
PGP: Teach us please


37 replies to this topic

#21 pacingthecage

pacingthecage

    Mycophiliac

  • Expired Member
  • 32 posts

Posted 22 April 2005 - 08:31 PM

So if the law comes and takes your computer with your secret encryption key, they could probably read all your mail anyway, correct? This is just for internet privacy from other computers, correct?


Incorrect.

First, PGP is encryption for email or files. Has nothing to do with surfing.

Second, you have to have a keypair - private and public. Your public you can advertise all over the internet if you want. There are even worldwide registries for anyone who wants to publish their public key. It's like your PGP address.

Your private key on the other hand belongs to just you. It's your password. Keep it in your head. When you decrypt incoming mail, you use it to read the mail, delete and 'wipe' whatever file and/or drive it's on. PGP Corp's 8.1 software comes with a built-in file 'wiper' and a 'Wipe Free Space' wizard.

#22 pacingthecage

pacingthecage

    Mycophiliac

  • Expired Member
  • 32 posts

Posted 22 April 2005 - 09:03 PM

.
If you want to protect your privacy, I urge you to join
organizations such as the Electronic Frontier Foundation
<[email protected]>.



Just a note:

This is the same Electronic Frontier Foundation that is behind Tor (discussed in the Free Anon Surfing thread here).

#23 dukex

dukex

    Mycotopiate

  • Expired Member
  • 583 posts

Posted 23 April 2005 - 06:47 AM

Very nice... thanks for the details

I personally believe that the feds have a backdoor into PGP and that if they want into your email because you didn't delete/wipe they could.

Peace...

#24 Hippie3

Hippie3

    DUNG DEALER

  • Founders
  • 40,642 posts

Posted 23 April 2005 - 06:49 AM

i doubt it.
without your key
pgp is uncrackable.

#25 dukex

dukex

    Mycotopiate

  • Expired Member
  • 583 posts

Posted 23 April 2005 - 07:34 AM

I should have been a little more specific. As far as sending/receiving emails I think you would be fine. If I had possession of your computer I believe I could brute force your passphrase let alone what the federallys could do.

Why do I think I can? 'Cause 90% of the passwords and passphrases are between 6-8 characters and even lowercase. That could be brute forced in a few hours. We could do a whole topic on this password/phrase strength.

This is all good discussion but I still think the feds have the master key.

Peace...

#26 Hippie3

Hippie3

    DUNG DEALER

  • Founders
  • 40,642 posts

Posted 23 April 2005 - 07:37 AM

well, possession of my computer
by anyone other than me
is something i intend to prevent.
keep a can of gas nearby...

#27 dukex

dukex

    Mycotopiate

  • Expired Member
  • 583 posts

Posted 23 April 2005 - 07:42 AM

You are busy this morning :)

Exactly my sentiment with the gas.

Peace...

#28 the_other_chap

the_other_chap

    The Whelk of Reason

  • Expired Member
  • 919 posts

Posted 23 April 2005 - 07:53 AM

Why do I think I can? 'Cause 90% of the passwords and passphrases are between 6-8 characters and even lowercase. That could be brute forced in a few hours. We could do a whole topic on this password/phrase strength.

Yes, but PGP gives you an indication of your passphrase strength as you're typing it. It doesn't reach "full" strength until at least 25 characters.

This is all good discussion but I still think the feds have the master key.

That's one of the good points about PGP, there is no possible "master key".
The source code of PGP is available for examination (and compiling yourself if you wish) so any "backdoors" would have been busted long ago.

If you want to encrypt your mail or files, I think PGP is probably one of the best ways of doing it.
Here's some info about PGP's security: http://axion.physics...pgp-attack.html

If you google "PGP vulnerability" there's plenty more info.

#29 pacingthecage

pacingthecage

    Mycophiliac

  • Expired Member
  • 32 posts

Posted 23 April 2005 - 09:22 AM

Yes, but PGP gives you an indication of your passphrase strength as you're typing it. It doesn't reach "full" strength until at least 25 characters.


This is true, at least for PGP Corp's 8.1. There is a meter that indicates strength of passphrase as you're typing it in.


As far as sending/receiving emails I think you would be fine. If I had possession of your computer I believe I could brute force your passphrase let alone what the federallys could do.

Why do I think I can? 'Cause 90% of the passwords and passphrases are between 6-8 characters and even lowercase. That could be brute forced in a few hours. We could do a whole topic on this password/phrase strength.


The point is, I think, PGP security comes down to one thing - the strength of your passphrase. You can make your passphrase as simple or as complicated as you'd like. The more complicated it is, the stronger it is; but also the more inconvenient it becomes - can you memorize all those characters? Do you store your passphrase on your PC or write it down somewhere, thus compromising secrecy?

#30 dukex

dukex

    Mycotopiate

  • Expired Member
  • 583 posts

Posted 23 April 2005 - 09:30 AM

"This is true, at least for PGP Corp's 8.1. There is a meter that indicates strength of passphrase as you're typing it in."

It doesn't force you to use 25 characters or to mix upper and lower case with special characters.

"The point is, I think, PGP security comes down to one thing - the strength of your passphrase. You can make your passphrase as simple or as complicated as you'd like. The more complicated it is, the stronger it is; but also the more inconvenient it becomes - can you memorize all those characters? Do you store your passphrase on your PC or write it down somewhere, thus compromising secrecy?"

That was one of the points I was trying to make thanks for articulating it.

Peace...

#31 the_other_chap

the_other_chap

    The Whelk of Reason

  • Expired Member
  • 919 posts

Posted 23 April 2005 - 10:06 AM

A good passphrase needn't be hard to remember.
Something like "My Large Belly Will Not Fit Through This Door" is fine, and just as safe as "fl33t 0f F00t anD 6r33n dre4MIn6ly sI33P".
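
An added example, not part of any post in this thread: a rough search-space estimate for the passphrases discussed above, taking the cheaper of a character-by-character brute force and a whole-word dictionary attack. The guess rate, the dictionary size, the small word set and the two short lowercase samples are assumptions constructed for illustration.

```python
import math
import string

ASSUMED_GUESSES_PER_SEC = 1e6   # constructed attacker speed, not a measured figure
ASSUMED_WORDLIST_SIZE = 7776    # assumed size of the attacker's word dictionary
# Constructed stand-in for that dictionary: only the words used in the samples.
SAMPLE_WORDS = {"my", "large", "belly", "will", "not", "fit", "through",
                "this", "door"}

def charset_size(passphrase):
    """Alphabet a character-by-character brute force has to cover."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in classes if any(c in chars for c in passphrase))

def char_bits(passphrase):
    """Search space in bits when every character is guessed independently."""
    size = charset_size(passphrase)
    return len(passphrase) * math.log2(size) if size else 0.0

def word_bits(passphrase):
    """Search space in bits when whole dictionary words are guessed.
    Returns None if any token is not in the dictionary."""
    words = passphrase.lower().split()
    if not words or any(w not in SAMPLE_WORDS for w in words):
        return None
    return len(words) * math.log2(ASSUMED_WORDLIST_SIZE)

def estimate_bits(passphrase):
    """Conservative estimate: the cheaper of the two attacks."""
    options = [char_bits(passphrase), word_bits(passphrase)]
    return min(b for b in options if b is not None)

def hours_to_exhaust(bits, rate=ASSUMED_GUESSES_PER_SEC):
    """Hours to try the whole space at the assumed guess rate."""
    return 2 ** bits / rate / 3600

if __name__ == "__main__":
    samples = ["qzkvwp",                       # 6 lowercase letters
               "qzkvwpxm",                     # 8 lowercase letters
               "My Large Belly Will Not Fit Through This Door",
               "fl33t 0f F00t anD 6r33n dre4MIn6ly sI33P"]
    for p in samples:
        bits = estimate_bits(p)
        print(f"{len(p):2d} chars {bits:6.1f} bits "
              f"{hours_to_exhaust(bits):10.3g} h  {p!r}")
```

The character model treats substituted letters as random characters, so it overstates a phrase built from dictionary words with predictable substitutions; the word model assumes words picked at random, so it overstates a natural sentence.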

#32 phalanx

phalanx

    Mycotopiate

  • Expired Member
  • 609 posts

Posted 23 April 2005 - 01:47 PM

well, possession of my computer
by anyone other than me
is something i intend to prevent.
keep a can of gas nearby...


The problem there is that you may burn your house down too unless you have time to bring it outside to burn it. What about a sledge hammer? I'm thinking of a situation where you had only seconds before the cops burst into the room. Maybe you could shoot the hard drive with a gun, but the cops may shoot you when they burst in.

I heard if you throw a hard drive on the ground hard then it is busted and can't be used. Maybe determined cops could re-mount the disc. You could throw the main comp unit out the window if the comp room is high up, but if you hit anyone with it on the way down it would be further trouble.

#33 the_other_chap

the_other_chap

    The Whelk of Reason

  • Expired Member
  • 919 posts

Posted 23 April 2005 - 01:57 PM

I heard if you throw a hard drive on the ground hard then it is busted and can't be used.

Not as true as it used to be. Most drives now can withstand being physically abused, and even if you do break it mechanically, the data is still on the disk platters, and is easy to retrieve.

No method is going to be quick & easy enough to destroy your data when the cops are already at the door. (although a thermite charge to melt the disk in situ might be worth considering)

#34 pacingthecage

pacingthecage

    Mycophiliac

  • Expired Member
  • 32 posts

Posted 23 April 2005 - 04:49 PM

Need destruction of your hard drive and FAST?

Money no object?

YOU NEED A DEGAUSSER!

Degaussing: Degaussing, named after the German scientist Carl Friedrich Gauss, is the process of removing permanent magnetism (magnetic hysteresis) from an object. It is accomplished by passing the object through a magnetic field that oscillates with diminishing amplitude.

Degaussing magnetic data storage media

Data are stored in magnetic media, such as hard drives, floppy disks and magnetic tape, by making very small areas called magnetic domains change their magnetic alignment to be in the direction of an applied magnetic field. This phenomenon occurs in much the same way that a compass needle points in the direction of the earth's magnetic field. Degaussing, commonly called erasure, leaves the domains in random patterns with no preference to orientation, thereby rendering previous data unrecoverable. There are some domains whose magnetic alignment is not randomized after degaussing. The information that these domains represent is commonly called magnetic remanence. Proper degaussing will ensure that there is insufficient magnetic remanence to reconstruct the data.

Erasure via degaussing may be accomplished in two ways: in AC erasure, the media is degaussed by applying an alternating field that is reduced in amplitude over time from an initial high value (i.e., AC powered); in DC erasure, the media is saturated by applying a unidirectional field (i.e., DC powered or by employing a permanent magnet). A degausser is a device that can generate a magnetic field for degaussing magnetic storage media.
Source National Computer Security Center TG-025.
http://en.wikipedia.org/wiki/Degauss

The DoD has approved both overwriting and degaussing as methods to clear or purge this media. See Section 4, "Risk Considerations," and DoD 5200.28-M for additional information. Degaussed disks will generally require restoration of factory installed timing tracks. Type I degaussers and approved hand-held magnets can purge this media up to a coercivity level of 1100 oersteds. If hand-held magnets are used, then the magnet must be placed in almost direct contact with the disk, separated by only a tissue to prevent scratching the disk. Sometimes it is possible to insert the magnet between the platters without disassembling them. As a practical matter, if the drive must be disassembled, it is usually easier to destroy the platters than to degauss and then reinstall them.

Recently completed research has indicated that degaussing is an effective method to purge rigid disk media. Large cavity degaussing equipment can be used to erase the data from sealed disk packs and Winchester style hard disk drives while the platters remain in the drive. Care must be exercised to ensure that the disk drive is not encased in a material that conducts a magnetic field. Research has shown that aluminum housings on Winchester disk drives attenuate the degaussing field by only about 2 db. Operational guidance is now being developed for the DoD.
http://all.net/books.../standards.html

All About Degaussers and
Erasure of Magnetic Media
http://www.athana.co...tdegaussers.htm

Introducing the

Athana International

V85 Magnetic Media Degaussing Wand

Department of Defense Certified

Features:

Certified by the Department of Defense
Degausses all flat-surface magnetic media
Multi-polar design insures complete erasure
Magnetic shield provides safe storage
Easy-to-use design
Degausser does not require electricity for operation
Holes in handle enable degausser to be hung when not in use
Comes in BlackOps Black, Gunmetal Grey, RogueAgent Red or Hot Pink ;)

Applications:

Government organizations
Military organizations
Financial institutions

Media erased:

Hard disk drives
Disk packs
Drum memory
Flexible disks
Flat surface magnetic memory

**YOURS FOR ONLY**

$1,195.00

http://www.athana.com/ddequip/v85.htm

:cool:

#35 phalanx

phalanx

    Mycotopiate

  • Expired Member
  • 609 posts

Posted 23 April 2005 - 06:25 PM

It sounded ideal until I got to the price.

My apple comp has a thing called File Vault. When activated, it encrypts the home folder and decrypts it when I log in. I don't know how secure it is but the instructions suggest I will be totally fucked if I forget my login password. Maybe there are similar programs available for pcs. All you would have to do is log out and the whole thing is safely encrypted, apparently.

#36 Hippie3

Hippie3

    DUNG DEALER

  • Founders
  • 40,642 posts

Posted 23 April 2005 - 07:13 PM

you may burn your house down too


yep, i know.
;)

#37 shobimono

shobimono

    Chat Admin

  • Free Member
  • 833 posts

Posted 25 April 2005 - 03:45 AM

Keep in mind that a chain is only as strong as its weakest link

http://www.washingto...-2005Mar28.html

#38 pacingthecage

pacingthecage

    Mycophiliac

  • Expired Member
  • 32 posts

Posted 25 April 2005 - 08:39 AM

very good article.

thx.


[ed.
active thread = here



