How the Secret Service Cracks Encrypted Evidence

tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."

Comment removed

[account_deleted]

Comment removed based on user account deletion

So, to interpret this article:

[reality-bytes]

The U.S. Secret Service is having success with breaking keys using dictionary-attacks.

Now, reading between the lines:

The U.S. Secret Service has just perfected a brilliant new method of brute-forcing 256-bit keys in a matter of minutes using the same processing power as a pocket calculator.

Therefore the previous dictionary-attack system can safely become public knowledge.

Re:It's like social engineering, without the perso

[Shadow+Wrought]

What's the point when humans are still the weakest link?

Especially when all they have to do is offer them chocolate before they bust them;-)

Acronym passwords are a good compromise

[Rei]

You don't have to use random passwords to be secure. Slightly modified acronym passwords tend to be almost as good as completely random passwords, and people tend not to mention the phrase that the acronym is from very often.

For example, a password 'JWfimf#aIgtVae' is about as good as random; and yet, it's simply an acronym for "Juffo-Wup fills in my fibers and I grow turgid. Violent action ensues." with a hash sign thrown in for good measure. Any Star Control II fan would have an easy time remembering it after just a couple uses.

Re:Isn't the effectiveness now compromised?

[khrtt]

A friend of mine ran crack over /etc/passwd on his physics department's unix system, successfully cracking 20% of the passwords on file. He sent the results to his sysadmin, with a note asking the sysadmin to implement crack system-wide, and was promptly reprimanded.

On VAX VMS you had to pick a password from a list of randomly generated "pronouncable" strings, if I recall correctly. On many properly-managed UNIX installations the crack program is used to check the user's passwords and will not allow you to use a crackable one. Is there as option to allow only hard passwords on Windows? I honestly don't know...

On the whole, soft password problem seems like a healthy n00b-usability-over-security type thing.

Re:256-bit encryption?

[bofkentucky]

You've never seen the "shoot here to destroy" stickers that Uncle sam sticks on his computers, usually they are just slightly off center of the hard drive spindles, not sure how a multi-disk box gets tagged, but its probably in a similar manner.

Remember that P-3 that landed in chicom airspace back in 2000/2001, supposedly hammers were used to beat the interior of that bird all to hell when the pilot realized they weren't going to make it to a safe landing area.

OMG!

[temojen]

Unlike other distributed networking programs, such as the Search for Extra Terrestrial Intelligence Project -- which graphically display their number-crunching progress when a host computer's screen saver is activated -- DNA works silently in the background, completely hidden from the user. Lewis said the Secret Service chose not to call attention to the program, concerned that employees might remove it.

"Computer users often experience system lockups that are often inexplicable, and many users will uninstall programs they don't understand," Lewis said. "As the user base becomes more educated with the program and how it functions, we certainly retain the ability to make it more visible."

Wait... Secret Service employees have administrator rights? This is just wrong. Their IS department should know better.