View Full Version : Using PGP Encryption a Forum How-To


megalomania
November 7th, 2002, 01:40 AM
In this day and age of malevolent hackers and corrupt police witch hunts a citizen needs to actively exercise his right to privacy. Such a simple thing as encrypting your email communications or critical files can really help you out if you are falsely accused or have valuable secrets to protect from certain parties. The nature of the scientific experimentation carried out by some members is reason enough to desire extra security from the often overzealous ignorance of the authorities. Why give any malfeasant interest access to your private life? Protect yourself now.

I have started this thread to allow members to share their stories about encryption using PGP utilities. I myself have started to use PGP Freeware by Network Associates. While I find this software quite handy, I also find it somewhat hard to learn. It is perhaps not as intuitive as many other software packages I have used. Once you know where and how to make a key, or to encrypt and decrypt messages it is quite easy to use. There are commercial versions of this program, the latest is available on the FTP I believe. Until recently the company who made this software has stopped producing it, now they have returned with a new commercial venture with an updated version of PGP in a beta version.

Our very own nbk2000 has been thoughtful enough to produce a thorough tutorial on the interworkings of this useful program. You may read about it here and comment on it in this thread.

I want to hear from other members as to what your experiences with PGP are. If you have any helpful hints, criticisms of the weaknesses of the encryption scheme, or other related software packages that use PGP. Also if anyone has any links to PGP encryption related sites, go ahead and post them. I will be using the information posted here, along with nbk’s guide, to make a how-to guide on the website. I hope to complete this with links to downloads to as many PGP packages as I can find so the progs will be available to everyone.

Please hold off from posting your PGP keys for right now, I will make something to handle that in the near future.

I will let nbk signoff on giving the link to his 19 page pdf tutorial before I post it, as it may still need to be edited? I have a copy and I would like to comment on it now. First off I would remind everyone that the tutorial is for PGP Freeware v. 7, which must be installed and running, duh. Second, do like the man says: make a 4096 bit key, I haven’t noticed it to be any slower than a smaller one. Third, I hope my private email and key details will be removed (even my public key has a private version) in the update of the tutorial :)
I find the tutorial to be quite thorough. It covers making keys, pass phrases, distributing keys, encrypting and decrypting messages and files, wiping files, and using self decrypting archives.

nbk2000
November 7th, 2002, 02:15 AM
I've removed all details of everyone else's e-mails or names, so that's good. I didn't bother obscuring key strengths since there's no way to know whose is whose.

Now, before I make this public, I'd like someone to set up a site from which it can be downloaded from as I don't like the idea of serving up a few hundred copies of a 500KB file from my site, what with the bandwidth and all.

Once that's set up, I'll upload it. It's now 23 pages, BTW, and is still a work in progress since this was done (firstly) to be included in my DVD and (secondly) to help staff set up PGP for our own uses.

And while there were plenty of tutorials and "how to's" about using PGP, none of them actually showed you what you'd be seeing when you were doing something. Pictures, thousand words, and all that.

I figured any self-respecting 21st century crim is going to have a computer, and any decent PD is going to have cyber-piggies, so (in accordance with RTPB), you've got to encrypt your'n shit nigga'! ;)

Obviously the free version I'll upload isn't going to have ALL the goodies the paid DVD version will have, but it'll be more than enough to get people up and going in using PGP for secure e-mail and file storage.

SATANIC
November 7th, 2002, 04:09 AM
I have a few accounts that I could use NBK.

If they get closed down, or crippled by bandwidth issues, then it'll take me a few minutes to get another one set up. email me the file, or email where I can get it from, and I'll find the best place. I've been searching for web hosts for a while.

I'll even list a couple of mirrors, to keep bandwidth at any one site down, and keep it available if any one of them goes down.

I'm so glad that something like this is finally available... I've never used PGP because of the hassle. A quick and easy guide should clear things up.

NBK, you'll have to email me, as I can't really post the pass etc here, and you don't have a listed address.

nbk2000
November 7th, 2002, 07:19 AM
I'll have the URL for you tomorrow, after I've finished editing it.

xi
November 7th, 2002, 10:14 AM
Hi!

Another very good (and secure) product for data encryption is BestCrypt from Jetico (http://www.jetico.com). It is similar to PGPdisk but it also works for the Linux users, it is even compatible with the Windows Version if you use the FAT filesystem for your virtual disk. The source code of the Linux version and the SDK is also available.

An alternative to PGP (but fully compatible) is GnuPG (http://www.gnupg.org). It runs under Linux, BSD, MacOS X, Windows, ... It is a command line tool but several frontends are available. This tool is GPL-licensed by the way (free!).

There are a lot of shitty products on the market which claim "military encryption", "our secret encryption algorithm" etc. Don't trust them, too many of them are already broken. In general you should never trust an encryption software without the source code.
Good (and secure) encryption algorithms to use are AES (Rijndael), Twofish, Blowfish and TripleDES. For the hash digest use SHA-1, SHA-256 or RIPEMD160.

Another thing a lot of people don't think about is deleting files. If you delete a file it is still on your disk (and can be recovered!), only the entry in the filesystem is removed. If you don't want that, wipe your confidential files with a tool which overwrites the file several times like the program included in the PGP suite or BCWipe (from Jetico) does.

I hope this helps...

vulture
November 7th, 2002, 10:23 AM
The shit with all encryption programs is that I'm almost sure there is a quick and easy backdoor on them for government abuse. This already has been the case with an earlier version of PGP which did not get a license because of the lacking backdoor...

The issue died down, but who says PGP didn't give in on gov pressure (read blackmail)?

xi
November 7th, 2002, 10:32 AM
Hi!

Vulture:

Why should there be a backdoor in products like BestCrypt (from Finland) and GnuPG (international)? The source code is published thus everyone can read it, it would be very difficult if not impossible to hide a backdoor.

edit:

I forgot to mention the commercial PGP. Only the source code of PGP till version 6.5.8 is published, but not for 7.xx (yet). With PGP 8 (which will be hopefully released this year) they will release the source again.

[ November 07, 2002, 04:49 PM: Message edited by: xi ]

nbk2000
November 7th, 2002, 05:00 PM
There's no backdoor in PGP either. Its source code is open for anyone to see.

nbk2000
November 8th, 2002, 07:13 AM
Satanic, the URL has been sent to you via remailer, so you'll get it within a day or two.

SATANIC
November 8th, 2002, 07:33 AM
Excellent.

I'll whip up a page listing as many mirrors as possible / reasonable.

When done, I'll post the link here.

EventHorizon
November 8th, 2002, 03:09 PM
If those sites are killed, I can setup a temp FTP that shouldn't be crippled with bandwidth issues and such.

zeocrash
November 8th, 2002, 03:55 PM
Quote:
> Why should there be a backdoor in products like BestCrypt (from Finland) and GnuPG (international)? The source code is published thus everyone can read it, it would be very difficult if not impossible to hide a backdoor.

I believe that US law classifies secure encryption products as munitions (or something like that) and consequently for a secure encryption product to be legal in the US I believe that the government must have a back door into it. Not that it makes much difference, if they really wanted to know what you said, they would just seize your computer.

xi
November 8th, 2002, 04:21 PM
Hi!

zeocrash:
Quote:
> I believe that US law classifies secure encryption products as munitions (or something like that) and consequently for a secure encryption product to be legal in the US I believe that the government must have a back door into it.

No, there is no such law (at least nowadays). It would be also impossible for the US government to control all the products on the market. PGP is legally sold in the US and has _no_ backdoor.

pyromaniac_guy
November 8th, 2002, 04:47 PM
Quote:
> There's no backdoor in PGP either. Its source code is open for anyone to see.

just because there is no backdoor in PGP doesn't mean there isn't an unknown to the freeworld weakness to it that the boys at fort meade happen to know about... the one thing that has always worried me is that pgp is not acceptable for use in transmitting classified data...

if it ain't good enough for the government there must be some reason WHY it ain't good enough...

Eliteforum
November 8th, 2002, 04:48 PM
Quote:
> has no back door.

..That you know of ;)

Jhonbus
November 8th, 2002, 04:57 PM
The US government has no right or ability any longer to restrict encryption algorithms. Maybe back when they were all made by the CIA or something, but Rijndael (AES) is Belgian!

SATANIC
November 8th, 2002, 08:23 PM
Well, here it is.

I've had some problems on my comp overnight, so maybe not all the listings work. Whoever said they could set up a temp FTP, that would certainly help.

The page is here: PGP Tutorial Download (http://www.boomspeed.com/scottyg/nbk_hosting.htm)

I have added a email form at the bottom, remember if you do use that to report bugs, then your email address that you set up IE or outlook with (if you have) will be revealed to me.

megalomania
November 8th, 2002, 09:23 PM
I would be remiss if I did not provide some of our members with links to the PGP program itself, the freeware version anyway. One can visit the PGP international page, which seems to have the most up to date versions at http://www.pgpi.org/
http://www.pgpi.com/download/

If anyone happens to have a link to a retail version...

They don't seem to have the beta version available, but I don't recommend betas when security is involved.

As to why the gov'ment doesn't like PGP, well that's probably because they have something even better. Then again they never like to reveal their hand, they don't like to admit what they use or how they destroy their data (this data is classified to fool foreign intelligence), so it is reasonable to assume they use PGP themselves and they don't want China to bother decrypting it :) I find it comforting to think the low wages and relative obscurity of government work does not attract anybody smart enough to make anything superior than what we find publicly available, the incentive is just not there.
Other resources:
http://www.cranfield.ac.uk/docs/email/pgp/pgp-attack-faq.txt
http://cryptography.org/getpgp.htm
http://world.std.com/~franl/crypto.html

nbk2000
November 9th, 2002, 04:37 AM
Stick with the 6.5.* version. I've had nothing but problems with the 7.*.* versions, and so have a lot of other people.

And PGP8? Forget it. Unless you like constant "Blue Screens Of Death" and system reinstalls.

Oh, did I mention how Network Associates was bought out by McAfee? This being the same company that said they'd co-operate with the FBI by making their anti-virus programs IGNORE the Magic Lantern trojan the FBI built?

This same company has made PGP8 closed source, not open source like all previous versions have been so anyone could see that it had no backdoors. What are they hiding? Backdoors to allow piggie snooping? Probably.

If you've got XP, make a DOS startup disk and use command line PGP 2.6.*, otherwise you're screwed because only the piggie-tampered PGP8 will work on your system.

Mirror #2 is 404'd already. You'd also probably want to change the file extensions to .txt so people can't view them online, but have to download it and change the extension to read it on their computers.

Also, tell people to right click/save, otherwise they'll get a 404 from the geoshitties and brinkster mirrors.

[ November 09, 2002, 03:45 AM: Message edited by: nbk2000 ]

xi
November 9th, 2002, 06:00 AM
Hi!

nbk2000:

There is a FAQ (http://www.pgp.com/faq.php) about the PGP 8 online.

Quote:
> Oh, did I mention how Network Associates was bought out by McAfee? This being the same company that said they'd co-operate with the FBI by making their anti-virus programs IGNORE the Magic Lantern trojan the FBI built?

No, PGP 8 is developed by a new company (PGP Corporation, http://www.pgp.com). Neither NAI nor McAfee are involved in the development anymore.

Quote:
> This same company has made PGP8 closed source, not open source like all previous versions have been so anyone could see that it had no backdoors. What are they hiding? Backdoors to allow piggie snooping? Probably.

FAQ: Will You Continue To Publish Source Code For PGP Products?
Yes. PGP is committed to peer review of PGP products to ensure the highest levels of trust in our products. The next release of PGP source code will be in Q4 2002 for PGP 8.0.

Quote:
> If you've got XP, make a DOS startup disk and use command line PGP 2.6.*, otherwise you're screwed because only the piggie-tampered PGP8 will work on your system.

You can also use GnuPG (http://www.gnupg.org) with Windows XP, which would be a better choice. It is fully compatible with PGP, the source is published and it is under active development. There is even a graphical user interface available. No disadvantages.

edit:
What about starting a new topic "PGP Keys" where every member can post his/her PGP key? With the public keyservers there is the disadvantage of other people uploading "wrong" keys like member@roguesci.org.

[ November 09, 2002, 05:08 AM: Message edited by: xi ]

nbk2000
November 9th, 2002, 06:53 AM
Well it's good to see them get back in line with open source.

Anyways, I'm working on a new tutorial on how to use PGP command line with only a floppy disk and a RAM drive, no HDD required (or desired).

This completely eliminates ANY chance of a trojan, or swap file remnants that piggies might use to try to reconstruct the file contents or your passphrase. :p

xi
November 9th, 2002, 08:37 AM
Hi!

nbk2000:

Quote:
> Anyways, I'm working on a new tutorial on how to use PGP command line with only a floppy disk and a RAM drive, no HDD required (or desired).

Please have a look at Tinfoil Linux (http://tinfoilhat.shmoo.com) first. It is a single boot floppy with some extra security features. You don't need to be a Linux expert to use it.

Quote:
> This completely eliminates ANY chance of a trojan, or swap file remnants that piggies might use to try to reconstruct the file contents or your passphrase. [Razz]

But it doesn't help against hardware keyloggers like KeyGhost (http://www.keyghost.com) etc. There was a case where the FBI used a keylogger against somebody who used PGP. There is a program on the Tinfoil Linux floppy to enter the passphrase on a computer with a keylogger attached.

[ November 09, 2002, 07:39 AM: Message edited by: xi ]

nbk2000
November 9th, 2002, 08:45 AM
If they get physical access to your computer, then you've got bigger problems than keyboard loggers.

If they couldn't get your passphrase from the keyboard, they could get it from the I/O on your motherboard, or RAM buffer, or something else.

My assumption is that they're not physically tampering with your hardware, but rather hacking your system to get info that way.

And I'm sticking with DOS/Win because that's what the VAST majority of PC users are familiar with and what the majority of programs are available for.

But, for those who want to try THL (Tinfoil Hat Linux), go to http://www.evilmutant.com/stuff/tinfoil/ and read the illustrated instructions on how to use it. Since you brought up THL, you should have included that too Xi. :p :D

[ November 09, 2002, 07:53 AM: Message edited by: nbk2000 ]

megalomania
November 9th, 2002, 09:05 PM
I was thinking about opening up an area for PGP keys, but I am not sure I could do better than what is already out there. There are already databases for keys, of course you have to know who to look for first. I am thinking about making something to go above posts, like the profile and homepage icons, but that may take some hacking to get right. For now I am still thinking about it.

Edit: After reviewing the PGP documentation I realize there are plenty of opportunities for people to handle this themselves. There are 3 public key servers made available in the program itself, I suggest everyone use them. Otherwise you can include a key in an email, or make the text file available on the web. See page 45 of the pdf document that comes with pgp freeware for a more thorough treatise of how to do this. Anyone can easily make their key available, or even make a link in their signature. nbk2000 has done this, I suggest those who use this follow his example.

I do not want to see people crowding The Forum with their keys, do that on your own webspace.

[ November 09, 2002, 09:04 PM: Message edited by: megalomania ]

nbk2000
November 10th, 2002, 05:10 AM
Just so you all know, the addition of a PGP link won't count against the 3 line signature limit, so you can add a SINGLE line linking to your PGP key and showing your key fingerprint (like mine) while still having 3 lines for your personal sig.

Jhonbus
November 10th, 2002, 05:21 AM
If anyone wants my key's fingerprint, they should ask me for it themselves. If someone has the resources to surreptitiously swap my key for another on the servers, I doubt it'd be too much hassle for them to change my sig too. I might not notice that my fingerprint had been changed, and nobody would be any the wiser until it's too late.

nbk2000
November 10th, 2002, 06:56 AM
Here's another PGP tutorial (with pictures!):

http://www.privacyresources.org/pgp101.htm

Again, a person CAN'T delete a PGP key from a public server because of that very possibility.

The reason for the fingerprint is to uniquely identify your key from any other key. Even if you made another key with the same exact passphrase, its fingerprint would be different. Thus, any attempt at impersonation would be moot.

As for changing the fingerprint listed here, that'd require someone knowing your password for your user account. That's only as secure as you are careful with it.

BTW, I tried THL...what a pain. For instance, the PGPgrid option to enter in your passphrase securely is EXTREMELY tedious if you use a secure passphrase like I do. I'm talking more than 40 letters and symbols long.

Oh, and no way to go back to correct the SINGLE error, or escape out from it if you have to before you're done.

It forces you to either have an inordinate amount of time and patience to spend on it, or to use trivially easy to break passwords in the interest of expediency.

It has some kind of reduced contrast scheme that's nearly impossible to read. So it's good for preventing eyeballing by someone else, but it's also impossible to spend any length of time reading anything either.

It's a mixed bag. You could be more secure, but you're going to go blind doing so, if you don't grow old or insane first.
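Added example, not part of the thread and not code from PGP or GnuPG: how a 40-hex-digit (version 4) OpenPGP fingerprint of the kind discussed above is derived, and how a fingerprint obtained directly from the key owner is compared against one computed from a downloaded key. The fingerprint is a SHA-1 hash over the public-key packet (key material plus creation time); the passphrase is not an input. The toy modulus, timestamp and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet holding an RSA key (algorithm 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, 12.2)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    hexed = digest.hexdigest().upper()
    return " ".join(hexed[i:i + 4] for i in range(0, len(hexed), 4))


def normalise(fp: str) -> str:
    """Drop spaces and colons and upper-case, so printed forms compare equal."""
    return "".join(fp.replace(":", " ").split()).upper()


def fingerprints_match(trusted: str, computed: str) -> bool:
    """Compare a fingerprint received out of band with one computed locally."""
    a, b = normalise(trusted), normalise(computed)
    if len(a) != 40 or any(c not in "0123456789ABCDEF" for c in a):
        return False  # truncated or malformed fingerprints never match
    return hmac.compare_digest(a.encode(), b.encode())


# Constructed toy values, far too small to be a usable key.
TOY_N = 0xC5A1_7E3B_9D4F_2A6B_8E1D_3F5C_7A9B_0D13
TOY_E = 65537
CREATED = 1036627200  # constructed creation timestamp (seconds since 1970)


def demo():
    """Fingerprints of: a key, the same numbers re-dated, a substituted key."""
    original = v4_fingerprint(rsa_public_key_body(CREATED, TOY_N, TOY_E))
    redated = v4_fingerprint(rsa_public_key_body(CREATED + 1, TOY_N, TOY_E))
    swapped = v4_fingerprint(rsa_public_key_body(CREATED, TOY_N + 2, TOY_E))
    return original, redated, swapped


if __name__ == "__main__":
    original, redated, swapped = demo()
    print("original:", original)
    print("re-dated:", redated)
    print("swapped :", swapped)
    # A key substituted on a server fails the check against the trusted value.
    print("swapped key accepted?", fingerprints_match(original, swapped))
```

The check is only as good as the channel the trusted fingerprint came through, which is the point raised above about a signature line that can itself be edited.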

nbk2000
November 10th, 2002, 10:28 AM
Anyways, I've spent the last few hours (getting sleepy...) working on a bootable disk for PGP.

I've got it halfway working. It boots to DOS (No CD support, yet), creates a large RAM drive, installs a mouse driver, copies PGP and PGS (a DOS PGP shell) to the RAM drive, and starts it. All YOU have to do is type in PGP at the DOS prompt after it finishes booting up.

:)

Tonight comes the polishing everything and writing up the instructions.

+++++++++++++++++++++++++++++++++++

Fucked up...now it freezes up after running the PGP.bat file. Here's the code for the relevant files. Maybe someone can tell me what I did wrong.

Autoexec.bat
======================================
@ECHO OFF
set EXPAND=YES
SET DIRCMD=/O:N
set LglDrv=27 * 26 Z 25 Y 24 X 23 W 22 V 21 U 20 T 19 S 18 R 17 Q 16 P 15
set LglDrv=%LglDrv% O 14 N 13 M 12 L 11 K 10 J 9 I 8 H 7 G 6 F 5 E 4 D 3 C
cls
call setramd.bat %LglDrv%
set temp=c:\
set tmp=c:\
path=%RAMD%:\;a:\;%CDROM%:\
copy command.com %RAMD%:\ > NUL
set comspec=%RAMD%:\command.com
copy extract.exe %RAMD%:\ > NUL
copy readme.txt %RAMD%:\ > NUL
SET PGPPATH=X:\PGP
SET PATH=X:\PGP;%PATH%
mouse.com
(This sets the path for the PGS DOS PGP shell to find the PGP.exe file on the RAMdrive X:, and installs the mouse driver)

:ERROR
IF EXIST ebd.cab GOTO EXT
echo Please insert Windows 98 Startup Disk 2
echo.
pause
GOTO ERROR

:EXT
%RAMD%:\extract /y /e /l %RAMD%: ebd.cab > NUL
echo The diagnostic tools were successfully loaded to drive %RAMD%.
echo.

IF "%config%"=="NOCD" GOTO QUIT
IF "%config%"=="HELP" GOTO HELP
LH %ramd%:\MSCDEX.EXE /D:mscd001 /L:%CDROM%
echo.
GOTO QUIT

:HELP
cls
call help.bat
echo Your computer will now restart and the startup menu will appear.
echo.
echo.
echo.
echo.
echo.
echo.
echo.
echo.
echo.
echo.
restart.com
GOTO QUIT

:QUIT
echo To get help, type HELP and press ENTER.
echo.
rem clean up environment variables
set CDROM=
set LglDrv=

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

PGP.bat (Creates the RAMdrive, then copies PGP and PGS files to a folder called "PGP" on the RAMdrive, then starts PGS)
=====================================
rem 153600 = size of desired drive(1024 x 150), I: = desired drive letter, /C1, /t /y - leave these the same
XMSDSK 24576 X: /C1 /T /Y
md X:\TEMP
set tmp=X:\TEMP
set TEMP=X:\TEMP
mk X:\PGP
copy /a a:\config.txt+config.pgs /v X:\PGP
copy /b a:\pgp.exe+pgs.exe /v X:\PGP
cd X:\PGP
PGS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

So where'd I go wrong? :(

[ November 10, 2002, 10:50 AM: Message edited by: nbk2000 ]

Jhonbus
November 10th, 2002, 12:42 PM
mk X:\pgp ?
shouldn't this be md?
Does the batch file give you any info or does it just hang?

nbk2000
November 10th, 2002, 01:01 PM
Just hangs. I'm practically a zombie right now, so I'll have to look it over later.

Jhonbus
November 11th, 2002, 02:51 AM
Also, I don't think you can cd to X:\pgp if you're running the command from drive A. I think you have to switch to drive X first so you would use

X:
cd pgp

otherwise you will stay in drive A and run PGS from there.

Flake2m
November 11th, 2002, 07:30 AM
I have PGP 7.0.3 freeware. It works pretty well, though I still think the best way to make sure the authorities don't get the info on your hard drive (especially when there is a raid in progress) is to put the whole drive in a bucket of piranha fluid.

I would like to know how long it would take to crack a 30 character password by brute force to crack a 2048/1024 bit key? using a super computer?

nbk2000
November 11th, 2002, 11:43 AM
Well, I've got it working again. :)

PGPfloppy (as I now call it) runs off the floppy drive, or you can change the autoexec.bat file to have it run on the RAMdrive.

To use it, just type in "startpgp" at the command prompt.

Anyways, time for final testing and writing up the README file.

It supports CD-ROM drives, so you could save a file on CD, start up PGPfloppy, and save it split up on floppies. Anyone know of any good DOS file splitter progs? Something tiny and simple to use, obviously.

If it's buggy on your systems, tweak it around a bit, or come up with something better.

Flake, read the pgp attack FAQ linked to by mega. :rolleyes:

[ November 11, 2002, 02:09 PM: Message edited by: nbk2000 ]

nbk2000
November 11th, 2002, 05:10 PM
Well, it's done.

PGPfloppy, the alternative to kludgy THL, is a masterpiece of the RTPB: "Imitate, then innovate"

Yes, during my caffeine induced sleeplessness, I mercilessly pirated Micro$hit$ Win98 Startup files and assimilated them into our collective. They will now serve us! BWAHAHAHAaa...ahaha...erm... :rolleyes:

Anyhooo...I've zipped it up, converted it to a self-extracting ZIP file (.exe), PGP signed it to ensure against tampering, and uploaded it to the net.

Now, satanic, I need you to do the same thing as you did with the PDF tutorial, only for PGPfloppy.

Use the EXACT same URL as I sent you before to download it. Then do the obvious changes needed before uploading it to the public.

Jhonbus
November 12th, 2002, 03:29 PM
Brute forcing a 30 char password would take a varying amount of time depending on how well you select your characters.
Something like, "youwillnevercrackthispasscopper"? about 5 minutes, I would imagine. But using something good like "X6ha9%hayeG*64sDp0caF62JB!N8w" will take much longer. Something on the order of years.

I used John the Ripper to test the security of my Windows passwords. It cracked my 11-character non-dictionary word administrator pass in something like 6 minutes. And this is on an Athlon 1400MHz processor, not an NSA supercomputer. Now my Windows passwords are on the order of 20 characters, using numbers, upper and lower case, and symbols, and my PGP password is a good long phrase with numbers and punctuation.

nbk2000
November 12th, 2002, 04:56 PM
You need to be careful not to be TOO secure with your passphrase, lest you forget it. :o

Then you're in deep shit.

Something memorable to you, like an obscure poem or lines from a movie, would be suitable, as long as it's LONG. A couple of sentences would take decades to brute force since each additional letter complicates the problem by at least 26 times, times the number of letters.
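Added example, not part of the thread: a passphrase search-space estimator applied to the two passphrases quoted above. It goes beyond the posts by scoring each passphrase two ways, per character and per dictionary word, and taking the smaller figure, since a guesser can try whole words. The guess rate, dictionary size and the small word set are assumptions constructed for illustration.

```python
import math
import string

# Assumptions for illustration only; neither figure comes from the thread.
GUESSES_PER_SECOND = 1e9   # assumed guessing speed
WORDLIST_SIZE = 20_000     # assumed size of a guesser's word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed mini-dictionary standing in for a full word list.
SAMPLE_WORDS = {"you", "will", "never", "crack", "this", "pass", "copper"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(passphrase: str) -> int:
    """Size of the alphabet implied by the character classes actually used."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in passphrase))
    others = {c for c in passphrase if not any(c in cls for cls in CLASSES)}
    return size + len(others)  # spaces and other symbols counted individually


def char_model_bits(passphrase: str) -> float:
    """Bits of search space if every character is guessed independently."""
    if not passphrase:
        return 0.0
    return len(passphrase) * math.log2(charset_size(passphrase))


def segment(text: str, words: set):
    """Split text into the fewest dictionary words, or None if impossible."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            piece = text[start:end]
            if best[start] is not None and piece in words:
                candidate = best[start] + [piece]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[-1]


def word_model_bits(passphrase: str, words=SAMPLE_WORDS,
                    wordlist_size=WORDLIST_SIZE):
    """Bits of search space if whole words are guessed; None if not word-built."""
    parts = segment(passphrase.lower(), words)
    if not parts:
        return None
    return len(parts) * math.log2(wordlist_size)


def estimate_bits(passphrase: str) -> float:
    """The smaller of the two models: the cheaper way to search wins."""
    by_char = char_model_bits(passphrase)
    by_word = word_model_bits(passphrase)
    return by_char if by_word is None else min(by_char, by_word)


def years_to_search(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to find the passphrase (half the space) at the given rate."""
    return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for phrase in ("youwillnevercrackthispasscopper",
                   "X6ha9%hayeG*64sDp0caF62JB!N8w"):
        bits = estimate_bits(phrase)
        print(f"{len(phrase)} chars, per-character {char_model_bits(phrase):.1f} "
              f"bits, estimate {bits:.1f} bits, "
              f"about {years_to_search(bits):.2e} years")
```

The estimate is an upper bound on strength: a phrase lifted from a well-known poem or film is a single guess for anyone who tries quotations first.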

SATANIC
November 13th, 2002, 05:58 PM
The new page / downloads are soon up. just waiting on uploading to finish.

shrek
December 31st, 2002, 10:04 PM
I just downloaded vmware workstation (from vmware.com), and tried installing a few operating systems. I installed windows 98 and 2k pro. and they both work fine. So I was thinking, instead of using a ram drive, etc., why not just use vmware, and encrypt the .vmdk files (the virtual harddrives)? Then when you wanted to access your secure operating system, just decrypt the virtual disk, and load it up. Just an idea, instead of using nbk's pgpfloppy.

shrek

nbk2000
December 31st, 2002, 10:16 PM
PGPfloppy requires no installation, is easily transportable, and fits on a single floppy disk.

Whereas, the VM programs requires installation on the machine (which may not be yours to do so), is tied to the machine it's installed on, and is not transportable on a floppy (the MOST common storage device on the planet).

shrek
December 31st, 2002, 10:39 PM
That's true, I never really thought of mobility. I was under the impression that you could move the virtual machine on to other computers, but that would still require vmware to be installed on the destination computer, and a few CDs for all the data. Anyways, good job on pgpfloppy.

nbk2000
June 4th, 2005, 06:49 PM
FYI:

My latest public PGP key expired yesterday, so I'll be posting a new key this monday or so.

Verify my new key, which will be signed by my old key.

nbk2000
June 7th, 2005, 01:29 PM
Attached is the new key.

Old PGP Key Signature:
C5B3 739B 51D4 D279 75C3 0AAF 88C2 E04D C2D6 2EEE

New PGP Key Signature:
78A9 DF4F B5F4 649D 1BED 77D8 569F 0860 F82F D9A1

black mamba
February 21st, 2008, 04:19 PM
I'm not too familiar with encryption, but this article seemed relevant. Moderators please move this to its own thread or a different thread if this is irrelevant here. Thanks.

http://www.freedom-to-tinker.com/?p=1257

New Research Result: Cold Boot Attacks on Disk Encryption
February 21st, 2008 by Ed Felten

Today eight colleagues and I are releasing a significant new research result. We show that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. We demonstrate our methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux. The research team includes J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten.

Our site has links to the paper, an explanatory video, and other materials.

The root of the problem lies in an unexpected property of today’s DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn’t so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.

Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of “canned air” dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data. Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power. Just put the chips back into a machine and you can read out their contents.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM. This was thought to be safe because the operating system would keep any malicious programs from accessing the keys in memory, and there was no way to get rid of the operating system without cutting power to the machine, which “everybody knew” would cause the keys to be erased.

Our results show that an attacker can cut power to the computer, then power it back up and boot a malicious operating system (from, say, a thumb drive) that copies the contents of memory. Having done that, the attacker can search through the captured memory contents, find any crypto keys that might be there, and use them to start decrypting hard disk contents. We show very effective methods for finding and extracting keys from memory, even if the contents of memory have faded somewhat (i.e., even if some bits of memory were flipped during the power-off interval). If the attacker is worried that memory will fade too quickly, he can chill the DRAM chips before cutting power.

There seems to be no easy fix for these problems. Fundamentally, disk encryption programs now have nowhere safe to store their keys. Today’s Trusted Computing hardware does not seem to help; for example, we can defeat BitLocker despite its use of a Trusted Platform Module.

For more details, see the paper site.