Forums Community AxCrypt 2 makes me sad… Reply To: AxCrypt 2 makes me sad…

#6552 Reply


Experts don’t recommend it and there’s a good reason why

Actually that’s an incredible amount of bullshit. No security expert – read that NONE – will support using the same password across different levels of security. The same principle applies to websites the fact remains different levels and different types of security with the same password are functionally worthless. The only “experts” who don’t recommend multiple passwords for different layers of security are fools, most likely fools who are operating on the assumption users are forgetful and lazy. No security expert would say “Use the same password for windows, for your password manager, for websites, for every file, etc.”, once a password is compromised they’ll have access to everything that constitutes your online presence. You also failed to state this “Good reason why” that isn’t tied to forgetting or getting lazy.

  • I’m using multiple pieces of software (more risk of critical bugs: malicious or otherwise)

Yes, there’s something to be said about increasing your attack service, I wonder though what OS do you use? If you’re using Windows you likely have a wide number of services you don’t need enabled. Remote Registry? SMB v1.0? Don’t act as though you’re super concerned about your attack surface.

  • More chance of making a mistake and completely compromising my security

Again, maybe you’re incompetent but I am not.

  • Using proprietary encryption methods designed to look secure, but aren’t proven

Open Source doesn’t equate to security, all of my most critical files (including my system backups) are stored within VeraCrypt encrypted volumes. VeraCrypt has been audited and is a fork of TrueCrypt which was also audited, has AxCrypt been audited? I suspect not. It comes down to trust, I don’t trust that BCArchive will keep my files safe from the government then again I’d never trust AxCrypt with that either. I do however believe that it will keep personal files secret from the kinds of people who modify and redistribute existing malware.

  • Having to keep a record of multiple encryption passwords

I’m not an Alzheimer patient I do just fine in regards to keep my passwords, I use KeePass should I forget them but I rarely have to do so.

  • Moving data in and out of the VM/sandboxed process

Arguing against Sandboxing\Virtualization now? Suppose google shouldn’t bother sandboxing websites either.

I use Sandboxie and VirtualBox, both of which are well known software.

I’m not concerned about the one password methodology because I know that if a hacker can get into my system to steal that one password then he’d be able to get at all of my information anyway.

The obvious question stands then: What does AxCrypt protect you from?

Any piece of malware – ANY – can steal your AxCrypt encrypted files because AxCrypt stores your key in memory and decrypts the files without prompt. The ONLY way AxCrypt offers ANY protection is if you manually sign out.

If you’re going to use AxCrypt you’re better of using Bitlocker with a good windows password, because AxCrypt doesn’t protect you in any way from invasive malware that reads your files. Any file – whether an unencrypted cached version exists or not – is vulnerable.
AxCrypt v2 does nothing, it protects you from nothing, anyone with a method of FDE encryption already has the full protection of AxCrypt. The only advantage AxCrypt provides is a far simpler method of key-sharing.

I’m desperately curious what your answer to the question “What does AxCrypt v2 protect you from?” is.

As a closing note Windows tracks all keyboard input (including passwords) and sends it back to Microsoft even if you’ve got telemetry turned off.

I certainly hope you have a citation for that, I monitor my own traffic and I’ve never seen anything of the sort. Then again I’m running a customized version of windows with various components (i.e. Everything to do with Cortana, Metro, & xbox) removed.

It’s like I said before – you’re never safe you’re only seeking to make the cost of attack less worthwhile. It’s all a matter of what you’re protecting and from who and how far you’ll go to protect it. At some point down the line you’re going to have to trust someone.