Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Truecrypt development stopped. Recommend changing to Bitlocker.

  • 29-05-2014 12:07am
    #1
    Closed Accounts Posts: 1,260 ✭✭✭


    truecrypt.sourceforge.net/

    Truecrypt development stopped. Recommend changing to Bitlocker.
    WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

    This page exists only to help migrate existing data encrypted by TrueCrypt.

    The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.


    Wonder what's going on here then...


«13

Comments

  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    theregister.co.uk/2014/05/28/truecrypt_hack/
    The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.

    It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.

    Beginning on Wednesday, the TrueCrypt homepage redirects visitors to the project's official SourceForge-hosted page that displays a message to the effect that the software has been discontinued – and that users should switch to an alternative


    Even more worrying, The Reg has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.


  • Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭edanto


    Surely it's just a compromised sourceforge account, a temporary thing?


  • Registered Users, Registered Users 2 Posts: 6,374 ✭✭✭Gone West


    edanto wrote: »
    Surely it's just a compromised sourceforge account, a temporary thing?
    This is much more than a compromised wensite or compromised keys.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    Story on forbes also.

    :(


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    Krebs has a piece on it too ... recommending BitLocker doesn't ring true for some reason.

    I hope it's a hoax, but it does seem legit so far.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I really hope this is a hoax.


  • Registered Users, Registered Users 2 Posts: 1,186 ✭✭✭davej


    Bowz7BdIQAAUroZ.jpg

    davej


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Got the following ditties from the ACH mailing list:

    - The signing key seems to be genuine, signatures are good.
    - The signing key is 1024/DSA. The key could have been compromised to sign the ?new release?.
    - The signing key available for download on the website has Windows line endings.
    - One previously downloaded version of the SAME key from the website had Unix line endings.
    - It doesn't make any sense to release 7.2 just to shut it down.
    - The TC audit team doesn't know anything about an upcoming release.
    - The TC audit team has completed Phase 1 of the audit with good results which - make it unlikely that there is something to be afraid of.
    - The changes made in the source code are quite strange.
    - The 7.2 release contains an updated license (TC license 3.1, I haven't diffed it yet.)
    - 7.2 can only read TC volumes.
    - The Windows installer for 7.2 doesn't make any network connections during installation.



    Overall stink level: High.


  • Registered Users, Registered Users 2 Posts: 1,819 ✭✭✭howamidifferent


    I'm not normally in the conspiracy forums but this stinks to me.
    I'd go with the idea the devs were being forced to backdoor it and instead aborted it with a big red flag pointing to bitlocker as an alternative.
    No one in their right mind would trust Bitlocker.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I'd go with the idea the devs were being forced to backdoor it

    I thought this might be the case initially, but I'm not sure how you'd force someone to back door open source code. It would be much easier to have someone become a regular contributor, then deliberately add in sneaky code that weakens the crypto subtly. That's what I'd do if I were trying to screw an open source security tool. *maniacal laugh*


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,819 ✭✭✭howamidifferent


    Khannie wrote: »
    I thought this might be the case initially, but I'm not sure how you'd force someone to back door open source code. It would be much easier to have someone become a regular contributor, then deliberately add in sneaky code that weakens the crypto subtly. That's what I'd do if I were trying to screw an open source security tool. *maniacal laugh*

    But since no one has ever managed to produce a 100% identical binary from the source, who's to say the source published would be the source used to build the published binary. Backdoor in binary, clean source. No one would be the wiser except the devs who probably wouldn't go along with that idea. All conjecture on my part obviously.


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    The point has been made on other forums that Truecrypt 7.1a is still perfectly usable. It's a point that I agree with.

    I have encrypted all laptops and external disks in our office with TC 7.1a.
    I had a home laptop stolen recently which was encrypted with 7.1a. The thieves may factory reset it but they won't get at my data.

    The stolen laptop was replaced this morning and I'm using TC 7.1a to encrypt that as well. I discovered the news about Truecrypt when I visited their site to see if there was any recent release. While there was, indeed, a new release, it certainly wasn't what I was expecting.

    Having read the content on the site and looked into it a little I asked myself "what are you trying to protect and against whom and what are you trying to protect it?"

