NetBSD's Crypto-Graphic Disk

An anonymous reader writes "Security-minded laptop users live in fear of theft, not only of their computer but also of their precious secret data. NetBSD's CGD project is a cryptographic virtual disk that can protect sensitive data while acting like a normal filesystem. Recently its author, Roland Dowdeswell, was interviewed and provided a lot of details, and made a comparison with Linux's Loop-AES, FreeBSD's GBDE, OpenBSD's svnd. This is a must-read for any laptop owner (and paranoid androids)!"

God do I love the smell of slashdot in the morning

God do I love the smell of slashdot in the morning!

BSD IS DEAD

_d8b____________________d8b_______d8,
_?88____________________88P______`8P
__88b__________________d88
__888888b__.d888b,_d888888________88b_.d888b,
__88P_`?8b_?8b,___d8P'_?88________88P_?8b,
_d88,__d88___`?8b_88b__,88b______d88____`?8b
d88'`?88P'`?888P'_`?88P'`88b____d88'_`?888P'

______d8b________________________d8b
______88P________________________88P
_____d88________________________d88
_d888888___d8888b_d888b8b___d888888
d8P'_?88__d8b_,dPd8P'_?88__d8P'_?88
88b__,88b_88b____88b__,88b_88b__,88b
`?88P'`88b`?888P'`?88P'`88b`?88P'`88b

It is official; Netcraft now confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

Re:BSD IS DEAD

[pupeno]

The good thing is that free software never really dies. It may be frozen but it is still there for everyone and if someone wants to pick it, (s)he is free to do so.

Re:BSD IS DEAD

Holy shit, you suck.

What I know about BSD

what I know about *BSD

1. You can not play games on it.
2. It cannot be used by my grandma.
3. It lacks a GUI of any note.
4. There is no support available for it.
5. It is an assortment of fragmented OSes.
6. It cannot be run on the x86 platform.
7. You have to compile everything and know C.
8. Support for the latest hardware is always poor.
9. It is incompatiable with GNU/Linux.
10.It is dying.

Elegy For *BSD

I am a *BSD user
and I try hard to be brave
That is a tall order
*BSD's foot is in the grave.

I tap at my toy keyboard
and whistle a happy tune
but keeping happy's so hard,
*BSD died so soon.

Each day I wake and softly sob
Nightfall finds me crying
Not only am I a zit faced slob
but *BSD is dying.

mutually exclusive?

[User+956]

So the CGD disk is an encrypted pseudo disk driver. It sits on top of another partition and acts as a new virtual disk to the rest of the operating system. But what of those of us that have to use windows, or Mac OS X? This seems like it's only compatible with *nix OSes.

Re:mutually exclusive?

[cmdrbuzz]

If you are using Mac OS X then you have disk image encryption built in.

See FileVault for the automagic encrypted home directory

or see hdid for the command-line version of disk utility.

Re:mutually exclusive?

[pepdar]

Mac OS X is a *nix OS.
It also features an encrypted file system, FileVault.

Re:mutually exclusive?

You can create an encrypted disk image in Mac OS X, and use it like any standard filesystem.

Re:mutually exclusive?

[User+956]

Mac OS X is a *nix OS.

No, Mac OS X is a BSD. There's a difference.

Re:mutually exclusive?

[tamnir]

That is exactly why my prefered solution for on-the-fly hard disk encryption is TrueCrypt. Not only is it open source and cross platform (Windows/Linux), but it also happens to simply rock, surpassing many commercial products, with lots of nice features like the use of keyfiles, or for the true paranoid, cascade encryption (like AES-Blowfish-TripleDES) and plausible deniability (hidden volume).

Re:mutually exclusive?

Isn't NetBSD a BSD too?

Re:mutually exclusive?

[VincenzoRomano]

If you run Windows you have much more troubles in mind than encription of personal data!
Provided that your OS has not grabbed all of your free disk space!

Re:mutually exclusive?

[BokLM]

But what of those of us that have to use windows, or Mac OS X?

Thoses who use windows don't care about security, or they would be running something else. They don't need that.

Re:mutually exclusive?

[thebdj]

Actually, BSD is a unix derivative just like Linux. Both have their separation from Unix and neither is Unix.

In reality, it is probably still safe to call it a *nix, only the BSD zealots would like us to separate it into a "BSD", which is about as anal as separating the Linux distributions into different groups.

BTW, your original post compared it to *nix operating systems and complained about OSX. The Article refers to this about NetBSD, therefore making your statements a bit mixed.

The folks over at Wikipedia seem to agree with us on this one.

Re:mutually exclusive?

[gigel]

those of us that have windows (2000,xp,2003,vista) already know how to use the encrypting file system. if this http://www.iopus.com/guides/efs.htm quick howto does not make sense, then you cand find here http://tinyurl.com/dpy5n tons of microsoft documentation on it.

Re:mutually exclusive?

[croddy]

If Mac OS X is a BSD, then it's the only one without a /proc filesystem.

Re:mutually exclusive?

[muhgcee]

Give me a break. If you say something like that, it simply shows that you don't know how to administer Windows very well.

Re:mutually exclusive?

Uhh, if you're using OSX, you use FileVault.

If you're using Windows XP, you use the EFS.

next question?

Re:mutually exclusive?

[xxdesmus]

you ladies are so funny if your useless off topic posts. go back your *nix fanboys sites.

Re:mutually exclusive?

Which would be slashdot? No?

You really must have missed the bias so far, if you don't think that this is a fanboy site.

Re:mutually exclusive?

sorry, i was too busy using my secure system to have to worry about "administering" daily like with windows.

Re:mutually exclusive?

[Riddlefox]

How good is the EFS in XP? I recall that in W2K, it wasn't exactly a fool-proof way to keep people from accessing your files (especially on a laptop, where people could have physical access to the machine), due to the way the RA was set up...

Re:mutually exclusive?

[Theatetus]

Install Open, Free, or NetBSD sometime and look for the /proc filesystem. It's not there.

Re:mutually exclusive?

[lachlan76]

Moreso than Linux. BSD is based on the original AT&T source code, although it was mostly rewritten over the years.

Re:mutually exclusive?

You have a higher /. UID than he does. Ergo, you should respect him.

Re:mutually exclusive?

[muhgcee]

I run Windows on my main desktop, and know how to do it well. I don't spend time daily administering my machine. I simply set it up correctly the first time. After installing Windows and all of my apps, I go through the list of processes that start on boot and only keep what I need. This is a basic strategy that administrators of *all* OSes (even "secure" ones) should use.

Combine this with being a smart user, and your system will be plenty secure. I don't even run anti-virus software. Never have. Never had a virus either.

Re:mutually exclusive?

Seriously, I just installed win xp for work reasons. I was ready to make my piece with windows. I was blown away-not only has it gotten more ilmannered since win98/2k. but my 60 gig drive is now "only" 40 gigs? grrrr, waiting for my terabyte array my GF sent me.

Re:mutually exclusive?

[kasperd]

That is exactly why my prefered solution for on-the-fly hard disk encryption is TrueCrypt.

TrueCrypt is vulnerable to watermarking attacks. Some time ago I created a watermarked file to demonstrate this weakness. If you put this file on a file system encrypted with TrueCrypt, some easily recognizable patterns will show up in the encrypted container. You simply take each pair of neighbor sectors in the encryption and XOR them with each other. When you reach the place where this file is located, the result is easily distinguishable from random.

Re:mutually exclusive?

[Lee_in_KC]

Oh come ON, who modded the parent +5 informative for a one line troll bait?

Re:mutually exclusive?

[kasperd]

This seems like it's only compatible with *nix OSes.

In Unix terms you would say, that these encryptions works on the block device layer. But that doesn't mean it cannot be done in other operating systems. AmigaOS had a similar concept, and I'm sure Windows has one as well. I don't know what it is called in Windows, but it is bound to exist because it is so tightly related to the way storage devices work. And there already exist multiple disk encryptions for Windows working on this layer.

Re:mutually exclusive?

[kasperd]

TrueCrypt is vulnerable to watermarking attacks.

I took a look through the list of new features in TrueCrypt 4.1, and apparently it has been improved to avoid watermarking attacks. So my previous comment only applies to volumes created with TrueCrypt 4.0 and earlier. I have not looked through the documentation and source to verify how secure the new mode is.

Re:mutually exclusive?

[LizardKing]

Install Open, Free, or NetBSD sometime and look for the /proc filesystem. It's not there.

Yet more ill informed Linuxite bull.

[chris@hooters]$ uname
NetBSD
[chris@hooters]$ mount
/dev/wd0a on / type ffs (noatime, nodevmtime, soft dependencies, local)
procfs on /proc type procfs (local)

Re:mutually exclusive?

[trifish]

This problem was fixed a month ago.

http://www.truecrypt.org/history.php

Re:mutually exclusive?

[trifish]

EFS is file encryption (which uses temp files). It is not on-the-fly disk encryption. There's a significant difference between those two concepts.

Re:mutually exclusive?

I guess you will also somehow "accidentally" forget to mention on your site that the watermark attack does not work anymore and that your file has become useless (well, the only purpose of it now could be to spread FUD).

Re:mutually exclusive?

[lky]

Loop-AES is not the current recommended way of doing this on GNU/Linux.

For the current method, check out device-mapper, dm-crypt and cryptsetup.

For more information, check out: http://www.saout.de/misc/dm-crypt/

And for a guided howto install Debian on a USB stick with everything but /boot encrypted, check out: http://www.debian-administration.org/articles/179

Re:mutually exclusive?

[Randseed]

Of course, they didn't bother to write a program to create a TrueCrypt volume under Linux, so for right now this program is utterly useless.

Re:mutually exclusive?

[kasperd]

I guess you will also somehow "accidentally" forget to mention on your site that the watermark attack does not work anymore

Nowhere on my site is it said, that TrueCrypt is still vulnerable (or even that it ever was). Do you think TrueCrypt is the only encryption which has been vulnerable to this attack? The first time I looked on cryptoloop for Linux (in February 2002), it was vulnerable to the exact same attack. I have mentioned two implementations that apparently independent of each other had the same vulnerability. That means there is a significant risk that some of the many other disk encryptions are also vulnerable.

The file I provided contains not just one watermark but a lot of them. There are a few minor variations with byte ordering, padding, and cipherblock sizes. It is convenient to be able to test an implementation without knowing these details beforehand. The file can still be used to perform such tests. (Of course passing this test doesn't prove an implementation is secure, but failing does prove it is weak).

Re:mutually exclusive?

The fact that you host the file and post links to it on the net without giving any additional information (such as that the attack does not work anymore -- which is crucial) is FUD spreading.

How can you stop spreading FUD?
1) Give complete information along with (or in) the file
2) Don't link to the file (or remove the TrueCrypt part).

