Encrypted Fileserver with Bittorrent Web Interface

mistermark writes "I built a fully encrypted (samba) fileserver with a web interface for managing torrent downloads on it. All I used is OpenBSD 3.6 and its package collection, except for the TorrentFlux-interface (which you need to install separately). Anyway, it can be built using binary packages only. I included a rough HOWTO on how to make one of these yourself."

Nice

[slashalive]

Now you can seed your secret corporate documents!

Re:Nice

Now you can seed your secret corporate documents

Congratulations!. You are the most idiot that had read today!.

Re:Nice

You, on the other hand, are "the most idiot that had write today."

why?

Pertend I'm stupid, why would I want this?

Re:why?

So you can have an encrypted MP3 collection.

On 2000/XP, you can do this yourself by right clicking on the folder containing your warez/tunez and checking the encryption box. As long as Bittorrent runs with you as the current user, its reads and writes to that folder are automatically encrypted and decrypted by the filesystem.

Re:why?

[big_groo]

Pertend I'm stupid...

No need.

Re:why?

[jurt1235]

Simple: You have random users which make backups to your machine but don't want anybody else to be able to read these backups.

Re:why?

[caluml]

Yeah, I can't work this out either. The problem with torrents is not storing them safely, or downloading them safely. It's that when you start downloading a file using torrents, your IP address is known by the tracker which gives away the fact you're a downloader.
Sure, store them on an AES-256 encrypted filesystem, sure, use SSL for the transfer. But it doesn't help the fact that the downloaders/uploaders are known.

Re:why?

[theraccoon]

I don't know. TFA says:

"You at least need to proof the person actually possesses the data and in my case... good luck proofing that."

Actually... Bittorrent shows who's connected to you, who's uploading to you, and who's downloading from you. Those logs, at least in the good 'ole US of A, are proof enough for God the RIAA to file a lawsuit against you (or as the case may be, your IP address). The RIAA has never had to confiscate a file sharer's HD or computer, but I bet if they did, they could find someone or some way to de-crypt the files on that server. A fun experiment, but as far as I can see, it's not very practical in terms of stopping a lawsuit.

Re:why?

Pertend I'm stupid, why would I want this?

Is pertending necessary? :)

Re:why?

[Stoutlimb]

"But it doesn't help the fact that the downloaders/uploaders are known."

Would this work if it was used in conjunction with an anonymizing HTTP proxy service? Or freenet?

Re:why?

Short answer: to get a minimal protection when "they" will knock your door.

Long answer: because sometimes innovation, be it social or technical, or both, requires some rules to be broken. The powers that be can adapt much more slowly to changes, hence their constant battle against people that promote them.
The ultimate goal is not getting mp3s and movies without paying for them but changing the rules in order to allow the artists to get a reasonable payment for their work and allow more people access to music, movies, books, whatever by keeping prices low. This goal can only be achieved by widening the audience and removing the now unnecessary layers between the money and the artists. I'm talking about big production companies, the biggest useless moneysucking layer and -surprise- the worst enemy of p2p filesharers.
Given enough time, more artists will make music in their home studio, distribute it on the net and make profits by charging a fraction of what is currently asked for music. One day also good actors and small movie producers will join.

Read some history and you'll learn how it is sometimes necessary to be illegal in order to achieve some positive goals for the community.
I'd love a world where everything legal is also right and everything illegal is also wrong, but that's not our case. Sometimes we have to fight the rules.

Re:why?

but with the encryption can they tell what you are downloading? correct me if i'm wrong here but can't you see whats being downloaded over bittorrent? would this give you plausable deniability when you get busted for piracy? "i wasn't downloading movies over BT. it was just a very large text file."

Re:why?

[pembo13]

I'm curious as to what is to stop an individual, after receiving a letter from the *AA, from buying a new HDD, installing Windows 2k, leaving it unpatched, then claim that your computer has been acting slow, and your DSL has been acting slow, and you were always wondering why, and so it must be a 'virus' using your computer to download files.

Re:why?

[mian]

You at least need to proof the person actually possesses the data and in my case... good luck proofing that.

Actually in some countries direct linking alone is illegal, you do not need to actually posses the data but simply link to it anywhere else on the Internet can be illegal.

This reminds me of a site FAQ the other day on seedler.org which tries to justify it's existance by saying BitTorrent is not illegal

Is BitTorrent Illegal?

No. BitTorrent is purely a protocol for file transfer, just like FTP and HTTP. Unlike Kazaa it has no central database of files, or search capabilities.
The BitTorrent protocol can be used to transfer illegal files, but then so can FTP and HTTP. So if the bittorrent clients are illegal, so are Internet Explorer, Netscape etc.

But they are not a BitTorrent client, they are a site hosting .torrents which link in some way directly to copyright material. IE/firefox etc is not illegal but a web site which links directly to illegal material may very well be so that argument does not work.

Re:why?

[Mr.+Haplo]

Good question. I've been asking that every time I hear of a new Linux port to some device that has absolutely NO need to run it.

Hmm. I just realized that the window fan I bought today isn't running Linux yet. I wonder if there's a port available. Maybe I can get real-time fan speed status and control from it, instead of using the Windows-inspired 3-way dial to control the speed. Heck, I bet I could even control it over the Internet!

Go useless Linux ports!

Re:why?

[Elshar]

I'm pretty sure that no HTTP proxy service would be terribly thrilled should you start hammering their connection with your warez'd bittorrent transfers.

Not to mention you don't know if they are logging who uses their proxy servers. It wouldn't be hard to track + log connections. And, should they get a subpeona, they WILL relinquish that information.

Re:why?

[serutan]

I'm glad it's not just me wondering how this makes sense. It seems more like a "because I can" project. In the article he says the encryption protects him from prosecution/persecution by the Netherlands copy police. But I doubt it.

In the US at least, physical evidence isn't actually needed because these cases never actually go to court. Entities like the RIAA just mail threat letters and collect money. One accused person's lawyer called the RIAA and wasn't even connected with another lawyer, just a regular staffer.

slashdotted

[crazyray]

from the "about" page: Professional co-location was/is out of the question simply because of the costs and I did/do have bigger plans than to be able to host this kind of thing at home. To be honest, if this thing grows any bigger I'll be moving the whole shebang to a datacenter after all... Prices have dropped quite a bit since about two years ago and now. But, until then, all this comes from my server at a friends house where he has an amazing 10mbit up&down.

Well, I guess he USED to be your friend, until you slashdotted his internet connection....

Fantastic!

[Segfault666]

This is a fantastic piece on our [my] favorite OS. How-to's can be taken both ways, piracy or not - this is a fanstastic tutorial.

Re:Piracy how-tos?

how about protecting legitimate file sharing uses, whether or not the RIAA agrees with them? dont be so quick to criticize, my RIAA stooge friend.

Also encrypted my machine

[jurt1235]

It now looks like a toaster.

Re:Also encrypted my machine

[WolfWithoutAClause]

More like a pop tart when the toaster gets stuck.

Flames! 3 inches high! Firebrigade! And drama!

Re:Also encrypted my machine

It now looks like a toaster.
So you're using NetBSD

Re:Also encrypted my machine

[jurt1235]

since this is a BSD issue, I shall call it worse: Linux.

Re:Piracy how-tos?

Pirate away :). FreeBSD 5.3 FreeBSD 4.11

I would be impressed if..

[Keruo]

he would've used usb thumb drive to boot that thing and store the encryption key there.

Another pitfall is that samba.. not secure.. again, if he'd install vpn server there that would create secured medium for accessing it, would be another story.

The saddest part probably is that he raped SGI 320 and put AMD in it! just to have cool case for his desktop, seesh, he'd have much more geek respect, by keeping that SGI intact.

Re:I would be impressed if..

Even though the 320 was unique (not unix, not really winders either--as far as windows goes anyhow), it's just not an SGI to me. It's a bastard SGI, not fully qualified of the bug badge (or their stupid newer logo for that matter).

If he tore apart an O2, Octane, Origin 200, or earlier machines (Crimson, etc), or for that matter any other SGI that actually deserved to be called SGI, then I'd be disappointed. There are people that have done such. They deserved to be kicked. Hard.

As such, I really couldn't care less if he tore apart win32 SGIs. As a matter of fact, if he could magically make the entire concept of a SGI running windows just go away, I'd be all the happier!

Re:I would be impressed if..

[ninboy]

wasn't the 320 just one of the intel based NT workstations ? who cares if its not a mips/irix machine

Piracy how-tos?-A "./" Caesar.

[THe other AC]
"how about protecting legitimate file sharing uses"

You don't need to hide legitimate material.

[The OP]
" Has this site just completely given itself over to the warez kiddiez?"

Someone look up "transitional ethics" for this guy.

Re:Piracy how-tos?-A "./" Caesar.

You don't need to hide legitimate material.

Cue all the warez-boy screaming about how encrypted P2P is going to help the human rights of Falun Gong people in China... (while it also helps them to get more warez)

Re:Piracy how-tos?-A "./" Caesar.

there are plenty of reasons for wanting to obfuscate material, none of which necessarily imply illigitimacy. what if you are downloading goat pr0n...or you are a windoze freak embarrassed about wanting to try out linux and you are afraid that someone's sniffing the network you're accessing the torrent from.

Re:Piracy how-tos?

[LebenOjanen]

The truth and something we hear over and over and over and over and over again are two different things. :)

Note to law enforcement. Dont reboot.

[Bazman]

I'm guessing the encryption password needs to be re-entered on reboot (before mounting the FS, it seems). So if the feds bust in and kick you off your warez box, as long as they dont switch it off, they've got your 0-day filez in the plain. Just dd it all across the network.

And oh yeah, with SMB as your network file system, is the traffic securely encrypted? Weakest link, and all that...

Baz

PS yes, I know you're only doing legal stuff :)

Re:Note to law enforcement. Dont reboot.

[radixvir]

Even worse HES DOWNLOADING FROM BITTORENT. Why would the feds need to bust in? The **AAs will just catch him like every other bt user since the bt protocol itself isnt encrypted. Like any other P2P network, users connect to other users would have the data. Just start downloading a torrent and log everyones ips that connect to you.

Re:Note to law enforcement. Dont reboot.

[comwiz56]

He lives in Holland and notes that in the article the **AA (or whoever) must show proof of possesion to make charges.

Re:Note to law enforcement. Dont reboot.

[badriram]

I do not know samba supports it, but i know windows does let you sign traffic that is sent. But i do not think all the traffic can be encrypted. I think you have to be a domain member to encrypt traffic. But i might be wrong.

Re:Note to law enforcement. Dont reboot.

[xbytor]

So if the feds bust in and kick you off your warez box, as long as they dont switch it off, they've got your 0-day filez in the plain.

I've always had the power strip for my box on the floor next to my left foot. If I need to do an emergency power-off cuz the FBI wants to talk to me or because I got some Jenna Jameson on the screen and my boss just walked in, I can hit it in a hearbeat.

