Best encryption sw for home laptop

Discussion in 'Computer Security' started by emailchrisco, Jun 19, 2006.

  1. I know a whole lot more than you do apparently. Have you ever even used
    Truecrypt's traveler mode?

    I didn't think so.

    In traveler mode of course you need admin rights to mount the volume.
    That's the whole idea, to have everything "self contained" with nothing
    installed on the host. If you want the driver active you have to have
    permission to load it *EVERY TIME*.
    And it will be detected, or the data will not be decrypted. There are
    no other possibilities.
    So does the file disappearing into the bit bucket because some
    transport agent though it was too big, or any number of possible
    scenarios where the data doesn't make it to the destination in tact.

    None of them compromises the data or any passwords. Sorry.
    How has the attacker done this? Even with a trojanized volume the
    recipient has knowledge and opportunity to prevent the compromise. If
    you're so inattentive or stupid that you completely ignore error
    messages then no software or method will save you. That's not a problem
    with the software, it's operator error.
    It was never lost in the first place. The data lost integrity, and was
    discarded as being tampered with. The attacker can not decrypt it. This
    is the whole idea behind having integrity checks in place And again, if
    you're inclined to ignore the fact that your data has been tampered
    with you're lost anyway.
    Can you remove and replace pieces of a PGP encrypted message sent over
    an insecure channel? I didn't think so.

    So for extra points explain to the class why you think an attacker
    can break the same or equally strong encryption in some other file.
    No, you're a blowhard whose running his mouth about things he knows
    nothing at all about. You've obviously never used any of the software
    we're discussing. You even thought PGP SDA's were mountable volumes for
    Christ's sake. You're totally clueless.
    You're a liar. A bald faced liar. I never said any thing of the sort,
    it was *you* who made that mistake.

    It's no wonder you've been banned from so many places. Look at the way
    you behave. :(
    You should try actually learning something about the subjects you try
    and discuss. You're assumptions are making you look like a fool.
     
    Borked Pseudo Mailed, Jun 23, 2006
    #41
    1. Advertisements

  2. emailchrisco

    Demosthenes Guest

    <>
    I cannot mail a truecrypt file to (or Bestcrypt or FreeOTFE or
    PGPdisk container) to a recipient who doesn't have those
    programs installed on his machine, and who doesn't have admin
    privilieges. That is the situation with most government and
    many industry computers.
    I have never seen anyone crack such a message.
    That's good enough for me.
     
    Demosthenes, Jun 23, 2006
    #42
    1. Advertisements

  3. Yes, you *do*. You're misreading the very documentation you quoted I

    think.
    Note: No files installed on the machine. This means any drivers as
    separate. Included only with the "archive".

    Take it to the logical extreme, and I think it's clearer. Burn a
    traveler mode volume to CD and access it once. Windows makes a record
    of where the drivers are, and loads them. Now remove teh CD and reboot
    the machine. The drivers can not be loaded, obviously. To reload them
    you have to again have admin privileges, like you do when you load any
    such device driver.
    Yes, it makes registry entries. This is a completely different thing
    than installing drivers. Windows also makes a record of the drive
    letter, accessed files, and a lot of other things that have nothing at
    all to do with loading or unloading the actual drivers that grant you
    access.
    Please read this line again. Note it says "to use", not "to use the
    first time" or "to install". Every time the driver needs reloaded you
    need admin rights (if your OS requires admin rights to load this sort
    of driver at all). Remember that nothing is installed locally. Now
    think about how those drivers will remain loaded, or reload, after they
    have been unloaded or the volume has been removed.

    The short answer is, they can't, unless you specifically request them
    to be reloaded by attempting to mount the volume again. And that
    requires admin rights.
    Of course not. That's as ridiculous a statement as has ever graced this
    group. Compromising a PGP SDA or encrypted WinZip archive isn't
    anywhere near as "simple" as some people might mislead you into
    believing either. This sort of software wasn't dreamt up yesterday.
    There's been a considerable amount of effort invested in making sure
    they can't be tampered with. But if you're of the "nothing is perfect"
    mind set, then by all means move the encrypted archive to an isolated
    machine and open it. If there was any chance that it had been cracked
    or replaced, you've given the attacker nothing. You'll know it right
    away, and you can make arrangements to have the data resent.

    FWIW, I spent 8 years in the US Air Force handling encrypted
    communications and data. This sort of suspected compromise happened
    more often than anyone would like to admit. We had an extensive set of
    procedures for destroying suspect data, and resending good data. It can
    be done, and quite successfully, in spite of what those who have never
    dealt with such things will tell you. You just need a good software, and
    a little common sense. ;-)
     
    Borked Pseudo Mailed, Jun 23, 2006
    #43
  4. This doesn't appear as a description of your own requirements so much
    as a bit of theoretical brain storming. I certainly didn't take it to
    mean anything specific anyway.

