Comment Re:The real issue: U.S. government corruption. (Score 2)
I happen to be an expert on the use of cryptography.
The point you forgot to mention is that encrypted files are easily spotted by analyzing the entropy of the decrypted disk blocks. That's why hidden containers WILL often stand out like a sore thumb. And this is precisely the reason why TrueCrypt is just a poor tool at steganography.
Ah, no. TrueCrypt overwrites the whole primary encrypted partition with cryptographically generated randomness, i.e., every sector in there already has high entropy, and that remains true for never-used (!) sectors after decryption. For a hidden container, it places a header-less secondary container within the primary one at an offset. That container is only identifiable if you have its passphrase. So no, entropy analysis does not help.
There is another problem though: writing to the primary encrypted container can damage the secondary one. To address this, TrueCrypt protects an opened secondary container by intercepting writes to the primary one and blocking them if they would go into the secondary one. That leaves traces. Also, you will always see that there is a (more-or-less) large part of the primary encrypted partition that does not have files in it. If a FAT/NTFS filesystem is new, it is normal that no data is stored towards the end of the partition, as they both cluster data at the start. When it gets older, though, the used area wanders towards the end. (These filesystems try to overwrite deleted data as late as possible to allow recovery, in contrast to typical UNIX/Linux filesystems that just use the whole disk. This is one reason UNIX/Linux filesystems have significantly better performance.) Now if the used area wanders, at some point it will either damage the secondary (hidden) encrypted partition, or the write restrictions become obvious. If you just do not write to the primary encrypted partition, that is also obvious.
Hence, a TrueCrypt hidden partition can be glaringly obvious unless you are careful and use it right. Basically, you have to create the whole set-up a short time before crossing that border.
However, unlike TrueCrypt, some encrypting file systems do an excellent job at hiding data in a much more effective way. Of course, using such an OS/Filesystem combo is in itself a dead giveaway that you've got something to hide. So your point has merit still.
Indeed. However, I am not aware of encrypting filesystems that do a better job. Hiding data is just not something that encryption can do well. What it can do is provide access control. But as soon as they can force you to hand over the privileges (keys in this case), access control is meaningless.
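To make the entropy argument in this exchange concrete, here is a small per-block entropy scan of a constructed disk image. This is an added example, not code from either poster and not TrueCrypt's own code. The image, its block size and the region layout are assumptions made up for the demonstration: a low-entropy region standing in for a plain FAT/NTFS filesystem, followed by a region of random fill standing in for a TrueCrypt-style primary container, inside which a "hidden container" is simulated with more random bytes (which is what well-encrypted data looks like to a byte-frequency test). The scan finds the random-filled region as one uniform high-entropy run and cannot tell the hidden sub-region apart from the unused random fill around it.

```python
import math
import os
from collections import Counter

BLOCK_SIZE = 4096  # assumption: analyse the image in 4 KiB blocks


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of every block in the image, in block order."""
    return [shannon_entropy(image[i:i + block_size])
            for i in range(0, len(image), block_size)]


def high_entropy_runs(profile: list, threshold: float = 7.0) -> list:
    """Contiguous runs of blocks whose entropy exceeds the threshold,
    as (first_block, one_past_last_block) pairs."""
    runs, start = [], None
    for idx, value in enumerate(profile):
        if value > threshold and start is None:
            start = idx
        elif value <= threshold and start is not None:
            runs.append((start, idx))
            start = None
    if start is not None:
        runs.append((start, len(profile)))
    return runs


def region_stands_out(profile: list, inner: tuple, outer: tuple,
                      margin: float = 0.1) -> bool:
    """True if the mean entropy of blocks in `inner` differs from the mean of
    the other blocks in `outer` by more than `margin` bits per byte."""
    inside = profile[inner[0]:inner[1]]
    outside = profile[outer[0]:inner[0]] + profile[inner[1]:outer[1]]
    mean_in = sum(inside) / len(inside)
    mean_out = sum(outside) / len(outside)
    return abs(mean_in - mean_out) > margin


def build_sample_image() -> dict:
    """Constructed sample image (not a real volume):
    blocks 0..63   : plain filesystem, text files and zero-filled free space
    blocks 64..255 : random fill, i.e. a primary container as TrueCrypt formats it
    blocks 120..179: a hidden container inside the random fill, itself
                     simulated as random bytes, as good ciphertext appears."""
    plain_blocks, fill_blocks = 64, 192
    text = (b"Quarterly report: revenue up, costs flat, see attached tables.\n" * 80)
    plain = b""
    for i in range(plain_blocks):
        block = text[:BLOCK_SIZE] if i % 2 == 0 else b"\x00" * BLOCK_SIZE
        plain += block.ljust(BLOCK_SIZE, b"\x00")
    fill = bytearray(os.urandom(fill_blocks * BLOCK_SIZE))
    hidden = (120, 180)
    fill[(hidden[0] - plain_blocks) * BLOCK_SIZE:(hidden[1] - plain_blocks) * BLOCK_SIZE] = \
        os.urandom((hidden[1] - hidden[0]) * BLOCK_SIZE)
    return {
        "image": plain + bytes(fill),
        "plain_blocks": plain_blocks,
        "total_blocks": plain_blocks + fill_blocks,
        "hidden": hidden,
    }


if __name__ == "__main__":
    sample = build_sample_image()
    prof = entropy_profile(sample["image"])
    print("high-entropy runs:", high_entropy_runs(prof))
    print("hidden region distinguishable:",
          region_stands_out(prof, sample["hidden"],
                            (sample["plain_blocks"], sample["total_blocks"])))
```

The scan reports a single run covering every block of the random-filled region; the encrypted sub-region has the same byte-frequency statistics as the never-written fill around it, so a per-block entropy profile gives the examiner the boundary of the primary container but nothing about what lies inside it. The filesystem-aging traces described in the reply (a used area that never grows, or blocked writes) are metadata effects, which this byte-level scan does not model.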