Privacy/Encryption Software, Lemons, and Economy

This started out as a simple link to an interesting article or two on security products, and somehow ballooned into needless ruminating over encryption tools. Ah well, but by bearing with this, you’ll get three solid recommendations for file encryption, and couple good reads besides.

Requisite image of an old lock of some sort.
Requisite image of an old lock of some sort to indicate the subject is, indeed, security.

Let’s start off with some good software recommends:

Like some, I’m a bit more concerned with my privacy than it is healthy, both on and off the net, in electronic forms and otherwise. In the electronic world, I do my best to use decent passwords, common sense, and at the file level, three free tools, based on their use cases:

  • TrueCrypt: best when it is useful or necessary to encrypt huge slabs of data, such as a file/folder hierarchy, a whole disk or partition, or a significant portion of a flash drive.
    • Pros: A highly scrutinized bit of software, and thus less likely to break its promise of security. Once an encrypted volume is mounted, it behaves just like a separate disk. Cross-platform. Can be run portably.
    • Cons: Complicated. A bit clumsy to use, even with knowledge of the command line switches and shortcuts. Portable use requires administrative rights. Encryption containers are basically unresizable, meaning you’ll need to over-estimate the container size, and live with it.
  • AxCrypt: good for encrypting individual or small groups of files seamlessly with Windows.
    • Pros: Supports near-invisible integration with Windows for painless use: once a file is encrypted, you can open, modify, and save it like any other file, prompted with a password at appropriate times. Small and tight, the install package is less than two megabytes.
    • Cons: requires installation, so rather limited in portable use. Doesn’t recurse subdirectories. No apparent cross-platform support.
  • dsCrypt: also good for encrypting individual or small groups of files, and has the added benefit of being portable and install-free.
    • Pros: Doesn’t require  installation or administration rights. It’s incredibly tiny and fast, and sports an easy drag-n-drop usage. One tiny executable does it all.
    • Cons: Doesn’t integrate with the OS, though this is a plus for its use case as a portable app. Encrypted files require the parent app decryption, whereas AxCrypt can create self-decrypting executables. Doesn’t recurse directories, and can only be operated by drag-n-drop, though this can arguably be part of its built-in anti-brute-force features. Not cross-platform, but its standalone nature should make it easy to use in Wine or similar.
  • fsekrit: an encrypted notepad replacement, for private notes or password storage. I’m not aware that it’s been designed with anti-brute-force measures in mind, so use long passwords with it.  
  • Passpack: by the maker of dsCrypt, Passpack is an incredibly tiny and mildly paranoid password keeper that “features exceptional resistance to brute-force password search attacks.” It seems incredibly secure, but it’s not the easiest thing to use, so you might want to consider Keepass instead, which focuses much more strongly on usability.
  • CyberShredder: a drag-n-drop file shredder, it will securely delete any files or folders, overwriting them with meaningless data. Portable software. AxCrypt includes a similar shredding feature in Windows context menus.

Additional notes:

  • All of the above software makes use of common, strong AES encryption, and TrueCrypt supports other competing methods.
  • All of the above software is free, no more bloated than they need to be, and, if necessary, securely wipe temporary cache files from memory and disk with no user interaction necessary.
  • Many email systems filter out executables as a security measure. To safely email an encrypted fsekrit note or AxCrypt executable, you can probably compress it into a zip file, but at that point, you may as well use the encryption built into the compression software (7-zip is free and has AES encryption). Or, just use dsCrypt and make sure the recipient has a copy of the program (it’s pretty tiny).
  • None of the above software is of much use if you use stupid passwords that are either easily guessed or easily forgotten.

And now, for some light reading.

A recent thread on a forum I frequent discusses favorite software and methods for securing data, and someone pointed to an article from Wired.com:

How Security Companies Sucker Us With Lemons

The article’s concern is one we mostly ignore: the conditions that make it possible for security software companies to shovel worthless security solutions onto a trusting, uninformed public… that slowly loses its trust. How do you know that your encryption software is going to protect your data if it isn’t challenged?

The Wired article, in turn, links to an even more interesting Wikipedia article summing up George Akerlof’s economic paper “The Market for Lemons: Quality Uncertainty and the Market Mechanism.” These days, it’s hard to read things like this in a way that doesn’t make them seem prophetic.

Finally, Wikipedia’s article on the AES encryption standard itself is an interesting scan and a decent introduction to the guts of file encryption. Couldn’t hurt to educate yourself a bit:

Advanced Encryption Standard (AES) (Wikipedia)

Advertisements