how secure is encrypted TW5 and DropBox?


Bill Dixon

Jan 29, 2014, 2:14:01 PM
to tiddl...@googlegroups.com
After having a heart attack 2 weeks ago, I'm finally making detailed notes for my wife, with stuff like life insurance policy info, 401k info, banking account numbers, etc.  My idea is that if I were to die, she could just pull up the TW file and have all the information she needs to handle whatever she needs to do to close my affairs and do things I normally do (balance checkbook, etc).

My idea is to put the TW file on DropBox, and put a shortcut to it on my wife's laptop.  That way, I can continually (over the years) update my copy, and if anything ever happens to me she'll have all the information she needs in one place.

I have all the passwords to the various sites I mention in KeePass, and it's secure enough that I trust putting it on DropBox (and I hope I'm not mistaken here).  But there's a lot of other sensitive information I'm putting in tiddlers.  I suppose I could put all stuff like that in KeePass as comments, but I'd rather put everything except passwords themselves in TW.

Just how safe would it be to encrypt a TiddlyWiki file with a password, and then put it on DropBox?

If it isn't safe, then I'll just try to remember to copy the file to her laptop whenever I make significant changes, but I'd rather not have to worry about remembering to do that.  (My memory is horrible.)

Thanks,
Bill

cangaroo joe

Jan 29, 2014, 4:05:46 PM
to tiddl...@googlegroups.com

Your idea is not bad. Another solution would be Evernote (online synchronization and the encryption of sensitive information). Or you can simply organize your digital documents, notes, etc. in folders then archive and password protect it with zip or rar archivers and put the package in Dropbox. Truecrypt is the safest but a bit complicated method. I would never put personal info in the cloud unencrypted. Always make backups of your data. Take care.

Stephan Hradek

Jan 29, 2014, 4:24:50 PM
to tiddl...@googlegroups.com
Hi Bill!

Sorry to read about your heart attack. But to be honest: I don't think TiddlyWiki or any other electronic stuff would really help your wife in the worst case.

You know what I'd do: Talk with her. Show her what she will have to do and to know. I think this is much better than having to hack yourself through a huge bunch of electronic bits of information she does not yet know.

Just my 0,01 Eurocent ;)

Jeremy Ruston

Jan 29, 2014, 4:37:54 PM
to TiddlyWiki
Hi Bill

I'm very sorry to hear of your heart attack.

I think the idea of using an encrypted TiddlyWiki to pass on a cache of vital personal information is pretty good. There are a couple of TiddlyWiki files that I share with family members in the same way, using encrypted files in Dropbox.

It's difficult to give an unequivocal answer as to how safe the arrangement might be. Right now TW5 is pretty new, and I don't think that the encryption features have yet been subjected to the kind of systematic external review that we might want. However, I'm pretty confident that the underlying crypto library that TW5 uses is solid; it's widely used, and has been subject to review:


So, I think a reasonable strategy for the moment might be to stick with KeePass for the most sensitive financial information, and use an encrypted TW for the rest. As Cangaroo Joe points out, you can give yourself an extra layer of protection by wrapping the TW file in an encrypted zip file.

The way that I think about this stuff is to compare what I'm doing with email; we need to treat email as if it's pretty close to public domain, and so anything that you are prepared to put in an email I'd say would be not unreasonable to put in an encrypted wiki in Dropbox.

Anyhow, I hope you find a good solution, and do keep asking questions.

Best wishes

Jeremy






PMario

Jan 29, 2014, 6:05:21 PM
to tiddl...@googlegroups.com
If you search for "zip password recovery" with Google, I doubt you'll really want to use this.

Truecrypt is great but as you mentioned, a bit more complicated.
-m

Jason Cunliffe

Jan 29, 2014, 8:05:04 PM
to tiddl...@googlegroups.com
Hello

Sorry to hear about your health.

..I have also been thinking recently about the same basic issue.
Plus visited a dear friend in December with advancing terminal cancer.
She has been busy putting all her affairs in order. Simplifying etc.
Had just completed 99% of that when I visited.
Said she felt much more relaxed and prepared for herself and for her family.

MAKE A BOOK
She highly recommended creating an old fashioned paper dossier
~ book with the essential/crucial information and instructions.
A single binder [transparent pockets] and drop in printed pages
{and/or handwritten}.
Something simple direct, portable and always-ON.
throw in photos / copies of comments / things etc
even can be very helpful. Where are the keys, which keys etc.
How to turn on/off such-and-such

Very accessible to family in times of loss grief and unexpected
paperwork to deal with.

One never knows in whose office, or at what teller's counter
one will need to pull out some key information or proof-of...
especially these days. Plus need to perhaps add notes on the fly.

My friend has minimal computer skills, and is teacher/writer/historian
so she relates deeply to tangible documents, books.
Think:  passports, certificates, account statements, utility bills etc.
And sometimes just a simple color photo or scan-copy is worth so much.

However, she is right that a single portable dossier is a great gift to
the living left behind.

Higher TECH 2014 >> TW5 WAY
Having said all that, I think at the very minimum you should copy whatever data/code/documents
to a USB key, and literally put that on special KEY-CHAIN for your wife.

So FIRST show and test together an offline, local encrypted file which contains
logins and passwords. I'd suggest you start with a single TEXT file for logins only.
 
Then/meanwhile build up a TW document for all the other information.
As you proceed, you might find that you want to keep all logins/passwords separate,
or may opt to include  some or all in your TW-based solution.
test and test again. {this is the argument for PAPER-BOOK}

Yes, TW could be a great modern extension
of ye olde dossier...

I already keep PDFs of various documents on my server.
Recently twice was able to quickly bring up the page on my phone and at my bank.
pinch zoom and so much trouble+time saved.

STEGANO
This week have been looking again at steganography and password
encryption options. I trust less and less ANY commercial/mainstream service,
and feel that even some little effort to roll-one's-own, using appropriate tech is maybe best.

So for example, I am very interested in TW5 and Node so I looked at Node.js graphics libraries for testing
steganographic methods. Plus various simple OpenSSL encryption tools and techniques.
By regular SSH Terminal shell on PC or ipad, Powershell on Win7, plugin for SublimeText2 ..
And soon I'll dig in to TW5 and its encryption features and workflow

There is for example the old classic ImageMagick library.
http://www.imagemagick.org/

It has a very interesting and fun stegano {as in steganography} function.
Many uses..

These days the fork called GraphicsMagick is recommended.
Used by Flickr et alia.
And now a Node.js interface
http://aheckmann.github.com/gm/

I am not there yet, but like the scope of using images.
With the right key-tools in hand, it makes it easy to hide them in
plain-sight. Plus have some fun, or even provide personal visual-mnemonic
tips to gain full access to one's protected target.

Your need is likely more urgent to get information in order NOW.
Please continue to post any progress or problems you encounter with
your use of TW or other tools.

I think potentially all this is a great use-case for TW, and hopefully
with some real-use help many people manage personal media sanely in a semi-public
context.

Good Luck and I hope your health improves in 2014

~jason

Bill Dixon

Jan 29, 2014, 9:00:17 PM
to tiddl...@googlegroups.com
Jason,

Thanks for the suggestion of a paper document.  I have actually considered that, because my wife is definitely non-technical. (I've been in I.T. for 33+ years, so I know I tend to gravitate toward the high-tech solutions.)

My biggest concern about using paper is that I won't keep it up-to-date.  My goal is to have a single TW tiddler that's along the lines of a "read-me-first" document, with sections for:
  • Life Insurance
  • Retirement Funds
  • Stocks and Bonds
  • Wills
  • Miscellaneous Financial Information
  • Miscellaneous Topics
These are the sections I've come up with so far.  Each section basically has links to other tiddlers.  For example, the Retirement Funds section has links to individual tiddlers for the 401(k) accounts from various employers I've had lately.

By having the TW database residing on my laptop, I should be able to keep it up-to-date.  By also storing it somewhere like DropBox, with a shortcut on my wife's laptop, she will always have access to the latest version.  And I'm also working on updating my will, and plan on including a note as an attachment, with instructions on how to access the TW entries in the event both of us die at the same time.  And yes, I will definitely walk her through the entire documentation once I have it all in place.

Actually, I suppose the best of both worlds would be if there was a way to easily print out the information in all the tiddlers, preferably in a semi-automated manner.  That way, I could print it out once a year, replace (and shred) the older copy, and make sure my wife knows where to find it.

So, right now I'm just trying to convince myself that if I encrypt the TW5 database with a password, is it safe to place that html file on a public server?  Even without the passwords to financial web sites, there will still be a lot of sensitive information in it.

Thanks to everyone for their thoughts and assistance,
Bill

Jason Cunliffe

Jan 29, 2014, 9:46:25 PM
to tiddl...@googlegroups.com
Bill

I'll think about your use-case some more.. {and my own}
We geeks, passionate technorati have a very hard time understanding
non-techie people's relationship to all this we know and love-to-know.

I watched my friend struggling to just order a simple medical bracelet
on-line last month. She was confused and unhappy by the end of that session.
A sobering fresh reminder that one person's path/tool is often not another's.

some questions:
- So you have lots of documents in several categories/contexts which need updating at least once a year?
- If it were a book, how many pages?
- How many changes how often?
- Does the README-FIRST need to change much?
-- If not, or anyway write that first.

I'd argue still for personal USB-Key as the most private, secure and portable.
Why do you, or your wife, need more or different than that?

Dedicated INSTRUMENTS/DEVICES are often simpler to use and maintain, by their design-use focus.

PLAN A-B.
 Why not buy a dedicated Wifi tablet?

{ie Nexus 7 or very nice ipadMini}

Android is poised to run Node.js soon {hope}
and thus make a brilliant modern digi-dossier
and for TW too in 2014++
 
FIRST just Put all your memos, scans, photos, TiddlyWikis whatever on there.

BUT Put your main effort now into:

file/folder naming,
readable grouping // guided by the README-FIRST of course ;-)
gathering up the documents, copies and meta-notes thereof.

If you get the order right, and with minimal choreography
TW and/or any other set of slide or presentation tools,
you can have full screen fast swipe access
IN SEQUENCE
or in demand
or via link for each topic and sub-detail.
Update as necessary or time allows.

Photos of documents - start of just simple images
then maybe use TW to annotate them..

This way one has the sort-of-maybe-best mostly of both worlds.
As things progress, you can print out to suit your Wife's perspective.
Tablets are the modern book. BUT need power/recharge.

~jason


PVHL

Jan 30, 2014, 11:29:14 PM
to tiddl...@googlegroups.com
Hi Bill


> My idea is to put the TW file on DropBox, and put a shortcut to it on my wife's laptop.  That way, I can continually (over the years) update my copy, and if anything ever happens to me she'll have all the information she needs in one place.

I've never mentioned the project I work on here, but I think I'll break my silence just this once. Sorry that this will sound like a sales pitch; it's not my intention and I shan't mention it again. I'm mostly doing so because other software has already been mentioned, and my suggestion is a good fit, especially for an inexperienced user.

Woas is similar to Tiddlywiki in that it stores multiple wiki pages in a single HTML file using a markup language (and uses the same TiddlySaver.jar, if needed, and now works with TiddlyFox). I believe it was originally inspired by TWC. Many find it much simpler to use than TW, primarily, I think, because of its linear wiki nature and simple UI (more like a book). I am in the last stages of releasing an update to what is currently available (next few days). The current file is labelled 'Alpha' (the update will be labelled 'Beta'), but it's actually well tested code with a long history; I labeled it this way because of the recent browser changes that broke both Woas and TWC; it needed testing on multiple browsers and operating systems. (It also has the same TiddlySaver issues that TW has, issues we are currently working to resolve, though this is only ever an issue for saving, and then only for browsers that need the jar file.)

Woas can save images within itself and has a full Help system, tags, macros, and plugins. My project is an update of the original WoaS (Wiki-on-a-Stick) project; that project is currently pretty unusable. It is vastly improved from the original (if I do say so myself), and the coming update will clear up any remaining, fairly subtle issues, ones that don't affect general use of Woas.

Anyway, any page can be locked in Woas, with each page using the same or a different password. The password is not saved anywhere. Encryption is AES 256, the same as used in KeePass and DropBox itself. A good 256-bit password should be used, and Woas helps you in creating one. If the password is lost there is, obviously, no way to unlock or recover the information.

There are theoretical attacks for AES 256, and recent revelations claim world governments can easily break any current encryption method, but I am not aware of any practical threats.

Except, of course, for the obvious one: you have to share the password with someone and they (or you) could compromise it.

It seems to me that a file encrypted with AES 256 on a privately shared DropBox folder is pretty safe, especially if it isn't named "All my precious banking information"! (Someone would need to go to an awful lot of trouble and have some very advanced equipment to have even a faint chance of cracking it, unless they already have the password.) I would also keep a backup on a USB Key somewhere or, as I do, email the updated file. (I am, personally, comfortable doing this with my own private information, including passwords. Each to their own, of course, and I disclaim all responsibility if you decide to do this too; just saying ;0)

That said, I actually think Jasonic's idea is the best. Make a folder/box that contains everything precious and put it in a safe place, or a safe-deposit box. The idea you suggested of printing everything in the file could also be done with Woas using a macro. I'd be happy to help you with the macro if you decided to go this route. (Actually, the macro I have in mind is simple and will eventually be one of the included system macros.)

Cheers, Paul.
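
Added example, not part of the thread and not code from TiddlyWiki, Woas, KeePass or Dropbox: a Node.js illustration of the passphrase-based AES-256 file encryption the posts discuss, showing that a wrong passphrase or a modified file fails to decrypt and that the guessing space is set by the passphrase rather than by the cipher. The scrypt settings, blob layout, function names and sample text are assumptions made for this example.

```javascript
// Added example: passphrase-based AES-256-GCM with Node's built-in crypto module.
const crypto = require('node:crypto');

// scrypt cost settings: assumed values for this example only.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// The passphrase is stretched into the key; it is never written into the file.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, KDF); // 32 bytes = AES-256 key
}

// Blob layout (assumed): salt(16) | iv(12) | tag(16) | ciphertext
function encryptWiki(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

function decryptWiki(blob, passphrase) {
  const key = deriveKey(passphrase, blob.subarray(0, 16));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(16, 28));
  decipher.setAuthTag(blob.subarray(28, 44));
  // final() throws if the passphrase is wrong or any stored byte was modified.
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]).toString('utf8');
}

function tryDecrypt(blob, passphrase) {
  try { return decryptWiki(blob, passphrase); } catch { return null; }
}

// Size of the guessing space for a passphrase of randomly chosen words.
// The 256-bit key only helps if the passphrase is hard to guess.
function guessSpaceBits(wordCount, wordlistSize) {
  return wordCount * Math.log2(wordlistSize);
}

// Constructed sample data.
const sample = '<div title="Life Insurance">policy notes (constructed sample)</div>';
const blob = encryptWiki(sample, 'six random words would go here');
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 1; // simulate a modified copy in the shared folder
console.log('right passphrase:', tryDecrypt(blob, 'six random words would go here') === sample);
console.log('wrong passphrase:', tryDecrypt(blob, 'guess') === null);
console.log('tampered file:  ', tryDecrypt(tampered, 'six random words would go here') === null);
console.log('6 words from a 7776-word list ~', guessSpaceBits(6, 7776).toFixed(1), 'bits');
```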