Encrypted Fileserver with Bittorrent Web Interface
mistermark writes "I built a fully encrypted (samba) fileserver with a web interface for managing torrent downloads on it. All I used is OpenBSD 3.6 and its package collection, except for the TorrentFlux-interface (which you need to install separately). Anyway, it can be built using binary packages only. I included a rough HOWTO on how to make one of these yourself."
Nice (Score:5, Funny)
why? (Score:5, Insightful)
Re:why? (Score:5, Funny)
No need.
Re:why? (Score:3, Informative)
Re:why? (Score:5, Insightful)
Sure, store them on an AES-256 encrypted filesystem, sure, use SSL for the transfer. But it doesn't help the fact that the downloaders/uploaders are known.
Re:why? (Score:2)
Would this work if it was used in conjunction with an anonymizing HTTP proxy service? Or freenet?
Re:why? (Score:2, Insightful)
I'm pretty sure that no HTTP proxy service would be terribly thrilled should you start hammering their connection with your warez'd bittorrent transfers.
Not to mention you don't know if they are logging who uses their proxy servers. It wouldn't be hard to track + log connections. And, should they get a subpoena, they WILL relinquish that information.
Re:why? (Score:2, Insightful)
I don't know. TFA says:
"You at least need to proof the person actually possesses the data and in my case... good luck proofing that."
Actually... Bittorrent shows who's connected to you, who's uploading to you, and who's downloading from you. Those logs, at least in the good ol' US of A, are proof enough for God the RIAA to file a lawsuit against you (or as the case may be, your IP address). The RIAA has never had to confiscate a file sharer's HD or computer, but I bet if they did, they could find som
even the author doesn't know... (Score:2)
From the site:
"Use? Actually, I'm not sure"
As others have pointed out- wiretaps, "give us the key or you go to jail just as long", as well as simply not unplugging the box...all make this project pretty pointless.
I also got a kick out of the author bragging, under a screenshot showing links to numerous illegal torrent sites, "that's a legal torrent I'm downloading!" Do these people think they're clever or something?
Re:even the author doesn't know... (Score:2)
So in the end if they can't keep you in jail till you give them the keys. Also, the RIAA surely can't make you tell them.
Re:even the author doesn't know... (Score:2)
So pick a good passphrase and memorize it and don't
now that's useful (Score:3, Funny)
Re:now that's useful (Score:3, Funny)
Be very, very careful when using EFS!!! (Score:5, Informative)
Be very, very careful when using the Windows XP built-in file encryption, called EFS (Encrypting File System).
EFS is very poorly documented. The encryption is tied to your user password in a way that is apparently not documented. EFS depends on being part of a Windows 2003 Server domain in a way that is not clearly documented; if you are using Windows XP on a stand-alone computer, there are situations in which you will lose your files forever.
Microsoft technical support agrees with what I just said, and provides no help or fixes.
The official Microsoft forums contain the complaints of many people who have lost their files due to problems with EFS. One man said he lost 11 years of research.
People complain about Microsoft every day on Slashdot, but I've never seen a discussion by anyone who seemed to realize how bad Microsoft truly is.
Re:Be very, very careful when using EFS!!! (Score:3, Informative)
Re:Be very, very careful when using EFS!!! (Score:5, Insightful)
Re:Be very, very careful when using EFS!!! (Score:5, Insightful)
Regards,
Steve
Re:Be very, very careful when using EFS!!! (Score:2, Insightful)
Re:Be very, very careful when using EFS!!! (Score:2)
I don't remember any traffic cop giving me leeway because "I'm just a user trying to go from A to B, I don't want to learn about this technical car stuff like indicators and road-signs".
EFS is yet another example of IF YOU DON'T KNOW WHAT IT DOES, DON'T TOUCH IT. If you can't see the danger in encrypting important stuff so nobody else can see it and don't check up to find how it determines you from everybody else... and then don't back up.
Re:Be very, very careful when using EFS!!! (Score:2)
I'm guessing that his backups were encrypted... (Score:2)
I'm guessing that his backups were encrypted and he didn't realize that the encryption was tied to his user password, and to an undocumented hidden number associated with his user profile. Creating another account with the same login name and password does NOT allow decryption.
Who would guess that the encryption was insecure? When you read Microsoft's documentation, there is a lot of talk of file recovery, but the documentation doesn't say that it applies only to computers that are members of a Windows do
For Your Eyes Only... (Score:3, Informative)
Recovering Encrypted Files
Any data recovery agent can recover an encrypted file when a user's private key fails to decrypt the file.
