Editing Openai/695158d7-1b68-800b-a02f-4817bf1f6d25 (section)

=== Assistant: Happy to explain 🙂 ===
Happy to explain 🙂
I’ll keep this conceptual but concrete, no installer stuff anymore.

==== ### ====

NTFS does not use Linux-style permissions (rwx, UID, GID).
It uses Windows ACLs (Access Control Lists), which are much more complex.

Linux has to emulate these when mounting NTFS.

===== When Linux mounts NTFS (via ntfs-3g or kernel driver), it usually: =====
* Fakes permissions
* Applies one set of permissions to all files
* Ignores per-file ownership

Example:

<syntaxhighlight lang="bash">-rwxrwxrwx  everyone everyone  file.mp4

</syntaxhighlight>

But this is not real security — just a mount-time illusion.

===== - You can’t rely on Unix permissions =====
* chmod, chown often do nothing or behave strangely
* Some apps break assumptions (especially sandboxed ones)
* Qubes isolation logic prefers predictable permissions

That’s the permission weirdness.

==== ### ====

A journaling filesystem logs changes before committing them.

Purpose:
* Crash recovery
* Consistency guarantees

===== NTFS journaling is: =====
* Always on
* Designed for Windows I/O patterns
* Heavier than Linux ext4 defaults

===== - Extra writes (bad for SSD endurance) =====
* Slower metadata operations
* Higher CPU usage
* Worse performance for many small files

On Windows → optimized
On Linux → tolerated, not ideal

===== - ext4: native, optimized, predictable =====
* exFAT: simple, no journaling, low overhead

==== Short answer: ====
👉 Not in any meaningful or reliable way

Long answer (the fun part):

===== Swap: =====
* Has no directory structure
* No filenames
* No metadata
* Just raw memory pages dumped to disk

So there is no such thing as a “hidden file” in swap.

==== ### ====

You can:
# Load a file into RAM
# Lock memory pressure
# Let the kernel swap it out

Example (conceptual):

<syntaxhighlight lang="bash">cat secret.txt > /dev/null &
stress --vm 1 --vm-bytes 99%

</syntaxhighlight>

Now parts of secret.txt may end up in swap.

But:
* You don’t control where
* It may be fragmented
* It may be overwritten anytime
* You can’t reliably recover it

This is more of a forensics accident than storage.

===== You could: =====
* Disable swap
* Write directly to /dev/nvme0n1pX (swap partition)
* Re-enable swap

Example:

<syntaxhighlight lang="bash">swapoff /dev/nvme0n1pX
dd if=secret.txt of=/dev/nvme0n1pX bs=4K seek=12345
swapon /dev/nvme0n1pX

</syntaxhighlight>

Why this is terrible:
* Kernel will overwrite it
* No persistence
* High chance of corruption
* Extremely detectable
* One reboot = gone

This is basically abusing disk blocks, not hiding data.

===== (For learning, not recommending.) =====
* Use LUKS hidden volume (plausible deniability)
* Or steganography inside filesystems
* Or sparse files with unusual extents
* Or encrypted containers inside unencrypted FS

Swap is one of the worst places to hide anything.

==== This is why Qubes insists: ====
* Encrypted swap
* Controlled VM memory
* Minimal dom0 exposure

Because swap leaks are real, but they are:
* accidental
* unreliable
* forensic artifacts, not storage

==== ### ====
* Permission weirdness = ACL mismatch + fake Unix perms
* Journaling overhead = extra writes + slower Linux performance

===== - Not a filesystem =====
* No filenames
* No reliable storage
* Anything written there is temporary garbage

===== : =====

If you want a similarly fun deep dive next time:
* how deleted files still exist on ext4
* how SSDs break forensic assumptions
* how Qubes memory isolation really works

Just say the word 😄