Truecrypt development stopped. Recommend changing to Bitlocker.

beauf wrote: »

The problems with technology, is there always someone/organization with better technology. So it would be naïve to think you are secure against everyone. Even in the pipe is secure, it has to enter and leave it at some point. Even if that through social engineering, or a person. A Maginot Line as it were. "strategically ineffective".

Most people concerned about such things don't commit any data to electronic means at all.

For most people their data they are sending isn't sensitive anyway.

It's a much greater act of naivete to believe you've nothing to hide, therefore never need to worry about it, indeed it's one of the more common fallacies when it comes to security.

Also I don't see the fact that 100% security isn't always achievable to be a reason to conclude that the only way to maintain your privacy is to go live in a cave and use finger painting to communicate.

Even a well resourced adversary has to be able to distinguish only your traffic - this is why the Maginot line is such a poor basis of comparison as it was obvious to any fool where it was - a better analogy might be one letter amongst millions at the post office - which has to be found before any cryptanalysis can begin. This is why the article on the Tor website doesn't bother me that much - it tells us very little we didn't know before and isn't practical for surveillance purposes, at least on this scale.

Dermot Illogical wrote: »

As I recall they are govt-funded, or were at any rate. But that doesn't matter as much as control of the nodes.

You're right they do receive funding from the US government, as the tor browser is used by the Navy, diplomats etc. of course the AES cipher was also the result of a government sponsored competition, I don't really smell a rat as it helps the country as a whole if we all keep our data safe.

Recondite49 wrote: »

You're right they do receive funding from the US government, as the tor browser is used by the Navy, diplomats etc. of course the AES cipher was also the result of a government sponsored competition, I don't really smell a rat as it helps the country as a whole if we all keep our data safe.

I don't think their objectives are as altruistic as that.

beauf wrote: »

I don't think their objectives are as altruistic as that.

Answer your own question though - why not develop their own cipher in house? The answer I think is that security through obscurity is much weaker than open source.

Recondite49 wrote: »

...When it comes to cryptography, you might have noticed a computer is pretty handy.

Having said that if anyone wants to use an air gap to keep encrypted data safe or use a one time pad hand cipher, you'll have no argument from me. I just get ticked off by smug security researchers in pony tails saying that only face to face communication is secure.

Smug researchers? I'm just saying in my experience at a certain level of business you'll never see an email. If you get a phone call it will be vague to the point of nonsense unless you know the context, and you won't know the number as it won't be from their main phone. Its not about it security either. Its about deniable responsibility. But has the same outcome.

Recondite49 wrote: »

A passive adversary does indeed need to look at all the letters - of course if you want to intercept mail to a certain address the job is made easier but you still have to locate the letter at some stage in the system.

If the person is not random. Then you have a starting location. Probably a destination. Also.

Recondite49 wrote: »

The reason the Maginot line failed was as you say that people who knew its location simply chose to walk around it. I agree that the basic structure of the tor network has yet to be compromised and that attacks have centred around the end points but as mentioned previously it's a moot point if you make use of the hidden services so that your traffic doesn't leave the network.

This latest attack looks good on a white paper but it couldn't be used in its current incarnation to actively monitor a specific user at all times, even if you knew from where they're connecting.

No harm in encrypting your messages as they go through tor mind you!

The Maginot line didn't fail in one part of its job. It prevent direct attack. But unfortunately that wasn't the only problem.

beauf wrote: »

Smug researchers? I'm just saying in my experience at a certain level of business you'll never see an email. If you get a phone call it will be vague to the point of nonsense unless you know the context, and you won't know the number as it won't be from their main phone. Its not about it security either. Its about deniable responsibility. But has the same outcome.



If the person is not random. Then you have a starting location. Probably a destination. Also.



The Maginot line didn't fail in one part of its job. It prevent direct attack. But unfortunately that wasn't the only problem.

I think it's important to bear in mind that the attack here against the tor network isn't particularly effective.

If we were to take a real world analogy besides the Maginot line (because with respect, it doesn't afford much anonymity having miles of tanks and barbed wire), I think this can be explained quite easily.

Let's imagine a Post Office in a Banana Republic with 100 clerks. Let's say six of them have been bribed and are under the control of the local government.

Bear in mind for state surveillance to be effective at all, these clerks need to be in place and bribed at all times, however this isn't a problem for people with access to tax money, so far things are looking good for our shadowy hypothetical Politburo.

The clerks are bribed to write down the home address of everyone who sends mail at their counter as well as the intended recipient.

All it then takes is to forward the Politburo a copy of this list and they'll know who's been talking with who, right?

Well firstly, all you would be able to prove from a system such as this is that someone at one address had sent a message to a person in another. In itself it wouldn't tell you who the person was who sent the letters*, nor would it tell you anything about the contents of the letter, which is enciphered**.

Moreover if the address to which the sender is traced is one used by many individuals like a college or a workplace, then the task is made much harder for the government. The same also applies to the recipient.

Just to make things even more difficult for our imaginary Politburo, every time someone goes to the Post office counter, they could choose to use a clerk not under their control.***

Of course they could try to solve this problem by bribing more clerks but the clerks themselves are subject to regular scrutiny by their own organisation which has a vested interest in maintaining the anonymity of the postal system and can immediately fire anyone found to be helping the government to trace mail.

Worse still, if the government is looking to track a particular individual, they have no way of knowing when or from where their message will be sent, nor can they easily know every person with whom they'll have contact.

Perhaps when it's put in these terms, it's easy to see why I don't think this type of attack on the tor network is very practical. Still I'm pleased they plugged the gaps but as I said, I'm not losing any sleep.



*Admittedly in a real life post office you may have to provide your name or at least consent to having your face filmed but this isn't the case for Tor users.
**Again, in real life a postal clerk could admittedly open the envelope but that's not practical here as the type of attack described doesn't decrypt traffic, just helps to trace it.
*** In the attack described, only around 6% of entry nodes were compromised. They have now been removed from the network.

Recondite49 wrote: »

I think it's important to bear in mind that the attack here against the tor network isn't particularly effective.

If we were to take a real world analogy besides the Maginot line (because with respect, it doesn't afford much anonymity having miles of tanks and barbed wire), I think this can be explained quite easily....

You're kinda stuck in a loop around electronic anonymity. My point was you can attack at other points other than the network.

IMO its incomplete, and its still assuming anonymity in a network. Just not an electronic one. Anyway, you're focused on a very specific area of security, which is taken as secure until the internet tell us other wise. I was talking about security in general as I see it used in business.

How about returning to the subject of the thread. True-crypt was secure....and now it isn't. Or maybe it never was. Or maybe it is, and they don't want you to use it.

.. or just because you're paranoid doesn't mean they're not out to get you.

Rucking_Fetard wrote: »

http://www.wired.com/2014/08/operation_torpedo/

Thanks for this RF, a colleague and I were discussing this a few weeks ago - particularly worrying as of course verifying the key used to sign the software wouldn't help here as no doubt that would be swapped out too! :-)

He said that maybe compiling the code from source would be an idea, however this would mean you'd have to minutely examine each line to be on the safe side.

Am I right in thinking that this was a worry surrounding Truecrypt in that it was virtually impossible to determine whether the compiled binaries matched the code on the website?

Khannie wrote: »

Just going back over this thread now...



Unfortunately I believe that even having sent such an email would make you a target. I routinely encrypt emails between myself and technically competent friends but I believe the fact that I've sent a PGP encrypted email probably has me on some list somewhere.

Hi Khannie,

While I doubt you're going to be bagged and tagged by Mossad anytime soon, this is an excellent point in that use of privacy tools can in and of itself attract unwanted attention.

I think you could probably mitigate the risk of your e-mails being intercepted by using a mail provider that uses a Tor hidden service e.g MailtoTor or I2P's own Susimail but of course this could be seen as a regressive argument as then an Orwellian government will know you're blanketing all your traffic, not just your e-mails.

Personally I try to use the obfsproxy browser to send my messages which makes some attempt to disguise the fact you're using tor, although I'm told that it's not 100% effective.

One of the former security gurus I met in the heyday of the Silk Road suggested using stego tools to hide encrypted messages inside innocent looking photos but I think this just reiterates the same problem in that the presence of such tools on your hard disk would lead to a minute examination of every file there - of course if you're feeling impish (as I often am), you could download several of such tools and use them to hide junk data in an image or two, just to keep everyone guessing!

They could simply invent something to frame you with. They don't have to base it on your data.

howamidifferent wrote: »

This. A driveby to load your PC with kiddy porn and thats you fcuked.

Or indeed simply stealing someone's credit card info to buy kiddy porn as your man Brian Cooper found out. It's still possible of course to be acquitted but you can lose your job and reputation.

Hopefully this will debunk the "nothing to hide" fallacy once and for all.

Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.

Recondite49 wrote: »

...Hopefully this will debunk the "nothing to hide" fallacy once and for all...

Explain how considering that in those example the data used to initiate the event didn't come from the individual. But from an illegal source. A stolen credit card.

beauf wrote: »

You're really fixated on your bubble. They can create data or non electronic information outside your control.

Yes... but then your dabs wouldn't be on it -do you ever actually read what people post or are you permanently on transmit? Deep sigh...
Edit : I have put the important part in bold, further to my last post.

That doesn't answer the question asked.

How do you secure/hide data you're not in control of.

I still prefer truecrypts feature set, to the newer ones. Early days yet I guess.