Not that I would ever put myself in a situation like that, but I'd rather be prepared "just in case".

Re:Note to law enforcement. Dont reboot.

[Beryllium+Sphere(tm)]

>Just dd it all across the network.

Of course, that's dd from a CD-ROM full of statically linked programs. Investigators shouldn't trust target machines for anything. And if you ever look at a machine that may wind up in court, make sure you don't do anything that writes to the hard disk.

The Secret Service guidelines for seizing computers say to consult a computer specialist if possible before doing anything, but if there's no specialist to be had they say to yank the power cord.

Doing investigations right is *hard*.

Re:Note to law enforcement. Dont reboot.

"I'm building my own starship", Tom said enterprisingly.

"I think I'm coming!", Tom ejaculated.

Re:Piracy how-tos?

ummm, are you a moron? Just because it says "torrent" does NOT mean piracy. There are many legitimate uses for bittorrent and many legitimate reason to want to encrypt files....put them together and what do you get? RTFA next time you fucking mpaa monkey.

And another thing...

[Bazman]

TFA suggests you use his cryptfs script thus:

cryptfs -m Encryption key: secretstring

dont forget to zap your .bash_history file afterwards. Its the first place we look.

Baz

Re:Piracy how-tos?

[Rakshasa+Taisab]

Much is illegal and depending on your ethical belifs much more may be immoral. But do not assume one is a superset/subset of the other. Most you can propably say about it is that they intersect.

Big fan...

[__aaclcg7560]

Can anyone identify the size of the fan being used on that server? I'm used to seeing 60mm and 80mm fans but not one that big. (Although when I had an AMD K-5 computer back in 1997, I would open up the case during the summer and use a 20" floor fan to keep it cool.) I think have the front end open like defeats the purpose of cooling down that many hard drives.

Re:Big fan...

[chowells]

Looks like a 120mm. They aren't _that_ uncommon.

Re:Big fan...

Looks like a 120mm

Re:Big fan...

[Anti-Trend]

That's a 120mm fan, which is pretty standard fare. I use them quite a bit in the workstations at work, since they move a lot of BTUs without sounding like a blowdryer in the process.

-AT

Re:Big fan...

[richie2000]

Looks like a 120 mm fan to me. They're becoming fairly common now, especially among the silent PC crowd. I even come across 90mm fans now and then...

Re:Big fan...

[bleckywelcky]

As everyone else said, 120mm. I've got 2 of them in my case. Why? Because they are bigger, they move more air with less fans (more air/fan), less power, and are typically quieter for the amount of air they move. For my case, I would need to replace my 2 120mm fans with probably 4 80mm fans to get the same CFM. All the while, power and noise will increase (as well as cost).

Re:Big fan...

[zakezuke]

Can anyone identify the size of the fan being used on that server? I'm used to seeing 60mm and 80mm fans but not one that big. (Although when I had an AMD K-5 computer back in 1997, I would open up the case during the summer and use a 20" floor fan to keep it cool.) I think have the front end open like defeats the purpose of cooling down that many hard drives.

As others have pointed out, 120mm (4.72 inches). This is pretty much the perfect size to mount in three 5.25 inch bays. I have one mounted on my system right where the brackets for the extra large cards go at 5v. Both my 120mm fans were pulls. One was from a Compaq 386 server which employed the use backplane and motherboard card. The other is a 120V was from an odd 8086 systems with linear power supply... i.e. not a switching power supply.

The front cover is likely to be off due to there being no room for it as there's a fan in the way. Either that or no vent holes in the front cover.

Re:Big fan...

[zakezuke]

Looks like a 120 mm fan to me. They're becoming fairly common now, especially among the silent PC crowd. I even come across 90mm fans now and then...

The 90mm fan size was common on IBM power supplies that fit in their full sized AT case. They were huge, about twice the size of our current standard, and typically the cover had a hole cut into it so you could actually use the big ass switch. It was normal for me to see the hole for the big switch on clone power supplies covered with a plate with wires coming out for the front switch.

90mm was also very common on systems that had no dedicated CPU fan but rather employed the use of a shroud and placed the fan on the lower part of the power supply.

Re:Big fan...

[BumpyCarrot]

Just so you know, it's really not that hot an idea to leave the case open. I've seen systems get hotter with a desk fan cooling them purely down to the dust build-up from having the side off. Not that we haven't all tried it :)

Re:Big fan...

[__aaclcg7560]

In my case (no pun intended), the case didn't have a front fan and, IIRC, the AMD K5 CPU didn't have a fan on the heatsink (this was back in 1997). The only fan in the box was the power supply. When the outside temperature was 100 degree and the inside wasn't that much coolor, popping open the case and using a floor fan was necessary. I just had to play on Quake 2 on my spanking brand new Voodoo Rush video card in glorious OpenGL colors while my roommates were still playing in software mode on their Diamond Virge video cards.

When I worked at Fujitsu for a while, their mainframe room had these huge floor fans just in case the air conditioner goes out. Talk about a freezing hurricane!

Re:Big fan...

[evilviper]

Can anyone identify the size of the fan being used on that server? I'm used to seeing 60mm and 80mm fans but not one that big.
I don't blame you for not know, or even for asking when you could quickly have looked it up, but I certainly do blame the idiot moderators that gave you points for the dumb question...

Beyond 80mm fans, 92 and 120mm fans are common. I have a couple from several years back. I stick with 80mm fans now, for numerous reasons.

Re:Big fan...

[BumpyCarrot]

Ahh, yeah, nothing like catching those extra frames above the competition ;) Well played my man.

Re:Big fan...

[repvik]

That's a standard 120mm fan. Useful to get nice airflow without the high-pitched whine of smaller fans. My current desktop has two of those (One in PSU, one on the radiator)

Re:Big fan...

[qopax]

you wanna tell us those reasons? I, for one, am interested in what the advantages are for having an 80mm fan instead of 120mm fans, except to make them fit into small spaces...

Re:Big fan...

[Skrybe]

Actually one of the main reasons not to leave the case of (aside from dust and curious pets) is that it changes the airflow characteristics. If you have a closed case with fans in strategic locations you're directing the airflow rather than just scattering it over the whole inside of the case.

Re:Big fan...

[evilviper]

Size certainly is one of the reasons. It's not at all easy to mount a 120mm fan on a heatsink, but it's no problem at all with an 80mm fan.

To throw another size one in there, most everything is still designed for 80mm fans (multiple case fans, power supply, heatsinks, etc), and adapting a larger fan to fit usually has many more drawbacks than benefits. For instance, a good 80mm fan might be almost silent in a power supply, while mounting a 120mm fan sideways (as Antec does) results in a lot more noise due to turbulence, because the airflow is then going in the wrong direction.

The main reason, is that there aren't many thermally-controlled 120mm fans, and tempurature controled makes a HUGE difference. You can have a system running absolutely silent when it's cool, and only ramp-up the fans (to nearly silent) when really needed. Incredibly quiet, and still completely stable. In addition, having seperate individual thermally-controlled fans is much better, and more flexible. If you have one 120mm fan, it will only speed-up a little with an increase in tempurature, while dual-80mm fans would both speed-up, making those airflow increases, to combat rising tempuratures, exponential (necessary, because thermal sensors aren't sensative enough, alone).

Another important one is directed cooling. In one system, I have an 80mm fan located directly above the northbridge, which gets rather hot. Now, if it was a larger fan, it would have less air-pressure, and would likely disperse before really reaching and cooling the northbridge. When you have to put 40mm fans all over your system to cool individual hotspots, it defeats the purpose of having those 120mm fans. You can certainly duct a 120mm fan to increase the air pressure, but size constraints (in all directions) usually make that difficult.

Also, there's price and selection. 120mm fans aren't that common, so the price is relatively high, and there isn't a lot of selection and different features. Meanwhile, there are an incredible number and variety of 80mm fans. Thanks to that, I can buy very good thermally-controlled Enermax fans for $3 per fan including S+H from newegg.

Re:Big fan...

[qopax]

I guess those are good points, but I don't really believe that the 80mm fans can be silent (except some panaflo ones :]), and most motherboards already have automatic fan speed control built into them, and usually people who are this involved in air cooling their systems have fan controllers as well, so they can control the speed of any fan. I have yet to come about a loud 120mm fan. My antec super lanboy case came with 2 of them, and it isn't xactly a big case, plus there are a considerable amount of new high quality power supplies with 120mm fans, and then there's the zalman 120mm hsf for the cpu, so thats pretty much the whole system. You can also probably just put a heatsink on the video card gpu, and mount a 120mm in front of the hard drives blowing at the card with an opn pci slot in front of the heatsink for exhaust. At least that's what I'm doing now, and the overclocking is pretty damn nice. Right now, what's creating the most noise (which is obvious) in my system are the cpu heatsink/fan and the power supply, which both have 80mm fans in them, so I guess I'm biased towards the 120mm fans cause of that.

Re:Big fan...

[evilviper]

I don't really believe that the 80mm fans can be silent (except some panaflo ones :])

They certainly can be. I listed the exact one I use almost exclusively, and at low tempuratures, it's very nearly silent, while moving plenty of air. If you've got lots of cheap loud 80mm fans, and the only 120mm fans you've got are quite and high quality, obviously you're going to be a bit biased. I'm willing to be my systems using only temp-controlled 80mm fans are far quieter than your system with single-speed 120mm fans.

most motherboards already have automatic fan speed control built into them,

Uh, no. A few do (AMD64 Cool-n-Quiet), but the large majority certainly don't.

have fan controllers as well

Yes, but they are all manual controls, never thermally controlled. That means you either have to be there every minute to adjust them as necessary, leave them turned up fairly loud so your system doesn't overheat IF it gets hot later (not easy to predict), or you can leave them turned down to get quiet and hope your system doesn't burn-up while you aren't around.

I have yet to come about a loud 120mm fan

Well you aren't trying then. I've got several that are louder than the loudest high-RPM 80mm fans you can buy. Absolutely ear-shattering, though you can undervolt them to make them usable.

there are a considerable amount of new high quality power supplies with 120mm fans

Yes, I detailed the problems with those already. The 120mm fan is not blowing air torwards the opening like an 80mm fan would, it's blowing air torwards the heatsinks, components, PCB, etc., which cause a lot of turbulence, so they are often noisier than a power supply with a good 80mm fan.

and then there's the zalman 120mm hsf for the cpu,

That thing certainly wouldn't fit in most cases. You need a LOT of clearance.

so thats pretty much the whole system.

No, I already mentioned my northbridge, which gets very hot, indirect airflow from a 120mm fan at the front/back of the case is NOT enough, so you'd have to mount a 40mm fan on it in your case, which defeats the purpose of having nice quiet 120mm fans in the first place. Northbridges are getting hotter and hotter, as are all other components in computers. RAM is also getting hotter, and commonly needs a small fan mounted above the RAM-sinks. Since DIMM slots are turned the wrong way (vertically) your 120mm front/back fans won't get much airflow to them, and having an 80mm fan right above them does a much better job. Quiet too...

