At 11:40 AM 01/24/2003 -0500, Tyler Durden wrote:
Peter Trei wrote... "What's you're threat model? If it's your wife or kid sister, this might work. If it's a major corporation or a government, forget it - they'll bitcopy the whole flash rom, and look at it with ease."
Agreed. Furthermore, the whole thing is inherently dependent on the processing model and programming interfaces of your thumbdrive. What does it look like to your PC if you're not using the right thumb? What does it look like to your PC if you want to use the right thumb? Three obvious models are - PC doesn't need Thumbdrive-specific drivers, just generic USB disk, and the CPU in the drive decides whether it's seen your thumb and reveals the otherwise-hidden files if it likes you. - PC has specific drivers for the Thumbdrive, Whole drive plus the thumbprint pad are visible to the PC, and you can only decrypt the secret part if you put a matching thumb on the thumbprint. - PC has specific drivers for the Thumbdrive Public drive, thumbprint pad, and hooks for secret drive are visible to the PC, and putting the correct thumb on the pad lets the PC find out the password to mount the secret drive.
At this point, most of my threat models are on this level or the next one higher--local cops or dumb goons grab a protestor or whatever and try to shake his photos and whatever digital else out of him..."OK punk, you're not calling a lawyer until you show me what's on this thing"..."Don't tell me nothing's in there I see a login prompt, ya' commie faggot...open it up."
First of all, as Peter says, high-tech cops won't be fooled. Low-level goons may not recognize it, or if the thumbprint part requires specific drivers or data on the PC, you can tell them "sorry, that part's for access to my work PC, and if you'd like to get a search warrant, they'll let you in the building", and make sure the public part has some pictures of your dog or whatever. For medium-tech cops, you can say that it requires installing drivers on their PC (assuming that it does), and offer to download them, and prearrange that there's a set of drivers at www.kevinmitnick.com just in case they actually take you up on it.
As for the thumbprint, I'm wondering if other parts of the body could be used (then even very savvy rubberhosers couldn't just make you try every finger). I'll try using my, um, nose tonight.
Depending on the interface presented to the PC, it may or may not be obvious to the PC whether there are zero, one, or more secret areas on the drive. If it's not obvious, then the obvious extension to the product would be to support multiple fingerprints for multiple secret areas, the business model being so that multiple people can use the same drive, so your right thumb gets your right-wing-conspiracy data, your left thumb gets your Commie stuff, and your middle finger gets the picture of J.Edgar Hoover in his black negligee or whatever else you want the cops to see. Otherwise, figure out which body parts you don't mind them cutting off...