Slashdot Mirror

← Back to Stories (view on slashdot.org)

How the Secret Service Cracks Encrypted Evidence

Posted by timothy on from the throw-at-wall-see-what-sticks dept.

tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."

19 of 658 comments (clear)

  1. Isn't the effectiveness now compromised? by iammaxus · · Score: 4, Insightful

    Why did they not keep their tactic of creating customized password dictionaries secret? Seems like they just gave potential criminals a big warning...

    1. Re:Isn't the effectiveness now compromised? by Scarblac · · Score: 4, Insightful

      Why did they not keep their tactic of creating customized password dictionaries secret? Seems like they just gave potential criminals a big warning...

      Because it doesn't matter one bit. Right now, most places where you must pick a password, there is already a warning that you shouldn't pick a word, pick something alphanumeric, something random. Nobody cares. If that doesn't change people's behaviour, this news story won't either.

      --
      I believe posters are recognized by their sig. So I made one.
    2. Re:Isn't the effectiveness now compromised? by saskboy · · Score: 3, Insightful

      Criminals are not going to write their own webbrower ap, or file sharing program, they will use a common comercially available package that the Intelligence community can use against them, just as script kiddies use the fact that Windows XP is the primary OS against law abiding people.

      And criminals, who are none-to-bright to begin with, aren't going to use a password like DSdfWe3421.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    3. Re:Isn't the effectiveness now compromised? by Sepodati · · Score: 3, Insightful

      Requiring "strong" passwords just means users will write them down and put 'em under the keyboard.

      ---John Holmes...

    4. Re:Isn't the effectiveness now compromised? by khrtt · · Score: 3, Insightful

      Well, the people trying to hack into your system remotely won't be able to look under the keyboard.

    5. Re:Isn't the effectiveness now compromised? by scottv67 · · Score: 4, Insightful

      A friend of mine ran crack over /etc/passwd on his physics department's unix system, successfully cracking 20% of the passwords on file. He sent the results to his sysadmin, with a note asking the sysadmin to implement crack system-wide, and was promptly reprimanded.

      A friend of mine tried a lock-picking tool on the front door of every house in his subdivision, successfully opening 20% of the locked doors. He sent the results to the local police department, with a note asking that the lock-picking tool be tried on every door in town, and was promptly arrested.

  2. In other words.. by doormat · · Score: 5, Insightful

    If your password is something you've ever written on your computer, its likely they'll crack it? Interesting.... moral of the story: dont use words found in the dictionary as your password. Inject spaces or numbers or punctuation into the word if you do. And dont write it down on a sticky note under your keyboard.

    --
    The Doormat

    If you're not outraged, then you're not paying attention.
  3. Because people are stupid/lazy by Andy+Dodd · · Score: 5, Insightful

    It's always been known that a fully random password is more secure.

    But it's a bitch to remember, so people use easier-to-guess passwords anyway.

    Knowledge of this technique changes nothing. Any crook smart enough to use totally random passwords after this incident probably is already doing so.

    --
    retrorocket.o not found, launch anyway?
  4. Security = People not computers by breakbeatninja · · Score: 4, Insightful

    In cases like this (and many others) security is only as strong as the person who manages it. Choose a weak password, choose weak security. I'm sure, however, if this information is public that their actual system is much more advanced. Sort of makes you wonder how sophisticated the NSA's equipment is.

    --
    shop.envescent.com - Computer hardware and more.
  5. no shit by bdigit · · Score: 4, Insightful

    "People still use non-random passwords."

    What's easier to remember, Your dogs name or z*4jhDm28&:1~. Now I will wait for someone to reply with "but my dogs name is z*4jhDm28&:1~"

    And you know what happens when people use a random password? They write it down and either put it in their top desk draw or on a nice post-it note on their monitor.

  6. Passphrases get around this by PxM · · Score: 3, Insightful

    Dictionary attacks and other brute force attacks still don't work too well on passphrases so those who use them can protect their drug money for a little while longer. It should also be noted that the DNA attack won't work unless the Secret Service has your private key file. The actual encryption can't be broken easily so they have to attack the weak encryption on the digital private key that's stored on your computer. If the key is stored in a manner that they can't get to it, then your data will still be safe. E.g. the key is stored on an IC in the computer that self destructs if it is tampered with like IBM's ultra-paranoid laptops. The IC would detect a brute force attack and destroy the key.

    --
    Want a free iPod?
    Or try a free Nintendo DS, GC, PS2, Xbox. (you only need 4 referrals)
    Wired article as proof

  7. Re:Passwords?! by ScoLgo · · Score: 4, Insightful

    You're lucky if you really have a 5-digit combo on your luggage. My cousin came to visit from Sweden a couple of years ago. He had locked his (most common) 3-digit combo lock before the 10-hour flight and then promptly forgotten the combination. It didn't take me long to start running through the 1000 possibles. Had it open in 10 minutes.

    He sure was happy to get to a clean pair of drawers. :)

    (Yes. I've seen Space Balls. And yes, the 1-2-3-4-5 combination joke is wearing pretty thin.)

    --
    "Michael, I did nothing. I did absolutely nothing - and it was everything that I thought it could be."
  8. Re:It's like social engineering, without the perso by Ayaress · · Score: 4, Insightful

    It all comes back to the old axiom: If you rob a bank, make damn sure you pay your taxes.

    The basic idea is, if you break the law, you cover every hole you can think of, no matter how trivial. Just like Al Capone should have paid his taxes, criminals (and everybody else for that matter) today need to start using better passwords.

  9. Re:I feel pretty safe under Fedora. by cfalcon · · Score: 4, Insightful

    Yes, I'm assuming that. Obviously, if torture is in the realm of the possible, things get much worse. But there are then two kinds of data:

    Data whose exposure will end up with you being persecuted for.

    Data whose exposure will end up harming a cause you value above yourself.

    Torture is a great way for getting either of those, but it will work at 100% efficiency for type 1. Example: assume that me bitching about a girl who threatened to kick my ass if I asked her out (not to imply that this event actually occurred or anything) is a crime punishable by something bad. If the system is so broken that I can be tortured to reveal the password, then it stands to reason that it is so broken that they can inflict "something bad" on me without trial, confession, evidence, or not.

    In other words, type 1 data is useless to the government that can torture and endlessly imprison: they already have that power, and that's all type 1 data wins you.

    But if you are a captured CIA agent in China, now you have to worry about type 2 data- something that is important to someone besides you. That changes your rules somewhat as well.

    Anyone know how that steganographic filesystem is coming?

  10. Re:It's like social engineering, without the perso by ScentCone · · Score: 4, Insightful

    criminals (and everybody else for that matter) today need to start using better passwords

    Well, OK, so you're talking about this in more or less academic terms... but, I'd say that what criminals really need to do (um, espcially the ones that are smart enough read up on this sort of thing) is to use their brains for, say, something other than crime.

    --
    Don't disappoint your bird dog. Go to the range.
  11. Re:Random by drspliff · · Score: 3, Insightful

    Even better would to have a spare hard disk, fill it with 100 different random 1gb files, all with random names, then store all your 'insert highly illegal topic' data in one of those files.

    Then for additional measure, have a process running in the background that modifies the access time and modification time randomly on all of them.

    The bottom line is, anybody who actually wants to secure their data, and make it almost impossible for anybody to recover it will probably already be doing this.

    The article is refering to average joes who think encrypting their stuff will make it more secure (as you can tell by the wording of the article).

  12. Re:Acronym passwords are a good compromise by Rei · · Score: 3, Insightful

    Oh, another problem with geometric passwords: they're *very* easy to see looking over someone's shoulder. Trust me - I used one back in high school, and before long had all my friends logging on to my account :P

    --
    I once listened to a Philip Glass record for an hour and a half before I realized it was skipping.
  13. Re:It's like social engineering, without the perso by MrAnnoyanceToYou · · Score: 3, Insightful

    Nah, they just need to steal more so they become revolutionaries or businessmen. "One lawyer with a briefcase can steal more than a thousand men with guns"- The Godfather.

    --
    My little site.
  14. Re:It's like social engineering, without the perso by MrAnnoyanceToYou · · Score: 3, Insightful

    Logic fails you.

    "Criminals with enough money are businessmen" and
    "Businessmen with enough money are criminals"
    are two different statements. I do not agree with both. HOWEVER, often the means of accumulating large sums of money are closer to crime than should be allowed. Skirting the rules of groups as a whole and "morality" is rewarded too often within the boundaries of our current social systems. I don't particularly believe in morality but i have to sleep with my own dreams, which means I'm not rich and slightly bitter that I'm smart enough to have bad ones when I do bad things.

    Quit dragging me off topic with your 'karma to burn' self.

    --
    My little site.