Is this privacy software any good? - Ubuntu


  1. Is this privacy software any good?

    I'm currently using shred*, gpg and cfs to protect "sensitive" files from
    prying eyes. Are these privacy solutions okay? Or am I kidding myself?

    * I realise that shred is no good when used with journalled file systems.
    However, I'm using ext3 in data=ordered mode, and according to the shred
    manpage:

    "In the case of ext3 file systems, the above disclaimer [about
    shred's ineffectiveness] applies (and shred is thus of limited
    effectiveness) only in data=journal mode, which journals file
    data in addition to just metadata. In both the data=ordered (default)
    and data=writeback modes, shred works as usual."

    So, according to the manpage, shred should work okay on my system. What
    I need to know is: does shred have vulnerabilities that the manpage
    *doesn't* discuss?


  2. Re: Is this privacy software any good?

    On 2008-03-28, firebrand wrote:
    > I'm currently using shred*, gpg and cfs to protect "sensitive" files from
    > prying eyes. Are these privacy solutions okay? Or am I kidding myself?


    They are OK if you use them correctly.

    For example, if you write down your passphrase and stick it to your
    fridge, then anyone who gets inside your house can get to your files.

    Or, if you leave your system running, cfs mounted, and screen
    unlocked, then anyone can stop by and scp your secret files to
    somewhere else or install a backdoor.

    Or, if you logon to home from an infected Windows computer, which has
    a keyboard logger program installed, then likewise your encryption
    will do you no good.

    Or if the FBI installs a physical keyboard logger dongle on your
    computer. That has happened.

    Or if you use some dumb software that makes copies of your files where
    you do not expect them. One pedophile was convicted based in large
    part on Windows creating hidden thumbs.db files that he was not aware
    about:

    http://www.news.com/8301-13578_3-989...l?tag=nefd.pop

    And now this guy is everyone's girlfriend in prison.

    So, security is more than just installing come packages. It is a
    combination of software as well as your key management practices.

    Another accused pedophile was able to avoid prosecution by cleverly
    shutting down his laptop that had a filesystem (Z drive) encrypted
    with PGP, before the border agents could copy files:

    http://www.washingtonpost.com/wp-dyn...011503663.html

    > * I realise that shred is no good when used with journalled file systems.
    > However, I'm using ext3 in data=ordered mode, and according to the shred
    > manpage:
    >
    > "In the case of ext3 file systems, the above disclaimer [about
    > shred's ineffectiveness] applies (and shred is thus of limited
    > effectiveness) only in data=journal mode, which journals file
    > data in addition to just metadata. In both the data=ordered (default)
    > and data=writeback modes, shred works as usual."
    >
    > So, according to the manpage, shred should work okay on my system. What
    > I need to know is: does shred have vulnerabilities that the manpage
    > *doesn't* discuss?
    >


    I think that you should keep sensitive stuff on CFS encrypted
    filesystem only, instead of relying on shred alone.

    I wrote a program wipedisk, that would simply fill all free space
    on a filesystem with garbage and then release it. I use it often just
    in case.

    If you read about computer forensics (google this term), you will find
    that most people install some "encryption software", think that they
    are protected, but they are not. This especially applies to Windows
    with its use of temporary files, swap, etc.

    This is really the same as a couple of people here who insisted that
    just because they have linux installed, they will never get hacked etc.

    Being secure, is a combination of using right software, good
    practices, and constant review.

    So you are very right to ask questions.

    Ubuntu Hardy has an option to set up an encrypted LVM, so that
    everything besides /boot lives on the encrypted logical volume.

    I use this option on my laptop and know that a thief could not get my
    credit card numbers, if he steals my laptop, as long as it is powered
    off (or powered on but screen locked).

    i

  3. Re: Is this privacy software any good?

    Ignoramus17370 wrote:

    > And now this guy is everyone's girlfriend in prison.
    >
    > So, security is more than just installing come packages.

    ^^^^

    I think this is getting a little off-topic )

  4. Re: Is this privacy software any good?

    Ignoramus17370 wrote:

    >
    > Being secure, is a combination of using right software, good
    > practices, and constant review.
    >
    > So you are very right to ask questions.
    >
    > Ubuntu Hardy has an option to set up an encrypted LVM, so that
    > everything besides /boot lives on the encrypted logical volume.


    Recently there was a big change in Truecrypt, it can now encrypt partitions.
    http://www.truecrypt.org

  5. Re: Is this privacy software any good?

    On 2008-03-28, Dirk T. Verbeek wrote:
    > Ignoramus17370 wrote:
    >
    >>
    >> Being secure, is a combination of using right software, good
    >> practices, and constant review.
    >>
    >> So you are very right to ask questions.
    >>
    >> Ubuntu Hardy has an option to set up an encrypted LVM, so that
    >> everything besides /boot lives on the encrypted logical volume.

    >
    > Recently there was a big change in Truecrypt, it can now encrypt partitions.
    > http://www.truecrypt.org


    Does it have any advantage over encrypted LVM?

    I thought that TrueCrypt was not peer reviewed?

    i

  6. Re: Is this privacy software any good?

    Ignoramus17370 wrote:
    > On 2008-03-28, Dirk T. Verbeek wrote:
    >> Ignoramus17370 wrote:
    >>
    >>> Being secure, is a combination of using right software, good
    >>> practices, and constant review.
    >>>
    >>> So you are very right to ask questions.
    >>>
    >>> Ubuntu Hardy has an option to set up an encrypted LVM, so that
    >>> everything besides /boot lives on the encrypted logical volume.

    >> Recently there was a big change in Truecrypt, it can now encrypt partitions.
    >> http://www.truecrypt.org

    >
    > Does it have any advantage over encrypted LVM?
    >
    > I thought that TrueCrypt was not peer reviewed?
    >
    > i


    It's Open Source, your chance to fame!

    There have been reviews on the older versions but with the 5.* version
    only out since February I don't think much will be available.

    The way I perceive it it is somewhat modular and the important modules
    exist since a long time.

    I have no idea of advantages versus encrypted LVM except I find it is
    fairly well documented and transparent in how to set it up.
    The main advantage to me is that it's portable, both as on removable
    media and as on different platforms.

    Personally I only use Truecrypt containers of about 4GB, the size of a
    DVD, this is obviously susceptible to the temp files hole you mentioned.

  7. Re: Is this privacy software any good?

    On 2008-03-28, Dirk T. Verbeek wrote:
    > Ignoramus17370 wrote:
    >> On 2008-03-28, Dirk T. Verbeek wrote:
    >>> Ignoramus17370 wrote:
    >>>
    >>>> Being secure, is a combination of using right software, good
    >>>> practices, and constant review.
    >>>>
    >>>> So you are very right to ask questions.
    >>>>
    >>>> Ubuntu Hardy has an option to set up an encrypted LVM, so that
    >>>> everything besides /boot lives on the encrypted logical volume.
    >>> Recently there was a big change in Truecrypt, it can now encrypt partitions.
    >>> http://www.truecrypt.org

    >>
    >> Does it have any advantage over encrypted LVM?
    >>
    >> I thought that TrueCrypt was not peer reviewed?
    >>
    >> i

    >
    > It's Open Source, your chance to fame!
    >
    > There have been reviews on the older versions but with the 5.* version
    > only out since February I don't think much will be available.
    >
    > The way I perceive it it is somewhat modular and the important modules
    > exist since a long time.
    >
    > I have no idea of advantages versus encrypted LVM except I find it is
    > fairly well documented and transparent in how to set it up.
    > The main advantage to me is that it's portable, both as on removable
    > media and as on different platforms.
    >
    > Personally I only use Truecrypt containers of about 4GB, the size of a
    > DVD, this is obviously susceptible to the temp files hole you mentioned.


    Very interesting. Somehow it is not available as a Ubuntu
    package. Anyway, I am fairly set with dm-crypt, I think, for now, but
    thanks, I learned something useful. The stego capability is surely
    very useful.

    i

  8. Re: Is this privacy software any good?

    Ignoramus17370 wrote:

    >
    > Very interesting. Somehow it is not available as a Ubuntu
    > package. Anyway, I am fairly set with dm-crypt, I think, for now, but
    > thanks, I learned something useful. The stego capability is surely
    > very useful.
    >
    > i

    You can find two Ubuntu packages, x86 and x64, on their website,
    download, right click and install.
    http://www.truecrypt.org/downloads.php

  9. Re: Is this privacy software any good?

    On 2008-03-29, Dirk T. Verbeek wrote:
    > Ignoramus17370 wrote:
    >
    >>
    >> Very interesting. Somehow it is not available as a Ubuntu
    >> package. Anyway, I am fairly set with dm-crypt, I think, for now, but
    >> thanks, I learned something useful. The stego capability is surely
    >> very useful.
    >>
    >> i

    > You can find two Ubuntu packages, x86 and x64, on their website,
    > download, right click and install.
    > http://www.truecrypt.org/downloads.php


    Thanks. I like dm-crypt. I think that I will stay with it and keep it
    regularly up to date with the rest of repos, etc.

    i

  10. Re: Is this privacy software any good?

    On 2008-03-28, Dirk T. Verbeek wrote:
    > Ignoramus17370 wrote:
    >
    >> And now this guy is everyone's girlfriend in prison.
    >>
    >> So, security is more than just installing come packages.

    > ^^^^
    >
    > I think this is getting a little off-topic )


    No, it is a typo, surely you have seen these before

  11. Re: Is this privacy software any good?

    Gordon wrote:
    > On 2008-03-28, Dirk T. Verbeek wrote:
    >> Ignoramus17370 wrote:
    >>
    >>> And now this guy is everyone's girlfriend in prison.
    >>>
    >>> So, security is more than just installing come packages.

    >> ^^^^
    >>
    >> I think this is getting a little off-topic )

    >
    > No, it is a typo, surely you have seen these before


    Oh...You think so?

    Woosh!

  12. Re: Is this privacy software any good?

    In article <47ed3107$0$1403$c5fe31e7@reader.usenet4all.se>,
    firebrand wrote:
    > I'm currently using shred*, gpg and cfs to protect "sensitive" files from
    > prying eyes. Are these privacy solutions okay? Or am I kidding myself?


    It depends on what you are doing. When you decrypt your data to use it,
    what are you doing it with? For example, if this is your work flow:

    * decrypt foo.gpg onto foo.tmp
    * edit foo.tmp
    * encrypt foo.tmp onto foo.gpg
    * shred foo.tmp

    then you have to worry about any temp files your editor created, and
    also any page files from your editor (and possibly your other processes)
    in the swap space.

    No one can tell you whether what you are doing is safe or not without
    knowing about (1) what you are doing, and (2) who you are afraid of.

    If you are afraid of your wife snooping, for example, then you can
    probably ignore swap space (assuming she's not a kernel hacker or data
    recovery specialist), but if you are involved in activities that would
    draw the interest of major government agencies and the "sensitive" files
    could land you in jail, then swap space is something to worry about.

    --
    --Tim Smith

  13. Re: Is this privacy software any good?

    On Fri, 28 Mar 2008 16:14:55 -0500, Ignoramus17370 wrote:

    > On 2008-03-28, Dirk T. Verbeek wrote:
    >> Ignoramus17370 wrote:
    >>> On 2008-03-28, Dirk T. Verbeek wrote:
    >>>> Ignoramus17370 wrote:
    >>>>
    >>>>> Being secure, is a combination of using right software, good
    >>>>> practices, and constant review.
    >>>>>
    >>>>> So you are very right to ask questions.
    >>>>>
    >>>>> Ubuntu Hardy has an option to set up an encrypted LVM, so that
    >>>>> everything besides /boot lives on the encrypted logical volume.
    >>>> Recently there was a big change in Truecrypt, it can now encrypt
    >>>> partitions. http://www.truecrypt.org
    >>>
    >>> Does it have any advantage over encrypted LVM?
    >>>
    >>> I thought that TrueCrypt was not peer reviewed?
    >>>
    >>> i

    >>
    >> It's Open Source, your chance to fame!
    >>
    >> There have been reviews on the older versions but with the 5.* version
    >> only out since February I don't think much will be available.
    >>
    >> The way I perceive it it is somewhat modular and the important modules
    >> exist since a long time.
    >>
    >> I have no idea of advantages versus encrypted LVM except I find it is
    >> fairly well documented and transparent in how to set it up. The main
    >> advantage to me is that it's portable, both as on removable media and
    >> as on different platforms.
    >>
    >> Personally I only use Truecrypt containers of about 4GB, the size of a
    >> DVD, this is obviously susceptible to the temp files hole you
    >> mentioned.

    >
    > Very interesting. Somehow it is not available as a Ubuntu package.
    > Anyway, I am fairly set with dm-crypt, I think, for now, but thanks, I
    > learned something useful. The stego capability is surely very useful.
    >
    > i


    There's a neat stego app in the Ubuntu repositories, called "steghide".

    --

    "They say: 'Evil prevails when good men fail to act.' What they
    ought to say is: 'Evil prevails.'" - Yuri Orlov


  15. Re: Is this privacy software any good?

    On Sat, 29 Mar 2008 22:57:08 -0700, Tim Smith wrote:

    > In article <47ed3107$0$1403$c5fe31e7@reader.usenet4all.se>,
    > firebrand wrote:
    >> I'm currently using shred*, gpg and cfs to protect "sensitive" files
    >> from prying eyes. Are these privacy solutions okay? Or am I kidding
    >> myself?

    >
    > It depends on what you are doing. When you decrypt your data to use it,
    > what are you doing it with? For example, if this is your work flow:
    >
    > * decrypt foo.gpg onto foo.tmp
    > * edit foo.tmp
    > * encrypt foo.tmp onto foo.gpg
    > * shred foo.tmp
    >
    > then you have to worry about any temp files your editor created, and
    > also any page files from your editor (and possibly your other processes)
    > in the swap space.


    Hmm. The work flow you described above is kinda similar to some stuff
    I've done. How would I check for temp files created by (for example)
    gedit? How would I check swap for this stuff?

    Oh, and if foo.gpg decrypted to a html file, which I then viewed with
    firefox, would closing the browser and selecting to delete the saved info
    of the last session get rid of saved instances of foo.html?
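
Added example, not part of any post in this thread: shell helpers for checking the three exposure points the thread raises, namely the ext3 `data=journal` caveat from the shred manpage, active swap, and files left behind by a decrypt, edit, encrypt, shred session. The function names are hypothetical and the mount, swap and file entries in `demo` are constructed samples; on a real system the inputs would be `/proc/mounts` and `/proc/swaps`.

```shell
#!/bin/sh
# Added example (hypothetical function names): checks for a
# decrypt -> edit -> encrypt -> shred session.

# Print the ext3 data= mode of MOUNTPOINT from a /proc/mounts-format file.
# ext3 uses "ordered" when no data= option is listed. Fails if not ext3.
ext3_data_mode() {  # usage: ext3_data_mode MOUNTS_FILE MOUNTPOINT
    awk -v mp="$2" '
        $2 == mp && $3 == "ext3" {
            found = "ordered"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^data=/) found = substr(opt[i], 6)
        }
        END { if (found == "") exit 1; print found }
    ' "$1"
}

# True when the manpage caveat applies: file data goes through the journal.
shred_caveat_applies() {  # usage: shred_caveat_applies MOUNTS_FILE MOUNTPOINT
    [ "$(ext3_data_mode "$1" "$2")" = "journal" ]
}

# Print active swap areas from a /proc/swaps-format file (header skipped).
# Unless a listed device is itself encrypted, paged-out plaintext can sit there.
active_swap() {  # usage: active_swap SWAPS_FILE
    awk 'NR > 1 { print $1 }' "$1"
}

# List regular files under DIR... modified after MARKER (a file touched just
# before decrypting), skipping KEEP (the re-encrypted output).
leftovers_since() {  # usage: leftovers_since MARKER KEEP DIR...
    marker=$1; keep=$2; shift 2
    find "$@" -xdev -type f -newer "$marker" ! -path "$keep" 2>/dev/null | sort
}

# Demo on constructed data: a fake mounts table and a simulated edit session.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/dev/sda1 / ext3 rw,errors=remount-ro,data=ordered 0 0' \
                  '/dev/sda3 /srv ext3 rw,data=journal 0 0' > "$d/mounts"
    mkdir "$d/work"
    touch -t 200803280000 "$d/work/marker"   # session start (constructed time)
    : > "$d/work/foo.gpg"                     # re-encrypted result
    : > "$d/work/foo.tmp~"                    # editor backup left behind
    shred_caveat_applies "$d/mounts" /srv && echo "/srv: shred caveat applies"
    leftovers_since "$d/work/marker" "$d/work/foo.gpg" "$d/work"
    rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to see the constructed case. In real use, pass `leftovers_since` every directory the editor or viewer may write to (the working directory, `/tmp`, the application's cache and profile directories), since a leftover outside the searched directories is not reported.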

