Privacy Tools, Talk, Apps, Etc

eliquid

Digital Strategist
Joined
Nov 26, 2014
Messages
1,170
Likes
2,437
Degree
4
Thought this might be a good place to talk about privacy/security related stuff.

Stuff like Wordpress, Windows, Equifax breach, etc..

While my data was not in the breach, my data has came up on a few sites that got hacked back in the day like Vbulletin, Myspace, etc.

Since I run a SaaS and I have a family, I have been more and more concerned about privacy not only for myself, but my clients ( freelance, agency, & SERPWoo ).

I've been looking at tools and such for sharing data and files and lot of them seem cumbersome having to install a certain app that you also have to pay monthly for. That ,or the app is free but cumbersome, maybe it's no longer maintained or you can't view the source to ensure its solid.

I wanted something I could send my mom and she could easily use for free with apps she might already have. Like Dropbox or some other public file sharing site.

I mean, why can't something be extremely easy and simple with already existing tools almost anyone has or can get easily for free too? Something that isn't a vault but still secure to pass to other people on already existing platforms like Dropbox or Box.com or even Amazon S3? Even just plain email....

So I came up with something that seemed secure enough for me to use until I find something better.

https://www.dropbox.com/s/z768eskx8lznds6/privacy.zip?dl=0

The way it works in a nutshell is:

1. You place items in the "base" folder.
2. You click the .bat file
3. You enter in 3 passwords
4. An embedded copy of 7zip archives whatever is in the "base" folder 3 times, each archive has the passwords you put in
5. 7zip password files are AES 256 encrypted
6. You must know all 3 passwords to get the file(s) you encrypted
7. Anything in the "base" folder is deleted now ( the original file ), but even in the "recycle bin" the copy is encrypted too, so no chance of prying eyes.
8. You can know share what you encrypted on Dropbox or some other public file share with another person without much risk of having what you encrypted read by someone else.
9. The other person does not need 7zip. They can open the archive with WinRar or another unzip/zip tool.
10. I'm sure someone can find a flaw. There is a flaw in everything, even paid tools. At least this is free and simple enough my mom can use quickly without more/other software. That was the goal of this.. easy, simple, free.


If this works out, I'd like to make it a larger tool set for use by the masses publically. Right now, its just a "concept" without having to have a "vault" like other apps.

.

I should point out that in the batch file ( .bat )

Line 21 I have this setup as
Code:
C:\Encrypt\
If you uninstall this elsewhere on your system, you have to change that line. Users you send the file to will not have to do anything.

Next version I will put in code to detect/use without a direct folder path
 
I guess the question is... why? I don't see how this solves any problem that another tool (even just plainly using 7zip to encrypt a file)

Why use 3 passwords when you could just simply use one really good password? Why limit the passwords to 16 characters?

A 16 alpaha numeric password has ~85 bits of entropy, which means it couldn't be cracked even by someone with mass computing power for like hundreds of years.

Have you looked in to using something like Signal or Wire? Keybase looks really interesting too. These could be better alternatives if you want to share things easily with someone whom you don't think can handle punching a password in to 7zip.
 
Re: Signal, Wire, Keybase
  • Doesn't solve my need for simplicity. It's yet another app the receiver would need to have in order to get my message or files. I don't want my receiver to have to bother with another app.
  • All 3 look like "yet another chat app". I don't want to chat ( even if it lets me send files ).
  • This doesn't help me solve protecting important files. Say customer data in S3 I need to store maybe ( not saying I am, but as an example ).
  • I'm locked into a platform now for sharing and privacy, which I didn't want. I didn't want a platform.
  • I didn't look, but is the code for these 3 open source? How do I know they are really keeping my stuff private if I can't inspect it. I'm on their platform, so I am at their mercy.
  • Some of these tools ( not saying the above ones are, I havent looked ) are just in the wrong jurisdiction. Lookup "lavabit". I don't want my privacy in the hands of a platform, that might also be in a jurisdiction that is not privacy friendly. See "14 eyes". If I handle the encryption myself on my end, I know it's safe not matter where I store it, like S3, Dropbox, or a "14 eyes" state.

As far as other tools that are similar, see above. Most are "vaults". Again, another piece of 3rd party software they have to download and have.
  • Pretty much everyone has a zip/unzip program already installed by default that can open 7zip. No additional software needed.
  • It's free. Other tools, some are free but a lot are not
  • Anyone who creates the files to be encrypted can read the source code and see there are no backdoors. Not true with other similar tools
  • No platforms I've stuck to, that might get hacked later or need to be maintained and updated. At worse you might need to update the version of 7zip embedded, but its not a central platform open to attack since it's on your computer. The files you send are not really prone to attack to the user, where as them using a platform would be.

As far as 1 password vs 3 and the 16 char stuff... why have or offer 2FA if we can all have just 1 good password? You could go round and round in circles on this so why bother. 3 is better than 1 generally for the feel good fuzzies.

As far as the 16 limit. It wouldn't be simple to send most people ONE ( or three ) 84+ character passwords in another format, say Signal or Skype.. w/e. So instead of ONE 84+ character password, I choose the simpler THREE 16 char limit passwords. What if the format is paper or TXT message on phone that they have to now enter on their desktop manually? Just not simple.

All in all, ease and simplicity was a goal, along with being reasonable secure. ONE 84+ char password, or THREE 84+ char password just wouldn't be simple if I needed to send this to a journalist, my mother, a lay tech person, my wife, etc.

I think THREE 16 char passwords would be much simpler to handle and use.

.

And your right, a 16 char password would take a long time to crack IF it's a good password. "abcdefghijk123456789" just won't cut it.

What if the creator didn't create a good 1st password? The additional 2 passwords helps in that regard now if one of those two passwords ends up marginally secure/better than the first.

Again, I might be working with lay tech people so I have to account for lowest denominator.
 
edit: Had to remove all the quotes I had because it keeps adding quote tags where I don't want them so this is a little harder to follow then it was originally wrote. Hope you get the idea.

You want simplicity and talk about how you could have like your mom open a file this is one of the easiest ways to do it. *shurg*

True. But really just encrypting a file with a proper password would do the same thing and is less complex, you system doesn't really solve any problem.

The signal protocol is open source so yeah you could look through it. I has a very good reputation. Moxy is considered a thorn in the ass of the establishment.

Wire and Keybase are both open source as well.

Let me bring you up to date in the world of software, just because something is open source does not indeed mean that it does not have bugs, or even the devs are competent. Some times open source stuff is good, some times it is trash. Do you have the background in cryptography to even look at the source and audit it? If not what does it really matter? There is this fallacy that just because something is open source that people have thoroughly looked at it and it's good to go. To get a tool properly audited will usually cost considerable money too.

Really all you can go on is it's reputation. If something is bad like Telegram the general crypto community typically sniffs it out.

If this stuff scares you, you should take your computer and throw it in the trash. At the end of the day you have to trust someone. If the feds really want your stuff, they could just come to your house and hit you with a hammer until you told them everything.

Do you know why there are all these valuts? Because it's generally the best way to do it. But really a vault is simply a bunch of encrypted files. It's like if you tool all this information and used 7zip to encrypt it with your password. It's really not much different.

There are lots of free encryption tools out there. Veracrypt for hard drives, usbs, and hard drives. Cryptomator for general file system vaults. Keepass XC for passwords and other files. There are of course a lot more.

But lets say you wanted to store some files from your server on S3, why not install 7zip on your server and zip all the files with a proper password and upload to S3?

2FA exists for a few different reasons.

  1. people are generally bad with passwords. So if you use a shit password at least you have a second factor to authenticate from. Lots of people also use only one password sadly so if any of the next happen its Game Over.
  2. If the password you used was ever recovered due to the user getting breached. Think your password gets stolen some how, or you get caught up in a phishing scheme.
  3. If the service gets breached and credentials where not being stored properly (which happens way more than people would admit).

1 shit password, or 3 shit password would not make a significant difference. If anything just coaching users to use one really good password would have more effect.

Again, I might be working with lay tech people so I have to account for lowest denominator.

Yeah that's the hard part man. Encryption is not this super simple thing. If you want to target the lowest denominator you are going to have to coach your team on proper security techniques how to use basic tools. If you did that honestly you'd be miles ahead of most if not all the people I've worked for in the past. It's actually scary how much people don't know, understand, or use this stuff.
 
Last edited:
I don't think you understand.

This does solve a problem. A problem I had personally and I know others have, or thought of, too.

If my solutions weren't solving problems I wouldn't have been copied and had ideas stolen from me on a massive scale almost monthly the last 10 years of my life that run into the ( total ) billions of dollars of revenue in multiple businesses now. Yes, Ive tracked it via reports from the FTC and the fact I've been a contractor/employee at places that stole from me and I was able to obtain their financials.

SERPWoo is copied daily even today from big brand names with VC backing. It never stops when it comes to solutions I've came up with.

I'm not saying this is a massive solution I made, this is something I did pretty much for me and now Im just sharing it for free.


1. My mom can open a file with a default app on her desktop inserting a password or 3. This is typical of many more people. It's point and click for her, no other action needed like downloading more software and having to learn it and keep it around. I offer ease and simplicity over those options allowing you to use a tool you already have and a process most people know and understand how to do, inserting a password.

2. My mom wouldn't be the type of person to input in a 36+ char keyword though easily. I can barely do that. When I get to the 19th one I even start questioning myself if I put in the last char right and "which char am I on now" situation. This only works in copy and paste situations. Many times the password(s) might not be in a copy and paste situation though. My phone has a 16 char password, I have to type it in to use the phone. I fail at least 4x a day inputting it in and I know it by heart. My thumb always seems to hit the wrong key on the phone somehow while typing. Could you imagine having to type in a 36 or 84+ key and getting it wrong? It would just be infuriating for a lot of people. I offer ease and simplicity over those options with a shorter password, but having to enter it in a few more times over a super long one that can be confusing and easy to mistype unless you copy and paste which brings up its own security/privacy issue.

3. Having my file/data sitting on the internet with 1 password, not gonna cut it.

If you deal with customer or client data, you should be thinking the same too. What would be more secure all things being equal.. 1 strong password, or 3 strong passwords? I didn't ask what would be overkill.

If you asked your customers, the majority would say 3 is better and would opt to have their data protected by 3 passwords instead of 1 if given the chance and all things being equal. Again, this isn't about overkill and all things are equal otherwise. I offer 3 passwords, which most people would agree is better than 1 when protecting their own sensitive data on some other network.

4. Having to always have some "app", "platform", or "network" I am locked into that I don't own is an issue. I don't want to have to require someone else to HAVE to sign up for Signal, download Veracrypt, or use Protonmail because they can't figure out PGP on Thunderbird.. They should just be able to download the file and open it pretty much without other software or now be locked into a platform and its action. I offer ease and simplicity over those options.

Yes, your point about open source being buggey is also an issue. However, it is better to be able to look at their code and verify the process, then with a close solution even though it could be buggy or prone to attack another way on the filesystem the software is hosted on. Why? In the end the closed source solution is also open to the same buggy code and attack too. At least I was able to check for it, offer my advice to patch and fix, and verify no backdoors. In the closed source solution I have ZERO of that while still open to the same risk.

Hence, why I rather have the product on my desktop, I encrypted into a container ( the zip ), and passed on as more secure. Otherwise my data is just sitting on someone's platform I can't control or verify and is open to more attack or prying eyes potentially.

5. I don't need to be brought up to date on software. I never said open source didn't have bugs, but being able to verify is better than not being able to. See my point above. I've been programming since 1999.

No offense, but when you were hating on frameworks at Wickedfire, I was building them and profiting from them. I don't need lessons on how software works.

A lot of the mainstream open source crypto stuff has actually been audited by a 3rd party. The lesser knowns, haven't. I don't play with lesser knowns. However, I wouldn't play with a big name that was closed source either. Anyone can look over my code and decide for themselves, which is what A LOT of people concerned with privacy ASK FOR and actually DO and make their considerations ON. If you are involved in privacy, you would see this on forums and blogs and other places talking about it.

6. I'm not scared of the feds and could care less. I'm protecting my client and customer data as well as that of my kids and myself from ID thieves and hackers on systems I own or control. Also, this serves as good backup process for other things like backing up to S3 or FTP on some other server. Signal, Wire, etc doesn't help in that last sentence.

Do you think I want to be on news columns of several privacy websites because SERPWoo leaked out/got hacked a bunch of client data that contained sensitive info? I'm doing everything I can and more to protect my clients and customers even if it might be overkill. My competitors, I can't say they do that or are concerned as much.. They don't talk or advocate it and I don't seem them contributing to help the issue either so I have to assume they don't.

No worries, they will copy SERPWoo again so in the next 18-24 months I am sure they will start spouting off how "secure" they are now because they will see this and panic. If one of them do get breached, I'll be able to show customers how we have been super protecting their data ( bank info, their client info if agency, their niches and data ) for a while now.

7. I'm not wanting a vault like you keep mentioning. Again another piece of software having to be downloaded and kept around. My end users shouldn't have to hunt down software, learn how to use it, and keep it around. Also, what if there is a bug in that software that leads to a flaw? Having a bug in many lines of code in something like Veracrypt or Signal is more likely than a zipped archive sitting on someone's disk. Also, having to update these programs when an update is available.. again more work to keep some other software around. I offer ease and simplicity over those options.

8. Your 2FA example contains reasons why I made this, namely your #1 point. People have weak passwords. With 3 ( unless they use the SAME password 3 times, which I can prevent later code wise ), they have a bit more security. #3 of your point is EXACTLY why I don't want to use a "platform " to have my user ensure their privacy.

9. If coaching people worked, there would be no need for a lot of the tools you mentioned in your above replies because we would all use 1 or 2 tools with 1 strong password. Coaching people just does not work. You have to spoon feed people and hold their hand the entire process for most things.

Coaching just does not work... don't make people think because they will screw it up. You offer solutions so people don't have to figure it out or think about it.

10, The idea behind this isn't for massive amounts of people to use it. It isn't so that massive amounts of people encrypt files themselves and have them laying around.

Its for the end user so they don't have to download, get locked into some platform or system, learn some tool like Veracrypt, have software just hanging around on their filesystem, have to worry about maintaining it or updating it when it needs patched, etc.

How simple is a zipped archive?
  • Everyone can open it.
  • No new software to download
  • No new software to learn
  • No software just laying around my filesystem rarely used except for when I get a "secret" file.
  • They don't have to worry about super long passwords to remember or keep somewhere else for copy and paste ( and thus would need to secure also ) or mistype.
  • All things equal, people if given an option would choose their data protected by 3 passwords over 1
  • 3 shorter passwords overcomes the challenge of 1 super long password.
  • Anyone can view the code and see no backdoor of leaking their info. The software also sits on their desktop and not online where I could easily change the code in the backend of the online service. It's on your desktop/laptop.. I can't modify the code once you have it unless I update and you download it, which again you can view easily.
  • 3 passwords offers a barrier or moat to get to the info just like 1 password, but I've went into detail WHY I chose 3 passwords ( length issues, security, weak password, etc ). Anything past 3 ( 4+ ) I feel would be too cumbersome to the end user.

I mean why not tell Cryptomator they are not solving an issue. We have zip files we can put on Dropbox with 1 super strong password, right? Same with Veracrypt.

What's App implemented Signal end to end crypto, so why did we need Wire or Signal as a product, or the 3rd one you mentioned?

We also don't need protonmail and the others... We have PGP for email.

However, they all solve a specific need for a specific demo.

.

.
 
Last edited:
I had my assistant call all 3 credit agencies and freeze my credit. I have no debt and wont need it in the future for any purchase I can think of.

That way no one can open a bank account or credit card or do anything financial under my identity.

Theoretically they could still make use of the info for other things (like to commit a crime under my name and get themselves imprisoned under my identity) but this solves the financial part in about 15 minutes.
 
Back