****Tor*****

"Tor: An anonymous Internet communication system
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features."

http://tor.eff.org/

*****TrueCrypt*****

"Free open-source disk encryption software for Windows XP/2000/2003 and Linux
Main Features:

* Creates a virtual encrypted disk within a file and mounts it as a real disk.
* Encrypts an entire hard disk partition or a device, such as USB flash drive.
* Encryption is automatic, real-time (on-the-fly) and transparent.
* Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
1) Hidden volume (steganography - more information may be found here).
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
* Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish.
*Mode of operation: LRW (CBC supported as legacy).
* Based on Encryption for the Masses (E4M) 2.02a, conceived in 1997."

http://www.truecrypt.org/

Wrong - as mentioned by several other posters there is an excellent free open-source encrypted drive product available for Windows - Truecrypt, http://www.truecrypt.org/ - which now has a Linux version available (since V4.0), offering the ability to access the same encrypted drive from both environments.

Forget Bestcrypt.

Just read this thread on google groups.

It would be great if someone translated it for those of us who speak only English and French.


I did tell about it to a few users of the software.

Hundreds of thousands of users downloaded the software and you told about the weakness only to "a few users" (instead of the developers)? Gee.

This problem was fixed a month ago.

http://www.truecrypt.org/history.php

I agree 100%. TrueCrypt lets you manage not only entire encrypted disks, but smaller, user-definable "container" volumes as well. These are all mounted as virtual drives, and are seamless to use. TrueCrypt works especially well with Thumb Drives.

One thing I really like about TrueCrypt is that it just works. I have tried several commercial options and several that come with Thumb Drives, and they tend to be either too cutsey or kludgy to use. In almost all cases, they are cumbersome and just have an "unstable" feel about them. TrueCrypt is solid, quick, and also importantly, doesn't require any installation other than copying a couple files and launching the app. (It does come with an installer, but it isn't necessary.)

Have a read of their FAQ and and you will see that a LOT of thought and effort has gone into this application.

I agree 100%. TrueCrypt lets you manage not only entire encrypted disks, but smaller, user-definable "container" volumes as well. These are all mounted as virtual drives, and are seamless to use. TrueCrypt works especially well with Thumb Drives.

One thing I really like about TrueCrypt is that it just works. I have tried several commercial options and several that come with Thumb Drives, and they tend to be either too cutsey or kludgy to use. In almost all cases, they are cumbersome and just have an "unstable" feel about them. TrueCrypt is solid, quick, and also importantly, doesn't require any installation other than copying a couple files and launching the app. (It does come with an installer, but it isn't necessary.)

Have a read of their FAQ and and you will see that a LOT of thought and effort has gone into this application.

Although I have not used TrueCrypt myself, I have serious doubts about the fundamental insights that its developers have in cryptography. To develop secure cryptography software, understanding of the algorithms much more important than actually implementing them.

Take for example the Truecrypt FAQ. They state that "On legacy volumes, which are encrypted in CBC mode, data within each sector (sector is 512 bytes) are chained so when a block becomes corrupted, each successive block within the sector will become corrupted as well."

Wrong. Using CBC (cipher block chaining), one corrupted encrypted block leads to two corrupted blocks after decryption, not an entire sector. This Wikipedia article explains it best: the red blocks indicate corrupted data.

I have not examined Truecrypt further, but I can imagine that there could be more cryptographical mistakes. The people developing Truecrypt may be great programmers, but apparently no (big-name) academic cryptographists are involved (or I must have overlooked them).

Personal note:

I'm a cryptography student at ESAT (K.U.Leuven, Belgium), where among other things AES (Rijndael) was developed. Although have not contributed to AES myself, I am being mentored by the same experts who were involved. Check my ip address if you want.

That is exactly why my prefered solution for on-the-fly hard disk encryption is TrueCrypt. Not only is it open source and cross platform (Windows/Linux), but it also happens to simply rock, surpassing many commercial products, with lots of nice features like the use of keyfiles, or for the true paranoid, cascade encryption (like AES-Blowfish-TripleDES) and plausible deniability (hidden volume).

TrueCrypt is disk encryption software for Windows XP/2000/2003 and Linux. Version 4.1 was released last month. It seems to have been designed by people who are VERY serious about encryption. For example, TrueCrypt "provides two levels of plausible deniability".

A number of encryption methods implement this. A quick search found StegFS and TrueCrypt. The idea is to simply hide an encrypted filesystem within another encrypted FS. With StegFS it is, as far as I understand it, cryptographically unfeasible to prove the existance of a hidden encrypted filesystem.