To recover an encrypted file
1. Log on to a computer that has access to the user's profile; for example, a computer that has a designated recovery console or a recovery key on removable media such as a floppy disk. You might log on at the user's computer or the user might have a roaming profile.
2. Locate the encrypted fi
Many scattered, poorly written documents about EFS (Score:3, Informative)
I've read the many scattered, poorly written documents about EFS. I find them very misleading. For example, the information above does not say that it applies only if the encrypting computer is part of a Windows domain.
Re:Be very, very careful when using EFS!!! (Score:2)
See? Security through obscurity _can_ be effective.
Re:Be very, very careful when using EFS!!! (Score:3, Informative)
Re:Be very, very careful when using EFS!!! (Score:2)
On second thought, why not just make a backup of the file regularly... but if it's a large file, some real-time system is preferable. In which case, crypting of a RAID disk is a good idea. Ok, I guess I answered my own question.
Re:Be very, very careful when using EFS!!! (Score:2)
Other experience? (Score:2)
I'm very interested to know if other people have experience with other encrypting file systems.
TrueCrypt seems excellent, however, the recent bug fixes [truecrypt.org] look somewhat serious. Is TrueCrypt mature?
Re:Be very, very careful when using EFS!!! (Score:2)
I bet he won't do that again.
Re:Be very, very careful when using EFS!!! (Score:4, Informative)
http://support.microsoft.com/default.aspx?scid=kb
Summary: Rejoin your original domain and change your password to your original password.
People complain about Microsoft every day on Slashdot, but I've never seen a discussion by anyone who seemed to realize that if all you wannabe Windows Administrators left the "market", the world would be a better place for everyone.
Re:Be very, very careful when using EFS!!! (Score:3, Informative)
"You're just a user so screw off. We're far too important to worry about your stupid data."
I can't see any other explanation.
You act sure, but you say, "I believe." (Score:4, Informative)
You said, "This is another example of mod-by-agreement. Anyway, EFS is documented perfectly well."
Correction: This is another example of someone on Slashdot acting sure when he knows nothing about the issue, and didn't even read the document at his first link in his Google Search: Microsoft Windows XP - Data Recovery and Data Recovery Agents [microsoft.com], which says:
"The default design for the EFS recovery policy is different in Windows XP Professional than it was in Windows 2000 Professional. Stand-alone computers [using Windows XP] do not have a default DRA, but Microsoft strongly recommends that all environments have at least one designated DRA.
"In a Windows 2000 environment, if an administrator attempts to configure an EFS recovery policy with no recovery agent certificates, EFS is automatically disabled. In a Windows XP Professional environment, the same action enables users to encrypt files without a DRA. In a mixed environment an empty EFS recovery policy turns off EFS on Windows 2000 computers, but only eliminates the requirement for a DRA on Windows XP Professional computers."
This information means that you can lose your files in Windows XP in a way that you could not lose them in Windows 2000. Microsoft made this change, but provided no on-screen warning.
The Microsoft document quoted above says, "Stand-alone computers do not have a default DRA,..."
It should say, Stand-alone computers CANNOT have a DRA that allows decryption of files from a different computer with the same user name and password.
As I mentioned, this was verified by Microsoft Technical Support representatives, as was the information in my parent post.
You said above, "I believe the process can be started with a simple cipher
Re:You act sure, but you say, "I believe." (Score:3, Interesting)
Yeah, you can lose your data, if you reset the user's password. Before you reset a password, a big ugly warning box is shown stating that the user might experience data loss (a dialog not present in 2000). It's not like you'll magically lose your files in XP for no reason.
Microsoft Technical Support says no. (Score:2)
I was told by a Microsoft Technical Support representative that the procedure you are recommending [microsoft.com] does not work. I've tried it, and they are right, it doesn't work.
The title is, "Designating a Data Recovery Agent in a Stand-Alone Environment". That is VERY misleading. The Data Recovery Agent works only if you happen to know the other password, generated by Windows XP. If you put the same login name and password on another computer, you cannot recover your files, because the hidden password will be diff
EFS encrypts with two passwords. (Score:2)
EFS encrypts with two passwords, one is a hidden password generated by Windows XP. Backing up one password does not actually prevent data loss, because there is a hidden password that is not backed up. That's my best understanding, after discussing this with Microsoft Technical Support.
