- If you use a service like Dropbox, use EncFS to encrypt everything in the cloud.
- For email, you'll need to start using a mail user agent like Mutt or Thunderbird with PGP/GnuPG. And then the problem will be that none of your friends use encryption anyway. Personally I'm telling everyone about using Bitmessage instead of email: https://bitmessage.org
It's like we're devolving back to Slashdot circa 1999. In reality, the Windows kernel is one of the most heavily audited carefully inspected codebases in the world, not because Microsoft spends a cubic fuckton of money getting external firms to do that (though they do), but because every vulnerability research firm in the world has reverse engineered the code --- which Microsoft tends to make very easy, for instance by publishing symbols.
The likelihood that Microsoft is shipping block-level encryption with secret backdoors is pretty close to zero.
Do we know what is secure against the likes of the NSA / what encryption they can break today?
I understand this is almost impossible for us to accurately answer, just curious if we have any clues regarding their codebreaking capabilities in this regard.
Get up to very most recent OS X. A dot release in OS X disabled Firewire while the machine was sleeping, which is important because Firewire is basically a thin veneer around direct DMA access to system memory.
Enable FileVault. Unlike the feature that used to be called FileVault, modern FileVault is block-level AES-XTS encryption. (Before FileVault, my recommendation would have been to buy PGP WDE).
Tell the system to forget its key during sleep; the most recent rubber chicken to wave for this appears to be "sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25".
Power down your machine whenever you can; don't just shut the lid.
Buy Knox.app from AgileBits, which is a nice UI on top of the VFS-level block AES encryption OS X does. Create virtual disk drives for each of your clients, or each of your projects, or whatever. Create another for your mail; create another for personal documents. Give each a separate key (you'll rarely have all of them unlocked or need to use all of them). Do not store the keys in the Keychain.
Copy ~/Library/Mail's contents to the virtual disk you made for Mail and then replace ~/Library/Mail with a link to that disk; now, you'll need to have that virtual disk unlocked to read your mail.
Disable sharing; make sure every box in "Sharing" under Preferences is unchecked.
Enable the firewall and block all incoming connections; Preferences->Security->Firewall, Enable, Options->Block All Incoming Connections.
Get GPGTools and GPGMail (the most recent official build supports Mt. Lion nicely). Install them, and use GPG, from your Mac only, to send mail.
Do not supply your GPG private key to any service, ever.
Uninstall Dropbox. Sorry. Dropbox is fantastic. We ban it wholesale.
Though we can't use it for a variety of contractual reasons, I highly recommend Colin Percival's Tarsnap for backup.
You cannot encrypt emails. Even if you'll satisfy your urge for privacy - the originator of email or addressee of email will still contain unencrypted copies. So forget about it.
The presence of encryption will raise more suspicion and cause further investigation in your activities.
So forget about it.
8 comments
[ 4.4 ms ] story [ 30.0 ms ] thread- Install the OS with full-disk encryption.
- If you use a service like Dropbox, use EncFS to encrypt everything in the cloud.
- For email, you'll need to start using a mail user agent like Mutt or Thunderbird with PGP/GnuPG. And then the problem will be that none of your friends use encryption anyway. Personally I'm telling everyone about using Bitmessage instead of email: https://bitmessage.org
The likelihood that Microsoft is shipping block-level encryption with secret backdoors is pretty close to zero.
I understand this is almost impossible for us to accurately answer, just curious if we have any clues regarding their codebreaking capabilities in this regard.
Get up to very most recent OS X. A dot release in OS X disabled Firewire while the machine was sleeping, which is important because Firewire is basically a thin veneer around direct DMA access to system memory.
Enable FileVault. Unlike the feature that used to be called FileVault, modern FileVault is block-level AES-XTS encryption. (Before FileVault, my recommendation would have been to buy PGP WDE).
Tell the system to forget its key during sleep; the most recent rubber chicken to wave for this appears to be "sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25".
Power down your machine whenever you can; don't just shut the lid.
Buy Knox.app from AgileBits, which is a nice UI on top of the VFS-level block AES encryption OS X does. Create virtual disk drives for each of your clients, or each of your projects, or whatever. Create another for your mail; create another for personal documents. Give each a separate key (you'll rarely have all of them unlocked or need to use all of them). Do not store the keys in the Keychain.
Copy ~/Library/Mail's contents to the virtual disk you made for Mail and then replace ~/Library/Mail with a link to that disk; now, you'll need to have that virtual disk unlocked to read your mail.
Disable sharing; make sure every box in "Sharing" under Preferences is unchecked.
Enable the firewall and block all incoming connections; Preferences->Security->Firewall, Enable, Options->Block All Incoming Connections.
Get GPGTools and GPGMail (the most recent official build supports Mt. Lion nicely). Install them, and use GPG, from your Mac only, to send mail.
Do not supply your GPG private key to any service, ever.
Uninstall Dropbox. Sorry. Dropbox is fantastic. We ban it wholesale.
Though we can't use it for a variety of contractual reasons, I highly recommend Colin Percival's Tarsnap for backup.
The presence of encryption will raise more suspicion and cause further investigation in your activities. So forget about it.