Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Computer Security (http://www.velocityreviews.com/forums/f38-computer-security.html)
-   -   Security and Encryption FAQ - Revision 18.2 (http://www.velocityreviews.com/forums/t305465-security-and-encryption-faq-revision-18-2-a.html)

Doctor Who 06-04-2004 08:59 PM
Security and Encryption FAQ - Revision 18.2
 
-----BEGIN PGP SIGNED MESSAGE-----

Security and Encryption FAQ - Revision 18.2 - 4th April 2004

by Doctor Who



"No one shall be subjected to arbitrary interference with his
privacy, family, home or correspondence, nor to attacks upon his
honour and reputation. Everyone has the right to the protection of
the law against such interference or attacks."

Article 12 Universal Declaration of Human Rights




Disclaimer and justification for this FAQ.

Many countries operate a legal system designed to suppress individual
freedom. Such countries often do not obey basic human rights. The
law in these countries may be based on guilty until proven innocent.
My intention in offering this FAQ, is to legally challenge these
threats to your freedom. It is not my intention to promote any
illegal act, but to offer you the option of freedom of choice. How
you use that freedom is entirely down to you.


This revision contains more major changes. Apart from DriveCrypt
ver. 2.7 with its whole hard drive encryption, additionally I now
recommend TrueCrypt because it is open source and free. It seems to
be an excellent encryption program. I can also recommend a truly
anonymous and easy way to subscribe to Usenet and to surf the Net.
See part 2 of the FAQ.

The Quicksilver security bug has now been fixed - see later in FAQ.
This is the only change in this revision compared to revision 18.1



The FAQ has 2 main Sections.

Part 1 concentrates on passive security. It is intended to be useful
to both posters and lurkers. Part 2 is to maximize your privacy
whilst online, particularly for Email and Usenet posting.




As in previous versions, I have assumed three security levels:

Level 1. For those who wish to protect their files from
unauthorzised access. These users are not too concerned at being
found with encrypted data on their computer.

Level 2. For those who not only wish to hide their private data,
but to hide the fact that they have such data. This might be an
essential requirement for anyone who lives in an inquisitorial police
state where human rights are dubious, or where the individual does
not enjoy the right to silence to avoid incriminating himself.

Level 3. For those who not only need all that is offered by level
2, but additionally wish to protect themselves from snoops whilst
online who may try and hack either their software or add substitute
software that could compromize their privacy.




Part 1 explains the 3 security levels and offers help in achieving
them.




1. How does encryption work?

Essentially the plaintext is combined with a mathematical algorithm
(a set of rules for processing data) such that the original text
cannot be deduced from the output file, hence the data is now in
encrypted form. To enable the process to be secure, a key (called
the passphrase) is combined with this algorithm. Obviously the
process must be reversible, but only with the aid of the correct key.
Without the key, the process should be extremely difficult. The
mathematics of the encryption should be openly available for peer
review. At first sight this may appear to compromize the encryption,
but this is far from the case. Peer review ensures that there are no
"back doors" or crypto weaknesses within the program. Although the
algorithm is understood, it is the combination of its use with the
passphrase that ensures secrecy. Thus the passphrase is critical to
the security of the data.



2. I want my Hard Drive and my Email to be secure, how can I achieve
this?

You need Pretty Good Privacy (PGP) for your Email and DriveCrypt Plus
Pack or TrueCrypt or BestCrypt for your hard drive encrypted files.

PGP is here: http://www.pgpi.org/

DriveCrypt Plus Pack is here: http://www.drivecrypt.com

TrueCrypt is here: http://www.truecrypt.tk/

BestCrypt is here: http://www.jetico.com/

The International PGP Home Page hosts the latest version of PGP, ver
8.0.3. To download the software you must allow them to check who
you are basically. This means you may need to re-configure your
firewall. Just another software vendor's paranoia. PGP is available
for all versions of Windows, Linux, Unix, Mac and others. The source
code is available for compiling your own version should you wish.

DriveCrypt Plus Pack (henceforth referred to as DCPP) is
Win2000/NT/XP compliant but not compliant with Win98 or earlier.
Regrettably, no source code is available. It has one single
advantage which merits its inclusion, it is a whole boot drive
encryption program. Sadly there are no modern open source boot drive
encryption programs presently available.

TrueCrypt is a new, free and open source OTF program of great promise.
Although very new, it offers several advantages over DriveCrypt and
BestCrypt - a/ it is free and b/ it is open source. But it also has
another big advantage: it does not display any file header info
to help a snooper identify the files purpose. It can also encrypt a
whole partition or drive and again not display any info to help an
attacker. It is available as version 1.0 and still has a few bugs
to be sorted. But it offers the promise of being an excellent
program once these little niggles have been sorted. At present its
progress seems under a cloud due to a legal dispute which hopefully
will soon be sorted.

BestCrypt is Win95/98/NT/2000/XP and Linux compatible. But again
the source code is only released for the algorithms, not the Windows
interface.

If the sighting of the source code is important to you, I suggest
using PGP version 8.0.3 and TrueCrypt.

Note: PGP although excellent to ensure your Email privacy, does
nothing for anonymity. The difference is crucial and hopefully is
expanded on within this FAQ.


3. What is the difference between these encryption Programs?

PGP uses a system of encryption called public key cryptography. Two
different keys are used. One key is secret and the other is made
public.

Anybody sending you mail simply encrypts their message to you with
your public key. They can get this key either directly from you or
from a public key server. It is analogous to someone sending you a
box and a self locking padlock for you to send them secret papers,
when only they have the key to open the box.

The public key is obviously not secret - in fact it should be spread
far and wide so that anybody can find it if they wish to send you
encrypted Email. The easiest way to ensure this is by submitting it
to a public key server.

The only way to decrypt this incoming message is with your secret
key. It is impossible to decrypt using the same key as was used to
encrypt the message, your public key. Thus it is called asymmetrical
encryption. It is a one way system of encryption, requiring the
corresponding secret key to decrypt. PGP is simplicity itself to
install and use. It even offers to send your newly generated public
key to the key server.

For your normal hard drive encryption, you will need a symmetrical
type of encryption program. This means the same key is used for both
encryption and decryption. DCPP and BestCrypt are of this type and
especially good because they are "On-The-Fly" (OTF) programs. This
means that the program will only decrypt on an as needed basis into
RAM memory. More about this later in the FAQ.

One question often asked by newbies is whether the passphrase is
stored somewhere within the encrypted file. No. The passphrase is
passed through a hash, such as MD5. This is a one-way encryption. It
is the hash output that is stored within the encrypted container. The
program will compare this hash with the hash it produces from your
passphrase that you type in to mount (open) the container. If they
are identical, the program will use your passphrase to decrypt the
key that the program generated to encrypt the disk or container.
Only then will the disk or container be decipherable. Hashing is a
one way action only; it is impossible to derive the key from the hash
output. The hashing process is simply a clever way of checking that
the correct passphrase has been input.



4. I have Windows, am I safe?

Definitely NOT.

In previous versions I have suggested work-arounds to help minimize
the inherent security weaknesses within the Windows operating system.

I have now concluded this is a sheer waste of time. If security is
important to you, encrypt your whole drive.

A program I recommend to test this out for yourself is WinHex. It
reads your drive and shows both the hexadecimal and the text
equivalent of each sector. It makes fascinating reading. You will
see snippets of long deleted or the ends of overwritten files,
perhaps from the Windows swapfile. Hints of text that will ensure
any snooper could accurately deduce your computer habits. In fact
the program is so successful at this, it is also sold as a forensic
tool for disk analysis.

WinHex is available here: http://www.winhex.com/winhex/order.html.

If you have Windows Media Player, go to View -> Options -> Player and
uncheck "Allow Internet sites to uniquely identify Your player". It
appears that Microsoft have done it again. The default is for this
box to be checked. Any Web site could theoretically get your id from
within your Windows registry with this checked. MS claim it is to
help identify users when they download copyrighted music. But
anybody could be using this crack for their own purposes, so protect
yourself by unchecking it.



5. Which program do you recommend for this whole drive encryption?

As already mentioned, there is at present no modern whole boot
drive encryption program with open source. Of the many different
boot drive encryption programs, I like DriveCrypt Plus Pack (DCPP).
It is truly simple to install and use apart from its irksome and
involved registration process with its temp key and the 90 day wait
before they send you the permanent key. This is paranoia taken to
extremes! Whatever you do, do not change your Email address during
this 90 day wait or you will not receive the permanent key. I
would not be surprised if they lose more sales because of this than
they gain through ensuring nobody gets a freebie copy. As I have said,
paranoia!

Apart from these niggles it is an excellent program. It encrypts the
whole partition. So if you want to keep part of your drive in
plaintext you will need to divide your hard drive into independent
partitions or have two separate hard drives. Unlike its namesake
DriveCrypt, it does not destroy the data within the partition it
encrypts. This is obviously necessary as its main advantage is to
encrypt your boot drive. Why ever didn't Securstar use a different
name for goodness sake - perhaps Bootcrypt instead of Drivecrypt Plus
pack?

All your computer activities will be totally secure as everything you
do is from within an encrypted drive. On setting up DCPP you need to
create a key which the program will lock into a keyfile. This is
protected by your passphrase. This stage must be done whilst still
in Windows. You can generate any number of keys you wish. You can
then choose which partition you wish to encrypt and which key to use.
It is very flexible. The encrypted drive need not necessarily be your
bootable drive, although this is obviously the main intention of the
program. In fact this is essential if you wish to tame Windows from
shouting to the world your computer habits.

If you live outside the United States and in a country which does not
have the equivalent of the 5th Amendment, you will need to use a
little subtlety to ensure your security.

More on this later in the FAQ.

It is important to remember that DCPP is an on-the-fly (OTF) type of
program. The drive will remain encrypted at all times. Any
necessary decryption is done into RAM memory only. Thus a crash
close will not leave any evidence of your activities. Likewise,
there is now no need to worry about the swap file or all the other
weaknesses of the Windows operating system.

A further major advantage over previously recommended encryption
programs is that the passphrase is input at Bios level, before
Windows is loaded.

The importance of this is difficult to over-emphasize.

This means it is impossible for any software key-logging program
that may be on your computer to detect your passphrase. Such
programs are sometimes picked up on the Net or arrive via Email and
could circumvent all your efforts at security. It is even conceivable
that a snoop or hacker could steal your passphrase as you type it in,
if this is done whilst the operating system is running. I am sure
someone will mention that there are hardware keyboard logging devices
which of course could grab your passphrase when you start up.
However, common sense local site security should minimize this risk.
Despite this slight risk, a Bios level passphrase is just about the
Holy Grail of security - without a hardware keyboard logging device,
very difficult to intercept and snoop.



6. Are there other OTF programs?

Yes, there are several. I recommend DCPP only because I have had
some personal experience with it. Another similar program you may
wish to investigate is SafeBoot Solo. I have had only limited
experience with it. I did not like it. But try it for yourself.
Both allow Bios input of the passphrase with the consequential
advantage of whole drive security. SafeBoot Solo has the significant
advantage of being a whole lot cheaper than DCPP, but DCPP offers
superior plausible deniability. More on this later in the FAQ.

Others, such as TrueCrypt and BestCrypt only encrypt data files, not
the Windows operating system. Truecrypt does have significant
plausible deniability because it does not disclose any inforamtion
whatsoever within the file or partition headers. The installation
text file also suggests a method of taking this even further using
Windows to hide the drive letter of the TrueCrypt partition. This
might suggest that the "lost" part of a drive has not yet been used
or it is the consequence of deleting an older partition. Of course
it will contain random data that you will claim is the result of a
wipe program, such as Eraser, used before the partition was deleted.

Both BestCrypt and the latest version of DriveCrypt (but NOT DCPP),
allow you to create a hidden container within the initially created
encrypted container. This can be a big help in some cases - see
later in FAQ. TrueCrypt does not offer this facility. I prefer
the hidden container idea, it seems more plausible. But the source
has not been disclosed, so can you trust them?

A significant advantage of DCPP is it offers the option of a blank
screen on boot. This might put off a semi-technical snoop, but not
a forensic investigation, but it all helps.

SafeBoot Solo is far less friendly as far as plausible deniability is
concerned. It will announce itself very obviously on startup. Worse
the floppy disk that is recommended as an emergency disk allows a
third party with the cooperation of Safeboot to decrypt your drive.
Another disadvantage to those living outside the United States is the
default keyboard on boot may be different to the one installed under
Windows. This could make the passphrase unreadable and the drive
inaccessible. A potentially serious problem. Not recommended.

Of these programs, however, only TrueCrypt has published the source
code. Regrettably for commercial reasons none of the others are
truly open and transparent. If you insist on sighting the source code
then TrueCrypt is your only modern option. Actually, there is one
other: CrossCrypt. But it is far too buggy and under-developed to
be recommended for the present. It is still in beta mode. But it
is open source.

There is one last hope for those insisting on true open source and
need full boot drive encryption and that is SecureDrive. It will
only work with Win 98 or ME when configured to run in Dos FAT16
compatibility mode, meaning slow and inefficient. Now considered to
be obsolescent.

It is important to note that just simply publishing the source code
does not guarantee safety. It just means the authors are allowing
their program to be subjected to peer review. Most professional
encryption programmers will not reveal the inner workings of their
programs for reasons of commercial secrecy. Fortunately the
encryption algorithms they use are open source, but not the Windows
interface.

Before anybody dismisses these programs because of this disadvantage
it should be remembered that even if (and I emphasize IF) there is a
backdoor, once it is known the program authors reputation is in
tatters and they are out of business. So even if they have succombed
to the temptation (if it exists) to accept sack loads of cash in
return for incorporating a backdoor and giving this to one of the
three letter agencies (TLA's), e.g. NSA, CIA, FBI or even the KGB, do
you honestly believe this agency with such an important tool is going
to blow their cover and use it to get into your drive? Be real, no
such secretive body is going to show its hand unless you have secrets
of such earth shattering importance they threaten national security at
the highest level.

I am always amused at the paranoia displayed by those who refuse to
use closed source programs because of their insistence that backdoors
are a possibility. Well they are, but the alternative is far more
worrying in my humble opinion. Risk assessment suggests that it is
the lesser of the many evils here. Do you risk all for a possible back
door or use a less than optimum choice of encryption program?

Your call.



7. How difficult is it to break one of these programs?

Very difficult, in fact for all practical purposes, it is considered
impossible. In most cases, the weakest link will be your passphrase.

Always make it long. Remember, every extra character you enter makes
a dictionary search for the right phrase twice as long. The present
version of DCPP ultimately limits your key length to 160 bits
(despite the rather silly claims of 1344 bit encryption on the
Securstar Website). Believe me, 160 bits is extremely strong indeed.
The sun will burn out into a white dwarf long before any snooper has
cracked that length of key. Each time a bit is added it doubles the
number crunching time to crack into the program. Do the maths and
it soon becomes very obvious just how absurdly large the number of
tries that exist before the correct key is found.

Each keyboard character roughly equates to 8 bits, and is represented
on the drive as two hexadecimal characters. This suggests a 20
character passphrase is equal strength to the encryption. In
practice, probably not. Remember a keyboard has around 96 different
combinations of key strokes, thus multiplying this number by itself
20 times is a hugely large combination, ensuring a high probability
of defeat at guessing a passphrase. But few people can remember a
truly random 20 character passphrase. So most people use a less than
random one. This means it should be longer to help compensate for
this lack of entropy. If this sounds difficult, please see the links
at the end of the FAQ which can help you compile something that will
be truly strong, yet relatively easy to remember.

You should also use at least part of both lines of the passphrase
input screen with DCPP. If you like, two passphrases.



8. Why?

Because any passphrase cracker cannot find the correct key until it
has exhausted a key search as wide as the last character you enter.
A strong hint that you should make sure the last character of your
passphrase is well along the bottom line! For higher security you
should spread it around on both lines.

This is a distinct security improvement over the usual straight line
entry that is typical of other programs, including BestCrypt.

Be sure that if any serious snooper wants to view your secret data,
they will find a way without wasting their time attempting a brute
force attack upon your DCPP container. In some countries rubber hose
cryptography may be the rule. Anybody living in such a country needs
level 2 security at the very least. In some "civilized" countries
there are more sinister methods, such as tempest or the use of a
trojan which require level 3 security (see later in FAQ).

Fortunately, tempest and trojan attacks are far less likely to
succeed against DCPP than all the other programs. Hence my strong
and enthusiastic support for this type of program.



9. What about simple file by file encryption?

I now recommend PGP Tools which comes free with PGP or Eraser. Of
course this is not necessary for files within your encrypted drive.
But is essential to clear files off your computer that are outside
your encrypted drive.

PGP Tools is available with PGP http://www.pgpi.org/

Eraser is here: http://www.tolvanen.com/eraser/



10. How can I encrypt files on a floppy?

Use either DCPP or PGP Tools or BestCrypt.



11. Does using Encryption slow things up?

Negligibly on any modern computer. However on my system DCPP is
slower than BestCrypt, perhaps because BestCrypt is only affecting
data, whereas DCPP has to deal with both the system and the data.

Note, the length of your passphrase is immaterial to the speed of
decryption.



12. Do I need a PGP passphrase if I store my keyrings within my
encrypted drive?

It is good security practice to use a passphrase, but for level 3
security it is essential because level 3 security is intended to
ensure your secret data are safe if attempts are made to hack into
your computer whilst online. Although DCPP is an OTF program I
am old fashioned as well as paranoid, so I strongly advise using a
passphrase for your PGP keyring.



13. I use Mac, OS2, Linux, (fill in your choice), what about me?

Use either BestCrypt, or PGPDisk.

PGPDisk http://www.nai.com/default_pgp.asp,

There are others, but I know nothing about them.



14. How can I ensure I do not leave traces of unwanted plaintext
files on my system?

If you are using DCPP this should not be a problem. But one thing
that needs addressing is the possibility of Windows dumping your
keyfile data which is held in RAM memory only, onto the encrypted
drive. To avoid this catastrophe you must disable the Windows
hibernation (power saving) feature. When Windows goes into
hibernation it will dump everything that is in RAM memory onto the
boot drive by-passing the DCPP drivers. Because it by-passes these
drivers, it means it writes everything in plaintext, including the
keyfile data, which unlocks your most secret partition! This
will defeat the whole purpose of having encryption.

So whatever else you do, disable the power saving features!

Although your whole drive will be encrypted I would still install a
program to clean out bloat and cookies. My recommendation for this
is Windows Washer.

Windows Washer is here: http://www.webroot.com



15. What programs do I put in my newly Encrypted Drive?

In previous versions of this FAQ I was wary that some programs might
write critical info to your boot drive. However, this is far less
of a security risk with it being encrypted. Because of this it is
far less critical that the programs be security friendly. For what
it is worth, here are some I recommend:

(A) Agent (or FreeAgent) for the newsreader.

Agent is here: http://www.forteinc.com

(B) For your Email I have 3 different recommendations:

i. Agent, as mentioned above

ii. Quicksilver, available here: http://quicksilver.skuz.net/

111. JBN2, here: Http://members.tripod.com/~l4795/jbn/index.html


Agent is simple and very easy to use. It can be used in conjunction
with a remote host server for posting anonymously (see later in FAQ).
The latest version also supports automatic decoding of yEnc coded
files.

Use Quicksilver for both Email and light Usenet posting.

The good news is that the original security bug has now been fixed
and version 1.0.5b1 is the latest release. This is an excellent Email
client. It supports Nym creation and maintenance. It is excellent
for both anonymous Email and posting anonymously to Usenet. Most
importantly, Quicksilver is very easy to learn to use. It uses the far
more secure Cypherpunk Type 11 remailers that use Mixmaster rather than
the earlier Type 1 Cypherpunk remailers. This means much more secure
anonymity for both Email and Usenet postings. QS comes with Mixmaster
and will install Mixmaster on first use. At present it does not use
the remote host and an encrypted tunnel. See later in FAQ about
tunnelling.

When downloading quicksilver, remember to run update immediately after
installation to download and install the Zipped files for News, Nym,
POP and PGP.

Note: There was a security flaw in version 1.0 of Quicksilver. This
only affected those using PGP version 8 and who did not elect to sign
an outgoing message. This bug has now been fixed and I recommend you
check which version you are using and upgrade if necessary.

JBN is very thorough, but much more complicated than Quicksilver.
This might be the choice of the hardened enthusiast. I now use QS
exclusively. JBN has not been upgraded for a considerable time,
whereas Quicksilver is under continuous development and open source.

All three of these programs will also work with PGP. Agent will
require you to copy and paste, but the other two have built-in
support and work seamlessly with PGP. I particularly commend
Quicksilver for its intuitive ease of use. This makes NYM
maintenance much simpler.

For browsing use whatever you choose.

I used to warn against using MS Explorer, but now the beast has been
tamed by encrypting your boot drive, but for extra sefety disable
Active-X.

To do this with MS Internet Explorer go to Tools > Internet Options >
Security > Custom Level. In this dialog box you will find a list of
options. Tick the boxes which disable Active-X, plus any others that
you feel will help your security. Remember the purpose is to ensure
nothing you download can run an Active-X program which might reveal
your identity when Online.

You must also have a virus checker and a firewall. I recommend AVG
as the virus checker.

Get AVG here: www.grisoft.com

For the firewall I recommend Zonealarm.

Get it here: http://www.zonelabs.com/store/content/home.jsp

Note: Just because your drive is encrypted does not relieve you of
the necessity of protecting yourself whilst online. So take care to
cover your tracks.



16. How do I do this?

Never surf naked. Always, always use a proxy. If you are not sure
how to go about this, an easy answer is to use The Anonymizer.

The Anonymizer is here: www.anonymizer.com

This is at best a second (or third) best way of achieving anonymity.
It has as its only merit that it is simple to implement.

I should emphasize at this point, that proxies are almost an art-
form in their own right. Far superior anonymity can be obtained
by the use of various free or shareware programs that will offer
you vastly superior anonymity compared to the Anonymizer. However,
not everybody has either the need or the knowledge to use these
programs. Just to wet your appetite here are a few programs that
will help in this regard:

Proxy.Checker
SamSpade
SocksCap
SuperScan

Do a Google search for yourself and read some background. Although
at first daunting it can lead to seriously good anonymity.

This is beyond the scope of this FAQ.





All of the above is sufficient for a level 1 security.





Level 2. This is for those who not only wish to hide their private
data, but wish to hide the fact that they have such data or can offer
an incontestable reason for their inability to disclose the contents
of such files.





17. What exactly do you mean by level 2 Security?

It means it is essential that you can show plausible deniability for
every single file, container, partition or drive that might contain
encrypted data. The purpose is to be able to justify every drive,
folder and file on your system.



18. How do I achieve this higher level of security?

Let us assume for the sake of argument that you have a partition or
a container of random data on your computer and further, you have
DCPP or DriveCrypt or any other encryption program installed on that
computer. It is very likely that a snoop would conclude this
partition or container is encrypted data on your desktop. Claims
that it is something else may very well not be believed. If you live
in the United States, this may not matter a jot. But if you live
within the United Kingdom this is much more of a problem because of
the Regulation of Investigatory Powers (RIP) Act. In that country a
Judge can instruct you to hand over a verifiable plaintext version of
that file or the key to allow them to decrypt it themselves or you
may face up to 2 years in prison. Claims by you that you have
forgotten the passphrase, or the file is something innocuous or
whatever, may not save you. The onus is on you to prove that it is
not encrypted, or to show strong evidence why you are unable to
decrypt it. In other words you can be forced into incriminating
yourself. A vile and totally undemocratic law that should be put in
the shredder, together with the people who passed it!

This situation requires good plausible deniability.

With DCPP, a key is generated by the program before you can encrypt a
drive. The key ID is displayed in the keyring when the program is
run. More importantly, the container or partition will be displayed
as an encrypted volume by DCPP, suggesting that with the right
passphrase that volume can be decrypted.

But as stated above, claims that you have "forgotten" the passphrase
may not be sufficient to save you. However, if it can be shown that
the key needed to decrypt an encrypted drive is deleted or missing,
then it becomes much more difficult to prove you are not complying
with the law.

This means having two entirely separate operating systems. They need
not be different types. You can choose to use, for example, two
separate Windows XP systems. Each would have to be on different
partitions on your hard drive. Or you could have two separate
hard drives and use the first partition on each. Whichever route you
choose, the operating systems must be set up by Windows to be dual
bootable. I have found that Windows will do this for you if you copy
your whole drive from one partition to a second partition using
Partition Magic. Every sector and byte is copied and when you re-
boot, you will hopefully find you now have a choice of bootable
partitions.



19. OK, I have dual boot, now what?

Install DCPP onto both drives. You should use the first partition
(the default) as your normal plaintext drive. The second drive
(which must also be bootable) is the one you will need to encrypt
with DCPP. However, it is necessary to have previously installed
DCPP onto the plaintext drive as part of the ploy to enable plausible
deniability - see further on.

If you choose to encrypt both drives, it is essential to use
different keys.

Before any encryption can be accomplished, it is mandatory that you
check that DCPP is supported by your operating system. To do this
you must first install Boot Authentication from the relevant screen
in the DCPP window. This is not the same thing as encrypting the
drive. You could choose to use Boot Authentication alone as a very
strong boot sequence protection for your computer. But this would be
using only half of DCPP's capabilities. It would not by itself
protect your data as there would be other means to access the drive
by forensics. You cannot encrypt your boot drive until after Boot
Authentication has been installed.

Immediately after installing Boot Authentication and before you re-
boot you must create an Emergency Repair (ER) disk as recommended by
the program. This is to ensure that if it all turns sour and your
computer cannot boot, you can still gain access to one or both of
your boot drives.

Assuming everything works, you can now encrypt your chosen drive.

It is absolutely essential that the key used to encrypt your drive is
a unique key, not being used by your system for any other drive. I
strongly recommend that you create a unique keyring just for this one
key to ensure it is not misplaced or confused with any other key.
Give this keyring a unique name, e.g Secret or Hidden. Test that
everything works as it should by booting into both drives, also test
that you are able to boot using the ER disk - very important this.

Now comes the tricky bit. Firstly, boot into your encrypted drive
and locate the file named "Backup" that is within your DriveCrypt
folder. This is normally to be found within "Program Files", unless
you chose to install it into a different folder. Copy "Backup" to
the same folder in your plaintext drive. This is a very important
file because it contains the original Master Boot Record (MBR) for
your system. You then re-boot into your normal plaintext drive.
Naturally, you will have had to enter your DCPP passphrase to boot
up. Because this boot drive is not encrypted, DCPP will allow you
to remove Boot Authentication off your computer. DCPP needs the
file "Backup" to do this, thus the reason for copying it across.

Next time you boot, no passphrase will be required and you will be
shown the two drives, but only one will be bootable. If you
perversely attempt to boot into your encrypted drive, Windows will
tell you it cannot load the OS. At first sight this might appear
that you have lost all your data! This is precisely the impression
you wish to give.

To access your encrypted drive, you must use the ER disk. What is
considered by DCPP as a last resort access to your computer, now
becomes your secret key to accessing your encrypted drive.

Hint: Ensure that when you first install DCPP onto your computer
that of the three boot passphrase screen options offered, you choose
the blank screen!

When booting with the ER disk, naturally if the wrong passphrase is
used you cannot boot. With the right passphrase you are offered the
choice of both drives and can boot into either drive. Make certain
you make a backup of this ER disk and store off-site. This way, if
you are unlucky and the boot floppy dies on you, you still have
access.

I have to repeat that it is essential that your keyring, as displayed
from within your plaintext drive and when running DCPP within that
drive, does not display the encrypted drive's key. Keep this key on
your encrypted drive.

This cannot be over-emphasized.



20. Why?

If this key is available DCPP will reveal the key fingerprint of that
drive, proving the presence of the key. DCPP will also then
recognise the encrypted drive. If no key is available then it is
axiomatic that it will be impossible to decrypt that drive. This
is absolutely true. The ER disk only allows OTF decryption for each
session. No information resides on the ER disk to help identify its
purpose. Even WinHex cannot read it. Windows tells you it is
unformatted. This is because the raw data on the disk is not in any
recognized file format, so it could be a damaged disk. DCPP will
not recognize the drive as encrypted. In fact it goes further and
claims it is not encrypted.

Just ensure that you choose the blank screen option when first
installing DCPP. Some people have been confused about this and how
to enter their passphrase. You simply type in the first line of your
passphrase onto the blank screen then momentarily press the "tag" key
and enter the second line of your passphrase. Finally hit "enter" to
see the two (or more) bootable drives on your computer.

If no matching key can be identified on your keyring then they now
have to prove you are lying. With full cooperation from you
regarding the other drive(s), nobody can claim you are being
uncooperative. It might be a good idea to have another partition
that is also encrypted by DCPP filled with innocuous files as a
justification for having DCPP installed.

Your defence is that you encrypted the drive as an experiment and
stupidly did not make a copy of the key. The only copy is within the
encrypted partition! You are still learning how to use the program,
so mistakes will be made. Never mind, you intend re-formatting the
drive when you eventually get around to it. Windows will offer to do
this if you click on it from within the "My Computer" screen.

By using a benign floppy, perhaps one that looks as if it has seen
better days, it will be far less obviously a target. Incidentally, a
DCPP (or BestCrypt) encrypted floppy also appears the same. This
might be advantageous, hint.

With the key destroyed I am sure SecureStar, the owners of DCPP, will
be happy to confirm that it is impossible to decrypt the data.

Note: This is general information only. Some users might prefer to
try other, perhaps even more ingenious ways to get around this
problem. I am deliberately leaving the alternatives unspoken. Each
may choose the system that best suits their security needs.

If you feel this is not sufficent as a form of plausible deniability
for your circumstances, then I can only suggest you use the hidden
container feature of DriveCrypt version 4.1 or BestCrypt version 7
or TrueCrypt (but carefully read the accompanying documentation
first). Whereas these offer good to excellent forms of plausible
deniability, without full hard drive encryption (meaning DCPP) it
does mean you are at the mercy of the Windows operating system.
Perhaps if you used Linux and BestCrypt you may be safer.

One important point to note for United Kingdom subjects: A conviction
cannot be upheld without evidence. Evidence that you and you alone
committed an internet "crime" must be substantiated by evidence on
your computer. No amount of circumstantial evidence gathered from
Web based intercepts is sufficient - or so I am informed by a legal
expert. So provided you can pass the plausible deniability part and
your passphrases are sufficiently strong, you should be home and dry.

Lucky indeed are those who live in countries that have a Constitution
allowing the suspect the right to silence and not forced into self-
incriminating himself.



21. What if encryption is illegal in my country?

In that case, I suggest using the stego feature of DriveCrypt. But
ensure you create your own WAV file, by making your own recording.
Once the stego encrypted file is created within the WAV file, make
sure to wipe the original recording to prevent forensic analysis
showing their low level data are not identical.

Of course, you will need to install DriveCrypt in traveller mode.
This means running it off a floppy. But you will still need to hide
the floppy effectively in the case of a search. I am sorry I cannot
help you here. It must be down to your own initiative.

Note the difference between this scenario and the previous one using
a boot floppy. The DriveCrypt floppy will plainly display the
program, thus incriminating you. Where encryption is legal, an ER
disk does not necessarily incriminate you thus less of a need to try
and hide it away.



22. Are there any other precautions I should take?

Make copies of all your PGP keys, a text file of all your passwords
and program registration codes, copies of INI files for critical
programs, secret Bank Account numbers and most importantly the key
for your secret encrypted drive plus anything else that is so
critical your life would be inconvenienced if it were lost. These
individual files should all be stored in a folder called "Safe" on
your encrypted drive. A copy of this folder should be stored on an
encrypted CD, preferably within the hidden part if using DriveCrypt
4.1 or Bestcrypt 7 and stored off-site.

