I think that again people look at a specific scenario without realizing that in this case it doesn’t matter much what you do.
If you’re dealing with an adversary that can torture you or lock you up indefinitely without any serious evidence or reasonable legal proceedings, just because you are a suspect for some reason (or because the way you behave), then they can do it no matter what you do, whether you use encryption or not, whether you carry any sort of device at all or not. They can lock you up and torture you until you give up your secrets regardless of any digital data stored or not stored somewhere. This isn’t a question of encryption or technology. The discussion in this case is superfluous.
Now, when your adversary does have an authority over you, but, absent evidence the most they can do is some short time arrest or a trial that has reasonable chances to fail, while the content of your data, if revealed, can have much more serious consequences, this is a much more interesting discussion in my opinion.
In this case protection of the data is a higher priority than avoiding pissing off your adversary or making them “even more persistent” . Now what would you do in this case?
this is why i stress simply not having the data. if you have to travel with a computer, travel with a clean one. if the internet is available in your destination, there is simply no need to run the risks of traveling with the data on your physical devices.
Started to look into LUKS, way too complicated and I can see why mistakes can easily be made there. Too much for me at this point, I still consider myself a beginner re everything that has to do with Linux, I will stick to TrueCrypt / Veracrypt.
So with this setup, users has two systems that are encrypted: the decoy OS, that can be the one the user actually uses for normal activities (it actually should be used, to appear that it is used often), and the hidden OS.
Veracrypt boot loader does not know if there is a hidden system or not. It follows the same actions in both cases (try to use the password for one location, then another, even if there is no hidden volume).
So, in this case:
Data saved by the OS should all be kept hidden. It’s not VirtualBox installed in a hidden partition while the OS saves data all over the place.
When forced to give the password (Veracrypt boot loader makes it obvious that there is something encrypted), user provides the password to the decoy system (those with theatrical tendencies can try to resist already at this stage, until it begins to really hurt LOL). The decoy system should seem legit enough, since it is actually being used daily for everything but the most sensitive activities. Or it can even contain enough info (embarrassing / confidential / grey area legal) the user is not happy but still willing to provide, to assist in plausible deniability.
Now, if the adversary had concrete information that suggests more data should be stored elsewhere, this will not work. But it might in the cases adversary must collect evidence in order to take significant steps against user.
And no, it may also not work if the adversary can accurately correlate activity times etc.
(It is interesting to note though that when discussing various solutions and protection mechanisms the adversary is deemed all-powerful, all-knowing with control over ISPs, VPNs, Entry and Exit relays, has absolute legal authority and what not. But when discussing Whonix components, the adversary is somehow reduced to a script-kiddie sending trojans by mail).
Some of the users you’re conversing with (enr0py) have a much better understanding of Whonix. Trying to incite a reaction is not how you get your point across. Its done by convincing users of your argument.
It’s impossible to tell if the motivation is an honest attempt to
contribute or deliberate destructive trolling. While motivation matters
(why I am writing this wall of text), in result, it doesn’t matter and
is the latter.
I was wondering how I should handle threads like this:
I am under no obligation to read everything or to discuss every subject
with everyone until it’s discussed until everyone is happy and agrees.
It’s also not possible time wise as the project grows.
Question to the community: What do I do? Just ignore, unsubscribe form such forum threads and hope
the community will deal with it?
It takes far less time to can ask more questions and make allegations
than to rebut them. So in a way, makings things dirty is a lot easier
than cleaning up things. So while the usefulness is unclear, at best it
takes away energy and time from the Whonix community and at worst
everyone gives up and questions and allegations remain unchallenged and
a source of FUD.
A huge backlog of analysis isn’t helpful either. Let’s do research,
development and deployment at the Whonix project. But a ton of research
that is theoretic, not well organized and not actionable actually takes
away time from actual progress, development.
The feedback by pano at the moment doesn’t help to move the Whonix
project forward. It’s currently not in a format that is actionable.
Theoretic discussions are old and plentiful online. There are places
where these are welcome and I can understand the mental fun of reading
them and engaging in them. That’s in essence how I got interested in
first security, later anonymity and then started working on Whonix.
In essence, what the Whonix project needs is clear, concise, well
described, actionable tickets on phabricator.whonix.org and people who
If pano heavily disagrees, pano is free to move on to other endeavors in
places where pano’s style of discussion is more appreciated. pano is
also welcome to use or not use Whonix as everyone else including raising
any opinion in other places which welcome such (own blog, other forum,
public protest :), …).
Something similar happened with the Tails forum long time ago. In
reaction, the Tails forum was closed. History won’t repeat in Whonix
forums. Whonix’s forums purpose will be limited to Whonix user support
and productive research and development. Won’t be a free speech platform
Thoughts on by the community are welcome in public or private. Possible
pano (and similar later accounts) can go on as is, I unsubscribe from
threads and do actual development, community deals with these
discussions if deemed useful
pano (and similar later accounts) gets a warning to slow down (and if
ignored account disabled)
I would “vote” for this, i think @entr0py@0brand and @tempest are doing a great job in this discussion and if something useful comes out of these Posts one can create a task at phabricator to notify you.
I think these Posts are important to show how professional our Moderators work and that even the unspecific Posts from Pano get a proper response.
I guess a “bad” example does help and shows other users how they should Post feedback and suggestions.
First, in @pano’s defense, he hasn’t been destructive (by vandalizing threads or spamming) and he hasn’t issued personal attacks or insults. I think he’s well within forum rules as they stand. Some people ask questions to get answers, some people ask questions to give their own answers.
Tell the moderators to do their job. It’s the moderator’s job to keep threads on topic and sufficiently focused. And to lock them when they become unproductive and run in circles. I’ve always erred on the side of free speech but that comes at a cost of time and aggravation. And most importantly, as Patrick said, leads to a buildup of FUD when the community gets exhausted by intentional or misinformed trolling. Speaking for myself, I’ll be more assertive going forward along with:
adding per-forum stickied posts describing what type of posts are appropriate; and what information needs to be provided to get help. also include links to troubleshooting, faq, how to ask questions, unsupported, free support principle, free speech, etc.
marking posts with stackexchange-like tags when appropriate (too vague, off-topic, opinion-based, etc) and linking back to stickied posts
Its very difficult to know if a users posts are due to a lack of knowledge or they are arguing just for the sake of arguing. Knowing what action should be taken (if any) is even more difficult. Regardless, there comes a point when continuing the thread would no longer benefit the community. The problem is this is also hard to know.
Part of the solution may be for the mods to communicate with each other when they see the beginnings of a potential issue. The longer it goes for, the more embolden the user gets. Intervene sooner and it never gets to that point (When I say intervene I mean communicate with the user). Then if it becomes a problem the mods can decide the best course of action. Always better to get feedback from each other before any action is taken (if possible).
Our job it to lessen Patrick’s workload so we need to start being more proactive. Keep in mind its very important that moderators actions ( or lack there of ) are consistent. This is why communication is vital. Plus jr mods could use a little guidance from time to time as well.
if i’m not mistaken, this is relatively easy to determine as well. what’s the size of the hd? what’s the size of the partitions for the loaded os? not equal? red flag. with veracrypt, you have an additional partition with encrypted information for such a set up. same risks as discussed before apply
again, at the end of the day, “plausible deniability” with encryption is more theoretical than practical. it involves a risk component that simply isn’t there if you are in the company of an attacker with no problematic data. minimizing risk is key here.
If I understand correctly the whole disk size is accounted for. But I didn’t go into the details and I don’t have a good enough understanding of disk structure for that:
When running, the hidden operating system appears to be installed on the same partition as the original operating system (the decoy system). However, in reality, it is installed within the partition behind it (in a hidden volume). All read/write operations are transparently redirected from the system partition to the hidden volume. Neither the operating system nor applications will know that data written to and read from the system partition is actually written to and read from the partition behind it (from/to a hidden volume).
But if we put that idea aside, what do you of the following instead:
Host: Debian, with LUKS FDE set at installation. This should take care of theft, loss, random visitors, fools.
VirtualBox with immutable drives as you suggested. This should take care of say, basic forensics level.
Sensitive data always saved on a separate USB drive, LUKS encryted. This adds a physical aspect - location of the USB when not plugged in.
Clear logs and history (where can I find everything that is saved by the VMs?), and use something like Nautilus-wipe regularly for deletion of files and clear “available space” in VMs as well as in the host.
pano does not heavily disagree (pano would have appreciated a personal message though, instead of public flogging, it would have worked just as well). In any case, point taken, pano will keep it as technical as possible and will abstain from discussing wider issues.
there’s an additional encrypted partition. again, that will be a red flag, particularly if it is noticed by an attacker that you have a 500 gig hd with approximately only 250 gigs available to your operating system.
i don’t want the point of immuitble drives to be misconstrued. it is not anti-forensic. files will be created for use sessions with immutible drives. they are simply erased when you start the virtual machine on another occasion. thus, if someone has decrypted your hd, file recovery of such sessions is possible. the immutible drive setup is only for mitigation of less advanced malware threats.
if anti-forensics is of particular concern, tails is likely a better choice over others.
I understand that now, I am still not clear though about the advantage of immutable drives over always restoring the state to a particular snapshot. I previously thought deletion of the temporary data is done when the machine is powered off, but as you mentioned (and as I’ve seen when I tested the immutable drives) it happens only at the next activation of the machine - so performing an active step after shutdown is required anyway.
For either of those cases - say we restored the machine to a previous state (for a normal drive), or just restarted it (in the case of an immutable drive) - doesn’t wiping available space help on the forensics front as well? Even in Tails, when working on ongoing projects one will need to save data somewhere, and clear it when it’s not necessary any more, so wiping issues still need to be handled.