Armouring up online: Duncan Campbell's chief techie talks crypto with El Reg

Truecrypt, PGP, GPG - but NEVER Skype

Crypto toolbox, Part I

I think I was about 15 or 16 when PGP was making headlines for being classified as munitions by the US government and was (supposedly) banned from export. While I wasn’t a subversive type at the time, I got a very strong sense that any software that scared the mighty USA so badly was something I ought to play with and try to understand – even if I didn’t need it.

Coming up to nearly the present day, I have fallen into a personal and working relationship with investigative journalist and occasional Reg contributor Duncan Campbell.

Among other things, such as interpreting tedious corporate MS Access databases for our work on the Offshore Leaks tax haven investigation, and now getting involved with his forensic IT work, I ended up being personal tech support for anything Duncan can't sort directly or doesn’t have the time to research. This has also led me to presenting the technical side of our work on Offshore Leaks at a couple of journalism conferences.

And then Edward Snowden, Laura Poitras and Glenn Greenwald changed the world. Or perhaps they just revealed that we'd been living in a fantasy world for a good long while.

Suddenly, Duncan “Echelon” Campbell was getting back into serious top-tier investigative journalism again. And my opinion and assistance were sought on the tools people were telling him to use.

After I assisted some of The Register's team with the necessary crypto tools to discuss Duncan's recent articles securely, group editor Joe Fay approached me and asked if I would write something myself about the tools and how they fit together.

It should be noted that these are not the only potentially suitable tools – just the ones I'm directly familiar with. There are some alternative options at Reset The Net's Privacy Pack site.

The tools I'm going to outline here are not going to improve your productivity. They aren't here to make your life easier; rather, they're to make the lives of anyone trying to snoop on your stuff harder. If you have a big team project and nobody apart from one or two crypto-fans has ever used PGP before, the feel-good factor that might be gained from being all techno-futuristic will be very rapidly overshadowed by the feel-bad problem of not getting any work done.

At the point I joined the team for ICU’s Offshore Leaks project, Duncan had just finished winning an internal battle about the use of PGP. Specifically, convincing everyone NOT to use it.

Duncan wisely pointed out that the threat model for the project did not include governments – as we understood it, they had already received the same data we were working with and reporting on. So, there was no need to go to Defcon 1 in order to try to keep them out. A slow and convoluted manual PGP-and-email arrangement was replaced with a dedicated private forum system (provided by team member Sebastian Mondial) which was invite-only and delivered over SSL – but not specifically trying to be secure against government-level adversaries.

However, during the preparation of Duncan's recent articles about NSA, GCHQ and the Snowden papers, all of the top-tier tools were absolutely in play.

Don't feel you have to use the tools in this article at every possible opportunity. Consider who you're trying to keep secrets from when deciding how much extra effort to go to.

Local storage: Truecrypt

Truecrypt can encrypt an entire physical drive (HDD, USB flash stick, whatever you like), or you can create a "container file" of a fixed size to hold the data you want to store securely. When you run Truecrypt, enter your password and mount your encrypted volume, it shows up as a new drive on whatever drive letter you choose.
