The Plausibly Deniable DataBase (PDDB) (bunniestudios.com)
107 points by sohkamyung on Feb 8, 2022 | 30 comments


One possible approach to the free space issue on a laptop could be (encrypted) swap. If the system is configured to allocate swap pages in order and you have appropriate limits in place, the likelihood that you reach 100% swap usage can approach zero (but is hard to prove). Use the free space at the end of your swap for secrets. Having multiple swap files / swap partitions that you activate when you need more memory for compiling Firefox would give further proof against accidentally overwriting your secrets.


...but using specialized PD software in plain sight like this more or less defeats its point, no?


This probably depends on where you are using it. If I understand correctly, it tells an attacker that you have _something_ to hide, but gives no clue as to any metadata, such as the size of what you're hiding or how often it was updated.

Suppose a government agency is demanding that you decrypt... something, they're not sure what, or how much there is, or even if there's anything there. In a country with a strong rule-of-law, I think you're unlikely to have a court enforce sanctions against you to make you produce cleartext _that may not even exist_, unless they have very strong evidence from another source that it does exist. If you're in a more authoritarian country where the police can hold you for a long time just on the off-chance that there's more cleartext to get, then I don't think this helps you much.

Actually, I think we can maybe summarize: you probably shouldn't use this to defend against someone who would have no qualms just straight-up torturing you.


It could even make things much worse for you. If you have a standard encryption scheme then the torturer can be reasonably sure that they got everything useful out of you and can stop torturing you.

On the other hand if you are running PD software, then even if you had nothing particularly important to hide (gasp, they now have my Facebook password!), they might as well continue torturing you since there is no way to show that really you don't have those stolen Death Star plans.


The problem with torture is that in that case you also have no reason to give them a correct answer, no matter how much they hurt you.


That's not the case here.

Here they have a way to confirm that what you gave them produced more meaningful plaintext. And considering how large this PDDB might be, you might never be able to give them enough passwords to produce as much meaningful plaintext as could have been stored in it. Therefore they might never be satisfied that you have produced all of the meaningful plaintext plausibly stored in the PDDB.

You might as well say that giving the user plausible deniability also means giving their adversary plausible never-reaching-the-end-of-the-barrel. The former is good for the user if and only if the adversary is willing to pretend the PDDB thing isn't a thing, but why would they?

No, plausible deniability tools are not useful to most users. They are plausibly useful to a class of users (spies?) who might have resources or recourse to leverage that can be used to a) get them set free, b) without much or any torture, and c) without having to reveal their secrets. That class of users must be very small.


I don't think that's a fair conclusion either though. Torture resistance is just one of many security properties someone might care about and for most people it's really not the biggest worry.

The PD aspect might be a lot more useful in a more lawful coercion setting or a setting with more limited coercive access (i.e. a mugger threatening you with a knife on a street - can't afford to torture you for days just in case you're hiding something more).


I agree with all that.

The only way something like PDDB would work in practice to help the people intended, is for the software to become very widely used. For example, where everyone stores their pornography in a PDDB.

In that case, you would also store some porn in your PDDB, and would give up the password to that with little coercion. If they can't then prove the existence of more information, then you might be let go without too much damage.

Obviously, you shouldn't be storing porn that is illegal in your (or most other) jurisdictions in the first level of your PDDB.

In any event, good luck trying to get even a fraction of normal users to install and use this software. Even if all the Linux distros include it by default, I don't think that would be enough, that would just widen the target to "all Linux users" in oppressive country A.


Widespread use does not help the user: whoever wants their secrets will still insist on production of ever more secrets whenever the user is found to be using a PDDB.

Widespread use can only help if that widespread use leads the State to accept it and that it should not insist on production of secrets from PDDBs. However, how likely do you think that would be??


> Widespread use can only help if that widespread use leads the State to accept it and that it should not insist on production of secrets from PDDBs. However, how likely do you think that would be??

Not likely.

At this point, if you want to hide secrets from the state, I think you'd be better off finding some place to stash a micro-SD card. Those things are so tiny and easy to lose in the best of circumstances...


> This probably depends on where you are using it. If I understand correctly, it tells an attacker that you have _something_ to hide, but gives no clue as to any metadata, such as the size of what you're hiding or how often it was updated.

Which brings you right back to the problem illustrated in the XKCD comic up top. As soon as you know they have something to hide you whack them until they tell you.


There is still some value in being able to disclose some private data without disclosing whether further private data exists. The other party will not know after a revelation if they have obtained the totality of secret data and must decide whether to continue to hit you with the wrench on the off chance that more secret data exists.

This is a well known dilemma when interrogating people, since there's no known metadata about how many facts exist in your brain. As the GP points out, though, a common authoritarian response to this dilemma is to just keep torturing.


Depending on where you are and what specific laws are in place, that someone (the police maybe?) may not be able to get more whacking past a judge. I think this could work reasonably well in such situations.


Here’s the problem. In a rule of law jurisdiction there’s no value provided. In one without they’ll just hit you.


So you tell them.

How do they know you've told them everything?


Whack harder.


It's useful as a demonstration. More popular databases might see this and decide to include the feature as well. The best case would be if, say, Apple included a plausibly deniable file system or database by default on their systems. Now that even your grandma has it, its presence can't signal a secret.


The idea is that it would be the only form of storage on the device, so it wouldn't be specialized. That's how it is implemented on Precursor -- you don't have a parallel non-deniable storage, and then a deniable one. Everything goes into one bin for everyone.


Only under the assumption of no legitimate reasons for privacy. Is using https evidence that you're a criminal?


This is more or less the same thing as a steganographic file system, I think? https://en.wikipedia.org/wiki/Steganographic_file_system


This is only a steganographic file system. If someone finds your secret, there's nothing deniable about it. Hidden is different from deniable.

If you're trying to hide the entire fact that there is secret, encrypted data on your secret-encrypting device/drive, I am not sure I get it either.


I have discussed another way to solve some of the same problems, especially as it relates to crypto wallets. You need to have some way to prove that you cannot access the data, guaranteeing that torture will be ineffective.


I guess everyone had already forgotten the TrueCrypt fiasco.


This "$5 wrench" XKCD always comes up but... Plausible deniability ain't the only way around it.

For example there are safes that, no matter what you do, are only ever going to open on, say, Wednesday morning at 10am. Or a safe that shall only open if, one hour previous to that, you entered your own personal code + a rolling code. You enter the rolling code and the one-hour countdown starts. Now... If you can only get the rolling code by calling someone (for example a security company) and if that person accepts two words, one being the real one, the other the "I'm under duress" one, now suddenly the "$5 wrench attack" doesn't look that great anymore.

BTW my home alarm has something similar: they'll call me after either a break-in or if I push the button "I'm under attack"... Then through the speakers they'll ask me "the" word. No matter if I say "banana" or "potato", they'll answer: all is fine, good night. But... "banana" means "everything is cool" while "potato" means "I'm under duress". Cops show up in 120 seconds where I live. The $5 wrench dudes better make very good use of that $5 wrench that'll, for sure, bring them billions of $$$ (such intelligent human beings btw: they figured out that a $5 wrench shall bring them riches) because in 120 seconds the cops are going to be there.

Back to the safe: the countdown starts and the attacker has no clue if the police has been contacted. They have to wait one hour. Oh and both codes start the countdown. But the "I'm under duress" one will lead to some failure message on the safe "Error: mechanism locked" or "Bug 2134978" (whatever fancy you can come up with).

A $5 wrench attack is one thing. Kidnapping someone for days is another thing. Waiting for a safe to open for one hour without knowing if the cops are on their way (and have one hour to be there) is yet another thing.

My point is: I'm a bit fed up by people who have the victim mentality and think nothing can be done versus attackers. If attackers were that smart, they wouldn't be doing $5 wrench attacks in the first place. Use your intelligence to come up with schemes that a $5 wrench attack cannot break.

Another good one: a safe which only opens after a countdown of one hour, no other way round. But as soon as you enter the code (and the countdown starts), a video feed of the room where the safe is located is sent to a security company. Someone at the security company checks the feed: he sees the $5 wrench (or he sees two people in the room, which is forbidden)... He calls the police and the police has one hour to get the dude with the $5 wrench.

I much prefer people who think not just about how to resist a $5 wrench attack but who think about ways to maximize the chance the one holding the $5 wrench ends up where he belongs.

So yup: I'm a bit pissed by that $5 wrench XKCD. So pissed I may actually one day join forces with a company working on solutions to fight against that.


> Cops show up in 120 seconds where I live.

Sorry to nitpick a single sentence out of your entire post, but where in the world do you live that has a response time like that? I wouldn't expect that kind of response time even if I lived next door to a police station. Hell I'd be doubtful of getting a response time like that if my spouse was an on-duty cop and was home when the attack occurred.


I've called police for ongoing violence twice, and in both cases the response time was shorter than this. This is one thing the police really knows how to do.

See also https://leb.fbi.gov/image-repository/police-response-time-to... which has the median response time to active shooter situations at 3 minutes


Prison


Then the attacker kidnaps your kid, and you go through the entire procedure correctly the next day and give them the data.

However comprehensive your security procedure is, so long as a human can unlock it, your data is not secure. That's the point of the xkcd, not the specific wrench.


You’re assuming the attacker needs to be in the room with you, coercing you directly.

Imagine this: an attacker has something against you. Maybe they know a secret you don’t want getting out, maybe they’ve kidnapped a loved one, etc. The attacker has threatened you and shown proof of the threat all without coming face to face. They now demand you give up the contents of the safe as ransom.

How is your time delay and secret code words gonna help?


Safes are rated in time to breach. They can all be breached. Revealing a duress code will not achieve anything unless the attacker is running your code (why would they), and if they're not, it will produce insufficient quantities of meaningful plaintext, leading to... more torture.

Repeat after me: cryptography cannot be the rubber hose.



