Comment Re:Sigh (Score 1) 381

That's how I do it for my employers (large fireproof safe, book sealed so you can't open it without me noticing, etc.) and for myself.

Sealed how? For every way you can seal an article, I can probably name a handful of ways to get around it without disclosure. Wax seals, adhesive, envelopes, locks, string, ink stamps, stickers, all easily and transparently bypassed.

What method are you using with your books?

Comment As a Private Investigator once told me, years ago (Score 4, Insightful) 462

If you find that your residence, automobile, or other personal effects have been entered/searched without your consent or direct knowledge, and everything "looks intact", consider that they didn't come to take something away, but to put something in.

Once your personal effects, especially high-capacity electronics like smartphones and laptops, are out of your direct control, in some other room for hours at a time while you're in a holding cell, you can no longer trust them.

If they can get access to the physical hardware, they can install malware, rootkits, key loggers, replace the network card with one that is known-trojaned, manipulate your certificates, trusts, replace firmware on your devices and anything else they want.

No, once you get your gear back, immediately wipe it. Do not log into it, not even once, and just sell it on eBay or Craigslist.

You can't trust it, so dump it as soon as you can.

Comment Re:Open source? (Score 5, Insightful) 215

Write it down. Heck, even the USPS or FedEx seems to be less compromised - they record the address info (metadata) but I haven't seen anything to imply they've been opening the letters.

They do photograph every single letter and parcel, as well as x-ray scan everything that goes through their facility.

Is that "safe"? I don't know.

Can they discern written text inside a letter in an envelope, through x-ray scanning? I don't know.

Are they photographing every letter under extreme bright lights, making the container effectively transparent?

Not sure, but it's worth exploring every single one of those questions.

Comment Re:Yeah, they all require an email address (Score 1) 174

As for the guy talking down the "bunch of words" approach, I guess one could take words from different languages and then throw in a few extra characters and numbers in a few groups here and there just to mess things up if someone only uses dictionaries, and then it would become somewhat harder.

Actually, no.

What you've done is make it take marginally longer to guess your password, but not impossible. By marginally, I mean minutes to hours in most cases, not days, weeks, months or years. Just try sticking a sample password of words from different languages into Google for example, and watch it cleanly cleave those words apart into a logical search.

Lexical matching + brute force is a solved problem. Password cracking doesn't just bash letters against a wall until it gets a match anymore. At least good ones don't.
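The kind of attack the comment above is describing, as an added example (not the commenter's code and not from the original page): a combinator-plus-rules search that glues dictionary words from several languages together, applies case rules, and appends the "few extra characters", then compares each candidate against a hash. The word lists, separators, suffix rules and the target passphrase are all constructed for illustration; a real run uses full per-language dictionaries and a cracker's rule set, and the search-space figure it prints is for these toy lists only.

```python
"""Combinator + rule attack on a 'words from several languages plus a few
extra characters' passphrase.

Added example. The word lists, separators, suffixes and the target passphrase
are constructed for illustration (assumption), not taken from any real leak.
"""
import hashlib
import itertools

# Constructed mini word lists: a handful of words per language (assumption).
WORDLISTS = {
    "en": ["house", "dog", "tree", "river"],
    "es": ["perro", "casa", "gato", "luna"],
    "de": ["hund", "haus", "baum", "fluss"],
}
SEPARATORS = ["", "-", "_", " "]            # how people glue words together
SUFFIXES = ["", "1", "7", "!", "42", "7!"]  # the "few extra characters"


def mangle(word):
    """Case rules applied to each word: as-is and capitalised."""
    return (word, word.capitalize())


def candidates(max_words=3):
    """Yield every passphrase the rules can build from 1..max_words words."""
    words = [w for wl in WORDLISTS.values() for w in wl]
    for n in range(1, max_words + 1):
        seps = SEPARATORS if n > 1 else [""]   # a single word needs no separator
        for combo in itertools.product(words, repeat=n):
            for mangled in itertools.product(*(mangle(w) for w in combo)):
                for sep in seps:
                    base = sep.join(mangled)
                    for suffix in SUFFIXES:
                        yield base + suffix


def search_space(max_words=3):
    """Number of candidates candidates() generates, computed analytically."""
    w = sum(len(wl) for wl in WORDLISTS.values())
    total = 0
    for n in range(1, max_words + 1):
        seps = len(SEPARATORS) if n > 1 else 1
        total += (w ** n) * (2 ** n) * seps * len(SUFFIXES)
    return total


def sha256_hex(text):
    """Unsalted SHA-256 stands in for whatever hash the target site used."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hex, max_words=3):
    """Return (passphrase, candidates_tried), or (None, candidates_tried)."""
    tried = 0
    for cand in candidates(max_words):
        tried += 1
        if sha256_hex(cand) == target_hex:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    # Constructed target: a German word, a Spanish word, a digit and a symbol.
    target = sha256_hex("hundGato7!")
    found, tried = crack(target)
    print(f"recovered {found!r} after {tried} candidates")
    print(f"rule-based search space: {search_space()} candidates, versus "
          f"{95 ** len(found)} for blind brute force over {len(found)} "
          f"printable characters")
```

The point the block makes is the one in the comment: mixing languages does not change the attacker's strategy, it only enlarges the dictionary, and the extra digits and symbols are covered by a short suffix rule list. Against a salted, slow hash (bcrypt, scrypt, Argon2) the same search costs far more per guess, which is the server-side defence; on the user's side, more words beat more decoration.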

Comment Re:Yeah, they all require an email address (Score 1) 174

Why not use KeePass on your phone then? It supports BlackBerry, Android and iOS.

Or export the data from KeePass, GPG ASCII-armor that, and email it to yourself?

There's plenty of ways to do that. I keep lots of non-web data within KeePass, and it's been remarkably useful to me for more than just "logins".

Comment Re:OMG Pony BotNet! (Score 1) 174

I love how people with a clue suggest people use different passwords everywhere, and then more or less every single page in the universe requires you to have a freaking login and often doesn't use any central stuff for doing so (somewhat better now with Facebook and Google, but then again, do I really want to connect my accounts that way?)

I'm confused. Are you saying we shouldn't use individual logins, and should use a centralized system of login and authentication instead? That's precisely what we do NOT need. Reusing passwords across multiple sites increases the speed and attack vector.

Using a centralized service ("Log in with your Facebook or Twitter Account here...") magnifies the problem even further.

No, if you want true security in the current environment, always choose to create an account, using the local system's own mechanism, and keep a unique, strong password embedded in that system.

Sharing passwords across systems or reusing the same authentication mechanism across systems is just opening a huge hole so big you could swim in it.

What happens when a flaw in the central authentication system is discovered? What happens when your Facebook credentials are stolen, and now hundreds of other sites you've enabled their use upon, suddenly become open to the criminals who obtained your Facebook authentication?

Resist the urge to centralize your authentication. Seriously, you're asking for trouble. Don't do it.

Comment Re:They pop up and notify me they are running. (Score 1) 243

I use a combination of LBE Security, DroidWall and Permission Manager to lock things down tightly. Silly free flashlight apps that try to read my SMS datastore? Nope, denied. Calculators that try to use WiFi or my cellular network? Denied. Games that try to read my IMEI? Denied.

Super secure, tight controls and you can lock everything down, in or out. Use all three.

Comment Re:Dichotomy (Score 1) 234

According to TFA, NSA knows full well exactly this and tried it, but couldn't gain control of a sufficient number of exit nodes. That's not surprising, it really would take controlling quite a lot of exit nodes.

Are we sure they didn't just root the botnet around mid-August/early September?

http://www.infosecurity-magazine.com/view/34453/massive-botnet-is-behind-tor-usage-spike-/

Can we be absolutely certain that the botnet itself, and every single node, is 100% secure and non-rootable from the NSA's 0-day toolkits?
