"Frank Merlott" <***@nomail.com> wrote in news:***@aopenxpc:

...
Just so. Your method is pretty reasonable given the
constraints we all face, but as you obviously recognize (and
such phrases of yours as "gut feel" amply confirm) your method
is pretty subjective. And just as obviously, others could
well favor a different but arguably equally defensible
process.

Nothing wrong with that - in many areas of life decisions come
down to a matter of judgment especially when the "hard
evidence" is more sparse and vague than we would like.

But, given your method, what is your confidence level in it?
Or more specifically, what is your level of *doubt* regarding
it? What is your assessment of the chance that your selection
(s) are wrong and do, in fact, contain a fatal bug, backdoor,
weak key, etc.? 1 in 10? 1 in 100? 1 in 1000? 1 in a million?

And how do you propose minimizing your exposure to those
residual risks?

My answer to that question is to use two (or even more) levels
of encryption from sources which, in my judgment, are likely
not to share common sources of failure (such as susceptibility
to pressure from the same TLA).

If each of my choices has a 1:1000 chance of failure then
their (uncorrelated) joint use only has a 1:1000000 chance of
failure.

In short, I don't just make my "best choice" and rely
exclusively on it. Instead **I explicitly recognize my
ignorance and the weaknesses of the assessment methods I must
use.**

So I propose a method to at least partially compensate for the
fact that deciding which crypto software to trust is a
difficult problem with weak hard evidence. So I try to
compensate for risk and uncertainty rather than pick just one
"prime candidate" and then rely entirely on it. Using two
*independent* nested crypto programs is my answer to the
problem of the unavoidable residual ignorance and doubt of
assessing crypto software.


... snip other interesting points, some of which I agree with
and others which I don't ...

Regards,


PS My main reason for preferring open-source crypto software
(where possible) has very little to do with the availability
of the source code (e.g., I think such code is very seldom
scrutinized by sufficiently skilled reviewers).

Instead it has much more to do with the *process* of producing
such crypto code. And here I would favor an "open process"
whereby many folks can join the team and participate in the
code's development. Not necessarily because this results in
higher quality code (there is the "too many cooks..." problem)
but because an open process makes it much harder for, say, a
TLA to corrupt the group without exposure.

So I'm a big fan of "open process" but much less enthusiastic
about "open source" for crypto code (non-crypto code is a
different matter). Sadly however, few crypto programs use an
open process.

The other thing I favor besides open source is "open review."
rather than just relying on the "user community" or interested
academics to review the source code (typically on an ad hoc
unstructured basis). I would like to see the "review team" be
formally structured and just as prominent a group as the "code
development team" working in parallel with it through every
release. But there's a lot of "glory" in development and not
much in reviewing, so nobody does this - sigh :-(

PPS

One other point about Truecrypt before we move on. 99.9% of
people use the binaries and do not compile the source. Even
if Truecrypt's source code is squeaky clean, 99.9% of folks
could still get fucked if the binaries are corrupt (which is
what I would do if I were the NSA).

In fact, it's a bastard to compile the source for all but the
most determined (e.g., you must hunt down the old 16-bit C
compiler from the mid-90s to compile drivers, etc - which I
have done!)

And even if you do compile the source yourself you *WON'T* get
the same binaries as Truecrypt distributes! Not just because
of the endless permutations of compiler switches, etc. but
because Truecrypt signs some of its binary modules and you
therfore CAN'T duplicate those binaries without having the
developers' private key!

I'm going to talk about two issues: scrubbing and backups.

In this post I'll talk about scrubbing.

Scrubbing is a losing game, for two reasons:

1) It's very slow if done right.
2) It's extremely difficult to do right
(No, make that EXTREMELY difficult - i.e., to ensure that you
have been sufficiently thorough and haven't missed anything.)

The fact that scrubbing is slow means:

1) There will be a temptation to do it too infrequently
2) There is a gigantic window of vulnerability while the
scrubbing is going on and isn't complete.

As I said, scrubbing is slow. Several hours to do properly
for a large drive. This means that it can't be done instantly
(well, duh!). For example, if there's a no-knock raid on your
house to seize the computer you're using, there won't be a
hope of instantly getting the necessary scrubbing done.
You're nicked, mate!

Some folks think scrubbing just means overwriting erased files
(1, 5, 35 or whatever number of times). Bzzzt! Wrong!
Overwriting an erased file is a necessary part of scrubbing,
true, but it's the easy part, the small part.

The far bigger problems are:

1) Files that are created by the OS or various programs that
get written hither and yon (log files, ini files, config
files, recently used files, temporary files, event logs,
automatic backups, restore points, print spools, journal
files, and on and on. And on and on and on...)

2) Files that get written as in 1 above and then erased
without knowledge of the user. Files that exist only briefly,
that twinkle on and then twinkle off unobserved.

3) Leakage, especially metadata

Regarding number 3, leakage, that should be LEAKAGE! using a
72-point font. We'll get to that leakage but first let's deal
with the first two categories.

For the first category it is next to impossible to have a
complete list of files that should be erased. Some "eraser"
programs try to keep a database of all such things, but it's
impossible for the list to ever be complete or for the user to
be sure that all such files will be deleted by the eraser
program. The user may have installed an "unusual" program
not on the eraser program's list, or, say, version 7.2 of some
program may have introduced new files different from those
used in version 7.1. It's a game of whack-a-mole the user is
sure to lose.

Files that get written and erased without the user's knowledge
and other sources (old detritus, partial uninstalls, etc.,
etc.) cause the sorts of problem in the second category.
(Some of the "shadow" files used for live backups also fall
into this category.) Thoroughly protecting against this one
takes a lot of time. It means that all unused (free) space on
a drive (partition) and all files "tips" must be regularly
overwritten (multiple times for paranoids). This takes a LOT
of time.

While the meaning of free space should be fairly obvious, not
everyone realizes the danger in "file tips". The problem
arises because the OS allocates space for a file in blocks
(typically 4096 bytes for NTFS) rounding up the space
allocated for a file from its actual size to the nearest whole
block. The remaining space left between the end of the actual
file and the end of its last allocated block (the file "tip")
may contain leftover data from previous files. That "tip"
must be erased! (Incidentally, overstating the real size of a
file and hiding other data in the large file tip was an old
data-hiding ploy before encryption.)

The last category, leakage, is a real bastard. (Incidentally,
it is the rock on which many plausible deniability schemes
founder.) I'm only going to touch on it, but hopefully enough
to convince most folks NOT to rely on scrubbing.

There are of course, the many "file-ish" places where the OS
(and programs) can leak data - places like the page file, or
dll caches, or inf file stashes, etc. But beyond these are
the two real killers for leakage: the registry and the MFT
structure on drives/partitions. (You can try to avoid the MFT
problems by using FAT but this has its own problems which I'll
pass over)

I'll talk about just a few aspects of the registry, including
one or two things very few people know. For instance, did you
know that all keys in the registry have date/time stamps? (the
"LASTWRITE" value). Well, they do, even though very few
registry editors ever show them (but forensic ones do!). The
lastwrite value gets changed whenever a key is created,
modified, or deleted! Yes, deleted too (and we'll come to
that). (Incidentally, you can see the lastwrite time for a
key if you export it to a text file)

The OS and programs squirrel away all kinds of metadata in the
registry, some of which can rat you out bigtime! For example,
there're the "userassist" entries which are protected by
encryption (lousy rot13 but still encryption). Some programs
tuck away encrypted or coded data that means God-only-knows-
what but which could come back to bite you on the ass. Also,
even though you delete a particular key, earlier versions of
it may still exist in the "internal backup" structure of the
registry (controlset00n). Trying to make sure you have
thoroughly purged the registry of all evidence that could be
incriminatory is a gigantic task that is virtually guaranteed
to NOT be fully done! The registry is the place where
scrubbing is guaranteed to come up short!

Oh, and about that "deleted" timestamp. The registry is a
database spread over several files (and they have backup
versions too!). Deleted entries in the registry aren't really
deleted - they're just "flagged" that way (and totally
available for a forensic investigator!). The only way you can
be (fairly?) sure to get rid of them is to compact the
registry. Do you trust your tools to do this right? How
would you know if they messed up and missed something?

On to the MFT. This too can getcha! It stashes all kinds of
info you probably didn't know about. For instance, did you
know that files have **4** timestamps, not just the standard 3
(created, modified, accessed) and that the MFT keeps *two*
separate copies of them (only the first version gets changed
by most date-tweaking programs). In fact, the MFT can contain
whole files within itself (if they're small).