    If I was worried about the NSA getting their hands on my data, then this development might make me reconsider the use of Truecrypt.
    I'm only trying to protect my laptop (and our work laptops) against data theft/breach through loss or theft of the device.
    Truecrypt is entirely acceptable to me for this (for the moment) - even if it appears to no longer be in development.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    But since no one has ever managed to produce a 100% identical binary from the source, who's to say the source published would be the source used to build the published binary. Backdoor in binary, clean source. No one would be the wiser except the devs who probably wouldn't go along with that idea. All conjecture on my part obviously.

    You would need the exact build spec to achieve an identical binary. OS, compiler, compiler flags, linker, linker flags, exact source tree, yada yada. If you were sufficiently paranoid, you'd be building from source yourself anyway.

    But yeah....I always wondered about that myself, just as a general wondering.

    Last point I'll make: I thought it was kinda funny how they had IE in the first screenshot. Not sure if it was another nod to it being a "lol bitlocker". I don't use windows, but I wouldn't trust bitlocker to encrypt my toast recipe.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    truecrypt.sourceforge.net/

    Truecrypt development stopped. Recommend changing to Bitlocker.




    Wonder what's going on here then...

    As I understand it the issue relating to a possible backdoor only affected the headers of volumes created in the Windows versions, isn't that right? The corresponding area in the Mac/Linux versions was just a string of encrypted zeroes.

    I have being experimenting with the program TCPLAY which works from the Linux Command line. It can create and mount Truecrypt partitions and I've been having a lot of fun with it. Have posted a guide on my blog and will put it up here when able.

    I like the idea of using multiple ciphers at once (unlike Bitlocker, Filevault, CryptFS etc.) but of course this only works for creating encrypted containers on Linux so maybe Bitlocker is a better option.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Any more word on this anywhere?


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    Nah. Same stories being regurgitated across all sites. Nothing new of any substance that I've come across.

    I wouldn't think that this is going to go away quietly though.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Khannie wrote: »
    Any more word on this anywhere?
    This-->http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

    Is where it's at, nicely summed up.

    Nutshell-->It's really gone(1), the "open source" license they used may mean no one else can pick it up but someone probably will.

    The Dude that gathered the funding to Audit it hopes it's not because their is some big vulnerability gonna appear in the phase two part of the Audit, which is still going ahead as he has $30,000 to do it. Be done by summer end...probably.

    Same Dude knows the guy involved in developing Bitlocker, reckons he's sound and didn't backdoor it.


    (1) If you have an Installer of 7.1a downloaded before this happened then it's as good as it's gonna get untill someone picks up the torch.

    Bruce Schneier switched back to PGP.



    Tails guys are wondering what to switch to.



    Mysterious announcement from Truecrypt declares the project insecure and dead


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Thanks - I had thought though that TAILS had settled on using tc-play as an alternative?

    I can't post links atm due to being new user but if you look under ticket number 5373 on TAILS website it says : Replace Truecrypt with tcplay - resolved. Perhaps that just means they have chosen to replace it?

    I hope they do choose tc-play as it allows you to encrypt the same volume with multiple ciphers not to mention use of keyfiles with password, hidden volumes etc.

    Something I did think looked promising was Zulucrypt which acts as a GUI frontend for both Truecrypt and cryptfs volumes. Anyone else used it?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    This is all very interesting. I'll be intrigued to see what comes of that security audit now. I wish I knew about these kickstarter things. I'd be inclined to chip in for funding of code reviews of security software that I rely on.
    Something I did think looked promising was Zulucrypt which acts as a GUI frontend for both Truecrypt and cryptfs volumes. Anyone else used it?

    Not me. I don't use truecrypt though.


  • Registered Users, Registered Users 2 Posts: 4,632 ✭✭✭ssaye2




  • Advertisement
  • Posts: 0 [Deleted User]


    As I understand it the issue relating to a possible backdoor only affected the headers of volumes created in the Windows versions, isn't that right? The corresponding area in the Mac/Linux versions was just a string of encrypted zeroes.

