Slashdot Mirror
Police Need 90 Days To Crack Hard Drives
Twyko64 writes "The UK police may need 90 days to hold terrorist suspects because it takes that long to crack a suspect's PC hard drive." From the article: "Combining the analysis, the translation and second stage analysis, add inter-country co-operation and interview strategy formation, and from the police point of view, the existing 14 days is inadequate and 90 days doesn't look excessive. Another factor is encryption sophistication. If 256-bit triple-DES or similar techniques are used then decryption could require supercomputer-levels of cracking."
Nothing for you to see here. Please move along.
Hmmmm. Guess I'll come back in 90 days for the dupe...
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
They're really going to hate it when suspects start using steganography. Imagine having to brute-force decrypt, only to then have to search for a particular piece of straw in a haystack...
Do not look into laser with remaining eye.
*I* always use at *least* 1024-bit AES!
Glad to know they think they can crack it in only 90 days with a mere "super-computer".
Stupid gits.
the subject says it all .. please replace TFA with one written by a clue-holder.
Store files off site, do evil in boot cd environment, leave drive unencrypted and full of jesus is good allah not as good text.
sounds like you need my son... he's 14 years old and always gets into my computer in about 90 second...
Obama = Socialism.
Most times a police department cannot even ANALYZE data properly if a machine is not running some modern form of Microsoft Windows on an x86 platform.
They have automated TOOLS that go through and find Web browser histories, caches, and cookies.
On machines where users do not run Microsoft Internet Explorer and use Outlook for email, often times departments are SOL.
If you "get" pointers add me as a friend (116)!
They should just pin the suspect down and pump five rounds into their head.
Oh wait...
If it's illegal to not provide the police with a key to encrypted data, why can't they just put that person in prison for that crime and decrypt the data at their leisure?
Who ordered that?
3des. 3 x des. des uses 64 bit key. Well, 56 bit if you remove the useless parity.
3 x 56 = 168. or 3 x 64 = 192. Either way, 256 is is not.
256 bit AES, then maybe.
Come on UK, you should know how to get around this by now. All you have to do is hold the terrorist suspects in secret prisons outside of the country and you don't need to worry about silly little details like charging them with a crime.
Tell that to the Guildford Four, the Maguire Seven, the Birmingham Six.
Why would it take 90 days to crack the password, all you need to do is put in Allah.
"The UK police may need 90 days to hold terrorist suspects because it takes that long to crack a suspect's PC hard drive."
/.'ers can help to speed that up.
Do they have a help wanted section? I think some
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I thought that was why the UK introduced the RIP act (http://www.hmso.gov.uk/acts/acts2000/20000023.htm )? Could they just demand that the person comes up with the keys -- if they don't, hold them through the RIP act and brute-force them, if they do -- then they've either got evidence or the innocent person can go free?
It seems that they are just using this as an excuse to hold someone indefinately?
By using SUN Grid... noone else is, so plenty of CPU power....
for some politician to propose commandeering the unused CPU cycles of the nations PCs, ala distributed.net but mandatory.
"Prefiero morir de pie que vivir siempre arrodillado!"
After 90 later... "We have analyzed your hard drive. It has taken 90 days, but we finally were able to copy all your pron into our archives."
So how long would it take for lets say, Blue Gene/L to break AES-256?
Longer than 90 days I hope...
Psssh. That's gotta be a worst case scenario. In my experience, even people who are paranoid enough to encrypt things tend to be careless with their keys. I found one once where the guy had encrypted the hell out of it, and left a copy of the key in the default key gen directory. Some people just throw it in the trash, and then forget to empty the trash, or forget to secure purge it afterward, so the key can be recovered.
For big corporations and places that have enough staff to be able to implement a good crypto policy, I'd be surprised if you COULD crack it in 90 days. 256 isn't anywhere near as high as you could go if you were paranoid, and storing data that you didn't need to read all the time.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Many UK Police forces have to contract this sort of job out to private companies as they don't have the facilties to do this sort of job. This naturally costs an arm and a leg.
It is also not a high priority to most Chief Constables when prioritising their budget.
I expect though in the case of terrorist cases they would send it to the concrete doughnut at Cheltenham (GCHQ) but if any computer kit goes in their it does not come out so for evidential purposes it is less than useless.