Right now, what's creating the most noise (which is obvious) in my system are the cpu heatsink/fan and the power supply, which both have 80mm fans in them,

That's funny. I've got nothing but 80mm fans in my systems, and what is creating the most noise are the hard drives...

You really should just get better 80mm fans for those spots.

Re:Big fan...

[qopax]

My 3 year old asus mobo has Q-fan technology, and my dad's pc's five year old mobo has some sort of proprietary fan controlling system, so that's why I would think a lot of motherboards have some sort of fan control in bios, even if it doesn't vary but lets you just set a speed. Does temperature really vary that much in your system that your fans have to keep changing their rpm? Between idle and load, my system overall temperature change at most 2 or 3 degrees celcius. I just keep all of my fans at minimum speed using the fan controller, except the case 120mm ones since using them at max. and min. doesn't change the volume of the noise at all.(either they are very good quality, or the 80mm fans on my cpu and in my power supply are so crappy they drown them out completely. even at low speed, the cpu heatsink/fan keeps it cool, around 38-40 degrees on load while it's overclocked from 2500+ to 3200+).

I work with computers quite often, and I have yet to come upon a problem with the northbridge. Really, does anyone have heat problems with those things? Plenty of modern motherboards just have heatsinks on those things and I have yet to hear people complaining about that. Hehe, it's funny you should mention it, but I did replace 2 of the 80mm fans in my power supply, but it barely helped. Maybe I just got really crappy ones that are worse than the old ones that came with it.

Changing the 80mm fan on my current cpu hsf is impossible. It's a VANTEC AeroFlow VA4-C7040. Oops, just realized that's 74mm. Wasn't as informed when I bought that.

Zalman 120mm heatsink is actually fairly compatible, and usually the case is not the problem, the motherboard is. It has pretty high clearance so the components don't get in the way, but a few mobos have the video card slots right near the cpus.

Re:Big fan...

[evilviper]

Does temperature really vary that much in your system that your fans have to keep changing their rpm?

Yes, ambient tempurature changes are dramatic. Come visit the desert sometime, where it can go from 120F (in the shade) during the day, to 40F at night...

Between idle and load, my system overall temperature change at most 2 or 3 degrees celcius.

Your system probably doesn't have S2K/disconnect support enabled. It may be an option in the bios, and if not, download and run fvcool (-e -v -i), and you've got about a 50% chance you'll find your AMD system's tempurature drop dramatically (when not fully loaded), and your power consumption drop significantly as well. I wrote up detailed information in my journal a while back, so look there if you'd like more info.

(either they are very good quality, or the 80mm fans on my cpu and in my power supply are so crappy they drown them out completely

The latter is almost certainly the case. I discovered, when I began really silencing systems, that what I previously considered to be very quiet components (certain hard drives, CD-Drives, fans, power supplies, etc) were actually very, very loud when the real noise-makers were replaced.

I work with computers quite often, and I have yet to come upon a problem with the northbridge. Really, does anyone have heat problems with those things? Plenty of modern motherboards just have heatsinks on those things and I have yet to hear people complaining about that.

Yes, it's getting to be a real problem. My MSI KM2M is the worst offender I've seen. It gets hot enough to cause a minor burn (despite the notably significant heatsink) unless you have direct airflow on it. This isn't an isolated problem either, as my Asus mobo with Via KT600 chipset also has a very hot northbridge. It's gotten to be such a serious issue, I've decided it's important to find the power specs of motherboards before I buy them, because the drain from the chipset can be as much as ~40watts, that's probably about half what your CPU is drawing. Many newer motherboards have fans on the northbridges, and they aren't there for looks... though the two I listed unfortunately do not come with northbridge fans, though they are obviously needed.

Changing the 80mm fan on my current cpu hsf is impossible. It's a VANTEC AeroFlow VA4-C7040.

Looking at it, it seems quite possible to replace it with an 80mm fan. You'll obviously need to make or buy a simple adapter. An 80mm square of plastic would do fine, if you cut almost 74mm out of the center, then drilled holes.

usually the case is not the problem, the motherboard is.

Well, the two work together, so there's usually no point in talking about the two issues seperately. If you have a motherboard that has the CPU socket very high up, you could still fit it if you have a very large case with extra room. Or if you have a small case, you could fit it if the CPU socket was near to the center. It generally depends on them both, not just one or the other.

Re:Big fan...

[qopax]

Well, I wasn't talking about ambient temperature, I was talking about the temperature inside your system, a much more isolated environment. And I also have the luck of not living in, or near, a desert, so that doesn't apply to me whatsoever. With all these air conditioners and heaterns, well, modern technology, the the room temperature is generally stable. I wouldn't be very comfortable if the temperature in this apartment varied by more than 20 degrees. I was talking more about the temperature changes due to the load of the system. If they aren't high enough during the load of the system to do anything (unless you overclock, they generally aren't), and you have enough fans to warrant a manual fan controller, they generally aren't (unless of course you're overclocking). It only becomes a risk once they start reaching grade C, 60-80 degrees celcius. That's why I generally don't worry about the heat as much as the noise. So what 80mm fans would you say are "silent"?

Re:Big fan...

[evilviper]

You obviously missed my point. Yes, you can always set your fans so they blow so much air that, at full-load, it will still cool the system. But then you have your fans at a very high and noisy setting unnecesarily.

You should also look into fvcool/vcool as I suggested. The CPU tempurature difference at idle/load is significant if your system idles the CPU properly.

why?-Ping of death.

"Pertend I'm stupid, why would I want this?"

Because standing at the street corner, handing out copies is too dangerous.

Re:Piracy how-tos?

Well, filesharing without the consent of the copyright holders is immoral too. What's your point?

why?-Gmail Privacy.

"Simple: You have random users which make backups to your machine but don't want anybody else to be able to read these backups."

So it's safe to say that slashdotters encrypt all their Gmail then?

Re:Piracy how-tos?

No it's not, what is your point? When I buy a (C|DV)D, I have the moral right to back it up.

I did this once...

[k4_pacific]

I built a fully encrypted system once. Even the source was encrypted. Sadly, I lost the key and it was all for naught...

Re:I did this once...

I want to write a freeware opensource encryption program. I will advertise only that it will encrypt the contents of "My Documents" so that nobody can decrypt it.

After that my program will print a message about the commercial version having support for decryption and where to send $25.00 via Pay Pal.

Re:I did this once...

[SirTalon42]

You forgot to incrypt the command name.

Re:Piracy how-tos?

[ninboy]

hmm , but why would you need to encrypt your torrent downloads of say linux iso images ? oh yeah you probably wouldn't .....

Re:Piracy how-tos?

morality is dead...long live relativism!

Defeats the purpose...

[Doodhwala]

So, what exactly does this accomplish? When you use Bittorrent, the protocol both downloads and uploads data at the same time (look up the tit-for-tat policy followed by BT to ensure fairness). If you were in the US, all the RIAA needs to do to sue you is download a single chunk of data from you. They don't need to break your door down and cart the computer away. So, the encryption is moot anyway.

Re:Defeats the purpose...

[Xarius]

How would they prove you weren't using it for legitimate purposes if it was encrypted though?

Re:Defeats the purpose...

If your machine gets confiscated by the authorities, it doesn't contain any usefule evidence against you.

Blizzard

[Alcimedes]

Shit, you better call up Blizzard quick. They've been using this warez technology to distribute their game patches. Who knew all torrents were illegal!

Douche bag.

Re:Blizzard

That's great, blizzard shits on the oss projects they don't like and embrace the ones that help them?

now that's useful

[commodoresloat]

encrypted mp3s sound so much better than regular ones.

Re:now that's useful

[Surt]

No no no, the point is that they sound so much worse to everyone else. The RIAA browsing your filesystem for example.

Re:now that's useful

[Gamma]

Not as good as encrypted Ogg Vorbis files!

Re:now that's useful

Encrypted mp3s of Britney Spears's songs do sound much better than regular ones.

Re:Piracy how-tos?

Yeah. Back it for yourself. Not for the "friends-I-only-know-by-their-nickname-if-at-all" in the internet.

Mirror?

[Fjornir]

Site is not responding. Anyone have a mirror? Anyone who happened to read it able to comment on how this compares to Freenet ?

Re:Mirror?

Well, it shouldn't be too tough. You see, the article says he's using it for BitTorrent and BitTorrent is not that similar to FreeNet since it leaves a very clear record of every user's IP. However, you can proxy the identity of that IP if you are a Linux user running a properly configured TOR, Privoxy and Proxychains configuration. In that case, you could use BitTorrent in a way that it is somewhat similar to FreeNet. But make sure you test your configuration to be sure it's working.
This article isn't really about that though. You can find more information about the difference between FreeNet and TORified applications as well as other privacy solutions, of which there are several, at tor.eff.org.
Then again, even if you don't use any kind of privacy tools it's only the tracker that would have your IP in the case of a torrent and trackers are intentionally configured to have very short lived logs. So, even completely unprotected Bittorrent isn't really that dangerous. For instance, when LokiTorrents went down the MPAA claimed they had hundreds of thousands of IPs and would initiate legal procedings en masse, but that turned out to be bluff after the devlopers of the tracker pointed out that the logs expired in a matter of hours.
However, one way a copyright narc could entrap you would be to set up their own tracker where they could definitely monitor everything and store the logs as long as they wanted. That's tricky too though because then they would have to be contributing the original files and it would end up like the fiasco at PiratBay(sp?) in Sweden.

Re:Mirror?

Heh, Selwerd as actually 2km away from here. Maybe I should go there and plug back in the cable :p.

Obstruction of justice

If the cops bust you, and you have an encrypted hard drive and you don't hand over the password, you will be charged with obstruction of justice. The maximum sentence of obstruction of justice is the same as the crime you are trying to avoid. So it really doesn't help you avoid anything.

http://www.ohiobar.org/pub/lycu/index.asp?articlei d=138

Re:Obstruction of justice

Damn. When did we turn into such a police state?!

Re:Obstruction of justice

because, at least if it is encrypted, you have time and a bargaining chip. since they cannot prove you are committing a crime without proving that you have illegal files, they cannot bust you for merely maintaining an encrypted volume. if people had to roll over and give up the keys whenever the cops wanted, we'd be living in communist china. thankfully, america is not there (yet).

Re:Obstruction of justice

Obstruction of justice doesn't kick you off computers for the rest of your life, nor does it give you one of those government trojans.

Re:Obstruction of justice

Not true. If they download an illegal file from your system (ie. warez or kiddie porn) then that is proof and could arrest/convict you just on that. With warrant in hand, they would get your hard drive so that hopefully they can catch *other* people (ie. with logs, or emails, etc). So the only people you are helping are others... it doesn't help you at all. Maybe if you work for the mafia and you'd take the fall for the rest of your familia, then it might be useful, but for the regular unsophisticated joe, it doesn't do you any good whatsoever.