See: http://www.truecrypt.org/hiddenvolume.php

You can have a hidden encrypted disk inside another one. If pressed for the password, you simply give the password to the first volume, in which you've placed personal, but innocuous files (your budget, your tax returns, etc).

The second, hidden volume contains whatever you really want to protect, but there is no way to know whether or not a hidden volume exists within an encrypted volume.

People need to stop letting the governments erode all of our personal freedoms in the name of security; most of these new laws do nothing for real security.

In true Slashdot spirit, you should have mentioned the Open Source solution: TrueCrypt.

I have been burned before: I will never use a closed source software again for data encryption. The tinfoil hat crowd will worry about the possible NSA backdoor or weak implementation. More practically, I worry about the developer going out of business and the next windows update breaking my encryption software, leaving me high and dry with no other recourse but to downgrade or reinstall my system, get my data back, and start hunting for a new encryption solution. Save yourself the trouble and use TrueCrypt.

Now I was just going to write that the only problem with TrueCrypt was that it was Windows only (with Linux support on their roadmap, though...)... Well guess what: I just checked their site again, and here it is: "4.0, November 1, 2005 [...] TrueCrypt volumes can now be mounted on Linux." Perfect timing to prove again the superiority of Open Source :-)

This is slashdot. We like free software!

http://www.truecrypt.org/

Encrypted disks, crossplatform (win/lin).

http://www.truecrypt.org/ -- Best free one-the-fly virtual drive encrpytion with the option of encrpyting a volume with in one another that is impossiable to find. This allows the user plausable deniability, which is huge. They may crack the outer encrypted drive, but then they can never prove there is a secret inner drive! Good performance and benchmarking too...

That's because they are criminals. Failure to turn over your encryption key is an offence under the RIP Act, punishable IIRC by up to two years imprisonment.

I guess that's why one may use TrueCrypt with its support for two-level plausible deniability. I.e. it's practically impossible to prove there isn't more on the encrypted volume than you see, unless you have an enormous time to spend on trying to crack the hidden nested volume.

That's because they are criminals. Failure to turn over your encryption key is an offence under the RIP Act, punishable IIRC by up to two years imprisonment.

I guess that's why one may use TrueCrypt with its support for two-level plausible deniability. I.e. it's practically impossible to prove there isn't more on the encrypted volume than you see, unless you have an enormous time to spend on trying to crack the hidden nested volume.

Some encryption schemes allow for plausible deniability, where you can give a password, but it's just the one for the wrapper, and you can have a hidden inside volume they can't prove exists. Check out Truecrypt, for an example of FOSS software that does this.

People say good things about TrueCrypt. I've just begun using it.

Not biometric, but a good way to keep information safe.

Corsair has a rubberized water resistent shock-resistent flash drive available. I have one and found that it is quite durable: http://www.corsair.com/

As for encryption, check-out this open source project which offers an excellent encryption solution for Flash drives:
http://www.truecrypt.org/

For example:
Zip up your stuff (or tar.bz2, whatever...)
gpg -c --cipher-algo AES256 Stuff.zip

Copy Stuff.gpg to your flash media.

To decrypt, copy Stuff.gpg to your computer and run:
gpg -d Stuff.gpg > Stuff.zip

Don't forget your password. Make sure you use a trustworthy GPG binary, and the unencrypted archive should never be stored on your flash media!. The unencrypted version could be easily recovered using undelete software.

Now if it was me doing this, and I had some time on my hands, I'd look into the Linux crypto loop stuff. But that doesn't work all that well if nobody in your family runs Linux. So, I would have to opt for True Crypt on a Windows machine, create an encrypted volume on my flash drive, copy over the improtant files, unmount and run for it. At my parents/grandparents/whatever, it would be trivial to download and intall true crypt again and get access to my files.

I highly recommend TrueCrypt for your encryption needs. It essentially creates an encrypted file of a desired size which you can copy wherever you like, which the application mounts like a removable drive when you need to encrypt/decrypt stuff. The program even has a traveller mode that you can run without installation. Only requirement is that you have admin rights on the PC.

Oh, and if you do have to swim for it. . .just make sure the drive is in a ziploc bag :)

It's for Windows only, but I stumbled upon TrueCrypt found at http://www.truecrypt.org/ and really like it. And it's not only useful for USB drives, but can be used to create encrypted logical drives on a Hard Drive. For the really paranoid, the documentation even covers lots of stealthy ways to use it so as not to be detected.