    I have being experimenting with the program TCPLAY which works from the Linux Command line. It can create and mount Truecrypt partitions and I've been having a lot of fun with it. Have posted a guide on my blog and will put it up here when able.

    I like the idea of using multiple ciphers at once (unlike Bitlocker, Filevault, CryptFS etc.) but of course this only works for creating encrypted containers on Linux so maybe Bitlocker is a better option.

    A good write up here of some alternatives to TrueCrypt including tc-play from the Gurgq http://grugq.tumblr.com/post/60464139008/alternative-truecrypt-implementations


  • Registered Users, Registered Users 2 Posts: 25,071 ✭✭✭✭My name is URL


    Have any of you switched to an alternative yet? I have version 7.1a installed at home and on my work computers. Would it be very foolish to leave things as they are until what happened becomes clearer?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I reckon it's usable in 99.9% of scenarios. There may be security holes in it, but the question is: Are you trying to protect your data from those who have the expertise to find and exploit those holes? If yes : I'm glad I'm not you. :D If no : continue using it.

    No harm in investigating alternatives though.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Khannie wrote: »
    I reckon it's usable in 99.9% of scenarios. There may be security holes in it, but the question is: Are you trying to protect your data from those who have the expertise to find and exploit those holes? If yes : I'm glad I'm not you. :D If no : continue using it.

    No harm in investigating alternatives though.

    The problem we have here Khannie is that you never know in what context your data might be used or interpreted in the wrong hands.

    For instance after the young girl Millie Dowler went missing in the UK, the investigation was derailed because it turned out her father watched pornography, which in itself is legal but led the Police down the wrong path.

    We also have to consider those people who might have downloaded something innocently - I know you like me put in a lot of time on the Survivalism Thread and when downloading books about Bushcraft and Homesteading I have sometimes accidentally downloaded plans to build guns and bombs.

    As we've discussed though, we don't have to choose between Truecrypt or nothing - all the main distributions of Linux offer full disk encryption with built in tools, so I say use that in the first instance.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Have any of you switched to an alternative yet? I have version 7.1a installed at home and on my work computers. Would it be very foolish to leave things as they are until what happened becomes clearer?

    Aside from aforementioned tcplay it's also possible to use CryptSetup which is built into Linux. Sadly both require the command line. If you google my Blogger ID 'machellotech' I have written some guides on how to use both.

    I think though that you were asking about friendly GUI encryption tools. I'm afraid I have nothing in your colour if so, anyone else?

    Edit : My addled brain has reminded me that the built in Disk Utility in Linux can be used to quickly and easily format a drive or USB stick in such a way that it requires a password to unlock it. I don't care for it as you don't get any say in the algorithim used (it uses LUKS default options which as memory serves is AES 128 bit) but at least is user friendly and should keep everyone out but shadowy government agents.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    The problem we have here Khannie is that you never know in what context your data might be used or interpreted in the wrong hands.

    Ah yes. This is the strongest argument in favour of total privacy. We're not far off that in fairness. I reckon 10 years and the entire internet will be encrypted up the ying yang. Email being the last problem to solve.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Khannie wrote: »
    Ah yes. This is the strongest argument in favour of total privacy. We're not far off that in fairness. I reckon 10 years and the entire internet will be encrypted up the ying yang. Email being the last problem to solve.

    Good man, here's hoping. I know Snowden said he was in favour of it. Of course we could always switch over to Tor but as you know it's quite tricky to use it correctly to protect your identity.

    When it comes to e-mail there's always gpg I suppose but too few people take the time and bother to set it up. This is a shame as integration in programs like Outlook, Thunderbird and Mac Mail is pretty seamless these days. Perhaps they don't think their e-mails are important enough to bother with? :)


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Perhaps they don't think their e-mails are important enough to bother with? :)

    This seems to be the case alright. "Ah sure let them read it, I've nothing to hide". Yet they still use an envelope. ;)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Khannie wrote: »
    This seems to be the case alright. "Ah sure let them read it, I've nothing to hide". Yet they still use an envelope. ;)

    You said it bro! I once had a teacher who said you shouldn't put anything on the internet you wouldn't write on the back of a post card. Seems a little nihilist to me but there you go.

