[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How about deniability? (read:http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020330t-10000025c)

To: Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: How about deniability? (read:http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020330t-10000025c)
From: Matthias Schniedermeyer <ms@xxxxxxx>
Date: Sun, 21 May 2006 17:25:33 +0200
Cc: Thomas Weinbrenner <thomas@xxxxxxxxxxxxxxxxxxxxx>, linux-crypto@xxxxxxxxxxxx
In-reply-to: <44705BB9.B1EA4A97@users.sourceforge.net>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-id: <linux-crypto.nl.linux.org>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-software: Ecartis version 1.0.0
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
References: <b224d3290605200949g5e135efai7bb97763d227136d@mail.gmail.com> <20060520185431.GA6154@genius.thomas-weinbrenner.de> <44705BB9.B1EA4A97@users.sourceforge.net>
Sender: linux-crypto-bounce@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041217 Mnenhy/0.7

Jari Ruusu wrote:

Thomas Weinbrenner wrote:

The timestamps will show that the files weren't accessed for months or
even years. And there are also all those logfiles in /var/log which
include dates. I think there will be enough proof that the system wasn't
can't be the system you are normally using.

Q:  Why haven't files been accessed for months?
A:  Because file system superblocks contain "noatime" default mount option.

Q:  Why aren't there any log files in /var/log/* ?
A:  Because init scripts have been modified to shred and remove /var/log/*
    and some other files and directories in /var on shutdown.

In addition, a shell script, run as cron job once a week from 'normal' root
partition /dev/hda4, does these: (1) Fsck and mount /dev/hda2 (via encrypted
loop) and /dev/hda1 partitions so that their previous fsck and mount times
are updated on their superblocks. (2) Touch some decoy files and directories
from /dev/hda2 partition.

That wouldn't work in the police-case, when the computer was switched on when sized, or when you can recover the "real" time of last use. For perfect denyability you would have to update the "decoy" system continously, when the real-system is used.

Or you could configure syslog to "/dev/null" everything, or switch off syslog entirely. OTOH it would be "fishy" if only of the system-parts were missing that provide time-information, even if they are per definition unusable as PROVE.

Otherwise you could still somewhat prove that the "decoy" system wasn't the one running when the computer was switched off (as you have the switch-off "timestamp").

But if one doesn't need 100% deniability: In an article about warez-servers i read that at least once they encountered a server that was 100% "on the fly" configured. The whole system was on ramdisk(/ramfs/tmpfs). After switching of there was nothing left, except a bootstrap barebone-system on HDD(*).

A loop-aes-partition with random-key would be equally secure, when switched off if configured "on-the-fly" the key would be unrecoverable. Only the work and time needed to get the system flying the first time and every time it is rebooted, for whaterver reason, seams a bit much. ;-)

*: The "root"-servers i worked with allow to be booted via network into a "rescure"-system. This way even the HDD isn't needed to bootstrap the server.

Bis denn

--
Real Programmers consider "what you see is what you get" to be just as
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated,
cryptic, powerful, unforgiving, dangerous.


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

References:
- Re: How about deniability? (read:http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020330t-10000025c)
  - From: Michael Garibaldi
- Re: How about deniability? (read:http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020330t-10000025c)
  - From: Thomas Weinbrenner
- Re: How about deniability? (read:http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020330t-10000025c)
  - From: Jari Ruusu

Prev by Date: Re: How about deniability? (read:http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020330t-10000025c)
Next by Date: Benchmarks VIA PadLock
Previous by thread: Re: How about deniability? (read:http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020330t-10000025c)
Next by thread: Benchmarks VIA PadLock
Index(es):
- Date
- Thread