Gentoo Forums
just a small encrypted filesystem?
Gentoo Forums Forum Index :: Gentoo Chat
Quantumstate
Apprentice

Joined: 26 May 2004
Posts: 270
Location: Dallas

PostPosted: Sat Jun 26, 2004 10:26 pm

OK, thanks Saccory. Maybe I'm back to square one. Will dedicate a few more days to this, to see.


pbx06 wrote:
I am missing something:

I changed the owner of /dev/loop0 (symlink) then the owner of /dev/loop/0

I added to fstab:
Code:
#/etc/fstab
/dev/loop0     /home/pbx06/secmount           user,noauto     0 0


Then, as a regular user, I run the script:
Code:
#!/bin/sh
/sbin/losetup -e aes-256 /dev/loop0 ~/sec.file
mount -t ext2 /dev/loop0 ~/sec


but I get:
Code:
memlock: Operation not permitted
Couldn't lock into memory, exiting.
mount: only root can do that


Since I changed /etc/fstab, I should not get the mount error, right?


Maybe a C program that does the same thing as the script, but setuid root, would do the trick?
Or maybe setuid root on losetup?


YIKES, looks like we're the Three Blind Mice, but I'll take a shot. pbx, as per my 7 years' experience with Linux, it's not necessary to mod permissions of a symlink, as it inherits from the parent. Do change the parent though; I suggest changing only its group, and ensure your user is in that group. (disk, say) When it's suggested that I use /dev/cdrom/cdrom1 I recognize that it's just a symlink to the real device, /dev/scsi/host0/bus0/target4/lun0/cd which is precisely equivalent to /dev/sr1 in my case. So all that need change is the parent, /dev/scsi/host0/bus0/target4/lun0/cd ... and all symlinks pointing to it will change. To be honest though, while testing I use the exact recommendation (as above); but if it works, I modify to the easiest. Of course we aren't supposed to admit this, since we're all so tough. (cough)

However this memory error seems more fundamental than permissions. A C program won't help. But setting chroot on your (parent) loop device and/or container file may well.
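The two errors in the quoted script come from two different places, and it helps to separate them. The memlock message is losetup's own: with the encryption options it tries to lock its memory so the key can never be paged to swap, and an unprivileged process is not allowed to do that, so /etc/fstab has no bearing on it. The "only root can do that" message is mount's, and it follows the rule that a non-root user may mount only when an fstab line carrying the `user` (or `users`/`owner`) option matches the device and, if one is given on the command line, the mount point exactly. The quoted fstab names /home/pbx06/secmount, but the script mounts on ~/sec. The following is an added example, not code from the thread or from util-linux: it parses fstab text and applies that rule offline. SAMPLE_FSTAB is constructed to mirror the posted entry (the root line is filler), and the home directory is passed in as a parameter rather than read from the environment.

```python
"""Check, offline, whether a non-root user may run mount for a given
device/mount point, following the rule mount(8) applies to /etc/fstab
entries carrying the user/users/owner option.  Added example, not code
from the thread; SAMPLE_FSTAB is constructed to mirror the entry pbx06
posted, and the home directory is passed in rather than read from $HOME
so the check never touches the real system."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed fstab: the root line is filler, the loop0 line mirrors the post.
SAMPLE_FSTAB = """\
#/etc/fstab
/dev/sda1      /                      ext3    defaults        0 1
/dev/loop0     /home/pbx06/secmount   ext2    user,noauto     0 0
"""

# Options that let an ordinary user mount the entry.
USER_OPTIONS = {"user", "users", "owner"}


@dataclass
class FstabEntry:
    device: str
    mountpoint: str
    fstype: str
    options: List[str]


def parse_fstab(text: str) -> List[FstabEntry]:
    """Parse fstab text, skipping comments, blanks and lines with too few fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; mount ignores it as well
        entries.append(FstabEntry(fields[0], fields[1], fields[2],
                                  fields[3].split(",")))
    return entries


def expand_home(path: str, home: str) -> str:
    """Do what the shell does with ~ before mount ever sees the argument."""
    if path == "~":
        return home
    if path.startswith("~/"):
        return home + path[1:]
    return path


def user_mount_check(fstab_text: str, device: Optional[str],
                     mountpoint: Optional[str], home: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a non-root `mount [device] [mountpoint]`.

    mount looks for an fstab line matching the device and, if one was given,
    the mount point; only a line with a user option lets a non-root user
    proceed.  Every other outcome is mount's 'only root can do that'."""
    dev = expand_home(device, home) if device else None
    mnt = expand_home(mountpoint, home) if mountpoint else None
    if dev is None and mnt is None:
        return False, "no device or mount point given"
    for entry in parse_fstab(fstab_text):
        if dev is not None and entry.device != dev:
            continue
        if mnt is not None and entry.mountpoint != mnt:
            continue
        if not USER_OPTIONS & set(entry.options):
            return False, f"entry for {entry.device} has no user option: only root can do that"
        return True, f"user may mount {entry.device} on {entry.mountpoint}"
    return False, "no fstab entry matches both device and mount point: only root can do that"


if __name__ == "__main__":
    home = "/home/pbx06"
    # The command from the post: device matches, mount point (~/sec) does not.
    print(user_mount_check(SAMPLE_FSTAB, "/dev/loop0", "~/sec", home))
    # What the fstab line actually permits: name only the device or only the path.
    print(user_mount_check(SAMPLE_FSTAB, "/dev/loop0", None, home))
```

With the entry as posted, the user's script would have to call `mount /dev/loop0` or `mount ~/secmount` (either alone, or both spelled exactly as in fstab); the losetup step still needs root for the memory lock, which is why the thread moves on to other approaches.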
linux_girl
Apprentice

Joined: 12 Sep 2003
Posts: 287

PostPosted: Sun Jun 27, 2004 12:22 am

Quantumstate wrote:

However this memory error seems more fundamental than permissions. A c program won't help. But setting chroot on your (parent) loop device and/or container file may well...


An idea came to my mind: if strong encryption is tolerated in my country, does this mean that if I get busted by the police they may easily brute-force my crypto FS? Or do they have the right to force me to give up the password?
_________________
:D :D
IvanHoe
l33t

Joined: 05 Oct 2002
Posts: 658

PostPosted: Sun Jun 27, 2004 6:54 am

So, what do I have to do to get dm-crypt to properly read a volume encrypted with cryptoloop and aes-256?
Quantumstate
Apprentice

Joined: 26 May 2004
Posts: 270
Location: Dallas

PostPosted: Sun Jun 27, 2004 6:49 pm

PBX, the solution to both questions is that they do not know you have something. A container file, named something obscure and maybe invisible, buried in a boring location and dated the same as surrounding files, mounted with a boringly-named script, buried in the path and dated like surrounding similarly-named files, compressed (& autodecompressed on demand) so unsearchable, perhaps? <waits for the sound of Black Helicopters and an urgent knock on the door>
BECHTEL! There, I said that name out loud; yet another reason. :wink:

It's known in some circles that this idea was in common use by activists in the Eastern Bloc before the fall, and even now. This is why encrypting your root filesystem is a bad idea -- there will definitely be a password to beat/sue/extort (or if us Americans, torture, hehe) out of you. There's no chance they'll brute-force AES (unless maybe cryptoloop), so standard practice is to get in a keylogger somehow, before-the-fact. All p2p, regardless of purpose, must be in an airtight jail such as SELinux, as all have been cracked (incl. overnet for linux) and are keylog vectors. Doubt chroot or vmware is sufficient.

IH, I for one, can't even get the basics working. But be advised that all latter cryptoloops have (essentially) a backdoor.

New info on my case:
Code:
# losetup /dev/loop1 /dev/sr1
# blockdev --getss /dev/loop1
512
# cryptsetup -h plain -b 2048 create dvdsafe /dev/loop1
Enter passphrase:
#
# blockdev --getss /dev/loop1
512
# blockdev --getss /dev/mapper/dvdsafe
512
# mount -t udf /dev/mapper/dvdsafe /mnt/dvdsafe -o bs=2048
mount: wrong fs type, bad option, bad superblock on /dev/mapper/dvdsafe,
or too many mounted file systems


So, my problem seems to be that loop's blocksize is 512, in keeping with the disk, but my DVDRAM's bs is 2048, so no wonder it can't find the superblock.

Looks like few have actually gotten this system working, thus the dearth of experts. Signed up for the dm-crypt wiki, waiting for approval.
linux_girl
Apprentice

Joined: 12 Sep 2003
Posts: 287

PostPosted: Sun Jun 27, 2004 8:06 pm

Quantumstate wrote:

<waits for the sound of Black Helicopters and an urgent knock on the door>
BECHTEL! There, I said that name out loud; yet another reason. :wink:

It's known in some circles that this idea was in common use by activists in the Eastern Bloc before the fall, and even now. This is why encrypting your root filesystem is a bad idea -- there will definitely be a password to beat/sue/extort (or if us Americans, torture, hehe) out of you. There's no chance they'll brute-force AES (unless maybe cryptoloop), so standard practice is to get in a keylogger somehow, before-the-fact. All p2p, regardless of purpose, must be in an airtight jail such as SELinux, as all have been cracked (incl. overnet) and are keylog vectors. Doubt chroot is sufficient.

I don't understand the line where you talk about p2p/keyloggers.

I remember a story of a guy who didn't go to jail because there was no DNA analysis at the time to prove he was guilty of murdering a girl.

10 years later the police decided to use DNA analysis. They found him guilty and he is going to die in an electric chair in Florida, I guess, all because 10 years after his perfect crime, tech evolved!
So today's perfect crimes are not perfect tomorrow!


So even if they don't understand what this junk file is and the script that mounts it (which I don't believe),

they will keep a copy of my HD if they don't keep my hard disk. They won't be able to brute-force it today, even if they cluster all the top 50 supercomputers?

How strong is AES? Is a quantum computer able to brute-force it?

aes-256: does it mean they have to encrypt 2^255 plaintexts to guess the password? No!!! Because 2^255 is the average worst case! They could find your password on the first try (probability 1/2^256 != 0, low but not zero).

If a quantum computer takes/needs one electron to encrypt a password,
are 2^256 electrons > the number of molecules the whole universe contains?
If so, even God isn't able to brute-force it! :lol:


My ISP logs every connection I make (2 years before they delete the logs) because of September 11.

Kevin Mitnick used to upload all his files to a remote host (a hacked/owned one) to avoid getting busted!

I can't afford using more than one proxy. Chaining proxies sucks if they all keep their logs + ISP log + speed = 1 byte/minute :cry:
_________________
:D :D
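The post above reasons about brute force in three parts: the size of the key space, how many trials an attacker needs on average, and whether 2^256 is larger than the number of particles in the universe. The following added example (not from the thread, written here from an educator's stance) carries those numbers through, and adds the bound that the thread's later replies touch on only in passing: when the key is derived from a passphrase, as cryptsetup's plain mode does, the attacker searches the smaller of the two spaces, so the passphrase's entropy, not the 256-bit key, is usually the real limit. The atom count used is the commonly quoted order of magnitude and the trial rate is an assumed round number; both are labelled in the code.

```python
"""Worked numbers behind the brute-force question in the post above: size
of the AES-256 key space, expected trials, probability of a first-try hit,
the bound a passphrase puts on all of that, and the 'more than the atoms in
the universe' comparison.  Added example, not from the thread; the atom
count is the commonly quoted order of magnitude and the trial rate is an
assumed round number."""
import math

# Commonly quoted order of magnitude for atoms in the observable universe (assumption).
ATOMS_LOG10 = 80


def expected_trials(bits: float) -> float:
    """On average half the space is searched before the right key turns up."""
    return 2.0 ** (bits - 1)


def first_try_probability(bits: int) -> float:
    """Chance that a single random guess is the key: 1 / 2^bits, small but not zero."""
    return 2.0 ** -bits


def passphrase_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a passphrase drawn uniformly from charset_size^length choices."""
    return length * math.log2(charset_size)


def effective_bits(key_bits: int, charset_size: int, length: int) -> float:
    """The attacker searches the smaller space: raw keys, or the passphrases the
    key is derived from (cryptsetup's plain mode hashes the passphrase into the key)."""
    return min(float(key_bits), passphrase_entropy_bits(charset_size, length))


def years_to_search(bits: float, trials_per_second: float) -> float:
    """Expected wall-clock years at a fixed trial rate."""
    return expected_trials(bits) / trials_per_second / (365.25 * 24 * 3600)


def exceeds_atom_count(bits: int) -> bool:
    """Is 2^bits larger than ~10^ATOMS_LOG10?  2^256 is about 1.16e77, so for
    256 bits the answer is no, by roughly three orders of magnitude."""
    return bits * math.log10(2) > ATOMS_LOG10


def summary(charset_size: int = 95, length: int = 20,
            trials_per_second: float = 1e18) -> dict:
    """Collect the figures for one passphrase policy against AES-256.
    95 is the printable ASCII charset; 1e18 trials/s is an assumed rate."""
    eff = effective_bits(256, charset_size, length)
    return {
        "key_bits": 256,
        "passphrase_bits": round(passphrase_entropy_bits(charset_size, length), 1),
        "effective_bits": round(eff, 1),
        "expected_trials_log10": round(math.log10(expected_trials(eff)), 1),
        "years_at_rate": years_to_search(eff, trials_per_second),
        "keyspace_exceeds_atoms": exceeds_atom_count(256),
    }


if __name__ == "__main__":
    for length in (8, 20, 40):
        print(length, summary(length=length))
```

Running the script shows the point: an 8-character printable passphrase is worth about 53 bits regardless of the 256-bit key behind it, 20 characters about 131 bits, and only around 40 random characters reach the key's own size.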
linux_girl
Apprentice

Joined: 12 Sep 2003
Posts: 287

PostPosted: Sun Jun 27, 2004 8:08 pm

My secret file that contains the cryptoloop device, ~/sec,
was deleted. Oh, my bad: https://forums.gentoo.org/viewtopic.php?t=190954
_________________
:D :D
Quantumstate
Apprentice

Joined: 26 May 2004
Posts: 270
Location: Dallas

PostPosted: Mon Jun 28, 2004 4:35 pm

pbx06 wrote:

I don't understand the line where you talk about p2p/keyloggers.


You are familiar with p2p? They are generally a client/server architecture, meaning a 'core' app is the 'engine', or server. The GUI app is its client. P2P client apps are often open-sourced, but the server bit never is; it must be secret, as there are adverse parties.

Some organizations feel a priori that there are no legitimate uses of p2p, and they have cracked the (proprietary, copyrighted) code in order to compromise it. When a user runs the core, it's always necessary to open the firewall to allow outside connections to it, but this means others can reach through, buffer-overflow to root, and rootkit you. (Please do a search on keyloggers; I must spend time on my problem.)

You'll recognize you've been hit with a keylogger if your network is quiet but there's a slow, steady stream of SSL packets going out port 80 or some other common port. Slow enough to not be seen on Knetmon, but visible in Ethereal or Snort. Emerge tleds and use it.


pbx06 wrote:

I remember a story of a guy who didn't go to jail because there was no DNA analysis at the time to prove he was guilty of murdering a girl.

10 years later the police decided to use DNA analysis. They found him guilty and he is going to die in an electric chair in Florida, I guess, all because 10 years after his perfect crime, tech evolved!
So today's perfect crimes are not perfect tomorrow!


I approve of this advance. But personally my concern is 'What is legal to say and do today... may not be so tomorrow.' I did 'defense' work in Europe '76-'80. So "discretion is the better part of valor", when in doubt... 'Moscow Rules'. {no, not Moscow RULES, but MOSCOW rules}


pbx06 wrote:

So even if they don't understand what this junk file is and the script that mounts it (which I don't believe),

they will keep a copy of my HD if they don't keep my hard disk. They won't be able to brute-force it today, even if they cluster all the top 50 supercomputers?

How strong is AES? Is a quantum computer able to brute-force it?

aes-256: does it mean they have to encrypt 2^255 plaintexts to guess the password? No!!! Because 2^255 is the average worst case! They could find your password on the first try (probability 1/2^256 != 0, low but not zero).

If a quantum computer takes/needs one electron to encrypt a password,
are 2^256 electrons > the number of molecules the whole universe contains?
If so, even God isn't able to brute-force it! :lol:


AES is the Advanced Encryption Standard, the recently approved new encryption for corporate/govt use. The US DoD put out an RFP for the best algo to serve as the AES, and Rijndael was selected. As I understand, it's quite good. Of course, when quantum computers are developed they will be able to solve just about any foreseeable problem. Even dedicated factoring hardware (http://www.xilinx.com/) today can crack 3DES in reasonable time, and new shortcuts are found frequently. But remember as far as brute force, that AES requires a minimal password length (20?), and each additional digit increases brute-force time exponentially.

And remember that quantum computers are only to the point of one molecular gate, and that one's not particularly reliable; they're no less than 10 years away, at which time there'll be "new fish to fry" and new realities. The biggest problem with quantum computing today is noise. Also they do not fully understand how an electron in one room can affect an electron in another room, but it has been observed... things get awfully queer at atomic scales.

When your adversary has unlimited resources and chooses to dedicate them to you, there's no hope no matter what you do. But remember that almost all these targeting decisions are economically-based, so the question is how valuable are you compared with others in your sphere? And are you the "low-hanging fruit"?

Also, times change. The wall came down, nations are turning to more freedom (except the US), and past actions are forgotten. I hope you're asking for legitimate reasons; because for proxying, I suggest wifi.
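The detection the post describes, a slow but regular stream of TLS-looking traffic leaving on a port where plain HTTP is expected, can be checked offline against connection records exported from a sniffer or IDS, which is a more reliable test than watching a LED blink. The following is an added example, not code from the thread or from any of the tools it names: it groups constructed flow records by destination, measures how regular the inter-arrival times are, and flags destinations that combine a near-constant period with TLS record headers on a plaintext port. The addresses are RFC 5737 test ranges and the records are constructed; the thresholds are assumptions to be tuned per network.

```python
"""Offline check for the beaconing pattern described in the post above: a
slow, regular stream of TLS-looking connections to one host on a port where
plain HTTP is expected.  Added example, not from the thread; the flow
records are constructed (RFC 5737 test addresses) and stand in for what a
sniffer or IDS would export."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, str, int, bytes]   # (epoch seconds, dst ip, dst port, first payload bytes)

# Constructed records.  The 203.0.113.x lines are bursty, plain-HTTP browsing;
# the 198.51.100.7 lines fire every ~60 s and start like a TLS handshake.
FLOWS: List[Flow] = [
    (1000.0, "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),
    (1001.2, "203.0.113.11", 80, b"GET /img/a.png HTTP/1.1\r\n"),
    (1003.7, "203.0.113.10", 80, b"GET /style.css HTTP/1.1\r\n"),
    (1040.9, "203.0.113.10", 80, b"GET /page2 HTTP/1.1\r\n"),
    (1050.1, "203.0.113.10", 80, b"GET /page3 HTTP/1.1\r\n"),
    (1400.0, "203.0.113.12", 443, b"\x16\x03\x01\x00\xc8"),   # normal HTTPS
    (1000.5, "198.51.100.7", 80, b"\x16\x03\x01\x00\x9a"),
    (1060.4, "198.51.100.7", 80, b"\x16\x03\x01\x00\x9a"),
    (1120.6, "198.51.100.7", 80, b"\x16\x03\x01\x00\x9a"),
    (1180.5, "198.51.100.7", 80, b"\x16\x03\x01\x00\x9a"),
    (1240.3, "198.51.100.7", 80, b"\x16\x03\x01\x00\x9a"),
    (1300.6, "198.51.100.7", 80, b"\x16\x03\x01\x00\x9a"),
]


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake) followed by major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def find_beacons(flows: List[Flow], min_count: int = 5, max_cv: float = 0.2,
                 plaintext_ports: Tuple[int, ...] = (80, 8080),
                 min_tls_fraction: float = 0.8) -> List[Dict]:
    """Report destinations with at least min_count connections whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv)
    and which mostly carry TLS on a port where plaintext HTTP is expected.
    Thresholds are assumptions; tune them to the network being watched."""
    by_dst: Dict[Tuple[str, int], List[Tuple[float, bytes]]] = defaultdict(list)
    for ts, ip, port, payload in flows:
        by_dst[(ip, port)].append((ts, payload))

    hits = []
    for (ip, port), recs in by_dst.items():
        if len(recs) < min_count or port not in plaintext_ports:
            continue
        recs.sort(key=lambda r: r[0])
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        tls_fraction = sum(looks_like_tls(p) for _, p in recs) / len(recs)
        if cv <= max_cv and tls_fraction >= min_tls_fraction:
            hits.append({"dst": ip, "port": port, "count": len(recs),
                         "period_s": round(mean, 1), "jitter_cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(f"possible beacon: {hit['dst']}:{hit['port']} "
              f"every {hit['period_s']} s ({hit['count']} flows, cv={hit['jitter_cv']})")
```

The browsing flows are skipped twice over: too few connections per host, and no TLS header on port 80. The single HTTPS connection on 443 is on an expected port. Only the 60-second stream to 198.51.100.7 survives every filter, which is the kind of result worth pulling the full capture for.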
Quantumstate
Apprentice

Joined: 26 May 2004
Posts: 270
Location: Dallas

PostPosted: Mon Jun 28, 2004 8:43 pm

Right then. I guess transitioning from Mandrake-encrypted to dm-crypt will have to remain a question for the ages.

I did find that you do not use losetup when operating on a device (opposed to a file).

So my backups are now dm-crypt (can't recover the old), and my scripts are thus:

mountdvdsafe
Code:
#!/bin/bash
#
# Mount DVDRAM Encrypted Filesystem

#mkudffs --media-type=dvdram --blocksize=2048 /dev/mapper/dvdsafe

#cryptsetup -c aes -s 256 create dvdsafe /dev/sr1
cryptsetup create dvdsafe /dev/sr1
mount -t udf /dev/mapper/dvdsafe /mnt/dvdsafe

umountdvdsafe
Code:
#!/bin/bash
#
# UMount DVDRAM Encrypted Filesystem

umount /dev/mapper/dvdsafe
cryptsetup remove dvdsafe


... and it all works. Thanks Sac.
saccory
Apprentice

Joined: 18 Feb 2004
Posts: 176
Location: Göttingen, Germany

PostPosted: Tue Jun 29, 2004 6:57 am

Quantumstate wrote:
I did find that you do not use losetup when operating on a device (opposed to a file).

Well, in most cases you don't need to, but you can. I had some difficulties creating a mapping for my DVD drive.
syslog wrote:
device-mapper: : crypt: Device lookup failed
device-mapper: error adding target to table

And someone on the Device Mapper mailing list suggested creating an additional layer between the DVD and the device mapper by using a loopback device.

And it worked :D
All times are GMT
Page 2 of 2