Question re accepted items

Heated discussions about long term goals please. Pretty much everything goes.

Re: Question re accepted items

Postby Sabbath » Tue Jun 10, 2014 5:56 pm

Merlin wrote: I can't honestly declare I'm totally persuaded either way


I would appreciate it if you would continue in your role, it would help us enormously. I have never learnt of a compelling argument against this feature which could not be solved. I was hoping you might be the person to find one.

Your contribution of batting for the other team, so to speak, is helpful. The last thing we want is developers stood idle while forum members vacillate over simple functionality decisions.

It would be fantastic if we could resolve this now, so there are no problems moving forward. It may also assist you to make your own mind up, as you state you have no particular preference.

Reading your argument, I suggest you need to expand it to encompass hidden volumes altogether, for obvious reasons.
Sabbath
 
Posts: 49
Joined: Sat Jun 07, 2014 9:05 am

Re: Question re accepted items

Postby Merlin » Tue Jun 10, 2014 10:51 pm

I'm just trying to put myself in the position of a user who's been detained by the authorities, perhaps mistakenly because the airports are on high alert, I might legitimately want means to prove conclusively I have cooperated fully, for the sake perhaps of nothing more than a speedy resolution, not everyone cares sufficiently to stand up for their right to stay silent, even where they have such a right, I may feel whatever I'm travelling to do is more pressing even if others would say less important.

I simply hand over my password, they see I've cooperated.

Hidden volumes complicate that, especially as a feature of the program, the suspicion always remains I may have used the feature, despite any denial I might make, we'll make it somewhere reasonably civilised, I'm merely delayed further while more investigation is carried out, I'm not wanting to be overly dramatic, this isn't a spy movie.. I do not wish to be subjected to this delay. Used with care nobody can prove differently than "I never set a hidden volume up", but unless used with care it often can be proved if I did, and I'm stuck waiting while they ransack an image of my drive(s) trying. (And probably succeeding if I've not been very careful how I used a hidden volume, if I'd been untruthful).

"Use bitlocker instead" great.. and how do I access my encrypted USB on my Linux machine/ Mac? TC is the only cross platform solution out there, no go.

Enter TrueCrypt, it has this hidden volume feature I neither want nor need, and supports hidden operating systems too. I'm a typical user, and my laptop only has one partition, so I don't have to argue about a hidden OS, you might not be able to prove one has been set up, but not having a second partition proves you don't.. no problem there.

So how do I be cooperative and prove this USB stick has no hidden volume? Well with only one level available, I set up a tiny empty one in advance, and set the password "password" on it.. they can look.. nothing to find there!

With n levels, I can't do that, I'm back to arguing "I didn't set one up", if I do what I did with the current version I just proved I know all about the hidden volume feature, and the suspicion level goes up rather than down.

Never mind the technical trouble protecting multiple levels of hidden volume from damage when you're using an intermediate one, which password to mount and which to use for protection is going to get confusing so fast people will have to write it down, or store lists in a password vault.

It may all be academic anyhow, because it may not be possible without changing the header format and breaking compatibility with all existing volumes. It's certainly at variance with code simplification.
Merlin
 
Posts: 43
Joined: Sun Jun 08, 2014 4:57 pm

Re: Question re accepted items

Postby Sabbath » Wed Jun 11, 2014 1:09 am

OK I understand. I believe these are your points...

You are not prepared to use any other, or more suitable encryption programs instead, which provides the level of security needed by most people. I presume civilian hackers, thieves stealing a laptop etc.

You require definitive and expedient proof there are no hidden containers on a flash drive / hard drive.

Solution

Fill your flash drive's empty space with ballast files. No empty space means no hidden volume and only one password to remember. This could be a feature to pre fill empty space with data (not random obviously). The data should be in reasonable sized blocks, user defined size, so the user can delete one or two when further space is required. You could just repetitively copy a video file for example.

I believe this solves the problem and it is immediately evident to an investigator. It also allows ciphershed to retain multi hidden volumes for other users.



Now I have a question or scenario arguing the opposite.

You successfully convince the ciphershed developers to remove the extremely valuable hidden volume feature.
Our protagonist is wrongfully arrested, his computer, external drives and flash drives are seized.
He is forced by the RIPA act to provide his password. As he is a 100% innocent man, why should he not cooperate ?

On his hard drive he has written many private thoughts and letters, possibly critical of the current government or police officials which may be misinterpreted or misunderstood. He may have evidence from whistle-blowers exposing senior government officials or council. In the current paranoid climate the police or prosecution services may totally overreact to the contents of his drive and try him in the courts as a terrorist.

If he opens his drive he may face 15 years branded as a subversive.
If he does not provide a password he will serve 6 to 10 years for not complying with RIPA.

Can you please recommend a simple and decisive way out for our innocent man ?

I hope you appreciate the compelling case for hidden volumes. We are not trying to protect the guilty, just the vulnerable.
Sabbath
 
Posts: 49
Joined: Sat Jun 07, 2014 9:05 am

Re: Question re accepted items

Postby Merlin » Wed Jun 11, 2014 1:56 am

In the case you cite, the single level already provided of hidden volumes is sufficient.
Though quite why "I didn't set up a hidden volume" is more plausible than "I forgot my passphrase" is an entirely different debate.
Or even claiming the header must be damaged after supplying a wrong one, lord knows I've seen plenty of users with damaged TC headers.
I actually have forgotten passphrases in the past.. More than once, seems entirely plausible to me....
The existing setup is already one anyone arguing the case I put can live with.

And I have two definitive and expedient means to prove I have nothing hidden in undisclosed containers.
Since you pointed out a second, although Windows complains like a mother-in-law about full drives... Making it the less satisfactory of the two.
Especially as you'd only need a tiny volume to hide a compromising text file in. Meaning you'd have to keep the volume completely full, errors from Windows or not.

Where is the need to complicate the code providing multiple layers? Other than "It's a cool feature"
Who *actually needs* two layers? If the first is truly deniable, what purpose does a second serve?
If the first layer isn't truly deniable, it just proves the concept is flawed, not that more layers are needed.

I contend the current functionality is the best compromise between the two viewpoints on the matter of hidden volumes.
So why complicate code one of the project's goals is to simplify?
Merlin
 
Posts: 43
Joined: Sun Jun 08, 2014 4:57 pm

Re: Question re accepted items

Postby Sabbath » Wed Jun 11, 2014 1:45 pm

Originally I suggested you needed to expand your case to encompass hidden volumes altogether.

If you don't expand it to cover the whole idea of hidden volumes (including single level) then you are placing any user in an awkward legal position with your single layer option. You will effectively be forcing them to create a hidden volume when they don't need one. If they fail to do so, or forget the second password, they will be suspected of concealing one and a lengthy prison sentence awaits them.

RIPA is a nightmare and an example of a badly thought out law. Hidden volumes single or multiple are a legal and plausible way out. Without this feature, you effectively remove the option to encrypt data from every single user who suffers under the oppression of RIPA.

You ask how multiple volumes are useful.

Firstly you should be asking this from the perspective of single hidden level, for the reasons I explained above.

Secondly they are useful when confronted with an uneducated aggressor, violent force etc. You are able to open your "special" volumes and allow them to view the contents.

Another benefit is it prevents an expansion of RIPA. How long would it be before RIPA is changed to force the user to reveal 2 passwords per container ? You have effectively offered them this option by restricting the number of hidden volumes. Laws have to be worded carefully and multiple hidden volumes make this impossible to define. The only legal wording that could possibly be used to counter multiple volumes is, a victim must continue to provide correct passwords until sufficient evidence is found to convict. Obviously this would be laughable.

Multiple volumes have another very neat and devastating feature. I communicate daily with experienced hackers and crackers on my forums and the single most feared subject is that of uncertainty.

Hidden volumes introduce doubt, an attacker may brute force a volume and it opens up. If the number of volumes is fixed to 1 the attacker knows his job is done. If the total number of possible volumes is 2 then the attacker will continue, if the contents of the first volume doesn't look plausible enough.

With this "doubt" increasing with multiple hidden volumes the attacker will never know when it is reasonable to stop. This is a considerable drag on resources and extremely expensive to apply to many hard drives. The feasibility of the cost to reward escalates so dramatically the powers that be will be choked with work. Not only are you protecting your own volumes, but should your volumes be seized and worked on, you are contributing to the greater good of others who follow you.

The more I think of multiple hidden volumes the better protection I realise they provide. It is a devastating feature if you look on it from the side of an attacker.
Sabbath
 
Posts: 49
Joined: Sat Jun 07, 2014 9:05 am

Re: Question re accepted items

Postby Merlin » Wed Jun 11, 2014 9:32 pm

Sabbath wrote: If you don't expand it to cover the whole idea of hidden volumes (including single level) then you are placing any user in an awkward legal position with your single layer option. You will effectively be forcing them to create a hidden volume when they don't need one. If they fail to do so, or forget the second password, they will be suspected of concealing one and a lengthy prison sentence awaits them.

No I'm not, your own other means of solving the issue of a means to prove the negative case is sort-of viable too.

I've just deleted most of what I was going to write, I had a lightbulb moment :idea: while I was walking the dog, thanks for mentioning brute forcing, it caused what was nagging subconsciously to precipitate.

I do not need anymore to argue about if hidden volumes are good or bad in and of themselves, multiple levels of them absolutely are, and provably so compared to a single level:

Situation #1 Current capabilities:
Alice has sensitive documents which she has stored in a hidden volume inside an encrypted container, she understands the security requirements to not leak information and has set a good passphrase, she is compelled (by law) to give up the passcode to the outer volume at the border, and complies.
Finding nothing sensitive, the authorities now attempt brute force attacks attempting to open the hidden container they suspect but can't prove for some period of time, if Alice's password is reasonable strength, they have a fixed chance of doing so before they exceed the time and financial constraints they're under.

Situation #2
Alice divided her sensitive information between 4 hidden volumes, with 4 different passphrases, everything else remains the same:

Let's now look at the difference, for each iteration of the password cracker, the authorities now have 4 times as much chance of exposing 1/4 of Alice's sensitive information, Alice is now 4 times as likely to be locked up.

Conclusion:
Extending the capability is simply bad security, all other arguments have become side issues.

Even if Alice puts all the sensitive data in one hidden volume only, disclosing a decoy won't stop an adversary attempting to brute force knowing another may be present, and her chances of detection remain completely unchanged from the present.
Merlin
 
Posts: 43
Joined: Sun Jun 08, 2014 4:57 pm

Re: Question re accepted items

Postby Merlin » Wed Jun 11, 2014 10:20 pm

I see the next argument coming already, which is to cascade them so each must be unlocked after the next:
The decision an adversary makes "do I go after another level?" is exactly the same one they'd have if they found a nested file based outer volume and had to decide "does this one have a hidden volume too?"
You still make no practical gain in security.

Of course anywhere you can't be compelled to give up the outer volumes, simply nesting containers means twice the number of brute force attacks per n hidden volumes compared to cascaded hidden volumes alone.
Merlin
 
Posts: 43
Joined: Sun Jun 08, 2014 4:57 pm

Re: Question re accepted items

Postby Sabbath » Wed Jun 11, 2014 10:49 pm

Ha !

I suspect your dog suggested this, your comeback is too witty and the spelling is better. :D


The cascading argument is more effective than you presume it to be. You add the doubt I was talking about previously. The attacker would never know when to stop or if they had actually found what they were looking for.

The decoy items in volume 1, 2 or even 3 may be sufficient. Adding doubt, brought on by multiple volumes, to the attacker's burden is enormously effective and soul destroying. More importantly, for a major adversary (you know who I mean) they will have to start to prioritise work on these confiscated drives. If they have the advantage of knowing there can only ever be a maximum of 2 volumes per device they know after finding a second, they can end the attack. With multiple volumes they will have to continue indefinitely, continuously draining resources and delaying attacks on other people's drives, who follow after you.

Multiple hidden volumes seriously congest the system, which is a significant benefit you are not acknowledging. It doesn't seem right to ignore their huge contribution regarding uncertainty.

Your dog conveniently side stepped one of my main points RIPA ! How can you prevent RIPA changing the law to encompass 2 passwords must be provided per TC or ciphershed volume ? With a fixed number of hidden volumes you are making this easy for them to do, with multi volumes they cannot word the statute.
Sabbath
 
Posts: 49
Joined: Sat Jun 07, 2014 9:05 am

Re: Question re accepted items

Postby Merlin » Thu Jun 12, 2014 12:30 am

No civilised country is going to change the law to compel a password for something they have no evidence is there, if you've used a hidden volume correctly there isn't, if you haven't it doesn't matter how far up the chain it was when it leaked the fact it exists.

But here's the other thing people are missing, because they simply don't understand the math and how it affects things, some might say it's counterintuitive.

I'm using GRC's password haystacks page for this:

Let's say you have two nested hidden volumes, to keep it simple I'll use fairly short passwords, but try it yourself with longer ones, short ones yield more human understandable numbers though.

Hidden level one has the password
a1A!b2
Hidden level two has
B"c3C£

Our adversary brute forces using a fast offline attack
Hidden level 1 takes him 7.43 seconds to crack
Hidden level 2 takes him an additional 7.43

A total of 14.86 seconds

If instead we add just the first letter B from the second password to a single level even that is (much) stronger than both levels and takes
11.76 minutes (about 47 times longer)

If we concatenate the passwords to give a1A!b2B"c3C£ (we're remembering the EXACT SAME PASSWORDS) it now takes our attacker a mere
1.74 THOUSAND CENTURIES (I'm not even going to calculate how many times longer that is)

Dividing up our password for the sensitive stuff into little chunks by having multiple levels rather weakens things doesn't it?

So don't set two levels.. just combine the passwords and apply them to the first one, it gains you one hell of a lot more!

The same principle and same dramatic differences in time to crack still apply with better passwords, and absolutely no more strain on our poor human memories.

Doesn't matter how you spin it you're always better combining the passwords you would use for two levels into one password for the first.
If you want better security, use a better password, don't complicate the code!
Merlin
 
Posts: 43
Joined: Sun Jun 08, 2014 4:57 pm

Re: Question re accepted items

Postby Merlin » Thu Jun 12, 2014 4:21 am

The more levels you do, the worse it gets....

Bill George and why multi-level hidden volumes are a bad plan

Bill and George both have information they need to keep secret from the NSA

Bill thinks he's clever and creates a hidden volume within a hidden volume within a hidden volume
He sets the passwords:
Hidden1 Hermione
Hidden2 tooSexxy
Hidden3 Grainger

The NSA confiscate his drive and use their massive cracking array as specified at
https://www.grc.com/haystack.htm

To crack
Hidden1 takes 0.545 seconds
Hidden2 takes 0.545 seconds
Hidden3 takes 0.545 seconds

He's arrested after 1.635 seconds..
The NSA are in faster than he could have done it from the keyboard.
His head spins.

George really is clever and creates one hidden volume.
His memory is no better than Bill's and they look at the same pictures.
He sets the password:
Hidden1 Hermione tooSexxy Grainger

The NSA use the same massive cracking array (it's free already Bill didn't occupy it long)
To crack Hidden1 takes
4.70 hundred trillion trillion centuries

The NSA can't even locate the dust from George's bones anymore....
He died of old age still laughing at Bill.

Don't do it, just combine the passwords you would have used.

Point made yet?
Merlin
 
Posts: 43
Joined: Sun Jun 08, 2014 4:57 pm
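
An added example, not part of any post in the thread: the search-space arithmetic behind the GRC haystack figures quoted in the last two posts, comparing passwords split across nested hidden volumes with the same characters concatenated into one passphrase. The two guess rates are that calculator's scenario rates; the 33-symbol class and counting any character outside ASCII letters and digits (space and £ included) as a symbol are assumptions of this sketch.

```python
import string

# Scenario guess rates from the GRC haystack page cited in the thread
OFFLINE_FAST = 10**11    # "offline fast attack": one hundred billion guesses/s
MASSIVE_ARRAY = 10**14   # "massive cracking array": one hundred trillion guesses/s

ALNUM = string.ascii_letters + string.digits


def alphabet_size(password):
    """Add up the sizes of the character classes the password draws on."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in ALNUM for c in password):
        size += 33  # assumption: everything else counts as one 33-symbol class
    return size


def search_space(password):
    """Every candidate of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n**k for k in range(1, len(password) + 1))


def seconds_to_exhaust(passwords, rate):
    """Levels attacked one after another: the per-level costs only ADD."""
    return sum(search_space(p) for p in passwords) / rate


def split_vs_combined(passwords, rate, joiner=""):
    """Return (seconds with one password per level, seconds with one joined password)."""
    split = seconds_to_exhaust(passwords, rate)
    combined = seconds_to_exhaust([joiner.join(passwords)], rate)
    return split, combined


if __name__ == "__main__":
    # Passwords are the ones quoted in the posts above.
    cases = [
        (["a1A!b2", 'B"c3C£'], OFFLINE_FAST, ""),
        (["Hermione", "tooSexxy", "Grainger"], MASSIVE_ARRAY, " "),
    ]
    for pws, rate, joiner in cases:
        split, combined = split_vs_combined(pws, rate, joiner)
        print(f"{pws}: split {split:.3f} s, combined {combined:.3e} s, "
              f"ratio {combined / split:.2e}")
```

Splitting adds the per-level search spaces while concatenating multiplies them, which is why the combined figure grows exponentially with total length and the nested figure only linearly with the number of levels.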