Im sorry but from my point of view the british system has got far to harsh when it comes to terrorism so much so that I now feel unsafe at expressing my discontent at the blairite regime that threatens to wrap us all up in bubble wrap and smother us comfoftably. I say its time to make a stand we should all use high level encryption then send our disks to the police so they can crack them. I say we should march through parliment sq (oooooooh shit we cant nemore). Free speach in the UK is under attack from scared politicians that dont understand that they are sponsering terrorism by joining in with america w.o.t. The Americans brought back the word jihad about 60 years ago when it had been dead for a few thousand. No more should we be persicuted in our own country for wanting to see blair burn. Urm did i go off topic??
Oh well simply put NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
They fitted George Orwell's coffin with rollers so he could turn over more easily years ago.
Do a raw copy of the harddrive. Do preliminary analysis immediately, release the suspect if there's not enough to charge, do extended analysis and cracking it later, when the subject is no longer held. If the harddrive is then found to hold something prosecutable, track the suspect down again.
90 days sounds more like arrest now, look for a justification later.
"It takes 12 hours from New York to LA".
I propose we start a Crack-a-terrorist-hard-drive[at]home project, just like SETI[at]HOME, properly GPLed so they don't use it to any other thing.
Our cicles will contribute to the larger effort of releasing the porn from this alleged terrorist's hard drives.
I am portuguese. If you think my written english is bad, try posting in portuguese!
until it's you and the terror you've supposedly perpetrated is making a joke about a prominent political figure.
C'mon. How many of you really think that terrorists are the brightest people in the world. They make bombs and then blow themselves up. You're only effective once if you do that. I don't think we should arm them with anymore info than they already have. Let's keep stories like this on the Down low.
To only allow encryption systems with well-known backdoors to hit the commercial world. Reserve the military grade stuff for those aligned with governments dedicated to goodness and niceness, not badness and evilness, like the U.S. government.
Oh wait. Make that Canada. Nobody distrusts the Canadians. Except for Sheriff Bud B. Boomer.
Canadians - they walk among us.
The idea is that you're holding them without any charge until you gather the evidence on the hard drive.
I understand that the police will sometimes be unable to completely make a case until they've gathered all the evidence, but it seems that there should be some sort of intermediate level to say, "We have at least some reason to hold this guy."
Perhaps what's needed is a judge to say, "Yeah, you have enough evidence, and the guy presents enough of a flight risk, for me to let you hold him for three months", even if that evidence would be insufficient for a real indictment.
Because right now it sounds like "We're going to lock this guy up for 90 days with absolutely no evidence at all on our say-so."
The question is, are they getting paid overtime? Time and a half?
Give me the HDDs and I will crack them in 90 seconds.
He who knows best knows how little he knows. - Thomas Jefferson
So basically, the 90-day period is not because that's how long their fancy "supercomputer" needs to crack it, but because they are unable to cope with the number of computers confiscated from their terrorist suspects. Sounds like they need an additional supercomputer.
"Eddies," said Ford, "in the space-time continuum." "Ah," nodded Arthur, "is he? Is he?"
That government can crack triple DES in more than 14 but less than 90 days on their secret supercomputer. No wonder they dropped opposition to crypto exports. The question is, which algorithms/key sizes can we use that is likely still uncrackable?
The underlying objective is for the UK to adopt the US model of 'terrorist' detention. Extending the permitted period for detention of 'suspects' without charge to 90 days is a step in the desired direction for this. And as people are saying, 90 days won't be enough time to crack anything that's properly secured. In 90 days, our boys in blue, who don't really get this IT stuff very well, might perhaps be able to crack an UNENCRYPTYED drive. Not all terrorist suspects have hard drives, anyway. I guess they'll have to let the ones who don't go straight away.
It's never so bad that it can't get worse.
Holding someone for 90 days without charge, then finding their computer hard-drive didn't actually hold any incriminating evidence doesn't look too good. Is there anything that stops them looking at the hard drive after having to release a suspect? IANAL, but if your prima facie evidence is encrypted on a computer, what right have you got to arrest them in the first place?
The UK police may need 90 days to hold terrorist suspects because it takes that long to crack a suspect's PC hard drive
I write this as a 'Merkin, so forgive if I don't fully "get" UK law, but...
At the point where the police would waste 90 days of supercomputer-level CPU power on cracking an encrypted HDD, wouldn't they already have enough other evidence to charge the suspect with an actual crime, and could just ask for that 90 days as a delay before the actual trial?
The idea of the police making people dissapear for three months at a time on a whim scares the hell out of me. Suddenly sarcasm, or wearing the wrong clothes, or "driving while black" becomes punishable by three months in prison? Time to invest in prison/industrial stock...
The question is: why does it take so long?
answer: cause it is damn hard to brute force a 256-bit triple-DES or similar techniques
interesting what else they do to the harddrive in these 90 days
How come they can suddenly justify holding someone without charge, just because their investigation involves hard drives?
If 256-bit triple-DES or similar techniques are used then decryption could require supercomputer-levels of cracking
I don't think there IS a 256-bit triple-DES but that's beside my point. My point is, NSA recommends encryption technologies based on their uncrackability. This quote (not sure if it's bolstered by the article or just an encryption-noobs form of commentary since I haven't RTFA) seems to indicate that the NSA encryption formats aren't really uncrackable...
Point being, if you know what you're doing, it's possible to encrypt data in such a way that it can't be unencrypted forcibly; in 90 days or 90 years (barring the development of new code-breaking technologies in those 90 years, of course) Flip side is, it has long been suspected that the NSA doesn't approve any encryption that they don't have the ability to break in some reasonable time frame...
Just look at the export laws re: 40-bit SSL. 40-bit SSL was easy to break when the laws were first enacted. It wasn't until several years later that 56-bit and later 128-bit SSL was approved for export...
I am disrespectful to dirt! Can you see that I am serious?!
From now on I moo moo encode EVERYTHING!
Ouch. Technobabble at its worst.
a) Triple DES is 112-bit encryption.
b) If you are using strong encryption, like a 256-bit AES cypher, no number of supercomputers are going to 'crack' it, whether it's 14 or 90 or 900 days, unless it's a really bad implementation.
c) One would HOPE that the police would have evidence before they start impounding things. But this is about 'fishing' for evidence for 'suspected' terrorists. "You look like a terrorist, so we'll impound your things in the hope that we'll find something". So much for presumption of evidence (which I believe holds true in the UK as well.
Things like this make me sad. Just another way for the authorities to 'protect' it's citizens by making that sure they can see all and know all. Welcome to the Panopticon.
Why don't we just make it a crime to withhold passwords from the police, then you at least have something to charge them with without us having to bring back internment.
"Religion is the most malevolent of all mind viruses." - Arthur C. Clarke.
...I think we all know what the message is here: Encrypt your personal files, go to jail for 90 days.
More and more, according to law enforcement, encryption is considered only a tool of criminals. There have been a few cases like this in the US where a suspect's use of PGP or other common encryption has been used against him in court, even though no specific evidence was found encrypted.
vk.
hmmm ... say one raid 5 or two raid ones ... ... :P
they can keep you for a year (90 days =3 month, * 4 = 12)!!!
better just use -ONE- biggo disk then
Cracking@HOME
Comment removed based on user account deletion
You think that they can afford to hire some lunix rocket surgeon as a computer forensics expert on what the local PD pays?
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Technical slip aside (256bit 3DES?), to those who are complaining about the length of time needed to "crack" passwords or keys, I refer you to this past Slashdot article. Basically they can use information about the suspect to drastically reduce the time it takes to break a key.
I'm sure they meant 256-bit AES.
It seems police are actually trying to stop crime. That is not their job, and the legal system isn't suitable for the task. Police are there to deter crime, particularly by punishing wrongdoers.
When they actually try to stop crime before-it-happens, they must inevitably violate civil rights. And often incorrectly and by mistake. The result is not only a loss of civil rights, but some inevitable abuses that have a chilling effect on economic development.
These police don't understand that the easiest way to hack any system is with social engineering and not brute force. If you really need to look at the hard drive, just take the hard drive, clone it bit-for-bit, and then put it back. Ain't digital technology grand?
You have two hands and one brain, so always code twice as much as you think!
... Mr A. Terrorist doesn't own a computer? Let him out after a day?
...not to mention the impossibility to create the x + 1/3 bit keys needed so 3 equal values sum up to a power of 2.
Linux is not Windows
"You honor, we are going to have to hold the suspect for 2.154E+E122 years."