I bet you'll choose 3) i.e. continue spreading FUD.

Re:mutually exclusive?

[latroM]

Actually, BSD is a unix derivative just like Linux. Both have their separation from Unix and neither is Unix.

Actually GNU's Not Unix. It is a system which behaves in the same, compatible way, not a derivate. Linux is a kernel.

Re:mutually exclusive?

[Theatetus]

Umm, yes if you install the Linux compatibility package for Open, Free, or NetBSD you'll have a /proc filesystem. It doesn't come that way naturally, though.

Re:mutually exclusive?

[Fweeky]

proc/linprocfs are part of the base system, they just aren't mounted by default:

-# grep PROC /usr/src/sys/amd64/conf/GENERIC
options PROCFS # Process filesystem (requires PSEUDOFS)
options LINPROCFS # Cannot be a module yet.

Re:mutually exclusive?

The fact that you host the file It was already explained why the file is still relevant. Besides the file has been in that location for more than half a year, and when it was originally placed there TrueCrypt was in fact vulnerable. Do you expect all evidence that there was ever a vulnerability in TrueCrypt to be removed from the net?

without giving any additional information The additional information is in the comment you replied to. Do you always reply without reading the comment you reply to?

Give complete information along with (or in) the file Changing the file wouldn't make any sense. First of all unless you took a lot of care, changing it would mean it would no longer contain the watermarks demonstrating the weakness. Besides additional information was given.

Don't link to the file (or remove the TrueCrypt part). There is no mention of TrueCrypt neither in the file or in the file name.

I bet you'll choose 3) i.e. continue spreading FUD. You just proved that you are a jerk. (Why am I not surprised?)

Re:mutually exclusive?

This problem was fixed a month ago. The reply above also stated that. There is no need to repeat it.

Re:mutually exclusive?

[Poltras]

shut up.

Re:mutually exclusive?

What does GNU have to do with anything? We are talking about BSD.

Re:mutually exclusive?

[digitalunity]

I don't even run anti-virus software. Never have. Never had a virus either.

How do you know?

A well written virus wouldn't even have symptoms of it's existence... You could have a root-kit right now and not even know.

Re:mutually exclusive?

[TCM]

Could you stop spreading bullshit if you obviously have no clue? Thank you very much.

Re:mutually exclusive?

[Chreo]

No procfs is a separate option when you edit the kernel config on FreeBSD. It is REQUIRED when using Linux compatibility tho but you can use procfs whitout the Linuxcompat

Re:mutually exclusive?

[krakrjak]

Actually Linux is not a derivative like BSD is. All BSDs and all commercial Unicies (HP/UX, AIX, Solaris, VMS, etc.) can trace their lineage back directly to AT&T Unix. Linux does not have this direct lineage. It was grown out of the workalike needs of one particular developer. Therefore it is wrong to say that Linux is a Unix derivative whereas, MACH, the BSDs and all commercial Unicies are definately derivatives.

Re:mutually exclusive?

Don't be retarded. The *BSD group was sued by AT&T UNIX and barred from ever openly associating themselves with the UNIX name. Hence the *nix crap as if it's a trademark infringement just to write the word UNIX on the Internet somewhere. It has nothing to do with being anal or elitist or anything else for that matter. BSD was burned legally for trying to turn the word UNIX into a household name like Frisbee and like a good child they're steering clear of the cookie jar before supper.

Re:mutually exclusive?

[LizardKing]

As others have pointed out, procfs is not a Linux compatability thing, although many Linux binary emulation packages require it. I have Linux binary support turned off in my kernel config as I only used it to bootstrap the build of a native JDK with Sun's Linux one. Also, if you do have proc mounted for Linux emulation it isn't /proc anyway, it's /emul/linux/proc

Re:mutually exclusive?

Mac OS X uses the same tired Mach microkernel that apple has always used.

It has a BSD layer glued on top of that. Mac OS X is not BSD based.

Re:mutually exclusive?

[Nutria]

All BSDs and all commercial Unicies (... VMS, etc.) can trace their lineage back directly to AT&T Unix

Bemused snikering at people who have forgotten what VMS is, and how important DEC was to the growth of computing.

Re:mutually exclusive?

[BitchKapoor]

Apple hasn't always used Mach. Mach came to Apple via NeXT(Step). MacOS versions up to 9 used cooperative multitasking, and early versions didn't even have any memory protection (later versions had "guard pages," but no true application isolation).

Paranoid Android?

[fionbio]

Why do you think that Marvin's brain was running NetBSD? Otherwise, what use could he make of a laptop, with his "brain the size of a planet" ?

Re:Paranoid Android?

[Urusai]

What he doesn't clarify is that the planet in question is the NPC Democratus from Anachronox. The movie makes this somewhat clearer.

Interesting but not exactly new news

[Ffakr]

This is interesting and all, but this isn't exactly a ground-breaking news item.
PGP lets you do this on various platforms.
As a matter of fact, this is how I manage personal info on my OS X Macintosh. I create an strong-encrypted virtual disk image with banking, internet login, software key, and (un)related information. When I need something I mount it and when I'm done I umount it and it's nice and safe (as long as I never tell Keychain to remember the password).
You can do this on a vanilla OS X install with Disk Utility.

ffakr

Re:Interesting but not exactly new news

[BokLM]

PGP lets you do this on various platforms.

PGP lets you encrypt a file, not a filesystem.

Re:Interesting but not exactly new news

[nighty5]

The grand parent is correct, you can encrypt the entire filesystem: under Windows XP.

A new feature of PGP 9.0.

Re:Interesting but not exactly new news

[Riddlefox]

PGP had a feature that allowed you to create encrypted volumes. I know in PGP 8.0, it wasn't part of the 'free' version, but it could be unlocked when you registered.

Re:Interesting but not exactly new news

[PhraudulentOne]

I create an strong-encrypted virtual disk image with banking, internet login, software key, and (un)related information.

Pr0n...

Re:Interesting but not exactly new news

[jcr]

As a matter of fact, this is how I manage personal info on my OS X Macintosh. I create an strong-encrypted virtual disk image

That has nothing to do with PGP. The Mac OS has had this feature since Panther, and the encryption it uses is AES-128.

-jcr

Re:Interesting but not exactly new news

[trifish]

> PGP lets you do this on various platforms

You say "various" but I know only of two. (Win and Mac). Name the others please.

Re:Interesting but not exactly new news

[bot24]

There is also a secure note storage area in your keychain, and you can create new keychains(which can be locked when you aren't using them). The OS has the tools in it for creating it's own secure note storage areas already without creating disk images that take up unnecessary space.

Re:Interesting but not exactly new news

[grub]

There was a program called PGPDisk which was part of the PGP package ages ago. I don't know if it's still available but worked well. I kept 650 MB PGPDisks backed up onto CDRW.

Re:Interesting but not exactly new news

There's also some useful software from jetico (.com? I think..) that will create a encrypted file and allow it to be mounted as a file system across multiple OSes (e.g. create a 512meg encrypted file on a zip/thumb/external USB drive and mount it as a file system under linux and M$... there may be a mac client, although I wouldn't recall). The also have some decent wiping software and some other goodies. and I'm not even a salesman. :)

Re:Interesting but not exactly new news

[waterwingz]

The version of PGPDisk I used was not supported once WinXP came out. As there was no upgrade path and I wasn't going to buy the software again just to get a newer version, I switched to Dekart Private Disk Light. Free version available at www.dekart.com

Re:Interesting but not exactly new news

[yarbo]

Your OS can't treat a file as a filesystem? bummer

Re:Interesting but not exactly new news

[BokLM]

It can, if it's not encrypted. If it's encrypted then it depends of the program used to decrypt the file.

God do I love the smell of slashdot in the morning

God do I love the smell of slashdot in the morning!

Do you? In France /. smells like Garlick in the morning, in Germany it reeks of whats left over of a stew made out of last weeks left over knockwurst, In the USA like it smells lukewarm spray-on cheese and in the UK I hear it smell like a glass half full of stale Guinness covered by a layer of cigarette butts. Where are you from?

Cool, but for who?

[jaymzter]

This is a great idea, honestly... but who runs NetBSD on their laptops? I'd posit that it's a relatively low amount of folks. So while this is cool, until the code migrates to a better known F/OSS OS it isn't much use in the real world.

Re:Cool, but for who?

[LurkerXXX]

So if someone writes a cool utility for Linux, I should just ignore it and say it doesn't matter until it's migrated to Windows, because Linux has such a small amount of folks using it compared to Windows.

Sorry, it is of use. Even if it isn't on the OS YOU choose to run.

Re:Cool, but for who?

[MobyTurbo]

This is a great idea, honestly... but who runs NetBSD on their laptops?

Actually, due to it's (at least at one time) better support for laptop features, many *BSD users chose it over FreeBSD. NetBSD may have less drivers quantitatively, but when it has drivers (and it has a decent amount), they are of very high quality.

questions to ponder

[digitaldc]

What happens if cdgconfig file is lost or damaged?
If you lose the cdgconfig file, is your data irrecoverable?
When it overwrites data, is it truly unreadable?
How taxing is this system, how long does it take to execute?
What happens when you lose your PW?
Are there knowledgable people in the same continent that can provide support for this?

Re:questions to ponder

[Aurix]

Simple answer really... You lose your data, that's why the interview tells you to back it all up.

Re:questions to ponder

I have used cgd before on my laptop and it is very nice. I like it a lot. If you lose your password or anything though, your data is gone, so don't lose it. It is not taxing to system resources, I ran it on my 500mhz laptop and noticed no difference in performance from when I was not using cgd. It really is a good solution to keep pretty much everything on your hard drive encrypted, at all times.

The only drawback of course is that it's only availible for netbsd, if it ever got ported to other OS's I think it would see a lot more usage. You probably could do something similar with cryptoloop on Linux or whatever encryption solutions the other BSD's have. I just have not looked into it.

Re:questions to ponder

[vidarlo]

What happens if cdgconfig file is lost or damaged? If you lose the cdgconfig file, is your data irrecoverable? When it overwrites data, is it truly unreadable? How taxing is this system, how long does it take to execute? What happens when you lose your PW? Are there knowledgable people in the same continent that can provide support for this?

If you loose your config, I guess (I don't know) that you easily can make a new config file. It'd be no problems to store the config on a set of superblocks on the volume, in a unencrypted fashion. When you overwrite encrypted data with more encrypted data, or unencrypted, it is as unreadable as before I'd guess. And if you loose your passphrase... Well, you're done. You could have it written down in a secure location, eh? But a good crypto system can't have backdoors, so if pp is lost, goodbye to data.

Re:questions to ponder

If this is anything like FreeBSD's GBDE the config file is _not_ easily replacable, and is basically as important a part of accessing your data as the password itself.

Re:questions to ponder

LOSE rhymes with BOOZE.
LOOSE rhymes with GOOSE.

*BSD?

Free BSD versus Windows XP

XP: Has the most advanced and easy to use GUI available.
FreeBSD: Has no GUI of note.

XP: Supported by the world's largest and most trusted software company.
FreeBSD: Supported by some losers who got kicked off of the 386BSD core team

XP: Available for free preinstalled on computers from every major manufacturer.
FreeBSD: Available for free as an unstable source release that you have to compile yourself in C and then manually build your own base system.

XP: Stable and reliable, and scalable from the desktop to the datacenter.
FreeBSD: Basically unusable due to major bugs. And it doesn't fix FreeBSD's SMP problems, so don't worry about running it on your server.

XP: Everyone else uses it, so it has all the popular software.
FreeBSD: It runs...uh...vi...and...uhm...thats it actually...

XP: Microsoft has a licensing agreement with SCO, so all SCO IP is fully licensed when you buy a licensed copy of XP!
FreeBSD: You may be liable for the same $699 licensing fee as linux users if you use it, after all, Microsoft is already paying licensing fees for the same code.

XP: Alive
FreeBSD: Dead

As you can see, Free BSD is the clear choice!

Re:*BSD?

[TheBogie]

It seems this AC has made a convincing argument for using XP as opposed to FreeBSD. Since I don't really know anything about FreeBSD, could some expert please offer a rebuttal of this AC's arguments? I know it seems like feeding the trolls, but I never see any real answer to any of these issues.

Re:*BSD?

[Secrity]

Who is "AC"? Arguments and opinions are just like assholes, everybody has one. Install FreeBSD on a spare box and play with it for a while if you want to know something about FreeBSD.

Re:*BSD?

Actually... *BSD ain't so bad. I am sure this guy just pulled some sh*t out of his ass.
Here is some information about FreeBSD if you are interested.

Re:*BSD?

[ettlz]

This has all the hallmarks of a known troll. In fact, it has appeared as this post before. Silly person with nothing better to do.

Re:*BSD?

[anothy]

the parent is a troll and an idiot, but you seem to be genuinely asking, so i'll take the time to answer.

GUI quality: The troll gives no indication of what or how he's measuring. it's difficult to deny that MS's GUIs are more polished, but there are numerous inconstancies. GUIs available on unix systems, including FreeBSD, tend to be more configurable. i'm inclined to agree that traditional X11-based GUIs are behind that of Windows, but that's a far cry from FreeBSD not having one, as the troll claims. also, OS X is widely agreed to be easier to use than Windows' and is unquestionably more technically advanced (we'll see what Vista brings).
Support: The troll's claims that Microsoft is "the world's most trusted software company" is simply laughable. major failures in security and stability in Microsoft products are legendary; their reputation for quality is thoroughly mediocre. they are, however, quite large and do stand behind their products (such as they are) for defined periods of time, which has a certain level of comfort associated with it. FreeBSD, on the other hand, has much higher initial quality and also has commercial support available from various sources. the open source nature of FreeBSD and the vibrant community existing around it also means particularly obscure problems are more addressable than they are in Windows, where you're left waiting for Microsoft to release a patch. again, there are trade offs to be made, but i think FreeBSD is a clear winner here.
Cost and convenience: It is undeniable that having the system pre-installed is a huge win for convenience. but the troll goes way off-track from there. first, XP is available pre-installed, but for how many architectures, maybe two (x86 and itanium)? FreeBSD is available on about a half dozen (NetBSD, incidentally, is available on dozens); this is particularly important in the sever and appliance realms, which are FreeBSD's primary target spaces. FreeBSD is available pre-installed at least on server equipment (i don't know of anyone who does workstations/laptops). the troll claims that XP is free, which is flatly false: the cost is bundled in the cost of the hardware. the troll is also implicitly defining terms like "every major manufacturer" to be only ones he cares about: get me an XP system from Sun or Apple, for example.
Stability/scalability:Again, the troll gives no measurements. at a minimum, XP has a reputation for being unreliable. in my experience at work, XP is a step down in stability and reliability from 2000, although both of these are still leaps ahead of any Microsoft system predating that (except probably DOS, which was highly stable by virtue of being so tremendously simple). DoS-style attacks which bring down the system remain common against XP and virtually unheard of against FreeBSD. FreeBSD is highly stable. the standard edition of XP also scales to 2 processors; special versions are available to get it up to higher number, but still pretty modest number of processors (i think it was 16, but i don't remember). i'm not sure specifically what SMP problems the troll is talking about (again, no specifics), but i've personally run FreeBSD on dual-processor SMB systems without issue and other BSDs on systems much, much larger than any Microsoft product has any hope of touching. for reference, note that BSD-based systems hold many places in the Top 500 supercomputer list, including several in the top 20; Windows can't hope to touch that level of performance.
Software availability: No, troll, not everyone uses it. but yes, it does have more software. for that reason, when i was Director of IT for our company, we continued to by Windows boxes; our accounting package wasn't available on any other platform. but this very much depends what you need. FreeBSD certainly runs a far cry more than vi. most things that'll run on other open-source systems like Linux,

Re:*BSD?

The End of FreeBSD

[ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]

When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.

Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.

FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.

It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.

So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.

Discussion

I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.

From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.

There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.

Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.

Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?

Shouts

To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.

To the bulk of the FreeBSD committerbase and the developer community at large - keep your eyes on the real goals. I

Same as Linux's loop-aes?

[Aurix]

This appears to be the same as linux's cryptoloop (loop-aes, etc), or am I missing something?

It's nothing really special, until it's implemented so laptop users can easily set up an encrypted root filesystem and be able to boot into it easily.

Re:Same as Linux's loop-aes?

[BokLM]

This appears to be the same as linux's cryptoloop (loop-aes, etc), or am I missing something?

Yes, it's similar.

It's nothing really special, until it's implemented so laptop users can easily set up an encrypted root filesystem and be able to boot into it easily.

It's aldready possible.

http://www.tldp.org/HOWTO/Encrypted-Root-Filesyste m-HOWTO/

Re:Same as Linux's loop-aes?

[the_loon]

Hrm, I know RTFA is a little much for most /. readers, but dang, do we have to do RTFS now too?

Recently its author, Roland Dowdeswell, was interviewed and provided a lot of details, and made a comparison with Linux's Loop-AES, FreeBSD's GBDE, OpenBSD's svnd.

Re:Same as Linux's loop-aes?

[croddy]

On Debian, setting up an encrypted root filesystem is not difficult at all. Install cryptsetup and have a look in /usr/share/doc/cryptsetup/CryptoRoot.HowTo -- with a Debian 2.6.12+ kernel and yaird it's practically automatic.

(...yeah, there was that nasty bug in yaird a couple of weeks ago but it's been marked 'done' :-)

Re:Same as Linux's loop-aes?

[Aurix]

errr, he didn't actually compare it to cryptoloop or loop-aes. He only mentioned it.

Perhaps you should RTFA.

What about privileged users?

[MattPat]

NetBSD's CGD project is a cryptographic virtual disk that can protect sensitive data while acting like a normal filesystem.

If it acts like a normal filesystem, that means that nothing special needs to be done to access it, provided you have an account with rights to use that filesystem (I'm assuming it needn't be root). So what if the person stealing your laptop gets a hold of your password? How does it become any more secure?

In retrospect, most BSD users probably don't keep their passwords on a sticky note inside their laptop like some Windows users I know...

Re:What about privileged users?

[BokLM]

So what if the person stealing your laptop gets a hold of your password? How does it become any more secure?

You mean, if I tell everybody my password, then it's no more secure ? Really ? Are you sure ?
I've been doing that for years, you scare me !

Re:What about privileged users?

[Eil]

I don't know how GCD in particular works, but with Unix disk encryption, the designers typically allow for the entire filesystem to be encrypted from root (/) on down. In this case, you are asked for a passphrase by the kernel or some utility before the relevant parts of your disk are "unlocked." System accounts don't even enter into it since /etc could very well (and probably should) be encrypted on a sensitive machine. The attacker can know your user password, root password, and the blood type of your first-born son, but they aren't going to get at your data any time soon without the encryption passphrase.

I've personally always found encrypted disks (Linux and BSD) to be more trouble than they're worth to set up. I realized long ago that I'm much better at just keeping sensitive data off my laptop rather than trying to keep it secure. If my laptop is ever stolen, the most valuable thing they'd walk away with (data-wise) are a few DS9 episodes and maybe logins to a few non-essential websites.

TrueCrypt for WIndows and Linux.

[Futurepower(R)]

TrueCrypt is disk encryption software for Windows XP/2000/2003 and Linux. Version 4.1 was released last month. It seems to have been designed by people who are VERY serious about encryption. For example, TrueCrypt "provides two levels of plausible deniability".

Re:TrueCrypt for WIndows and Linux.

[evanism]

For XP Cypherix's Cryptainer is pretty schmick too...

Re:TrueCrypt for WIndows and Linux.

Although I have not used TrueCrypt myself, I have serious doubts about the fundamental insights that its developers have in cryptography. To develop secure cryptography software, understanding of the algorithms much more important than actually implementing them.

Take for example the Truecrypt FAQ. They state that "On legacy volumes, which are encrypted in CBC mode, data within each sector (sector is 512 bytes) are chained so when a block becomes corrupted, each successive block within the sector will become corrupted as well."

Wrong. Using CBC (cipher block chaining), one corrupted encrypted block leads to two corrupted blocks after decryption, not an entire sector. This Wikipedia article explains it best: the red blocks indicate corrupted data.

I have not examined Truecrypt further, but I can imagine that there could be more cryptographical mistakes. The people developing Truecrypt may be great programmers, but apparently no (big-name) academic cryptographists are involved (or I must have overlooked them).

Personal note:

I'm a cryptography student at ESAT (K.U.Leuven, Belgium), where among other things AES (Rijndael) was developed. Although have not contributed to AES myself, I am being mentored by the same experts who were involved. Check my ip address if you want.

Re:TrueCrypt for WIndows and Linux.

[jbarr]

I agree 100%. TrueCrypt lets you manage not only entire encrypted disks, but smaller, user-definable "container" volumes as well. These are all mounted as virtual drives, and are seamless to use. TrueCrypt works especially well with Thumb Drives.

One thing I really like about TrueCrypt is that it just works. I have tried several commercial options and several that come with Thumb Drives, and they tend to be either too cutsey or kludgy to use. In almost all cases, they are cumbersome and just have an "unstable" feel about them. TrueCrypt is solid, quick, and also importantly, doesn't require any installation other than copying a couple files and launching the app. (It does come with an installer, but it isn't necessary.)

Have a read of their FAQ and and you will see that a LOT of thought and effort has gone into this application.

Re:TrueCrypt for WIndows and Linux.

