Re: [cryptography] Question About Best Practices for Personal File Encryption
Haven't seen it mentioned yet but honestly would say just run with a OPAL or FIPS 140 compliant SED. As much as folk don't trust NIST those using SED's certified to those standards are adequate enough for non-classified government documents (i.e. both NIST and DOD authorize them for use in their own organizations to protect their own information) including controlled unclassified information even while traveling in foreign nations with known active intelligence gathering (i.e. China). Are certified SED's from Intel and Samsung coupled with TPM enabled motherboards more expensive and harder to get, yes. Do I trust them more than other commercial or OSS software that, IMHO, could probably have a backdoor easily introduced via a software update, yes. Even if the NSA could hack your SED, not sure that would ever be used against you in a court of law as that is giving away huge capability given other national governments and multinational corps use SEDs quite routinely (FIPS or OPAL depending where you live). Just my two cents. -Peter PS: When I said certified SED I mean it, I don't mean a SED that promising AES encryption. You have to actively look for for certified SED's and they are often 200 to 300% priced, only sold via OEM channels, and have hard to find model numbers.___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On Sun, Aug 17, 2014 at 12:09 AM, Jeffrey Goldberg jeff...@goldmark.org wrote: On 2014-08-16, at 4:51 PM, David I. Emery d...@dieconsulting.com wrote: On Sat, Aug 16, 2014 at 04:21:53PM -0500, Christopher Nielsen wrote: The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple. You may be right or may not, but I certainly have to think that if there is a backdoor password to Filevault2 it is quite likely that Apple would not choose to disclose that fact to just some random user who had lost files due to forgotten passwords. Right. We don’t know whether Apple escrows the key in the absence of people asking them to, but we do know that they do offer to store a “recovery” key when someone sets up FileVault2. Did you know OS X ships the Keychain off to the iCloud in 10.9? http://www.apple.com/osx/whats-new/#icloud-keychain. So an instance of Apple being able to help someone recover their FileVault2 data proves absolutely nothing. Did you know Apple did not revoke the defective FileVault2 binary? Who needs an angry maid when you can downgrade to a defective binary that spews the user password into a log? http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963 Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On 17/08/2014 05:09 am, Jeffrey Goldberg wrote: On 2014-08-16, at 4:51 PM, David I. Emery d...@dieconsulting.com wrote: I do think, however, that if there are such backdoors, it would have to be known to only a very small number of people. Too many of the people who work on Apple security would blow the whistle. So it would have to be introduced in such a way that most of the people who actually develop these tools are unaware of the backdoors. It’s certainly possible, but it does shift balance of plausibility. Right. As I understand it, the standard way that this is done is to create a special features group in another closely-allied country. That group secures permission from HQ to do some rework for their special national needs. That group then inserts in the backdoor, then ships the entire patch off to HQ. Unless the center is reviewing for obfuscated tricks from a trusted partner, the backdoor slides in, and nobody knows it is there. iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
Or in the case of OpenSSL, no one notices the backdoor as it is indistinguishable from an obscure programming error. On Sun, Aug 17, 2014 at 5:01 AM, ianG i...@iang.org wrote: On 17/08/2014 05:09 am, Jeffrey Goldberg wrote: On 2014-08-16, at 4:51 PM, David I. Emery d...@dieconsulting.com wrote: I do think, however, that if there are such backdoors, it would have to be known to only a very small number of people. Too many of the people who work on Apple security would blow the whistle. So it would have to be introduced in such a way that most of the people who actually develop these tools are unaware of the backdoors. It’s certainly possible, but it does shift balance of plausibility. Right. As I understand it, the standard way that this is done is to create a special features group in another closely-allied country. That group secures permission from HQ to do some rework for their special national needs. That group then inserts in the backdoor, then ships the entire patch off to HQ. Unless the center is reviewing for obfuscated tricks from a trusted partner, the backdoor slides in, and nobody knows it is there. iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On 17/08/2014 19:39 pm, Ryan Carboni wrote: Or in the case of OpenSSL, no one notices the backdoor as it is indistinguishable from an obscure programming error. The difference between a corporate backdoor and an open source backdoor is likely that when it is finally discovered, the corporate embarrassment is still easy enough to suppress: NDAs are a weapon. Sunlight is your friend. The many eyeballs thing doesn't really find any more bugs, it seems, but it certainly guarantees a scandal. The agencies don't go where the sunlight is brightest. On Sun, Aug 17, 2014 at 5:01 AM, ianG i...@iang.org mailto:i...@iang.org wrote: On 17/08/2014 05:09 am, Jeffrey Goldberg wrote: On 2014-08-16, at 4:51 PM, David I. Emery d...@dieconsulting.com mailto:d...@dieconsulting.com wrote: I do think, however, that if there are such backdoors, it would have to be known to only a very small number of people. Too many of the people who work on Apple security would blow the whistle. So it would have to be introduced in such a way that most of the people who actually develop these tools are unaware of the backdoors. It’s certainly possible, but it does shift balance of plausibility. Right. As I understand it, the standard way that this is done is to create a special features group in another closely-allied country. That group secures permission from HQ to do some rework for their special national needs. That group then inserts in the backdoor, then ships the entire patch off to HQ. Unless the center is reviewing for obfuscated tricks from a trusted partner, the backdoor slides in, and nobody knows it is there. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On Fri, Aug 15, 2014 at 9:05 PM, Mark Thomas mark00tho...@gmail.com wrote: any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to. There aren't known backdoors in FileVault2, or for that mater, Microsoft's Bitlocker. Apple, on the other hand, has been pretty forthcoming with law enforcement backdoors in iPhones (which, actually, seem fairly reasonable, IMO) Don't trust their encrypted filesystem? You better not trust the OS either, for that surely has access to all of the encryption keys you've ever put in main memory. tl;dr: if you don't trust proprietary encrypted filesystems, you better not trust the proprietary OSes they're built into either. -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
I just use gpg and armor the file. If its text, there's also a vim plugin that works perfectly with this method. On Aug 16, 2014 12:06 AM, Mark Thomas mark00tho...@gmail.com wrote: I have a question for the group, if I may ask it here and in this manner (?). What are you guys using to encrypt individual files and folders or even entire drives like a USB? I am thinking that: 1. any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to. 2. It is probably open source. 3. It is probably implemented with the command line. Am I on the right track? If so does anyone know of a helpful guide to get started with OpenSSL on the command line besides the man pages? Regards, Mark ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On linux, for full disk encryption, LUKS might be a good choice. Most distributions nowadays offer a way to turn on full disk encryption when installing (minus the /boot partition). For single files I use GnuPG. regards, Jonas On 16.08.2014 06:05, Mark Thomas wrote: I have a question for the group, if I may ask it here and in this manner (?). What are you guys using to encrypt individual files and folders or even entire drives like a USB? I am thinking that: 1. any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to. 2. It is probably open source. 3. It is probably implemented with the command line. Am I on the right track? If so does anyone know of a helpful guide to get started with OpenSSL on the command line besides the man pages? Regards, Mark ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On Aug 15, 2014 11:06 PM, Mark Thomas mark00tho...@gmail.com wrote: I have a question for the group, if I may ask it here and in this manner (?). What are you guys using to encrypt individual files and folders or even entire drives like a USB? I am thinking that: 1. any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to. The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple. That said, FileVault2 is susceptible to offline dictionary attacks on the password, or if you can get access while the drive is online, there are attacks on the Keychain. 2. It is probably open source. What makes you think open source will save you? All the eyeballs looking at the code? That was proven a false sense of security when heartbleed was announced. 3. It is probably implemented with the command line. Am I on the right track? If so does anyone know of a helpful guide to get started with OpenSSL on the command line besides the man pages? Regards, Mark ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On Sat, Aug 16, 2014 at 04:21:53PM -0500, Christopher Nielsen wrote: The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple. You may be right or may not, but I certainly have to think that if there is a backdoor password to Filevault2 it is quite likely that Apple would not choose to disclose that fact to just some random user who had lost files due to forgotten passwords. One imagines that unless Apple wants to declare their security breakable and presumably bear the burden of having every law enforcement agency, divorce attorney, corporate trial lawyer and government intelligence operation around the world - along with millions of users with various grades of good and bad stories about why they need Apple to break into Filevault2 partitions demanding help (often for much less than it costs Apple to provide it and handle the legal costs to validate the reasons for and authority of the requester to break in) that they would not wish to share the fact that there is a deliberate backdoor mechanism to break in or even a known bug that would allow it. And that of course begs the question of whether such a publicly announced backdoor could ever be kept secret and reserved for Apple alone as it would become an instant target for every hacker and spy and corporate espionage type to reverse engineer... or steal from inside Apple. On the other hand, given the right appeals to patriotism, and national security along with blackmail type arm twisting from certain governments, I'd not be sure they would not provide help or have not been forced to design things so they can. Only a few folks at Apple probably know the real truth about this... one way or the other. -- Dave Emery N1PRE/AE, d...@dieconsulting.com DIE Consulting, Weston, Mass 02493 An empty zombie mind with a forlorn barely readable weatherbeaten 'For Rent' sign still vainly flapping outside on the weed encrusted pole - in celebration of what could have been, but wasn't and is not to be now either. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On Aug 16, 2014, at 14:21 , Christopher Nielsen m4dh4t...@gmail.com wrote: On Aug 15, 2014 11:06 PM, Mark Thomas mark00tho...@gmail.com wrote: I have a question for the group, if I may ask it here and in this manner (?). What are you guys using to encrypt individual files and folders or even entire drives like a USB? I am thinking that: 1. any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to. The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple. I'm afraid I must point out that your statement is logically incorrect. If they didn't want you to know that they could access the encrypted drives, of course they would say that they couldn't. This is no evidence at all. Yes, I'm paranoid, but am I paranoid enough? Greg. smime.p7s Description: S/MIME cryptographic signature ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On Sat, Aug 16, 2014 at 5:21 PM, Christopher Nielsen m4dh4t...