Re:Obstruction of justice

[fbjon]

But if the very long and complex password is stored in a file, which doesn't exist, is that obstruction?

Re:Obstruction of justice

Yes. You are destroying evidence and you will be charged with obstruction of justice. Just like if you shred documents a la Arthur Anderson/Enron.

Re:Obstruction of justice

[pegr]

If the cops bust you, and you have an encrypted hard drive and you don't hand over the password, you will be charged with obstruction of justice.

And the link you so thoughtfully provided says nothing about forcing someone to testify against themselves, which is what you're talking about.

Damn, did I just feed a troll?

Re:Obstruction of justice

[Felmir]

What about not giving the password on the grounds that it might incriminate you?

Re:Obstruction of justice

[galdur]

I wonder how the data retention^h^h^h^h^h^h^h^h^h deletion policies corporations such as Microsoft have put in place on e-mail would fare in that regard....

Re:Obstruction of justice

[fbjon]

Ok, so what if the key is only held in memory, or perhaps some kind of self-destructing key such that the loss of the key is invoked by the authorities, not the accused... is there a line somewhere?

Re:Obstruction of justice

[Albinofrenchy]

Password? Encrypted? Officer, those files aren't encrypted, they are just randomly generated files I made... On a more serious note, it would be a nice safety feature if that when a certain wrong password was typed in, it would show an unencrypted version of something completely legal.

Re:Obstruction of justice

[mbaciarello]

Let me get this straight with another example:

Cop: "Are you guilty of [crime]?"

Me: "No!" or

Me: "..."

Despite my handsomely elaborate defense, I end up in jail for [crime] with a definitive sentence.

At that point, the zealous cop shows up and tells me he's also going to charge me with obstruction of justice, because he kindly asked me a question the first time around, and I lied or said nothing?

You got it backwards, I guess. The suspect is never required to collaborate with his/her prosecutors. They may strike a deal if they choose to do so. Obstruction of justice is a felony witnesses and persons who haven't been charged commit.

One instance where you could be right might be if a suspect tampers with something that already has been "identified" as evidence, or falsifies something as evidence in their defense. Your linked citation doesn't mention a single instance where a suspect is actually committing obstruction of justice. RTFC.

Re:Obstruction of justice

[shmlco]

In a RIAA civil suit that would not apply, and the court would be well within its bounds to subpeona information and/or evidence that might further the suit.

Re:Obstruction of justice

[BitterOak]

If the cops bust you, and you have an encrypted hard drive and you don't hand over the password, you will be charged with obstruction of justice.

Interesting. I'm curious, by the way. Which country do you live in? The situation you describe is quite different from that in the United States, and I'm curious as to how other cultures and legal systems work.

Re:Obstruction of justice

lol, if you have an encrypted hard drive here in Sweden, and the cops want to know the password, you can just say you forgot it. They can't do anything abour it.

Re:Obstruction of justice

That already exists. I forget what it's called, but there's a type of encryption where you actually encrypt two files into one, so if someone forces you to hand over the key, you give them a secondary one wich unencrypts the dummy files. Then all they have is, for example, a bunch of fake emails about you cheating on your spouse or something. I mean, if it was just a shopping list, that'd look suspicious, you'd want it to be something that would need to be encrypted, but not of interest to the party forcing you to surrender the info.

Re:Obstruction of justice

[Gyorg_Lavode]

if this happens, keep the key on a usb drive. If you get in trouble, destroy it and say its in with the rest of your computer junk, (I have a closet full). If they can't prove you destroyed it is it your fault if they can't find it? I know I have 4 or 5 USB keys and I can usually only find 3 at any 1 time.

Re:Obstruction of justice

If you designed a system specifically intended to destroy evidence when it was needed by the authorities, then presumably you could be charged with a variation of 'destruction of evidence'.

Re:Obstruction of justice

[fbjon]

Ok, so what needs to be done is:

1. Have a special remote control handy (use inconspicuous TV remote for example).
2. When you open door, and law enforcement places inconvenient demands, discreetly press button.
3. Server receives signal, overwrites key and makes all data disappear.
4. Stall law enforcement until data wipe has completed.
5. Evidence of evidence destruction does not exist.

7. Profit! (???)

Re:Obstruction of justice

[Trejkaz]

It's a shame the cop doesn't get arrested for obstruction of privacy.

Re:Obstruction of justice

its called stenography. sheesh it was the latest craze on slashdot for months.

Re:Obstruction of justice

[Captain+Scurvy]

Or, in the case of being forced to hand over your password to avoid being charged with obstruction of justice, have two passwords; one that is the 'real' one, and another that you'd give to the feds in case you're ever busted, and it generates completely legal material.

Re:Obstruction of justice

[Diablo1399]

Doesn't the DMCA have a proviso about encrypted data? Something along the lines that it cannot be submitted as evidence (even if it can be decrypted) without a warrant?

Failing that, just use TrueCrypt. It let's you encrypt a volume with TWO passwords. A true password that contains your real data, and a fake one that decrypts sensitive-looking but non-incriminating data. If the feds subpoena you, just provide the fake password, and say hello to plausible deniability!!

Re:Obstruction of justice

[lachlan76]

But they could almost definitely recognise a TrueCrypt partition...

Re:Obstruction of justice

[lachlan76]

But then they would know you were doing that because the plaintext is significantly smaller than the ciphertext.

Re:Obstruction of justice

[MikeBabcock]

Destruction of evidence won't get you far either.

Re:Obstruction of justice

[westlake]

And the link you so thoughtfully provided says nothing about forcing someone to testify against themselves, which is what you're talking about

You can invoke the fifth amendment while being questioned by the police or testifying before a court. The privilege is pretty much defined as a limited right to remain silent. It does not allow you to obstruct the execution of a lawful search warrant or discovery process without paying a price.

Re:Obstruction of justice

But then they would know you were doing that because the plaintext is significantly smaller than the ciphertext.

Not with an encrypted volume, in which case the entire drive is encrypted. They have no way of knowing how much "plaintext" is really in there.

Re:Obstruction of justice

[Odin's+Raven]

That already exists. I forget what it's called, but there's a type of encryption where you actually encrypt two files into one, so if someone forces you to hand over the key, you give them a secondary one wich unencrypts the dummy files.

I'm not sure if we're thinking of the same project, but the one I knew was called "rubber hose". For a while, it was hosted at www.rubberhose.org, but that site dropped off the net several years ago, and to the best of my knowledge has not reappeared since.

A few sites still carry copies of the rubberhose 0.8.3 source - a quick Google for the tarball returns a half-dozen or so hits, although some of the copies no longer exist.

The goal of the project was to allow a virtually unlimited number of encrypted filesystems to live on a drive, each with its own key. If someone attempts a "rubber hose" crypto attack (beating you with a rubber hose until you cough up a key), you can provide key(s) for accessing the sacrificial filesystem(s). Since there's no way for the attacker to know how many keys you may have created, there's no way for the attacker to be certain that you've handed over every single key. Conversely, there's also no way for you to prove that you've actually cooperated and turned over every key. The doc/beatings.txt file from the source tarball has some interesting thoughts about the implications of neither attacker nor defender being able to prove/disprove the existence of additional keys.

Re:Obstruction of justice

[fbjon]

But they cannot show that there exists a hidden partition within. The inner encrypted data is indistunguishable from random data, which the outer partition is filled with before use. So you can put for example an arbitrary amount of porn, a few generated pgp/gpg keys, a list of password that you "frequently" use (totally random of course) in the "public" part, and no-one can say that there should be an inner partition. Unfortunately, it doesn't (cannot?) support a third inner partition. Not to mention that the outer partition itself is already a block of seemingly random data.

Re:Obstruction of justice

[lachlan76]

Well it would be very suspicious if the suspect immediately gives up the password to data known to be encrypted with TrueCrypt.

Re:Obstruction of justice

[pegr]

You can invoke the fifth amendment while being questioned by the police or testifying before a court. The privilege is pretty much defined as a limited right to remain silent. It does not allow you to obstruct the execution of a lawful search warrant or discovery process without paying a price.

You cannot compel someone to reveal their encryption keys within the context of a search warrant. Now if the authorities can discover the keys in another manner, that is totally legit. Remember, it's not so important that type of encryption as it is the key handling process.

Re:Obstruction of justice

On a more serious note, it would be a nice safety feature if that when a certain wrong password was typed in, it would show an unencrypted version of something completely legal.

And that is a wonderful feature of the one time pad. You can have an OTP, for example a DVD or another HDD, full of random bits, which combines with the encrypted file system you use for real stuff. You keep off-site backups of the encrypted file systems and keep it up to date so that you can...

When you get caught, you make a file system of the same size, fill it with legitimate files that look to be a genuine configuration with appropriate dates, etc. You then use the captured file system AS the OTP for the "good" system, producing an encrypted file system. It is this encrypted file system which you supply as the OTP to the court.

The result, is a perfectly innocent file system filled with innocent and beleivable files. You could perhaps mix into those files, some "evidence" of small time criminal activity which cannot fall under the charges against you and which make your intention to encrypt believable.

A DVD can be ejected and destroyed pretty quickly so if you can limit your criminal activities to 8.5GB, you're set. You might even like to use another system on the side, with the same file system size, for nothing but innocent tasks, so that you'll have something to quickly generate this alternate, "get out of jail quick" OTP.

Re:Obstruction of justice

Assuming they wouldn't find you guilty of even worse crimes if they searched your computer...

Re:Obstruction of justice

No they couldn't.

Re:Obstruction of justice

[glacote02]

I have already posted this: 1) Make a big FAT32 partition with some 2Gb of legal data 2) make a dm-crypt mapping inside the partition, skipping the first 2 Gb 3) Have the hard-disk booting process not mounting it (eg not having dm-crypt compiled) but have a floppy/cdrom/usbkey boot which actually mounts it. You now can plausibly deny having encrypted data in the first place. It can not be proven that there is encrypted data unless the encryption is broken.

Re:Obstruction of justice

[MultisSanguinisFluit]

Not a chance.

If you're actually arrested, you have the right to remain silent, and in any case, you cannot be forced to testify against yourself. Police cannot even arrest you if you invoke the 5th amendment.

I've discussed this with the attorneys for which I work when we purchased laptops with fingerprint readers. In the example of hard drive locking of Thinkpads, you could be forced to swipe your finger (which unlocks the password which unlocks the hard drive), but you could not be forced to reveal the password. In their opinion, anyway.

Re:Piracy how-tos?

[MPHellwig]

Please repeat after me: The media is not the content en should be judge accordingly.

Don't worry I'll probably will repeat it till we all get it (end of time I guess).

