So I fly home Friday from San Jose. Probably because I was in a hurry, after walking through the magnetometer and x-raying my stuff, a security dude grabbed my laptop and said he wanted to 'analyze' it. Yeah sure whatever, I decided not to protest; I was late for my flight.

This analysis, it turned out, was wiping a coffee filter over the strap of its bag, and sticking the coffee filter into a slot on a machine. No solvent even. The machine had columns labelled TNT RDX NITRO PETN HMX. I recognized the first four as high explosives. Later, I wondered if people with angina (who take nitro orally) ever set this off. Most of them, of course, are not bearded eastern-european/Semitic guys in their 30's who look worried and in a hurry.

Anyway, that was it, and I made my flight. Didn't even open the laptop's case.

The machine name was ION-something; I wonder whether it sucked vapors from the fiber disk or whether it was a neutron-spectrometer (?) device.

(Had this been a UK Customs 'inspection' of the contents of the disk, I might have had to explain the half-gig of "noise" I have on the disk. Only, it really is noise. Really.)

Anyway, the moral of the story:

Don't store your laptop with your explosives :-)
At 07:01 AM 9/19/98 +0200, Anonymous wrote:
> This analysis, it turned out, was wiping a coffee filter over the strap of its bag, and sticking the coffee filter into a slot on a machine. No solvent even. The machine had columns labelled TNT RDX NITRO PETN HMX. I recognized the first four as high explosives. Later, I wondered if people with angina (who take nitro orally) ever set this off. Most of them, of course, are not bearded eastern-european/Semitic guys in their 30's who look worried and in a hurry.
I didn't take a close look at the process, but I had this happen to me on a flight headed towards San Jose using America West. They did the chemical screen here in Atlanta airport. I'm a white, normal-looking Atlanta guy, but they said at the ticket counter they were doing random searches, handed me a piece of paper, and said I would get my boarding pass after I was checked.

--
Robert Costner
Phone: (770) 512-8746
Electronic Frontiers Georgia
mailto:pooh@efga.org
http://www.efga.org/
run PGP 5.0 for my public key
At 1:01 AM -0400 on 9/19/98, Anonymous wrote:
> (Had this been a UK Customs 'inspection' of the contents of the disk, I might have had to explain the half-gig of "noise" I have on the disk. Only, it really is noise. Really.)
This makes me think of something that I probably missed in the bowels of someone's long previous stego posting (um, stego^stego? :-)), how would you go about either:

Stegoing an encrypted partition as "blank" hard drive space without actually writing over it unless you wanted to?

or, even,

Stegoing an encrypted partition as not even *there* at all?

Doesn't seem like it would be too hard conceptually (hah!) and, if done, might actually defeat such Archie-look-up-the-dress as the British customsfolk are wont to do these days.

Obviously, even if the partition were found, it would look, to sniffer programs, as if it were empty, right? :-).
Cheers,
Bob Hettinga
-----------------
Robert A. Hettinga
Robert Hettinga wrote:
> Stegoing an encrypted partition as "blank" hard drive space without actually writing over it unless you wanted to?
A freshly formatted partition has a fill value. Noise would indicate that it is not fresh. This would not be proof that it contained encrypted data, but it would indicate some sort of use.

Another layer: create a partition. Use it as an archive for 'unclassified' materials. At some point after the use has fragmented it enough to look real:
disable all automatic accesses (temp files, caches ...) to the partition
create an application program that uses the unused space as a secure filesystem

Then the partition would be arguably "in normal use" and it could get tough to prove the nature of the unused space. You could even leave some space filled with the format fill value. Not sure how to hide the app. Maybe as a passphrased option in some innocuous custom application. Accounting app?

The possibility of them taking a hash and saving it for later comparison is a problem.
> Stegoing an encrypted partition as not even *there* at all?
Just do a drive ID command and you can figure out how many logical sectors are there. Add up the elements in the partition table and look for a difference. Unused space -esp that filled with noise- is suspect.
> Obviously, even if the partition were found, it would look, to sniffer programs, as if it were empty, right? :-).
Just the existence of a "hidden" partition might get the juices flowing.

It would be truly beautiful if you could alter the drive firmware to identify itself as a 3Gb drive when it was actually a 5 Gb drive. Add some kind of extended command to the drive that allowed you to activate/deactivate the extended region at will. Without a password of course, the additional command would just report the appropriate error. Then just make sure you have an extra slot in the partition table to address the extended region unless you want to write a low-level driver.

Any Quantum or Maxtor persons on the list?

Mike
Security requires hardware and software.
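The two checks Mike describes (a fresh format leaves a constant fill value, so high-entropy "noise" in nominally unused space stands out; and the sector count a drive reports should match what the partition table accounts for, so leftover space is itself a signal) are easy to turn into a forensic triage script. The following is an added example written for this page, not code from anyone in the thread. It assumes a classic four-entry MBR partition table and a fill value of 0x00 (the thread does not name one), and every byte of disk data in it is constructed in-line, with seeded pseudo-random bytes standing in for noise.

```python
"""Forensic triage of a disk image: fill vs. noise runs, and unaccounted sectors.

Added example, not from the mailing-list thread.  Assumes an MBR-style
partition table and a format fill value of 0x00; all sample data is
constructed below, none of it comes from a real drive.
"""
import math
import random
import struct
from collections import Counter

BLOCK = 4096            # analysis granularity (constructed choice)
NOISE_THRESHOLD = 7.5   # bits per byte; ciphertext or random fill sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits/byte: 0.0 for a constant block, ~8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(data: bytes, fill: int = 0x00) -> str:
    """'fill' = untouched format fill value, 'noise' = high entropy, else 'structured'."""
    if data.count(fill) == len(data):
        return "fill"
    return "noise" if shannon_entropy(data) > NOISE_THRESHOLD else "structured"


def scan_image(image: bytes, fill: int = 0x00, block: int = BLOCK) -> list:
    """Classify each block and merge neighbours with the same label into runs."""
    runs = []
    for off in range(0, len(image), block):
        label = classify_block(image[off:off + block], fill)
        if runs and runs[-1]["label"] == label:
            runs[-1]["blocks"] += 1
        else:
            runs.append({"start": off, "label": label, "blocks": 1})
    return runs


def parse_mbr_partitions(sector0: bytes) -> list:
    """Read the four classic MBR partition entries (offset 446, 16 bytes each)."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]
        lba_start, n_sectors = struct.unpack("<II", entry[8:16])
        if ptype and n_sectors:
            parts.append({"type": ptype, "lba_start": lba_start, "sectors": n_sectors})
    return parts


def unaccounted_sectors(reported_total: int, parts: list) -> int:
    """Sectors the drive reports beyond the end of the last table entry."""
    last_end = max((p["lba_start"] + p["sectors"] for p in parts), default=0)
    return reported_total - last_end


# --- constructed sample data (not a real disk) -------------------------------
def build_sample_mbr(lba_start: int = 2048, n_sectors: int = 100_000) -> bytes:
    """One bootable Linux-type (0x83) partition; CHS fields left zero."""
    mbr = bytearray(512)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0",
                               lba_start, n_sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def build_sample_image() -> bytes:
    """8 blocks of format fill, 4 blocks of text, 8 blocks of seeded pseudo-random 'noise'."""
    rng = random.Random(1998)
    text = (b"ledger entry 1998-09-21 amount=12.50 memo=coffee filters\n" * 100)[:BLOCK]
    return bytes(BLOCK) * 8 + text * 4 + rng.randbytes(BLOCK * 8)


if __name__ == "__main__":
    for r in scan_image(build_sample_image()):
        print(f"offset {r['start']:>8}: {r['blocks']:>3} block(s) {r['label']}")
    parts = parse_mbr_partitions(build_sample_mbr())
    print("partitions:", parts)
    print("unaccounted sectors:", unaccounted_sectors(204_800, parts))
```

On a real image you would feed scan_image the raw bytes and parse_mbr_partitions the first sector, with the reported total taken from the drive's identify data. The entropy threshold is a heuristic: compressed archives also score near 8 bits per byte, so a high-entropy run is a lead and not proof, which is exactly the point Mike makes about noise.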
Anonymous wrote:
> So I fly home Friday from San Jose. Probably because I was in a hurry, after walking through the magnetometer and x-raying my stuff, a security dude grabbed my laptop and said he wanted to 'analyze' it. Yeah sure whatever, I decided not to protest; I was late for my flight.
>
> This analysis, it turned out, was wiping a coffee filter over the strap of its bag, and sticking the coffee filter into a slot on a machine. No solvent even. The machine had columns labelled TNT RDX NITRO PETN HMX. I recognized the first four as high explosives. Later, I wondered if people with angina (who take nitro orally) ever set this off. Most of them, of course, are not bearded eastern-european/Semitic guys in their 30's who look worried and in a hurry.
>
> Anyway, that was it, and I made my flight. Didn't even open the laptop's case.
>
> The machine name was ION-something; I wonder whether it sucked vapors from the fiber disk or whether it was a neutron-spectrometer (?) device.
>
> (Had this been a UK Customs 'inspection' of the contents of the disk, I might have had to explain the half-gig of "noise" I have on the disk. Only, it really is noise. Really.)
>
> Anyway, the moral of the story:
>
> Don't store your laptop with your explosives :-)
Just wait until you've had a cavity search and been grilled for four hours because you fed Miracle-Gro to your prize peonies just before leaving on your trip. It's pretend security. Feel-good stuff. Better to do NMR of any large-volume object, although the magnetic field might fuck up your drive.
At 2:06 PM -0500 9/21/98, Michael Motyka wrote:
> Robert Hettinga wrote:
>> Stegoing an encrypted partition as "blank" hard drive space without actually writing over it unless you wanted to?
>
> A freshly formatted partition has a fill value. Noise would indicate that it is not fresh. This would not be proof that it contained encrypted data, but it would indicate some sort of use.
>
> Another layer: create a partition. Use it as an archive for 'unclassified' materials. At some point after the use has fragmented it enough to look real:
> disable all automatic accesses (temp files, caches ...) to the partition
> create an application program that uses the unused space as a secure filesystem
>
> Then the partition would be arguably "in normal use" and it could get tough to prove the nature of the unused space. You could even leave some space filled with the format fill value. Not sure how to hide the app. Maybe as a passphrased option in some innocuous custom application. Accounting app?
Passphrase at startup. One phrase allows access to the "stego'd" areas, the other allows access to the "cover" areas. This wouldn't stand source code inspection, but if you used some sort of Pretty Lousy Privacy on the "cover" data, and an uncompromised crypto on the rest, you might pass all but the most rigorous investigation. Of course, if you are getting an extremely rigorous investigation, you don't need good crypto, you need good PR, and a good lawyer, because they WILL find something, unless they think hanging your butt will cause riots.

--
Five seconds later, I'm getting the upside of 15Kv across the nipples. (These ambulance guys sure know how to party).
The Ideal we strive for: http://www.iinet.net.au/~bofh/bofh/bofh11.html
No, I don't speak for playboy, They wouldn't like that. They really wouldn't.
At 12:06 PM 9/21/98 -0700, Michael Motyka wrote:
> Robert Hettinga wrote:
>> Stegoing an encrypted partition as "blank" hard drive space without actually writing over it unless you wanted to?
>
> A freshly formatted partition has a fill value. Noise would indicate that it is not fresh. This would not be proof that it contained encrypted data, but it would indicate some sort of use.
Microsoft Mail and some of its broken successors keep your mail in one big hulking file using "compressible encryption", which may not be good enough to keep the NSA out, but is good enough crypto to keep you from fixing it when it gets corrupted. It's really a shame how often MSMail files get corrupted, and how quickly the things can grow to 100-200MB if people from Marketing keep sending you mail with attached Powerpoint files.

Does anybody know a compressed disk driver that lets you start at an arbitrary offset in a file so the headers look fine?

Thanks!
Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
participants (6)
- Anonymous
- Bill Stewart
- Michael Motyka
- Petro
- Robert A. Costner
- Robert Hettinga