Computer Security

[jzacker]

long story short and point i am trying to convey:  once i have physical access to your machine i own you, your identity, passwords, and everything you ever did have done etc i know within a short amount of time.  unless you have a kill switch.  if you have that it is too much time and money for me to bother.  now think about it.

I'd recommend simply keeping all your important data on an encrypted partition and use PGP for email. If you use IM you can get encryption plugins for Pidgin and I'm sure others. Keeping an offsite copy of the encrypted data is important too.

this should probably be in another thread.  i dont want to hijack this on computer security but ...

any software application i.e. PGP, TrueCrypt etc doesnt prevent me (or anyone else) from getting into the machine as the user or another user with admin rights within a short amount of time rendering the encryption and all other software (non physical) security useless.

Very interesting.  Is there any security software you DO recommend?  Or is it all bunk?

[leetninja]

well some are "better" than others but for teh most part software is software and it can be broken.  some just make it harder than others.  i.e. checkpoint is a pre-boot and salts the hash every single time it would take YEARS to break it with brute force.  but if you are LE it takes about 20 minutes on the phone with checkpoint.  same goes for pretty much any other username/password/encryption on anything.  if LE wants your email password they just send a fax and have it 20 minutes later or faster sometimes.  honestly physical destruction is pretty much the ONLY way to secure data.  the downside is that if you dont get there first you cant exactly physically destroy anything.  its complicated i guess.

[bile]

Of course the best security is for the data not to exist but it's perfectly reasonable to expect the average encrypted partition tech, PGP and related forms of communication encryption to be more complicated then any local, state or even federal departments to bother with. If there is a weakness in the encryption there is little you can do but if you stay on top of releases of whatever software you've got nothing you're doing is worth several years of bruteforce attacks. Even with more specialized hardware... FPGA based or GPGPU... it'll still take a long time with modern cryptography systems with 2048 bit keys and appropriate setup. They'll try to force you to give them your passphrase before doing anything else.

That's really not the problem so much as the rest of it is. If your passphrase is crap and they guess it... your done. If they raid the place and it's already mounted and they have someone expecting an encrypted device they will have full access. If you have an external key that needs to be held securely. There are different methods to secure those parts too.

You need end to end security and obuscation. It's not necessarily easy but can be done. There were reasons the US government restricted crypto tech. As leetninja said though best secured data is nonexistent data.

[NJLiberty]

I wouldn't recommend anything as being LE proof. If you want to keep your housemates out of things, and want to be relatively secure from run of the mill hackers then there are a host of products out there. If you want to keep things safe from LE, you are pretty much beat in my opinion, short of physical destruction and even there you would have to be very thorough.  It is amazing what can still be retrieved, even after fires and such, assuming of course that they are interested in putting forth the effort and wasting still more of the people's money. 

The best I can suggest to you is to assume they can see and access everything on your computer and act accordingly. As leetninja said, if you are going to destroy it you have to make sure you get to it first. I just work from the assumption that they already have whatever I have on the computer and don't worry about it.  If they come, they come. I'm not confident they wouldn't just create whatever they needed to justify their actions anyway, whether they found it on my PC or not.

George

[K. Darien Freeheart]

Any information that can be ENcrypted can be DEcrypted. Encryption is your strongest data protection mechanism. With those two things in mind, I'll agree strongly with the sentiment "If you don't want it seen, don't put it into a viewable form".

If you're worried about law enforcement, any physical means of destroying your computer before they see it is, itself, a crime. I mean, in context, this popped up about a warrant being served. Blow up the computer when they have a warrent and they don't need anything off the disks to put you in a rape cage.

[bile]

And when we talk about physical destruction... that means like putting your harddrive in a grinder/woodchipper. A thorough wipe of a magnetic harddrive takes a lot more time then you generally have in these situations. And as pointed out that'd be a crime too...

[K. Darien Freeheart]

The hypothetical "run a magnet over it" is complete bunk. You'd need a magnet strong enough to life a car before you begin altering the data enough to obfuscate it. Atomizing or smelting are pretty much the only options for secure destruction of data and neither are feasible for the quick, home use.

[bile]

HD magnets are great toys. Just watch your finger tips.