Already Been Done

[Alien+Venom]

I've already been doing this for quite some time now with Azureus, and the Swing Web Interface plugin alongside RSS Feed Scanner plugin (to download TV shows automatically). There's even an IRC bot plugin to allow control over an IRC network/channel.

Why is my way better? Well, the default BitTorrent client is somewhat lacking feature wise. Azureus is more powerful and gives you more control over what to do with the torrents when they are done downloading. Not to mention the support for trackerless torrents in the latest version. As for encryption goes... uh, why? The only people who have access to my "files" are those that are on the network. And the Swing Web Interface plugin has password functionality with HTTP SSL (you need GPG to be installed).

Re:Piracy how-tos?

What the hell is that supposed to mean?

Yeah, you yourself might not be trading media but most of the people on that system are. Therefore the system is going to go down even if it has legitimate uses.

I don't see why this is such an unthinkable scenario to you.

Re:oops url

[AcidTag]

OS/2

Be very, very careful when using EFS!!!

[Futurepower(R)]

Be very, very careful when using the Windows XP built-in file encryption, called EFS (Encryping File System).

EFS is very poorly documented. The encryption is tied to your user password in a way that is apparently not documented. EFS depends on being part of a Windows 2003 Server domain in a way that is not clearly documented; if you are using Windows XP on a stand alone computer, there are situations in which you will lose your files forever.

Microsoft technical support agrees with what I just said, and provides no help or fixes.

The official Microsoft forums contain the complaints of many people who have lost their files due to problems with EFS. One man said he lost 11 years of research.

People complain about Microsoft every day on Slashdot, but I've never seen a discussion by anyone who seemed to realize how bad Microsoft truly is.

Re:Be very, very careful when using EFS!!!

[Stardate]

Holy crap dude. Thanks for the warning! No mod points right now, but I'd love to find their "official position" on bugs like these in the KnowledgeBase (support.microsoft.com) but that probably won't happen until it's been "fixed".

Re:Be very, very careful when using EFS!!!

[Ph33r+th3+g(O)at]

And don't forget that as a member of a domain, a GPO can cause an EFS key to be escrowed with the admininstrators. So if you're thinking this will hide your MP3z at work from the domain admins or SMS sweeps, no go. (Of course, if the filesystem is mounted during an SMS enumeration/collection sweep, it doesn't matter what encryption you're using.)

Re:Be very, very careful when using EFS!!!

[Universal+Indicator]

11 years of research without a single backup? Sounds like the person was asking for it!

Re:Be very, very careful when using EFS!!!

[LnxAddct]

Perhaps he was encrypting his backups because of the nature of the research.
Regards,
Steve

Re:Be very, very careful when using EFS!!!

[torokun]

See? Security through obscurity _can_ be effective.

Re:Be very, very careful when using EFS!!!

This is another example of mod-by-agreement.
Anyway, EFS is documented perfectly well. Certainly better than cryptfs or encfs.

Workgroup and domain users can designate an EFS Recovery Agent should they need to decrpyt EFS files in a pinch. I believe the process can be started with a simple cipher /r. More people have problems with EFS than with OSS alternatives because more people use MS products.

The way EFS works is the way it should work. Maybe you should check out the documentation that actually does exist before you slam MS based on off-topic idealogical disagreements.

Re:Be very, very careful when using EFS!!!

[nolife]

I use Truecrypt. It is free and open source. Provides much more flexibility and the encrypted source file(s) can be stored on any medium (network, flash, floppy, etc..) Sure it is not durectly integrated into the OS but for me, it strikes the perfect balance between security and piece of mind.

Re:Be very, very careful when using EFS!!!

[fbjon]

I've also just created a small drive with TrueCrypt for some small purposes, but I guess it doesn't have any error-recovery features.. would it be possible to do a mirroring of the crypted file? Otherwise all data after the bad block disappears instantly.

On second thought, why not just make a backup of the file regularly.. but if it's a large file, some real-time system is preferrable. In which case, crypting of a raid disk is a good idea. Ok, I guess I answered my own question.

Re:Be very, very careful when using EFS!!!

[greenrd]

Well, that just goes to prove: if you're encrypting your backups - don't use a closed-source product, and definitely don't use a closed-source, poorly-documented product, to do so.

Re:Be very, very careful when using EFS!!!

[Pollardito]

hopefully he was doing research into the dangers of not backing up a computer, or at least he can change to that topic after the fact

Re:Be very, very careful when using EFS!!!

[nolife]

If you used the file method, the OS would treat the encrypted file just as any other file so it would have no more or less error recovery then the underlying file/disk system that it is stored on has. I have a generic backup on my file server that simply runs rsync or tgz from cron between two physical disks. Not a production system but it serves me well.

Re:Be very, very careful when using EFS!!!

[coolcold]

those doing these are mostly computer USERS who don't know nor care about open or closed source, documented or not. They just want thing Just Works (TM). They only trust Microsoft stuff because they are grown up with it or that's what was provided (no choice in the second case).

Re:Be very, very careful when using EFS!!!

[ConceptJunkie]

It's probably the same as their position on the bug that causes Outlook 2003 to randomly lose data once the database file size gets up to about a gig and a half. They don't care.

"You're just a user so screw off. We're far too important to worry about your stupid data."

I can't see any other explanation.

Re:Be very, very careful when using EFS!!!

[bitflip]

How is this different from well-documented encryption? You lose your password, you lose your data. Just because that password is tied in with your login password doesn't really change anything.

Re:Be very, very careful when using EFS!!!

[xQx]

Well they'll learn pretty quickly won't they?

I don't remember any traffic cop giving me leighway because "I'm just a user trying to go from A to B, I don't want to learn about this technical car stuff like indicators and road-signs"

EFS is yet another example of IF YOU DONT KNOW WHAT IT DOES DONT TOUCH IT. If you can't see the danger in encrypting important stuff so nobody else can see it and don't check up to find how it determines you from everybody else... and then don't back up. .. Hey, that's called learning from your own stupidity.

I guess it's IBM's fault I lost all my files because they left this 'del' key on my stinkpad without documenting what it does?

Re:Be very, very careful when using EFS!!!

[OrangeTide]

Actually that's not the case with a block cipher. You just lose the entire block if there is any damage. We all use block ciphers because the math is easier to prove correct and it works well for packeted oriented data and for block devices (like a harddrive). There are stream ciphers, but they are less popular. AES, for example, is a symmetric block cipher.

Re:Be very, very careful when using EFS!!!

[oliphaunt]

Would that research be the result of 11 years of 1-handed typing?

Re:Be very, very careful when using EFS!!!

[njyoder]

Welcome to the wonderful world of backups. EFS lets you copy the encrypted files, file for file and decrypt them later.

Re:Be very, very careful when using EFS!!!

[devilspgd]

11 years of research and it didn't occur to him to make a backup?

I bet he won't do that again.

Re:Be very, very careful when using EFS!!!

[uhlume]

Bullshit. EFS isn't tied to your user password in any way, undocumented or otherwise: it's tied to a certificate created the first time you encrypt any file on your filesystem. Without this certificate, you'll be unable to access your encrypted files, regardless what user account or password you happen to be using, so it's wise to back up your certificates to a CD in case of accidental deletion or corruption. THIS IS TRUE OF ANY SECURITY CERTIFICATE UNDER WINDOWS OR ANY OTHER OPERATING SYSTEM. If you can't be bothered to read the documentation for a high-powered feature before using it, don't complain if your lack of preparation backfires on you.

Re:Be very, very careful when using EFS!!!

[Dibblah]

Not documented, huh?

http://support.microsoft.com/default.aspx?scid=kb; EN-US;q290260

Summary: Rejoin your original domain and change your password to your original password.

People complain about Microsoft every day on Slashdot, but I've never seen a discussion by anyone who seemed to realize that if all you wannabe Windows Administrators left the "market", the world would be a better place for everyone.

Re:Be very, very careful when using EFS!!!

[Agret]

Yes wang enhancement is a very demandful research.

Re:Be very, very careful when using EFS!!!

[rikkards]

You don't need to be part of a domain, you can set up EFS with a workstation in a workgroup.

It also isn't associated with your password, it's associated with your account. This means that the EFS cert is stored in the user's CAPI store with no security checks other than the user's logon password. This means anyone who logs on with the user's account by whatever means will be able to access their files.

EFS in a domain is better as the Domain Administrators group has the ability to decrypt any EFS data encrypted by any user in the domain so if the user account gets blown away it can be recovered later.

Re:Be very, very careful when using EFS!!!

[rikkards]

Chances are his computer was not part of a domain as the Domain admins should be able to decrypt the files. Plus if it was set up properly, the local admin would be able to as well.

Re:Be very, very careful when using EFS!!!

[rikkards]

Another option is Windows Privacy Tray which is based off of GnuPG.

Re:Be very, very careful when using EFS!!!

"those doing these are mostly computer USERS who don't know nor care..."

Well, it really sounds too stupid to me to be true, but *if* it is true that man lost 11 years of work, you can bet he will care... now!

If your are responsible for your own data you are a computer USER no longer; you become a computer ADMINISTRATOR, so you better know what are you doing, or sooner or later you will go the way of that poor guy.

Now you have been warned!

Re:Be very, very careful when using EFS!!!

[Cili]

Another option is CrossCrypt + CrossCrypt GUI.

I don't know about the rest, but encripted volumes made with CrossCrypt are also accessible on Linux (provided you use a 20+ length password)

Re:Be very, very careful when using EFS!!!

[rikkards]

The only thing I wish GPG or Windows Privacy Tray had was ability to work with S/MIME.

Re:Be very, very careful when using EFS!!!

[gd2shoe]

This one is actually not a bug, but a feature. If EFS merely relied on the users password, then a brute force attack would eventually rend the contents readable. As it is now, you also need some kind of EFS key which is assigned to the user account. There are ways to export/import the key, but I don't remember how.

Re:Be very, very careful when using EFS!!!

[xpyr]

Well there are cracks/hacks out there that can decrypt the EFS. So it's not totally secure.

Differentl laws in that country make this useful!

[orionware]

At first I thought, "wtf good is that?!". I figured it was for the ultra paranoid. Then I realized. He lives in a country where the law has to actually have physical proof of you breaking the law. Here in the US I don't think they feds need to kick in the door and find your mp3s being fed to the world to actually charge you. They just strongarm your ISP for your info.

The theory in his country being if they can't find anything on your drive, then they can't prove shit.

Must be nice...

even the author doesn't know...

[SuperBanana]

why would I want this?

From the site:

"Use? Actually, I'm not sure"

As others have pointed out- wiretaps, "give us the key or you go to jail just as long", as well as simply not unplugging the box...all make this project pretty pointless.

I also got a kick out of the author bragging, under a screenshot showing links to numerous illegal torrent sites, "that's a legal torrent I'm downloading!" Do these people think they're clever or something?

Re:even the author doesn't know...

[holysin]

To answer your question: They feel no more clever then the people that comment about how unclever they are...

