Slashdot Mirror

You're making that way more complicated and less secure than it needs to be.

TrueCrypt natively supports hidden volumes for a reason.

That's what TrueCrypt is great for - plausible deniability.

http://www.truecrypt.org/docs/?s=plausible-deniability

Unless they see you using both keys, or you've otherwise done something where they know you have a hidden partition...no.

They have a great explanation on their website http://www.truecrypt.org/

But essentially, you let them decrypt the normal partition, which has say, some financial info, records, etc. Then you pray they don't overwrite your hidden data. But they can't just examine the data and see you've got a hidden volume on there.

Even worse is that once you break one of the unreasonable policies (no admin logon on a developer machine, say), it's hard to keep any respect for the more reasonable ones. A bit of trust and leniency would go a long way toward respect. You could for example tell employees that they should avoid spending a lot of bandwidth during peak hours, and give people plenty warning if they're hogging all the gas.

Oh, and help them out a little by hinting about things like KeePass for passwords, TrueCrypt for sensitive data, and MD5 Password generator.

PortableApps came first and is better.

Better yet is PortableApps running inside a Truecrypt volume off the USB drive. Half the apps I run are that way. Makes for easy backups too, just copy the single Truecrypt file. Next thing I'm going to try is putting PortableApps and Cygwin both inside Truecrypt running off the drive (probably need a 4-8GB drive for that).

Something funny happened with my Truecrypt today.

I agree with the parent and sibling postings that Truecrypt is a great program to have, and I use it all the time. I set all my Truecrypt volume sizes to equal 650MB, so that I can burn it to CD-ROM easily (e.g. archived copies of my finances, etc.). The fixed size means that someday I can pick a few of my Truecrypt volumes to include a hidden volume, but most of them won't have hidden volumes --but any attacker can go spin his wheels trying to look for a hidden volume where there isn't any.

Lately I've been making a lot of backup text/XML files within my Truecrypt volume, approximately some 650MB of text files, but then yesterday something unexpected happened:

I ran out of room.

I was surprised because I thought TrueCrypt would have compressed the text files before encrypting them. I had read that files such as text files have low entropy --that is, high predictability-- and thus the cryptographically secure thing to do is to compress them first before encryption, or else it is a cryptographic flaw that makes the encryption more predictable and thus easier to break.

To be sure, even with this vulnerability, my TrueCrypt volume is probably going to be unbreakable by most standards, but can someone either verify or refute my statement? I had assumed that, for purposes of cryptographic security, TrueCrypt would automatically compress my data, and thus I would be able to stuff a lot more than 650MB of text files into my 650MB volume.

I use Truecrypt to encrypt a partition on a drive and store all of my documents there. It's transparent to the user, once you've mounted your volume(s) and it's pretty danged fast, too. You can do encryption with Twofish, Serpent and AES or a cascading combination of them. Pretty damned secure, opensource and free.

You can even encrypt a whole device. If you do that, it just looks like a blank volume and a thief won't even know there is data on the volume to be decrypted.

An idea might be to put a VMWare Virtual Machine inside a TrueCrypt volume.
This way your entire OS will be encrypted.

Whoops, well that is road kill of a different stink. Dumbass me just assumed that the source was out there that it was GPL. I didn't even think of a different license. Oh well, the source is there so you have the ability to look through it and compile it yourself, along with decent peer review too.

TrueCrypt is not licensed under the GPL. It uses its own crummy license which has has serious issues WRT free(dom)ness.

You might want to look into TrueCrypt.

Its different because you can change the TrueCrypt password all you want.

As a company admin, you create the TrueCrypt volume for your employees.
You backup the header file - That header file contains the real key used across the whole volume.

When you change your password, it doesn't have to re-encrypt the whole disk, right?
Thats because the header contains the real key it used across the volume.
And the password you provided is only used to provide access to the information contained in the header.

If you change your password, you only change the header.

http://www.truecrypt.org/docs/encryption-scheme.php

What this means is that, as an admin - You can allow your users to reset their own passwords, as many
times as they want, as frequently as they want.

Should they forget the password, you simply restore the original header, giving yourself back access to the volume,
and then you can change the password again for the user.

ALSO - If you need to access the users data, you backup the users volume, and restore yours.
Then you now have access to the volume.

When done, restore the users header back, and its back to whatever password he had.
You don't need to know his password to do this.

Its basically a second key to the volume.