I'm certainly no expert at encryption, but it seems pretty solid. Basically, it creates an encrypted container file and then mounts it as a logical drive when you open the file through the app. I've seen commercial counterparts such as StealthDisk, and I think TrueCrypt's interface is easier to use and its execution is more solid.

It's OSS and free as in beer and as in speech.

TrueCrypt has you covered.

Also for my private data, I have a TrueCrypt volume on the drive so that in case someone gets their hands on it, my not so public data will be safe.

If you're actually intending to put your LIFE on it though also consider a backup strategy so you won't lose everything when your drive falls off your keychain and into the sewer where it's eaten by technologically advanced rodents.

TrueCrypt will support Linux in the near(?) future.

For Windows, the best option is TrueCrypt.

I've got a review of it here, if you're interested, as well as some other portable security tools. I've a bigger list portable software tools as well. (shameless link, but on topic)

To address the temp and swap file issues, you can use tools to wipe them on a regular basis. This website has a lot of useful information about that.

Also you might want to try TrueCrypt. You could use that to encrypt your entire temp drive. I am not sure, but I don't believe it will let you encrypt the swap file itself.

If you're using windows (2000/XP Professional), right click on the directory you want to use encryption. Then select Properties, on the general tab click on Advanced and tick Encrypt contents to secure data.
There you go, transparent encrypted directory.
Also, Truecrypt is capable of encrypting stuff too.

/search/*.jpg, *.html, *.gif, *.etc...

Firefox and Opera may use a different method of file structure/ naming, but they *do* have a fundamental process and that process does not vary from system to system.

Ditto. Truecrypt is great, and free.

Although free to use, it's free-ness in other respects is unclear. The code is available to read (technically "open source"), but the license is a complete mish-mash of components, reflecting all the different contributions to it over the years: http://www.truecrypt.org/license.php

In particular, it states: "This product may be freely copied and/or distributed, provided that it is not modified or repackaged" and then goes on to say that you *can* repackage it as long as you attribute about 12 different people ...

Is there not a *real* Free product which does this?

http://www.truecrypt.org/

not sure if it will compile on other systems

Althought windows only, Truecrypt looks really cool and can be a real lifesaver in conjunction with pendrives or even gmail.

--
Dreamhost superb hosting.
Kunowalls!!! Random sexy wallpapers.

Or use something like Truecrypt's hidden volumes. AFAICS proving the existence of the second volume is impossible. So you don't have to hide the fact that you used encryption. You can even provide the password to the outer volume containing dismissible "secret" data.

> Simply demand passphrases - under penalty of law - from anybody whose packetstream, when decoded, contains the string "BEGIN PGP KEY BLOCK".

Yes, but that doesn't mean people won't be able to send encrypted data.

For example, TrueCrypt provides plausible deniability : the idea is you can create a 1 MB-file container and put, say, 600kb of JPEG files in it. The rest of the container is padded with random data. But you have the option of making this random data not-so-random, by encrypting something else (e.g. what you want to hide from the police) in its place. Police can force you to reveal the password of the container, but once they know it they will have no way to distinguish between a container with just JPEG files and random padding, and a container with JPEG files and secret data. So your secret data is perfectly safe.

However, this method has the disadvantage of not being very transparent: you need to create dummy files that appear important enough to you to be worth encrypting, but that can still be safely compromised to the police. It means that sending data periodically and automatically in this way is more difficult, because the "dummy load" has to be crafted so that it will be plausible that the container contains just the dummy load and nothing else.

Anyway I'm not sure how they would be able to really enforce this: I guess that if you send somebody an e-mail containing a 1 MB random file originating from alqaeda@hotmail.com, they are not realistically going to be forced by police to reveal any sort of key, because they don't even know what to do with it... What criteria should the police meet in order to prove that the person that they're trying to get the key from were actually able to use the encrypted data? Replying to the e-mail? That wouldn't prevent Al-Qaeda folks from sending news in one direction...

And then as other posters mentioned, there are session keys, which can't be recovered either.

This law doesn't look that clever...

There's an open source program called truecrypt that seems to work on the same principal as the one in your add. I've been using it for a while now and it works great.

For Time, the purpose of giving portable hard drives to reporters would be to transfer to the reporter ownership - and responsibility - for notes. That would reduce the onus on the company, leaving the reporter to decide how far to go with a personal act of civil disobedience. Some other publications also see the wisdom in this approach.

