I am looking to protect a file that I am sending, it should have a password or key to open it. I know there are various windows programs to password a file, even winzip or winrar can do this. But they seem a little mickey mouse to me, and perhaps crackable.
What I am thinking of is: I remember a couple of years ago, there was a whistleblower, perhaps Edward Snowden, not sure, who made available a password protected file over the internet for download that needed a key to open it. It was sort of his protection from being assassinated. If he should die, the key would be made public by trusted friends and all the data revealed. It seemed like a crack-proof hack-proof program…
So what was this type of encryption? Is there a program that does this?
Truecrypt is a practical program for this. I don’t know if it is what Snowden used, but it is mentioned as being used by someone who works with those files.
This link seems to have a pretty good overview of the quality of Windows’ built-in scheme for ZIP files:
Its recommendation of 7-Zip sounds like a quick and easy recommendation. You can try PGP and etc. but they’re likely to end up being far more arcane than you need.
Probably the most important thing will be to choose a password that’s very long. You might consider going to RANDOM.ORG - Byte Generator and asking for a hundred bytes or so of hexadecimal (depending on how many characters you’re able to put into 7-Zip for your password).
I only want to encrypt a couple of files. I have been reading about some of the programs that have been mentioned in this thread. Yes they do look complicated. What’s so special about 7Z?
Cryptainer can do this. You simply password protect the file, send it off, and SMS the person regarding the password. Apparently it’s very secure. Plus the lite version is free.
Yes. I guess it is worth emphasising that if you are sending encrypted files, it’s nearly* always a good idea to send the password by a completely different route (not just in a separate email).
*possible exception being when the sole purpose of encryption is to get an exe file past an email server that blocks executables.
Here’s a method to get information from one computer to another. First you open a gmail account with a very strong password ie, y^KWoGV3!Y2mb!r which you give to the other person.
The you make an email with the files or information you want to pass on, but you don’t send it. You place it in your draft folder. You then send the intended receiver a code to alert them they have a message (“the Raven flies at midnight”) is a suggestion.The other person logs in and copy/pastes that info onto their computer.
So the info is never actually sent over the internet. If you time it carefully, the info is only in your draft folder for a few minutes before the receiver deletes it. It’s probably safer to edit it rather than delete it. To intercept this message you would have the know about the gmail, then crack the password during the few minutes that the message was in the drafts folder. Also, you can tell if your gmail has been used by checking the recent logins. Feel free to tear this method to shreds.
It is sent from your computer to whatever machines the gmail account is stored on when you put the email in the “drafts” folder. It is sent again from the gmail machines to your recipient when she logs in and reads it from the drafts folder.
It is never sent as an email, but it is certainly sent, and anyone monitoring yours or your conspirator’s internet connection will be able to retrieve the info.
(plus, “deleted from your drafts folder” is not the same as “unrecoverable” – Google’s file system routinely makes redundant copies of all data and those just don’t disappear when you click “delete”.)
Are you saying a third party could access my gmail account and look at files in my folders? and do it without leaving a trace in the log in details? I’d be very surprised “If anyone” can do it. How do they bypass the login password? and 2 step verification?
OK, what if you use a POP email account? Does a message in a POP email account folder actually get sent around the internet?
You are misunderstanding - The mere act of “viewing” the email causes the data in it to be sent over the Internet. Even though the file never gets stored on any intermediate servers, anyone who is “sniffing” your data will be able to read the email.
This. No matter what you do, the data are still getting from point A to point B, and they ain’t travelling by carrier pigeon. The security of GMail does not affect this truth.
One could argue that using DoY’s technique, if both parties are careful to connect to GMail only using https, that the data are protected by ssl/tls on both legs of their journey through the internet, which might save some worry about encryption if one is free to assume that “on Google’s servers” is “secure”, which may or may not be a valid assumption depending on the sophistication and persistence of your adversary and whether or not they are a Google employee. But DoY argued that it isn’t sent over the internet at all, which is plainly false.
Ok, I get that the data is going over the internet, but what level of sophistication is required to obtain this? Are we talking FBI or Homeland Security, or the kid next door?
This is no safer than sending it to the recipient’s Gmail account directly. It’s probably less safe, since now you have to find a way to send them that password too. There’s nothing magical about the drafts folder that makes it different from any other folder, in term of security.
The file is stored on Google’s servers, and the bytes that made up the file traveled through many other computers along the way. Any one of them could’ve chosen to record those bytes and attempt to decrypt them later on.
For casual use, the security risk from this is negligible.
It’s hard. But it depends on how careful you are. If you’re using somebody else’s WiFi or network, they could make a fake Gmail website that looked and functioned the same way. If you don’t notice that it’s not https and login, now they have your password and your file. And they could also make a real Gmail account for you and upload the file there, so it’ll look to you like it worked the way you wanted to even though they secretly have your file.
You don’t go after the strongest part of the security system – the encryption algorithms, the two-factor authentication, etc… You go after the weakest part, and that’s almost always the user.
The government can access anything you send to Google with a subpoena, legally, or with the NSA’s help, illegally. Unless you encrypted the file yourself prior to sending, it’s transparent to them. Google’s security measures don’t matter because they can access the servers directly.
The kid next door – probably not, unless you’re unlucky enough to have a malignant hacker living near you. The attack I mentioned above could be done by anybody with reasonable know-how. Joe Public wouldn’t be able to, but Joe Public also couldn’t care less what you’re sending with your 1000-character password, so that’s not really a useful gauge.
A more skilled hacker can compromise one of the internet’s many Certificate Authorities and issue fake certificates for Gmail, making the process that much more transparent to the end-user. This happened to a bunch of Iranians.
Gmail, and the HTTPS model in general that powers the whole “encrypted” Internet, is safe enough for average everyday use. But not against good hackers or sovereign entities.
If you save it as a draft on your computer, no, but then your recipient would never see the draft. If you send it across the Internet, then yes.
With Gmail, everything lives in the cloud from the moment you start typing, and as soon as you insert any sort of image or attachment.
With POP3, everything is on your computer until you click Send. Then it goes through a bunch of intermediary mail computers until it finally reaches your recipient’s ISP, where it sits in plaintext waiting to be read by your recipient or any evil system administrator.
Because you specifically mentioned that you wanted something “crack-proof, hack-proof”, Cryptainer LE is probably not it. It is a closed-sourced, proprietary program that uses an older encryption algorithm (Blowfish) whose author said not to use it anymore.
There is no guarantee that Cryptainer knows what they’re doing and implemented the encryption well, and even if they did, Blowfish is not necessarily the safest choice any longer.
In general, you want to use computer security programs that have had the most eyes reviewing its source code. In this case that would be something like PGP or GnuPG or Truecrypt, as mentioned before.