[trifish]

However, the question is whether the website and docs were written by the developers and designers of TrueCrypt or by their webmaster and docs maintainers.

They have a forum admin, forum moderators, etc, and the project is quite big so I doubt that the software devs/designers maintain the website and docs themselves.

Re:TrueCrypt for WIndows and Linux.

[trifish]

Not open source though (AFAIK). Closed source security = no real security.

Re:TrueCrypt for WIndows and Linux.

[trifish]

You forgot to write a very important thing:

TrueCrypt is open source and free (as in freedom and beer).

Re:TrueCrypt for WIndows and Linux.

[Thundersnatch]

I use TrueCrypt, and it's great on a USB stick, but it does not provide encryption of the boot volume, which can be quite important (especially in Windows).

Re:TrueCrypt for WIndows and Linux.

[RedStar]

The statement you qoute is no longer present in the faq

Re:TrueCrypt for WIndows and Linux.

(grandparent replying)

The FAQ states it is: "Last Updated December 28, 2005".

Apparently the TrueCrypt team is very responsive. Congratulations!

Given the growing popularity of TrueCrypt and the apparently vibrant team behind it, I'm considering doing a full analysis of TrueCrypt from a cryptographic viewpoint. That is, as soon as I have the time (I'm quite busy now with my exams).

I wonder if there are other K.U.Leuven people involved with TrueCrypt, who maybe convinced the project team to include Whirlpool? Please reply. I know you are reading this thread or you wouldn't have updated the FAQ :-)

Re:TrueCrypt for WIndows and Linux.

[kasperd]

I have not examined Truecrypt further, but I can imagine that there could be more cryptographical mistakes.

There are other mistakes. TrueCrypt use the sectornumber for IV, which makes it vulnerable to watermarking. I mentioned this in another comment. This problem violates the plausible deniability mentioned by Futurepower.

Re:TrueCrypt for WIndows and Linux.

[mspohr]

The FAQ includes a method to encrypt the boot volume on Windows.

Re:TrueCrypt for WIndows and Linux.

[trifish]

That problem was fixed one month ago.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

That problem was fixed one month ago.

You are right. I just noticed that. I found the problem back in June when somebody asked me about the security of TrueCrypt. I haven't paid that much attention to TrueCrypt development in the meantime, because back then it could only be used with Windows. The fact that TrueCrypt appears to be bit more secure than it was back then and that it can now be used on both Windows and Linux means that maybe we should start paying more attention to it. At least I'll take a closer look on the mode being used. It is still deterministic and provides no integrity, but maybe it is strong enough for some scenarios.

Re:TrueCrypt for WIndows and Linux.

> I found the problem back in June

The problem was first discovered and reported in November this year (after 4.0 was released) on sci.crypt. If you say you found it five months earlier, then I wonder why you did not contact the developers to tell them to fix it? You should prove what you say (eg. a link to a mailing list, forum message where you announce the attack). IMO, you are probably just another liar.

Re:TrueCrypt for WIndows and Linux.

[trifish]

At least I'll take a closer look on the mode being used. It is still deterministic and provides no integrity

The new mode was recommended to them by several experts on sci.crypt (one of the experts was David Wagner, codesigner of Twofish).

Re:TrueCrypt for WIndows and Linux.

[Thundersnatch]

Making a boot CD to run the OS is hardly a workable alternative. And the Windows SAM and registry would still be unencrypted, just on the CD, which will always be near the laptop.

My point is there are quite a few commercial products that do full-disk encryption, and Vista will include it as well. I presume they do this with code loaded from the MBR. Most can even encrypt an existing disk.

Full-disk encryption would be a killer feature, and make TrueCrypt much easier to use for the average business traveller. Until then, my organization is stuck with the closed source alternatives such as PGP desktop.

We are looking at the new hardware-encrypted laptop disks from Seagate, however.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

If you say you found it five months earlier, then I wonder why you did not contact the developers to tell them to fix it?
Because I had more important things to do (like finishing my PhD dissertation on disk encryption). And I didn't really care much as I couldn't use the software myself, since at the time it would only work on Windows. I did tell about it to a few users of the software. Apparently they didn't care enough about the problem to contact the developers.

I know by experience how hard it can be to get people admit that there is a security problem in some software they wrote. At that time I just didn't feel like spending much time on it.

Finally I must say, that although the situation has been improved, it is still deterministic. It has been proven that there will always exist attacks against such a scheme. And I found it much more valuable to continue my research on how to do something more secure.

You should prove what you say
Just read this thread on google groups.

IMO, you are probably just another liar.
That statement says more about you than about me.

Re:TrueCrypt for WIndows and Linux.

[whiskeypete]

My bigest fear with hardware encrypted laptop drives:

User: I forgot my password to my laptop. Can you reset it?
Tech Support: Sorry, the encryption is set at the disk level. You have lost all of your files.
IT Manager: Too many users are losing their encryption password. We will now have a default password that will be the same for all users.

Re:TrueCrypt for WIndows and Linux.

Just read this thread on google groups.

It would be great if someone translated it for those of us who speak only English and French.


I did tell about it to a few users of the software.

Hundreds of thousands of users downloaded the software and you told about the weakness only to "a few users" (instead of the developers)? Gee.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

It would be great if someone translated it for those of us who speak only English and French.
You didn't trust me before, so would you trust that I gave a correct translation? Only English and French? You do read C don't you? In one of the comments you will find a small C program generating some of the watermarks. You doubted that I had found the problem back then. The fact that I did post a program demonstrating the weakness should be enough to prove that I knew about it.

In case anybody wonder about the text in that posting, it says that this is pretty simple, but it doesn't seem to work yet. But when I have more time I will try to modify TrueCrypt enough to make it compile with gcc, so I can see what happens. Further investigation showed, that the watermarks did in fact work. I had just been XORing the wrong encrypted sectors thus not noticing the patterns.

you told about the weakness only to "a few users" (instead of the developers)?
I told it to those who were asking the question.

Re:TrueCrypt for WIndows and Linux.

[Thundersnatch]

PGP Desktop allows multiple authentication methods per disk. Users can have USB tokens with a short passphrase, and IT can escrow a long, strong passphrase for recovery purposes.

I can only assume that the hardware-encrypted drives would have similar functionality (we haven't been able to get one yet for testing). Otherwise, those drives would be worthless to the security-conscious enterprises they're targeting as customers.

Re:TrueCrypt for WIndows and Linux.

[fbjon]

Won't there always exist attacks against any practical scheme? I'd say TrueCrypt is (or will be, if you will) secure enough for many tasks, such as storing illegal downloads, private mail, password lists, and other non-life-threatening, non-military stuff.

Re:TrueCrypt for WIndows and Linux.

> You forgot to write a very important thing:
>
> TrueCrypt is open source and free (as in freedom and beer).

The hidden and false implication: the NSA/FBI/etc can not write or fund Open Source software.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

Won't there always exist attacks against any practical scheme?
It depends on your definition of attacks and practical. Serious research in the area operate with different kinds of access to the encrypted media. The weakest attack is the one where the adversary is just given read access to the media once. The strongest attack is one where the adversary controls the media and sees all writes, and decides what the media replies to all reads. They correspond to different scenarios namely the case of theft of an encrypted disk, and encrypted storage on an untrusted server.

With the recent improvements of TrueCrypt, it may already be secure enough for the weakest case. It clearly is not secure enough for storing the container on an untrusted server.

I say it may be strong enough because I haven't seen any attempt at formally proving this. Of course a formal proof would be nice. If I see one and is able to verify it, I will immediately start recommending LRW mode.

What is practical is not an easy question. Most existing implementations use a mode that does some kind of 1:1 mapping between logical and physical sectors. This does not give any significant cost in storage or I/O performance, and the CPU requirements is acceptable for many situations. I'd say this is practical.

Anything more complicated than such a 1:1 mapping have an additional cost in I/O performance. The additional CPU requirements does not appear to be much of a problem. GBDE has something slightly more complicated than a 1:1 mapping, and still it seems some people find it practical. I would have done a few things different from GBDE, but one of the modes I could come up with have same I/O patterns as GBDE and use a similar amount of CPU power.

But GBDE may have a problem with atomicity. And it still only focus on the theft scenario, it has no protection against a general passive attack or an active attack.

Most of the problems can be solved using journaling and various tree structures. Those are things that already exist in file systems, and as such I'd say they are practical from an I/O perspective. And the CPU requirement wouldn't have to be more than a factor of two compared to just encrypting each sector.

But that doesn't mean it is trivial to do. Because what I have mentioned here is a lot of layers which would each contribute to the performance overhead. Together it may turn out to give a too poor performance to be practical.

The layers could be integrated in a way that means you only need journaling in one place, and the trees used by the disk encryption closely match those used by the file system to avoid additional seeks. The problems with such an approach are that first of all it is no longer a general purpose disk encryption. Being tied to a particular file system means it should rather be considered an encrypted file system. But what I think is even worse is the fact, that it is a nightmare to provide a formal analysis.

Maybe somebody can come up with a good abstraction to built on top of a block device which is simple enough to encrypt and analyze, but OTOH sophisticated enough to provide all the journaling and tree structures needed by a file system.

Another problem with all of these models is, that no attempt is made to hide access patterns from an adversary monitoring the media. If the adversary knows which physical sector numbers you read and write, he can deduce which logical sector numbers you access. Currently the most efficient solution I know for this problem involves caching all of the data in RAM.

I'd say TrueCrypt is secure enough for many tasks, such as storing illegal downloads
Maybe it is now. But with the possibility of watermarking it wouldn't have been secure enough. How long before producers of for example software started watermarking it such that it could be recognized on an encrypted media?

Re:TrueCrypt for WIndows and Linux.

[fbjon]

Well, by practical I mean usable.

I imagine that Truecrypt is used by individuals for the most part (a larger company would probably want something with more of a guarantee or contract). Now, while a lot of people have all kinds of spyware festooning all over, these are not the people who would know what Truecrypt is, anyway. A Truecrypt user is also likely to have the media in question reasonably sealed off from network access.

Thus, the scenario is that the media is on a computer that contains no adverse software, and that the media can only be compromised by physical access to the computer. Now, suppose that an attacker gets a copy of a volume and walks off with it, how strong an attack can be made? As far as I know, opening the volume should be as hard as breaking the used encryption, unless .. :

watermarking it such that it could be recognized on an encrypted media

Whoa, now. How does that work? Wouldn't that mean that the encryption used was weak in the first place?

In any case, to me it seems that the main concern with all disk encryption is precisely theft of a disk, what with company laptops wandering off on their own.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

Now, while a lot of people have all kinds of spyware festooning all over, these are not the people who would know what Truecrypt is, anyway.
If you are unable to protect your computer from spyware, then disk encryption is not going to help much anyway.

