Feature Request: Peace of mind when crossing borders

The world is spiraling from bad to worse. Just when you think the psychopathy of the ruling class can’t get more dystopian, they start another phony war, impose another restriction, and tighten the noose that much more.

Over the horizon, a contrived “cyber pandemic”, destroying what’s left of the supply lines, and production infrastructure, so they can impose their biometric passport for the internet, and enslave The People that much more.

Meanwhile, the ray of hope in a world gone full dystopian lies with the hackers and the cypherpunks.

If The People are going to maintain any modicum of freedom, it will track back to the code a cypherpunk wrote years before.

With that in mind, devs, please consider adding plausible deniability to Qubes by default.

Enable users to cross borders without risk of imprisonment for any of the ever changing innumerable list of non-crimes against the state.

8 Likes

I agree with you, in that it would definitely be an awesome thing to have, even though a lot of people see little point in it because it’s not “real security”.

But it could very well be the difference between an agent waving you through at a checkpoint because your machine “seemed clean enough” after checking out a few folders indiscriminately, or being escorted away in handcuffs because someone thought anyone who uses a terminal was “one of those hacker types”.

What it would not be good for

  • Any forensic analysis of your machine. You’d be totally screwed…
  • Safeguarding against any remote access
  • Providing any actual security (Sorry, but it’s true…)

What it would be good for

  • Fooling security guards, border agents, security checkpoints, or anyone else who isn’t exactly “tech-savvy”
  • Tricking someone into typing in a password if you’re under duress, and that password would actually wipe your device, notify someone that you’re in danger, or anything else you like.

The world is currently watching people being stopped in the streets by police officers in multiple places around the world, and having their phones searched manually (no forensic analysis, at least not with a wide net).

Just a quick “See? There’s nothing there. I told you that!” could be all it takes to save someone’s life :slight_smile:

I don’t really see how it would work with Qubes OS.

I assume you want to hide that you are using Qubes, but plausible deniability only works if you use a hidden OS for whatever you want to keep hidden and a normal OS for everything else; booting into an unused Windows installation is not going to fool anyone.

Doesn’t have to be Windows… And you don’t have to do all your computing in the PD layer. All the mindless social media I’m sure will fit nicely into your overt layer profile leaving a typical footprint like all the obedient, eternally distracted slaves.

2 Likes

It does matter what OS it is, but you would need to spend a substantial amount of time using it, which is counterproductive if you are using Qubes for the security features you only get with Qubes OS.

Overt and pd can both be Qubes my friend.

It’s really funny to find people surprised by the fact, while no experience leaves the room for the opposite.

So we’re probably left only to

…why the thinking woman’s only legitimate governance structure… self-governance…ie anarchy.

All others end in the same place… genocide. Looks like the 250 year cycle is holding true this go around too.

2 Likes

Alright, I’ll be the buzz-kill. It is perfectly fine and intended for this category to be used to discuss a feature request like “plausible deniability”. Please go ahead.

And while formulations like “obedient, eternally distracted slaves” make me think we are likely listening to the same podcasts, I’d like to remind everyone that this is not the place to air your politics.

ITM

2 Likes

I have mentioned this before in another thread and it was marked as off-topic, but since you are asking I will mention it again.

The trick is to install your system on an Opal 2.0 compliant SED drive (any Samsung SSD will do) with it configured with a Shadow MBR giving you a hidden partition table. To any inspector they will see a bootable system but the partition(s) containing the real system will not appear in the “normal” partition table. Once the primary system is booted the Shadow MBR can be unlocked to reveal a hidden partition which can then be booted into for Qubes-OS. As long as power is maintained this partition will remain visible but once powered down it becomes invisible to inspection once again.

As far as inspection, the drive will simply appear to be using one small partition that does not consume the entire disk. The unused space will not even appear to be formatted, and any physical dump taken of that empty space will appear as random garbage because it is encrypted underneath. The only way they can “discover” the contents is if they somehow figured out how to log in to your system and unlock the SED’s shadow MBR by using the magic password, and they would have to know what that password is.

This of course increases the time required to boot the system, but it is on a SSD. I would suggest choosing a set of keys to be held down during the initial OS boot to choose the MBR unlock and reboot into it as early in the sequence as possible. The inspector would have to know this key sequence in advance for the alternate boot sequence to take place, otherwise they would find themselves looking at a very minimal Linux OS with very little content. Nothing interesting at all to look at. Just move along…

Edit: I forgot to mention, the primary boot partition can also be marked read-only, enforced by SED hardware. If removed from your sight they will be unable to modify the boot partition. You could also do that with the primary visible partition but then they would be able to see the SED unlocking during the primary boot sequence, so it’s better not to in this use case. They would only know that they could not add spyware to the initial boot kernel and only if they tried to do that. This is effectively a hardware-enforced anti-maid system with the caveat that you need to un-write-protect this while you are updating Xen or Qubes boot files. Nobody will be able to tamper with your primary boot sequence.

3 Likes

Do you have the drive layout before and after decrypted luks?

before
https://forum.qubes-os.org/uploads/db3820/original/2X/3/38a97568a1422d0e558583a6ea046430b9cb0d9a.png

after
https://forum.qubes-os.org/uploads/db3820/original/2X/1/1f0d5b8af1a2d6bb1332663a20063dc424e3a645.png

:wink:
I am amazed by this Opal technology.
tnx for sharing links.
will research it today, and buy it tomorrow.
tnx

Not using 10% of the SSD leaving it for provisioning is a-must, but, “not using” 90% of the SSD would raise question marks above anyone’s head, especially those with the 3-letter badges on the uniforms.

So I’d rather hide whatever it’s possible in those 10%, meaning would bring with me only what is really necessary most likely on a second disk labeled “for travels”, while leaving the main one at home…

Dear Emily
I read about this not just on this forum but on many others.
What I do not understand is why do you want to travel with your PC across the border? why?

For example:
Let’s say that you are AAA+ Hacker and you have everything on your PC.
Information which could bring you in prison if somebody sees it. For sure.

Which logic tells you to take this information across border?
I could not comprehend this decision.

I tell you what would I do:
I would take this disk and clone it, few times.
Then I will send it with a post.
Now you are thinking that they can inspect this disk on custom/border.

Yes they can.
But you do not write your origin and destination address. You send it with fake name to some mailbox which you can see/control, but not directly yours.

Now you think this is the stupidest idea on the world, but I will tell you something:
Darkweb, drugs, how do they do it? With a local post :smiley:

Maybe this is not enough.
Print ones and zeros to a paper, randomize it with encryption and then post it on some forum.
Did you see this: Voynich manuscript - Wikipedia . 500 years old and nobody cracked it.
I think this is my favorite:
https://www.reddit.com/r/codes/comments/km0793/mysterious_message_hidden_in_images/

You buy yourself some camera and microSD card, put your text in pictures, and save it on SD card.
If somebody asks questions, you are a photographer.
They can clone your SD card but there will be only a picture.
Pixel position and color of pixel is your word. So you need a coordinate system, and some brain wallet.

I think I can write without stopping, so I will stop now.

In last 20 years I visited 20 countries, some in EU some overseas, but I never ever took my main PC with. never ever.

my PC is safe at home, and if I need some information (and I almost never need it), I would connect to my PC remotely and read the information.

I know you want to safely travel, I want it too, but you can forget about it.
I know I sound like a pessimist, maybe I am, but I never bring compromising infos with.
And you should never do it.

If you could give an example why you want to bring your PC across border, maybe I can help you.
It does not have to be publicly on this forum, you can contact me privately.

p.s. for admins and mods: this is my opinion, and I do not want to troll or something like that.
Like I said, this is only my opinion.

1 Like

@slcoleman And how does the outer partition table prevent the outer OS from overwriting the inner OS? I believe that’s a fundamental issue that is hard to solve.

Anyway there’s ongoing scientific research on this issue. I e.g. recall some research on a probabilistic approach that doesn’t have that partition issue at all. Also, most current approaches appear to use some in-RAM boot disk to unlock the hidden data. This is supposed to help against forensics that attempt to find traces of you accessing the hidden data.
Btw these kinds of approaches essentially rule out Qubes OS entirely as it doesn’t run in-memory or from external media. Tails or something like that would be more suitable.

In total I don’t believe that this issue should be solved by Qubes OS, but more likely by some standard Linux software such as dm-crypt. If such a tool becomes standard, there’s also no issue in plausibly having it.

An example of academic research: Artifice: A Deniable Steganographic File System | USENIX

Unfortunately however such academic research usually doesn’t produce usable and well-maintained software.

Also, it was already discussed on this forum multiple times that not having anything with you at border control is the best way to hide stuff (on the Internet or so). If the Internet is censored in the country you are trying to get into, you may consider steganography or hide the relevant data on some small SD card or so.

Exactly.

Another option is to just use another disk with a detached LUKS header and replace it with an unsuspicious disk on border crossing. Print out the header in some strange code and take it with you as paper or send it as postal mail. On border control claim that you bought the random data disk on eBay because it has more storage, but you didn’t get to putting it into the laptop yet.

And so on…

1 Like
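An added illustration, not part of any post in this thread and not Qubes or sedutil code: the posts above say that hidden or header-less encrypted space reads back as "random garbage" or a "random data disk", and that property is itself what an examiner measures. The sketch parses a classic MBR, finds sectors no partition claims, and flags chunks whose byte entropy looks like ciphertext; the sample image, the 7.5 bits/byte threshold and all function names are assumptions made for the example.

```python
import hashlib, math, struct
from collections import Counter

SECTOR = 512

def parse_mbr(image):
    """Return (start_lba, sector_count) for each used primary MBR entry."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:          # byte 4 is the partition type
            parts.append((start, count))
    return sorted(parts)

def unallocated(total_sectors, parts):
    """Sector ranges [start, end) no partition covers (sector 0 is the MBR)."""
    gaps, cursor = [], 1
    for start, count in parts + [(total_sectors, 0)]:   # sentinel closes the last gap
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, start + count)
    return gaps

def entropy(block):
    """Shannon entropy in bits per byte; close to 8.0 means it looks random."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def suspicious_gaps(image, chunk_sectors=8, threshold=7.5):
    """Unallocated chunks whose content looks like ciphertext, not blank space."""
    hits = []
    for start, end in unallocated(len(image) // SECTOR, parse_mbr(image)):
        for lba in range(start, end, chunk_sectors):
            stop = min(lba + chunk_sectors, end)
            if entropy(image[lba * SECTOR: stop * SECTOR]) >= threshold:
                hits.append((lba, stop))
    return hits

def build_sample_image():
    """Constructed 48-sector image: MBR, 15-sector partition, blank gap, 'ciphertext'."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x83, b"\0" * 3, 1, 15)
    mbr[510:512] = b"\x55\xaa"
    fs = b"plain ext4-like filler ".ljust(SECTOR, b".") * 15
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    return bytes(mbr) + fs + bytes(SECTOR * 16) + noise
```

On the constructed image, `suspicious_gaps(build_sample_image())` reports sectors 32 to 47 and ignores the zero-filled gap before them, which is the distinction between never-written space and encrypted space that the "What it would not be good for" list earlier in the thread points at.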

+1 for this, that’s why I dual boot my laptop, even though it’s not recommended; I’ve applied encrypted boot and a detached header, so that would be safe. Secure Qubes at home to store sensitive data is enough for me.

But I’m still curious about the Opal technology: what does the drive tree look like after applying that? If someone could provide before and after LUKS decryption, I would be grateful.

But trying to “smuggle” encrypted whatever greatly increases the risk, as even written there - so don’t do it - that was my point, because YOU HAVE TO LIE, which makes “attack surface” bigger. Remember the concept - keep it minimal? Find another way to have it on your destination,

When you go online - say goodbye to your privacy, that’s why you have to use Qubes and dispVM (meaning not to bring online anything with you). Same is for real life. When you go out of your home, don’t bring your privacy with you (on a laptop or on a cell phone, among other things) otherwise say goodbye to it.

Once arrived, I’d ask my sister at home to send me key file over secure channel.

Thanks @slcoleman and @enmus to point me as a rude guy! Just kidding, no offense ^^

For the border crossing, enmus just quoted how it’s done by a security professional (one of the creators of Qubes), and many examples have been given: you don’t need to hide or deny what you don’t have at first.

I’m still interested about the OPAL drives cause they have plenty of applications, but I’m wondering if that would also work as a non-boot drive (i.e. secondary)?
I’ve (quickly) read a bunch of pages from the 2nd PDF and it is not clear about that: it’s talking about boot sequences, but also that it can be manipulated with ATA commands, so dunno.

One interesting thing though, if I understood well, is that in order to boot the shadow MBR, “PC firmware and configuration → MUST not have changed” (p 12-6).
Am I thinking right that using a drive like that would prevent BIOS/UEFI tampering (provided it’s clean prior to the disk setup)?

tripleh
March 16

@slcoleman And how does the outer partition table prevent the outer OS from overwriting the inner OS? I believe that’s a fundamental issue that is hard to solve.

Each OS does not necessarily even see the other partition because the MBR contains the partition table. With the shadow MBR you get a shadow partition table for free. If it’s not a formatted partition you won’t be writing to it will you? Well yes, “sudo dd of=/dev/sdb” would do it if you tried, but why would you do that?

The inspector would first have to add a partition then format that empty space thus wiping what you are trying to hide from him, which is likely a lot better than him discovering what is actually in it. You might still be able to unformat it depending on how much they write to it. But why would they do that? Just to watch for the expression on your face? And try to guess if you are guilty by how much you squirm as they hit the enter key? I doubt it. They may try to dump that missing partition to some media to examine it later, but it’s SED encrypted and possibly software encrypted on top of that. Believe me, they are not reading that data.

In any case I think it’s fine for the Qubes system to see the fake OS system for doing maintenance by mounting it on an AppVM, but the reverse is not to be trusted. And you especially would not want dom0 to be mounting anything that someone could have tampered with. So with that thought…

If you made that fake OS partition also read-only and loaded the OS directly into RAM like a live DVD and then set up a COW file system over it you could even hide the fact that it is a read-only partition. The inspector could easily install all their sooper-secrit specialized spyware successfully to disk which would just disappear upon the next reboot! You might even find a way to squirrel off a copy of the COW fs containing their spyware for forensic analysis later. Effectively Spying on the Spys. Genius!

In total I don’t believe that this issue should be solved by Qubes OS, but more likely by some standard Linux software such as dm-crypt. If such a tool becomes standard, there’s also no issue in plausibly having it.

Yes, but if they notice dm-crypt on your system they will make you unlock it, so no, it’s not really encrypted from their eyes. They will lock you in the back room until you provide the key to unlock it, and when that fails they get out the monkey wrench. That is kind of the whole point of my exercise here, making the OS itself an Invisible Thing™. :wink:

Opal SED drives are amazingly flexible for many different use cases. They don’t just do encryption. You may already be using one.