Posts by BenWilson
Last ←Newer Page 1 2 3 4 5 Older→ First
-
OnPoint: The Big Guns: Truecrypt and Tails, in reply to Stephen R,
Assuming that the government is interested in you
And also assuming Keith's assumptions....
In this case, that the Police can get a search warrant and seize your computers and your devices, and upon discovery of an encrypted hard drive, can compel you to give up the password. It’s a VERY specific adversary. It’s not unlimited, it doesn’t involve rubber hosing or extraordinary rendition, or indefinite detention, or supercomputers brute forcing your shit, or the TAO using custom exploits to target whatever.
Against this specific threat, the measures I suggested would give you a comparable level of protection. I'm not advising this, just disputing the claim:
For journalists, obscurity is not an option.
-
OnPoint: The Big Guns: Truecrypt and Tails, in reply to Richard Love,
My suggestions were not places that a search warrant makes any easier. A USB stick given to a friend, a file stored in an anonymous internet storage area, etc.
-
OnPoint: The Big Guns: Truecrypt and Tails, in reply to Matthew Poole,
Depending on various things, they may be able to look at the low-level pattern of activity and determine there is a space that it is avoiding, for no apparent reason.
I don’t think it works like that. If it doesn’t get the password of the hidden volume, it doesn’t know anything about it, and won’t necessarily avoid it. Presumably you have to mount the hidden volume when you’re using the system a lot, or you risk overwriting some of it. If I were designing it, I’d make the hidden volume data go from the end of the data space backwards, and all the other data go from the front, forwards, so that such overwriting would be unlikely until both volumes together were nearing the partition capacity, in case you wanted to work for extended periods without mounting the hidden volume (say you thought you were being observed). In that case, the avoidance of the end would be automatic and normal for the system anyway, and no proof of anything.
ETA: This is @Duane, not Matthew. Don't know how that happened.
-
OnPoint: The Big Guns: Truecrypt and Tails, in reply to Richard Love,
Because eventually a journalist publishes an article. Once this happens the fact that there might be additional (unpublished) information about sources etc ceases to be obscure. And motivated parties may try to look for this information, within the bounds of their technical and legal (joke!) capability.
Yes, but if it's hidden obscurely it's no easier to find once they know it exists, than it was before they knew. It's a possibility for journalists. Not as secure, but within the bounds given (the attacker will not be the NSA and coercion is off the table), the difference is not practically a great deal. However, the difficulty of using TrueCrypt is not high so I think "why not?" is a pretty strong argument for using it if there's the least paranoia.
-
OnPoint: The Big Guns: Truecrypt and Tails, in reply to SteveH,
Destroying it after use is one way to ensure secrecy, but it is not a requirement
No, but it's the least you can do. It's of no further use, and can only damage the security of the system.
A OTP has certain requirements one of which is that it must be kept secret forever.
Yup, and it's not secret by definition if there are thousands of publicly available copies of it floating around. Hence, that is not a one-time-pad. That's a thousands of times pad, and really insecure.
However I don’t know if using the least significant bit of each word on a CD would be sufficiently random.
It's definitely not what I'd use, even if I was using a OTP, which I probably wouldn't.
-
@Bill Brown
If they hack your email password alone, then almost all of those other passwords can just be reset.
-
OnPoint: The Big Guns: Truecrypt and Tails, in reply to Keith Ng,
This has all been aimed at journalists and their sources. For journalists, obscurity is not an option.
Why not? You can hide a memory stick somewhere, same as anyone else. Or put it "somewhere on the internet". You can have private conversations with people that do not involve electronic records. Indeed this seems like the most usual way of protecting themselves, most especially because it works.
-
OnPoint: The Big Guns: Truecrypt and Tails, in reply to Keith Ng,
Fair enough – even the header information itself is encrypted and may not exist. Which does not mean you couldn’t be compelled to give that password and be in violation of law if the existence of the drive comes to light later.
-
OnPoint: The Big Guns: Truecrypt and Tails, in reply to Jarno van der Linden,
If you appear to have really clever security systems, I don't think even producing the data will necessarily make them happy, because they can't be sure it's the real data. The could demand all the data from your hidden volume space, even if there's none in there. You can't prove there isn't any there, if there isn't any. But if the onus has shifted, that plays against you. You could end up in Guantanamo next to the goat herder who is also completely innocent. If you're lucky enough not to be subjected to extraordinary rendition. And that's all on the assumption that agents don't go Jack Bauer at the least excuse anyway,
I've made this point before, and I'll make it again. If you're really trying to protect your data from intelligence services, good luck with that. That's a cat and mouse game that they love to play, that they're paid to play, and have extraordinary powers in, well beyond you and your PC.
Protecting your systems against lesser and much more likely threats is sensible, though. Hackers. Industrial espionage. Colleagues, family. A burglar. Identity thieves. A snoopy detective. For this level of protection it doesn't really need to be that strong. You could use the big cannons that Keith has been writing about.
Perhaps if it was so widespread to lock up systems with strong encryption, and for all unwritten data space to always be random, then it would not be seen as evidence of having something to hide. But that isn't the case. Most people don't use any security at all, and probably don't have any secrets worth that level of security. This is the backdrop against which you will be seen both by agents, and possibly by a jury too.
The irony is that in the "security vs obscurity" stakes that is common in encryption speak, any people really planning to do things that intelligence services (and police) really should be worried about, tend to use obscurity. They're a needle in a haystack of billions of people. It's still very hard to detect low tech organization using high tech methods.
-
OnPoint: The Big Guns: Truecrypt and Tails, in reply to Paul Campbell,
In reality you just have to create a big enough haystack that the needle is essentially OTP
Not really, not in the sense to which you were originally referring, safe from the future hacker who has processing power with any limit you care to name, and all of the data from now fits on a corner of his phone's memory. The true OTP is actually safe from infinite computing power and storage. With infinite computing power, you could run every known key against every cyphertext and get the answer in zero time. That's the limit case. Public key is most certainly not safe from this. But it's a lot more practical, for now.
Last ←Newer Page 1 … 303 304 305 306 307 … 1066 Older→ First