A Truecrypt user is also likely to have the media in question reasonably sealed off from network access.
Some disk encryptions actually state that you can keep the container on a different computer and access it using some networking file system. I have not yet seen a disk encryption which was secure enough to be used in that way. I don't think TrueCrypt claims to be usable in that scenario. But even making a backup of the container could be dangerous.

Now, suppose that an attacker gets a copy of a volume and walks off with it, how strong an attack can be made?
How much information does he need to get from the disk? Getting everything from the disk may be difficult. But if he just wants to know if one particular file exists on the disk, it may be simpler.

As far as I know, opening the volume should be as hard as breaking the used encryption, unless ..
I haven't seen a formal proof of that. And unless somebody tried to give a formal proof, then it is likely there is some subtle weakness which has not yet been spotted.

Wouldn't that mean that the encryption used was weak in the first place?
Yes, but until a month ago TrueCrypt was really that weak. Can somebody provide a proof that it is no longer weak?

In any case, to me it seems that the main concern with all disk encryption is precisely theft of a disk
Yes, but there are a few additional concerns. What are the characteristics of the physical media. Could it for some reason leak a few informations about what was in some of the sectors at an earlier point in time. What about a disk that was stolen an soon recovered again?

Re:TrueCrypt for WIndows and Linux.

[fbjon]

Can somebody provide a proof that it is no longer weak?

Well, I certainly can't :), but I agree that it is needed before it can actually be taken seriously by serious people.

Could it for some reason leak a few informations about what was in some of the sectors at an earlier point in time.

That's a very valid concern for all those users in these comments who use Truecrypt on a flash drive, USB or otherwise. As I understand, the controllers for the flash chip try to minimise the usage per individual flash cell, so overwriting a file might not actually overwrite what you think you're overwriting. Even hard drives can leave trails, since sectors can be remapped to spare sectors at the end of the drive, when they start to go bad. Those old sectors that got remapped can usually not be accessed in any way after that. Wiping the area requires more than a simple software-wiper like Eraser. Those issues are for the most part out of Truecrypt's control, though one could overwrite all free space in the entire flash module after closing the volume.

I think what you're referring to, however, is if Truecrypt leaves trails in the volume file/partition itself. That would depend on how Truecrypt deletes files, if it wipes them, or just marks as deleted like a regular FAT32 FS. In any case, since the volume works like any other filesystem, I think wiping and erasing a file with an external tool using random data works just as well.

Re:TrueCrypt for WIndows and Linux.

[joaobranco]

The hidden and false implication: the NSA/FBI/etc can not write or fund Open Source software.

Of course they can... BUT with source code you can INSPECT and CHANGE the software, so that any foul play is harder than with "off the counter" software.

Re:TrueCrypt for WIndows and Linux.

I say it may be strong enough because I haven't seen any attempt at formally proving this. Of course a formal proof would be nice. If I see one and is able to verify it, I will immediately start recommending LRW mode.

LRW mode is an instantiation of a tweakable mode of operation, which comes with a proof of security by Liskov, Rivest, and Wagner. http://theory.lcs.mit.edu/~rivest/LiskovRivestWagn er-TweakableBlockCiphers.pdf

(LRW stands for Liskov, Rivest, Wagner)

Re:TrueCrypt for WIndows and Linux.

[kasperd]

The paper you link to is an interesting read on Tweakable Block Ciphers. But it mentions neither LRW mode nor disk encryption.

Re:TrueCrypt for WIndows and Linux.

I expected this kind of response. You should read the paper more carefully. LRW mode was designed by IEEE and, as I wrote, it is an instantiation of a tweakable mode of operation (or tweakable cipher LRW-AES). The proof of security applies to LRW-AES as well (because it is a tweakable cipher). LRW was designed specifically for sector-based storage encryption (data at rest) by IEEE. The draft has been out there for public review for 3 years.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

The proof of security applies to LRW-AES as well (because it is a tweakable cipher).
The proof applies to the cipher, not the mode. The way the cipher is used in TrueCrypt does not correspond to any of the modes in the paper you linked to. The paper also states that TAES is expected to be 50-80% slower than AES. Why not use AES in CBC mode? (Here I mean a correct implementation of CBC, not the one with a deterministic IV).

Re:TrueCrypt for WIndows and Linux.

The proof applies to the cipher, not the mode.

Wrong. It applies to the concept of tweakable ciphers, which is in fact the same as tweakable mode of operation (it only depends on how you view it). I really suggest you re-read the paper and this time more carefully.


Why not use AES in CBC mode? (Here I mean a correct implementation of CBC, not the one with a deterministic IV).

By saying this you have just proven that you do not know very much about the field of storage encryption. There are at least five types of severe attacks on correctly implemented CBC (one of which allows full recovery of secret plaintext without any knowledge of any part of the key). None of these attacks work on LRW mode.

Maybe it's time to think about reasons why experts on sci.crypt recommend LRW in place of CBC for disk encryption and why they say that it comes with a proof of security (provided that the underlying cipher is secure).

I'm done with this thread. You do your homework.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

There are at least five types of severe attacks on correctly implemented CBC (one of which allows full recovery of secret plaintext without any knowledge of any part of the key).

I don't know why I should believe you. I have seen and verified the proof for security of CBC under the assumption that the cipher is indistinguishable from a random permutation. If that assumption does not hold, then tweakable ciphers does not work either. And even the incorrect implementations of CBC does not allow full recovery of an unknown plaintext.

Of course this is all assuming passive attacks. Neither CBC nor LRW is secure against active attacks. If you want security against an active attack, you need stuff like hash trees and message authentication codes.

You do your homework.

If you had done your homework you would have come across two articles on the subject which give different proofs why LRW cannot satisfy the strongest security definitions. They are both available on eprint.iacr.org one is written by Kristian Gjøsteen, and I'm coauthor on the other.

of course it helps...

[advocate_one]

if you remember to encrypt any partitions that temporary data might possibly reside on... cos it would be awfully silly to protect your home partition and forget /var or /tmp or the swap... why not be completely paranoid and encrypt the the volatile "partition" that gets created in memory

Re:of course it helps...

Well, OpenBSD has had the ability to encrypt swap for ages now (and brain-dead simple to set up), and FreeBSD has had the ability since 5.0 (it's still a needlessly difficult task to set it up though). With CGD, NetBSD now has this ability as well (since about 2.0 IIRC).

Mac OS X Tiger can also easilly encrypt its swap space. I have no idea why these mechanisms are not enabled by default on these OSes (not even on OpenBSD!) as the overhead really isn't that noticble...

Re:of course it helps...

[BobNET]

I have no idea why these mechanisms are not enabled by default on these OSes (not even on OpenBSD!) as the overhead really isn't that noticble...

Swap is now encrypted by default in OpenBSD 3.8: http://marc.theaimsgroup.com/?l=openbsd-cvs&m=1111 85331505174&w=2

Re:of course it helps...

"Swap is now encrypted by default in OpenBSD 3.8:

http://marc.theaimsgroup.com/?l=openbsd-cvs&m=1111 85331505174&w=2 "

Sweet, thanks, I missed that one =D

a *BSD song

"Last Disk" [to the tune of Last Kiss by pearl jam]

Oh where, oh where is my BSD?
I just loaded Beta 5.3
It's gone to heaven, so I've got to be good,
So I can see the OS when I leave this world.

I'd started to load it in my roommate's Dell,
the hard drive was taking it pretty well.
During the load, it crashed the heads,
the distro was stalled, *BSD was dead.
I couldn't stop, so I yanked the cord.
I'll never forget, the sound , oh Lord--
the screamin' drives, the speaker's blast,
the painful scream that I-- heard last.

Oh where, oh where is my *BSD?
That load took it away from me.
It's gone to heaven, so I've got to be good,
So I can see *BSD when I leave this world.

When I woke up, the sparks were pourin down.
There were admins standin all around.
Some burned-out chips had fallen on the tiles,
but somehow I found my disc of files.
I lifted the CD, the devil winked and said,
"Load me darlin just a little while."
I held it close, I kissed the label--our last kiss.
I found the love that i knew i had missed
well now it's gone, even though I loaded it right
I lost my *BSD and the Dell-- that night.

Oh where, oh where is my *BSD?
I tried to load it yesterday.
It's gone to heaven so I've got to be good,
So I can see *BSD when I leave this world.

When I next went to Slashdot, where so many had trolled.
Any so many times "BSD's Dead!" was told.
Tears fallin' on the keyboard, I checked "Anonymous"
and I eulogized *BSD, in memory, of us....

When I logged on next, my post was modded down.
In my heartbreak and sorrow, treated like a clown....
No matter what the mods do, it's in my heart and head
We'll always know "*BSD IS DEAD!"

Oh where, oh where is my *BSD?
I tried to load it yesterday.
It's gone to heaven so I've got to be good,
So I can see *BSD when I leave this world.

Re:a *BSD song

[PygmySurfer]

'Last Kiss' isn't a Pearl Jam song. It was written by Wayne Cochran, and I think it was first recorded by J. Frank Wilson & The Cavaliers.

Jordan Hubbard left FreeBSD

[Ffakr]

I heard some retard said Jordan Hubbard left FreeBSD development.
I wonder where Jordan went.. bet he's writing Windows software now..

Oh wait, Jordan Hubbard is leading work at Apple on that OS X thingy they have.. you know, the FreeBSD based OS with that Darwin open source core thingy.

Poor beleagured Apple, they'll be out of business any day now.
Oops. Scratch that.
Poor beleagured FreeBSD, they'll be out of buisness any day now.
Oops. Scratch that.
Poor beleagured OpenBSD. They'll..... got to blow my nose, excuse me.

Is there one of these for

[Pants75]

Windows?

Re:Is there one of these for

pgpdisk

What a Load

[Some+guy+named+Chris]

From the summary: "Security-minded laptop users live in fear of theft"

Nice blanket generalization there. I'm security minded, use two laptops, and I don't live in fear. I mitigate risks. I use caution, but I don't live out my life in a state of fear, as your cliche ridden statement says.

Karma be damned, but I'm sick of people who use phrases without thinking what they actually mean.

Re:What a Load

[digitaldc]

"Karma be damned, but I'm sick of people who use phrases without thinking what they actually mean.

Karma can not be damned, it is only a state of being.

Re:What a Load

[Some+guy+named+Chris]

LOL

Re:What a Load

[Waffle+Iron]

I mitigate risks. I use caution

Yes, and why do you take those steps? Because you live in fear of the consequences that would happen if you didn't take them.

Re:What a Load

[Colin+Cordner]

From the summary: "Security-minded laptop users live in fear of theft"

Nice blanket generalization there. I'm security minded, use two laptops, and I don't live in fear.

I agree with the PP - I don't "live in fear" either. I live next door to fear, sure, and I may occasionally peep over the fence to throw a rock at it...

Re:What a Load

[angst_ridden_hipster]

I was wondering who was throwing those damn rocks.

Bestcrypt offers similar features

Bestcrypt is probably only solution supporting Linux AND Windows. Windows version is a shareware, but Linux version is a free (as a beer).

Re:Bestcrypt offers similar features

[Tetch]

> Bestcrypt is probably only solution supporting Linux AND Windows

Wrong - as mentioned by several other posters there is an excellent free open-source encrypted drive product available for Windows - Truecrypt, http://www.truecrypt.org/ - which now has a Linux version available (since V4.0), offering the ability to access the same encrypted drive from both environments.

Forget Bestcrypt.

Filevault

[Savage-Rabbit]

So the CGD disk is an encrypted pseudo disk driver. It sits on top of another partition and acts as a new virtual disk to the rest of the operating system. But what of those of us that have to use windows, or Mac OS X? This seems like it's only compatible with *nix OSes.

OS.X ships with something called Filevaut, accessable from 'System Preferences'. Filevault migrates your home directory onto an encrypted image using a 128-bit AES key which, AFAIK is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it. This image gets mounted onto your Home directory when you log in and cannot be accessed unless you either know the login password or somehow manage to crack the encryption on the image file. This is useful for mobile professionals and the on the fly encryption works surprisingly well unless you are working with say, Photoshop files that weigh in in the hundreds of megabytes. For day to day stuff this works quite well. Just for example, I keep my iTunes collection on a filevault image and it does not seem to kill performance even with resource hogs like MS Word and Excel running.

If you only want a small secure area rather than encrypting the entire Home directory like you do with Filevault you can also create stand alone *.dmg images with the 'Disk Utility'. These have the same 128-bit AES encryption as Filevault. Fire up /Applications/Utilities/Disk Utility.app, select File->New->Blank Disk Image... Once created this can be accessed by double clicking it and feeding it the password.

Re:Filevault

[Anonymous+Bullard]

Filevault migrates your home directory onto an encrypted image using a 128-bit AES key which, AFAIK is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it.

Wonder why... ;-)

Re:Filevault

[keith_nt4]

All you need is the login password? Couldn't a bad guy just boot off the install CD, reset the password and login (and reset the keychain, god I hate that keychain)? Doesn't sound very secure to me.

Re:Filevault

[ImaLamer]

AFAIK is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it.

Is that the same guide I read? I think it's title was: " For Our Eyes Only "

Re:Filevault

[Nogami_Saeko]

Uh, no.

The filevault key is hashed from the user's password. If you reset the login password and reset the keychain, it will do you no good as you still can't open the filevault container because you still don't know the original password that was used to generate the key.

The only way to bypass filevault is by setting a master encryption password on the computer, which will allow filevault recovery if you know that master password (also not possible to reset).

paranoid android overlords

[ichigo+2.0]

I for one welcome our paranoid android overlords!

In Soviet Russia, paranoid of androids is you!

I'm a paranoid android, you insensitive clod!

Imagine a beowulf cluster of paranoid androids!

Yup, that was pretty awful.

This is already built-in to OSX

It's called FileVault. Just go to one's system preferences, select FileVault, set the password and bingo!

Re:This is already built-in to OSX

[Anomalyst]

Having everybody use the same "and bingo!" password does not seem very secure.
P.S. better complexity would be "and Bing0!".

Re:God do I love the smell of slashdot in the morn

[terwey]

In Amsterdam is smells like weed... I can tell... ;)

Doesn't address unencrypted OS

I don't know about BSD, but with Windows there is always the danger that the OS itself or other programs are making copies of data and filenames and storing them in the registery, .ini files or a thousand other possible places which may not be encrypted. Encrypting the entire OS from boot on up seems like the only genuinely secure way to prevent this problem.

Re:Doesn't address unencrypted OS

[evanism]

Amen! Christ knows whats stored in your swap partition, c:\Docs and Settings, or even C:\WINDOWS\Prefetch... and elsewhere...

Re:Doesn't address unencrypted OS

[zyche]

OpenBSD by default encrypts the swap-partition. Read the paper by Nils Provos.

Re:Doesn't address unencrypted OS

[Shanep]

OpenBSD by default encrypts the swap-partition. Read the paper by Nils Provos.

Wow, I thought you were wrong about it being on by default, so I checked the CVS entries. I knew OpenBSD's swap encryption had very little impact on swapping performance, but it seems that this was switched on by default 9 months ago and I didn't even notice. I guess that shows how little impact it has.

Xandros Linux has automatic disk encryption

[Burz]

You can setup encryption for any homefolder in Xandros right from the user admin section of Control Ceenter. It uses keyfiles and supports the algorithms you listed plus about six others.

NetBSD at SCALE 4x

[irabinovitch]

NetBSD will be exhibit at SCALE 4x

sysctl = BSD; /proc = Linux

[Cadre]

Actually, no BSD's have /proc. BSD's use sysctl. Linux uses /proc.

Re:sysctl = BSD; /proc = Linux

[croddy]

sure they do.

Re:sysctl = BSD; /proc = Linux

[quantum+bit]

Can't speak for the others, but while FreeBSD does have a procfs, it's considered deprecated and its use is discouraged.

Windows

[gr8dude]

Under Windows, you can use Private Disk (AES 256-bit, with certification from NIST; use multiple encrypted drives simultaneously), it comes with a lot of features, my favourite one being 'Disk Firewall'. This is an application-level filter that doesn't exist in programs like TrueCrypt or BestCrypt, etc. This thing allows you to control which application can access the drive, while the others (i.e. viruses, spyware and other #^!#$^!ware) are rejected.
The program runs off removable drives too (there are certain particularities.. but once you know what you're doing, it works).

Private Disk [Light | Multifactor]

[gr8dude]

Try these

Private Disk (lots of features, highly customizeable)

Private Disk Multifactor (Comes with biometry and smart card authentication)

Private Disk Light (this is the free version)

I wrote about these tools in an earlier post. I am very satisfied with this thing, bought it for half the price - student discount :-)

Why is this being compared to loop-aes on Linux?

Reading the first few lines of the interview I get the impression it does almost the exactly the same stuff dm-crypt does, which has been in Linux stable for over a year now.
Have a look at http://luks.endorphin.org/
In my opinion, there has been some excellent work been done.

crypto

[goarilla]

Is it possible to encrypt your entire system
or anything except the boot partition since i dont think
the boot loaders support crypto yet

Can someone spread some light on this

Re:crypto

Yes it has been done for Windows with at least two commercial closed source products that I know of, there may be more. Neither are open-source so you have to take their security on faith.

Re:crypto

Yes. I currently have a proof-of-concept I use with qemu that does just that. There is a small boot partition that just has a kernel and an initrd. The initrd sets up the encrypted root and the rest is like a normal initrd boot. Of course ... you have to trust that the initrd and/or kernel haven't been compromised. When I implement this on my real computer, I might put them on a USB pen drive that I can take with me.

Hmm, Mr Anonymous Expert Cryptologist

[wurp]

It's possible you know about cryptography, but you don't seem to know much about networking... how exactly do we check your ip address?

That said, I don't know anything about CBC and I expect your point is 100% correct. It's just painful to see such a statement from someone purporting to inform me about computer related information.

I use loop-aes when I want an encrypted drive. Setting it up the first time sure is a pain, though.

Thinkpad's w/ TPM Security Chip offer this

[jonnykelly]

And other PC makers who offer Trusted Platform Module subsystems probably do as well. The IBM/Lenovo Client Security Solution works great. It's actually Utimaco Private Disk software.

In fact the real beauty of this solution is that it can be set up to replace the standard windows login with one which uses the TPM, and can then 'unlock' as much or as little of your other TPM secured data as you like. My only complaint is that the password manager doesn't work w/ Firefox/Thunderbird, so I can't have TRUE single sign-on. But if I were to just use IE, it would be.

How long has it been tested

[IntelliAdmin]

I have been burned many times in the past by development filesystems, and drivers. It sounds like a great idea, but I am going to wait quite some time before I trust my data with it.

SuSE

[Lord+Byron+II]

SuSE supports encrypted disks without the use of the commandline. Does anyone have any comment as to the security or the recoverability of the SuSE system?

Windows EFS

[charnov]

Windows has the Encrypted Filesystem built into NTFS.

http://www.microsoft.com/technet/prodtechnol/winxp pro/deploy/cryptfs.mspx

Re:Windows EFS

[Nogami_Saeko]

I have never used windows encryption, but I was under the impression that it's a file-level, rather than a disk-level encryption - so while you couldn't get the information back easily, you could view the file name, size, date and other attributes, as well as see the number of files encrypted.

Disk-level encryption, which protects the entire drive until the key is entered is far more secure - you can't even prove there is anythign at all on the disk, or if it's just randomized bits generated from a secure wipe.

Re:Windows EFS

[charnov]

It's integrated into AD and local permissions meaning that an enterprise admin could revoke or grant priviledges on the fly which is a really big deal in an infrastructure environment. Also, it is a key cert style encryption so you can always back up the decrypt key or use a central key server. I have never tried to use it to hide a volume for plausible deniability, but I don't think it was designed with that in mind.

openbsd

Does someone know if openbsd still uses encypted file systems by default? Is this basicly something like that but for netbsd?

You fuckin moron

That's what he said: he uses PGP Disk, not Filevault you stupid asswipe

dm-crypt?

[Gadzinka]

It's interesting to see xxxBSD user/developer comparing "just written" software for BSD with ancient versions of Linux counterparts and (surprisingly) finding xxxBSD version to be better. My point being: dm-crypt.

If you are interested in Linux 2.6 encrypted partition, use dm-crypt together with cryptsetup tool. It's much safer than AES loop and:

• it allows to use encryption algorithms in CBC mode;
• uses published linux kernel crypto API, which means that you can use any cipher known by kernel;
• because of the above, if kernel has hardware support for some crypto algo, dm-crypt uses it automagically: I have a very low power VIA Epia MicroITX board (soon to be replaced by even lower power Nano ITX board by Epia) serving as my home fileserver. The processor, VIA Nehemiah is disgustingly slow at it's 800MHz, but it has VIA Padlock crypt engine doing AES in hardware -- access speed on encrypted AES256-CBC partition is indistinguishable from the speed on the same non-encrypted disk, and a lot higher than on my Pentium M 1.6GHz notebook with Blowfish (i.e. the fastest-yet-quite-safe) dm-crypt partition.
• because it uses Crypto API, you can use any new safer or faster algo, whether it's done in software or hardware, as soon as there is crypto api driver for it (crypto using GPU anyone? ;)
• with existing cryptsetup tool you can create encrypted swap partition with random key taken from /dev/random; and since some platforms (e.g. VIA Epia, but also chipsets from Intel, AMD and others) have true hardware random generators with Linux drivers, I wish a lot of luck to someone trying to recover passwords from my swap device ;)
• while existing key generation method is not as kosher as described PKCS#5 PBKDF2 or multifactor solutions, cryptsetup is just a userspace tool controlling kernel space diskmapper virtual disk engine; you can write your own tool and initialize your dm-crypt partitions any way you want;

OK, I'm tired, go read the links and you'll be much wiser and better informed than after reading TFA ;)

Robert

Re:dm-crypt?

[bani]

The major difference between dm-crypt and loop-aes is that loop-aes has optimized assembler. My tests between dm-crypt and loop-aes showed that dm-crypt was more than 3 times slower.

With loop-aes, my drive is the bottleneck. With dm-crypt, dm-crypt is the bottleneck.

Re:dm-crypt?

[Gadzinka]

Ever tried the aes-i586.ko kernel module instead of default aes.ko?

Robert

Re:dm-crypt?

[bani]

well no since i was using x86_64

and there wasnt an x86_64 asm implementation when i tested in 2004. maybe everything has been fixed by now though. it wasnt an option then.

Re:dm-crypt?

[Gadzinka]

[0:26] [rrw@laptok:/home/users/rrw]
0% cd /usr/src/linux/arch/x86_64/crypto
 
[1:06] [rrw@laptok:/usr/src/linux/arch/x86_64/crypto]
0% ll
total 24
-rw-rw-rw- 1 root root 8388 Oct 28 02:02 aes.c
-rw-rw-rw- 1 root root 4671 Oct 28 02:02 aes-x86_64-asm.S
-rw-rw-rw- 1 root root 159 Oct 28 02:02 Makefile
 
[1:06] [rrw@laptok:/usr/src/linux/arch/x86_64/crypto]
0% uname -a
Linux laptok 2.6.14 #2 PREEMPT Sat Dec 24 22:04:04 CET 2005 i686 GNU/Linux

Robert

Re:dm-crypt?

It is official--Netcraft now confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

You don't need to be the Amazing Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: NetBSD is dying

Re:dm-crypt?

[Cronopios]

It's interesting to see xxxBSD user/developer comparing "just written" software for BSD with ancient versions of Linux counterparts and (surprisingly) finding xxxBSD version to be better. My point being: dm-crypt.

If you are interested in Linux 2.6 encrypted partition, use dm-crypt together with cryptsetup tool. It's much safer than AES loop and:[...]

There is a dm-crypt tutorial on Linux Journal: Encrypt Your Root Filesystem.

It was also published in Spanish by the magazine Mundo Linux.

GBDE

[kasperd]

He seems to have a relevant worry about the lack of atomicity when writing to a GBDE encrypted device. However he fails to notice that this happens only because GBDE has addressed a problem which every other disk encryption seems to have ignored. You get certain security advantages from probabilistic encryption. But probabilistic encryption implies the encrypted version must be slightly larger than the clear text.

More than once has the use of deterministic encryptions lead to weaknesses in disk encryptions. And often the workarounds require additional CPU power. And even the most careful deterministic encryption can never be as secure as a probabilistic encryption.

GBDE does have probabilistic encryption. This also means that obviously an update requires more than one physical write. Though this could be done securely, the way it is done in GBDE seems to give a risk of data loss/corruption. Some kind of journaling could have solved the problem. Having journaling both in the encryption and in the file system seems to be overkill (and clearly hurts performance), but integrating the two without compromising security is nontrivial. I'd like to see some more research in this area.

From my description it may sound like from a cryptographic viewpoint GBDE is the best designed disk encryption in existence. Unfortunately it isn't so. It did get some things right, but it seems to be mostly by luck. GBDE uses different pseudo random keys for each sector, however rather than using a standard PRNG, PHK decided to invent his own known as the Cherry Picker. Unfortunately there is a weakness in this generator as the output is not uniformly random.

To the best of my knowledge GBDE is currently the only disk encryption making use of probabilistic encryption, and none of the disk encryptions in existence make a serious effort at guaranteeing integrity (also known as security against an active adversary).

Re:GBDE

Certainly, there may be advantages to randomising the keys---but if you are going to do that then you have the responsibility of maintaining a proper transaction log. If you do not do this, then at the end of the day your pseudo-disk isn't actually ``a disk'' since it breaks the atomicity requirements the higher level fs code, DBs, etc. assume that disks present.

Re:GBDE

[kasperd]

but if you are going to do that then you have the responsibility of maintaining a proper transaction log.
That is just one possible solution. There are simpler ways to solve the problem, for example you could just mirror the shared sector. You'd need to add a bit of redundancy to find which one is correct. So you might end up with only 31 logical sectors rather than 32 for each 33 physical sectors. But at least you preserve locality.

If you do not do this, then at the end of the day your pseudo-disk isn't actually ``a disk'' since it breaks the atomicity requirements the higher level fs code, DBs, etc. assume that disks present.
What are the exact gurantees that disks give you? What requirements does the higher levels have? Atomicity is a pretty strong property. Does disks really give you this? Having random garbage in the sector being written the very moment power was turned off sounds more likely. Maybe that is not acceptable, but then a harddisk can do some "magic" internally to give better guarantees than what you get from the physical media.

Of course a disk encryption not paying attention to this will give something worse to the higher layer than what it was given by the lower layer. But OTOH with some redundancy and integrity checking, you can go from a single corrupted sector to an atomicity guarantee. A disk encryption doing this could provide better guarantees to the higher layers.

The big question is, how do we do this in a way that is I/O efficient and using as little space as possible?

stop being lazy/stupid

[hyperbotfly]

Learn the CLI....It is SO worth it!

Crypto-Graphic?

[1u3hr]

Okay, I RTFA, and still don't see why there is a hyphen in "crypto-graphic" here. I thought perhaps it was some cute way to use a graphics card to do the the encoding, but I think it's (don't laugh) a typo. Please correct me if I'm wrong.

Re:Crypto-Graphic?

[someone1234]

Because it's main usage is to hide (crypto) porn (graphic).

Important Fact: TrueCrypt is Open Source!!!

[Futurepower(R)]

I've only just begun using TrueCrypt, but my experience, also, is that it just works, also. I like making and maintaining a container, which can be moved to a thumb (flash memory) drive for traveling.

I like the command line options of TrueCrypt.

Most importantly:

1) Reading the web site and documentation gives me the impression the developers know what they are doing. I like it that, in the comments above, the developers are criticized for an incorrect statement about block chaining, and the error was corrected immediately.

When I read the web sites and documentation of commercial encryption products, so much is written by bored marketing people that I fear that the company is controlled by someone who majored in English Literature. (Nothing against majoring in Eng. Lit., but such people should not have control over products that require advanced understanding of technology.)

2) To me, it is absolutely necessary that any encryption software I use be Open Source. I fear that a rogue employee or a an owner of a commercial encryption software company would put in a back door, or would introduce a weakness.

The U.S. government has decided that it can secretly force companies to help in surveillance. This means that commercial companies cannot be trusted. (The drawbacks of secret action are called "Blowback" by some in the U.S. government. Blowback is not seen as a bad thing, because if decreases the political stability in the world, which means that employees of U.S. government secret agencies will get raises and promotions.)

For conventional encryption, like sending encrypted files automatically to a private FTP site for safe offline storage, I use Gnu Privacy Guard. Also Open Source, of course.

A Slashdot editor could check his IP address.

[Futurepower(R)]

"... how exactly do we check your ip address?"

When I read that, I assumed he meant that a Slashdot editor could check his IP address.

I know that Slashdot editors sometimes read the stories they post, because, when I criticize the Bush administration, sometimes I am moderated down multiple points, without the moderation appearing in the karma points summary at the end of the comment. In the middle of the night, while Slashdot editors are presumably sleeping, people in other countries moderate the comment to +5. The comment is then bulk moderated down when it is morning in the United States. Just guessing, but it is plausible.

This comment may seem a little off topic, other than being an answer to an on topic thread, but it is relevant because encryption like that provided by TrueCrypt is more necessary in times of political instability and government corruption.

Re:A Slashdot editor could check his IP address.

sometimes I am moderated down multiple points, without the moderation appearing in the karma points summary at the end of the comment.

Are you sure about that? Things like the 'small comment modifier' (in preferences/comments) are applied silently, even on your own comments.

for a growing userbase

This is one example of how a F/OSS _becomes_ more popular. Don't count a runner out of a race which never ends.

Crosscrypt for Windows Users. GPL too

[tezza]

I've used this A LOT.

Cross Crypt - Open Source AES and TwoFish Linux compatible on the fly encryption for Windows XP and Windows 2000.

It uses the excellent Filedisk to appear as a volume in Explorer.

It's GPL, sorry to restate that, but I dunno if you read the headline fully or not.

Apple's FileVault

[l0ungeb0y]

Hey -- I'm no crypto, OS or FS guru, how does this compare/differ from Apple's FileFault which provides on the fly encrypt/decrypt of user files? Being an Apple user, I have yet to use the FileVault utility, but it does look enticing, just that encrypting files on my workstation doesn't seem worth the *anticipated* performance hit.

Perhaps this might be yet another *BSD project that Apple could benefit from ala Konqueror. Or not.

Is that you being especially nice?

[Futurepower(R)]

"... you are probably just another liar."

Ahhh, the civilized and polite interaction for which Slashdot is famous.

Lets talk about the crypto

Thankyou for making me skim through your cruft--flames of the BSD's--rather than discussing the article at hand. Lets talk about the article in the stead of opinions and unreliable and misleading surveys, shall we?

I'd like to point out that the article notes that OpenBSD's svnd does not provide salting of the password, thus leaving it more open to dictionary attacks. Rather, Blowfish is NOT fast when changing keys. Blowfish is much slower than almost all block ciphers when computing a new key. Blowfish, especially the version found in OpenBSD, has a slow key schedule, which does make it resistent to dictionary attacks by requiring lots of computation.

Facts.

Truecrypt is JUST starting to become safe to use

If you look at its history they are just within the last few months starting to get their shit together. The beginning of the project was controversial and for the first few versions there was no solid group running it. They also btw just recovered from a major flaw in their deniability scheme.

By all accounts it appears to be shaping up into a solid project, but IMHO you wouldn't be acting too conservatively if you waited another year to look into their project. A project that starts out with disputed code, then has no formal website, and then finally has one of their major features coded incorrectly, seems to be growing through some serious growing pains to put it mildy.

And THAT is why you don't every crypto expert out there applauding Truecrypt yet. Like I said the problems seem to be a thing of the past, but for anything but home use I'd wait another year or so to make sure they are on the right track and the project won't fizzle out have more organizational problems.

Won't Full Disc Encryption make this obsolete?

