đ
Original date posted:2018-01-12
đ Original message:On 2018-01-12 at 09:50:58 +0000, Peter Todd <pete at petertodd.org> wrote:
>On Tue, Jan 09, 2018 at 12:43:48PM +0000, Perry Gibson wrote:
>>>Trezor's "plausible deniability" scheme could very well result in you
>>>going to jail for lying to border security, because it's so easy for
>>>them to simply brute force alternate passwords based on your seeds.
>>>With that, they have proof that you lied to customs, a serious
>>>offense.
>>The passphrase scheme as I understand it allows a maximum of 50
>>characters to be used. Surely even with the HD seed, that search
>>space is too large to brute force. Or is there a weakness in the
>>scheme I haven't clocked?
>
>While passphrases *can* be long, most user's aren't going to understand
>the risk. For example, Trezors blog(1) doesn't make it clear that the
>passphrases could be bruteforced and used as evidence against you, and
>even suggests the contrary: [...quote...]
I despise the term âplausible deniabilityâ; and thatâs really the wrong
term to use in this discussion.
âPlausible deniabilityâ is a transparent excuse for explaining away an
indisputable fact which arouses suspicionâwhen you got some serious
âsplainâ to do. This is usually used in the context of some pseudolegal
argument about introducing âreasonable doubtâ, or even making âprobable
causeâ a wee bit less probable.
âWhy yes, officer: I was seen carrying an axe down the street near the
site of an axe murder, at approximately the time of said axe murder.
But I do have a fireplace; so it is plausible that I was simply out
gathering wood.â
I rather suspect the concept of âplausible deniabilityâ of having been
invented by a detective or agent provocateur. There are few concepts
more useful for helping suspects shoot themselves in the foot, or
frankly, for entrapping people.
One of the worst examples I have seen is in discussions of Monero,
whereby Iâve seen proponents claim that even under the worst known
active attacks, their mix scheme reduces transaction linking to a
maximum of 20â40% probability. âThatâs not good enough to convince a
jury!â No, but it is certainly adequate for investigators to identify
you as a person of interest. Then, your (mis)deeds can be subjected to
powerful confirmation attacks based on other data; blockchains do not
exist in isolation. I usually stay out of such discussions; for I have
no interest in helping the sorts of people whose greatest concern in
life is what story to foist on a jury.
In the context of devices such as Trezor, what is needed is not
âplausible deniabilityâ, but rather the ability to obviate any need to
deny anything at all. I must repeat, information does not exist in
isolation.
If you are publicly known to be deepy involved in Bitcoin, then nobody
will believe that your one-and-only wallet contains only 0.01 BTC.
Thatâs not even âplausibleâ. But if you have overall privacy practices
which leave nobody knowing or suspecting that you have any Bitcoin at
all, then there is nothing to âdenyâ; and should a Trezor with
(supposedly) 0.01 BTC be found in your possession, thatâs much better
than âplausibleâ. Itâs completely unremarkable.
Whereas if you are known or believed to own large amounts of BTC, a
realistic bad guyâs response to your âdecoyâ wallet could be, âI donât
believe you; and it costs me nothing to keep beating you with rubber
hose until you tell me the *real* password.â
It could be worse, too. In a kidnapping scenario, the bad guys could
say, âI donât believe you. Hey, I also read Trezorâs website about
âplausible deniabilityâ. Now, I will maim your kid for life just to
test whether you told me the *real* password. And if you still donât
tell me the real password after you see that little Johnny can no longer
walk, then I will kill him.â
The worst part is that you have no means of proving that you really
*did* give the real password. Indeed, it can be proved if youâre lying
by finding a password which reveals a hidden walletâbut *you* have no
means of affirmatively proving that you are telling the truth! If the
bad guys overestimated your riches (or if theyâre in a bad mood), then
little Johnny is dead either way.
In a legalistic scenario, if âauthoritiesâ believe you have 1000 BTC and
you only reveal a password for 0.01 BTC, the likely response will not be
to let you go. Rather, âYou will now sit in jail until you tell the
*real* password.â And again: You have no means of proving that you did
give the real password!
âPlausible deniabilityâ schemes can backfire quite badly.
>Also note how this blog doesn't mention anti-forensics: the wallet
>software itself may leave traces of the other wallets on the computer.
>Have they really audited it sufficiently to be sure this isn't the
>case?
What about data obtained via the network? I donât *only* refer to
dragnet surveillance. See for but one e.g., Goldfelder, et al., âWhen
the cookie meets the blockchain: Privacy risks of web payments via
cryptocurrenciesâ https://arxiv.org/abs/1708.04748 Your identity can be
tied to your wallet all sorts of ways, any of which could be used to
prove that you have more Bitcoin than youâre revealing. Do you know
what databases of cross-correlated analysis data customs agents have
immediate access to nowadaysâor will, tomorrow? I donât.
In the scenario under discussion, that may not immediately prove âbeyond
a reasonable doubtâ that you lied specifically about your Trezor. But
it could give plenty of cause to keep you locked up in a small room
while your hard drive is examined for evidence that Trezor apps handled
*addresses already known to be linked to you*. Why even bother with
bruteforce? Low-hanging fruit abound.
>1) https://blog.trezor.io/hide-your-trezor-wallets-with-multiple-passphrases-f2e0834026eb
--
nullius at nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG) (PGP RSA: 0x36EBB4AB699A10EE)
ââIf youâre not doing anything wrong, you have nothing to hide.â
No! Because I do nothing wrong, I have nothing to show.â â nullius
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180112/862e70b3/attachment.sig>;
nullius [ARCHIVE] /
npub1umâŚk2hgv
2023-06-07 18:09:43
in reply to nevent1qâŚkkx2
Author Public Key
npub1umcywfan64dcuxeycrujenkhh3n3yutyc3x5ewprtjr0c7a7kxqsgk2hgvPublished at
2023-06-07 18:09:43Event JSON
{
"id": "a05edb914bdff78499a5a5d8f5803e4f878c0500f12836bdddfeec5f35ca02e9",
"pubkey": "e6f04727b3d55b8e1b24c0f92cced7bc67127164c44d4cb8235c86fc7bbeb181",
"created_at": 1686161383,
"kind": 1,
"tags": [
[
"e",
"b47b2f85998f0644c1323f7d89759735e7bc2d92b79239a6cdd51a334e67724a",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "đ
Original date posted:2018-01-12\nđ Original message:On 2018-01-12 at 09:50:58 +0000, Peter Todd \u003cpete at petertodd.org\u003e wrote:\n\u003eOn Tue, Jan 09, 2018 at 12:43:48PM +0000, Perry Gibson wrote:\n\u003e\u003e\u003eTrezor's \"plausible deniability\" scheme could very well result in you \n\u003e\u003e\u003egoing to jail for lying to border security, because it's so easy for \n\u003e\u003e\u003ethem to simply brute force alternate passwords based on your seeds. \n\u003e\u003e\u003eWith that, they have proof that you lied to customs, a serious \n\u003e\u003e\u003eoffense.\n\u003e\u003eThe passphrase scheme as I understand it allows a maximum of 50 \n\u003e\u003echaracters to be used. Surely even with the HD seed, that search \n\u003e\u003espace is too large to brute force. Or is there a weakness in the \n\u003e\u003escheme I haven't clocked?\n\u003e\n\u003eWhile passphrases *can* be long, most user's aren't going to understand \n\u003ethe risk. For example, Trezors blog(1) doesn't make it clear that the \n\u003epassphrases could be bruteforced and used as evidence against you, and \n\u003eeven suggests the contrary: [...quote...]\n\nI despise the term âplausible deniabilityâ; and thatâs really the wrong \nterm to use in this discussion.\n\nâPlausible deniabilityâ is a transparent excuse for explaining away an \nindisputable fact which arouses suspicionâwhen you got some serious \nâsplainâ to do. This is usually used in the context of some pseudolegal \nargument about introducing âreasonable doubtâ, or even making âprobable \ncauseâ a wee bit less probable.\n\nâWhy yes, officer: I was seen carrying an axe down the street near the \nsite of an axe murder, at approximately the time of said axe murder. \nBut I do have a fireplace; so it is plausible that I was simply out \ngathering wood.â\n\nI rather suspect the concept of âplausible deniabilityâ of having been \ninvented by a detective or agent provocateur. There are few concepts \nmore useful for helping suspects shoot themselves in the foot, or \nfrankly, for entrapping people.\n\nOne of the worst examples I have seen is in discussions of Monero, \nwhereby Iâve seen proponents claim that even under the worst known \nactive attacks, their mix scheme reduces transaction linking to a \nmaximum of 20â40% probability. âThatâs not good enough to convince a \njury!â No, but it is certainly adequate for investigators to identify \nyou as a person of interest. Then, your (mis)deeds can be subjected to \npowerful confirmation attacks based on other data; blockchains do not \nexist in isolation. I usually stay out of such discussions; for I have \nno interest in helping the sorts of people whose greatest concern in \nlife is what story to foist on a jury.\n\nIn the context of devices such as Trezor, what is needed is not \nâplausible deniabilityâ, but rather the ability to obviate any need to \ndeny anything at all. I must repeat, information does not exist in \nisolation.\n\nIf you are publicly known to be deepy involved in Bitcoin, then nobody \nwill believe that your one-and-only wallet contains only 0.01 BTC. \nThatâs not even âplausibleâ. But if you have overall privacy practices \nwhich leave nobody knowing or suspecting that you have any Bitcoin at \nall, then there is nothing to âdenyâ; and should a Trezor with \n(supposedly) 0.01 BTC be found in your possession, thatâs much better \nthan âplausibleâ. Itâs completely unremarkable.\n\nWhereas if you are known or believed to own large amounts of BTC, a \nrealistic bad guyâs response to your âdecoyâ wallet could be, âI donât \nbelieve you; and it costs me nothing to keep beating you with rubber \nhose until you tell me the *real* password.â\n\nIt could be worse, too. In a kidnapping scenario, the bad guys could \nsay, âI donât believe you. Hey, I also read Trezorâs website about \nâplausible deniabilityâ. Now, I will maim your kid for life just to \ntest whether you told me the *real* password. And if you still donât \ntell me the real password after you see that little Johnny can no longer \nwalk, then I will kill him.â\n\nThe worst part is that you have no means of proving that you really \n*did* give the real password. Indeed, it can be proved if youâre lying \nby finding a password which reveals a hidden walletâbut *you* have no \nmeans of affirmatively proving that you are telling the truth! If the \nbad guys overestimated your riches (or if theyâre in a bad mood), then \nlittle Johnny is dead either way.\n\nIn a legalistic scenario, if âauthoritiesâ believe you have 1000 BTC and \nyou only reveal a password for 0.01 BTC, the likely response will not be \nto let you go. Rather, âYou will now sit in jail until you tell the \n*real* password.â And again: You have no means of proving that you did \ngive the real password!\n\nâPlausible deniabilityâ schemes can backfire quite badly.\n\n\u003eAlso note how this blog doesn't mention anti-forensics: the wallet \n\u003esoftware itself may leave traces of the other wallets on the computer. \n\u003eHave they really audited it sufficiently to be sure this isn't the \n\u003ecase?\n\nWhat about data obtained via the network? I donât *only* refer to \ndragnet surveillance. See for but one e.g., Goldfelder, et al., âWhen \nthe cookie meets the blockchain: Privacy risks of web payments via \ncryptocurrenciesâ https://arxiv.org/abs/1708.04748 Your identity can be \ntied to your wallet all sorts of ways, any of which could be used to \nprove that you have more Bitcoin than youâre revealing. Do you know \nwhat databases of cross-correlated analysis data customs agents have \nimmediate access to nowadaysâor will, tomorrow? I donât.\n\nIn the scenario under discussion, that may not immediately prove âbeyond \na reasonable doubtâ that you lied specifically about your Trezor. But \nit could give plenty of cause to keep you locked up in a small room \nwhile your hard drive is examined for evidence that Trezor apps handled \n*addresses already known to be linked to you*. Why even bother with \nbruteforce? Low-hanging fruit abound.\n\n\u003e1) https://blog.trezor.io/hide-your-trezor-wallets-with-multiple-passphrases-f2e0834026eb\n\n-- \nnullius at nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C\nBitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:\n3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG) (PGP RSA: 0x36EBB4AB699A10EE)\nââIf youâre not doing anything wrong, you have nothing to hide.â\nNo! Because I do nothing wrong, I have nothing to show.â â nullius\n-------------- next part --------------\nA non-text attachment was scrubbed...\nName: signature.asc\nType: application/pgp-signature\nSize: 228 bytes\nDesc: not available\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180112/862e70b3/attachment.sig\u003e",
"sig": "5319475cb15b97d890e1f07a4891cf5297089b5c479f757d9800a43e43d89af64548d8e0c958e2d9d1d0f9c75350403298a9c4b409f18c387c39a703e1e28c45"
}