This is just too funny not to blog about it...
You might have heard that the mafia boss Bernardo Provenzano has been arrested recently. Now people found out that he used some "cryptography" in his messages to relatives and so on. They were decrypted pretty fast: Mafia Boss's Encrypted Messages Deciphered.
"Looks like kindergarten cryptography to me. It will keep your kid sister out, but it won't keep the police out. But what do you expect from someone who is computer illiterate?" security guru Bruce Schneier, author of several books on cryptography, told Discovery News.
(via Bruce Schneier)
Among the contents of the drive are unreleased songs from the past six years and two songs which should be released on a new single in a few weeks. Apparently those two songs on the drive were the only instance they had, off-site backups only contained older "beta" versions of the songs. As the band is touring at the moment (i.e. no time for re-recording the songs), it's unclear whether the single can be released in time.
 Well, I am a paranoid computer geek, and I'm probably not a normal person, but you get the point ;-)
 Oh, and if the thieves are stupid enough they will get caught while uploading the files ;-)
As I have bought a new 300 GB external USB disk drive on Friday, I have tried something new this time: disk encryption using dm-crypt / LUKS. It has been suggested to me multiple times that dm-crypt is superior to loop-aes, however I didn't get a real reason. Yes, it doesn't require any kernel patches and is easier to setup. But has any serious cryptographer looked at it sharply, yet? Did it withhold his eye contact?
Anyways, here's how I encrypted my 300 GB drive. I largely followed the guide at the EncryptedDeviceUsingLUKS wiki page...
badblocks -c 10240 -s -w -t random -v /dev/sdb
/dev/sdbwith whatever is correct on your system. If you're really paranoid, and are willing to wait one or two days, do this:
dd if=/dev/urandom of=/dev/sdb
apt-get install cryptsetup
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 samsung300gb
mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/samsung300gb
mount /dev/mapper/samsung300gb /mnt/samsung300gb
/mnt/samsung300gbwill be encrypted transparently.
cryptsetup luksClose /dev/mapper/samsung300gb
After unmounting, nobody will be able to see your data without knowing the correct passphrase. Drive is stolen? No problem. Drive is broken, and you want to send it in for repair without the guys there poking in your data? No problem. You leave the USB drive at home and some jerk breaks into your house, steals your drive, rapes your wife, and kills your kids? No problem. Well, sort of, but you get the idea ;-)
There's more things you can do, thanks to LUKS: have multiple passphrases which unlock your data, change/add/remove passphrases as you see fit, etc.
Update 2006-04-17: You have to use cryptsetup from unstable if you want LUKS support. cryptsetup in testing does not support this (thanks Ariel).
This seems to be pretty old, but I only stumbled over it recently:
Just in case you were considering buying a Kensington lock to secure your laptop while you're away... don't. Some lock picker from toool.nl (Barry Wels, it seems) has demonstrated how you can open such a lock within seconds, using only a roll of toilet paper and some duct tape. Watch the pretty impressive video (7.5 MB).
Favorite quote from the video: ...so actually you're
militarizingminiaturizing the roll of toilet paper.
Well, leaving a laptop unattended in a "hostile" environment is always a stupid idea (with or without a lock, with or without a screen saver with password). One of the many reasons for that is that your box can be owned by an iPod within seconds if you have a Firewire port...
(via Boing Boing)
Update 2006-03-20: I misquoted. He said "miniaturizing" and not "militarizing". Thanks Michael Goetze.
New versions of Drupal are out for the 4.5.x, the 4.6.x and the 4.7.0-beta branches which fix 4 (in words: four) security issues from four different categories, namely: access control bypassing, cross-site scripting, session fixation, and mail header injection.
Warning: If you're using 4.5.x, the patches for DRUPAL-SA-2006-003 will not fix the security issue immediately. You have two options: a) upgrade to 4.6.6 instead of 4.5.8, or b) upgrade to PHP >= 4.3.2.