@gmail.com wrote: On Aug 15, 2014 11:06 PM, Mark Thomas mark00tho...@gmail.com wrote: I have a question for the group, if I may ask it here and in this manner (?). What are you guys using to encrypt individual files and folders or even entire drives like a USB? I am thinking that: 1. any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to. The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple. You can't trust Apple as far as you can pick them up and throw them. There's nothing special about Apple, and others are just as bad. Also, less than one month old: Apple Confirms 'Backdoors'; Downplays Their Severity, http://www.zdziarski.com/blog/?p=3466. And remember, according to Apple, they were not tracking users either. Apple faces class action suit for tracking users without consent, http://nakedsecurity.sophos.com/2014/08/04/apple-faces-class-action-suit-for-tracking-users-without-consent/. And let's not forget this: Apple deluged by police demands to decrypt iPhones, http://www.cnet.com/news/apple-deluged-by-police-demands-to-decrypt-iphones/. They've been caught lying so much they have no credibility. Sorry to hear about your friend. Apple's unwillingness to help allows provides them with cover. They can't have documented cases of circumventing their security controls. That's bad for business. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
We all know that a request from grieving family members or from the United States Government are answered in ways that the should only be justified for the other party (i.e.. saying “no to the USG and “yes to the family). Never the less, I pose the original question again, without the Apple distractor: What are you guys using to encrypt individual files and folders or even entire drives like a USB? I am thinking that: 1. Any commercial product could be compromised and is possibly not completely secure. 2. It is probably open source. 3. It is probably implemented with the command line. Am I on the right track? If so does anyone know of a helpful guide to get started with OpenSSL on the command line besides the man pages? Regards, Mark On 2014.08.16, at 5:11 PM, Jeffrey Walton noloa...@gmail.com wrote: On Sat, Aug 16, 2014 at 5:21 PM, Christopher Nielsen m4dh4t...@gmail.com wrote: On Aug 15, 2014 11:06 PM, Mark Thomas mark00tho...@gmail.com wrote: I have a question for the group, if I may ask it here and in this manner (?). What are you guys using to encrypt individual files and folders or even entire drives like a USB? I am thinking that: 1. any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to. The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple. You can't trust Apple as far as you can pick them up and throw them. There's nothing special about Apple, and others are just as bad. Also, less than one month old: Apple Confirms 'Backdoors'; Downplays Their Severity, http://www.zdziarski.com/blog/?p=3466. And remember, according to Apple, they were not tracking users either. Apple faces class action suit for tracking users without consent, http://nakedsecurity.sophos.com/2014/08/04/apple-faces-class-action-suit-for-tracking-users-without-consent/. And let's not forget this: Apple deluged by police demands to decrypt iPhones, http://www.cnet.com/news/apple-deluged-by-police-demands-to-decrypt-iphones/. They've been caught lying so much they have no credibility. Sorry to hear about your friend. Apple's unwillingness to help allows provides them with cover. They can't have documented cases of circumventing their security controls. That's bad for business. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On Sat, Aug 16, 2014 at 06:26:28PM -0500, Mark Thomas wrote: Am I on the right track? If so does anyone know of a helpful guide to get started with OpenSSL on the command line besides the man pages? last time i checked openssl does no authenticated encryption on the command line. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Question About Best Practices for Personal File Encryption
On 2014-08-16, at 4:51 PM, David I. Emery d...@dieconsulting.com wrote: On Sat, Aug 16, 2014 at 04:21:53PM -0500, Christopher Nielsen wrote: The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple. You may be right or may not, but I certainly have to think that if there is a backdoor password to Filevault2 it is quite likely that Apple would not choose to disclose that fact to just some random user who had lost files due to forgotten passwords. Right. We don’t know whether Apple escrows the key in the absence of people asking them to, but we do know that they do offer to store a “recovery” key when someone sets up FileVault2. So an instance of Apple being able to help someone recover their FileVault2 data proves absolutely nothing. I have spoken to people who specialize in forensics recovery for Apple products and who have close relations to Apple. Those conversations lead me to believe that there is no backdoor that they are aware of. Of course, if there were, they would not reveal that information to me. I do think, however, that if there are such backdoors, it would have to be known to only a very small number of people. Too many of the people who work on Apple security would blow the whistle. So it would have to be introduced in such a way that most of the people who actually develop these tools are unaware of the backdoors. It’s certainly possible, but it does shift balance of plausibility. Cheers, -j ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] Question About Best Practices for Personal File Encryption
I have a question for the group, if I may ask it here and in this manner (?). What are you guys using to encrypt individual files and folders or even entire drives like a USB? I am thinking that: 1. any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to. 2. It is probably open source. 3. It is probably implemented with the command line. Am I on the right track? If so does anyone know of a helpful guide to get started with OpenSSL on the command line besides the man pages? Regards, Mark ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography