Re: Are computer forensics people as stupid as they seem?
- From: Privacy <privacyoriented@xxxxxxxxxxxxxx>
- Date: Thu, 07 Jun 2007 00:14:45 -0700
This is my second time trying to post this specific message using
Google (and this is my second reply to this post). Google seems to be
quite worthless. I'll post it as many times as it takes to show up.
So, bear with me if it shows up 10 times. Below these lines is the
response I attempted to post.
-----------------------------------------------------------------------------------------------
I'm going to reply to this again. But I'll do it in a different way
this time in case my original reply shows up. I'm going to state a
series of suppositions and challenge you to respond to them.
First off. There are 2 issues at stake here. Functionality/workability
and security. Let's totally ignore the workability now and focus on
security. Then we'll get to workability later.
1. Let's suppose you encrypted an entire drive (not partition) with
TrueCrypt. Then let's suppose you wiped another drive with a program
that overwrites an entire drive with statistically random data (and no
zero sectors anywhere on the drive). Could you tell the difference?
Use this thread as a reference if you need to: http://forums.truecrypt.org/viewtopic.php?t=3337
If you think you could tell the difference then the impetus is on you
to explain how you could do this (please be detailed). I maintain this
is undetectable because you can't prove what produced the output. If
you maintain this is detectable because any random appearing data is
detectable, then you are using a different definition than me (and
everyone else on the planet).
2. Let's suppose you overwrite this drive with either an operating
system or partitioning data. Could you detect what produced the random
data after the plaintext data? It stands to reason if you couldn't
detect (1) you can't detect (2). If the encrypted data still happened
to be functional (which it most certainly could be if you configured
it correctly) and if you couldn't detect what produced the random-
appearing data, then, congratulations, you have encrypted data that's
undetectable. It's not a hidden operating system, but it is a hidden
encrypted volume.
3. Let's suppose that you could find a way to make it look exactly the
same as (2) above but have the encrypted data at the end harbor an
actual hidden operating system. That's what I'm talking about. It
looks like (2) above, but instead of just an encrypted volume, it has
an encrypted operating system. And it looks like the data DBAN writes.
And it doesn't rely on DCPP hidden volumes. Most FDE packages will
work. And there's no decryption program lying around and the first 63
sectors do not give any indication that the drive is encrypted in any
way. The programs you have lying around your house are the same as
anyone else would/could have. And the plaintext operating system
doesn't have to be FAT32.
On Jun 6, 11:45 am, Cyberiade.it Anonymous Remailer
<anonym...@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Privacy <privacyorien...@xxxxxxxxxxxxxx> wrote:
> > On Jun 6, 9:11 am, Cyberiade.it Anonymous Remailer
> > <anonym...@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > > That being fact, any place you write your "hidden" encrypted data to
> > > must be protected from being overwritten. The "unused" portions of the
> > > drive (cluster slack?) must be locked, which means an easily detected
> > > locking mechanism and/or "stale file syndrome".
> > No locking mechanism needed. All files function perfectly.
> Not possible.
How long are we going to play "it's possible, it's not possible, it's
possible". I frankly don't care. But for those people who don't know
who to believe, think about this. What does it take to say something
is impossible? You have to have tried every conceivably possible
combination to actually say this. How often has someone actually said
something is impossible and it actually turned out to be right? Not
often.
What does it take to say something is possible? Getting it right once.
That's all it takes. Impossible isn't in my vocabulary, and it
shouldn't be in the vocabulary of anyone else reading this.
> > > Or, your data is in
> > > constant peril of being completely lost when a single bit of your
> > > "hidden" content gets overwritten by normal, unencrypted operations
> > > like booting the machine and generating a boot log. ;).
> > True. But I've been doing this for 2 years. I use both the unencrypted
> > and encrypted volumes routinely. I've never lost any data whatsoever.
> > If you knew how FAT32 works, you would know the data is written more
> I assure you I'm well aware of how FAT file systems work, and know that
> FAT of any generation is notorious among file systems for fragmenting
> files. This is pretty common knowledge which makes much of the rest of
> your claims specious at best.
> Apparently you're using some sort of "end of the drive" scheme. It not
> only fails due to the way FAT file systems utilize drive space, it's
> going to be obvious to even casual observers that encrypted data
> resides at some location on the drive. Consequently, your entire
> "nobody can know you have encrypted data on the drive" assertion is
> pure nonsense. You're not even really hiding anything at all.
Again, see my suppositions above. You absolutely must show that the
random appearing data is actually encrypted data. Since I most
certainly have done much more work on this subject than you (
http://forums.truecrypt.org/viewtopic.php?t=3337 ), I can say with
reasonable certainty that you cannot show the difference. If you can,
please clearly demonstrate a difference in the appearance of TC/DCPP
3.0 and that of DBAN or another GOOD wiping program. If you can't, you
are mistaken in your assertions. If you can, I would most certainly
like to hear what you have to say. I welcome any additional facts you
may have about this topic.
> > or less sequentially. There's minimal to no risk if you leave
> Your usage of "minimal" is a waffle. You're fully aware that encrypted
> data can be overwritten without some sort of protection or locking
> mechanism, and you as much as admitted it with that utterance.
True. It can be overwritten. It hasn't happened to me yet. But if you
can't accept that risk, you shouldn't be attempting this. These are
serious modifications with serious risks. That being said, I always
keep backups in case I make a mistake, but I haven't yet. And I
routinely use both my encrypted and unencrypted data.
> > sufficient space between the end of your plaintext data and the
> > beginning of your encrypted data. Actually, I routinely delete and
> Again you self defeat by describing some sort of demarcation between
> encrypted and unencrypted data. Nothing is actually hidden here.
> Protected or not, the encrypted data is in plain view.
That doesn't defeat anything. You have to use this to do the job. I
never stated there were no demarcations. The encrypted data is in
plain view just like it would be in a TC volume. If you go to the TC
site, you will see they state they offer 2 types of plausible
deniability. ONE is the hidden volumes, which no one can prove exists.
TWO (and this is the important one here) is that the output TC
produces cannot be distinguished from random. So, if you filled an
entire drive with TC data, no one could prove TC produced it. Again
look at this thread: http://forums.truecrypt.org/viewtopic.php?t=3337
If you have a problem with this, I suggest you take it up with the TC
developers before you take it up with me. I doubt you will though
because of your apparent fondness for TC (same as me).
So, now that we've established that encrypted data in plain view does
not prove you have encrypted data, let's move on.
> > write huge files to my unencrypted volumes. I routinely get within 50
> > MB of my encrypted data, and I'm confident nothing will be
> Your confidence level is irrelevant in the real world, where users can
> and will write data to a drive that will demolish their unprotected
> encrypted volumes. Truecrypt has addressed this issue about as well as
> anyone can with their nested volume and "dual password" scheme, and
> even that's anything but undetectable.
TC's approach is undetectable. If you think it's not, write a detailed
report of how you would do this. Put your money where your mouth is
please.
Yes, we've established your data can be overwritten if you don't use a
protection scheme. About this we're in complete agreement. Where we
disagree is about the odds.
But I'm willing to bet my experience with this issue greatly
outclasses yours. And I'm telling you you're blowing the risks way out
of proportion.
> As a novice who has already admitted they know very little about how
> file systems and encryption work, are you now trying to tell us you
> know more than the developers of Truecrypt?
As I've stated on the TC forums, I routinely provide misinformation
about myself. My intention with creating the HexMan persona was to be
able to post with a consistent voice, so people would know who I am
and what to expect when I post. It was not my intention to create an
accurate picture of who I am in real life.
That is, in fact why I've recently dumped that persona entirely. I
changed the password about 2 weeks ago then erased it so I wouldn't be
tempted to post again. It was for security reasons because I thought I
was giving away too much about myself.
You should understand the need for privacy, Cyberiade, if that is in
fact your real name.
But now that you bring out what you know about me. What do any of us
know about you? You use an identity that countless other people here
use. Why should people trust you over me? The answer is you have less
credibility than me and you always will unless you tell us something
about yourself or show us some posts you (and not some other
Cyberiade) made. And these posts should preferably be something where
you went out on a limb, made a bold statement, and defended that
statement.
As we all know, the easiest thing to do is to TRY to shoot someone
else down. No doubt it's a boost for the old ego to come here and jump
all over someone you don't know.
> > overwritten. If you know the precise amount of space you have to work
> If??
> You *must* know this magic number, and be totally aware of exactly
> where the data of each type resides, or your data is at risk.
> Simple as that.
True. But if you leave enough space, you can always know that no
matter what you do you will never approach your encrypted data. Hell,
you can leave several gigabytes (or more) of space between your
encrypted and unencrypted data. That's a tiny fraction of the space
available on modern drives. You can leave so much space, you will
never risk your encrypted data. I like to push all my space to the
limits, but there is nothing that says you have to do this, and you
should know better.
Here's the vibe I'm getting from you. Your posts smell of desperation.
Are you really this worried about the boundaries between encrypted and
unencrypted data? This is a functionality issue, not a security issue.
Are you so desperate to score points off of me that you would debase
yourself by continuing to address this issue so heavily (on a forum
dedicated to security)? I've told you for the umpteenth time. It's
workable. There is a pretty big risk with this.
But I'm assuming anyone willing to do this is willing to take the
risk. End of story.
> > with, you can get within 1 byte of your encrypted data and be
> > confident it won't be overwritten. It takes basic math skills
> > (addition, subtraction, etc.), but I would assume everyone on this
> > board has those skills. I always keep backups just in case I make a
> > mistake, which I haven't until this point.
> > This is practical experience, not a bunch of "discussion" by people
> > who've never tried it and have no idea how it actually works.
> This is where your assumptions fail you. Many of us have tried to
> devise schemes like yours and know from first hand experience how
> horribly they fail.
Tough luck. Try harder next time.
> We've "been there discussed that" in this group several times now. The
> consensus is that "stenographic" drive or volume encryption is mostly
> snake oil in principle.
No skin off my sack. That's less risk for the rest of us that know
better. If you want to actually try something instead of just
pondering about it, you might be surprised.
> Given the fact that you claim to have solved problems the entire OTFE
> encryption industry has wrestled with for years and not quite solved,
> but rely on keeping the solution a secret to continue making your
> claims, this is moderately amusing.
> Put up, or expect to be taken to task on your obvious nonsense.
Uhmm. I don't respond to threats and bullying. I would respond to
someone genuinely curious about this and asking for some help. It's
all about give and take. If you've read anything I've ever written as
HexMan, I like for people to put in equal work before I'll say
anything. Just look at http://forums.truecrypt.org/viewtopic.php?t=3337
and you'll see that theme continuing to pop up.
I want to know that someone actually cares about this, is willing to
try it, and is providing me with some tangible evidence they're
thinking about it.
> > I have no incentive whatsoever in convincing anyone. I'm not trying to
> > sell anything (hence a questionable snake oil claim). Like I said,
> Monetary gains are far from the alpha and omega of motivation. There's
> a whole breed of nut jobs out there spouting all sorts of nonsense just
> for the recognition.
I don't give a rat's ass about recognition. I genuinely want to end
this nonsense of peoples' personal property (their 1's and 0's) not
belonging to them. What's on your computer is your own business. What
I want most of all is for people to understand that there is a genuine
risk to their privacy out there. And I want them to try to proactively
protect it. I'll do what I can to accomplish this.
This is more accomplished by my words than by me providing some
technical how-to. I'm willing to provide it if someone actually wants
it.
> > it's less risk for me if everyone thinks it's impossible. I'm just
> > here because I want to help others (if they want it) to secure their
> Empty, unsupported claims don't help anyone.
They won't be unsupported if someone actually wants help doing
something. That's the way I operate. I want to see some interest, then
I'll start slowly providing some how-to's. Not until there's some
interest.
> > data. I feel what's on your computer is your own business and no one
> > else's. And I'm willing to help others achieve that if they want.
> > It is a little strange that you would respond that it's impossible in
> > a thread where I've not only stated it's possible but I've been doing
> Relating facts in response to vaporous rhetoric isn't strange at all.
> It's how experienced posters help less experienced posters avoid snake
> oil peddlers.
Yeah, you're the big man helping everyone avoid a snake like me. Who
are you again? That information seemed to have been lost somewhere.
> > it for a long time. I've not only been doing this for 2 years but I've
> > been continually refining the process every time I think of something
> > new. It's so refined at this point that I'm confident in saying it's
> > fully undetectable. I have so much practical knowledge about this
> Burn an image of a sample drive with your so called "undetectable"
> encryption scheme, and make it available for download somewhere. A
> small partition would do fine.
This data will uniquely identify me and I would have to redo that
entire drive to maintain my own personal security. You know that, don't
you?
> I'll bet cash money it's anything but undetectable, but then that's a
> pretty safe bet because I doubt you have the guts to put your snake oil
> to the test after a couple years of empty claims.
Again, we have to get on the same page with what the word
"undetectable" means. If you're on the same page as the rest of the
planet, then no, it's not detectable.
If you're in your own little world and think any random appearing data
must be encrypted data, then by that ridiculous definition, it would
be detectable. Happy?
> > issue that I could write volumes about quite a few crypto, wiping,
> > partitioning, and forensic programs.
> Odd. In this very thread you admitted a level of knowledge that would
> make this impossible. At least in any useful fashion.
Again, I often post inaccurate information about myself. I think
giving away my true experience may be sufficient to link my online
persona with my real life.
Here's the important issue. Based on my posts and the way I conduct
myself, it seems to me I'm the more credible person than you are. I've
given my posting history. You've given what again? I try to treat
people with respect (all but my initial post about forensic examiners
of course). You act like a child, call people names, and try to demean
them.
Most of all, I don't care what you say about me. This persona will be
gone for good in a week. HexMan is never coming back. I just don't
like you spreading misinformation. That misinformation is due to a
thread I started, so I want it corrected before I go. I hate the word
impossible, and I hate that you're using that word about things that I
know work.
Bye.
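
The two questions argued in this message (whether cipher output can be told apart from a PRNG wipe, and whether the boundary between plaintext and random-looking data is visible) can be examined with a per-block byte-frequency test. The following is an added example, not part of the original post or of any tool it names: the image, the SHA-256 counter keystream standing in for a disk cipher, the seeded PRNG standing in for a wiping pass, and the threshold are all constructed assumptions.

```python
import hashlib
import random

BLOCK = 4096        # bytes per analysed block (eight 512-byte sectors)
THRESHOLD = 400.0   # chi-square cutoff; uniform bytes give about 255 (255 d.o.f.)

def chi_square(block: bytes) -> float:
    """Pearson chi-square of the byte histogram against a uniform distribution."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    expected = len(block) / 256
    return sum((c - expected) ** 2 / expected for c in counts)

def fill(pattern: bytes, size: int) -> bytes:
    """Repeat a pattern up to exactly `size` bytes."""
    return (pattern * (size // len(pattern) + 1))[:size]

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def build_image(plain=8, wiped=8, enc=8) -> bytes:
    """Constructed image: plaintext blocks, PRNG-wiped blocks, ciphertext blocks."""
    rng = random.Random(2007)  # stand-in for a wiping tool's PRNG pass
    wipe = bytes(rng.getrandbits(8) for _ in range(wiped * BLOCK))
    secret = fill(b"constructed hidden volume contents ", enc * BLOCK)
    return (fill(b"boot log entry 0001 OK\r\n", plain * BLOCK)
            + wipe + toy_encrypt(secret, b"constructed-key"))

def classify(image: bytes):
    """One (chi_square, looks_random) pair per block."""
    scores = [chi_square(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    return [(s, s < THRESHOLD) for s in scores]

def demarcation(image: bytes) -> int:
    """Index of the first block of the trailing random-looking run."""
    flags = [looks_random for _, looks_random in classify(image)]
    idx = len(flags)
    while idx > 0 and flags[idx - 1]:
        idx -= 1
    return idx

if __name__ == "__main__":
    img = build_image()
    for n, (score, rnd) in enumerate(classify(img)):
        print(f"block {n:2d} chi2={score:9.1f} {'random-looking' if rnd else 'structured'}")
    print("random-looking run starts at block", demarcation(img))
```

A byte-frequency test of this kind separates structured blocks from random-looking ones and locates where the random-looking run begins; it does not attribute random-looking blocks to a particular tool.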