Schneier, UW Team Show Flaw In TrueCrypt Deniability

timothy posted about 6 years ago | from the can't-prove-that-you-didn't-not-not-write-that dept.

Privacy 225

An anonymous reader writes "Bruce Schneier and colleagues from the University of Washington have figured out a way to break the deniability of TrueCrypt 5.1a's hidden files. What about the spanking-new TrueCrypt 6? Schneier says that 'The new version will definitely close some of the leakages, but it's unlikely that it closed all of them.' Meanwhile, PC World is reporting that the problems Schneier and colleagues found are bigger than just TrueCrypt. Among their discoveries: Word auto-saves the contents of encrypted files to the unencrypted portions of your disk, and this problem should apply to all non-full disk encryption software. Their research paper will appear at Usenix HotSec '08."

225 comments

usenix what? (5, Funny)

hostyle (773991) | about 6 years ago | (#24234199)

HotSex 08? Where do I sign up!

Re:usenix what? (1)

Red Flayer (890720) | about 6 years ago | (#24235105)

That's Unisex...

I think you may want to reconsider your enthusiasm for HotSex 08.

Or maybe not. Not that there's anything wrong with that.

Lucky for me... (5, Funny)

conner_bw (120497) | about 6 years ago | (#24234203)

I encrypt using a one way algorithm known as "fire" that transforms all my secrets into ashes.

Since matter can not be destroyed, only changed, decryption is just around the corner. Also, AJAX will be used somehow.

Bay area venture capital welcome!

Sorry, dude... (5, Funny)

Penguinisto (415985) | about 6 years ago | (#24234543)

Seems that someone found a semi-reliable decryption mechanism that can not only stand up to that, but can reverse an even stronger algorithm known as "volcano" [byu.edu] .

Didn't mean to dash your dreams, but you know how the security game goes...

/P

Re:Sorry, dude... (5, Funny)

jeiler (1106393) | about 6 years ago | (#24234711)

"Volcano" is, indeed, a stronger algorithm than "fire", but it's also much coarser-grained. Further research shows that the decrypted portions were not completely encrypted, merely provided with a partially-encrypted wrapper.

We can also discuss the even more advanced "Thermonuclear ground-zero" algorithm, but the ultimate form of this type of encryption (matter-antimatter annihilation) is only theoretically possible with our current technology.

Re:Sorry, dude... (2, Funny)

A440Hz (1054614) | about 6 years ago | (#24234913)

As Jack Handey rightly said, "If you drop your keys into a river of molten lava, forget 'em, 'cause man, they're gone."

Re:Lucky for me... (1)

Hordeking (1237940) | about 6 years ago | (#24234613)

I encrypt using a one way algorithm known as "fire" that transforms all my secrets into ashes.

Since matter can not be destroyed, only changed, decryption is just around the corner. Also, AJAX will be used somehow.

Bay area venture capital welcome!

Try not to get any AJAX into the cuts on your hands, or the burns from your fire algorithm....it really hurts.

Re:Lucky for me... (2, Funny)

nategoose (1004564) | about 6 years ago | (#24234693)

I've been using fire 2.0 for a year already.

Re:Lucky for me... (4, Funny)

xaxa (988988) | about 6 years ago | (#24234777)

I encrypt using a one way algorithm known as "fire" that transforms all my secrets into ashes.

Is that the algorithm invented by the Greek hacker, Prometheus? I heard he got in a bit of trouble over it, he ended up somewhere like Guantanamo, but eventually was rescued.

Re:Lucky for me... (0)

Anonymous Coward | about 6 years ago | (#24234845)

Isn't that more like encoding rather than encryption?

Fire isn't lossless and what you get back won't be quite the same.

Ashes are reversible (0)

Anonymous Coward | about 6 years ago | (#24234911)

Don't forget to mix the ashes with water, or you're in for a nasty surprise!

Get A Mac (-1, Troll)

billy901 (1158761) | about 6 years ago | (#24234229)

True Crypt has a problem eh... Windows should build in an encryption program like on Mac OS X. It would stop a lot of problems and it would be Microsoft managed and it would work better because they have all the code for the OS and can provide a better service. In the Mac OS, there are no bugs that I have discovered yet on the built in encryption program. I would hope that True Crypt fixes this bug because it is a great program.

Re:Get A Mac (1)

George Beech (870844) | about 6 years ago | (#24234257)

I would look into EFS, it's not great but it is built in XP Pro, 2003 definitely, probably 2000 server and possibly 2000 pro. It seems to fill your requirements of built in to the OS encryption.

Re:Get A Mac (0, Troll)

MobyTurbo (537363) | about 6 years ago | (#24234833)

Bitlocker has a back hole that Microsoft has revealed more than once to law enforcement.

RE: BitLocker Backdoor- Source? (1)

Coopjust (872796) | about 6 years ago | (#24234957)

Source? The most relevant article I can find says:

Microsoft has given law enforcement officials a new tool known as "Computer Online Forensic Evidence Extractor, [..]However, Microsoft pointed out, COFEE does not circumvent Windows Vista BitLocker encryption or undermine protections in Windows through secret "back doors" or other undocumented means."

Of course, it's closed source, so you have to take Microsoft at their word for it, but I can't find any reliable sources that state MS has given law enforcement a means to bypass BitLocker.

Re: BitLocker Backdoor- Source? (4, Interesting)

Coopjust (872796) | about 6 years ago | (#24234993)

I'm replying to myself, but I have additional info to add.

[...] it captures live data on the computer, which is why it's important for agents not to shut down the computer first, Fung said. A law enforcement agent connects the USB drive to a computer at the scene of a crime and it takes a snapshot of important information on the computer. It can save information such as what user was logged on and for how long and what files were running at that time, Fung said. It can be used on a computer using any type of encryption software, not just BitLocker.

So it looks like COFEE is a USB device that performs monitoring once Vista has been booted and logged in. Not having your BitLocker USB drive plugged in and not leaving your PC on would seem to defeat an attack by COFEE.

Re:Get A Mac (1)

Nos. (179609) | about 6 years ago | (#24234275)

You mean like Bitlocker or EFS?

Re:Get A Mac (1)

EvanED (569694) | about 6 years ago | (#24234283)

Windows should build in an encryption program like on Mac OS X

You mean like Bitlocker [wikipedia.org] ?

Re:Get A Mac (3, Interesting)

serviscope_minor (664417) | about 6 years ago | (#24234291)

True Crypt has a problem eh... Windows should build in an encryption program like on Mac OS X. It would stop a lot of problems and it would be Microsoft managed and it would work better because they have all the code for the OS and can provide a better service. In the Mac OS, there are no bugs that I have discovered yet on the built in encryption program. I would hope that True Crypt fixes this bug because it is a great program.

I know there's often mindless maclove on /., but please try to think before posting. So, just to play along, what software do you propose to use on the mac to provide deniable encryption?

Re:Get A Mac (-1)

Anonymous Coward | about 6 years ago | (#24234325)

Gooo Mac Fanboi. So tired of uninformed fanboi comments about Windows. Can't wait for the day when Apple is huge and there are people on here talking about how they've "sold out" and "suck". I also seriously doubt that you've done the sort of digging that'd be necessary to find problems with OS X encryption.

Re:Get A Mac (4, Informative)

vux984 (928602) | about 6 years ago | (#24234423)

Windows should build in an encryption program like on Mac OS X

Uh... they did... 8 years ago.

They've had EFS (encrypting file system) since Windows 2000.
http://en.wikipedia.org/wiki/Encrypting_File_System [wikipedia.org]

They've added BitLocker Drive Encryption with Vista (Ultimate & Enterprise).
http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption [wikipedia.org]

A visit from the NSA (1, Troll)

twitter (104583) | about 6 years ago | (#24234819)

You know that M$ encryption is backdoored [slashdot.org] , don't you? Never trust closed source software for things that are important.

Re:A visit from the NSA (1)

bconway (63464) | about 6 years ago | (#24234901)

FUD. Dual_EC-DRBG is optional and off by default.

oh twitter (1, Informative)

Anonymous Coward | about 6 years ago | (#24234919)

You know that RNG was put in for NIST 800-90 compliance and is not the default in Vista or any other Microsoft OS, don't you?

You know that even an open source RNG of that type would have the same flaws, don't you?

You know you shouldn't use elliptic curve RNGs, regardless of who is providing them, don't you?

You know linking to Slashdot articles with question marks in the title proves absolutely nothing, don't you?

Re:A visit from the NSA (0, Offtopic)

Tim C (15259) | about 6 years ago | (#24234927)

You see that weird mark at the end of the title of the article? Ooh, like the one I just used in fact! That's called a "question mark", it indicates that the preceding phrase or sentence is a question, or is otherwise speculative. Note also the use of the word "may" in the summary, that's another good indication that it's speculation, not fact.

But thanks for playing. Yet again.

Re:A visit from the NSA (1, Funny)

Anonymous Coward | about 6 years ago | (#24235177)

The only thing backdoored around here is your mom.

Re:A visit from the NSA (0)

Anonymous Coward | about 6 years ago | (#24235209)

Isn't there a -1, Played-Out Vista FUD moderation?

Re:Get A Mac (2, Interesting)

vivek7006 (585218) | about 6 years ago | (#24234945)

I prefer Axcrypt [axantum.com] over Windows Compressed Folders password protection. AxCrypt is free and open-source.

From their FAQ:
Why is AxCrypt better than Windows Compressed Folders password protection?

In the July 2003 issue of PC World magazine, there is a description of how to password protect files using the built-in Windows Compressed Folders of Windows XP and ME. This is a WinZip compatible extension of the Windows Shell (Windows Explorer). The problem is that since it's WinZip-compatible it suffers from the same weakness as does WinZip. WinZip (and thus Compressed Folders) password protected archives use a proprietary and weak algorithm that is known to have the following weaknesses, exploited in numerous 'Password Recovery' products and services:
        * If the attacker knows the contents of one of the files in the archive, the password is susceptible to a so-called known plain-text attack. AxCrypt is never susceptible to this kind of attack.
        * If the archive contains 5 or more files, password recovery (i.e. cracked protection) is guaranteed. With AxCrypt you can have any number of files encrypted with the same passphrase without affecting the security.

Re:Get A Mac (4, Informative)

xrayspx (13127) | about 6 years ago | (#24234437)

My bet would be that if you have the DFS filesystem mounted, then Spotlight (or Beagle on Linux) would just index it like any part of the filesystem.

They're not trying to decrypt files here, but just prove that files exist. TrueCrypt lets you put an encrypted volume inside an encrypted volume, such that if you mount the "outer" volume, you can't show evidence that there even exists an "inner" volume. However, if you mount that "inner" volume and use the files in it, Windows will make a Recent Documents shortcut to its location, thus disclosing the fact that there are files there.

I'm a TrueCrypt user, but not a DFS user, since I care more about the encryption than I do about plausible deniability, but I'm interested in trying this out. The test case might be along the lines of:
  • Mount a DFS volume on a Mac
  • Do a Spotlight search for something inside that volume
  • Unmount the DFS volume
  • See if there's any cached data from Spotlight that still hints at the existence of the file within your hidden filesystem

Since Spotlight also does a full-text search, does it cache any of that full-text data to make the next search faster?

Re:Get A Mac (4, Informative)

blueg3 (192743) | about 6 years ago | (#24234517)

Spotlight's index is stored in the root of the volume it's indexing. Encrypted filesystems are independent volumes, so their indexes are stored in their volume root. The index of the primary filesystem isn't altered.

I'm not sure it leaks zero information -- there have been some bugs with Spotlight indexes and FileVault-encrypted home directories.

Re:Get A Mac (1)

xrayspx (13127) | about 6 years ago | (#24234831)

Thanks, that answers that, go Apple. I'm happier every day that I bought Macs. It's funny, you also now have to think about other apps that might leak the "recent documents" paths, OpenOffice, Adobe apps, pretty much anything.

It's good food for thought if nothing else.

Re:Get A Mac (0)

Anonymous Coward | about 6 years ago | (#24234743)

I'm a TrueCrypt user, but not a DFS user

Right, neither am I.

Re:Get A Mac (4, Informative)

blueg3 (192743) | about 6 years ago | (#24234593)

Really?

All of Mac OS X encryption operates on user-managed encrypted disk images (volumes) or "encrypted home directories" (FileVault), which is really an OS-managed encrypted disk image.

FileVault home directories are no stronger than your login password. As this password is stored hashed only once (albeit salted, as of 10.4), it had better be immune to brute-force-guessing. They're also only as strong as your system-wide FileVault recovery keychain, as a copy of the key is stored in that, too.

Non-FileVault encrypted images at least use 1000-round PBKDF rather than a single hash and don't, by default, use a recovery keychain. At only 1k rounds, though, it had still better be immune to brute-force guessing.

None of this addresses the fact that using a Mac OS X system with an encrypted directory still leaks information about the contents of that directory onto the unencrypted parts of the drive. In fact, if anything, TrueCrypt is better about not doing this than the Mac, though neither of them hide their tracks all that well. The best approach is to have TrueCrypt running full-disk encryption so that there's nowhere for data to leak to.

Re:Get A Mac (1)

Supergibbs (786716) | about 6 years ago | (#24234741)

it would be Microsoft managed and it would work better

I think you forgot your sarcasm tag....

Re:Get A Mac - Get Windows! (1)

DigitalJer (1132981) | about 6 years ago | (#24234747)

Windows DOES have encryption built in :)

Re:Get A Mac (0)

Anonymous Coward | about 6 years ago | (#24234801)

there are no bugs that I have discovered yet

Oh, really, so you and your little mac haven't noticed any problems. Might, just might, that be due to the fact that you aren't the closest thing security analysis has to a rock star with a crack team?

Could it also be that you don't regularly sit down and write research papers about the subject?

Further, until you can point me to a better OSS encryption tool, STFU.

And this is exactly why.. (2, Informative)

Anonymous Coward | about 6 years ago | (#24234249)

you run at least full disk encryption. If one needs further plausible deniability, THEN you can run truecrypt. Also, cleaning out temp files should be a regular occurrence, as should running on an encrypted swap file/partition.

Re:And this is exactly why.. (2, Insightful)

EvanED (569694) | about 6 years ago | (#24234311)

Full disk encryption doesn't protect against the threat model that TrueCrypt's hidden files try to. The model there is that you are being forced to give up your key (or stand in contempt of court until you do), which means full disk encryption doesn't help you.

Re:And this is exactly why.. (1)

SanityInAnarchy (655584) | about 6 years ago | (#24234877)

It would be tricky, but should be possible to mount a hidden volume as root -- or, failing that, a loopback file in that hidden volume.

It wouldn't encrypt the entire disk, and it might be tricky to maintain a dummy root or two, but it could be done.

Re:And this is exactly why.. (4, Insightful)

serviscope_minor (664417) | about 6 years ago | (#24234671)

you run at least full disk encryption. If one needs further plausible deniability, THEN you can run truecrypt. Also, cleaning out temp files should be a regular occurrence, as should running on an encrypted swap file/partition.

This is why security needs to be left to the professionals and requires scrutiny. It is very hard to get right and very easy to leave holes. You run full disk encryption, but in many parts of the world, you can be compelled to disclose your keys. So, since your keys are disclosed, you now may as well assume that you never had the encryption in the first place. That puts you right back to square 1 and there is now evidence that you have a hidden volume.

Full disk encryption protects you against the consequences of theft, and for this, deniability has no utility. Deniability protects you against certain governments, and for this, full disk encryption often provides little utility.

They should use a one time pad (0)

Anonymous Coward | about 6 years ago | (#24234263)

They should use a one time pad

Let me get this straight (4, Funny)

carp3_noct3m (1185697) | about 6 years ago | (#24234279)

So Vista, Word, and Google Desktop make truecrypt less viable? I'm Shocked I tell you! Shocked. Please..If you are serious about using truecrypt please tell me that you are savvy enough to know how to get around some of these holes. Googledesktop?-aka, I spy on everyone and read your brain desktop? It's like saying my iron has a security hole if someone installs a hardware keylogger on my system. Duh! But just because Schneier is involved, the hacking gods must bow and agree with every word he says. Anyway, now I'm rambling, but I use truecrypt only on my secure linux box, which doesn't have these problems. I hide all my stuff that would get me into lots of trouble if!@#@!#%T^GD no carrier

Re:Let me get this straight (0)

Anonymous Coward | about 6 years ago | (#24234425)

There's little worry anyhow. How could you possibly open your porn vids in Word anyway?

Re:Let me get this straight (4, Interesting)

Hatta (162192) | about 6 years ago | (#24234651)

Anyway, now I'm rambling, but I use truecrypt only on my secure linux box, which doesn't have these problems

Are you sure? Have you checked your ~/.bash_history file? Are you sure your editor isn't leaving autosaves in /tmp? There could even be plain text in your swap partition. It's hard to really know.

If I needed plausible deniability I'd put a virtualbox image in the deniable container. Then I'd turn off swap and link ~/.bash_history to /dev/null. And I'm sure I've forgotten something.
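
An added example (not part of the thread, and not TrueCrypt code): a self-audit in the spirit of the checks listed in the comment above and of xrayspx's earlier test case, run after unmounting a volume to see which files outside it still name its mount point. The mount point `/mnt/inner`, the sample home directory and every file's contents are constructed for illustration.

```python
# Added example: post-unmount self-audit for references to a volume's mount point.
# The mount point, directory layout and file contents are constructed.
import os
import tempfile
from pathlib import Path

MAX_BYTES = 8 * 1024 * 1024  # files larger than this are skipped in this sketch


def needles_for(mount_point):
    """Byte patterns for the path in the encodings it usually lands on disk in."""
    return {
        "utf-8": mount_point.encode("utf-8"),         # shell history, XML, text
        "utf-16le": mount_point.encode("utf-16-le"),  # Windows shortcuts and similar binaries
    }


def scan_file(path, needles):
    """Return [(encoding, offset)] for the first hit of each pattern in one file."""
    try:
        # Skip symlinks (e.g. a history file linked to /dev/null) and non-regular files.
        if path.is_symlink() or not path.is_file():
            return []
        if path.stat().st_size > MAX_BYTES:
            return []
        data = path.read_bytes()
    except OSError:
        return []  # unreadable: report nothing rather than abort the walk
    hits = []
    for name, needle in needles.items():
        offset = data.find(needle)
        if offset != -1:
            hits.append((name, offset))
    return hits


def audit(search_roots, mount_point):
    """Map each file under search_roots that names mount_point to its hits.

    Substring match, so /mnt/inner also matches /mnt/inner2; treat hits as leads to review.
    """
    mount = Path(mount_point)
    needles = needles_for(mount_point)
    findings = {}
    for root in search_roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # Do not descend into the volume itself if it is still mounted.
            dirnames[:] = [d for d in dirnames if Path(dirpath, d) != mount]
            for filename in filenames:
                path = Path(dirpath, filename)
                hits = scan_file(path, needles)
                if hits:
                    findings[str(path)] = hits
    return findings


def build_sample_home(base, mount_point="/mnt/inner"):
    """Create a constructed 'home directory' with three leaking files and one clean one."""
    home = Path(base, "home")
    (home / ".local" / "share").mkdir(parents=True)
    (home / ".bash_history").write_text(
        "ls\ncd " + mount_point + "\nvim " + mount_point + "/notes.txt\n")
    (home / ".local" / "share" / "recently-used.xbel").write_text(
        '<bookmark href="file://' + mount_point + '/notes.txt"/>\n')
    (home / "cache.bin").write_bytes(
        b"\x00\x01\x02\x03" + (mount_point + "/notes.txt").encode("utf-16-le"))
    (home / "todo.txt").write_text("buy milk\n")
    return str(home)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(tmp)
        for path, hits in sorted(audit([home], "/mnt/inner").items()):
            print(os.path.relpath(path, home), hits)
```

Swap and unallocated disk space are not files, so a walk like this cannot see them; a clean result covers only the directories it was pointed at.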

Re:Let me get this straight (1)

jim.hansson (1181963) | about 6 years ago | (#24235191)

if I remember correctly.
in virtualbox you create a "profile/shortcut" that will point to this image. those are saved and they should contain path to the image.
and remember to clear the RAM after you have shutdown virtualbox, don't want them to come and freeze your RAM or use a firewire cable

Re:Let me get this straight (1)

pembo13 (770295) | about 6 years ago | (#24235201)

seems like you would want /tmp as a mem disk if you're going to be paranoid. (not that I have a problem with paranoia)

Re:Let me get this straight (4, Insightful)

Ant P. (974313) | about 6 years ago | (#24235221)

If you want _plausible_ deniability, which is what this is about, then having no history file is only going to arouse suspicion. Open a shell with HISTFILE=/dev/null only when you're running the secret VM, and run the shell command using a GUI+script or some other method that doesn't keep tracks.

Re:Let me get this straight (2, Informative)

Eighty7 (1130057) | about 6 years ago | (#24235169)

Something I found amusing, GDS (google desktop search) linux is strictly opt-in on folders while GDS windows is opt out. I use it on my ubuntu box because it beats the hell out of tracker/beagle.

My Iron (1)

carp3_noct3m (1185697) | about 6 years ago | (#24234293)

Meant to say ironkey =)

Re:My Iron (3, Funny)

Vectronic (1221470) | about 6 years ago | (#24234409)

I was wondering about that, I was thinking your security flaw was as simple as someone saying: "Hey, you left your iron on!" then they just rummage through your shit while yer distracted.

"It's ok, I'm completely secure as long as my iron is off"

Word and what? (4, Informative)

frovingslosh (582462) | about 6 years ago | (#24234295)

Among their discoveries: Word and auto-saves the contents of encrypted files to the unencrypted portions of your disk,...

If you're like me (meaning that you pay attention to what you read), you may be wondering what in the world "Word and auto-saves" means. I wondered so much I even followed the link, and saw that the omitted term was Google Desktop, omitted because of very sloppy cut and paste of the article.

Re:Word and what? (3, Funny)

jd (1658) | about 6 years ago | (#24234317)

Damn. I thought someone had found a neat new extension to Word, called "and", that bypassed your security.

Re:Word and what? (0)

Anonymous Coward | about 6 years ago | (#24234737)

saw that the omitted term was Google Desktop, omitted because of pro-Google bias

Fixed that for you.

About Bruce Schneier (5, Funny)

dwalsh (87765) | about 6 years ago | (#24234299)

Some of you may not be aware of the stature of Bruce Schneier in the field of computer security, so here is some background information:

http://geekz.co.uk/schneierfacts/facts/top [geekz.co.uk]

Bruce Schneier once decrypted a box of AlphaBits.

Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

Bruce Schneier knows Alice and Bob's shared secret.

Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.

Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.

Bruce Schneier knows the state of schroedinger's cat

Bruce Schneier writes his books and essays by generating random alphanumeric text of an appropriate length and then decrypting it.

When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.

If we built a Dyson sphere around Bruce Schneier and captured all of his energy for 2 months, without any loss, we could power an ideal computer running at 3.2 degrees K to count up to 2^256. This strongly implies that not only can Bruce Schneier brute-force attack 256-bit keys, but that he is built of something other than matter and occupies something other than space.

Though a superhero, Bruce Schneier disdains the use of a mask or secret identity as 'security through obscurity'.

Re:About Bruce Schneier (5, Funny)

EvanED (569694) | about 6 years ago | (#24234359)

Personally, I like "Bruce Schneier already has a backup plan for when the second person discovers P=NP."

Re:About Bruce Schneier (1)

electricbern (1222632) | about 6 years ago | (#24234427)

So, like, Bruce Schneier is the Chuck Norris of security?

Re:About Bruce Schneier (5, Funny)

kwabbles (259554) | about 6 years ago | (#24234455)

I ran into Bruce Schneier at an airport once. While we were waiting for a plane, I asked him if he would show me a "cool computer trick". He popped the RAM out of my laptop and quickly tasted the edge with the gold leads. He then told me that at 11:23pm the previous night I had visited ideepthroat.com with Firefox. Damn he's good.

Re:About Bruce Schneier (1)

Shakrai (717556) | about 6 years ago | (#24234713)

Damn he's good.

Or he bought off someone at your ISP ;)

Re:About Bruce Schneier (3, Funny)

Eighty7 (1130057) | about 6 years ago | (#24235207)

We really need that -1 Informative mod...

Re:About Bruce Schneier (2, Funny)

oahazmatt (868057) | about 6 years ago | (#24234473)

Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.

With his what? It could probably cause a cave-in as everything oozes out, with the right frequency of course, but physically crushing?

Re:About Bruce Schneier (2, Informative)

azzuth (1177007) | about 6 years ago | (#24234567)

if you asked Bruce Schneier to decrypt this, he'd crush your skull with his laugh.

He decrypted it for me, and I still have my skull. On the other hand, he did take my soul. :( not really a fair trade in retrospect.

Re:About Bruce Schneier (0)

Anonymous Coward | about 6 years ago | (#24234729)

That's nothing compared to what my professor (computer sciences) can do:
http://www.facebook.com/group.php?gid=23662585158

(Yes, I realize that a few stories down Facebook's privacy guarantee was completely shot down.)

Re:About Bruce Schneier (1)

Daimanta (1140543) | about 6 years ago | (#24234853)

Bruce Schneier once proved the infinitude of twin primes -- by enumeration.

Bruce Schneier generated his RSA key with the two largest prime numbers.

As a way to hide recreational substances, Bruce Schneier invented a method to encrypt matter.

Re:About Bruce Schneier (1)

jim.hansson (1181963) | about 6 years ago | (#24235229)

Bruce Schneier generated his RSA key with the two largest prime numbers.

good, then we know what they are, wait, what are the two largest prime numbers?

Re:About Bruce Schneier (1)

retchdog (1319261) | about 6 years ago | (#24235017)

When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.

This is the only thing Bruce and I have in common it seems...

Re:About Bruce Schneier (1)

againjj (1132651) | about 6 years ago | (#24235143)

Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.

If you asked Bruce Schneier to decrypt this, he'd crush your skull with his laugh.

For you lazy people out there.

Full-disk is the way (1)

^_^x (178540) | about 6 years ago | (#24234305)

I prefer full-disk encryption anyway, IMO there is just less worrying to be done. Still, I wouldn't be surprised if Word put stuff in C:\Windows\TEMP\ by default.

I love FileVault in OSX though I never really researched the encryption used since I just use it out of habit and not for anything important. By all means, tell me why I'm a fool for using it...

Re:Full-disk is the way (2, Informative)

conspirator57 (1123519) | about 6 years ago | (#24234629)

you're not a fool per se. everything has deficiencies of one sort or another. but have you looked to see whether there is any configuration guidance for your particular choice?

I know NSA IAD has a security configuration guide for MacOS X. It may include a section on FileVault. If so, it ought to be at least a good place to start from and provide you with good search terms.

http://www.nsa.gov/snac/downloads_macOSX10_4Server.cfm?MenuID=scg10.3.1.1 [nsa.gov]

Re:Full-disk is the way (1)

KDR_11k (778916) | about 6 years ago | (#24234761)

This is in addition to the full disk encryption. When you have an encrypted disk someone might wonder what's on it, with this you can show them a harmless part and they won't even realize there's more data on there than they see. Or should, if there were no flaws.

Re:Full-disk is the way (0)

Anonymous Coward | about 6 years ago | (#24234763)

tell me why I'm a fool for using it...

You're not a fool for using it.

I never really researched the encryption used

This is why you're a fool.

Not just researching the encryption algorithm, but unless you actually look into how your applications and your encryption system itself works, you'll be bitten by things like tempfiles or hibernation or plenty of other things.

Re:Full-disk is the way (1)

Sloppy (14984) | about 6 years ago | (#24235135)

Well, this is all within the context of a user that wants to have deniability. You can't really have deniability with full-disk encryption. ;-) At a minimum, they're going to get the key to the outermost layer. This is really about information accidentally getting stored in a less-hidden layer than the user intended.

Re:Full-disk is the way (1)

againjj (1132651) | about 6 years ago | (#24235187)

Remember, the problem is that the hidden partition's existence is what is revealed, not the data on it. Full disk encryption does not hide the existence of the partition, and thus does not allow plausible deniability. This is expanded upon a lot more in other posts.

Not to bash MS but.. (0)

Anonymous Coward | about 6 years ago | (#24234323)

Umm.. Word autosave metadata blabla what??

Hey, if you're serious about security to the point that you want to hide even the existence of encrypted data you should stay away from Word. This should be obvious to anyone with a clue.

No Problem Here (1)

collywally (1223456) | about 6 years ago | (#24234333)

Nothing to worry about here. Three programs that I don't use: Vista, Word and Google Desktop. Though I think I'll be a little more aware of how the software I use can be looking around my computer and getting information without me realizing it.

Re:No Problem Here (2, Informative)

TheSpoom (715771) | about 6 years ago | (#24234397)

Be careful you don't use slocate if you're on Linux either. (Hint: you probably do without knowing it.)

The point of this paper is that any automatically indexing software could reveal a hidden partition's existence; they were simply giving a few hard examples.

Re:No Problem Here (1)

josh82 (894884) | about 6 years ago | (#24234839)

Be careful you don't use slocate if you're on Linux either. (Hint: you probably do without knowing it.)

Keep in mind, though, that you can simply add exceptions to your updatedb.conf file, such that the directories/partitions you list will not be indexed (and hence will not be locatable by slocate).

Re:No Problem Here (4, Funny)

McGiraf (196030) | about 6 years ago | (#24234991)

"Keep in mind, though, that you can simply add exceptions to your updatedb.conf file, such that the directories/partitions you list will not be indexed (and hence will not be locatable by slocate)."

yes, put your hidden directories/partitions in /etc/slocate then slocate will not reveal their existence.

It seems to me there is something wrong with this scheme but I cannot put my finger on it. Hum ... but then again I'm not a security specialist.

Re:No Problem Here (1)

Sloppy (14984) | about 6 years ago | (#24235199)

It reminds me of the set of all sets that don't contain themselves.

Summary is inaccurate (5, Informative)

TheSpoom (715771) | about 6 years ago | (#24234365)

Schneier et al don't break TrueCrypt's deniability, per se. They simply show that Word, Google Desktop, and other automatically-indexing programs may reveal a hidden partition's possible existence.

This is a concern, of course, but can be avoided by careful use of the software invoked when using a TrueCrypt partition (i.e. killing processes except for TrueCrypt, etc).

I believe there's also a portable version of TrueCrypt that can be used that leaves no traces on the OS install once you're finished.

Re:Summary is inaccurate (0)

Anonymous Coward | about 6 years ago | (#24234417)

mod up!

Re:Summary is inaccurate (0)

Anonymous Coward | about 6 years ago | (#24234989)

Not 100% sure, but if you open a file (a Word doc) from an encrypted volume on a portable disk... Word doesn't care that it's being opened with "TrueCrypt: Without a Trace," it will still more than likely save a temp file with its autosave feature.

Re:Summary is inaccurate (1)

WMIF (1175429) | about 6 years ago | (#24235005)

I am not really sure why this is such a big news story. This is the type of technique that we have used in digital forensics for a while. Artifacts like this help to identify missing volumes of all types: thumb drives, cds/dvds, encrypted, etc.

Found? (1, Insightful)

Anonymous Coward | about 6 years ago | (#24234373)

From TFA:

But Schneier, chief security technology officer with British Telecom and researchers from the University of Washington *found* that Microsoft Vista, Word, and Google Desktop each can blow the cover of files using this so-called "deniable file system" (DFS) feature.

Translation:

Renowned security experts state obvious security flaws of ciphered units and unciphered temporary folders, having nothing to do with plausible deniability

HW Encryption - the only way (1)

Gat0r30y (957941) | about 6 years ago | (#24234435)

I have no particular beef with any of the software options for encryption, but if you want encryption worth its mustard - I say there is nothing besides Hardware encryption. Get one of the Full disc encryption drives with HW encryption if you need security. If you ask me, every laptop with any degree of sensitive information should use an FDE drive.
A little more on topic - can you recover old autosaves from disc after a save? can you recover old autosaves after the program is quit? what about after reboot?

Re:HW Encryption - the only way (1, Informative)

Anonymous Coward | about 6 years ago | (#24234583)

A little more on topic - can you recover old autosaves from disc after a save? can you recover old autosaves after the program is quit? what about after reboot?

Short answer, yes. If Word or OpenOffice in particular (as well as other programs I've seen that have an auto-save feature) crashes I've seen those auto-save files stick around. They're not supposed to, but they do if the app crashes. This is where Word and OpenOffice get their ability to recover files if the app crashes.

BTW, once they've been written to disk unencrypted, even if they get deleted, they can still be potentially recovered.

Won't really matter (3, Interesting)

MikeRT (947531) | about 6 years ago | (#24234457)

Any government that would force you to give up such information short of a very serious incident is one that will likely torture the shit out of you until it has proven that either you have a will of steel or don't have an encrypted volume. The "hackers" used in the article are a red herring.

Re:Won't really matter (1)

Tumbleweed (3706) | about 6 years ago | (#24234603)

The "hackers" used in the article are a red herring.

By the book, Mr RT:

Regulation Forty-six-A: "If transmissions are being monitored during battle..."

"...no uncoded messages on an open channel..."

"Red Herring" is actually a code phrase meaning there's an upgrade available for Firefox.

Then again, it could mean you don't get the shrubbery until you cut down the largest tree in the forest.

One of those two, I'm sure of it.

Re:Won't really matter (0)

Anonymous Coward | about 6 years ago | (#24234633)

will likely torture the shit out of you

While the domain of use cases for TrueCrypt is large (fraud, illegal materials, investigation, privacy, etc.) the domain of activities that would actually justify torture is small (treason, terrorism, etc.) The difference between the large and small domains is sufficient to obviate your stupid argument.

Turtles all the way down. (3, Interesting)

Zarhan (415465) | about 6 years ago | (#24234635)

Depends, but then you can do turtles all the way down.

So, have an encrypted (obviously visible volume) that has "boring" stuff in it, like your basic groceries accounting and letters to grandma. Have a hidden volume that has embarrassing but non-incriminating stuff (porn folders). Have a hidden volume inside THAT that contains embarrassing stuff that you'd pretend people shouldn't really want to find out (e.g. gay porn). Have a hidden volume inside that that contains your master plan of converting all WoW players into your army of midgets to take over the world...add as many layers as you want.

That's the idea with the deniability. They can never know if there actually is a hidden volume in there. So assuming torture, you are probably so lost yourself that you cannot even remember the scheme yourself anymore...Even if they go with the assumption that since you are using Truecrypt there MUST be a hidden volume - but there's no way to know how many nested hidden volumes there are.

This is what prompts Linus' comments... (2, Insightful)

Anonymous Coward | about 6 years ago | (#24234469)

I like Bruce, I think he's got a lot of good insight, but when he spins up a "white paper" that basically says that applications are doing what they're supposed to be doing, and TrueCrypt isn't changing their native behavior, it does everyone in the "Security" community a disservice.

Bruce, if you're trying to make a point - make it. Don't sit there and *publish* nitpicky crap that basically is a bug (or lacking feature) of the software. You'd be far better to say that security applications do not provide adequate deniability, and then cite the sources.

The fact that this sort of stuff passes for "High academia" makes me weep. Let's try to do more than just scratch the surface and point fingers, shall we?

Re:This is what prompts Linus' comments... (0)

Anonymous Coward | about 6 years ago | (#24234827)

"This is what prompts Linus' comments..."

Funny, I read those comments and all it shows is that Linus really is a developer, people forget that just because he's helped manage the creation of a really good piece of software it doesn't mean he knows shit worth listening to when it comes to security.

Deniability on SSD? (5, Interesting)

Anonymous Coward | about 6 years ago | (#24234555)

This has been bugging me and I wonder if anyone out there can answer this: would the write-leveling used by flash drives defeat deniability as well? After all, if the most recently written-to portions of the drive are in a supposedly unused block, isn't that a bit of a giveaway?

Re:Deniability on SSD? (4, Informative)

compro01 (777531) | about 6 years ago | (#24234733)

the Truecrypt documentation mentions the possible implications of this.

Wear-Leveling

Some storage devices (e.g., some USB flash drives) and some file systems utilize so-called wear-leveling mechanisms to extend the lifetime of the storage device or medium. These mechanisms ensure that even if an application repeatedly writes data to the same logical sector, the data is distributed evenly across the medium (logical sectors are remapped to different physical sectors). Therefore, multiple "versions" of a single sector may be available to an attacker. This may have various security implications. For instance, when you change a volume password/keyfile(s), the volume header is, under normal conditions, overwritten with a re-encrypted version of the header. However, when the volume resides on a device that utilizes a wear-leveling mechanism, TrueCrypt cannot ensure that the older header is really overwritten. If an adversary found the old volume header (which was to be overwritten) on the device, he could use it to mount the volume using an old compromised password (and/or using compromised keyfiles that were necessary to mount the volume before the volume header was re-encrypted). Due to security reasons, we recommend that TrueCrypt volumes are not stored on devices (or in file systems) that utilize a wear-leveling mechanism. If you decide not to follow this recommendation and you intend to use system encryption when the system drive utilizes wear-leveling mechanisms, make sure the system partition/drive does not contain any sensitive data before you fully encrypt it (TrueCrypt cannot reliably perform secure in-place encryption of existing data on such a drive; however, after the system partition/drive has been fully encrypted, any new data that will be saved to it will be reliably encrypted on the fly). To find out whether a device utilizes a wear-leveling mechanism, please refer to documentation supplied with the device or contact the vendor/manufacturer.

Don't forget Windows Explorer, too (4, Insightful)

Praxx (918463) | about 6 years ago | (#24234601)

Opening an encrypted partition with Windows Explorer is also a risk, because explorer will happily cache the directory structure of everything you browse to. Those paths and filenames show up in the explorer history, even if the drive is offline.

Not Truecrypt's fault, it appears (1)

Spy der Mann (805235) | about 6 years ago | (#24234811)

FTA:

The researchers found that Windows Vista shortcuts can give away the existence of a hidden file. Vista, which automatically creates shortcuts to files that get used, then stores the shortcuts in the Recent Items folder. And the auto-save feature in Word, meanwhile, saved versions of the hidden files.

"An attacker can use information gleaned from these files - as well as other information leakage from the primary application - to not only infer that a hidden volume exists, but also recover some of its contents," the researchers wrote in their report.

Google Desktop is another culprit that exposes hidden files in TrueCrypt versions below 6.0, according to the report. The Google app's lists of recently changed documents and logs of recent file actions can reveal the existence of a hidden file.

In other words, it's the applications that exposed Truecrypt, when the hidden files were VISIBLE.

The moral of the story: If you have something to hide, turn off the damn logs or put them where they'll be destroyed (encrypted temporary partitions, for example). And don't depend on closed source, proprietary software.

Re:Not Truecrypt's fault, it appears (2, Interesting)

imsabbel (611519) | about 6 years ago | (#24234887)

A more sane conclusion (without that stupid "proprietary software" nag at the end) would be:

If you want _deniability_, you have to encrypt _everything_ belonging to the system you want to deny knowledge of.
Have another OS, and page file/partition around. But keep _everything_ that can be accessed by the other OS encrypted.

Otherwise, usage statistics, paged out memory, crash dumps, index files, any of a million different items could give you away.

Since I've got Office 2007 on my machine... (1)

hyades1 (1149581) | about 6 years ago | (#24234867)

...I guess I should be careful not to write any pr0n. ;)

UW = University of Waterloo (0)

Anonymous Coward | about 6 years ago | (#24234909)

*sigh* Silly UWashington students ... after all this time we *still* have to correct you. You're UWash or UWashington. Waterloo is UW. Why? Because USENET says so.

I remember back in the good ol' days, lots of UWash students would post ads to the uw.forsale newsgroup, and then wonder why nobody bothered to call them about their sublets.

lol

leakage (1)

Sloppy (14984) | about 6 years ago | (#24235065)

Isn't it pretty well-known that you have to be careful about leakage? An example of that would be that most (all?) encryption HOWTOs tell you that you should encrypt your swap, because you just never know when some of your data might end up in there. If there's a lesson here, it's just that swap might not be enough; you need to think bigger.

I can think of plenty of other ways that something, at least a hint of the existence of the data (if not the data itself) can leak around. Suppose /home/sloppy/ isn't encrypted (yeah, a weird contrived example), but /home/sloppy/secrets/ is. I mount that, load /home/sloppy/secrets/loveletter.txt into my word processor, work on it, save, and then unmount. My word processor's "recent documents" might contain a reference to the filename /home/sloppy/secrets/loveletter.txt, because that list of recent documents is stored unencrypted in /home/sloppy/.wordprocessor/blahblah. If I'm just trying to protect the contents of loveletter.txt, I'm probably ok. But if I was depending on the filesystem's or block device's "deniability feature" and trying to hide the fact that loveletter.txt exists inside /home/sloppy/secrets/ then I just failed miserably. The guy with the rubber hose is going to know it's there, so he'll eventually persuade me to cough up the key.

You really need to at least encrypt from your home directory down, and I think most apps will behave. The key is "think" -- the user really has to know what all his apps do, and that makes setting up deniability hard. But assuming the app isn't setuid root, it probably won't be able to write in other places. When you get to strange systems like MS Windows and huge legacy apps like MS Word, though.. yeah, that's really hard. Neither the almighty Schneier nor the Truecrypt dudes really even have a chance of finding all the possible leakages. If they found one, great, but they can't find everything. Only Microsoft would be able to do that.

I said it before, I'll say it again (4, Informative)

Abalamahalamatandra (639919) | about 6 years ago | (#24235107)

Windows caches all types of stuff about filesystems it touches in the registry. Open regedit some time and search for "OpenSaveMRU" and you'll see that pretty much every file you click to open in Windows is in there.

Not that Linux is any better, at least Gnome systems - check out ".nautilus" in your home folder. Same thing going on there with the directory structure, you name it. The first thing I do on a new Ubuntu box is remove ".recently-used.xbel" and create a directory with the same name, and make ".nautilus" owned by root and not world-writable. /tmp is obviously a problem on Unix-type systems as well, along with the swap partition.

Of course if your whole system is encrypted these are not problems, but then you don't exactly have a deniably-encrypted filesystem.
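An added example, not part of any comment above: a self-audit sketch that checks two of the places named in this thread, the GNOME `.recently-used.xbel` list and the exclusion list in `updatedb.conf`, for references to an encrypted volume's mount point. The sample file contents are constructed, the mount point `/home/sloppy/secrets` is taken from the contrived example above, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import unquote, urlparse

# Constructed sample of a GNOME recently-used list (XBEL format); not real data.
SAMPLE_XBEL = """<xbel version="1.0">
  <bookmark href="file:///home/sloppy/notes.txt" modified="2008-07-17T10:00:00Z"/>
  <bookmark href="file:///home/sloppy/secrets/love%20letter.txt" modified="2008-07-17T10:05:00Z"/>
  <bookmark href="file:///home/sloppy/secrets-old/readme.txt" modified="2008-07-16T09:00:00Z"/>
</xbel>
"""

# Constructed sample updatedb.conf; PRUNEPATHS lists directories excluded from indexing.
SAMPLE_UPDATEDB = '''PRUNEFS="nfs proc"
PRUNEPATHS="/tmp /var/spool /home/sloppy/secrets"
'''

def is_under(path, mount):
    """True if path is the mount point or lies below it (by component, not string prefix)."""
    p, m = PurePosixPath(path), PurePosixPath(mount)
    return p == m or m in p.parents

def xbel_leaks(xbel_text, mount):
    """Return (path, modified) for each recent-file entry under the mount point."""
    hits = []
    for bm in ET.fromstring(xbel_text).iter("bookmark"):
        url = urlparse(bm.get("href", ""))
        if url.scheme == "file":
            path = unquote(url.path)  # hrefs are percent-encoded
            if is_under(path, mount):
                hits.append((path, bm.get("modified")))
    return hits

def updatedb_leaks(conf_text, mount):
    """Return PRUNEPATHS entries that themselves name the mount point."""
    hits = []
    for m in re.finditer(r'^\s*PRUNEPATHS\s*=\s*"([^"]*)"', conf_text, re.M):
        hits += [p for p in m.group(1).split() if is_under(p, mount)]
    return hits

if __name__ == "__main__":
    mount = "/home/sloppy/secrets"  # assumed mount point of the encrypted volume
    for path, when in xbel_leaks(SAMPLE_XBEL, mount):
        print("recent-files entry:", path, when)
    for entry in updatedb_leaks(SAMPLE_UPDATEDB, mount):
        print("updatedb.conf exclusion names the volume:", entry)
```

The second check shows the problem McGiraf jokes about: the exclusion keeps the volume out of the locate database, but the unencrypted configuration file then records the path itself.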
