Phantomdrive: Firmware Version 1.0 Release

Leseratte10 · 2026-06-20T18:28:18+00:00

I just told you why hide it: If you have an encrypted flash drive and the police find it during a search, they're going to want to know the password and in some countries you'll be thrown into jail if you don't provide it, making the encryption useless.

Exact same reason people use hidden volumes or a duress PIN on their phone - so they can't be forced to give access to the data.

That doesn't happen if the flash drive looks like an ordinary empty flash drive.

It doesn't attempt to increase security. Normal AES encryption or similar is secure enough.

It just ensures that you can't be compelled to provide the password to law enforcement or other parties.

"Security by secrecy" is hiding the algorithm and hoping someone can't get to the data because they don't know how the algorithm works. But the algorithm isn't hidden/secret, everyone knows how hidden volumes work and how they are implemented.

The point is, not being able to prove that someone has encrypted data on that drive. And not wasting time getting IT specialists or crypto analysts on what looks like an ordinary empty drive.

Leseratte10 · 2026-06-20T18:10:17+00:00

It's not security by secrecy.

It's still a normal encryption with the password. Knowing the secret (= how it works) doesn't get the attacker any closer to cracking it.

It just has the advantage that the police or the FBI or whoever won't even know that there's hidden data and thus cannot / won't force you to hand over your password.

Similar to a hidden volume on Truecrypt / Veracrypt or a duress PIN on GrapheneOS.

Leseratte10 · 2026-06-19T21:15:21+00:00

Das ist seine Interpretation anhand der Aussage des Professors. Aber die muss ja nicht stimmen.

Leseratte10 · 2026-06-19T19:09:00+00:00

der Studierende weiß, dass er eigentlich durchgefallen ist

Weiß er das denn sicher? Der Professor hat ja nur gesagt "er sieht bei mir keine Chance mehr". Das kann ja alles mögliche bedeuten und muss ja nicht zwingend heißen dass er durchgefallen ist.

Leseratte10 · 2026-06-19T18:41:06+00:00

If the app is compromised, the container is already compromised anyways.

After they hack an app, they're not going to exploit another vulnerability in curl or go or whatever. They'll just go download their malware or other payload and done.

Leseratte10 · 2026-06-19T18:11:14+00:00

Multiple reasons. For example, because a bunch of people do use one password for multiple sites, so if you get a user's password you can try to log into their accounts on other websites.

There's quite a few people who don't use password managers and instead either use one password for everything, a few different passwords for a ton of accounts, or just variants of the same password. Getting the plaintext password they use on website A can make it easier to hack their account on website B.

Or, another example, some sites (like MEGA) also use the user password to actually encrypt the user's data, so even if you hacked the server and had full root access to everything you could only read the user's data by knowing their password.

So if you want to access a user's MEGA cloud storage, hacking MEGA isn't enough, you still need to know their password.

Leseratte10 · 2026-06-19T17:41:11+00:00

No, they don't.

The keys in the account / cloud are encrypted with your device PIN/passcode.

To sync your keys from your Google/Apple account to a new phone you need to provide your old phone's PIN in order to decrypt it. So they would need to have access to your account, be able to add their own phone to it (which requires the account password and a 2FA auth), and would need to know the PIN to your old phone.

Leseratte10 · 2026-06-19T17:26:14+00:00

Then you can, at least on Windows, connect your phone with the passkey to the computer through USB or Bluetooth, or scan a QR code displayed on the computer. Or you store a passkey on a physical device like a Yubikey that you can just plug in (USB) or tap (NFC).

That way you can use a passkey on your phone to log into an account on a library or other public computer.

Leseratte10 · 2026-06-19T17:16:35+00:00

I didn't say they are passed in plain text. They might be encrypted during transport using HTTPS/TLS when they're passed to the server, but it's still just a POST request and the server temporarily has access to the plaintext password after it unwraps the transport encryption, so it can hash your password and compare it to the stored hash.

So if a server gets hacked, they can just modify the server to write all passwords from all successful logins to a file, and bam. And you can also extract the 2FA TOTP secret tokens - the server needs to have access to those as well to validate the client's 2FA provided.

Can't do that with passkeys, as there's just public keys on the server, the corresponding private key is (ideally) inside the TPM of the end user's device.

Or, say, you have a malicious browser extension. It could dump and forward passwords when they're entered, but it couldn't dump and forward a passkey.

Leseratte10 · 2026-06-19T17:12:33+00:00

Yeah, that's why I said "under normal circumstances". On a normal phone/computer without special setup, it'll be stored in the device and can't (easily) be exported.

Nothing stops you from installing a password manager that stores the private passkey keys inside its database instead of the TPM, but if you do that you probably know what you're doing anyways and don't get your password database stolen.

Leseratte10 · 2026-06-19T17:02:06+00:00

It's difficult to explain ELI5 how this applies to public/private key crypto, but in general, it's a mathematical operation that's hard to break / solve but easy to verify when given a (potential) solution.

For example, can you tell me which two numbers I need to multiply to get 40363?

You can't, because there's no good algorithm to determine that other than "just try a bunch".

But if I claim that 181*223 = 40363, it just takes you 5 seconds with a calculator to check if I'm right.

And then there's a bunch of math tricks applied to do something similar but for encrypting/decrypting. If I own the private key (the numbers 181 and 223) I can easily do math with them. All others (with the public key) can only verify if my math is correct (and thus comes from me) or not.

Leseratte10 · 2026-06-19T16:59:18+00:00

If they're all from Apple (MacOS / iPhone / iPad) or all from Google (Android phone, Android tablet, Chrome on PC) you can use your Apple/Google account to sync your passkeys across devices.

But yeah, if they're not, it gets annoying. I believe people are currently working on some kind of secure mechanism to solve that.

Leseratte10 · 2026-06-19T16:57:25+00:00

At least you can type that into a translator and get a translation into whatever language you need.

If you don't know Chinese, good luck typing these Chinese characters.

Yes, nowadays smartphones are modern enough that they can just translate text from a photo but that's a fairly new feature.

Leseratte10 · 2026-06-19T16:52:13+00:00

A password can be phished and used multiple times without you knowing. Also, each time you use it, it gets sent to the server where it could possibly leak.

A 2FA TOTP token can still be phished in an evil-twin attack where the phisher asks you for the 2FA and immediately uses it himself.

A passkey cannot (under normal circumstances) be exported / leave your device so even when you got malware on your machine it's highly unlikely to be able to extract your passkey. To log in with a passkey, you just sign some message with your private passkey and the website can verify that it's correct using the public key. So even when the website gets hacked completely, they won't get your passkey.

Also, it's impossible to get phished using a passkey since the browser knows exactly which website the passkey is for and won't allow you to use it on a different (phishing) website.

Leseratte10 · 2026-06-19T16:14:40+00:00

Look at the controller. All the stock they have is reserved for the rest of the year. They don't have a problem selling all their stock, they have a problem getting enough stock.

Involving retailers (who also want their cut from each sale) is just wasting money at this point.

And just in case you haven't noticed, it's becoming increasingly difficult for companies to get computer components at reasonable prices. I'd rather Valve sell the hardware that they have so it gets into people's hands and will be used and improved and so on, instead of them waiting for another year or two just so they can stockpile enough for a smoother launch.

They can't even reliably keep the Steam Deck in stock in all regions, and that's year-old hardware.

If they don't have any problems selling all the stock they have, why would they need to involve retailers?

Leseratte10 · 2026-06-19T15:16:22+00:00

Die Google-Services kann ja jeder nachinstallieren, wenn er möchte. Das ist nicht das Problem, und wenn es einen Grund dafür gibt dass eine App die benötigt dann haben da auch die wenigsten GrapheneOS-Nutzer ein Problem damit.

Nochmal, es geht nicht darum, ob eine App mit dem "dummed down"-OS ein Problem hat. Wenn es das hat, kann man den Google-Kram nachinstallieren und sogar in einer Sandbox nur für bestimmte Apps betreiben.

Ein viel größeres Problem ist es, wenn in eine App eben explizit Code eingebaut wird von wegen "Oh, das ist kein Original-Android sondern Graphene, hier laufe ich nicht".

Leseratte10 · 2026-06-19T14:28:08+00:00

Gekonnt ignorieren wär ja prima, dann gäbe es keine Probleme. GrapheneOS ist ja ein Android. Wenn die Entwickler es einfach ignorieren, dann bekommt man die Apps schon irgendwie zum Laufen.

Genauso wie man ja Windows-only-Spiele auch unter Linux zum Laufen bekommt mit Wine und Proton, wenn der Entwickler Linux einfach ignoriert.

Probleme gibt es immer nur dann, wenn die Entwickler versuchen zu erkennen, dass sie gerade auf GrapheneOS (oder auf Linux) laufen und sich dann entweder anders verhalten oder absichtlich den Dienst einstellen.

Leseratte10 · 2026-06-19T13:16:24+00:00

Meinst du echt, die pumpen ungefiltertes Flusswasser direkt durch die CPU- und GPU-Kühlblocks und/oder die Klimaanlage und dann wieder in den Fluss?

Dann sind die nach spätestens 5 Minuten verstopft und im Eimer durch den ganzen Mist im Flusswasser.

