[cryptome] Re: What Is Good Encryption Software?

  • From: doug <douglasrankine2001@xxxxxxxxxxx>
  • To: cryptome@xxxxxxxxxxxxx
  • Date: Fri, 28 Nov 2014 19:14:41 +0000

You can forget absolute security or privacy, with or without encryption.

Unfortunately, it isn't about security software so much as your own personal needs and knowledge about security methods and how good you are at what is called "operational security", which counts the most. You can have the best encryption software in the world, but security is a chain, and the weakest link is nearly always the human being(s) using it. It is like having a hi fi system, no good spending a fortune on having the best quality amplifier, speakers, microphones, recording and playback media and sound proofed rooms, all matching the same standard and specification if you are deaf...like me...:-). Better to check your hearing first...i.e. operational security and device security.

In an ideal world you could have unbreakable encryption, but that isn't the end of the story. Operational security is also important. A hard disk can be encrypted with unbreakable encryption, but forensic software can take the disk back to its "new" condition and analyse everything which was ever recorded on it, up to the point of the encryption. The encryption part can be broken by using a variety of methods, brute force, analytics, heuristics, or just plain bringing you before a court and, on the pain of imprisonment or other such punishment, force you, under law to reveal your passphrase. The nasty people will just threaten to squeeze your spherical objects. Traffic analysis can also be used to find out when, for how long, and who you are sending to or receiving data from.

In todays world, as soon as you go on the internet, then everything you do, emails, downloading, uploading, installing, removing, updating, visiting websites, visiting the bank, joining a network, arranging a holiday, at home or abroad, or using social media, are all collected and stored by one or another (or all of them) state security or intelligence services in the world. Even if you aren't a target, your activities will be recorded and kept for a long time, this is called the metadata...and it will be kept in different places, some more secure than others. It may or may not be read by an intelligence analyst at some stage, but it won't be discarded.

A profile of you is or will eventually be created, which allows computer tracking software to map out your internet of things, computers, tablets, phones, routers, and other electronic devices...as long as they have executable files on them, they can be manipulated and their use recorded..from afar, no matter where you are in the world. Where you are in the world and when, and for how long, can also be mapped; whenever an electronic device is used, credit or debit cards, passport, i.d. card, computer An incomplete profile or a confused profile, will eventually have the "dots connected up" to paraphrase Mr. Obama.

If you are a target, then your devices will be "tagged" with different kinds of tags, depending on your position in the hierarchy of risk deemed by those agencies. Different security tags will set different levels of risk, or security, and take your information different places, depending on how much of a risk you are considered to be and what kind of risk. Your information, depending on how important you are considered to be, may be shared amongst the main intelligence or law enforcement agencies and secret services. You will be unaware of this for some time, or even for as long as you live, as remotely controlled software has been used on various occasions, such as stuxnet and such like, or finfisher in the private sector. When your passport is swiped through the computer terminal at the border, if you are on any lists, your passport will be tagged accordingly and the information sent off to the destination deemed by the tag. Not even the Customs or Passport Controller will know anything about it.

How do you become a target? Well, there are the usual, normal ways, suspected terrorism, serious crime, drug crime, threat to the security of the state or nation. Sod's law operates here as well, a stupid joke to a security officer at an airport, venting your frustration at having to wait so long, carrying cup cakes on an aeroplane without a valid reason apart from causing suspicion. Here in England a serious crime can be putting the wrong kind of litter in a litter bin, allowing the local council to use RIPA to keep an eye on you. Yep, even the trivial can get you put on some kind of international list.

Encryption...you mean you haven't got it? Lucky you, there might just be the slightest chance that you won't be targeted. The security services say that anyone who uses encryption on the internet which they cannot crack will automatically be stored until such time as it can..."Yes...we can". Using TOR or Tails and other such anonymising or "secure" software? Visited the website, downloaded it? Then your activities may well have moved you up the list. No point in having secure encryption software if your computer is being monitored for the creation of the passphrase.

Contacted cryptome or on one of those lists which the state may consider to be a threat? who could possibly consider Cryptome to be a threat? After all, it is open, democratic website which exposes the failings of democracy, particularly those which the secret services and other organs of state would rather hide; and is not operated for a subversive, illegal or immoral purpose. Then you will be a target of some kind. Someone, somewhere will have taken note.

Anti-virus software, trojan horses, data tracking cookies and and all sorts of other malware can compromise your systems. Nation states, as well as the private and the criminal sectors on the internet already use such software on a large scale. The likes of Symantec and Kasperski and AVG can't keep up with it...though it is still a good idea to have good anti-virus and privacy software and a firewall on your network of devices.

So, my advice is, if you are involved in any of the usual hanky panky, like banking or legitimate trading, or communicating with colleagues and friends...don't bother about encryption. Anyway, you might not have any friends who use encryption. To give your activities some protection against the private sector, in terms of security and privacy, particularly if you are in business, then, the higher up you are in the financial chain, the more you become a target, for industrial or commerical espionage and you should take a course along with other people who are involved in your business. Such awareness, of course doesn't prevent you or your data from being spied on.

There is literally no way you can protect your security or privacy absolutely. There is very little oversight of the intelligence and security communities throughout the world, and things are hotting up so much these days, that even those legitimate forces of law and order are using...shall we say...intrusive software which they have invented themselves which can not only map your internet of things, but take away your control over them. Just as no one allows their children to go to the park on their own these days, then nation states are using the very real dangers of international terrorism and conspiracies to enhance,"improve" and expand their security and intelligence systems, at a huge cost of money and resources.

Even air gapping your computers can hit problems. Air gapping means not connecting to the internet or to other computers. There are security concerns even there, about executive files somehow jumping over and installing themselves on a so called sterile computer.

Theoretically, that is the picture as I see it, practically, there is still a lot of catching up to do. if you want to keep a secret, don't share it, keep it in your head and think of something else...:-).

On 28/11/14 13:25, John Young wrote:
Reader asks: What Is Good Encryption Software?


I have contacted you asking about certain security questions.
After reading a few of the Snowden leaked documents, I have
started to be more aware of my privacy being at risk. I have a
few questions concerning certain programs and safety tips.

First, I've recently started to doubt about my encryption software.
Is Symantec's "PGP Endpoint" a good hard drive encryption software?

In other words, is it trustworthy since it is an American company.
And if not, what encryption software is the best for Mac.

Second, is "ProtonMail" as secure as they say it is? If not, what
email provider doesen't let the NSA see into my account.

Third, is Jetico inc's "Bestcrypt Container Encryption" trustworthy?
If not, what could be an alternative.

Fourth, are these encryption types good? Blowfish, Gost & AES - 256bit.
And which encryption type remains the best above all?

Last, is Kaspersky a good anti-virus software? If not, which one is the
best for Mac.


Important, difficult questions, likely to produce a range of answers.
We will publish for answers.

Other related posts: