Slashdot Mirror

← Back to Stories (view on slashdot.org)

How the Secret Service Cracks Encrypted Evidence

Posted by timothy on from the throw-at-wall-see-what-sticks dept.

tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."

47 of 658 comments (clear)

  1. Passwords?! by Enze6997 · · Score: 5, Funny

    King Roland: The combination is: one . . . Dark Helmet: One. Col. Sandurz: One. King Roland: Two . . . Dark Helmet: Two. Col. Sandurz: Two. King Roland: Three . . . Dark Helmet: Three. Col. Sandurz: Three. King Roland: Four . . . Dark Helmet: Four. Col. Sandurz: Four. King Roland: Five . . . Dark Helmet: Five. Col. Sandurz: Five. Dark Helmet: So, the combination is: one, two, three, four, five. That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!

    1. Re:Passwords?! by ArsonSmith · · Score: 5, Funny

      Note to self: Change combination on lugage when I get home.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    2. Re:Passwords?! by Bingo+Foo · · Score: 5, Funny

      I hope I never think any of my passwords are so clever that I feel compelled to tell everyone about them.

      --
      taken! (by Davidleeroth) Thanks Bingo Foo!
    3. Re:Passwords?! by plover · · Score: 4, Funny
      INTER-OFFICE MEMO

      From: Info Security
      To: All staff
      Subject: Secure PIN requirements

      We have determined that you are using an insecure PIN, because it has a pattern in it.

      Through extensive research, our staff has determined that many PINs are insecure because they contain patterns, birthdays, anniversaries, etc. By excluding all combinations of duplicate numbers, keyboard-pattern entries, and significant numbers, we have determined that the most secure PIN you can use is 7439. Please change your PIN to 7439 immediately in order to ensure our company's assets are properly protected.

      Thank you for your cooperation.

      --
      John
    4. Re:Passwords?! by ScoLgo · · Score: 4, Funny

      I work in the custom luggage industry. Most combo-lock mechanisms that I see are 3-digit. Yes, you can get locks with more digits but three is most common, (which is why I put "(most common)" in my post - maybe you missed that part? I kinda doubt that since you quoted it in your reply). But to answer your question; No, I don't believe there is a number shortage in Sweden at present. They are probably just conserving and planning for the day when there might be an actual number shortage. (Don't ask; it's a Swedish thing :).

      Also, keep in mind that most luggage has these things called 'handles'. If a thief really wants your stuff, they will grab it by the afore-mentioned 'handle', take it home, and drill the fucker open. IOW, luggage locks are only there to keep the honest people honest.

      Another thing: here in the States, you aren't allowed to lock checked baggage anymore. Airport screeners require that luggage be left unlocked to facilitate spot-checking of baggage. (Don't argue with this or you may well be labeled a terrorist.)

      (Cue swelling, patriotic music...)
      I, for one, sleep much better at night knowing that bags everywhere are unlocked and available for inspection by hordes of shiny-faced, wide-awake baggage inspectors all across this great land of ours.
      (Swelling patriotic music crescendoes...)

      </sarcasm>

      --
      "Michael, I did nothing. I did absolutely nothing - and it was everything that I thought it could be."
    5. Re:Passwords?! by utlemming · · Score: 2, Funny

      LOL! Actually, one of the funniest things that I saw was this paranoid freak at work. He has three or four different anti-spyware programs and just as many privacy programs. He didn't trust anyone. Except, his password was "2222" -- for everything. I was fixing his computer and asked him what his password was, and it was "2222." Email problems, password, "2222". Anyhow, I found it interesting that he had gone through great lengths to encyrpt all his data, and used the password of "2222." I would love to have seen how fast the DNA machine could crack this one.

      Secret Service Agent 1: "We'll, let's hope we get this back in..."
      Secret Service Agent 2: "DAMN! It was like 0.00041 seconds!"

      --
      The views expressed are mine own and do not express the views of my employer.
    6. Re:Passwords?! by theLOUDroom · · Score: 3, Funny

      I hope I never think any of my passwords are so clever that I feel compelled to tell everyone about them.

      Reminds me of one of my favorite userfriendly strips:

      Tech: Hello

      User: Hi, I need (some random tech support thing)

      Tech: Sure, what's your password?

      User: Asterix asterix asterix asterix asterix asterix

      Tech: (stunned silence)

      User: HA! You can't tell if I'm being stupid or clever.

      --
      Life is too short to proofread.
    7. Re:Passwords?! by Alsee · · Score: 3, Funny

      INTER-OFFICE MEMO

      From: Indianapolis Business Journal Headquarters
      To: Info Security
      Subject: You're fired

      It has come to our attention that 7439 written in base 20 is IBJ. It is our considered opinion that this is a brain damaged security recommendation for use here at the IBJ.

      Thank you, but your services will no longer be required. Goodbye.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    8. Re:Passwords?! by Nine+Mirrors+Turning · · Score: 2, Funny

      ut to answer your question; No, I don't believe there is a number shortage in Sweden at present. They are probably just conserving and planning for the day when there might be an actual number shortage. (Don't ask; it's a Swedish thing :).

      Being swedish, is this something I should be aware of? Do I need to stock up on some numbers? Err, where do I get them? The numbers shops seems to be missing in the yellow pages.

      --
      (Elegance is not an option)
  2. Not a problem for me by Dark+Paladin · · Score: 4, Funny

    My password is totally unguessable - I mean, who else has the password asdjklf;@#$#@jjdakl?

    No - wait, I meant that *wasn't* my password! Hey, stop ssh'ing into my box! No - not my 20 GB of Sailor Moon music collection!

    Well, guess I'll have to use my backup password of qwurf$#@ff5a` from now on - No, wait -

    Damn it!

    --
    52 Weeks, 52 Religions with John Hummel
    1. Re:Not a problem for me by 0x461FAB0BD7D2 · · Score: 4, Funny

      Pfft. Your password is unguessable? Try my nick!

  3. Now I don't look so crazy... by redmo · · Score: 5, Funny

    for having my hard drive encrypted by a key, on a flash drive, which is encrypted by a password that is generated randomly every five minutes and hased twice before I lock it in my safe deposit box.

    --
    If you're tired, sleep! Wenn Sie muede sind, schlafen!
    1. Re:Now I don't look so crazy... by W3bbo · · Score: 5, Funny

      Law Enforcement can gain access to safety deposit boxes, so your plan is slightly flawed there.

    2. Re:Now I don't look so crazy... by thedustbustr · · Score: 2, Funny
      I hope you don't plan on actually accessing the information on your harddrive

      ......

      --
      This sig is false.
    3. Re:Now I don't look so crazy... by Anonymous Coward · · Score: 5, Funny

      That's why I store my jump drive in my ass, it comes in a handy suppository case!

    4. Re:Now I don't look so crazy... by The+Other+JoshG · · Score: 5, Funny

      Law Enforcement can gain access to your ass, so your plan is slightly flawed there.

  4. Re:I bet they can't crack this! by tbase · · Score: 4, Funny

    Well, not until you put it in my browser cache. Thanks a lot, buddy.

    --

    666-607: 6th floor apartment of the beast
  5. Re:In other words.. by 14erCleaner · · Score: 4, Funny
    Inject spaces or numbers or punctuation into the word if you do. And dont write it down on a sticky note under your keyboard.

    Or just remove punctuation (like apostrophes).

    (Sorry....couldnt resist :)

    --
    Have you read my blog lately?
  6. Secret Services Cracks? by Anonymous Coward · · Score: 5, Funny

    How the Secret Services Cracks Encrypted Evidence

    Looks like someone used Microsoft's Grammar Checker to create the headline.

  7. Random by IPFreely · · Score: 5, Funny
    If I thought these guys had any since of humor at all, I'd make a 1.5 Gb file of random binary from a random number generator and store it in a file with a suspicious name.

    Of course I'd probably end up in Camp-XRay being tortured for the password. That's not where I want to spend my summer vacation.

    --
    There is nothing so silly as other peoples traditions, and nothing so sacred as our own.
  8. Re:You think? by Rorschach1 · · Score: 5, Funny

    "This is probably because people still have non-random memories."

    Pfff. I can remember the opcode for the 6502 halt-catch-fire instruction. I can't, however, remember what I had for breakfast. How's that for random?

  9. Tron by Dachannien · · Score: 5, Funny

    You know, it's amazing that Kevin Flynn had such trouble getting the info he needed to hang Ed Dillinger out to dry, considering that the password for the Master Control Program was "master".

    I guess we've come a long way in the past quarter century. Except when it comes to choosing passwords.

  10. Two Words: SETEC ASTRONOMY by wernst · · Score: 2, Funny

    It looks like they figured it out after all. I just hope Martin is OK...

  11. Re:no shit by Slashdot+is+dead · · Score: 4, Funny

    My parents only let me use alphanumerics to name my dog.

  12. Choosing a password. by bmalia · · Score: 5, Funny

    Enter a new password: ***** [penis]

    Sorry, your password is not long enough.
    Enter a new password:

    --
    There's no place like ~/
  13. Re:I feel pretty safe under Fedora. by Quixote · · Score: 5, Funny
    Unless the government has a pressing need to read my private journal about me bitching about how I can't get a date. In that case, those spooks are outta luck!

    ... and so, it appears, are you. ;-)

  14. Re:Acronym passwords are a good compromise by Rei · · Score: 3, Funny

    Way too long to type. I personally wouldn't want to spend all day trying to type in my password without error; I'd much rather be out playing frungy or something.

    --
    I once listened to a Philip Glass record for an hour and a half before I realized it was skipping.
  15. Re:So, to interpret this article: by chriguhose · · Score: 2, Funny

    no, no...

    thanks to the patriot act, they do not need any decryption methods anymore. Because every system sold since 2001 is bugged when leaving the factory.

  16. Password is not correct by MachDelta · · Score: 5, Funny

    At my former job, one of the programs we used would return "Password is not correct" if you input the wrong password.

    So, for a month, my password was "correct".

    Hey, at least I had a handy reminder if I ever forgot what it was. :P

    1. Re:Password is not correct by One_6453 · · Score: 2, Funny

      For the exact same reason my powerbook password is "shakes"

  17. Hard to hack by Anonymous Coward · · Score: 1, Funny

    Personally I always use 4 to 5 word phrases that I make up with some random number or symbols between each word. It's easy as hell to remember and hard as hell to crack. So you get the best of both worlds.

    I once had to terminal service into our server to unlock it for a support tech. The tech hit the floor as I was entering the password and he saw how many character it was.

  18. Dude! by Anonymous Coward · · Score: 2, Funny
    20 GB of Sailor Moon music collection!

    Looks like your password is the least of your problems....

  19. Eat this! by Maradine · · Score: 5, Funny

    Hey, SS!

    Go stick a pig
    -----BEGIN PGP MESSAGE-----
    Version: PGP 8.1

    qANQR1DBw04DB6hKqQuGABkQD/4ndRFLEcpsuHpf24/Moh2W MS bDwKKMWLDYRUG8
    4Jap4LfE3kpiVoiHvKWpSTz2z6lxbknY88 15gzDnFVPCDgH9L/ 0Rzyh7hF1J5xm2
    nVF1z1EkQPgNJhk8nrzSs3fu96D9wSuLEt wZhkXjCaTR02/H9+ AQ8lDFKVDQYYAi
    XI4Z1knJn+kLvXhyDOXfoyBp8htnRsG5AA wGUJc/GOgAbO668a KoitTl8bwK8Amr
    HNgk/wpSGPODVb1VQ3CL8uy1F1efM1UWmO SpddpBa2gWgfs8lm b6KUrfCes38xSe
    tzfZ1b0RxyeKJkkSAwJFRH9pJb3cmXfw75 b05d6LKHphwyXXb1 rrDaw2ct6Qt5lA
    Ot8+RMrUVd1w3EXEZFO2lV0NeHyWlw0V8q qIFNM+UHcIQCP6kE eIj6niRoG87m7X
    EbdUD8Q7rrW8ELD1MBYR/uW0paxJKClUfU mRfoYnj9H4WpHd2X PdIT6AZX23rWK8
    GLJPRDo+1DK5JWGzCDmpCqPCk/hC6IaTY4 dj+A1ee7y/w255AS JxBoteG0EKC1j8
    EEgdDMGn0/7PVP221FfvUmHiEptXaOIfrH jouJ6RdammqmHWYC sjpmATiWHEP6jf
    V1Vw12K2pNTt5h9oVhf0N0g1GyD4jLLmpM OPb0qSCyk8DWaEt0 IZIjqS/QwVV3Ng
    i6516BAAj4IEcxfYcbEyxvfyDqwkxzJ6R2 GSy2D9i1P6/xiy6a ASo8qSeArFO4KZ
    ATj5YyIDe2HnX66b6z9KaJrRlStSAhKr8l E05enZbjjD9zuliM M09a1L9RDGwB1T
    glArSeHh09AKDyYOYRA3eOp6Tdlog4quaQ M8AszGHfdK07+VI7 4sODIqxI46pd/a
    frOd100aZXP0w5928LbQT4HSUw9pQAsILN Oftik4aRCNozbquR 0wJ+UDaX8f2Qf3
    tvX51ONAm2hSsjkWiBO9n2TMnYYV4th1m4 BVR0sFMO/Pw8tktG 70WC3Y6rDt02G9
    ZE6hbscNP2dPGk9Zn1xn0HJSzogOqOYwc7 nCPRIkfrZQ6GUNIQ jDhNphAkJjZQg7
    4X31KiVUuJ4LsTNrpvLwl1P+rvzrPHr3Eg IZRGRTBiSTyC4u9d fF1NLlh/iDHEwH
    MdarZSX1QRgEJt/ncSvfhqHwGo21HR9lZ7 l00xu9nQCt5PA+qf xIkJN4vsIidT0h
    YcopCBgJX61SHI+zdZkvbZ+z0NrrnTx5QD HP7FGrsEsjtrSEDE wEXjKPAltPlmQT
    dzMXIikb/312gs99vRUxKh+4tQlSQKlrWr ms/8QXoDCJ/TGbFR b8vpes6+8ce5ii
    7iIxoRlYaN5QcwPizj9cFy6AQBGHZGnXDO RX0rs8uzlaDNYnP+ PSwMYBPLhLEbzn
    JD0YluWuDrSeGkgFtYzFSf/HPdv8jrHPdV hyvtB0UxjP8VeVGY +ZIMgT+pnKyuGb
    liHKlUowBHmL7pbP5F/A348XNovPFL/YG/ xR7XScBtV7W4dSPu 0uiwSnoprHDY10
    rRO7SHaproOa+CchbNySs2raYmqk02vebG ZKL17aTZzxxwLgcC q0EfCKNuAR09pm
    P54a5qvTc3f3qv5MhvktHrQV6BGzBJvZPs q/bQw8y5OG0j96ym h5CA4YlCfJvdGV
    pfRCp8Np+DUPqT7CswmULPjYlsJJjHsxaT 3z/mHqNvkddu5QPj iIn4BXsLTIUMBv
    +yPSaWVugMtoyBwruemTV9AwgE90W6nw50 GWlHtF9zrDZ4JO8z aubc1mOsEDI1hf
    LPNVSamLx1VY4rwe7yePeAredp8VuT+nJE KGIGd+I0l32NbU1n OB6ju7MtqzYGga
    yiiy1f9TE3GVMogQ00c4OIpWXjNMa2GZFZ kcP1uN1mKiFtMQxF QxiPU+bUJhvCI=
    =qYai
    -----END PGP MESSAGE-----
    and you mother, too!

    M

    --

    trustedworlds.net - gaming, security, and the gunk that lives in between

    1. Re:Eat this! by The+Slashdolt · · Score: 2, Funny

      Be Sure To Drink Your Ovaltine

      --
      mp3's are only for those with bad memories
  20. Re:Acronym passwords are a good compromise by Anonymous Coward · · Score: 1, Funny

    Frungy! Frungy! Frungy!

  21. Re:Acronym passwords are a good compromise by Anonymous Coward · · Score: 1, Funny

    SILENCE BLATHERING TOADIES! We are your new masters.

    (Hmm... "SBTWaynm" - a nice 8 character password :) )

  22. Re:that's all about the brute force by crimethinker · · Score: 4, Funny
    There's another one my former boss (an Iranian emigree in 1977) told me.

    Three guys from the CIA, Mossad, and the Iranian Secret Police have a competition. Each of them has a burlap sack, and must go into the jungle to capture a wild boar. The CIA goes first. 30 minutes later, he's back, with a wild boar in the sack. Mossad goes next, and he comes back in just 15 minutes with a similar catch.

    The Iranian Secret Police goes next. He's back in 2 minutes. The CIA and Mossad are shocked. "No, you can't have alreayd caught a wild boar."

    "Open the sack and see for yourself." The CIA and Mossad look in the bag and see a rabbit with cigarette burns, bruises, cuts, and possibly a few broken bones.

    "That's not a boar, that's a rabbit. You lose."

    On hearing this, the rabbit shrieks out, "no!!!!!! I'm a wild boar! I've been a wild boar for seven years. I can give you the names of other wild boars who are still loose in the jungle!"

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
  23. Re:no shit by z*4jhDm281 · · Score: 2, Funny

    No, but it is my Slashdot username!!! (apparently, slashdot doesn't allow colons, ampersands or tildes)

  24. Reminds me of a story... (offtopic) by hanshotfirst · · Score: 5, Funny
    A minister wakes one Sunday morning to a bright sunny day. He decides to play hooky for a day, and calls his Jr. Pastor to cover services for him as he is very sick.

    He then proceeds to get his golf bag and head for the links. The course is beautiful, the sun is shining, and his game is great.

    Up in heaven, St. Peter asks God "Aren't you going to do something about this?" God replies, "Wait and see."

    As the round of golf continues, the minister is shooting the best game of his life. On the 18th tee, The minister swings... God commands the ball and it bounces off the water, out of a bunker, and right into the cup.

    St. Peter is incredulous. "Why are you REWARDING this man for shirking his duty!? I don't understand?!"

    God replies "Who's he going to be able to tell about it?"

    --
    Why, oh why, didn't I take the Blue Pill?
  25. Liked him much better when he was on The Munsters by jpellino · · Score: 2, Funny

    "The effort started nearly three years ago to battle a surge in the number of cases in which savvy computer criminals have used commercial or free encryption software to safeguard stolen financial information, according to DNA program manager Al Lewis."

    Oh, how the might have fallen...

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  26. Re:no shit by Anonymous Coward · · Score: 1, Funny
    > My parents only let me use alphanumerics to name my dog.

    Your dog is insecure. Shame on your parents for not teaching you best practices!

  27. Re:It's like social engineering, without the perso by Captain+Scurvy · · Score: 2, Funny
    Hah! This article is supposed to make us think that our encrypted documents are generally safe from their prying eyes if we use more complicated passwords. They still have back doors.

    Think about it: this article would just encourage high profile targets to use 30+ characters of random garbage for their keychain passwords, rendering their methods next to useless. They're not that stupid.

    "How did you break that 256-bit encryption so fast?"
    "With our mad deadly worldwide gangster communist frankenstein distributed computing network, bitch."

    Tin foil is still the best buffer.

  28. Re:It's like social engineering, without the perso by Anonymous Coward · · Score: 2, Funny

    From http://www.irs.gov/pub/irs-pdf/i1040gi.pdf :

    Line 21
    Other Income

    Use line 21 to report any income not reported elsehwere on your return or other schedules....

  29. Re:Acronym passwords are a good compromise by Lord+Apathy · · Score: 2, Funny

    How about "fuck off pig?" That way when they ask you under oath what you pass word is you can sincerally tell them what it is and what they can do.