Now if the user creates a new volume though, all bets are off.

As others have said, some parts of the U.S. government has become completely lawless. The government is requiring access and requiring that access be kept secret. The Bush administration has become a dictatorship. I think U.S. citizens should demand impeachment and that Cheney and the Decider be tried for treason. Why should the really big criminals be allowed to break the law?

My experience of whoever it is who sells PGP is that there are other issues about they way they do business, too.

That's why open source encryption is so important. TrueCrypt supports Windows and Linux. Supports encrypted devices and encrypted folders, including hidden folders.

To encrypt a file, use the free open source Gnu Privacy Guard.

They can't do whole hard disk encryption, but they are at least honest.

There are ways around it, using Truecrypt for example.

http://www.truecrypt.org/

You can have a hidden encrypted volume inside another volume. Without the key to the hidden volume there's absolutely no way to detect it (that volume can even be destroyed when using the first volume without providing the keys to the hidden one). If the authorities ask for your keys you give only those for the first volume and they'll never know there's another.

That doesn't help much for things like encrypted emails unless you manage to make one-time keys and shred the private key after saving the decrypted version to a hidden volume.

I just hope they won't make illegal the act of shredding a private key...

Your point, is only the point that anyone who has been interested in privacy protection in the last several thousand years has discovered and brought up. It boils down to the fact that if you are using encryption to protect your privacy, and you are one of a very few people doing so, then it is very obvious that you are hiding something. To anyone interested in you, they are naturally going to wonder what you are hiding, and try to force you to reveal it.

One of the very first PGP How-Tos I ever read mentioned that sending regular emails was like sending all your messages written on postcards, and PGP was like putting it in an envelope. It went on to discuss the hazard of being the only person mailing envelopes, when everyone else was content with postcards, and used that illustration to try to get the reader to get everyone on their address book using PGP for every message.

Your complaint, and proposed solution, is just that there be ubiquitous encryption so that one person who really wants or needs it doesn't stand out from the crowd by using something that is obviously different from "normal". You, just like the original writer of that long-ago How-To, are completely correct, however, just like him, you are doomed to disappointment. Until you can either get the majority of people to stop using Microsoft OS, or get Microsoft to include secure encryption, with no government back-door, turned on by default, anyone using any form of encryption is going to stand out when investigators come knocking. And yes, you can build your own linux distro with these features, but as you point out, could you even get a significant number of linux users to move to it, let alone the masses of people it would take for it to be consideered 'normal'? Not only that, but even if everyone was using envelopes, they would still know that you used an envelope, and would want the key to open it.

So, is the solution to just sit back and whine that you can't use encryption, because all the other poopy-heads won't use it, or can you do something else to allow yourself some privacy, and ability to deny wrong doing?

That is where Truecrypt comes in. Plausible deniability does not mean that they can't tell you are using encryption. No one has come up with a reliable way to do that (steganography) that doesn't still need something at either end to encode and decode that message, and that is a tip off to outsiders. You can hide the encryption in transit, but at the write and read points, you will have to have something to interpret it. Yes, TrueCrypt will be a tip off that you are using encryption, and it may be known for having the ability for hidden volumes. The key is that there is no way to prove there is a hidden volume. No matter what you do, you can't hide that you are using encryption. They can always prove that you are using it, and force you to reveal your key. But they can not prove you have a hidden volume. Thus you have the ability to plausibly deny that there is a hidden volume, and they cannot know if you are lying or not, unlike any attempt to deny using cryptography at all.

In addition, with the tools TrueCrypt gives you, and some intelligent planning, you can go a long way to increase your deniability. Your encrypted volume can be named anything... say... pagefile.sys on a secondary drive. Yes, someone who is really looking for things, and is good, may check your windows settings to see, if in fact, you have a multigig pagefile setup on that drive, but in itself it would not raise red flags. And you can always claim that you had that pagefile setup in a previous OS installation and it never got removed when you re-installed (I haven't yet found any other common, multigig binary file that would work). Run Truecrypt off a USB drive, or CD labeled as something completely different. Is an investigator going to scan everything on every CD near your computer? NSA probably, but not your local cop shop. The

"I guess when wire-tapping and CCTV just isn't enough"

The issue, of course, is that systems are being put into place that can be used against citizens who protest. By using "terrorism" to create fear, those who want corruption and control are building systems that can be used to give them more control. Laws that required centuries to build are now being thrown away with as little awareness by citizens as can be designed.

