A little security help for my friends

The dubious statements claimed by the drive are as follows:
“no software exists that can be cracked”
This is not true if the attacker can get a key logger onto your computer before you use this drive.
“blocks 100% of auto-run based malware attacks”
While I can’t declare this false on principle, this seems much more likely advertising exaggeration than true.
“Comes with secure erase software to allow full deletion of files you move from hard disk to the Dataguardian drive.”
This software cannot be relied on to achieve successful full deletion of files. Especially because of temporary files created by viewers and editors and such. Only full drive encryption can be relied on to maintain security. This is especially the case when using flash drives, where the flash chips never overwrite a file but just leave the old file and write the new version at a different location. You can only delete any file on a flash drive by overwriting the entire flash drive. Even then, traces or entire files could remain in the weak blocks taken out of service by the drive controller. Some drives have a secure erase command to erase the entire drive, including the bad blocks, but it can be hard to run, especially if your computer bios locks your hard drive settings at boot, as many do.

In the UK and other countries you can be compelled to disclose passwords, or end up in jail for contempt until you disclose the password (guilt until proven innocent). Similar things have been tried in the US when people were crossing borders.
Things like TOR might help, although liberal application of thermite on short notice may be the only real solution. I can’t find the article but the cops in Russia or a near by country triggered a remote wipe while testing a car key to see what car it opened, of course this trick won’t work more than a few times 🙂

So far in the U.S. there is no law or regulation that can compel someone to divulge their password(s). Of course, with Obama’s attorney general on the rampage against civil liberties it’s only a matter of time.
More info: http://en.wikipedia.org/wiki/Key_disclosure_law

By all means, protect your data. And, by all means, protect your right to free discourse.
But, when it comes to climate information, we’ve nothing to hide. If some prominent “skeptic” does have something to hide, pertinent to the climate discussion, I’d advise offering it up. It would cause great harm to the skeptic side if a skeptic was found to have done something nefarious regarding the climate discussion and hid it from the law. I don’t think anyone will care about the music pirated or the porn on your PC. Some have stated the internets were invented for porn! 😉 If you’re sharing that stuff with a bit torrent or something of that nature, stop it.
There are plenty of fights to fight regarding individual rights and privacy. But, towards the climate discussion we should take care not to be seen as hypocrites.

When the Feds want you, NOTHING gets in their way. They’ve never been slowed down by nanotrivia like laws and constitutions.
When the Feds aren’t interested in you, it may feel like the laws are protecting your “rights”, but in fact the only thing that’s protecting you is lack of interest.

I found ‘liberte linux’ .
It gives privacy to your documents and anonimous surfing. Free for all, the bad guys and the good ones. Install in common usb stick and it leaves no trace on disk drives not even in the ram when unpluged.

The way I understand the law and caselaw in the UK (and in the US if one is crossing a border) one cold be arrested for not revealing the password to an emcrypted file on a computer storage medium that is under your control.
So, for example, if I have a file on my drives labelled something like “all.f7”, I am obliged to reveal the password, and can suffer the consequences of I do not reveal it or claim that I do not know/remember it.
IANAL

If they ask for your password say you forgot it. They can’t prosecute you for forgetting your password and you can’t give it to them if you forgot it and they can’t prove you did not forget it. Use Truecrypt http://www.truecrypt.org/ an open source utility which can encrypt your entire hard disk or create mountable files. it can even create hidden volumes so that it does not even appear to have encrypted files at all.
Anthony: Please tell your readers about Truecrypt. It is excellent. I have not affiliation with them, i just like their software.

will not work with the judges and the police
It will in New Zealand.
I’ve even been involved in a case where a guy had encrypted data that couldn’t be accessed by the Police. Annoyingly, as we knew it was the worst sort of paedophilia.
However, security of this type is not a solution for most people worried about the cops. If the Police come they will take your protected data. So you won’t have it, which is a bit of a problem if you actually need it. And what’s the point of having data you don’t need?
The Police won’t give it back if they have good reason to believe that it contains illegal material.
So, good protection, but only for certain situations. More businesses should use these, for example, to hold accounts and personal data.

Protect your data by putting it on the oldest CP you can find. After all, they only took Tallbloke’s laptops, not the ancient hardware.
I have a ZX80 going cheap – spend some of those oil dollars you are all getting.

