Silk Road forums
Discussion => Security => Topic started by: RIPDonnasummer on May 25, 2012, 09:58 pm
-
I finally got it loaded on my computer and have a great password. Is there anyway in the world anyway anyone can crack my computer without my password?
-
Not a chance. The drive has major encryption and won't be able to be cracked for a very long time if ever. The only downside to this is that if you ever forget your password, your files are gone forever.
Here is a news story to back up the claim:
http://g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html
-
There's always a way to get into your computer so I wouldn't trust it 100%. The best way is to get a usb drive and encrypt it using truecrypt but make a hidden encrypted volume and then put your files in that volume. In case you were ever to be forced to decrypt your drive it will simply unlock the regular encrypted volume while your hidden volume stays well....hidden ;)
Also I would look into tails and use it as a live o/s to get onto SR, it's much safer than doing it off your regular harddrive/o/s.
-
I forgot to add, passwords with random numbers, letters, and symbols are easy to crack. What you really want is a 4 word password with spaces or periods in between (ex go.fuck.yourself.leo). These types of passwords are much harder to break. The reasoning behind it is explained here: http://preshing.com/20110811/xkcd-password-generator
-
Well if you say it is always possible to get into my computer please explain how? I have a 25 character password with both letters and numbers and they are well good.
-
There are different ways to take over a computer. FDE protects from someone with physical access to the machine getting to the encrypted contents (ie: the entire contents of the drive, minus the bootloader in most cases) without the password. They can't crack good encryption algorithms or passwords. They could always try to steal them with physical keyloggers and such though, or they could cold boot the memory and dump the key from it if they get it while the drive is mounted.
FDE also does nothing to protect from hackers. When you connect to SR you expose your system to the internet via Firefox. A vulnerability in Firefox could be exploited that will allow the attacker to take over the permissions of firefox, and probably quickly EOP to root via a desktop environment leak. Now they can remotely steal your encryption keys from memory, plus spy on everything you do and generally control your system. FDE only protects from local attackers, not remote attackers.
-
No it's not 100% safe, neither is Tor, neither is anything really. For the most part if you're using full disc encryption with a decent alphanumeric password the police won't be able to do anything. The biggest real threat to encryption is distributed computing, if law enforcement have access to this then it's plausible they can gain access quickly - fortunately they don't (yet). And then there's the hardware keyloggers and all of the other obscure vulnerabilities that exist, however it's very unlikely the police will use such tactics.
There's also laws (I know in the UK and other places) which means the police can send you to jail for refusing to provide a password (raping our freedom under the guise of fighting terrorism again), for that of course there's hidden partitions and all that other bullshit. Definitely check for these laws in your country, however I believe they cannot exist in the USA due to the constitution saying Americans have a right not to incriminate themselves or something.
-
Well if you say it is always possible to get into my computer please explain how? I have a 25 character password with both letters and numbers and they are well good.
If your password is indeed 25 characters, with numerals, upper/lowercase letters, then this password would yield about 148 bits of entropy, which is more than adequate.
Just ensure that there are NO copies of it either written-down or stored ANYWHERE -- the password should be kept ONLY in your head.
As far as methods to keep from forgetting your password go, there is one method that you could use. It's called Shamir's Secret Sharing Scheme. Adi Shamir is a cryptographer, who was one of the developers of the RSA encryption scheme. (The S in RSA refers to him.)
He developed a scheme whereby a secret could be broken into a number of equal-sized pieces, or shares. One could specify a threshold which must be met for the shares to be used to re-constitute the secret. For example, let's assume that you have some information you want to safeguard, but you don't entirely trust the person(s) you're giving it to. Shamir's secret-sharing scheme allows you to break up a secret (such as a password) into say, 7 shares. In order to re-constitute the password, you could require that 4 of the 7 pieces be required to do this. Any one piece is cryptographically secure. Any number of pieces lower than the threshold for re-combining (i.e. 4) will yield no more information than if they had no copy of the piece/share whatsoever.
To illustrate what I mean, the best way is to head over to the following web page, and play with the online demo.
UNDER NO CIRCUMSTANCES SHOULD YOU PUT YOUR REAL PASSPHRASE INTO THE DEMO.
The demo can be seen at: http://point-at-infinity.org/ssss/demo.html
Windows versions of the software can be downloaded from: http://www.seidlitz.ca/ssss/
From the demo... Let's take the passphrase (without the quotes): "THis is my very secret passphrase!"
Splitting the secret into 7 parts, with 4 required to re-constitute, yields the following:
Output from the ssss-split invocation:
1-35809eeb2e7833e57e189a23745aa9b687a33c0b2694e9dc1d1a0f37bd28eb3f
2-9503d727ef41cde4ce82d0fb393c94644fea3a363e101a906d9f6030e7dbd810
3-c063a585ebaa90c250776335975b4979afa87723a336040568cbcf58108ac1ee
4-aeaf1e659438fe11b5ed2d382481aa6a34df65d9715dec92bec3b2b44b560f19
5-bc640a7f3b7f2c399571b798b4986ca15e6616e1b581278c610180b5ade57e98
6-93b18ec2ad1fcc255939af9c850266de83d96c861ef07fd7a4a9d560d4d29d49
7-2df4e0e6e1baf1d42bb0e0f3aabf7e526af3cdb1c4bf2891e55ab874ef9a4d78
The idea is that each of these lines, numbered 1 through 7, should be printed-out and one line each given to various people you trust.
If you lose your passphrase, and you need to re-constitute it, you need merely retrieve 4 pieces from the 7 people you gave it to. Any 4 pieces are sufficient to re-constitute the secret; less than 4 will not work.
Guru
Thanks for this guru, I found it very informative and interesting. I will now always be on the lookout for something to use this with, just because I like it so much.
At the OP - yes, it's completely safe AS LONG AS your password isn't compromised. It would be compromised if you tell anyone, write it down, store it elsewhere, or your keys are logged.
-
THere is no way on earth someone could figure out my passcode, they would have to know me intamately and event then it would random guessing. It involves things from childhood adult hood #s and everything. If someone cracked it then ill gladly just go to jail. I also gave 4 friends in different parts of the country that do not know each part of my password. So just by the small chance i forget I can piece it back together. It wont happen, i even impressed myself with 25 letters, numbers, caps long word that i can remember
-
Ok so what is the point of the rescue disk truecrpty made me do ? Isnt there a way someone can make my laptop boot straight to the drive and recover the computer? I never understood the recover disk once everything was encrypted it shouldnt matter
-
The recover disk is in case of corruption
-
Combine a password with a keyfile and it's actually impossible to decrypt without the corresponding file + password. Tell TrueCrypt not to remember any settings and select a picture, for example, to use together with your good password and not even the NSA can crack that. You would need to know what file makes up the compound password + file to ever decrypt.