The movie Zeitgeist explains it: The movie Zeitgeist (2007) claims to explain it all, from an example of how people are controlled by myths, to how people who control government use fear to get more control, to why the U.S. government is pursuing a policy of hyper-inflation of the dollar now.

The movie is free and can be downloaded using a BitTorrent client, burned to a CD (a DVD is not necessary), and most modern DVD TV players will play it.

The Zeitgeist movie is very poor in some places, such as the opening sequences, and excellent in most places.

Don't expect emerging consciousness of very difficult subjects like those in the movie Zeitgeist to be free of error. The movie correctly says that "resurrection after 3 days" is part of many ancient myths, with an astrological background. However, the movie also speculates that Jesus Christ may never have existed. That is beside the point. In fact, whether Jesus Christ existed or not, many people in the world thought that his ideas and the ideas of his follower Paul of Tarsus were an improvement over what they had before. Even many people who do not claim to be part of a religion think that.

Those who want more information about how corrupters use fear can watch the free 3-Part BBC movie: The Power Of Nightmares: The Rise Of The Politics Of Fear (2004).

For those who don't know, and want to know what is happening and why, those movies are an excellent and entertaining way to start.

For people and their friends who invest in weapons and the manipulatable parts of the oil business, such as Cheney and the Bush family, controlling the government is how they make money and get more power. People from rich families often grow up believing that it is acceptable for them to kill people to get what they want. It is difficult, however, for the average person to believe that someone who already has a lot of money would kill others simply because he wants more money.

I am surprised at how much conflict of interest is allowed in the U.S. and U.K. governments. Why are weapons and oil investors like Cheney and Bush allowed to decide about starting wars in countries that have oil? (Afghanistan may not have oil, but oil investors want to build a pipeline through Afghanistan.)

Now the U.S. and U.K. governments are planning to start a war with Iran, another oil-rich country.

TrueCrypt has "plausible deniability. I wondered why TrueCrypt encryption software has "plausible deniability". I guess that is why. We will soon all be needing it.

This is in fact very easy to prove:

If te maximum jail time for not divulging encryption keys is significantly less than the time for actually being convicted of terrorism, then it should be obvious that real terrorists would never divulge such encryption keys.

No, this law, and others like it in other jurisdictions, are simply there to give the police one more reason to force regular citizens to hand over their keys.

If you actually do have something to hide from the authorities, the best idea is probably to look into http://truecrypt.org/ and the capability of having hidden encrypted volumes.

When forced, either by legal threats or by rubber hose interrogation, you can then divulge the primary key. On the primary volume you should store potentially embarrassing, but not really critical information. This should be sufficient to show that you had reason to hide said info, but not enough to put you in jail for a long time.

If you happen to be located in a place like Myanmar/Burma, then you should also use TrueCrypt, for exactly the same kind of reason.

Terje
"almost all programming can be viewed as an exercise in caching"

Encrypt using Truecrypt, which supports plausible-deniability. Allows you to have an encrypted volume and then a "hidden" encrypted volume within that. If you're ever forced to give up your key due to extortion or torture, you only need to reveal the key to the outer volume and the inner hidden volume remains encrypted.

Slashdot story quality is often low; apparently Slasdot editors don't even Google the stories. This is the real story; it was an armed robbery: Coppola Says Robbery Cost Years of Data (AP). This poorly edited story has even more detail: Thieves Steal Francis Ford Coppola's Everything.

I suspect that there is more to the story than we know. I suspect that he is more worried about release of information than loss of information. The AP article says he had a backup copy of a screenplay on which he is working.

The moral of the story is: Have proprietary data? Use TrueCrypt. Supports Windows and Linux. As all encryption software must be, it is open source, very mature, and supports both Windows and Linux. Supports encrypted devices and encrypted folders, including hidden folders.

To encrypt a file, use the free open source Gnu Privacy Guard.

I forgot to mention: for encryption you don't need to shell out big bucks like the dolts at the IT department did where I work. Just install Truecrypt and encrypt your data partition. Let that partion map on your My Documents folder and you're done.

I use it on my USB sticks.... Love it

That said, while Truecrypt exists for Linux, I'm sure there is a native way to do encryption without additional software. If anyone has more information about that, I'll be glad to hear of it. (Migrating to Ubuntu full-time, so one day I'll need it)

But behold! My block of swiss cheese has a stronger security model!

We use UltraVNC over a VPN built into a hardware firewall. UltraVNC has "repeater" software that works around firewalls: "Repeater: With the help of the repeater you can use UltraVNC viewer behind a NAT router. NAT-to-NAT: The NAT to NAT connector allows for connections between UltraVNC viewer and server behind NAT routers without any router modification."

OpenVPN works around firewalls: "With OpenVPN, you can: * tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port". I haven't used OpenVPN because the documentation was cryptic, but it looks like very good software. There is an OpenVPN How-To, but it seemed poorly written to me. OpenVPN 2.1_rc4, released on 2007-04-25 looks a little easier, but I didn't test it. The basic idea of OpenVPN software seems to be that, if you are a very advanced networking professional, you will be able to read the explanation.

UltraVnc SC, as someone said below: "UltraVNC SC is a mini (166k) UltraVNC Server that can be customized and preconfigured for download by a Customer. UltraVNC SC does not require installation and does not make use of the registry. The customer only has to download the little executable and Click to make a connection. The connection is initiated by the server, to allow easy access thru customers firewall."

It's crazy to use closed-source remote software, in my opinion. They say, in effect, "You can trust us, none of our employees built in a back door. Really. You can trust us also that our company hasn't been sold recently, or changed policies without notifying customers."

Joel on Software's Fog Creek remote software is a joke, in my opinion. Joel says, in effect, "Let us perform a billectomy on your wallet. Then you can use our software that built on open source software and was extended by some interns over one summer."

I think the same about encryption software. There is only one good option. The open source, excellent, cross-platform TrueCrypt.

I always wondered if a botnet could get large enough to effectively break encryption.
The only reason AES, RSA, and other algorithms are considered secure is the extremely large amount of time or processing power needed to brute force them. But with a "distributed supercomputer", a botnet operator could potentially brute force the keys, like those protecting Microsoft's driver signing, bank SSL certificates, and even the keys used by certificate authorities.

Breaking them could allow hackers to forge certificates, fake driver signing, sniff bank transactions, and circumvent other security measures. Even TrueCrypt is vulnerable if the encryption keys can be brute forced. With enough processing power, hashing algorithms are potentially vulnerable too; like those used for passwords.

Encryption is so heavily relied on by the computer industry that successful key breaking could cause lots of security problems. The only way to mitigate possible attacks is to use stronger encryption algorithms, use longer keys, and to use multiple encryption layers instead of relying on a single algorithm's strength.

Runs on Linux and Windows, and doesn't need a TPM chip to operate. It'll create encrypted volumes from files, or work with raw devices, and also do "hidden volumes" in case you need plausible deniability - http://www.truecrypt.org/

Word document encryption is easily defeated. There are tools to do so in under 5 minutes. Security through obscurity is no security at all. If you wish to have true security I suggest something like TrueCrypt.

That's different. Windows can't "see" more than one partition on a USB flash drive... which is why the Disk Management MMC snap-in won't let you create more. If you make more than one partition Windows only mounts the first one it sees.

Of course this assumes you're talking about actual partitions. More likely you're confusing a virtual drive for a real partition; I'm thinking TrueCrypt, which is promoted by many as a way to keep files safe and encrypted on your thumb drive. You enter a password and an encrypted file on the first and only partition on the drive is mounted as a virtual partition on it's own drive letter. Nothing is ever hidden from Windows; Windows never knows that the simple file is supposed to be a partition, nor what the encryption key is that is needed to decrypt it. TrueCrypt supplies the first function, while the user's password or keyfile supplies the second. The only things hidden are the things the user explicitly wanted hidden by making the TrueCrypt Volume and putting files in there.

I did a talk for my local LUG back in September of 2006 describing exactly how to do this using TrueCrypt for Linux and Windows

I described in detail how to install, boot and use the USB key as a bootable Linux distribution, and also how to use the USB key in Windows (or Linux) with TrueCrypt, using some fancy tricks to auto-prompt for the password upon insertion of the key, how to use a slew of PortableApps on the key, and even a launchable menu to find and access them.

This was almost a full year ago. IronKey, whatever it is, is nothing new.

Why is this kind of product not targetted directly at the kind of user who is aware of the issues at stake?

Given the source code to truecrypt, it would be fairly trivial to distinguish truecrypt volumes from more random data.

Here's the source code. I'll be waiting for your proof of concept.

Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created* and no part of the (dismounted) hidden volume can be distinguished from random data.

Everybody is drinking the koolaid on this point. This can't be true. Mixing random data and non-random data in a predictable way does not make the whole thing random.

Sure it does.

Given the source code to truecrypt, it would be fairly trivial to distinguish truecrypt volumes from more random data.

I encourage you to try.

truecrypt,http://www.truecrypt.org/

You do make some very good points, but because the Full Disk encryption software is not a chip soldered to my Motherboard. If the encryption software I choose is full of holes, I can then replace it with a certified paid product or another open source product.

The issue here is that the "security" offered by MS and TPM isn't all that secure to start with, and you can't get rid of it whether you want it on there or not ... at least not without abandoning the MS OS and/or the hardware with TPM installed.

For something like truecrypt,http://www.truecrypt.org/ I don't think it's any more inherently insecure than most pay products, and since I actually use it I can personally attest that it is better than most.

Nobody in their right mind would upload ANY personal documents to free hosts unless the filenames end in .tc.

As I read this article, the very first thing that popped into my head was privacy issues. We've all ready how the NSA, CIA, FBI, etc. accessed AT&T's phone records, etc. I wouldn't put it past them if they are already accessing and data-mining Yahoo! and Google E-mail.

The service gives users who e-mail documents between home and work computers an alternative way to access their files on the go. Users can keep files private or share them with people they know or with anyone on the Web.

When I need to take some of my work home with me to finish it up, I always use TrueCrypt to create a volume and use AES-Twofish-Serpent with Whirlpool. Since it is free, I recommend that everyone here use it. You have nothing to lose if you do and if you don't - you don't want to be in the news as the employee who lost another database of customer records.

Sadly, "in this day and age (tm)," you need to be vigilant of all of your data as everyone from hackers to governments want to see what you are doing.

http://www.truecrypt.org/

People should be fired/prosecuted for negligence these days.

http://www.truecrypt.org/hiddenvolume.php

Your welcome.

Try http://www.truecrypt.org/, in hidden-volume mode.

That's what packages like TrueCrypt with hidden volume support are good for. The Man tortures you, you give up a key, and he finds some fake secret files, while your real secret files are still safely hidden.

In my haste I missed that TrueCrypt also does hidden OS partitions.

http://www.truecrypt.org/

This is from their website:

In case an adversary forces you to reveal your password, TrueCrypt provides and supports two kinds of plausible deniability:

1. Hidden volumes (for more information, see the section Hidden Volume).

2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted.

So no matter how paranoid you are ... the Open Source community has got you covered!

http://www.truecrypt.org/

We're already using torrent encryption, Wireless encryption, anon HTTP Proxy, encrypted NNTP, etc.

Meh, what's one more. Go ahead officer friendly, take the drive, try to read it, what??? You can't see any data on it? How sad.

/On decent hardware performance is pretty much the same. (except for games Grrr>)

Any suggestions?

If you can accept just having some partitions encrypted, TrueCrypt is wonderful.

I am fed up being told that I can't encrypt data on my USB drive.

My bad. I guess I was just thinking aboout the hidden volume feature (one of the more attractive features of TrueCrypt):

From http://www.truecrypt.org/docs/?s=version-history


A hidden volume can only be created within a FAT TrueCrypt volume (i.e., the file system of the outer volume must either be FAT12, FAT16, or FAT32). NTFS file system stores various data throughout the entire volume (as opposed to FAT) leaving little room for the hidden volume. Therefore, the Volume Creation Wizard prevents the user from selecting NTFS as the file system for the outer volume. The hidden volume can contain any file system you like. Note that the outer volume (when file-hosted) can be stored on any file system.

The whole point of using TrueCrypt is that you have a second encrypted volume inside the first which is effectively hidden because it is impossible mathematically to prove that its there. You simply place some reasonably confidential personal information on the first layer of encryption like your personal financing, photos, (legal) porn collection etc. providing you with plausible deniability. In the second inner layer of encryption you place stuff you don't want RIAA or anyone to actually find.

The whole point of using TrueCrypt is that you have a second encrypted volume inside the first which is effectively hidden because it is impossible mathematically to prove that its there. You simply place some reasonably confidential personal information on the first layer of encryption like your personal financing, photos, (legal) porn collection etc. providing you with plausible deniability. In the second inner layer of encryption you place stuff you don't want RIAA or anyone to actually find.