USB pen drives and safe cryptosystems (looking for references)

We are working on forensic cryptology and computer security expert
witnessing in Spain.

Right now we need a list of freeware cryptosystems for USB pen drives,
as well as comments or cryptoanalysis of standard ones. For instance,
we would like to know about Microsoft XP encryption options in
"properties" (we are very interested about any case or news concering
Microsoft help to Courts of Law or Police in order to crack their own
standard cryptosystem for USB pen drives), or manufacturers utilities
to allow partitioning, make the drive bootable and have a password
protected security area.like VFUEL_Security.exe you can download for
free at http://vfuel.net/driverstool.aspx

Our idea is to publish a Website in Spain with links to free downloads,
advice and news about risks on USB pen drives specially for lawyers.

I shall appreciate any help technical help, news and "off-the-records".
There is a lot of work to be done in Spanish speaking countries on USB
pen drives security.

Miguel A. Gallardo, cryptologyst (engineer and criminologist) at
www.cita.es

Re: USB pen drives and safe cryptosystems (looking for references)

"Miguel A. Gallardo en http://www.cita.es"
wrote in news:1151118334.895509.53570@c74g2000cwc.googlegroups.com:

> We are working on forensic cryptology and computer security expert
> witnessing in Spain.
>
> Right now we need a list of freeware cryptosystems for USB pen drives,
> as well as comments or cryptoanalysis of standard ones. For instance,
> we would like to know about Microsoft XP encryption options in
> "properties" (we are very interested about any case or news concering
> Microsoft help to Courts of Law or Police in order to crack their own
> standard cryptosystem for USB pen drives), or manufacturers utilities
> to allow partitioning, make the drive bootable and have a password
> protected security area.like VFUEL_Security.exe you can download for
> free at http://vfuel.net/driverstool.aspx
>
> Our idea is to publish a Website in Spain with links to free downloads,
> advice and news about risks on USB pen drives specially for lawyers.
>
> I shall appreciate any help technical help, news and "off-the-records".
> There is a lot of work to be done in Spanish speaking countries on USB
> pen drives security.


FreeOTFE (www.FreeOTFE.org) and TrueCrypt are pretty popular (and free!).
Both can be run from a USB drive and allow transparent encryption...

Re: USB pen drives and safe cryptosystems (looking for references)

"Miguel A. Gallardo en http://www.cita.es"
wrote in message
news:1151118334.895509.53570@c74g2000cwc.googlegroups.com...
> We are working on forensic cryptology and computer security expert
> witnessing in Spain.
>
> Right now we need a list of freeware cryptosystems for USB pen drives,
> as well as comments or cryptoanalysis of standard ones. For instance,
> we would like to know about Microsoft XP encryption options in
> "properties" (we are very interested about any case or news concering
> Microsoft help to Courts of Law or Police in order to crack their own
> standard cryptosystem for USB pen drives), or manufacturers utilities
> to allow partitioning, make the drive bootable and have a password
> protected security area.like VFUEL_Security.exe you can download for
> free at http://vfuel.net/driverstool.aspx
>
> Our idea is to publish a Website in Spain with links to free downloads,
> advice and news about risks on USB pen drives specially for lawyers.
>
> I shall appreciate any help technical help, news and "off-the-records".
> There is a lot of work to be done in Spanish speaking countries on USB
> pen drives security.
>
> Miguel A. Gallardo, cryptologyst (engineer and criminologist) at
>
www.cita.es
>

TrueCrypt is the best! I swear by it.



--
Posted via a free Usenet account from http://www.teranews.com

Re: USB pen drives and safe cryptosystems (looking for references)

"Miguel A. Gallardo en http://www.cita.es"
wrote in message
news:1151118334.895509.53570@c74g2000cwc.googlegroups.com...
> Miguel A. Gallardo, cryptologyst (engineer and criminologist) at
> www.cita.es

I decided not to comment on this for a while, but I find it sufficiently
problematic to call attention to it. Basically, a "cryptologist" who has no
clue about cryptography. The fundamental problem here is that a mining
engineer has decided that he's a cryptologist without any of the knowledge
or experience that goes into actually being one.

This would of course explain the complete lack of quality in all the
responses. Perhaps Miguel would have better luck with admitting he has no
clue, then his questions might actually get some decent answers.
Joe

Re: USB pen drives and safe cryptosystems (looking for references)

Widget wrote:

>
> "Miguel A. Gallardo en http://www.cita.es"
> wrote in message
> news:1151118334.895509.53570@c74g2000cwc.googlegroups.com...
>> We are working on forensic cryptology and computer security expert
>> witnessing in Spain.
>>
>> Right now we need a list of freeware cryptosystems for USB pen drives,
>> as well as comments or cryptoanalysis of standard ones. For instance,
>> we would like to know about Microsoft XP encryption options in
>> "properties" (we are very interested about any case or news concering
>> Microsoft help to Courts of Law or Police in order to crack their own
>> standard cryptosystem for USB pen drives), or manufacturers utilities
>> to allow partitioning, make the drive bootable and have a password
>> protected security area.like VFUEL_Security.exe you can download for
>> free at http://vfuel.net/driverstool.aspx
>>
>> Our idea is to publish a Website in Spain with links to free downloads,
>> advice and news about risks on USB pen drives specially for lawyers.
>>
>> I shall appreciate any help technical help, news and "off-the-records".
>> There is a lot of work to be done in Spanish speaking countries on USB
>> pen drives security.
>>
>> Miguel A. Gallardo, cryptologyst (engineer and criminologist) at
>>
> www.cita.es
>>
>
> TrueCrypt is the best! I swear by it.


Of the stego encryptors, TrueCrypt hidden volumes on Windows systems fail
against a thorough forensic analysis. So do FreeOTFE hidden volumes, and I'm
pretty sure all the rest do too. It's not a failing in the crypto, it's an
environmental failing - Windows is just not reliably secureable that way.

Although I must add that I somewhat blame the crypto writes for not making
this obvious. Sorry Sarah, not the best way to win friends and influence
people!

In fact almost _all_ encryption systems for Windows fail against such
analysis, which is why Microsoft are putting native encryption into Vista.
Windows leaves too many temp files and similar traces.



Worse, none, repeat none, of the disk cleaning utilities reliably find all
this data, never mind sucessfully overwriting it.

Paper (from PET again): One Big File Is Not Enough: A Critical Evaluation of
the Dominant Free-Space Sanitization Technique
Simson L. Garfinkel and David J. Malan
at http://petworkshop.org/2006/preproc/preproc_08.pdf

Best way is to copy all your files to another disk and overwrite the first
disk completely. This still doesn't catch reallocated sectors though.. and a
sort-of reallocation* happens with USB drives too.



However, if you use a USB drive for encrypted files created using FreeOTFE
or TrueCrypt from a BartPE CD boot environment, with a seperate key for each
file, you have a chance - leaves no on-disk traces :)

Or m-o-o-t, of course, but I shouldn't advertise :)

Or Curtains ... details to follow ...


*load balancing - the USB drive may decide that a sector has been
overwritten more often than it wants it to be, and instead of overwriting
that sector it allocates another free sector when a write is made, leaving
the original sector unchanged.


--
Peter Fairbrother

Re: USB pen drives and safe cryptosystems (looking for references)

Peter Fairbrother wrote :
> Or m-o-o-t, of course, but I shouldn't advertise :)

Was it released?

Kind regards
Ludovic

Re: USB pen drives and safe cryptosystems (looking for references)

Opera Portable One-Use 9.00
All settings, history, cache etc are completely destroyed after running.=

This is suitable if you run Opera Portable from LAN shares, CD/DVD, or =

other non-writable media.

http://www.kejut.com/operaportable

Or without overwriting the files automatically but keeping the settings =
=

(less secure):

http://www.opera-usb.com

-----------------------------------------------------



> "Miguel A. Gallardo en http://www.cita.es" om>
> wrote in message
> news:1151118334.895509.53570@c74g2000cwc.googlegroups.com...

Re: USB pen drives and safe cryptosystems (looking for references)

Ludovic Joly wrote:

> Peter Fairbrother wrote :
>> Or m-o-o-t, of course, but I shouldn't advertise :)
>
> Was it released?

Not yet - but probably soon now.

The Home Office have recently decided to bring the GAK law (Pt. III of RIPA)
m-o-o-t is designed to defeat into force, and m-o-o-t will be released the
day that happens. It has been on the books for six years, but has not yet
been brought into force.

The commencement process will take until probably early next spring.

Assuming that is that the Home Office manage to get it through Parliament of
course, which is quite likely, especially as it does not have to go through
the whole Parliamentary process, just a House of Commons Committee vote and
a full vote in the Lords - but it is still not impossible that it may be
rejected.

(the House of Commons could also decide to call a vote and vote against it,
which would be very unusual - however it's all tied up in terrorist politics
now, and almost anything could happen. The Home Affairs Select Committee
have finally begun to acknowledge that Pt III isn't going to actually catch
very many people, although they recommend that the Government implement Pt
III - however they _still_ don't seem to realise that it doesn't actually
work at all against suitable crypto)


I am in the process of updating the OS from OpenBSD 2.8 to OpenBSD 3.9, and
the crypto etc is, as usual, about half-done.


