I’m not following what this gives you that Veracrypt's inbuilt hidden+decoy OS feature doesn't already? It seems they require you to manually set up a veracrypt hidden partition for anything to be "hidden" anyway. How is booting your encrypted partition in a VM within Tails more secure than booting it directly?
> How is booting your encrypted partition in a VM within Tails more secure than booting it directly?
There will be no proof of an operating system existing at all, just random data. If you use VeraCrypt along with a hidden partition normally, you would still have the VeraCrypt bootloader or an apparent Windows installation on the drive.
After truecrypt 7.1a (I think), the canary vanished. After that, didn’t it become veracrypt? Did they ever add a canary or has there been research in showing it’s not backdoored?
While it’s never been officially proven, there is an interesting story behind truecrypt. It was allegedly written by one guy (Paul Le Roux) who was a programmer turned cartel boss/gun/drug runner.
But back to your question, truecrypt was professionally audited and deemed “secure”, some issues were found but none that were back doors or significant. Shortly after (might have even been during) the audit, truecrypt deleted all old versions and posted a weird message telling people to use bitlocker.
After some time veracrypt picked up the torch and has continued developing what was truecrypt.
Nice one. I’ve been using Veracrypt for many years now, after the whole Truecrypt fiasco.
Just one piece of friendly advice… always have a decoy partition or decoy OS, otherwise it seems very suspicious to have a disk filled with random data ;-)
I am less convinced. If the GMan nabs you, sees you are using a tool which heavily advertises a hidden partition, and coincidentally your drive has a large unused block of random data - they are unlikely to be fooled.
If your security concerns are about governmental intrusions, then you have a security need that no single tool can resolve anyway. You need to address overall behavior and habits, which are likely to include things like not keeping sensitive data on machines that can be easily accessed regardless of the use of encryption or obfuscation.
> otherwise it seems very suspicious to have a disk filled with random data ;-)
You could always argue that the drive was previously "securely erased" and filled w/ random data and/or that it was "securely encrypted" with a key that was then destroyed?
There was an interesting talk at one edition of CCC that boiled down to saying those techniques work only if you have the right to remain silent. Which depends on the country you're in. And I heard that in the USA, even though you have the right to remain silent, they still have the right to put you in jail if you refuse to give out your key.
You're thinking of the RIP Act in the UK where the police can get an order from a judge for you to turn over a key/passphrase and you need to either prove you don't know it or face up to two years in jail (five for cases of child abuse or national security).
I'm not American but I'm pretty sure no law like that in the US would be upheld at appeal, it's pretty directly conflicting with the 5th amendment.
I heard it specifically for the USA on at least two occasions. I don't remember the first, but the latter was in the Brett Johnson's show: in an episode, he talked about another criminal that had some encrypted material and refused to give out the key. He was put in jail until he decided to give it, and at that point IIRC he got an even longer sentence due to the proof he gave them access to. But now that I think about it, it could be that the USA had him arrested by a third country, so maybe some other state's law was at stake. But I would still not bet my safety on it. Even if you successfully appeal it, you would still risk spending quite some time in prison.
I'm not a lawyer, but from what I remember in the USA the 5th amendment defense works only with some kinds of keys: it works with a password, but wouldn't work with a "pattern" (i.e. Android's option of drawing a pattern by connecting dots) or biometric authentication.
I remember a case too. They were 100% certain a hard drive contained CSAM but could not get the password. I'm pretty sure he was jailed for contempt until it was given out. Definitely inside the USA.
This might be it, I might be misremembering the finer details:
Basically yes. But as I understand it this is the reason why some border guard might ask you to boot up your machine to show him your system as a used and "lived in" installation.
You might want to avoid arousing suspicion by lugging around a piece of dead metal (a laptop with unusable bit noise on its discs) or by presenting a fresh and empty OS.
The current state is far from usable, but the final goal would be to have multiple nested "hidden OSes" that can be booted and managed concurrently, depending on the provided password.
You can get microsd cards and even nanosd card that are so small that hiding somewhere on your person is easy.
Encrypt everything you need on it.
They are, should it be required, easy to quickly and discreetly swallow as a last resort. (To get rid of it. I have no idea what would happen to a nano sd card travelling through your body, but I presume that it, or at least the ability to read the data on it, would be destroyed.)
Then carry a regular laptop with you, with all the regular applications and regular behavior of them. Boring.
Using tails as the main operating system on a computer you fear might be inspected by customs or secret agents is screaming:
I feel like all of tails could simply be a short bash script that uses “debootstrap” to stage a Debian installation and then make it into a squashfs image that is mounted with overlayFS and a tmpfs (which is like a 3-line addition to the main “init” script).
(And yes, I’ve done this before. It’s not hard)
Instead they have a very fancy website and provide binary images without really showing how it works…
Not trying to belittle what they did, I’m sure that took a lot of work.
Just don’t understand the current fads… I feel like they’re trying a little too hard to sell a free product…
Tails provides a live ISO that guarantees that everything you do goes through Tor. It seems like a useful thing to have preconfigured. Privacy shouldn't require extensive Linux experience. And even then, I've been using Linux for decades and, whilst I could probably figure it out, I wouldn't trust myself that my setup isn't leaking packets.
Besides, all distributions do some branding (some to the point of obnoxiousness).
HiddenVM, on the other hand, I don't really understand. They make you go through tons of manual steps to achieve the aforementioned hiddenness... Might as well DIY. And their README reads like a VC pitch. "HiddenVM is an innovation in computing privacy." really? You're taking tails and telling the user to install virtualbox, veracrypt, and do the setup...
A CRYPTO NERD'S IMAGINATION:
HIS LAPTOP'S ENCRYPTED.
LET'S BUILD A MILLION-DOLLAR CLUSTER TO CRACK IT.
NO GOOD! IT'S 4096-BIT RSA!
BLAST! OUR EVIL PLAN IS FOILED!
----
WHAT WOULD ACTUALLY HAPPEN:
HIS LAPTOP'S ENCRYPTED.
DRUG HIM AND HIT HIM WITH THIS $5 WRENCH UNTIL HE TELLS US THE PASSWORD.
Note1: xkcd/538
Note2: I'm missing images on hacker news. I understand why they are absent here though
Unfortunately, it looks like this version is no longer maintained.
"HiddenVM is a futuristic tool powered by KVM designed to combine the powerful amnesic nature of Tails and the impenetrable design of Whonix with the unbreakable strength of Veracrypt."
> Imagine you're entering a country at the airport. The border agents seize your laptop and force you to unlock it
If this concerned me I would just wipe the drive and/or factory reset the device before travelling, and restore it later, rather than try to experimentally figure out what games I can and can't play with the customs authorities.
This is the approach that people I trust recommend. Some go further: not only should you not take sensitive data across borders physically, you shouldn't rely on your devices (or undeveloped film, for that matter) not getting wiped at the airport.