    That's often a problem with text based communication. It's necessary
    to state what you mean outright, and plainly. ;0)
    I have. But it was a long time ago and the technology has improved.
    It's really a matter of assessing your risk, and using a little common
    sense.

    FWIW, I'd lean more towards a PGP self-decrypting file. Only because
    your goal is security, not compression, and PGP is a security
    application which happens to compress. WinZip is a compression utility
    with security screwed into the side. That's just a "gut" thing, either
    one is probably good enough. I just gravitate towards "the proper tool",
    maybe a bit too much sometimes. :)
     
    Borked Pseudo Mailed, Jun 23, 2006
    #44
  5. Effectively it is. They attacker simply replaces the file with his own
    executable that sends him back the password and then does whatever it
    wants (nothing, outputting an error messages, decrypting the original
    archive, decrypting the original archive and then changing all its
    executables, decrypting the original archive and then replacing itself
    with the original archive, ...). Now he has the password and the
    encrypted archive.

    There is a slight difference when there's only a passive attacker, but
    this model rarely applies.

    Well, one really shouldn't care for your credence if you don't get such
    basic things on your own.
     
    Sebastian Gottschalk, Jun 23, 2006
    #45
  6. What an utter bullshit. There's no need to crack it. The attacker just
    replaces the executable so that it compromises the password.
     
    Sebastian Gottschalk, Jun 23, 2006
    #46
  7. emailchrisco

    Demosthenes Guest

    volumes.

    Yep. I've just dug up SFS and SecureDrive - but I have no idea
    if these old DOS programs will run under Windows XP.
    H'mm. I'd didn't know about PGP SDAs.
    PGPZip won't work, because the recipient has to have PGP
    installed.
    But I'll have to look into PGP SDA.
     
    Demosthenes, Jun 23, 2006
    #47
  8. emailchrisco

    Hadron Quark Guest

    But the thread did track to that : so you *do* need to install the SW on
    the targeg machine using admin rights? Next to useless then for anyone
    using other people machines to read mails isnt it?
     
    Hadron Quark, Jun 23, 2006
    #48
  9. I could imagine much better ways to waste time.
     
    Sebastian Gottschalk, Jun 23, 2006
    #49
  10. And do.
     
    Borked Pseudo Mailed, Jun 23, 2006
    #50
  11. The difference between "install" and "temporarily load" is mostly
    semantics quibbling, so yes, as far as that goes you're correct. The
    error arose when someone apparently tried to suggest that once the
    device driver had been installed you no longer needed admin rights for
    future access. Obviously this isn't the case, as no drivers are
    *permanently* installed. Each new access requires another
    "installation".

    The other "oops" was people not realizing that the OP's situation was
    actually one where admin rights couldn't be had, rather than chat about
    rights being an academic exercise.
     
    Non scrivetemi, Jun 23, 2006
    #51
  12. emailchrisco

    Zoltan Guest

    That's right.
    Or to open a container file carried on a USB device on a machine to
    which you do not have administrator rights.
    This appears to be the case with ALL OTFE systems, since they all seem
    to use device drivers.
    Traveller Mode

    TrueCrypt can run in so-called 'traveller' mode, which means that
    it does not have to be installed on the operating system under which it
    is run. However, there are two things to keep in mind:
    1) You need administrator privileges in order to able to run TrueCrypt
    in 'traveller' mode.
    2) After examining the registry file, it may be possible to tell that
    TrueCrypt was run on a Windows system even if it is run in traveller
    mode. If you need to solve these problems, we recommend using BartPE
    for this purpose. For further information on BartPE, see the question
    "Is it possible to use TrueCrypt without leaving any 'traces' on
    Windows?" in the section Frequently Asked Questions.


    In Windows, a user who does not have administrator privileges can use
    TrueCrypt, but only after a system administrator installs TrueCrypt on
    the system (or after the administrator gives the user administrator
    privileges). The reason for that is that TrueCrypt needs a device
    driver to provide transparent on-the-fly encryption/decryption, and
    users without administrator privileges cannot install/start device
    drivers in Windows.

    After a system administrator installs TrueCrypt on the system, users
    without administrator privileges will be able to run TrueCrypt,
    mount/dismount any TrueCrypt volume, and create filehosted TrueCrypt
    volumes on the system. However, users without administrator privileges
    cannot encrypt/format partitions, cannot create NTFS volumes, cannot
    install/uninstall TrueCrypt, cannot change passwords/keyfiles for
    TrueCrypt partitions/devices, cannot backup/restore headers of
    TrueCrypt partitions/devices, and they cannot run TrueCrypt in
    'traveller' mode.
     
    Zoltan, Jun 23, 2006
    #52
  13. Every crypto file system implementation needs one if none is already
    preinstalled on common operating systems. That's why you cannot have
    both running with absolutely no admin rights and a filesystem-only
    solution at the same time.
     
    Sebastian Gottschalk, Jun 23, 2006
    #53
  14. emailchrisco

    Demosthenes Guest

    I believe that you are correct.
    I got it.

    What I want most to do is to carry data from home to my work
    computer on a USB drive.

    I want it encrypted in case I lose the USA device.

    I want to be able to access it from my work computer, on which I
    do not have admin rights.

    PGP SDA or WinZip seem to be the only solutions.
     
    Demosthenes, Jun 24, 2006
    #54
  15. emailchrisco

    Demosthenes Guest

    So how did Secure File System and SecureDisk work? (old DOS only
    programs, using TSRs)
     
    Demosthenes, Jun 24, 2006
    #55
  16. (Demosthenes) wrote:

    What about the most obvious solution... asking your admin to install
    Truecrypt on your work machine. :)

    Make the argument that allowing you to work from home makes you more
    productive, and the security of Truecrypt makes you safe. Explain what
    a win/win situation it is. If this is a legitimate request I don't see
    how any employer or admin could possibly refuse. You apparently have
    the ability to plug in a USB device and move files, so unless you're
    violating your TOE or some NDA type thingy, you're being a lot more
    responsible than the average Joe carrying unencrypted files back and
    forth.

    Even Truecrypt's licensing is golden...

    http://www.truecrypt.org/license.php

    2. "You" (or "your") means an individual or a legal entity (e.g., a
    non-profit organization, commercial organization, government agency,
    etc.) exercising permissions granted by this License.

    [...]

    2. You may use this product freely (see also Section III.) on single or
    multiple computers/systems for non-commercial and/or commercial uses.

    Section III deals with modifications and derivatives.

    I really don't see a down side to any of it. :)
     
    Borked Pseudo Mailed, Jun 24, 2006
    #56
  17. Rights and privileges are a product of a multi-user environment. MS-DOS
    had no differentiation between "users". It just ran, and essentially
    everyone was an admin. Indeed, there was no "login" to be found
    anywhere, and if you had a command prompt you could even delete the
    operating system itself. ;)

    The same could be said for Win9x even though "profiles" were
    implemented. Everyone was still a superuser. Windows NT is a multi-user
    environment. XP is more or less, having been spawned from NT, with the
    lines blurring a bit regarding certain functions. Your *nix and *BSD
    type operating systems are true multi-user operating systems from the
    ground up. That's one of the reasons computer viruses have a harder time
    propagating through and/or damaging *nix/BSD machines. There's a well
    defined difference between user space, and kernel space. There's "not
    so much" on an XP box, and none at all on 9X or DOS boxes.
     
    Borked Pseudo Mailed, Jun 24, 2006
    #57
  18. emailchrisco

    Demosthenes Guest

    I still have copies of SD and SFS.

    I wonder if I could get them to run in a DOS box...
     
    Demosthenes, Jun 24, 2006
    #58
  19. emailchrisco

    Demosthenes Guest


    Working from home isn't the only issue; it's also traveling with
    a laptop.

    It's a large organization. If the head man in charge of IT
    didn't come up with the idea, it's a BAD idea.

    They haven't a clue; you can boot their laptops with BartPE or
    Knoppix and do anything you want with them.

    EXCEPT secure them.

    I know how to use Windows encryption to at least secure the
    laptop; very few others do. But Windows encryption won't let me
    secure the USB drive.

    After the VA privacy breach, I wrote my Congresscritters to
    suggest this, but haven't gotten a response.

    Here's WHY I want the government to use encryption:
    http://www.privacyrights.org/ar/ChronDataBreaches.htm

    Someday they will use encryption - when their IT managers can
    come up with the credit for suggesting the idea.

    You may have noticed that the analyst who took the VA laptop
    home got fired.

    But the VA head of IT didn't.
     
    Demosthenes, Jun 24, 2006
    #59
  20. Highly unlikely. If they're anything at all like modern encrypted file
    system utilities they need to load some sort of driver that intercepts
    disk activity. That surely means admin rights, and assuming that you
    mean a terminal window when you say "DOS box" that command prompt will
    inherit whatever rights you have as a normal user. Hopefully that's not
    admin rights. ;)

    There's probably other things that will make the drivers/programs
    explode, but assuming the code runs at all this will probably be the
    proverbial straw that breaks the camel's back.
     
    George Orwell, Jun 24, 2006
    #60
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.