Slashdot Mirror
How the Secret Service Cracks Encrypted Evidence
tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."
Why did they not keep their tactic of creating customized password dictionaries secret? Seems like they just gave potential criminals a big warning...
If your password is something you've ever written on your computer, its likely they'll crack it? Interesting.... moral of the story: dont use words found in the dictionary as your password. Inject spaces or numbers or punctuation into the word if you do. And dont write it down on a sticky note under your keyboard.
The Doormat
If you're not outraged, then you're not paying attention.
It's always been known that a fully random password is more secure.
But it's a bitch to remember, so people use easier-to-guess passwords anyway.
Knowledge of this technique changes nothing. Any crook smart enough to use totally random passwords after this incident probably is already doing so.
retrorocket.o not found, launch anyway?
In cases like this (and many others) security is only as strong as the person who manages it. Choose a weak password, choose weak security. I'm sure, however, if this information is public that their actual system is much more advanced. Sort of makes you wonder how sophisticated the NSA's equipment is.
shop.envescent.com - Computer hardware and more.
"People still use non-random passwords."
What's easier to remember, Your dogs name or z*4jhDm28&:1~. Now I will wait for someone to reply with "but my dogs name is z*4jhDm28&:1~"
And you know what happens when people use a random password? They write it down and either put it in their top desk draw or on a nice post-it note on their monitor.
Dictionary attacks and other brute force attacks still don't work too well on passphrases so those who use them can protect their drug money for a little while longer. It should also be noted that the DNA attack won't work unless the Secret Service has your private key file. The actual encryption can't be broken easily so they have to attack the weak encryption on the digital private key that's stored on your computer. If the key is stored in a manner that they can't get to it, then your data will still be safe. E.g. the key is stored on an IC in the computer that self destructs if it is tampered with like IBM's ultra-paranoid laptops. The IC would detect a brute force attack and destroy the key.
--
Want a free iPod?
Or try a free Nintendo DS, GC, PS2, Xbox. (you only need 4 referrals)
Wired article as proof
You're lucky if you really have a 5-digit combo on your luggage. My cousin came to visit from Sweden a couple of years ago. He had locked his (most common) 3-digit combo lock before the 10-hour flight and then promptly forgotten the combination. It didn't take me long to start running through the 1000 possibles. Had it open in 10 minutes.
:)
He sure was happy to get to a clean pair of drawers.
(Yes. I've seen Space Balls. And yes, the 1-2-3-4-5 combination joke is wearing pretty thin.)
"Michael, I did nothing. I did absolutely nothing - and it was everything that I thought it could be."
It all comes back to the old axiom: If you rob a bank, make damn sure you pay your taxes.
The basic idea is, if you break the law, you cover every hole you can think of, no matter how trivial. Just like Al Capone should have paid his taxes, criminals (and everybody else for that matter) today need to start using better passwords.
Sir, we figured out all of his passwords, we just can't figure out what he's using to login with. We decrypted the username that he has posted all over the place, but it doesn't work.
Yes, I'm assuming that. Obviously, if torture is in the realm of the possible, things get much worse. But there are then two kinds of data:
Data whose exposure will end up with you being persecuted for.
Data whose exposure will end up harming a cause you value above yourself.
Torture is a great way for getting either of those, but it will work at 100% efficiency for type 1. Example: assume that me bitching about a girl who threatened to kick my ass if I asked her out (not to imply that this event actually occurred or anything) is a crime punishable by something bad. If the system is so broken that I can be tortured to reveal the password, then it stands to reason that it is so broken that they can inflict "something bad" on me without trial, confession, evidence, or not.
In other words, type 1 data is useless to the government that can torture and endlessly imprison: they already have that power, and that's all type 1 data wins you.
But if you are a captured CIA agent in China, now you have to worry about type 2 data- something that is important to someone besides you. That changes your rules somewhat as well.
Anyone know how that steganographic filesystem is coming?
criminals (and everybody else for that matter) today need to start using better passwords
Well, OK, so you're talking about this in more or less academic terms... but, I'd say that what criminals really need to do (um, espcially the ones that are smart enough read up on this sort of thing) is to use their brains for, say, something other than crime.
Don't disappoint your bird dog. Go to the range.
Even better would to have a spare hard disk, fill it with 100 different random 1gb files, all with random names, then store all your 'insert highly illegal topic' data in one of those files.
Then for additional measure, have a process running in the background that modifies the access time and modification time randomly on all of them.
The bottom line is, anybody who actually wants to secure their data, and make it almost impossible for anybody to recover it will probably already be doing this.
The article is refering to average joes who think encrypting their stuff will make it more secure (as you can tell by the wording of the article).
Too easy to crack. If only a few people are using it, it's ok, but if it became widespread, the search space is just too narrow, unless you start choosing really complex patterns, in which case you might as well just use a random password.
I once listened to a Philip Glass record for an hour and a half before I realized it was skipping.
Oh, another problem with geometric passwords: they're *very* easy to see looking over someone's shoulder. Trust me - I used one back in high school, and before long had all my friends logging on to my account :P
I once listened to a Philip Glass record for an hour and a half before I realized it was skipping.
As for Chavez, he has done his share of dissent-crushing and deportations and indoctrination. Just because he is "against" the "neo-libs" doesn't excuse some of his actions. Venezuela sells a good chunk of its oil to the States -- they may be at loggerheads but they still do a lot of business together.
Sometimes seventeen/Syllables aren't enough to/Express a complete
If you don't give up your password, I think they can get you on obstruction of justice.
Which MIGHT be better than racketeering charges...
Find coupons in Greeley
Nah, they just need to steal more so they become revolutionaries or businessmen. "One lawyer with a briefcase can steal more than a thousand men with guns"- The Godfather.
My little site.
Logic fails you.
"Criminals with enough money are businessmen" and
"Businessmen with enough money are criminals"
are two different statements. I do not agree with both. HOWEVER, often the means of accumulating large sums of money are closer to crime than should be allowed. Skirting the rules of groups as a whole and "morality" is rewarded too often within the boundaries of our current social systems. I don't particularly believe in morality but i have to sleep with my own dreams, which means I'm not rich and slightly bitter that I'm smart enough to have bad ones when I do bad things.
Quit dragging me off topic with your 'karma to burn' self.
My little site.
Which kind of makes much hard for conspiracy theories that the FBI/NSA/Secret Service require all these back doors into encryption software and/or operating systems. What's the point when humans are still the weakest link?
This is true. Somewhat related to the story about the golfing minister: If the NSA has all these great backdoors, who can be trusted with them.. Certainly not mainstream LEA. Certainly your local copper and most FBI agents are just everyday civil servants.. giving them the resources to backdoor major encryption schemes is as good as giving everyone the capability.
Regardless of what some top minds/admins at the NSA can do, most of LEA is in the "them" camp and must work within the same limitations as the rest of us.
Here at Microsoft they have strong passwords enabled and they force you to change passwords every 70 days, and it keeps a list of your most-recent passwords and disallows selecting one of them. After my first 70 days I got the little password change dialog. I tried a few things to no avail and then settled on: Micr0$hizzle -- a 12-character password with a digit and a punctuation symbol. I chuckled to myself every day I logged on for 70 days. I find that leet-icizing common words makes for really nice passwords. Frequently, when setting up new systems, I give the administrator account some variant of "password" such as "P4$$w0rd" or the like.
...
The number of possible options for a password is [number of valid characters in a given position] to the power of [number of positions]. A one character all lowercase password has only 26 possibilities. Upper or lowercase and it's 52. Two characters upper and lower case is 2704 possibilities. Upper and lowercase (52), 0-9 (10), the associated punctuation marks (10), curly/angled/square brackets (6), comma, period, question mark, forward and backward slash, tilde, quote, double quote, backquote, semicolon, colon (11). That's 52 + 10 + 10 + 6 + 11 or 89 possible characters per position. Most of the punctuation marks aren't ever used though, so let's give a conservative 78 possible characters.
For a base-78 password:
1 character is 78 possibilities
2 characters is 6084 possibilities
3 characters is 474552 possibilities
4 characters is 37015056 possibilities,
5 characters is 2887174368 possibilities,
6 characters is 225199600704 possibilities,
12 characters is 50,714,860,157,241,037,295,616 possibilities. That's 50 septillion, for anyone keeping track.
Anything can be a good password.
Devout catholic? How about Pop3J0hnP4ul! (13 chars) or Bish()pFr3d? (12)
Animal lover? Il0ved0g5! (10).
So on and so forth. Just take a word or a phrase and leeticize (that's my new favorite nonce word of the day) it so it still reads more or less the same. Then the password can be remembered visually and likened to an easily recognized word or phrase and look less like a random jumble of characters. I wouldn't at all mind if people used their pet's name to help them remember the sequence of characters in their password, but I don't think people should use their pet's names AS their passwords. If the dog's name is Bartholomew, the password would be B4r+hol0m3w! (the exclamation point is part of the password, making it 12 characters).
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
Umm.. this is the NSA we're talking about. I'm sure they're not just putting forth the raw words, but are trying all the common leet-speak variations thereof. And probably word+digit, digit+word and various popular capitalization possibilities. Even with all those variations (maybe 100 for each word) it'll still be a very significant improvement over a brute force attack.
They've been on the Internet too, you know?
Hire a Linux system administrator, systems engineer,
...a pass PHRASE is for your encrypted hard disk.
Dictionary attacks mean sod-all when the passphrase is nothing that might appear in any dictionary (including one compiled from your correspondence and other public clues such as browsing history and Amazon purchases).
As the parent pointed out, you're no longer permitted to lock your baggage when you check it.
No, you're entirely permitted to lock your luggage, just as the government inspectors are permitted and equipped to destroy your locks.
Especially when all they have to do is offer them chocolate before they bust them;-)
That survey is almost certainly complete rubbish - if someone came up to me in the street and offered me chocolate in exchange for my password I'd just give them a bogus password so I could get my chocolate.
http://blog.nexusuk.org
There's a quote I heard a long time ago, "Don't ask a millionaire how he made his first million."
Dogma - "let's just say we'd like to avoid any empirical entanglements."