If you are going to rely on any variation of the ploys suggested
within this FAQ, you should keep it within your secret drive.





The above is sufficient for Level 2 security.





23. I need Level 3 Security, how do I achieve this?

This is for those who wish to protect themselves from hackers whilst
online and snoopers who may try and compromize either their software
or add substitute software that could reveal their secret
passphrases.



24. What are these threats?

They are known as Tempest and Trojan attacks.



25. What is a Tempest attack?

Tempest is an acronym for Transient ElectroMagnetic Pulse Emanation
Surveillance. This is the science of monitoring at a distance
electronic signals carried on wires or displayed on a monitor.
Although of only slight significance to the average user, it is
of enormous importance to serious cryptography snoopers. To minimize
a tempest attack you should screen all the cables between your
computer and your accessories, particularly your monitor. A flat
screen (non CRT) monitor offers a considerable reduction in radiated
emissions and is recommended.



26. I have decided to use DCPP, am I at risk?

Far less than if you were using any other program. But do not use
the same passphrase to open any other encrypted partitions after you
have loaded Windows. Keep your boot passphrase totally unique and
you will be far safer than if using any other program.



27. What about DriveCrypt 4.1 and BestCrypt?

Neither offer the same facility of full boot drive encryption. But
both do offer some protection. DriveCrypt has its RED Screen mode
and BestCrypt offers some unspecified form of keyboard filtering.

The single likely biggest advantage of both programs is their ability
to create hidden containers within an existing encrypted container
(and/or a partition in DriveCrypt's case). This has enormous
plausible deniability advantages. The one and only disadvantage is
that the passphrase has to be entered from within Windows. Not a
real problem if run from within your DCPP encrypted drive.

One additional unique advantage of BestCrypt is it can optionally
encrypt the Windows swapfile suggesting it need not be run from
within the DCPP drive.



28. What is a Trojan?

A trojan (from the Greek Trojan Horse), is a hidden program that
monitors your key-strokes and then either copies them to a secret
folder for later recovery or ftp's them to a server when you next go
online. This may be done without your knowledge. Such a trojan may
be secretly placed on your computer or picked up on your travels on
the Net. It might be sent by someone hacking into your computer
whilst you are online.

The United States Government has openly admitted it will be employing
such techniques. They call it Magic Lantern. It was originally
promulgated as a counter-terrorism weapon. But who knows how it will
be used in practice.

In view of these changed tactics, it is mandatory that these possible
attacks be countered. Thus my insistence that only DCPP can give the
level of security to ensure you enjoy some peace of mind.

Nevertheless, whilst your encrypted drive is mounted you should take
precautions against a trojan copying any data and sending it out to
some unknown site.



29. How do I do this?

First of all you must have a truly effective firewall. It is not
sufficient for a firewall to simply monitor downloaded data, but to
also monitor all attempts by programs within your computer that may
try and send data out. The only firewall that I know of that ensures
total protection against such attacks is Zonealarm. This firewall
very cleverly makes an encrypted hash of each program to ensure that
a re-named or modified version of a previously acceptable program
cannot squeeze through and "phone home".

ZoneAlarm is here: www.zonelabs.com/zonealarmnews.htm

To understand how important this is, visit Steve Gibson's site.

Steve's site: http://grc.com/

Go to the "Test my Shields" and "Probe my Ports" pages.

You can test ZoneAlarm for yourself. I strongly urge all users
concerned with their privacy to run this test.

Steve's site is also a mine of other useful information and well
worth a visit.



30. How will I know when a trojan has modified an acceptable
program?

Zonealarm will pop up a screen asking if this program is allowed to
access the Net. If it is one of your regular programs, be very wary
and always initially say NO until you can check why this program is
not now acceptable to Zonealarm. If it is a strange program, then
obviously say, NO and investigate.



31. How important is the passphrase?

Critically important. It is almost certainly the weakest link in the
encryption chain with most home/amateur users. I provide links at
the end of the FAQ, some of these should either help directly or give
further links about how to create an effective passphrase.

For the newbies: never choose a single word, no matter how unusual
you think it is. A passphrase must be that, a phrase, a series of
words, characters and punctuation intermixed. One method that I
believe would help is to deliberately mis-spell common words in a
phrase. Scruggle in place of struggle, matrificent in place of
magnificent. These could be the start of a longer phrase. Taking
this a step further, invent words that are pronounceable but totally
meaningless for example, alamissis or grafexion. I recommend a
minimum of eight words, but obviously do not use either of those two.



32. How can I prevent someone using my computer when I am away?

In the past I had no truly effective answer, but if you are using
DCPP, you have nothing to fear. Nobody accessing you computer will
have any access to your encrypted drive in your absence. Even the
presence of an ER disk is no help to them without the passphrase.

However, if you are truly paranoid (and who isn't?) I would guard
against someone adding a hardware keyboard logger. These can be very
small and easily disguised as an RF trap on the keyboard lead.
Obviously, this is far more likely if your computer is also used
by others or can be accessed by others in your absence.

The most likely scenario for this to happen would be if your computer
was impounded for forensic examination and later returned to you
apparently intact. In such circumstances I would definitely not
input any passphrase at all until a very thorough check has been
undertaken. In fact I would never use it again! I advise buying a
new machine and transfer the drive across. Of course to access this
drive you will need the appropriate boot disk. This suggests it
would be wise to keep one copy off site.



33. Anything else?

Use a Bios password. Although it can be bypassed by resetting the
Bios, the fact it has been reset should be obvious by either there
not being a call for the Bios password on boot or it is different and
you cannot then startup. Also, ensure you have set a Windows screen-
saver password. Make a short cut on your desk top to the screen
saver, then open its properties box and put in a single key shortcut,
for example F10.

This ensures you have the option of a single keystroke blanking of
your screen in an emergency.





Part 2 of 2.

This second part concentrates on security whilst online.





There are countless reasons why someone may need the reassurance of
anonymity. The most obvious is as a protection against an over-
bearing Government. Many people reside in countries where human
rights are dubious and they need anonymity to raise public
awareness and publish these abuses to the world at large. This
second part is for those people and for the many others who can help
by creating smoke.



34. I subscribe to various news groups and receive Email that I want
to keep private, am I safe?

Whilst you are online anyone could be monitoring your account. If
you live in the British Isles be aware that all ISP's are required to
keep logs of your online activities, including which Web sites you
visit.

Shortly this will be reinforced by MI5 who will be monitoring all Net
activity 24 hours a day! The information will be archived eventually
for up to seven years. All Email headers will likewise be stored
for the same length of time.



35. Can anything be done to prevent my ISP (or the authorities)
doing this?

There are several things you can do. First of all subscribe
anonymously to an independent News Provider - more about how to
achieve this later in the FAQ. Avoid using the default news provided
by your ISP. Apart from usually only containing a small fraction of
all the newsgroups and articles that are posted daily, your ISP is
probably logging all the groups you subscribe to. You also need to
protect yourself from snoopers whilst online. Both of these aims can
be realized by encrypting the data-stream between your desktop and a
remote host server.

There are several methods of doing this. One is to use SSL proxies.
This can be very complicated and relies on expert knowledge for the
best results. Also, speed can vary dramatically depending on which
proxies are available. But when set up properly it is extremely
good at hiding your online activities.

If this is your choice, take a look here:

http://www.jestrix.net/tuts/sslsocks.html#intro

If simplicity is your goal, I suggest SSH and port forwarding. This
is easier to implement if you are new to privacy issues. Of course
with experience you can combine both, but that is beyond this FAQ.



36. I live in the United States why do I need to bother?

You don't need to. But your privacy and security are enhanced if
you do, particularly if you wish to ensure best possible privacy of
posting to Usenet. An additional concern must be the United States'
stated intention to snoop using whatever means they can. TIA aka
Total (now changed to Terrorist) Information Awareness is one project
that is having money poured into its research. This involves
combining many supposedly independent stores of private information
to track and define a citizens intentions. Naturally, this must
involve their computer habits.

