# Where r the computer geeks at?



## sudsy9977 (Mar 30, 2014)

Ok so this might be a stupid question and I might not even understand the answer but here goes....

So I read a bunch of forums...and on some there is a bunch of doomsday preppers and the like....a lot of them keep their personal info on a flash drive...seems like a good idea I guess. But how do u keep it from getting into the wrong hands.....can u put some type of passwords on a file so others can't see it....if u did lose it couldn't someone eventually open the files?....I know it's a weird question but I figured I'd ask.....I don't feel like asking on the other forums...I'm not a contributing member I just read them occasionally....ryan


----------



## Pensacola Tiger (Mar 30, 2014)

USB flash drives can be encrypted. I suppose the NSA might be able to break the encryption, but ...


----------



## sudsy9977 (Mar 30, 2014)

How do u encrypt a flash drive....so I guess once it's encrypted the average joe ain't gonna be able to look at the information? How do u view it....is there a password, special handshake?


----------



## Pensacola Tiger (Mar 30, 2014)

Many flash drives come with encryption software, but there are lots of alternatives.

http://www.esecurityplanet.com/views/article.php/3880616/How-to-Encrypt-a-USB-Flash-Drive.htm

Your operating system may have encryption utilities built in. OS X has FileVault, which can be used on an external drive.


----------



## Lefty (Mar 30, 2014)

Ummm, yeah. What Rick said....

Sometimes I wonder what Rick DOESN'T know.


----------



## riba (Mar 31, 2014)

i use truecrypt. pretty handy

http://www.truecrypt.org


----------



## TB_London (Mar 31, 2014)

IronKey drives can be set to 'Self-destruct' whereby they'll erase the data and encryption keys after 10 failed attempts. The enterprise ones also allow for extra features like geo location of use and remote erase.

TrueCrypt is, interestingly, currently being reviewed for security after a crowd-sourced fund paid for it to be fully tested.


----------



## icanhaschzbrgr (Mar 31, 2014)

geeks won't use flash drives. That's sooo 200x 
Nowadays geeks would use clouds + client side encryption tools. Check out something like https://www.cloudfogger.com or https://www.boxcryptor.com


----------



## Dave Martell (Mar 31, 2014)

The device that you plug into still has your info and if online then so does everyone else, or at least they could. Nothing is secret, there's just levels of difficulty in obtaining the info.


----------



## Pensacola Tiger (Mar 31, 2014)

icanhaschzbrgr said:


> geeks won't use flash drives. That's sooo 200x
> Nowadays geeks would use clouds + client side encryption tools. Check out something like https://www.cloudfogger.com or https://www.boxcryptor.com



That works until the internet doesn't.


----------



## Talim (Mar 31, 2014)

Knowing what NSA has been doing, do you really trust those clouds to keep your info private?


----------



## icanhaschzbrgr (Mar 31, 2014)

Pensacola Tiger said:


> That works until the internet doesn't.


Not really. Solutions that I mentioned would just add encryption to the process of syncing your stuff between local machine and cloud. So you'd retain all the data encrypted locally all the time.


----------



## Pensacola Tiger (Mar 31, 2014)

icanhaschzbrgr said:


> Not really. Solutions that I mentioned would just add encryption to the process of syncing your stuff between local machine and cloud. So you'd retain all the data encrypted locally all the time.



You're missing the point. The objective is to keep all, and I mean ALL, of your sensitive data on the flash drive. No local copies that require synchronization, no copies in the cloud, just the flash drive, which you keep on your person. If you are sufficiently paranoid, you make another drive and entrust it to another person or hide it real well.


----------



## icanhaschzbrgr (Apr 1, 2014)

Pensacola Tiger said:


> You're missing the point. The objective is to keep all, and I mean ALL, of your sensitive data on the flash drive. No local copies that require synchronization, no copies in the cloud, just the flash drive, which you keep on your person. If you are sufficiently paranoid, you make another drive and entrust it to another person or hide it real well.


Yeah, I guess I'm really missing the point. If the data is so important then having only one or two copies is nothing but crazy 
If I were a real paranoid I'd try to infiltrate the world with as many copies as possible. Upload them everywhere. 

As for encryption itself my point is pretty simple: if you can decrypt it, then anyone else can decrypt it. The tricky part is, you can decrypt it almost instantly assuming you have your secret key, while all others would have to brute force the key (or try some other ways to weaken encryption) which could take very significant amounts of time.

I've seen too many dead flashdrives to trust them. Heck, I don't even trust the flash that's in my camera, cause I know it WILL fail one day. It already happened with my old camera once, so could happen again.


----------



## Salty dog (Apr 1, 2014)

Pensacola Tiger said:


> You're missing the point. The objective is to keep all, and I mean ALL, of your sensitive data on the flash drive. No local copies that require synchronization, no copies in the cloud, just the flash drive, which you keep on your person. If you are sufficiently paranoid, you make another drive and entrust it to another person or hide it real well.



I suggest a simple balloon. Condoms are too thin and finger cots aren't flexible enough. Also avoid the flash drives with sharp edges even if they're smaller. And a little Vaseline goes a long way.


----------



## Pensacola Tiger (Apr 1, 2014)

icanhaschzbrgr said:


> Yeah, I guess I'm really missing the point. If the data is so important then having only one or two copies is nothing but crazy
> If I were a real paranoid I'd try to infiltrate the world with as many copies as possible. Upload them everywhere.
> 
> As for encryption itself my point is pretty simple: if you can decrypt it, then anyone else can decrypt it. The tricky part is, you can decrypt it almost instantly assuming you have your secret key, while all others would have to brute force the key (or try some other ways to weaken encryption) which could take very significant amounts of time.
> ...



You're confusing backups with security.


----------



## wenus2 (Apr 3, 2014)

Salty dog said:


> I suggest a simple balloon. Condoms are too thin and finger cots aren't flexible enough. Also avoid the flash drives with sharp edges even if they're smaller. And a little Vaseline goes a long way.


:eek2:
He said ON your person, not IN your person.
Sheesh Salty!


----------



## Salty dog (Apr 3, 2014)

If you're serious about security................


----------



## Zerob (Apr 4, 2014)

I'm a computer forensics guy. So download truecrypt and install it on any drive you want encrypted (it's easy to use and there's lots of documentation for it). Also use a password/key that's long. How I do passwords is that I pick a long sentence I can easily remember and change letters to signs. Like @ for all As. Every so often I'll change the signs: instead of @ for As, I'll use 3 for Es.


Why I stress long passwords:

You have to think that choosing one lowercase letter is 26 combinations. So a 3 letter password with repetition is 26x26x26 = 26^3 combinations. If you have upper and lower case then it's 52 combinations. 52^3 for a 3 letter password that's only uppercase and lower case. The number gets astronomical when you add symbols/punctuation and have a long password. The general formula is (How many total different symbols) ^ (length of password) = (number of combinations).

The goal is to make it long enough so someone will have to spend too much time to break it. I know guys still running a password brute force program to break a criminal's hard drive for over 2 yrs.

I have a lot of data so I use two 2.5" external drives for backup. I find those laptop hard drives more reliable than flash drives for backup.

And people posting about AES encryption being cracked. It's not true. AES is the standard. People know how these formulas work, but no one has found a fast way to break them. It will still take millions of years to crack an AES key. Don't worry about 128k vs 192k vs 256k. No real difference yet. But people "feel" safer with the higher number.


----------
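
Added example, not part of any post in the thread: the combinations formula from the post above, (different symbols) ^ (length), applied to whole passwords by summing the character classes each one uses. The sample passwords are constructed, the guess rate of 1e10 per second is an assumption, and the count covers an exhaustive search over every string of that length.

```python
import math
import string

# Character classes an exhaustive search must cover if the password uses them.
CLASSES = {
    "lower": string.ascii_lowercase,       # 26
    "upper": string.ascii_uppercase,       # 26
    "digit": string.digits,                # 10
    "symbol": string.punctuation + " ",    # 32 punctuation marks + space = 33
}

def alphabet_size(password):
    """Sum the sizes of every character class that appears in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(password):
    """The post's formula: (number of different symbols) ^ (password length)."""
    return alphabet_size(password) ** len(password)

def years_to_exhaust(combinations, guesses_per_second):
    """Worst-case time to try every combination at a fixed guess rate."""
    return combinations / guesses_per_second / (365 * 24 * 3600)

def report(password, guesses_per_second=1e10):  # rate is an assumed figure
    n = keyspace(password)
    return {
        "alphabet": alphabet_size(password),
        "length": len(password),
        "combinations": n,
        "bits": round(math.log2(n), 1),    # same count expressed as key bits
        "years": years_to_exhaust(n, guesses_per_second),
    }

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the thread.
    for pw in ["abc", "aBc", "kn1fe", "my kn!fe is sh@rper th@n yours"]:
        r = report(pw)
        print(f"{pw!r:34} N={r['alphabet']:3} L={r['length']:2} "
              f"bits={r['bits']:6} years={r['years']:.3g}")
```

Length dominates the result: the 30-character sentence uses only 59 symbols yet lands far beyond the 3-letter cases, which fall in well under a second at the assumed rate.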



## Zerob (Apr 4, 2014)

I forgot. I don't hold sensitive data on cloud storage like Dropbox or other companies because you never know what happens to that data if the company goes under. The general rule I've learned is that once something is online, it's there forever.


----------



## Namaxy (Apr 4, 2014)

Late to this conversation. I use an ioSafe portable SSD.


----------



## Lizzardborn (Apr 4, 2014)

Software developer here. Golden rule of backup is 3 copies, at least one of which should be in a second location.

In general about encryption - every encryption is susceptible to thermorectal/rubberhose cryptanalysis. So if someone is really interested and doesn't mind doing a few felonies they will get the info just by beating the keys out of you. In that case you need obscurity too - the entity should not know you even possess it.

A little about NSA and encryption - there are two main kinds of encryption. Symmetrical and asymmetrical. The first is used for data storage, the latter for web security, bank transfers, electronic signings. The second is vulnerable because it is relying on math quirks - so NSA probably could hide a few aces up their sleeves. The symmetrical is a very different beast - it usually uses a lot of very simple math operations (plus, rot, xor) scrambling data lots and lots of times and there aren't many theoretical attacks that could be used.

What NSA and the likes usually do is use vulnerabilities in the implementation of the algorithms and the operating systems/browsers themselves. So an unpatched computer is a greater danger than the NSA's ability to crack the key. If you have something that may get their attention - make an airgap. On https://www.schneier.com/ there are some very good tutorials and explanations.

A good home setup is you create a truecrypt volume with a strong key/strong passphrase that you mount and fill. Then store it in some cloud storage, on your hard drive and on a flash drive if needed. Or external hard drive. It is pretty secure and simple to use. And due to the way Dropbox and the others operate - if you change something inside you will only sync the changed parts.


----------



## mr drinky (Apr 5, 2014)

I largely keep mine on paper. And I don't always record it correctly on the sheets on purpose, but I know my patterns so I can still fill in the blanks for my use. This way if someone finds my sheet of paper among thousands in my house, they will still have to decipher them to some degree. I've gone retro, but I used to keep them on key drives encrypted.

I also create a system where I often don't know my own passwords. I simply shift my fingers over, up, or down on the keyboard and type a common long phrase. Your fingers will respond to muscle memory while typing and you don't even need to look at the screen or keyboard, and that is it: you now have a password that even you don't know. I kid you not when I say that I have not known my password for gmail for the last four years and yet access it multiple times a day (I also never save my important passwords to my computer). It does really suck though when you try to log in on a mobile device. 

Lastly, I used to work anti-fraud in a couple of different fields, and it is useful to keep in mind a couple of things: (1) fraud/theft usually seeks out low transaction cost. Difficult and expensive fraud is usually conducted less often, and in conjunction with that (2) value is also important. Fraud is still a business, and seeking out higher value targets versus cost is often more worthwhile. Would you want to hack someone's account with a nice expensive zip code or someone on the other side of the tracks? Redlining was a frowned-upon practice, but somehow I don't think hackers give a crap.

Also, for example, US debit cards have had horrible security (compared to Europe) for 10+ years [low transaction cost] and often did not provide the same protections/security that credit cards did and ALSO linked directly to bank accounts [high value]. I never use or used debit cards at transaction terminals. I think it is no surprise that the Target breach involves a company with extensive debit card issuance that links to people's PINs and bank accounts. Now in Minnesota it is finally required to use a PIN with all debit card transactions. We are only 15 years behind Europe on this one. Bravo.

Anyhow, I am rambling -- but any system IMO can be hacked. The more high-tech you go, you can also get beat in some other low-tech way. Target debit card holders who did everything right still had their information compromised regardless of how they stored their data on some flash drive (or in my case: a piece of paper). 

Just as a side story: I remember watching Penn and Teller (the comedians) on a TV show once and they talked about a magic trick on Letterman that they did once. Their response when asked how it was done was something to the effect: "As long as you can pay a very small man some money to sit in a cramped box with his hand in a fish for 20 minutes, you can pull off most any trick." 

There is always some way to get it done: the best you can do is try to raise that transaction cost as much as possible so people have a hard time doing it.

k.


----------