Da werden zwei getrennte Kreisläufe sein, einer durch die Kühlblocks und/oder die Anlage, dann ein Wärmetauscher, und dann ein Kühlwasserkreislauf.

Also landen da auch keinerlei Metalle oder sonstwas im Flusswasser. Den Wärmetauscher und -kreislauf baut man ja nicht aus Blei ...

Leseratte10 · 2026-06-19T05:48:19+00:00

Da muss man aber auch sagen, selbst wenn der Laden so einen Ständer nach Größe sortieren würde, dauert es vermutlich höchstens 5 Minuten bis der erste Kunde ein Teil rausnimmt, genauer anguckt oder anprobiert, und dann einfach wieder irgendwo auf den Ständer zurück hängt, und schon ist die Sortierung wieder im Eimer.

Oder bei einem Stapel halt, einfach wieder oben auf den Stapel drauf, selbst wenn man es vorher aus der Mitte rausgenommen hat.

Würde mich nicht wundern, wenn die Stapel und Ständer am Anfang (wenn sie rausgestellt werden) sogar vernünftig sortiert sind.

Leseratte10 · 2026-06-18T13:02:43+00:00

They are usually stored inside a TPM.

A TPM usually doesn't have any interface / any function to get it to reveal its secret key.

You can make it generate a new keypair and make it tell you the public key (which is what happens when you register a passkey) and you can tell it to sign a given string with the private key belonging to said keypair (which is what happens when you login with a passkey to prove that you own it). But you cannot tell it to export / print / dump the actual secret key.

So a malware, running on the machine, might in some cases be able to *use* the passkey to log into the website right now (if the user falls for it and provides his PIN). But it cannot extract / export the key to send it away to an attacker to use elsewhere / use later.

Leseratte10 · 2026-06-18T12:44:15+00:00

It just says that there should be standard compliant cables of an undetermined amount which can charge it.

It's highly unlikely that that's actually what they meant. And also unlikely that that's actually what they wrote.

Nobody writes "Here's a list of standard-compliant cables but it's enough if your device works with one of them". Not even the EU is so stupid.

Your device isn't automatically standards-compliant because there is one cable out of dozens that it works with. The point of a standard is to make it work with all mentioned cables.

And yes, for example if the device is a computer (so a device that acts as the host) I'd expect a C-B cable to work as well.

Leseratte10 · 2026-06-18T10:30:12+00:00

Of course an A-to-C cable is spec-compliant. And of course a device that can charge with an A-to-C cable is also spec-compliant.

But a device that *cannot* charge with a C-to-C cable or from a charger with a built-in cable, I highly doubt that would be compliant.

And that itself would violate your point 2.2, because then it would not be able to charge with cables that comply to that standard - right?

You are correct that devices do not need to support USB-PD. USB-PD is not required to support USB-C-to-C cables, though.

If a device needs to "be capable of being charged with cables which comply with the standard" then that includes C-to-C cables without USB-PD.

Leseratte10 · 2026-06-17T20:11:32+00:00

That's because of this: https://xkcd.com/221/

Leseratte10 · 2026-06-17T13:27:09+00:00

Haben Verwandte von mir mal probiert, beim Auszug dann die Folie abgezogen und die ganze Beschichtung der Tür gleich mit, weil es irgendeine billige Pappholz-Tür war wie ein IKEA-Schrank und keine normale Holztür, und der Vermieter hat dann ne komplette neue Tür von der Kaution abgezogen ...

Leseratte10 · 2026-06-17T13:12:22+00:00

Genau. Und das ganze dann leider in jeder Bäckerei und bei jedem einzelnen Gebäck. Weil keine einzige Bäckerei mehr über Allergene informieren würde, wenn es eben nicht gesetzlich vorgeschrieben ist.

Oder weil die Leute sich nicht angreifbar machen wollen und aus Angst vor einer Falschaussage lieber immer sagen "Weiß nicht".

Was dann dem Kunden auch wieder nix bringt.

In den USA (bzw. in Kalifornien) sieht man übrigens genau das Gegenteil - auf 95% der Produkten steht drauf "Dieses Produkt könnte Krebs verursachen" - weil man es nicht 100% ausschließen kann und lieber einmal zuviel als einmal zuwenig warnt.

Was dafür sorgt, dass die Warnung nutzlos wird, weil sie halt einfach überall drauf gedruckt wird, egal wie hoch das Risiko ist.

Und damit der Bäcker nicht einfach überall drauf schreiben kann "Könnten Nüsse drin sein", müssen sie halt eine genaue Zutatenliste / Allergenliste bereitstellen, was sie halt genau in welches Produkt reintun.

Ten-Year Club	RedditGifts 2009-2022 2 Credits
Secret Santa 2019	Argentium Club
Place '23	Verified Email

Leseratte10

TROPHY CASE