Okay so, in the UK there is the RIPA act – Regulation Of Investigatory Powers Act 2000 – which basically turned the UK into a Police State.
Even if you encrypt your data, this act gives police the power to DEMAND the keys to decrypt your data, with an automatic penalty of 2 years in prison if you refuse to do so.
It’s that bad.
The way around this, is to use Truecrypt.
With Truecrypt, you can hide a complete Windows installation within what appears to be random data on your hard drive, which only appears when you type in one of three pass phrases.
What you then do, is create what appears to be just a typical Truecrypt hidden volume, which is protected by the second of three passwords, to which you add “sensitive” data (say bank account details and ordinary passwords, ordinary correspondence to family or friends etc.) , such that when you are compelled by the UK police to reveal your keys under penalty of imprisonment, they get to see this “sensitive” data.
After this, you then create a “decoy” OS installation, from which you boot every day and use normally. Again, this is accessed via the third of the three pass phrases involved. This is your “day to day” OS, which you use to perform your everyday tasks.
The Hidden OS is used only when you are doing something REALLY sensitive – like say corresponding with a whistleblower for example, using completely encrypted (PGP) email, throwaway or completely different email accounts, via the Tor network, etc etc etc.
When the police come to your door and DEMAND the keys to your encryption,you give them 2 out of the 3 keys (passwords/phrases) – the key to the “day to day” use OS, and the key to the Hidden Volume which stores your “sensitive” documents. You then with a poker-face explain that those are the only keys to your encrypted stuff, that you have complied with the RIPA 2000 Act etc etc.
There is absolutely no way to tell if there is a Hidden Operating System on your hard drive, if you do everything precisely the way in which the Truecrypt methodology entails.
Everything you need to know about this is on the Truecrypt website – including everything you need to appear plausible in front of law enforcement.
I hope this clears things up for folks.

Also, there is absolutely NO need to purchase these specialized USB data keys – and they will NOT protect you in the UK from the RIPA Act 2000. Only the Truecrypt route I described above will protect you from that.
Note also you can create your own far cheaper encrypted USB stick using the method I described above.

Haven’t y’all folks in the USA been paying attention? I suggest you read HR 1540 (National Defense Authorization Act of 2012), in particular Sections 1031 and 1032. http://thomas.loc.gov/home/thomas.php .
Quote:
SEC. 1032. REQUIREMENT FOR MILITARY CUSTODY.
(a) Custody Pending Disposition Under Law of War-
(1) IN GENERAL- Except as provided in paragraph (4), the Armed Forces of the United States shall hold a person described in paragraph (2) who is captured in the course of hostilities authorized by the Authorization for Use of Military Force (Public Law 107-40) in military custody pending disposition under the law of war.
(2) COVERED PERSONS- The requirement in paragraph (1) shall apply to any person whose detention is authorized under section 1031 who is determined–
(A) to be a member of, or part of, al-Qaeda or an associated force that acts in coordination with or pursuant to the direction of al-Qaeda; and
(B) to have participated in the course of planning or carrying out an attack or attempted attack against the United States or its coalition partners.
(3) DISPOSITION UNDER LAW OF WAR- For purposes of this subsection, the disposition of a person under the law of war has the meaning given in section 1031(c), except that no transfer otherwise described in paragraph (4) of that section shall be made unless consistent with the requirements of section 1033.
(4) WAIVER FOR NATIONAL SECURITY- The Secretary of Defense may, in consultation with the Secretary of State and the Director of National Intelligence, waive the requirement of paragraph (1) if the Secretary submits to Congress a certification in writing that such a waiver is in the national security interests of the United States.
(b) Applicability to United States Citizens and Lawful Resident Aliens-
(1) UNITED STATES CITIZENS- The requirement to detain a person in military custody under this section does not extend to citizens of the United States.
(2) LAWFUL RESIDENT ALIENS- The requirement to detain a person in military custody under this section does not extend to a lawful resident alien of the United States on the basis of conduct taking place within the United States, except to the extent permitted by the Constitution of the United States.
Endquote
Note that although it is not “required” to detain a citizen in military custody, it remains an “option”. You don’t get a lawyer or any other rights if the govt. claims you are a suspected person under the definition. You just disappear.

re: Jeremy’s comment above:
In the US, you absolutely do NOT have to divulge the encryption key(s) to any secured device. They can take the device if they have a warrant but you do not have to give them the password. The Electronic Freedom Foundation has a whitepaper on the topic at https://www.eff.org/wp/know-your-rights. A grand jury or judge may compel you to decrypt the contents but generally only when you are not the subject of the investigation.
re: IANAL’s comment, the US can seize a computer without a warrant when you cross a border but even there you do not have to divulge the password.
(And, yes, the folks at EFF are very good lawyers.)