If portable HDs are used, it might not be a bad idea to encrypt them with something like TrueCrypt. A reported could even include a Hidden volume and tell the government/whoever that they haven't gotten around to actually using that particular drive yet.

Truecrypt has already solved this problem. I like this quote from the manual:

It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, when the adversary uses violence). Using a so-called hidden volume allows you to solve such situations in a diplomatic manner without revealing the password to your volume.

There is also the option of using an encrypted container and filling it half-way with some innocent-looking stuff that would still be worth encrypting. In the remaining space, you place another container with the real stuff.

TrueCrypt can do this to provide "plausible deniability". The second container does not appear in the filesystem of the first container. That's why you have to be careful to not modify the outer container once the inner container is created. Since the free space of any container will be filled with random data, an additional container inside the free space will be undistinguishable from random noise. Read the manual for more info.

There is also the option of using an encrypted container and filling it half-way with some innocent-looking stuff that would still be worth encrypting. In the remaining space, you place another container with the real stuff.

TrueCrypt can do this to provide "plausible deniability". The second container does not appear in the filesystem of the first container. That's why you have to be careful to not modify the outer container once the inner container is created. Since the free space of any container will be filled with random data, an additional container inside the free space will be undistinguishable from random noise. Read the manual for more info.

http://www.truecrypt.org/

I like TrueCrypt for Windows (http://www.truecrypt.org/)

From the website:

Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

1) Hidden volume (more information may be found here).

2) No TrueCrypt volume can be identified (TrueCrypt volumes cannot be distinguished from random data).

I was talking about people who did not lose their password or encryption certificates, obviously.

The problem is that Windows XP makes an additional password, one that is not backed up using any of the tools or documents provided. That automatically generated password is necessary, as well as the user account password, to decrypt the files.

If a computer is stand-alone, not part of a domain, then backing up everything, reformatting your hard drive, and reloading Windows XP will result in not having access to any of your EFS encrypted files.

The hidden, automatically generated password is not documented in any place that I was able to find. Microsoft Technical Support representatives agree with what I've said here.

The open source Truecrypt may be a far better choice, but I haven't tried it yet. Sourceforge hosts Truecrypt.

A tidied up version

I suggest you consider encrypting part of the drive, TrueCrypt is a great little app and will run from the USB Thumb Drive as a way to store any info you wish to be secure.

You might also want to consider EssentialPIM or Getting Things Done tools like GTDTiddlyWiki or Next Action (requires firefox)

Check out portablefreeware for more apps and Slashdot

Microsoft usb flash manager is a way to backup you flash drive and keep the info safe, you might also want to consider a second flash drive

(PS: Getting Things Done is a simple and effective personal productivity method by David Allen. You can get the book from Amazon.
Also check out the GTD community at the 43Folders website, wiki, and newsgroup.)

I suggest you consider encrypting part of the drive, TrueCrypt is a great little app and will run from the USB Thumb Drive as a way to store any info you wish to be secure.

You might also want to consider EssentialPIM or Getting Things Done tools like GTDTiddlyWiki or Next Action (requires firefox)

Check out portablefreeware for more apps and Slashdot

Microsoft usb flash manager is a way to backup you flash drive and keep the info safe, you might also want to consider a second flash drive

(PS: Getting Things Done is a simple and effective personal productivity method by David Allen. You can http://www.amazon.com/exec/obidos/tg/detail/-/0142 000280/qid=1115360158/sr=8-1/ref=pd_csp_1/002-8782 437-3718417?v=glance&s=books&n=507846" href="http://www.amazon.com/exec/obidos/tg/detail/ -/0142000280/qid=1115360158/sr=8-1/ref=pd_csp_1/00 2-8782437-3718417?v=glance&s=books&n=507846" class="externalLink">get the book from Amazon.
Also check out the GTD community at the 43Folders http://www.43folders.com/" href="http://www.43folders.com/" >website, http://wiki.43folders.com/index.php/Main_Page" href="http://wiki.43folders.com/index.php/Main_Pag e" >wiki, and http://groups-beta.google.com/group/43Folders/" href="http://groups-beta.google.com/group/43Folder s/" >newsgroup.)

I also use GMail for some light duty backup purposes, and to further help the paranoia I use http://www.truecrypt.org/ to put smallish (1-5MB) encrypted partitions up there for sensitive data. So far they have scaled with additional storage faster than my demand for storage, so I am quite happy with it so far. Just store the executable for TrueCrypt in your account as well and you are set for life.

Very cool.