Everything posted by BuckoA51

  1. Just catching up on Hak5 and eager to try Keybase too, can anyone please send me an invite?
  2. Well, guess what, he didn't even bother to e-mail back when I asked him to use Lastpass. Frankly, I hope this kind of thing isn't the norm for Wordpress companies (I had to call out the last firm I used for custom Wordpress work for sloppy security too, but they changed policy based on my recommendations almost immediately). I think it's time to name and shame. Never EVER buy or advise a client to buy a theme from Skywarrior themes http://themeforest.net/user/Skywarrior
  3. It's a compromise, I can unfuck a website with a backup, I couldn't unfuck a woman. :)
  4. Oh I'll be making a full backup for sure. Frankly if he doesn't agree to the Lastpass suggestion I'll just tell him to get lost and either try to fix the problem myself (be good coding experience) or just get a new theme.
  5. No, he didn't have admin access previously, I installed the theme myself after purchasing it. I offered to send a full backup of the site using the Wordpress duplicator plugin, that can then install on a local XAMPP server for testing. I explained that I had the exact same issue when running my Wordpress site within XAMPP as I do when it is running live. He still refused to help me "Lol you are only person i've meet in my career with such security norms". Frustrating to the extreme! I have one more idea that's to use Lastpass. I don't really like Lastpass as a password manager as I don't want my passwords in the cloud, even encrypted, but it should do for this situation as per - https://foliovision.com/sharing-sensitive-information I'll let you know.
  6. Hi, so here's some background. I run 3 Wordpress sites as part of my own little web empire. The sites use themes I've purchased from various places that included support. Anyway, to cut a long story a little shorter, one of my sites' themes started acting weird after the latest Wordpress upgrade. I contacted the theme's author and asked for support. This is when things get bad. He's demanding that I hand over my admin login to my Wordpress site. Initially he said I should post it on their forum, but make the post "private". I said "No, that's terrible practice, can you use PGP?" At first he said yes but then e-mailed back with "sorry, what is this? i dont know how to use it". So now I'm stuck, this guy wants me to e-mail the keys to my kingdom via unencrypted e-mail. He's saying I'm unreasonable and no other clients have ever asked for this kind of security. Frankly, I think he's the one being unreasonable in not being more professional with HIS security. I suggested a compromise where I sent him a backup of my site instead but he refused, claiming it was no good as he wants to check for hosting issues. What would you guys do? I know I could just e-mail the details then change passwords once he was finished, meaning things would only be at risk for a day or so, but the whole thing irks me no end, this is terrible practice and I shouldn't be the one criticised for wanting to do things properly.
  7. Hi all, was listening to the radio this lunchtime (Radio 4, how very intellectual of me :) ) and a piece on these guys came on:- http://www.remapleics.org.uk/ They're kind of like a hacker space that takes and mods all kinds of tech for disabled people. For instance they made a drinking machine (for all kinds of beverages I assume!) and a newspaper reading machine for two of their clients. It sounds like a neat idea and one that other hacker spaces could contribute to, so I thought I'd make you all aware of it. Could make for an interesting segment on Hak5 too.
  8. Hmm, see the thing is the US government is unpopular enough at the moment, if word got out that it WAS the government who put a stop to Truecrypt, there would be a huge outcry. I just don't see it, if you are the NSA and you want in to someone's files, it's much easier to hack their PC while it's running and decrypted, or grab your target and torture them for the password. In short, Truecrypt is probably nothing more than a nuisance to the US govt and not worth risking the potential backlash of taking it down when there are quieter, more effective ways to get what you want. Of course, I could be totally wrong.... I mean it's actually really scary that the CIA/NSA is basically getting away with so much as it is.
  9. Drivecrypt plus may also be worth considering, though I don't know if it supports Linux.
  10. The audit so far seems to suggest there are no serious vulnerabilities. Frankly I think I'm going to keep using it in the short term and I see no reason to panic and switch over to another solution just yet. Longer term is another matter of course, let's hope something comes of truecrypt.ch
  11. I use Windows and Linux but honestly I prefer Windows as my "day to day" OS, and I doubt a lot of people who were using Truecrypt because it was free and convenient on Windows would want to change to Linux. I know for instance my dad wouldn't change to Linux and will probably just run his laptop unencrypted.
  12. The more I think about this the more I think it's a massive blow for privacy advocates around the world. I've been looking into alternatives and they are either expensive commercial products (e.g. Drivecrypt, PGP Disc; Bitlocker only works with Windows Pro) or somewhat under-developed (DiskCryptor). There's no way Bitlocker is a replacement for Truecrypt, the only product I've found that does hidden volume/hidden OS is Drivecrypt, and it's nearly £100 per computer, the licensing is too inflexible for hackers and hobbyists. I know a number of folks that used Truecrypt because it was free, convenient and relatively easy to set up. Hopefully I've helped a bunch more with my tutorials too. Now, I imagine a lot of people will look at the alternatives and decide they would rather just take their chances and stay unencrypted than shell out a lot of cash or try to get DiskCryptor working. Sad times indeed.
  13. Heartbleed? What has a SSL vulnerability got to do with Truecrypt? Or do you mean that's how logins were stolen for the website?
  14. True, but wouldn't that suggest more than a mere website hack?
  15. "the binaries appear to be signed with the same GPG key that the TrueCrypt Foundation used for previous releases." Interesting....
  16. I don't use IE because, well, it's IE (memories of 6 and 7.. shudders) but to be fair isn't it pretty secure these days? On the whole I mean, I know it had that serious vulnerability lately but so do all the other browsers. I'm talking about the latest version, IE11 of course.
  17. I guess time travelling monkeys would work quite well at brute forcing containers now that you mention it. More speculation here:- https://news.ycombinator.com/item?id=7812133
  18. Ah but speculation is such fun!
  19. http://truecrypt.sourceforge.net/ "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform." Okay anyone got any ideas? This seems rather unlikely. I can understand Truecrypt devs throwing the towel in but, migrate to Bitlocker?! A closed source solution, I don't think so.
  20. Don't want to sound too melodramatic but everything I've read today on this subject has shaken my faith in humanity in general. I feel close to tears.
  21. This might be a dumb question (my second one today) but, are private keys shared by Chrome if you use Mailvelope? By that I mean, if I mailveloped on my desktop, then logged into a chromebook with my Google password, would my private key be waiting for me there? If so, isn't that kind of a security risk having your private key stored by Google in the cloud?
  22. Yeah I remember seeing the Hak5 episode on cold boot. It's a pity keyfiles cannot be used for pre-boot authentication, maybe in the future. Truecrypt could create a USB drive full of random keyfiles, and you only needed to enter your password and remember which keyfile it was on the USB stick when booting.
  23. Yep that makes sense thanks, the more you know. If only humans were better at remembering random strings of letters and numbers.
  24. Right yeah I understand I think, with Hashcat you're basically brute forcing passwords against the hash rather than against the container itself, because that's simply faster?
  25. First of all, please don't beat me too hard if I've got something wrong in this post, I'm not a security expert by any means. So I read about the improvements in Hashcat and how you can now crack Truecrypt volumes more efficiently. I started wondering if my Truecrypt passwords were adequate enough and ways to strengthen them and I remembered Yubikey. Yubikey can add a bunch of random characters to your password to make it harder to crack. Now, what made me pause for thought is this. Let's say an attacker steals my computer and my Yubikey. Assuming I'd locked the machine, there are few scenarios for attacking the Truecrypt container:- 1) Brute force - He/She could simply add the Yubikey random text to his word list. Simple, but will still be ineffective if my password isn't in his/her dictionary. 2) Hashcat - Now, here's where I think I understand but might not. Am I right in saying that, because hashes are designed so that changing the password a little results in a completely different hash, that knowing /part/ of a password (in this scenario the part stored on the Yubikey) is absolutely no help whatsoever if you are trying to break a hash? Or have I misunderstood completely?
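The threat model in the post above (attacker holds both the laptop and the Yubikey, so the static string it types is a known constant rather than a secret) can be measured rather than guessed at. This is an added toy model, not code from the thread; the Yubikey static string, the salt and the tiny iteration count are constructed values, and PBKDF2-HMAC-SHA512 stands in for the container header KDF.

```python
import hashlib
import itertools
import string

# Constructed values for the demo (not from the post). A real static
# password from a Yubikey is a long fixed string typed on every use.
YUBIKEY_STATIC = "cccccbcgjhtvijfjlkbefeeiurjdcnfdugbrbgfbvgbt"  # hypothetical
SALT = b"constructed-16-byte-salt"
ITERATIONS = 1000  # deliberately tiny so the demo runs in well under a second


def derive(password: str, salt: bytes = SALT) -> bytes:
    """PBKDF2-HMAC-SHA512: a slow, salted KDF of the kind disk encryptors use.

    The avalanche property the post asks about lives here: any change to the
    input gives an unrelated 64-byte output.
    """
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)


def guesses_needed(target: bytes, alphabet: str, length: int,
                   known_suffix: str = "") -> int:
    """How many KDF evaluations a dictionary/brute-force run needs.

    The attacker enumerates only the human-chosen part and appends the
    suffix they already possess. Returns -1 if the target is never hit,
    which is what happens when the suffix is NOT known.
    """
    for n, tup in enumerate(itertools.product(alphabet, repeat=length), start=1):
        if derive("".join(tup) + known_suffix) == target:
            return n
    return -1


def avalanche_bits(pw_a: str, pw_b: str) -> int:
    """Hamming distance (out of 512 bits) between two derived keys.

    For two passwords differing in one character this sits around 256,
    i.e. the outputs look unrelated even though the inputs almost match.
    """
    ka, kb = derive(pw_a), derive(pw_b)
    return sum(bin(x ^ y).count("1") for x, y in zip(ka, kb))


if __name__ == "__main__":
    human = "zz"  # weak two-letter human part, last in the enumeration
    target = derive(human + YUBIKEY_STATIC)
    print("with Yubikey in hand:", guesses_needed(target, string.ascii_lowercase, 2, YUBIKEY_STATIC))
    print("without it:", guesses_needed(target, string.ascii_lowercase, 2))
    print("bits changed by one-char edit:", avalanche_bits("zz" + YUBIKEY_STATIC, "zy" + YUBIKEY_STATIC))
```

The answer the numbers give: the avalanche effect is real, but it does not protect the human part. Once the static string is known, the cost collapses to the size of the human-chosen part alone (676 guesses here), while a stolen laptop without the key never hits the target in that space.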