Domain: iq.org
Stories and comments across the archive that link to iq.org.
Comments · 27
-
Re:I've got this one...
Did he use a "rubberhose" during the act?
-
Re:Can someone link the report?
You mean his rubberhose?
"
Written by WikiLeaks founder Julian Assange, Rubberhose is a freeware
deniable encryption scheme for multiple file systems whose existence can only
be verified using a cryptographic key. -
Re:Complete solution in five words
-
Re:It depends....
If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?
Does the person to whom you give these two files have a rubber hose? Is he a member of the “extraordinary rendition” team?
The point of steganography is to not get caught in the first place. If you need plausible deniability, you’ve already lost.
Cheers,
b&
Speaking of rubber hoses, the rubber hose file system, aka Maru Tukku hides data in the (potentially discontiguous) free space, and was done by Julian Assange (of wiki leaks fame I believe). The intent of this was to use plausible deniability, since there could be multiple hidden aspects (sort of like partitions), each with an encryption key. I think they were set up hierarchically, much like in onion routing, to increase resistance to losing a single key.
-
Have a look at Rubberhose
Rubberhose (Pronounced Marutukku) is transparently deniable encryption, developed by (among others) Julian Assange.
This seems to do exactly what you're trying to do, so even if you want to go ahead and implement it yourself from scratch, it's worth reading up on what they've done to get some ideas and avoid some potential pitfalls.Rubberhose is a computer program which both transparently encrypts data on a storage device, such as a hard drive, and allows you to hide that encrypted data. Unlike conventional disk encryption systems, Rubberhose is the first successful, freely available, practical program of deniable cryptography in the world. It was released in an earlier form in 1997, but has undergone significant changes since that time. The design goal has been to make Rubberhose the most efficient conventional disk encryption system, while also offering the new feature of information hiding.
Rubberhose is a type of deniable cryptography package. Deniable cryptography gives a person not wanting to disclose the plaintext data corresponding to their encrypted material the ability to show that there is more than one interpretation of the encrypted data. What deniable crypto means in the Rubberhose context is this: if someone grabs your Rubberhose-encrypted hard drive, he or she will know there is encrypted material on it, but not how much -- thus allowing you to hide the existence of some of your data.
-
Re:What
TrueCrypt ( www.truecrypt.org )
Rubberhose ( http://iq.org/~proff/marutukku.org/ )Some others, but these come to mind first...
-
Re:Huh?
Story? What story?
It wouldn't be a story if he just Googled it. It's a bit outdated but Rubberhose was explicitly designed for this purpose. The idea is that it has multiple encryption keys to store different data in a given volume with no way to prove there is more than one key or more than one item being stored. You use one password or key to encrypt less-sensitive data and then there is no way to prove that you have another key or password encrypting much more sensitive data within the same volume. So the cops ask for your encryption keys, you give them the less-sensitive one, they see your financial records or something else to which they already had access, and cannot prove there is anything else on the volume.
-
Re:Is it worth it anymore?
According to Giganews, Usenet bandwidth is currently exceeding 5TB per day. (They have lovely, though slightly dated, graph demonstrating this point.)
That's a lot of storage and network infrastructure to manage for a service that almost none of an ISP's customers care about.
Now, of course, it could be argued that something like nntpcache, running locally on the ISP's network and fed by an outsourced service like Giganews might fit the bill well, by conserving bandwidth and storage on popular items and using very little for unpopular items. And, as someone who had previously (a decade ago) set up a system like this for a local ISP, I think I'm qualified to attest that it does work.
However, here's the way it probably went down with AT&T: Manager opens newspaper, sees some horrific headline about GM bankruptcy, and decides to cull the expenditures. "This Usenet thing is expensive," he thinks to himself, "and I don't think the cost is worth the 0.3% of customers who actually know it exists, let alone ever even use it." And then, just like that, AT&T's Usenet servers get thrown under the bus.
It's a sad state of affairs, I agree - I'm all for using networks efficiently, and BitTorrent just ain't it. But we (users) have to deal with what we've got to work with, and if BitTorrent's horrific network efficiency is the best we can do in a Usenet-free world, then so be it.
ISPs have been putting the axe to hosted Usenet services (or at least alt.binaries, or even alt.*) for years with minimal customer outcry, since almost nobody cares. However, the last time someone tried to fuck with BitTorrent on any grand scale (Comcast), it got the attention of all levels of government and Comcast turned their policy around in a (relative) hurry.
So, again: BitTorrent (or perhaps Giganews) it is.
As an AT&T subscriber, long-time Usenet fan, and someone who remembers when the daily bandwidth of Usenet exceeded that of a then-common 14.4kbps v.32bis modem, I'm neither surprised, shocked, nor offended by this move. *shrug*
-
Re:Ethernet cabling at home
It's true, that you'd want true sterility when committing a crime that would get 'the man' really pissed at you, but there are other things, things you could be sued for rather than prosecuted for, that it might be good to have some plausable deniability against. I'm thinking that with an open wireless AP ( or even one that was openable so you could claim you opened it when the activity occured or just recently shut it off ) and running a filesystem similar to rubberhose filesystem then you might be OK. What if, for instance you wanted to critisize Scientology, without the hassle of the inevitable litigation? Sure you'd win, but who wants to deal with courts and lawyers?
I'm not sure if the fifth amendment extends to civil stuff anyway.. But couldn't you plead the fifth if you didn't know WHETHER the secret you are keeping was a crime? Until you had the advice a lawyer at least? I'm thinking that if the fifth doesn't extend to civil action then you'd have no right to consult a lawyer to determine if something was indeed a crime... That's why it would make sense for the fifth to extend to civil stuff, but then sense usually has nothing to do with it...
I wouldn't trust Rubberhose or any such thing to be breakproof against the efforts of the government, but if there were ever a situation that cropped up where I could 'try' to depend on it to keep a secret, then I would depend on it and hope that it held up, as it might. It would give one a certain peace of mind to know that you were running rubberhose and owned an openable wireless ap. Go ahead and expose Tom Cruise as Xenu. You're armed with a reef of shit they'll have to wade through before they can even bother you.
-
Re:So anyone want to do this....You're looking for deniable encryption...
- Rubber Hose crypto http://iq.org/~proff/rubberhose.org/ here.
- Truecrypt http://www.truecrypt.org/ provides a hidden, encrypted partition-within an encrypted partition for plausible deniability.
You get caught, you give them the top-level keys, etc. There's no way to prove that the second layer exists! And yes, a/c because even telling you about this sort of software is probably illegal now in the UK (think of the children! Stop the terrrrrists! etc!)
<rant>(Curtain-twitching, Daily-Mail-Reading, Noseyfuckingbastards Sheeple)</rant> -
Plausible Deniability
If you're worried about having to give up the password to your encrypted drive, try Rubberhose:
-
Which is better?
Truecrypt or rubberhose?
-
Re:Fading memory
Rubberhose, Truecrypt's stepbrother.
-
Re:Dual BootIf they choose to store the contents of your hard drive for later analysis, not at all. Nor will it protect you against minimally-clever forensics tools.
of course there's always deniable encryption, ie rubberhose.
-
Re:No you have a choice.
It's called TrueCrypt and is available for Windows, Linux and to some degree for OS X.
the important thing about truecrypt is the concept of 'deniable encryption' -- that encrypted data is indistinguishable from garbage on disk, and the number of encrypted 'aspects' on a disk are indeterminable. what this means is that you can give up the password to the aspect that contains your collection of chickpea recipes and still keep the password to the apsect that holds your other data to yourself. this is nice since, you know, if you get waterboarded it's nice to have something to tell your inquisitors.
in the same vein as truecrypt, there is also rubberhose which, according to the site, "deniably encrypts disk data, minimising the effectiveness of warrants, coersive interrogations and other compulsive mechanims, such as U.K RIP legislation". the theory, as the name implies, is that the only way anyone is going to get all the passwords to all the crypted aspects on your disk is by hitting you with the aforementioned length of tubing. rubberhose, however, is still only in alpha and the project appears to be abandoned so it's a 'use at your own risk' kinda deal.
lastly, of course, there's always steganography -- the art of hiding the data, often in conjunction with crypting it.
now, if you steg up your precious data, throw it on a deniably crypted filesystem and then write the whole thing to a series of 5" floppies that no border guard is reasonably going to have the equipment to read... well, you should be okay. -
Lack of ability to correct and warnings.
Okay, I started investigate. A number of things don't ring fully true. They are very careless about discussing physical and local security for the whistleblowers. I found this worrying but decided to try to correct it. I noticed that they claim to be a normal open wiki and so I tried to sign up... no sign up page on the login page. Then I tried forcing the link by copying from wikipedia: https://wikileaks.org/wiki/index.php?title=Specia
l :Userlogin&type=signup&returnto=Wikileaks:Main_Pag e "You are not allowed to create an account / To be allowed to create accounts in this wiki you have to log in and have the appropriate permissions.". https://wikileaks.org/wiki/Advisory_Board shows that the Advisory board has some credibility, but does it really exist? Interestingly several of them have blogs http://iq.org/ http://www.wangdan1989.com/ http://www.links.org/ but I haven't been able to find any references to Wikileaks. Why is there no information from the EFF or other similar bodies? -
Re:Guilty until proven innocent
These people are selling products and services to prosecutors. Defense attorneys only need to be aware of flaws in forensics software and practices that can result in false positives.
Pleading the fifth in front of a jury when you're the defendant is tantamount to an admission of guilt. But there was an encryption/steganography system called Rubberhose ( http://iq.org/~proff/rubberhose.org/ ) that allowed you to create an arbitrary number of encrypted volumes in one disk segment, where each volume took up a random sequence of blocks. You could have four or five encrypted volumes, one of which contained the incriminating material and the rest of which contained plausibly embarrassing and private material. Then you can comply; nobody can prove that you haven't decrypted everything, since the entire disk segment is filled with random-seeming data.
TrueCrypt does almost as well as Rubberhose, and it's maintained. It allows you to create nested encrypted volumes, but defaults to two volumes deep, and I'm not sure whether it supports any more than that. -
the link - Re:"Rubberhose"
Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coersive interrogations and other compulsive mechanims, such as U.K RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available. Currently supported ciphers are DES, 3DES, IDEA, RC5, RC6, Blowfish, Twofish and CAST.
Written by Julian Assange, Ralf P. Weinmann and Suelette Dreyfus
-
Re:No back doors?
Truecrypt is a nice idea, except that if the interrogators find truecrypt on your harddisk, they may automatically assume you have a hidden volume inside your encrypted volume.
Then you make 12 different volumes, each having progressively more-private/sensative information.
This is the idea behind Rubber Hose: http://iq.org/~proff/rubberhose.org/ -
Re:Moo
Well, that's where criptography comes in... someone posted this link in response to a post of mine a few days ago... seems very interesting...
They cannot find the data if it's all covered with garbage...
-
Re:Other drive content and RIAA fishing expedition
-
Rubberhose.
Or you use rubberhose.
-
Re:TrueCrypt
this reminds me of rubber hose linux. granted this is only for a volume not a secure OS.
http://iq.org/~proff/rubberhose.org/ -
Re:Nah, you have *partitions* of random characters
Perhaps what's needed is a bit more development of an encrypted file system where the entire disk partition is full of pseudorandom data. And if you are compelled to give up one key, or three, theres no way of knowing what else is hiding in the garbage, or even of proving there is anything else hiding in the garbage.
-
If the government wants my keys...
...i'll let them have some.
-
Re:Homeland Security Vrs RIAA
What's to stop the government from seizing both you and your computer, flying you out of the country, and then torturing you until you give up the password?
Well, the obvious one being that installing a pinhole camera, keystroke logger, or parking a tempest van outside would be infinitely cheaper and easier.
The second one being your brain, and a rubber-hose: http://iq.org/~proff/rubberhose.org/current/src/do c/review.html -
The technical solution is trivial.Not "I refuse to follow your honor's order" (that would be contempt).
But "I do not know who my anonymous source it and I there is no way to determine who it is from the information I have."
Let's also assume that the reporter, plans to deny that he knows who the source really is. This is a fair assumption since the other alternative is to simply stonewall. Which he can already do.
Convincing the judge is the challenge. No matter what technical solution is applied, if the reporter can't convince the judge that he doesn't know the source's secret identity, the judge will find unpleasant ways to motivate the reporter's compliance.
Rubberhose comes to mind. Oooh, nifty, neato, keen. I won't tell and you can't make me! Nerds are saving the world from oppression. And thumbing our noses at authority. Ah, yes.
The technical solution is trivial. Work on the social part of the solution. How does the reporter convince the judge to leave him alone? Convince the judge he really doesn't know? It's hard to prove a negative. Convince the judge that the reporter has a right not to tell? Supreme court says no such right exists. And how does the source get the reporter not to rat her out just to save his own ass?
The current solution is to stonewall. To have reporters that are willing to go to jail to protect their sources and inform the public. That willingness deserves our respect.
Yes, I know. The reporter recently in the news DID NOT reveal the identity of the agent who was compromised. The reporter refused to identify a source to whom anonymity was promised. What is the value of a free press? The "fifth estate", the unelected branch of government is not a police force. I acknowledge these are issues worth discussing, but not what I'm concerned with in this post.