Re:EFS encrypts with two passwords. (Score:3, Informative)
You are right, and Microsoft tech supp. is wrong? (Score:2)
slashdotted (Score:5, Funny)
Well, I guess he USED to be your friend, until you slashdotted his internet connection....
Also encrypted my machine (Score:5, Funny)
Re:Also encrypted my machine (Score:2)
Flames! 3 inches high! Firebrigade! And drama!
I would be impressed if.. (Score:2)
Another pitfall is that samba.. not secure.. again, if he'd install vpn server there that would create secured medium for accessing it, would be another story.
The saddest part probably is that he raped SGI 320 and put AMD in it! just to have cool case for his desktop, sheesh, he'd have much more geek respect, by keeping that SGI intact.
Note to law enforcement. Don't reboot. (Score:5, Interesting)
And oh yeah, with SMB as your network file system, is the traffic securely encrypted? Weakest link, and all that...
Baz
PS yes, I know you're only doing legal stuff
And another thing... (Score:2)
cryptfs -m Encryption key: secretstring
don't forget to zap your
Baz
Re:Note to law enforcement. Don't reboot. (Score:2)
Even worse, HE'S DOWNLOADING FROM BITTORRENT. Why would the feds need to bust in? The **AAs will just catch him like every other bt user since the bt protocol itself isn't encrypted. Like any other P2P network, users connect to other users who have the data. Just start downloading a torrent and log everyone's IPs that connect to you.
Re:Note to law enforcement. Don't reboot. (Score:2)
Re:Note to law enforcement. Don't reboot. (Score:2, Interesting)
I've always had the power strip for my box on the floor next to my left foot. If I need to do an emergency power-off cuz the FBI wants to talk to me or because I got some Jenna Jameson on the screen and my boss just walked in, I can hit it in a heartbeat.
Not that I would ever put myself in a situation like that, but I'd rather be prepared "just in case".
Re:Note to law enforcement. Don't reboot. (Score:3, Interesting)
Of course, that's dd from a CD-ROM full of statically linked programs. Investigators shouldn't trust target machines for anything. And if you ever look at a machine that may wind up in court, make sure you don't do anything that writes to the hard disk.
The Secret Service guidelines for seizing computers say to consult a computer specialist if possible before doing anything, but if there's no specialist to be had they say to yank the power cord.
Doing investigations ri
Big fan... (Score:4, Funny)
Re:Big fan... (Score:2)
Re:Big fan... (Score:2)
The 90mm fan size was common on IBM power supplies that fit in their full sized AT case. They were huge, about twice the size of our current standard, and typically the cover had a hole cut into it so you could actually use the big ass switch. It was normal for me to see the hole for the big switch on clone power supplies covered with a plate with wires com
Re:Big fan... (Score:2)
Re:Big fan... (Score:2)
As others have pointed out, 120mm (4.72 inches). This is pretty much the perfect size to mount in three 5.25 inch bays. I have one mounted on my s
Re:Big fan... (Score:2)
Re:Big fan... (Score:2)
Re:Big fan... (Score:2)
I did this once... (Score:5, Funny)
Re:I did this once... (Score:3, Funny)
After that my program will print a message about the commercial version having support for decryption and where to send $25.00 via Pay Pal.
Re:I did this once... (Score:2)
Defeats the purpose... (Score:5, Insightful)
Re:Doesn't help (Score:2)
Re:Doesn't help (Score:2)
Yes, but the 5th amendment is against the patriot act.
Which one do you think would win?
--MarkusQ
Re:Doesn't help (Score:2)
Now, what the parent failed to mention was that you could provide a password that was WRONG, and merely say you've forgotten. Unless there is some overt giveaway that you are lying, they can't hold your poor memory against you.
Re:Doesn't help (Score:2)
Re:Doesn't help (Score:2)
Re:Doesn't help (Score:2)
Mirror? (Score:2, Interesting)
Obstruction of justice (Score:5, Informative)
http://www.ohiobar.org/pub/lycu/index.asp?article
Re:Obstruction of justice (Score:3, Interesting)
Re:Obstruction of justice (Score:3, Insightful)
Re:Obstruction of justice (Score:2)
1. Have a special remote control handy (use inconspicuous TV remote for example).
2. When you open door, and law enforcement places inconvenient demands, discreetly press button.
3. Server receives signal, overwrites key and makes all data disappear.
4. Stall law enforcement until data wipe has completed.
5. Evidence of evidence destruction does not exist.
7. Profit! (???)
Re:Obstruction of justice (Score:2)
Re:Obstruction of justice (Score:2)
Re:Obstruction of justice (Score:2)
And the link you so thoughtfully provided says nothing about forcing someone to testify against themselves, which is what you're talking about.
Damn, did I just feed a troll?
Re:Obstruction of justice (Score:2)
You can invoke the fifth amendment while being questioned by the police or testifying before a court. The privilege is pretty much defined as a limited right to remain silent. It does not allow you to obstruct the execution of a lawful search warrant or discovery process without paying a price.
Re:Obstruction of justice (Score:2)
Re:Obstruction of justice (Score:2)
Re:Obstruction of justice (Score:2, Insightful)
Re:Obstruction of justice --misleading wording. (Score:3, Funny)
Let's take two examples.
Example One
You say: "Fuck you dirty rat coppers, I have the key and I spit at your entire justice system which I have nothing but contempt for. I have the key and I refuse to give it to you. Go to hell."
Well, in that case I think you might be right.
But let's try another instance of "don't hand over" that has different implications.
Example Two
You say:
Re:Obstruction of justice (Score:5, Interesting)
Re:Obstruction of justice (Score:2, Interesting)
Re:Obstruction of justice (Score:2)
Re:Obstruction of justice (Score:3, Informative)
I'm not sure if we're thinking of the same project, but the one I knew was called "rubber hose". For a while, it was hosted at www.rubberhose.org, but that site dropped off the net several years ago, and to the best of my knowledge has not reappeared since.
A fe
Stenography Steganography Stegasaurus (Score:2)
Or as said in the Princess Bride, "that word, I do not think it means what you think it means..."
umm... I believe you mean "steganography", though if you don't know shorthand, the scribbles of a stenographer are rather cryptic.
You have to assume a known algorithm (Score:2)
Basic crypto says you should expect your opponent to know what algorithm you're using. Even if you do your encryption and decryption in hardware, sooner or later the Polish resistance will capture one of your machines and hand it over to British intelligence.
So if you have software that hands out bogus plaintext in response to a bogus key, whoever's investigating you will know to ask for BOTH keys.
Re:Obstruction of justice (Score:3, Informative)
Let me get this straight with another example:
Cop: "Are you guilty of [crime]?"
Me: "No!" or
Me: "..."
Despite my handsomely elaborate defense, I end up in jail for [crime] with a definitive sentence.
At that point, the zealous cop shows up and tells me he's also going to charge me with obstruction of justice, because he kindly asked me a question the first time around, and I lied or said nothing?
You got it backwards, I guess. The suspect is never required to collaborate with his/her prosecutors. They ma
Re:Obstruction of justice (Score:2)
Interesting. I'm curious, by the way. Which country do you live in? The situation you describe is quite different from that in the United States, and I'm curious as to how other cultures and legal systems work.
Re:Obstruction of justice (Score:2)
Already Been Done (Score:2, Informative)
Why is my way better? Well, the default BitTorrent client is somewhat lacking feature-wise. Azureus is more powerful and gives you more control over what to do with the torrents when they are done downloading. Not to mention the support for trackerless torrent [slashdot.org].
Different laws in that country make this useful! (Score:3, Insightful)
The theory in his country being if they can't find anything on your drive, then they can't prove shit.
Must be nice...
Slashdotted - Mirrors Here (Score:2, Informative)
Re:Slashdotted - Mirrors Here (Score:2)
Maybe an OS limitation?
It would be nice to know how to harden a system from slashdotting so that you can optimize the failure to occur in bandwidth, not the system.
Warning: mysql_connect() [function.mysql-connect]: Can't create a new thread (errno 35). If you are not out of available memory, you can consult the manual for a possible OS-dependent bug in
Site *not* slashdotted! (yet) (Score:2)
Now watch the server get a real slashdotting from all the refreshes.
Website Fried (Score:5, Funny)
404 Fried too (Score:3, Insightful)
Re:Piracy how-tos? (Score:5, Insightful)
Blizzard (Score:5, Funny)
Douche bag.
Re:Piracy how-tos? (Score:2, Interesting)
Re:Piracy how-tos? (Score:5, Insightful)
Re:I prefer VNC & Azureus (Score:2)
Re:oops url (Score:3, Funny)