[leetninja]

HD magnets are great toys. Just watch your finger tips.

lol they are fun.  neodymium magnet

[leetninja]

thin clients are one option as well.  nothing saved no traces.

[Zefferon]

long story short and point i am trying to convey:  once i have physical access to your machine i own you, your identity, passwords, and everything you ever did have done etc i know within a short amount of time.  unless you have a kill switch.  if you have that it is too much time and money for me to bother.  now think about it.

Do you think you could recover any data files from one of my hard drives?
I use simple XOR encryption with 1 megabyte pads.

[K. Darien Freeheart]

It can be done. It would not be too difficult to construct a device which uses thermite to destroy a HDD. It would have to be external, but you could set it off with the touch of a button.

That method requires your constant attention. It does NOTHING to protect your data when you're at Price Chopper buying some cookies. Drive destruction is a good way to decommission drives securely, but it's a really crappy method of protection while the drives are in production.

If you want to really be safe, don't use a hard drive disk or if you do, make sure that you have a "read only OS" setup, with everything else saved to a USB key or something else that can easily be destroyed or hidden.

A method I prefer, and one that "works anywhere" is a LiveCD like Ubuntu. Pop it in, boot up, browse, edit, whatever. Data is saved to RAM which clears when the PC is powered down (yes, the data lingers for a few moments, but I strongly suspect you're screwed anyway if they're poised to move in during those few moments.

I also use LUKS for my laptop. Because it's portable, I'm concerned that it'll get swipped one day and I don't want another set of crooks having access to my bank accounts.

[leetninja]

Do you think you could recover any data files from one of my hard drives?
I use simple XOR encryption with 1 megabyte pads.

It is a simple encryption to crack.

I'm not the only one who will tell you "XOR encryption is a trivially simple symmetric cipher which is used in many applications where security is not a defined requirement."

With the proper software and coding it could be cracked within minutes because it is symmetrical.  I havent looked but i would imagine someone has already done it.

[DigitalWarrior]

This conversation is brutally retarded.

They are also going to fry you with network logs.

LE does not have a magic decrypt this button in the vast majority of anything interesting.  This is especially true of truecrypt (open source is a motherfucker if you are trying to hide stuff).  If you have any evidence of any "decrypt this" button, please let me know exactly what it is.  If you encrypt your hard drive it is nearly impossible to get at it without you giving them your password.  But you will almost certainly give them your password because you do not follow procedures.  That and the judge is going to order you to produce the key.

Leet, I will take a simple XOR with a secure one time random pad over any other thing in the world.  The thing you quoted assumed a one bit pad, which is silly.  A one time pad is theoretically foolproof, and not subject to any analysis whatsoever.  The real problem is that the "secure" or the "random" are often broken.  A 1M pad is pretty damned big but not nearly big enough, it is subject to statistical analysis by a reasonably competent laboratory.  It could even be trivial if you have a lot of unused space (Find several one meg blocks with the same binary value, assume those are blank, compare to a blank section of various filesystems, get XOR key for each and then use the XOR to decrypt). 

If you want something for free speech, you need procedures.  On the physical machine, store it in a quality safe.  Prior to each use, examine the tamper stickers, PS2/USB port, and motion detector logs (Just say no to KeyCatcher).  Next fire up a Linux LiveCD and use an encrypted USB stick with hidden volume to store your preferences and keyring and files (yes your performance is crap, but you are not storing the vast majority of what you are doing, even momentarily, on any persistent memory).  You should be using open internet and definitely using TOR (not perfect, but good).  DO NOT ever visit any web site that can tie a log in to you from that computer (cookies suck).  Practice good OPSEC or die. 

I don't have to do this because I live in America.

If you are trying to hide child porn, forget about it and place yourself in the care of a mental health provider.  You have a compulsion and will screw up your procedures while not thinking clearly.  Maybe electroshock therapy will help.  If you are actually abusing children, we should get together and go shooting.  You can hold the target. 

Digital "Yes I get paid to tell my customers stuff like this.  That will be $180 payable in silver" Warrior

[Zefferon]

Mr DigitalWarrior,

A seperate 1m one-time-pad PER FILE.

Some of the files being zips.