Am 2014-01-15 07:01, schrieb Arno Wagner:
Huh? I think you do not understand my arguments at all. A) It puts people in danger [...] I do not think I need to repeat how dangerous, disconnected from reality and stupid this approach is, do I? Your "analysis" shows perfectly why having a "nuke" option is not a good idea. People will start taking risks (carrying sensitive data, trying to nuke in a dangersous situation) they would otherwise not take because they will wrongly think this method protects them. Here is a real-world scenario: You do not nuke, but you pretend to give a password, yet it is invalid. Guess what, before a forensic examination, this behaves exactly the same as "nuke"! After a forensic examination, they _will_ suspect you of having nuked the password in the nukle case. Not good at all.
I fail to see the point of your "dangerous" argument. A lot of things/tools/techniques are able to put people in danger. Still they're useful. With the same logic, you could argument against cryptography in general. People could actually forget the password and see themselves confronted with a bad evil person/institution/ state who tries to force them to tell the password. There's quite some situation where being accused of having nuked the password is not a problem at all. In german law for example, you're not required to help investigative authorities with their investigations. Actually, it's not a criminal action to destroy your data. Indeed it is, if the data itself is criminal. But that has to be proved first, which might be much harder in case that it's not recoverable anymore. As I tried to explain above, I still see legitimate scenarios for using a nuke password function. In cases where using the feature makes things worse, people should not use it. But this decision has to be made by the individuals themselves. Not implementing a feature because people could use it in a stupid way is not an argument, is it? I agree with you, that controversal features need some extra protection and documentation. But this can be fixed easily: the process of setting a nuke password could include a big fat warning and point to further documentation. The argument against false sense of security again could be used for every security technique. People do need to understand the limitations of security and cryptography. That's what documentation is for (and by the way: your FAQ is a great example of doing documentation right. Thanks for your work on it!)
[...] Nuke is a bit like carrying a gun: Instead of running away (which is a surprising effective strategy), people will try to stay and fight. This may work sometimes and will get them killed sometimes. Running away or avoiding the situation in the first place is much, much safer. This risk analysis is different for somebody that has a) training in using a gun in a fight and b) authorization to use a gun in certain situations and training in recognizing these situations.
Phew! If it at all, nuke passwords are a defensive weapon. And then, Actually, I don't like the comparison at all. Would you compare cryptography with an armor? Then, this again could encourage people to be more brave, to stay and fight, whatever.
Security is hard. One very important thing is to make sure non-experts cannot shoot themselves in the foot easily.
I agree with you on that to some extent. But ...
"nuke" makes that far more easy as non-experts do not understand its implications, and hence it has no place in a tool aimed at the general public.
I don't agree on that, as I tried to explain above. Sorry if my arguments don't come straight. I try my best to explain, but writing in a non-native language implicates some limitations :( Kind regards, jonas _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
