[dm-crypt] Re2: nuke password to delete luks header

Jonas Meurer jonas at freesources.org
Wed Jan 15 11:00:32 CET 2014


Am 2014-01-15 07:01, schrieb Arno Wagner:
> Huh? I think you do not understand my arguments at all.
> 
> A) It puts people in danger
> 
> [...]
> 
> I do not think I need to repeat how dangerous, disconnected from
> reality and stupid this approach is, do I? Your "analysis" shows
> perfectly why having a "nuke" option is not a good idea. People
> will start taking risks (carrying sensitive data, trying to nuke
> in a dangersous situation) they would otherwise not take because
> they will wrongly think this method protects them.
> 
> Here is a real-world scenario: You do not nuke, but you pretend
> to give a password, yet it is invalid. Guess what, before
> a forensic examination, this behaves exactly the same as "nuke"!
> After a forensic examination, they _will_ suspect you of having
> nuked the password in the nukle case. Not good at all.

I fail to see the point of your "dangerous" argument. A lot of
things/tools/techniques are able to put people in danger. Still
they're useful. With the same logic, you could argument against
cryptography in general. People could actually forget the password
and see themselves confronted with a bad evil person/institution/
state who tries to force them to tell the password.

There's quite some situation where being accused of having nuked
the password is not a problem at all. In german law for example,
you're not required to help investigative authorities with their
investigations. Actually, it's not a criminal action to destroy
your data. Indeed it is, if the data itself is criminal. But that
has to be proved first, which might be much harder in case that
it's not recoverable anymore.

As I tried to explain above, I still see legitimate scenarios
for using a nuke password function.

In cases where using the feature makes things worse, people
should not use it. But this decision has to be made by the
individuals themselves. Not implementing a feature because
people could use it in a stupid way is not an argument, is it?

I agree with you, that controversal features need some extra
protection and documentation. But this can be fixed easily:
the process of setting a nuke password could include a big
fat warning and point to further documentation.

The argument against false sense of security again could be
used for every security technique. People do need to understand
the limitations of security and cryptography. That's what
documentation is for (and by the way: your FAQ is a great
example of doing documentation right. Thanks for your work on
it!)

> [...]
> Nuke is a bit like carrying a gun: Instead of running away (which
> is a surprising effective strategy), people will try to stay and
> fight. This may work sometimes and will get them killed sometimes.
> Running away or avoiding the situation in the first place is
> much, much safer. This risk analysis is different for somebody
> that has a) training in using a gun in a fight and b) authorization
> to use a gun in certain situations and training in recognizing
> these situations.

Phew! If it at all, nuke passwords are a defensive weapon. And
then, Actually, I don't like the comparison at all. Would you
compare cryptography with an armor? Then, this again could encourage
people to be more brave, to stay and fight, whatever.

> Security is hard. One very important thing is to make sure
> non-experts cannot shoot themselves in the foot easily.

I agree with you on that to some extent. But ...

> "nuke" makes that far more easy as non-experts do not understand
> its implications, and hence it has no place in a tool aimed
> at the general public.

I don't agree on that, as I tried to explain above. Sorry if my
arguments don't come straight. I try my best to explain, but
writing in a non-native language implicates some limitations :(

Kind regards,
  jonas



More information about the dm-crypt mailing list