Email-based security



  • I was at a graduation party for a friend, and I was talking to a person there who I had never met before. We were talking about various filesharing programs, like i2hub and all those that used to be around, and he got on the topic of security. He said that his hard drive that he stored all his pirated movies/software/music on was encrypted so no one at the RIAA/MPAA could get him if they tracked him down. I asked if he was using some sort of private-key system like AES to do this. He said he wasn't, that he wrote his own encryption program in "scoripion". I'm not an expert in security by any stretch of the imagination, but I think that AES or Serpent are probably more secure than his solution (and I told him so). He explained that his program re-encrypted the files based on a random password every day, and it emailed him the new password after it was done.

     

    Take that, big content!  I'm sure they'll never figure out how to crack that one! 



  • Did you ask him what happens if the SMTP server happens to be down?



  • I would have to wonder what the overhead would be for re-encrypting that many large files every day.  What's more, you're bound to have a long period where some files are encrypted with yesterday's password and some with today's.  That's got to be a joy to figure out.  Finally, the files probably have to be decrypted by hand instead of using a convenient filesystem-level encryption method.

     

    TRWTF is encrypting your pirated content, though.  Even if the encryption is unbreakable you can still find yourself in jail for refusing to turn over the keys.



  • If he is just leeching, then he is most likely safe from RIAA etc.  From what I understand they go after the sharers (though I could be behind the times).  If he is sharing, then the file must be available to the p2p software.

     Not only is he e-mailing his password (probably in the clear), his "scorpion" software is saving the password (in order to change the password the next day).  I bet that is plaintext too!



  •  I didn't even think of that, actually.  I really think that is the least of the WTFs going on here though...



  • @warrior said:

    I didn't even think of that, actually.  I really think that is the least of the WTFs going on here though...

    Didn't think of what?



  • Geeze, this is what I use PGP for. Of course, I also have the loopback/crypto device support on Linux, so that is another solution as well.

    If this guy really, really wants to keep himself out of grubby *AA hands, he'd better check TrueCrypt's deniable filesystems. Though I don't think the RIAA/MPAA subpoenas have enough power to ask you for decryption keys. It is a civil lawsuit after all, not a criminal one. (Even if the RIAA would like you to think it is.)



  • @warrior said:

    He said he wasn't, that he wrote his own encryption program

    This is the Real WTF™. Everything else is just icing on the cake.



  • @Carnildo said:

    @warrior said:

    He said he wasn't, that he wrote his own encryption program

    This is the Real WTF™. Everything else is just icing on the cake.

    public String my1337alGoreIthmForEncryption(String plaintext) {
        return BASE64Coder.encode(plaintext);
    }



  • @danixdefcon5 said:

    public String my1337alGoreIthmForEncryption(String plaintext) {
        return BASE64Coder.encode(plaintext);
    }

     

     He probably used a simple PRNG with a pin as seed and used the output to encrypt the data using Caesar's algorithm. But I don't think anyone with more cryptology skills than he would struggle.

    But most probably he was bluffing.
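
Added example (not part of any post in this thread): the scheme guessed at above, a PIN-seeded PRNG driving a Caesar-style byte shift, written out to show that its strength is bounded by the PIN space however the shifts are generated. The four-digit PIN, Python's `random` module standing in for "a simple PRNG", and the sample file are all assumptions.

```python
import math
import random

PIN_SPACE = 10_000  # assumption: the "pin" is four decimal digits (0000-9999)

def _shift(data: bytes, pin: int, sign: int) -> bytes:
    # Caesar-style shift per byte; the shift amounts come from a PRNG seeded
    # with the PIN. Python's `random` stands in for "a simple PRNG".
    rng = random.Random(pin)
    return bytes((b + sign * rng.randrange(256)) % 256 for b in data)

def encrypt(plaintext: bytes, pin: int) -> bytes:
    return _shift(plaintext, pin, +1)

def decrypt(ciphertext: bytes, pin: int) -> bytes:
    return _shift(ciphertext, pin, -1)

def pins_consistent_with(ciphertext: bytes, known_header: bytes) -> list[int]:
    """Every PIN whose decryption begins with a header the file format fixes."""
    head = ciphertext[:len(known_header)]
    return [pin for pin in range(PIN_SPACE) if decrypt(head, pin) == known_header]

def effective_key_bits(key_space: int) -> float:
    # Strength is set by the number of possible seeds, not by the output length.
    return math.log2(key_space)

# Constructed sample: a fake PDF, chosen because its first bytes are predictable.
SAMPLE = b"%PDF-1.4\n" + b"constructed sample body, not real data\n"
SAMPLE_PIN = 4821  # constructed value

if __name__ == "__main__":
    ct = encrypt(SAMPLE, SAMPLE_PIN)
    print("round trip ok:", decrypt(ct, SAMPLE_PIN) == SAMPLE)
    print("PINs matching the '%PDF-' header:", pins_consistent_with(ct, b"%PDF-"))
    print(f"effective key strength: {effective_key_bits(PIN_SPACE):.1f} bits "
          f"(an AES-256 key has 256)")
```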



  •  Another WTF: doesn't it mean that the re-encryption program needs to store the key somewhere? So by cracking the re-encrypter, anyone could decrypt his files.



  •  Why does he need it to be reencripted everyday anyway? If they're encripted they're probably not uploading or used in any way so they just sit on the hard-drive. Unless his hard-drive is under constant surveillance by the **AA he could just encript it once. 

    Also, you could just put the stuff in an archive and encript that. Unless you decript them you can't tell what's inside. Then the **AA won't be able to ask you to decript those or you would have a better case against it at least: you could say that they're homemade movies or something (to explain the size) and you don't want people to see them.



  • @TGV said:

     Another WTF: doesn't it mean that the re-encryption program needs to store the key somewhere? So by cracking the re-encrypter, anyone could decrypt his files.

    Looks up.  I think this idea was mentioned already  ;)


  • @hvm said:

    Then the **AA won't be able to ask you to decript those or you would have a better case against it at least: you could say that they're homemade movies or something (to explain the size) and you don't want people to see them.

    First, it's "encrypt", not "encript".  Second, if a court orders you to decrypt the files and you refuse you can find yourself in jail.  Lying about the contents is only going to make things worse for you.  Encryption cannot protect you from the legal consequences of your actions.  I find it amazing people will go to such absurd lengths but can't be bothered to shell out $15 for a DVD.  Seriously, it doesn't make you an awesome hacker, you're still just a little cheapskate who is stealing the property of others.


  • Garbage Person

    @morbiuswilters said:

    I find it amazing people will go to such absurd lengths but can't be bothered to shell out $15 for a DVD.  Seriously, it doesn't make you an awesome hacker, you're still just a little cheapskate who is ~~stealing~~ duplicating the intellectual property of others.

     

    FTFY. Not debating piracy any further than correcting that.

    At any rate, it amazes me just how many little twats will spend vast amounts of time, money and effort safeguarding the data once they've gotten it (where you're not vulnerable to discovery) as opposed to spending a tiny bit of time, money, and effort safeguarding the channels through which you acquire it, where you can, and if you're an idiot WILL be spotted. 

     It's like doing a drug deal in front of the police station and presuming you're safe because you keep your stash in an armageddon-proof tape safe, which should keep the cops away from it, rather than doing a drug deal in the shadowy corners of the ghetto and keeping your stash in a stash box.

     



  • @Weng said:

    @morbiuswilters said:

    I find it amazing people will go to such absurd lengths but can't be bothered to shell out $15 for a DVD.  Seriously, it doesn't make you an awesome hacker, you're still just a little cheapskate who is ~~stealing~~ duplicating the intellectual property of others.

     

    FTFY. Not debating piracy any further than correcting that.

    Intellectual property is property.  I cannot understand why people think tacking "intellectual" on the front changes the meaning or makes it less credible.  And when it comes to intellectual property, duplication without the consent of the creator is the same thing as theft.  You're not even debating piracy, you're just trying to obscure your theft with synonyms.



  • @morbiuswilters said:

    Intellectual property is property.  I cannot understand why people think tacking "intellectual" on the front changes the meaning or makes it less credible.  And when it comes to intellectual property, duplication without the consent of the creator is the same thing as theft.  You're not even debating piracy, you're just trying to obscure your theft with synonyms.

    I think you are wrong. At least it is my opinion that you are wrong.
    Picture (I didn't make it)
    Words to avoid ("piracy" is listed there as well, even though the picture says "piracy" on it)



  • @zzo38 said:

    I think you are wrong. At least it is my opinion that you are wrong.
    Picture (I didn't make it)
    Words to avoid ("piracy" is listed there as well, even though the picture says "piracy" on it)
     

    Wow. You just keep getting stupider.



  • @morbiuswilters said:

    Intellectual property is property.  I cannot understand why people think tacking "intellectual" on the front changes the meaning or makes it less credible.  And when it comes to intellectual property, duplication without the consent of the creator is the same thing as theft.  You're not even debating piracy, you're just trying to obscure your theft with synonyms.

     

    Fine. Duplicating the property of others. But there's still a big difference between copying and stealing. If I build a car identical to yours, I haven't stolen anything. You still have a fucking car.



  • @ailivac said:

    If I build a car identical to yours
     

    How is that anything like copying music?

    If you form a cover band and play my music, that is different than copying my music as well.

