Welcome to (I think) version 5 of this website. Well it's progressed from a simple page on Bigpond, through some dodgy hand-coded HTML, then a love-hate relationship with Dreamweaver, and more recently an unsatisfying sojourn with Joomla, to finally settle on Moodle as my content management system.
Enjoy! I hope you find something here you like, however I may need some time to re-populate all the content.
News
Secure remote storage with Dropbox and TrueCrypt
by Mike Smith - Sunday, 19 December 2010, 11:37 AM
Dropbox is a service for backup and synchronization of files, and it runs on Windows, Mac OS X and Linux. As I pointed out before, I’d like to be able to use Dropbox without security torments. I don’t think that the guys who run Dropbox really want to peek inside my files, but the risk that someone else does indeed gain access to my data, accidentally or intentionally, is not negligible. A malicious employee, a security breach, the company is sold… I want to feel safe; I need a solution that, on top of Dropbox, adds the security I need. One of the best things about Dropbox is the ability to run on most computer platforms, so a nice solution to the security problem should also possess this quality. The most portable solution up to now seems to be the addition of TrueCrypt. TrueCrypt is a cross-platform encryption software that, among other functionalities, creates files that can be used as encrypted volumes. The idea is to put these encrypted files (that can be considered as safety vaults) inside Dropbox, and to use TrueCrypt on the local copy of the files to decrypt and access the private data. In this way, the data that is stored inside Dropbox is completely unusable by everyone, except the ones who can decrypt it. The decryption can involve a password that a user must remember, a key file that a user must have in his computer, or both. I like the idea of having both because then, in order to read my data, a potential spy must have:
The encrypted vault file (located in my Dropbox or any other computer linked to it)
The key file (located in my computers or inside a USB drive)
The password (located in my brain)
I think the only feasible attacks to read my data would then be aimed at reading it when I have decrypted it (other than beat me with a 5$ wrench to make me hand over my USB drive and spit out the password).
Another useful trick for Linux/Mac users is to keep the files in the Dropbox folder, and create a link where you need them using “ln -s targetlink_name“. For example, you can copy the “places.sqlite” file that is inside your Firefox profile, and contains your bookmarks and history, inside the Dropbox folder, and create a link to it in your Firefox profile folder. Doing so, you can synchronize your Firefox bookmarks for all your computers.
5 Responses “Secure remote storage with Dropbox and TrueCrypt” →
James Sigley
2009/11/09
I want to create a “dropbox” type website but with encryption. would you be interested in helping? Also checkout i D r i v e.com. this is ultimately what I want to create.
Hello James, unfortunately I don’t think I have the necessary free time to help consistently on a project like yours. I just have the time to hack together a solution with existing tools. If you accept suggestions, I think that a good solution should have: 1. open source client 2. client-side encryption (the server cannot see the content) AND/OR open source server that can be installed at home 3. portable client on different platforms 4. change-driven actions and not polling (using inotify on Linux and something like ReadDirectoryChangesW on Windows)
A possible implementation could be a big “image” file on the server that contains an encrypted filesystem, and the protocol gives you read/write access to the image. This could prove problematic with multiple contemporary accesses or multiple users accessing the same data.
thousand
2010/07/23
The problem with this technique is that if youre vault size ( or whatever your vault size is ) is large , then every time you update a single file in the vault , the entire vault is reuploaded… So if you added or modified a 1KB file, and your vault size is 500MB, you will cause yourself to have to reupload 500MB.
I thought so, but actually it doesn’t. I have a 10MB vault file. I tried to change a file inside it and monitor what happens in the network. Here is the result. The screenshot displays what happens when opening the vault, editing a file (a small file actually), closing the vault and waiting for the Dropbox icon to become a green tick (“V”) again, meaning that the files have been synchronized. As you can see, the upload phase is not sending 10MB of data, because it lasts only a few seconds. I don’t know what happens exactly because Dropbox is closed source, but I suppose that Truecrypt changes only a small block of the vault when a small file is changed, and Dropbox synchronizes only the parts of large files that have changed, using some sort of hashing technique to optimize bandwidth. You can try it for yourself if you’re skeptic.
[...] storage with Dropbox and TrueCrypt: Dropbox is a service for backup and synchronization of files,.. http://bit.ly/2Y4Pfe@Kroc @thomholwerda Those type of things work, I have a server with a few friends. That way we have [...]
Protecting yourself from the criminals of the Internet shouldn't cost you a fortune. In fact, it doesn't have to cost you anything.
Firewalls and antivirus programs can't do all the work of safe computing — small, targeted utility apps that encrypt your files, keep your passwords safe, and clean up your PC add to your protection.
I have five of these small security apps that I wouldn't want to do without. Chances are you could use them, too; if not now, then someday.
What's even better — they're free. Lock your sensitive data in a hidden vault
First up is TrueCrypt, a free download (page) that gives you on-the-fly disk encryption. It works on all current versions of Windows plus Mac OS X and Linux systems.
We all have files that need to be kept private — financial spreadsheets containing credit-card and bank-account numbers, confidential business plans, lists of clients, or maybe just something very personal.
Forget about the encryption tools included with Windows, which are designed to be as simple to use as possible. For example, if you encrypt a folder through Windows, that folder is completely accessible when you're signed in and completely inaccessible when someone else is signed in to that PC with a different user account. You're never consciously saying, "Now I need access to my private information" or "Now I can lock that information away again." Your data is vulnerable every time you get up for a cup of coffee.
Windows encryption works for an IT department that wants to protect naive users, but not for someone who understands what encryption is and why it's necessary.
That's why you're better off with TrueCrypt, a free, open-source program that lets you create encrypted vaults. To someone without the password, a vault is a file filled with meaningless gobbledygook. But open it with TrueCrypt, and it becomes a virtual drive you can read from and write to, as you would any hard drive partition.
TrueCrypt vaults can use AES, Serpent, or Twofish encryption — three of the better encryption standards available for public use. If you use a strong password, no one else is going to get into that vault.
Even if someone used identity theft or extortion to get your password, TrueCrypt still offers protection. For instance, you can hide one vault inside another in such a way that, even with the outer vault open, the inner one is invisible (see Figure 1). The outer vault could contain data you'd plausibly want to protect but which a thief wouldn't find useful; the real secrets would be in the inner vault.
Figure 1. For files you really want to hide, TrueCrypt lets you hide encrypted vaults within another TrueCrypt vault. Organize your passwords in a safe place
No, not on an index card taped under your desk.
Here are two pieces of advice about passwords you probably already know: the best password is a long, random string of numbers and letters; you shouldn't use the same password for more than one purpose.
Great! Oh, but now you have to memorize dozens of long, random strings of numbers and letters.
The simple alternative is Password Safe (info page), an open-source password manager. Among the dozens of password managers available, this app is flexible, secure, and easy to use.
You can store all your passwords in its Twofish-encrypted data file, along with sign-in names, URLs, and whatever other information you choose to include. You can group entries into categories (business, memberships, retail, or whatever) for easy organization, and you can easily search the entire database if you don't remember which category you put windowssecrets.com into.
You can also cut a bit of time and indecision trying to think up those strong, totally random passwords that you won't remember anyway. Just click Password Safe's Generate button and let it create one for you. If it conflicts with a site's password policy, click the Password Policy tab to control the length and contents of the generated password (see Figure 2). You can also set a reminder for the expiration date of a password.
Figure 2. Password Safe includes extensive password-policy settings to correctly generate passwords for particular sites.
When it's time to sign in to a Web site, you simply double-click an entry to copy the password into the clipboard. You can also copy the sign-in name to the clipboard or have Password Safe automatically enter it and the password into a site's sign-in fields.
Just don't forget your Password Safe password! Lose that, and you could lose everything. Compress files and folders with real security
The ubiquitous .zip compression format comes with password protection that's every bit as secure as the locked door on a house without walls. Only a fool needs a key to get in.
That's unfortunate, since e-mailing a secure, compressed archive makes an extremely convenient way to pass on sensitive information to those you trust.
Luckily, most current commercial .zip compression programs include an option to use AES encryption. It's very secure, and it works across all higher-quality compression apps.
Unfortunately, the most common .zip program of all — Microsoft Windows — doesn't support AES encryption. Even with the password, you can't open a truly secure .zip file with Windows' built-in tools.
Does that mean you have to pay WinZip, WinAce, or one of their commercial competitors to create or extract secure .zip files?
Thanks to 7-Zip, yet another open-source program, the answer is no. It offers many of the features found in commercial programs such as WinZip, including compatible AES encryption.
It also means you can send secure, archived files to anyone; they can open your files simply by installing 7-Zip at no cost. (You'll also have to tell them the password, of course.)
7-Zip also supports less-common compression standards such as TAR and RAR, integrates with Windows Explorer, and can compress and e-mail files.
My only complaint: It has the ugliest user interface I've encountered since moving from DOS. Portable scanner works when your AV app fails
If you suspect that your PC is infected, you have good reason to worry that your resident antivirus program has been compromised, too. Malware, especially rootkits, often blocks security programs from updating and working properly. They may also block access to security sites where you can download more-specialized security programs.
You can get around this with the SUPERAntiSpyware Portable Scanner (download page). This utility, one of the better anti-malware scanners, is free for personal use. (Professional IT users need to pay a license fee.)
SUPERAntiSpyware.com also offers its Free Edition, which makes an excellent supplement to whatever resident antivirus program you keep running in the background. But SUPERAntiSpyware Portable is better if you think you've got a really nasty infection — or if you're helping a friend with an infected machine.
As the name implies, the Portable Scanner doesn't need to be installed before use. The app's simple, clean main menu, borrowed from their commercial product, displays plenty of options that aren't supported (or even relevant) in the portable edition (see Figure 3). The only control you have to bother with is "Scan your Computer." If it finds anything, it will ask you what you want done with the miscreant.
Figure 3. SUPERAntiSpyware Portable Scanner is an effective anti-malware tool that can be downloaded and run directly on an infected PC or added to a USB drive as part of a portable AV toolkit.
If you think you've got a really bad infection, go to another computer, download the SUPERAntiSpyware Portable Scanner, and put it on a flash drive. Then boot the suspect computer into Windows' Safe Mode. Next, plug in the flash drive and launch the scanner. The program is updated regularly, so to ensure you have the latest definitions, download the scanner just before you need to use it.
Portable Scanner should find and eliminate the malware. When all else fails — get a Registry report
If SUPERAntiSpyware doesn't find and destroy the culprit, you may need an expert opinion. But before you pack up your PC and hand over your credit card to the local PC mechanic, try getting free expert help using TrendMicro's HijackThis — a powerful little utility that's been a mainstay for PC diagnosticians for years.
Warning: All PC users should employ this app with caution. The information is not easily interpreted, and using the app incorrectly could delete critical system files.
This simple freebie scans your Windows Registry and file system. It then generates a somewhat obtuse snapshot report of your system settings and what's running. It doesn't decide what's malicious and what's legitimate.
What do you do with that report? Nonexpert PC users should post it to one of the many online forums frequented by knowledgeable good Samaritans who, hopefully, can help you with your problem. More-expert users can press the AnalyzeThis button for an online analysis by TrendMicro.
One button on this app, Fix checked, should be used with extreme caution. It lets you selectively remove specific items in your system, giving you a way to eliminate bad actors on a very granular level. But it's a one-way street; if you remove a critical Windows or apps system component, you can't undo the damage. Back up your machine before proceeding.
Productivity utilities every PC should have
For more essential utilities, see senior editor Woody Leonhard's article, "Indispensable utilities for every PC user," in the paid portion of today's Windows Secrets newsletter.
Have more info on this subject? Post your tip in the WS Columns forum.
Lincoln Spector writes about computers, home theater, and film and maintains two blogs: Answer Line at PCWorld.com and Bayflicks.net.
News
Links / 
Entries
By Lincoln Spector 
James Sigley
2009/11/09
I want to create a “dropbox” type website but with encryption. would you be interested in helping? Also checkout i D r i v e.com. this is ultimately what I want to create.
Balau
2009/11/10
Hello James,
unfortunately I don’t think I have the necessary free time to help consistently on a project like yours. I just have the time to hack together a solution with existing tools. If you accept suggestions, I think that a good solution should have:
1. open source client
2. client-side encryption (the server cannot see the content) AND/OR open source server that can be installed at home
3. portable client on different platforms
4. change-driven actions and not polling (using inotify on Linux and something like ReadDirectoryChangesW on Windows)
A possible implementation could be a big “image” file on the server that contains an encrypted filesystem, and the protocol gives you read/write access to the image. This could prove problematic with multiple contemporary accesses or multiple users accessing the same data.
thousand
2010/07/23
The problem with this technique is that if youre vault size ( or whatever your vault size is ) is large , then every time you update a single file in the vault , the entire vault is reuploaded… So if you added or modified a 1KB file, and your vault size is 500MB, you will cause yourself to have to reupload 500MB.
Balau
2010/07/23
I thought so, but actually it doesn’t. I have a 10MB vault file. I tried to change a file inside it and monitor what happens in the network. Here is the result. The screenshot displays what happens when opening the vault, editing a file (a small file actually), closing the vault and waiting for the Dropbox icon to become a green tick (“V”) again, meaning that the files have been synchronized. As you can see, the upload phase is not sending 10MB of data, because it lasts only a few seconds. I don’t know what happens exactly because Dropbox is closed source, but I suppose that Truecrypt changes only a small block of the vault when a small file is changed, and Dropbox synchronizes only the parts of large files that have changed, using some sort of hashing technique to optimize bandwidth. You can try it for yourself if you’re skeptic.