    I wonder if it actually wouldn't be more secure in practice to exchange written letters with correspondents using hand ciphers than risk having your e-mail hoovered up because it contains the wrong keyword? :)


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 6,374 ✭✭✭Gone West


    All the emails get copied, regardless of what keyword you put in it.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Fuzzy wrote: »
    All the emails get copied, regardless of what keyword you put in it.

    Are you sure about that? It's an awful lot of data. NSA and GCHQ must get sick of filtering all those cat videos. :)

    On a more serious note, during my short but colourful time on the underground of the internet we sent gpg encrypted e-mails over Tor or better yet Torchat (which used OTR messaging) to keep in touch - it seems to me that's the best way to guard against interception.

    Currently I use bitmessage's onion domain for ultra secret stuff, anyone else have a good e-mail provider they can recommend?


  • Registered Users, Registered Users 2 Posts: 6,374 ✭✭✭Gone West


    Are you sure about that? It's an awful lot of data. NSA and GCHQ must get sick of filtering all those cat videos. :)

    On a more serious note, during my short but colourful time on the underground of the internet we sent gpg encrypted e-mails over Tor or better yet Torchat (which used OTR messaging) to keep in touch - it seems to me that's the best way to guard against interception.

    Currently I use bitmessage's onion domain for ultra secret stuff, anyone else have a good e-mail provider they can recommend?
    It's best to assume that all data once it leaves systems under your control or audit is then copied.
    Each cat video only gets stored once by the way.

    The question now is not about whether your data is being copied and stored all over the place. The discussion has moved on to other questions, like...
    What meta data is being used for what.
    Who has access, and how prolific are queries of the database. Loveint etc.
    What will happen to this data in the future?
    Will it be public domain at some stage?
    Will your grandkids get a chance to read your awkward emails from secondary school?

    25 years ago if you suggested that IBM would be irrelevant in IT, you would have been fired.
    10 years ago if you suggested that cellphone metadata alone would be used by flying robots to blow up wedding ceremonies on the other side of the world, you would be laughed at.
    4 years ago if you suggested that secret US government embassy cables would be dumped online, you would have been called a conspiracy nut.

    No, I think it's fair to say you must assume that everything you don't directly control is copied and has an uncertain future.

    BTW, re: Truecrypt, my money is on "canary", although "Dev cracks under pressure and shuts down poorly" is a close second guess.


  • Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭edanto


    Truecrypt.ch got a takedown order, according to their twitter @TrueCryptNext

    They said it might be fake but are asking for legal help.

    In this topsy turvy story it's impossible to know if they're good guys or not. Do their public efforts to keep the TC flag flying outweigh any mis-steps they make?

    If the original TC was a three letter takedown, could truecrypt.ch be some kind of front for the same agency? That does seem a bit far fetched!

    Who can tell if the code is unaltered from the code being audited?

    Are there changes that could introduce a vulnerability and leave the same checksum?


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Fuzzy wrote: »
    It's best to assume that all data once it leaves systems under your control or audit is then copied.
    Each cat video only gets stored once by the way.

    The question now is not about whether your data is being copied and stored all over the place. The discussion has moved on to other questions, like...
    What meta data is being used for what.
    Who has access, and how prolific are queries of the database. Loveint etc.
    What will happen to this data in the future?
    Will it be public domain at some stage?
    Will your grandkids get a chance to read your awkward emails from secondary school?

    25 years ago if you suggested that IBM would be irrelevant in IT, you would have been fired.
    10 years ago if you suggested that cellphone metadata alone would be used by flying robots to blow up wedding ceremonies on the other side of the world, you would be laughed at.
    4 years ago if you suggested that secret US government embassy cables would be dumped online, you would have been called a conspiracy nut.

    No, I think it's fair to say you must assume that everything you don't directly control is copied and has an uncertain future.

    BTW, re: Truecrypt, my money is on "canary", although "Dev cracks under pressure and shuts down poorly" is a close second guess.

    Hi Fuzzy,

    I think you make a very good point although I don't think the two perspectives are mutually exclusive.

    Even with our current computing power, to actually monitor all electronic correspondence would be an unimaginably huge task - having said that if we proceed on the basis that our correspondence is being monitored then we can keep our data safe.

    This is especially important I think for people concerned with privacy as there's some evidence to show that people who for instance connect to the Tor network are singled out for surveillance over their neighbours - of course if your traffic is encrypted end to end then it's a moot point but this is why I think it's great we have forums like these where people can learn to communicate safely.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    bedlam wrote: »
    It looks like Truecrypt.ch are taking up the mantle.

    Why can't more people be like the Swiss. And the Dutch. With more Dutch people and more Swiss people, I think the world would be a better place.
    Are there changes that could introduce a vulnerability and leave the same checksum?

    No. Collisions do happen. That means it is possible for the data in a file to change and still match its checksum, but it usually happens with records. I saw it happening in signatures for malware, but it was accidental and very rare. The chances of someone creating backdoor code, and introducing it to existing code and the checksum remaining the same is astronomical.

    What Im unsure about when it comes to checksums is, if an attacker has corrupted the source code of an application. As in, gotten in, downloaded the code, patched it with his exploit code, pushed upstream, and kept everyone unaware, what hurdle would have been too great for him(or her) to replace the checksums with the new ones?


  • Advertisement
  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    syklops wrote: »
    Why can't more people be like the Swiss. And the Dutch. With more Dutch people and more Swiss people, I think the world would be a better place.



    No. Collisions do happen. That means it is possible for the data in a file to change and still match its checksum, but it usually happens with records. I saw it happening in signatures for malware, but it was accidental and very rare. The chances of someone creating backdoor code, and introducing it to existing code and the checksum remaining the same is astronomical.

    What Im unsure about when it comes to checksums is, if an attacker has corrupted the source code of an application. As in, gotten in, downloaded the code, patched it with his exploit code, pushed upstream, and kept everyone unaware, what hurdle would have been too great for him(or her) to replace the checksums with the new ones?

    Hi skylops,

    Wasn't the issue that given the metadata involving time and dates in the source code that it was actually very difficult to compile a binary that matched that on the Truecrypt website, even if it didn't contain a backdoor?

    Such a shame if the developers have been bagged and tagged but it's difficult to understand who would do this or why - isn't the cat out of the bag so to speak?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie




  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    I quess it depends what you are using it for. If its in case you're gear gets robbed by some scumbag, or so people don't have easy access to the data then its probably fine. If you are hiding stuff from the NSA and law enforcement then you've bigger problems, and you are probably using something a bit more complex.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    I quess it depends what you are using it for. If its in case you're gear gets robbed by some scumbag, or so people don't have easy access to the data then its probably fine. If you are hiding stuff from the NSA and law enforcement then you've bigger problems, and you are probably using something a bit more complex.

    Well said beauf, I've already mentioned the open source alternative to Truecrypt tcplay in another thread which has all the same functionality if you're happy to use the Linux Command line. That said the Disk Utility in every Linux version I've seen so far allows you to format a drive with a password, which is quick and easy - I believe the default AES 128 bit encryption but if there are more tech savvy people out there, I'd love to hear from you.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    beauf wrote: »
    I quess it depends what you are using it for. If its in case you're gear gets robbed by some scumbag, or so people don't have easy access to the data then its probably fine. If you are hiding stuff from the NSA and law enforcement then you've bigger problems, and you are probably using something a bit more complex.

    I see your point, but I want to hide everything from everybody, just because fup you (not you, obviously). I very seriously value my privacy. I've nothing to hide, but I don't want back doors built into my security software so that someone can read emails between myself and my wife if they so choose, so I reject the notion that I shouldn't want software that is secure from the NSA. They're the ones most likely to abuse it IMO.


  • Advertisement
  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    I know you are making a general point about data in general. But just to be pedantic. They can intercept your emails at a lot of other points outside of your network and systems. So the old adage of don't email anything you wouldn't want on the 9 O'Clock News still applies. I have found anyone really concious of security tends to do things over the phone, or face to face rather than email.

    The other point about security is you have to use it. If its awkward you won't. Or you'll use it less often.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    I know you are making a general point about data in general. But just to be pedantic. They can intercept your emails at a lot of other points outside of your network and systems. So the old adage of don't email anything you wouldn't want on the 9 O'Clock News still applies. I have found anyone really concious of security tends to do things over the phone, or face to face rather than email.

    The other point about security is you have to use it. If its awkward you won't. Or you'll use it less often.

    Well said Khannie, security which is proof- against everyone except X is no good. Unless it's good against a competent attacker with large resources I don't want to know! :-)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    I know you are making a general point about data in general. But just to be pedantic. They can intercept your emails at a lot of other points outside of your network and systems. So the old adage of don't email anything you wouldn't want on the 9 O'Clock News still applies. I have found anyone really concious of security tends to do things over the phone, or face to face rather than email.

    The other point about security is you have to use it. If its awkward you won't. Or you'll use it less often.

    I agree with your point about the trade off between security and convenience but I don't think we need to give up on e-mail altogether - intercepting a message that for instance you've encrypted with a 4096 bit gpg key wouldn't do the NSA much good.

    Also they still haven't found a way to compromise the overall structure of the tor network.

    Of course if you're going to meet face to face with your contacts you could do this just the once every few years and exchange one time pads of random data - we certainly don't need to give up on e-mail altogether in my ever humble opinion! :-)


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    Are you using encrypted email across all your devices including mobiles etc. I've only seen it a handful of times.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    Are you using encrypted email across all your devices including mobiles etc. I've only seen it a handful of times.

    Hi beauf,

    That's an excellent question. I've an Android phone running K9 mail in addition to APG which can encrypt and decrypt e-mails but I'm too worried about, the device being stolen or seized to use it for very personal correspondence.

    I use a live OS (TAILS) in combination with Bitmessage to send private e-mails. The e-mails are encrypted with gpg. I store my key and favourite program on a USB stick, encrypted with Linux disk utility.

    This is by no means perfect as certain vulnerabilities exist within TAILS, plus the stick itself while encrypted could be taken by force, but I've no concerns about messages being intercepted - they never leave the tor network.

    I don't mean to go off topic but I do think it is possible to NSA-proof your messages and data. Let's keep the faith.


  • Registered Users, Registered Users 2 Posts: 1,819 ✭✭✭howamidifferent


    Hi beauf,

    I've no concerns about messages being intercepted - they never leave the tor network.

    I don't mean to go off topic but I do think it is possible to NSA-proof your messages and data. Let's keep the faith.

    The below article seems to indicate that this may not be as secure as you assume.... :(

    https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    The below article seems to indicate that this may not be as secure as you assume.... :(

    https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

    This attack has to do with traffic confirmation and seeks to undermine a user's anonymity - not their privacy.

    In fact as the Tor blog itself states this is nothing new and there's not a shred of evidence that this can be used to reliably target specific users.

    In my own case at any rate and e-mails sent over Tor have been encrypted so I won't be losing any sleep.

    I have been wondering about what else we can do though to mitigate the risk. Using a dedicated private bridge and running a relay of your own would make it difficult for other compromised relays to intercept your traffic specifically surely?


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    The problems with technology, is there always someone/organization with better technology. So it would be naïve to think you are secure against everyone. Even in the pipe is secure, it has to enter and leave it at some point. Even if that through social engineering, or a person. A Maginot Line as it were. "strategically ineffective".

    Most people concerned about such things don't commit any data to electronic means at all.

    For most people their data they are sending isn't sensitive anyway.


  • Registered Users, Registered Users 2 Posts: 6,374 ✭✭✭Gone West


    Tor just makes me uneasy.
    I can't articulate properly why. It just does.
    The protocol seems solid enough, but the people who are funding development to the tune of millions of $USD per year are suspect.


  • Registered Users, Registered Users 2 Posts: 3,131 ✭✭✭Dermot Illogical


    Fuzzy wrote: »
    Tor just makes me uneasy.
    I can't articulate properly why. It just does.
    The protocol seems solid enough, but the people who are funding development to the tune of millions of $USD per year are suspect.

    Creation of a target-rich environment? It makes sense to get all your suspects into the one place so you can concentrate your efforts.


  • Advertisement
Advertisement