My Thoughts and News

Those who hide the truth or prevent the truth from being known, are the very ones who wish to hide the real truth and rewrite history.

A (fairly) comprehensive guide to privacy and encryption

Posted by mythoughtsandnews on February 17, 2006

I know I’m not the only paranoid bastard around here, so I’ll attempt a
run down of the best programs and practices I’ve come across. Keep in
mind that there’s no such thing as complete security, but this is about
the best it gets.

File Encryption
For storing any private files on disk, I recommend TrueCrypt,
an open source disk encryption application. It blends seamlessly into
Windows and allows you to encrypt entire partitions, devices such as
floppies or flash drives, and also allows you create and mount virtual
disks which are stored in a single encrypted file.

TC supports most major encryptions, including AES-256, Blowfish, CAST5,
Triple DES and Twofish. It also employs a nice little security feature
in the event that you’re forced to reveal your password to somebody; a
hidden volume can be created inside an existing TC volume. Because free
space in TC volumes is filled with random data by the default, it’s
impossible to distinguish this hidden sector from empty space.

Another popular method of file encryption is PGP (see below).

Email Encryption
PGP is a public key encryption method commonly used in emails. The ‘public key’ is in essence a large passcode (example here)
which can be distributed however you like to allow other people to send
you encrypted messages. Despite this key being public, messages
encrypted using it can only be decrypted using your private key, which
you keep to hidden and to yourself. PGP can also be used to encrypt
regular files on the hard disk, but I’d recommend using TrueCrypt for
that, as in most cases the original file will have been present on the
disk before the encryption process took place. With this in mind, it’s
very likely that the original file could be recovered even after
deletion, whereas with TC the original file will be encrypted on the
fly so long as it exists inside a TC volume. A more indepth report on
the innards of PGP can be found here.

Not long ago PGP went commercial and closed source, this along with
(likely fabricated) accusations of NSA backdoors means that some might
be more comfortable with GPG, which essence it’s no different than and open source clone of PGP and is 100% compatible with it.

IM Encryption
The first option for instant messaging users is a protocol known as Secure Internet Live Conferencing, or SILC. It supports all of the features you’d expect to find in an IM protocol, however all communications are encrypted.

Switching from your regular IM programs to a whole new network isn’t
very practical for most people though, so another option is to use the GAIM
client. GAIM allows you to log in with all of your IM accounts at once
and supports AIM, ICQ, MSN, Yahoo, IRC, Jabber, SILC and a few more.
Once using GAIM you can install a security plugin called Off The Record,
which allows you to encrypt IM conversations over any of the supported
networks so long as both participants have OTR installed. Whilst
arguable not as secure as using SILC, the fact that it can be used in
conjunction with regular AIM and MSN accounts makes it worth a look at.

Secure Deletion
As I’m sure most people know by now, when you delete a file from your
computer you do nothing but delete the reference to it in your file
table. The contents of that file are still on your hard drive and can
be accessed in no time at all with any number of file restoration
applications on the market.

from SysInternals is a free command-line program for Windows that
allows for secure deletion of files from your disk, implementing
Department of Defense standards for data deletion. The program allows
you to overwrite a file any number of times with useless data to hinder
retrieval. Specialist hardware and software will always be able to
retrieve some data from the disk, given enough time and resources, but
the more passes you make over the file the harder retrieval becomes.
However the best feature of Sdelete in my opinion is the ability to
securely delete any past files and empty space on a disk. With Sdelete
running on command line only it might not be to some people’s tastes,
but it’s the best free solution I’ve come across, so it’s worth
checking out.

HTTP Privacy
For secure website browsing, the two best solution available are TOR and JAP.
Both achieve similar results in that they encrypt and route your
connection through another server to disguise the user’s online
identity and protect them from any electronic eaves dropping along the
way. Again, as with everything in this post, privacy isn’t guaranteed
and if, for example, a law enforcement agency were willing to invest
the time and effort required to discover where a website request
originated from, they could do just that. Of TOR and JAP, my personal
favourite is the former, admittedly I’m slightly put off by the fact
that JAP was at one time backdoored by the German government. TOR can
also be used to route any network application with support for the
SOCKS proxy protocol, so it’s far from restricted to web traffic.

General Tips

  • Grab Firefox
    if you’re not already using it. If you’re like me you’ll want to run it
    as clean as possible, disable caching, cookies, history, address
    saving, form/password saving, etc.
  • Ccleaner
    is another useful free tool; clears usage history for a ton of
    applications as well as Windows itself, can be set to run automatically
    on start up.
  • TweakXP is a handy tool from Microsoft which can be used to disable document history, run history, address bar history, etc…
  • To
    get into the habit of using different passwords for all of your
    accounts, using symbols as well as upper and lowercase alphanumeric
    characters. Most brute force password crackers will only attempt
    lowercase passwords up to about 8 characters; so don’t make the job any
  • I can’t count the number of people I know who have had
    accounts stolen via the ‘secret question’ function. It doesn’t matter
    how strong your password is, if you’re reminder question is something
    as simple as a pet’s name it’s not going to do any good; you’re giving
    an attacker an easy way to circumvent your password. If you’ve got a
    good memory it’s worth using an incorrect or irrelevant secret answer.

Most of what’s in this post is irrelevant for most people’s purposes,
but they do give peace of mind. As I’ve mentioned, there’s no such
thing as complete anonymity and security, but the solutions detailed in
this post will certainly help.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: