Ben's Bits

About a month and a half ago I wrote about open source whole disk encryption software (this was just before TrueCrypt 5 came out) and mentioned an open source program called DiskCryptor which has been available since late fall and was the first open source whole drive encryption (system partition encryption) utility to support Windows that I'm aware of.

DiskCryptor has releases hosted on SourceForge and additional information on the primary developer's website. Though the developer's site is in Russian the Google translation facility does an ok job of translating it.

I started using DiskCryptor a few weeks before TrueCrypt 5 came out and was really impressed. Once TrueCrypt was released I tried that and while I do appreciate some aspects of the super redundancy in TrueCrypt whole disk encryption I soon went back to using DiskCryptor for a couple of reasons.

First, I had problems with TrueCrypt blue-screening on me and sometimes preventing my system from shutting down properly (it would sometimes reboot instead of shutting down). This made me quite uncomfortable as I was trusting my data to the software. I understand there have been a few patches to TrueCrypt since I tested version 5.0 which fixes some of the problems people were having and which I have not tried yet but there are other reasons I prefer DiskCryptor.

Second, while all the hand holding and redundant systems in TrueCrypt do make it (to some extent) dummy-resistant they are actually quite a pain when being utilized by a power user and there is no way to bypass them. In some cases it is either inconvenient or unnecessary to create a recovery CD. DiskCryptor does not require that a recovery CD be created and has different, perhaps more robust methods of recovering the data should the need arise.

Third, DiskCryptor supports hibernation! This is reason enough to use DiskCryptor for many laptop users. I understand that TrueCrypt 5.1 includes hibernation support but it appears a bug may have been introduced at the same time with dire consequences for drive security. Read about this bug in English and see the code problem in Russian. This may be fixed in TreuCrypt 5.1a but is not specifically mentioned as fixed in the TrueCrypt changelog as far as I can see.

Fourth, DiskCryptor has (in my mind) more robust/useful recovery options. This is for several reasons. While there is no recovery CD or extensive boot loader decryption ala TrueCrypt the encrypted volumes are fully compatible with standard TrueCrypt encrypted volumes (including pre-TrueCrypt 5). This means you can take a DiskCryptor encrypted volume and physically attach the drive to another system or boot into another OS and then mount and decrypt the drive with TrueCrypt. You cannot even do this with TrueCrypt encrypted drives as the technology behind TrueCrypt whole drive encryption is not compatible with regular TrueCrypt encrypted volumes. To me this is really exciting and useful as it allows me to move drives between systems and retain access to the encrypted data. There is also a BartPE plugin for DiskCryptor so you can boot from a BartPE CD and decrypt/access the encrypted drive. Finally, support is in version 0.3 (coming out shortly) for installing the DiskCryptor boot code on other media (eg. flash memory keys, CD-ROMs, etc.)

Fifth, DiskCryptor appears to be faster than TrueCrypt 5 WDE. At least on my system I noticed no slowdown with DiskCryptor but TrueCrypt 5 significantly slowed down my disk intensive operations. This is a major reason I personally switched back to DiskCryptor and I'm not the only one as evidenced by some posts in the DiskCryptor forums which indicate that in terms of MB/s DiskCryptor is as much as twice as fast as TrueCrypt 5, at least on some systems. Based on my experience I would agree. I understand there have been some performance enhancements in TrueCrypt 5.1a which include some assembly optimization (which was already a part of DiskCryptor) and I have not had a chance to test this latest version yet but believe speed improvements have also been made in the latest version of DiskCryptor which may still give it the edge.

