Re: [gentoo-user] Please help me get my printer working again.

2014-06-02 Thread Dale
Alan Mackenzie wrote:
 So, thanks for the email, it brought me back to sanity. 

I wish an email could work like that on a lot of people, including me
some days.  ;-) 

Glad you got it working.  James has some good advice on hplip too.  I
use it to set up my printer.  It works a lot better. 

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Dale
Volker Armin Hemmann wrote:
 Am 01.06.2014 14:31, schrieb Tanstaafl:
 Wow, I've been mostly offline for a few days, and this morning when
 playing catch up on the news, learned that Truecrypt, one of my all
 time favorite apps, is no more.

 Some links of interest:

 https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

 https://news.ycombinator.com/item?id=7812133

 http://community.spiceworks.com/topic/505372-truecrypt-is-dead?page=1


 well, if true: good riddance. But I suspect some hacker-y or power
 struggle.



I'm considering encrypting my home partition one of these days.  Given
the things that have come out in recent months, back doors and such,
what is a good program/software/tool to use that is well . . . secure? 
Is there such a thing now?

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Michael Hampicke
Am 02.06.2014 10:22, schrieb Dale:
 Volker Armin Hemmann wrote:
 Am 01.06.2014 14:31, schrieb Tanstaafl:
 Wow, I've been mostly offline for a few days, and this morning when
 playing catch up on the news, learned that Truecrypt, one of my all
 time favorite apps, is no more.

 Some links of interest:

 https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

 https://news.ycombinator.com/item?id=7812133

 http://community.spiceworks.com/topic/505372-truecrypt-is-dead?page=1


 well, if true: good riddance. But I suspect some hacker-y or power
 struggle.


 
 I'm considering encrypting my home partition one of these days.  Given
 the things that have come out in recent months, back doors and such,
 what is a good program/software/tool to use that is well . . . secure? 
 Is there such a thing now?
 

Depends on your needs, for encrypting complete devices/partitions try
the kernel's dm-crypt/luks module. If you just want to encrypt a
directory try encfs, and for file encryption there's openssl and gpg.





Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Neil Bothwick
On Mon, 02 Jun 2014 10:53:51 +0200, Michael Hampicke wrote:

  I'm considering encrypting my home partition one of these days.  Given
  the things that have come out in recent months, back doors and such,
  what is a good program/software/tool to use that is well . . .
  secure? Is there such a thing now?
 
 Depends on your needs, for encrypting complete devices/partitions try
 the kernel's dm-crypt/luks module. If you just want to encrypt a
 directory try encfs, and for file encryption there's openssl and gpg

Definitely dm-crypt/LUKS for partitions/devices, but why use encfs which
needs FUSE, when ecryptfs does the same thing in kernel space?


-- 
Neil Bothwick

Blessed be the pessimist for he hath made backups.




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Volker Armin Hemmann
Am 02.06.2014 10:22, schrieb Dale:
 Volker Armin Hemmann wrote:
 Am 01.06.2014 14:31, schrieb Tanstaafl:
 Wow, I've been mostly offline for a few days, and this morning when
 playing catch up on the news, learned that Truecrypt, one of my all
 time favorite apps, is no more.

 Some links of interest:

 https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

 https://news.ycombinator.com/item?id=7812133

 http://community.spiceworks.com/topic/505372-truecrypt-is-dead?page=1


 well, if true: good riddance. But I suspect some hacker-y or power
 struggle.


 I'm considering encrypting my home partition one of these days.  

why? if you are hacked, they just read what you are reading. Encryption
does not help you there at all.
If your box is used by the state against you they just force you to give
them the keys.

Just rm -rf /home if they are knocking on your door.




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Neil Bothwick
On Mon, 02 Jun 2014 11:24:35 +0200, Volker Armin Hemmann wrote:

  I'm considering encrypting my home partition one of these days.
 
 why? if you are hacked, they just read what you are reading. Encryption
 does not help you there at all.

It helps if your computer is stolen. This is more, but not only, relevant
to laptops.


-- 
Neil Bothwick

Member, National Association For Tagline Assimilators (NAFTA)




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Dale
Neil Bothwick wrote:
 On Mon, 02 Jun 2014 11:24:35 +0200, Volker Armin Hemmann wrote:

 I'm considering encrypting my home partition one of these days.
 why? if you are hacked, they just read what you are reading. Encryption
 does not help you there at all.
 It helps if your computer is stolen. This is more, but not only, relevant
 to laptops.



I admit, I have never used encryption like this before.  I am assuming
that if I logout of my GUI, then it is encrypted at that point?  Once I
log back in, it decrypts it again?  Am I at least close? 

I do have a desktop system.  No lappy, yet anyway.  Maybe one of these days.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Alan McKinnon
On 02/06/2014 11:48, Dale wrote:
 Neil Bothwick wrote:
 On Mon, 02 Jun 2014 11:24:35 +0200, Volker Armin Hemmann wrote:

 I'm considering encrypting my home partition one of these days.
 why? if you are hacked, they just read what you are reading. Encryption
 does not help you there at all.
 It helps if your computer is stolen. This is more, but not only, relevant
 to laptops.


 
 I admit, I have never used encryption like this before.  I am assuming
 that if I logout of my GUI, then it is encrypted at that point?  Once I
 log back in, it decrypts it again?  Am I at least close? 

All disk encryption works to this general plan:

You log in (or boot up), the system asks for a password/key or whatever,
then unlocks the encryption used. Reads for the disk are decrypted on
the fly, writes are encrypted on the fly. What is on disk is always in
an encrypted state.

Safety depends on how you set it up - if you use full disk encryption
then you must unlock it at boot time. The disk is still readable until
you power off or reboot.

If you encrypt your home directory then you unlock it when you log in so
logging out of your DE safely locks things again.

You most likely want the second option, the odds that you have a valid
need to protect /usr and /opt are not good. As a regular user out there,
the stuff you want to protect is in /home (or you could easily move it
to /home). You'd also want to encrypt /tmp and swap as your running apps
often write secret stuff there (like ssh and gpg sockets) - that is
really just an extension of why you want to encrypt /home itself.


 I do have a desktop system.  No lappy, yet anyway.  Maybe one of these days.
 
 Dale
 
 :-)  :-)
 


-- 
Alan McKinnon
alan.mckin...@gmail.com
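
A way to check the layout described in the message above (/home, /tmp and swap all on encrypted storage), added here as an example and not code from anyone in the thread. It relies on cryptsetup giving its device-mapper nodes a DM UUID starting with `CRYPT-`; the `ROOT` variable, the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether swap, /home and /tmp sit on dm-crypt.
# ROOT is empty on a live system; the demo points it at a constructed tree.
ROOT=${ROOT:-}

# has_crypt KNAME: succeed if dm node KNAME, or anything it is stacked on,
# is a dm-crypt mapping. Body runs in a subshell so variables stay local.
has_crypt() (
    sys=$ROOT/sys/block/$1
    [ -r "$sys/dm/uuid" ] || exit 1            # not a device-mapper node
    case $(cat "$sys/dm/uuid") in CRYPT-*) exit 0 ;; esac
    for s in "$sys"/slaves/*; do               # e.g. LVM on top of LUKS
        [ -e "$s" ] && has_crypt "${s##*/}" && exit 0
    done
    exit 1
)

# kname_of DEV: map /dev/dm-N or /dev/mapper/NAME to the kernel name dm-N.
kname_of() {
    node=${1##*/}
    for d in "$ROOT"/sys/block/dm-*; do
        [ -r "$d/dm/name" ] || continue
        if [ "${d##*/}" = "$node" ] || [ "$(cat "$d/dm/name")" = "$node" ]; then
            echo "${d##*/}"; return 0
        fi
    done
    return 1
}

# classify DEV FSTYPE: print encrypted, tmpfs or PLAINTEXT.
# tmpfs lives in RAM but can be paged out, so it is only as safe as swap.
classify() {
    [ "$2" = tmpfs ] && { echo tmpfs; return; }
    case $1 in
        /dev/mapper/*|/dev/dm-*)
            if k=$(kname_of "$1") && has_crypt "$k"; then echo encrypted
            else echo PLAINTEXT; fi ;;
        *) echo PLAINTEXT ;;
    esac
}

# audit: one line per swap area and per mount point of interest.
# A /home that is just a directory on / has no line of its own.
audit() {
    while read -r dev type _; do               # /proc/swaps, header first
        [ "$dev" = Filename ] && continue
        if [ "$type" = file ]; then state=unknown   # depends on its filesystem
        else state=$(classify "$dev" swap); fi
        echo "swap $dev $state"
    done < "$ROOT/proc/swaps"
    while read -r dev mnt fstype _; do         # /proc/mounts
        case $mnt in
            /home|/tmp) echo "$mnt $dev $(classify "$dev" "$fstype")" ;;
        esac
    done < "$ROOT/proc/mounts"
}

# make_demo_tree: constructed /proc and /sys fragments; prints the tree path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mk() {  # mk KNAME DMNAME DMUUID [SLAVE]
        mkdir -p "$t/sys/block/$1/dm" "$t/sys/block/$1/slaves"
        echo "$2" > "$t/sys/block/$1/dm/name"
        echo "$3" > "$t/sys/block/$1/dm/uuid"
        [ -z "$4" ] || : > "$t/sys/block/$1/slaves/$4"
    }
    mk dm-0 cryptswap CRYPT-PLAIN-cryptswap
    mk dm-1 crypthome CRYPT-LUKS1-00000000000000000000000000000000-crypthome
    mk dm-2 vg0-home LVM-constructedA dm-1     # LVM stacked on LUKS
    mk dm-3 vg1-tmp LVM-constructedB sdb1      # LVM on a plain partition
    mkdir -p "$t/proc"
    printf '%s\n' 'Filename Type Size Used Priority' \
        '/dev/dm-0 partition 4194300 0 -2' \
        '/dev/sda2 partition 2097148 0 -3' > "$t/proc/swaps"
    printf '%s\n' '/dev/mapper/vg0-home /home ext4 rw 0 0' \
        '/dev/mapper/vg1-tmp /tmp ext4 rw 0 0' > "$t/proc/mounts"
    echo "$t"
}

# Demo run against the constructed tree.
ROOT=$(make_demo_tree)
audit
rm -rf "$ROOT"
```

To audit a real machine, drop the three demo lines at the end and call `audit` with `ROOT` left empty.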




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Tanstaafl
On 6/1/2014 1:45 PM, Volker Armin Hemmann volkerar...@googlemail.com 
wrote:

Am 01.06.2014 14:31, schrieb Tanstaafl:

Wow, I've been mostly offline for a few days, and this morning when
playing catch up on the news, learned that Truecrypt, one of my all
time favorite apps, is no more.

Some links of interest:

https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

https://news.ycombinator.com/item?id=7812133

http://community.spiceworks.com/topic/505372-truecrypt-is-dead?page=1



well, if true: good riddance.


Just because you don't like something doesn't mean it has no value. Yes, 
on linux, there are much better options, but for windows users, it is 
(was) the best solution available bar none, and an amazing product.



But I suspect some hacker-y or power struggle.


Which means you took zero seconds to verify the veracity of the 
information. Uninformed comments are less than useless.


And I forgot that most here are not windows users for whatever reason 
(some are just elitist pricks, some are purists for philosophical 
reasons, and some simply don't have to use Windows for a $dayjob).


The fact is, Truecrypt is (was) THE GoTo encryption method for purely 
Windows based systems.


I just thought there might actually be some rational people on the list 
that would like to discuss the ramifications of such a major happening.


Guess I was wrong.



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Michael Hampicke
Am 02.06.2014 11:20, schrieb Neil Bothwick:
 On Mon, 02 Jun 2014 10:53:51 +0200, Michael Hampicke wrote:
 
 I'm considering encrypting my home partition one of these days.  Given
 the things that have come out in recent months, back doors and such,
 what is a good program/software/tool to use that is well . . .
 secure? Is there such a thing now?
  
 Depends on your needs, for encrypting complete devices/partitions try
 the kernel's dm-crypt/luks module. If you just want to encrypt a
 directory try encfs, and for file encryption there's openssl and gpg
 
 Definitely dm-crypt/LUKS for partitions/devices, but why use encfs which
 needs FUSE, when ecryptfs does the same thing in kernel space?
 

True, I totally forgot about ecryptfs :-)





Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Dale
Alan McKinnon wrote:
 On 02/06/2014 11:48, Dale wrote:

 I admit, I have never used encryption like this before.  I am assuming
 that if I logout of my GUI, then it is encrypted at that point?  Once I
 log back in, it decrypts it again?  Am I at least close? 
 All disk encryption works to this general plan:

 You log in (or boot up), the system asks for a password/key or whatever,
 then unlocks the encryption used. Reads for the disk are decrypted on
 the fly, writes are encrypted on the fly. What is on disk is always in
 an encrypted state.

 Safety depends on how you set it up - if you use full disk encryption
 then you must unlock it at boot time. The disk is still readable until
 you power off or reboot.

 If you encrypt your home directory then you unlock it when you log in so
 logging out of your DE safely locks things again.

 You most likely want the second option, the odds that you have a valid
 need to protect /usr and /opt are not good. As a regular user out there,
 the stuff you want to protect is in /home (or you could easily move it
 to /home). You'd also want to encrypt /tmp and swap as your running apps
 often write secret stuff there (like ssh and gpg sockets) - that is
 really just an extension of why you want to encrypt /home itself


The second option does sound what I am looking for.  Basically, if I log
out but leave my computer on, leave home, some crook/NSA type breaks in
and tries to access something or steals my whole puter, they would just
get garbage for data.  That seems to fit the second option best. 

I'll have to get me a new hard drive first tho.  I'm going to try and
get a 4TB drive at some point and use the current 3TB drive for backups,
encrypted too I hope.

Thanks for the info.  Water is not quite so muddy. 

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Rich Freeman
On Mon, Jun 2, 2014 at 6:06 AM, Alan McKinnon alan.mckin...@gmail.com wrote:
 You log in (or boot up), the system asks for a password/key or whatever,
 then unlocks the encryption used.

The more common approach is to not prompt for a password/key, but
instead store it in the TPM using a trusted boot path.  This is
possible on Linux, but the only distro using it is ChromeOS as far
as I'm aware (granted, there are probably more Chromebooks in desktop
use these days than all the other distros combined).  On Windows this
is how just about everybody does it.

This is far more convenient as it does not require a password when
booting.  If you don't trust the person who will be using the machine
it is more secure against attacks by the legitimate user (typically in
these situations the computer is owned by a corporation, not the
end-user).

On the other hand, if somebody steals your laptop they can boot it
without issue.  Then if they have some way to exploit the running OS
they can get at the contents of the drive (though the home directory
could still be encrypted using the user's password on top of full-disk
encryption).

For attacks by anybody other than the NSA using the TPM is potentially
a lot more secure.  Instead of depending on a bunch of rounds of
crypto to prevent brute-forcing of a simple password you are depending
on the security of the TPM.  The TPM can be told to forget the key
after a certain number of failed attempts to get at it.  If you're
worried about the NSA it seems likely that your TPM has a back door
for them, but my sense is that if the NSA is THAT determined to get
your data there really isn't anything you're going to be able to do
about it.

Rich



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Neil Bothwick
On Mon, 02 Jun 2014 12:06:18 +0200, Alan McKinnon wrote:

 If you encrypt your home directory then you unlock it when you log in so
 logging out of your DE safely locks things again.
 
 You most likely want the second option, the odds that you have a valid
 need to protect /usr and /opt are not good. As a regular user out there,
 the stuff you want to protect is in /home (or you could easily move it
 to /home).

With one notable exception. There is sometimes sensitive information
in /etc, like wireless passwords.


-- 
Neil Bothwick

Being defeated is a temporary condition. Giving up is what makes it
permanent




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Neil Bothwick
On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:

 The second option does sound what I am looking for.  Basically, if I log
 out but leave my computer on, leave home, some crook/NSA type breaks in
 and tries to access something or steals my whole puter, they would just
 get garbage for data.  That seems to fit the second option best. 

If they steal your computer they will have to power it off, unless you
are kind enough to leave them a large enough UPS to steal along with it,
so any encryption will be equally effective.


-- 
Neil Bothwick

Capt'n! The spellchecker kinna take this abuse!




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Volker Armin Hemmann
Am 02.06.2014 12:22, schrieb Tanstaafl:
 On 6/1/2014 1:45 PM, Volker Armin Hemmann volkerar...@googlemail.com
 wrote:
 Am 01.06.2014 14:31, schrieb Tanstaafl:
 Wow, I've been mostly offline for a few days, and this morning when
 playing catch up on the news, learned that Truecrypt, one of my all
 time favorite apps, is no more.

 Some links of interest:

 https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

 https://news.ycombinator.com/item?id=7812133

 http://community.spiceworks.com/topic/505372-truecrypt-is-dead?page=1

 well, if true: good riddance.

 Just because you don't like something doesn't mean it has no value.
 Yes, on linux, there are much better options, but for windows users,
 it is (was) the best solution available bar none, and an amazing product.

no, I mean good riddance of a shady, probably stolen software with
unknown devs behind it holding the keys to your data. You should sweat a
lot right now.


 But I suspect some hacker-y or power struggle.

 Which means you took zero seconds to verify the veracity of the
 information. Uninformed comments are less than useless.

I took a lot of time to gather information. And came to the conclusion
mentioned above. But please continue to waste my time with your useless
posts on this ml and your overall insulting tone. Oh, you know what,
forget it. I am always eager to lower the overall standards of
conversation.


 And I forgot that most here are not windows users for whatever reason
 (some are just elitist pricks, some are purists for philosophical
 reasons, and some simply don't have to use Windows for a $dayjob).

what does this mangled mess of a sentence have to do with anything?
Besides, you forgot: people who just don't like Windows or MacOSX and
are happy that they don't have to use that garbage at home. Bad enough
that you have to use it at work.


 The fact is, Truecrypt is (was) THE GoTo encryption method for purely
 Windows based systems.

really? Why? And why should I care? There are many (good) methods.
Another one will take over soon. But if I ask any of my 300 co-workers,
I am sure that only 3 would know what truecrypt is.


 I just thought there might actually be some rational people on the
 list that would like to discuss the ramifications of such a major
 happening.

 Guess I was wrong.


what 'ramifications'? that a shady software, developed in the shadow,
with a strange licence suddenly goes away?




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Dale
Neil Bothwick wrote:
 On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:

 The second option does sound what I am looking for.  Basically, if I log
 out but leave my computer on, leave home, some crook/NSA type breaks in
 and tries to access something or steals my whole puter, they would just
 get garbage for data.  That seems to fit the second option best. 
 If they steal your computer they will have to power it off, unless you
 are kind enough to leave them a large enough UPS to steal along with it,
 so any encryption will be equally effective.



True but just in case they decide to sit down and give it a whirl first,
may as well be encrypted.  It gives me a shot at least.  I access my
bank and such on this thing.  I'd rather they not get that for sure. 

That said, my UPS claims it will run for about an hour or so.  They could
go quite a ways around here in an hour.

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Neil Bothwick
On Mon, 02 Jun 2014 06:04:44 -0500, Dale wrote:

 That said, my UPS claims it will run for about an hour or so.  They could
 go quite a ways around here in an hour.

Mine won't last that long, but it does make quite a racket when you
disconnect the mains, maybe loud enough to have a thief leave it behind.


-- 
Neil Bothwick

Life is a sexually transmitted disease and the mortality rate is 100%.




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread J. Roeleveld
On Monday, June 02, 2014 11:56:24 AM Neil Bothwick wrote:
 On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
  The second option does sound what I am looking for.  Basically, if I log
  out but leave my computer on, leave home, some crook/NSA type breaks in
  and tries to access something or steals my whole puter, they would just
  get garbage for data.  That seems to fit the second option best.
 
 If they steal your computer they will have to power it off, unless you
 are kind enough to leave them a large enough UPS to steal along with it,
 so any encryption will be equally effective.

You only need a UPS that can keep a machine running for about a few minutes.
First start the portable generator, then unplug the UPS from the wall and plug 
it into the portable generator.
Then when in the car/van/truck/... plug it over from the portable generator 
into a 12V / 24V - 120/240V DC/AC converter and drive to a location where you 
have the tools to hack into a running machine.

Best configure the machine to auto-power-down when it loses connection to a 
fixed device in your home, like the smart meter, bluetooth headset,... or 
anything else that has a built-in wireless capability.

--
Joost



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread J. Roeleveld
On Monday, June 02, 2014 12:10:38 PM Neil Bothwick wrote:
 On Mon, 02 Jun 2014 06:04:44 -0500, Dale wrote:
  That said, my UPS claims it will run for about an hour or so.  They could
  go quite a ways around here in an hour.
 
 Mine won't last that long, but it does make quite a racket when you
 disconnect the mains, maybe loud enough to have a thief leave it behind.

Those alarms are silenced when plugged back into a power source and usually 
there is a silence-button on the UPS.

--
Joost



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Rich Freeman
On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
 On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:

 The second option does sound what I am looking for.  Basically, if I log
 out but leave my computer on, leave home, some crook/NSA type breaks in
 and tries to access something or steals my whole puter, they would just
 get garbage for data.  That seems to fit the second option best.

 If they steal your computer they will have to power it off, unless you
 are kind enough to leave them a large enough UPS to steal along with it,
 so any encryption will be equally effective.

If you're worried about casual thieves then just about any kind of
properly-implemented encryption will stop them.

If you're worried about a government official specifically tasked with
retrieving your computer, my understanding is that it is SOP these
days to retrieve your computer without powering it off for just this
reason.  They won't use your UPS to do it.  Typically they remove the
plug just far enough to expose the prongs, slide in a connector that
connects it to a UPS, and then they pull it out the rest of the way
now powered by the UPS.

See something like:
http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/

Presumably somebody who is determined will also have the means to
retrieve the contents of RAM once they seize your computer.  Besides
directly accessing the memory bus I think most motherboards are not
designed to be secure against attacks from PCI/firewire/etc.

Rich



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Dale
Neil Bothwick wrote:
 On Mon, 02 Jun 2014 06:04:44 -0500, Dale wrote:

 That said, my UPS claims it will run for about an hour or so.  They could
 go quite a ways around here in an hour.
 Mine won't last that long, but it does make quite a racket when you
 disconnect the mains, maybe loud enough to have a thief leave it behind.




I have a CyberPower 1350 and it runs quiet.  It does have a small fan
that comes on when running off the batteries but it's quiet enough.  The
beeping gets on my nerves tho.  My puter only pulls about 150 watts and
that is with the router, modem and monitor all running.  If they unplug
all that except for the puter, then it may run for over an hour.

What I should do when I have the puter turned off again is run the power
plug through my desk or something in such a way that it would have to be
unplugged before moving the puter.  Well, I guess they could take the
desk too but given the layout of the place, good luck with that.  I had
to disassemble the desk to get it down the hallway. 

Gosh, this could get a bit crazy after a while.  Thing is, I don't have
any trust in the Govt here.  It's been questionable for a good long
while but now, zip, nada, null etc etc etc. 

Now to catch those 4TB drives on sale.  ;-) 

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Mark David Dumlao
On Mon, Jun 2, 2014 at 5:20 PM, Neil Bothwick n...@digimed.co.uk wrote:
 On Mon, 02 Jun 2014 10:53:51 +0200, Michael Hampicke wrote:

  I'm considering encrypting my home partition one of these days.  Given
  the things that have come out in recent months, back doors and such,
  what is a good program/software/tool to use that is well . . .
  secure? Is there such a thing now?

 Depends on your needs, for encrypting complete devices/partitions try
 the kernel's dm-crypt/luks module. If you just want to encrypt a
 directory try encfs, and for file encryption there's openssl and gpg

 Definitely dm-crypt/LUKS for partitions/devices, but why use encfs which
 needs FUSE, when ecryptfs does the same thing in kernel space?


for dual-boot systems, or simply from the point of system recovery, I
find it really attractive that I can, for example, open an encfs
filesystem in the other operating system (there's an encfs for
windows). Besides, I think the fact that you're doing encryption /
decryption on the fly completely overshadows the performance hit from
running a userspace filesystem anyways. Also, it's extremely
convenient to be able to mount / unmount the encfs on the fly without
su, sudo, or messing with fstab, as, for instance, with the case of
portable hard disks or usb sticks, where you don't want to
automatically unencrypt the contents unless you're prompted for the
password.
-- 
This email is:[ ] actionable   [x] fyi[ ] social
Response needed:  [ ] yes  [x] up to you  [ ] no
Time-sensitive:   [ ] immediate[ ] soon   [x] none



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread J. Roeleveld
On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote:
 On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
  On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
  The second option does sound what I am looking for.  Basically, if I log
  out but leave my computer on, leave home, some crook/NSA type breaks in
  and tries to access something or steals my whole puter, they would just
  get garbage for data.  That seems to fit the second option best.
  
  If they steal your computer they will have to power it off, unless you
  are kind enough to leave them a large enough UPS to steal along with it,
  so any encryption will be equally effective.
 
 If you're worried about casual thieves then just about any kind of
 properly-implemented encryption will stop them.
 
 If you're worried about a government official specifically tasked with
 retrieving your computer, my understanding is that it is SOP these
 days to retrieve your computer without powering it off for just this
 reason.  They won't use your UPS to do it.  Typically they remove the
 plug just far enough to expose the prongs, slide in a connector that
 connects it to a UPS, and then they pull it out the rest of the way
 now powered by the UPS.
 
 See something like:
 http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/

Hmm... Those are nice, but can be easily built yourself with an off-the-shelf 
UPS.

 Presumably somebody who is determined will also have the means to
 retrieve the contents of RAM once they seize your computer.  Besides
 directly accessing the memory bus I think most motherboards are not
 designed to be secure against attacks from PCI/firewire/etc.

Hmm... add something to auto-shutdown the computer when a hotplug event occurs 
on any of the internal ports and remove support for unused ports from the 
kernel.

I wonder how they'd keep a computer from initiating a shutdown procedure or 
causing a kernel panic when it loses (wireless) connection to another device 
that is unlikely to be moved when powered up?

--
Joost



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Dale
Rich Freeman wrote:
 If you're worried about casual thieves then just about any kind of
 properly-implemented encryption will stop them.

 If you're worried about a government official specifically tasked with
 retrieving your computer, my understanding is that it is SOP these
 days to retrieve your computer without powering it off for just this
 reason.  They won't use your UPS to do it.  Typically they remove the
 plug just far enough to expose the prongs, slide in a connector that
 connects it to a UPS, and then they pull it out the rest of the way
 now powered by the UPS.

 See something like:
 http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/

 Presumably somebody who is determined will also have the means to
 retrieve the contents of RAM once they seize your computer.  Besides
 directly accessing the memory bus I think most motherboards are not
 designed to be secure against attacks from PCI/firewire/etc.

 Rich




Now that is wicked.  Like I said, this could get crazy.  ROFL  Thing is,
with Linux, it could be set up to run a script so that if say the
keyboard/mouse/some other device is removed, it runs shutdown.  It seems
the biggest thing as far as Govt goes, having it do something they can't
anticipate it doing that locks things down or does a rm -rfv /* or some
other nasty command. 

I might add, on an older rig I tried that command once.  I ran rm -rfv /*
and it didn't erase everything like I thought it would.  I figured the
command would be loaded in ram and would run until the end of the /
structure.  It didn't.  I can't recall how far it got now but I think it
was in the /proc directory.  I figure it deleted the process and sort of
forgot to finish.  It's been a while since I did that tho.  Details are
fuzzy. 

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?

2014-06-02 Thread Matti Nykyri
On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:

 On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote:
 On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
 On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
 The second option does sound what I am looking for.  Basically, if I log
 out but leave my computer on, leave home, some crook/NSA type breaks in
 and tries to access something or steals my whole puter, they would just
 get garbage for data.  That seems to fit the second option best.
 
 If they steal your computer they will have to power it off, unless you
 are kind enough to leave them a large enough UPS to steal along with it,
 so any encryption will be equally effective.
 
 If you're worried about casual thieves then just about any kind of
 properly-implemented encryption will stop them.
 
 If you're worried about a government official specifically tasked with
 retrieving your computer, my understanding is that it is SOP these
 days to retrieve your computer without powering it off for just this
 reason.  They won't use your UPS to do it.  Typically they remove the
 plug just far enough to expose the prongs, slide in a connector that
 connects it to a UPS, and then they pull it out the rest of the way
 now powered by the UPS.
 
 See something like:
 http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
 
 Hmm... Those are nice, but can be easily built yourself with an off-the-shelf 
 UPS.
 
 Presumably somebody who is determined will also have the means to
 retrieve the contents of RAM once they seize your computer.  Besides
 directlly accessing the memory bus I think most motherboards are not
 designed to be secure against attacks from PCI/firewire/etc.
 
 Hmm... add something to auto-shutdown the computer when a hotplug event 
 occurs 
 on any of the internal ports and remove support for unused ports from the 
 kernel.
 
 I wonder how they'd keep a computer from initiating a shutdown procedure or 
 causing a kernel panic when it looses (wireless) connection to another device 
 that is unlikely to be moved when powered up?

Well, I have a switch in the door of the server room. It opens when you open the 
door. That signals the kernel to wipe all the encryption keys from kernel 
memory. Without the keys there is no access to the disks. After that another 
kernel is executed which wipes the memory of the old kernel. If you just pull 
the plug memory will stay in its state for an unspecified time.

Swap uses random keys.

Network switches and routers get power only after firewall-server is up and 
running.

There is no easy way to enter the room without wiping the encryption keys. 
Booting up the server requires that a boot disk is brought to the computer to 
decrypt the boot drive. Grub2 can do this easily. This is to prevent someone 
from tampering with a boot loader.

System is not protected against hardware tampering. The server room is an 
RF-cage.

I consider this setup quite secure.

-- 
-Matti


Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread Neil Bothwick
On Mon, 2 Jun 2014 19:34:40 +0800, Mark David Dumlao wrote:

  Definitely dm-crypt/LUKS for partitions/devices, but why use encfs
  which needs FUSE, when ecryptfs does the same thing in kernel space?

 for dual-boot systems, or simply from the point of system recovery, I
 find it really attractive that I can, for example, open an encfs
 filesystem in the other operating system (there's an encfs for
 windows).

I don't use Windows, so my other operating system is usually System
Rescue Cd :)

 Besides, I think the fact that you're doing encryption /
 decryption on the fly completely overshadows the performance hit from
 running a userspace filesystem anyways.

Or adds to it...

 Also, it's extremely
 convenient to be able to mount / unmount the encfs on the fly without
 su, sudo, or messing with fstab, as, for instance, with the case of
 portable hard disks or usb sticks, where you don't want to
 automatically unencrypt the contents unless you're prompted for the
 password.

AFAIR ecryptfs doesn't require root privileges.


-- 
Neil Bothwick

Anyone able to feel pain is trainable.




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread Michael Hampicke
 I might add, on a older rig I tried that command once.  I ran rm -rfv /*
 and it didn't erase everything like I thought it would.  I figured the
 command would be loaded in ram and would run until the end of the /
 structure.  It didn't.  I can't recall how far it got now but I think it
 was in the /proc directory.  I figure it deleted the process and sort of
 forgot to finish.  It's been a while since I did that tho.  Details are
 fuzzy. 

# rm -rfv /
rm: it is dangerous to operate recursively on ‘/’
rm: use --no-preserve-root to override this failsafe

# rm -rfv --no-preserve-root /
** deletes lots of stuff**
** cannot delete in /proc **
** cannot delete in /sys **
** deletes more stuff **
** finished with status 0 **

System broken :-) Don't worry, it was only a virtual machine.





Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread Matti Nykyri
On Jun 2, 2014, at 15:06, Dale rdalek1...@gmail.com wrote:

 Rich Freeman wrote:
 If you're worried about casual thieves then just about any kind of
 properly-implemented encryption will stop them.
 
 If you're worried about a government official specifically tasked with
 retrieving your computer, my understanding is that it is SOP these
 days to retrieve your computer without powering it off for just this
 reason.  They won't use your UPS to do it.  Typically they remove the
 plug just far enough to expose the prongs, slide in a connector that
 connects it to a UPS, and then they pull it out the rest of the way
 now powered by the UPS.
 
 See something like:
 http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
 
 Presumably somebody who is determined will also have the means to
 retrieve the contents of RAM once they seize your computer.  Besides
 directlly accessing the memory bus I think most motherboards are not
 designed to be secure against attacks from PCI/firewire/etc.
 
 Rich
 
 
 
 
 Now that is wicked.  Like I said, this could get crazy.  ROFL  Thing is,
 with Linux, it could be set up to run a script so that if say the
 keyboard/mouse/some other device is removed, it runs shutdown.  It seems
 the biggest thing as for as Govt goes, having it do something they can't
 anticipate it doing that locks things down or does a rm -rfv /* or some
 other nasty command. 
 
 I might add, on a older rig I tried that command once.  I ran rm -rfv /*
 and it didn't erase everything like I thought it would.  I figured the
 command would be loaded in ram and would run until the end of the /
 structure.  It didn't.  I can't recall how far it got now but I think it
 was in the /proc directory.  I figure it deleted the process and sort of
 forgot to finish.  It's been a while since I did that tho.  Details are
 fuzzy. 

Well, rm does not remove anything. It just unlinks the data. If you use a 
journalling fs, everything is recoverable from the journal easily. And even without 
the journal you will easily get most of the data.

dd if=/dev/zero of=/dev/your-root-drive bs=4096

This will wipe data so that it is quite hard to retrieve it. Retrieving would 
require opening the drive, etc...

-- 
-Matti


Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread godzil

On 2014-06-02 13:23, Matti Nykyri wrote:
 On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
 
 Well, I have a switch in the door of the server room. It opens when you
 open the door. That signals the kernel to wipe all the encryption keys
 from kernel memory. Without the keys there is no access to the disks.
 After that another kernel is executed which wipes the memory of the
 old kernel. If you just pull the plug memory will stay in its state
 for an unspecified time.
 
 Swap uses random keys.
 
 Network switches and routers get power only after firewall-server is
 up and running.
 
 There is no easy way to enter the room without wiping the encryption
 keys. Booting up the server requires that a boot disk is brought to
 the computer to decrypt the boot drive. Grub2 can do this easily. This
 is to prevent someone from tampering with a boot loader.
 
 System is not protected against hardware tampering. The server room
 is an RF-cage.
 
 I consider this setup quite secure.


It's nice to encrypt and wipe things automatically, but what about the 
backups?




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread J. Roeleveld
On Monday, June 02, 2014 03:23:03 PM Matti Nykyri wrote:
 On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
  On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote:
  On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
  On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
  The second option does sound what I am looking for.  Basically, if I
  log
  out but leave my computer on, leave home, some crook/NSA type breaks in
  and tries to access something or steals my whole puter, they would just
  get garbage for data.  That seems to fit the second option best.
  
  If they steal your computer they will have to power it off, unless you
  are kind enough to leave them a large enough UPS to steal along with it,
  so any encryption will be equally effective.
  
  If you're worried about casual thieves then just about any kind of
  properly-implemented encryption will stop them.
  
  If you're worried about a government official specifically tasked with
  retrieving your computer, my understanding is that it is SOP these
  days to retrieve your computer without powering it off for just this
  reason.  They won't use your UPS to do it.  Typically they remove the
  plug just far enough to expose the prongs, slide in a connector that
  connects it to a UPS, and then they pull it out the rest of the way
  now powered by the UPS.
  
  See something like:
  http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
  
  Hmm... Those are nice, but can be easily built yourself with an
  off-the-shelf UPS.
  
  Presumably somebody who is determined will also have the means to
  retrieve the contents of RAM once they seize your computer.  Besides
  directlly accessing the memory bus I think most motherboards are not
  designed to be secure against attacks from PCI/firewire/etc.
  
  Hmm... add something to auto-shutdown the computer when a hotplug event
  occurs on any of the internal ports and remove support for unused ports
  from the kernel.
  
  I wonder how they'd keep a computer from initiating a shutdown procedure
  or
  causing a kernel panic when it looses (wireless) connection to another
  device that is unlikely to be moved when powered up?
 
 Well i have a switch in the door of the server room. It opens when you open
 the door. That signals the kernel to wipe all the encryption keys from
 kernel memory. Without the keys there is no access to the disks. After that
 another kernel is executed which wipes the memory of the old kernel. If you
 just pull the plug memory will stay in its state for an unspecified time.

You don't happen to have a howto on how to set that up?

 Swap uses random keys.
 
 network switches and routers get power only after firewall-server is up and
 running.

networked powersockets?

 There is no easy way to enter the room without wipeing the encryption keys.
 Booting up the server requires that a boot disk is brought to the computer
 to decrypt the boot drive. Grub2 can do this easily. This is to prevent
 some one to tamper eith a boot loader.
 
 System is not protected against hardware tamperment. The server room is an
 RF-cage.
 
 I consoder this setup quite secure.

Makes me wonder what it is you are protecting your server from. :)

--
Joost



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread Matti Nykyri
On Jun 2, 2014, at 15:36, godzil god...@godzil.net wrote:

 On 2014-06-02 13:23, Matti Nykyri wrote:
 On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
 Well i have a switch in the door of the server room. It opens when you
 open the door. That signals the kernel to wipe all the encryption keys
 from kernel memory. Without the keys there is no access to the disks.
 After that another kernel is executed which wipes the memory of the
 old kernel. If you just pull the plug memory will stay in its state
 for an unspecified time.
 Swap uses random keys.
 network switches and routers get power only after firewall-server is
 up and running.
 There is no easy way to enter the room without wipeing the encryption
 keys. Booting up the server requires that a boot disk is brought to
 the computer to decrypt the boot drive. Grub2 can do this easily. This
 is to prevent some one to tamper eith a boot loader.
 System is not protected against hardware tamperment. The server room
 is an RF-cage.
 I consoder this setup quite secure.
 
 It's nice to encrypt and wipe things automatically, but what about the 
 backups?

Well, I have backups on their own drive with its own keys. I have backups of the 
keys in another location. The drives are LUKS drives with detached LUKS info.

-- 
-Matti


Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread Matti Nykyri
On Jun 2, 2014, at 17:52, J. Roeleveld jo...@antarean.org wrote:

 On Monday, June 02, 2014 03:23:03 PM Matti Nykyri wrote:
 On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
 On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote:
 On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
 On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
 The second option does sound what I am looking for.  Basically, if I
 log
 out but leave my computer on, leave home, some crook/NSA type breaks in
 and tries to access something or steals my whole puter, they would just
 get garbage for data.  That seems to fit the second option best.
 
 If they steal your computer they will have to power it off, unless you
 are kind enough to leave them a large enough UPS to steal along with it,
 so any encryption will be equally effective.
 
 If you're worried about casual thieves then just about any kind of
 properly-implemented encryption will stop them.
 
 If you're worried about a government official specifically tasked with
 retrieving your computer, my understanding is that it is SOP these
 days to retrieve your computer without powering it off for just this
 reason.  They won't use your UPS to do it.  Typically they remove the
 plug just far enough to expose the prongs, slide in a connector that
 connects it to a UPS, and then they pull it out the rest of the way
 now powered by the UPS.
 
 See something like:
 http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
 
 Hmm... Those are nice, but can be easily built yourself with an
 off-the-shelf UPS.
 
 Presumably somebody who is determined will also have the means to
 retrieve the contents of RAM once they seize your computer.  Besides
 directlly accessing the memory bus I think most motherboards are not
 designed to be secure against attacks from PCI/firewire/etc.
 
 Hmm... add something to auto-shutdown the computer when a hotplug event
 occurs on any of the internal ports and remove support for unused ports
 from the kernel.
 
 I wonder how they'd keep a computer from initiating a shutdown procedure
 or
 causing a kernel panic when it looses (wireless) connection to another
 device that is unlikely to be moved when powered up?
 
 Well i have a switch in the door of the server room. It opens when you open
 the door. That signals the kernel to wipe all the encryption keys from
 kernel memory. Without the keys there is no access to the disks. After that
 another kernel is executed which wipes the memory of the old kernel. If you
 just pull the plug memory will stay in its state for an unspecified time.
 
 You don't happen to have a howto on how to set that up?

Well, I have a daemon running and a self-made logic device in COM-port. Very 
simple. It has a single serial-parallel converter to do simple IO. Currently it 
just controls one relay that powers the network-devices.

 Swap uses random keys.
 
 network switches and routers get power only after firewall-server is up and
 running.
 
 networked powersockets?

A normal logic port and a transistor and then relay that controls power to the 
sockets of the network-devices :)

 There is no easy way to enter the room without wipeing the encryption keys.
 Booting up the server requires that a boot disk is brought to the computer
 to decrypt the boot drive. Grub2 can do this easily. This is to prevent
 some one to tamper eith a boot loader.
 
 System is not protected against hardware tamperment. The server room is an
 RF-cage.
 
 I consoder this setup quite secure.
 
 Makes me wonder what it is you are protecting your server from. :)

Well, just a hobby. I wanted to play with electronics. The server controls my 
heating, locks of the house, lights, air conditioning, fire-alarm and 
burglar-alarm. Gentoo-powered house...

-- 
-Matti
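
Added example (not part of the message above and not Matti's own setup): one way to do the software side of "wipe the keys, then start another kernel" with stock tools. `cryptsetup luksSuspend` wipes a volume key from kernel memory and `kexec -e` jumps into a kernel preloaded with `kexec -l`. The mapping names, the `ROOT_MAP` and `DRY_RUN` variables and the sample `dmsetup table` lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. On a tamper signal: wipe the
# volume keys of all dm-crypt mappings from kernel memory, then jump
# into a kernel that was preloaded earlier with `kexec -l`.
# Assumptions: every crypt mapping is LUKS (luksSuspend rejects plain
# mappings such as random-key swap); names below are hypothetical.

ROOT_MAP="${ROOT_MAP:-root}"   # assumed name of the mapping that holds /
DRY_RUN="${DRY_RUN:-1}"        # 1 = only print the plan, run nothing

# Constructed sample of `dmsetup table` output (key field shortened;
# dmsetup prints zeros instead of the key unless --showkeys is given).
SAMPLE_TABLE='root: 0 488392704 crypt aes-xts-plain64 00000000 0 8:3 4096
vg0-scratch: 0 209715200 linear 8:17 2048
backup: 0 976771055 crypt aes-xts-plain64 00000000 0 8:33 4096'

# crypt_maps: read `dmsetup table` output on stdin and print the name of
# every mapping whose target type (4th field) is "crypt".
crypt_maps() {
    awk '$4 == "crypt" { sub(/:$/, "", $1); print $1 }'
}

# build_plan ROOT: read mapping names on stdin, print one command per
# line. The root mapping is suspended last: luksSuspend blocks all I/O
# to the device, so nothing can be read from it afterwards.
build_plan() {
    root_map=$1
    have_root=0
    while IFS= read -r name; do
        case $name in
            ''|*[!A-Za-z0-9_.-]*)
                # Names are word-split when the plan is run, so refuse odd ones.
                printf 'skipping unsafe mapping name: %s\n' "$name" >&2
                continue ;;
        esac
        if [ "$name" = "$root_map" ]; then
            have_root=1
        else
            printf 'cryptsetup luksSuspend %s\n' "$name"
        fi
    done
    if [ "$have_root" -eq 1 ]; then
        printf 'cryptsetup luksSuspend %s\n' "$root_map"
    fi
    printf 'kexec -e\n'
}

# respond: build the plan from the live system and print or run it.
# Caveat: once / is suspended, cryptsetup and kexec can no longer be
# read from disk, so they must already be in memory (for example
# copies on a tmpfs that is first in PATH).
respond() {
    plan=$(dmsetup table | crypt_maps | build_plan "$ROOT_MAP")
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$plan"
        return 0
    fi
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        # Keep going on failure: a key left behind is worse than an error.
        $cmd || printf 'failed: %s\n' "$cmd" >&2
    done
}

# Run only when asked to, so the file can be sourced for inspection.
if [ "${1:-}" = "--respond" ]; then
    respond
fi
```

With `DRY_RUN=1` (the default) `respond` only prints the commands; a daemon watching the door switch would call it with `DRY_RUN=0`.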


Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread Rich Freeman
On Mon, Jun 2, 2014 at 8:06 AM, Dale rdalek1...@gmail.com wrote:
 Now that is wicked.  Like I said, this could get crazy.

Meh.  I don't encrypt my disks for desktops at home.  My Chromebook
comes encrypted out-of-the-box (no doubt the NSA can have it unlocked
on request). If I had any other laptops I'd probably use full-disk
encryption of some kind on it.

My threat model for disk encryption is that somebody steals my laptop
and wants to rummage for passwords/credit card numbers/etc.  If they
stole my desktop they'd probably give up when they find the data is
stored on btrfs in raid1 mode, and even the vanilla ext4 backup disk
probably would deter them, but if they're stealing my desktop they're
probably stealing my passport, birth certificates, and all that other
good stuff anyway.

As far as the NSA sending Ninjas through the windows goes, I really
see the threat there as having two levels.  One is that the NSA does
pervasive monitoring of virtually everything they can get their hands
on to look for trends/etc.  The other is that the NSA has a specific
interest in you, for whatever reason.

For general NSA monitoring simply using https/TLS/etc is about as good
as you're going to get.  Chances are they aren't interested in
attacking your PC due to the economics of it, and if they use
zero-days widely there is a risk of them being detected (and thus the
bug they exploit gets fixed and they have to find another).  They
probably read any unencrypted packets that go through a router at any
of the big choke points - probably a substantial part of the total
volume crossing the internet.  They probably do not store most of that
data - they look for whatever they look for and discard the rest.
They probably have root on major service provider networks (either
with or without cooperation), so they're reading your
Gmail/Facebook/etc, so they really don't care if you use https to
connect to those services.

If you're a target of interest then the gloves come off, depending on
just how interesting you are.  Most likely you're going to be targeted
for a remote exploit with professional management of a rootkit on your
devices.  All your network traffic might be captured and retained.  If
you're really interesting they might send the ninjas at night.  You
get all those nice value-added-services like pre-installed rootkits in
any hardware you buy, probably from any vendor as long as it passes
through a country that is US-friendly (which is just about
everywhere).

If you're looking to evade general monitoring your best bet is to not
communicate with anybody who isn't as paranoid as you are.  You
probably should refrain from posting on lists like this one, as they
are recording the people you correspond with to determine what sort of
person you are.  Honestly, you're best off not using the Internet at
all, since there isn't anybody you can talk to who won't leak
everything to the NSA unwittingly.  However, the reality is that most
of us are pretty boring, so the NSA probably doesn't care what we do.

If you're looking to evade specific monitoring then I don't know what
to tell you.  They targeted the Iranian uranium enrichment program and
that was behind a sneakernet.  I suspect that they have different
levels of effort for various targets.  For example, Snowden revealed
that the NSA looks to root boxes belonging to sysadmins who have
access to services they're interested in - so if they wanted to poke
around on the Gentoo forum logs to find IPs they might look to root
members of infra, even though the members of infra aren't of interest
otherwise.  I run a tor relay and I wouldn't be surprised if they
rooted my box as a result - rooting all the tor relays would allow
them to de-anonymize tor completely.  Sure, you can wire up the door
to drop your server in a vat of acid, but that doesn't help if they
have a zero-day for your server.

Honestly, I just don't worry about it.  If they want to root me, I
doubt worrying about it is going to change anything.  I'd rather if
they didn't, or if they are going to do it anyway I wish that I could
just ask them to send me a copy of my data so that I could stop
worrying about running my own backups.

Rich



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread J. Roeleveld
On Monday, June 02, 2014 04:23:07 PM Matti Nykyri wrote:
 On Jun 2, 2014, at 17:52, J. Roeleveld jo...@antarean.org wrote:
  On Monday, June 02, 2014 03:23:03 PM Matti Nykyri wrote:
  On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
  On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote:
  On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk 
wrote:
  On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
  The second option does sound what I am looking for.  Basically, if I
  log
  out but leave my computer on, leave home, some crook/NSA type breaks
  in
  and tries to access something or steals my whole puter, they would
  just
  get garbage for data.  That seems to fit the second option best.
  
  If they steal your computer they will have to power it off, unless you
  are kind enough to leave them a large enough UPS to steal along with
  it,
  so any encryption will be equally effective.
  
  If you're worried about casual thieves then just about any kind of
  properly-implemented encryption will stop them.
  
  If you're worried about a government official specifically tasked with
  retrieving your computer, my understanding is that it is SOP these
  days to retrieve your computer without powering it off for just this
  reason.  They won't use your UPS to do it.  Typically they remove the
  plug just far enough to expose the prongs, slide in a connector that
  connects it to a UPS, and then they pull it out the rest of the way
  now powered by the UPS.
  
  See something like:
  http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
  
  Hmm... Those are nice, but can be easily built yourself with an
  off-the-shelf UPS.
  
  Presumably somebody who is determined will also have the means to
  retrieve the contents of RAM once they seize your computer.  Besides
  directlly accessing the memory bus I think most motherboards are not
  designed to be secure against attacks from PCI/firewire/etc.
  
  Hmm... add something to auto-shutdown the computer when a hotplug event
  occurs on any of the internal ports and remove support for unused ports
  from the kernel.
  
  I wonder how they'd keep a computer from initiating a shutdown procedure
  or
  causing a kernel panic when it looses (wireless) connection to another
  device that is unlikely to be moved when powered up?
  
  Well i have a switch in the door of the server room. It opens when you
  open
  the door. That signals the kernel to wipe all the encryption keys from
  kernel memory. Without the keys there is no access to the disks. After
  that
  another kernel is executed which wipes the memory of the old kernel. If
  you
  just pull the plug memory will stay in its state for an unspecified time.
  
  You don't happen to have a howto on how to set that up?
 
 Well i have a deamon running and a self made logic device in COM-port. Very
 simple. It has a single serial-parallel converter to do simple IO.
 Currently it just controls one relay that powers the network-devices.

I actually meant the software side:
- How to wipe the keys and then wipe the whole memory.

  I consoder this setup quite secure.
  
  Makes me wonder what it is you are protecting your server from. :)
 
 Well just a hobby. I wanted to play with electronics. The server controls my
 heating, locks of the house, lights, airconditioning, fire-alarm and
 burglar-alarm. Gentoo-powered house...

I would keep the system controlling all that off the internet with only a 
null-modem cable to an internet-connected server using a custom protocol.

Anything that doesn't match the protocol initiates a full lock-down of the 
house. ;)

--
Joost



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread godzil
So you back up on hard drive, not tape, and these are not incremental 
backups.


But my question about backup was not only for you but for all that 
encrypt their servers.


The backup part is generally the weakest point.


On 2014-06-02 13:58, Matti Nykyri wrote:
 On Jun 2, 2014, at 15:36, godzil god...@godzil.net wrote:
  On 2014-06-02 13:23, Matti Nykyri wrote:
  On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
  Well, I have a switch in the door of the server room. It opens when you
  open the door. That signals the kernel to wipe all the encryption keys
  from kernel memory. Without the keys there is no access to the disks.
  After that another kernel is executed which wipes the memory of the
  old kernel. If you just pull the plug memory will stay in its state
  for an unspecified time.
  Swap uses random keys.
  Network switches and routers get power only after firewall-server is
  up and running.
  There is no easy way to enter the room without wiping the encryption
  keys. Booting up the server requires that a boot disk is brought to
  the computer to decrypt the boot drive. Grub2 can do this easily. This
  is to prevent someone from tampering with a boot loader.
  System is not protected against hardware tampering. The server room
  is an RF-cage.
  I consider this setup quite secure.
  
  It's nice to encrypt and wipe things automatically, but what about the
  backups?
 
 Well, I have backups on their own drive with its own keys. I have
 backups of the keys in another location. The drives are LUKS drives
 with detached LUKS info.




Re: [gentoo-user] How to extend the tmux status 'title' for each pane or window

2014-06-02 Thread Stroller

On Sat, 31 May 2014, at 4:22 pm, Mick michaelkintz...@gmail.com wrote:
 
 I am using tmux and find it convenient especially for managing remote 
 sessions, but I have noticed that the commands running in a session shown at 
 the bottom right hand side, within the status line, are too short.  Can I 
 extend the number of characters to be able to see more of the command being 
 run at any time?

I only see a *maximum* length option in the manpage - presumably because tmux 
allocates as much space as possible to the left and right statuses, but space 
must be consumed by the window titles in the middle. 

Is it possible you can give the right hand side more room by reducing the 
maximum of the left?

I'm interested to know what you're displaying on the right - it's been so long 
since I set up tmux, I can't remember what the defaults are. Could you possibly 
post the output of `tmux show -g status-right`, please?

I have:

$ tmux show -g | grep -E 'status-[lr]'
status-left #[fg=blue]#T
status-left-attr none
status-left-bg default
status-left-fg default
status-left-length 20
status-right #[fg=blue][#S]
status-right-attr none
status-right-bg default
status-right-fg default
status-right-length 40
$ 

Stroller.




Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread Volker Armin Hemmann
On 02.06.2014 12:56, Neil Bothwick wrote:
 On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:

 The second option does sound what I am looking for.  Basically, if I log
 out but leave my computer on, leave home, some crook/NSA type breaks in
 and tries to access something or steals my whole puter, they would just
 get garbage for data.  That seems to fit the second option best. 
 If they steal your computer they will have to power it off, unless you
 are kind enough to leave them a large enough UPS to steal along with it,
 so any encryption will be equally effective.


If they go so far as to steal his box, they will probably be willing to use
some rubber hose attacks to break the key...



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread Volker Armin Hemmann
On 02.06.2014 13:28, Rich Freeman wrote:
 On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
 On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:

 The second option does sound what I am looking for.  Basically, if I log
 out but leave my computer on, leave home, some crook/NSA type breaks in
 and tries to access something or steals my whole puter, they would just
 get garbage for data.  That seems to fit the second option best.
 If they steal your computer they will have to power it off, unless you
 are kind enough to leave them a large enough UPS to steal along with it,
 so any encryption will be equally effective.
 If you're worried about casual thieves then just about any kind of
 properly-implemented encryption will stop them.

 If you're worried about a government official specifically tasked with
 retrieving your computer, my understanding is that it is SOP these
 days to retrieve your computer without powering it off for just this
 reason.  They won't use your UPS to do it.  Typically they remove the
 plug just far enough to expose the prongs, slide in a connector that
 connects it to a UPS, and then they pull it out the rest of the way
 now powered by the UPS.

 See something like:
 http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/

Only works with sockets of unsafe design - aka American stuff.

Cannot be used with Schuko sockets.





Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread J. Roeleveld
On Monday, June 02, 2014 07:14:27 PM Volker Armin Hemmann wrote:
 On 02.06.2014 13:28, Rich Freeman wrote:
  On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
  On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
  The second option does sound what I am looking for.  Basically, if I log
  out but leave my computer on, leave home, some crook/NSA type breaks in
  and tries to access something or steals my whole puter, they would just
  get garbage for data.  That seems to fit the second option best.
  
  If they steal your computer they will have to power it off, unless you
  are kind enough to leave them a large enough UPS to steal along with it,
  so any encryption will be equally effective.
  
  If you're worried about casual thieves then just about any kind of
  properly-implemented encryption will stop them.
  
  If you're worried about a government official specifically tasked with
  retrieving your computer, my understanding is that it is SOP these
  days to retrieve your computer without powering it off for just this
  reason.  They won't use your UPS to do it.  Typically they remove the
  plug just far enough to expose the prongs, slide in a connector that
  connects it to a UPS, and then they pull it out the rest of the way
  now powered by the UPS.
  
  See something like:
  http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
 
 only works with sockets of unsafe design - aka american stuff.
 
 Can not be used with Schuko sockets.

Actually, it can be used with Schuko sockets, just a bit risky...

1) Strip the wire
2) split off the power wires
3) plug the powersupply directly onto the core of the cable.
4) unplug from the wall

--
Joost



Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet?

2014-06-02 Thread Volker Armin Hemmann
Am 02.06.2014 16:52, schrieb J. Roeleveld:
 On Monday, June 02, 2014 03:23:03 PM Matti Nykyri wrote:
 On Jun 2, 2014, at 16:40, J. Roeleveld jo...@antarean.org wrote:
 On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote:
 On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick n...@digimed.co.uk wrote:
 On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
 The second option does sound what I am looking for.  Basically, if I
 log
 out but leave my computer on, leave home, some crook/NSA type breaks in
 and tries to access something or steals my whole puter, they would just
 get garbage for data.  That seems to fit the second option best.
 If they steal your computer they will have to power it off, unless you
 are kind enough to leave them a large enough UPS to steal along with it,
 so any encryption will be equally effective.
 If you're worried about casual thieves then just about any kind of
 properly-implemented encryption will stop them.

 If you're worried about a government official specifically tasked with
 retrieving your computer, my understanding is that it is SOP these
 days to retrieve your computer without powering it off for just this
 reason.  They won't use your UPS to do it.  Typically they remove the
 plug just far enough to expose the prongs, slide in a connector that
 connects it to a UPS, and then they pull it out the rest of the way
 now powered by the UPS.

 See something like:
 http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
 Hmm... Those are nice, but can be easily built yourself with an
 off-the-shelf UPS.

 Presumably somebody who is determined will also have the means to
 retrieve the contents of RAM once they seize your computer.  Besides
 directly accessing the memory bus I think most motherboards are not
 designed to be secure against attacks from PCI/firewire/etc.
 Hmm... add something to auto-shutdown the computer when a hotplug event
 occurs on any of the internal ports and remove support for unused ports
 from the kernel.

 I wonder how they'd keep a computer from initiating a shutdown procedure
 or
 causing a kernel panic when it loses (wireless) connection to another
 device that is unlikely to be moved when powered up?
 Well I have a switch in the door of the server room. It opens when you open
 the door. That signals the kernel to wipe all the encryption keys from
 kernel memory. Without the keys there is no access to the disks. After that
 another kernel is executed which wipes the memory of the old kernel. If you
 just pull the plug memory will stay in its state for an unspecified time.
 You don't happen to have a howto on how to set that up?

 Swap uses random keys.

 network switches and routers get power only after firewall-server is up and
 running.
 networked power sockets?

 There is no easy way to enter the room without wiping the encryption keys.
 Booting up the server requires that a boot disk is brought to the computer
 to decrypt the boot drive. Grub2 can do this easily. This is to prevent
 someone from tampering with a boot loader.

 System is not protected against hardware tampering. The server room is an
 RF-cage.

 I consider this setup quite secure.
 Makes me wonder what it is you are protecting your server from. :)


some people really want to hide their porn collection.

No, I don't know what is in that black aluminium case. Yeah, lost the
keys a long time ago. No, I don't want to throw it away, the plant looks
so nice on it ...
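
The tamper response quoted above (wipe the dm-crypt keys from kernel memory, then execute another kernel) can be sketched as follows. This is an added example, not code from anyone in the thread. It assumes the door-switch watcher invokes the script with `--run`, that a memory-scrubbing kernel was preloaded with `kexec -l`, and the sample table is constructed.

```shell
#!/bin/sh
# Added example: tamper-response handler for dm-crypt volumes.
# Assumption: whatever watches the door switch runs this with --run.

# Constructed sample in the format of `dmsetup table` (key fields shortened).
SAMPLE_TABLE='vg-home: 0 209715200 linear 8:2 2048
crypthome: 0 976768000 crypt aes-xts-plain64 0000000000000000 0 8:3 4096
cryptswap: 0 16777216 crypt aes-xts-plain64 0000000000000000 0 8:4 0'

# Print the names of all dm-crypt mappings in `dmsetup table` output (stdin).
# Line layout: "<name>: <start> <length> <target> <target args...>"
crypt_mappings() {
    awk '$4 == "crypt" { sub(/:$/, "", $1); print $1 }'
}

# Wipe the key of every mapping named on stdin, then jump to the new kernel.
# With DRY=echo the commands are printed instead of executed.
wipe_keys() {
    while read -r name; do
        [ -n "$name" ] || continue
        # dm-crypt only accepts "key wipe" while the device is suspended.
        ${DRY:-} dmsetup suspend "$name"
        ${DRY:-} dmsetup message "$name" 0 key wipe
    done
    # Assumption: a scrubbing kernel was loaded earlier with `kexec -l`.
    ${DRY:-} kexec -e
}

case "${1:-}" in
    --plan) DRY=echo; dmsetup table | crypt_mappings | wipe_keys ;;
    --run)  dmsetup table | crypt_mappings | wipe_keys ;;
esac
```

Once the mapping that holds the root filesystem is suspended, anything that has to be read from disk blocks, so the script and the binaries it calls need to live on a RAM-backed filesystem.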