Sam Hall says:
December 16, 2011 at 7:46 pm
[quote]In the U.S., one is compelled to blow in a breathalyzer if suspected of being drunk. If refused, guilt is assumed. The 5th amendment, like most of the constitution, is deemed only words to circumvent by our judges and lawmakers.[/quote]
Not quite. You can lose your driver’s license, but are not guilty unless they can prove it some other way.
=========================================================
Yes….. proof being deemed as the word of the arresting officer. But, if that doesn’t work, yes, losing your ability to drive, fines, and jail when you don’t blow into the machine, but not convicted of DUI is somehow deemed not technically convicted. It is a Pyrrhic victory.

Encryption is not data security it is a delaying or a cost-value tactic.
One purpose of encryption is to delay access to some information until such time as the information no longer has value to the attacker (An invasion plan). Alternatively, if the cost of decrypting the encrypted information is greater than the potential value of the information then there is no net benefit to the attacker (The Neman Marcus Cookie Recipe).
All encryption can be compromised if the value the attacker assigns to the information is greater than the cost of the attack. Most major intelligence organizations have the resources to successfully attack all encryption methods.
If you have data that you need to keep secret then it must be either guarded physically or hidden physically; because physical access it total access.
A simple and effective method for securing data in your home is to use a short-range wireless network storage device kept in your attic with the power controlled by a receive-only remote control power bar. No emanations when it is off, not visible, and only on when you need to use it.

Rosco says:
December 16, 2011 at 7:25 pm
What is wrong with being tested for drink driving randomly.
If your over the limit you shouldn’t be on the road – end of story.
No-one compels you to drink and drive but drunken drivers are a menace we can do without.
=====================================================
Nothing, if you don’t care about the 5th amendment. Rosco, rights are only preserved when you defend the rights of others. If you don’t defend other people’s rights, you’ve no expectation of having your rights defended.

Anthony,
Any chance you could have those made up with a logo on them? Maybe have Josh come up with something appropriate? Of course they should come with a pre-loaded file that only decrypts with the password “FOIA” or maybe “wattsupwiththat” to….surprise us.

itsteapot says:
December 16, 2011 at 9:17 pm
…….. surely the only reason they are investigating TallGuy is because they have evidence that he was involved in “stealing” the UEA E-mails. …..The UEA should be compelled to release the E-Mails as it is in the public interest to have a truly transparent debate on how they have come to the decisions over human interaction with climate;
====================================================
I’d be really surprised if that were the case. But, you’re correct with your assertion about the UEA and making their emails available. What is ironic, is that we wouldn’t have bothered with them had they not shown evidence of collusion even prior to the first release of the emails. All one had to do was to follow the Steve Mac’s blog to know the climatologists did collude…. and worse.

Rosco said:
December 16, 2011 at 7:25 pm
What is wrong with being tested for drink driving randomly.
If your over the limit you shouldn’t be on the road – end of story.
No-one compels you to drink and drive but drunken drivers are a menace we can do without.
********
Currently in Houston (Harris County) there is a “run away” Grand Jury proposing the indictment of a number of people in the District Attorney’s office for various conspiracies involving the whitewashing of the fact that the Houston Police Department has routinely used special “mobile labs” that give “erroneous” data, for their setups.
So you could be sober but still have the cops produce evidence that you are dead drunk.
Enjoy your time behind bars, thanks to “uncalibrated” instruments. You don’t think that weather stations are the only equipment that gives phony data do you.

If you don’t believe the UK is a police state keep reading.
I was driving home with the wife last month, after shopping in town, when I heard a siren. Looking in the mirror, expecting to see an ambulance or fire engine, much to my surprise I see an unmarked car with flashing blue rights. This car is right on my tail with plenty of room to overtake so I assume they want me. I pull into a layby and a uniformed policeman gets out of the car behind and asks me for my insurance !?!?!
After a lot of palavar and the police visiting my home it appears my insurance company had missed updating the DVLA computer when my AUTOMATIC RENEWAL went through.
A bored policeman entered my licence plate number and BINGO – found a criminal – SHEESH!
Statistics say there are over 2 million unensured vehicles on the UK roads but they managed to catch me in two weeks! Go figure.

davidmhoffer says:
December 16, 2011 at 10:20 pm
For those asking questions, there are a lot of very good answers in this thread, but the bottom line is this:
1. Any method that is 100% secure renders the computer useless. ……
==============================================
I’m supposedly one of those “professionals”, and what you’ve stated is exactly correct.
Time and reason, these are the things which keep one person’s data safe. And, as I stated earlier….. exact a cost. Give the SOBs reasons to move on. There’s someone easier around the corner. The credit card I use online has a very small limit. My taxes are on a different PC. ……yeh, they can come get me…..but, gosh the dance they’d have to do to get what little low hanging fruit they’d want….. of course that’s just for the average bad person. If we’re talking about a person who’s out to get you……. that’s what gun ownership is for. …… The 2nd amendment is because our founding fathers were smarter than most of us. 🙂

Be careful with “secure” USB drives. Many of them don’t actually encrypt the data, after all. So if the USB drive is opened and the flash memory is accessed directly, the data is there plain to read (this is easy as 1-2-3 and has been demonstrated by IT magazines in tests).
In any event, using a USB drive in a Tallbloke scenario is missing the point.
Obviously, they tracked him through his user account after posting. And in the UK, you can be forced to reveal any password, or else go to prison to contemplate about it a bit longer… 😉
I you feel the need for added security, go online ANONYMOUSLY. Of course you must act legal at all times, even if anonymous, yes, that’s right.
Don’t use your subscription landline/broadband and/or school/uni/library access – that does not qualify as anonymous and they will end up ringing at your door again for obvious reasons. (that wasn’t obvious to those anonymous and lulzsec kids; and also TOR connections can often be traced back, unlike popular believe – another thing that wasn’t obvious to them… I have read a forensic report on Tor, and they say they can often trace up to 6-7 out of 10 connections back with a high degree of certainty, if they badly want to – I don’t use it… it is a hassle, and if you reaaaally had to stay anonymous, you may well not be – of course I would use it anyway if I had to email a human rights report from Iran or some such thing)
Depending on where you live, there may be pay-as-you-go wireless USB internet access sticks available which you do not have to register to a name/address — AND do not top it up with your credit card!! 🙂 That means you can actually remain anonymous.
Internet USB drives like this are available in the UK, for example (hint-hint, tallbloke..) – as are anonymous pay as you go phones, and, low and behold, credit cards !! Yes that’s right, you can buy throw away credit cards at corner stores/at news agents and top them up right there with cash. I have a bunch, because for some reason, Valve/Steam didn’t accept my ‘proper’ credit card.
Anyway, that was my first thought – the guy is sitting on a heap of Sun boxes and must be thinking he is an IT big-shot, but no clue at all about internet security and/or how to stay anonymous, and probably even more so, no situational awareness, cough-cough… With the Climategate history as we know it, this was totally foreseeable, so I cannot feel sorry for him. I would have bet money on something like this happening.
Then again, the real issue here is proabably not that he is such a n00b, rather, he wanted to take the credit for breaking the news… ahh.. pride broke his neck… maybe he had the means to do it anonymously, but he sought recognition, and now he’s got it – who’s to complain about that? – Same is true about the Manning/Wikileaks cables – not content with what he did, he had to go around and brag about… what a fool. If there were no criminal charges attached to what Manning did, he should still go to prison for being that stupid. I had to think about him again, as he is in the news these days, and I just cannot bring myself to feel sorry for him on that basis alone – riles me up without end… it is like f*cking up the ‘perfect crime’.
So then kids, don’t go out and buy one of these, thinking you are invincible, especially if you get one of the type that doesn’t actually encrypt the data, even if the manufacturers all try to make them look as if they did (sometimes this isn’t 100% clear even after reading the tech specs sheet). And then encryption may not get you anywhere, if you reside in the ‘wrong’ country (e.g. UK). Long story short – don’t do naughty things 😛
Being aware of computer security is not a crime, and is actually actively endorsed by many governments (e.g. in Germany, they are actively peddling Live Linux CDs, advise on encryption, etc – you can download that directly from your friendly government) – only then running off with it and doing naughty things is not ok.
As a matter of fact, don’t buy this and save your money if you don’t have a clue about computers (that’s 95% of you for this purpose). – That is the case if you felt like owning one of these would actually do something for you after reading the article – and some of the comments show that you are hot candidates….
If you are e.g. a Windows 7 user, Windows will write (yes, actually write) backup copies of ALL your personal and system files with the volume shadow copy service (by default of the C drive, but you should check), and it does that regularly (who’s even heared of that before?). So even if you deleted your files and have them ‘secure’ on your USB, it takes anyone with a clue (= the guy examining your HD) 5 seconds to access the shadow copy and retrieve your data. (shadow copy is a bit more complex than can be explained in one line) If you don’t have a clue how, where and when your OS writes data, then you don’t need a secure USB key.
There are many more concerns attached to avoiding and/or getting rid of this type of data, which I will not elaborate on, so don’t run off, delete your shadows and think you are up to something. You don’t have to go all the length for practical purposes, but you would have to go a veeery long way if you were looking forward to an interview at the police station and I cannot help you with that. – When they clone your drives, eventually they will find anything that’s on it, and even heaps more you didn’t even think or know about, e.g. shadow copies and other fun stuff.
Don’t go out and buy this because chances are you won’t be a happy camper in the end, no one here is well advised by getting an encrypted key (that often isn’t actually encrypted to begin with).
Of course having an encrypted key is great when you lose it at the local Starbucks or the library. In the UK, full/any HD encryption is also no help, because you would have to reveal the key. Which is why I don’t even bother – but then, I am not in the business of downloading/leaking data illegally… (actually, I once lost an external drive because I just couldn’t remember the password 🙂 I think that is when I stopped messing with encryption because I have no use for it beyond curiousity)
Getting one of these encrypted USBs will be ‘security by obscurity’ for many or most people reading here for one reason or another – if the concern is that the police comes knocking at your door and not just general data security.
Encryption is NOT the subject Tallbloke should have contemplated, it is that other subject, all righties?
The prospect of being able to encrypt data or remain anonymous should not embolden anyone to do naughty stuff – you should, however, consider it as a matter of good practice.
This is not at all a complete guide on how to keep your system clean – I would be sitting here all day typing to achieve that (but it is not one of my concerns to do that for you), so if you are Dr Evil, you need to dig a bit deeper still in your own time.

