Armouring up online: Duncan Campbell's chief techie talks crypto with El Reg

Truecrypt, PGP, GPG - but NEVER Skype


Beware the old "C:\Windows\Temp" catch

Truecrypt is the simplest of these tools to understand. Your data is protected by a key derived from the password you enter when you create the volume. With a long, high-entropy password the data it guards is as secure as the cipher underneath it. It won't stop you if you insist on using a short, easily guessed password, and if you forget your really awesome password there is no magic "recovery" route: nobody, the developers included, can get the data back for you.
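To make the "short password, easily attacked" point concrete, here is an added example (mine, not code from the article or from the Truecrypt project) of the attack an adversary actually mounts: re-derive the header key from candidate passwords and compare. It uses PBKDF2-HMAC-SHA-512 with a 64-byte salt and 1000 iterations, which is how I remember Truecrypt's documented header-key derivation for its SHA-512 option; the salt, the wordlist and the passwords are constructed for the demonstration.

```python
import hashlib
import os
import time

# Constructed demonstration values, not data from a real TrueCrypt volume.
SALT = os.urandom(64)   # TrueCrypt keeps a random 64-byte salt in the volume header
ITERATIONS = 1000       # TrueCrypt's iteration count for its PBKDF2-HMAC-SHA-512 option
KEY_LEN = 64            # bytes of header key material to derive

# A constructed, deliberately tiny "wordlist" standing in for the dictionaries
# that real cracking tools ship with.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "secret", "truecrypt",
    "dragon", "monkey", "hunter2", "Password1",
]


def header_key(password, salt=SALT, iterations=ITERATIONS):
    """Derive a header key the way a TrueCrypt-style volume does: PBKDF2-HMAC-SHA-512
    over the password and the header salt. The only route from key back to password
    is to guess the password and re-run this function."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, KEY_LEN)


def crack(target_key, candidates, salt=SALT, iterations=ITERATIONS):
    """Offline guessing attack against a captured header key: derive a key for each
    candidate password and compare. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for guess in candidates:
        guesses += 1
        if header_key(guess, salt, iterations) == target_key:
            return guess, guesses
    return None, guesses


def keyspace_size(alphabet_size, length):
    """Number of passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def guesses_per_second(samples=20):
    """Measure how fast this machine tests candidates with one Python thread.
    Dedicated GPU crackers are orders of magnitude faster, so treat this as a floor."""
    start = time.perf_counter()
    for i in range(samples):
        header_key("benchmark-%d" % i)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    weak = header_key("letmein")
    print("weak password recovered:", crack(weak, COMMON_PASSWORDS))

    strong = header_key("correct horse battery staple is only a starting point")
    print("strong passphrase against the wordlist:", crack(strong, COMMON_PASSWORDS))

    rate = guesses_per_second()
    space = keyspace_size(95, 20)   # 20 printable-ASCII characters
    years = space / rate / (365 * 24 * 3600)
    print("this machine: %.0f guesses/s; exhausting 95^20 would take ~%.1e years" % (rate, years))
```

The iteration count slows each guess down, but it is a constant factor: a password that lives in a wordlist falls in seconds however many iterations you configure, while a long random one pushes the keyspace beyond any plausible guess rate. That asymmetry, not the cipher, is what decides whether a Truecrypt volume holds.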

Truecrypt - version 7.1a considered safe, although caution is advised

Of course, Truecrypt can't help you if the files you have stored inside its robust cryptographic container are also sitting in plaintext in C:\Windows\Temp, in an editor's autosave folder or in the swap file, or remain recoverable from unallocated disk space after you moved them into the container (a move does not wipe the original sectors). If you are worried about that, you can get TC to encrypt your boot partition, so you have to enter your password before Windows even begins booting. Of course, that's still vulnerable if someone snatches your booted-and-unlocked laptop from your grasp: while a volume is mounted its keys are in RAM and the data is there for the taking.
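The first half of that catch, plaintext copies left lying around, is something you can actually check for. The following is an added example (my own, not the article's or Truecrypt's) that hashes every file inside a mounted volume and looks for byte-identical copies in the usual leak locations; the directory names, file names and contents in `demo()` are constructed. It cannot see deleted files or unallocated space, which is the forensic-recovery case that only whole-disk encryption addresses.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20

# Places Windows and its applications habitually drop working copies (assumed list).
DEFAULT_SUSPECTS = [
    os.environ.get("TEMP", ""),
    r"C:\Windows\Temp",
    os.path.join(os.path.expanduser("~"), "Downloads"),
]


def sha256_file(path):
    """Hash a file in chunks so large volumes do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Map content hash -> list of paths for every readable regular file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                index.setdefault(sha256_file(p), []).append(p)
            except OSError:
                continue   # locked or unreadable file; skip rather than abort the scan
    return index


def find_plaintext_copies(container_mount, suspect_dirs):
    """For each file inside the mounted volume, list byte-identical copies found in
    the suspect directories. Matching by hash catches renamed copies such as the
    ~WRL0001.tmp files Word leaves behind; it cannot catch partial or deleted ones."""
    protected = index_tree(container_mount)
    hits = {}
    for d in suspect_dirs:
        d = Path(d) if d else None
        if d is None or not d.is_dir():
            continue
        for digest, paths in index_tree(d).items():
            for original in protected.get(digest, []):
                hits.setdefault(original, []).extend(paths)
    return hits


def demo():
    """Constructed scenario: a 'mounted volume' and a temp directory holding one leaked copy.
    Returns (original name, copy name) pairs."""
    base = Path(tempfile.mkdtemp(prefix="tc_demo_"))
    try:
        vol, tmp = base / "mounted_volume", base / "Windows_Temp"
        vol.mkdir()
        tmp.mkdir()
        (vol / "source_notes.txt").write_bytes(b"constructed sensitive notes\n" * 100)
        (vol / "photo.bin").write_bytes(os.urandom(4096))
        shutil.copy(vol / "source_notes.txt", tmp / "~WRL0001.tmp")   # editor's temp copy
        (tmp / "unrelated.log").write_bytes(b"nothing to see here\n")
        hits = find_plaintext_copies(vol, [tmp, base / "does_not_exist", ""])
        return sorted((orig.name, copy.name) for orig, copies in hits.items() for copy in copies)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for original, copy in demo():
        print("plaintext copy of %s found at %s" % (original, copy))
```

Run it against the real mount point and `DEFAULT_SUSPECTS` to get a list of files to wipe; if it finds anything, assume the sectors those copies once occupied are also still readable, and take that as your cue to enable system encryption rather than to keep cleaning up.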

Despite the recent scares, many people are still comfortable using the previous (7.1a) release of the massively popular encrypted storage application. Now that the dust has settled a little, I am too.

I share Steve Gibson's opinion that the dire "it's insecure, stop using it" message put out by its developers should more accurately be interpreted as "we quit, there will be no support from us going forward, so please use something else".

At this point, although version 7.1a of Truecrypt is considered safe, it is appropriate to urge a little caution about where you download it from. This would be a great opportunity for ne'er-do-wells to put up fake mirrors serving compromised, weakened or malware-addled versions of the software. I would recommend either Steve Gibson's mirror on his GRC page or the new Truecrypt.ch site hosted in Switzerland as appropriate and trustworthy. Whichever you pick, compare the SHA-256 hash and the OpenPGP signature of the installer you fetched against the values published by more than one independent source, so that a single compromised mirror cannot fool you.

Now we've got all that out of the way, here's a link to a decent tutorial to walk you through the basic setup (creating a container-file based volume).

For greater depths of background reading, Andrew Y has reconstructed the original Truecrypt website for reference purposes, including the Documentation section.

Securing email with PGP/GPG

While you certainly can use Truecrypt to send files to someone else, that would require you either to agree a shared password in advance or to have some other already-secure channel over which to send it. That's not hugely useful in many situations, such as a whistleblower wanting to communicate securely with a journalist they've never met.

That's where the clever maths of Public Key Cryptography comes in. Rather than the "symmetric" model used by Truecrypt (encrypt with a password, decrypt with the same password), Public Key tools work with a mathematically related pair of really massive numbers. One of those can be shared freely with the entire world and is used to encrypt data (the Public Key), but the resulting ciphertext can only be decrypted by the other half of the pair, which you keep secret (the Private Key). The one thing the maths cannot do for you is confirm that the public key you hold really belongs to the journalist rather than to someone sitting in between; that is what a key's fingerprint is for, checked over a second channel such as the newspaper's website or a phone call.

The de facto standard for this is OpenPGP, descended from the original Pretty Good Privacy created by Phil Zimmermann. The Free Software toolset GPG (GNU Privacy Guard) is the most commonly used implementation.

There are a number of possible configurations available for GPG, depending on whether you would rather use it as a plugin to a local email client or entirely as a stand-alone app. My personal preference is to use the Enigmail plugin for the Mozilla Thunderbird mail client, whereas a more manual approach requiring fewer changes to your general way of working (no need to switch email client) would be to use the GNU Privacy Assistant (GPA) standalone app from the GPG4Win bundle.

There are also Chrome extensions which implement OpenPGP in client-side JavaScript inside your browser, to aid using it with webmail services. I haven't used any of these and I'm not sure they would provide seriously top-tier protection. There are hazards such as Gmail's autosaving of drafts, which could send the unencrypted text of your message to Google "in the clear" before you ever press Encrypt.

This would be another "security versus convenience" trade-off. For best security, don't compose your sensitive emails in a webmail page: write them locally in Notepad, run them through GPG by hand, then copy and paste the encrypted version into Gmail to send it.
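Here is that manual workflow, and the public/private key property described in the Public Key Cryptography section above, carried out end to end with the real gpg command line. This is an added example of my own, not code from the article or from the GnuPG project; it drives `gpg` through subprocess so every command is visible. The journalist identity, the message and the throwaway keyrings are constructed, the key has an empty passphrase purely so the demonstration runs unattended, and `--trust-model always` stands in for the fingerprint check you would do by hand.

```python
import os
import shutil
import subprocess
import tempfile

GPG = shutil.which("gpg")
GPGCONF = shutil.which("gpgconf")
GPG_AVAILABLE = GPG is not None


def run(args, home, stdin=None):
    """Run gpg non-interactively against an isolated keyring directory."""
    cmd = [GPG, "--batch", "--yes", "--no-tty", "--quiet", "--homedir", home, *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, check=True)


def make_key(home, uid):
    """Generate a primary key plus encryption subkey for uid. Empty passphrase is for
    the demo only (assumption); a real key should be protected by a passphrase."""
    run(["--pinentry-mode", "loopback", "--passphrase", "",
         "--quick-gen-key", uid, "default", "default", "never"], home)


def fingerprint(home, uid):
    """Pull the 40-hex-digit fingerprint from gpg's machine-readable output; this is
    the value you confirm with the journalist over a second channel."""
    out = run(["--with-colons", "--fingerprint", uid], home).stdout.decode()
    for line in out.splitlines():
        if line.startswith("fpr:"):
            return line.split(":")[9]
    raise RuntimeError("no fingerprint record for %s" % uid)


def demo():
    """Journalist publishes a public key; whistleblower encrypts a locally composed
    message with it; only the journalist's private key can read it."""
    if not GPG_AVAILABLE:
        raise RuntimeError("gpg not installed")
    journalist = tempfile.mkdtemp(prefix="journalist_")      # constructed keyrings
    whistleblower = tempfile.mkdtemp(prefix="whistleblower_")
    uid = "Example Journalist <journalist@example.invalid>"   # constructed identity
    try:
        make_key(journalist, uid)
        # The public half travels in the clear; the whistleblower imports it.
        pubkey = run(["--armor", "--export", uid], journalist).stdout
        run(["--import"], whistleblower, stdin=pubkey)

        # Compose locally, encrypt by hand, and only the armored text goes to webmail.
        message = b"Composed locally in Notepad, never inside the webmail page.\n"
        armored = run(["--armor", "--trust-model", "always",
                       "--recipient", uid, "--encrypt"], whistleblower, stdin=message).stdout

        recovered = run(["--pinentry-mode", "loopback", "--passphrase", "",
                         "--decrypt"], journalist, stdin=armored).stdout

        # The sender holds only the public key, so even they cannot open the ciphertext.
        try:
            run(["--decrypt"], whistleblower, stdin=armored)
            sender_can_decrypt = True
        except subprocess.CalledProcessError:
            sender_can_decrypt = False

        return {
            "armored": armored.decode(),
            "roundtrip_ok": recovered == message,
            "sender_can_decrypt": sender_can_decrypt,
            "fingerprint": fingerprint(journalist, uid),
        }
    finally:
        for home in (journalist, whistleblower):
            if GPGCONF:
                subprocess.run([GPGCONF, "--homedir", home, "--kill", "gpg-agent"],
                               capture_output=True)
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print(result["armored"])
    print("journalist decrypted OK:", result["roundtrip_ok"])
    print("sender can decrypt:", result["sender_can_decrypt"])
    print("fingerprint to verify out of band:", result["fingerprint"])
```

The armored block is the only thing that touches Gmail, so a draft autosave can leak nothing more than the ciphertext. The `--recipient` lookup is also where a fake key would bite: in real use, compare the fingerprint gpg shows you with the one the journalist publishes before you ever encrypt.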