And the MFT is a database. Metadata for deleted files isn't
really deleted from the MFT, it's just flagged as deleted. So
even if your eraser file properly overwrote the actual file a
dozen times, the name, attributes , size, etc. of that deleted
file could live on in the MFT (Incidentally, an MFT can grow
but never shrink).

Several years ago I looked for an eraser program that did a
good job of erasing MFT traces (besides, of course,
overwriting the file itself). I found only one at that time
that worked - Bcwipe - all others left traces I could find
with Encase. (It's possible other programs have caught up by
now but it's a danger area - don't trust your eraser program
unless you check it out with a forensic recovery tool!)

And then there are the odds and ends that can get you, things
like alternate data streams.

Moreover, because scrubbing can only be thoroughly done when
the computer is "quiescent", (most) scrubbing can only be done
at the end of a session. And few have the discipline to
remain in their seat in front of the computer (continuous
control and custody) while the tedious scrubbing happens
(although this aspect generally only arises if encryption is
also used).

But enough! I've made my point. Scrubbing is slow and it's
likely to be imperfectly done.

So what to do?

The answer is: Don't scrub, encrypt!

(which I'll explain below. However, for recalcitrant scrubbers
I will give one or two tips in a postscript)

Encrypt the entire system - use whole disk encryption. By
doing so you no longer have any need to scrub - there's no
place for data to leak to, nothing an adversary can look at.
Or, as Gertrude Stein said, "There's no there there."

Use Truecrypt, or Diskcryptor, or DCPP, or Compusec, or...
But to use them properly you have to understand them. And by
understand them, I don't mean just the technical bits about
options and features, I mean the philosophy of their use.

You see, hard disk encryption is a paradox: it only protects
you when you're not using it :-) It only protects data "at
rest." If you're using the data, if you've entered the
password and the key is in memory and the disks are mounted,
you're vulnerable.

(Aside: What would be ideal is if we could magically work on
data while it was still encrypted. Somewhat surprisingly, it
was recently proved that it is theoretically possible to do
this. However, the abstract proof involves an unbelievably
complicated and slow process that is completely impractical
even on the fastest supercomputer. But still, perhaps one
day.)

So with the aside aside we're back to "So what to do?"

One must realize that whole disk encryption is only half the
answer. The other half is this...(drum roll)... Instant
shutdown on tamper!

That is, if we're actually using the encrypted data, we must
be able to instantly shut the computer down (either
automatically by sensors, or more commonly, by manually
flipping a big red switch). The computer must shutdown on
tamper (or interference, etc. such as LEAs trying to seize the
computer - any attempt at unauthorized access). By being able
to instantly shut the computer down, ***to instantly put the
data back "at rest" again,*** we ensure its (and our)
security.


**True data security requires BOTH whole-disk encryption and
instant shutdown on tamper.**


This is why (unless you live in a fortress, or have a sensor
network, etc.) you must always be right in front of the
computer when the keys are in memory and drives are mounted.
And it's why scrubbing should *not* be done to an encrypted
computer since you will not have the self-discipline to stay
there while this long tedious process is performed.

Regards,


PS For those who perversely insist on scrubbing, here're a
few things you can do:

1) Use FAT for your partition type (strongly deprecated) or,
much better, use BCWipe to ensure the MFT is scrubbed clean.

2) Consider using a smaller block size than 4096 for NTFS
partitions. This has a number of downsides (including slower
performance) but it does reduce the time needed to scrub file
"tips" (I don't like this one much but I thought I'd throw it
in.)

3) Because scrubbing free file space on a large hard drive
is so slow, consider filling most of it with "dummy" files
leaving only a small working free space for new files. You
can erase one or more dummy files whenever you need more free
space.

For instance, if there's 300 GB of free space consider filling
most of it with 29 10GB dummy files. Scrubbing free space
will be much quicker. (Incidentally, if you tweak the file
dates on these dummy files to be very old your defragger will
always push them to the end of the partition.)

You could use plain old fsutil to create the dummy files
(after you'd already scrubbed the free space of course) but I
find the following program more useful (and not just for this
purpose): Random File Generator v1.1
http://www.chmaas.handshake.de/delphi/freeware/freeware.htm


-- 30 --

If you stopped pontificating you might understand that there is no
need to try to convince me thus, because, my haughty friend, you are
wrong. In other words, why don't you try getting off your high horse
and listen?
Ah, we have a similar saying, "Don't put perfume on a pigs ear". In
your case, it still smells like pig.
A zealot? As I said in the last post, go to Truecrypt forums where
much more knowledgable people than you, and I for that matter, will
tear you to shreds in a much quicker and more complete manner than I.
For those who are following this, I do insist you go to Truecrypt
forums (google) and read some of the information there. It still
won't be too simple to set up your two partitions, especially getting
the sizes right, but you will see just how superior an encryption
package TC is. Whatever you do, don't listen to this guy, he is
probably arrayed with some three letter agency in the US whose design
is to scare the less initiated off from useing TC, which is
impenetrable.
And you are a judge now, my salubrious friend? Let my scalpel now
dissect your ruminations, deceptive though they be.
The term has been around since the mid-80's and is a realistic
strategy for personal security. As I said, TC is used all over the
world, point out one example of a hidden volume being identified to
the satisfaction of any court in any country. Just one example.
Oh, I can see that you are trying to be articulate, but you are only
succeeding in being verbose. English, when properly used and applied,
can actually be an elegant language - something which will probably
escape *your* appreciation for the forseeable future. By the way, my
silly and stupid objection on my part was in response to your
startlingly obtuse usage of HM's english.
You are a prickly old fart, ain'tcha? Here was my polite response to
your first response to the OP (third post on this thread).

"This is true, the "attack" is simply picking the password out of
memory. The best method to avoid this is to disable firewire
(IEEE-1394) in BIOS rather than in the OS, which is equivalent to but
preferable to disconnecting the port on the mainboard. This is
because to reset BIOS the adversary needs to reboot the OS thereby
wiping memory.

So far, at least until the advent of practical quantum computing, TC
is unassailable on an unbooted PC."

You, mr seat-of-all-knowledge, then went on to try to destroy my
statement that TC was unassailable on an unbooted PC. That pompous
meandering by *you* resulted in where we are now, namely, you trying
to salvage your reputation as some sort of oracle of encryption.
It was the closest possible thing, which was OTFE (whole disk
encryption, the police couldn't get into the OS). Using your
reasoning, which is the use of one implies the use of the other (the
other being a hidden volume), aren't the odds in favour of their being
also a hidden volume? Seems to me that encryption works, and they
didn't even get to the stage where they could determine the existence,
or non-existence, of a hidden volume.
Here is the link again, it got truncated for some reason:

http://www.tomsguide.com/us/PC-Camera-Encryption-Video-Peephole,news-4910.html

From this, if you read for comprehension, you will see he served time
in lockup on remand (ie *before* he was convicted) then he was put on
probation - *not* jailed!

Also, he was not convicted of the original allegations, which if the
police had been able to crack the encryption, he would have been.
Sure, and many many more where he and I come from. The odds are
against you being right, and I should know, I'm an actuary
(mathematical statistician).
You are again, *not* reading for comprehension. Regardless of your
claims, I am talking about VOLUMES, not containers. I am specifically
talking about firstly finding the damn volume, when it is buried
within a second, adjacent partition. The secret, and please read this
and read this again, is that the hidden volume cannot be, under any
circumstances, found. So, you hand your passphrase over to TLA for
the decoy OS (encrypted of course), and they say, well there is a
second partition here, we suspect that is TC as well, and you put up a
fuss etc, but then hand over the second passphrase for the outer
volume on the second partition. Yet, there is a third passphrase, for
the hidden volume on the second partition, which cannot be identified.
I think that after handing over two passphrases, no judge on earth is
going to believe (reasonably believe, in Australian law - the
Cybercrime Act 2001 as amended) that there is a third passphrase to be
handed over, for something unidentifiable.

See, your problem is that you haven't, and can't, tell me or your
audience how to identify that there is indeed a hidden volume on the
second partition. That's my challenge to you. If you can tell me
how, technically, the hidden volume can be identified, either from the
headers, the nature of the bits on the volume, or whatever, then you
will have converted me. You won't do it though, because it can't be
done.