[Scott_Marks]

Seagate has announced a laptop disk that does full disc encryption in hardware, without slowing down disc I/O at all. Seems like that makes software solutions (which are subject to reverse engineering, etc.) decidedly inferior.

Re:Won't Full Disc Encryption make this obsolete?

[setagllib]

Sure, except that cgd works on memory block devices (useless) and file-backed block devices (pretty useful). And on any disk. And on any platform. And on USB bars and floppy diskettes.

Nice to hear Seagate is offering a specialty product, but you can have much more versatile encryption for free, and it's easier to administer. How would the Seagate drive get its password? Would you type it in while booting? Or have to use a Windows-specific driver? Or would it memorise it, completely defeating the point of encryption?

Performance isn't everything. 'Slow' doesn't mean 'decidedly inferior'. By that token you may as well take a plane to work instead of driving a car.

Same to you, I'm sure.

[jcr]

I guess you missed the part where he said he used Disk Utility. PGP Disk wasn't mentioned. Who's stupid now?

-jcr

RTFA

[noz]

Wow, it's my first time telling someone to read the article before asking questions. The first section of the first link says (and I quote):

13.1.1. Why use disk encryption?

File-oriented encryption tools like GnuPG are great for encrypting individual files, which can then be sent across untrusted networks as well as stored encrypted on disk. But sometimes they can be inconvenient, because the file must be decrypted each time it is to be used; this is especially cumbersome when you have a large collection of files to protect. Any time a security tool is cumbersome to use, there's a chance you'll forget to use it properly, leaving the files unprotected for the sake of convenience.

Worse, readable copies of the encrypted contents might still exist on the hard disk. Even if you overwrite these files (using rm -P) before unlinking them, your application software might make temporary copies you don't know about, or have been paged to swapspace - and even your hard disk might have silently remapped failing sectors with data still in them.

The solution is to simply never write the information unencrypted to the hard disk. Rather than taking a file-oriented approach to encryption, consider a block-oriented approach - a virtual hard disk, that looks just like a normal hard disk with normal filesystems, but which encrypts and decrypts each block on the way to and from the real disk.

Many good reasons.

Re:RTFA

[iNetRunner]

Also there is the risk of keyloggers when using encrypted files/filesystems from your regular OS (tough Windows mainly, I guess..).

aes.ko Vs. aes-i586.ko: stats...

[colin_s_guthrie]

Thanks to the poster above who pointed this out to me...

I am using dm-crypt on top of a level 5, 3 disk SATA raid.

The system just used a normal aes.ko module so I decided to try the aes-i586.ko module (the server is a Athlon XP 2400+ with 512 MB RAM).

Here are my results:

Control Read test file (non-crypted)...

1) 0.01user 1.43system 0:17.99elapsed 8%CPU
2) 0.03user 1.43system 0:18.07elapsed 8%CPU
3) 0.03user 1.43system 0:17.94elapsed 8%CPU

AES
===

Write test file....

1) 0.05user 4.99system 0:53.26elapsed 9%CPU
2) 0.05user 4.88system 0:52.85elapsed 9%CPU
3) 0.06user 4.87system 0:50.14elapsed 9%CPU

Read test file....

1) 0.03user 2.00system 0:36.44elapsed 5%CPU
2) 0.03user 1.97system 0:36.99elapsed 5%CPU
3) 0.03user 1.94system 0:35.55elapsed 5%CPU

AES-i586
========

Write test file....

1) 0.06user 4.65system 0:42.12elapsed 11%CPU
2) 0.03user 4.90system 0:40.38elapsed 12%CPU
3) 0.04user 4.77system 0:42.02elapsed 11%CPU

Read test file....

1) 0.03user 1.87system 0:22.22elapsed 8%CPU
2) 0.04user 1.91system 0:21.80elapsed 8%CPU
3) 0.02user 1.90system 0:22.00elapsed 8%CPU

As you can see the results with aes-i586 are significantly better :) The write operations took a lot of CPU cycles in kjournald (I'm using ext3 so you may get better speeds with other filesystems).

Does anyone know of any reason not to use aes-i586.ko?? I assume they are exactly equiv?

Anyways, I've added the line:
  alias aes aes-i586
to my modprobe.conf.

Cheers for the advice.

Re:aes.ko Vs. aes-i586.ko: stats...

[Gadzinka]

Does anyone know of any reason not to use aes-i586.ko?? I assume they are exactly equiv?

Yeah, it is only for 586 or better CPU. I believe that even today some people use x86 processor compatible only with 386 or 486. Geode? Other embedded x86? I'm not sure.

Robert

Re:aes.ko Vs. aes-i586.ko: stats...

[colin_s_guthrie]

Cool. I know my Athlon is 100% i586 compatible.... I know what you mean re: modern x86 processors not being fully i586 compatible. My little VIA M10000 MiniITX board springs immediately to mind as an example.

Re:aes.ko Vs. aes-i586.ko: stats...

[Gadzinka]

[...]not being fully i586 compatible. My little VIA M10000 MiniITX board springs immediately to mind as an example.

Well, I don't think so, VIA processors are rather compatible with i586. Slow as hell, but compatible. Quoting after cute page about some aspects of VIA processors, x86 processors are identified by family/model/stepping (F/M/S) triplet. My VIA Nehemiah processor identifies itself as 6/9/8, and family=6 means "i686 compatible" (i.e. compatible with original Pentium Pro instruction set).

Besides, if you have VIA 6/9/8 processor or higher (e.g. 6/10/0), you don't have to use aes-i586. Use "padlock" driver, which uses hardware AES engine on these processors, at least an order of magnitude faster than aes-i586, just as I wrote several levels higher, starting this thread ;)

Look up your F/M/S in /proc/cpuinfo.

Robert

Re:aes.ko Vs. aes-i586.ko: stats...

[colin_s_guthrie]

Yeah, naturally the h/w encryption/random num. gen. on the VIA Nehemiah will be faster for doing that. I don't actually use it with any sort of encryption anyway (it's a network boot frontend for MythTV) and so uses plain old NFS (I trust my network, but keep all my media on an encrypted partion (the vast majority of it is morally legal - copies of my own CDs/records/DVDs etc., and recordings of TV etc. but I want to be able to prove a point should anyone come snooping :)

That said, I was wrong when I said that the Nehemiah was not i586 compatible, it is. It is not however i686 compatible. It does report that it is, but I believe from previous experience that there are a couple of instructions it doesn't support, and various VIA forums etc. support this (though I could be miss informed). I do know that it will not boot with a stock pre-compiled kernel from Mandriva for the last few versions as these are compiled for i686. You have to use the i586 kernel which is explicitly compiled for i586 processors for it to work.

Actually come to think of it, it may not be the 10k Nehemiah that doesn't work, but one of the slower, 600MHz versions.... I can't fully remember just now.

Anyways, this has gone a little off topic now, so it's probably enough nonsense from me :)

Huh? Which "just written" BSD software?

[Some+Random+Username]

Cgd is several years old, its not new at all.

The same thing as when...

What happens when the disk drive dies?

The answer is the same as for your questions, you restore the backup that you've been told countless times to make. You do have one, right?

Is this kind of thing portable?

[WoTG]

Would this be easily ported to other BSDs, Linux, or even Windows?

3208461276436732somethingthpost

FPFPFPFPFPFP YOUR MOM STANDS FOR FP haha suck you you fisherole cassiorole BAHAHA lololollmaolmaoroflmaoqzx spam tastes NICE!The omnipotence paradox is a paradox arising from the attempt to apply logic to the notion of an omnipotent being. It appears when one asks whether or not an omnipotent being is able to perform actions that would limit its own omnipotence, thus becoming non-omnipotent. Some philosophers see it as proof of the impossibility of the existence of any such entity; others assert that the paradox arises from a misunderstanding or mischaracterization of the concept of omnipotence. In addition, several philosophers have considered the assumption that a being is either omnipotent or non-omnipotent to be a false dilemma, as it ignores the possibility of varying degrees of omnipotence (Haeckel).
The paradox is often based on the God of the Abrahamic religions, though this is not a requirement. Since the Middle Ages, philosophers have phrased the paradox in many ways, of which the classic example is, "Could an omnipotent being create a stone so heavy that even that being could not lift it?" This particular statement has subtle flaws (discussed below), but as the most famous version, it still serves adequately for illustrating the different ways the paradox has been analyzed.
In order to analyse the omnipotence paradox in a rigorous way, one must first establish the precise definition of omnipotence. The definition of omnipotence varies amongst cultures and religions, and from one philosopher to another. A common definition is "all-powerful", but that is insufficient for the omnipotence paradox. This paradox cannot be formulated, for example, if one defines omnipotence as the ability to operate outside the constraints of any logical framework. Modern approaches to the problem have involved the study of semantics, debating whether language--and therefore philosophy--can meaningfully address the concept of omnipotence itself.Philosophical responses

A common example of the omnipotence paradox is expressed in the question, "Could an omnipotent being create a stone that it could not lift?" It is possible to analyze this question in the following manner:
The being can either create a stone which it cannot lift, or it cannot create a stone which it cannot lift.
If the being can create a stone which it cannot lift, then it is not omnipotent.
If the being cannot create a stone which it cannot lift, then it is not omnipotent.
This mirrors the solution to another classic paradox, the irresistible force paradox: What happens when an irresistible force meets an immovable object? A response to this paradox is that if a force is irresistible, then by definition there is no truly immovable object; conversely, if an immovable object were to exist, then no force could be defined as being truly irresistible. This treatment of the paradox remains true to the basic assertions, but does not address the issue of the definition of omnipotence. Furthermore, the omnipotence paradox is related to another similar philosophical question, the grandfather paradox. The vernacular definition of omnipotence often seems to include the ability to travel across time; one could then ask the question, "Can an omnipotent being go back in time and kill his own grandfather?" This is not, however, a logically satisfactory analysis of the paradox, as it tends to focus on the imposition of human attributes onto a being that is not necessarily of human form (Wierenga).
One can also attempt to resolve the paradox by postulating that omnipotence does not necessarily demand that a being must be able to do all things at all times. Thus, one reasons,
The being can create a stone which it cannot at that moment lift.
However, being omnipotent, the being can always later reduce the weight of the stone to a weight where it can lift it. Therefore the being is still legitimately omnipotent.
This is essentially the same view espoused by Matthew Harrison Brady, a character in Inherit the Wind loosely based upon William Jennings Bryan

TRUECRYPT IS BAD

DO NOT TRUST IT.

Linux

If you want this on Linux, you can do it with the device mapper system. Just run dmsetup on a loopback device (setup with losetup), and mount it like a normal block device.

The kernel supports all kinds of block encryption including AES with different key sizes.

What it lacks is an easy-to-use interface to setup and maintain.