This sounds awesome! I hope they also implement a way to recover a lost boot environment with one click too.
The whole boot environment I think. Except all modules and stuff that is loaded, is the same in every other linux too, so that nobody know for sure what it is exactly.
Yeah it’s still encrypted which could lead someone to the conclusion that there must be a key to this lock. With available luks-header you need one minute to figure out what it is. Without header, I don’t know still not impossible I think, but I’haven’t checked the partition/disk header.
Edit: But this will maybe not yet reveal that it’s Qubes. But a valid luks-header will maybe reveal encryption settings that could lead to the conclusion that it is qubes. But thats just a guess.
Such a talk make me thirsty, so I’ll enjoy my Snakeoil-Cocktail now and looking forward to get a fancy Bitlocker-Unlock-Screen soon - I really can’t wait to press ESC for “Bitlocker recovery”
May be the approach of Veracrypt for hidden volume would do this: Creating a VM within a hidden veracrypt partition
Basically, Ali would have an OS which is “approved” on his laptop, and “inside” it will be the hidden Qubes OS …
Best,
Maybe, approach this question from another perspective. If fellow is living in a country concerned about terrorism, in desperate need of a paycheck. Goes to work in an airport.
The boss comes along, “I understand you mess with computers in your spare time. You know this electronics stuff. Cell Phones, Windows, what is that other thing that begins with an linux, how ever you pronounce it. So, I appoint you tech expert of this airport. You write up a “List” ; bunch of easy to understand rules for our guys who search people and luggage about what to look for. If it is something on your list, the guys on the search line will seize it, and bring it to this little workshop that you have back here. If it is a device or thing you can’t get information out of, then you can call this other office that is part of national crime lab to help out.”
I am guessing that someone who has the equal of a university level degree in Computer Science is not going to be at the airport security office. A high level of education fellow might be at the downtown security office, and might help out with the “List” of what to watch for.
Notice the use of this “List” means the government obeys some rules, some etiquette in how it treats individuals the authoritarian group might not like, Then is how it will treat those it has identified as it already does not like, or want to have around. Which the kindest thing might be to deny them entry into country, saves having to arrange an accident for them later.
While this may seem obvious to some of you, realize the security officers may have a lot less knowledge of electronic devices than those who worry about Human Rights,or simply Privacy. But Security Officers do follow orders.
How badly would it destroy the Qubes security model if I used this for 1)Windows never connected to the Internet and 2) Qubes and 3) Other Linux that has better GPU support?
With Shufflecake, it looks like it could even be possible to not only hide an entire operating system, but also hide certain LVM containers from Qubes OS itself, and even certain files within those VMs, depending on what password you type in at boot
Plausible deniability as to whether you have Qubes OS installed
Plausible deniability as to the fact that you do have Qubes OS installed, but whether you have certain VMs present
…AND…
Plausible deniability as to the fact that you do have Qubes OS installed, you do have certain VMs present, but whether certain files exist within those VMs
Yes. Plausible Deniability INCEPTION
Needs a lot of fine-tuning, though. For example, over-commitment is definitely possible. For example, if you don’t unlock all your drives, you can definitely accidentally (or someone could deliberately) copy something over a partition, corrupting it, or deleting it entirely…and Shufflecake doesn’t exactly know how to deal with that yet…
IBM, most likely the people who coined the term “partition”, would be like this right now:
Tell Linux that there’s something there in that space of the drive
And your plausible deniability goes in the toilet!
Unlikely (and very stupid, I might add) for them to do it this way
Allow the overwrite, not fix the hidden partition, and not update the partition map
You have plausible deniability, but now your entire drive is corrupted, and the way Shufflecake currently works, causes a Segmentation Fault, and your partitions won’t mount properly
Allow the overwrite, not fix the hidden partition, and update the partition map
List the partition as “damaged”, “tainted”, “over-comitted”, or something like that, to let the user know that it’s been overwritten by something in a partition that’s higher than it
And likely alert the user the next time that partition has been successfully unlocked
TrueCrypt is quite old. The last Ubuntu version that actually supported TrueCrypt was Ubuntu 8.10, from 12 years ago (See: TrueCrypt - Community Help Wiki)
Shufflecake does all of this and more, which is why I’m leaning more towards Shufflecake being a better fit…
But hey, it’s still worth investigating
If all jobs were like this, then none of us would have even bothered with CompTIA or Linux+ certifications
Surprisingly, it’s the opposite. Usually those jobs have high turnover, and are full of highly-skilled, highly-qualified people, who’s qualifications have nothing to do with their current employment. They are just there temporarily so they can keep paying their bills, while just waiting for an opportunity to move onto something else.
If anyone reading this genuinely has a passion for airport security screening, more power to you. But even you would agree with me that most of the people you work with fit the description above
@catacombs, I think @barto means the anti-List™ of things that will piss off an Officer enough for them to look at their list of powers and go “OK, what can I do to this blockhead to ruin their day, and isn’t going to get me fired for overreach? Wow! I can actually do A LOT! Take a seat. You’ll be here a while. Hans, prepare the long rubber glove…”
If you mean what I think you mean (correct me if I have misunderstood you), then running Windows in a partition that shares “empty space” that isn’t really “empty space”, then that’s a recipe for disaster.
Windows is the Steve Stifler of OSes (if anyone doesn’t get that reference, see here: Steve Stifler | American Pie Wiki | Fandom). It comes in, acts like it owns the place, touches whatever it wants, with little to no regard for anything else that might be on your computer.
Yes, COMPUTER, not just hard drive. Windows touches your UEFI firmware, your system clock, your BIOS (if your BIOS lets it), your other partitions, your partition map, and even your CPU microcode in some circumstances.
Windows does this as part of its startup process. Anyone who dual-boots will have countless stories about their computer being borked after booting into Windows.
Hell, even booting the Windows Installer ISO from a USB does this!
Does it ask you if it can do this, or even notify you that it’s doing this? Of course not. Why would it? It thinks it’s the center of the universe
So I can imagine that the first thing that Windows might do is “touch” all that empty space™, forcing all your other things to essentially disappear.
Shufflecake recommends that you do all your daily driving inside the lowest partition, because to be able to unlock that partition, you have to, by definition, also unlock all the other partitions…
…and trust me, I’ve tried it. It’s chaos if you don’t…
Shufflecake appears to be excellent for single-use plausible deniability, assuming the following:
You do your daily driving in the lowest partition
You do regular backups of your important files
Or complete drive clones if you’re 1337
You operate under the assumption that you have lost ALL your data if you ever need to play the Plausible Deniability Card™
Just in case anyone was wondering why Qubes OS does not have good hardware acceleration support:
A lot of GPU firmware and drivers are GIGANTIC, and likely way larger than they need to be to perform the functions they claim to perform. Because of this, there’s a lot of speculation that they may be doing extra things other than just drawing polygons on your screen
Nobody wants that in their dom0…
So, just in case, it’s been deliberately left out of dom0, at least until such time as the firmware can be compartmentalized without causing a cataclysmic meltdown of your machine.
all that would be SO COOL!!!