Sure, it's pointless, but it gives great experience for the real (read: business) world, using open (for the most part) software.

Re:even the author doesn't know...

[forlornhope]

I do believe you are wrong. I don't think the police or anyone can compelle you to give them encryption keys. Since they are not physical, but knowledge based, you "giving" them the keys is actually you testifying. The 5th amendment protects you from them forcing you to testify.

So in the end if they can't keep you in jail till you give them the keys. Also, the RIAA surely can't make you tell them.

Re:even the author doesn't know...

[Halvy]

'illegal' Torrents?

the word 'illegal' is the MOST- SUBJETIVE word in the english language.

And YES-- 'WE' do think we are 'CLEVER', ... and we will proves ourselves more & more clever when we start to 'call-the-bluffs' of the corporate criminals-- using ALL options availible..

Re:even the author doesn't know...

[OrangeTide]

That's a very interesting angle. Although normally we write down our keys some place (one good reason to use a passphrase with your keys). I believe the court and confiscate personal material to use as evidence, example the court could take your diary and use it. If they can take a diary, they can certainly take an electronic or paper copy of your keys. IANAL so I don't know if the court can compel you to hand over physical evidence, but I think they can.

So pick a good passphrase and memorize it and don't write it down (or if you do write it down, don't make it known that you wrote it down).

Re:even the author doesn't know...

[DjReagan]

Of course, the fith amendment doesn't apply outside the USA.
In the UK, for example, there was a law passed recently called the Regulation of Investigatory Powers Act which does give the police powers to compell you to hand over the encryption keys, or face jail.

Re:Piracy how-tos?

[MPHellwig]

That means that you don't get it, the media is the way of transportation of the content. Sharing media is not the bad thing recieving and/or sharing _illegal_ _content_ is.

I can see that this is indeed a difficult topic for you, defining the meaning of words in a sentence.

For Your Eyes Only...

[xtracto]

from MSDN: Taking Recovery Precautions

Recovering Encrypted Files

Any data recovery agent can recover an encrypted file when a user's private key fails to decrypt the file.

To recover an encrypted file
1. Log on to a computer that has access to the user's profile; for example, a computer that has a designated recovery console or a recovery key on removable media such as a floppy disk. You might log on at the user's computer or the user might have a roaming profile.
2. Locate the encrypted file. For example, the user might have made a backup of the file by using Backup or sent the file to a WebDAV Web folder.
3. Decrypt the file by using either the cipher command or My Computer. This will make the file available to the user.

For more information about decrypting files, see "Working with Encryption and Decryption" earlier in this chapter.

As for corrupted encripted files, well, I think it is almost impossible for an encripted file to be restored if it is corrupted, unless it has some kind of recovery record overhead...

Of course, I would better opt out for an standard open cyphering method.

Re:For Your Eyes Only...

E-N-C-R-Y-P-T-E-D

Re:For Your Eyes Only...

[xtracto]

lol thnks, do you know what is worse?? I quoted the text from the web page which contained the word spelled correctly =oS

I prefer VNC & Azureus

[squisher]

I setup the a similar system but without encryption, just running a vnc server and azureus in it. The setup really is a snap: copying torrent files onto a samba share with the help from a simple batch file and Azureus checks every 1 min to start downloading them. Then setup a vncviewer shortcut that includes the password and you have all the comforts of running a local bt client with all the benefits of a central server!

~Squisher

Re:I prefer VNC & Azureus

Don't forget that by itself, vnc traffic is NOT encrypted... (realvnc has a version that is, but I don't think anyone else does yet)

Re:I prefer VNC & Azureus

[Trejkaz]

Problem being that two users logged into VNC end up fighting over the mouse pointer.

Re:Obstruction of justice --misleading wording.

You use the phrase "don't hand over" but this is an oversimplification of a complicated legal issue.
Let's take two examples.
Example One
You say: "Fuck you dirty rat coppers, I have the key and I spit at your entire justice system which I haven nothing but contempt for. I have the key and I refuse to give it to you. Go to hell."
Well, in that case I think you might be right.
But let's try another instance of "don't hand over" that has different implications.
Example Two
You say: "Key? What key? You mean the key to the house? Oh, the computer. It doesn't need a key. Oh, you mean an encrypted file key? How's that work now? I'm not sure about all that really. Maybe you should ask my lawyer.
I think the second one is hardly going to be grounds for obstruction because by the time you and your lawyer talk it out for a few hours you'll come up with a good one.
Ronald Reagan pulled that crap under oath in front of the Senate for Iran Contra and he was snickering he thought it was so funny that fucking asshole. And they didn't find that old bastard in contempt.

Simple:

[Sairret]

"I don't recall."

even the author doesn't know...What career.

"Sure, it's pointless, but it gives great experience for the real (read: business) world, using open (for the most part) software."

And lockpicking, and hot-wiring your car will be great training for that locksmith/electronic tech. career I've been eyeballing.

Slashdotted - Mirrors Here

[Kinetic]

It looks like the article is down. As usual, MirrorDot has the mirror available.

Re:Slashdotted - Mirrors Here

[qualico]

Looks like the bandwidth is good, too bad mysql couldn't forge past the memory problem.
Maybe a OS limitation?

It would be nice to know how to harden a system from slashdotting so that you can optimize the failure to occur in bandwidth, not the system.

Warning: mysql_connect() [function.mysql-connect]: Can't create a new thread (errno 35). If you are not out of available memory, you can consult the manual for a possible OS-dependent bug in /usr/local/www/textpattern/lib/txplib_db.php on line 15

Re:Slashdotted - Mirrors Here

simple -
1. Don't use PHP.
2. Don't use MySQL.

Or alternatively, do testing to determine what the constraints of your environment are, and limit the number of connections to the web server.

Re:Piracy how-tos?

[tomjen]

You think it is imoral, i may disagree.
You should not equal morality and law.
You should not force your morality upon others.

HOWTO

Step 1: Install Windows XP
Step 2: Install Azureus
Step 3: Enable Azureus Web Interface
Step 4: ???
Step 5: Profit!

Re:Piracy how-tos?

Why?? Beacuse the gov't says so?? I say copyright is immoral!

Doesn't help

[shmlco]

All the court needs to do is issue a subpoena for the password. Refuse, and you're now in contempt.

Re:Doesn't help

[Gyorg_Lavode]

Wouldn't that be against the 5th amendment?

Re:Doesn't help

[MarkusQ]

Yes, but the 5th amendment is against the patriot act.

Which one do you think would win?

--MarkusQ

Re:Doesn't help

[evilviper]

Nope. Providing a fingerprint, DNA sample, etc., is not against the 5th, so a password certainly isn't.

Now, what the parent failed to mention was that you could provide a password that was WRONG, and merely say you've forgotten. Unless there is some overt giveaway that you are lying, they can't hold your poor memory against you.

Re:Doesn't help

[Cecil]

I'm not american, so correct me if I'm wrong, but I believe the 5th Amendment is only available to people who are testifying, NOT people who are on trial.

Re:Doesn't help

[LurkerXXX]

Your wrong. It's for everyone. Weather they are on trial or not.

Re:Doesn't help

[LurkerXXX]

Make that 'whether'. My bad.

Re:Doesn't help

[shmlco]

As I mentioned in another post, in civil suits that doesn't apply, and the court would be well within its bounds to subpeona information and/or evidence that might further the suit.

Re:Doesn't help

[eclectro]

Actually this happenned to Kevin Mitnic when the FBI confiscated an encrypted disk. He never handed over the password on 5th amendment grounds, and the FBI were not able to decrypt it.

However, he spent three years in prison without a trial, which was a travesty of justice. He then reached a plea deal with the FBI.

Though he asked for his encrypted disk back after he left prison, the FBI didn't give it to him.

I don't know if the status of his encrypted disk has changed since (as this is a few years old now).

But I believe that you do not have to offer up something that may incriminate yourself. But as you can see, the government was able to suspend Mitnic's right to a speedy trial.

Also, with the patriot act and the way our current government is acting, all bill of rights errr bets are off.

Re:Doesn't help

[evilviper]

He never handed over the password on 5th amendment grounds, and the FBI were not able to decrypt it.

Just because the FBI didn't try very hard to get that information, doesn't mean it's impossible to do so. Perhaps the FBI didn't have strong enough probable cause for searching his encrypted files.

But I believe that you do not have to offer up something that may incriminate yourself.

Believe what you want, but there are a LOT of exceptions to the 5th ammendment. Without seeing legal precident that passwords for encrypted files are an exception, I don't believe it. It falls too close to other known exceptions to be arbitrarily excluded.

Re:Doesn't help

[Zurk]

hmm...well it doesnt have precedential value since its a 2005 case but in one instance at least a drug dealer was not compelled to turn over keys to decrypt files on his machine after the state was unable to crack the encryption.
see : Wilhelmus v. State, 824 N.E.2d 405, 2005 Ind. App. LEXIS 433
it should come on findlaw soon anyway...
IAAL, but im not acting as one. this is not legal advice.
OVERVIEW:
Defendant's motion for a speedy trial was granted. Four days before the date scheduled for trial, the State filed an Ind. R. Crim. P. 4(D) motion for continuance that was granted. Defendant objected to the scheduling of a trial date beyond the Ind. R. Crim. P. 4(B)(1) 70-day limit and filed an unsuccessful motion to dismiss. While Ind. R. Crim. P. 4(B)(1), when invoked, provided for a trial within 70 days, Ind. R. Crim. P. 4(D) allowed for an extension of the 70-day period under certain circumstances. Despite its best efforts in the prosecution of one of the largest methamphetamine labs in the county, the State was faced with one unavailable key witness; another key witness who would have been unavailable if the trial was postponed only one week; belated, case-altering drug analysis results; indecipherable computer files presumed necessary for identity purposes; and information of inappropriate, potentially investigation-compromising conduct among multiple people. The State's request for a 14-day extension was more than reasonable under the circumstances.

mirror

[nubbie]

mirror

Site *not* slashdotted! (yet)

[qualico]

The most educating part of the article is here: function.mysql-connect
Now watch the server get a real slashdotting from all the refreshes. :P

Re:Piracy how-tos?

I didnt even read the artical and just the idea of samba plus torrent plus encryption is sound. I can see many legit uses for this.

Let say you have a blob of files in a network. They are secure in your network. But now you want to get those files onto a computer across the country. Typical procedure is to zip them up encrypt and send the big new file somewhere. Then someone on the other end does the reverse. Now you could have something more automagical. Then if there are many of the same 'file server' out there it could get more interesrting. Especialy for remote offices. They could work together.

COURSE there are other techs out there that acomplish the same sort of thing. Which kind of leads me to think 'why do this'. If it is because he can. Then hey thats what hacking is about. If it is so he can encrypt/hide his warez this is not the right way to go about it. As it would have some holes...

