Encryption



Andrew DeFaria

bjn said:
Too many disclaimers in that sentence for it to be of any use.
Not my fault you can't deal in such logic - many of us can. Let me make
it simpler for you - most Quicken users don't need the high level of
security that you suggest.
Correct, we were not talking about spies, we were talking about
computer security. I was merely illustrating how your comment was an
exaggeration.
Since you agreed with me that you exaggerated, ....
I did no such thing.
So we agree that you exaggerated.
You misunderstood. My "exactly" referred to the first part of your
statement - not the last part.
Security is always a balance of how much do you need vs. how much
trouble you have to go through to obtain it. Some of the security
products are surprisingly easy to set up and use, and do not get in
the way of your routines.

Your attempt to divert the discussion to paranoia merely illustrates
how little you know about the topic.
I know a lot about the topic. Again, for most Quicken users, they don't
need that much security as the likelihood of actually using it is quite
small. It's that balance thing and in the home, for Quicken it is
definitely not requiring of NSA strength security. People who suggest so
are paranoid. That's not a diversion of the topic - it's part of it!
It was just a little side commentary.
Talk about diversion of topic...
It's a shame your ego seems to get in the way of your message all the
time.
Right. It's a shame you can't simply discuss something without
personally attacking somebody...
Backups may not help in this area. Unless, of course, you back up
unencrypted copies. That, then, opens up another possible security hole.
You back up your keys - nimrod! (You started it).
That's a shame. Even Microsoft is telling Windows users that the only
way to eliminate some spyware is to erase and reformat the disk. Do
you really think you should take such a lackadaisical approach to
others' data?
It's hardly lackadaisical! I'm speaking from my own experience. On the
net 24/7 since '98 - no AV software - never got a single virus! Spyware
- simple to eliminate - simple to avoid really. Most people can do the
same if they just follow a couple of simple and often suggested rules.
I'm living proof. So when idiots such as yourself start suggesting NSA
level security, AV up the wazoo and reformatting hard drives to
eliminate spyware it's clear to me that they don't have a clue about how
to run a computer! I know because I do, for me and my clients.
 

Andrew DeFaria

DP said:
I don't have an answer to that, but isn't it true that Microsoft file
encryption is available with XP Pro but not with XP home? If so, that
would make a difference to some users. MS may not even be an option
for them.
EFS is part of NTFS. I believe XP Home supports NTFS and EFS. Don't know
for sure as I only use Pro.
 

Antoine Mitchell

Actually there's really little reason to use it considering the chances
of it being needed.
Perhaps, but it's extremely easy to set up an encrypted volume and keep your personal
data there. It makes it much easier to keep your data secure in case your PC gets stolen
(especially if it's a laptop) or if you need to bring your system in to a computer shop
for servicing.
Then again I've always found it extremely difficult
to reason with paranoid people because if there's one tiny iota of a
chance they will constantly argue without. It's like trying to explain
to avid lottery players that the odds are really slim....
There's a difference between paranoia and good common sense. If you have data that you
don't want other people to see, it makes sense to keep it encrypted, even if it's on a PC
that you normally control.
 

Antoine Mitchell

Not my fault you can't deal in such logic - many of us can. Let me make
it simpler for you - most Quicken users don't need the high level of
security that you suggest.
I agree that 256-bit AES is overkill for somebody securing their Quicken data file. Some
form of encryption, however, is a very good idea to minimize the chance that the data
gets accessed by somebody you don't want to access it.

If you're using Quicken on a laptop, and the laptop gets stolen, it's trivial for
somebody to open up your data file and know pretty much everything about your financial
situation. If you keep your personal data on an encrypted drive (i.e. using TrueCrypt),
it's basically impossible for anybody to access that data without your passphrase.
Putting the data on an encrypted drive is easy to do, but massively increases the
security of the data.
I know a lot about the topic. Again, for most Quicken users, they don't
need that much security as the likelihood of actually using it is quite
small. It's that balance thing and in the home, for Quicken it is
definitely not requiring of NSA strength security.
I agree. I wouldn't argue that military-grade security needs to be used. I would,
however, argue that some form of encryption be used to protect the data. But if you're
going to use encryption, why not use strong encryption? It's not any harder to do.
 

Andrew DeFaria

Antoine said:
Perhaps, but it's extremely easy to set up an encrypted volume and
keep your personal data there. It makes it much easier to keep your
data secure in case your PC gets stolen (especially if it's a laptop)
or if you need to bring your system in to a computer shop for servicing.
Sure, if you wish simply use EFS.
There's a difference between paranoia and good common sense.
Exactly, and that's why I specifically used the word paranoid.
 

Andrew DeFaria

Antoine said:
I agree that 256-bit AES is overkill for somebody securing their
Quicken data file. Some form of encryption, however, is a very good
idea to minimize the chance that the data gets accessed by somebody
you don't want to access it.

If you're using Quicken on a laptop, and the laptop gets stolen, it's
trivial for somebody to open up your data file and know pretty much
everything about your financial situation. If you keep your personal
data on an encrypted drive (i.e. using TrueCrypt), it's basically
impossible for anybody to access that data without your passphrase.
Putting the data on an encrypted drive is easy to do, but massively
increases the security of the data.
I have the feeling of Deja Vu - do you?

Sure, if you wish to keep your data in such an insecure thing as a
laptop then you should encrypt it. But why go out and get yet another
application to maintain when EFS is already available to you (well XP
Pro users I guess).
I agree. I wouldn't argue that military-grade security needs to be
used. I would, however, argue that some form of encryption be used to
protect the data. But if you're going to use encryption, why not use
strong encryption? It's not any harder to do.
Because it is harder to do in some sense. Indeed any sort of encryption
adds complexity. I used EFS for a while then something screwed up and I
didn't have a valid copy of my keys. Result was I lost data. Nobody
broke into my house nor my computer, etc. yet I incurred a penalty
nonetheless.
 

Antoine Mitchell

Sure, if you wish to keep your data in such an insecure thing as a
laptop then you should encrypt it. But why go out and get yet another
application to maintain when EFS is already available to you (well XP
Pro users I guess).
Why bother using Firefox when Internet Explorer is available to you? Why bother using
Word when you can use Wordpad for free with Windows?

The bundled apps that come with Windows aren't always the best tools for the job.
 

HASM

Stubby said:
Is there some way that TrueCrypt is better than the standard Microsoft
Encrypted File System? I have not experimented with either.
Besides the already mentioned fact that it only works with XP Pro, isn't
NTFS encryption tied to one's login/password?

I don't think one can move the encrypted files to another system and
decrypt them there under a different login. And if one is part of a domain
and some domain admin resets one's password, one won't be able to decrypt
the files anymore. With TrueCrypt (and others) there's a different password
controlled by you, and files are portable.

Not necessarily bad to use NTFS encryption, just be aware of the above.

-- HASM
 

Andrew DeFaria

Antoine said:
Why bother using Firefox when Internet Explorer is available to you?
Why bother using Word when you can use Wordpad for free with Windows?

The bundled apps that come with Windows aren't always the best tools
for the job.
Yes I agree. But as I have been trying to point out to you, for this
job, not much is required and the standard Windows tools are often more
than enough. If you have military grade paranoia well then go for it dude!
 

Joe John

Your best bet is to use a 3rd party encryption program for these 3
reasons:

EFS in Windows XP Pro is a per-file only DES and has been broken. It's
well known in the encryption community and thus, how to decrypt it is
too.

Quicken filenames, locations etc., are well known and thus, easily
located [ thus copied] even by ActiveX scripts in websites or worse,
trojans.

Intuit has a service to break your password for a fee. This suggests it
either has a backdoor or the encryption is not very strong.

An example of a secure mode of installing files see Firefox or Mozilla
directory structure and filenames.

Of the encryption programs the only one that has the best encryption is
but ONE, Truecrypt. The reason is not only has the latest incarnation of
nearly ALL academic ciphers none of which have yet been reported broken,
it can be used in any way the user desires [ so there is no 'model' for a
hacker to latch on to to decipher a file and you can multiply wrap each
file to your paranoia] and it leaves no 'footprint' for a file to be
found as a truecrypt file [ the same way viruses are found with antiviral
programs].

For example, you can install TC to use 3 ciphers in your laptop, but only
one in your desktop, because the laptop is a less secure device.
 

Joe John

WARNING: If you forget your password, no one has yet been able to decipher
it beyond a brute force attack, that is you use a weak password like a word
a decryption program will try all combinations of words to break it.

Beware.
 

Stubby

Joe said:
WARNING: If you forget your password, no one has yet been able to decipher
it beyond a brute force attack, that is you use a weak password like a word
a decryption program will try all combinations of words to break it.

Beware.
Right. File this under "Be careful what you wish for."
 

Antoine Mitchell

Yes I agree. But as I have been trying to point out to you, for this
job, not much is required and the standard Windows tools are often more
than enough. If you have military grade paranoia well then go for it dude!
See the post by HASM in this thread. The concerns with EFS aren't relating to its level
of security - they relate to the fact that the encryption is tied to your Windows login.
If your Windows user account gets hosed or you need to access the encrypted files from a
different system, you're out of luck.
 

Andrew DeFaria

Antoine said:
See the post by HASM in this thread. The concerns with EFS aren't
relating to its level of security - they relate to the fact that the
encryption is tied to your Windows login. If your Windows user account
gets hosed or you need to access the encrypted files from a different
system, you're out of luck.
That's why you back up your keys. There is a way to recover from the
situation that you speak of but yes you need to be careful and think
ahead of time.
 

Andrew DeFaria

Joe said:
Your best bet is to use a 3rd party encryption program for these 3
reasons:

EFS in Windows XP Pro is a per-file only DES and has been broken. It's
well known in the encryption community and thus, how to decrypt it is too.
Any encryption scheme is crackable given enough resources. I've heard
that if you lost your keys then you might as well kiss your data goodbye
because decrypting it is very difficult. Hell even you seem to
contradict yourself in your next post:

WARNING: If you forget your password, no one has yet been able to
decipher it beyond a brute force attack, that is you use a weak
password like a word a decryption program will try all combinations
of words to break it.
Quicken filenames, locations etc., are well known and thus, easily
located [ thus copied] even by ActiveX scripts in websites or worse,
trojans.
Quicken files can be located in different places. For example, mine are
not in the standard place. Still this provides little to no security.
Intuit has a service to break your password for a fee. This suggests
it either has a backdoor or the encryption is not very strong.
The password associated with a Quicken database is a totally separate
thing or issue WRT encrypting the files with something like EFS or this
TrueCrypt thing.
An example of a secure mode of installing files see Firefox or Mozilla
directory structure and filenames.
What?!? It does no such thing! I wrote and posted a simple Perl script
to not only find where Firefox or Mozilla store their directory
structure (AKA profile) and grep through the address book extracting
email addresses. Having a salt component of the path to the profile does
nothing, one can easily traverse the user's file system once they are
code running on the user's machine. It's the file system itself that
tells you where things are and supplies any missing directory names.
Trivial to do and not secure at all!
Of the encryption programs the only one that has the best encryption
is but ONE, Truecrypt. The reason is not only has the latest
incarnation of nearly ALL academic ciphers none of which have yet been
reported broken, it can be used in any way the user desires [ so there
is no 'model' for a hacker to latch on to to decipher a file and you
can multiply wrap each file to your paranoia] and it leaves no
'footprint' for a file to be found as a truecrypt file [ the same way
viruses are found with antiviral programs].

For example, you can install TC to use 3 ciphers in your laptop, but
only one in your desktop, because the laptop is a less secure device.
Right. Again, for most Quicken users this is nothing but overkill, an
additional application to install and keep up to date and more
complexity with little payback. It's sort of like installing 6 locks on
your front door and then only like 3 of them...
 

Antoine Mitchell

Any encryption scheme is crackable given enough resources.
Your statement is true, but not very useful. An encryption scheme that would take
current high-end computers millions of years to crack is, for all intents and purposes,
uncrackable in the foreseeable future. There are encryption algorithms that have been
shown to be insecure (an example is the old ZIP password protection), and can be cracked
using a typical computer in a very short period of time. Something like AES isn't likely
to be cracked by a typical computer (or even several thousand typical computers) in any
reasonable timeframe, particularly if a strong passphrase is chosen.
Right. Again, for most Quicken users this is nothing but overkill, an
additional application to install and keep up to date and more
complexity with little payback.
Perhaps, but TrueCrypt is pretty darn easy to use, and generally isn't something that
needs to be updated regularly. On my system, the only extra complexity is that I
periodically need to enter my passphrase to access that data. The payback is that my
data is totally secure, even if somebody steals my machine.
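
The distinction drawn in the post above, between the strength of the cipher and the strength of the passphrase that unlocks it, worked through as an added example (not part of the original thread or of any product discussed in it). The attacker hash rate, PBKDF2 iteration count, and word-list sizes are assumptions chosen for illustration.

```python
import hashlib
import math
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumptions for illustration only (not figures from the thread):
RAW_HASHES_PER_SEC = 1e10   # attacker's raw hash rate
KDF_ITERATIONS = 600_000    # PBKDF2 work factor applied to every guess
WORDLIST_SIZE = 100_000     # size of a cracking dictionary


def guess_space_bits(choices_per_symbol, symbols):
    """Bits of entropy in a secret whose symbols are chosen uniformly at random."""
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits, raw_rate=RAW_HASHES_PER_SEC, iterations=KDF_ITERATIONS):
    """Worst-case years to try every candidate when each guess costs `iterations` hashes."""
    guesses_per_sec = raw_rate / iterations
    return 2.0 ** bits / guesses_per_sec / SECONDS_PER_YEAR


def derive_key(passphrase, salt, iterations=KDF_ITERATIONS):
    """Stretch a passphrase into a 256-bit cipher key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


def compare():
    """Return (label, entropy bits, worst-case years) for each kind of secret."""
    cases = [
        ("one dictionary word", guess_space_bits(WORDLIST_SIZE, 1)),
        ("8 random lowercase letters", guess_space_bits(26, 8)),
        ("6 random words from a 7776-word list", guess_space_bits(7776, 6)),
        ("random 256-bit key", 256.0),
    ]
    return [(label, bits, years_to_exhaust(bits)) for label, bits in cases]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:40s} {bits:6.1f} bits  {years:.3g} years")
    # The cipher always receives a full 256-bit key; only the passphrase is guessable.
    salt = os.urandom(16)  # random salt, stored alongside the ciphertext
    key = derive_key("constructed sample passphrase", salt)
    print("derived key length:", len(key) * 8, "bits")
```
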
 

Joe John

(e-mail address removed) says...

Your statement is true, but not very useful. An encryption scheme
that would take current high-end computers millions of years to crack
is, for all intents and purposes, uncrackable in the foreseeable
future. There are encryption algorithms that have been shown to be
insecure (an example is the old ZIP password protection), and can be
cracked using a typical computer in a very short period of time.
Something like AES isn't likely to be cracked by a typical computer
(or even several thousand typical computers) in any reasonable
timeframe, particularly if a strong passphrase is chosen.
Further, the encryption schemes used in TC are designed to NOT be
crackable, by any computer. That is the whole field of cryptography,
finding an algorithm that resists such attacks. These folks dedicate
their careers making and breaking, such algorithms. The over 8??
algorithms in TC have not yet been reported cracked. Even if one is,
mixing them together reduces any possibility of deciphering _your_
combination.

Perhaps, but TrueCrypt is pretty darn easy to use, and generally isn't
something that needs to be updated regularly. On my system, the only
extra complexity is that I periodically need to enter my passphrase to
access that data. The payback is that my data is totally secure, even
if somebody steals my machine.
Yes, totally secure by what exists in today's technology. Far better than
what any 3rd party to date, Microsoft or Quicken provides by default.
And, it's free.
 
