Monitor security setup

[italia2006]

I already posted some of these options in my previous 3 posts, but I like this to be a seperate thread so we can discuss this:

My current idea about a good setup for securing my laptop:

- Use qemu or vmware with a livecd to browse online and to leave no traces on the local system.
- Use a VPN or SSH tunneling to encrypt your outgoing traffic.
- Use DriveCrypt Plus Pack to encrypt your OS and TrueCrypt to encrypt your sensitive files.

If I look at this and want to put a percentage on the safety norm, what would it be? 0-100%

What are things I forget about and what would you suggest to change?
In other words, what would be your shortlist of securing your privacy and your system?

Thank you for all the expertise!

[Mrkvonic]

Hello,
You seem keen on encryption. But that's one aspect of the thing. First, encryption will make things slower. Second, on your local computer, things will still be pretty much unencrypted while you use them, so you should aim at securing your own pc as well. A good firewall is the best thing. Sensible behavior also helps. Using vmware for browsing can be a smart choice. But you should not exclude other avenues of trouble like email, downloads, instant messaging etc. All of these can be malware distribution channels.
You should definitely:
Isolate system from personal data.
Limit internet applications like browser, im, mail, p2p - DropMyRights can be a good start.
Firewall to keep things quiet.
Solid browser with per-site control of contents, like Firefox with Noscript for good and sturdy browsing experience.
And in the end, it all comes down to YOU.
If you're "wise", you'll not be infected. And if you like to do stupid things, you will get infected, regardless of your setup. If the setup is there to protect you from you, you should change your habits then.
You can safely chat, pron, download and all, just a bit of caution and sensibility.
Mrk

[italia2006]

Mrk,

Let's just assume I am a smart guy and would not do anything stupid.
Then still there are many ways to leak data from your activity.

First of all the ISP will save all logs of your activity for a certain period of time. Second, your traffic from your local network to your ISP will be unencrypted by default and very easy for "hackers" to sniff the data.

Yes I am quite fond of encryption, for two reasons mainly.
-Online encrypted traffic to prevent sniffing and saved logs of your activity.
-Offline encrypted file(system) to prevent people to see data on your local system.

I created the thread to get a feeling of how good my own ideas are and if there options to increase security and still have flexibility.
So what you think on a scale of 0-100% and assuming that I know enough about general security to not do stupid things...?

What options I have to increase security?
I think the encryption offline is relatively easy. You just have to pick some encryption software you trust. As TrueCrypt is open-source, there are no hidden backdoors or whatever.
Online encryption and keeping your data safe, that is very tricky as we all know.
Two main things I want to accomplish online: keeping my ID (read IP) safe and prevent sniffing of my traffic.

Hope you can give me a bit more advice on what to do about that.

Thanks!

[Mrkvonic]

Hello,
First, it's not easy to hack data.
Second, why do you need to encrypt your traffic. So your ISP knows where you go. Big deal. Don't tell me you pay in cash only - because every credit card swipe is recorded too. Take it easy and relax. Don't take the internet too seriously.
Mrk

[italia2006]

"First, it's not easy to hack data." - I agree, but that is no reason to think that it will not happen.
I ask the question with good reason.

[Devinco]

Hi Italia2006,

Operating systems, in particular Windows, leave all kinds of private data traces scattered all over the hard drive.
So if you are interested in guarding against private data loss caused by physical theft, whole disk encryption can be a good solution.
TrueCrypt, while very good, does not provide whole disk encryption to protect the operating system partition.
DCPP, PGP Desktop Professional, PGP Whole Disk Encryption, and the Seagate Momentus 5400 FDE 2.5" Hard Drive all can encrypt the entire hard drive, including the OS.
The Seagate drive was promised by last winter and now they say 3rd or 4th quarter this year.

If you are concerned about other people who need to have physical access to the laptop while you are not present, consider also getting another hard drive for the laptop that you can take with you when you leave. Many laptops have quick release hard drive trays making it relatively simple to swap. This way the other people will still be able to use the laptop and you will have no traces left on the hard drive because you will take it with you.

[italia2006]

Very interesting the Seagate product, though I am always a bit sceptical about hardware embedded security.
I just remember the post about the FBI requiring every hardware router to have a backdoor and also I can remember the FBI require every encryption provider to have a built-in backdoor.

You could draw a diagram about this: The more sensitive the data becomes, the more chance it will fall into the wrong hands. Criminals who are after this data will most likely "expect" the system to be fully encrypted and secured. So they will be prepared for that.

There are two possible ways imo how they can get to this data:
- offline, by stealing the laptop
- online, by sniffing data traffic or hack into the system

Two options for me to try to secure this:
- offline and online encryption (full disk encryption, encryption containers, ssh traffic, vpn)
- securing the identity, i.e. IP protection (route traffic through multiple socks proxy or vpn servers)


Maybe others can add something to this?

[Devinco]

Anything is possible in theory.
The US government may require seagate to add a backdoor. Maybe that's why the extra delay in getting the drives to market.
The Chinese, who will actually manufacture the drive may add their own back door. Hardware devices are now so complex and integrated, it would be difficult to identify anything suspect.
Does this mean any of this is true? NO! Could it happen, maybe. Anything can happen.

Anything done that high up the ladder would only be known or used for government or high end corporate espionage.
So only government agencies and big corporations would have knowledge of such a backdoor, not low level criminals who would be the ones most likely to steal your laptop. That is really who you want to protect it from anyway.

Even Whole Disk Encryption can be compromised with video surveillance and physical theft. It just depends on how determined the thieves are.

Having the hardware based encryption on the hard drive could potentially be much faster than any software solution. It could also potentially mean less conflicts with other software. We'll see...

Note: video surveillance of the password being typed can be countered by requiring the encrypted volume use both a keyfile and password to open. As long as the keyfile is not stolen (locally or remotely), the volume would be safe.

[Devil's Advocate]

Full disk encryption options are not open source, so the paranoids might not trust that.

An interesting option is to run vmware in a truecrypt container.