Tuesday, May 19, 2015

Some more digital security info from the Survival Blog

Some more digital security info from the Survival Blog

Where TrueCrypt left off, VeraCrypt has picked up the baton. (It has the exact same interface, same features with improvements made behind the scenes.)
The TrueCrypt letter specifically said that there “May still be unresolved security issues…” They didn’t say it wasn’t secure. They were quite vague. They were in the middle of an audit and quit before the results came out. VeraCrypt takes the results of the audit and appeared to correct some of the very minor issues. I was impressed by how few they are (i.e., increasing some iterations from a few thousand to hundreds of thousands), and bringing parts of the coding to current standards. They have a FAQ on their website. The transition has been stable for me. – C.S.

Hello from Russia!
This Friday, SurvivalBlog mentioned “Digital Security- Part 2, by Dakota”. As a computer specialist and a paranoiac, I must warn you about two things.
  1. Bitmessage is absolutely secure. (I mean that nobody can read an encrypted message or find the sender or recipient or fact of communication between them.) But the price of this fact is too high and is a security hole by itself:
Bitmessage client sends your message to every other client. What does it mean? In reality, every client would receive all the traffic the system creates. If, say, every one of 100 users sends one 10-kbyte message per day, then everyone would receive 1 MByte. Just 100,000 users would generate 1 GByte each. Also, as I can understand from their FAQ, the system finds connecting nodes automatically, so the adversary knows all the nodes.
So while the network is small enough the adversary could assume that every node is under suspicion and has enough resources to check all of them, but a big enough network would fall under its own weight.
I see two possible resolutions of this problem; one is use of some variants of Kademlia to route the mail to the nodes that are nearer in Kademlia meaning, and the second one is just I2P.
  1. MailPile security is not better than, say, Thunderbird configured to delete messages from the server since the official server may be (and often is) officially required to retain your letters for some period.
I see only one possible resolution of this problem if a standard e-mail protocol is used: install your own encrypted Sendmail on your own computer and ask your friends to do the same. But it still does not save you from metadata collection. (They know who writes to you.)
Best wishes. A.

[I can’t vouch for any of this info, either.]

No comments: