How the Secret Service Cracks Encrypted Evidence
tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."
Why did they not keep their tactic of creating customized password dictionaries secret? Seems like they just gave potential criminals a big warning...
If your password is something you've ever written on your computer, it's likely they'll crack it? Interesting.... Moral of the story: don't use words found in the dictionary as your password. Inject spaces or numbers or punctuation into the word if you do. And don't write it down on a sticky note under your keyboard.
The Doormat
If you're not outraged, then you're not paying attention.
It's always been known that a fully random password is more secure.
But it's a bitch to remember, so people use easier-to-guess passwords anyway.
Knowledge of this technique changes nothing. Any crook smart enough to use totally random passwords after this incident probably is already doing so.
retrorocket.o not found, launch anyway?
In cases like this (and many others) security is only as strong as the person who manages it. Choose a weak password, choose weak security. I'm sure, however, if this information is public that their actual system is much more advanced. Sort of makes you wonder how sophisticated the NSA's equipment is.
shop.envescent.com - Computer hardware and more.
"People still use non-random passwords."
What's easier to remember, your dog's name or z*4jhDm28&:1~? Now I will wait for someone to reply with "but my dog's name is z*4jhDm28&:1~".
And you know what happens when people use a random password? They write it down and either put it in their top desk drawer or on a nice post-it note on their monitor.
You're lucky if you really have a 5-digit combo on your luggage. My cousin came to visit from Sweden a couple of years ago. He had locked his (most common) 3-digit combo lock before the 10-hour flight and then promptly forgotten the combination. It didn't take me long to start running through the 1000 possibles. Had it open in 10 minutes.
:)
He sure was happy to get to a clean pair of drawers.
(Yes. I've seen Spaceballs. And yes, the 1-2-3-4-5 combination joke is wearing pretty thin.)
"Michael, I did nothing. I did absolutely nothing - and it was everything that I thought it could be."
It all comes back to the old axiom: If you rob a bank, make damn sure you pay your taxes.
The basic idea is, if you break the law, you cover every hole you can think of, no matter how trivial. Just like Al Capone should have paid his taxes, criminals (and everybody else for that matter) today need to start using better passwords.
Yes, I'm assuming that. Obviously, if torture is in the realm of the possible, things get much worse. But there are then two kinds of data:
1. Data whose exposure will end up with you being persecuted.
2. Data whose exposure will end up harming a cause you value above yourself.
Torture is a great way for getting either of those, but it will work at 100% efficiency for type 1. Example: assume that me bitching about a girl who threatened to kick my ass if I asked her out (not to imply that this event actually occurred or anything) is a crime punishable by something bad. If the system is so broken that I can be tortured to reveal the password, then it stands to reason that it is so broken that they can inflict "something bad" on me without trial, confession, evidence, or not.
In other words, type 1 data is useless to the government that can torture and endlessly imprison: they already have that power, and that's all type 1 data wins you.
But if you are a captured CIA agent in China, now you have to worry about type 2 data - something that is important to someone besides you. That changes your rules somewhat as well.
Anyone know how that steganographic filesystem is coming?
criminals (and everybody else for that matter) today need to start using better passwords
Well, OK, so you're talking about this in more or less academic terms... but, I'd say that what criminals really need to do (um, especially the ones that are smart enough to read up on this sort of thing) is to use their brains for, say, something other than crime.
Don't disappoint your bird dog. Go to the range.