Security and Encryption FAQ - Revision 18.2

Discussion in 'Computer Security' started by Doctor Who, Jul 5, 2004.

  1. Doctor Who

    Doctor Who Guest

    -----BEGIN PGP SIGNED MESSAGE-----

    Security and Encryption FAQ - Revision 18.2

    by Doctor Who



    "No one shall be subjected to arbitrary interference with his
    privacy, family, home or correspondence, nor to attacks upon his
    honour and reputation. Everyone has the right to the protection of
    the law against such interference or attacks."

    Article 12 Universal Declaration of Human Rights




    Disclaimer and justification for this FAQ.

    Many countries operate a legal system designed to suppress individual
    freedom. Such countries often do not obey basic human rights. The
    law in these countries may be based on guilty until proven innocent.
    My intention in offering this FAQ, is to legally challenge these
    threats to your freedom. It is not my intention to promote any
    illegal act, but to offer you the option of freedom of choice. How
    you use that freedom is entirely down to you.


    This revision contains more major changes. Apart from DriveCrypt
    ver. 2.7 with its whole hard drive encryption, additionally I now
    recommend TrueCrypt because it is open source and free. It seems to
    be an excellent encryption program. I can also recommend a truly
    anonymous and easy way to subscribe to Usenet and to surf the Net.
    See part 2 of the FAQ.

    The Quicksilver security bug has now been fixed - see later in FAQ.
    This is the only change in this revision compared to revision 18.1



    The FAQ has 2 main Sections.

    Part 1 concentrates on passive security. It is intended to be useful
    to both posters and lurkers. Part 2 is to maximize your privacy
    whilst online, particularly for Email and Usenet posting.




    As in previous versions, I have assumed three security levels:

    Level 1. For those who wish to protect their files from
    unauthorized access. These users are not too concerned at being
    found with encrypted data on their computer.

    Level 2. For those who not only wish to hide their private data,
    but to hide the fact that they have such data. This might be an
    essential requirement for anyone who lives in an inquisitorial police
    state where human rights are dubious, or where the individual does
    not enjoy the right to silence to avoid incriminating himself.

    Level 3. For those who not only need all that is offered by level
    2, but additionally wish to protect themselves from snoops whilst
    online who may try and hack either their software or add substitute
    software that could compromise their privacy.




    Part 1 explains the 3 security levels and offers help in achieving
    them.




    1. How does encryption work?

    Essentially the plaintext is combined with a mathematical algorithm
    (a set of rules for processing data) such that the original text
    cannot be deduced from the output file, hence the data is now in
    encrypted form. To enable the process to be secure, a key (called
    the passphrase) is combined with this algorithm. Obviously the
    process must be reversible, but only with the aid of the correct key.
    Without the key, the process should be extremely difficult. The
    mathematics of the encryption should be openly available for peer
    review. At first sight this may appear to compromise the encryption,
    but this is far from the case. Peer review ensures that there are no
    "back doors" or crypto weaknesses within the program. Although the
    algorithm is understood, it is the combination of its use with the
    passphrase that ensures secrecy. Thus the passphrase is critical to
    the security of the data.



    2. I want my Hard Drive and my Email to be secure, how can I achieve
    this?

    You need Pretty Good Privacy (PGP) for your Email and DriveCrypt Plus
    Pack or TrueCrypt or BestCrypt for your hard drive encrypted files.

    PGP is here: http://www.pgpi.org/

    DriveCrypt Plus Pack is here: http://www.drivecrypt.com

    TrueCrypt is here: http://www.truecrypt.tk/

    BestCrypt is here: http://www.jetico.com/

    The International PGP Home Page hosts the latest version of PGP, ver
    8.0.3. To download the software you must allow them to check who
    you are basically. This means you may need to re-configure your
    firewall. Just another software vendor's paranoia. PGP is available
    for all versions of Windows, Linux, Unix, Mac and others. The source
    code is available for compiling your own version should you wish.

    DriveCrypt Plus Pack (henceforth referred to as DCPP) is
    Win2000/NT/XP compliant but not compliant with Win98 or earlier.
    Regrettably, no source code is available. It has one single
    advantage which merits its inclusion, it is a whole boot drive
    encryption program. Sadly there are no modern open source boot drive
    encryption programs presently available.

    TrueCrypt is a new, free and open source OTF program of great promise.
    Although very new, it offers several advantages over DriveCrypt and
    BestCrypt - a/ it is free and b/ it is open source. But it also has
    another big advantage: it does not display any file header info
    to help a snooper identify the file's purpose. It can also encrypt a
    whole partition or drive and again not display any info to help an
    attacker. It is available as version 1.0 and still has a few bugs
    to be sorted. But it offers the promise of being an excellent
    program once these little niggles have been sorted. At present its
    progress seems under a cloud due to a legal dispute which hopefully
    will soon be sorted.

    BestCrypt is Win95/98/NT/2000/XP and Linux compatible. But again
    the source code is only released for the algorithms, not the Windows
    interface.

    If the sighting of the source code is important to you, I suggest
    using PGP version 8.0.3 and TrueCrypt.

    Note: PGP although excellent to ensure your Email privacy, does
    nothing for anonymity. The difference is crucial and hopefully is
    expanded on within this FAQ.


    3. What is the difference between these encryption Programs?

    PGP uses a system of encryption called public key cryptography. Two
    different keys are used. One key is secret and the other is made
    public.

    Anybody sending you mail simply encrypts their message to you with
    your public key. They can get this key either directly from you or
    from a public key server. It is analogous to someone sending you a
    box and a self locking padlock for you to send them secret papers,
    when only they have the key to open the box.

    The public key is obviously not secret - in fact it should be spread
    far and wide so that anybody can find it if they wish to send you
    encrypted Email. The easiest way to ensure this is by submitting it
    to a public key server.

    The only way to decrypt this incoming message is with your secret
    key. It is impossible to decrypt using the same key as was used to
    encrypt the message, your public key. Thus it is called asymmetrical
    encryption. It is a one way system of encryption, requiring the
    corresponding secret key to decrypt. PGP is simplicity itself to
    install and use. It even offers to send your newly generated public
    key to the key server.

    For your normal hard drive encryption, you will need a symmetrical
    type of encryption program. This means the same key is used for both
    encryption and decryption. DCPP and BestCrypt are of this type and
    especially good because they are "On-The-Fly" (OTF) programs. This
    means that the program will only decrypt on an as needed basis into
    RAM memory. More about this later in the FAQ.

    One question often asked by newbies is whether the passphrase is
    stored somewhere within the encrypted file. No. The passphrase is
    passed through a hash, such as MD5. This is a one-way encryption. It
    is the hash output that is stored within the encrypted container. The
    program will compare this hash with the hash it produces from your
    passphrase that you type in to mount (open) the container. If they
    are identical, the program will use your passphrase to decrypt the
    key that the program generated to encrypt the disk or container.
    Only then will the disk or container be decipherable. Hashing is a
    one way action only; it is impossible to derive the key from the hash
    output. The hashing process is simply a clever way of checking that
    the correct passphrase has been input.



    4. I have Windows, am I safe?

    Definitely NOT.

    In previous versions I have suggested work-arounds to help minimize
    the inherent security weaknesses within the Windows operating system.

    I have now concluded this is a sheer waste of time. If security is
    important to you, encrypt your whole drive.

    A program I recommend to test this out for yourself is WinHex. It
    reads your drive and shows both the hexadecimal and the text
    equivalent of each sector. It makes fascinating reading. You will
    see snippets of long deleted or the ends of overwritten files,
    perhaps from the Windows swapfile. Hints of text that will ensure
    any snooper could accurately deduce your computer habits. In fact
    the program is so successful at this, it is also sold as a forensic
    tool for disk analysis.

    WinHex is available here: http://www.winhex.com/winhex/order.html.

    If you have Windows Media Player, go to View -> Options -> Player and
    uncheck "Allow Internet sites to uniquely identify Your player". It
    appears that Microsoft have done it again. The default is for this
    box to be checked. Any Web site could theoretically get your id from
    within your Windows registry with this checked. MS claim it is to
    help identify users when they download copyrighted music. But
    anybody could be using this crack for their own purposes, so protect
    yourself by unchecking it.



    5. Which program do you recommend for this whole drive encryption?

    As already mentioned, there is at present no modern whole boot
    drive encryption program with open source. Of the many different
    boot drive encryption programs, I like DriveCrypt Plus Pack (DCPP).
    It is truly simple to install and use apart from its irksome and
    involved registration process with its temp key and the 90 day wait
    before they send you the permanent key. This is paranoia taken to
    extremes! Whatever you do, do not change your Email address during
    this 90 day wait or you will not receive the permanent key. I
    would not be surprised if they lose more sales because of this than
    they gain through ensuring nobody gets a freebie copy. As I have said,
    paranoia!

    Apart from these niggles it is an excellent program. It encrypts the
    whole partition. So if you want to keep part of your drive in
    plaintext you will need to divide your hard drive into independent
    partitions or have two separate hard drives. Unlike its namesake
    DriveCrypt, it does not destroy the data within the partition it
    encrypts. This is obviously necessary as its main advantage is to
    encrypt your boot drive. Why ever didn't Securstar use a different
    name for goodness sake - perhaps Bootcrypt instead of Drivecrypt Plus
    pack?

    All your computer activities will be totally secure as everything you
    do is from within an encrypted drive. On setting up DCPP you need to
    create a key which the program will lock into a keyfile. This is
    protected by your passphrase. This stage must be done whilst still
    in Windows. You can generate any number of keys you wish. You can
    then choose which partition you wish to encrypt and which key to use.
    It is very flexible. The encrypted drive need not necessarily be your
    bootable drive, although this is obviously the main intention of the
    program. In fact this is essential if you wish to tame Windows from
    shouting to the world your computer habits.

    If you live outside the United States and in a country which does not
    have the equivalent of the 5th Amendment, you will need to use a
    little subtlety to ensure your security.

    More on this later in the FAQ.

    It is important to remember that DCPP is an on-the-fly (OTF) type of
    program. The drive will remain encrypted at all times. Any
    necessary decryption is done into RAM memory only. Thus a crash
    close will not leave any evidence of your activities. Likewise,
    there is now no need to worry about the swap file or all the other
    weaknesses of the Windows operating system.

    A further major advantage over previously recommended encryption
    programs is that the passphrase is input at Bios level, before
    Windows is loaded.

    The importance of this is difficult to over-emphasize.

    This means it is impossible for any software key-logging program
    that may be on your computer to detect your passphrase. Such
    programs are sometimes picked up on the Net or arrive via Email and
    could circumvent all your efforts at security. It is even conceivable
    that a snoop or hacker could steal your passphrase as you type it in,
    if this is done whilst the operating system is running. I am sure
    someone will mention that there are hardware keyboard logging devices
    which of course could grab your passphrase when you start up.
    However, common sense local site security should minimize this risk.
    Despite this slight risk, a Bios level passphrase is just about the
    Holy Grail of security - without a hardware keyboard logging device,
    very difficult to intercept and snoop.



    6. Are there other OTF programs?

    Yes, there are several. I recommend DCPP only because I have had
    some personal experience with it. Another similar program you may
    wish to investigate is SafeBoot Solo. I have had only limited
    experience with it. I did not like it. But try it for yourself.
    Both allow Bios input of the passphrase with the consequential
    advantage of whole drive security. SafeBoot Solo has the significant
    advantage of being a whole lot cheaper than DCPP, but DCPP offers
    superior plausible deniability. More on this later in the FAQ.

    Others, such as TrueCrypt and BestCrypt only encrypt data files, not
    the Windows operating system. TrueCrypt does have significant
    plausible deniability because it does not disclose any information
    whatsoever within the file or partition headers. The installation
    text file also suggests a method of taking this even further using
    Windows to hide the drive letter of the TrueCrypt partition. This
    might suggest that the "lost" part of a drive has not yet been used
    or it is the consequence of deleting an older partition. Of course
    it will contain random data that you will claim is the result of a
    wipe program, such as Eraser, used before the partition was deleted.

    Both BestCrypt and the latest version of DriveCrypt (but NOT DCPP),
    allow you to create a hidden container within the initially created
    encrypted container. This can be a big help in some cases - see
    later in FAQ. TrueCrypt does not offer this facility. I prefer
    the hidden container idea, it seems more plausible. But the source
    has not been disclosed, so can you trust them?

    A significant advantage of DCPP is it offers the option of a blank
    screen on boot. This might put off a semi-technical snoop, but not
    a forensic investigation, but it all helps.

    SafeBoot Solo is far less friendly as far as plausible deniability is
    concerned. It will announce itself very obviously on startup. Worse
    the floppy disk that is recommended as an emergency disk allows a
    third party with the cooperation of Safeboot to decrypt your drive.
    Another disadvantage to those living outside the United States is the
    default keyboard on boot may be different to the one installed under
    Windows. This could make the passphrase unreadable and the drive
    inaccessible. A potentially serious problem. Not recommended.

    Of these programs, however, only TrueCrypt has published the source
    code. Regrettably for commercial reasons none of the others are
    truly open and transparent. If you insist on sighting the source code
    then TrueCrypt is your only modern option. Actually, there is one
    other: CrossCrypt. But it is far too buggy and under-developed to
    be recommended for the present. It is still in beta mode. But it
    is open source.

    There is one last hope for those insisting on true open source and
    need full boot drive encryption and that is SecureDrive. It will
    only work with Win 98 or ME when configured to run in Dos FAT16
    compatibility mode, meaning slow and inefficient. Now considered to
    be obsolescent.

    It is important to note that just simply publishing the source code
    does not guarantee safety. It just means the authors are allowing
    their program to be subjected to peer review. Most professional
    encryption programmers will not reveal the inner workings of their
    programs for reasons of commercial secrecy. Fortunately the
    encryption algorithms they use are open source, but not the Windows
    interface.

    Before anybody dismisses these programs because of this disadvantage
    it should be remembered that even if (and I emphasize IF) there is a
    backdoor, once it is known the program authors' reputation is in
    tatters and they are out of business. So even if they have succumbed
    to the temptation (if it exists) to accept sack loads of cash in
    return for incorporating a backdoor and giving this to one of the
    three letter agencies (TLA's), e.g. NSA, CIA, FBI or even the KGB, do
    you honestly believe this agency with such an important tool is going
    to blow their cover and use it to get into your drive? Be real, no
    such secretive body is going to show its hand unless you have secrets
    of such earth shattering importance they threaten national security at
    the highest level.

    I am always amused at the paranoia displayed by those who refuse to
    use closed source programs because of their insistence that backdoors
    are a possibility. Well they are, but the alternative is far more
    worrying in my humble opinion. Risk assessment suggests that it is
    the lesser of the many evils here. Do you risk all for a possible back
    door or use a less than optimum choice of encryption program?

    Your call.



    7. How difficult is it to break one of these programs?

    Very difficult, in fact for all practical purposes, it is considered
    impossible. In most cases, the weakest link will be your passphrase.

    Always make it long. Remember, every extra character you enter makes
    a dictionary search for the right phrase twice as long. The present
    version of DCPP ultimately limits your key length to 160 bits
    (despite the rather silly claims of 1344 bit encryption on the
    Securstar Website). Believe me, 160 bits is extremely strong indeed.
    The sun will burn out into a white dwarf long before any snooper has
    cracked that length of key. Each time a bit is added it doubles the
    number crunching time to crack into the program. Do the maths and
    it soon becomes very obvious just how absurdly large the number of
    tries that exist before the correct key is found.

    Each keyboard character roughly equates to 8 bits, and is represented
    on the drive as two hexadecimal characters. This suggests a 20
    character passphrase is equal strength to the encryption. In
    practice, probably not. Remember a keyboard has around 96 different
    combinations of key strokes, thus multiplying this number by itself
    20 times is a hugely large combination, ensuring a high probability
    of defeat at guessing a passphrase. But few people can remember a
    truly random 20 character passphrase. So most people use a less than
    random one. This means it should be longer to help compensate for
    this lack of entropy. If this sounds difficult, please see the links
    at the end of the FAQ which can help you compile something that will
    be truly strong, yet relatively easy to remember.
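
    The arithmetic behind the passphrase-length advice above, as an
    added example that is not part of the original FAQ. It applies only
    to symbols chosen uniformly at random; the guess rate and the
    7776-word list (the size of a Diceware-style list) are assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Symbol-set sizes. 96 is the FAQ's figure for keyboard characters;
# the other two are assumptions added for comparison.
ALPHABETS = {
    "keyboard characters (96)": 96,
    "lowercase letters (26)": 26,
    "words from a 7776-word list": 7776,
}


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy in `length` symbols chosen uniformly at random."""
    return length * math.log2(symbols)


def min_length(target_bits: float, symbols: int) -> int:
    """Fewest random symbols whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(symbols))


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected years to find the value: on average half the space is tried."""
    return 2.0 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def lengths_to_match(target_bits: int = 160) -> dict[str, int]:
    """Passphrase length needed, per symbol set, to match a key of this size."""
    return {name: min_length(target_bits, n) for name, n in ALPHABETS.items()}


if __name__ == "__main__":
    rate = 1e12  # assumed guesses per second, for scale only
    twenty = entropy_bits(96, 20)
    print(f"20 random keyboard characters: {twenty:.1f} bits "
          f"(a 160-bit key is 2^{160 - twenty:.1f} times larger)")
    for name, length in lengths_to_match(160).items():
        print(f"to reach 160 bits: {length} x {name}")
    for bits in (40, 80, twenty, 160):
        print(f"{bits:6.1f} bits -> {years_to_search(bits, rate):.3g} years at {rate:.0e}/s")
```

    A passphrase a person makes up is not uniformly random, so its real
    entropy is lower than these figures and it needs to be longer still.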

    You should also use at least part of both lines of the passphrase
    input screen with DCPP. If you like, two passphrases.



    8. Why?

    Because any passphrase cracker cannot find the correct key until it
    has exhausted a key search as wide as the last character you enter.
    A strong hint that you should make sure the last character of your
    passphrase is well along the bottom line! For higher security you
    should spread it around on both lines.

    This is a distinct security improvement over the usual straight line
    entry that is typical of other programs, including BestCrypt.

    Be sure that if any serious snooper wants to view your secret data,
    they will find a way without wasting their time attempting a brute
    force attack upon your DCPP container. In some countries rubber hose
    cryptography may be the rule. Anybody living in such a country needs
    level 2 security at the very least. In some "civilized" countries
    there are more sinister methods, such as tempest or the use of a
    trojan which require level 3 security (see later in FAQ).

    Fortunately, tempest and trojan attacks are far less likely to
    succeed against DCPP than all the other programs. Hence my strong
    and enthusiastic support for this type of program.



    9. What about simple file by file encryption?

    I now recommend PGP Tools which comes free with PGP or Eraser. Of
    course this is not necessary for files within your encrypted drive.
    But is essential to clear files off your computer that are outside
    your encrypted drive.

    PGP Tools is available with PGP http://www.pgpi.org/

    Eraser is here: http://www.tolvanen.com/eraser/



    10. How can I encrypt files on a floppy?

    Use either DCPP or PGP Tools or BestCrypt.



    11. Does using Encryption slow things up?

    Negligibly on any modern computer. However on my system DCPP is
    slower than BestCrypt, perhaps because BestCrypt is only affecting
    data, whereas DCPP has to deal with both the system and the data.

    Note, the length of your passphrase is immaterial to the speed of
    decryption.



    12. Do I need a PGP passphrase if I store my keyrings within my
    encrypted drive?

    It is good security practice to use a passphrase, but for level 3
    security it is essential because level 3 security is intended to
    ensure your secret data are safe if attempts are made to hack into
    your computer whilst online. Although DCPP is an OTF program I
    am old fashioned as well as paranoid, so I strongly advise using a
    passphrase for your PGP keyring.



    13. I use Mac, OS2, Linux, (fill in your choice), what about me?

    Use either BestCrypt, or PGPDisk.

    PGPDisk is here: http://www.nai.com/default_pgp.asp

    There are others, but I know nothing about them.



    14. How can I ensure I do not leave traces of unwanted plaintext
    files on my system?

    If you are using DCPP this should not be a problem. But one thing
    that needs addressing is the possibility of Windows dumping your
    keyfile data which is held in RAM memory only, onto the encrypted
    drive. To avoid this catastrophe you must disable the Windows
    hibernation (power saving) feature. When Windows goes into
    hibernation it will dump everything that is in RAM memory onto the
    boot drive by-passing the DCPP drivers. Because it by-passes these
    drivers, it means it writes everything in plaintext, including the
    keyfile data, which unlocks your most secret partition! This
    will defeat the whole purpose of having encryption.

    So whatever else you do, disable the power saving features!

    Although your whole drive will be encrypted I would still install a
    program to clean out bloat and cookies. My recommendation for this
    is Windows Washer.

    Windows Washer is here: http://www.webroot.com



    15. What programs do I put in my newly Encrypted Drive?

    In previous versions of this FAQ I was wary that some programs might
    write critical info to your boot drive. However, this is far less
    of a security risk with it being encrypted. Because of this it is
    far less critical that the programs be security friendly. For what
    it is worth, here are some I recommend:

    (A) Agent (or FreeAgent) for the newsreader.

    Agent is here: http://www.forteinc.com

    (B) For your Email I have 3 different recommendations:

    i. Agent, as mentioned above

    ii. Quicksilver, available here: http://quicksilver.skuz.net/

    iii. JBN2, here: Http://members.tripod.com/~l4795/jbn/index.html


    Agent is simple and very easy to use. It can be used in conjunction
    with a remote host server for posting anonymously (see later in FAQ).
    The latest version also supports automatic decoding of yEnc coded
    files.

    Use Quicksilver for both Email and light Usenet posting.

    The good news is that the original security bug has now been fixed
    and version 1.0.5b1 is the latest release. This is an excellent Email
    client. It supports Nym creation and maintenance. It is excellent
    for both anonymous Email and posting anonymously to Usenet. Most
    importantly, Quicksilver is very easy to learn to use. It uses the far
    more secure Cypherpunk Type II remailers that use Mixmaster rather than
    the earlier Type I Cypherpunk remailers. This means much more secure
    anonymity for both Email and Usenet postings. QS comes with Mixmaster
    and will install Mixmaster on first use. At present it does not use
    the remote host and an encrypted tunnel. See later in FAQ about
    tunnelling.

    When downloading Quicksilver, remember to run update immediately after
    installation to download and install the Zipped files for News, Nym,
    POP and PGP.

    Note: There was a security flaw in version 1.0 of Quicksilver. This
    only affected those using PGP version 8 and who did not elect to sign
    an outgoing message. This bug has now been fixed and I recommend you
    check which version you are using and upgrade if necessary.

    JBN is very thorough, but much more complicated than Quicksilver.
    This might be the choice of the hardened enthusiast. I now use QS
    exclusively. JBN has not been upgraded for a considerable time,
    whereas Quicksilver is under continuous development and open source.

    All three of these programs will also work with PGP. Agent will
    require you to copy and paste, but the other two have built-in
    support and work seamlessly with PGP. I particularly commend
    Quicksilver for its intuitive ease of use. This makes NYM
    maintenance much simpler.

    For browsing use whatever you choose.

    I used to warn against using MS Explorer, but now the beast has been
    tamed by encrypting your boot drive, but for extra safety disable
    Active-X.

    To do this with MS Internet Explorer go to Tools > Internet Options >
    Security > Custom Level. In this dialog box you will find a list of
    options. Tick the boxes which disable Active-X, plus any others that
    you feel will help your security. Remember the purpose is to ensure
    nothing you download can run an Active-X program which might reveal
    your identity when Online.

    You must also have a virus checker and a firewall. I recommend AVG
    as the virus checker.

    Get AVG here: www.grisoft.com

    For the firewall I recommend Zonealarm.

    Get it here: http://www.zonelabs.com/store/content/home.jsp

    Note: Just because your drive is encrypted does not relieve you of
    the necessity of protecting yourself whilst online. So take care to
    cover your tracks.



    16. How do I do this?

    Never surf naked. Always, always use a proxy. If you are not sure
    how to go about this, an easy answer is to use The Anonymizer.

    The Anonymizer is here: www.anonymizer.com

    This is at best a second (or third) best way of achieving anonymity.
    It has as its only merit that it is simple to implement.

    I should emphasize at this point, that proxies are almost an
    art-form in their own right. Far superior anonymity can be obtained
    by the use of various free or shareware programs that will offer
    you vastly superior anonymity compared to the Anonymizer. However,
    not everybody has either the need or the knowledge to use these
    programs. Just to whet your appetite here are a few programs that
    will help in this regard:

    Proxy.Checker
    SamSpade
    SocksCap
    SuperScan

    Do a Google search for yourself and read some background. Although
    at first daunting it can lead to seriously good anonymity.

    This is beyond the scope of this FAQ.





    All of the above is sufficient for a level 1 security.





    Level 2. This is for those who not only wish to hide their private
    data, but wish to hide the fact that they have such data or can offer
    an incontestable reason for their inability to disclose the contents
    of such files.





    17. What exactly do you mean by level 2 Security?

    It means it is essential that you can show plausible deniability for
    every single file, container, partition or drive that might contain
    encrypted data. The purpose is to be able to justify every drive,
    folder and file on your system.



    18. How do I achieve this higher level of security?

    Let us assume for the sake of argument that you have a partition or
    a container of random data on your computer and further, you have
    DCPP or DriveCrypt or any other encryption program installed on that
    computer. It is very likely that a snoop would conclude this
    partition or container is encrypted data on your desktop. Claims
    that it is something else may very well not be believed. If you live
    in the United States, this may not matter a jot. But if you live
    within the United Kingdom this is much more of a problem because of
    the Regulation of Investigatory Powers (RIP) Act. In that country a
    Judge can instruct you to hand over a verifiable plaintext version of
    that file or the key to allow them to decrypt it themselves or you
    may face up to 2 years in prison. Claims by you that you have
    forgotten the passphrase, or the file is something innocuous or
    whatever, may not save you. The onus is on you to prove that it is
    not encrypted, or to show strong evidence why you are unable to
    decrypt it. In other words you can be forced into incriminating
    yourself. A vile and totally undemocratic law that should be put in
    the shredder, together with the people who passed it!

    This situation requires good plausible deniability.

    With DCPP, a key is generated by the program before you can encrypt a
    drive. The key ID is displayed in the keyring when the program is
    run. More importantly, the container or partition will be displayed
    as an encrypted volume by DCPP, suggesting that with the right
    passphrase that volume can be decrypted.

    But as stated above, claims that you have "forgotten" the passphrase
    may not be sufficient to save you. However, if it can be shown that
    the key needed to decrypt an encrypted drive is deleted or missing,
    then it becomes much more difficult to prove you are not complying
    with the law.

    This means having two entirely separate operating systems. They need
    not be different types. You can choose to use, for example, two
    separate Windows XP systems. Each would have to be on different
    partitions on your hard drive. Or you could have two separate
    hard drives and use the first partition on each. Whichever route you
    choose, the operating systems must be set up by Windows to be dual
    bootable. I have found that Windows will do this for you if you copy
    your whole drive from one partition to a second partition using
    Partition Magic. Every sector and byte is copied and when you re-
    boot, you will hopefully find you now have a choice of bootable
    partitions.



    19. OK, I have dual boot, now what?

    Install DCPP onto both drives. You should use the first partition
    (the default) as your normal plaintext drive. The second drive
    (which must also be bootable) is the one you will need to encrypt
    with DCPP. However, it is necessary to have previously installed
    DCPP onto the plaintext drive as part of the ploy to enable plausible
    deniability - see further on.

    If you choose to encrypt both drives, it is essential to use
    different keys.

    Before any encryption can be accomplished, it is mandatory that you
    check that DCPP is supported by your operating system. To do this
    you must first install Boot Authentication from the relevant screen
    in the DCPP window. This is not the same thing as encrypting the
    drive. You could choose to use Boot Authentication alone as a very
    strong boot sequence protection for your computer. But this would be
    using only half of DCPP's capabilities. It would not by itself
    protect your data as there would be other means to access the drive
    by forensics. You cannot encrypt your boot drive until after Boot
    Authentication has been installed.

    Immediately after installing Boot Authentication and before you re-
    boot you must create an Emergency Repair (ER) disk as recommended by
    the program. This is to ensure that if it all turns sour and your
    computer cannot boot, you can still gain access to one or both of
    your boot drives.

    Assuming everything works, you can now encrypt your chosen drive.

    It is absolutely essential that the key used to encrypt your drive is
    a unique key, not being used by your system for any other drive. I
    strongly recommend that you create a unique keyring just for this one
    key to ensure it is not misplaced or confused with any other key.
    Give this keyring a unique name, e.g. Secret or Hidden. Test that
    everything works as it should by booting into both drives, also test
    that you are able to boot using the ER disk - very important this.

    Now comes the tricky bit. Firstly, boot into your encrypted drive
    and locate the file named "Backup" that is within your DriveCrypt
    folder. This is normally to be found within "Program Files", unless
    you chose to install it into a different folder. Copy "Backup" to
    the same folder in your plaintext drive. This is a very important
    file because it contains the original Master Boot Record (MBR) for
    your system. You then re-boot into your normal plaintext drive.
    Naturally, you will have had to enter your DCPP passphrase to boot
    up. Because this boot drive is not encrypted, DCPP will allow you
    to remove Boot Authentication off your computer. DCPP needs the
    file "Backup" to do this, thus the reason for copying it across.

    Next time you boot, no passphrase will be required and you will be
    shown the two drives, but only one will be bootable. If you
    perversely attempt to boot into your encrypted drive, Windows will
    tell you it cannot load the OS. At first sight this might appear
    that you have lost all your data! This is precisely the impression
    you wish to give.

    To access your encrypted drive, you must use the ER disk. What is
    considered by DCPP as a last resort access to your computer, now
    becomes your secret key to accessing your encrypted drive.

    Hint: Ensure that when you first install DCPP onto your computer
    that of the three boot passphrase screen options offered, you choose
    the blank screen!

    When booting with the ER disk, naturally if the wrong passphrase is
    used you cannot boot. With the right passphrase you are offered the
    choice of both drives and can boot into either drive. Make certain
    you make a backup of this ER disk and store off-site. This way, if
    you are unlucky and the boot floppy dies on you, you still have
    access.

    I have to repeat that it is essential that your keyring, as displayed
    from within your plaintext drive and when running DCPP within that
    drive, does not display the encrypted drive's key. Keep this key on
    your encrypted drive.

    This cannot be over-emphasized.



    20. Why?

    If this key is available DCPP will reveal the key fingerprint of that
    drive, proving the presence of the key. DCPP will also then
    recognise the encrypted drive. If no key is available then it is
    axiomatic that it will be impossible to decrypt that drive. This
    is absolutely true. The ER disk only allows OTF decryption for each
    session. No information resides on the ER disk to help identify its
    purpose. Even WinHex cannot read it. Windows tells you it is
    unformatted. This is because the raw data on the disk is not in any
    recognized file format, so it could be a damaged disk. DCPP will
    not recognize the drive as encrypted. In fact it goes further and
    claims it is not encrypted.

    Just ensure that you choose the blank screen option when first
    installing DCPP. Some people have been confused about this and how
    to enter their passphrase. You simply type in the first line of your
    passphrase onto the blank screen then momentarily press the "tab" key
    and enter the second line of your passphrase. Finally hit "enter" to
    see the two (or more) bootable drives on your computer.

    If no matching key can be identified on your keyring then they now
    have to prove you are lying. With full cooperation from you
    regarding the other drive(s), nobody can claim you are being
    uncooperative. It might be a good idea to have another partition
    that is also encrypted by DCPP filled with innocuous files as a
    justification for having DCPP installed.

    Your defence is that you encrypted the drive as an experiment and
    stupidly did not make a copy of the key. The only copy is within the
    encrypted partition! You are still learning how to use the program,
    so mistakes will be made. Never mind, you intend re-formatting the
    drive when you eventually get around to it. Windows will offer to do
    this if you click on it from within the "My Computer" screen.

    By using a benign floppy, perhaps one that looks as if it has seen
    better days, it will be far less obviously a target. Incidentally, a
    DCPP (or BestCrypt) encrypted floppy also appears the same. This
    might be advantageous, hint.

    With the key destroyed I am sure SecureStar, the owners of DCPP, will
    be happy to confirm that it is impossible to decrypt the data.

    Note: This is general information only. Some users might prefer to
    try other, perhaps even more ingenious ways to get around this
    problem. I am deliberately leaving the alternatives unspoken. Each
    may choose the system that best suits their security needs.

    If you feel this is not sufficient as a form of plausible deniability
    for your circumstances, then I can only suggest you use the hidden
    container feature of DriveCrypt version 4.1 or BestCrypt version 7
    or TrueCrypt (but carefully read the accompanying documentation
    first). Whereas these offer good to excellent forms of plausible
    deniability, without full hard drive encryption (meaning DCPP) it
    does mean you are at the mercy of the Windows operating system.
    Perhaps if you used Linux and BestCrypt you may be safer.

    One important point to note for United Kingdom subjects: A conviction
    cannot be upheld without evidence. Evidence that you and you alone
    committed an internet "crime" must be substantiated by evidence on
    your computer. No amount of circumstantial evidence gathered from
    Web based intercepts is sufficient - or so I am informed by a legal
    expert. So provided you can pass the plausible deniability part and
    your passphrases are sufficiently strong, you should be home and dry.

    Lucky indeed are those who live in countries that have a Constitution
    allowing the suspect the right to silence and the right not to be
    forced into incriminating himself.



    21. What if encryption is illegal in my country?

    In that case, I suggest using the stego feature of DriveCrypt. But
    ensure you create your own WAV file, by making your own recording.
    Once the stego encrypted file is created within the WAV file, make
    sure to wipe the original recording to prevent forensic analysis
    showing their low level data are not identical.

    Of course, you will need to install DriveCrypt in traveller mode.
    This means running it off a floppy. But you will still need to hide
    the floppy effectively in the case of a search. I am sorry I cannot
    help you here. It must be down to your own initiative.

    Note the difference between this scenario and the previous one using
    a boot floppy. The DriveCrypt floppy will plainly display the
    program, thus incriminating you. Where encryption is legal, an ER
    disk does not necessarily incriminate you thus less of a need to try
    and hide it away.



    22. Are there any other precautions I should take?

    Make copies of all your PGP keys, a text file of all your passwords
    and program registration codes, copies of INI files for critical
    programs, secret Bank Account numbers and most importantly the key
    for your secret encrypted drive plus anything else that is so
    critical your life would be inconvenienced if it were lost. These
    individual files should all be stored in a folder called "Safe" on
    your encrypted drive. A copy of this folder should be stored on an
    encrypted CD, preferably within the hidden part if using DriveCrypt
    4.1 or Bestcrypt 7 and stored off-site.

    If you are going to rely on any variation of the ploys suggested
    within this FAQ, you should keep it within your secret drive.





    The above is sufficient for Level 2 security.





    23. I need Level 3 Security, how do I achieve this?

    This is for those who wish to protect themselves from hackers whilst
    online and snoopers who may try and compromise either their software
    or add substitute software that could reveal their secret
    passphrases.



    24. What are these threats?

    They are known as Tempest and Trojan attacks.



    25. What is a Tempest attack?

    Tempest is an acronym for Transient ElectroMagnetic Pulse Emanation
    Surveillance. This is the science of monitoring at a distance
    electronic signals carried on wires or displayed on a monitor.
    Although of only slight significance to the average user, it is
    of enormous importance to serious cryptography snoopers. To minimize
    a tempest attack you should screen all the cables between your
    computer and your accessories, particularly your monitor. A flat
    screen (non CRT) monitor offers a considerable reduction in radiated
    emissions and is recommended.



    26. I have decided to use DCPP, am I at risk?

    Far less than if you were using any other program. But do not use
    the same passphrase to open any other encrypted partitions after you
    have loaded Windows. Keep your boot passphrase totally unique and
    you will be far safer than if using any other program.



    27. What about DriveCrypt 4.1 and BestCrypt?

    Neither offer the same facility of full boot drive encryption. But
    both do offer some protection. DriveCrypt has its RED Screen mode
    and BestCrypt offers some unspecified form of keyboard filtering.

    The single likely biggest advantage of both programs is their ability
    to create hidden containers within an existing encrypted container
    (and/or a partition in DriveCrypt's case). This has enormous
    plausible deniability advantages. The one and only disadvantage is
    that the passphrase has to be entered from within Windows. Not a
    real problem if run from within your DCPP encrypted drive.

    One additional unique advantage of BestCrypt is it can optionally
    encrypt the Windows swapfile suggesting it need not be run from
    within the DCPP drive.



    28. What is a Trojan?

    A trojan (from the Greek Trojan Horse), is a hidden program that
    monitors your key-strokes and then either copies them to a secret
    folder for later recovery or ftp's them to a server when you next go
    online. This may be done without your knowledge. Such a trojan may
    be secretly placed on your computer or picked up on your travels on
    the Net. It might be sent by someone hacking into your computer
    whilst you are online.

    The United States Government has openly admitted it will be employing
    such techniques. They call it Magic Lantern. It was originally
    promulgated as a counter-terrorism weapon. But who knows how it will
    be used in practice.

    In view of these changed tactics, it is mandatory that these possible
    attacks be countered. Thus my insistence that only DCPP can give the
    level of security to ensure you enjoy some peace of mind.

    Nevertheless, whilst your encrypted drive is mounted you should take
    precautions against a trojan copying any data and sending it out to
    some unknown site.



    29. How do I do this?

    First of all you must have a truly effective firewall. It is not
    sufficient for a firewall simply to monitor downloaded data; it must
    also monitor all attempts by programs within your computer that may
    try and send data out. The only firewall that I know of that ensures
    total protection against such attacks is ZoneAlarm. This firewall
    very cleverly makes an encrypted hash of each program to ensure that
    a re-named or modified version of a previously acceptable program
    cannot squeeze through and "phone home".

    ZoneAlarm is here: www.zonelabs.com/zonealarmnews.htm

    To understand how important this is, visit Steve Gibson's site.

    Steve's site: http://grc.com/

    Go to the "Test my Shields" and "Probe my Ports" pages.

    You can test ZoneAlarm for yourself. I strongly urge all users
    concerned with their privacy to run this test.

    Steve's site is also a mine of other useful information and well
    worth a visit.



    30. How will I know when a trojan has modified an acceptable
    program?

    ZoneAlarm will pop up a screen asking if this program is allowed to
    access the Net. If it is one of your regular programs, be very wary
    and always initially say NO until you can check why this program is
    not now acceptable to ZoneAlarm. If it is a strange program, then
    obviously say NO and investigate.
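
    The hash check described in questions 29 and 30, as an added example
    that is not part of the original FAQ and not ZoneAlarm's own code. It
    assumes SHA-256 and a simple in-memory rule table; the class name,
    verdict strings and file names are hypothetical.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class OutboundAllowlist:
    """Approved programs keyed by path, each pinned to the digest seen at approval."""

    def __init__(self):
        self._approved = {}  # normalised path -> sha256 hex digest

    @staticmethod
    def _norm(path):
        return os.path.normcase(os.path.abspath(path))

    def approve(self, path):
        """Record the user's decision to let this exact file reach the Net."""
        self._approved[self._norm(path)] = sha256_file(path)

    def decide(self, path):
        """Return (verdict, reason) for a program asking to send data out."""
        digest = sha256_file(path)
        pinned = self._approved.get(self._norm(path))
        if pinned == digest:
            return ("ALLOW", "path and digest match an approved program")
        if pinned is not None:
            # A rule keyed on the file name alone would have let this through.
            return ("ASK", "approved name, but the file contents have changed")
        if digest in self._approved.values():
            return ("ASK", "approved contents, but running under a new name or path")
        return ("ASK", "program has never been approved")


def demo():
    """Run the four cases on constructed files and return the verdicts."""
    results = {}
    original = b"constructed newsreader build 1"  # constructed sample bytes
    with tempfile.TemporaryDirectory() as d:
        reader = os.path.join(d, "newsreader.exe")
        with open(reader, "wb") as f:
            f.write(original)

        rules = OutboundAllowlist()
        rules.approve(reader)
        results["unchanged"] = rules.decide(reader)

        # Same name, different bytes: the case question 30 asks about.
        with open(reader, "wb") as f:
            f.write(original + b" plus constructed modification")
        results["modified"] = rules.decide(reader)

        # Restore the approved file, then present the same bytes under a new name.
        with open(reader, "wb") as f:
            f.write(original)
        renamed = os.path.join(d, "helper.exe")
        with open(renamed, "wb") as f:
            f.write(original)
        results["renamed"] = rules.decide(renamed)

        strange = os.path.join(d, "strange.exe")
        with open(strange, "wb") as f:
            f.write(b"constructed unknown program")
        results["unknown"] = rules.decide(strange)
    return results


if __name__ == "__main__":
    for case, (verdict, reason) in demo().items():
        print(f"{case:10} {verdict:5} {reason}")
```

    Only the unchanged file is allowed without a prompt; the other three
    cases all fall back to asking the user.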



    31. How important is the passphrase?

    Critically important. It is almost certainly the weakest link in the
    encryption chain with most home/amateur users. I provide links at
    the end of the FAQ, some of these should either help directly or give
    further links about how to create an effective passphrase.

    For the newbies: never choose a single word, no matter how unusual
    you think it is. A passphrase must be that, a phrase, a series of
    words, characters and punctuation intermixed. One method that I
    believe would help is to deliberately mis-spell common words in a
    phrase. Scruggle in place of struggle, matrificent in place of
    magnificent. These could be the start of a longer phrase. Taking
    this a step further, invent words that are pronounceable but totally
    meaningless for example, alamissis or grafexion. I recommend a
    minimum of eight words, but obviously do not use either of those two.



    32. How can I prevent someone using my computer when I am away?

    In the past I had no truly effective answer, but if you are using
    DCPP, you have nothing to fear. Nobody accessing your computer will
    have any access to your encrypted drive in your absence. Even the
    presence of an ER disk is no help to them without the passphrase.

    However, if you are truly paranoid (and who isn't?) I would guard
    against someone adding a hardware keyboard logger. These can be very
    small and easily disguised as an RF trap on the keyboard lead.
    Obviously, this is far more likely if your computer is also used
    by others or can be accessed by others in your absence.

    The most likely scenario for this to happen would be if your computer
    was impounded for forensic examination and later returned to you
    apparently intact. In such circumstances I would definitely not
    input any passphrase at all until a very thorough check has been
    undertaken. In fact I would never use it again! I advise buying a
    new machine and transfer the drive across. Of course to access this
    drive you will need the appropriate boot disk. This suggests it
    would be wise to keep one copy off site.



    33. Anything else?

    Use a BIOS password. Although it can be bypassed by resetting the
    BIOS, the fact it has been reset should be obvious: either there is
    no call for the BIOS password on boot, or the password is different
    and you cannot then start up. Also, ensure you have set a Windows
    screen-saver password. Make a shortcut on your desktop to the screen
    saver, then open its properties box and put in a single key shortcut,
    for example F10.

    This ensures you have the option of a single keystroke blanking of
    your screen in an emergency.





    Part 2 of 2.

    This second part concentrates on security whilst online.





    There are countless reasons why someone may need the reassurance of
    anonymity. The most obvious is as a protection against an over-
    bearing Government. Many people reside in countries where human
    rights are dubious and they need anonymity to raise public
    awareness and publish these abuses to the world at large. This
    second part is for those people and for the many others who can help
    by creating smoke.



    34. I subscribe to various news groups and receive Email that I want
    to keep private, am I safe?

    Whilst you are online anyone could be monitoring your account. If
    you live in the British Isles be aware that all ISPs are required to
    keep logs of your online activities, including which Web sites you
    visit.

    Shortly this will be reinforced by MI5 who will be monitoring all Net
    activity 24 hours a day! The information will be archived eventually
    for up to seven years. All Email headers will likewise be stored
    for the same length of time.



    35. Can anything be done to prevent my ISP (or the authorities)
    doing this?

    There are several things you can do. First of all subscribe
    anonymously to an independent News Provider - more about how to
    achieve this later in the FAQ. Avoid using the default news provided
    by your ISP. Apart from usually only containing a small fraction of
    all the newsgroups and articles that are posted daily, your ISP is
    probably logging all the groups you subscribe to. You also need to
    protect yourself from snoopers whilst online. Both of these aims can
    be realized by encrypting the data-stream between your desktop and a
    remote host server.

    There are several methods of doing this. One is to use SSL proxies.
    This can be very complicated and relies on expert knowledge for the
    best results. Also, speed can vary dramatically depending on which
    proxies are available. But when set up properly it is extremely
    good at hiding your online activities.

    If this is your choice, take a look here:

    http://www.jestrix.net/tuts/sslsocks.html#intro

    If simplicity is your goal, I suggest SSH and port forwarding. This
    is easier to implement if you are new to privacy issues. Of course
    with experience you can combine both, but that is beyond this FAQ.



    36. I live in the United States why do I need to bother?

    You don't need to. But your privacy and security are enhanced if
    you do, particularly if you wish to ensure best possible privacy of
    posting to Usenet. An additional concern must be the United States'
    stated intention to snoop using whatever means they can. TIA aka
    Total (now changed to Terrorist) Information Awareness is one project
    that is having money poured into its research. This involves
    combining many supposedly independent stores of private information
    to track and define a citizen's intentions. Naturally, this must
    involve their computer habits.

    If this makes you feel slightly uneasy, as well it should, then I
    recommend implementing some or all of the suggestions within this
    FAQ.



    37. Ok, you've convinced me, how do I go about this?

    The seriously sophisticated way is by chaining proxies using SSL
    which can offer hard anonymity. It involves more bother and a
    standard of ability and knowledge only gained by hours of practice
    and is not everybody's choice. The pleasure gained is, of course,
    disproportionate to this bother and well worth the effort. This
    level of sophistication is beyond this FAQ. If this sounds like a
    lot of hard work and too much bother then the following is my best
    suggestion.

    Assuming you want simplicity, then I recommend you use the SSH
    encryption protocol. SSH is a form of encryption that ensures that
    everything that leaves your desktop is encrypted. To do this you
    will need to subscribe to at least one, but preferably two
    remote servers. To be truly effective the administrators of these
    servers must be prepared to periodically review their security
    policies and specifically to replace their RSA/DSA keys. Sadly, this
    has not been done in the past with those that I have mentioned in
    previous versions of this FAQ.

    After searching, I have found what may be the answer, Privacy.Li, who
    are registered in the Principality of Liechtenstein. Liechtenstein
    is a European country best known for its secrecy surrounding its
    banking facilities. This suggests it might be very useful for
    routing anonymous connections to the Internet. Better yet,
    Privacy.Li accept anonymous payments in either E-Gold or DMT/ALTA,
    pecunix, e-bullion and of course cash/traveller cheques mailed in
    through anonymous maildrops. A very wide choice, so take your pick.

    All of these are truly anonymous methods of payment. I personally
    like E-Gold, which does have the advantage of simplicity to setup and
    use.

    Privacy is here: http://privacy.li/

    E-Gold is here: http://www.e-gold.com/

    pecunix is here: www.pecunix.com

    e-bullion is here: www.e-bullion.com

    DMT/ALTA is here: https://213.132.35.90/


    Privacy.Li offer an SSH encrypted connection with port forwarding
    through either of their own servers. One server is in The
    Netherlands and the other is in Hong Kong. Both well outside the
    control of either the American or British snoops. The cost of
    connection is around 100 Euros per year per server. By paying in E-
    Gold or via DMT/ALTA it is a truly anonymous sign-up. I strongly
    recommend them if your needs are for simplicity and total privacy.

    A new service they have just introduced is an anonymous sign-up to
    an independent news provider. The chosen one is Newshosting. This
    seems an excellent news provider with most all of the news groups
    most people want, even the contentious ones! Their retention,
    completion and speed seem very good to excellent. The charge for
    signing you up anonymously is 95 Euros per year with 120 Gigabytes
    maximum download in that time. Exactly the same as signing up with
    Newshosting directly yourself. Obviously Privacy.Li is benefiting
    from a discount because of the bulk booking on behalf of the many
    subscribers. Many subscribers means more smoke - a good thing.

    But remember this is in addition to the cost of signing up for the
    SSH connection, which is 100 Euros per year.

    You can pay by E-Gold or DMT/ALTA. If you wish this service
    (strongly recommended), you must sign up to the Hong Kong server
    (known as Bear). You will then be able to connect directly into the
    Newshosting server via Bear using SSH. I understand that they
    also offer a proxy signup to any web service you choose on request,
    again you can pay anonymously.

    Not only will you be totally anonymous to Privacy.Li, but much more
    importantly, doubly anonymous to Newshosting or the web service,
    plus the connection will be fully hard encrypted from your desktop.

    Additionally, you will get one anonymous Email address in the form
    of (the server will depend on which one you
    sign up to). You can also use this service to surf the Net totally
    privately and anonymously.

    Privacy.Li will send you all necessary info in the form of a FAQ to
    help you configure your Email client and your newsreader. It really
    is easy.

    Contact via Email:



    38. Does Privacy.Li monitor the downloads or keep logs?

    First off, all SSH connections will always log the last connection.
    This is actually a security assurance since you know the last time
    you made a connection. If there is a connection after that time,
    someone is hacking your account. So this is necessary. But I have
    been assured that Privacy.Li do not and cannot log anything else,
    because it is very difficult to log connections with SSH: all
    connections will appear to be local to the server (localhost -
    127.0.0.1).

    Here is a quote from an Email reply that the admin at
    Privacy.Li sent to an inquirer:


    <Quote>

    We do not log anything, with one exception: when you log in! and this
    is kept revolvingly, only the last login is on file and will be
    overwritten with the newest login. This also serves for your
    security, because you always see, who logged in the last time into
    your account. If it happens and you would see another login than
    yours, it would mean your account has been hacked!

    We never do any activity logs!

    2. What legal authority, if any, is news.privacy.li subject to?

    that's a good question :) , well the domain is registered in
    Liechtenstein, that's the only clue there is... Until today we have
    not been served any subpoena nor court order, so it's tough to say
    who could be in charge of us :)

    3. When posting to News Groups with news.privacy.li, why do your
    headers show these Identifiers:

    Message-ID: <
    X-Complaints-To:
    Xref: news.privacy.li newsgroup.name?

    Because this is international protocol, I would not get the
    newsfeed without giving those details.

    >Our statement of promise to you;
    >We are not wanting to spam or abuse your service in any way.


    Good! But why are you so concerned? I really don't care what you
    do, as long as it is not spamming or hacking/phreaking/phishing.

    > 4. So besides abuse or spam, does news.privacy.li impose any
    >posting limits?


    No posting limits, well, you have the GB-posting limit according
    to the package you buy


    > 5. And finally, does news.privacy.li impose any download limits?


    No, neither, as long as it is within your GB-allocation

    <Unquote>



    39. OK, this sounds interesting, how does SSH work?

    SSH uses a protocol called port forwarding. This means that it
    tunnels the necessary ports for Web browsing (port 80), Email send
    and receive (ports 25 and 110), Usenet (port 119) through an
    encrypted tunnel (port 22). Any adversary attempting to read your
    data passing in either direction can only know that a/ it is
    encrypted and b/ it is passing through port 22 on your computer.

    Traffic analysis of the connection may give some hints whether you
    are dealing with Email or Web browsing, but the big idea is that they
    cannot read that traffic!

    The method is simple but very secure. Your desktop SSH program
    (called the client) asks for a connection to the remote host server.
    The host replies with its DSA public key. This traffic is in the
    clear, but now your desktop checks this key against previous
    connections and alerts you if it is different, which might suggest
    someone was intercepting your traffic. Your desktop has meanwhile
    generated a random session key which is never shown to you. The
    host's public key is used to encrypt this key. The host is able to
    decrypt this session key using its secret key. Now using the
    session key to encrypt everything that passes between you and the
    host, it will ask you for your user id and password.

    Henceforth all further data are exchanged encrypted with the session
    key.
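
    The host key check in the exchange described above, as an added
    example that is not part of the original FAQ and not Putty's own
    code. It assumes host keys are remembered as OpenSSH-style
    "host keytype base64key" lines; the host names, verdict strings and
    key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed stand-ins for public key blobs (not real DSA keys).
KEY_ORIGINAL = base64.b64encode(b"constructed host key, first seen").decode("ascii")
KEY_OTHER = base64.b64encode(b"constructed host key, different").decode("ascii")

# Constructed store of previously seen host keys.
KNOWN_HOSTS = f"""\
# comment lines and blank lines are ignored

tunnel.example.net,192.0.2.10 ssh-dss {KEY_ORIGINAL} first connection
|1|c2FsdA==|aGFzaA== ssh-dss {KEY_OTHER}
@revoked old.example.net ssh-dss {KEY_OTHER}
malformed-line-with-no-key
"""


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text):
    """Parse plain 'hosts keytype key' lines into {host: {keytype: key}}."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Marker lines (@revoked, @cert-authority) and hashed host names
        # (|1|salt|hash) are out of scope for this example and skipped.
        if len(fields) < 3 or fields[0].startswith(("@", "|")):
            continue
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            known.setdefault(host, {})[keytype] = key
    return known


def check_host_key(known, host, keytype, key_b64):
    """Compare the key a host presents with what was stored earlier."""
    entries = known.get(host)
    if entries is None:
        return "NEW_HOST"        # first contact: verify the fingerprint out of band
    stored = entries.get(keytype)
    if stored is None:
        return "NEW_KEY_TYPE"    # known host, unseen key type: do not accept silently
    if base64.b64decode(stored) == base64.b64decode(key_b64):
        return "MATCH"
    return "CHANGED"             # the alert case: possible interception


def connect(known, host, keytype, key_b64):
    """Return the verdict and fingerprint; proceed only on MATCH."""
    verdict = check_host_key(known, host, keytype, key_b64)
    return {
        "verdict": verdict,
        "fingerprint": fingerprint(key_b64),
        "proceed": verdict == "MATCH",
    }


if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for host, keytype, key in [
        ("tunnel.example.net", "ssh-dss", KEY_ORIGINAL),
        ("tunnel.example.net", "ssh-dss", KEY_OTHER),
        ("tunnel.example.net", "ssh-rsa", KEY_OTHER),
        ("unseen.example.net", "ssh-dss", KEY_ORIGINAL),
    ]:
        print(host, keytype, connect(known, host, keytype, key))
```

    Nothing is sent under the session key, password included, unless the
    verdict is MATCH; the other three verdicts stop and show the
    fingerprint so it can be checked against one obtained separately.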

    Each time you start the program prior to logging on, a new session
    key will be generated. I am reasonably certain that this session key
    is not saved by the host server. I have been told that the SSH
    protocol calls for the session key to be held in RAM memory only and
    to be irretrievably lost after the connection is closed.

    SSH is available in various implementations and commercial programs.
    The one I recommend now is Putty. Putty has the big advantage of
    being free, plus the source code is available - very important this.

    Putty is here: http://www.tucows.com/preview/195286.html

    or here:

    http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html



    40. Where does the data go after passing through the remote host?

    It then goes out onto the Web or to the News Provider or wherever
    totally anonymously. All your Web browsing and postings and
    downloads will always be totally private.



    41. Is the data encrypted after it leaves the remote server?

    Not unless you are using an additional remote host. If you are
    careful and limit each session to, say, 1 hour, breaking off and
    re-connecting, you will always generate a new session key.
    This will make hacking attempts far more difficult. A further
    refinement may be to use another, different remote host for the next
    connection.



    42. OK, I've signed up, how do I configure Agent and Putty to access
    Usenet?

    When you sign up with Privacy.Li they will send you a detailed FAQ on
    how to set up Putty and Agent ver 2.0.

    You are now ready to tunnel through to whichever News Provider you
    signed with. Likewise, you can browse the Net, visiting sites with
    complete anonymity.



    43. How strong (safe) is this SSH encryption?

    Very strong and safe. You may have a choice of algorithms, or you
    will have to use whatever algorithms are supported by the host
    server. 3DES is a popular choice. Do not allow DES as it is now
    considered a poor choice. One more thing, SSH has largely been
    replaced by the more secure SSH2. Fortunately Privacy.Li uses SSH2.

    To re-emphasise, both of Privacy.Li's servers are off shore. One is
    in The Netherlands and the other is in Hong Kong. You can choose to
    sign up to either or both, but only the Hong Kong server will support
    direct access via Privacy.Li to the Newshosting server.



    44. Should I run these encrypted programs from within my encrypted
    drive?

    Yes, provided you are using dual boot with DCPP.



    45. Can I post graphics anonymously to Usenet with this system?

    Absolutely. If you choose to use Agent, it will always use your News
    Provider as the posting host. This is why I recommended you
    subscribe anonymously to this news provider. Nothing can then be
    traced back. If you are into heavy posting then you should use Power
    Post or something similar that allows you to choose whole folders of
    files for posting.

    If you use Quicksilver it will always use one of the mail2news
    gateways. These are intended to be hard anonymous, but it does not
    yet support the SSH option. The anonymous remailer network does not
    readily accept large files, such as graphics. Worse, it is my
    experience that reliability is not good.



    46. Why Quicksilver, what about Private Idaho or Jack B. Nymble?

    I found Private Idaho far too buggy and not as intuitive as
    Quicksilver. I have also used Jack B. Nymble. It is very
    sophisticated, but I now prefer the elegant simplicity of
    Quicksilver. This is my choice, others are free to assess the
    alternatives and choose accordingly.



    47. Is there another, simpler way?

    Email can also be sent (and received) by Yahoo or Hotmail. But I
    treat these as soft anonymous. Don't use them for anything critical
    unless you can access them via SSH and your anonymously signed for
    remote host.

    There are also several freebie remote hosts. My experiences suggest
    they are less reliable and frequently down. By all means experiment
    and use whatever suits you best. To access Usenet you will need to
    find an NNTP host proxy, which are far less common.

    Warning: Using a freebie remote host may mask your true IP address,
    but that only helps to prevent a back-trace. If you live in a country
    which monitors your Net activities, (e.g. the United Kingdom), any
    snoop will know which site you are accessing and if so minded, could
    monitor the datastream. An SSH connection however encrypts this
    datastream and most importantly, thus hides both the datastream and
    your destination host server IP from these prying eyes.

    Unless you are prepared to use chained proxies and SSL encryption a
    single proxy is little use on its own.

    In simple terms, you need SSH and a truly anonymously signed up
    remote host server if you want true Net privacy. Of course if you
    also use a proxy to log into Privacy.Li, then this improves things
    even further. But if you are clever enough to learn to use one
    proxy, you can then easily progress to learning to chain several
    together to achieve an even higher level of privacy. The other
    obvious advantage is they are free!



    48. Are there any other suggestions?

    Immediately you finish a posting session, close Putty and break the
    connection. This ensures new session keys are generated when you log
    in again over the new link. Never stay online whilst posting for
    longer than 1 hour maximum. There is nothing to stop you re-
    connecting as soon as you have dropped the connection, just do not
    stay online continuously.

    Always post at different times, do not create a regular pattern of
    postings at specific times and days of the week. If possible, use
    different ISP's to log onto the Net. By all means use a freebie ISP
    if available in your area. Be aware that these freebies invariably
    log your telephone number and connection times. But then so do the
    others to a varying extent.

    It is vital and axiomatic that all your secret data must always and
    at all times remain within your encrypted drive. There is very
    little point at all in going to all this bother and then printing out
    the data or saving it onto a plaintext drive.

    Always assume you are about to be raided!



    49. Surely all this is totally over the top for the majority of users?

    It is certainly over the top for 99 per cent of users for 99 per cent
    of the time. If, however, you are the one in a hundredth and you do
    not much like the idea of being at risk for 1 per cent of the time,
    then no, it is not over the top at all.

    In any case, using these tactics helps create smoke which in turn
    helps protect those who really do need all the protection and
    security they can get.

    Remember this FAQ is intended to help many different people. Some
    may be living in deprived conditions, in countries where human rights
    abuses are a daily fact of life.

    Privacy and anonymity are very important principles associated with
    both freedom of speech and democracy.


    "Anonymity is a shield from the tyranny of the majority... It thus
    exemplifies the purpose behind the Bill of Rights, and of the First
    Amendment in particular: to protect unpopular individuals from
    retaliation - and their ideas from suppression - at the hand
    of an intolerant society."

    Justice Stevens, McIntyre v. Ohio Elections Commission, 1996

    If a Supreme Court Judge deems it a person's right, who would argue?

    Well many Governments do, judging by their actions.



    50. Can I use IRC/ICQ/Yahoo/MSM in this way?

    No. But you can use a program called Trillian. There is now a Pro
    version which will allow an encrypted conversation between a group
    and even allows file exchange (I believe). I have only used the
    beta version, text only. It appears to do all they claim for it.
    Both parties need to be using Trillian for the encryption to be
    effective. You can use it as a stand alone, but it will not then
    support encryption.

    Trillian is here: http://www.trillian.cc

    If your intention is to seek to correspond with others to exchange
    contentious or illegal material, be aware that encryption alone may
    not be sufficient. In those circumstances it might be a very good
    idea to ensure you understand how to use a proxy before connecting.



    51. Can I be anonymous as far as other Web sites are concerned?

    Yes, by either using the Anonymizer browser plug-in or by setting up
    MSIE or Netscape to use your encrypted connection to your remote host
    server. Using MSIE go to Tools -> Internet Options -> Connections
    -> Settings. Under "Proxy Server" tick the box marked "use a Proxy
    server for this connection" Put "localhost" in the address box and
    the port number in the box marked "Port". The port number is decided
    by the Webmaster of the server you use. You will be told this in the
    FAQ that comes after you have signed up.

    There is also a new system that is becoming available called Freenet.
    Read all about Freenet here: http://freenet.sourceforge.net/

    If you do choose to use it, be aware it is still in its infancy and
    some care needs to be taken, particularly with regard to the choice
    of Browser. Under no circumstances use MS Internet Explorer! The
    site gives more information regarding browsers, read it carefully.
    I am not yet convinced. But by all means experiment. Also be aware
    that you are then part of a network and your computer becomes one of
    the nodes. A lot of data will be exchanged through your system
    whenever you are online, irrespective of whether or not you are using
    Freenet yourself. It can even slow down other services you may be
    using.



    52. What about backing up my Data?

    Although not strictly relevant to a FAQ mainly concerned with
    privacy, nevertheless, this is so important a few words are needed.
    I have neglected this in past revisions, but it is so essential that
    here is how I manage it.

    It is not possible to use Norton's Ghost, nor Partition Magic.
    Ghost will actually appear to back up the data, but will not restore
    it correctly. There are rather involved work arounds, but for
    simplicity here is my suggestion:

    Create another encrypted container using DriveCrypt or BestCrypt on
    an external hard drive. Open this partition and copy some innocuous
    data from your normal plaintext drive. Now close this container and
    create a hidden container, following the instructions in the
    documentation that comes with DriveCrypt (or BestCrypt). Now copy
    all your secret data across into this secret container.

    Restoring is not quite as simple. If it is just a matter of
    restoring some lost data files, this is perfectly straight forward.
    Just open the secret container and copy them into your DCPP partition
    to replace the lost files. If however, you need to restore
    everything because you cannot boot into the DCPP partition then I
    recommend using Partition Magic (I have never used Ghost) to delete
    the DCPP partition and then copy across the whole of your plaintext
    drive using the same program.

    You must now re-encrypt that drive using DCPP. You should do this
    before you restore the data within your secret container. When DCPP
    has finished its job, simply re-boot into the DCPP partition and copy
    all your data back. Create a new ER disk before closing. Your old
    disk may very well not function, even with the same passphrases.

    Remember to re-boot into your plaintext drive and to remove Boot
    Authentication. You are hopefully now back where you started.



    53. Lastly, what do you say to the charge that this FAQ may be
    useful to criminals?

    I did take time to have a re-think after the events of 9/11.
    However, on balance I believe it is still the right thing to do.
    Like gun control, if we ban weapons only the police and criminals
    will have them. Banning encryption or anonymity is not going to
    make criminals stop using encryption or attempting to be anonymous.

    It is almost laughable for anyone to be so naive as to believe that
    passing any law would make the least difference to a criminal.

    I believe that the individual should be allowed to choose, not the
    Government on his behalf.

    Who benefits the most if Governments are allowed to reduce our
    freedom of choice? The Government or us?

    Those that give up a little freedom to gain a little security will
    lose both.




    Therefore:

    a. always use encryption, whatever else you do.


    b. always post via your encrypted and anonymous remote host to your
    anonymously subscribed News Provider.


    c. never ask of anyone nor give anyone online, your true Email
    address.


    d. never DL any file with .exe, .com, .bat or .scr extension from a
    dubious source. If you do, carefully delete without running it.


    e. for your own protection, never offer to trade any illegal
    material, nor ever respond to those seeking it, even anonymously.


    f. never use your Credit/Debit Card to sign up to any contentious
    Web site.



    My key fingerprint: F463 7DCB C8BD 1924 F34B 8171 C958 C5BB




    To contact me, please use my public key to encrypt your message to
    news:alt.anonymous using the subject line:

    "Gosh, I've got mail" - without the quotes. Please ensure you
    include your key if you want a reply. Your message will not be read
    let alone answered if it is sent in plaintext.




    This ends the FAQ.




    Items specifically mentioned or recommended in the FAQ:


    PGP: http://www.pgpi.org/

    DCPP: http://www.drivecrypt.com

    TrueCrypt: http://www.truecrypt.tk/

    BestCrypt: http://www.jetico.com/

    Eraser: http://www.tolvanen.com/eraser/

    WinHex: http://www.winhex.com/winhex/order.html.

    Windows Washer: http://www.webroot.com

    Agent: http://www.forteinc.com

    ACDSee: http://www.acdsystems.com/english/products/acdsee/index

    Thumbs Plus: http://www.cerious.com

    VuePro: http://www.hamrick.com

    AVG here: www.grisoft.com

    Zonealarm: www.zonelabs.com/zonealarmnews.htm

    Steve's site: http://grc.com/

    SSL Proxy info: http://www.jestrix.net/tuts/sslsocks.html#intro

    Privacy is here: http://privacy.li/

    E-Gold is here: http://www.e-gold.com/

    DMT/ALTA is here: https://196.40.46.24/ or https://213.132.35.90/
    (they change ip's frequently)

    Quicksilver: http://quicksilver.skuz.net/

    Jack B. Nymble: http://www.skuz.net/potatoware/jbn/index.html

    The Anonymizer: http://www.anonymizer.com

    Privacy.Li: http://www.privacy.li/index.htm

    A Proxy site listing: http://www.samair.ru/proxy/

    Putty.exe: http://www.tucows.com/preview/195286.html

    or here:

    http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

    F-Secure: http://www.f-secure.com/

    News Providers: http://www.exit109.com/~jeremy/news/providers/

    Freenet: http://freenet.sourceforge.net/

    Trillian: www.trillian.cc

    Mixmaster (required by Quicksilver and Jack B. Nymble):

    Download site: http://www.thur.de/ulf/mix/ (comes ready to install
    with Quicksilver - just run Quicksilver for the first time)



    Nym remailers:

    nym.alias.net, home page: Http://www.lcs.mit.edu/research/anonymous.html

    Anon.efga.org, home page: http://anon.efga.org/



    In case you need convincing:

    http://www.gn.apc.org/duncan/stoa_cover.htm



    Useful programs:

    Partition Magic: http://www.powerquest.com/

    FSRaid: http://www.fluidstudios.com/fsraid.html

    HJSplit: http://www.freebyte.com/hjsplit/

    Mastersplitter: http://www.tomasoft.com/mswin95.htm

    PowerPost: http://www.cosmicwolf.com/

    Quickpar: http://www.pbclements.co.uk/QuickPar/

    SmartPar: http://www.smr-usenet.com/tutor/smartpar.shtml

    WinAce: http://www.winace.com/

    WinRAR is here: http://www.rararchiver.com/

    YProxy is here: http://www.brawnylads.com/yproxy/



    Some anonymity sites:

    http://www.worldnet-news.com/software.htm

    http://www.skuz.net/potatoware/index.html

    http://www.skuz.net/potatoware/jbn/index.html

    http://packetderm.cotse.com/

    http://www.cotse.com/refs.htm

    http://freeyellow.com/members3/fantan/pgp.html

    http://www.all-nettools.com/privacy/

    http://Privacy.net/

    http://www.geocities.com/CapeCanaveral/3969/gotcha.html

    http://www.junkbusters.com/ht/en/links.html

    http://www.skuz.net/potatoware/privacy.txt



    Other additional useful sites:

    Beginner's Guide to PGP:

    http://www.stack.nl/~galactus/remailers/bg2pgp.txt

    PGP for beginners:

    http://axion.physics.ubc.ca/pgp-begin.html#index

    FAQ for PGP Dummies: http://www.skuz.net/pgp4dummies/

    The PGP FAQ: http://www.cryptography.org/getpgp.txt

    The SSH home page: http://www.ssh.com/products/ssh/

    Anonymous Posting:

    http://www.skuz.net/Thanatop/contents.htm

    Anonymity Info: http://www.dnai.com/~wussery/pgp.html

    Nym Creation:

    http://www.stack.nl/~galactus/remailers/nym.html

    General info:

    http://www.stack.nl/~galactus/remailers/index-pgp.html


    Revision 18.2


    -----BEGIN PGP SIGNATURE-----
    -----END PGP SIGNATURE-----
    Doctor Who, Jul 5, 2004
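
The advice in questions 43 and 51 above (use SSH2, do not allow DES, point the browser at a "localhost" port) can be checked against a saved PuTTY session. The script below is an added example, not part of the original post or of the Privacy.Li FAQ. It assumes PuTTY's registry value names (SshProt, Cipher, LocalPortAcceptAll, PortForwardings); the session export and its host names are constructed placeholders.

```python
import re

# Constructed sample: one PuTTY session exported from the registry as .reg text.
# Host names and ports are placeholders, not values from the FAQ.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\tunnel]
"HostName"="remote.example.net"
"Protocol"="ssh"
"SshProt"=dword:00000002
"Cipher"="aes,des,3des,WARN,blowfish"
"LocalPortAcceptAll"=dword:00000001
"PortForwardings"="L8080=proxy.example.net:3128,L119=news.example.net:119"
'''

# Matches "Name"="text" and "Name"=dword:XXXXXXXX lines of a .reg export.
LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))\s*$')


def parse_session(reg_text):
    """Return {value name: str or int} for one exported session."""
    values = {}
    for raw in reg_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            name, text, dword = m.groups()
            values[name] = int(dword, 16) if dword is not None else text
    return values


def audit_session(values):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if values.get("Protocol") != "ssh":
        findings.append("session does not use SSH")
    # SshProt: 0 = SSH-1 only, 1 = SSH-1 preferred,
    #          2 = SSH-2 preferred, 3 = SSH-2 only.
    # A missing value is treated as 2 here (an assumption of this example).
    if values.get("SshProt", 2) != 3:
        findings.append("SSH-1 fallback possible; set protocol to '2 only'")
    # Ciphers listed after WARN are only used after PuTTY prompts the user.
    ciphers = [c for c in values.get("Cipher", "").split(",") if c]
    warn_at = ciphers.index("WARN") if "WARN" in ciphers else len(ciphers)
    if "des" in ciphers[:warn_at]:
        findings.append("single DES is above the warning line")
    # Local forwards (L<port>=host:port) are what the browser or newsreader
    # reaches through "localhost"; they should not be open to other hosts.
    forwards = [f for f in values.get("PortForwardings", "").split(",") if f]
    local = [f for f in forwards if f.startswith("L")]
    if not local:
        findings.append("no local port forward defined for the tunnel")
    elif values.get("LocalPortAcceptAll", 0) != 0:
        findings.append("forwarded ports accept connections from other hosts")
    return findings


if __name__ == "__main__":
    for finding in audit_session(parse_session(SAMPLE_REG)):
        print("FINDING:", finding)
```

Run against the constructed sample, it reports three findings: SSH-1 fallback, DES above the warning line, and forwarded ports reachable from other machines on the local network.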