A little security help for my friends

More than a couple of people have asked me about computer security in the last couple of days, especially after the Tallbloke raid incident.

I’m offering a simple security solution for those who want to protect their files: a USB flash drive with built-in hardware security that works on USB 3.0 and USB 2.0 ports.

See all the details here, buy one if you want a neat new gadget for Xmas (it sure beats getting socks or a tie).

James Sexton
December 16, 2011 10:10 pm

itsteapot says:
December 16, 2011 at 9:17 pm
…….. surely the only reason they are investigating TallGuy is because they have evidence that he was involved in “stealing” the UEA E-mails. …..The UEA should be compelled to release the E-Mails as it is in the public interest to have a truly transparent debate on how they have come to the decisions over human interaction with climate;
====================================================
I’d be really surprised if that were the case. But, you’re correct with your assertion about the UEA and making their emails available. What is ironic, is that we wouldn’t have bothered with them had they not shown evidence of collusion even prior to the first release of the emails. All one had to do was to follow the Steve Mac’s blog to know the climatologists did collude…. and worse.

davidmhoffer
December 16, 2011 10:20 pm

For those asking questions, there are a lot of very good answers in this thread, but the bottom line is this:
1. Any method that is 100% secure renders the computer useless. You have to strike a balance between security and utility.
2. The stronger the security method you use, the more complex it becomes for you to access your own data, and the more likely it will be that you make your own data inaccessible to yourself (losing your encryption password, for example).
3. Encryption is a very good way to protect sensitive data, but encryption isn’t 100%. As noted above, breaking an encryption key is only a matter of time and resources versus the value of the data.
4. All the security on your personal computer in the world doesn’t protect you from what you do with your computer on the internet. You have to access the internet through an ISP service, and the ISP service can track all sorts of information about what sites you visit and what you downloaded and so on. There are ways around that too by using your ISP service to get to a proxy service etc to hide your tracks, but frankly, unless you are doing something illegal why would you go to the trouble? Whistle blowing would be the obvious exception.
5. If you want to keep it simple, but still protect your data, biometric authentication is easiest and pretty effective. You can get USB drives that are keyed to a fingerprint for example. No password to lose. But that doesn’t mean that someone with sufficient time and resources can’t get the data. It just makes it pretty simple to protect your data, hard to lose your “password”, and expensive enough that unless your data is worth millions, no one will be going after it. Of course, if your data is worth that much, you should be engaging a professional to protect it.

Earl Smith
December 16, 2011 10:30 pm

Rosco said:
December 16, 2011 at 7:25 pm
What is wrong with being tested for drink driving randomly?
If you’re over the limit you shouldn’t be on the road – end of story.
No-one compels you to drink and drive but drunken drivers are a menace we can do without.
********
Currently in Houston (Harris County) there is a “run away” Grand Jury proposing the indictment of a number of people in the District Attorney’s office for various conspiracies involving the whitewashing of the fact that the Houston Police Department has routinely used special “mobile labs” that give “erroneous” data, for their setups.
So you could be sober but still have the cops produce evidence that you are dead drunk.
Enjoy your time behind bars, thanks to “uncalibrated” instruments. You don’t think that weather stations are the only equipment that gives phony data, do you?

James Sexton
December 16, 2011 10:34 pm

_Jim says:
December 16, 2011 at 9:08 pm
James Sexton says on December 16, 2011 at 6:18 pm

In the U.S., one is compelled to blow in a breathalyzer if suspected of being drunk. If refused, guilt is assumed. The 5th amendment, like most of the constitution, is deemed only words to circumvent by our judges and lawmakers.
Not quite; there may be some penalty for ‘not blowing’ as this is usually part of the law written into the ‘agreement’ you agreed to for the privilege of obtaining a drivers license (you gave what is called “Implied Consent” – you agreed to ‘testing’ in various forms, incl blood and breath, when you applied for and obtained your DL).
For instance, regarding Florida’s “Implied Consent” Warning and a refusal to take a breathalyzer test:
In order for the fact that the driver refused to submit to chemical testing to be admissible at trial, the officer must read the driver Florida’s implied consent warnings. The implied consent laws in Florida require that any driver who accepts the privilege of driving a vehicle within the state is deemed to have given consent to submit to an approved chemical test of the driver’s breath, urine or blood.
So, in FL ‘refusal’ to take a breathalyzer test after being read the “Implied Consent” warning subjects a person to legal sanctions.
Upon refusal, in any case, a judge in most states can still issue a warrant in order to ‘draw blood’ for the purposes of a blood-alcohol test as well.
==============================================================
Jim, I love that rationale…… of course rules vary from state to state, in many cases asking for a blood draw is the same as refusing a breath analysis. But, either way, what difference does it make? If refusing to testify against yourself results in loss of rights and privileges what right do you really have? I really didn’t mean for the conversation to move to a discussion about drinking, but, I’m a drinker so I’ll go with it. It is a case in point. The impetus for me involving myself in the climate discussion was always the issue of Liberty. Right, wrong or indifferent, colding, hotting, or warmcolding….. none of the issues they may present is worth the Freedoms we have. In my experience, it has been serendipitous to discover the ills imagined from this global warming issue were just that……. imaginary. Turns out, the CO2 correlation is a machination as well. It is heartwarming and welcomed.
But, in the end, if it turned out that we were hotting up the world and the warming would present difficult weather, I’d still oppose the solutions. Liberty under harsh conditions is preferable to servitude under favorable conditions.

Richard111
December 17, 2011 12:20 am

If you don’t believe the UK is a police state keep reading.
I was driving home with the wife last month, after shopping in town, when I heard a siren. Looking in the mirror, expecting to see an ambulance or fire engine, much to my surprise I see an unmarked car with flashing blue lights. This car is right on my tail with plenty of room to overtake so I assume they want me. I pull into a layby and a uniformed policeman gets out of the car behind and asks me for my insurance !?!?!
After a lot of palaver and the police visiting my home it appears my insurance company had missed updating the DVLA computer when my AUTOMATIC RENEWAL went through.
A bored policeman entered my licence plate number and BINGO – found a criminal – SHEESH!
Statistics say there are over 2 million uninsured vehicles on the UK roads but they managed to catch me in two weeks! Go figure.

Rhys Jaggar
December 17, 2011 12:54 am

1. Unless you create your files on a safe computer, saving them safely won’t help. Malware will watch you creating documents. They don’t care then how you store them, they have the information.
2. Get a second PC and never connect it to the internet. Only generate valuable files on that PC.
3. Be aware that security services can detect you typing on that PC through vibrations via the mains socket. Trust me, they can. It’s scary but true. You need to be aware of that and do something about it.
4. If the US Government really want to follow you, they’ll use a satellite. Your PC is never free of their bugging eyes, unless you build a metal-encased tomb underground.
That’s the corporate world nowadays. It’s why they are encouraging ‘inventors’ and ‘entrepreneurs’. Because if the ideas come from the little guys, they can steal them. Without fear of lawsuits.
Cynical, sad?
The truth, I’m afraid………

James Sexton
December 17, 2011 1:12 am

davidmhoffer says:
December 16, 2011 at 10:20 pm
For those asking questions, there are a lot of very good answers in this thread, but the bottom line is this:
1. Any method that is 100% secure renders the computer useless. ……
==============================================
I’m supposedly one of those “professionals”, and what you’ve stated is exactly correct.
Time and reason, these are the things which keep one person’s data safe. And, as I stated earlier….. exact a cost. Give the SOBs reasons to move on. There’s someone easier around the corner. The credit card I use online has a very small limit. My taxes are on a different PC. ……yeh, they can come get me…..but, gosh the dance they’d have to do to get what little low hanging fruit they’d want….. of course that’s just for the average bad person. If we’re talking about a person who’s out to get you……. that’s what gun ownership is for. …… The 2nd amendment is because our founding fathers were smarter than most of us. 🙂

James Sexton
December 17, 2011 1:27 am

Richard111 says:
December 17, 2011 at 12:20 am
If you don’t believe the UK is a police state keep reading.
=======================================
That is heartbreaking. Because you didn’t purchase from a private company in the proper manner, you are subject to search and seizure. I wish us yanks could say we’re above that. But, as you can see by this thread, we are not, and not only that, we still have advocates who believe this is proper.
What is exceptionally noteworthy is that the principle of “a Man’s home is his castle” is one of the foundations of U.S. Constitutional law. Sadly, our application of such principle is applied in much of the same manner it is in Great Britain.
Don McLean is singing now. Starry, starry night…...

Matt
December 17, 2011 1:29 am

Be careful with “secure” USB drives. Many of them don’t actually encrypt the data, after all. So if the USB drive is opened and the flash memory is accessed directly, the data is there plain to read (this is easy as 1-2-3 and has been demonstrated by IT magazines in tests).
In any event, using a USB drive in a Tallbloke scenario is missing the point.
Obviously, they tracked him through his user account after posting. And in the UK, you can be forced to reveal any password, or else go to prison to contemplate about it a bit longer… 😉
If you feel the need for added security, go online ANONYMOUSLY. Of course you must act legal at all times, even if anonymous, yes, that’s right.
Don’t use your subscription landline/broadband and/or school/uni/library access – that does not qualify as anonymous and they will end up ringing at your door again for obvious reasons. (that wasn’t obvious to those anonymous and lulzsec kids; and also TOR connections can often be traced back, unlike popular belief – another thing that wasn’t obvious to them… I have read a forensic report on Tor, and they say they can often trace up to 6-7 out of 10 connections back with a high degree of certainty, if they badly want to – I don’t use it… it is a hassle, and if you reaaaally had to stay anonymous, you may well not be – of course I would use it anyway if I had to email a human rights report from Iran or some such thing)
Depending on where you live, there may be pay-as-you-go wireless USB internet access sticks available which you do not have to register to a name/address — AND do not top it up with your credit card!! 🙂 That means you can actually remain anonymous.
Internet USB drives like this are available in the UK, for example (hint-hint, tallbloke..) – as are anonymous pay as you go phones, and, lo and behold, credit cards !! Yes that’s right, you can buy throw away credit cards at corner stores/at news agents and top them up right there with cash. I have a bunch, because for some reason, Valve/Steam didn’t accept my ‘proper’ credit card.
Anyway, that was my first thought – the guy is sitting on a heap of Sun boxes and must be thinking he is an IT big-shot, but no clue at all about internet security and/or how to stay anonymous, and probably even more so, no situational awareness, cough-cough… With the Climategate history as we know it, this was totally foreseeable, so I cannot feel sorry for him. I would have bet money on something like this happening.
Then again, the real issue here is probably not that he is such a n00b, rather, he wanted to take the credit for breaking the news… ahh.. pride broke his neck… maybe he had the means to do it anonymously, but he sought recognition, and now he’s got it – who’s to complain about that? – Same is true about the Manning/Wikileaks cables – not content with what he did, he had to go around and brag about… what a fool. If there were no criminal charges attached to what Manning did, he should still go to prison for being that stupid. I had to think about him again, as he is in the news these days, and I just cannot bring myself to feel sorry for him on that basis alone – riles me up without end… it is like f*cking up the ‘perfect crime’.
So then kids, don’t go out and buy one of these, thinking you are invincible, especially if you get one of the type that doesn’t actually encrypt the data, even if the manufacturers all try to make them look as if they did (sometimes this isn’t 100% clear even after reading the tech specs sheet). And then encryption may not get you anywhere, if you reside in the ‘wrong’ country (e.g. UK). Long story short – don’t do naughty things 😛
Being aware of computer security is not a crime, and is actually actively endorsed by many governments (e.g. in Germany, they are actively peddling Live Linux CDs, advise on encryption, etc – you can download that directly from your friendly government) – only then running off with it and doing naughty things is not ok.
As a matter of fact, don’t buy this and save your money if you don’t have a clue about computers (that’s 95% of you for this purpose). – That is the case if you felt like owning one of these would actually do something for you after reading the article – and some of the comments show that you are hot candidates….
If you are e.g. a Windows 7 user, Windows will write (yes, actually write) backup copies of ALL your personal and system files with the volume shadow copy service (by default of the C drive, but you should check), and it does that regularly (who’s even heard of that before?). So even if you deleted your files and have them ‘secure’ on your USB, it takes anyone with a clue (= the guy examining your HD) 5 seconds to access the shadow copy and retrieve your data. (shadow copy is a bit more complex than can be explained in one line) If you don’t have a clue how, where and when your OS writes data, then you don’t need a secure USB key.
There are many more concerns attached to avoiding and/or getting rid of this type of data, which I will not elaborate on, so don’t run off, delete your shadows and think you are up to something. You don’t have to go all the length for practical purposes, but you would have to go a veeery long way if you were looking forward to an interview at the police station and I cannot help you with that. – When they clone your drives, eventually they will find anything that’s on it, and even heaps more you didn’t even think or know about, e.g. shadow copies and other fun stuff.
Don’t go out and buy this because chances are you won’t be a happy camper in the end, no one here is well advised by getting an encrypted key (that often isn’t actually encrypted to begin with).
Of course having an encrypted key is great when you lose it at the local Starbucks or the library. In the UK, full/any HD encryption is also no help, because you would have to reveal the key. Which is why I don’t even bother – but then, I am not in the business of downloading/leaking data illegally… (actually, I once lost an external drive because I just couldn’t remember the password 🙂 I think that is when I stopped messing with encryption because I have no use for it beyond curiosity)
Getting one of these encrypted USBs will be ‘security by obscurity’ for many or most people reading here for one reason or another – if the concern is that the police comes knocking at your door and not just general data security.
Encryption is NOT the subject Tallbloke should have contemplated, it is that other subject, all righties?
The prospect of being able to encrypt data or remain anonymous should not embolden anyone to do naughty stuff – you should, however, consider it as a matter of good practice.
This is not at all a complete guide on how to keep your system clean – I would be sitting here all day typing to achieve that (but it is not one of my concerns to do that for you), so if you are Dr Evil, you need to dig a bit deeper still in your own time.

David, UK
December 17, 2011 1:49 am

d55may says:
December 16, 2011 at 5:05 pm
What’s up with the advertising?

Yes, terrible isn’t it, the idea of advertising on a privately run blog. Well, clearly Anthony is in the pay of big USB. Isn’t that obvious, d55may? Duh.

Blade
December 17, 2011 2:19 am

Matt [December 17, 2011 at 1:29 am] says:
“the guy is sitting on a heap of Sun boxes and must be thinking he is an IT big-shot, but no clue at all about internet security and/or how to stay anonymous, and probably even more so, no situational awareness, cough-cough… With the Climategate history as we know it, this was totally foreseeable, so I cannot feel sorry for him. I would have bet money on something like this happening.
Then again, the real issue here is probably not that he is such a n00b, rather, he wanted to take the credit for breaking the news… ahh.. pride broke his neck… maybe he had the means to do it anonymously, but he sought recognition, and now he’s got it – who’s to complain about that? – Same is true about the Manning/Wikileaks cables – not content with what he did, he had to go around and brag about… what a fool. If there were no criminal charges attached to what Manning did, he should still go to prison for being that stupid. I had to think about him again, as he is in the news these days, and I just cannot bring myself to feel sorry for him on that basis alone – riles me up without end… it is like f*cking up the ‘perfect crime’.”

Not a whole lot of sense there Matt. Are you positive that you have even followed ClimateGate 2.0? I would review the facts if I were you.
To the best of our knowledge, Tallbloke was the first blogger on whose blog there was a 3rd party person (FOIA) write a blog comment and post the link to the ZIP file. FOIA then went to several other sites and did the same. That is it. This whistleblower (FOIA) essentially did what you just did here, writing a comment on a blog.
Tallbloke reported it by commenting on a comment to his blog and several others. What exactly do you mean by ‘taking credit’? The thrust of your statement implies to me that Tallbloke somehow deserves this or was asking for it. I suggest you back that up.
P.S. Enough with the wikileaks comparison. Climatology is not equal to the Federal Military or State Department or state secrets. The punk stole classified material. In normal times he would be swinging from a tree before nightfall.

MrV
December 17, 2011 2:24 am

* Hiding the decline or MWP sold separately.

Bomber_the_Cat
December 17, 2011 2:32 am

I am afraid this device wouldn’t help Tallbloke in the UK. As Jeremy (5:09PM) and John (5:53PM) have already pointed out, in the UK you can be compelled to disclose your personal passwords. In the UK this is sanctioned by the ‘Investigatory Powers Act’, which imposes a penalty of 2 years imprisonment for failure to disclose. People have already been imprisoned under this act in the UK, so simply saying that you have forgotten it won’t work. However, I do not believe that there is any such law in the US.
What you have to do is encrypt files without making it clear that files are encrypted, e.g. no password is prompted for when the file is accessed. Alternatively, some software allows double encryption keys; what data you get to see depends on which password you type in.

Dodgy Geezer
December 17, 2011 4:24 am

Um…
For a blog which is meant to support a scientific approach there seems to be a lot of proposing of favourite answers before the question has been fully understood…
The start point with security is not necessarily an encrypted USB stick, or, indeed, an encrypted anything. It is Risk Analysis.
Security is about providing appropriate responses to threats. If you want to ‘do security’ in a professional manner, you should start by considering what you have got, considering what the threats to it are, and from that information, how you are going to protect it. If you do not do this, you will be looking for countermeasures without a clear idea of why you need them. You will be a salesman’s dream…
There are a lot of cowboys out there selling defences which do not work. But even if you buy something that does work, it is useless to you if it doesn’t protect you, at an appropriate level, from the threats you actually face. And when you approach security in this way you will understand that a bit of hardware or software is usually of limited value without the physical, procedural and personnel countermeasures which need to go with it….

Mervyn
December 17, 2011 4:35 am

Anthony, are you aware that Phil Jones and his cabal of scientists read this blog?
Dam… now look what you’ve done. They now know about Data Guardian, and are in an even better position to hide their incriminating voodoo pseudo science when the police start investigating Lord Monckton’s complaints against them. The police will have to properly investigate.
Lord Monckton has stated: “I have begun drafting a memorandum for prosecuting authorities…to establish…the existence of numerous specific instances of scientific or economic fraud in relation to the official ‘global warming’ storyline…they will act, for that is what the law requires them to do.”
Of course, we know there will be a problem… the whereabouts of all the Data Guardian USB memory sticks that will have been unfortunately misplaced by Phil “Amnesia’ Jones!!!!

Smoking Frog
December 17, 2011 5:05 am

davidmhoffer December 16, 2011 at 10:20 pm
3. Encryption is a very good way to protect sensitive data, but encryption isn’t 100%. As noted above, breaking an encryption key is only a matter of time and resources versus the value of the data.
I don’t think that’s true. Based on what I’ve read, AES-256 is unbreakable, at least for some years to come, and it might be unbreakable, period.

John Silver
December 17, 2011 5:23 am

Now you are being stupid again, Anthony.
Why are you implying that Tallbloke had files to hide?
It was all about IP tracing a comment to a blog post.

Paul Coppin
December 17, 2011 5:43 am

“If they seize someone’s hard drive, however, there is nothing to prevent the reading and evaluating of other utterly unrelated files at leisure, and by many different individuals. That leaves one open to abusive use of that information. ”
It’s worse than that. If, in the process of looking for what they grabbed the drive for, they come across other material deemed to be illegal or evidence of illegality, you’ve just entered an entirely new world of hurt. To be sure, they have to handle the next steps properly to ensure the judge won’t throw the case out on a premise of illegal search and seizure, but thats a formality of paperwork, not inherent constitutional protection. Remember that folder with all those, ahem, downloaded MP3s and mpegs….?

December 17, 2011 6:29 am

James Sexton says on December 16, 2011 at 10:34 pm

[_]Jim, I love that rationale

Any ‘rationale’ aside, this is much more in the vein of “contract law” when you, in effect, agreed to those terms when you ‘signed on the dotted line’ in the process of obtaining your driver’s license.
This is well-settled law, I might add; complaints voiced in a “tell it to the judge” moment will more than likely (exc in certain liberal enclaves and on most ‘uber-conservative’ and Laup Nor boards) fall on deaf ears.
BTW, on the name pls note the “_” attached before the “Jim” yielding a composite “_Jim” so’s we can keep our Jims on WUWT straight.

Dave Worley
December 17, 2011 6:54 am

Is forgetfulness a crime?

December 17, 2011 7:07 am

A previous commenter mentioned difficulty of remembering a really good password. The key to a really strong password is a combination of length and a decent mix of letters, numbers and special characters and eliminating spaces. And as it turns out, a really good password does not have to be hard to remember.
For example, start with this pass phrase: “I really hate Joe Romm with a passion”. Now add in your mother’s birth year “1925”. Finally, add your favorite special character “&”. Now combine them in this format keeping the upper case letters: &1925IreallyhateJoeRommwithapassion&
To brute force or crack this pass phrase by any known method would take this long: 5.07 hundred billion trillion trillion trillion centuries, as per this security expert’s web site https://www.grc.com/haystack.htm .
The key is creating a phrase you can easily remember but no one else is going to guess (eg, “I absolutely love Xmas turkey”), then you eliminate the spaces while keeping the upper case, then you add some number and then add a few special characters and voila, a massively secure password.

Smoking Frog
December 17, 2011 7:56 am

C3 Editor December 17, 2011 at 7:07 am
To brute force or crack this pass phrase by any known method would take this long: 5.07 hundred billion trillion trillion trillion centuries, as per this security expert’s web site
That’s not the time needed for “any known method.” It’s the time needed for brute-force search. Password strength depends on the encryption scheme used, not only the number of possible passwords of the same length.
There are encryption schemes with which your “&1925Ireallyhate…” could be discovered in far less than 1 second. For example, consider a scheme that XORs the cleartext with as many concatenated copies of your password as are needed for the text length. If the text contains a line of all spaces or all any other character, it is utterly trivial to discover the password. Otherwise it’s more difficult, but extremely fast.
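Both comments above (C3 Editor’s brute-force estimate and Smoking Frog’s reply) can be checked with a short script. What follows is an added example, not code from the post or from either commenter. The first part estimates the exhaustive-search space of the example password in the style of the haystack calculator, assuming a 95-character alphabet (26 lower, 26 upper, 10 digits, 33 symbols including space) and an assumed rate of 10^14 guesses per second; with those assumptions it lands near the quoted figure of roughly 5 × 10^47 centuries. The second part implements the repeating-key XOR scheme Smoking Frog describes and shows that a single line of spaces in the plaintext hands back the entire key in one pass, however long the password is. The sample document, the guess rate and the assumption that the attacker knows the key length and where the blank line sits are all constructed for the demo.

```python
"""Added example: password search space vs. scheme weakness (not from the page)."""
import string

# Character classes, in the style of GRC's haystack calculator. The 33-symbol
# class (string.punctuation plus space) and the classes themselves are
# assumptions made for this example.
CLASSES = (
    string.ascii_lowercase,          # 26
    string.ascii_uppercase,          # 26
    string.digits,                   # 10
    string.punctuation + " ",        # 33
)
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search has to cover: the sum of
    every character class the password actually uses."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def search_space(password: str) -> int:
    """Worst-case number of candidates: every string over the alphabet of
    length 1 through len(password)."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def centuries_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time for a brute-force search to try the whole space at a given rate.
    This models exhaustive search only; it says nothing about the scheme
    the password is used with, which is the point of the second part."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY


# --- the weak scheme: repeating-key XOR ----------------------------------

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated end to end (encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_from_known_run(ciphertext: bytes, offset: int,
                               known_byte: int, key_len: int) -> bytes:
    """If plaintext[offset : offset + key_len] is all `known_byte` (a line of
    spaces, say), XOR-ing those ciphertext bytes with it yields the key
    rotated by offset % key_len; undo the rotation and return the key."""
    run = ciphertext[offset:offset + key_len]
    rotated = bytes(c ^ known_byte for c in run)
    shift = offset % key_len
    return rotated[key_len - shift:] + rotated[:key_len - shift]


PASSWORD = "&1925IreallyhateJoeRommwithapassion&"   # C3 Editor's example

# Constructed sample document: one padding line of spaces is all it takes.
SAMPLE_PLAINTEXT = (
    b"Memo to self: move the draft off the shared drive tonight.\n"
    + b" " * 40 + b"\n"
    + b"Second paragraph follows the blank line.\n"
)


def demo_xor_weakness() -> bool:
    """Encrypt the sample with the strong password under repeating-key XOR,
    recover the key from the all-space line, and decrypt everything.
    Assumed for the demo: the attacker knows the key length and where the
    blank line sits (a fixed file layout)."""
    key = PASSWORD.encode()
    ciphertext = xor_repeating(SAMPLE_PLAINTEXT, key)
    offset = SAMPLE_PLAINTEXT.index(b" " * len(key))
    recovered = recover_key_from_known_run(ciphertext, offset, ord(" "), len(key))
    return recovered == key and xor_repeating(ciphertext, recovered) == SAMPLE_PLAINTEXT


if __name__ == "__main__":
    print(f"alphabet: {alphabet_size(PASSWORD)} characters")
    print(f"centuries at 1e14 guesses/s: {centuries_to_exhaust(PASSWORD, 1e14):.3g}")
    print("key recovered from a line of spaces:", demo_xor_weakness())
```

The two numbers side by side make the point: the same 36-character password costs on the order of 10^47 centuries to exhaust, and zero effort to read off when the scheme leaks it. Password strength is a lower bound only when the construction it feeds (a proper key-derivation function and a vetted cipher) does not leak the key through the ciphertext.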

Editor
December 17, 2011 8:26 am

John Silver says:
December 17, 2011 at 5:23 am

Now you are being stupid again, Anthony.
Why are you implying that Tallbloke had files to hide?
It was all about IP tracing a comment to a blog post.

I think you’re confused. The Tallbloke post is over there at http://wattsupwiththat.com/2011/12/14/uk-police-seize-computers-of-skeptic-in-england/ . However, do note that the blog host was not at Tallbloke’s residence; the cops were looking for data on his personal systems that may have been through the blog. And anything else they might stumble across.
This post is about personal data security in general, not blog hosts.
Anthony is not implying Tallbloke has files to hide, the people who applied for the search warrant did.

Mike M
December 17, 2011 9:07 am

Jeremy says: “You would essentially be in obstruction if you used hardware encryption to keep information away from the law.”
They need to offer a booby trap destruct feature. Enter a specifically ‘wrong’ password and acid is released onto the die etching off all the evidence.
“OOPS! I’m so sorry officer! I’m not very good with these things and I accidentally gave you the wrong password.”
Now they have the burden to PROVE that you intentionally gave them the destruct code.
(This comment will self destruct 30 seconds after you read it – good luck Mr. Phelps!)

Jeremy
December 17, 2011 9:30 am

Smoking Frog says:
December 17, 2011 at 5:05 am
I don’t think that’s true. Based on what I’ve read, AES-256 is unbreakable, at least for some years to come, and it might be unbreakable, period.

That isn’t stated correctly. What you mean is that properly implemented AES-256 that only allows brute-force attacks is essentially unbreakable as no computer exists that would take less than the age of the universe to brute-force the key. The problem with your statement is that brute-force attacks are not the only way to attack encryption.
Never forget: http://xkcd.com/538/