Of course I am also working on Curtains :)


--
Peter Fairbrother

Re: USB pen drives and safe cryptosystems (looking for references)

Hi Peter:

"Peter Fairbrother" wrote in message
news:C0D16E64.CDB57%zenadsl6186@zen.co.uk...

> In fact almost _all_ encryption systems for Windows fail against such
> analysis, which is why Microsoft are putting native encryption into Vista.
> Windows leaves too many temp files and similar traces.

But for a USB drive EFS is perfect. Usability impact may be not acceptable
though - access to the Windows profile is required to read the information.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

Re: USB pen drives and safe cryptosystems (looking for references)

S. Pidgorny wrote:

> Hi Peter:
>
> "Peter Fairbrother" wrote in message
> news:C0D16E64.CDB57%zenadsl6186@zen.co.uk...
>
>> In fact almost _all_ encryption systems for Windows fail against such
>> analysis, which is why Microsoft are putting native encryption into Vista.
>> Windows leaves too many temp files and similar traces.
>
> But for a USB drive EFS is perfect. Usability impact may be not acceptable
> though - access to the Windows profile is required to read the information.

??

I thought it was just a keyword.

If the attacker can only get access to the USB key and not to the computer
there are several programs which will be secure, in fact most reputable
encryption programs will - but I have no idea whether EFS is one of them,
the source is closed.

You would also be well advised to change the key every time you use the
stick - if not there might be stuff left there under the same key which you
do not want even a person you give the key to to know.


--
Peter Fairbrother

Re: USB pen drives and safe cryptosystems (looking for references)

Joe, I studied several things, and I work in several fields. Ren=E9
Descartes explaned that nobody can really master just one thing, and to
learn about many helps to know more and better about every one of them.
Moreover, I am also a magician (seriously), and I would like to perform
nice mentalism tricks with USB Pen drives because I have some funny
ideas about how to make ilusionism with state of the art technologies
as you can see at http://www.cita.es/telemagic

I explaned cryptography invited byt the Army and the Diplomacy in China
(1994), also in Argentina 1995, and in Honk Kong as you can read at
http://www.cita.es/HK and shortly at http://www.cita.es/branding for
"object oriented cryptography" home made in Spain.

I translated to Spanish PGP 1.0 and 2.0 (you can ask to Phil Zimmerman
about me).

But you are right in 1 thin. I still have many things to learn in
Cryptology (that is why I am reading and asking over here). If you can
read Spanish, I suggest http://www.cita.es/secreto
http://www.cita.es/escuchas and http://www.cita.es/descifrar for
instance. I shall appreciate any comment or reference that let me to
improve my knowledge on "USB pendrive applied Cryptology" (By the way,
I think that Bruce Schneier must have new ideas about it).

miguel, www.cita.es

Joseph Ashwood ha escrito:

> "Miguel A. Gallardo en http://www.cita.es"
> wrote in message
> news:1151118334.895509.53570@c74g2000cwc.googlegroups.com...
> > Miguel A. Gallardo, cryptologyst (engineer and criminologist) at
> > www.cita.es
>
> I decided not to comment on this for a while, but I find it sufficiently
> problematic to call attention to it. Basically, a "cryptologist" who has =
no
> clue about cryptography. The fundamental problem here is that a mining
> engineer has decided that he's a cryptologist without any of the knowledge
> or experience that goes into actually being one.
>
> This would of course explain the complete lack of quality in all the
> responses. Perhaps Miguel would have better luck with admitting he has no
> clue, then his questions might actually get some decent answers.
> Joe

Re: USB pen drives and safe cryptosystems (looking for references)

"Miguel A. Gallardo en http://www.cita.es"
wrote in message
news:1153765560.625531.243630@i3g2000cwc.googlegroups.com...
[snip pointless.]

> I explaned cryptography invited byt the Army and the Diplomacy in China
> (1994), also in Argentina 1995, and in Honk Kong as you can read at
> http://www.cita.es/HK

Umm, yeah, this once again shows how little you know, that page is entirely
about gem stones, which has nothing to do with cryptography.

> and shortly at http://www.cita.es/branding for
> "object oriented cryptography" home made in Spain.

At this point you seem to be extremely confused about the difference between
physical security measures and information security measures. They are
extremely different areas, and by claiming it is cryptographic very quickly
proves that you do not even grasp the most basic concepts.

> I translated to Spanish PGP 1.0 and 2.0 (you can ask to Phil Zimmerman
> about me).

Anyone who is capable of speaking both languages can translate a program, it
shows nothing in terms of understanding.

> I shall appreciate any comment or reference that let me to
> improve my knowledge on "USB pendrive applied Cryptology" (By the way,
> I think that Bruce Schneier must have new ideas about it).

On that front I would gladly have supplied things, but the bottom line is
that you claimed to be a consultant, but you have demonstrated a complete
lack of knowledge or even the ability to grasp the core concepts.
Joe

Re: USB pen drives and safe cryptosystems (looking for references)

>
> I translated to Spanish PGP 1.0 and 2.0 (you can ask to Phil Zimmerman
> about me).

I have translated programs myself and I havent got a clue about computers
but I know how OpenOffice.org works.

>
I shall appreciate any comment or reference that let me to
> improve my knowledge on "USB pendrive applied Cryptology"

I haven't got a clue as I said but I can comment about your webpage
http://www.cita.es
which looks horrible viewed with Opera9.01 browser you really need to
redesign it if you
expect to look like a serious company.

Your other page: http:/www.cita.es/descifrar/ says:
"La "ESPIOLOGÍA" o estudio del espionaje es una ciencia empírica y
multidisciplinar"

Spanish is my native language and never in my life heard of the term
"espiologia" but
then I admit I am not too educated so I searched in
http://en.wikipedia.org and not a single
mention. I do not have the time to read all of course, but at first glance
for an average
persorn without knowledge of computers the website looks written in
Chinese very hard to navigate
and far too much to reading.

Ok, it is a negative review, sorry about that, but it is better than lying
to you I hope.

Re: USB pen drives and safe cryptosystems (looking for references)

Truncat wrote:


> I haven't got a clue as I said but I can comment about your webpage
> http://www.cita.es which looks horrible viewed with Opera9.01 browser
> you really need to redesign it if you expect to look like a serious company.

I agree. The home page is absolutely terrible :-((

Miguel, get a professional web designer to redesign your site. There is
no way that your current site will attract professonal clients. They'll
take one look at your home page - and never come back.

TC (MVP MSAccess)
http://tc2.atspace.com

Re: USB pen drives and safe cryptosystems (looking for references)

Hi all. I'm new on this group so i want to introduce myself. My name is
Gustavo, and I'm also a native spanish speaker, but I can communicate
in english just fine.

It's true that Miguel's page looks bad and maybe he isn't an encryption
expert, technically speaking; but sometimes (just sometimes) there are
things more important than that, like knowing what, when and how to
encrypt.

Speaking of cryptosystems on usb pen:
I think the problem is, if you use any encryption program (I recommend
truecrypt, allows many encryption algorythms fast and easy) in windows,
the on-the-fly un-encrypted files (and maybe your password too if you
configure it wrong) stays on memory, temp and page files (maybe other
files too, but i'm not sure about that). So you would need another
program to securely delete/defrag this files.

If everything else goes wrong and you really need to keep things
confidential, just degauss your hd after you use the pen drive :) (I'm
kidding, don't do that, Miguel).

Hope you keep researching on cryptosystems.

Gustavo.

Re: USB pen drives and safe cryptosystems (looking for references)

"TC" writes:


>Truncat wrote:


>> I haven't got a clue as I said but I can comment about your webpage
>> http://www.cita.es which looks horrible viewed with Opera9.01 browser
>> you really need to redesign it if you expect to look like a serious company.

>I agree. The home page is absolutely terrible :-((

>Miguel, get a professional web designer to redesign your site. There is
>no way that your current site will attract professonal clients. They'll
>take one look at your home page - and never come back.

No, I think it does exactly what he wants. It is cleary a scam outfit. He
has pages of text in one point type designed to get himself onto web
crawler's pages. anyone who is so incompetent and duplicitous should not be
taken seriously.

That this is not a mistake, here is code from the page source.

href="http://www.cita.es/descubrimiento">http://www.cita.es/ descubrimiento

href="http://www.cita.es/descubrimiento/y/revelacion/de/secr etos">http://www.cita.es/descubrimiento/y/revelacion/de/secr etos

href="http://www.cita.es/descubrimiento/y/revelacion">http:/ /www.cita.es/descubrimiento/y/revelacion



href="http://www.cita.es/secretos">http://www.cita.es/secret os

Re: USB pen drives and safe cryptosystems (looking for references)

On 26 Jul 2006 16:01:50 GMT, Unruh wrote:

>"TC" writes:

>>I agree. The home page is absolutely terrible :-((
[...]
>No, I think it does exactly what he wants. It is cleary a scam outfit. He
>has pages of text in one point type designed to get himself onto web
>crawler's pages. anyone who is so incompetent and duplicitous should not be
>taken seriously.
[...]

I don't know about the cryptography claims, and his page looks OK in
my old Netscape 4.08 browser, but also being a native Spanish speaker
(Latin-America) I would agree with this comment. From reading the page
I would say that someone that makes so many claims of studies,
diplomas and a succesful career (all documented in his own pages),
while at the same time works so hard to advertise himself looks
suspicious, to say the least.

Geo

PS:
'NEGOCIAR COMPLEX PROFESSIONAL NEGOTIATIONS'
A Curriculum in Spanglish?

Re: USB pen drives and safe cryptosystems (looking for references)

"9ust4v0" <9ust4v0@gmail.com> wrote in message
news:1153924102.485612.93360@b28g2000cwb.googlegroups.com...
> It's true that Miguel's page looks bad and maybe he isn't an encryption
> expert, technically speaking; but sometimes (just sometimes) there are
> things more important than that, like knowing what, when and how to
> encrypt.

When attempting to sell services as a cryptography expert, especially to a
court of law, it has little to do with anything except being a cryptography
expert.
Joe

Re: USB pen drives and safe cryptosystems (looking for references)

LOL, I just visited again the webpage of cita.es and saw this on the
frontpage:

"Nota: A veces, los mensajes se pierden, muy a nuestro pesar (recibimos
varios miles cada semana, y es francamente difícil diferenciarlos del SPAM
que nos invade). Si no se recibe respuesta, por favor llámenos por
teléfono (hay contestador en el Tel.: 914743809)"


It basically says: "Note:Sometimes we lose the emails you send to us
because we receive thousands of them everyweek and we can not
differenciate them from SPAM. If we do not reply please call us on phone
number: 914*****

He maybe a cryptographic expert but it seems he hasnt got a clue about how
to stop SPAM, go and tell the judge in that important fraud case that the
emails from the prosecution got lost because you couldn't differenciate
them from SPAM.




> When attempting to sell services as a cryptography expert, especially to
> a court of law, it has little to do with anything except being a
> cryptography
> expert.
> Joe
>
>

Re: USB pen drives and safe cryptosystems (looking for references)

Joseph Ashwood ha escrito:

> "Miguel A. Gallardo en http://www.cita.es"
> wrote in message
> news:1153765560.625531.243630@i3g2000cwc.googlegroups.com...
> [snip pointless.]
>
> > I explaned cryptography invited byt the Army and the Diplomacy in China
> > (1994), also in Argentina 1995, and in Honk Kong as you can read at
> > http://www.cita.es/HK
>
> Umm, yeah, this once again shows how little you know, that page is entirely
> about gem stones, which has nothing to do with cryptography.

I shall be pleased to explain as much as I can the basic idea of
"object oriented cryptography" applied to very expensive objects like
gemstones shortly explained at http://www.cita.es/branding

Anyhow, I appreciate your time and effort visiting anything at
www.cita.es


> > and shortly at http://www.cita.es/branding for
> > "object oriented cryptography" home made in Spain.
>
> At this point you seem to be extremely confused about the difference between
> physical security measures and information security measures. They are
> extremely different areas, and by claiming it is cryptographic very quickly
> proves that you do not even grasp the most basic concepts.

I do not know how to prove that anybody does not know anything. I can
confirm and evidence whatever is known by whoever, and to prove
whatever whoever does not know is a diabolical proof of negative facts.
I respect the bad opinion of anybody about me, my thoughts, my words,
or my website pages, but I disagree with any supposed proof of anything
that I do not know, because I have the hope to learn.

> > I translated to Spanish PGP 1.0 and 2.0 (you can ask to Phil Zimmerman
> > about me).
>
> Anyone who is capable of speaking both languages can translate a program, it
> shows nothing in terms of understanding.

OK. At least I am an old translator of an old cryptosystem. But I am
here to learn new things.

> > I shall appreciate any comment or reference that let me to
> > improve my knowledge on "USB pendrive applied Cryptology" (By the way,
> > I think that Bruce Schneier must have new ideas about it).
>
> On that front I would gladly have supplied things, but the bottom line is
> that you claimed to be a consultant, but you have demonstrated a complete
> lack of knowledge or even the ability to grasp the core concepts.

OK. I am a very bad consultant for you, and you think that I have
demonstrated a complete lack of knowledge on everything.

Now I know that you want to look like an expert just devaluating me.

Can you give me 3 names of good cryptologists and 3 books useful for
USB pen drives protection?

miguel, www.cita.es

Re: USB pen drives and safe cryptosystems (looking for references)

Truncat ha escrito:
> I haven't got a clue as I said but I can comment about your webpage
> http://www.cita.es
> which looks horrible viewed with Opera9.01 browser you really need to
> redesign it if you
> expect to look like a serious company.

Thanks for the advice. Maybe I do not want to look so serious. My
company is useful for bills and advertising, and www.cita.es is good
enough for my approach. Anyhow, I always appreciate good advices.

> Your other page: http:/www.cita.es/descifrar/ says:
> "La "ESPIOLOG=CDA" o estudio del espionaje es una ciencia emp=EDrica y
> multidisciplinar"
>
> Spanish is my native language and never in my life heard of the term
> "espiologia" but
> then I admit I am not too educated so I searched in
> http://en.wikipedia.org and not a single
> mention. I do not have the time to read all of course, but at first glance
> for an average
> persorn without knowledge of computers the website looks written in
> Chinese very hard to navigate
> and far too much to reading.

I wrote more about that idea at http://www.cita.es/contraespionaje
and it is also in the background of http://www.cita.es/secretos

> Ok, it is a negative review, sorry about that, but it is better than lying
> to you I hope.

No problem. I repeat that I appreciate any critical approach to
www.cita.es

miguel, www.cita.es/conmigo

Re: USB pen drives and safe cryptosystems (looking for references)

TC ha escrito:> Miguel, get a professional web designer to redesign
your site. There is
> no way that your current site will attract professonal clients. They'll
> take one look at your home page - and never come back.

Maybe. I do not want to come back anybody that is not able to search in
google:

whatever_you_want site:cita.es

I have too much traffic so it is not a problem for me to attract
clients.

Here I am just looking for USB pen drives hard&soft protections and if
possible, any magic trick (yes, I am also interested in illusionism for
USB and I am working in some special effects with magic that I must to
keep confidencial). Illusionism and cryptology are 2 very complementary
approaches to pen drives in my honest opinion.

miguel, www.cita.es/conmigo

Re: USB pen drives and safe cryptosystems (looking for references)

9ust4v0 ha escrito:
> Hi all. I'm new on this group so i want to introduce myself. My name is
> Gustavo, and I'm also a native spanish speaker, but I can communicate
> in english just fine.

Bien, bien.

> It's true that Miguel's page looks bad and maybe he isn't an encryption
> expert, technically speaking; but sometimes (just sometimes) there are
> things more important than that, like knowing what, when and how to
> encrypt.

I am not important, and I prefer to speak here about ideas, technology
and magic for pen drives than on www.cita.es

> Speaking of cryptosystems on usb pen:
> I think the problem is, if you use any encryption program (I recommend
> truecrypt, allows many encryption algorythms fast and easy) in windows,
> the on-the-fly un-encrypted files (and maybe your password too if you
> configure it wrong) stays on memory, temp and page files (maybe other
> files too, but i'm not sure about that). So you would need another
> program to securely delete/defrag this files.

I respect that approach, but is not the only one to protect an USB pen
drive. I would like to make a catalogue of hard&soft options.

> If everything else goes wrong and you really need to keep things
> confidential, just degauss your hd after you use the pen drive :) (I'm
> kidding, don't do that, Miguel).

Sorry, but I do not understand what you mean exactly. I shall
appreciate an explanation that I can understand in English and/or in
Spanish.

> Hope you keep researching on cryptosystems.

I shall do my best, for sure.

miguel, www.cita.es/conmigo

Re: USB pen drives and safe cryptosystems (looking for references)

Joseph Ashwood ha escrito:
> When attempting to sell services as a cryptography expert, especially to a
> court of law, it has little to do with anything except being a cryptography
> expert.

I respect your opinion. However, I think that a criminology
understanding, a forensic interest&experience, and a deep democratic
feeling helps to accept hard critics. Honestly, I must to admit that
many lawyers agree with you and would like me to know only about
cryptography, but I keep my mind as open as I can even if I respect
your right to close yours one, if you want to do so.

miguel, www.cita.es/conmigo

Re: USB pen drives and safe cryptosystems (looking for references)

Truncat ha escrito:

> LOL, I just visited again the webpage of cita.es and saw this on the
> frontpage:
>
> "Nota: A veces, los mensajes se pierden, muy a nuestro pesar (recibimos
> varios miles cada semana, y es francamente dif=EDcil diferenciarlos del S=
PAM
> que nos invade). Si no se recibe respuesta, por favor ll=E1menos por
> tel=E9fono (hay contestador en el Tel.: 914743809)"
>
>
> It basically says: "Note:Sometimes we lose the emails you send to us
> because we receive thousands of them everyweek and we can not
> differenciate them from SPAM. If we do not reply please call us on phone
> number: 914*****
>
> He maybe a cryptographic expert but it seems he hasnt got a clue about how
> to stop SPAM, go and tell the judge in that important fraud case that the
> emails from the prosecution got lost because you couldn't differenciate
> them from SPAM.

Maybe you are much better than me selecting relevant messages, or you
use a wonderful tool to do it. I admit that I deleted interesting
messages and I apologice for it while asking to repeat anyone unreplied
or just to call me to check it on-line.

I respect anybody else policy, but at the moment, that what I do.

miguel, www.cita.es/conmigo

Re: USB pen drives and safe cryptosystems (looking for references)

Unruh ha escrito:
> No, I think it does exactly what he wants. It is cleary a scam outfit. He
> has pages of text in one point type designed to get himself onto web
> crawler's pages. anyone who is so incompetent and duplicitous should not be
> taken seriously.

I an not sure what you mean with "scam outfit". I just wanted to keep a
link from www.cita.es to the most important pages and I admit that I
have no time and/or tools to keep www.cita.es alive in Google. But
there is no scam and no fraud at all. You can visit it your you can ask
at Google for site:cita.es and of course you can ignore it. Where is
the ethical problem with my source?

> That this is not a mistake, here is code from the page source.
>
> > href="http://www.cita.es/descubrimiento">http://www.cita.es/ descubrimiento

> > href="http://www.cita.es/descubrimiento/y/revelacion/de/secr etos">http://www.cita.es/descubrimiento/y/revelacion/de/secr etos

> > href="http://www.cita.es/descubrimiento/y/revelacion">http:/ /www.cita.es/descubrimiento/y/revelacion

>

> > href="http://www.cita.es/secretos">http://www.cita.es/secret os

Re: USB pen drives and safe cryptosystems (looking for references)

"GEO"Me@home.here ha escrito:
> I don't know about the cryptography claims, and his page looks OK in
> my old Netscape 4.08 browser, but also being a native Spanish speaker
> (Latin-America) I would agree with this comment. From reading the page
> I would say that someone that makes so many claims of studies,
> diplomas and a succesful career (all documented in his own pages),
> while at the same time works so hard to advertise himself looks
> suspicious, to say the least.

1. I use an old Netscape-Mozilla composer, so I understand it looks OK
in your browser
2. I do not claim anything that I did not studied, and I am still
studing many things.
3. I accept to look suspicious, at least as a member of the Spanish
Magician Association and also as a criminologist workking on forensic
technologies (always learning for better approaches to difficult
evidences).

> PS:
> 'NEGOCIAR COMPLEX PROFESSIONAL NEGOTIATIONS'
> A Curriculum in Spanglish?

Maybe. I learned a lot while teaching http://www.cita.es/negociar
and now everyday as a http://www.cita.es/commercial/agent

But I do not understand why is so important my image or my titles in
order to speak about USB pen drives and state-of-the-art cryptosystems.
Maybe it could be better an humouristical approach than an hard
technology one, but I am open to think as a magician or a cryptologist
trainee in both point of views.

miguel, www.cita.es/conmigo

Re: USB pen drives and safe cryptosystems (looking for references)

Various contradictions on your shitty site have been noted. Personally,
the one that truly scandalizes me is the correlation between Magic and
illusionism. After checking on Wikipedia, you might be not as wrong as
you should be - to the mainstream. The confusion between stage magic
and sorcery is quite widespread. But still... Can't you feel that
sorcery makes AES-2048 so... easy to factor? Ask the competent ones.
Ask JSH.

Kind regards
Ludovic

Re: USB pen drives and safe cryptosystems (looking for references)

"Miguel A. Gallardo en http://www.cita.es"
wrote in message
news:1154103837.246742.167370@p79g2000cwp.googlegroups.com.. .
> Joseph Ashwood ha escrito:
>
>> "Miguel A. Gallardo en http://www.cita.es"
>> wrote in message
>> news:1153765560.625531.243630@i3g2000cwc.googlegroups.com...
>> [snip pointless.]
>>
>> > I explaned cryptography invited byt the Army and the Diplomacy in China
>> > (1994), also in Argentina 1995, and in Honk Kong as you can read at
>> > http://www.cita.es/HK
>>
>> Umm, yeah, this once again shows how little you know, that page is
>> entirely
>> about gem stones, which has nothing to do with cryptography.
>
> I shall be pleased to explain as much as I can the basic idea of
> "object oriented cryptography" applied to very expensive objects like
> gemstones shortly explained at http://www.cita.es/branding

This I just have to hear. How does pure information relate to physical
objects?

I can see tagging objects, but cryptographic properties are irrelevant at
that level (the various fingerprinting methods for gem stones would be
superior). Cryptography does not solve any problem related to properties of
gemstone, for example a short amount of time on a grinding stone will have
little to no effect on cut, brilliance, refraction, and defraction
properties, but it will dramatically affect the fingerprint, and will
radically change any cryptographic properties associated with it.

>> > and shortly at http://www.cita.es/branding for
>> > "object oriented cryptography" home made in Spain.
>>
>> At this point you seem to be extremely confused about the difference
>> between
>> physical security measures and information security measures. They are
>> extremely different areas, and by claiming it is cryptographic very
>> quickly
>> proves that you do not even grasp the most basic concepts.
>
> I do not know how to prove that anybody does not know anything. I can
> confirm and evidence whatever is known by whoever, and to prove
> whatever whoever does not know is a diabolical proof of negative facts.
> I respect the bad opinion of anybody about me, my thoughts, my words,
> or my website pages, but I disagree with any supposed proof of anything
> that I do not know, because I have the hope to learn.

I have no problem with you learning, but you began this conversation by
claiming to be an expert. Even a couple of paragraphs ago, you once again
claimed to be an expert. If you want to learn there is a great deal of
knowledge in a few of the groups you posted to (we really should start
trimming it, I doubt microsoft.public.security or comp.security.misc has any
interest in debates about your claim of expertness), if you are already an
expert then you certainly don't prove it very well.

>> > I shall appreciate any comment or reference that let me to
>> > improve my knowledge on "USB pendrive applied Cryptology" (By the way,
>> > I think that Bruce Schneier must have new ideas about it).
>>
>> On that front I would gladly have supplied things, but the bottom line is
>> that you claimed to be a consultant, but you have demonstrated a complete
>> lack of knowledge or even the ability to grasp the core concepts.
>
> OK. I am a very bad consultant for you, and you think that I have
> demonstrated a complete lack of knowledge on everything.
>
> Now I know that you want to look like an expert just devaluating me.

Actually a large part of what I'm doing is working to protect the legal
system. Testimony from an expert that is far from expert tends to lead to
major issues. Since you made overtures towards being used as an expert
witness your lack of knowledge of the subject is of extreme importance.

Since you and I are in no way competitors, devaluing you would be for no
purpose.

> Can you give me 3 names of good cryptologists

Shannon, Feistel, Vigenere. None of which will likely be of use to you, as
I've specifically chosen them to be of little use to you, even though they
are exceedingly applicable.

> and 3 books useful for
> USB pen drives protection?

Safecracking for the Computer Scientist
Between Silk and Cyanide
Rethinking Public Key Infrastructures and Digital Certificates

Again, don't think these will help you much, understanding their application
to pen drives will be difficult.

More to the point. Can you?
Joe

Re: USB pen drives and safe cryptosystems (looking for references)

"Miguel A. Gallardo en http://www.cita.es"
wrote in message
news:1154104396.872626.204240@m79g2000cwm.googlegroups.com.. .
> Illusionism and cryptology are 2 very complementary
> approaches to pen drives in my honest opinion.

Now we're getting somewhere. It seems you have never been actually
introduced to cryptography. Well then I'll revise my earlier statement of
the three important cryptologists, remove Feistel and add Kerckhoffs. If you
actually understand Kerckhoffs principles you will very quickly see that
illusionism/magic/mysticism/anything else that has at points in history been
linked has nothing to do with cryptography. To summarize:
1. The system must be practically, if not mathematically, indecipherable;
2. It must not be required to be secret, and it must be able to fall into
the hands of the enemy without inconvenience;
3. Its key must be communicable and retainable without the help of written
notes, and changeable or modifiable at the will of the correspondents;
4. It must be applicable to telegraphic correspondence;
5. It must be portable, and its usage and function must not require the
concourse of several people;
6. Finally, it is necessary, given the circumstances that command its
application, that the system be easy to use, requiring neither mental strain
nor the knowledge of a long series of rules to observe

You will find that in particular magic/illusionism breaks 1, 2, 3, 4, and 6,
and that some examples break 5 as well.

You have once again demonstrated that you don't have the foundation
knowledge necessary, it is necessary for you to read up on the implications
of Kerckhoffs principles, on Shannon's work, and on Viginere's effects even
today simply in order to understand your own question.
Joe

Re: USB pen drives and safe cryptosystems (looking for references)

I must to take with humour your scandal.

I love magic as a way to make difficult things with easy but mostly
unknown procedures.

Of course, quantum computing and Shor algorithm are not easy
procedures, but I can imagine that it can be used by somebody, and
maybe can be simmulated by a good menthalist very smart on "cold
reading" (something that I do not want to explain here and now) in
order to look like a NSA contact.

I am not so fluent in English, but in Spanish I played with some real
USB pen drives in order to make the people imagine that I got
information in a missdirected way. It was funny because I noticed how
paranoid some people can become while I keep their pen drive in my
hands (even if they gave me for the trick). I mean that a pen drive is
a "paranogical factor", something that can give a chance for good
magic, and I am working on that. Unfortunately, I can not demonstrate
how can I perform some magic tricks for pen drives here and now, so
"believe it or not..."

miguel, www.cita.es

Ludovic Joly ha escrito:

> Various contradictions on your shitty site have been noted. Personally,
> the one that truly scandalizes me is the correlation between Magic and
> illusionism. After checking on Wikipedia, you might be not as wrong as
> you should be - to the mainstream. The confusion between stage magic
> and sorcery is quite widespread. But still... Can't you feel that
> sorcery makes AES-2048 so... easy to factor? Ask the competent ones.
> Ask JSH.
>
> Kind regards
> Ludovic

Re: USB pen drives and safe cryptosystems (looking for references)

I must to take with humour your scandal.

I love magic as a way to make difficult things with easy but mostly
unknown procedures.

Of course, quantum computing and Shor algorithm are not easy
procedures, but I can imagine that it can be used by somebody, and
maybe can be simmulated by a good menthalist very smart on "cold
reading" (something that I do not want to explain here and now) in
order to look like a NSA contact.

I am not so fluent in English, but in Spanish I played with some real
USB pen drives in order to make the people imagine that I got
information in a missdirected way. It was funny because I noticed how
paranoid some people can become while I keep their pen drive in my
hands (even if they gave me for the trick). I mean that a pen drive is
a "paranogical factor", something that can give a chance for good
magic, and I am working on that. Unfortunately, I can not demonstrate
how can I perform some magic tricks for pen drives here and now, so
"believe it or not..."

miguel, www.cita.es

Ludovic Joly ha escrito:

> Various contradictions on your shitty site have been noted. Personally,
> the one that truly scandalizes me is the correlation between Magic and
> illusionism. After checking on Wikipedia, you might be not as wrong as
> you should be - to the mainstream. The confusion between stage magic
> and sorcery is quite widespread. But still... Can't you feel that
> sorcery makes AES-2048 so... easy to factor? Ask the competent ones.
> Ask JSH.
>
> Kind regards
> Ludovic

Re: USB pen drives and safe cryptosystems (looking for references)

I must to take with humour your scandal.

I love magic as a way to make difficult things with easy but mostly
unknown procedures.

Of course, quantum computing and Shor algorithm are not easy
procedures, but I can imagine that it can be used by somebody, and
maybe can be simmulated by a good menthalist very smart on "cold
reading" (something that I do not want to explain here and now) in
order to look like a NSA contact.

I am not so fluent in English, but in Spanish I played with some real
USB pen drives in order to make the people imagine that I got
information in a missdirected way. It was funny because I noticed how
paranoid some people can become while I keep their pen drive in my
hands (even if they gave me for the trick). I mean that a pen drive is
a "paranogical factor", something that can give a chance for good
magic, and I am working on that. Unfortunately, I can not demonstrate
how can I perform some magic tricks for pen drives here and now, so
"believe it or not..."

miguel, www.cita.es

Ludovic Joly ha escrito:

> Various contradictions on your shitty site have been noted. Personally,
> the one that truly scandalizes me is the correlation between Magic and
> illusionism. After checking on Wikipedia, you might be not as wrong as
> you should be - to the mainstream. The confusion between stage magic
> and sorcery is quite widespread. But still... Can't you feel that
> sorcery makes AES-2048 so... easy to factor? Ask the competent ones.
> Ask JSH.
>
> Kind regards
> Ludovic

Re: USB pen drives and safe cryptosystems (looking for references)

OK. I read Merkle approaches to public key cryptography long time ago,
and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
opinion cryptology is not only about algorithms or access protocols. On
1991 I published about some PANDORA approaches, and now "we" (at least
in Spanish I got some very respected experts on computer security to
understand some new ideas) are thinking in a "doberman pen drive" that
can ciphper a partion, can contaminate from another one, and can
attack, even physically, some electronics of the computer where it is
being unauthoricedly used. As far as we foresaw, there are 5
problems/solutions for pen drives:

1. The legal approach to be completely sure that the cracker is very
well aware that he/she is not authoriced.
2. False/true data inside (magical/theatre/humour/fun)
3. Software (internal and external) beyond known cryptosystems
4. Hardware vulnerabilities from USB interface
5. Messages or any tracking way from the pen drive to any open channel
of the owner

I admit that it is just a brain-storming, but we are free to project
many things in our pen drives, and of course, some ideas are only for
people involved. However, I am always open to suggestions of whoever
knows more than me about anything....

I am very happy to learn that I now very little about almost nothing.
However, I do not think that Feistel, Kerckchoffs, Shannon clasical
fundamentals or, for instance, Feige-Fiat-Shamir or Guillou-Quisquater
identification schemes or Diffie-Hellman key exchanges have too much to
do with USB pen drives real risks. I foresee new approaches specific
for pen drives even if I am not smart enough to explain my intuitions
right now, sorry. I know some of my limits, and that one is here right
now.

miguel, www.cita.es/conmigo

Joseph Ashwood ha escrito:

> "Miguel A. Gallardo en http://www.cita.es"
> wrote in message
> news:1154104396.872626.204240@m79g2000cwm.googlegroups.com.. .
> > Illusionism and cryptology are 2 very complementary
> > approaches to pen drives in my honest opinion.
>
> Now we're getting somewhere. It seems you have never been actually
> introduced to cryptography. Well then I'll revise my earlier statement of
> the three important cryptologists, remove Feistel and add Kerckhoffs. If you
> actually understand Kerckhoffs principles you will very quickly see that
> illusionism/magic/mysticism/anything else that has at points in history been
> linked has nothing to do with cryptography. To summarize:
> 1. The system must be practically, if not mathematically, indecipherable;
> 2. It must not be required to be secret, and it must be able to fall into
> the hands of the enemy without inconvenience;
> 3. Its key must be communicable and retainable without the help of written
> notes, and changeable or modifiable at the will of the correspondents;
> 4. It must be applicable to telegraphic correspondence;
> 5. It must be portable, and its usage and function must not require the
> concourse of several people;
> 6. Finally, it is necessary, given the circumstances that command its
> application, that the system be easy to use, requiring neither mental strain
> nor the knowledge of a long series of rules to observe
>
> You will find that in particular magic/illusionism breaks 1, 2, 3, 4, and 6,
> and that some examples break 5 as well.
>
> You have once again demonstrated that you don't have the foundation
> knowledge necessary, it is necessary for you to read up on the implications
> of Kerckhoffs principles, on Shannon's work, and on Viginere's effects even
> today simply in order to understand your own question.
> Joe

Re: USB pen drives and safe cryptosystems (looking for references)

"Miguel A. Gallardo en http://www.cita.es"
wrote in message
news:1154133133.080321.183360@m79g2000cwm.googlegroups.com.. .

> OK. I read Merkle approaches to public key cryptography long time ago,

That was no where on the list, but I'll fairly well ignore that.

> and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
> opinion cryptology is not only about algorithms or access protocols.

Then once again, you clearly do not understand what cryptography is.

> On
> 1991 I published about some PANDORA approaches, and now "we" (at least
> in Spanish I got some very respected experts on computer security to
> understand some new ideas) are thinking in a "doberman pen drive" that
> can ciphper a partion, can contaminate from another one, and can
> attack, even physically, some electronics of the computer where it is
> being unauthoricedly used.

So basically you have dreamed up something completely pointless. Allow me to
introduce you to how *I* would break a pen drive. First I would take the
drive apart, then slip the Flash chip into any of a few boards I actually
have around, and simply read the data off. I have now completely eliminated
the contamination, and any chance you have for attack, that leaves only the
enciphered content, which since you can't seem to even spell cipher, or
recognise that it is the incorrect word there, I doub't would pose much
problem.

> As far as we foresaw, there are 5
> problems/solutions for pen drives:
>
> 1. The legal approach to be completely sure that the cracker is very
> well aware that he/she is not authoriced.
> 2. False/true data inside (magical/theatre/humour/fun)
> 3. Software (internal and external) beyond known cryptosystems
> 4. Hardware vulnerabilities from USB interface
> 5. Messages or any tracking way from the pen drive to any open channel
> of the owner

You missed the core problem. Pen Drives are assembled from two primary
chips; the NAND Flash chip itself (usually either Samsung or Toshiba), and
the bridge chip that converts between the NAND Flash interface and SCSI over
USB (typically Atmel). All you're doing is creating something that serves no
purpose, has no real use, and the security you've given so far is
fundamentally flawed against the most basic attack. Attacking the drive
itself allows the attacker to eliminate your options with 1, distinguish
false/true data in 2, eliminates the software in 3, provides hardware
vulnerabilities that you are not addressing that completely eclipse 4, and
eliminates 5. In short, what you have "foreseen" is sidestepped through some
of the most trivial processes available, eliminating all of the security
that you pretend exists. This is the core difference between real security
people, and people who decide to declare themself an expert as you have
done.

> I am very happy to learn that I now very little about almost nothing.
> However, I do not think that Feistel, Kerckchoffs, Shannon clasical
> fundamentals or, for instance, Feige-Fiat-Shamir or Guillou-Quisquater
> identification schemes or Diffie-Hellman key exchanges have too much to
> do with USB pen drives real risks.

Like I said, you will not understand how they apply, further demonstrating
your lack of understanding.

Shannon always matters because he laid out the groundwork that you are
attempting to violate.
Kerckhoffs matters because you are violating basically every basic principle
Feistel matters because he showed that it is possible to have practical
security without perfect secrecy
Vigenere matters because he uncovered the fundamentals of block
encipherment, which is exactly what you will have to do.

In addition you missed probably the most important of the books to
understand Safecracking for the Computer Scientist is critical to what you
are attempting to do. I strongly encourage you to actually read the
references I gave, they will most certainly help.

Back to the show. To repeat myself. "More to the point. Can you [name 3]?"

Re: USB pen drives and safe cryptosystems (looking for references)

Joseph Ashwood ha escrito:

> "Miguel A. Gallardo en http://www.cita.es"
> wrote in message
> news:1154133133.080321.183360@m79g2000cwm.googlegroups.com.. .
>
> > OK. I read Merkle approaches to public key cryptography long time ago,
>
> That was no where on the list, but I'll fairly well ignore that.

OK. You are free to ignore whatever you ignore forever. I loved the way
he solved 2 cryptographic problems with just 1 idea. I think he is a
genius, even if an ignorant like me can appreciate how smart he is
(obviously, anybody that has ideas that I can not appreciate could be
much better, but if I can not apprecite him, I can not know if he is a
genious or not). I hope to know about Merkle pen drives now that he is
working in nanotechnology, as far as I know.

> > and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
> > opinion cryptology is not only about algorithms or access protocols.
>
> Then once again, you clearly do not understand what cryptography is.

OK. You know everything about what I know, and I know nothing about
whatever you know. That is very good for me. I have nothing to loose
then.


> > On
> > 1991 I published about some PANDORA approaches, and now "we" (at least
> > in Spanish I got some very respected experts on computer security to
> > understand some new ideas) are thinking in a "doberman pen drive" that
> > can ciphper a partion, can contaminate from another one, and can
> > attack, even physically, some electronics of the computer where it is
> > being unauthoricedly used.
>
> So basically you have dreamed up something completely pointless. Allow me=
to
> introduce you to how *I* would break a pen drive. First I would take the
> drive apart, then slip the Flash chip into any of a few boards I actually
> have around, and simply read the data off. I have now completely eliminat=
ed
> the contamination, and any chance you have for attack, that leaves only t=
he
> enciphered content, which since you can't seem to even spell cipher, or
> recognise that it is the incorrect word there, I doub't would pose much
> problem.

I have no idea about whatever have you around but it seems that you are
breaking some protections everyday. But I am sure you did not catched
what I mean with contamination. It is my fault because I am thinking in
Spanish. And I bet that you will not be happy with my "decoy"
(se=F1uelo) approach to magic criptography using "missdirection" effect
because I can not give a citation index reference. I hope to find
something in citation index about "decoy" approaches, but I am still
searching for something like that. Maybe I found something new.

> > As far as we foresaw, there are 5
> > problems/solutions for pen drives:
> >
> > 1. The legal approach to be completely sure that the cracker is very
> > well aware that he/she is not authoriced.
> > 2. False/true data inside (magical/theatre/humour/fun)
> > 3. Software (internal and external) beyond known cryptosystems
> > 4. Hardware vulnerabilities from USB interface
> > 5. Messages or any tracking way from the pen drive to any open channel
> > of the owner
>
> You missed the core problem. Pen Drives are assembled from two primary
> chips; the NAND Flash chip itself (usually either Samsung or Toshiba), and
> the bridge chip that converts between the NAND Flash interface and SCSI o=
ver
> USB (typically Atmel). All you're doing is creating something that serves=
no
> purpose, has no real use, and the security you've given so far is
> fundamentally flawed against the most basic attack. Attacking the drive
> itself allows the attacker to eliminate your options with 1, distinguish
> false/true data in 2, eliminates the software in 3, provides hardware
> vulnerabilities that you are not addressing that completely eclipse 4, and
> eliminates 5. In short, what you have "foreseen" is sidestepped through s=
ome
> of the most trivial processes available, eliminating all of the security
> that you pretend exists. This is the core difference between real security
> people, and people who decide to declare themself an expert as you have
> done.

I must to take this seriously. Please give me some time to check your
technical references. Maybe I am using very inexpensive Pen Drives that
you can find at www.vfuel.net but I do not think that the standards you
mentioned are the only ones. As you admit, we can speak about them
"typically".

Anyhow, your Pen Drive "autopsia" does not demonstrate that 1-5
approaches are always useless, in my honest opinion.

> > I am very happy to learn that I now very little about almost nothing.
> > However, I do not think that Feistel, Kerckchoffs, Shannon clasical
> > fundamentals or, for instance, Feige-Fiat-Shamir or Guillou-Quisquater
> > identification schemes or Diffie-Hellman key exchanges have too much to
> > do with USB pen drives real risks.
>
> Like I said, you will not understand how they apply, further demonstrating
> your lack of understanding.

You are very kind, and of course, you must be always right. I can
imagine how happy can be all the people you have around...

> Shannon always matters because he laid out the groundwork that you are
> attempting to violate.

Yes. And Pythagoras too.

> Kerckhoffs matters because you are violating basically every basic princi=
ple

I hope that those principles get pregnant because that way we can get
very interesting children.

> Feistel matters because he showed that it is possible to have practical
> security without perfect secrecy

I must to take this point very seriously indeed. I worked with Vernam
ciphers and I even used XOR with long key files. Right now I am
thinking in pen drives as one time keys, as well as for complex secret
sharing protocols. However, as you said before, I am still dreaming in
order to get somebody to pay for the project at least for a beta
version.

> Vigenere matters because he uncovered the fundamentals of block
> encipherment, which is exactly what you will have to do.

Please remember that I am like Forrest Gump so I can not do anything
exactly. Long time ago I explanied International Data Encryption
Algorithm (IDEA) fundamentals, and I have the doctoral thesis of Xuejia
Lay in my personal library. I understand what you mean, but please be
kind and do not limit my dreams to block encipherment. I know a little
about steganography and I even understand PK and Shor algorithm, so I
am much more mind open than that.

> In addition you missed probably the most important of the books to
> understand Safecracking for the Computer Scientist is critical to what you
> are attempting to do. I strongly encourage you to actually read the
> references I gave, they will most certainly help.

Yes. You gave me some good references and better ideas, mixed with some
unpolite approaches to my lack of knowledge, but I admit that your
dialectic is good for my brainstorming. Your worst fault is that you
are so sure that I know nothing that it is so funny that I enjoy it a
lot. You remind me some lawyers than pretend to know in just 1 minute
all my background and my several weeks hard work on an expert
witnessing problem on forensic computing. Of course I always take a lot
of time to think what to do in the next minute, and sometimes, the
judge understand the whole movie just smiling.


> Back to the show. To repeat myself. "More to the point. Can you [name 3]?"

OK. If you just want to speak about
3 Software (internal and external) beyond known cryptosystems
I prefer to speak about what you said this way:
"I would take the drive apart, then slip the Flash chip into any of a
few boards I actually
have around, and simply read the data off".

Have you done anything like that already? If so, please let me to know
more about you, your tools, and the whole movie you played.

miguel, www.cita.es/conmigo

Re: USB pen drives and safe cryptosystems (looking for references)

"Miguel A. Gallardo en http://www.cita.es"
wrote in message
news:1154172066.192979.205850@b28g2000cwb.googlegroups.com.. .
Joseph Ashwood ha escrito:

>> "Miguel A. Gallardo en http://www.cita.es"
>> wrote in message
>> news:1154133133.080321.183360@m79g2000cwm.googlegroups.com.. .
>>
>> > OK. I read Merkle approaches to public key cryptography long time ago,
>>
>> That was no where on the list, but I'll fairly well ignore that.

> OK. You are free to ignore whatever you ignore forever.

I ignored it because it is generally irrelevant, you might as well have said
"I enjoy Root Beer" it makes no difference to what you're trying to do.

>> > and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
>> > opinion cryptology is not only about algorithms or access protocols.
>>
>> Then once again, you clearly do not understand what cryptography is.
>
>OK. You know everything about what I know, and I know nothing about
>whatever you know. That is very good for me. I have nothing to loose
>then.

Actually you have a great deal to lose. Bringing this back to the original
discussion, you have now admitted that you lack the knowledge to be a
forensic expert. So anyone actually looking for such can safely ignore you.

>>> ["doberman pen drive"]
>
>> So basically you have dreamed up something completely pointless. Allow me
>> to
>> introduce you to how *I* would break a pen drive. First I would take the
>> drive apart, then slip the Flash chip into any of a few boards I actually
>> have around, and simply read the data off. I have now completely
>> eliminated
>> the contamination, and any chance you have for attack, that leaves only
>> the
>> enciphered content, which since you can't seem to even spell cipher, or
>> recognise that it is the incorrect word there, I doub't would pose much
>> problem.

>I have no idea about whatever have you around but it seems that you are
>breaking some protections everyday.

Well then perhaps we should start there. I have around me a number of
dissected pen drives by various manufacturers, specifically used for
research into a seperate project having to deal with them. In short I have a
year of deep research into how they are designed, built, and constructed, I
have prototypes (of my design) of a variation available to me. So basically,
with pen drives I really do have all the knowledge you're looking for. And
I'm telling you that if you're looking to make a pen drive, the only cost
effective way is exactly what I have told you, the only exception would be
if you are trying to exceed 4GB right now, 8GB within 6 months, etc. where
you will need custom chips, even then it is cheapest to use a different
controller than the basic Atmel along with multiple of the standard NAND
flash chips unless you are looking to exceed 50GB.

> But I am sure you did not catched
>what I mean with contamination.

Actually I did, and it is completely irrelevant to the security.

> And I bet that you will not be happy with my . . . magic criptography

You're right I won't, because such "magic cr[y]ptography" will violate the
fundamentals that you refuse to learn, and as such it will completely fail.

> Maybe I found something new.

Maybe you found something so useless that they realized it before
publishing.

>> > As far as we foresaw, there are 5
>> > problems/solutions for pen drives:
>> >
>> > 1. The legal approach to be completely sure that the cracker is very
>> > well aware that he/she is not authoriced.
>> > 2. False/true data inside (magical/theatre/humour/fun)
>> > 3. Software (internal and external) beyond known cryptosystems
>> > 4. Hardware vulnerabilities from USB interface
>> > 5. Messages or any tracking way from the pen drive to any open channel
>> > of the owner
>>
>> You missed the core problem. Pen Drives are assembled from two primary
>> chips; the NAND Flash chip itself (usually either Samsung or Toshiba),
>> and
>> the bridge chip that converts between the NAND Flash interface and SCSI
>> over
>> USB (typically Atmel). All you're doing is creating something that serves
>> no
>> purpose, has no real use, and the security you've given so far is
>> fundamentally flawed against the most basic attack. Attacking the drive
>> itself allows the attacker to eliminate your options with 1, distinguish
>> false/true data in 2, eliminates the software in 3, provides hardware
>> vulnerabilities that you are not addressing that completely eclipse 4,
>> and
>> eliminates 5. In short, what you have "foreseen" is sidestepped through
>> some
>> of the most trivial processes available, eliminating all of the security
>> that you pretend exists. This is the core difference between real
>> security
>> people, and people who decide to declare themself an expert as you have
>> done.

>I must to take this seriously. Please give me some time to check your
>technical references. Maybe I am using very inexpensive Pen Drives that
>you can find at www.vfuel.net but I do not think that the standards you
>mentioned are the only ones. As you admit, we can speak about them
>"typically".

They are standardized this way for a reason. The reason that SCSI is used as
the interface is to allow the OS to load it without placing a usability load
on the user, ATA would've worked but it would require additional logic on
the controller ASIC. NAND flash is used because it allows for near-optimum
design of the chip's storage areas and a vast reduction in the control
logic, the end result being a noticable decrease is the production cost, and
a noticable increase in the functioning speed of the device. The only
exceptions would generally be a small number of designs that include both
the Flash RAM (or FRAM, not the same thing) and the controller on the same
chip, Atmel has a few of these for smaller sizes, and various other
suppliers offer them as well, but again Atmel is the most popular, they
really seem to pretty much own the Flash controller market.

> Anyhow, your Pen Drive "autopsia" does not demonstrate that 1-5
> approaches are always useless, in my honest opinion.

It means that while your efforts are likely to bite the legitimate user, the
attacker will simply bypass them. So you're right they are not useless, they
are detrimental.

>> Shannon always matters because he laid out the groundwork that you are
>> attempting to violate.
>
>Yes. And Pythagoras too.
>> Kerckhoffs matters because you are violating basically every basic
>> principle

>I hope that those principles get pregnant because that way we can get
>very interesting children.

>> Feistel matters because he showed that it is possible to have practical
>> security without perfect secrecy

>I must to take this point very seriously indeed. I worked with Vernam
>ciphers and I even used XOR with long key files. Right now I am
>thinking in pen drives as one time keys, as well as for complex secret
>sharing protocols. However, as you said before, I am still dreaming in
>order to get somebody to pay for the project at least for a beta
>version.

Rest assured, even the most basic vetting of the concept will result in them
viewing this thread, and seeing that everything you have attempted is based
on flawed concepts, is a problem only for the legitimate user, and was
completely dismantled. If it gets funded it will only be by your family,
unfortunately they will lose any money they invest.

> Please remember that I am like Forrest Gump

I just have to: "Stupid is as stupid does."

> so I can not do anything
> exactly. Long time ago I explanied International Data Encryption
>Algorithm (IDEA) fundamentals,

Being able to explain the way an algorithm works does not mean you
understand why the decision of the algorithm have been made. When you are
attempting to design a new concept for security it is necessary to
understand the whys, it is completely irrelevant whether or not you can
recite the algorithm.

> I know a little
>about steganography and I even understand PK and Shor algorithm

Neither of which has any bearing at all on what you are proposing.
Steganography will only server to lower the storage capacity of the drive,
and PKC serves only to weak the security. Shor is completely irrelevant.

> You remind me some lawyers than pretend to know in just 1 minute
> all my background and my several weeks hard work on an expert
> witnessing problem on forensic computing.

Just another decade to go before you can be considered minimally qualified.
You have admitted several times that you simply don't have the foundations
necessary, this is only the most recent.

>> Back to the show. To repeat myself. "More to the point. Can you [name
>> 3]?"
>
>OK. If you just want to speak about
>3. Software (internal and external) beyond known cryptosystems

And how does your pretend book (no mention on Google or Amazon, turns out
"beyond known cryptosystems" is a phrase that results in 0 hits on Google
when enclosed in quotes), have anything to do with pen drive security? Mine
had very particular purposes, but the 1 you supplied doesn't even seem to
exist.
Joe

Re: USB pen drives and safe cryptosystems (looking for references)

Joseph Ashwood ha escrito:

> "Miguel A. Gallardo en http://www.cita.es"
> wrote in message
> news:1154172066.192979.205850@b28g2000cwb.googlegroups.com.. .
> Joseph Ashwood ha escrito:
>
> >> "Miguel A. Gallardo en http://www.cita.es"
> >> wrote in message
> >> news:1154133133.080321.183360@m79g2000cwm.googlegroups.com.. .
> >>
> >> > OK. I read Merkle approaches to public key cryptography long time ago,
> >>
> >> That was no where on the list, but I'll fairly well ignore that.
>
> > OK. You are free to ignore whatever you ignore forever.
>
> I ignored it because it is generally irrelevant, you might as well have said
> "I enjoy Root Beer" it makes no difference to what you're trying to do.

I recommend to you
SIMMONS, G. J. "Contemporary Cryptography" N.J. Ed. IEEE Press,
Piscataway, NJ, 1992, pp. 137 where Whitfield Diffie explained a
problem approach of Merkle. In my honest opinion, the heuristics and
hermeneutics of my dreams have something to do with it, and I am sorry
if I am not able to make you to doubt just a little.

> >> > and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
> >> > opinion cryptology is not only about algorithms or access protocols.
> >>
> >> Then once again, you clearly do not understand what cryptography is.
> >
> >OK. You know everything about what I know, and I know nothing about
> >whatever you know. That is very good for me. I have nothing to loose
> >then.
>
> Actually you have a great deal to lose. Bringing this back to the original
> discussion, you have now admitted that you lack the knowledge to be a
> forensic expert. So anyone actually looking for such can safely ignore you.

I am very happy if everybody is safe ignoring me. However, I am a
little bit more happy if just 1 reader is interested in my doubts.

> >>> ["doberman pen drive"]
> >
> >> So basically you have dreamed up something completely pointless. Allow me
> >> to
> >> introduce you to how *I* would break a pen drive. First I would take the
> >> drive apart, then slip the Flash chip into any of a few boards I actually
> >> have around, and simply read the data off. I have now completely
> >> eliminated
> >> the contamination, and any chance you have for attack, that leaves only
> >> the
> >> enciphered content, which since you can't seem to even spell cipher, or
> >> recognise that it is the incorrect word there, I doub't would pose much
> >> problem.
>
> >I have no idea about whatever have you around but it seems that you are
> >breaking some protections everyday.
>
> Well then perhaps we should start there. I have around me a number of
> dissected pen drives by various manufacturers, specifically used for
> research into a seperate project having to deal with them. In short I have a
> year of deep research into how they are designed, built, and constructed, I
> have prototypes (of my design) of a variation available to me. So basically,
> with pen drives I really do have all the knowledge you're looking for. And
> I'm telling you that if you're looking to make a pen drive, the only cost
> effective way is exactly what I have told you, the only exception would be
> if you are trying to exceed 4GB right now, 8GB within 6 months, etc. where
> you will need custom chips, even then it is cheapest to use a different
> controller than the basic Atmel along with multiple of the standard NAND
> flash chips unless you are looking to exceed 50GB.

I am taking your technology knowledge very seriously. It is obvious
that you know what you are speaking about. It is a pity that it will be
so difficult to negotiate with you because I am interested in added
value pen drives and I think I can sell some over here explaining or
just translating for Spanish customers.

> > But I am sure you did not catched
> >what I mean with contamination.
>
> Actually I did, and it is completely irrelevant to the security.

I respect your opinion, but I disagree.

> > And I bet that you will not be happy with my . . . magic criptography
>
> You're right I won't, because such "magic cr[y]ptography" will violate the
> fundamentals that you refuse to learn, and as such it will completely fail.

Sorry for my faults. I do not refuse to learn (or "relearn" because I
studied and teached about it already) anything. You are the one that
refuse to learn, for instance, what is "cold reading" in serious magic
(yes, magic can be very serious indeed). I hope to have a chance to
play some tricks for you in the near future.

> > Maybe I found something new.
>
> Maybe you found something so useless that they realized it before
> publishing.

Maybe.

> >> > As far as we foresaw, there are 5
> >> > problems/solutions for pen drives:
> >> >
> >> > 1. The legal approach to be completely sure that the cracker is very
> >> > well aware that he/she is not authoriced.
> >> > 2. False/true data inside (magical/theatre/humour/fun)
> >> > 3. Software (internal and external) beyond known cryptosystems
> >> > 4. Hardware vulnerabilities from USB interface
> >> > 5. Messages or any tracking way from the pen drive to any open channel
> >> > of the owner
> >>
> >> You missed the core problem. Pen Drives are assembled from two primary
> >> chips; the NAND Flash chip itself (usually either Samsung or Toshiba),
> >> and
> >> the bridge chip that converts between the NAND Flash interface and SCSI
> >> over
> >> USB (typically Atmel). All you're doing is creating something that serves
> >> no
> >> purpose, has no real use, and the security you've given so far is
> >> fundamentally flawed against the most basic attack. Attacking the drive
> >> itself allows the attacker to eliminate your options with 1, distinguish
> >> false/true data in 2, eliminates the software in 3, provides hardware
> >> vulnerabilities that you are not addressing that completely eclipse 4,
> >> and
> >> eliminates 5. In short, what you have "foreseen" is sidestepped through
> >> some
> >> of the most trivial processes available, eliminating all of the security
> >> that you pretend exists. This is the core difference between real
> >> security
> >> people, and people who decide to declare themself an expert as you have
> >> done.
>
> >I must to take this seriously. Please give me some time to check your
> >technical references. Maybe I am using very inexpensive Pen Drives that
> >you can find at www.vfuel.net but I do not think that the standards you
> >mentioned are the only ones. As you admit, we can speak about them
> >"typically".
>
> They are standardized this way for a reason. The reason that SCSI is used as
> the interface is to allow the OS to load it without placing a usability load
> on the user, ATA would've worked but it would require additional logic on
> the controller ASIC. NAND flash is used because it allows for near-optimum
> design of the chip's storage areas and a vast reduction in the control
> logic, the end result being a noticable decrease is the production cost, and
> a noticable increase in the functioning speed of the device. The only
> exceptions would generally be a small number of designs that include both
> the Flash RAM (or FRAM, not the same thing) and the controller on the same
> chip, Atmel has a few of these for smaller sizes, and various other
> suppliers offer them as well, but again Atmel is the most popular, they
> really seem to pretty much own the Flash controller market.
>
> > Anyhow, your Pen Drive "autopsia" does not demonstrate that 1-5
> > approaches are always useless, in my honest opinion.
>
> It means that while your efforts are likely to bite the legitimate user, the
> attacker will simply bypass them. So you're right they are not useless, they
> are detrimental.
>
> >> Shannon always matters because he laid out the groundwork that you are
> >> attempting to violate.
> >
> >Yes. And Pythagoras too.
> >> Kerckhoffs matters because you are violating basically every basic
> >> principle
>
> >I hope that those principles get pregnant because that way we can get
> >very interesting children.
>
> >> Feistel matters because he showed that it is possible to have practical
> >> security without perfect secrecy
>
> >I must to take this point very seriously indeed. I worked with Vernam
> >ciphers and I even used XOR with long key files. Right now I am
> >thinking in pen drives as one time keys, as well as for complex secret
> >sharing protocols. However, as you said before, I am still dreaming in
> >order to get somebody to pay for the project at least for a beta
> >version.
>
> Rest assured, even the most basic vetting of the concept will result in them
> viewing this thread, and seeing that everything you have attempted is based
> on flawed concepts, is a problem only for the legitimate user, and was
> completely dismantled. If it gets funded it will only be by your family,
> unfortunately they will lose any money they invest.

OK. I hope that none of my family members will find any problem with my
project, but if they have, I will recommend them to contact you.

> > Please remember that I am like Forrest Gump
>
> I just have to: "Stupid is as stupid does."

You are very kind.

> > so I can not do anything
> > exactly. Long time ago I explanied International Data Encryption
> >Algorithm (IDEA) fundamentals,
>
> Being able to explain the way an algorithm works does not mean you
> understand why the decision of the algorithm have been made. When you are
> attempting to design a new concept for security it is necessary to
> understand the whys, it is completely irrelevant whether or not you can
> recite the algorithm.

I promiss that I did my best at least on confussion/difussion criteria,
and my pupils seem to be smart enough to understand even better than
me. They appreciated Xuejia Lai thesis synthesis that I did for them.
About the "whys", I agree with you. I study philosophy right now, and I
never recited any algorithm in my life (I can not imagine myself doing
anything so boring).

> > I know a little
> >about steganography and I even understand PK and Shor algorithm
>
> Neither of which has any bearing at all on what you are proposing.
> Steganography will only server to lower the storage capacity of the drive,
> and PKC serves only to weak the security. Shor is completely irrelevant.

1. Steganography can be very useful for pen drives critical tasks, but
I do not want to waste your time, or even worse, to get you angry. I
also foresee some other pen drives applications on secret spliting and
secret sharing (I recommend Schenier Applied Cryptography Second
Edition 3.6-3.7)
2. Yes, I agree with you. PKC only weak security but sometimes is a
must.

> > You remind me some lawyers than pretend to know in just 1 minute
> > all my background and my several weeks hard work on an expert
> > witnessing problem on forensic computing.
>
> Just another decade to go before you can be considered minimally qualified.

I respect very much old people.

> You have admitted several times that you simply don't have the foundations
> necessary, this is only the most recent.

Yes, I admit my doubts very often. Is something very healthy, in my
honest opinion.

> >> Back to the show. To repeat myself. "More to the point. Can you [name
> >> 3]?"
> >
> >OK. If you just want to speak about
> >3. Software (internal and external) beyond known cryptosystems
>
> And how does your pretend book (no mention on Google or Amazon, turns out
> "beyond known cryptosystems" is a phrase that results in 0 hits on Google
> when enclosed in quotes), have anything to do with pen drive security? Mine
> had very particular purposes, but the 1 you supplied doesn't even seem to
> exist.

I shall try to explain what I wanted to mean in 3. and I will be very
proud if anybody understand anything new that nobody can find in Google
or Amazon (I hope to make a paper with citation index one day in the
near future).

First of all, I must to tell where the inspiration comes from. I am in
touch with several thousands of professional magicians and I asked for
magic tricks to many of them. They had no references, but many are very
interested in any new idea because many people in their shows use them.
I had some experiences with critical pendrives, and I played with my
friends and customers some tricks with humour. After some comments I
understood that there is still a lot to do in Pen Drives Software
(internal and external) so I am thinking (or dreaming or projecting or
forecasting or brainstorming) beyond known cryptosystems.

It is obvius that you are familiar with Pen Drive technologies, so now
let me to make some clear questions, because if you know a
manufacturer, I prefer to buy and resell than to design and develop
anything:

1. Do you know a way or a product that can send a message to my e-mail
address with information of the system where my pen drive is being used
without my permission?

2. Do you know PC software that can be used only when a Pen Drive is
installed?

and the most important 3. Do you have a pen drive manufacturers contact
list that would like to provide added value and customer oriented
design?

and 4. Do you know any one of them that would appreciate translation,
technical support, marketing and sales in Spanish?

Seriously, I am looking for special pen drives, as well as very cheap
ones in order to sell as many as I can over here to judges, lawyers,
diplomats, managers and other customers that I have already, because I
am also a commercial agent as you can read at
http://www.cita.es/commercial/agent

miguel, here and now just www.cita.es/commercial/agent

Re: USB pen drives and safe cryptosystems (looking for references)

Peter Fairbrother wrote:

> Of the stego encryptors, TrueCrypt hidden volumes on Windows systems fail
> against a thorough forensic analysis. So do FreeOTFE hidden volumes, and I'm
> pretty sure all the rest do too. It's not a failing in the crypto, it's an
> environmental failing - Windows is just not reliably secureable that way.

[...]

> However, if you use a USB drive for encrypted files created using FreeOTFE
> or TrueCrypt from a BartPE CD boot environment, with a seperate key for each
> file, you have a chance - leaves no on-disk traces :)

the older verwsion, TrueCrypt 4.0 was shown here in sci.crypt to have
the hidden volume detectable

this was 'corrected' by the TrueCrypt people in the later editions

the current version of TrueCrypt is 4.2

is there a reference describing an analysis that detects the presence
of a hidden volume for version 4.1 or later?
(assume the BartPE CD boot)

and is there a minimum hidden file/carrier ratio needed for detection?

(i.e. most *critical* information, special secret keypairs and
keyrings, etc.
can easily be contained in 5 mb of space,
so,
for a 5gb TrueCrypt volume, would a 5mb hidden volume (0.1%) be
detectable?)


TIA,

vedaal