Encryption? What Encryption?

Soulskill posted more than 4 years ago | from the these-are-not-the-files-you're-looking-for dept.

Slashdot regular Bennett Haselton writes with his take on the news we discussed early this morning about the UK government's prosecution of two people who refused to disclose their encryption keys: "Is it possible to write a program that enables you to encrypt files without drawing suspicion upon yourself if anyone ever seizes your computer? No; a program by itself, no matter how perfectly written, couldn't do this because you'd still attract suspicion just for possessing the software. You'd need a social element driving the program's popularity until it gets to the point where people no longer look suspicious just for having the program installed. Here are some theories on how that could happen — but it would be a high bar to clear." Hit the link below for the rest of Bennett's thoughts.

Police in Britain have announced that two people have successfully been prosecuted under a UK law that forces defendants to give up their encryption keys and penalizes those who don't comply. Another UK woman's case had attracted attention two years ago, when the government demanded she give up her encryption keys after the police found encryption software on her computer, but the police say she was not one of the two defendants charged. Is there a software solution to this problem — a way that people can encrypt files on their computers, without arousing the suspicion of law enforcement if the computers are seized?

File encryption, if properly implemented, is generally considered mathematically unbreakable. But preventing suspicion from falling on people just for encrypting files in the first place requires a human solution as well as an engineering one. One way or another, some file encryption software would have to be in widespread use that has these two properties: (1) it's deployed on a large number of people's machines — not just a large absolute number, but a significant proportion of the total population, so that suspicion does not fall on people just for possessing the software — and (2) it should not be possible to tell the difference between machines where the users use the software regularly, and machines where the software has never been run. Then, and only then, would it be possible to use the encryption software on your machine without anyone who seizes the machine having reason to think that you had ever encrypted anything at all.

(Of course, in a relatively free society, if law enforcement has probable cause to seize your machine in the first place, then they would presumably already have some evidence against you. But this would at least prevent police officers and judges from becoming more suspicious as a result of encryption software being present on your machine.)

Note that this is similar to the kind of problem that is normally solved with steganography, but by my reasoning, I don't think that using stego would actually gain anything in this situation. Whether you're talking about encryption software or stego software, if it's a program that not a lot of people have installed, then just by virtue of having it on your machine, you'll attract suspicion if your machine is seized. On the other hand, suppose you've cleared that hurdle and the software is installed on a lot of people's computers, so that just having installed it is not by itself grounds for suspicion. If it's stego, then you can embed the hidden data inside other images or videos, so that an intruder can't tell whether you've been using the software to hide anything (assuming the stego software is good enough that the intruder can't tell the images have been tampered with). But you could achieve the same thing with straight encryption software: just have every installation of the program create a "storage volume" file, where encrypted files will be stored. As long as a storage volume file with files embedded in it, is indistinguishable from a storage volume file that has never been touched, the presence of the storage volume file won't give you away.

I'm not actually aware of any encryption program that has that property: that for a given machine with the software installed, it's impossible to tell whether the software has ever been used to encrypt data. This is probably because this would normally not be a useful feature of an encryption program. The whole point of making it impossible to tell whether someone has used the program or not, is that people who have used the program would not attract undue attention to themselves as a result. But if the encryption program is only used by one thousandth of one percent of total Internet users anyway, then just the fact that a user has the program installed, would be enough to draw suspicion to the user if their computer is seized, so there's no benefit to concealing the fact that the program has been used. On the other hand, if the encryption program is installed on a significant proportion of users' machines anyway, then simply having the program installed is no longer grounds for suspicion. And that's when it would become a valuable feature for it to be difficult to tell whether the owner of the machine actually uses the encryption program or not.

This may be hard to implement correctly, and there are some tradeoffs that will have to be decided. For example, if the program creates a default "storage volume" file when it's installed, how big should that initial volume be? The problem with creating a small storage file initially and then letting it grow as encrypted files are added, is that this now makes it easy to tell who is using the program and who isn't — anyone whose storage file has grown beyond the default size, is using it to encrypt files (and is therefore a terrorist movie-downloading child pornographer, etc.). In order to avoid suspicion falling on people who use the program, the storage file would have to be the same size on everyone's computer. If you make it 1 GB, that wastes a lot of space on people's machines who aren't using it. On the other hand, if it's only 1 GB, it also means that users will only be able to store up to 1 GB of encrypted data — any more than that, and they'll have to expand the size of the storage file, thus calling attention to themselves if the machine is ever seized. And then, what about the fact that a large file which is created all at once, is normally not fragmented very much, but if the storage file is frequently modified, it is likely to become more and more fragmented — thus giving people a way to tell if the encryption program is being used frequently. (So you'd either have to deliberately create a very fragmented storage file by default on the first install, or create an unfragmented file on first install but then make sure to read and write from the file in a way that doesn't fragment it further.) I don't want to get too bogged down in implementation details. The point is just that you'd have to block all the possible ways that an intruder would be able to tell whether the software is used frequently — forget one thing, and you've given an intruder a way to identify people who are actually using the software to encrypt files.

A program called TrueCrypt achieves something close to this — TrueCrypt allows you to encrypt a storage volume with two different passwords, so that one password provides access to "innocent-looking" data, while the other password provides access to the data that you really want to keep secure. If someone is compelled to give up their password, they could provide only the password that unlocks the "innocent-looking" data — and there's no way, from examining the encrypted file, to tell that there is a second password guarding even-more secret data. (Of course, the "innocent-looking" data can't be truly innocent-looking, because it has to look like the kind of thing that someone would believe you might want to encrypt — so it should look suspicious enough that you would genuinely want to hide it, but not bad enough to get you in real trouble if you're forced to reveal it!) The Achilles heel of this scheme is that just having TrueCrypt on your computer in the first place, would at least signal to an intruder that you're encrypting files. And even if they can't prove that you might have another "super-secret password" guarding more private data on your encrypted volume, they would certainly suspect it, if they already had grounds to be investigating you and if they knew anything about how TrueCrypt works. To provide true plausible deniability of any encryption at all, you need a program that already exists on lots of people's machines, so that an intruder doesn't suspect anything when they find it on your computer.

(The same objection also applies to many other non-solutions to the problem, like using a Linux distro that encrypts your entire file system. Even assuming this would be within the technical means of the average person who wanted to do encryption, it's still going to look suspicious as long as the vast majority of people are not doing it.)
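The two technical requirements discussed above (a fixed-size storage volume that looks the same whether or not it has been used, and TrueCrypt-style separate passwords for separate data) are shown together in the following added example, which is not from the article, TrueCrypt or any real product. Assumptions: the 64 KB size, the two-slot layout and every function name are hypothetical, and PBKDF2, SHAKE-256 and HMAC from the Python standard library stand in for a vetted disk-encryption cipher.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed demo parameters (assumptions, not from the article or any real tool).
VOLUME_SIZE = 64 * 1024            # the article's example size is 1 GB
SLOT_SIZE = VOLUME_SIZE // 2       # two fixed slots: 0 = decoy, 1 = hidden
SALT_LEN, TAG_LEN = 16, 32
CAPACITY = SLOT_SIZE - SALT_LEN - TAG_LEN - 4   # usable bytes per slot
KDF_ROUNDS = 100_000


def new_volume() -> bytearray:
    """What every installation writes, used or not: pure CSPRNG output."""
    return bytearray(secrets.token_bytes(VOLUME_SIZE))


def _keys(password: str, salt: bytes):
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, KDF_ROUNDS, dklen=64)
    return material[:32], material[32:]      # (encryption key, MAC key)


def _xor_keystream(enc_key: bytes, salt: bytes, data: bytes) -> bytes:
    # SHAKE-256 used as a keystream generator; stands in for a vetted cipher.
    stream = hashlib.shake_256(enc_key + salt).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def store(volume: bytearray, slot: int, password: str, plaintext: bytes) -> None:
    """Overwrite one whole slot in place; the volume never changes size."""
    if len(plaintext) > CAPACITY:
        raise ValueError("payload exceeds fixed slot capacity")
    salt = secrets.token_bytes(SALT_LEN)     # fresh per write: no keystream reuse
    enc_key, mac_key = _keys(password, salt)
    # Length prefix and zero padding are encrypted too: there is no plaintext
    # header, and the ciphertext fills the slot whatever the payload size.
    body = struct.pack(">I", len(plaintext)) + plaintext
    body += bytes(CAPACITY + 4 - len(body))
    ciphertext = _xor_keystream(enc_key, salt, body)
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    start = slot * SLOT_SIZE
    volume[start:start + SLOT_SIZE] = salt + tag + ciphertext


def open_slot(volume: bytes, slot: int, password: str) -> Optional[bytes]:
    """Return the plaintext, or None. An untouched slot also yields None."""
    raw = bytes(volume[slot * SLOT_SIZE:(slot + 1) * SLOT_SIZE])
    salt = raw[:SALT_LEN]
    tag = raw[SALT_LEN:SALT_LEN + TAG_LEN]
    ciphertext = raw[SALT_LEN + TAG_LEN:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    body = _xor_keystream(enc_key, salt, ciphertext)
    (length,) = struct.unpack(">I", body[:4])
    return body[4:4 + length]


def byte_chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against uniform (255 degrees of freedom)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def demo() -> dict:
    unused = new_volume()                    # installed, never used
    used = new_volume()                      # installed, both slots written
    store(used, 0, "decoy-pass", b"constructed sample: household budget\n" * 50)
    store(used, 1, "hidden-pass", b"constructed sample: private notes\n" * 200)
    return {
        "same_size": len(unused) == len(used),
        "chi_unused": byte_chi_square(unused),
        "chi_used": byte_chi_square(used),
        "decoy": open_slot(used, 0, "decoy-pass"),
        "hidden_with_decoy_pass": open_slot(used, 1, "decoy-pass"),
        "unused_slot": open_slot(unused, 1, "hidden-pass"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value[:36] if isinstance(value, bytes) else value)
```

This covers only the size and content of the volume file; fragmentation, which the article raises, and file modification times are file-system-level tells that it does not address.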

Which leads to the other half of the problem, which is getting the software widely deployed enough that it would not look suspicious for someone to have the program installed in the first place. Best of all for the purpose of avoiding suspicion, of course, would be for the program to come installed by default with a popular operating system. Windows XP and Vista have the built-in ability to encrypt folders, but anyone who seizes the machine can still see that you encrypted a folder, so this doesn't have the undetectability factor. Built-in deniable encryption of the kind that I'm describing doesn't instinctively feel like the sort of thing that Microsoft would start bundling with its operating system. (Among other things, they might say that while companies often have business reasons for encrypting files, it's harder to think of a business case where employees would need to encrypt files and hide the fact that they were encrypting anything.)

Perhaps instead it could be bundled with a popular free software program beholden to no for-profit corporate masters. (My first thought was Firefox, but I was quickly told that Firefox was created specifically to strip out many of the features that had caused bloat in the original Mozilla project, and that any bundling of unnecessary tools would go against the whole ethos of the project.) Maybe a good place to include something like this would be the Google Pack — it's installed by lots of people, and currently doesn't have a file-encryption tool in the bundle. Beholden to for-profit corporate masters, yes, but ones that frequently declare "Don't Be Evil" and often seem to do cool stuff just to see what would happen.

Another possibility would be for a next-generation P2P program to bundle this capability with their software. This provides a nice dovetailing of interests — P2P users might want a way to hide the files that they've downloaded, while at the same time, intruders who seize the computer and find the P2P application installed wouldn't necessarily suspect the owner of anything more than a little copyrighted file trading. "Well, he's got this NiftyP2P program installed, which comes with 'plausibly deniable' encryption, but most people just use NiftyP2P to download mp3 files and movies anyway. And I can't tell if he was actually using the encrypted file storage volume, because that's how 'plausibly deniable' encryption works. Is this the same guy who uploaded those subversive anti-government documents? I dunno."

Anyway, if you actually want to give people a way to run encryption software on their PCs, while ensuring that anyone who seizes their machine cannot tell that any encryption has been going on, these are the hurdles that you'd have to clear. I'm not sure whether this is better viewed as a blueprint for how to achieve this goal, or an argument for why it will probably never happen. There are lots of almost-solutions, like TrueCrypt with its ability to encrypt different sets of data into the same storage volume. But you still can't actually hide the fact that you're doing encryption in the first place.

(If you're willing to store your encryption software away from your computer, you could keep a steganography program on a CD or USB drive hidden in your house, and then whenever you need access to the encrypted data, plug in the program and use it to extract data that has been hidden in a large number of image or video files. That would achieve the goals I've outlined in the article: the ability to encrypt files, while still ensuring that anyone who seizes your computer won't be able to tell that you've encrypted anything. The problem is that it would require enough self-discipline to always return the CD or USB stick to its hiding place when you were done with it — and still, you'd have to hope that whatever authorities seize your computer, don't also search your house and find the CD or USB stick where you keep your stego software.)

Finally, risking the wrath of my civil-libertarian allies, I'll admit it may not actually be a positive thing for every citizen to be able to hide the fact from their local law enforcement that they're encrypting files on their computer. Many times if the police in a mostly-free country like the US or the UK seize a person's computer, they're trying to prevent real harm, and not every person with an encrypted file volume is a good guy. For some of the people who have left enough of an evidence trail that their computers get seized, it would be perfectly rational to view them with suspicion because of an encrypted volume found on their computer. But if you assume it's a worthwhile goal for people to be able to encrypt files without attracting suspicion, my argument is that the prerequisites in this article are necessary for that to work. At the moment it seems a long way off. But if someone created an encryption program with "deniability" — so that it was impossible to tell whether the program had ever been used after it was installed — and someone at Google thought "Hey, that's cool" and added it to the Google Pack, everything would change very suddenly.

500 comments

Huh? (1, Offtopic)

igny (716218) | more than 4 years ago | (#29037967)

Story? What story?

Re:Huh? (4, Informative)

causality (777677) | more than 4 years ago | (#29038133)

Story? What story?

It wouldn't be a story if he just Googled it [justfuckinggoogleit.com]. It's a bit outdated but Rubberhose [iq.org] was explicitly designed for this purpose. The idea is that it has multiple encryption keys to store different data in a given volume with no way to prove there is more than one key or more than one item being stored. You use one password or key to encrypt less-sensitive data and then there is no way to prove that you have another key or password encrypting much more sensitive data within the same volume. So the cops ask for your encryption keys, you give them the less-sensitive one, they see your financial records or something else to which they already had access, and cannot prove there is anything else on the volume.

Re:Huh? (4, Informative)

MozeeToby (1163751) | more than 4 years ago | (#29038451)

Um, no. In his editorial (there's no other word for it really), he specifically mentions similar functionality available from TrueCrypt. That is, the ability to host two (or more) encrypted volumes, one with stuff that you might want to hide but that isn't illegal and one with stuff that is illegal that you really want to hide.

The true thrust of his article is that just having TrueCrypt (or any other advanced encryption tool) installed on your machine is enough to pique the interest of law enforcement. If just having encryption installed on the PC is enough to lose privacy and invite harassment, then TrueCrypt and the like create a different problem from the one they solve. Ideally, the author argues, it would be best if everyone had strong encryption on their machines, as part of the OS or as part of some other common piece of software. This way, the police would see nothing out of the ordinary when they see the encryption software, because everyone has it.

Re:Huh? (5, Funny)

Oswald (235719) | more than 4 years ago | (#29038579)

Why the hell are you summarizing the essay (or whatever it is) for him? What makes you think he'll read your post if he didn't bother with TFA? Because your post is shorter? It's still longer than a tweet, so by definition Too Long To Read.

I suggest that in the future you not muddy up someone's confusion with a concise statement of fact.

Re:Huh? (1)

joelstobart (1238490) | more than 4 years ago | (#29038643)

and tweets are too short to be worth reading; which leaves one in a quandary?

Re:Huh? (5, Informative)

kdemetter (965669) | more than 4 years ago | (#29038815)

Actually, Truecrypt can be used as a stand alone executable, which could be put on an external medium, like a usb stick.
That way, you don't have to install it on your system, and there is no way to prove it, unless they find the stick.

Re:Huh? (1)

tom17 (659054) | more than 4 years ago | (#29038477)

And then the law enforcement, knowing that this is the premise of this software and assuming that you lawfully gave them the main encryption key, ask you for the dummy encryption key too as a kinda 'gotcha'. What's that? You don't have a dummy key? Then why are you using this software rather than PlainEncryptionTool?

Of course, I guess there could be the functionality for a 3rd encryption key as a 2nd dummy for these situations, or n-keys so that the law enforcement cannot know how many you are likely to have used.

It would get quite tricky keeping track of all these keys in case you got caught. I hope whatever it is you are hiding is worth it!

Tom...

Re:Huh? (1)

NormalVisual (565491) | more than 4 years ago | (#29038795)

Then why are you using this software rather than PlainEncryptionTool?

"Because it's faster than the other solution, takes up less memory, and didn't cost anything to download." :-)

I have only one thing to say ! (3, Insightful)

OeLeWaPpErKe (412765) | more than 4 years ago | (#29038563)

gWVg+xEojKXMDhE2m4cdSEMYkx1KkL6oTIGqxVFksjxhY6h4aELohkJDrFX+P6ESb/Qmhpjw6ySB
mg6nGIbrWVlQpCSTSaePyU8hCACOiAUQQ7HsV6S5dS9JKiklzPzXpLl1L0kqKSXM/NxpWKAVvARQ
t4DSEpQHz7zVuolJ/gBYUEHwIUUoSymmUFCAIg1H1GFWRL5GEMIP0klImAAdywQgAg3RhAkgsLCC
QcNpCdksSV0tgMgg/6qTIdQIMVDJBEGCdyBAQJ0zbBIOyQ1JAYQGQRogyxsoDGEEIhAkgmJqGoKg
iKTNVL+mmhAQIa7IQkA4VKCUwBWVVAQ+NAgExIGovYL0oETDQKoIRMVQHyacMEh+ilDACHYWxQEJ

oblig. (5, Insightful)

Em Emalb (452530) | more than 4 years ago | (#29038005)

http://xkcd.com/538/ [xkcd.com]

It's funny cause it's true.

Re:oblig. (1)

maxume (22995) | more than 4 years ago | (#29038345)

I always imagine a casual laptop thief not having easy access to my financial documents.

Self-incrimination (5, Insightful)

Anonymous Coward | more than 4 years ago | (#29038011)

A smart crook with stolen state secrets or child porn on their encrypted drives would just tell 'em to fuck off.

5 years in the pen for obstruction of justice ain't shit compared to death for treason or being gang-raped on a daily basis before having to live the rest of your life as a sex-offender.

People will respect you on the inside and the outside because inmates and corporations both don't like snitches.

captcha: harming
  -- Ethanol-fueled

Re:Self-incrimination (4, Interesting)

eldavojohn (898314) | more than 4 years ago | (#29038141)

A smart crook with stolen state secrets or child porn on their encrypted drives would just tell 'em to fuck off.

Well, I can't comment on your claim of "respect" in jail as I've never been but Bennett's lengthy argument is more concerned with those of us that have -- say personal or financial data -- that we just don't want out in the open. Now, since I tell the police to "F off" they probably think that I've got state secrets or kiddie porn (like you just assumed). Which might not be true, I could just be exercising my rights.

So he tries to come up with a modest proposal and in short he suggests it be piggy backed on a popular product so everyone has it installed (meaning installation does not equal incrimination in the eyes of the jury) and also that it has no logs to tell if or when or where it's been run. Also it should be hard to tell that you have encrypted files and he also looks into Truecrypt's double key trick where one key gives you harmless data and only after applying the second one do you get the real stuff. So just give them one key and shrug.

An interesting proposition. Why doesn't he submit a suggestion for such a tool to be included with the Linux kernel or popular distro? Unlikely it'll happen and someone has to write it but since Linux has no fragmentation, it could maybe store headerless file information at the end of the filesystem that looks innocuous. Then give the user information on how much they can fill up before they destroy that data. I'm not a filesystem guy so I don't know how well that would work, just throwing out a suggestion. His requirements are definitely hard to meet.

Re:Self-incrimination (5, Insightful)

Shakrai (717556) | more than 4 years ago | (#29038317)

So he tries to come up with a modest proposal

I have a modest proposal: The good citizens of the UK should vote the bastards running their country out of office.

Re:Self-incrimination (5, Insightful)

stupid_is (716292) | more than 4 years ago | (#29038573)

That shouldn't be a problem - only problem is the bastards that will replace them

Re:Self-incrimination (1)

Shakrai (717556) | more than 4 years ago | (#29038805)

Well, then you've got the jurybox and the ammobox if it comes to that.....

Intelligence is soluble in alcohol

That signature rocks, btw :)

Re:Self-incrimination (1, Interesting)

Anonymous Coward | more than 4 years ago | (#29038413)

Good point, but if the harmless personal or financial data has nothing to do with the reason why the cops want to see your hard drive then it is not feasible to hide stuff from them because of one's stubborn idealism. If that happened to me, I'd just give them the key. That way, I'd be more likely to get my laptop back fast and reducing the likelihood of having it confiscated in the first place.
 
Is it really that difficult to delete midget porn before you go on that trip? Somebody who can't last a week without midget porn is somebody who deserves to be laughed at when they cede their key to the TSA goons.

captcha: rigidly
Ethanol-fueled

Re:Self-incrimination (1)

maxume (22995) | more than 4 years ago | (#29038841)

Showing them your harmless personal or financial data doesn't prevent them from wondering if there is a more sinister volume hidden within the Truecrypt volume.

So you could have nothing to hide from the police, show them all of your encrypted data, and still be suspected of hiding something.

Re:Self-incrimination (-1, Troll)

RiotingPacifist (1228016) | more than 4 years ago | (#29038521)

Now, since I tell the police to "F off" they probably think that I've got state secrets or kiddie porn (like you just assumed).

If you have nothing to hide, once a court "asks" you for data, why not give it!
Move it to the real world, if you have a perfect safe that can only be gotten into with your combination, what would happen? In the UK I'm fairly sure that if you didn't hand over the combination you would be charged with something and spend time in jail, the current ruling makes sense (in the UK)!

Re:Self-incrimination (0)

Anonymous Coward | more than 4 years ago | (#29038223)

self-incrimination is only a small part of the problem here....
The real issue is that you have to prove your innocence by providing something (keys) which YOU MIGHT NOT HAVE.
Actually, this sounds like a REALLY good way to frame someone. Don't like the Arab guy living next to you?
Put a file called plans.crpt on a USB drive and drop it in their pocket. Then phone them in as a terrorist.

Re:Self-incrimination (2, Insightful)

MozeeToby (1163751) | more than 4 years ago | (#29038237)

If you're arguing that the law is pointless because it allows criminals to keep their mouth shut and avoid some prison time, you're wrong.

Without the law the criminals would be off scot-free if they don't share the password. With the law, the criminals are guaranteed a certain amount of prison time for refusing to give the password and still run the risk of being convicted of whatever the police are accusing them of. For example, if the police think some guy has kiddie porn but he won't give his encryption password, not only will he be convicted for not handing over the password he may also still be convictable for kiddie porn based on other evidence (ISP logs for example); especially with the circumstantial evidence that he won't give his password to exonerate himself (the law says that not giving a password is not covered by the UK equivalent to the 5th amendment).

Personally, I think it should be up to the police to be able to make their case without having access to the encryption password. That means getting a warrant and monitoring his internet connection, peering through his window with a telescope, even breaking down the door when it appears he is in the act of breaking the law. I don't understand why the police would want to rely on a single piece of evidence to make their entire case anyway.

ATTENTION! DO NOT MOD DOWN! +5 INFORMATIVE (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29038013)

I submit David Hasselhoff is the AntiChrist

And I have the proof

How can one explain the phenomenal global success of one of this country's least talented individuals? There are only three ways.

        * Mr. Hasselhoff actually is talented, but this goes unnoticed in his own country.

        * Mr. Hasselhoff has sold his soul to Satan in return for global success.

        * David Hasselhoff is the AntiChrist.

            I vote for the latter -- and perhaps, after seeing the facts involved, the rest of the world will agree.

The Facts First, the obvious. Add a little beard and a couple of horns -- David Hasselhoff looks like the Devil, doesn't he? And the letters in his name can be rearranged to spell
fad of devil's hash.

What does this mean? Well, Baywatch is David's fad. David is the devil. The Hash is what makes Knight Rider popular in Amsterdam.

(I was actually hoping to make the letters in his name spell out he is of the devil, which would be possible if his middle name was "Ethesis," which it might be. I'm sure his publicist would hide such a middle name if it were true.)

Second -- and most importantly -- David Hasselhoff and his television series were foretold in the Bible. Biblical scholars worldwide may quibble over interpretations, but they all agree on this. For a few telling examples let's skip to the end of the Bible. If any book of the Bible will tell us who the AntiChrist is, it's the Revelation of Saint John, which basically describes the AntiChrist and the Armageddon He causes. I'll just give you the verse, and the current theological interpretation of that verse.

Who is the Beast?

Rev 13:1 And I stood upon the sand of the sea, and saw a beast rise up out of the sea, having seven heads and ten horns The Beast, of course, is David Hasselhoff. The Heads are His separate television incarnations. Young and the Restless, Revenge of the Cheerleaders, Knight Rider, Terror at London Bridge, Ring of the Musketeers, Baywatch and Baywatch Nights.
The ten horns represent His musical releases: Crazy For You, David, David Hasselhoff, Do You Love Me?, Du, Everybody Sunshine, I Believe, Looking For Freedom, Night Lover and Night Rockers.
Not only does Mitch The Lifeguard literally "rise out of the sea" on Baywatch, but David's musical career has mostly occurred in Europe, a metaphoric rise to fame from across the sea.
Rev 13:3 And I saw one of his heads as it were wounded to death; and his deadly wound was healed: and all the world wondered after the beast. Of course, this is a reference to his third head: Knight of the Phoenix, the first episode of Knight Rider. In this episode, "Michael Long, a policeman, is shot and left for dead. The shot is deflected by a plate in his head, but ruins his face. He is saved and his face reconstructed. He is reluctant, but agrees to use K.I.T.T. to help the Foundation for Law and Government fight criminals who are 'beyond the reach of the law'. " Knight Rider has been shown in 82 countries.
Rev 13:5 And there was given unto him a mouth speaking great things and blasphemies; and power was given unto him to continue forty and two months. The following blasphemies are actual quotes from David Hasselhoff -- I read these while he was 42 years old.

"I'm good-looking, and I make a lot of money."

"There are many dying children out there whose last wish is to meet me."

"I'm six foot four, an all-American guy, and handsome and talented as well!"

"Before long, I'll have my own channel -- I'll be like Barney."

"(Baywatch) is responsible for a lot of world peace." which the Hoff said at the Bollywood Oscars. Don't believe me? Read the original article!

And here's a blasphemy that came from David's recent (Feb 2004) visit to the Berlin Wall museum. I couldn't have made something this great up by myself. He was upset that the museum didn't spend more time devoted to his personal role in the fall of Communism. You can read more about it here, if you don't believe me.

The Second Beast: Television

Rev 13:11-13And I beheld another beast coming up out of the earth; and he had two horns like a lamb, and he spake as a dragon.
And he exerciseth all the power of the first beast before him, and causeth the earth and them which dwell therein to worship the first beast, whose deadly wound was healed.
And he doeth great wonders, so that he maketh fire come down from heaven on the earth in the sight of men,

        The Second Beast, with it's dual antennae, is obviously the Television -- merely a pawn in Hasselhoff's underworldly regime. His stereo speaker (the dragon's voice) spews forth the blasphemy of Baywatch until He has caused all people of the earth to worship and watch Baywatch and Baywatch Nights. How well has he done? Baywatch is now seen by about one billion viewers in 140 countries -- the most watched series ever.

You probably never knew this, but the entire historical purpose of television has been to attract a worldwide audience for the eventual syndication of Baywatch. And how does it accomplish this global distribution? Via satellite - from heaven to the Earth.

Rev 13:15 And he had power to give life unto the image of the beast, that the image of the beast should both speak, and cause that as many as would not worship the image of the beast should be killed. How does television work? By giving life unto Hasselhoff's image. I'm pretty sure the second part hasn't happened yet.

Lifeguards: Denizens of the Underworld

These biblical revelations will show that the lifeguards on Baywatch are foretold as servants of the Devil. (Need I say who that is again?)

Rev 20:11 And I saw a great white throne, and him that sat on it, from whose face the earth and the heaven fled away; and there was found no place for them

Rev 20:13 And the sea gave up the dead which were in it; and death and hell delivered up the dead which were in them...

        Doesn't this sound like an exact description of what the lifeguards on Baywatch do? They sit on their big white wooden throne, and watch out over the sea -- waiting for a dying person to get cast up.
Rev 9:6 And in those days shall men seek to find death, and shall not find it; and shall desire to die, and death shall flee from them.

        One word: CPR

Rev 10:2 And he had in his hand a little book open: and he set his right foot upon the sea, and his left foot on the earth, Sounds like a lifeguard, eh? Standing on the beach reading a paperback?

Rev 17:3-5 ...and I saw a woman sit upon a scarlet coloured beast, full of names of blasphemy, having seven heads and ten horns. And the woman was arrayed in purple and scarlet colour, and decked with gold and precious stones and pearls, having a golden cup in her hand full of abominations and filthiness of her fornication: And upon her forehead was a name written, MYSTERY, BABYLON THE GREAT, THE MOTHER OF HARLOTS AND ABOMINATIONS OF THE EARTH.

    and if that wasn't enough, try
Ezekiel 23:17 And the Babylonians came to her into the bed of love, and they defiled her with their whoredom, and she was polluted with them, and her mind was alienated from them.

        The fabled "Whore of Babylon." Well, people have been calling Hollywood "Babylon" since long before I was making web pages. And of all the women in Hollywood, whose wedding night video is the most popular? Hmmm.... Did someone say "Barb Wire?"

Rev 18:11 And the merchants of the earth shall weep and mourn over her; for no man buyeth their merchandise any more Do you know any merchants who invested heavily in the acting career of this "whore of Babylon?" I've seen that "VIP" show of hers, and I'd be weeping if I had spent money on the merchandising rights.

Rev. 18:21 ... a mighty angel took up a stone like a great millstone, and cast it into the sea,...

        Speaking of lifeguards chucking rocks at innocent people, listen to this excerpt from a recent lawsuit against his Hasselness: "while Plaintiff was in the audience of the Rosie O'Donnell Show, Defendant DAVID HASSELHOFF came on stage and threw a stack of cards depicting himself into the audience, striking Plaintiff in the eye. . . [he] should have known that throwing cards into an audience could cause injury to the audience."

Rev 18:14 And the fruits that thy soul lusted after are departed from thee, and all things which were dainty and goodly are departed from thee, and thou shalt find them no more at all. He stands to lose money in this lawsuit -- or maybe even all those dainty and goodly things he bought.

The Number of the Beast

The Bible shows us another way to prove a person is the AntiChrist, namely through numerology. Rev 13:18 says: "Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six."

That's a bit cryptic, to be sure. One score is twenty, so threescore is 60, the number of the beast is 666.

Now, the way biblical scholars and numerologists usually convert the names of men into their numbers is through a simple numerical code. Let's assign the 26 letters of the alphabet the numbers 1 through 26. It looks like this:

a 1 i 9 q 17 y 25

b 2 j 10 r 18 z 26

c 3 k 11 s 19

d 4 l 12 t 20

e 5 m 13 u 21

f 6 n 14 v 22

g 7 o 15 w 23

h 8 p 16 x 24

Now, we take the letters from Mr. Hasselhoff's name, assign numbers to them, and calculate his number.

D A V I D H A S S E L H O F F

4 1 22 9 4 8 1 19 19 5 12 8 15 6 6

Now, since thirteen is such a fitting number for evil, let's multiply the first 13 numbers together. The total (65,874,124,800) is approximately 6.6 billion. Tack on the remaining 6's from the end of his name, and you've got yourself the mark of the beast.

Another tactic you could use would be to add the letters in "David" (I think you should get 40) and the letters in Hasselhoff (99) and then multiply them together. 40 x 99 = 3960. Now, 3960 is 660 x 6. And of course, 660 plus 6 is -- again -- the mark of the beast.

Not enough proof for you? Well, let's see what else the winning combination of the Bible and numerology have in store for David.....

As he explains it in his interview, David Hasselhoff first decided to act at the age of 7 when he saw a local production of Rumplestiltskin. His acting debut was in Peter Pan. Knight Rider ended its run in 1986, when Hasselhoff was 32. Baywatch debuted in 1989, when Hasselhoff was 35. His first televised role was as Snapper Foster on the Young and the Restless at the age of 19. If we look at the 37th chapter of the 19th book of the Bible (Psalms) -- at verses 32 and 35, we notice an interesting phenomenon. Take a look:

32. The wicked watcheth the righteous, and seeketh to slay him.

35. I have seen the wicked in great power, and spreading himself like a green bay tree.

Viewers of Baywatch may have thought they were watching the good leader Mitch Buchannon -- whose main job as head lifeguard is to watch over the righteous babes at the beach, and save them. According to the Bible, he is really trying to slay them. But can we be sure that the show in question is actually Baywatch? Well, count the number of letters in Rumplestiltskin and Peter Pan. 15 and 8, right? Now look at those bible verses again. Find the 15th word of verse 35 - and the 8th word from the end of verse 32. Put them together.

35. I have seen the wicked in great power, and spreading himself like a green bay tree.
32. The wicked watcheth the righteous, and seeketh to slay him.

TrueCrypt? (0)

Anonymous Coward | more than 4 years ago | (#29038025)

I'm the head of IT for my company.
We use TrueCrypt for whole-disc encryption.
Most companies use something similar. So why is it thought that encryption on computers is few-and-far-between?
AFAI can tell, encryption software is common, bordering on ubiquitous.

Re:TrueCrypt? (5, Interesting)

mlts (1038732) | more than 4 years ago | (#29038381)

I do consulting myself. For individuals and small companies, I urge them in no uncertain terms to either use TrueCrypt [1] (and perhaps give a small donation to the TC Foundation), or if their machine has a TPM, BitLocker. For a small company, the burned system CDs with a known passphrase stored in a tape safe are good enough for a lost password recovery mechanism.

An encrypted laptop with a real passphrase (20 characters if there is no TPM, and over 8-10 chars if there is a hardware mechanism that locks permanently or refuses access for longer and longer periods of time the more wrong guesses given) means that a theft results in an insurance claim and a police report. The same laptop with no encryption can mean having to put a news article in a number of newspapers detailing a breach, and having to provide every single customer with credit record protection for several years. So compared to the cure cost, prevention is very cheap. (TC is licensed at no charge, most laptops for corporate use have TPM security chips so BitLocker is a no brainer, and PGP isn't that expensive per seat.)

Larger companies are a different breed and require different solutions. They need scalable recovery methods. BitLocker can scale by having the recovery data stored in Active Directory. However, for machines without TPMs, I recommend a commercial solution like SafeBoot, PGP WDE, or something with centralized policy control. Reason for this is auditing and recovery which is mandated by a lot of corporate regs (HIPAA, Sarbanes Oxley, etc.)

Other operating systems also have solutions. OS X doesn't have a complete whole disk solution unless you buy PGP or PointSec, but FileVault can do decently for home directory protection. Most Linux distros have some sort of FDE encryption available at install time.

Yes, encryption is out there, and is easily used. The easiest to use by far is BitLocker on TPM based hardware. You turn on the TPM in the BIOS, let Windows take ownership of it, save the recovery info to a USB flash drive (or a TC volume in a safe place), and pretty much forget that it is there. There just isn't a reason for people not to use encryption.

Of course, people ask what does one have to hide that encryption is needed. The answer: A lot. A thief can gather a lot of intel about a company from the data on a laptop, especially if the laptop has the ability to connect to the corporate VPN and log into a trusted E-mail account without a password. Good encryption keeps a thief well away from any data that might compromise a company (or an individual for that matter).

[1]: I've used TrueCrypt, PGP, BestCrypt, WinMagic, and SafeBoot. All are very good. TrueCrypt is licensed at no charge, thus for SMBs, it's almost a must-have.

The Human Solution (4, Funny)

Monkeedude1212 (1560403) | more than 4 years ago | (#29038031)

You see, you keep the noncriminating data encrypted on the computer - and you keep the criminating stuff hidden in the Program Files\Microsoft Office folder.

They'll be so concerned about accessing the encrypted stuff, that when they discover it's just pictures of lolcats and epic fails, they'll stop searching your PC.

As a failsafe, if they DO find your stuff in the office folder, tell them it must be Microsoft's doing!

Re:The Human Solution (0)

Anonymous Coward | more than 4 years ago | (#29038225)

Man I hope this is a poorly thought out joke.

Re:The Human Solution (1)

jgardia (985157) | more than 4 years ago | (#29038411)

Another option is to have a truecrypt file with party pictures that you don't want to show, and a truecrypt partition with the important stuff. You can always say that you have it just for the pictures, and the partition is not encrypted, it's just empty in case you need more space/different os, etc.

Do not collect $200 (1)

auric_dude (610172) | more than 4 years ago | (#29038045)

>Applications>Others>Truecrypt>Busted!

Distress Keys and Images (3, Interesting)

Algorithmn (1601909) | more than 4 years ago | (#29038071)

Some crypto junkies talk about distress keys. Where a user can enter two different keys depending on the situation. The real key loads the real OS. The distress key loads the "fake" OS. There are many ways to detect this in modern experiments. None will work without manipulating low level HD blocking.

Re:Distress Keys and Images (0)

Anonymous Coward | more than 4 years ago | (#29038757)

If you use a smart card with a chip that is protected from tampering (even with the guys that have access to SEM labs), duress code functionality may be a good thing.

However, having just software that does this likely won't do much. Any forensic team who has any experience at all will use a hardware write blocker and be examining the image of a machine in a VM. So, if someone gives them a self destruct code, they will just chop off another finger and say "sorry, try again".

Re:Distress Keys and Images (1)

DrMaurer (64120) | more than 4 years ago | (#29038777)

Uhh, really? I mean, I suppose you could use a variant of LILO to boot to different systems, crippled to not read the disk of the other...

I don't know if that's possible, even. But it makes sense to me...

Comments (4, Insightful)

Hatta (162192) | more than 4 years ago | (#29038075)

If he has comments, he should post them under the story like everyone else. If they are good, they'll be modded up. There's no reason to post two stories on the front page on the same day for the same event. It's still a dupe, even if you acknowledge the previous story.

Re:Comments (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29038267)

shut the fuck up fag. i'd beat the shit out of a little bitch like you.

Re:Comments (5, Insightful)

ojintoad (1310811) | more than 4 years ago | (#29038711)

If that's true, then let's run an experiment. I'll completely copy a comment that got +5 insightful on the other thread. [slashdot.org]

It's an appalling piece of legislation for a number of reasons:

1. It makes forgetting your decryption key/passphrase/whatever illegal. Yes, seriously. The burden of proof is on the accused to show that they can no longer decrypt the data - how the hell do you prove you don't have something?

2. The people who it was originally intended to inconvenience - the real terrorists, if you like - aren't going to be even remotely concerned by it. They know full well that there is a risk they'll be caught and spend time in jail. If it's a choice between "reveal the decryption key, thus providing the police with the only evidence they're likely to find which implicates you and a number of others for so many criminal activities you'll be in prison for 20 years and when you get out you'll get a bullet in the head for the people who you dropped in it" or "keep your mouth shut, go to prison for two years", I wonder which one they'll chose?

why isn't this the default during user setup? (5, Insightful)

Raleel (30913) | more than 4 years ago | (#29038079)

I've often wondered why when you are setting up your user account on a box, and it gets to the part with setting up email, it didn't give you a chance to generate or import public/private keys right there and then upload the public to a server. Particularly on linux boxes, this seems like a completely feasible option.

One might also envision having a secret key storage mechanism, either by local external media or via remote storage where it could go look.

One place to hide is game files. (5, Interesting)

mr exploiter (1452969) | more than 4 years ago | (#29038089)

One option to hide well the existence of encryption software and data could be to put them among game files.

It's common for games to have large data files, for example precompiled texture caches. You could change the program extension from .exe to .whatever and put it between those files. For extra stealth use a rarely used packer (to avoid signature matching) and also erase the first 2 bytes of the executable 'MZ', and use a good editor to put it back in place before executing it. The data is encrypted and I don't think the NSA has a parser for any arbitrary file in existence (game files in this case) so they won't suspect a thing. Make sure that the date of change of those files doesn't draw attention to them.

Re:One place to hide is game files. (4, Informative)

shadowknot (853491) | more than 4 years ago | (#29038449)

This is a perfectly viable option but, as someone working in computer forensics, the major issue missed in this editorial and the subsequent comments is that most people really can't be bothered with encryption. I have examined many computers with versions of truecrypt and other, less reputable, encryption packages on them that are simply not used. Maybe I was foiled I hear you say and maybe yes I was (in my recollection there were no large unknown files with cryptic looking signatures and unfathomable data structures (normally a big pile of what looks like junk)) but the evidence was still resident (possibly replicated) in the unencrypted portion of the filesystem anyway.

If I were to have the ability and/or inclination to design a system of encryption designed to not arouse suspicion it would have to be something that is there by default like having a separate partition or container file for each user with the encryption tied-in to their user account so when logging in their login credentials are the encryption key and the volume is auto mounted transparently. Maintaining a separate file or partition for each user would assure privacy both within the system and upon any kind of post-mortem analysis (such as a forensic analysis using EnCase, FTK or TSK). These are just my musings and as the author of the article said getting any kind of wide support for such a technology is unlikely and will probably never happen. It's interesting to muse on it however!
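From the examiner's side, the header edit discussed in this sub-thread leaves the rest of the PE structure in place, so a file can be classified from the `e_lfanew` pointer and the `PE\0\0` signature rather than from its name or first two bytes. The following is an added example, not code from any commenter or forensic product; the file names and the minimal header are constructed for the demonstration.

```python
import struct

PE_EXTENSIONS = {"exe", "dll", "sys"}
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32 header (headers only, not a runnable program)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"                            # e_magic
    struct.pack_into("<I", dos, 0x3C, 0x80)     # e_lfanew -> offset of "PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)   # PE32 magic + padding
    return bytes(dos) + b"PE\0\0" + coff + optional


def classify_pe(data: bytes) -> str:
    """Return 'pe', 'pe-header-stripped' or 'not-pe' based on structure alone."""
    if len(data) < 0x40:
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the signature (4), the COFF header (20) and the optional magic (2).
    if e_lfanew < 0x40 or e_lfanew + 26 > len(data):
        return "not-pe"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if machine not in KNOWN_MACHINES or opt_magic not in (0x10B, 0x20B):
        return "not-pe"
    return "pe" if data[:2] == b"MZ" else "pe-header-stripped"


def scan(files: dict) -> list:
    """Report files whose content is PE but whose magic or extension disagrees."""
    findings = []
    for name, data in sorted(files.items()):
        verdict = classify_pe(data)
        ext = name.rsplit(".", 1)[-1].lower()
        if verdict == "pe-header-stripped" or (verdict == "pe" and ext not in PE_EXTENSIONS):
            findings.append((name, verdict))
    return findings


def constructed_game_folder() -> dict:
    """Constructed directory contents for the demonstration."""
    pe = build_sample_pe()
    return {
        "game.exe": pe,                       # ordinary executable
        "shaders.pak": pe,                    # renamed only
        "textures.cache": b"\0\0" + pe[2:],   # renamed and 'MZ' zeroed
        "level1.dat": b"texture cache " * 40, # genuine data file
    }


if __name__ == "__main__":
    for name, verdict in scan(constructed_game_folder()):
        print(f"{name}: {verdict}")
```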

Plausible Deniability (1)

daffy951 (546697) | more than 4 years ago | (#29038097)

You may find this interesting: http://www.truecrypt.org/docs/?s=plausible-deniability [truecrypt.org] "In case an adversary forces you to reveal your password, TrueCrypt provides and supports two kinds of plausible deniability"

Re:Plausible Deniability (1)

RiotingPacifist (1228016) | more than 4 years ago | (#29038327)

which is pointless as the fact you have truecrypt gives away that you have a hidden partition (and as it's impossible to chain hidden partitions, you can't hide your data in a 3rd one)

Re:Plausible Deniability (3, Interesting)

sifi (170630) | more than 4 years ago | (#29038617)

According to truecrypt (and my limited understanding). What you do is this:

1) Setup an encrypted volume (password=dummy)
2) Put some plausible files in the volume (secrets.txt - full of information you don't mind others seeing)
3) Create a hidden volume (within the first encrypted volume) (password=secret)
4) Put your real secret stuff in here.

When you use the partition you use the (password=secret) and get access to the hidden volume, should the police turn up tell them that the password is dummy, and all they see is "secrets.txt"

The clever part is that it is impossible to tell whether there is a hidden volume or not as the space that it occupies is normally full of random data anyway.

More details here:
http://www.truecrypt.org/docs/?s=security-precautions [truecrypt.org]

Re:Plausible Deniability (1)

Bluesman (104513) | more than 4 years ago | (#29038621)

You can have a hidden partition WITHIN the encrypted partition. It's impossible to prove it's there. So you give the password, complying with the law, and say, "Yeah, I encrypted these documents because they have personal data on them."

Now what? They say that you must have another password? Based on what? It's impossible to prove, and you've ostensibly cooperated every step of the way.

argh (0)

Anonymous Coward | more than 4 years ago | (#29038117)

So now this Bennett dumbass has editors other than kdawson posting for him? wtf?

Can we get an option to hide stories from submitters, not just editors? I never want to see anything Bennett submits ever again. Please give me that option. Even hiding kdawson stories won't help now, it seems.

Pffft. (1)

Aim Here (765712) | more than 4 years ago | (#29038129)

Why hide your sooper seekrit encrypted data? Just run uuencode or MIME/Base64 encode on a few megabytes of /dev/random and rename it 'killobama.txt.php' and let the spooks knock themselves out trying to uncover your fiendish plot.

Just keep your REAL encrypted gubbins between the regexp delimiters in your perl scripts and nobody will be any the wiser.

Re:Pffft. (4, Insightful)

nedlohs (1335013) | more than 4 years ago | (#29038475)

because when you can't provide them the encryption keys for that random file they'll lock you in jail for 2 years.

Re:Pffft. (1)

Aim Here (765712) | more than 4 years ago | (#29038709)

Not legally, surely.

Now obviously a country that can pull people from , stuff them in orange jumpsuits and have them tortured in , isn't all that worried about due process n'all, but I was led to believe that in order to sentence you in a courtroom to jailtime, they'd have to prove beyond a reasonable doubt the falsehood that your random file was in fact encrypted sooper-seekrit stuff, and not just a chunk of random file. Which, if the law works the way the guvmint say it does, should be impossible.

So umm, you're maybe right in practice, if not in theory.

Business opportunity for Pirate Bay? (4, Interesting)

gambino21 (809810) | more than 4 years ago | (#29038135)

Maybe this is a new business opportunity for the Pirate Bay. In addition to the private VPN service, you could also get remote anonymous encrypted storage. If you only access the storage through the VPN, it could make it pretty difficult to track.

4th, 5th Does not apply in the UK (or the US) (1)

Duradin (1261418) | more than 4 years ago | (#29038151)

Instead of focusing on hiding *LEGAL* activities perhaps some effort should be directed towards making sure that our rights to be free of unwarranted search and seizure, to be secure in our person and our documents and most importantly the rights to not being required to incriminate ourselves are not so easily and casually violated.

Unfortunately the only way to ever truly and safely encrypt something is to not store that information at all. "Never write when you can talk, never talk when you can nod, and never, ever, put anything in an email."

hide it in your bra (4, Interesting)

bombastinator (812664) | more than 4 years ago | (#29038161)

The standard technique for moving such files a while was to hide the data inside pornography. They are one of the most commonly trafficked file types on the internet and people prefer not to look at it too closely. Or did before it became a standard..

Re:hide it in your bra (2, Funny)

Shakrai (717556) | more than 4 years ago | (#29038395)

The standard technique for moving such files a while was to hide the data inside pornography. They are one of the most commonly trafficked file types on the internet and people prefer not to look at it too closely

You wouldn't happen to know where I could apply for a job looking for this hidden data, would you?

Ubuntu. (0)

Anonymous Coward | more than 4 years ago | (#29038163)

Ubuntu seems to be including an encryption tool. But the configuration information reveals whether you've enabled it. If you manually mount your encrypted data there is no indication that you are the creator of that suspicious file... other than it being your computer.

Strong crypto is often pointless (3, Insightful)

harl (84412) | more than 4 years ago | (#29038181)

What all the talks on crypto seem to forget is that crypto only protects your data when you are not using it.

If they are investigating you to the point where they are going to be seizing your computer they have means of acquiring your password.

They can get a warrant and put a key logger on your system. Optionally they could acquire a warrant to install some sort of surveillance with the intent of either shoulder surfing the password or to simply read the data off the screen.

Re:Strong crypto is often pointless (0)

Anonymous Coward | more than 4 years ago | (#29038399)

been there done that [cnet.com]

the govt will just get a black bag warrant to put a keylogger on your computer, snag the passphrase, and it is game over

you check the back of your computer every time you use it to see if there's a keylogger attached to the keyboard, right?

Re:Strong crypto is often pointless (2, Informative)

s31523 (926314) | more than 4 years ago | (#29038429)

Exactly! Case in point: My buddy has encryption running on his laptop to encrypt files for work (financial spreadsheets, etc.). I bet him a six pack I could pull up a spreadsheet. So I basically ran a file recovery program (he was smart enough to "delete" the unencrypted file after use) and pulled up a spreadsheet of his. After I took part in my reward I showed him what I did and then gave him a shredder program that decreases the chance of file recovery. I am sure some crypto programs have this whole process integrated, but he was just using a stand alone program. This is a very good point, most people seem to forget about what happens to the unencrypted file after its use.

Re:Strong crypto is often pointless (1)

Kjella (173770) | more than 4 years ago | (#29038831)

If they're aware or assume that you have an encrypted system, then yes. What's the odds of that really? It's pretty much impossible to find out from the outside. Are they going to covertly sneak into your house to figure that out, and see if they need to do covert surveillance? Yeah, right. In about 99.9% of the cases they'll come in with a normal warrant, and then you're already tipped off. If you know the police is onto you, then this just won't work. Either you stop, or you rig some kind of tripwire system to tell you it's been tampered with. Halting an intruder is hard, detecting that there's been an intruder not so much.

TrueCrypt Hidden Volume - DUH (0)

Anonymous Coward | more than 4 years ago | (#29038191)

TrueCrypt thought of this problem a long, long, long time ago. It's called a hidden volume. It is designed *specifically* to deal with the problem of an adversary forcing you to reveal your key/password. Read more at http://www.truecrypt.org/hiddenvolume and http://www.truecrypt.org/docs/?s=hidden-operating-system

Re:TrueCrypt Hidden Volume - DUH (1)

lordandmaker (960504) | more than 4 years ago | (#29038401)

He mentioned TrueCrypt. Read more at the paragraph starting "A program called TrueCrypt achieves something close to this"

A long long time ago (0)

Anonymous Coward | more than 4 years ago | (#29038201)

About 99 or 2000, I found a browser made by a hacker on one of my random hacking sites. It had some really cool features, such as split screen browsing(as opposed to tabs, back then I thought it was quite novel) but one feature that stood out was that it had a built in message encryption/decryption tool for text. So you write a plaintext email, select the text and select the algorithm and strength and the opposite for when you got it back. I'm talking about using it for email but it had many other potential uses, and the whole browser was still light and fast. I think I agree that the best way nowadays to make something really really common is to make it into a browser. On a side note, about once a year I dig through my old file archives and favorites trying to find this old hacker browser, and still haven't found it.

Re:A long long time ago (1)

lordandmaker (960504) | more than 4 years ago | (#29038339)

This sounds like Nucleii (I'm pretty sure there were two i's). Which I found at a similar time, and haven't seen any trace of since shortly afterwards.

Re:A long long time ago (1)

clone53421 (1310749) | more than 4 years ago | (#29038653)

Seems to me there was a story on here recently [slashdot.org] about a firefox plugin called "Vanish" that does basically this, but distributes the key on a P2P network so that the user never knows it. Due to the way the P2P network works, the key is irrecoverably lost after ~8 hours.

Ubuntu and gnupg (0)

Anonymous Coward | more than 4 years ago | (#29038229)

While this does not do everything you want, every computer with Ubuntu already has gnupg installed - it is used by the package manager to verify the downloaded packages. You could use the atime on the gnupg executable to see if it has been used, except that the package manager itself already uses it, and if you use noatime instead of the default relatime (which you should, to get a little bit more performance while only breaking stuff if you do not use Maildir, which again you should for several reasons), there is no way to tell it has been executed.

The only missing piece of the puzzle would be to get a Perl guru to coin an easily-memorizable one-liner which does simple steganography (it has to be easy to memorize so you can type it every time you want to use it, remembering to temporarily disable bash's history functions first).

Make it part of the OS or... (4, Insightful)

bhsx (458600) | more than 4 years ago | (#29038235)

If it's not going to be a part of the OS itself, make it a part of the browser. Firefox could "reclaim the heart of the people" by adding this as a part of browser security. By default, the browser should encrypt all personal data, such as passwords and even file/URL history. Add a small option as a menu item in Tools/Privacy/Encryption/Personal History and allow you to create as large a file as you want (password protected of course) and use the browser to save to/browse the file.
This tool should also use a form of "hidden volumes" like truecrypt and it should save in the browser history folder, but give you the option to create it anywhere you want.
If 25%-plus of the population has it installed, it becomes much less suspicious.
Hell, if MS put it in IE 8.1 it would possibly even win-over the geek crowd.

Long and totally empty article (0)

Anonymous Coward | more than 4 years ago | (#29038257)

Ad 1: Whoever wrote the article is paranoid and should be treated.

Ad 2: The article is totally false from the first letter on. The reason is: all encryption can be broken. The NSA has found a math proof and a practical mat framework which cracks both prime based and ellipse based ciphers in practical time using 5000 node or larger x64 supercomputers. Forcing you to divulge the key or go to prison is simply a way to save on the electricity bill in Langley or the MI5/6 headquarters.

Ad 3: I can't understand how anybody could believe in strong encryption in the first place. If there was anything easy to cipher and harder to crack, it would violate the conservation of energy. Essentially you could run a perpetual machine off AES power. This is so trivial!

Plausible deniability (0, Redundant)

Bluesman (104513) | more than 4 years ago | (#29038259)

Truecrypt solves this problem: Plausible Deniability [truecrypt.org]

In effect, you can encrypt some stuff, and encrypt another volume with a different password. The second volume is indistinguishable from random data, so if you give the password to the first volume, there is no way to prove that you are withholding anything.

They also offer hidden volumes within encrypted volumes for the same reason. There's no way to ever prove that a person has withheld ALL of the passwords, or that any data even exists in that space.

Re:Plausible deniability?! What about entropy?? (0)

Anonymous Coward | more than 4 years ago | (#29038627)

I've been wondering about this for some time. I'm no crypto expert, but no amount of AES/Twosword encryption and/or Spinfish hashing will alter the entropy or correlation function of the volume's content. So IMHO it is possible to generate entropy 'fingerprints' or correlation functions of most felonious data (kiddy pron, state secrets etc.) and match these against the volume contents. Simply said, if I have a document in plain English, some characters will correlate more than others. The sequence 't-h-e' will for instance be more prominent than 'x-v-b'. Encrypting with anything other than a one-time-pad (i.e. an absolute random (correlation==0) encryption key with exactly the same bit length as the data to encrypt) will IMHO not change the correlation function. So the encrypted data can be identified as a plain English text document. Same will apply mutatis mutandis for pictures and movies. Or am I missing something???
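The question asked above can be put to a measurement. This added example (not from the thread) computes byte entropy and counts the trigram "the" in constructed English text before and after encryption, then scans a constructed disk image for high-entropy windows the way a triage tool would. The cipher is a stand-in HMAC-SHA256 counter keystream chosen so the example needs only the standard library; it is an assumption, not AES and not TrueCrypt's code.

```python
import hashlib
import hmac
import math
from collections import Counter

# Constructed sample paragraph, repeated to build larger plaintexts.
PARAGRAPH = (b"The police found the encrypted volume on the laptop, but the "
             b"owner said that the file held nothing more than the photos "
             b"from the party and the notes for the meeting. ")


def sample_text(n: int) -> bytes:
    """Return n bytes of constructed English text."""
    return (PARAGRAPH * (n // len(PARAGRAPH) + 1))[:n]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, counter) blocks.
    Applying it twice with the same key restores the input."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def high_entropy_regions(image: bytes, window: int = 4096, threshold: float = 7.9):
    """Return (start, end) offsets of runs of full windows above the threshold."""
    regions, start = [], None
    for off in range(0, len(image), window):
        chunk = image[off:off + window]
        hot = len(chunk) == window and shannon_entropy(chunk) > threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(image)))
    return regions


def build_image(key: bytes) -> bytes:
    """Constructed 'disk image': text, zero fill, ciphertext, text."""
    return (sample_text(16384) + bytes(8192)
            + keystream_encrypt(key, sample_text(32768)) + sample_text(8192))


if __name__ == "__main__":
    key = b"constructed demo key"
    pt = sample_text(65536)
    ct = keystream_encrypt(key, pt)
    print(f"plaintext : {shannon_entropy(pt):.3f} bits/byte, 'the' x {pt.count(b'the')}")
    print(f"ciphertext: {shannon_entropy(ct):.3f} bits/byte, 'the' x {ct.count(b'the')}")
    print("high-entropy regions:", high_entropy_regions(build_image(key)))
```

The same scan shows the examiner's side of the trade-off: the contents of the encrypted region give no statistical hint of what was encrypted, but the region itself stands out from text and zero fill.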

Francis Bacon got here first (1)

Kupfernigk (1190345) | more than 4 years ago | (#29038261)

Back in the 17th century he suggested sending encrypted messages by various nonobvious means, for instance firing a gun at intervals that represented a binary code, or making prick marks through certain letters in a book. In effect, back to steganography.

Steganography was very big at the time. For instance, some people believe that Wm Shakespeare was involved in the King James Bible but could not be credited because, as an actor, he was not respectable. Find the King James Version, find psalm 46, find 46th words from the start and the end. The nice thing is it could be pure coincidence, which is a core principle of steganography.

How to hide encrypted data? Easy... (1)

Viol8 (599362) | more than 4 years ago | (#29038283)

Tag it into the end of some other sort of binary file (executable, image file etc) that will work fine with extra data on the end but is not human readable therefore cannot be easily checked. Eg adding binary data onto the end of a .txt file would be spotted by all but the most stupid technician.

Re:How to hide encrypted data? Easy... (1)

maxume (22995) | more than 4 years ago | (#29038417)

If I were doing serious forensics work, I would hash and categorize every file I ever saw (on any system). I can't imagine this idea is particularly original, and it would quickly expose any interesting binary files ('quickly' especially in terms of investment of human time).

Why would you have the software on your computer? (1)

ceoyoyo (59147) | more than 4 years ago | (#29038291)

Why would you have the software on your computer anyway? Encrypt your data, put it in an unmarked area of the drive and delete the encryption program. Travel. When you want to decrypt the data, download the decryption program (better do it on a USB stick) and run it. The data, while encrypted with a decent algorithm, looks like random noise on the hard drive unless it's VERY carefully analyzed. Just don't write anything to the drive in the meantime.

This whole "story" seems suspiciously like an attempt to work the buzzword "social" into the discussion.

Re:Why would you have the software on your compute (1)

Locklin (1074657) | more than 4 years ago | (#29038655)

I don't know of any encryption software that creates an encrypted file that isn't easily identifiable. Heck, running "file passwords" on my machine results in:

passwords: GPG encrypted data

I'm sure it's possible to try to hide encrypted data as noise, but that doesn't seem to be the default operation

Portable steganography (2, Interesting)

xtracto (837672) | more than 4 years ago | (#29038303)

Whether you're talking about encryption software or stego software, if it's a program that not a lot of people have installed, then just by virtue of having it on your machine, you'll attract suspicion if your machine is seized.

Using a portable program like hide-in-picture (http://sourceforge.net/projects/hide-in-picture/) along with some easy to use portable GUI to make it easier to hide several files is a suitable solution.

On the one hand, you could have such program (along with any indexing it creates) in a USB thumb drive, or just upload it somewhere in a server where you always have access (thus, you do not need it in your computer while passing through unreliable points).

On the other hand, pictures are something that everyone has in their computers (I have around 4GB of pictures taken with 5megapixel cameras...). Thus, it should be trivial to hide whatever information in such libraries.

The steganography technology already exists, what is still lacking is software which makes it easy and convenient to use it. That is what truecrypt did for cryptography.

The issue with truecrypt (or other crypto program) is that even when using a portable version, a fast WinDirStat scan will yield some big files.

OK, how about this... (1)

Zocalo (252965) | more than 4 years ago | (#29038305)

You don't put the program on your computer; you keep it as a portable executable on a memory stick that is kept somewhere where it's highly unlikely to be found by a casual search; not too difficult given how small they can be. Combine that with something like TrueCrypt's hidden partitions that are supposedly(*) undetectable and as long as you don't slip up and divulge the fact there is a hidden "key", you can leave them searching through some suitably innocuous collection of data files.

(*) I refuse to believe in any "absolutes" like this when it comes to IT; many of the more innovative exploits out there take advantage of the mistaken belief that something can't be done or isn't an issue. People used to say it wasn't possible to write a program that could replicate by itself, and we all know how that turned out.

Re:OK, how about this... (1)

Locklin (1074657) | more than 4 years ago | (#29038837)

TrueCrypt's hidden partitions are only hidden because they are inside another, regular TrueCrypt partition, which is relatively easy to discriminate. If I find a TrueCrypt partition, why would I care whether you had the software installed?

Not worth a lot (0)

Anonymous Coward | more than 4 years ago | (#29038307)

I am ardently in favor of a huge increase in deployment of encryption. Everyone should encrypt everything by default. There's no such thing as information "not worth encrypting," because processors are so damn fast; encryption is free.

That said, I don't see the big deal about plausible deniability. (Granted, I don't live in UK.) When goons get you tied to a chair, you have lost. It's over. Plausible deniability doesn't change that. You're going to give up the goods, and your dignity has already been violated.

So it's about not attracting suspicion? I don't buy it. There is way too much crime and accidents, for use of encryption to even be a modest hint that someone is doing something possibly suspicious. Things get stolen. Laptops get lost. Backup tapes go unaccounted for. These are very real, not theoretical, risks. It's not weird to protect against such risks; it's simply wise.

So I guess while I'd like to see plausibly deniable encryption be deployed on a wide scale, it's really just because I want to see encryption deployed. If deniability is the marketing gimmick that gets the job done, well ok, I'm not going to complain.

As for UK, y'all just need to repeal that law. You have an evil government, and installing some kind of magic software isn't really going to fix your problem.

Removable media a better option? (1)

Exp315 (851386) | more than 4 years ago | (#29038311)

This whole problem has arisen because people are storing everything on a single hard drive now instead of using removable media as they did in the past, e.g., with floppy disks. Removable media makes it easy to take your sensitive data away and hide it. Removable media can be encrypted. And if you have multiple units, you can plausibly claim that you forgot the password to that old disk because you don't use it every day (a claim that's hard to make about your main hard drive).

meta stego (1)

stiller (451878) | more than 4 years ago | (#29038321)

Hide the stego program inside another binary. Running an application with a hidden option would then turn it into a stego program. No idea how viable this is.

Encrypted USB Drive (1)

SevenHands (984677) | more than 4 years ago | (#29038329)

Why not just put the sensitive data on an encrypted USB drive. These devices are far from rare these days, so common that I'd venture to guess that Grandma down the street probably has her raspberry jam recipe encrypted, just because that's how the damned thing is set up when you plug it in.

Software with single+double key technique (0)

Anonymous Coward | more than 4 years ago | (#29038335)

Er, instead of going to those lengths, why not just include this 'double key' encryption technique in commonly used encryption software (which might also pack as well), and have a *choice* of using an ordinary single key or a double key. Software such as winrar or 7zip could add it for instance.

TrueCrypt (4, Interesting)

skiman1979 (725635) | more than 4 years ago | (#29038341)

A program called TrueCrypt achieves something close to this -- TrueCrypt allows you to encrypt a storage volume with two different passwords, so that one password provides access to "innocent-looking" data, while the other password provides access to the data that you really want to keep secure. If someone is compelled to give up their password, they could provide only the password that unlocks the "innocent-looking" data -- and there's no way, from examining the encrypted file, to tell that there is a second password guarding even-more secret data. (Of course, the "innocent-looking" data can't be truly innocent-looking, because it has to look like the kind of thing that someone would believe you might want to encrypt -- so it should look suspicious enough that you would genuinely want to hide it, but not bad enough to get you in real trouble if you're forced to reveal it!) The Achilles heel of this scheme is that just having TrueCrypt on your computer in the first place, would at least signal to an intruder that you're encrypting files. And even if they can't prove that you might have another "super-secret password" guarding more private data on your encrypted volume, they would certainly suspect it, if they already had grounds to be investigating you and if they knew anything about how TrueCrypt works. To provide true plausible deniability of any encryption at all, you need a program that already exists on lots of people's machines, so that an intruder doesn't suspect anything when they find it on your computer.

It's been a while since I've used TrueCrypt, so maybe things have changed. I do remember the feature where you can have a 'hidden volume' inside your TrueCrypt encrypted volume, which sounds like what the quote above is talking about, that is protected by a second password. The thing with TrueCrypt is, at least the version I used around 2003, you don't have to have the software installed on the computer in order to use it. TrueCrypt can run entirely off of a flash drive or other removable media.

From what I understand, the hidden volume's data is stored in the free space of the main encrypted volume, so the filesystem doesn't actually have handles to this data, something like that. I wonder if it would be possible to store this hidden volume directly inside the free space of an NTFS volume instead of inside a TrueCrypt encrypted volume? So then an intruder would have to know that TrueCrypt was used, and then use the tool to scan the NTFS volume for hidden data, rather than just seeing that there's an encrypted volume there, and suspect there may be hidden data as well.

Re:TrueCrypt (1)

RMH101 (636144) | more than 4 years ago | (#29038769)

Your point is cogent, informative, and well-written.
Are you new here?
I'd just add that TC state that their hidden volumes are indistinguishable from random noise, i.e. cannot be detected.

Installed? Sure! But not used (4, Interesting)

honestmonkey (819408) | more than 4 years ago | (#29038357)

I have a bunch of programs on my computer that are installed because they seemed kind of cool, but that I never used because I'm lazy or they weren't so cool after all. So yeah, Truecrypt is on my PC, but I never used it. Forgot to delete it, thought I might use it one day, maybe. So I don't have a password or anything encrypted.

Why does having the program imply use? I've got a weed-wacker in my garage I haven't used in years. Tent up in the attic, I haven't been camping in decades.

I've got utilities that were going to save me time and money, some of which I even paid for, that I never used beyond the initial install. That's my story, and I'm sticking to it.

plausible deniability (1, Interesting)

Tom (822) | more than 4 years ago | (#29038365)

What a long piece of nonsense.

We solved this problem 20 years ago. It's called "plausible deniability". There are various ways to get it. The easiest one is this:

Use an encryption tool that can hide encrypted volumes, like TrueCrypt.
Encrypt your porn collection on the outer shell, your private data on the inner.
If someone asks for your decryption key, stall a bit, then blush and hand them the porn key.

Obviously, you didn't want your wife to find out about your porn collection, which is why you encrypted it. No, officer, there's nothing else there.

Modify for your particular case. If you have serious sensible material, you need more serious stuff to hide it behind, e.g. the e-mails from your mistress or whatever.

There's no need whatsoever for any complicated solution. On the contrary, it makes you more vulnerable, not less.

Encryption != suspicious (1)

GargamelSpaceman (992546) | more than 4 years ago | (#29038441)

Encrypting one's entire filesystem ( especially on a laptop ) is a common corporate policy to prevent a stolen laptop from resulting in bad guys getting company data. Having such software installed is common for legitimate reasons.

A promising looking p2p data storage system which meets your requirements is this: http://www.madore.org/~david/misc/freespeech.html [madore.org] . It's based on the fact that the same data can be interpreted in more than one way. 128k of bytes can be interpreted by another 128k of bytes as an MP3 song fragment, or by yet another 128 k of bytes as an illegal list of credit card numbers.

bundle program with os... (1)

zoso (105166) | more than 4 years ago | (#29038487)

Bundle program with os (so it's installed on every computer) and use encrypted distributed storage (there are some projects out there) as virtual hard disk.
Connect to that disk manually on every computer startup so there are no traces in init.d/autoexec.bat.
I was thinking about using the unused parts of the harddisk but the encrypted data bits should be really random while your deleted jpegs aren't so it would be very easy to detect....

Widespread encryption software (1)

PishiGorbeh (737623) | more than 4 years ago | (#29038495)

What about Microsoft's Bitlocker? It's built into most editions of Vista and Windows 7. Is that not what was meant by widespread?

Re:Widespread encryption software (1)

PyroMosh (287149) | more than 4 years ago | (#29038849)

And EFS before that (in XP, and I believe 2000). Seriously, this is not a new thing. I completely agree with you. I'll go out on a limb and call Windows "common".

What the author fails to mention, is that the application not only has to be very common, but it has to leave no obvious trace of encryption. It would be trivial to write a batch file, or application that lives on a flash drive, and you plug into a notebook, which then interrogates the notebook, and says, "hey, have any BitLocker / EFS stuff?" and then the OS gives it up. The hooks are there FOR that purpose, right in the OS, right next to the ones that say "show me all shared files" and "show me all files named 'bob*.*'"

Instead, the author really wants something common, but with Trojan Horse functionality. Like if Photoshop had a built-in function to store a tiny bit of data in each and every jpg on a hard drive, evenly distributed among all of them. Then it becomes a question of "our scans detected encrypted data. Please decrypt it so we can check it out".

Hell, Winzip, 7zip, and WinRAR are very common too. They all support (admittedly weak) encryption, but they also fail the first test. The presence of the files is easy enough for any smart app to find, and determine the encrypted nature of.

Right to remain silent... (3, Informative)

Anita Coney (648748) | more than 4 years ago | (#29038525)

In the US the government can force a suspect/defendant to turn over a key to the safe, but not to turn over the combination to the safe.

Doe v. United States, 487 U.S. 201 (1988)

Um, what if it is a standard? (2, Insightful)

filesiteguy (695431) | more than 4 years ago | (#29038533)

Okay, the author makes an interesting statement - unless you have something to hide, why encrypt? IOTW, for those looking at computers, the author argues that encryption is not widespread enough to have it be looked at without suspicion.

Now - let's turn it around. In my work, we mandate that all laptops and usb keys are encrypted. Always. When we get a laptop (I think my department has around 800 laptops, with mine the only one running Ubuntu.) the hard drive gets encrypted. Any USB key gets encrypted.

I do the same for home. My three desktop PCs (two Ubuntu one Vista) are all encrypted.

Why?

In the case of work, they don't want the possibility of any portable device having personal or otherwise compromising data being stolen. (See: http://www.washingtonpost.com/wp-dyn/content/article/2006/09/21/AR2006092101602.html or http://blog.internetnews.com/agoldman/2009/04/lost-laptop-okdhs.html for examples.)

In the case of my house, I don't want the possibility of my home PC being run off with my last year's tax statements in plain view. (Actually I have those on a separate hard drive, but you get the idea.)

Now - for downloading pr0n, one should simply do what comes naturally and use a neighbor's open unprotected wifi connection... ;)

A twist on TrueCrypt (2, Interesting)

stevegee58 (1179505) | more than 4 years ago | (#29038577)

OK, first off you idiots who didn't read the whole editorial and suggested TrueCrypt: try expanding your attention spans beyond the length of a tweet.

Now on to my own contribution. Since TrueCrypt is open source, one could come up with their own custom build that would no longer have the same appearance as the original. By appearance, I mean the GUI could be modified or eliminated (command line only). In addition the executable file could be sufficiently scrambled so that its pedigree could be hidden: it would not look like a TrueCrypt derivative.

One project that's on my to-do list is to make a customized version of TrueCrypt's whole-disk encryption (with bootloader) that makes the computer look like it's broken when you try to boot it. Talk about deniability. You just tell them they broke it. In reality it's prompting you for a password but it just doesn't look like it.

Political action, not more tech (1)

cohomology (111648) | more than 4 years ago | (#29038581)

Did you vote in the last election? Did you campaign door-to-door? When was the last time you attended a demonstration? These are the things that will improve your legal rights, not trying to use tech to hide your use of encryption.

For a start, you might snail-mail your representative and ask how you can communicate with their office privately, now that governments are starting to claim the right to intercept and store snail-mail, email, and telephone calls.

trivially fixed (2, Funny)

Nomen Publicus (1150725) | more than 4 years ago | (#29038635)

I keep telling people, "Keep your illegal porn and plans to assassinate [insert name here] on other people's PCs."

what about Wuala? (3, Interesting)

Ianopolous (1080059) | more than 4 years ago | (#29038641)

Doesn't Wuala solve this? It stores your files in encrypted pieces spread over multiple remote machines (so you can't see the size used without your password). It already has a large number of users as well. The password is not stored anywhere.

What happened to... (1)

Dyinobal (1427207) | more than 4 years ago | (#29038663)

What happened to simply "I forgot my password". You know going to jail and such is a traumatic experience I can see no reason as to why one might not be able to recall their password/phrase.

VIRUS WRITERS HELP US. (1)

gurps_npc (621217) | more than 4 years ago | (#29038721)

Please, write a virus that installs TrueCrypt on every computer it infects.

There, solved the problem of suspicious because he has the file.

Shit outta luck (1)

plams (744927) | more than 4 years ago | (#29038729)

Convenience and plausible deniability [wikipedia.org] are somewhat mutually exclusive. Forensic traces are really hard to combat. Even if you memorize the ones and zeros, the "encryption" can mostly be broken with rubber-hose cryptoanalysis. [wikipedia.org]

An interesting solution would be a browser plug-in gaining popularity which integrates with several major image hosting providers, offering client-side steganography and crypto. Only small files would fit though, but it'd be usable in some of the same scenarios Freenet [freenetproject.org] was meant for, e.g. communication without 3rd parties being able to prove the communication takes place.

Hiding the *fact* of encryption ... (1)

BenBoy (615230) | more than 4 years ago | (#29038771)

That's a tougher problem than most people seem to realize. If I'm hiding my collection of exotic photos of, I dunno, under-aged parrots or skanky sheep (but here, I perhaps reveal too much), I have to worry about my computer's environment as a great big system ... I have to ensure that, for example, windows doesn't index that mounted drive (or whatever you're using), I have to make sure that my picture viewer doesn't cache thumbnails in an awkward place, or that editing doesn't create unencrypted temp files. My "recently opened documents" has to be, what, encrypted too? Regularly overwritten 60 billion times per day? Turned off? Something.

It's not that the things I've mentioned are themselves insurmountable, or even difficult. It's that there are so many little leaks, based on so many convenient services that a relatively complex software ecosystem provides.

Not as difficult as you might think (0)

Anonymous Coward | more than 4 years ago | (#29038797)

High bar? Not really.. In order to make encryption software pervasive, all you would have to do is convince a few of the filesharing programs and bit torrent clients to bundle truecrypt with their software. That'll get you several million within a month or so. Furthermore, the next time an update for that software rolls out, you'd see increases in the 5 to 10s of millions. Likely enough people using p2p often could use a good encryption method.

Bitlocker To Go (1)

Ececheira (86172) | more than 4 years ago | (#29038821)

How about using Bitlocker To go to encrypt your USB devices? It's installed/available on all Win7 SKU's (though you need Enterprise/Ultimate to initially encrypt the device). As it's part of the OS, there's no suspicion for having it...

bad. (2, Insightful)

n30na (1525807) | more than 4 years ago | (#29038843)

First rule of crypto: you do not talk about crypto.