[dm-crypt] cryptsetup with Python subprocess + pipes

Arno Wagner arno at wagner.name
Fri Jun 24 18:58:16 CEST 2016


On Fri, Jun 24, 2016 at 18:33:37 CEST, Police Terror wrote:
> You obviously did not look at the example because the data is not hidden
> steganographically.

You obviously did not understand what I wrote, because
I never claimed that in this case it was. I only claimed that
at this time this is the only valid known way to do plausible 
deniablility.

[...] 

> About a well engineered solution: today I just found VeraCrypt which
> actually works well. I encourage people to try it. It can create hidden
> volumes.

... and that have all the problems hidden volumes come with. 
They also managed to create additional problems TrueCrypt does
not have, for example a broken password "quality" assessment
that cannot be bypassed (alternatively you get a broken 
password iteration, that can lead to minutes of unlock time).
My trust in the VeraCrypt developers is much, much lower than
in the original TrueCrypt developers.

Seriously. Bright-eyed "can do" attitudes have no place in 
IT security. They do much more harm than good and they endanger
users.
 
Regards,
Arno

> Arno Wagner:
> > What I would like to see is a plausible deniability technique
> > that is not just a worthless tech-demo, but where the 
> > "plausible" part was actually well engineered with regards
> > to how things work in the real world and that is not limited
> > to a very small amount of steganographically hidden data.
> > So far, none exists.
> > 
> > The thing is, for an incompetent attacker it is already 
> > enough to just remove a partition from the partition table 
> > and re-create it at need in the same place. For a competent
> > attacker, the things that exist today just provide probable
> > cause that you are trying to hide something and hence make
> > things worse.
> > 
> > As it is, these tools are of negative worth, as they give 
> > users a false sense of security.
> > 
> > Also refer to FAQ 5.18 for my analysis of the status-quo.
> > The paper by Schneier et. al. I reference provides an 
> > excellent in-depth analysis of the problems with the idea 
> > of plausible deniability in a real OS environment.
> > 
> > Regards,
> > Arno
> > 
> > On Fri, Jun 24, 2016 at 14:16:05 CEST, Police Terror wrote:
> >> Here's the tool:
> >>
> >> https://github.com/RojavaCrypto/hiddencrypt
> >>
> >> Mostly proof of concept for now.
> >>
> >> Would be cool in the future to work something better out by hacking
> >> cryptsetup itself. Maybe if there's headerless volumes (that just look
> >> like random data).
> >>
> >> Multiple deniable Linux installs would be a killer feature.
> >>
> >> Milan Broz:
> >>> On 06/24/2016 11:56 AM, Police Terror wrote:
> >>>> Ahhh yes! Thank you Diagon and Milan.
> >>>> I've added now the -q switch.
> >>>>
> >>>> I looked at the pycryptsetup but 2 things:
> >>>>
> >>>> 1. It's not Python 3
> >>>> 2. It's an extra dependency and not in the repos.
> >>>
> >>> Fedora has both Python3 and 2 builds but other
> >>> distros do not compile it probably.
> >>>
> >>> (It was designed for Anaconda installer mainly.)
> >>>
> >>> Milan
> >>> _______________________________________________
> >>> dm-crypt mailing list
> >>> dm-crypt at saout.de
> >>> http://www.saout.de/mailman/listinfo/dm-crypt
> >>>
> >> _______________________________________________
> >> dm-crypt mailing list
> >> dm-crypt at saout.de
> >> http://www.saout.de/mailman/listinfo/dm-crypt
> > 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


More information about the dm-crypt mailing list