... use an OTP, of course. And will be held indefinitely since it is not possible to determine when the OTP has been cracked.
If you think Triple DES is secure, then I'm afraid that you're the stupid git.
Triple DES is what the NSA wanted one large well-known company to use in their oversea communications, back in the mid 90's, when said company had announced it was going to start using using more secure protocols. This was when PGP was still new (for most folks).
Representatives from the NSA met with the company, and explicitly offered them the right to be able to bid on some select government contracts if they used Triple DES instead. The company did so, and did indeed win those contracts.
If you don't understand the significance of that, you don't understand how this game is played. I doubt the U,K. needs 90 days if it really has to crack something under Triple DES.
And why would they use weak encryption? And why wouldn't they use deniable encryption schemes with hidden encrypted partition... You can't possibly PROVE there's something encrypted there. And even if you do, there can be so many nested hidden encrypted partitions... And what about steganography... I'm sure it can be done at the file system level, setting permissions on file, tweaking file names etc. Well ok, terrorists are not perfect, they might not know about all this, but still... one day they will.
\u262D = \u5350
Not to mention that 3DES doesn't actually use three keys, but only two. The way it works is that you encrypt with the first key, decrypt with the second key and the encrypt again with the first key. And the 8 parity bits do not add any security and are thus not counted, so no matter how you stretch it, 3DES only has 112bit keys (2x56).
I can *crack* a hard drive in 9 seconds!
You'll probably find that computer forensics people know about unix-style systems anyway. Anyone who calls themselves a computer forensics expert but doesn't know anything outside Windows XP is a joke.
the layman's guide to computer science
The police should not be able to hunt for evidence. A search warrant's sole purpose is to retrieve specific data (gun) from a specific location (bedroom).
We're living in a terrible police state. In my opinion, a crime should only be investigated by detectives when someone has been violated.
To me, talking about blowing up a train is no crime. Actually blowing it up is, but the victims must bring charges against the perpetrators. I'm sick of "The People versus" cases.
Terrorists who blow themselves up need no trial. Property owners have the sole responsibility to protect their property, not the cops.
All these laws are ridiculous. Even drunk driving is a non-crime.
---
It's a joke, son. -F. Leghorn
If the two keys are different, you the encryption phases are encryption + a "wrong" decryption (different key) + encryption again, which is much better than just a single encryption.
Details, of course here.
Why is the first response of slashdotters to this sort of story: how can we make it harder, i.e., how can we make our system harder to crack if The Law comes down on me ? :-o
Possible answers
1-I'm afraid they will find my p0rn.
2-I like the nerdy challenge of making my box as hard to crack as possible, for the same reason I like console text mode doom. Im a geek, sorry
3-I'm afraid they will wrongly persecute me. The NSA have got it in for me. Its not paranoia when they really are after you. There are hidden cameras watching me right now.
4-I am a terrorist
When the seagulls follow the trawler, it's because they think sardines will be thrown in to the sea
Geezzz. . . Hasn't anyone read "Digital Fortress" by Dan Brown.
YOU'RE WINNER !
Another lame blog
Once again UK lawmakers display their lack of technical knowlege and common sense.
Firstly, what they're saying is that they want to be able to arrest people on mere suspicion and then go fishing through their lives in the hoping of turning something up. This "he must have done something" attitude used to be alien to our legal system but seems to be increasingly common among the general public. I've been on a jury where several people wanted to convict without a discussion because "the police wouldn't have arrested him if he hadn't done something."
We've already seen how these sort of powers get misused and they also help to foster the climate of suspicion and hysteria that leads to more powers being requested.
Secondly. The UK doesn't allow torture yet, though it's probably coming soon. So all the authorities can do is lock them up if they won't talk. They can pass as many laws as they like that say people "have" to give them your keys. If you're a terrorist willing to die you're not going to be scared by the thought of going to jail for an extra few years on top of the mandatory life sentence you're going to get anyway.
There's no incentive for fantatics to cooperate with the authorities. Whether or not the information is in their head or on a computer they're not going to hand it over willingly so they can be charged with extra offences.
Ame
Under the RIP act, you're assumed to know all your encryption keys to any files they ever encrypted that are still extant. You're guilty until proved innocent (which of course is fairly impossible in this situation), hence are automatically considered a criminal.
