General "rubberhose" vulnerability

Reported by Link on 2007-10-03
32
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Ubuntu
Wishlist
Unassigned

Bug Description

Hi, it would be good if Ubuntu did the following:

1) Have crypto tools installed by default (if the user does not select the "use of encryption is illegal in my country" checkbox).
2) The installer must also use the crypto tools to create a container file (with a random passphrase that's discarded immediately) with size (for example) of 1% of free partition space (up to max of 1GB) .
3) It must also be easily possible to reuse that container file with a different passphrase without changing the container's metadata or that of the directory it is in.
4) The container file should NOT be backed up by default (otherwise comparisons could be made).

Without these defaults, all ubuntu systems using encryption would be vulnerable to "rubberhose" attacks.

Better protection against "rubberhose" attacks would be useful given crypto unfriendly laws in the UK and other places.

Link (lincoln-yeoh) wrote :

Either
5a) The last modified or last accessed time of the container file should not be changed automatically.
Or
5b) There should be a service that regularly randomly updates the last modified and "last accessed" date on the container file to a recent time.

trollord (trollenlord) wrote :

Hardy has LUKS support + encrypted partitions and all the rest of the funky tools by default.

Link (lincoln-yeoh) wrote :

See 2)

I haven't downloaded Hardy. Does the installer always create an encrypted partition by _default_ (as long as the user says its legal)?

If it doesn't, then it does not really deal with the problem I mentioned.

Encryption must appear to be in _use_ by default by all users.

Chris Jones (cmsj) wrote :

As a UK citizen, I am curious how having encrypted data on my disk that I do not know the password for, is going to help me when MI5 are clubbing me senseless demanding to know my password.
I will say "I don't know it" and they will say "we don't believe you". Thanks for guaranteeing that every UK Ubuntu user is now more likely to be waterboarded or whatever.
More seriously - we have laws requiring us to give up our crypto keys. It sucks, but it's the reality. Forcing every user into a situation where they cannot comply with that law is not only stupid, it is irresponsible.

This is a pretty strange bug, I am changing it to "Invalid".

blastzilla (stevenevans) wrote :

As law enforcement have conveniently found out, if you have a notebook, you have a tomb of information about what you do and everything you have ever done. There could be cookies there for your bank account. A list of search results. I list of websites you've visited.

If every notebook was encrypted and noone knew their own encryption key, would the police arrest every person with a notebook or would the laws be changed?

Have you noticed that the police no longer arrest people at the beach wearing bikini's for indecency? Is it because everyone at the beach now wears bikinis?

I think this feature request is valid and I would turn it on by default if I had the option.

David D Lowe (flimm) wrote :

This is an idea, not a bug, as far as I can tell. Shouldn't you post it on brainstorm.ubuntu.com?

I really hope this feature is added to Ubuntu. We all would be safer for abusive governments.

Chris Jones (cmsj) wrote :

blastzilla: if every notebook was encrypted and nobody knew their encryption key, nobody would be able to use their laptop. What you appear to mean is that there should be an encryption which the system knows the password to. At which point, why would they ask the human owner?

Link (lincoln-yeoh) wrote :

Chris Jones: blastzilla was just generalizing a bit.

Scenario A:
Every notebook has an encrypted partition that's created by default with a randomized key.

Only a few users set a key and use the encrypted partition.

When asked for a key everybody says "Huh?".

Those Certain People trying to access secrets aren't going to club everyone senseless - they'd get pretty tired after the first 100.

UK law or not, it'll be like those stretches of the highway where everyone breaks the speed limit, and the cops just don't care.

In comparison:

Scenario B:
Every notebook does not have an encrypted partition that's created by default.

Only a few users install an encrypted partition.

It would then be trivial for Certain People to give extra special attention to those few users.

Worse, if those few users install crypto software that has a "hidden partition" feature (e.g. TrueCrypt) but do NOT actually use it.
Q: "Why are you using this software if you're not using the hidden partition feature?"
A: "What hidden partition feature?"
Q: "You think we're stupid?"

As it is I think it's a bug to have disk crypto software on Ubuntu by default but no encrypted partitions by default - it makes it a lot less useful in real world scenarios.

When the Average Joes, Aunt Mays and Grandmas with Ubuntu also have encrypted partitions, then the disk crypto will be useful.

Richard de Boer (rich-home) wrote :

The idea is to encrypt about 1% of every laptop with a random password, thus rendering that 1% of the disk useless to the user. It would be possible however, to re-encrypt this with a password you choose and actually store things in it.
This means the 90%(or whatever, probably even more) of the people that don't need plausible deniability can't use that 1% of their disk.
The other 10% can set a password and store encrypted data in that 1%, but now they can just say they never used the encrypted 1% of the disk, thus don't know the password.

At the moment people who install encryption software can't really deny they're using it, otherwise, what would be the point in installing it?
I'm not saying I really like the idea of everybody sacrificing 1% of their disk space just for the few people who want to encrypt <=1% of their disk though.

Instead of disabling 1% of every computer, how about encrypting every laptop(or make it an easy/default option during install) with something like truecrypt by default? This would mean everybody has their data encrypted, which might be a good idea for laptops anyway.
Then if you needed extra secrecy, you could add hidden volumes, but have real plausible deniability for those, because lots of people already have encryption software installed by default.

mdmadph (mdmadph) wrote :

God, what a sad world we live in. I still think this is a good idea, though.

@Chris Jones: I don't see how this makes you any more or less likely to be tortured -- if you're already in a situation where you're about to be clubbed, I don't think simply the absence of encryption software on your computer is going to make it any less likely. If the people in charge want to beat you, they will -- they'll make up a reason. If you don't have something encrypted on your drive, they'll just think you're hiding it somewhere else.

Merely providing a plausibly unused filesystem is not enough.

You have to think about information leaking out of the use of the plausibly deniable data, thus making it no longer deniable.

For example, using sudo with a command that takes filenames on the deniable filesystem will result in syslog entries - on the *main* volume.

Swap space is another possible leak vector.

The key is that you really have to compartmentalize the data, and due to the complexity of a full-blown OS, I think that means you need separate OS instances.

For example, consider an outer shell that's not much more than a virtualization layer, with no swap space or (persistent) logging. Within that, you'd have one "main" guest OS instance and any number of deniable ones. This can be done truecrypt-style or in the ubiquitous 1%-free LUKS style outlined by the original poster.

Seems overkill for a quasi-default install though.

I'm not too familiar with grub, is it possible to synthesize a boot entry in its command line and have it boot off "free space" or an "empty" partition?

Chris Jones (cmsj) wrote :

mdm-adph: you are exactly right, this is basically never a problem.
I'm do happen to encrypt my whole disk so my laptop is worthless to simple thieves motivated by data, but I would be very unlikely to be in a situation where my key is being forcibly demanded of me. And were that situation to come to pass, I wouldn't be performing a brave resistance, I like most others, would probably reveal the hidden partition long before I thought I was drowning. Even that is irrelevant because...

This scheme is supposed to work by making you lost in a crowd, but the point is that if you are the one they want the encrypted data from, the fact that your neighbour has a 1GB of noise on their disk is irrelevant. You are being asked to prove you don't have the password (as was pointed out on the odd Slashdot thread about this, burden of proof lies with the UK citizen, not the UK government).

I think it's also worth noting that Ubuntu already, legitimately, has a range of crypto algorithms and tools installed by default (from kernel modules, to SSL, to gpg, to LUKS and its gnome integration). The installer has a one click option to encrypt your entire disk.

Edward (itarliisfljw) wrote :

Mr. Jones complains of "laws requiring us to give up our crypto keys." This is a strawman. You can't be legally compelled to surrender something you don't possess. Claiming to not know the key is an issue of fact for the jury. If they believe that you do not have a key, then you can not be guilty of breaking this law. Yes IAAL.

The jury may of course decide not to believe you, even if you're telling the truth. But if default encrypted volumes become widespread, the "I never created a key" defense becomes markedly more plausible, to the point that a conviction requires other evidence of the key's existence. Whatever teeth Mr Jones's argument has only exist because of this bug. Fix it, and the problem goes away.

Chris Jones (cmsj) wrote :

Edward: Section 49 notices are supposed to be served where there is already a reasonable suspicion (ie other evidence) of the key's existence (or the knowledge of a passphrase).

This is not a bug, this is political activism trying to use an entire userbase as leverage against a law some people disagree with. As it happens I find the law highly repugnant when I think of my own private data being rifled through ( when I conduct a thought experiment involving the animal rights activists whom S49's have already been served on, I have to admit that I find it less repugnant than I do those activists, but this is irrelevant).
Either way, I don't want my sister's Ubuntu laptop and her freedom being part of my defence against such a law, and I highly doubt she would appreciate being put in that situation without knowledge of it. If the installer did have an option to not create this crypto area, it would need to explain what it means and why you might want to choose that option - and all sensible people would indeed choose not to take part in a probably futile act of disobedience.

Let us be quite clear here - RIPA is now about systematic trawling of people's private data, it is a law designed to provide law enforcement agencies with tools to do their work. A section 49 notice must be approved by a senior figure and there is a tribunal where such notices can be appealed. If you are involved in something which convinces these people that you have encrypted data, and you are not exceptionally skilled at countering signals intelligence, they are very likely to be able to produce evidence that you have been actively using the encryption (dimitris' comment above mentions a few of the many, many ways this would be possible), and your "but but all these other laptops have the noise too!" argument is rendered useless.
If you do find yourself in a situation where your government is systematically trawling people's private data then you probably have significantly bigger problems than your encrypted bank data being read by a spook.

Please do attempt to get the law repealed, but please do not endanger your fellow users by doing so.
I think I have said everything I wish to about this subject, but I am sure that more people will call me "Mr Jones" and suggest I am made of straw. I submit that these people are well meaning, but excessively paranoid and their motivations would be better used in other ways.

Chris Jones (cmsj) wrote :

Woo typing. I of course meant to say "RIPA is *not* about systematic trawling..."

tags: added: privacy
Fred (eldmannen+launchpad) wrote :

With a fixed value of 1% you would kinda be able to deduct if the file has been used by checking if file_size == 1%;
File size should be a random value of 0.1-1%.

tdn (spam-thomasdamgaard) wrote :

This is a good idea to implement. One mentioned that this should be put on brainstorm, however, it is my impression that the brainstorm site is just a black hole. Especially for security and privacy related ideas.

Tim Pederick (pederick) wrote :

This is a good (or at the very least, an interesting) idea, but this isn't the place for hashing out implementation ideas. The fundamental concept is, "Ubuntu should employ deniable encryption by default". And then instead of discussing 1% partitions and UK laws, we leave the details to FOSS crypto developers. This bug (or some other discussion forum) should just be for discussing tools that can do the job.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers