Silk Road forums

Discussion => Security => Topic started by: tbart on July 12, 2013, 03:21 pm

Title: GPG4USB Security paranoia
Post by: tbart on July 12, 2013, 03:21 pm
I'm not the brightest guy in the world in terms of being computer literate, but if all the encryption companies had to give US Fed law enforcement backdoors to their encryption software, then how is GPG4USB safe?

Any assist here would be really appreciated - my paranoia level just hit DEFCON 5.
Title: Re: GPG4USB Security paranoia
Post by: Jack N Hoff on July 12, 2013, 03:23 pm
Back door that would allow them to crack PGP messages? ???  That doesn't even make sense. ;D
Title: Re: GPG4USB Security paranoia
Post by: astor on July 12, 2013, 03:30 pm
I'm not the brightest guy in the world in terms of being computer literate, but if all the encryption companies had to give US Fed law enforcement backdoors to their encryption software, then how is GPG4USB safe?

Any assist here would be really appreciated - my paranoia level just hit DEFCON 5.

GnuPG and GPG4USB are open source, so people can see what it's doing: http://cpunk.de/svn/src/gpg4usb/branches/0.3.2-1/

You probably shouldn't trust proprietary software for your security, because it might be backdoored. Skype is definitely backdoored.
Title: Re: GPG4USB Security paranoia
Post by: tbart on July 12, 2013, 04:35 pm
Astor said "....GnuPG and GPG4USB are open source, so people can see what it's doing: http://cpunk.de/svn/src/gpg4usb/branches/0.3.2-1/"

Problem is, I'm not computer or software literate, and I remember reading in one of the NSA articles how some software security engineers noticed a file in Windows 8 showing "NSA key" or something like that. It was in a file that used to contain only a Windows management key - when they pushed their counterparts at Microsoft, they confirmed it was an NSA backdoor. But the point is, Windows 8 had been out what, 1 - 1.5 years, before folks that knew what they were doing software-wise noticed that key. With my post, I was hoping some of the guys who are sharp on this stuff could give a definitive answer.


Well, I remember when the original designer of PGP was held, without any criminal charges, back in the mid 1990s, because he wouldn't give the feds a backdoor. IIRC, he refused and stayed in jail for almost 2 years, again without any charges being levied. There was a big uproar in the computer security world but not much mention, if any, in the major media.

Given everyone has whored themselves to the feds - Yahoo, Google, Microsoft, I'm sure Steve Jobs as well, Facebook - plus I remember an article about how any encryption software under US export controls had to provide the feds with a backdoor if they wanted to export their software. And State Dept has its own logic, nothing resembling common sense. I used to deal with the State Dept on exports, and what was extreme arrogance: under the 1974 AECA (Arms Export Control Act), any manufacturer of any item on the munitions articles list was required by law to register as an exporter (fees went to $2500 per year, with two-year registrations required) - that sounds innocent enough except when you looked at the munitions articles list - Q-tips were on the list as they are sometimes used to clean firearms, so Johnson & Johnson, as they manufactured Q-tips, were required to register.

When the fees started skyrocketing, we decided to terminate our export registration - State Dept forced us to continue our registration until we finally terminated our federal manufacturing license (and filed a new one) and gave State Dept notice of the termination - that was what it took to get off their list. They were extremely liberal, with no hesitancy to inject their political agenda into the conduct of their agency - and as liberals, extreme control freaks.

I have no doubt they put similar pressure on the software companies, especially the encryption vendors - without knowing software, even though MIT's PGP is open license, I can't see why they would let them escape control and submitting a backdoor. Which leaves the password into it as the last bit of security.

I doubt asking the folks at MIT if they gave the feds a backdoor would result in an answer that would be useful - if they had, I'd expect them to say they hadn't - look at the egg on Facebook's and Google's faces when they first denied assisting the NSA.

Would really like to be able to put my paranoia to sleep on this one.

For those wanting a better sense of how illogical (and authoritarian) US State Dept can be: when we first signed up or registered as exporters, they indicated on their website that they "published" a newsletter, by their words, "every 14-16 months", and would announce new regs in those newsletters. Think about that: a new reg could be put into effect right after a newsletter goes to print, so users in the field wouldn't know about it for 14-16 months unless they read the Federal Register every week - major corporations have staffs tasked to do just that.

Well, we had just gotten back from a defense exhibit in the UAE in the early 1990s and had sold a highly engraved over/under shotgun, a Browning Superposed, that was going to be a gift to the King of the UAE, His Excellency Sheikh Zayed. We were repping for the engraver, the master engraver at Browning, Liege, Belgium. That shotgun would never enter the US or leave the US.

When we returned from the UAE, we received our first copy of that newsletter, and it had an announcement that State Dept was considering promulgating a new reg requiring "brokers" to register as exporters. Now, for background, every shipment that leaves the US has to be licensed, that license applied for by the exporter.

Indicating brokers needed to register bothered me, so I called one of the licensing officers for info. I mentioned we had just accepted a commission for a $135,000 shotgun going from Belgium to the UAE and had read the blurb about brokers.

Well, first time I'd ever gotten a return call on the first message, and the guy that called was named Calvin xxxxx, and the guy literally barked at me, "This is xxxx (xxxx = last name), John xxxx, US State Dept licensing officer - I have your message here and want you to put in a letter exactly what you're doing between Belgium and the UAE." That's how the conversation started.

He had barked that statement so harshly (think in terms of bellowed it) that I played stupid and said, "I'm sorry, WHO is this?" and of course he repeated his name & title, but still bellowing it like I should be coming to attention. So I repeated my question again and he repeated, this time with a slight quizzical note in his response. I said, "xxxx, I'm not sure who you are, but I would assume you are returning my call re the question I left. If so, courtesy would dictate you respond to my question first, and let me advise you, if you can't offer me the courtesy in this conversation that you expect from me, this conversation will end abruptly and we'll continue it with your supervisor on the line." I then went on to ask what the current regs were re brokered sales. His response: "none currently". I asked him if, by brokered sales regulations, State Dept deemed it in their authority to deny a sale from one US ally to another US ally, even though that sale would be occurring in full compliance with both the exporting and importing countries' regulations and perfectly legal for a Belgian national or a UAE national to execute. He said "yes". I responded that obviously US State must think it has a deed of ownership on our company, and if it did, please show it to me, as I'd show them a forged signature. He then bellowed "I want you to put in writing what it is you are doing and mail it to me". I asked him, "Didn't you say there were no regs currently re brokered sales?" and he bellowed that answer, "yes" - I said have a good day and hung up.

Before you doubt the above exchange occurred, picture all those videos on YouTube of cops acting badly, showing their "authoritae" - that is State Dept, ATF, DEA & IRS.


The part about the guy from PGP that was jailed on contempt until he released the backdoor key to PGP, that was for real - and knowing how much they would definitely want one, I've got to assume they have it - they are not above the law, remember, the law doesn't apply to them - look at ATF exporting 2000+ assault rifles to the cartels WITH NO EXPORT LICENSE - realistically, with no approval from State Dept, all to run the gun deaths up to give themselves footing for more gun regulations in the US.
Title: Re: GPG4USB Security paranoia
Post by: Jack N Hoff on July 12, 2013, 04:39 pm
Do you not know what open source means?  Any programmer that feels like it can comb through the code....
Title: Re: GPG4USB Security paranoia
Post by: tbart on July 12, 2013, 05:25 pm
Eh, Jack, as I said at the opening of my first post, "I'm not the brightest guy in the world in terms of being computer literate".

I couldn't comb through code if my life depended on it - I'm past sixty years old, so while kids today grew up knowing this stuff like we knew whatever it was we knew in my day, what I'm asking is, is the community comfortable that PGP is safe - again, I just remember the original engineer, or one of them, being held in jail for close to 2 years under contempt of court because he wouldn't release the key, or the algorithm, or whatever, to PGP.

Has GPG4USB or PGP been studied definitively by the computer-software literate?
Title: Re: GPG4USB Security paranoia
Post by: Jack N Hoff on July 12, 2013, 05:35 pm
Yes Tbart, it is safe. :)  Use a 4096 bit RSA key.
Title: Re: GPG4USB Security paranoia
Post by: Fallkniven on July 13, 2013, 12:10 am
I've done some tests with a major password cracking suite that the feds are supposed to make use of. It is programmed in such a way that even an idiot could crack something, GUIs and specialised search/crack methods - you really need to see/use it for yourself to get an idea of the scope of this software.

It found my (stupidly) stored gpgring.sec file that stores all my PGP private keys & thusly tried to crack them using a multitude of Brute Force options and presets. The only thing that prevented the passwords from being found is their complexity and length.

Try it for yourselves...

http://jntlesnev5o7zysa.onion/torrent/6964061/ElcomSoft.Password.Recovery.Bundle.Forensic.Edition.v2012-DOAISO
Title: Re: GPG4USB Security paranoia
Post by: Nightcrawler on July 13, 2013, 06:01 am
Astor said "....GnuPG and GPG4USB are open source, so people can see what it's doing: http://cpunk.de/svn/src/gpg4usb/branches/0.3.2-1/"

Problem is, I'm not computer or software literate, and I remember reading in one of the NSA articles how some software security engineers noticed a file in Windows 8 showing "NSA key" or something like that. It was in a file that used to contain only a Windows management key - when they pushed their counterparts at Microsoft, they confirmed it was an NSA backdoor. But the point is, Windows 8 had been out what, 1 - 1.5 years, before folks that knew what they were doing software-wise noticed that key. With my post, I was hoping some of the guys who are sharp on this stuff could give a definitive answer.

To the best of my recollection, according to Microsoft, the so-called NSAkey was just a key used for some internal purpose -- other people took this as evidence that Windows was backdoored. Windows may, in fact, actually _be_ backdoored, I don't know. What I do know for certain is that Windows has enough vulnerabilities that it really shouldn't be used for anything in the least bit dodgy. In any case, the most recent revelations have shown that Microsoft is not to be trusted in the least.

Well, I remember when the original designer of PGP was held, without any criminal charges, back in the mid 1990s, because he wouldn't give the feds a backdoor. IIRC, he refused and stayed in jail for almost 2 years, again without any charges being levied. There was a big uproar in the computer security world but not much mention, if any, in the major media.

Your recollection is, to put it mildly, incorrect. Phil was never jailed, although he was harassed each and every time he returned to America after traveling abroad, until the charges were eventually dropped altogether.


[...]

would really like to be able to put my paranoia to sleep on this one

You can't. Your only choices are to examine the code for yourself, or hire someone to do it for you.

[snip]

The part about the guy from PGP that was jailed on contempt until he released the backdoor key to PGP, that was for real

No it isn't -- Phil was never charged, let alone jailed. You are most certainly entitled to your own opinions, but you are NOT entitled to your own facts.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
Title: Re: GPG4USB Security paranoia
Post by: Nightcrawler on July 13, 2013, 06:19 am
I've done some tests with a major password cracking suite that the feds are supposed to make use of. It is programmed in such a way that even an idiot could crack something, GUIs and specialised search/crack methods - you really need to see/use it for yourself to get an idea of the scope of this software.

It found my (stupidly) stored gpgring.sec file that stores all my PGP private keys & thusly tried to crack them using a multitude of Brute Force options and presets. The only thing that prevented the passwords from being found is their complexity and length.

Try it for yourselves...

http://jntlesnev5o7zysa.onion/torrent/6964061/ElcomSoft.Password.Recovery.Bundle.Forensic.Edition.v2012-DOAISO

That is why I recommend 8-10 Diceware words to protect your TrueCrypt volumes and/or PGP keyrings. While I haven't used the Elcomsoft software, I suspect that it has code in it which enables it to try all the usual tricks that people think are secure. The bottom line is that people are really lousy judges of what constitutes a good, unguessable, secure password. These weaknesses are what the software exploits.

Access Data in Orem, Utah sells password breaking software to Federal agencies that scours suspect computers for keywords related to hobbies and the like. For example, a motorcycle buff might choose words related to motorcycles as his/her password.  A suspect in England, with an interest in horses used an obscure term related to a stirrup as his password.

If you use Diceware, all this subjective information will yield them nothing.  Even if they know you have used Diceware, and even if they know the length of your passphrase, they still cannot brute-force it, if you have used a reasonable number of words.  Diceware's strength lies in the nature of how the words are chosen -- by a random, physical process -- rolling dice.
The authorities' only option is brute force, which is fruitless if you have used a sufficiently long passphrase.

See: http://www.diceware.com/

Also see: DNA Key to Decoding Human Factor
http://www.washingtonpost.com/wp-dyn/articles/A6098-2005Mar28.html

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
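Nightcrawler's point above, and Fallkniven's keyring-cracking test earlier in the thread, come down to arithmetic: if each word is chosen uniformly from a 7776-word list (five dice rolls, 6^5 outcomes), each word adds log2(7776), about 12.9 bits, regardless of what the attacker knows about the list or the word count, so the only attack left is exhaustive search. The block below is an added example and is not code from the thread or from the Diceware project. It parses the Diceware file format (a five-digit dice key, whitespace, a word), generates keys with the `secrets` module as the software stand-in for physical dice, and estimates brute-force time. The six-entry SAMPLE_LIST is a constructed excerpt in that format, not the real list, and the 1e12 guesses per second attacker rate is an assumed figure for illustration. In practice GnuPG stretches the keyring passphrase with iterated, salted S2K hashing, so a real rate against secring.gpg is far lower; the margin is there on purpose.

```python
"""Diceware passphrase helper (added example; not from the thread or diceware.com).

Five dice rolls select one of 6^5 = 7776 words, so each word contributes
log2(7776) ~ 12.92 bits of entropy. SAMPLE_LIST is a constructed excerpt in
the Diceware file format; load the real list from http://www.diceware.com/
to generate passphrases you would actually use.
"""
import math
import secrets

LIST_SIZE = 6 ** 5                       # 7776 words in a full Diceware list
BITS_PER_WORD = math.log2(LIST_SIZE)     # ~12.92 bits per word

# Constructed sample in the "<5 dice digits><whitespace><word>" format.
SAMPLE_LIST = """11111\talpha
11112\tbravo
11113\tcharlie
66664\txray
66665\tyankee
66666\tzulu
"""


def parse_diceware_list(text):
    """Map 5-digit dice keys ('11111'..'66666') to words, skipping blank lines."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word
    return words


def roll_key(rng=secrets):
    """Five cryptographically random die rolls as a Diceware key string.

    Physical dice are the reference method; secrets.randbelow is the
    software substitute (never random.random for this purpose)."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(5))


def passphrase_from_keys(keys, words):
    """Look up each dice key in the word list and join the words with spaces."""
    return " ".join(words[k] for k in keys)


def generate_passphrase(n_words, words, rng=secrets):
    """Roll n_words keys and return the passphrase.

    Re-rolling a key that is absent from the list only matters for a partial
    list like SAMPLE_LIST; with the full list every roll hits, and re-rolling
    keeps the choice uniform over the words that are present."""
    keys = []
    while len(keys) < n_words:
        k = roll_key(rng)
        if k in words:
            keys.append(k)
    return passphrase_from_keys(keys, words)


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of an n-word passphrase drawn uniformly from list_size words.

    This holds even if the attacker knows the list and the word count."""
    return n_words * math.log2(list_size)


def brute_force_years(bits, guesses_per_second):
    """Worst-case time to try every passphrase of the given entropy."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    words = parse_diceware_list(SAMPLE_LIST)
    print("sample passphrase:", generate_passphrase(3, words))
    rate = 1e12  # assumed attacker rate, guesses per second, for illustration
    for n in (5, 8, 10):
        bits = entropy_bits(n)
        print(f"{n} words: {bits:.1f} bits, "
              f"~{brute_force_years(bits, rate):.2e} years at {rate:.0e}/s")
```

At the assumed rate, five words (about 65 bits) fall within a year, while eight words (about 103 bits) take on the order of 10^11 years, which is the gap between a passphrase that looks long and one that is actually out of reach; the 8-10 word recommendation above is where that curve goes flat for any attacker that is not simply guessing the words from your hobbies.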

Title: Re: GPG4USB Security paranoia
Post by: Fallkniven on July 13, 2013, 07:13 am
I just use KeePassX in Tails now, it stores all my passwords encrypted with a master password, it also comes with an excellent password generator. Everything I need for safe password creation, storage and retrieval.
Title: Re: GPG4USB Security paranoia
Post by: tbart on July 13, 2013, 06:06 pm
[Nightcrawler's reply above, quoted in full]

Appreciate the detailed response - and I'll assume your memory is better than mine on Phil Zimmermann - I couldn't remember his full name till you reminded me of his first - but I swear there was an article about them holding him in jail for refusing, IIRC somewhere in Colorado, but again, I'll defer to your memory.

Thanks for the suggestion on the Diceware list - makes a lot of sense on passwords.

Thanks again.