Silk Road forums

Discussion => Security => Topic started by: UK Stealth on January 10, 2013, 03:29 am

Title: PGP-encrypted files CRACKED by £300 Tool Better yank out that power cable?
Post by: UK Stealth on January 10, 2013, 03:29 am
Not sure I wanna go with PGP anymore, seems the law bodies can get one of these now :(..

Please read this article and tell me I'm wrong.

http://www.theregister.co.uk/2012/12/20/elcomsoft_tool_decrypts_pgp

Does anyone have a better solution? I was thinking of using https://privnote.com/
Title: Re: PGP-encrypted files CRACKED by £300 Tool Better yank out that power cable?
Post by: ontheregs on January 10, 2013, 03:39 am
Cracked is an extremely loose word to use here, even if you believe the entire article it doesn't mention anything about cracking the encryption.

It only claims that the tool can get the passphrase from memory, that way after they port the drive to where it's going after, they have the phrase ready so they don't have to drill you for it.

Also the people who are smart and use the two part Truecrypt hidden volume? If true the mounted password to the inside volume would be invaluable to have so that they didn't get blocked on false data.

Nothing cracked though, not today, and certainly not for 300.

The site looks like some shit straight out of the US trash heap they call "The Sun"? Tabloid garbage - Surprised it wasn't Jesus that grabs the password for them.
Title: Re: PGP-encrypted files CRACKED by £300 Tool Better yank out that power cable?
Post by: 00OOIlI00lO1O0 on January 10, 2013, 05:12 am
Disable Firewire in the BIOS. You probably don't use it anyway. Disable (or avoid using systems that have) Thunderbolt ports. This will prevent external tools from dumping the keys for mounted encrypted partitions from memory.

Don't use hibernation on secure systems. Make sure swap space is either disabled, or also on an encrypted partition.

£300 tool (mostly) defeated.

For the purposes of most here, using Tails or other bootable USB OSs that leave no trace on any physical media for as short periods of time as possible will do the trick.
Title: Re: PGP-encrypted files CRACKED by £300 Tool Better yank out that power cable?
Post by: SelfSovereignty on January 10, 2013, 05:36 am
Privnote is definitely worse.  This really isn't anything you need to worry about unless you're moving serious, serious amounts and are worried about them trying to convict you by proving intent to sell instead of charging you with possession.

Honest.  It's no big deal, really.  Yes, it works sometimes, but it's not a real concern.
Title: Re: PGP-encrypted files CRACKED by £300 Tool Better yank out that power cable?
Post by: Nightcrawler on January 10, 2013, 08:24 am
Not sure I wanna go with PGP anymore, seems the law bodies can get one of these now :(..

Please read this article and tell me I'm wrong.

http://www.theregister.co.uk/2012/12/20/elcomsoft_tool_decrypts_pgp

Does anyone have a better solution? I was thinking of using https://privnote.com/

I would suggest that _you_ read the article again, S L O W L Y, for comprehension, this time.

Just in case you missed it the first time, here are the salient points:

- ... "[E]ncryption technology, in the right conditions, can be circumvented thanks to human laziness:"

- "Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data."

- "If the computer is powered off, the analyser can retrieve the keys from a hibernation file on the disk, in which the operating system saves the state of the machine including its main memory, if present and accessible."

Solutions:
=========

* Don't be a lazy sod -- don't afford the authorities the right conditions.

* Be anonymous. If they can't find you, they can't get physical access to your computer now, can they?

* Don't use weak passwords -- use Diceware -- 8-10 words are unbreakable, for the foreseeable future. See: http://www.diceware.com/

* Don't leave your drives mounted when you're not at the computer.

* If your computer has a Firewire port, put epoxy in it, preventing them from using their tool to gather data in the computer's memory.

* Don't hibernate your computer, EVER.

* Encrypt your swap file.

None of the attacks described here are new -- they were described in the original PGP documentation in 1991-92, you just have to take the steps I've outlined above to defeat this type of attack.

BTW, UK Stealth, since you're obviously in the UK, you have another reason for staying anonymous -- the Regulation of Investigatory Powers Act, Part III (RIPA). Under the terms of this Act, if the authorities demand that you decrypt encrypted data, and you refuse, you go to jail for up to two years.

If you thought PGP wasn't effective, why do you think Parliament passed RIPA, Part III?

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
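
The FireWire, swap and hibernation points from the two checklists in this thread, as an added example that is not part of any post: a Python audit that assumes a Linux host and takes the text of /proc/modules, /proc/swaps and /sys/power/state. The function names and sample inputs are constructed for illustration.

```python
# Added example. Linux is an assumption; the thread names no operating system.
# Inputs are passed as text so saved copies of the three files can be audited.
FIREWIRE_MODULES = {"firewire_core", "firewire_ohci", "firewire_sbp2"}

def firewire_loaded(proc_modules):
    """FireWire kernel modules currently loaded (the DMA-capable bus is live)."""
    names = {ln.split()[0] for ln in proc_modules.splitlines() if ln.strip()}
    return sorted(names & FIREWIRE_MODULES)

def suspect_swap(proc_swaps):
    """Swap areas that may hold plaintext memory pages on disk.

    Heuristic: device-mapper devices are assumed to be dm-crypt (they could
    be plain LVM), zram lives in RAM, and swap files are always reported
    because /proc/swaps cannot show whether their filesystem is encrypted.
    """
    suspects = []
    for ln in proc_swaps.splitlines()[1:]:      # first line is the header
        fields = ln.split()
        if not fields:
            continue
        dev = fields[0]
        if not dev.startswith(("/dev/dm-", "/dev/mapper/", "/dev/zram")):
            suspects.append(dev)
    return suspects

def hibernation_available(power_state):
    """True when /sys/power/state lists 'disk' (suspend-to-disk offered)."""
    return "disk" in power_state.split()

def audit(proc_modules, proc_swaps, power_state):
    """Collect one finding per exposure condition that is present."""
    findings = [f"FireWire module loaded: {m}" for m in firewire_loaded(proc_modules)]
    findings += [f"swap not on an encrypted mapping: {d}" for d in suspect_swap(proc_swaps)]
    if hibernation_available(power_state):
        findings.append("hibernation (suspend-to-disk) is available")
    return findings

# Constructed sample inputs, not captured from a real machine.
SAMPLE_MODULES = ("firewire_ohci 45056 0 - Live 0x0\n"
                  "firewire_core 81920 1 firewire_ohci, Live 0x0\n"
                  "ext4 921600 1 - Live 0x0\n")
SAMPLE_SWAPS = ("Filename Type Size Used Priority\n"
                "/dev/sda2 partition 8388604 0 -2\n"
                "/dev/dm-1 partition 4194300 0 -3\n"
                "/dev/zram0 partition 2097148 0 100\n")
SAMPLE_STATE = "freeze mem disk\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_MODULES, SAMPLE_SWAPS, SAMPLE_STATE):
        print(finding)
```

An empty result only means these three heuristics found nothing; Thunderbolt and BIOS-level settings are outside what the files show.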
Title: Re: PGP-encrypted files CRACKED by £300 Tool Better yank out that power cable?
Post by: wasta on January 11, 2013, 01:00 am
PGP is not in use anymore.
PGP is not safe, that is why we use the new GPG.

So you are right and wrong at the same time.
Title: Re: PGP-encrypted files CRACKED by £300 Tool Better yank out that power cable?
Post by: Nightcrawler on January 11, 2013, 01:22 am
PGP is not in use anymore.
PGP is not safe, that is why we use the new GPG.

So you are right and wrong at the same time.

Last I saw, PGP, Inc. was still in business, although they are now owned by Norton <ptui!> .  As far as I am aware, their current software is standards-compliant, as is GnuPG's.
Older versions of PGP are no longer safe, as are older versions of GPG. Unfortunately, that doesn't seem to stop people from using them anyway.

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
Title: Re: PGP-encrypted files CRACKED by £300 Tool Better yank out that power cable?
Post by: 00OOIlI00lO1O0 on January 12, 2013, 06:07 am
"* If your computer has a Firewire port, put epoxy in it, preventing them from using their tool to gather data in the computer's memory."

This isn't very effective. The port's pins are still accessible, especially on a desktop. Disable Firewire in the BIOS, and then it can't be re-activated without restarting the computer, which clears the keys in RAM anyway. Epoxy in the Firewire port just makes it difficult to hide in plain sight.