    --

    Supporting World Peace Through Nuclear Pacification

  30. Re:Reminds me of a story... (even more offtopic) by commodoresloat · · Score: 5, Funny
    So a guy walks into a church and goes to confession. He tells the priest: "Father, I'm 75 years old, and I've been happily married and faithful for 50 years. I have two children in their thirties and I've never cheated on my wife. Until yesterday. I was driving down the street and saw these two hot 20-year old coeds hitchhiking. I picked them up and drove them to a hotel. They convinced me to join them in the hotel where I proceeded to have sex with both of them for the next two hours."

    The priest is quiet for a moment and then says, "are you sorry for your sins?"

    The man replies, "Sins? What do you mean?"

    The priest sounds concerned. "What do I mean? What kind of Catholic are you?"

    The man replies, "Catholic? Father, I'm Jewish!"

    The priest is incredulous. "Well then why are you telling me this?

    The man replies, "are you kidding? I'm telling everybody!"

  31. Re:256-bit encryption? by Zevets · · Score: 1, Funny

    I have a friend that works as a defense contractor and he has a security clearence and all that. His job is to build the radios that the FBI, Secret Service, etc use and if you think that stuff is paranoid, these guys are nuts.

    The radios are encrypted (obviously) using NSA techniques. The NSA techniques cannot be written down anywhere, and to find out how they work, they ask some dude who has been employed by said defense contractor for his entire life and his job is to remember this technique without ever writing it down or such. He is well paid too.
    Once this said technique is written and tested to work 100% of the time, and not 99.99999999% like many programs, it is compiled and the source file is then given to the NSA for safe keeping/code review.

    The radios themselves are the height of paranioa. The radios if tampered or left unguarded for 15 minutes, it will automatically wipe out the flash card (thus destroying the encryption key and non hardware based technique). This makes the radio a $1000 dollar brick which then needs to be sent back to the manufacturer to work again. (for a nice profit too!)
    Also, once a radio is compromised, the other radios are distributed new encryption keys, so their communications are now secure. The radios in said group are also re-keyed at normal intervals.

    Now, these radios if compromised are not totally useless. They can be used as remote listening devices (transmit when button not pressed, and "other" features) and can be broadcast fake information(duh).

    Also, in those type situations, I have another friend who says the destruction method of choice for paper and tapes are incendiary grenades. Load the classified manuals(these are just lit with a lighter, but you get the point), important computer chips and other stuff into a box, place the nade and watch it flame and then after it has burned, chuck it off said airplane.
    Also, most of the memory devices have a self-wipe feature. For hardware, the sledgehammer method is used. "take one, and apply liberally"
    After that, to break the individual chips, smaller boards are collected in boxes and smashed with said hammers and stepped on etc.
    He said his training instructor said, "Have you ever wanted to trash a room like a rock star? Leave nothing intact, and just destroy everything in sight? Except instead of some hotel room, it would be millions of dollars of equipment, and you get to destroy it? Nothing off limits? This is your chance. Live your dreams.
    Just before you land, make you sure you destroy the more valuable stuff first, and toss the remains out the airplane too. "
    He also claims(this one I doubt), that the flight crew in case of a crash landing, where they survive, knows how to blow up the entire airplane and remaining(if any) avionics equipment.

    --

    Mod Wisely.

  32. SecretService@Home by rewinn · · Score: 2, Funny

    The next logical step is to provide a free screen saver download, to lend home computing power to the Secret Service's decription effort. We might call it SecretService@Home.

    To encourage participation, our agency might make the decryption process a background feature of a download more likely to be wildly popular .... maybe a game ... perhaps we could call it something appealling to young people with lots of excess computing power ... a name like "America's Army".

    And if we wanted to throw scruples out the [MS]window, our agency might create a zombie net exploiting security ports (formerly known as "security holes") to allow truly huge DNAs. Our legal advisors recommend coding our zombierecruiters to target computers outside our country, whose owners may expect little in the way of protection under our Constitution.

    DISCLAIMER: Our government never would do this! No, Never!

    --
    --- Attorneys Assisting Citizen-Soldiers & Families -