Matt [December 17, 2011 at 1:29 am] says:
“the guy is sitting on a heap of Sun boxes and must be thinking he is an IT big-shot, but no clue at all about internet security and/or how to stay anonymous, and probably even more so, no situational awareness, cough-cough… With the Climategate history as we know it, this was totally foreseeable, so I cannot feel sorry for him. I would have bet money on something like this happening.
Then again, the real issue here is proabably not that he is such a n00b, rather, he wanted to take the credit for breaking the news… ahh.. pride broke his neck… maybe he had the means to do it anonymously, but he sought recognition, and now he’s got it – who’s to complain about that? – Same is true about the Manning/Wikileaks cables – not content with what he did, he had to go around and brag about… what a fool. If there were no criminal charges attached to what Manning did, he should still go to prison for being that stupid. I had to think about him again, as he is in the news these days, and I just cannot bring myself to feel sorry for him on that basis alone – riles me up without end… it is like f*cking up the ‘perfect crime’.”

Not a whole lot of sense there Matt. Are you positive that you have even followed ClimateGate 2.0? I would review the facts if I were you.
To the best of our knowledge, Tallbloke was the first blogger on whose blog there was a 3rd party person (FOIA) write a blog comment and post the link to the ZIP file. FOIA then went to several other sites and did the same. That is it. This whistleblower (FOIA) essentially did what you just did here, writing a comment on a blog.
Tallbloke reported it by commenting on a comment to his blog and several others. What exactly do you mean by ‘taking credit’? The thrust of your statement implies to me that Tallbloke somehow deserves this or was asking for it. I suggest you back that up.
P.S. Enough with the wikileaks comparison. Climatology is not equal to the Federal Military or State Department or state secrets. The punk stole classified material. In normal times he would be swinging from a tree before nightfall.

I am afraid this device wouldn’t help Tallbloke in the UK. As Jeremy ((5:09PM) and John (5:53PM) have already pointed out, in the UK you can be compelled to disclose your personal passwords. In the UK this is sanctioned by the ‘Investigatory Powers Act, which imposes a penalty of 2 years imprisonment for failure to disclose. People have already been imprisoned under this act in the UK, so simply saying that you have forgotten it won’t work. However, I do not believe that there is any such law in the US.
What you have to do is encrypt files without making it clear that files are encrypted., e.g. no password is prompted for when the file is accessed Alternatively, some software allows double encryption keys; what data you get to see depends on which password you type in.

Now you are being stupid again, Anthony.
Why are you implying that Tallbloke had files to hide?
It was all about IP tracing a comment to a blog post.

A previous commenter mentioned difficulty of remembering a really good password. The key to a really strong password is a combination of length and a decent mix of letters, numbers and special characters and eliminating spaces. And as it turns out, a really good password does not have to be hard to remember.
For example, start with this pass phrase: “I really hate Joe Romm with a passion”. Now add in your mother’s birth year “1925”. finally, add your favorite special character “&”. Now combine them in this format keeping the upper case letters: &1925IreallyhateJoeRommwithapassion&
To brute force or crack this pass phrase by any known method would take this long: 5.07 hundred billion trillion trillion trillion centuries, as per this security expert’s web site https://www.grc.com/haystack.htm .
The key is creating a phrase you can easily remember but no one else is going to guess (eg, “I absolutely love Xmas turkey”), then you eliminate the spaces while keeping the upper case, then you add some number and then add a few special characters and voila, a massively secure password.

Smoking Frog says:
December 17, 2011 at 5:05 am
I don’t think that’s true. Based on what I’ve read, AES-256 is unbreakable, at least for some years to come, and it might be unbreakable, period.

That isn’t stated correctly. What you mean is that properly implemented AES-256 that only allows brute-force attacks is essentially unbreakable as no computer exists that would take less than the age of the universe to brute-force the key. The problem with your statement is that brute-force attacks are not the only way to attack encryption.
never forget: http://xkcd.com/538/

Folks, there’s a lot of confusion here about breaking encryption keys.
For someone with a desk top computer using a brute force attack, breaking 256 bit encryption is impractical. Not impossible. Itz like winning the lottery. The odds are huge, but someone does. There’s a percentage chance (though a teeny tiny one) that someone nails it on the first try.
But from a practical perpsective, 256 bit encryption is vulnerable to sophosticated methods other than brute force, in particular when they are combined with supercomputers. 10,000 cpu’s working in parallel changes the odds considerably. And you’d be surprised how many facilities that large or larger exist.
In fact, quite a few of them would exist at climate research centres such as CRU. One can only wonder if Phil Jones and Co are sweating bullets trying to break that encryption key to see just how bad it really is…. of course, having all that compute horsepower at your disposal means little when the team lead can’t even figure out how to use Excel, and their statistical analysis methodologies produce nothing but hockey sticks.

Most people have a problem with the huge numbers because they only read what media writes. That’s why they think their use of 256-bit encryption will take the bazillion years to brute force through as a properly used and implemented 256-bit encryption theoretically could take.
The amount of CPUs is moot today, it is the amount of cores in each CPU that counts and how many thread each core can process. The ancient old, 2008, IBM Roadrunner had 116,000+ cores, and did one+ Peta Flop.
But to put this is relative terms, my newest, sub $1000, laptop can do 900-1200 passwords per second on average with four cores@1.8GHz and two threads per core on a 32bit system, to up to nine character length passwords. An similar but optimized system can do twice+ in 64-bit mode. That would be up to some 2000*116000 passwords per second for an ancient system such as the 2008 IBM Roadrunner. That’s like all the words stored in a library per minute.
Enter 2011 and Fujitsu’s 10.5+ Peta Flops of super computing power.
But, enter the human mind and the not so random choosing of passwords…where brute forcing a password gets easier the more you know about the person and the password, but of course that is all moot when the police interrogator, sorry interviewer, enters the room, then pretty much everyone gives up their passwords in the end, for the simple reason of one or both parties being nice so that all can go home in time for dinner, so to speak.
If you’re a traveling salesman, or what not, traveling all over with your computer and, or, information on memory sticks, then encrypt it pronto, but for the sole reason of misplacing it, dropping it, having it stolen. But to encrypt your files because you fear the police might get a hold of it? If you’re not living in a western world democracy, fine, for fear the communists, but in a western world democracy that same information might as well set you free.