Sixth, the development of DiskCryptor is both more active and more responsive to users than TrueCrypt. "ntldr" the developer of DiskCryptor has been very open to suggestions and very responsive to users through the forum on their website http://freed0m.org/forum the same cannot be said for TrueCrypt. Based on what I've seen from various TrueCrypt users they have been often ignored by the TrueCrypt developers who seem to be a small group of developers who do not respond particularly well to users or accept development assistance (one of the major benefits of open source development). The disenfranchised users include the DiskCryptor developer "ntldr" along with OS X users who started a project called OS X Crypt because of the unresponsive nature of TrueCrypt developers. I think this potentially will be a huge problem for TrueCrypt and it makes me somewhat concerned about the motives and long term success of the TrueCrypt development team. This is also manifested in the somewhat restrictive nature of the TrueCrypt source license compared with other open source licenses such as the GPL (which is used by DiskCryptor). While TrueCrypt may be open source it is most definitely not GPL software and not GPL compatible (read about the issues of including this with GPL software here)

There is one downside to DiskCryptor, there is currently no real help file or instructions for using it but I was able to figure it out by looking at the menu options all of which seem fairly straightforward to me. This is an acknowledged flaw and is being actively worked on by a few DiskCryptor users. In the meantime the primary developer is more concerned about enhancing the feature set and eradicating bugs than on developing documentation, an understandable position for many volunteer software developers.

Communication and publicity is not a strong suit for DiskCryptor and this may be partially to the fact that English is not the first language of the developer. In my opinion this, more than anything, is holding back what is otherwise an excellent (and in my mind superior to TrueCrypt) product. Much of the information is available but it's in the DiskCryptor forums which contain a mix of Russian and English making them not the most user friendly way to learn about the software. There has also been little tech press coverage of the program.

I am not so much trying to make the case by myself that DiskCryptor is a better product for everyone, though it was for me. I am trying to bring some attention to the first open source whole disk encryption program (there was even a Wikipedia vote where it was decided to eliminate the page for DiskCryptor as non-notable and where people seriously questioned if it was just a knock off of TrueCrypt 5!) and encourage others to talk about and try DiskCryptor. Certainly the program could use some English language press if it is to grow significantly. Hopefully by explaining my reasons for selecting DiskCryptor as my choice I've encouraged you to at least keep an open mind and try the software then write and share your experience with others.

My laptop is one of the IBM (Lenovo) Thinkpads which includes a fingerprint reader and TPM chip which can be used to both unlock the system at boot and log on to Windows using software supplied with the computer. One thing that the supplied software does not do but something that I've been interested in doing is whole disk encryption (something also called by a few other names depending on the vendor and software.

You can learn more about whole disk encryption in this article written by Bruce Schneier a couple of months ago or from the Wikipedia article. Essentially the idea is to encrypt the entire hard drive rather than a small subset of files. Obviously this does not protect the files while the computer is operating but is especially useful if you have a laptop (something prone to being stolen) and want to ensure that if someone stole it the data on it would be useless. While some free utilities such as TrueCrypt have allowed you to encrypt entire volumes they have not allowed you to encrypt the boot drive, at least not when using the Windows operating system. You see the trick with encrypting the boot drive is that you need to unencrypt it for the system to boot so a driver must be loaded at boot time which will prompt the user for a password and thus unlock the key allowing the drive to be unencrypted and the system booted. Until recently there were no free or open source programs which allowed you to do this with the Windows OS (solutions for Linux were available).

In the span of just over a month that has all changed. In December a Russian security consultant released the open source program DiskCryptor (and on SourceForge) which allows you to install a Windows driver (which can be renamed for extra obscurity) which will encrypt your drive and also allow you to install a boot time driver onto the disk which allows for the encryption of the boot volume. The encryption algorithm and container is TrueCrypt compatible so if need be you can access the drive by putting it in another computer which has TrueCrypt installed and mount the volume (with the appropriate password of course). This is an especially nice touch as it ensures some kind of compatibility between the open source projects and makes data recovery from an otherwise dead system a bit less problematic. I've been successfully running DiskCryptor on my laptop boot drive for several weeks now and have found the program works as advertised though there is essentially no help file or other documentation so you have to learn the program by playing around with it and looking at menus.

Later today TrueCrypt plans to release version 5.0 of their popular open source encryption software which among other things promises to include a boot driver for Windows systems which will allow the encryption of the boot drive. I plan to try out this software once it becomes available. I am excited to see that there will be two open source solutions to whole drive encryption and look forward to improvements in one or both of the programs.

A few things to note. Neither of these solutions (as far as I'm aware) supports the TPM chip and fingerprint reader in my laptop. This means that you need to enter a separate password to unlock the hard drive in addition to unlocking the computer. It also means that the encryption is all taking place in software and utilizing CPU cycles and slowing down drive access times. While I haven't noticed a pronounced effect in my usual word processing and Internet browsing on this system I can see that this might be problematic for a media or gaming intensive situation. Hopefully advancements to these solutions will allow for better integration with hardware acceleration and authentication to improve this situation.

Once upon a time batch files were king in the PC world. Hardly a magazine issue, BBS discussion or user group meeting would go by without one of these handy scripts to add some functionality or usability to systems. Since the reign of Windows batch file programming has been on the decline. Of course shell scripting remains popular and extremely popular in Linux where most settings on the system are still controlled by text configuration files and command line utilities but in Microsoft land the script has been largely supplanted.

Even though the NT based operating systems (NT, 2000, XP, etc.) have actually made significantly more configuration available from the command line and there was a push for a new 'Windows Scripting' language these things have become largely forgotten and there are now an extremely limited number of users comparable to the Windows operating population which are comfortable writing scripts to automate things in Windows. Even among large corporate IT departments where there is perhaps the most to be gained by writing these sort of mini-utilities scripting is a dying art. One of the reasons for this is that most magazines and technical publications no longer regularly mention scripting or command line configuration utilities so there is a limited opportunity to learn about these tools.

Nevertheless these tools exist and when you find them they can be extremely useful. Take the "netsh" program for example. This handy little tool allows you to set and manipulate many of the Windows network settings from the command line and when combined with scripting it is possible to create scripts which will completely reconfigure your network interfaces (say from DHCP to a static address to another static address) for various network configurations all with the simple execution of a script.

You can learn more about this powerful tool from a few different Microsoft sites but while these provide some syntax and information perhaps the best place to get started is at one of the third party sites which covers it. Or now that you know about the utility you could just start experimenting with things.

For example running the "netsh -c interface dump" command will dump all kinds of interesting information about how your interfaces are currently configured to the prompt. It's possible to capture this information to a text file and then 'replay' the data to reconfigure things as they currently are using something like "netsh -f netsettings.txt"

Keep the art alive!

One of the many misconceptions about the D-STAR digital amateur radio protocol is that it is closed and will prevent tinkering by hobbyists. This turns out to be far from the truth indeed. Last year at the Dayton Hamvention there were several exhibits by D-STAR enthusiasts which included an entirely home brewed D-STAR radio and a home brewed D-STAR repeater controller. Well now someone has built a DV interface adapter which can provide a D-STAR digital voice interface on many existing transceivers. Of course some functionality is missing as there is no ability to change various DV settings from the minimal interface but it proves yet again that there is the possibility for much experimentation with this new digital mode.

On other fronts the OpenDSTAR group has released several software tools which build on existing commercially available repeaters and Internet gateways to extend functionality. Still in the pipe from that group is a USB dongle called the DV Dongle which will allow end users to encode audio in the AMBE format used by D-STAR digital voice for later playback through the repeater or, ostensibly, for live PC to repeater communications. Indeed the home brew spirit of amateur radio is alive and well in the world of digital communications, it just looks different than it has in the past.

A few months ago I learned of an interesting website called myNetWatchman. This is a very interesting and free website which aggregates firewall logs from various sources around the Net (you are free to contribute your logs as well) and analyzes them for trends and potential infections by IP address. System administrators are then able to enter IP addresses of servers they manage into the site and see whether those servers have been exhibiting any malicious behavior towards the monitored firewalls. This is just one additional useful tool for sysadmins to monitor the behavior of their servers.