For the love of God, please learn to spell "ridiculous"!!!
I think the key to this article is not the piece on encryption, but the piece on inter-county cooperation. In the states, it takes a long time for evidence to be approved by the proper authorities for analysis, just because the people doing the analysis don't want to screw up and have the evidence thrown out in court.
And as easy as it is to make fun of the police's analysis methods, my guess is most slashdotter's don't even know what it's like to process evidence for a case. It's not just "running automated tools" on some suspect's hard drive. It's getting to know the case, knowing what you're looking for and where to look for it. Many times it's the police themselves that are writing these "automated tools", which only present the evidence in a way less technical minded officers assigned to the case can understand. And what happens once you get that evidence? You have to try to fit it into the puzzle of the case. It isn't CSI, where you find some email detailing the crime that's digitially signed and the suspect confesses to writing it. Often times its finding some random piece of partially-overwritten text and having to see if it fits into the overall case.
And yes, most digital forensic labs can analyze your precious reiserfs/ext2/ext3/whatever file systems. In fact, I've never run across a lab that couldn't. So don't think you're 1337 linux system will be safe if it's ever involved in a crime. And if they don't have the tools to analyze them, they'll contact a department that does. That's how the real world of forensics works.
Next time you want to talk about a subject you blatently don't understand, do us all a favor and don't hit the submit button.
most stego techniques especially the image ones can be detected by comparing with expected cmos noise and/or lack or wierd jpeg or WAV artifacting in the bit streams. The better way is just to have pictures which look innocuous and plausible but the contents (ie, person hanging out on the beach) etc. mean something rather than actually trying to encode data bits.
This is precisely what the GP was alluding to
If you extrapolate it to "We get to hold people for as long as it takes to find whatever we're looking for on their hard drive", then they can argue for holding you for 200 years, depending how you might have hidden data on the hard drive.
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
Do you really want to rot in a cell because some MSCE can't figure out how to properly mount r/o and copy an ext3 file system?
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Some encryption schemes allow for plausible deniability, where you can give a password, but it's just the one for the wrapper, and you can have a hidden inside volume they can't prove exists. Check out Truecrypt, for an example of FOSS software that does this.
2. Store keyfile in a safe place.
3. Get a defective USB stick. Label "HD KEYFILE" in big red letters. Keep it on the computer desk at all times.
4. Get a 3.5" Floppy. Preferably from pre-1990. Wipe with magnet a couple of times. Label "HD KEYFILE BACKUP" in big red letters. Put on shelf next to computer.
5. Get a blank CD-R. Fill with PR0N. Label "PR0N + HD KEYFILE BACKUP". Mistreat CD-R a little (preferably adding some scratches on the inside. Leave in CD-Rom drive.
In case of arrest:
1. "Um
2. "What ?! It doesn't work ? Good thing I have a backup. It's on the floppy disk."
3. "What now ?! It's broken ? Good thing I have another backup of it on the CD with my PR0N colelction
4. "The CD doesn't work ? OH NO, ALL MY PR0N is GONE ! AAAAARGH !"
this is a BS claim because the 90 days is the time to be held WITHOUT CHARGE, but if your hard drive is encrypted and you refuse to give up the password then you can be charged for that. so there is no need for an extended period of time to hold someone without charge because of hard drive encryption.
Looks like we finally found someone to spit up a buck on their supercomputer.
just put in a sony audio cd and the box is p0wned
Err:
There is a physical argument that a 128 bit key is secure against brute force attack. It is argued that, by the laws of physics, in order to simply flip through the possible values for a 128-bit key (never mind actually doing the computing to check it), one would need a device consuming at a minimum 10 gigawatts (about the equivalent of four large, dedicated nuclear reactors) running continuously for 100 years. An actual computation - checking each key to see if you have found a solution - would consume many multiples more.
Source: http://en.wikipedia.org/wiki/Brute_force_attack
What we have here - is a failure to communicate..... huh huh uh hu .....
It's common practice for a local Blockbuster employee making $8 a hour, to have their personal hard drive computer secure with a $2000 piece of software that requires expertise to use and 90 days for a federal security agency to crack, isn't it?