With all due respect to ‘Smoking Frog’ and others, the likelihood of discovering a long, easily remembered pass phrase by law enforcement officials is going to take an inordinate amount of time, even with today’s advanced silicon, non-quantum, technology. Unless blind luck happens or the law enforcement officials determine the password from social engineering, the potential length of time to discover the password is astronomical – it just becomes unfeasible.
Those suggesting otherwise should accept my ‘Smoking Frog’ password challenge, which can be found here: http://www.c3headlines.com/smoking-frog-password-cracking-challenge.html.
Okay, “crack” this easily remembered password phrase for the two encrypted files located at the ‘C3’ page. Claim the glory and educate all of us that we need to be much better at security. And, let’s see how long a massive, parallel PC effort takes to ‘crack’ a simple but long password phrase. Let the zombie-infected PC farms rip!
BTW, Steve Gibson, the well known expert on information security suggests that the simple password phrase used in the ‘Smoking Frog’ challenge would take 65 trillion trillion trillion centuries to discover using today’s super-duper technology. Time to prove him wrong also, don’t ya think?
Check out Steve’s site (https://www.grc.com/haystack.htm) and test your own password or pass phrase as to how strong it potentially is.

Jeremy December 17, 2011 at 9:30 am
Smoking Frog December 17, 2011 at 5:05 am
I don’t think that’s true. Based on what I’ve read, AES-256 is unbreakable, at least for some years to come, and it might be unbreakable, period.
Jeremy
That isn’t stated correctly. What you mean is that properly implemented AES-256 that only allows brute-force attacks is essentially unbreakable as no computer exists that would take less than the age of the universe to brute-force the key. The problem with your statement is that brute-force attacks are not the only way to attack encryption.
never forget: http://xkcd.com/538/
It is stated correctly. At present, there seems to be no known attack on AES-256 that is sufficiently superior to brute force to matter, and there might never be.

davidmhoffer December 17, 2011 at 11:59 am
But from a practical perpsective, 256 bit encryption is vulnerable to sophosticated methods other than brute force, in particular when they are combined with supercomputers. 10,000 cpu’s working in parallel changes the odds considerably. And you’d be surprised how many facilities that large or larger exist.
No, that’s not true. C3 Editor presented a 36-character password. First consider brute force, and suppose the alphabet size is 70 (upper and lower case, numerals, and some other stuff), so there are 36^70 possible 36-character passwords, which is on the order of 10^108. Divide that by 10,000 and you have 10^104 possible passwords for each of the 10,000 computers. How about a trillion computers, which is about 1,000 times the number of computers in the world. That gives you 10^96 passwords per computer. You’ve accomplished nothing.
Now consider “sophisticated methods.” Based on what I’ve read, the strongest known attack on AES-256 reduces the problem by far less than 10,000, but it could reduce it by far more and still be useless.

C3 Editor December 17, 2011 at 4:23 pm
Your challenge is absurd. Your “Smoking Frog” webpage misrepresents what I wrote here; it conflates weak encryption with strong encryption. I merely pointed out that a “strong” password is not strong with a weak cipher. I did this because what you had written could easily lead an uninformed person to believe otherwise. Weak ciphers really do exist, mind you. They exist in legacy software in businesses and government agencies, and uninformed persons use them.
Your SmokingFrog2 file shows several signs of being a WIndows executable, but you claim it is an encrypted file. Are you expecting me or someone else to notice that it seems to be an executable, and try to run it, with who knows what consequences? That’s called a “Trojan.”
Nice going.
To say the least, it is interesting to me as an AGW skeptic to learn that a well-known AGW skeptic (you, except your name) exhibits such attitude and behavior. Why should anyone trust you?

As was mentioned by several posters above, TrueCrypt’s Hidden Volume functionality is a good way to keep your data private even in the face of a warrant or other forms of coercion.
http://www.truecrypt.org/docs/?s=hidden-volume

As an example, here are some real AES keys and the corresponding passphrases:

Passphrase: a
87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7
Passphrase: The science can never be settled
47507e7ecd7ec4a34a51b6b26c438b89f0372119373961cdd515c6ea1d46789f

Note that the 256-bit number (above represented in base-16) cannot be converted back into the corresponding pass phrase, this is a one-way (trapdoor) transformation. The probability of any two district inputs (pass phrases) to the secure hash algorithm producing identical output (AES keys) is vanishingly small.
The 256-bit number is then used to transform each 256-bit block of the plaintext in turn producing the corresponding ciphertext, or vice versa when decrypting.

scott (December 18, 2011 at 12:44 pm):
I assumed a 36-character password to conform to C3 Editor’s presentation, including his use of Steve Gibson’s calculator. But let me ask you: Does a person who uses an idiotic password, such as “password,” get the same 256-bit key as everyone else who uses the same idiotic password? If not, how is the key generated?

Smoking Frog asked:
Does a person who uses an idiotic password, such as “password,” get the same 256-bit key as everyone else who uses the same idiotic password? If not, how is the key generated?
The secure hash algorithm has the property that for any given input, A, there is one and only one distinct output A’. So yes, “password” always produces the same 256-bit key. That is one reasons why security professionals recommend against using the word ‘password’ as a pass phrase. An implementation may salt the passphrase (add something to it) before passing it to the secure hash algorithm, but in this usage, the salt would only make rainbow tables more difficult ) (and they are effectively impossible already for 256-bit keys, requiring billions of disk drives, and they do no good in this usage anyway since recovering A if you have A’ is pointless, just use the A’ you have to decode the message already).
That said, trying to brute force AES by varying the SHA256 input (A) rather than simply cycling through the universe of SHA256 A’ values may never actually crack the encryption since there is no guarantee that all possible A’ values can be generated by an infinitely large set of A values.
(one could pass the AR4 pdf to sha256sum and use that as a key, for example. Another property of SHA-256 is that the probability of two different A values generating the same A’ value is infinitely remote.)
If you have a linux system with the sha256sum command, you can play with it and see how unique A’ is for different 1-character A values.

Looking at the specification I see nothing better than my own USB key with Truecrypt.
Autorun is normally disabled on any serious PC.
the password is limited to 16 chars, which is not enoug except if you use realy really really random one. Me I prefer to have very very very long passphrase (hackers can break 64-70bits, government nearly 90, and english language use 1 information bit per letter… so use a random sentence of more that 100 letters… nb: not a citation)
it provide complementary software (sweeper! antivirus?) usefull, but to be honnest I install all security software on my PC, and don’t trust others.
for security advices, read Bruce Schneier books (best ate “Beyond Fear” and … forget it, it is too technical), and consult his blog… he have the reasonable paranoia and the risk aware trust.
ps: I don’t fear climate police, but identity stealers that will copy my civil papers to steal my life…
note that if you want a real hardware solution for critical data, it should be qualified hardware,
qualified software, separate keyboard.
companies like Gemalto are selling asymmetric cryptographic smart-card, card reader with separate keyboard…
but as usual the risk is on the host computer.
my best advice is to have a separate computer, with truecrypt style encrypted disk, with USB asymmetric key token (and pincode)…
use a very simple navigator, mostly readonly disk, simple text editor (at most libre office, but avoid), and non administrator account. of course antivirus, firewall activated…
if you are serious, maybe use a pocket separate router+firewall to protect your pc , even if it is already protected by your DSL router…
don’t use tor for secret data.
use SSH/SSL, or good encrypter transport (S/MIME/PGP) for secret communication…
and first of all know what is secret and what is not, what is valuable and what is not…
and use your safe PC only for real safety needs…
don’t do game, porn, news reading, hobby foruming on the safe PC…
keep it for sensible application, like spying the evil climatologist, talking with the daemon (or with skeptics), making/scanning/keeping administrative of business papers, keeping the nudist photo of your spouse, and the awful baby playing with mud photo of your teen kids…
anyway, except if you host stolen data like climate gate, wikileaks, clear stream listing, your only asset to protect are :
– civil documents that could help to steal identity (of you or your business)
– private documents, image, video (home porn, ridiculous, shocking relations) that can ruin your reputation or social life, or the one of your loved ones.