
Drivecrypt PLUS PACK


Legolas

Apr 3, 2002, 4:18:58 PM
HEY!!

Lots of changes on www.drivecrypt.com !! Nicer & cleaner webdesign :)

Most interesting is the new DriveCrypt Plus Pack, which finally allows Pre-
Boot authentication.

Until April 13th, the price is $49. That makes $10 more than I paid for DC.
Shaun, I was wondering if there was a time-limited, reduced upgrade price
for existing DC users.

Have a nice day,
Legolas

Sam Simpson

Apr 3, 2002, 5:54:58 PM
Interesting, I knew nothing about the new announcement or new product.
Before adoption some questions need to be asked:

1) How closely tied to the original DC source code is this product?
2) "256-bit military strength encryption using proven cryptographic
algorithms." - what are the algorithms? AES is obvious, but....
3) "Powerful Pre-Boot Authentication" - details of how this works?
4) "Completely transparent to the user" - apart from the boot
authentication I guess ;) Does this technology work with laptops that
hibernate etc?
5) "Sector level protection" - what does that mean?
6) "Anti dictionary and brute-force attack mechanisms, due to the nature
of DCPP it is the most difficult system to attack compared to anything
else available". Tut. Does this mean that it uses a salt? What else?
That's a grand claim and needs some technical backing.
7) Who was the lead developer?


Still, looks like a very interesting and welcome development.


Also, it appears that SecureStar is offering penetration testing:
http://www.securstar.de/penetration.html - though they leave out more
general testing methods than they include.

The about page at http://www.securstar.de/about.html also got a smile or
two - e.g. the Our Team section where "Dr. Manfred Hafner" is introduced
as a "well regarded consultants and security technologists". Eh? I've
read every crypto book published in the last 10 years and 90% of
conference papers and have yet to hear of this guy...Let's hope it's not
this Dr Manfred Hafner
http://translate.google.com/translate?hl=en&sl=de&u=http://www.altavita.ch/av_vortrag02/av_autonomes_alter020202.htm&prev=/search%3Fq%3D%2522Dr%2BManfred%2BHafner%2522%26hl%3Den
(who appears to have a medical doctorate or MD).


The paragraph at the bottom of Our Team (quoted under Fair Use
terms) sure deserves some critical appraisal:

"With impressive credentials and a great depth and variety of
experience, our founders, technology and management teams represent a
virtual Who's Who of the information security industry.
You could not have a better group in your corner protecting your systems
and data."

*sigh*


Sam

Regards,

Sam


--
Regards,

Sam Simpson
s...@samsimpson.com
http://www.samsimpson.com/

Shaun Hollingworth

Apr 3, 2002, 6:27:30 PM
On Wed, 03 Apr 2002 23:54:58 +0100, Sam Simpson <s...@samsimpson.com>
wrote:

>Interesting, I knew nothing about the new announcement or new product.
>Before adoption some questions need to be asked:
>
>1) How closely tied to the original DC source code is this product?

It isn't... It has been developed by Paul Le Roux, rather than
myself...


>2) "256-bit military strength encryption using proven cryptographic
>algorithms." - what are the algorithms? AES is obvious,

'Tis AES
One can't have too many algorithms, when decrypting at boot level....

>but....
>3) "Powerful Pre-Boot Authentication" - details of how this works?

I'll post more when I've had a chance to examine in detail the program
for myself....


>4) "Completely transparent to the user" - apart from the boot
>authentication I guess ;) Does this technology work with laptops that
>hibernate etc?

Yes. The whole of the designated hard drive, including the OS, is
encrypted....


>5) "Sector level protection" - what does that mean?

It means that the encryption is lower than the filing system level...

>6) "Anti dictionary and brute-force attack mechanisms, due to the nature
>of DCPP it is the most difficult system to attack compared to anything
>else available". Tut. Does this mean that it uses a salt?

It is likely to, as Paul is rather fond of them...

>What else?

On a practical note, the encryption initially goes in at the BIOS
level, so it is very difficult to write software to try and read the
disk, unless the drive is removed and installed in another computer,
as a slave, or second drive... Certainly there is no operating system
to hand on which cracking software can be installed, for to boot up
the OS, you have to know the pass phrases!

> That's a grand claim and needs some technical backing.
>7) Who was the lead developer?


Not me. See above..

>
>
>Still, looks like a very interesting and welcome development.
>
>
>Also, it appears that SecureStar is offering penetration testing:
>http://www.securstar.de/penetration.html - though they leave out more
>general testing methods than they include.
>
>The about page at http://www.securstar.de/about.html also got a smile or
>two - e.g. the Our Team section where "Dr. Manfred Hafner" is introduced
>as a "well regarded consultants and security technologists". Eh? I've
>read every crypto book published in the last 10 years and 90% of
>conference papers and have yet to hear of this guy...Let's hope it's not
>this Dr Manfred Hafner
>http://translate.google.com/translate?hl=en&sl=de&u=http://www.altavita.ch/av_vortrag02/av_autonomes_alter020202.htm&prev=/search%3Fq%3D%2522Dr%2BManfred%2BHafner%2522%26hl%3Den
>(who appears to have a medical doctorate or MD).


One of the finest books on Sinclair Spectrum programming (which I
still have somewhere) was called "The Complete Spectrum ROM
Disassembly" by Dr Ian Logan, and Dr Frank O'Hara.... and it was a
complete documentation of the nuances of the Spectrum OS, The Basic
Interpreter, and all the bugs..... I was sure those guys had PhDs in
computer science.... In fact they were a couple of GPs, (MDs for you
in the USA) as I learned when I met them personally...... The upshot
is that most MDs are probably at least as intelligent as is the
average computer scientist, and it wouldn't surprise me, if an MD
could find encryption interesting to the degree that he or she, became
some kind of authority on the subject.....

Regards,
Shaun.


nemo outis

Apr 3, 2002, 11:49:45 PM


Hooray! Finally, it's here: whole disk encryption for the masses.

Yes, I have a thousand questions and some reservations and worries, but, hey,
it's a great start and today is a great day. My $50 will be on its way
forthwith - fifthwith at the latest :-)

Regards,

PS Simon Hunt, time to get Safeboot Solo onto the market. Let's have a
little healthy competition.

Justme

Apr 4, 2002, 2:47:15 AM
On Wed, 03 Apr 2002 21:18:58 GMT, Legolas <leg...@legoli.com> wrote:

>Most interesting is the new DriveCrypt Plus Pack, which finally allows Pre-
>Boot authentication.
>
>Until April 13th, the price is $49. That makes $10 more than I paid for DC.
>Shaun, I was wondering if there was a time-limited, reduced upgrade price
>for existing DC users.

From the website:

Thank you for your interest about DriveCrypt PlusPack (DCPP)

DCPP will be released to the public only around April 15th,
and will be sold at the price of US$ 149.95

To everybody willing to PRE-ORDER the DCPP BEFORE April 13th,
SecurStar GmbH will offer an absolute special price of US$ 49.95

----------------

I have a bit of a problem with the special pre-order price that's only
valid until 2 days BEFORE the product is released. Doesn't give any
opportunity to find out what other users are saying about the product,
and find out how it performs under various conditions and how
transparent it REALLY is.

$150 is totally out of the question.

If they offer the $49.95 price for a few weeks AFTER the product is
released and after I've seen posts from people about how it works,
then I'll probably order it.

No idea if the Securstar people read this group, but I hope they're
receptive.

fjwi...@hotmail.com

Apr 4, 2002, 12:58:16 PM
>>4) "Completely transparent to the user" - apart from the boot
>>authentication I guess ;) Does this technology work with laptops that
>>hibernate etc?
>
>Yes. The whole of the designated hard drive, including the OS, is
>encrypted....

The operating system is encrypted? I didn't think that was really
possible.
I talked to a company that got a "rave review" from PC World a few
years ago about a disk encryption method they were marketing, they
also said that the operating system would be encrypted, I don't
believe that it went much of anywhere. At a "non-commercial" discounted
rate of $, it's no wonder.


Chris Epler

Apr 4, 2002, 1:05:55 PM
Perhaps I'm blind, or my ISP is using a transparent proxy cache which isn't
updated yet, but I don't see any updates to the site...?

On Wed, 03 Apr 2002 21:18:58 GMT, Legolas <leg...@legoli.com> wrote:

Sam Simpson

Apr 4, 2002, 1:56:59 PM

fjwi...@hotmail.com wrote:
>>>4) "Completely transparent to the user" - apart from the boot
>>>authentication I guess ;) Does this technology work with laptops that
>>>hibernate etc?
>>
>>Yes. The whole of the designated hard drive, including the OS, is
>>encrypted....
>
>
> The operating system is encrypted? I didn't think that was really
> possible.

Why? Give me a detailed explanation why it's not possible. It's
already been done by other companies


> I talked to a company that got a "rave review" from PC World a few
> years ago about a disk encryption method they were marketing, they
> also said that the operating system would be encrypted, I don't
> believe that it went much of anywhere. At a "non-commercial" discounted
> rate of $, it's no wonder.

Maybe they didn't have good programmers?

Sam Simpson

Apr 4, 2002, 4:28:08 PM
Thanks for the reply Shaun, see further questions etc below:

Shaun Hollingworth wrote:
> On Wed, 03 Apr 2002 23:54:58 +0100, Sam Simpson <s...@samsimpson.com>
> wrote:
>
>
>>Interesting, I knew nothing about the new announcement or new product.
>>Before adoption some questions need to be asked:
>>
>>1) How closely tied to the original DC source code is this product?
>
>
> It isn't... It has been developed by Paul Le Roux, rather than
> myself...

Do you know if it is an e4m derivative or a new product?


>>2) "256-bit military strength encryption using proven cryptographic
>>algorithms." - what are the algorithms? AES is obvious,
>
>
> 'Tis AES
> One can't have too many algorithms, when decrypting at boot level....

I assume SHA is used for passphrase hashing or something?

>>but....
>>3) "Powerful Pre-Boot Authentication" - details of how this works?
>
>
> I'll post more when I've had a chance to examine in detail the program
> for myself....

That would be great, cheers.

>>4) "Completely transparent to the user" - apart from the boot
>>authentication I guess ;) Does this technology work with laptops that
>>hibernate etc?
>
>
> Yes. The whole of the designated hard drive, including the OS, is
> encrypted....
>
>
>
>>5) "Sector level protection" - what does that mean?
>
>
> It means that the encryption is lower than the filing system level...

I guess it works by hooking into BIOS level HD calls then?


Of course, I in no way meant that CompSci students are in any way better
at coding than any other vaguely bright person. It just seems that
S-Star are "overplaying" some of the descriptions of the staff. I'd
like to know the details of Dr Hafner's published work in the security
field - or are S-Star just using his PhD / MD because it looks flash?


Cheers,

Sam

Terry Johnson

Apr 4, 2002, 7:47:12 PM
This is absolutely not true. The encryption software runs at a lower level
than the OS. It loads before the OS loads and runs the decryption routine.
Then the machine boots as normal.

Examples of other software that perform similarly are bootloaders. In the
past, Maxtor used a special piece of software that allowed older machines to
use larger hard drives. This software was installed and even if the disk was
formatted, the software was still there. It would take a low level format to
be rid of the software.

Whole disk encryption software works in a similar manner. It is set to run
before the OS runs, it decrypts what is necessary to run the machine and
then passes over control to the OS.

Does this help clear it up for you?

Jeff Biggerstaff

Apr 4, 2002, 8:05:59 PM
Chris,

Try http://www.securstar.com instead of http://www.drivecrypt.com

Regards,

Jeff

fjwi...@hotmail.com

Apr 4, 2002, 11:06:47 PM
On Thu, 04 Apr 2002 19:56:59 +0100, Sam Simpson <s...@samsimpson.com>
wrote:

>
>


>fjwi...@hotmail.com wrote:
>>>>4) "Completely transparent to the user" - apart from the boot
>>>>authentication I guess ;) Does this technology work with laptops that
>>>>hibernate etc?
>>>
>>>Yes. The whole of the designated hard drive, including the OS, is
>>>encrypted....
>>
>>
>> The operating system is encrypted? I didn't think that was really
>> possible.
>
>Why? Give me a detailed explanation why it's not possible. It's
>already been done by other companies
>

Sam, I am John Doe with this stuff, by no means an expert. When I
think of "operating system", I think of something no smaller than
Windows 3.1, or dos 5.0. which I believe was on 2 floppies.
It is natural to think the operating system is necessary for the
computer to boot up, though apparently it is not. I just thought that
any kind of program that was capable of it would have to be contained
on more than a single floppy disk.

If this is true, then I am interested. I keep my financial information
on my computer, and the location I live at is, I am afraid, burglar
friendly, a little remote. The only sure-fire way that I know of
protecting my financial data to MY satisfaction(call me paranoid) is
by creating large scramdisk containers, which I have already done, or
encrypting the entire hard drive.

Flare

Apr 5, 2002, 3:56:01 AM
Windows really need to be encrypted. ;-)
Let's hope full source code will be released so
that I will be able to upgrade to XP :-)

PS - and let's also hope that those US guys've
done it well (AES ;)

aaaa

Apr 5, 2002, 4:51:13 AM
With pre-boot full disk encryption, why would it still be necessary to
create virtual container(s) afterward?

Wouldn't the pre-boot encryption be as safe as the container version?
Is it totally secure?

Thanks

Sam Simpson

Apr 5, 2002, 7:31:41 AM
Norm Y. Alike wrote:

> fjwi...@hotmail.com wrote:
>
>
>>The operating system is encrypted? I didn't think that was really
>>possible.
>
>
> Sam Simpson <s...@samsimpson.com> wrote:
>
>>Why? Give me a detailed explanation why it's not possible. It's
>>already been done by other companies
>
>
> The explanation of why it's not possible seems obvious to me: It's a
> catch-22 situation. You need the operating system in place in order to load
> and run the encryption software and get the password from the user, but you
> need the encryption software to already be loaded and running in order to
> load and run the encrypted operating system. I don't see any way to do it
> without using a special hard drive interface card with its own processor to
> do the encrypting and decrypting work.

Not at all. Rather than simply booting the OS, why not use a different
boot loader that accepts the user's passphrase, attaches an interrupt
handler that captures HD read/writes that automatically decrypts data.

It's not rocket science (though it would be hard to implement!)

Sam Simpson

Apr 5, 2002, 7:33:14 AM
Sure, a computer needs to boot some OS - but that doesn't preclude
loading a BIOS interrupt redirector to capture HD calls and on the fly
decrypt/encrypt data. This program could then call the normal OS boot
code and load the operating system as normal.
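
The boot chain Sam describes in the two posts above (a loader that takes the passphrase, hooks disk reads and writes, then hands over to the normal OS loader), modelled as an added example that is not part of the original posts or of any product's code. `RawDisk`, `SectorCryptFilter`, `load_os`, `preboot` and `build_demo_disk` are hypothetical names, the disk contents are constructed, and a SHA-256 keystream stands in for a real block cipher because Python's standard library has none.

```python
import hashlib

SECTOR_SIZE = 512


class RawDisk:
    """Stand-in for the physical drive: a flat array of 512-byte sectors."""

    def __init__(self, sector_count: int):
        self.data = bytearray(sector_count * SECTOR_SIZE)

    def read(self, lba: int) -> bytes:
        start = lba * SECTOR_SIZE
        return bytes(self.data[start:start + SECTOR_SIZE])

    def write(self, lba: int, buf: bytes) -> None:
        if len(buf) != SECTOR_SIZE:
            raise ValueError("whole sectors only")
        start = lba * SECTOR_SIZE
        self.data[start:start + SECTOR_SIZE] = buf


class SectorCryptFilter:
    """Plays the role of the hooked disk interrupt handler.

    It exposes the same read/write interface as the disk, so code above it
    needs no changes. Assumption: the cipher here is a SHA-256 keystream used
    as a stand-in; it shows the layering, not a cipher to deploy.
    """

    def __init__(self, lower: RawDisk, key: bytes, first_encrypted_lba: int = 1):
        self.lower = lower
        self.key = key
        self.first_encrypted_lba = first_encrypted_lba

    def _keystream(self, lba: int) -> bytes:
        # The sector number is mixed in, so equal plaintext sectors differ on disk.
        out = b""
        block = 0
        while len(out) < SECTOR_SIZE:
            out += hashlib.sha256(
                self.key + lba.to_bytes(8, "little") + block.to_bytes(4, "little")
            ).digest()
            block += 1
        return out[:SECTOR_SIZE]

    def _transform(self, lba: int, buf: bytes) -> bytes:
        if lba < self.first_encrypted_lba:
            return buf  # the loader's own sector must be readable before a key exists
        return bytes(a ^ b for a, b in zip(buf, self._keystream(lba)))

    def read(self, lba: int) -> bytes:
        return self._transform(lba, self.lower.read(lba))

    def write(self, lba: int, buf: bytes) -> None:
        if len(buf) != SECTOR_SIZE:
            raise ValueError("whole sectors only")
        self.lower.write(lba, self._transform(lba, buf))


def load_os(disk, first_lba: int, sector_count: int) -> bytes:
    """Stand-in for the OS loader: it only knows 'read sector N'."""
    return b"".join(disk.read(first_lba + i) for i in range(sector_count))


def preboot(raw: RawDisk, key: bytes, os_lba: int, os_sectors: int) -> bytes:
    """Plaintext loader in sector 0 -> install the filter -> unchanged OS loader."""
    if not raw.read(0).startswith(b"LOADER"):
        raise RuntimeError("no loader in sector 0")
    hooked = SectorCryptFilter(raw, key)  # the "interrupt hook"
    return load_os(hooked, os_lba, os_sectors)


def build_demo_disk(key: bytes) -> RawDisk:
    """Constructed sample disk: plaintext loader, then two identical OS sectors."""
    raw = RawDisk(8)
    raw.write(0, b"LOADER".ljust(SECTOR_SIZE, b"\0"))
    installer = SectorCryptFilter(raw, key)
    image = b"NTLDR-STAND-IN".ljust(SECTOR_SIZE, b"\0")
    installer.write(1, image)
    installer.write(2, image)
    return raw


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed key
    disk = build_demo_disk(demo_key)
    print("raw sector 1:", disk.read(1)[:14])
    print("through hook:", preboot(disk, demo_key, 1, 2)[:14])
```

Only sector 0 is stored in the clear, which is why nothing above the loader has to exist before the passphrase is entered.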

Sam Simpson

Apr 5, 2002, 7:33:56 AM
You are right - you wouldn't create containers - you'd just save files
in MyDocs or whatever and it'd also be encrypted automatically.

Sam Simpson

Apr 5, 2002, 8:00:11 AM
Of course, having boot-level security doesn't solve the million other
security problems with 95/98/ME/XP/W2k/NTv4 etc. Windows really needs
to be *dumped* for a better OS in reality!

Pogo P. Possum

Apr 5, 2002, 10:25:34 AM
On 5 Apr 2002 14:21:50 -0000, Generic Poster
<nob...@cotsebay.cotse.net> wrote:

>Hi i have a dumb question:
>
>Is the Standard Drivecrypt software included in Drivecrypt Plus Pack or is it just an "add-on". If it is not included is there any need for the standard software if you have Drive Crypt Plus Pack??
>
>thanks
>
>Sh
>
>
In a private email to me, Shaun addressed this concern, because I had
it too. He essentially told me that unlike DriveCrypt, all partitions
are visible, once the system is up and running, and so you will also
need to have normal DriveCrypt containers or partitions, if you wish
to turn things on and off......IE The two programs are designed to be
complementary...

nemo outis

Apr 5, 2002, 11:52:25 AM

Much as I am delighted with the prospect of DriveCrypt Plus Pack (assuming it
works as described, has no back doors, etc.) I intend to supplement it with
another "container/partition encrypter" for additional security for sensitive
files.

Despite the merits of "regular" Drivecrypt I will use a product from another
manufacturer to mitigate risks if one manufacturer's products are defective or
compromised. Bestcrypt or Vdisk seem good candidates to use for containers
nested within (or alongside) a HD/OS more broadly protected by Drivecrypt Plus
Pack. (A future alternative could be, for instance, Safeboot Solo with regular
Drivecrypt containers inside - or on separate partitions.)

The HD/OS protector provides general protection (against OS info leaks,
terrain-denial for software keyloggers, etc.) while the container
file/partition holds sensitive data. If nesting doesn't have
performance/compatibility problems, then that is probably superior to using
the two protections separately (e.g., on different partitions).

Think of it as a castle with an outer wall and then the keep.

Regards,


Pogo P. Possum

Apr 5, 2002, 2:20:45 PM
On Fri, 05 Apr 2002 16:52:25 GMT, nemo_...@hotmail.com (nemo outis)
wrote:

Yeah -- "If nesting doesn't have performance/compatibility problems."
I burn a lot of CD-Rs. I find that I can burn from a
Blowfish-protected container once opened, but I wonder about the
performance penalty from "nested" containers, especially if one is not
as fast as Blowfish. -- Am I going to start making coasters if I try
burning CD-Rs in such a case, I wonder? Does anyone have any thoughts
on this?

Regards back to ya!

fjwi...@hotmail.com

Apr 5, 2002, 9:23:20 PM
I contacted securstar, posted the same question, and they sent me this
e-mail today.

>Hi,
>
>
>Thank you for your email.
>DCPP is a separate program than DriveCrypt.
>As a matter of fact it does not work with volumes but it encrypts entire hard
>disks.
>
>
>It is possible to run both programs simultaneously ( DCPP on top of
>DriveCrypt ),
>however DriveCrypt is not included in the DCPP promotion
>
>
>If you buy DCPP now, you are automatically entitled to get the new DCPP
>version for Win 98 free of charge,
>however it may take around 2-3 months until that version will be ready.
>
>
>Best regards
>
>
>W. Hafner
>
Thinking about trying it out myself.
Hope this helps.


On Thu, 4 Apr 2002 02:50:05 +0200 (CEST), Nomen Nescio
<nob...@dizum.com> wrote:

>This looks really good. The only other game in town, that I know of, that
>offers full HD encryption is safeboot and as far as I know they only offer
>it to corporate users. This also seems to put my fears of winding up with
>XP someday, and wondering whether to get BC or DC, to rest. If I preorder
>at the special price offered of $49, will I be able to upgrade (or downgrade,
>depending on how you look at it) to a 98 compatible version when it becomes
>available? The site says that it's not *yet* available for 98, is such a version
>really being worked on? I don't know when or if I'll be forced to move to
>XP, I'm just anticipating it if I ever have to get a new computer.

Flare

Apr 6, 2002, 12:18:20 AM
Sam Simpson <s...@samsimpson.com> wrote in message news:<3CAD9FDB...@samsimpson.com>...

> Of course, having boot-level security doesn't solve the million other
> security problems with 95/98/ME/XP/W2k/NTv4 etc. Windows really needs
> to be *dumped* for a better OS in reality!

Yes, but in 2002 I don't see it realistic to expect all people using
personal computers could switch to Linux or another system. Windows are
so wide-spread now that we simply have to use them and also find
ways to improve their security and privacy instead of just dumping
them. BTW, tell me if you know a 100% secure OS.
(I'd say the most secure is the most encrypted one ;-)

Regards
David

Flare

Apr 6, 2002, 2:02:23 AM
nemo_...@hotmail.com (nemo outis) wrote
> If nesting doesn't have performance/compatibility problems, then that
> is probably superior to using the two protections separately (e.g.,
> on different partitions).

IMHO this would be a CPU load disaster. The system could even appear
to freeze. It is difficult to tell for how long periods of time. It
could freeze for a second or two every five seconds (depends on how
the driver is programmed.) It is difficult to tell, we'll have to
wait and see. Anyway, you should expect at least 50% performance
degradation.
You'd better put your "sensitive" BC/SD/DC containers outside
the DCPP partition. There are more reasons to place your OS on a
separate partition or even a separate drive. I've always done it
so and never regretted.

Now, I hope that it will be possible to boot multiple operating
systems with DCPP. For example, you may want to have one OS for
internet surfing and another one as your main system (secured
by the absence of any net connection and probably entirely
encrypted.) You may also need Linux instead of MSWindows
sometimes.


Regards
David

Paul Le Roux

Apr 6, 2002, 6:17:38 AM
In article <3CAB8842...@samsimpson.com>, s...@samsimpson.com says...

>
>Interesting, I knew nothing about the new announcement or new product.
>Before adoption some questions need to be asked:
>
>1) How closely tied to the original DC source code is this product?

the 2 programs share only small amounts of code, this is due to the
fact that they work completely differently; DC pretends to be a block
driver, DCPP is basically a fancy filter driver, DCPP uses some code
from DC for the redscreen mode, that's about it.

>2) "256-bit military strength encryption using proven cryptographic
>algorithms." - what are the algorithms? AES is obvious, but....

it offers AES256 in CBC mode plus SHA1 is the crypto (SHA1 is iterated with
salt to expand the key out to 256 bits); why not SHA2, well it took
3 months for me to hand tune the SHA1 implementation in
386 assembler and get the size down to about 500 bytes, that's right the
code for a full SHA1 with padding the works is about 500 bytes, SHA2 would
be too big code size wise.

>3) "Powerful Pre-Boot Authentication" - details of how this works?


basically a small program is installed in the MBR of your harddisk which
loads before anything else, it presents a 800x600 VGA screen asking you to
enter the passphrases, (it has 2 lines not 4 like DC). once this is entered
the encryption is keyed with the SHA1 iteration from above, the proper
interrupts are hooked, and the machine continues to load the bits from the
O/S that's being started such as NTOSKRNL NTLDR etc

>4) "Completely transparent to the user" - apart from the boot
>authentication I guess ;) Does this technology work with laptops that
>hibernate etc?

yes and no, hidden hibernate partitions won't be encrypted, better to use
suspend if you can

>5) "Sector level protection" - what does that mean?

similar to DC with a different of producing the IV

>6) "Anti dictionary and brute-force attack mechanisms, due to the nature
>of DCPP it is the most difficult system to attack compared to anything
>else available". Tut. Does this mean that it uses a salt? What else?

it uses 64-bit salt plus iterates the SHA1 hash, to expand its output
but it is not using PKCS5, it is harder to brute force because accessing
the encrypted keys is much more difficult, also encrypted partitions are
not identified as they are in DC

> That's a grand claim and needs some technical backing.
>7) Who was the lead developer?
>

me

>
>Still, looks like a very interesting and welcome development.
>
>
>Also, it appears that SecureStar is offering penetration testing:
>http://www.securstar.de/penetration.html - though they leave out more
>general testing methods than they include.
>
>The about page at http://www.securstar.de/about.html also got a smile or
>two - e.g. the Our Team section where "Dr. Manfred Hafner" is introduced
>as a "well regarded consultants and security technologists". Eh? I've
>read every crypto book published in the last 10 years and 90% of
>conference papers and have yet to hear of this guy...Let's hope it's not
>this Dr Manfred Hafner
>http://translate.google.com/translate?hl=en&sl=de&u=http://www.altavita.ch/av_
vortrag02/av_autonomes_alter020202.htm&prev=/search%3Fq%3D%252
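
An added illustration (not code from DCPP or from anyone in this thread) of the key setup Paul describes in the post above: a 64-bit salt and iterated SHA-1 stretched to a 256-bit key, shown next to PKCS#5 PBKDF2 for comparison. The post gives neither the exact construction nor an iteration count, so `iterated_sha1_kdf` and `ITERATIONS = 1000` are assumptions.

```python
import hashlib
import os

SALT_BYTES = 8      # 64-bit salt, the size stated in the post
KEY_BYTES = 32      # 256-bit AES key
SHA1_BYTES = 20     # a SHA-1 digest is only 160 bits
ITERATIONS = 1000   # assumption: the post gives no iteration count


def new_salt() -> bytes:
    """Fresh random salt, generated once at setup and stored with the disk."""
    return os.urandom(SALT_BYTES)


def iterated_sha1_kdf(passphrase: bytes, salt: bytes,
                      iterations: int = ITERATIONS,
                      key_len: int = KEY_BYTES) -> bytes:
    """Hypothetical salted, iterated SHA-1 key stretcher (not DCPP's real scheme).

    One SHA-1 digest is 20 bytes, so a 32-byte key needs two output blocks.
    Each block starts from a different counter byte and is then re-hashed
    together with the salt and passphrase `iterations - 1` more times.
    """
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 64 bits")
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    out = b""
    counter = 1
    while len(out) < key_len:
        state = hashlib.sha1(salt + passphrase + bytes([counter])).digest()
        for _ in range(iterations - 1):
            state = hashlib.sha1(salt + passphrase + state).digest()
        out += state
        counter += 1
    return out[:key_len]


def pbkdf2_sha1_kdf(passphrase: bytes, salt: bytes,
                    iterations: int = ITERATIONS,
                    key_len: int = KEY_BYTES) -> bytes:
    """PKCS#5 v2 PBKDF2 with HMAC-SHA1, the standard the post says is not used."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, iterations, dklen=key_len)


def sha1_calls_per_guess(iterations: int, key_len: int = KEY_BYTES) -> int:
    """Hash invocations that one passphrase guess costs under iterated_sha1_kdf."""
    blocks = -(-key_len // SHA1_BYTES)  # ceiling division
    return blocks * iterations


def demo() -> dict:
    passphrase = b"constructed sample passphrase"
    salt_a, salt_b = new_salt(), new_salt()
    key_a = iterated_sha1_kdf(passphrase, salt_a)
    return {
        "key_bits": len(key_a) * 8,
        "repeatable_with_same_salt": key_a == iterated_sha1_kdf(passphrase, salt_a),
        "different_salt_different_key": key_a != iterated_sha1_kdf(passphrase, salt_b),
        "sha1_calls_per_guess": sha1_calls_per_guess(ITERATIONS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Without the salt, one precomputed passphrase-to-key table would serve every disk; with the salt and the iteration count, each guess against each disk costs `sha1_calls_per_guess` hash computations.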

Paul Le Roux

Apr 6, 2002, 6:19:16 AM
sure it's possible the OS is nothing but a bit of code that's loaded by
the BIOS which is nothing but another bit of code loaded at start up,
you insert code in the chain anywhere and you can put in the encryption

of course there are many ways to do it...

In article <3cac935e...@news.earthlink.net>, fjwi...@hotmail.com says...

Paul Le Roux

Apr 6, 2002, 6:20:16 AM
In article <3CACA1FB...@samsimpson.com>, s...@samsimpson.com says...

yeah it's certainly not something you want to try without
first telling your wife you will be in your room for a year....


Paul Le Roux

Apr 6, 2002, 6:25:24 AM
well the main problem with windows is to get yourself a good firewall,
other than this DCPP stops some thief from being able to do anything with
the data on your machine which for me is more important than the hardware
itself. it also stops your wife; your business partner; whatever;
from checking what
you've been looking at in IE, handles all the crap that windows splatters
all about the place like IE history, the cache, the hidden sync directory
on win2k etc.

In article <3CAD9FDB...@samsimpson.com>, s...@samsimpson.com says...

Paul Le Roux

Apr 6, 2002, 6:30:17 AM

In article <59sqaugjkk7sb9gdh...@4ax.com>, aaaa@ says...

>
>With pre-boot full disk encryption, why would it still be necessary to
>create virtual container(s) afterward?
>

DCPP does not use any containers; you can use DC on top of DCPP.

say for example you want C: encrypted, but you need to have access
to DC encrypted cd-roms you still need DC, or you may want to have your
really important stuff hidden in a WAV file using DC on top of your DCPP
encrypted computer...

Paul Le Roux

Apr 6, 2002, 6:38:51 AM
yeah this is the problem LINUX is not yet masses ready and may never
be. mainly thanks to MS Office and the continuing for the LINUX guys to write
their own drivers for each new bit of kit that hits the streets. it's a shame
but thanks to the fact that the US government does not have the balls to
do anything about them this problem's not going away any time soon

In article <8d5e27d5.02040...@posting.google.com>,
flar...@yahoo.com says...

Paul Le Roux

Apr 6, 2002, 6:49:39 AM
>nemo_...@hotmail.com (nemo outis) wrote
>> If nesting doesn't have performance/compatibility problems, then that
>> is probably superior to using the two protections separately (e.g.,
>> on different partitions).
>
>IMHO this would be a CPU load disaster. The system could even appear
>to freeze.

says who?

>It is difficult to tell for how long periods of time. It
>could freeze for a second or two every five seconds (depends on how
>the driver is programmed.) It is difficult to tell, we'll have to
>wait and see. Anyway, you should expect at least 50% performance
>degradation.


there's no reason not to have DC containers on top of DCPP encrypted disks
the drivers are separate, both products use their own threads to access
the physical disks, each DCPP encrypted disk uses its own thread, as
does each DC encrypted disk, you could also nest containers in each other
on top of each other then put the whole thing on a DCPP disk without problems,
obviously there will be a CPU hit but this is linear, also things like
pagefiles/web cache etc for example can be on DCPP disks without problems


Paul Le Roux

Apr 6, 2002, 7:11:36 AM
In article <3CACC568...@samsimpson.com>, s...@samsimpson.com says...

>
>Thanks for the reply Shaun, see further questions etc below:
>
>Shaun Hollingworth wrote:
>> On Wed, 03 Apr 2002 23:54:58 +0100, Sam Simpson <s...@samsimpson.com>
>> wrote:
>>
>>
>>>Interesting, I knew nothing about the new announcement or new product.
>>>Before adoption some questions need to be asked:
>>>
>>>1) How closely tied to the original DC source code is this product?
>>
>>
>> It isn't... It has been developed by Paul Le Roux, rather than
>> myself...
>
>Do you know if it is an e4m derivative or a new product?
>

it's a fully new product, the nt driver does take some code from the
nt driver in E4M /SD/DC but it works very differently, shaun has not
yet seen all the code, much of it is hand coded in assembly, the GUI is
very different from everything that came before, it has a fully
integrated help system, 2 gui skins, support for BMP/WAV stego and
much more.

Paul Le Roux

Apr 6, 2002, 7:13:10 AM
Shaun AFAIK will be doing the Win98/95/ME vxd, some of the work
is already done the low level stuff is the same as under NT/2K/XP because
it of course starts before they do... mainly it's the vxd and maybe
some tweaks to the gui that are needed under Win9x/ME

In article <58d9f83e6c047bf7...@dizum.com>, nob...@dizum.com
says...

Paul Le Roux

Apr 6, 2002, 7:29:31 AM

People may still want containers because the container allows deniability!
If you're presented with a DCPP password screen and you get the
password wrong your computer won't boot, obviously this means you're using
crypto; if you're forced to hand over your key or you get 2 years or whatever
it is jail, you still need DC to hide the stuff you really don't want
people seeing once your box is booted....

IE: DCPP stops thieves, your wife, your children whatever from messing
with your stuff, DC+WAV based containers stops "whoever" when you're forced
to hand over your pass phrases because you have electrodes attached to your body
and bleeding from the head !! and there are plenty of places where this could
happen:--- if you happen to live in intolerant countries such as England or
Zimbabwe to name 2.


In article <3CAD99B4...@samsimpson.com>, s...@samsimpson.com says...

Pogo P. Possum

Apr 6, 2002, 12:18:43 PM
On 6 Apr 2002 12:29:31 GMT, pau...@rocketmail.com (Paul Le Roux)
wrote:

Has anyone yet raised the issue (a hot one formerly with respect to
regular DC, as I recall) of closed versus open source code with Plus
Pack? Is this in fact even an issue? Does one need to be concerned
at all about a so-called "back door" that local LE or governments
might have pressured SecurStar into building into the PP code?
--Or am I merely betraying my "Idiot's Guide to Encryption" level of
understanding of this subject by raising this question?
A knowledgeable--and hopefully not too condescending-- reply would be
appreciated.

Pogo

Chris Epler

Apr 6, 2002, 3:07:32 PM

The name choice was not a smart one. "DriveCrypt PlusPack"... First, it's
got the name DriveCrypt in it, which is another product, then they add 'PLUS
PACK' which makes it sound VERY MUCH like an add-on to DriveCrypt. Not a very
smart choice of names. If I were going to market this as an entirely
separate product then I would NAME it entirely differently.

Paul Le Roux

Apr 6, 2002, 6:33:09 AM

DCPP does not include DC as far as I know, but email SecurStar for the
answer to that one. DCPP offers complete OS encryption and supports
BMP and normal-Windows WAV stego for the DCPP KeyStores.

In article <2E2GWEFA373...@anonymous.poster>,
nob...@cotsebay.cotse.net says...


>Hi I have a dumb question:
>
>Is the standard Drivecrypt software included in Drivecrypt Plus Pack or is it
>just an "add-on"? If it is not included is there any need for t
>
>thanks
>
>Sh

Sam Simpson

Apr 7, 2002, 12:53:27 PM

I agree entirely. I think you deserve great amounts of credit for
single-handedly producing this solution.

We may agree on commercial aspects of SecurStar, but I certainly credit
you and Shaun with being the best programmers I know!

Sam Simpson

Apr 7, 2002, 3:51:58 PM

Paul Le Roux wrote:
> yeah this is the problem LINUX is not yet masses ready and may never
> be. mainly thanks to MS Office and the continuing need for the LINUX guys to write
> their own drivers for each new bit of kit that hits the streets.

This situation is changing now - you have to go out of your way to buy
hardware that isn't very well supported under Linux.

Linux runs on a billion more platforms than Windows and does so more
securely. I love Linux :)

> it's a shame
> but thanks to the fact that the US government does not have the balls to
> do anything about them this problem's not going away any time soon
>
> In article <8d5e27d5.02040...@posting.google.com>,
> flar...@yahoo.com says...
>
>>Sam Simpson <s...@samsimpson.com> wrote in message
>
> news:<3CAD9FDB...@samsimpson.com>...
>
>>>Of course, having boot-level security doesn't solve the million other
>>>security problems with 95/98/ME/XP/W2k/NTv4 etc. Windows really needs
>>>to be *dumped* for a better OS in reality!
>>
>>Yes, but in 2002 I don't see it realistic to expect all people using
>>personal computers could switch to Linux or another system. Windows are
>>so wide-spread now that we simply have to use them and also find
>>ways to improve their security and privacy instead of just dumping
>>them. BTW, tell me if you know a 100% secure OS.
>>(I'd say the most secure is the most encrypted one ;-)
>>
>>Regards
>>David
>
>

Sam Simpson

Apr 7, 2002, 3:58:47 PM

I have no doubt it's going to be closed source with no release or peer
review.

> Is this in fact even an issue?

YES! Closed source crypto is, according to crypto experts, next to useless.

People should be actively discouraged from buying closed source crypto.

> Does one need to be concerned
> at all about a so-called "back door" that local LE or governments
> might have pressured SecurStar into building into the PP code?

Yep, as well as accidental bugs etc.

> --Or am I merely betraying my "Idiot's Guide to Encryption" level of
> understanding of this subject by raising this question?

Not at all - you are spot on. Wagner showed years ago that closed
source software has no benefits from a user perspective.

> A knowledgeable--and hopefully not too condescending-- reply would be
> appreciated.

In alt.security.scramdisk? ;)

Sam Simpson

Apr 7, 2002, 4:01:09 PM

Paul Le Roux wrote:
> well the main problem with windows is to get yourself a good firewall,

It's a good start, but then you get problems like Outlook content
autorunning, IE bugs left right and center, 350,000 machines hit by the
various IIS bugs *in one go* and the rest of the problems. Firewalls
don't protect against any of these things.

> other than this DCPP stops some thief from being able to do anything with
> the data on your machine which for me is more important than the hardware
> itself.

Of course.

> it also stops your wife; your business partner; whatever;
> from checking what
> you've been looking at in IE, handles all the crap that windows splatters
> all about the place like IE history, the cache, the hidden sync directory
> on win2k etc.

So true. Sigh, I looked at writing a "machine cleaner" that cleaned
down the registry, file system etc for this same purpose. I started
writing it and then quickly gave up when I found how inconsistent
Windows implementation was and how they (appear....) to go out of their
way in making the program so hard to write.

Now I have a 30 line Linux shell script (that also calls some Perl
code etc) that does the job nicely.

Paul Le Roux

Apr 7, 2002, 4:17:54 PM

no it does not use containers, keys are stored independently of
encrypted disks unlike SD/DC, the key for the boot disk is stored encrypted
in the mbr, keys for other disks are stored in keystores which can be
either straight files, or BMP or WAV files.

both normal file keystores and BMP/WAV keystores contain no identifying
information, and are encrypted with SHA1 based AES. also this means
many disks could be protected with one key if you wanted this, unlike
DC/SD.

In article <96089edd7d06c0fb...@dizum.com>, nob...@dizum.com
says...


>
><DCPP offers complete OS encryption and supports
><BMP and normal-Windows WAV stego for the DCPP KeyStores.
>

>What do you mean by this? Are you saying that you can create stego containers
>in bmp and wav files with DCPP? What are the "DCPP keystores"?
>

Sam Simpson

Apr 7, 2002, 4:18:03 PM

Flare wrote:
> Sam Simpson <s...@samsimpson.com> wrote in message news:<3CAD9FDB...@samsimpson.com>...
>
>>Of course, having boot-level security doesn't solve the million other
>>security problems with 95/98/ME/XP/W2k/NTv4 etc. Windows really needs
>>to be *dumped* for a better OS in reality!
>
>
> Yes, but in 2002 I don't see it realistic to expect all people using
> personal computers could switch to Linux or another system.

No: only people who care about security. If you aren't serious about
security (for example are on a corporate LAN away from the internet),
then you have fewer drivers to move.

> Windows are
> so wide-spread now that we simply have to use them

No, you don't. It's cheaper, more secure and more flexible to use
another OS (Linux, BSD, Sun etc etc - even the new OS from Apple is
better than MS).

> and also find
> ways to improve their security and privacy instead of just dumping
> them.

Only to find that Microsoft seem to go out of their way to make security
easy to obtain? No thanks.

> BTW, tell me if you know a 100% secure OS.

I've never made that assertion. I *can* however tell you about
operating systems that are designed by teams that take security
seriously, that adhere to common security standards and protocols and
are re-active to user comments.

BTW, my rationale for moving to Linux is here if you are interested:
http://www.samsimpson.com/linux.php see esp the security engineering
section.

> (I'd say the most secure is the most encrypted one ;-)

Not once you've booted it though! Then the OS you are using can be
exploited irrespective of the drive encryption....

Paul Le Roux

Apr 7, 2002, 5:18:17 PM

yes exactly you want something that works, solves your problem
that took a year to write, cost thousands of dollars to create in time,
salaries etc, but you want it free!

In article <3cb1acb5....@news.atl.bellsouth.net>, arnei...@GoFor21.com
says...


>
>Sam Simpson <s...@samsimpson.com> wrote:
>
>>I have no doubt it's going to be closed source with no release or peer
>>review.
>

>What a waste! It sounded so interesting - just the sort of thing I've been
>waiting for, but without open source code it's essentially worthless.
>
>http://www.counterpane.com/crypto-gram-9909.html#OpenSourceandSecurity
>--
>"Arneil Moky" is actually 53179...@GoFor21.com (53179 24680).
> 012345 6789 <-Use this key to decode my email address and name.
> Other messages to this domain will bounce.
>

Paul Le Roux

Apr 7, 2002, 5:25:54 PM

Sam please let's not turn this into a Linux advocacy group, I'm asking
that we keep it on topic, but to answer you:

first off you have to go out of your way to buy hardware that supports Linux
not the other way around, I give you examples such as Winmodems, PCI Modems
generally, Winprinters, video capture cards (and for that matter video editing
software), normally you can buy Linux supported kit but typically you find
that a) it's 1 or 2 generations away from the current model, b) it ships
with a driver that won't support your new kernel.

I'm not trying to spread anti-Linux FUD that is MS's job, but let's not build
it up into something it's not.

the next major problem is the real rub: does anyone know how to make money
from Linux applications? I don't think so; most people such as Redhat
etc make money from support, this to me is the real problem preventing
quality Linux applications from appearing....

In article <3CB0A35E...@samsimpson.com>, s...@samsimpson.com says...

nemo outis

Apr 7, 2002, 5:50:19 PM

In article <3cb1acb5....@news.atl.bellsouth.net>, arnei...@GoFor21.com (Arneil Moky) wrote:

>Sam Simpson <s...@samsimpson.com> wrote:
>
>>I have no doubt it's going to be closed source with no release or peer
>>review.
>
>What a waste! It sounded so interesting - just the sort of thing I've been
>waiting for, but without open source code it's essentially worthless.
>
>http://www.counterpane.com/crypto-gram-9909.html#OpenSourceandSecurity


In every security situation the question of trust comes up. To be sure
open-source security programs are, in many ways, much preferable to
closed-source programs, since you don't have to extend much trust towards the
software manufacturer. However, even open-source is not a panacea.

As one (surprisingly, NOT hypothetical) example, even with open-source code
you would have to be sure your compiler doesn't introduce a back door. Or do
you want to examine the compiler's source code, and so forth?

Even if, say, Bruce Schneier reviewed and OKed the code, you would have to
have some trust in his opinion. Hell, even if *I myself* reviewed the source
code, I would extend little "trust" to my opinion because of my very limited
competence in cryptography - I hope I don't also have to worry about
deliberate self-deception :-)

Regards,

PS If you're truly paranoid, buy a copy of DCPP, reverse engineer Securstar's
code, and then recode your own version.


Terry Johnson

Apr 7, 2002, 11:51:03 PM

Would you mind posting your shell script for cleaning on a Linux platform? I
am in the process of converting to Linux and this is something I would
like to be able to do. Does it delete the data or truly erase it (Gutmann)?

Anyway, read your page on why you moved to Linux. I agree with most of them
and am in the process of doing the same thing. Thanks for a good page.


Doug Goss

Apr 8, 2002, 4:00:32 AM

Paul
This sounds very interesting and I will likely try/buy it. One question
that affects me and our company is the use of Novell Netware client (are
running client version 4.80.SP3.4.83 and NW5 but likely to upgrade the
client and later the NW version). This is installed on all our machines
for LAN/WAN access and authentication.

Has DCPP been tested with this?

Also is it commercial ware (ie could be used as a company solution?)

Doug Goss


Sam Simpson

Apr 8, 2002, 4:27:57 AM

Currently DriveCrypt / Scramdisk / E4m use about 5% CPU time when a
decent cipher is used - I see no reason why double encryption would kill
a machine - it would just mean that CPU util (under heavy read/writes)
would be around (I guess) 20%.

Sam Simpson

Apr 8, 2002, 4:34:58 AM

Paul Le Roux wrote:
> Sam please lets not turn this into a linux advocacy group, i'm asking
> that we keep it on topic, but to answer you:

In light of the Scramdisk for Linux effort, I view Linux as "on topic"
for the group ;)))


> first off you have to go out of your way to buy hardware that supports linux
> not the other way around, I give you examples such as Winmodems, PCI Modems
> generally, Winprinters, video capture cards (and for that matter video editing
> software), normally you can buy linux supported kit but typically you find
> that a) it's 1 or 2 generations away from the current model, b) it ships
> with a driver that won't support your new kernel.

The examples you provide are good...I guess I (and other people I know)
have been lucky in peripheral selection!

> i'm not trying to spread anti-Linux FUD that is MS's job, but lets not build
> it up into something it's not.

Of course.

> the next major problem is the real rub: does anyone know how to make money
> from linux applications? i don't think so; most people such as Redhat
> etc make money from support, this to me is the real problem preventing
> quality linux applications from appearing....

Making money from Linux isn't my problem. I'm a user - I want the best
possible system (*), for the minimum cost.

Windows: a) Isn't the best system b) Isn't minimum cost. Apart from
that it's great ;)


(*) By any metric I guess: security, stability, functionality,
flexibility blah blah blah


Cheers,

Sam

Sam Simpson

Apr 8, 2002, 4:50:30 AM

Ken Y. Ramoil wrote:
> pau...@rocketmail.com (Paul Le Roux) wrote:
>
>

>>yes exactly you want something that works...
>
>
> You're close. When it comes to encryption software, there's really no way
> for the user to know whether it works or not. He can know whether it looks
> pretty on his screen, and whether it crashes his computer or not, but he
> can't know if his data is truly protected from a motivated attacker until
> it's too late. And after all, that's the entire objective, isn't it?
>
> I don't just want something that works, I want something that I know works.

You are spot on. To quote Schneier: "Security is orthogonal to
functionality - just because a security product functions properly does
not mean it's secure".


>>but you want it free!
>
>

> Open source code won't make anything free for me that wouldn't be free
> anyway. If someone wanted to steal your program, closed source code wouldn't
> stop that.

As Shaun found out when SD4NT was released on a warez group.

> It would only stop people from finding and exposing flaws in your
> coding that you would prefer to keep secret.

Even worse: it prevents end users from finding flaws. TLA's and LEA
have the resources to find flaws anyway.

> And I guarantee that something
> that took a year to write has no chance whatsoever of being free of flaws.

True.

> You can't trust your secrets to a system whose inner workings are kept
> secret from you.

Andy Jeffries

Apr 8, 2002, 6:11:47 AM

On Sun, 07 Apr 2002 22:25:54 +0100, Paul Le Roux wrote:
> Sam please lets not turn this into a linux advocacy group, i'm asking
> that we keep it on topic

Scramdisk for Linux is developing (unfortunately I'm not getting any time
on it at the moment, but I know a man who is...). Therefore as this
group is called alt.security.scramdisk (note: not
alt.security.drivecrypt) this discussion is definitely on-topic.

> first off you have to go out of your way to buy hardware that supports
> linux not the other way around, I give you examples such as Winmodems,
> PCI Modems generally,

So buying an external modem is going out of your way? Most consumer
shops (i.e. the likes of PC World, putuey!!) tend to recommend external
modems because they are easier for the consumer to install. All external
modems work under Linux, so is this going out of the way?

> Winprinters,

Like what? New printers such as Lexmarks (supported by the
manufacturer), Canon or HP (both have good community support)? Or
high-end printers which are usually PostScript (and work a treat) like
the TekTronix colour wax jobby in front of me.

> video capture cards (and for that
> matter video editing software),

Concede!

> normally you can buy linux supported kit
> but typically you find that a) it's 1 or 2 generations away from the
> current model, b) it ships with a driver that won't support your new
> kernel.

What like Nvidia cards?

> i'm not trying to spread anti-Linux FUD that is MS's job, but lets not
> build it up into something it's not.

You are trying to stop it being promoted for something it is. A system
that users can use just as easily (when you break them out of their
MS-Borg mindset) as Windows, but is much more stable and powerful.

Can you show me Windows running on a Mac or how about an Archimedes?

> the next major problem is the real rub: does anyone know how to make
> money from linux applications? i don't think so; most people such as
> Redhat etc make money from support, this to me is the real problem
> preventing quality linux applications from appearing....

Don't you understand, Linux has a more stable and in some situations
faster environment and it is 99% produced by people not being paid to do
it. Microsoft are being paid to develop an operating system (and are
quite frankly making huge piles of money from it) and have been able to
write a system that crashes given the simple line of C code in my .sig.

If you believe income=quality, you are sadly blinded by Microsoft FUD!

Regards,


--
Andy Jeffries
Linux/PHP Programmer
http://www.andyjeffries.co.uk/

- Windows Crash HOWTO: compile the code below in VC++ and run it!
main (){for(;;){printf("Hung up\t\b\b\b\b\b\b");}}

Andy Jeffries

Apr 8, 2002, 6:13:59 AM

On Mon, 08 Apr 2002 04:51:03 +0100, Terry Johnson wrote:
> Would you mind posting your shell script for cleaning on a Linux
> platform? I am in the process of converting to Linux and this is
> something I would like to be able to do. Does it delete the data or
> truly erase it (Gutmann)?

I can't vouch for how Sam's code does it, but there is a standard utility
installed with most distros called "shred"; go to a command prompt and
type "man shred" (or for you GUI guys, run Galeon and go to "man:shred").

> Anyway, read your page on why you moved to Linux. I agree with most of
> them and am in the process of doing the same thing. Thanks for a good
> page.

Good man, glad to see you joining us.

Cheers,

Sam Simpson

Apr 8, 2002, 6:15:27 AM

Andy Jeffries wrote:
> On Sun, 07 Apr 2002 22:25:54 +0100, Paul Le Roux wrote:
>
>>Sam please lets not turn this into a linux advocacy group, i'm asking
>>that we keep it on topic
>
>
> Scramdisk for Linux is developing (unfortunately I'm not getting any time
> on it at the moment, but I know a man who is...). Therefore as this
> group is called alt.security.scramdisk (note: not
> alt.security.drivecrypt) this discussion is definitely on-topic.

Anyway Jeffries, what do you know? You didn't create this group. Oh,
hang on..... ;)

Sam Simpson

Apr 8, 2002, 6:22:49 AM

Indeed...I go a step further and:

1) Shred (doesn't delete file by default)
2) Truncate to size 0 (hides previous file size).
3) Rename to zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (to hide
previous name).

Also see e.g. http://wipe.sourceforge.net/

Andy Jeffries wrote:
> On Mon, 08 Apr 2002 04:51:03 +0100, Terry Johnson wrote:
>
>>Would you mind posting your shell script for cleaning on a Linux
>>platform? I am in the process of converting to Linux and this is
>>something I would like to be able to do. Does it delete the data or
>>truly erase it (Gutmann)?
>
>
> I can't vouch for how Sam's code does it, but there is a standard utility
> installed with most distros called "shred"; go to a command prompt and
> type "man shred" (or for you GUI guys, run Galeon and go to "man:shred").
>
>
>>Anyway, read your page on why you moved to Linux. I agree with most of
>>them and am in the process of doing the same thing. Thanks for a good
>>page.
>
>
> Good man, glad to see you joining us.
>
> Cheers,
>
>


--

Sam Simpson

Apr 8, 2002, 6:35:29 AM

Paul Le Roux wrote:
> In article <3CAB8842...@samsimpson.com>, s...@samsimpson.com says...


>
>>Interesting, I knew nothing about the new announcement or new product.
>>Before adoption some questions need to be asked:
>>
>>1) How closely tied to the original DC source code is this product?
>
>

> the 2 programs share only small amounts of code, this is due to the
> fact that they work completely differently; DC pretends to be a block
> driver, DCPP is basically a fancy filter driver, DCPP uses some code
> from DC for the redscreen mode, that's about it.


>
>
>>2) "256-bit military strength encryption using proven cryptographic

>>algorithms." - what are the algorithms? AES is obvious, but....
>
>
> it offers AES256 in CBC mode plus SHA1 is the crypto (SHA1 is iterated with
> salt to expand the key out to 256 bits); why not SHA2, well it took
> 3 months for me to hand tune the SHA1 implementation in
> 386 assembler and get the size down to about 500 bytes, that's right the
> code for a full SHA1 with padding the works is about 500 bytes, SHA2 would
> be too big code size wise.

Sounds like a good reason to use SHA1 to me!

>>3) "Powerful Pre-Boot Authentication" - details of how this works?
>
>
>

> basically a small program is installed in the MBR of your harddisk which
> loads before anything else, it presents an 800x600 VGA screen asking you to
> enter the passphrases, (it has 2 lines not 4 like DC). once this is entered
> the encryption is keyed with the SHA1 iteration from above, the proper
> interrupts are hooked, and the machine continues to load the bits from the
> O/S that's being started such as NTOSKRNL NTLDR etc

Right, that's what I thought - but it pays to check.

>>4) "Completely transparent to the user" - apart from the boot
>>authentication I guess ;) Does this technology work with laptops that
>>hibernate etc?
>
>

> yes and no, hidden hibernate partitions won't be encrypted, better to use
> suspend if you can

My Dell laptop for example hibernates to c:\hibernate.sys - this should
work?

<SNIP>

Paul Le Roux

Apr 8, 2002, 6:43:13 AM

In article <pan.2002.04.08.11....@andyjeffries.remove.co.uk>,
ne...@andyjeffries.remove.co.uk says...

>
>On Sun, 07 Apr 2002 22:25:54 +0100, Paul Le Roux wrote:
>> Sam please lets not turn this into a linux advocacy group, i'm asking
>> that we keep it on topic
>
>Scramdisk for Linux is developing (unfortunately I'm not getting any time
>on it at the moment, but I know a man who is...). Therefore as this
>group is called alt.security.scramdisk (note: not
>alt.security.drivecrypt) this discussion is definitely on-topic.
>
>> first off you have to go out of your way to buy hardware that supports
>> linux not the other way around, I give you examples such as Winmodems,
>> PCI Modems generally,
>
>So buying an external modem is going out of your way. Most consumer
>shops (i.e. the likes of PC World, putuey!!) tend to recommend external
>modems because they are easier for the consumer to install. All external
>modems work under Linux, so is this going out of the way.
>

yes this is exactly out of the way, why? cost, an external modem is
about GBP 50, a PCI card modem is about GBP 20, more to the point if I already
have a PCI card modem (ie: it shipped with the machine from PC World)
it will not work! of course all external modems work under linux, no driver
is needed other than the existing serial driver, as soon as you start needing
something with a driver the linux argument falls away quickly.

same thing goes with a lot of USB hardware, there just aren't drivers; try
getting some of the crypto tokens running on linux.

>> Winprinters,
>
>Like what? New printers such as Lexmarks (supported by the
>manufacturer), Canon or HP (both have good community support)? Or
>high-end printers which are usually PostScript (and work a treat) like
>the TekTronix colour wax jobby in front of me.
>

the point is you need to go out and spend more money on a brand printer
that is 100% supported, or you buy a cheap model which works only under
windows which many people will do..., I cannot remember all the brands
involved; there are also similar problems with PCI sound cards, to get
sound working on my linux box I needed to buy a 16-bit ISA card which is
getting pretty hard to come by, but as I said I don't think
linux vs windows is an appropriate discussion for this group; that
is almost as tired and exhausted a discussion point as free vs closed
software.

Ken D.

Apr 8, 2002, 6:52:39 AM

Andy Jeffries wrote:
>
> On Sun, 07 Apr 2002 22:25:54 +0100, Paul Le Roux wrote:
> > Sam please lets not turn this into a linux advocacy group, i'm asking
> > that we keep it on topic
>
> Scramdisk for Linux is developing (unfortunately I'm not getting any time
> on it at the moment, but I know a man who is...).


Shhhh! :) I haven't had time the last couple of weeks either :)

(I've gotten further, but it still corrupts the container on writes)

Paul Le Roux

Apr 8, 2002, 6:51:19 AM

In article <3CB17271...@samsimpson.com>, s...@samsimpson.com says...

Yes; that should work (only the hidden partition style will cause problems).
The only proviso would be if they had done something funny, like installed
their own ATA driver which would be at a lower level
than the DCPP driver (which sits 1 level above the ATA driver), then they
would be bypassing the crypto & the OS for that matter.

Paul.

Shaun Hollingworth

Apr 8, 2002, 7:11:31 AM

On Mon, 08 Apr 2002 09:34:58 +0100, Sam Simpson <s...@samsimpson.com>
wrote:

>Paul Le Roux wrote:
>> Sam please lets not turn this into a linux advocacy group, i'm asking
>> that we keep it on topic, but to answer you:
>
>In light of the Scramdisk for Linux effort, I view Linux as "on topic"
>for the group ;)))
>


Scramdisk for Linux ? Where ? When ?

Shaun.

Sam Simpson

Apr 8, 2002, 7:22:26 AM

I have it working now on my Linux box - at least for Blowfish SVL
containers. Oh, it's kind of read-only at the moment too, but that
doesn't appear to be a show stopper.

I am putting my head together with the brains behind the development and
see what the release plan is.

Do you intend on making the DriveCrypt container format publicly
available so that we can offer both SD and DC containers readable from
Linux? I know the changes were relatively small?


Cheers,

Sam

Paul Le Roux

Apr 8, 2002, 8:10:10 AM

Hi

It has not been tested with Netware, but should not impact Netware
because all file access is done in "USER MODE", compared to DC/SD/E4M
which are accessing files in Kernel & User mode which caused
problems with the network redirector (yes mainly the Novell one).

It is a viable company solution, and is commercial.

hope this helps

regards
Paul Le Roux


In article <3cb1...@news.nz.asiaonline.net>, d...@iconz.co.newzealand says...

Flare

Apr 8, 2002, 8:47:33 AM

Sam Simpson <s...@samsimpson.com> wrote in message news:<3CB1548D...@samsimpson.com>...

> Currently DriveCrypt / Scramdisk / E4m use about 5% CPU time when a
> decent cipher is used

How do you measure that please?
Drivers' CPU load/usage does not normally show in Taskinfo-like software.

> - I see no reason why double encryption would kill
> a machine - it would just mean that CPU util (under heavy read/writes)
> would be around (I guess) 20%.

Yes, you only guess, but I have practical experience.
I also did not say it would kill the machine ('short freezing' - read
better please.) I use SecureDrive along with Scramdisk and I get
this sort of freezing when copying files between them (partitions).
I've got an AMD Duron @ 750. I also said we would have to wait and see.
But some people pre-order DCPP even now, so there should be some
views available in advance...

Regards
David

Sam Simpson

Apr 8, 2002, 8:45:10 AM

Flare wrote:
> Sam Simpson <s...@samsimpson.com> wrote in message news:<3CB1548D...@samsimpson.com>...
>
>>Currently DriveCrypt / Scramdisk / E4m use about 5% CPU time when a
>>decent cipher is used
>
>
> How do you measure that please?
> Drivers' CPU load/usage does not normally show in Taskinfo alike software.

Performance monitor - shows system processes too (inc driver overhead).

>>- I see no reason why double encryption would kill
>>a machine - it would just mean that CPU util (under heavy read/writes)
>>would be around (I guess) 20%.
>
>
> Yes, you only guess, but I have a practical experience.
> I also did not say it would kill the machine ('short freezing' - read
> better please.)
>
> I use SecureDrive along with Scramdisk and I get
> this sort of freezing when copying files between them (partitions).
> I got AMD Duron @ 750. I also said we would have to wait and see.

Unlikely to be CPU bound: more likely to be unbuffered IO writing back
to the disk.

> But some people pre-order DCPP even now, so there should be some
> views available in advance...

--

Mike Taylor

Apr 8, 2002, 9:00:20 AM

Great, so would you mind posting the script?

I am trying to get an idea of file locations that need to be watched.

Thanks.

Sam Simpson

Apr 8, 2002, 8:59:25 AM

Entirely depends on what software you use. My basic template is:

clr ~sam/.ee/minis/
clr ~sam/.ee/icons/
clr ~sam/.gqview/history/
clr ~sam/.gqview/thumbnails/
clr ~sam/.gqview/collections/
clr ~sam/.pan/data/ntl/
clr ~sam/.pan/data/cache/
clr ~sam/.wine/wineserver-pc*.*
clr ~sam/.mozilla/default/4d0hephv.slt/Cache/*
clr /mnt/win2/recycled/
clr /mnt/windows/recycled/
mkdir /mnt/win2/recycled
mkdir /mnt/windows/recycled
clr ~sam/dead.letter
clr ~sam/web/sql.log
find ~sam/web/ -name 'ws_ftp.log' -exec clr {} \;
find ~sam/ -name 'core' -exec clr {} \;
find ~sam/ -name 'core.*' -exec clr {} \;
clr "/mnt/windows/Program Files/Paint Shop Pro/"*.jbf
find /usr/local/apache/htdocs/ -name 'core.*' -exec clr {} \;
find /usr/local/apache/htdocs/ -name 'core' -exec clr {} \;
find "/mnt/windows/Program Files/Paint Shop Pro/" -name 'core' -exec clr {} \;
find "/mnt/windows/Program Files/Paint Shop Pro/" -name 'core.*' -exec clr {} \;


Where clr is an "rm" replacement that wipes, zeros the size etc.

I'm also looking at producing a quick "sub-wipe" - e.g. where you can
wipe just single lines out of INI files etc.

As I mentioned above though, the script is pretty useless if you use
different software to me.
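
One way to write the clr helper that the template above calls, following the shred, truncate, rename sequence listed earlier in the thread. This is an added example, not the script from the post: the function names clr and clr_one, the junk file name, the fallback when shred is missing and the directory handling are all assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): an "rm" replacement that follows
# the thread's three steps -- overwrite, truncate to 0, rename -- then unlinks.
# Function names, the junk name and the directory handling are assumptions.

# Wipe and remove one regular file.
clr_one() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "clr: not a regular file: $f" >&2
        return 1
    fi

    # Step 1: overwrite the contents in place (shred does not delete by default).
    if command -v shred >/dev/null 2>&1; then
        shred -n 3 -z -- "$f" || return 1
    else
        # Fallback when shred is absent: one pass of random data, same length.
        size=$(( $(wc -c < "$f") ))
        if [ "$size" -gt 0 ]; then
            head -c "$size" /dev/urandom |
                dd of="$f" conv=notrunc 2>/dev/null || return 1
        fi
    fi

    # Step 2: truncate to size 0 so the previous file size is not left behind.
    true > "$f" || return 1

    # Step 3: rename to a meaningless name so the previous name is not left behind.
    dir=$(dirname -- "$f")
    junk="$dir/zzzzzzzzzzzzzzzz"
    n=0
    while [ -e "$junk" ] || [ -L "$junk" ]; do
        n=$((n + 1))
        junk="$dir/zzzzzzzzzzzzzzzz.$n"
    done
    mv -- "$f" "$junk" || return 1

    # Finally unlink the renamed, emptied file.
    rm -f -- "$junk"
}

# clr FILE_OR_DIR...: wipe files; for a directory, wipe everything below it
# and remove the directory itself. Symlinks are removed, never followed.
clr() {
    rc=0
    for target in "$@"; do
        # Drop trailing slashes so "link/" is still recognised as a symlink.
        while [ "${target%/}" != "$target" ] && [ "$target" != / ]; do
            target=${target%/}
        done
        if [ -L "$target" ]; then
            rm -f -- "$target" || rc=1
        elif [ -d "$target" ]; then
            for entry in "$target"/* "$target"/.[!.]* "$target"/..?*; do
                [ -e "$entry" ] || [ -L "$entry" ] || continue
                # Subshell keeps the recursive call from clobbering our variables.
                ( clr "$entry" ) || rc=1
            done
            rmdir -- "$target" || rc=1
        elif [ -f "$target" ]; then
            clr_one "$target" || rc=1
        else
            echo "clr: cannot wipe: $target" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Overwriting in place only helps where the filesystem rewrites the same blocks: the shred manual warns that journaled or log-structured filesystems, snapshots and compressed filesystems may keep older copies, and the same applies to flash storage with wear levelling.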

Flare

Apr 8, 2002, 1:44:14 PM

Sam Simpson <s...@samsimpson.com> wrote in message news:<3CB190D...@samsimpson.com>...

> Flare wrote:
> > Sam Simpson <s...@samsimpson.com> wrote in message news:<3CB1548D...@samsimpson.com>...
> >
> >>Currently DriveCrypt / Scramdisk / E4m use about 5% CPU time when a
> >>decent cipher is used
> >
> >
> > How do you measure that please?
> > Drivers' CPU load/usage does not normally show in Taskinfo alike software.
>
> Performance monitor - shows system processes too (inc driver overhead).
>
> >>- I see no reason why double encryption would kill
> >>a machine - it would just mean that CPU util (under heavy read/writes)
> >>would be around (I guess) 20%.
> >
> >
> > Yes, you only guess, but I have a practical experience.
> > I also did not say it would kill the machine ('short freezing' - read
> > better please.)
> >
> > I use SecureDrive along with Scramdisk and I get
> > this sort of freezing when copying files between them (partitions).
> > I got AMD Duron @ 750. I also said we would have to wait and see.
>
> Unlikely to be CPU bound: more likely to be unbuffered IO writing back
> to the disk.

Yes, so I hope now you see there is a certain reason for me to expect
freezing. Depends on how well the driver is done :-)

Regards,
David

Flare

Apr 8, 2002, 2:14:21 PM

Sam Simpson <s...@samsimpson.com> wrote in message news:<3CB0A97B...@samsimpson.com>...

> Flare wrote:
> > Sam Simpson <s...@samsimpson.com> wrote in message news:<3CAD9FDB...@samsimpson.com>...
> >
> >>Of course, having boot-level security doesn't solve the million other
> >>security problems with 95/98/ME/XP/W2k/NTv4 etc. Windows really needs
> >>to be *dumped* for a better OS in reality!
> >
> >
> > Yes, but in 2002 I don't see it realistic to expect all people using
> > personal computers could switch to Linux or another system.
>
> No: only people who care about security. If you aren't serious about
> security (for example are on a corporate LAN away from the internet),
> then you have fewer drivers to move.

OK, once more: could you imagine all people using PC's moving to
Linux? Could you? Really? Be realistic. A couple of years ago
I worked with AmigaOS. People were telling me to leave it and
go for Windows, and I always refused saying: 'This OS is a
kind of spyware - no thanks.' And now I use it, because
I did not want to be a renegade and wanted the best software
which is mostly written for MSWindows.


> > Windows are
> > so wide-spread now that we simply have to use them
>
> No, you don't. It's cheaper, more secure and more flexible to use
> another OS (Linux, BSD, Sun etc etc - even the new OS from Apple is
> better than MS).

Sorry, I need the best software... That's why I left Amiga.

> > and also find
> > ways to improve their security and privacy instead of just dumping
> > them.
>
> Only to find that Microsoft seem to go out of their way to make security
> easy to obtain? No thanks.

Microsoft sucks! ;-)

> > (I'd say the most secure is the most encrypted one ;-)
>
> Not once you've booted it though! Then the OS you are using can be
> exploited irrespective of the drive encryption....

Not, if I am disconnected ;-)

Regards
David

Sam Simpson

unread,
Apr 8, 2002, 3:31:02 PM4/8/02
to

Flare wrote:
> Sam Simpson <s...@samsimpson.com> wrote in message news:<3CB0A97B...@samsimpson.com>...
>
>>Flare wrote:
>>
>>>Sam Simpson <s...@samsimpson.com> wrote in message news:<3CAD9FDB...@samsimpson.com>...
>>>
>>>
>>>>Of course, having boot-level security doesn't solve the million other
>>>>security problems with 95/98/ME/XP/W2k/NTv4 etc. Windows really needs
>>>>to be *dumped* for a better OS in reality!
>>>
>>>
>>>Yes, but in 2002 I don't see it realistic to expect all people using
>>>personal computers could switch to Linux or another system.
>>
>>No: only people who care about security. If you aren't serious about
>>security (for example are on a corporate LAN away from the internet),
>>then you have fewer drivers to move.
>
>
> OK, once more: could you imagine all people using PC's moving to
> Linux? Could you? Really? Be realistic.

My parents use Linux, I have non-IT-related friends that use Linux.

If it comes pre-loaded and works out of the box, why not?

> A couple of years ago
> I worked with AmigaOS. People were telling me to leave it and
> go for Windows, and I always refused saying: 'This OS is a
> kind of spyware - no thanks.' And now I use it, because
> I did not want to be a renegade and wanted the best software
> which is mostly written for MSWindows.

That's probably where we disagree. The best e-mail server? The best
web server? A good office package, drawing package, browser, mail client
etc. All for free.

>> > Windows are
>>
>>>so wide-spread now that we simply have to use them
>>
>>No, you don't. It's cheaper, more secure and more flexible to use
>>another OS (Linux, BSD, Sun etc etc - even the new OS from Apple is
>>better than MS).
>
>
> Sorry, I need the best software... That's why I left Amiga.

What software is best? Most users don't need more than 2% of Word's
power and can use OpenOffice in its place.

Flare

unread,
Apr 9, 2002, 3:41:31 AM4/9/02
to
pau...@rocketmail.com (Paul Le Roux) wrote in message news:<a8mncj$jf$8...@reader06.wxs.nl>...
> >nemo_...@hotmail.com (nemo outis) wrote
> >> If nesting doesn't have performance/compatibility problems, then that
> >> is probably superior to using the two protections separately (e.g.,
> >> on different partitions).
> >
> >IMHO this would be a CPU load disaster. The system could even appear
> >to freeze.
>
> says who?

I did. As I've said in this thread I have a SecureDrive (OTFE) partition
and a Scramdisk partition. When copying files between them system freezes
for one second every five seconds. The mouse pointer can't be moved etc.
This experience led me to that worry, that similar thing MIGHT happen
with DCPP-nested SD/BC containers. Again: it depends on how well it is
coded.

And let me ask again: will it be possible to boot multiple operating
systems (partitions) with DCPP?

Paul Le Roux

unread,
Apr 9, 2002, 6:55:56 AM4/9/02
to

yes, if you multi boot nt/2k/xp there are no issues, if you multi boot
with win9x/me you will be able to see the nt/2k/xp encrypted partitions but
they will be read-only, but win9x/me will switch into compatibility mode,
the win9x/me support is a stop gap until we can provide a full win9x/me
driver...


Andy Jeffries

unread,
Apr 9, 2002, 9:58:00 AM4/9/02
to
On Mon, 08 Apr 2002 11:15:27 +0100, Sam Simpson wrote:
>>>Sam please let's not turn this into a linux advocacy group, i'm asking
>>>that we keep it on topic
>>
>> Scramdisk for Linux is developing (unfortunately I'm not getting any
>> time on it at the moment, but I know a man who is...). Therefore as
>> this group is called alt.security.scramdisk (note: not
>> alt.security.drivecrypt) this discussion is definitely on-topic.
>
> Anyway Jeffries, what do you know? You didn't create this group. Oh,
> hang on..... ;)

LOL...

:-)

Andy Jeffries

unread,
Apr 9, 2002, 10:00:15 AM4/9/02
to
On Mon, 08 Apr 2002 11:52:39 +0100, Ken D. wrote:
>> On Sun, 07 Apr 2002 22:25:54 +0100, Paul Le Roux wrote:
>> > Sam please let's not turn this into a linux advocacy group, i'm asking
>> > that we keep it on topic
>>
>> Scramdisk for Linux is developing (unfortunately I'm not getting any
>> time on it at the moment, but I know a man who is...).
>
>
> Shhhh! :) i haven't had time the last couple weeks either :)

Slacker ;-)

I'll get some time next week I hope (company is getting me a laptop, so
I'll be able to work on it on the train).

> (i've gotten further, but it still corrupts the container on writes)

That's OK, we'll follow the Microsoft closed source methodology and we'll
release it as Scramdisk for Linux XP, then fix that bug in a later
version :-)

Cheers,

Andy Jeffries

unread,
Apr 9, 2002, 10:04:25 AM4/9/02
to
On Mon, 08 Apr 2002 11:43:13 +0100, Paul Le Roux wrote:
>>So buying an external modem is going out of your way. Most consumer
>>shops (i.e. the likes of PC World, putuey!!) tend to recommend external
>>modems because they are easier for the consumer to install. All
>>external modems work under Linux, so is this going out of the way.
>>
> yes this is exactly out of the way, why? cost, an external modem is
> about GBP 50, a PCI card modem is about GBP 20, more's the point if I
> already have a PCI card modem (ie: it shipped with the machine from PC
> World it will not work!). of course all external modems work under
> linux, no driver is needed other than the existing serial driver, as
> soon as you start needing something with a driver the linux argument
> falls away quickly.

OK, I had a PCI card which worked fine (USR something or other...before I
went to cable). WinModems support is getting better:

http://www.linmodems.org/

> same thing goes with a lot of USB hardware, there just aren't drivers;

I currently have a USB digital camera, printer and joystick working under
Linux....

> try
> getting some of the crypto tokens running on linux.

Admit I've never tried that one.

>>> Winprinters,
>>
>>Like what? New printers such as Lexmarks (supported by the
>>manufacturer), Canon or HP (both have good community support)? Or
>>high-end printers which are usually PostScript (and work a treat) like
>>the TekTronix colour wax jobby in front of me.
>>
> the point is you need to go out spend more money on a brand printer
> that is 100% supported, or you buy a cheap model which works only under
> windows which many people will do..., I cannot remember all the brands
> involved;

I'd never recommend to anyone to buy one of the less popular brands
(Canon, HP, LexMark, etc.) anyway as the support is generally a lot worse.

> there are also similar problems with PCI sound cards, to get
> sound working on my linux box I needed to buy a 16-bit ISA card which is
> getting pretty hard to come by,

What was your PCI sound card? I haven't had a problem with any PCI sound
card yet?

> but as I said I don't think linux v's
> windows is an appropriate discussion for this group; that is almost as
> tired and exhausted a discussion point as free vs closed software.

I agree a Windows vs Linux discussions isn't on-topic, but defending the
discounting of Linux as a valid platform is on topic, particularly as
there is a current Scramdisk (not the new DriveCrypt) development effort
occurring on that platform.

Cheers,

Andy Jeffries

unread,
Apr 9, 2002, 10:07:03 AM4/9/02
to
On Mon, 08 Apr 2002 20:31:02 +0100, Sam Simpson wrote:
>> OK, once more: could you imagine all people using PC's moving to Linux?
>> Could you? Really? Be realistic.
>
> My parents use Linux, I have not IT related friends that use Linux.

My 2 year old god-children use Linux :-)

Only for starting Gcompris, playing it and closing it.

Andy Jeffries

unread,
Apr 9, 2002, 10:08:08 AM4/9/02
to
On Mon, 08 Apr 2002 19:14:21 +0100, Flare wrote:
>> > Windows are
>> > so wide-spread now that we simply have to use them
>>
>> No, you don't. It's cheaper, more secure and more flexible to use
>> another OS (Linux, BSD, Sun etc etc - even the new OS from Apple is
>> better than MS).
>
> Sorry, I need the best software... That's why I left Amiga.

LOL, Microsoft Windows having the best softwa-....sorry this author has
made an illegal operation, please press enter to reboot....

crypto

unread,
Apr 10, 2002, 4:51:10 PM4/10/02
to
Paul, would you mind if I asked you a few questions about Drivecrypt
Pluspack? After trying to educate myself on OTF encryption in the last
few days I had decided to go with Drivecrypt. I had intended to buy a
copy in the next few days until I ran across this discussion of
Drivecrypt Pluspack. I have a multiboot system with three drives.
First drive has three partitions, a primary and two logical. First
partition is FAT16 and contains Windows Me, MS-DOS 6.2 and a command
line version of Windows 98. Second partition is FAT32 and doesn't
contain any OS files. Third partition is NTFS and contains Windows
2000. Of course its initial boot files (ntloader, etc) are on c:\.
I'm using an old copy of System Commander to boot between all these
Microshit OS's. The second and third drives are NTFS data drives - no
OS files on these drives. I stay in Win2k mostly and just boot to ME
when I want to game. I want to encrypt drive 2 & 3. I had planned on
buying Drivecrypt, backing up my data, repartitioning and encrypting
the drives with DC and restoring the data. After discovering the new
DC Pluspack, it sounds like a better way to go. And if I went with
DCPP then I'd probably want to go ahead and encrypt the Win2k
partition on drive one also. I don't particularly want to encrypt the
1st and 2nd partition of drive one (the Windows ME partitions).

I think I'm starting to ramble but my question is will DCPP work with
this configuration? Compatibility mode in Windows ME would not be
acceptable since I use it for its better performance while gaming.
Don't want to take a performance hit obviously. If I don't encrypt
the Windows ME partitions would the compatibility mode limitation
still apply?

And lastly, how does the installation and encryption of drives work
with DCPP? Does it encrypt your pre-existing drives or do you have to
configure the drives fresh and then restore the data?


pau...@rocketmail.com (Paul Le Roux) wrote in message news:<a8uhbs$6tr$1...@reader11.wxs.nl>...

Paul Le Roux

unread,
Apr 10, 2002, 7:13:18 PM4/10/02
to
nobody is saying that linux is discounted as a valid platform, it is a
valid platform for server side stuff, that may change over time, but
the party's not here yet, but i've had endless linux vs windows debates.
they really don't belong here, although i'm not saying your scramdisk
for linux effort should not be discussed here, when & if it becomes
available.

In article <pan.2002.04.09.15...@andyjeffries.remove.co.uk>,
ne...@andyjeffries.remove.co.uk says...

Paul Le Roux

unread,
Apr 10, 2002, 7:42:27 PM4/10/02
to
In article <393b926b.0204...@posting.google.com>,
crypt...@yahoo.com says...


the trouble is that if you encrypted win2k you would need to install
the pre-boot authentication which would automatically force your winme
into compatibility mode, the only way around that is to create an emergency
floppy disk after installing the pre-boot authentication, & then remove the
preboot authentication, and use that to boot into your win2k partition, which
is ugly, also you would need to make sure system commander
is not using more than 512 bytes within the mbr.


>
>And lastly, how does the installation and encryption of drives work
>with DCPP? Does it encrypt your pre-existing drives or do you have to
>configure the drives fresh and then restore the data?
>

it encrypts existing drives, (and existing data) there's no need
to repartition or copy/restore files, basically it encrypts even
the boot / & system partitions
even while the system is running because the driver locks out concurrent
reads and writes, even for example a defrag
running while C: is being encrypted causes no issues, backups
are always recommended, a power failure would be a problem in the middle
of a disk encrypt or decrypt

in DC the data is destroyed because DC slaps a header at the front of
the partition which contains the encrypted keys and the per sector IV
data, DCPP puts nothing onto the disk, each sector is encrypted in place,
the IV's and keys are stored in files called "Key Stores" which can
be regular file based, or BMP / WAV based. Or if you install pre-boot
authentication, the key & iv is stored in the mbr itself encrypted
with a salt based iterated sha1 hash using your 2 line passphrase
(it uses 2 passphrase lines not 4 like DC)

Paul

Geoff Dyer

unread,
Apr 11, 2002, 7:41:16 AM4/11/02
to
On Mon, 08 Apr 2002 11:11:47 +0100, Andy Jeffries
<ne...@andyjeffries.remove.co.uk> wrote:

> All external
>modems work under Linux, so is this going out of the way.

All external *COM port* modems. A lot of the cheaper USB modems are
apparently "winmodems".

>> Winprinters,
>
>Like what? New printers such as Lexmarks (supported by the
>manufacturer), Canon or HP (both have good community support)? Or
>high-end printers which are usually PostScript (and work a treat) like
>the TekTronix colour wax jobby in front of me.

Lexmark apparently has two product divisions - the office-oriented
stuff is supported by the manufacturer, the el cheapo stuff is kept
very secret indeed.
Brother's MFC stuff is usually a problem (but my Brother HL-730,
originally considered a "winprinter" except in emulation modes, is now
supported, which will be nice if/when I get Linux onto the partitions
I've set aside for it).

Roll on SD4L !

--
Geoff
(to e-mail me, remove any instances of "-nospam" from my address)

crypto

unread,
Apr 11, 2002, 10:11:29 AM4/11/02
to
Paul, thanks for the response. What if I just encrypted the 2nd and
3rd drives? As I said before, all the OS's are on the first drive and
the 2nd and 3rd are ntfs and are only used in Win2k. In that case,
the keys would reside in keystores and the mbr would not be modified,
is that correct? If that is a correct assumption then I suppose you
would manually mount the drives after you've booted into Win2k like
with DC?

So your options would be to encrypt all drives in which case the keys
would be stored in the mbr and you would get an "enter password"
screen before booting - or encrypt only non-OS partitions in which
case the keys are stored in keystores and you mount them manually
after booting as with DC?

Thanks for answering my questions, I'm trying to decide if I need DC
or DCPP before the April 13th deadline for getting the special price
on DCPP...

pau...@rocketmail.com (Paul Le Roux) wrote in message news:<a92il3$hqk$2...@reader11.wxs.nl>...

Flare

unread,
Apr 11, 2002, 10:24:57 AM4/11/02
to
pau...@rocketmail.com (Paul Le Roux) wrote in message news:<a92il3$hqk$2...@reader11.wxs.nl>...
...

> is ugly, also you would need to make sure system commander
> is not using more than 512 bytes within the mbr.

Would it somehow be possible to install a keylogger in the
MBR simultaneously with the DCPP MBR-code? If so, will
you perform any post-boot MBR check to verify the MBR integrity?
If such feature is not implemented yet, will you consider
coding it in future?


> basically it encrypts even the boot / & system partitions
> even while the system is running because the driver locks out
> concurrent reads and writes, even for example a defrag
> running while C: is being encrypted causes no issues

Wow :-)


...


> Or if you install pre-boot
> authentication, the key & iv is stored in the mbr itself encrypted
> with a salt based iterated sha1 hash using your 2 line passphrase
> (it's uses 2 passphrase lines not 4 like DC)

Will you provide a *reliable* utility for MBR backup/restore in the
DC+ package?
I suppose that if the MBR is accidentally overwritten, your DCPP-encrypted
data are gone (unless you want to perform a brute-force rescue
operation or wait for quantum computers... ;-)


Regards,
David

Paul Le Roux

unread,
Apr 11, 2002, 10:47:15 AM4/11/02
to
>
>Would it somehow be possible to install a keylogger in the
>MBR simultaneously with the DCPP MBR-code? If so, will
>you perform any post-boot MBR check to verify the MBR integrity?

yes anything is possible! there's also nothing stopping someone writing
a program which installs itself on top of the DCPP MBR code even when the
DCPP MBR code is already installed on your box. that person would need to:

1. install his own device driver on your box giving him write
access to your mbr (or boot dos or linux from a floppy to access the mbr)
2. install his own code which is a patched up copy of the DCPP mbr code
which first jumps to his code, installs his own keyboard isr, then
jumps to the original code
3. as each passphrase key is pressed he uses int13 to save each key to some
part of the disk using the bios address for int13 he saved away at 2.
4. get some other app to email him the passphrases read from the disk
with the help of the driver installed at 1.

there is no crc or other checking of the DCPP mbr at this stage

>If such feature is not implemented yet, will you consider
>coding it in future?
>

yes it's a good idea, but it will not actually do much good to prevent
someone who really wants your key bad enough to write the stuff at the
top of this reply, cause someone would just disable the checking code.

for example the person could also provide an INT13 hook himself, when the
dcpp mbr code reads itself from the disk his hook returns the original
unmodified 512 bytes from that sector, not his patched up sector, the
dcpp mbr would still calculate the correct crc and think that nothing's
wrong

>
>Will you provide a *reliable* utility for MBR backup/restore in the
>DC+ package?
>I suppose that if the MBR is accidentally overwritten, your DCPP-encrypted
>data are gone (unless you want to perform a brute-force rescue
>operation or wait for quantum computers... ;-)
>
>

that's already there in the form of the DCPP emergency disk, of course don't
blow the mbr while the disk is encrypted unless you have one of these
or your own backups!


nemo outis

unread,
Apr 11, 2002, 11:23:06 AM4/11/02
to
If the code external to the encrypted OS is small enough, there are two routes
to ensure that no software keyloggers are installed into/over it or that it
has otherwise been tampered with. Both depend on having made a tamper-proof
medium such as a CD with known-good info before any compromise.

1. boot from the CD and reinstall the first 63 sectors (or whatever) from
the CD and then reboot, this time from the HD. (a bit clumsy but workable).

2. boot from CD and verify the signature (MD5, SHA-1, etc.) of the first
63 sectors, and if OK, then reboot from the HD (If not OK, perform step 1)

Regards,

PS For the ultra-paranoid such a verification CD with known-good info could
even check that the various BIOSes have not been tampered with.
(Theoretically, a sufficiently smart compromised BIOS could "lie" about its
state being unaltered but this would be tricky to do in practice.)

Regards,

In article <a947lj$l9$1...@reader08.wxs.nl>, pau...@rocketmail.com (Paul Le Roux)
wrote:
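
The check in step 2 of the post above, as an added example that is not part of the original thread or of any DCPP tooling: it hashes the first 63 sectors read from a trusted boot medium and reports which sectors differ from a known-good baseline, separating a boot-code change from a partition-table-only change. SHA-256 stands in for the MD5/SHA-1 the post mentions; the function names, the classic MBR byte offsets and the sample image are assumptions made for the example.

```python
import hashlib
import io

SECTOR = 512
TRACK0_SECTORS = 63    # "the first 63 sectors (or whatever)" from the post
BOOT_CODE_END = 446    # classic MBR layout: bytes 0-445 boot code, 446-509 partition table


def read_track0(dev, sectors=TRACK0_SECTORS):
    """Read the leading sectors from an open binary file object.

    On a real machine this would be the raw disk device, opened after
    booting from the read-only CD so no disk hook on the installed system
    can substitute the sector contents.
    """
    dev.seek(0)
    data = dev.read(sectors * SECTOR)
    if len(data) != sectors * SECTOR:
        raise ValueError("short read: %d bytes" % len(data))
    return data


def sha256(b):
    return hashlib.sha256(b).hexdigest()


def make_baseline(data):
    """Known-good manifest to store on the tamper-proof medium."""
    return {
        "boot_code": sha256(data[:BOOT_CODE_END]),
        "sectors": [sha256(data[i:i + SECTOR]) for i in range(0, len(data), SECTOR)],
    }


def verify(data, baseline):
    """Compare current sectors with the baseline and say what changed."""
    current = make_baseline(data)
    if len(current["sectors"]) != len(baseline["sectors"]):
        raise ValueError("baseline covers a different number of sectors")
    pairs = zip(current["sectors"], baseline["sectors"])
    changed = [n for n, (now, good) in enumerate(pairs) if now != good]
    return {
        "ok": not changed,
        "changed_sectors": changed,
        "boot_code_changed": current["boot_code"] != baseline["boot_code"],
    }


def constructed_image():
    """Constructed sample: 63 sectors of filler with a 0x55AA boot signature."""
    img = bytearray(TRACK0_SECTORS * SECTOR)
    for n in range(TRACK0_SECTORS):
        img[n * SECTOR:(n + 1) * SECTOR] = bytes([n]) * SECTOR
    img[510:512] = b"\x55\xaa"
    return img


if __name__ == "__main__":
    good = constructed_image()
    baseline = make_baseline(read_track0(io.BytesIO(bytes(good))))

    patched = bytearray(good)           # simulated tampering, constructed
    patched[0x10] ^= 0xFF               # one byte inside the MBR boot code
    patched[5 * SECTOR + 7] ^= 0xFF     # one byte in a later track-0 sector
    print(verify(bytes(patched), baseline))

    repart = bytearray(good)            # simulated repartitioning, constructed
    repart[450] ^= 0xFF                 # partition table byte only
    print(verify(bytes(repart), baseline))
```

Because the thread says DCPP keeps the encrypted key and IV in the MBR, the baseline has to be regenerated from a trusted boot after any legitimate rewrite of that sector.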

Shaun Hollingworth

unread,
Apr 12, 2002, 7:15:10 PM4/12/02
to
On Mon, 08 Apr 2002 12:22:26 +0100, Sam Simpson <s...@samsimpson.com>
wrote:

>I have it working now on my Linux box - at least for Blowfish SVL

>containers. Oh, it's kind of read-only at the moment too, but that
>doesn't appear to be a show stopper.
>


Do you know - please send me the source code, and I will see if I can
finish it myself.....

From ground zero upwards......

Regards,
Shaun.

Flare

unread,
Apr 14, 2002, 4:03:11 PM4/14/02
to
Andy Jeffries <ne...@andyjeffries.remove.co.uk> wrote in message news:<pan.2002.04.09.1...@andyjeffries.remove.co.uk>...

> On Mon, 08 Apr 2002 19:14:21 +0100, Flare wrote:
> >> > Windows are
> >> > so wide-spread now that we simply have to use them
> >>
> >> No, you don't. It's cheaper, more secure and more flexible to use
> >> another OS (Linux, BSD, Sun etc etc - even the new OS from Apple is
> >> better than MS).
> >
> > Sorry, I need the best software... That's why I left Amiga.
>
> LOL, Microsoft Windows having the best softwa-....sorry this author has
> made an illegal operation, please press enter to reboot....

Yes, I expected a response like that.

Andy Jeffries

unread,
Apr 15, 2002, 5:04:37 AM4/15/02
to
On Sun, 14 Apr 2002 21:03:11 +0100, Flare wrote:
>> > Sorry, I need the best software... That's why I left Amiga.
>>
>> LOL, Microsoft Windows having the best softwa-....sorry this author has
>> made an illegal operation, please press enter to reboot....
>
> Yes, I expected a response like that.

Sorry Flare, couldn't resist ;-)

Cheers,

Andy Jeffries

unread,
Apr 15, 2002, 11:22:57 AM4/15/02
to
On Sat, 13 Apr 2002 00:15:10 +0100, Shaun Hollingworth wrote:
>>I have it working now on my Linux box - at least for Blowfish SVL
>>containers. Oh, it's kind of read-only at the moment too, but that
>>doesn't appear to be a show stopper.
>>
> Do you know - please send me the source code, and I will see if I can
> finish it myself.....

Are you allowed to work on other related products under the terms of your
employment with SecurStar? To be honest, if you have picked up much
about Linux Kernel development, I'm sure we'd (speaking for the other
Scramdisk Linux developers without asking them first) love to have your
help.

> From ground zero upwards......

If you are working from ground zero, why do you need the source code?