If this makes you feel slightly uneasy, as well it should, then I
recommend implementing some or all of the suggestions within this
FAQ.



37. Ok, you've convinced me, how do I go about this?

The seriously sophisticated way is by chaining proxies using SSL
which can offer hard anonymity. It involves more bother and a
standard of ability and knowledge only gained by hours of practice
and is not everybodies choice. The pleasure gained is of course,
disproportionate to this bother and well worth the effort. This
level of sophistication is beyond this FAQ. If this sounds like a
lot of hard work and too much bother then the following is my best
suggestion.

Assuming you want simplicity, then I recommend you use the SSH
encryption protocol. SSH is a form of encryption that ensures that
everything that leaves your desktop is encrypted. To do this you
will need to subscribe to at least one, but preferably two
remote servers. To be truly effective the administrators of these
servers must be prepared to periodically review their security
policies and specifically to replace their RSA/DSA keys. Sadly, this
has not been done in the past with those that I have mentioned in
previous versions of this FAQ.

After searching, I have found what may be the answer, Privacy.Li, who
are registered in the Principality of Liechtenstein. Liechtenstein
is a European country best known for its secrecy surrounding its
banking facilities. This suggests it might be very useful for
routing anonymous connections to the Internet. Better yet,
Privacy.Li accept anonymous payments in either E-Gold or DMT/ALTA,
pecunix, e-bullion and of course cash/traveller cheques mailed in
through anonymous maildrops. A very wide choice, so take your pick.

All of these are truly anonymous methods of payment. I personally
like E-Gold, which does have the advantage of simplicity to setup and
use.

Privacy is here: http://privacy.li/

E-Gold is here: http://www.e-gold.com/

pecunix is here: www.pecunix.com

e-bullion is here: www.e-bullion.com

DMT/ALTA is here: https://213.132.35.90/


Privacy.Li offer an SSH encrypted connection with port forwarding
through either of their own servers. One server is in The
Netherlands and the other is in Hong Kong. Both well outside the
control of either the American or British snoops. The cost of
connection is around 100 Euros per year per server. By paying in E-
Gold or via DMT/ALTA it is a truly anonymous sign-up. I strongly
recommend them if your needs are for simplicity and total privacy.

A new service they have just introduced is an anonymous sign-up to
an independent news provider. The chosen one is Newshosting. This
seems an excellent news provider with most all of the news groups
most people want, even the contentious ones! Their retention,
completion and speed seems very good to excellent. The charge for
signing you up anonymously is 95 Euros per year with 120 Gigabytes
maximum download in that time. Exactly the same as signing up with
Newshosting directly yourself. Obviously Privacy.Li is benefiting
from a discount because of the bulk booking on behalf of the many
subscribers. Many subscribers means more smoke - a good thing.

But remember this is in addition to the cost of signing up for the
SSH connection, which is 100 Euros per year.

You can pay by E-Gold or DMT/ALTA. If you wish this service
(strongly recommended), you must sign up to the Hong Kong server
(known as Bear). You will then be able to connect directly into the
Newshosting server via Bear using SSH. I understand that they
also offer a proxy signup to any web service you choose on request,
again you can pay anonymously.

Not only will you be totally anonymous to Privacy.Li, but much more
importantly, doubly anonymous to Newshosting or the web service,
plus the connection will be fully hard encrypted from your desktop.

Additionally, you will get one anonymous Email address in the form
of userid@server.net (the server will depend on which one you
sign up to). You can also use this service to surf the Net totally
privately and anonymously.

Privacy.Li will send you all necessary info in the form of a FAQ to
help you configure your Email client and your newsreader. It really
is easy.

Contact via Email: webmaster@privacy.li



38. Does Privacy.Li monitor the downloads or keep logs?

First off, all SSH connections will always log the last connection.
This is actually a security assurance since you know the last time
you made a connection. If there is a connection after that time,
someone is hacking your account. So this is necessary. But I have
been assured that Privacy.Li do not and cannot (because it is very
difficult to log connections with SSH because all connections will
appear to be local to the server (localhost - 127.0.0.1).

Here is a quote from an Email reply that the admin at
Privacy.Li sent to an inquirer:


<Quote>

We do not log anyhting, with one exception: when you log in! and this
is kept revolvingly, only the last login is on file and will be
overwritten with the newest login. This also serves for your
security, because you always see, who logged in the last time into
your account. If it happens and you would see another login than
yours, it would mean your account has been hacked!

We never do any activity logs!

2. What legal authority, if any, is news.privacy.li subject to?

that's a good question :-) , well the domain is registered in
Liechtenstein, that's the only clue there is... Until today we have
not been served any subpoena nor court order, so it's tough to say
who could be in charge of us :-)

3. When posting to News Groups with news.privacy.li, why do your
headers show these Identifiers:

Message-ID: <xXXXXXXXXXXXXXX@news.privacy.li
X-Complaints-To: admin01@privacy.li
Xref: news.privacy.li newsgroup.name?

Because this is international protocol, I would not get the
newsfeed without giving those details.

>Our statement of promise to you;
>We are not wanting to spam or abuse your service in any way.

Good! But why are you so concerned? I really don't care what you
do, as long as it is not spamming or hacking/phreaking/phishing.

> 4. So besides abuse or spam, does news.privacy.li impose any
>posting limits?

No posting limits, well, you have the GB-posting limit according
to the package you buy


> 5. And finally, does news.privacy.li impose any download limits?

No, neither, as long as it is within your GB-allocation

<Unquote>



39. OK, this sounds interesting, how does SSH work?

SSH uses a protocol called port forwarding. This means that it
tunnels the necessary ports for Web browsing (port 80), Email send
and receive (ports 25 and 110), Usenet (port 119) through an
encrypted tunnel (port 22). Any adversary attempting to read your
data passing in either direction can only know that a/ it is
encrypted and b/ it is passing through port 22 on your computer.

Traffic analysis of the connection may give some hints whether you
are dealing with Email or Web browsing, but the big idea is that they
cannot read that traffic!

The method is simple but very secure. Your desktop SSH program
(called the client) asks for a connection to the remote host server.
The host replies with its DSA public key. This traffic is in the
clear, but now your desktop checks this key against previous
connections and alerts you if it is different, which might suggest
someone was intercepting your traffic. Your desktop has meanwhile
generated a random session key which is never shown to you. The
host's public key is used to encrypt this key. The host is able to
decrypt this session key using its secret key. Now using the
session key to encrypt everything that passes between you and the
host, it will ask you for your user id and password.

Henceforth all further data are exchanged encrypted with the session
key.

Each time you start the program prior to logging on, a new session
key will be generated. I am reasonably certain that this session key
is not saved by the host server. I have been told that the SSH
protocol calls for the session key to be held in RAM memory only and
to be irretrivably lost after the connection is closed.

SSH is available in various implementations and commercial programs.
The one I recommend now is Putty. Putty has the big advantage of
being free, plus the source code is available - very important this.

Putty is here: http://www.tucows.com/preview/195286.html

or here:

http://www.chiark.greenend.org.uk/~s.../download.html



40. Where does the data go after passing through the remote host?

It then goes out onto the Web or to the News Provider or wherever
totally anonymously. All your Web browsing and postings and
downloads will always be totally private.



41. Is the data encrypted after it leaves the remote server?

Not unless you are using an additional remote host. If you are
careful and limit your time online to say a 1 hour limit, breaking
off and re-connecting you will always generate a new session key.
This will make hacking attempts far more difficult. A further
refinement may be to use another, different remote host for the next
connection.



42. OK, I've signed up, how do I configure Agent and Putty to access
Usenet?

When you sign up with Privacy.Li they will send you a detailed FAQ on
how to set up Putty and Agent ver 2.0.

You are now ready to tunnel through to whichever News Provider you
signed with. Likewise, you can browse the Net, visiting sites with
complete anonymity.



