Nelson, Ok, I understand, thanks for clarifying. So we can narrow down all those scenarios to one type of attack: theft by third part (or yourself).
It does not protect more the user while he uses it nor from potential "after-use" trails. Either you lose the livecd along with your identity (or data that leads to your identity) and you get caught or while using the software you get caught (like your TOR connections have been detected). The only purpose and advantage encryption would have is to obfuscate some passwords like in the firefox example you gave. Now, from a legal point of view, being caught with an encrypted material whether livecd or not in major countries (UK,GER,FR,US,china) requires from you the decryption key (us patriot act, uk RIP act, etc) or else you can straight take up to few years in some cases without much chance of having of good defense (china=torture?). So in 95% of cases you end up giving away your key to prove that you are not a spy from whatever organisation and that at least you hadn't that bad intention with your encrypted software. And you do handle the key in the objective of lowering the sentence you get for being caught in the first place. I think that encryption has nothing to do with hiding. In the contrary, it is like a big flag standing saying "hey look at me I got something to hide, come and get me!". It is just obfuscating technology. The real solution to your problem would be to use a steganographic layer ( http://en.wikipedia.org/wiki/Steganography ) . Not for the whole squashfs but only for a single file (whatever the size) inside a clear livecd. Note that 20% of the size of that file is really containing data, you do not want to push too much (50%) or we get data loss (blocks from different containers overwriting them) in an exponentially manner. You want to be able to *deny* that you are in possession of such material. Go from the basis that if you get caught you will *have to* handle your key away. That is real practice because you can get 5 times more being secretive than actual real sentence against the data you want to hide. A steganographic FS will allow you when being caught with your livecd of saying first: "it is a clear livecd!" Sounds idiotic but believe me, it is the best start for the official police questioning. Then in the worst case scenario, they find your single encrypted file and ask you for the key which you will provide one of the many different you have set up (properties of a steganographic FS), which will decrypt a part of that encrypted file, discovering data that will not incriminate you so far for just having a picture of your dog. Charges are dropped, you justify your secretive attitude as being respectful of your privacy rights and next morning you wake up in your bed! Because I want to be fair, I think having an encryption layer is great for catalyst, but when related to the specific purpose you described you would better at least give a try to a steganographic FS if you really fear the sentence you can get for the data you are hiding. You will not find much (I mean actual real software) besides some linux-2.2tweak over ext2 "proof-of-concept" (10years old not stable unreliable) and an update by some chinese with 2.4 but the whole is mainly broken and I guess somehow a little taboo, the projects seems dead, no main other projects have been replaced. You can try an implementation I have worked on few years ago. It does everything that I have described (in a non friendly C hardcore way) so far and is called denyfs. It is not a driver, and can be started in userland if the correct losetup and cryptsetup have been done. http://www.openchill.org/2005/06/denyfs_a_steganographic_file_s.php#more have a look there, it is not fully stable, requires manual compilation and configuration though it does the job (I made a quick GUI in gtk if you provide the gtk USE flag). Follow the howto to get a grip on it. And remember if you want to retrieve with a 90% probability your data as you have put them in the box, do not exceed 15-20% of the total size of the file! And even do not be surprised when it happens. Steganography is a concept that aims at small and *static* file system. Do not even think about putting an OS(where files are dynamically arranged again and again) inside a steganographic FS, it is as of the concepts and mathematics we have simply impossible. I didn't realized I wrote so much, I'm just passioned by this topic because of past experiences moving from one country to another. I am currently developing a Portage based GNU/Linux natively encrypted OS and I'm about to re open DenyFS inside that distribution by stabilizing it, hence my reason for being so communicative. Thanks for reading erick On 7/1/07, Nelson Batalha <[EMAIL PROTECTED]> wrote:
Hi Erick, There are many uses for this! They mainly come from the fact that now you can have sensitive information everywhere on your cd root, and not be afraid of losing your cd, either physically (happens to me all the time), or in the net if you don't want an open distribution. -Read on for examples: 1) If you're in a country like China and you can't have applications like Tor on your desktop (suspicious), you can just make a livecd and try to disguise it as something else by filling the filesystem. Also it's portable and replicable. You could also encrypt your hard drive, but this way you don't have to worry if they take it for testing. Specially if using luks on the desktop (no plausible deniability). It's also much easier to hide a mini-cd/dvd physically. 2) Also for instance, I'm going away next semester and I won't be taking a laptop. However I would like to use gentoo, my favourite programs and have my passwords stored in them (like Firefox), and transport some personal and/or sensitive files. (only option is put those files in an encrypted container and extract them on *every* boot). 3) If you're creating some official livecd and would like to test it with some group, but for security reasons you prefered if nobody else tested it. 4) In general companies/organizations can create a easily updatable portable working environment and mail it or publish it online. Etc. Take care, Nelson
