View Full Version : Security measures on my next computer?


N0PE
February 10th, 2006, 01:59 PM
Sometime in the near future, I will invest in a new computer (desktop). Recently I have begun to be more concerned with security. So, I thought I would seek advice from the mighty RogueSci community, regarding which security measures I should implement. Hardware-wise, I have it covered. I will probably use two or three HDs, one (or maybe two) of which will be PGP whole disk encrypted. The HD containing the OS and my E&W related files will be encrypted. I am leaning towards using Windows XP, simply because I am comfortable with its features, however I am unsure how it functions security-wise. Other features I am planning on using include:

- Locked BIOS with high-security password.
- Some sort of token with password needed to start the computer.
- High-security windows password.
- Obviously a very high security PGP password.
- Proxies when browsing E&W sites, I am leaning towards Tor.
- Some sort of program that wipes all records of sites I have visited. (Sorry, not very technical.)
- Not saving any passwords, and upgrading all passwords to high-security ones.
- Using a good anti-virus software (including a firewall), any recommendations?

So, does anyone have any further advice? Which OS to use, which browser to use, how to manage my files. Anything that would stop people that aren't supposed to obtain any information about my internet- and file related habits, from doing so. Even if they got their hands on my computer, and had time to work with it. Any ideas would be greatly appreciated, thank you.

nbk2000
February 14th, 2006, 05:33 AM
The BIOS password is good to prevent snooping, but if the attacker takes the hardware, they can easily bypass it by flashing the BIOS by moving a jumper on the motherboard. Also, a lot of BIOSes have backdoor passwords built in, and the lists can be found on the internet, so that's minimal security.

A token is possible, but could be expensive, and if you lose the token...

A 'high-security' anything is near-impossible when you are talking about the Windows OS. So don't worry too much about a strong log-in password. That's more for keeping co-workers and kids off your computer, not an attacker who would steal the whole thing, or image the HDD on-site for analysis elsewhere.

The PGP passphrase is something that you definitely need to have very strong. There are several good tutorials about it on the internet.

Check out http://portableapps.com/ for browsers that you can run off your USB dongle, so that there's no history on your computer of where you've been. Also, there's a program called 'TorPark' that combines a portable Firefox browser with Tor that, again, is run off a USB dongle. :)

There's a program called 'Track Eraser' that supposedly deletes all the history files, registry records, etc. from Windows. I've got it and use it, but I don't know for sure that it's doing what it claims to.

As for drive encryption, don't use PGP, as it's limited to 4GB per volume. It doesn't encrypt entire drives. For that, use:

http://sourceforge.net/projects/truecrypt

OR

http://www.freeotfe.org/

FreeOTFE has the advantage that you can use it in portable mode, meaning that you can run it from a USB dongle. :) Have the data stored on your HDD, but the keys and cryptoengine on a dongle that you take with you everywhere. :p

Jacks Complete
February 14th, 2006, 09:09 PM
That last option is sweet, as drop it down on the floor and crunch it, and that's that! (Keep a back-up copy well hidden at a friend's house or something.) That way, laws designed to force you to hand over your key/password aren't worth a damn, and you won't go to jail.

Don't go with an incendiary, nor an explosive, for destroying the HDD, unless you are sure you are safe to do it - getting a charge of "Attempted arson" or "wounding a police officer (as he tampered with my stolen gear)" is probably worse than they could screw you for anything short of 100Gb of kiddie pr0n.

N0PE
February 15th, 2006, 04:25 PM
Thank you very much NBK, I would never have thought of that.

However, I am still concerned about file encryption. I reckon PGP is the safest option for "ordinary" people, i.e. non-government and military.
Still, I know it's not 100% safe. Even if I had a 512-bit password.

So, assuming that NSA and similar agencies can break the PGP encryption without much effort, I obviously refrain from keeping or creating very incriminating files.

But does anyone know of the very best way to protect one's files?

Theoretically, a less than 500 KB .txt document. I have PGP encrypted it with one of my keys, that has a 128-bit strong password. Then I have compressed the file with WinRar, (without using a password, since that would hardly protect it from someone determined).

Then, I have PGP encrypted it again, with another key, also using a 128-bit strong password. Followed by the same procedure. Compression with WinRar, followed by another PGP encryption, this time with a 256-bit strong password.

Followed by putting this file on a whole-disk encrypted HDD, say FreeOTFE? Using a (physically) reinforced USB dongle, to protect it from abuse, that I keep with me at all times. OR, putting the file on a USB dongle, which is easily concealable from the enemy, and I have the option of deleting the files at any time, since I keep it with me at all times. Which would probably be safer than keeping it on the HDD.

Would this keep the file content safe from the hands and eyes of government agencies, even if they got ahold of my HDD? (Assuming I did not use the USB dongle, which I probably would.)

I must say that you seem to know a lot about the subject. If you have any more suggestions concerning increasing security, maybe even using another OS, then I would greatly appreciate it.

Although, thank you very much for the advice already given, it has been invaluable.

[Oh, does anyone know of a program that displays the internet usage of ALL programs, to detect any unwanted sending information about key-logs and such?]

akinrog
February 17th, 2006, 01:23 PM
> http://www.freeotfe.org/
>
> FreeOTFE has the advantage that you can use it in portable mode, meaning that you can run it from a USB dongle. :) Have the data stored on your HDD, but the keys and cryptoengine on a dongle that you take with you everywhere. :p

I saw Delphi components over the link you gave above. However they do not support Delphi 5. I emailed the author of the components (who is also author of the site you have given above), but I received no answer up till now.

If I had D5 components maybe I can do something useful out of it (and share it with our community) :( . Regards

akinrog
February 20th, 2006, 11:45 AM
The author of the components got back to me via email and thanks to leads she provided I could install the components on D5.

However I'm disappointed, I thought I could create a standalone executable which can be launched from a flash disk, but components are based on genuine drivers of all original OTFE products. So in order to make a working application which implements OTFE features, driver of a product must have already been installed in the target computer.

Now in order to make something useful, I have to learn how to install drivers of these products on a virgin machine. This means a lot of work. Regards.

nbk2000
February 20th, 2006, 07:31 PM
Using the Windows version, I've had no problem running it in portable mode from my USB dongle.

According to the documentation, you copy over the OTFE.exe, *.sys, and cipher drivers to a folder on your dongle, and then run the OTFE executable. Once started, click on the portable mode icon, choose which cipher to use, and you're running.

Your mileage may vary using *nix.

I recently bought a 'Sentry' anti-thieving lockbox, Model V120 ($50) for the purpose of making a secure enclosure from which to run my external firewire drives.

Given how these drives contain the entire working contents of the DVD, and almost half a terabyte of irreplaceable data, it's well worth protecting it from thieves!

The safe (as I'll refer to it, though it's really not a safe) has a 4-axis pin-tumbler lock of the type found on anti-theft steering wheel locks, and a 3/16" steel body.

At the moment, I just keep them stored in it, but I'll be having a small hole cut in the back through which the data and power cables for the drives will be fed through, allowing them to operate from within the safe.

Naturally, some form of cooling will have to be installed as well, which I'm thinking will be a CPU fan which will be run off the power supply connector to one of the drives, sucking cool air in through the cable hole, and blowing it out through another small hole.

Or I could simply leave the door open while I'm using the computer, and just remember to lock the door when I leave. I could also install a secondary door inside the safe, made from expanded metal mesh, that would always be locked, as described by me in the "Self-Destructing Safe" thread. This would allow for greater cooling, though at reduced security.

This is far from my ideal solution, but for $50 it's hard to beat. :)

True, it wouldn't stop the piggies, but I'm more worried about thieves than pork. The typical thief isn't going to have the tools to break into this, or remove it from its mounting bolts.

I could, of course, modify it a bit to make things...unpleasant...for anyone taking it by force. >) I leave the What and How to the reader.

nbk2000
April 30th, 2006, 10:17 PM
Took my time getting the photos edited, but here's a couple of pics showing how the keyhole cut in the side allows you to pass through the cords.

The hole at the top of the 'keyhole' allows the plug to pass through, and the slot at the bottom keeps the cords from going willy-wonka on you.

If I did another modification, it'd be to include an interior shutter that'd cover the keyhole, so they couldn't even see in through the hole, nor possibly yank the plug out.

noz
May 4th, 2006, 08:15 AM
RE: PGP, I never got round to using pgp but read a lot about it and I really wouldn't trust vast majority of versions, unless Phil Zimmermann either wrote it or said it has no back door. Some versions are deliberately weakened or have a backdoor to satisfy the NSA and pigs, also you must use it in the correct way and not cut corners.

When I feel the need to use it, I definitely won't use it visibly; I will use steganography and hide encrypted data in picture or audio files. I think using openly attracts attention, there are loads of ways of being tracked or hacked where they can screw you no matter how good your code is.

One more thing, I think all versions of pgp will be cracked in next couple of decades, which could still lock you up but knock on door will be delayed a lot of years. I tell you why, I believe Quantum computing will be up and running by the US and Chinese military in years to come, Quantum is the future!!

+++++++++++

Note the highlighted error. Please correct and check for in the future. NBK.

Pb1
May 5th, 2006, 10:39 PM
Remember that USB drives are based on flash memory. After a certain number of reads/writes, the memory starts losing its integrity, i.e. corruption. This is why hard drives are never replaced with flash, even on handheld computers. I wouldn't trust my whole operating system on something like that. It won't fail the first time, but eventually a 1 will become a 0 and your hard drive data gets corrupted.

>does anyone know of a program that displays the internet usage of ALL programs, to detect any unwanted sending information about key-logs and such?

If you use Windoze, Zonealarm (firewall, free for personal use) can easily be set to ask your permission for every attempt by a program to access the Internet.

As for cooling on that enclosure, why not just use passive cooling? That safe must have a lot of metal in it, or in other words be a very big heatsink.

I don't trust PGP. Use GPG instead.

If I were involved in some activity that involved sensitive information, I would definitely use Linux.
My ideal partition setup:

32MB boot partition containing the kernel. This is standard.

5GB partition for applications and system stuff. By default this should be set to disallow any sort of writing. This can of course be changed when in superuser mode for system updates. In regular operation the permissions should be set to disallow all writing. Then again, system processes would still be able to bypass this in normal operation, I think. I'd better look this up.

No swap partition. Swap is used by the system the same way a paging file is used in Windows. No swap partition, no chance of random system data being stored on the disk. Just make sure to have plenty of RAM.

The rest of the disk should be a partition containing all your personal files. Encrypt it as you wish.

I'm no computer expert, in fact I can barely use Linux. Still, the on-line guides on the Internet are immensely helpful and will teach you if you want to read them.


edit: I think I figured it out. The key is your /etc/fstab file. This is where all the system's information on partitions is stored. By setting the partition containing system stuff as read-only, it won't be writable by anything. To make it writable so the system can be updated, simply change the appropriate line of the file.

Of course, the fstab file is stored on this partition so you would need some way to modify it. A livecd will do the job. Just boot up the livecd, mount the partition read-write, edit the file, and restart the system from the hard disk. Being a simple system file it is plain text and easily editable by any simple text editor.

I'm not entirely sure, but I'm reasonably sure you could use a computer set up like this. I should ask a few nerd friends of mine.
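
The layout described in the post above (no swap area, system partition mounted read-only via /etc/fstab) can be checked mechanically. This is an added example, not part of the original post: the sample fstab and its device names are constructed, and `audit_fstab` is a hypothetical helper name.

```sh
#!/bin/sh
# Constructed sample /etc/fstab for the layout described in the post.
# Device names (/dev/hda1 ...) are assumptions made for this example.
sample_fstab() {
cat <<'EOF'
# <device>  <mount>  <type>  <options>        <dump> <pass>
/dev/hda1   /boot    ext2    defaults,noauto  0 2
/dev/hda2   /        ext3    ro,noatime       0 1
/dev/hda3   /home    ext3    defaults         0 2
/dev/hda4   none     swap    sw               0 0
EOF
}

# audit_fstab [MOUNTPOINT]: reads fstab text on stdin and prints one
# finding per line for the given system mount point (default "/"):
#   SWAP <device>     a swap area is configured, so memory can reach disk
#   RW <mountpoint>   the system mount lacks the "ro" option
#   MISSING <mount>   the system mount has no fstab entry at all
audit_fstab() {
    awk -v sys="${1:-/}" '
        $1 ~ /^#/ || NF < 4 { next }       # comments, blank or short lines
        $3 == "swap" { print "SWAP " $1; next }
        $2 == sys {
            seen = 1
            ro = 0
            n = split($4, opt, ",")        # options are comma-separated
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) print "RW " $2
        }
        END { if (!seen) print "MISSING " sys }
    '
}

# Run the audit on the constructed sample when executed directly.
sample_fstab | audit_fstab /
```

On a real machine, feed it the live file instead: `audit_fstab / < /etc/fstab`.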

akinrog
May 6th, 2006, 03:50 PM
> No swap partition. Swap is used by the system the same way a paging file is used in Windows. No swap partition, no chance of random system data being stored on the disk. Just make sure to have plenty of RAM.

I believe the swap partition in Linux can be encrypted too. But I don't know how it influences system performance. Maybe it's better to encrypt all partitions and operate the system by login. Regards.

Pb1
May 6th, 2006, 10:41 PM
I would just eliminate the swap partition altogether. Encryption and decryption of routine data will slow the computer down.

Why would you encrypt the boot partition or the system files? In fact, how could you start the computer up with the program needed for decryption encrypted?

I tried my idea on my Linux box and it didn't quite work. Apparently using a read-only root partition is not so simple. I know it can be done, though, because liveCDs do it. I'll have to look into it more.

nbk2000
May 7th, 2006, 03:01 AM
RAM drives created at boot are how LiveCD's do it. :)

ShadowMyGeekSpace
May 8th, 2006, 07:04 PM
> I tried my idea on my Linux box and it didn't quite work. Apparently using a read-only root partition is not so simple. I know it can be done, though, because liveCDs do it. I'll have to look into it more.

As nbk2000 said, most livecds create ram drives, however some systems lack the memory to do this (especially embedded systems), so they use a number of methods, including:

1) Environmental Variables. Configurations may have to be changed sometimes, but the original configuration has to be kept read-only for one reason or another.

example: you mounted a samba share that you would like to install your software to.

/ # mount
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
/dev/mtdblock/4 on /jffs type jffs2 (rw)
//192.168.1.2/router on /tmp/smbshare type smbfs (rw,file_mode=0755,dir_mode=0755)
/ #

Naturally, /lib/, /usr/lib and /etc/ld.so.conf are read-only... but you need to install a shared library. So you can't install the libraries there... and you can't modify the file that lists the directories to look for shared libraries... but you do have environmental variables. By making /tmp/smbshare/lib/ and installing the shared libraries there, you have solved half of the problem. Now, all you need to do is set $LD_LIBRARY_PATH by typing:
LD_LIBRARY_PATH=/lib:/usr/lib:/tmp/smbshare/lib:/tmp/smbshare/usr/lib
export LD_LIBRARY_PATH


Now /tmp/smbshare/usr/lib and /tmp/smbshare/lib will be looked at for shared libraries when requests come through.

To see a list of all the exported variables, type export -p.

2.) chroot. chroot will change the root directory to the path you specify, and "jail" any subsequent programs' requests, so they also believe this is the root path. After the system starts up, it can mount an nfs/samba share and chroot into the path, as if that path was the drive... sort of like a half-assed network boot, but more comparable to a "roaming profile".

example:

/ # ls
bin dev etc jffs lib mmc mnt proc sbin tmp usr var www
/ # pwd
/
/ # chroot /tmp/smbshare/

BusyBox v1.01 (2005.12.23-18:13+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # ls
bin etc lib sbin usr
/ # pwd
/


For the chroot command to work, you need to have
a) a copy of $SHELL (i.e., /bin/sh) in that directory (full path, not just "sh", you need "/bin/sh"), and the required libraries to run it.
b) another parameter, which is telling it what to execute instead of $SHELL, and the libraries required to run it.
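
Extending LD_LIBRARY_PATH onto a writable or network-backed mount, as in the post above, means whoever can write to that mount decides which code gets loaded into every process that inherits the variable. The following added example (not part of the original post) maps each search-path entry to the mount that backs it, using the `mount` output quoted in the post as sample input; `audit_libpath` is a hypothetical helper name, and the empty-entry rule in the comments is glibc's documented behaviour, which may differ on other C libraries.

```sh
#!/bin/sh
# Mount table in the format shown in the post (copied from it as sample input).
sample_mounts() {
cat <<'EOF'
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
/dev/mtdblock/4 on /jffs type jffs2 (rw)
//192.168.1.2/router on /tmp/smbshare type smbfs (rw,file_mode=0755,dir_mode=0755)
EOF
}

# audit_libpath PATHLIST: reads "mount" output on stdin and prints, for each
# directory in the colon-separated PATHLIST, the mount that backs it:
#   <dir> <mountpoint> <fstype> <ro|rw> <OK|WRITABLE|REMOTE>
# An empty entry is reported as CWD (glibc's ld.so searches the current
# working directory for it); a path under no known mount is UNKNOWN.
audit_libpath() {
    awk -v list="$1" '
        # "dev on /mnt type fs (opts)": remember fs type and ro/rw per mount
        $2 == "on" && $4 == "type" {
            mp = $3
            fstype[mp] = $5
            opts = $6; gsub(/[()]/, "", opts)
            mode[mp] = "rw"
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") mode[mp] = "ro"
        }
        END {
            n = split(list, dir, ":")
            for (i = 1; i <= n; i++) {
                d = dir[i]
                if (d == "") { print "(empty)", "-", "-", "-", "CWD"; continue }
                best = ""
                for (mp in fstype) {
                    # a mount backs d if it equals d or is a path prefix of it;
                    # the longest such mount point wins
                    pre = (mp == "/") ? "/" : mp "/"
                    if ((d == mp || index(d "/", pre) == 1) && length(mp) > length(best))
                        best = mp
                }
                if (best == "") { print d, "-", "-", "-", "UNKNOWN"; continue }
                t = fstype[best]
                if (t ~ /^(smbfs|cifs|nfs|nfs4)$/) verdict = "REMOTE"
                else if (mode[best] == "rw") verdict = "WRITABLE"
                else verdict = "OK"
                print d, best, t, mode[best], verdict
            }
        }
    '
}

# Audit the search path set in the post against the post's mount table.
sample_mounts | audit_libpath "/lib:/usr/lib:/tmp/smbshare/lib:/tmp/smbshare/usr/lib"
```

On a live system the equivalent call is `mount | audit_libpath "$LD_LIBRARY_PATH"`; any line not ending in OK names a directory whose contents can change underneath running programs.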

FUTI
May 8th, 2006, 07:07 PM
> Remember that USB drives are based on flash memory. After a certain number of reads/writes, the memory starts losing its integrity, i.e. corruption. This is why hard drives are never replaced with flash, even on handheld computers. I wouldn't trust my whole operating system on something like that. It won't fail the first time, but eventually a 1 will become a 0 and your hard drive data gets corrupted.

I'm not sure if this information is true but a friend told me that NASA used flash disk on latest Mars rovers. I think that I heard that they had to reboot the system in safe mode due to some garbage files generated during work. (Maybe someone from RS hacked there and placed his favorite mp3 collection where no Earth government supposedly can ban/steal/burn it ;)).

So I guess it is possible. Hell if it is possible to boot Linux using tomsrtbt from floppy I can't see reason why USB disk won't work. It is slow and messy. But it is ideal when you go in some exotic place on Earth where using localized Windoze would be almost impossible (I can hardly manage in the one localized in mine :) since I have already learned the use of english version).

ShadowMyGeekSpace
May 9th, 2006, 07:05 PM
> Hell if it is possible to boot Linux using tomsrtbt from floppy I can't see reason why USB disk won't work.

It will work, there are several distributions designed to fit on small media, such as Damn Small Linux (http://www.damnsmalllinux.org/)

> It is slow and messy.

Actually, the performance of solid state media (such as USB flash memory, compact flash cards, RAM, etc etc) is much better than your average run-of-the-mill harddrive (on any interface, including SCSI, IDE, SATA, etc etc) because of the fact it's solid state.

Normal harddrives are limited by seek time (where the seek time is in the milliseconds) and RPM. Solid state media such as flash memory is limited by its interface (such as USB, firewire, SO-DIMM, etc etc) mostly, but once you solve the interface problem you're dealing with response times in clock cycles.

Compare: 15ms, or a few cycles of the clock (7.5 nanoseconds per clock at 133MHz) to seek? That's not even counting actual bandwidth performance.

But if you mean to say specifically that flash memory is "messy" as in it goes bad eventually, most any flash memory you get has at least a guarantee for 1 million+ programming cycles (that is, writing, not reading. Reading has trivial wear on the device), and usually performs a LOT better because of the fact that manufacturers put wear-level balancing into either their drivers, or the chipset controlling read-write itself, attempting to balance the wear level in between banks of memory.

megalomania
May 10th, 2006, 12:29 PM
By the end of the year there will be a new type of hard drive that will include a flash storage component. These drives are supposed to hold the OS in the flash part to allow for high speed booting. The drives will be in notebooks first, and will be supported by Windows Vista.

ShadowMyGeekSpace
May 11th, 2006, 06:16 AM
> By the end of the year there will be a new type of hard drive that will include a flash storage component. These drives are supposed to hold the OS in the flash part to allow for high speed booting. The drives will be in notebooks first, and will be supported by Windows Vista.

Doubtful, because of the fact that Vista is too heavy to be run efficiently on today's notebooks. Add to the fact it's being delayed, the fact that they've decided to strip about half of the features that make it different from XP out, and there's no ACTUAL reason to switch (since they will still be supporting XP and 2003), I don't see it even being a marketing success for the first year or two... not to mention those nasty license fees (not that I actually pay for that overpriced software) and 16 different "flavors" of it.

As for the drives themselves, manufacturers have been boasting about releasing solid state drives "soon" for the past five years at least. When is this vaporware going to be in my laptop?!?!?!? And, when will it be worth the upgrade? Flash memory as it is, is a hell of a lot more per gig than magnetic media...

The fact is, with all new tech coming to computers, the upgrades themselves aren't worth the investment because of the fact something newer and better is coming out a day after your shipment arrives from newegg. My laptop I'm on here is still on just a 40gb 4200rpm ata6 drive(that's 5 years old), although I've upgraded my ram from 512mb ddr333 w/ a CL of 4 to 1.25gb ddr333 w/ a CL of 2.5(can't use 2 on this chipset :()

It's just easier and cheaper to shove an old machine into the closet, run some cat5e to it, and use that as a NAS rather than upgrading your actual harddrive.

Also, add to the fact that linux is quickly catching up to windows in ease of use, and there are more developers working on cloning the API from windows now for linux and osx, windows's future starts looking bleak. The only real reason I don't have slackware or debian on this lappy is because of the fact I'm a gamer. No games (with the exception of frozen bubble, quake 4, and ut2k4) are written for linux, although that is starting to change. Once software developers start writing for linux (which they are doing), the largest problem has disappeared and users will switch.

Here's looking forward to telling the masses to RTFM. :rolleyes:

nbk2000
May 13th, 2006, 07:43 PM
As it pertains to using crypto and your rights against self-incrimination and police searches.

150K of text on the subject, in one compact .RAR file. :)

RXN
May 14th, 2006, 01:32 AM
Truecrypt has something called hidden volume, which will encrypt an entire drive as usual, except that you have two passwords, one that accesses only one section of the drive and the other that allows you to access everything.
USE
So you can encrypt a 100gb drive, set aside 20gb of pirated movies as the dummy section, and then fill the rest with whatever files that you want to keep hidden.
PARAGRAPH
If you were "compelled" to give access to LEO, they would see only the pirated videos, which you encrypted because you were scared of the MPAA coming after you for piracy.
BREAKS
Of course, you would still have to worry about the traces left on the HDD after accessing these files, which could be solved by accessing the hidden portion only with a bootable linux OS.
NBK
I know that it has been covered elsewhere, but I was wondering what you all consider to be the best cyphers and hashes to use with your encrypted drives. Worrying about all this encryption doesn't mean shit if it or your key are easily cracked.

megalomania
May 17th, 2006, 09:31 PM
Since Vista does not officially exist until 2007, who is to say what notebooks will be able to run it? We still have the better part of the year for notebook technology to catch up, and since Vista will be the OS of choice for the next 4 years after it is released it is nice to have the capability be supported. You have to think in the long term here, a notebook of 2011 should run Vista with ease.

The very reason flash drives will appear in notebooks first is because they have a hard time with Windows. These flash drives will accelerate the notebook boot process immeasurably. Flash drives also use a fraction of the power (5% according to Samsung), and that is a big plus in notebooks.

The flash drives already exist by the way:
http://news.zdnet.co.uk/hardware/storage/0,39020366,39258739,00.htm
http://www.pcworld.com/news/article/0,aid,120950,00.asp

I wonder what kind of drug this idiot was smoking when he said this a few months ago:
"I'm not saying drives will go away. There will always be a need for storage, but when was the last time you tapped out a drive?"
So says Steve Appleton, CEO of Micron Technology talking about flash drives. Let's see Steve-o, I have a 120GB, a 180GB, a 200GB, and a 250 GB drive and all are nearly full. Only nearly full since I keep deleting stuff on them to free up a few gigs on each. I will be buying a 300 GB SATA drive soon. Almost none of that is pr0n ;)
http://news.com.com/Bye-bye+hard+drive,+hello+flash/2100-1006_3-6005849.html

nbk2000
May 18th, 2006, 02:48 AM
I've got about a Terabyte of HDD storage too, plus almost 400 CD/DVD-R's.

And with broadband coming to my area soon...:D

I've already got my eye on yet another big HDD, expressly with the intention of filling it with everything I'm going to be downloading. :)

The truth is that use of a road always increases more rapidly than the road can be expanded to prevent congestion.

Same with data storage and data transmission means. No matter how fat the pipe, or big the platter, a power-user can max it out, and then some. :p

ShadowMyGeekSpace
May 18th, 2006, 01:04 PM
> Since Vista does not officially exist until 2007, who is to say what notebooks will be able to run it? We still have the better part of the year for notebook technology to catch up, and since Vista will be the OS of choice for the next 4 years after it is released it is nice to have the capability be supported. You have to think in the long term here, a notebook of 2011 should run Vista with ease.

Vista does exist. It's no longer LongHorn, it's Vista. They are releasing betas under the name Vista. They are advertising it as Vista. They are calling it Vista in press releases. It's a moot point that the final build hasn't been released, seeing as even XP doesn't have a final build released. Does XP not officially exist yet?

A computer from 2011 should have no trouble running vista, correct, but today's laptops cannot. As far as the flash/magnetic combo drive support goes.... how is it going to be supported officially when there is no ratified standard? Just have it recognised as USB Flash storage? Also, the bios would be what would need to recognize it first, not the os. What's the point in an os supporting something that the bios can't hand off boot sequence to?

Also, lol@"When's the last time you've tapped a drive out", that was good.. I tap out my drives regularly, and databases on servers are getting ever larger. They will continue to grow as long as the room is there.


NBK: Your prayers to the broadband gods have been answered!

sungod
May 27th, 2006, 10:22 PM
I don't actually know if there is a way to make your computer totally secure but there are a few methods that can help. Here is one method used by someone I once heard of but never met and could be a figment of my imagination.
USE
His firewall is an old PC running a stripped down linux distribution. It runs iptables as a firewall and runs psad to detect nefarious activities (internet connection is via an anonymous proxy chain (these are probably compromised broadband machines)). His main machine that he works on runs Mandriva Linux and he does his work on Windows XP which runs under VMWARE and the 'virtual' drive for VMWARE is actually stored on rewritable removable media which is encrypted/unencrypted on the fly.
PARAGRAPHS
The entry to his computer room would take a determined and prepared attacker at least a minute to get through and by the time their entry had been effected the encrypted VMWARE drive would have been dropped into a handy container containing muriatic acid. Due to fears about swap and tmp files containing data recoverable by authorities these two partitions reside on a removable USB dongle thing that can have an acid bath at the same time as the DVD-RW vmware volume.

ShadowMyGeekSpace
June 7th, 2006, 04:14 PM
Hey mega, seagate just announced their first hybrid drive.

http://hardware.slashdot.org/article.pl?sid=06/06/07/169206&from=rss

Lasarus
June 27th, 2006, 08:08 AM
-If you decide to use Windows, you *must* disable the saving of the so-called lm-hash in the registry. This hash algorithm is old and very insecure, and is used by windows to support backwards compatibility with win9x.

Here is how:
http://www.windowsitpro.com/Article/ArticleID/22817/22817.html

If you use a password of more than 14 letters, this is not an issue.

-To prevent passwords from being saved on the harddrive (from inside the memory of your crypto software), I suggest you encrypt your swap space. I don't know if this is even possible in Windows, but it is very straight-forward in OpenBSD and not that hard in Linux. Either do that, or buy 2 gigs of ram and disable swapping altogether.

-TrueCrypt is great, and it works on both Windows and Linux. It doesn't matter what hashes or algorithms you choose. This is NOT the weakest link in the security anyway. The weakest link is you, and that's how they will get you. The FBI won't bother cracking your password. They will break in and install a keylogger inside your keyboard or a camera or sound recorder overlooking your keyboard. And they won't leave a trace.

Read more here: http://tinyurl.com/elb4v

-Don't make it too hard for yourself by implementing all kinds of unnecessary things (the dongle to start the OS is not needed if you encrypt your harddrive anyway), because this will make you bypass it when you get tired of it and become sloppy.

-Make sure you lock up your computer somehow when you leave it to go grocery shopping or whatever.

-Disable autorun in Windows (general security tip). You don't

akinrog
July 8th, 2006, 03:04 AM
Dear Friends,

I don't know if I posted information about this but the author of freeOTFE components contacted me and with her help, I managed to get the components going on D5.1. Three cheers. :D

Included in the sample applications is a freeOTFE sample which shows how to use it. However previously I could not get it working on De*phi.

Since summer sluggishness comes to works, I could now dedicate some time to my hobby works.

The sample application is very good, it even supports partition encryption. But I'd like to make some improvements like a built-in virtual keyboard, system wide dismounting hotkey (like the one which you can assign on PGP) and automatic dismount property.

I've got a brand new extra 120 GB HD and I shall install it on the computer and see if I can encrypt its partitions.

I would be very glad if members who are using this free utility could provide feedback regarding suggestions which are good for implementation in the app I'm contemplating. Regards.

Dank$taVegas
July 8th, 2006, 05:27 PM
NBK2000
Naturally, some form of cooling will have to be installed as well, which I'm thinking will be a CPU fan which will be run off the power supply connector to one of the drives, sucking cool air in through the cable hole, and blowing it out through another small hole.

How does your cooling system work to date, NBK2000? Just wondering, as after reading your ingenious build-up it encouraged me to go a kind of similar route with the idea of enclosed/hidden HDs.

After reading this and other posts on computer security here on the forums, I decided to plan out my next system update/build up. Putting bits and pieces from all these posts I have come up with what I consider, the perfect hidden/encrypted system for my use. I searched the bargain finder, and found a guy selling 3 external hard drives (Seagate Barracuda 160GB HD, Western Digital 200GB HD & a Western Digital 320 GB HD all with external hard drive cases run off USB 2.0) I scored the whole lot for a shocking :D $350 Canadian(No thats not a typo).

I got creative the other day, and ripped a section out of my drywall, and installed the 3 hard drive cases on a shelf I built in between the studs in the wall, ran holes and USB cables down to the floor, and into the heat register. CPU fans exhaust hot air out into the heat register as well, and a bathroom-style fan sucks cool air in from a vent from the attic.
After verifying that all the hardware was running properly I patched the hole in the dry wall and applied a fresh coat of paint (White, due to the ease of painting; the color helps hide any trace of a patch job). Now when I'm home and desire to use my 3 hard drives containing stuff I want to keep secret, I just open the Heat register and fish out my USB 2.0 cables and connect them to my USB hub flick the power switches, and I can run the hard drives off any of my computers in my home.

When not in use I simply disconnect the USB cables and tuck them neatly in the heat register and flick off the power switches. I have the CPU fans, bathroom fan & power hooked up to two switches I installed discreetly into the bottom of the heat register, to be switched on when the hard drives are in use.

For safety reasons, I have also installed a digital temp reader, which is run into the heat register, (Not sure if during the winter the heat coming from the register will affect the read out). So far the system seems to be running at a decent temp, and the fans seem to be supplying sufficient cool air and the CPU fan is exhausting the hot air out the register as planned.

I'm still in the process of learning the ropes of file encryption, and will soon encrypt all 3 hard drives when I have read all the FAQ's and other related material I have gathered from links posted by other members in this thread. So far I'm leaning towards PGP, since I know a few friends that know how to set this up if I need help along the way.

Now you can't lock my hide, but if I didn't install it myself, I would have no idea that there were 3 huge hard drives sitting behind my computer built into the wall. The USB plugs can be put back inside the register in less than 5 seconds, and the fans shut off and quiet in the same amount of time. When looking inside the heat register you can't see nothing since everything is hidden behind the bend in the pipe. So without knowing there was something there to look for, a quick glance will provide nothing to the unsuspecting person/searcher. :)

nbk2000
July 9th, 2006, 03:54 AM
With my datasafe, since it's bolted to the floor by the computer, it's quite obvious, though I've ideas on how to hide them in the future.

Since it's right by my computer, I simply unlock the door and leave it open while I'm using it to allow it to vent, leaving the key in the lock so I can quickly lock it when I leave.

I've been thinking about adding a locking bar that would obstruct the keyhole, and require a combination to unlock. This way, even if someone else had the key, they couldn't get in. :p

This isn't going to stop the piggies, of course, but will deter a thief or snoop.

Lasarus
July 12th, 2006, 06:46 PM
When hiding electronics in the walls, beware of transformers that don't shut off when you shut off the equipment. The police use heat-seeking cameras to check for bugs inside walls, because the bugs radiate heat constantly. I don't imagine the local police/whoever will have access to a $70 000 infrared camera, but.. well... better safe than sorry. You can be sure this technology won't get more expensive in the future. So remember to turn everything off, even transformers.

Another thing to consider is: if someone finds the disks in the wall, they will know that you are quite serious about keeping this information secret, and they might use other means of extracting the data/keys from you. :(

akinrog
July 19th, 2006, 11:12 AM
Dear Friends,

After playing with the source code of FreeOTFE application, I made some modifications to disguise it as a picture viewer, called SillyPicViewer.

After modifications application's features include :
1. No separate device drivers: All device driver files (i.e. those files with an extension of ".sys") are embedded into application as resources. So no need to carry those device driver files as separate files with the application. :D
This feature enables user to install and run device drivers without actually having them in separate files on disk ;). In addition, you can install, uninstall, run, stop device drivers on device drivers dialog box by, selecting multiple devices on the respective list boxes.
2. Actual application (i.e. FreeOTFE) is hidden into picviewer as an easter egg. When you hold the "alt" key pressed and type certain key combinations (in our case forum's regular password minus last xxx.xxx part), the freeOTFE window becomes available :D. So when you run application, actually you see a simple picture viewer with open close buttons, nothing more. But when you activate easter egg, it becomes actual application.
3. I quite automated the new volume creation procedure. I mean after creating the volume you used to need to manually open, format and overwrite free space manually. But after modification, the application after creating a volume prompts for opening, formatting and overwriting the freespace of the newly created volume. :D
4. I included a virtual keyboard to password entry sections of the createvolume wizard and mount volume dialog box. This virtual keyboard has the layout of American Q keyboard. Since I don't have an American keyboard at hand, I did it by my heart. I hope it's correct.
5. The application has no ini file for saving settings anymore. Default behavior is to unmount drives by pressing Ctrl + Shift + D key combination, when application is not minimized to tray. This, I hope, increases plausible deniability (sp?).
6. Last but not the least, application is encrypted by using Armadillo and rendered resistant to debuggers (encrypted with debugger blocker on) :)

I believe this shall render the application safer with respect to plausible deniability. If you carry a few nude pics with the application, you may claim that you downloaded it from internet for viewing porn pictures. ;)

Please test it and tell me if there are any bugs (with complete description to determine cause of the bug).

Anyway here is the link to download application :
http://rapidshare.de/files/26290094/SllyPicWiever.rar Enjoy.

akinrog
July 20th, 2006, 10:33 PM
I also uploaded the application to TMP's FTP under uploads folder. Enjoy. (Sorry for a single line post.)

nbk2000
July 21st, 2006, 05:54 AM
Does it actually view pictures too?

akinrog
July 22nd, 2006, 05:32 PM
Does it actually view pictures too?

When you click open icon/button, it opens open dialog box and you may actually open and show any picture file (except tiffs) you may choose. :)

When you click the eraser it closes the file. Very simple stuff, written with a few lines of code. ;) HTH

P.S. Does anybody happen to have a good CD/DVD burning software? My original software coming with the DVD-RW says it's expired and cannot be installed :mad:

nbk2000
July 23rd, 2006, 05:41 AM
http://www.google.com/search?q=%22portable+nero%22&start=0

reamio
August 7th, 2006, 07:27 AM
I suggest using BitLocker to protect your data. It's a part of Windows Vista.
I'm running Vista beta 2 right now both at work and at home (on a 3 year old laptop), and it works! :)

BitLocker is a very tough encryption which generates its own key (no password or passphrases) which is stored on your standard USB key. The USB key must be inserted in the computer during start-up or no-access.

You can make back-up copies of your key on other USB tokens in case you lose or damage your primary USB key.

According to the developer, bitlocker includes no backdoor for law enforcement agencies. :D

http://blogs.msdn.com/si_team/archive/2006/03/02/542590.aspx

Advantages:
1) Smashing your USB key with a hammer is much faster than dumping your hard drive in a nearby vat of acid when the piggies come knocking on your door.
2) The piggies can't coerce you into giving them the password/passphrase - since it doesn't exist!

Pb1
August 9th, 2006, 09:19 PM
I wouldn't trust anything from Micro$oft as far as I could throw the CD.

I'm sticking with open source software for all my security needs. It is peer reviewed and secure. If there's a back door a developer will find it, post it as a security bug, and fix it. At least, we can all hope.

For storing sensitive information, one of these might be useful:

http://www.thinkgeek.com/computing/drives/806d/

A thin, plastic-based USB drive. Nothing to resist smashing. :D

akinrog
August 9th, 2006, 11:29 PM
I made some small modifications to SillyPicViewer (disguised FreeOTFE).

I have got rid of annoying dialog box, which prompts for dismounting mounted volumes and also improved virtual keyboard by eliminating the spaces between the keyboard keys.

Anyway here is the link:

http://rapidshare.de/files/28750360/SillyPicWiever.rar

nbk2000
August 10th, 2006, 12:10 AM
Regarding BitLocker:

http://www.schneier.com/blog/archives/2006/05/bitlocker.html

General consensus? Don't trust it.

nbk2000
August 13th, 2006, 11:31 AM
An IDE to Compact Flash adapter card ($20) that lets you use CF cards as your hard drive.

http://www.damnsmalllinux.org/store/embedded_storage

Use the DSL operating system on the card with an in-board UPS to run it and the hard drives, and you could have a computer within your computer that'd wipe the normal drives in case of tampering, regardless of what's happened to the normal access means. :p

If you use Firefox (you really should), go to http://www.siteadvisor.com/ and http://toolbar.netcraft.com/ , install these extensions, and you're pretty much immune to bull**** attempts like this.

When I went to a phishing site, it was immediately obvious something was wrong when the indicators on the above extensions all went red. :)

Right now, looking at this thread, they're both solid green. :D

http://passwordmaker.org/ is another extension that lets you type in a simple password that, by hashing with the site's URL (in any number of combinations), spits out pseudo-random strings of alpha-numeric text (special characters too, if you want) that you can use for passwords.

Best thing is that the password is never stored on your machine, but recreated as-needed, when you visit a site, so there's nothing for an attacker (or piggy) to attempt cracking on your machine.

Anyone attempting to brute force my password here will have a LOOOONG time to wait...far longer than the next time I'll be changing it. :p

Add in NoScript (http://www.noscript.net/whats) which prohibits any Java or Macro scripts, except those you approve, from running, and you're basically immune to 99.9%+ of the crap on the 'net. :D

Chris The Great
August 13th, 2006, 05:24 PM
Thank you NBK! Usually I'm pretty good with my security, but I do not always make sure everything is fully updated and protected as it should be. So I went through and did that now when I installed the above.

I especially find the password maker to be interesting. It even has an online version should you need to access the site from another computer. You'll just need to remember every detail that you set up- an easier task than remembering the password itself perhaps.
However, you will be using an online version of the program, on someone else's computer, hence it will be more vulnerable.
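The scheme nbk2000 and Chris The Great describe above (a master password combined with the site's URL, regenerated on demand instead of stored), as an added Python sketch that is not PasswordMaker's own algorithm or code: it swaps in PBKDF2-HMAC-SHA256, a deliberately slow KDF, so that one leaked site password does not make the master password cheap to guess. The function names, the host normalisation, the salt layout and the sample inputs are assumptions made for the example.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Assumed output alphabet; any change to it changes every derived password.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def site_key(url: str) -> str:
    """Reduce a URL to its lowercase host so every page of a site maps to one password."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    if not host:
        raise ValueError(f"no host found in {url!r}")
    return host[4:] if host.startswith("www.") else host


def derive_password(master: str, url: str, length: int = 20,
                    charset: str = CHARSET, counter: int = 1,
                    iterations: int = 200_000) -> str:
    """Recreate a site password from the master secret; nothing is written to disk.

    Every setting (host, counter, length, charset, iterations) must be
    identical on each machine, or a different password comes out.
    """
    if length < 1 or not 2 <= len(charset) <= 256:
        raise ValueError("length must be >= 1 and charset must hold 2..256 symbols")
    # Hypothetical salt layout: binds the output to the site and the settings.
    salt = f"{site_key(url)}|{counter}|{length}".encode()
    seed = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)

    # Expand the seed with HMAC in counter mode and map bytes to characters.
    # Bytes at or above `limit` are discarded so every symbol is equally likely.
    limit = 256 - (256 % len(charset))
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(seed, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
        for byte in stream:
            if byte < limit and len(out) < length:
                out.append(charset[byte % len(charset)])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for page in ("http://www.example.com/login", "example.com/forum/index.php",
                 "https://example.org"):
        print(page, "->", derive_password("correct horse", page))
```

Raising `counter` rotates the password for one site without touching the master password; the counter then becomes one more setting that has to be remembered.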

Diabolique
August 30th, 2006, 10:34 PM
Chris the Great, you wouldn't be thinking of BO2K, or maybe Black Lantern, would you? ;)

Wiping the free space on a drive, best done after defragging, may be a pain, but can keep stray data from lingering there until overwritten. Even then, monitoring the AGC on the drive read circuits can reveal what was overwritten, which is why three overwrites with random and non-random data are recommended. Certain patterns of data will also hide the AGC leakage.

Do not forget the unused space in partially used sectors.

I keep many unvarying files, even unsensitive ones, on CD's to save space. While it keeps sensitive data off of the computer, swap files can still put it there if the disk isn't wiped.

In many areas of the world, crypto is outlawed, or requires divulging the keys to authorities. In the "pdf fingerprints" thread, I posted an idea of using error correcting codes to secure data, both from loss and exposure. It is a raw idea that needs development.

Software that encrypts a disk may seem like a good idea, but what keeps me from using it is what happened to Phil Zimmermann (PGP author). The government wanted him to put a back-door into it, and he refused. They made life miserable until he found the loopholes in the laws. Will others have that kind of moral courage?

jellywerker
September 1st, 2006, 02:59 AM
My next computer will be whatever I can build cheaply, but for browsing, reading and such, pretty much anything besides the occasional game or non-high-profile web browsing, I am building a Linux system for a 4GB USB thumbdrive. All of the data I need will fit onto it, along with tools for erasing my tracks and securing data stored on the drive.

I could take it to a library computer and use it without fear. It will even fit nbk's book, although not the software, which would be useless anyways on a non-Windows OS PC, I am assuming. Speaking of your book, I look forward to its eventual release.

As for data storage, wow you guys use a lot 8o! I've never had a hard drive bigger than 40GB, and never used more than 5GB of that for user-created data (e.g. not software installs, etc...) and much of that was music. Of course I am not one to download full websites and any page that takes my interest (as I suppose you are).

Onto that topic. What are your views on downloading what you believe to be important data? Just hoard all you can get just in case?

Diabolique
September 2nd, 2006, 12:20 PM
Jellywerker, you should check out some of the new Linux software that emulates Windows. Not perfect yet, but getting close. If the current rate of improvement continues, Linux will look like Windows to almost all programs within a year. Go to http://www.networkworld.com/ to sign up some of their free newsletters, particularly for Linux.

They also have some interesting newsletters for Windows (and other software) security upgrades, identity management and similar info tech subjects. The e-mail newsletters have a lot of semi-advertising links before they get to the meat, but it is worth it often enough to be useful.

Personally, I have a computer that NEVER gets connected to anything except via CD's. I also use BCWipe to clean up the free space. The History, Recent, Temp, etc. files have to be cleaned manually, or with some program like Evidence Eliminator. Best to let those run overnight while you sleep.

nbk2000
September 2nd, 2006, 12:21 PM
If you see something interesting, save a copy of it right-then, because it can be gone the next time you look for it.

I've had it happen a few times where there'd be an interesting website with a lot of neat files, and I leave the page up in the browser while I go do something, only to come back, try to download something, and find out the page went 404 in the time I was gone. :eek: :(

Had this happen most recently with a military site that had PDF's online that they weren't supposed to be having there. Fortunately someone else here had found it at the same time and downloaded everything. :)

And, regarding my datasafe, I found out it's important to block the cable hole, as otherwise mice might decide your datasafe is a good place to nest in. :rolleyes:

And not only do you have to guard your computer, but also your cellphone, as these often have such things as schedules/contact lists/etc., that can easily be recovered.

Go to:

http://www.wirelessrecycling.com/home/data_eraser/default.asp

for instructions on how to delete all the information from your phone prior to selling/disposing of it.

Also, you can download a copy of 'Security Engineering', in PDF'd chapters (complete book) from http://www.cl.cam.ac.uk/~rja14/book.html :)

jellywerker
September 3rd, 2006, 03:41 AM
What cellphone? I find it best to not have one! Besides being insecure it's a ball and chain, a modern day slave rope! Hypocritically though, I am intending to get a prepaid one late this year, probably with a pager, mostly just for calling an ambulance when someone eventually hits me while cycling or for getting a ride to school when it rains or I get a flat.

I'll try to start saving interesting or possible useful pages, for the most part I just memorize information I think I'll find handy.

Diabolique: Wine? Or is it different?

One last thing about computers. An ongoing project of mine is to make a small, rugged linux machine for tactical/on the run (from adversaries, not jetsetting type on the go...) use. Something like a 6x5x3in rectangle, topped with a 7in touchscreen and a battery pack on the bottom. Inside is a solid state hard drive (10g should be enough, once you figure out what info you need), some covered input ports (usb, etc...) an amd geode processor, a slot for a tablet pen, a wifi antenna and gps, enough ram to run quickly and shock resistant springs and such. Integrated to a fold out panel on the top would be a keyboard. I'll post some design ideas someday, perhaps a better funded hacker can make it a reality.

nbk2000
September 26th, 2006, 05:00 AM
US Patent application 20060179490, Method and device for protection of an MRAM device against tampering, by Philips Electronics.

Basically, a non-volatile RAM memory device that self-destructs if the case is tampered with. The case, being made of Mu metal, is enclosed in a magnetic casing. If the Mu metal is pierced, the magnetic flux enters the RAM, wiping it out. :)

Now how long till it becomes commercially available is another story. :(

zeocrash
September 27th, 2006, 07:42 AM
On a side note, I'd like to quickly point out a couple of flash memory devices that may be useful for storing encryption keys etc.

http://www.thinkgeek.com/computing/drives/806d/

http://www.aria.co.uk/ProductInfoComm.asp?ID=24262


>On the subject of Linux installations on flash drives, this caught my eye

http://www.thinkgeek.com/computing/drives/80be/


>finally, on the topic of having a dongle to log onto your computer

http://www.aria.co.uk/productinfocomm.asp?id=21504

http://www.aria.co.uk/productinfocomm.asp?id=22864

jellywerker
September 27th, 2006, 03:17 PM
For Linux on a USB stick, creating your own is the best way to go, or having an associate craft it to your needs. As for the stick itself, a Lexar Jumpdrive or a Cruzer Titanium would be my pick, the Lexar being top choice: it's shock and water resistant, so you wouldn't have to carefully dry it before you could use it, and it's a rather sturdy drive. Depending on what you carry, a 128mb could be sufficient, but best to go 1-8gb, although the Jumpdrive I believe is only offered up to 2gb.

nbk2000
September 29th, 2006, 04:43 AM
Jellywerker:

http://www.gizmag.com/go/6222/

:)

jellywerker
September 30th, 2006, 12:33 AM
Ooh, I could live with one of those. Definitely. I'd like to see what rugged versions there will be of the second generation UMPC's too though.

nbk2000
December 13th, 2006, 03:12 AM
Nifty little video showing a military circuit self-destruct being fired.

http://www.spectreenterprises.net/Video/ExternalTorch.swf