43. How strong (safe) is this SSH encryption?

Very strong and safe. You may have a choice of algorithms, or you
will have to use whatever algorithms are supported by the host
server. 3DES is a popular choice. Do not allow DES as it is now
considered a poor choice. One more thing, SSH has largely been
replaced by the more secure SSH2. Fortunately Privacy.Li uses SSH2.

To re-emphasise, both of Privacy.Li's servers are off shore. One is
in The Netherlands and the other is in Hong Kong. You can choose to
sign up to either or both, but only the Hong Kong server will support
direct access via Privacy.Li to the Newshosting server.



44. Should I run these encrypted programs from within my encrypted
drive?

Yes, provided you are using dual boot with DCPP.



45. Can I post graphics anonymously to Usenet with this system?

Absolutely. If you choose to use Agent, it will always use your News
Provider as the posting host. This is why I recommended you
subscribe anonymously to this news provider. Nothing can then be
traced back. If you are into heavy posting then you should use Power
Post or something similar that allows you to choose whole folders of
files for posting.

If you use Quicksilver it will always use one of the mail2news
gateways. These are intended to be hard anonymous, but it does not
yet support the SSH option. The anonymous remailer network does not
readily accept large files, such as graphics. Worse, it is my
experience that reliability is not good.



46. Why Quicksilver, what about Private Idaho or Jack B. Nymble?

I found Private Idaho far too buggy and not as intuitive as
Quicksilver. I have also used Jack B. Nymble. It is very
sophisticated, but I now prefer the elegant simplicity of
Quicksilver. This is my choice, others are free to assess the
alternatives and choose accordingly.



47. Is there another, simpler way?

Email can also be sent (and received) by Yahoo or Hotmail. But I
treat these as soft anonymous. Don't use them for anything critical
unless you can access them via SSH and your anonymously signed for
remote host.

There are also several freebie remote hosts. My experiences suggest
they are less reliable and frequently down. By all means experiment
and use whatever suits you best. To access Usenet you will need to
find an NNTP host proxy, which are far less common.

Warning: Using a freebie remote host may mask your true IP address,
but that only helps to prevent a back-trace. If you live in a country
which monitors your Net activities, (e.g. the United Kingdom), any
snoop will know which site you are accessing and if so minded, could
monitor the datastream. An SSH connection however encrypts this
datastream and most importantly, thus hides both the datastream and
your destination host server IP from these prying eyes.

Unless you are prepared to use chained proxies and SSL encryption a
single proxy is little use on its own.

In simple terms, you need SSH and a truly anonymously signed up
remote host server if you want true Net privacy. Of course if you
also use a proxy to log into Privacy.Li, then this improves things
even further. But if you are clever enough to learn to use one
proxy, you can then easily progress to learning to chain several
together to achieve an even higher level of privacy. The other
obvious advantage is they are free!



48. Are there any other suggestions?

Immediately you finish a posting session, close Putty and break the
connection. This ensures new session keys are generated when you log
in again over the new link. Never stay online whilst posting for
longer than 1 hour maximum. There is nothing to stop you re-
connecting as soon as you have dropped the connection, just do not
stay online continuously.

Always post at different times, do not create a regular pattern of
postings at specific times and days of the week. If possible, use
different ISP's to log onto the Net. By all means use a freebie ISP
if available in your area. Be aware that these freebies invariably
log your telephone number and connection times. But then so do the
others to a varying extent.

It is vital and axiomatic that all your secret data must always and
at all times remain within your encrypted drive. There is very
little point at all in going to all this bother and then printing out
the data or saving it onto a plaintext drive.

Always assume you are about to be raided!



49. Surely all this is totally over the top for the majority of users?

It is certainly over the top for 99 per cent of users for 99 per cent
of the time. If, however, you are the one in a hundredth and you do
not much like the idea of being at risk for 1 per cent of the time,
then no, it is not over the top at all.

In any case, using these tactics helps create smoke which in turn
helps protect those who really do need all the protection and
security they can get.

Remember this FAQ is intended to help many different people. Some
may be living in deprived conditions, in countries where human rights
abuses are a daily fact of life.

Privacy and anonymity are very important principles associated with
both freedom of speech and democracy.


"Anonymity is a shield from the tyranny of the majority... It thus
exemplifies the purpose behind the Bill of Rights, and of the First
Amendment in particular: to protect unpopular individuals from
retaliation - and their ideas from suppression - at the hand
of an intolerant society."

Justice Stevens, McIntyre v. Ohio Elections Commission, 1996

If a Supreme Court Judge deems it a person's right, who would argue?

Well many Governments do, judging by their actions.



50. Can I use IRC/ICQ/Yahoo/MSM in this way?

No. But you can use a program called Trillian. There is now a Pro
version which will allow an encrypted conversation between a group
and even allows file exchange (I believe). I have only used the
beta version, text only. It appears to do all they claim for it.
Both parties need to be using Trillian for the encryption to be
effective. You can use it as a stand alone, but it will not then
support encryption.

Trillian is here: http://www.trillian.cc

If your intention is to seek to correspond with others to exchange
contentious or illegal material, be aware that encryption alone may
not be sufficient. In those circumstance it might be a very good
idea to ensure you understand how to use a proxy before connecting.



51. Can I be anonymous as far as other Web sites are concerned?

Yes, by either using the Anonymizer browser plug-in or by setting up
MSIE or Netscape to use your encrypted connection to your remote host
server. Using MSIE go to Tools -> Internet Options -> Connections
- - -> Settings. Under "Proxy Server" tick the box marked "use a Proxy
server for this connection" Put "localhost" in the address box and
the port number in the box marked "Port". The port number is decided
by the Webmaster of the server you use. You will be told this in the
FAQ that comes after you have signed up.

There is also a new system that is becoming available called Freenet.
Read all about Freenet here: http://freenet.sourceforge.net/

If you do choose to use it, be aware it is still in its infancy and
some care needs to be taken, particularly with regard to the choice
of Browser. Under no circumstances use MS Internet Explorer! The
site gives more information regarding browsers, read it carefully.
I am not yet convinced. But by all means experiment. Also be aware
that you are then part of a network and your computer becomes one of
the nodes. A lot of data will be exchanged through your system
whenever you are online, irrespective of whether or not you are using
Freenet yourself. It can even slow down other services you may be
using.



52. What about backing up my Data?

Although not strictly relevant to a FAQ mainly concerned with
privacy, nevertheless, this is so important a few words are needed.
I have neglected this in past revisions, but it is so essential that
here is how I manage it.

It is not possible to use Norton's Ghost, nor Partition Magic.
Ghost wil actually appear to back up the data, but will not restore
it correctly. There are rather involved work arounds, but for
simplicity here is my suggestion:

Create another encrypted container using DriveCrypt or BestCrypt on
an external hard drive. Open this partition and copy some innocuous
data from your normal plaintext drive. Now close this container and
create a hidden container, following the instructions in the
documentation that comes with DriveCrypt (or BestCrypt). Now copy
all your secret data across into this secret container.

Restoring is not quite as simple. If it is just a matter of
restoring some lost data files, this is perfectly straight forward.
Just open the secret container and copy them into your DCPP partition
to replace the lost files. If however, you need to restore
everything because you cannot boot into the DCPP partition then I
recommend using Partition Magic (I have never used Ghost) to delete
the DCPP partition and then copy across the whole of your plaintext
drive using the same program.

You must now re-encrypt that drive using DCPP. You should do this
before you restore the data within your secret container. When DCPP
has finished its job, simply re-boot into the DCPP partition and copy
all your data back. Create a new ER disk before closing. Your old
disk may very well not function, even with the same passphrases.

Remember to re-boot into you plaintext drive and to remove Boot
Authentication. You are hopefully now back where you started.



53. Lastly, what do you say to the charge that this FAQ may be
useful to criminals?

I did take time to have a re-think after the events of 9/11.
However, on balance I believe it is still the right thing to do.
Like gun control, if we ban weapons only the police and criminals
will have them. Banning encryption or anonymity is not going to
make criminals stop using encryption or attempting to be anonymous.

It is almost laughable for anyone to be so naive as to believe that
passing any law would make the least difference to a criminal.

I believe that the individual should be allowed to choose, not the
Government on his behalf.

Who benefits the most if Governments are allowed to reduce our
freedom of choice? The Government or us?

Those that give up a little freedom to gain a little security will
lose both.




Therefore:

a. always use encryption, whatever else you do.


b. always post via your encrypted and anonymous remote host to your
anonymouly subscribed News Provider.


c. never ask of anyone nor give anyone online, your true Email
address.


d. never DL any file with .exe, .com, .bat or .scr extension from a
dubious source. If you do, carefully delete without running it.


e. for your own protection, never offer to trade any illegal
material, nor ever respond to those seeking it, even anonymously.


f. never use your Credit/Debit Card to sign up to any contentious
Web site.



My key fingerprint: F463 7DCB C8BD 1924 F34B 8171 C958 C5BB


- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 6.5.8ckt

mQENAza3VwsAAAEIAJoghtgM5IW0CmQOocBDJPUSDAlkaPkP4L VN/6I6U1qYXYSX
slRiXL6R8/L5LiYGjc8+jkK0MbpTh7W4WiT35L31kX2EU/MSNlpawvpwTvaye8cz
Kbwupsi7qtxVEETM11ucSuxtG8ShOwiYrMUqOmP93hf9h78gNz D/qGOYGV994Adt
MHRZ4lPlQnknxoDszHxCDcS83jlo4mD1xhuvLQ1thXFkGBl9Bw/lSWDxcu0gssZB
necFTSkFtJbnu3gHp6DVE9CO/ZxhXDGHAmC/jLfB5QH59Zbbw4fFgQ7tw2gUAgiS
kvv0RS55TB9n7JiDwc+Mk0OlYavdZOh5cRSmBqcABRG0JURvY3 RvciBXaG8gPGRv
Y3Rvcl93aG9AbnltLmFsaWFzLm5ldD6JARUDBRA2t1cLZOh5cR SmBqcBAb87B/46
wEezqswaPz8NIA0/XYULXPKse11aCgRL7MIQPO1CRdqjbFnWi1wU2AnAkCtCLia+
lhulNrLJxMUvHgOQc4oC+nlUntBE9f8hHg0VwvQJ/4kO29UeVf0iwr+drZjRJooR
oR1C1UDDr199eeKJ3+m2pO7j1DBxv4tWQAYsJmZQQqlNRLzsmH JyTI/ZN03UREAZ
Qr4k6EjD1lScWg9MfueITgiMdbeV3MmCpf7mnlahvlN/S31CeEfoY2OpcRYVXNQb
it9N8cPM+2KZEdl/FW7yVPgd6BCGFFgPcRiqLC7c1F6qBPUpbdYf/pvd3/lhRJR9
IY35xfmdHWM8Rk+ivIPD
=0l2S
- -----END PGP PUBLIC KEY BLOCK-----


To contact me, please use my public key to encrypt your message to
news:alt.anonymous using the subject line:

"Gosh, I've got mail" - without the quotes. Please ensure you
include your key if you want a reply. Your message will not be read
let alone answered if it is sent in plaintext.




This ends the FAQ.




Items specifically mentioned or recommended in the FAQ:


PGP: http://www.pgpi.org/

DCPP: http://www.drivecrypt.com

TrueCrypt: http://www.truecrypt.tk/

BestCrypt: http://www.jetico.com/

Eraser: http://www.tolvanen.com/eraser/

WinHex: http://www.winhex.com/winhex/order.html.

Windows Washer: http://www.webroot.com

Agent: http://www.forteinc.com

ACDSee: http://www.acdsystems.com/english/products/acdsee/index

Thumbs Plus: http://www.cerious.com

VuePro: http://www.hamrick.com

AVG here: www.grisoft.com

Zonealarm: www.zonelabs.com/zonealarmnews.htm

Steve's site: http://grc.com/

SSL Proxy info: http://www.jestrix.net/tuts/sslsocks.html#intro

Privacy is here: http://privacy.li/

E-Gold is here: http://www.e-gold.com/

DMT/ALTA is here: https://196.40.46.24/ or https://213.132.35.90/
(they change ip's frequently)

Quicksilver: http://quicksilver.skuz.net/

Jack B. Nymble: http://www.skuz.net/potatoware/jbn/index.html

The Anonymizer: http://www.anonymizer.com

Privacy.Li: http://www.privacy.li/index.htm

A Proxy site listing: http://www.samair.ru/proxy/

Putty.exe: http://www.tucows.com/preview/195286.html

or here:

http://www.chiark.greenend.org.uk/~s.../download.html

F-Secure: http://www.f-secure.com/

News Providers: http://www.exit109.com/~jeremy/news/providers/

Freenet: http://freenet.sourceforge.net/

Trillian: www.trillian.cc

Mixmaster (required by Quicksilver and Jack B. Nymble):

Download site: http://www.thur.de/ulf/mix/ (comes ready to install
with Quicksilver - just run Quicksilver for the first time)



Nym remailers:

nym.alias.net, home page: Http://www.lcs.mit.edu/research/anonymous.html

Anon.efga.org, home page: http://anon.efga.org/



In case you need convincing:

http://www.gn.apc.org/duncan/stoa_cover.htm



Useful programs:

Partition Magic: http://www.powerquest.com/

FSRaid: http://www.fluidstudios.com/fsraid.html

HJSplit: http://www.freebyte.com/hjsplit/

Mastersplitter: http://www.tomasoft.com/mswin95.htm

PowerPost: http://www.cosmicwolf.com/

Quickpar: http://www.pbclements.co.uk/QuickPar/

SmartPar: http://www.smr-usenet.com/tutor/smartpar.shtml

WinAce: http://www.winace.com/

WinRAR is here: http://www.rararchiver.com/

YProxy is here: http://www.brawnylads.com/yproxy/



Some anonymity sites:

http://www.worldnet-news.com/software.htm

http://www.skuz.net/potatoware/index.html

http://www.skuz.net/potatoware/jbn/index.html

http://packetderm.cotse.com/

http://www.cotse.com/refs.htm

http://freeyellow.com/members3/fantan/pgp.html

http://www.all-nettools.com/privacy/

http://Privacy.net/

http://www.geocities.com/CapeCanaveral/3969/gotcha.html

http://www.junkbusters.com/ht/en/links.html

http://www.skuz.net/potatoware/privacy.txt



Other additional useful sites:

Beginner's Guide to PGP:

http://www.stack.nl/~galactus/remailers/bg2pgp.txt

PGP for beginners:

http://axion.physics.ubc.ca/pgp-begin.html#index

FAQ for PGP Dummies: http://www.skuz.net/pgp4dummies/

The PGP FAQ: http://www.cryptography.org/getpgp.txt

The SSH home page: http://www.ssh.com/products/ssh/

Anonymous Posting:

http://www.skuz.net/Thanatop/contents.htm

Anonymity Info: http://www.dnai.com/~wussery/pgp.html

Nym Creation:

http://www.stack.nl/~galactus/remailers/nym.html

General info:

http://www.stack.nl/~galactus/remailers/index-pgp.html


Revision 18.2

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt

iQEVAwUBQG9ommToeXEUpganAQE8uAgAlt2jYIhPn29Ejno2FN hS/AmtPz1cnwuv
4DZ9JQdFidVK++Vxmjbp/HR/yubwev8opS9ilnf3zJqMms4IKUzsODpSSdnHXRXC
cl9Y1exDg+e/QQNVLR3VQ9t833//rJXr5hQW0fODkrH+GjR0x1BCkPpXM9FrM4ju
t4QRy6ImUDylb0bKAwBPQ9ITuNPQrW0vi8GrItFKg9+/wKPNA0FoZKddKK5ol/Yu
8r3o/v9lG6pHoM8TNvNyKlRLQtz7Mq6M92v65tJ2VKSTI87lZuaGHuC kU5uDWVzR
SC5Wis6opHkt2G2BcjvksnMRCBFYpngpwET/uk5MgiQC+NSz93Ln/Q==
=fkp2
-----END PGP SIGNATURE-----


All times are GMT. The time now is 11:42 PM.

Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57