And, unlike you, I don't have an agenda, so I am truly open minded to
proper discourse and argument.
Wrong again. I didn't mention absolute proof, and I don't even know
what you are talking about here. That term does not exist in law. I
was talking about the evidence in the citation provided by me.
I have never pretended to practice or to apply law in any other
country than Australia. You are practicing the black art of double
speak.
You'd be surprised what I know about law, but what you know about law
wouldn't surprise me in the least.
Hang on buster, didn't you say above he was also jailed? Which he
wasn't. You are exhausting my patience - once again, I was discussing
the fact that this fellow had a fully encrypted OS, they couldn't even
get into his HD, and he was not convicted on the original charges
because they couldn't decrypt the alleged evidence (videos etc). He
was convicted on lesser charged, and not even jailed - given
probation. This shows how impregnable a hidden volume is, because
they couldn't even get past the first layer of encryption, what TC
describes as the "decoy os". Therefore it not only works, it works
under pressure. More so than your ridiculous virtual machines and so
on.

If you can, I suggest you try and set up for your own trial the unholy
trio, decoy, outer and hidden volumes/os. You will see what a fine
system it is. If you need help with the mathematical aspects (size
balancing because of the journalling by NTFS), just yell and I'll drop
everything a help you out.
Silly man. Surely you can intuit what I mean, which is that OJ was as
guilty as hell, but due to evidence tampering, they couldn't convict
him (the detective, I can't remember his name, but he tainted the
entire prosecution case). It couldn't be proven at all, but he was
clearly guilty, as most of your colleagues in the US would agree.
Please don't. Try to restrain yourself.
Now you *are* being silly. Yet, you seem to agree with my remarks
about pomposity.
Why do you believe in the context of double or triple layered
encryption that civil litigation is apt? No indictments, no TLA or
LEA, resources generally limited to less than state coffers, etc etc.
Copyright? Its a crime, not civil. Naughty videos of the neighbours
wife? Its a crime, not civil. Give me an example, explicitly please,
of civil litigation where triple layered encryption might be involved.
You are citing me out of context. I know it was containers, files
encrypted with vanilla flavour, but that wasn't my point. Here is the
My response was to your statement that RIPA reverses the burden of
proof. I clearly showed with this citation that (a) the RIPA was
applied; and (b) there was no indication anywhere that the RIPA
"reversed the burden of proof" as you asserted.

Why did you snip this out?
So what? My point was that there was no reversal of the burden of
proof, as you asserted. You selectively snipped out your comment, to
which I was responding. Simply, plain encryption was discovered and
identified, he was required by law and in due process to hand over the
password, he didn't, and he was jailed. No reversal of the burden of
proof, so you are wrong (again).
Isn't that what I agreed with above? Read it again, there is no
argument. However, its only because of the nature of what they are
looking for, which is a banned import (whether it is there or not). It
is in accordance with regulations, not something they can do ultra or
mala fides (sorry, lapsed into a dead language there :).
Do you not understand that it is not arbitrary? It is a prohibited
import, under several jurisdictions (state, federal). That empowers
Australian Customs Service to look at electronic devices, they have
always had that legal **power**.
It does if they find an encrypted partition on your laptop.
Rubbish. You must be an expert witness for the defence, because you
don't have the correct state of mind for the other side. This sounds
like conspiracy theory to me, especially in this day and age when
stinking terrorists took out America's two front teeth!
Yes I do. Even in your country, I would believe in it (yes, I have
been all over the US, even down to Louisiana).
You still have not responded to my main points in the penultimate
post. Your snippers are out again. Those points are, and I challenge
you:

1. Are you an encryption expert and if so, what are your
qualifications? I'm an actuary with a passing interest in encryption.
My knowledge of the law comes predominantly from civil insurance
cases, with a salting of the other. Whence yours?

2. Can you point to one case involving TC where the hidden volume
has been discovered? (or even DCPP)

3. When you take your arguments against OTFE with hidden volumes over
to TC fora, can you let me know please so that I can follow
proceedings?
Fuck Cato and Scipio and all the rest, they have all been dead for 2K
years. Something more useful for you to ponder, perhaps, is this
thread. Please note the sage comments under Peter's post.

http://www.peterkleissner.com/?p=11

This is the only way really to penetrate TC because until TC 6 came
along, even Bruce Schneier could only pick on leakage from an
encrypted container to unencrypted (that's fixed now with 6, there can
be no leakage whatsoever from the hidden OS as all writing outside of
that volume is prohibited).

thang