Researchers at Erlangen University in Germany have demonstrated a cold boot attack against Android phones. Princeton researchers originally first demonstrated cold boot attacks in PCs. The DRAM in most computers (and mobile phones) will retain data for up to a few seconds after a device is shut off, and the period of time the data is retained can be extended significantly by lowering its temperature.
In the mobile device cold boot attack, the researchers put Android phones in a freezer that was -15 degrees Celsius, and left the device for an hour until its temperature fell below 10 degrees Celsius. The researchers then forced the phone to reboot into Android’s fastboot mode which allowed them to run their code to scan for encryption keys in RAM, contacts, photographs, etc. that survived the rebooting thanks to the extremely low temperature of the phone.
One oddity here is that while they were able to recover data from phones that had their boot loader unlocked and phones that still had the boot loader locked, they were only able to recover the full disk encryption keys from the unlocked phones,
To break disk encryption, the bootloader must be unlocked before the attack because scrambled user partitions are wiped during unlocking.
So at least for this sort of attack, you’re better off with a locked phone.
Phoneme is a Python script that will encrypt all of the email sitting in your Gmail account using GPG.
Every time it runs it will skip any messages that already start with “BEGIN PGP MESSAGE” in the body, so you won’t end up repeatedly re-encrypting messages.
A (very) simple script to encrypt all existing email in a gmail account with your gpg keys. The intent is that Phoneme is simple enough that even a layperson ought to be able to tell that there’s nothing suspicious going on with the code and it does what it says on the tin.
Phoneme goes through your email, encrypts it with your public key as the recipient, **DELETES THE PLAINTEXT UNENCRYPTED ORIGINAL** and appends it back to the folder it originally was in with the from and date information intact. It does not however remove the plaintext original from your trash folder, so when the full encryption process has finished you may want to check your trash folder and make sure everything is ok before you hit ‘delete forever’
Frequently security products insist on claiming that they use “military grade encryption.” Such claims are nonsensical marketing statements rather than factual statements about the strength of the encryption used by the product.
Andrew Fernandes made the case against the phrase best in a 1998 interview when asked about Microsoft’s claim that the _NSAKey he found in the Windows CryptoAPI just meant that Windows complied with “NSA encryption standards”,
It’s sort of like saying the phrase “military grade encryption.” Whenever you´re dealing with a security product and somebody says it´s military grade encryption your bullshit detector should really go off. And the reason for that is that the military has no standards of encryption. The military uses everything from good crypto to bad crypto to crackable crypto to uncrackable crypto to stuff that´s designed never to be used to stuff that should be used every day. And it uses it for all purposes and everything in between. But the phrase military grade crypto is an absolutely meaningless and content free statement.
Amazon Glacier is the cheaper, slower cousin to Amazon’s S3 storage. Whereas S3 currently costs US$0.095 per gigabyte per month, Glacier is a mere US$0.01 per gigabyte per month.
The tradeoff for the lower cost is that Glacier is effectively offline storage. If you want to download the data you have stored, you have to request that Glacier retrieve the data and make it available for download, and fulfilling that requests “typically” takes 3-5 hours according to Amazon.
Since the expectation is that Glacier data will only be accessed infrequently, there is also a US$0.12 per gigabyte charge to download more than a nominal 1 gigabyte per month.
So, storing 1 terabyte of data with Glacier will cost you roughly $10/month, but if you ever want to download it all in a month, that would run you $120.
Where something like Glacier shines is in long-term backups. For example, I have a 3 terabyte drive that stores all of my personal data. I have a couple of extra hard disks that I use to create local backups and store at various locations.
I used to use Amazon’s S3 as an online backup repository, but as I got closer to having 1 terabyte stored there, the cost became prohibitive and I ended up deleting it. But using something like Glacier, I could store 3 terabytes online for $30/month. The limitations on accessing the data really don’t concern me, since what I’m looking for is an offsite repository to store my data in case I experience a catastrophic failure with my local backups.
There are just two challenges: uploading the data to Glacier and protecting it adequately.
I’m primarily a Windows users, and have had a lot of success with FastGlacier, a freeware Windows tool designed to make it easier to upload data to Glacier and keep Glacier and local data in sync.
Glacier has a number of complications that S3 does not, and a program like FastGlacier helps smooth out some of the rough edges for those of us who just want to get our data into Glacier.
Protecting that data is another matter. Amazon encrypts the data that is uploaded to Glacier, but it is encrypted in a way that Amazon itself can decrypt. So if Amazon were hacked, for example, there is the potential that the keys to unlocking any data stored on Glacier (or S3) could be compromised.
It is absolutely crucial that any data intended for long-term storage be encrypted client-side by the person doing the uploading. Again, since I am primarily a Windows user I use the open source Gpg4Win to encrypt all of my files before I upload them to Glacier. Gpg4Win adds a GpgEX option in the file manager’s context menu so that it is relatively easy to encrypt specific files or entire directories.
I’ve been using AirVPN for a couple years now, and there are two basic forms of privacy I’m trying to achieve.
First, I do not want people who have access to the networks I’m using have the capability of monitoring what I amdoing. For example, I regularly connect my laptop to WiFi networks that I do not control, and want to ensure that no other users (including the operators of those networks) are able to see or record my activity.
Second, I do not want entities on the other end able to directly track my activity back to my actual IP address.
So for my case the most important thing was finding a VPN that doesn’t do any logging. As Pearson points out, a number of popular VPNs based in the United States — VyprVPN, HideMyNet, StrongVPN, etc. — actually keep logs of all activity through their systems so they can respond to DMCA requests. Pearson makes the case that not only is this the height of stupidity for a VPN, but that it is not even remotely required by US law.
The next most important thing, in my opinion, is to avoid any VPN based in the United States. With a lot of services, that option just isn’t there. With VPNs, many of them are based outside of the US and Europe, and the more obscure the jurisdiction the better.
Pearson raises a third use case for VPNs — avoiding monitoring by law enforcement.
So what happens if a law enforcement agency approaches a VPN, serves a subpoena, and demands a the company trace an individual, based on the timestamp and the IP address of one of their servers? VPN services, like all businesses, are compelled to abide by the law. However, there is no way of complying with the authorities if the data they require does not exist.
One of the few ways law enforcement could identify an individual using a privacy service, without logs, is if they served the owners a gag order and demanded they start logging the traffic on a particular server they know their suspect is using. We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same. So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react, your privacy would be protected.
While I appreciate Pearson’s activism, I wouldn’t count on that sort of activist mentality to shield me from law enforcement. If law enforcement monitoring were a serious concern, I’d use multiple VPNs, switch servers within those VPNs regularly, and cycle through the VPNs I was using on a regular basis (as well as use TOR and other anti-monitoring countermeasures)
Even then, there are ways beyond direct logging for a persistent-enough law enforcement agency to track Internet activity back to specific users given enough time.