Paranoid Penguin - Customizing Linux Live CDs, Part III

Further notes on custom live CD security.
Plausible Deniability, Live CDs and TrueCrypt

Suppose you're a human-rights activist working in a country with a paranoid, totalitarian government, and you use a live CD for sending factual reports to the press about local civil-rights abuses. Suppose further you want to prevent your live CD or the accompanying TrueCrypt volume you keep on your USB Flash drive from being used as direct or circumstantial evidence that you've been “committing treason”.

I have three easy suggestions for you. First, don't customize your live CD; instead, use a standard live CD from Ubuntu Desktop, Linux Mint or whatever your favorite distribution is. If you've got a lot of customized but mundane settings for your desktop manager, you can store them in an unencrypted loopback file image on your USB drive and manually mount it over /etc or your home directory.

In some places in this crazy world of ours, simply possessing a CD containing Tor, Privoxy and other privacy/anonymity tools is all the proof somebody needs that you're up to no good. Besides, this has the added advantage of being less work than using a customized live CD!

Second, use a TrueCrypt hidden volume. Keep only boring things in the nonhidden part of your TrueCrypt volume.

You can refer to the TrueCrypt link in the Resources section of this article for more information, but suffice it to say that this feature takes advantage of the fact that once you create a TrueCrypt volume, its size remains constant. Empty space is filled with random data. Or, as the case may be, with random data plus a hidden volume that is impossible to distinguish from the random data, except by someone who knows both that the TrueCrypt volume contains a hidden volume and the hidden volume's passphrase.

My third suggestion is to rename the TrueCrypt binary you'll need to keep on your USB drive (because you're using a stock Linux live CD), and while you're at it, make sure your TrueCrypt volume (or volumes) isn't named conspicuously. Both the TrueCrypt binary itself (which, by default, is named truecrypt) and TrueCrypt volumes can be called whatever you like.

So, there's nothing to stop you from renaming truecrypt to something inconspicuous like cooking-schools.dat, and your TrueCrypt volume file to checkered-pants-sources.dat. Anybody who executes cooking-schools.dat will, of course, immediately see the TrueCrypt GUI, but why would someone try to execute what appears to be a data file? Note that the only feasible way to identify a TrueCrypt volume as such is to try to mount it with TrueCrypt.

By telling you these three things, naturally I trust you'll use this knowledge for good, and not for evil—for example, by committing real kinds of treason that don't involve simply speaking the truth.

Parting Notes

In this series of columns, I've really only gotten you started down the custom live CD path, but hopefully well enough for you to figure out more ways to use and customize Ubuntu live CDs on your own. Here are a few things you might have fun figuring out:

  • Pre-installing and preconfiguring Firefox plugins, such as NoScript and RefControl.

  • Incorporating dmcrypt for encrypted system volumes.

  • Pre-installing and preconfiguring the bittorrent and bittorrent-gui packages.

  • Customizing GNOME for maximum elite-looking-ness.

Whether you're an intrepid human-rights activist or simply someone with a need for a maximally portable Linux system, live CDs are a handy, simple and potentially safe way to run Linux without changing or leaving any trace of itself on the hardware on which it's run.

By the way, I'm taking next month off from the Paranoid Penguin (though not from being paranoid, of course), but I'll be back in two months. Until then, be safe!



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Upgrading kernel in the live-cd

kb's picture

I followed all the instruction to create a "customized live cd"
form ubuntu-8.10-desktop-i386.iso
It had 2.6.27-7 kernel. In the process, I upgraded the kernel
to 2.6.27-11, but the end CD still boots with 2.6.27-7.
What else do I need to do to be able to boot with the new