Website Fried

[QBasicer]

In other news, MySQL is out of memory, and if you click the little help link it provides, it takes you to the best 404 page i've seen. (Click here for direct link)

Re:Website Fried

Danm, wehn I saw all these hot slutty babes, I got so hot msyelf !
Soryr ofr teh one-hand-tpying, but thnaks for the link !

Re:Website Fried

[La+Camiseta]

It's a great idea until he gets his bill for excessive bandwidth use next month. And at European rates too. Ouch!

That's what you get when all of /. smashes your 404 page repetedly I guess.

Re:Website Fried

yeam. i am moving to holland thanks fpor the advice.

Re:oops url

[CommandLineGuy]

FreeBSD?

Re:Laugh all you want, leftie

A-hahahaaaaaaa!

Hahaahaaaaaaaaaaaaaaa

Hahahahahaaaaahahhhhaaaaaaa

ahaaaaaaaaahahaaaaaaaa haaaahaaaaaaaahaa!!!

*grin* :-) :-D lololololl rofl!

Thanks!

Proof of possession still required

They still have to show possession, you know. You might get stuck behind bars while they try to sort something out against you, but only temporarily. You can't actually be *charged* for possessing an illegal copy of something unless it can be shown that you possess it or possessed it at some point.

If you start to download an item and delete each byte as it comes in, you've never possessed the item itself --- you can't be done for possession of individual bytes one at a time, everyone's got the same bytes. :-)

Likewise, if you start to download an item and for each incoming byte you store a random one instead, then you've never possessed the item --- you can't be done for possession of a file of a particular length. :-)

So, having a known IP address and getting logged as a downloader can't really be used to prove possession. At most it can indicate the possibility of possession.

Uploading of copyright material is a different matter however. Until bittorrent starts relaying fragments via other nodes, local encryption isn't going to help you much when the entrapper presents documented proof that you actually gave him a copy of an item, since that clearly indicates possession.

Bittorrent files really need to be encrypted and then scattered pseudo-randomly across a multiply-redundant set of nodes, and then the reassembly info passed into the network and deleted from the original host. Then you won't even need any local encryption yourself.

Many scattered, poorly written documents about EFS

[Futurepower(R)]

I've read the many scattered, poorly written documents about EFS. I find them very misleading. For example, the information above does not say that it applies only if the encrypting computer is part of a Windows domain.

OpenBSD antsp2p

Interesting that the author mentions antsp2p. But the fact is that OpenBSD does not support JRE 1.5, and thus the author won't be able to run antsp2p.

I'm guessing that his backups were encrypted...

[Futurepower(R)]

I'm guessing that his backups were encrypted and he didn't realize that the encryption was tied to his user password, and to an undocumented hidden number associated with his user profile. Creating another account with the same login name and password does NOT allow decryption.

Who would guess that the encryption was insecure? When you read Microsoft's documentation, there is a lot of talk of file recovery, but the documentation doesn't say that it applies only to computers that are members of a Windows domain.

404 Fried too

[bshroyer]

Cool! First we /. the website, then we /. the 404 page. Where can we go from here?

You act sure, but you say, "I believe."

[Futurepower(R)]

You said, "This is another example of mod-by-agreement. Anyway, EFS is documented perfectly well."

Correction: This is another example of someone on Slashdot acting sure when he knows nothing about the issue, and didn't even read the document at his first link in his Google Search: Microsoft Windows XP - Data Recovery and Data Recovery Agents, which says:

"The default design for the EFS recovery policy is different in Windows XP Professional than it was in Windows 2000 Professional. Stand-alone computers [using Windows XP] do not have a default DRA, but Microsoft strongly recommends that all environments have at least one designated DRA.

"In a Windows 2000 environment, if an administrator attempts to configure an EFS recovery policy with no recovery agent certificates, EFS is automatically disabled. In a Windows XP Professional environment, the same action enables users to encrypt files without a DRA. In a mixed environment an empty EFS recovery policy turns off EFS on Windows 2000 computers, but only eliminates the requirement for a DRA on Windows XP Professional computers."

This information means that you can lose your files in Windows XP in a way that you could not lose them in Windows 2000. Microsoft made this change, but provided no on-screen warning.

The Microsoft document quoted above says, "Stand-alone computers do not have a default DRA,..."

It should say, Stand-alone computers CANNOT have a DRA that allows decryption of files from a different computer with the same user name and password.

As I mentioned, this was verified by Microsoft Tecnhical Support representatives, as was the information in my parent post.

You said above, "I believe the process can be started with a simple cipher /r." This is a VERY serious matter. People lose their files!!! You should not be posting comments in which you take a seemingly sure position, but that sureness is based on "belief".

Re:You act sure, but you say, "I believe."

[Foolhardy]

The only difference between 2000 and XP's EFS system for data recovery agents (DRAs) is that 2000 used to make administrators DRAs by default but XP requires you to do it manually using this procedure.

Yeah, you can lose your data, if you reset the user's password. Before you reset a password, a big ugly warning box is shown stating that the user might expierence data loss. (a dialog not present in 2000). It's not like you'll magically lose your files in XP for no reason.

This information means that you can lose your files in Windows XP in a way that you could not lose them in Windows 2000. Microsoft made this change, but provided no on-screen warning.

This isn't a new way to lose files. It's a simple change in the default configuration. An on screen warning? What do you want, an immense file shown on screen during installation listing all the changes in the operating system since the last version? A warning displayed every time you encrypt a file? What if the user really wants to have no DRAs?

If you are concerned about the status of DRAs, go and check the group policy yourself.
If you don't know how to set up and query DRAs correctly (it's not hard) then you shouldn't be using EFS at all.

It should say, Stand-alone computers CANNOT have a DRA that allows decryption of files from a different computer with the same user name and password.

Sure you can. Make sure you connect using the "Connect using a different user name" option. You may have to do it by mapping a drive letter. If you have computers where you are maintaining a set of identical users with the same passwords, it's probably time to upgrade to a domain. That's what they are for.

Re:oops url

So Microsoft gets boycotted no matter what stand they take on this issue.

I'm normally suspicious and untrusting of Microsoft, but COME ON... there's plenty of reasons to hate Microsoft, and sexual preference is NOT one of them.

Other experience?

[Futurepower(R)]

I'm very interested to know if other people have experience with other encrypting file systems.

TrueCrypt seems excellent, however, the recent bug fixes look somewhat serious. Is TrueCrypt mature?

Re:Piracy how-tos?

[anakin876]

how is it immoral? Are you equating "file sharing without the consent of the copyright holder" with theft? If that is the argument (not that I am likely to get a response from the original AC), then I would like to ask who is being robbed? If the person downloading the material would never have purchased it, then no one is being deprived of revenue.

Re:Differentl laws in that country make this usefu

It's like that in Sweden for example. If they can't find any evidence on your harddrives, they can't do jack shit. (a company was recently freed in court because the cops couldn't find the files which were specified in the warrant).

OT: Re:Big fan...

[jonbrewer]

120mm - I have one in an aluminum Lian Li case. Nice and quiet with good airflow, if you don't mind having a gigantic PC case.

Re:Piracy how-tos?

bibity bopity boo

Re:oops url

[OrangeTide]

Well there is Jesux. A christian Linux distro.

Stenography Steganography Stegasaurus

[kris_lang]

That is not the dinosaur which you meant.
Or as said in the Princess Bride, "that word, I do not think it means what you tjink it means..."

umm... I believe you mean "steganography", though if you don't know shorthand, the scribbles of a stenographer are rather cryptic.

One way to secure a server

[l0rdpestilence]

Warning: mysql_connect() [function.mysql-connect]: Can't create a new thread (errno 35). If you are not out of available memory, you can consult the manual for a possible OS-dependent bug in /usr/local/www/textpattern/lib/txplib_db.php on line 15

/. ing something is one way to secure the site...good one.

EFS encrypts with two passwords.

[Futurepower(R)]

EFS encrypts with two passwords, one is a hidden password generated by Windows XP. Backing up one password does not actually prevent data loss, because there is a hidden password that is not backed up. That's my best understanding, after discussing this with Microsoft Technical Support.

Re:EFS encrypts with two passwords.

You simply don't know anything about EFS. That's clear.

Re:EFS encrypts with two passwords.

Someone posted a link to an article about how to recover the hidden password. I can't find the link now.

Re:EFS encrypts with two passwords.

[Foolhardy]

Not exactly. A public/private key set is generated the first time you encrypt a file. The public key is used to encrypt files and the private to decrypt them. The only place these keys are stored are in a special key store that is encrypted with your password, unless you explicitly export the keys with the Certificates snap-in. On a domain, this is in the Active Directory and on stand-alone computers it's in the SAM. When your account is deleted or the password is reset, the key store is lost. Even though you have the original password, the old key store is gone. At this point, you re-import your backed up keys into the new store.
There aren't any 'hidden passwords'.

Microsoft Technical Support says no.

[Futurepower(R)]

I was told by a Microsoft Technical Support representative that the procedure you are recommending does not work. I've tried it, and they are right, it doesn't work.

The title is, "Designating a Data Recovery Agent in a Stand-Alone Environment". That is VERY misleading. The Data Recovery Agent works only if you happen to know the other password, generated by Windows XP. If you put the same login name and password on another computer, you cannot recover your files, because the hidden password will be different.

The DRA works only if you are using the original installation of Windows. If you have a system crash, you lose EVERYTHING. Your backup is NOT a backup! That's cruel.

Someone with your knowledge and ability can no doubt figure some way to back up the other password. However, most people are misled, and many are losing data, judging from complaints on the Microsoft forums.

Re:Microsoft Technical Support says no.

[Foolhardy]

I just tried it. It works fine. Here was my procedure:

1. Create a EFS recovery agent certificate and private key pair using cipher /r:efskey and enter a password to protect the key file. This produces efskey.cer and efskey.pfx.
2. Add the certificate (efskey.cer) to the list of recovery agents using the Local Security Policy snap-in. (must be admin for this)
3. As user A, create a file and encrypt it.
4. As user B, add the private key (efskey.pfx) to your personal store using the certificates snap-in. You must re-enter the password used when you created the private key.
5. As user B, browse to the encrypted file and decrypt it. Note that the user that did this was listed as a recovery agent but not a normal 'transparent access' user.

Notes:

• The options for import and export are in 'All Tasks'. Just right-click on a folder (probably Personal) to import into or specific key to export and use the All Tasks submenu.
• Make sure that you import the .pfx key file (not the .cer certificate) into the recovery agent's key store. The default file filter is for .cer; change it to .pfx.
• The certificate must be defined as a recovery agent before files on the system are encrypted, or they won't be decryptable using the recovery agent. Use cipher /u to update the key list on all encrpyted files on local drives.
• Anyone can export their EFS key for backup purposes using the certificates snap-in. This will work regardless of installation.
• You can have many encryption keys and certificates, both for transparent and recovery agent uses.

You're not so much adding users to the list of recovery agents, but a list of trusted certificates. Any user that has (and adds to their certificate/key store) the corresponding private key to one of those trusted certificates can decrypt files. The certificate store also contains the normal EFS key and cert. It is protected by the user's password, so when it is reset the store becomes inaccessible along with your keys (unless you exported them for backup).

The Data Recovery Agent works only if you happen to know the other password, generated by Windows XP. If you put the same login name and password on another computer, you cannot recover your files, because the hidden password will be different.

Huh? The only passwords needed were for user logon and an optional one to protect the recovery cert private key. If you are going to another computer, export your keys. That's exactly what the export and import functions are for.

The DRA works only if you are using the original installation of Windows. If you have a system crash, you lose EVERYTHING. Your backup is NOT a backup! That's cruel.

You backup the data and you export and backup the keys. Simple.

How would you do things differently?

You are right, and Microsoft tech supp. is wrong?

[Futurepower(R)]

You simply disagree with Microsoft Technical Support, that's clear.

You have to assume a known algorithm

[Beryllium+Sphere(tm)]

Fascinating idea but wouldn't do any good.

Basic crypto says you should expect your opponent to know what algorithm you're using. Even if you do your encryption and decryption in hardware, sooner or later the Polish resistance will capture one of your machines and hand it over to British intelligence.

So if you have software that hands out bogus plaintext in response to a bogus key, whoever's investigating you will know to ask for BOTH keys.

Re:You have to assume a known algorithm

[Albinofrenchy]

The trick then is to make it so legitimate in appearance that they stop looking.

Re:You have to assume a known algorithm

[bundaegi]

A nice one I used a while back (ha!) is StegFS

It's kernel 2.0 or 2.2 only if I remember...

[from the original website]

Although a number of people have shown some interest in recent times in doing work on StegFS or developments of the idea (e.g. http://stegfs.sourceforge.net/), no-one seems to have had enough energy to actually do anything.

The FS had an arbitrary number of layers which were completely hidden from each other (running the risk of files in one layer overwriting files in a layer below).

Anyway, this is (was) mentioned on ./ a couple of times before.

Re:why? Well, that you mean is . . .

That argument is not one that you personally approve of. Thanks for sharing your personal opinion. It's good to have everyone share, wouldn't you agree?

Re:oops url

Um, not really:
http://www.geocities.com/ResearchTriangle/Node/408 1/jesux.html

Re:You are right, and Microsoft tech supp. is wron

[uhlume]

MSTS either "dumbed down" their explanation for you, or you simply failed to understand it: the "second hidden password" isn't a password at all, but rather a security certificate, and it's far from impossible to create a backup: see http://www.worldstart.com/tips/tips.php/1444 for instructions even an idiot could follow.

Although...

[CarpetShark]

If the cops bust you, and you have an encrypted hard drive and you don't hand over the password, you will be charged with obstruction of justice.

One benefit would be that you could still argue the case on principle. The encrypted HD would abstract the loaded issue of "piracy" enough to let you argue about your rights and privacy.

Hilarious.

nt

NetBSD

[bhima]

Does anyone know if this torrentflux thingy works on net BSD?

Re:NetBSD

Torrentflux works on almost every OS with Python 2.2 or higher, PHP4 and MySQL.

FUCK BT KIDDIES - torrent users are crooks!

torrent is the downfall of the movie/game industry! fuck all the highschool/university bastards who use it! FUCK BT 1KIDDIE676S 1fuck bt4 kidd ies FUCK BT 1KIDDIES fuck2 bt kiddies FUCK BT KID234DIES fuck bt kid8dies FUCK3 BT KIDD9IES fuck bt kiddies1 FUCK BT KIDDI8787ES4 fuck bt kiddies 1FUCK BT KIDDIES2 fuck5 bt k3ddies FUCK BT 3KIDDIES fuck bt kiddies6 FUCK BT KIDDIES fuck bt kiddies7FUCK BT KIDDIES fuck bt kiddies FUC6K BT KIDDIES6 fuck bt kiddies FUCK BT KIDDIES fuck bt kiddies FUCK BT KIDDIES fuck bt kiddies FUCK BT KIDDIES fuck bt kiddies FUCK BT KIDDIES fuck bt kiddies FUCK BT KIDD8IES fuck bt kiddies FUCK BT KIDDIES fuck bt kiddies FUCK BT KIDDIES fuck bt kiddi3es FUCK BT KIDDIES fuck bt kiddies FUCK BT K1DDIES fuck bt kiddies FUCK BT KIDD676IES3 fuck bt1ki234ddies FUCK BT 2KIDDIES fu324ck bt kiddies 1FUCK BT KIDDIES fuck bt kiddies FUCK BT4KIDDIES fuck bt ki3242ddies F34UCK BT KIDDIES fuck bt kiddies FUCK BT7 KID324DIES fuck bt 6kiddiesFUCK BT KIDD766ES fuck bt kiddies rFUCK BT KIDDIES fuck 34325btkiddies67FUCK BT K1DDIES4 fuck bt kiddies FUCK BT KIDD1ES 5fuck bt kiddies FUCK BT KIDDIES fuck bt kiddies4

Re:FUCK BT KIDDIES - torrent users are crooks!

[Michael_Ayoub]

"torrent is the downfall of the movie/game industry!" You are part of the downfall of the human race!

EFS *seems* very well documented.

[Futurepower(R)]

That's not what is happening. EFS seems very well documented. It takes considerable analysis to determine that what the documentation seems to say is not correct, and, for those who "upgraded" from Windows 2000, that a backup is no longer a backup.

Jus use a random password

[cpghost]

All the court needs to do is issue a subpoena for the password. Refuse, and you're now in contempt.

Three strategies:

• "The password? Hmm... I'm sorry, I can't remember it! This whole lawsuit is detrimental to my ability to remember such things."
• Give another password that kills the master keys. Then, when asked about it say: "Oh darn, that was the password for the second partition!" (bad if they say: okay, we've made a backup, what was that password again?)
• Encrypt with a passphrase drawn from /dev/random (like encrypted swap partitions!). As long as you don't reboot, files are available. And you don't know the passphrase as well, so you're not in contempt.

Most EFS problems are with stand alone computers.

[Futurepower(R)]

True. However, you didn't bother to read this entire thread. Most of the cases of loss of data with EFS occur on stand alone computers that have never been part of a domain. Also, there are postings by people who have lost their data because of some problem with the domain controller computer.

As, I said, and you ignored, the problems with stand alone computers have been verified by Microsoft Technical support.

The documentation is very misleading. Backing up the certificate, in the minds of many (former) EFS users, backs up everything needed to decrypt the files. That's what the documentation seems to say. However, the behavior has changed since Windows 2000.

Wrong!

[Futurepower(R)]

This is what most EFS users think, and it is wrong. Backing up the certificate is not enough to recover your data!! Don't believe me? Try it! I did. Try restoring your data to a different computer with the same login name and passowrd, after restoring the certificate backup. You will get an access error.

The problem is that people are faithfully backing up their certificates, and discovering later that there is, effectively, another password, an SID, I think, but it is not documented, required to recover their encrypted data.

Re:Wrong!

[rikkards]

You are right, it is based off of the SID not off a password. The SID isn't a password but the numerical representative of the account. If the accounts are workstation based then the SID will be different from one workstation to another. However if you are using a Domain account the User SID will be the same when you logon to different workstations.

The key to the issue is the trusted authority. Since the original workstation was the trusted Authority that created the cert in the first place, you should be able to import the exported backup private certs on the same workstation, however since you tried to import on another workstation, since the second workstation does not trust the original it fails. The solution in this case is to set up a Certificate Authority that all trusted certificates will be issued from that the workstations will trust.

The scary thing is that the EFS cert is put into the CAPI store with no security other than the user's credentials. This means that anyone who can logon with the user's account would be able to access any encrypted files. This is due to MS trying to keep EFS transparent to the user which i s a leftover from their Pre Security Initiative days. I wouldn't be surprised if somewhere down the road a user will need either a PIN, biometric device, smartcard or a token to access the encrypted data as well as logging on with their user account

Just works...

[hummassa]

The Problem, and a lot of people do NOT realize it, is: Proprietary Software NEVER does Just Work(TM). It may pass that impression at first, but in the long run, tsc tsc...

Try restoring to a different computer, no domain.

[Futurepower(R)]

Thank you for your detailed reply.

However, as I said, Microsoft Technical Support verified that there are problems with stand alone computers, that have never been part of a domain.

Could you try restoring to a different computer, that has never been part of a domain? The documentation implies again and again that your procedure would work, but it doesn't.

You say above, "Anyone can export their EFS key for backup purposes using the certificates snap-in. This will work regardless of installation."

I've tried restoring to a stand-alone computer many times, without success. MS Technical Support says it can't be done. I'm very interested to know if you can make it work, and how. In Windows XP, the data is also tied to another, randomly generated number that is hidden from the user.

To test this, it is necessary to restore to a different installation of Windows XP, one that is not a clone of the computer on which the backup was made. This simulates actual use, where there was a system crash.

Okay, 3: Certificate. User name PW. Hidden PW.

[Futurepower(R)]

Yes, what I said is misleading. So, here's a correction: There are 3 [three] passwords: 1) The certificate, 2) The user name password, and 3) A hidden password, apparently some kind of an SID. I don't know for sure, because it is not documented, apparently.

Re:Try restoring to a different computer, no domai

[Foolhardy]

OK. I could not get the recovery agent function to work properly, but I could add normal (transparent) access users from other computers to a file. Both are running seperate installs of XP SP2, and AFAIK neither has ever been a domain member.

1. Encrypt a file on computer A, user A like normal.
2. Export user A's private key.
3. Use ntbackup or a different local installation to access the still-encrypted file on computer/installation B.
4. Import user A's private key into B's key store on computer B.
5. Note that the encryption properties of the file list user B as having transparent access.
6. Open the file.

OR

1. Export user B's public certificate.
2. Import that certificate into your personal or the computer's list of "Trusted People" on A.
3. Encrypt a file on A, and add user B to the transparently authorized list (note the user@computer for B is now listed in Add)
4. Transfer the encrypted file to computer B. User B can access the file transparently.

eh?

[StarKruzr]

Congressman DeLay, is that you?

Interesting.

[Futurepower(R)]

Interesting. I tried that many times and was not able to make it work. I was told by Microsoft Technnical Support that it would not work.

Is it possible that the two computers you used for test were clones of each other? Then they would have the same SIDs.

Re:Interesting.

[Foolhardy]

These are two seperate normal installs directly from the XP cd. They don't have the same machine SID.

Which method did you try? Both? At what point does it seem to break? Are you listed as an authorized user for the files in the encryption properties on both installs?

Tomorrow.

[Futurepower(R)]

I will test this again tomorrow.

I thought everyone already knew?

[OrangeTide]

It is pretty obviously a joke, people were really thinking that Christians would be that extreme? I guess some coastal liberals live in caves. :)

Anyways, someone should have modded the parent up.