If you're an average Joe, Hussar, Muhammad, John, Mary, Xi, Pieter, you drive a taxi for a living, or are a student, or you own a small convenience store, and arrested for suspicious activities, but your hard drive is encrypted with an expensive 256bit encryption software, maybe, just maybe, (a personal hunch) there is something you're hiding. Maybe.
Myself, a 25 year IT veteran, Federal Government manager, plus a dozen years experience military service in communications and electronics, my hard drive is wide open.
But then again, perhaps I'm being paranoid...or the 90 days are justified. As the saying goes, if you've got nothing to hide...
Hold them as long as it takes is my opinion, or they decrypt the hard drive for the investigators, which if they had nothing to hide, would mean they would get out in a few days.
Management is doing things right; leadership is doing the right things. - Peter F. Drucker
You could be locked up forever!
Test 1 2 3 4
Shami Chakrabati from Liberty made a very valid point. Holding someone for the equivalent of a typical 6 month jail sentence with no charge is a very good way to alienate that person and his/her community. How would we feel about losing 3 months of our lives, and after that, being released with "no charge". What would our employers think? What would happen to our houses, mortgages during that time? It's easy to think "90 days isn't so much", but think about what it actually means. Shami is great.
Get your own free personal location tracker
Unfortunately, this project seems to have died (coincidence?), but it provided deniable cryptography by filling an entire hard drive partition with encrypted data, arranged in ~50MB files. You could slice the drive in multiple ways, with multiple levels of encryption, and there was no way to prove that you had or had not provided all the keys used to encrypt the data.
It was so named because of the tactic it was supposed to protect data against.
Las qué passoun
tournoun pas maï
The key length is decieving because the real measure of difficulty is the size of the decision tree. Double and Triple DES doesn't add to the raw complexity in the same way a longer key does, I'll spare the math but here is the result: Triple 64 bit DES results in complexity: 2^64 + 2^64 + 2^64 where as a true 256 bit AES results in complexity: 2^256 Compute those and it will be obvious that DES is antiquated no matter how many times one re-encryptes it.
it has long been suspected that the NSA doesn't approve any encryption that they don't have the ability to break in some reasonable time frame...
This is definitely plausible if you believe in the rumoured quantum encryption and a few other such concepts. But I believe it was one of Phil Zimmerman's reasonings to release PGP, or at least a meme that developed from its release, that the more stuff that is encrypted the less effective decrypting becomes since even with advanced techniques it will still be too difficult to decrypt everything if everything is ecrypted.
If you not only incrypted important documents, but every file from your mp3's on up and also ran a program that randomly generates encrypted noise files so a harddrive has maybe 10 critical documents and 500,000 noise documents -- it would be sort of like throwing your shredded documents into the compost bin.
With this methodology, even if a file could be cracked in ten minutes, your still looking at over 9 years of work to find 10 documents. And say the files could be cracked in 30 seconds each you are still looking at 6 months of work and then however long it would take to analyze the noise from signal.
In the end, however, this sort of tactic would probably give a court a valid reason under this ruling to keep you locked up for a long time without any real evidence. Not like this isn't happening already. In the end it would sort of be a reverse tactic of wounding, not killing, the enemy -- the more techs that are busy trying to decode garbage and take care of pawns in jail the less enemy you have to deal with. And if people are willing to blow themselves up for a cause, I think it wouldn't be to hard to get volunteers for this sort of occupation.
All encryption methods where the sender or intended recipient are in custody are subject to cracking with a universal key. 'The 9 mm Key'. Other sizes may work but smaller sizes may require repeated applications and larger sizes are more likely to be messy.
All dark but true humor aside....
Everytime some learned computer scientist expounds on the difficulty of brute force cracking of large key encrypted data I get a bit of a chuckle because, aside from ignoring the above implied scenarios, they forget just how much money is spent in ways we'll never know to make tools tuned for this and only this purpose. NASA's budget is pocket change in comparison another agency similarly named but for the absence of one vowel.
- AC
In communist Russia, police encrypt YOU!
If you lock up a suspected terrorist for 90 days, and it turns out there inocent, if they didn't hate the country before hand they sure as hell do now.
90 days is just insane to hold someone without trial, or even a sniff of a trial.
Beating someone gets you answers today.
... but still can't find Osama shows how ineffective torture is at getting real information out of prisoners.
Sure, they may be the wrong answers, but they're still answers. You can report them up the chain of command. It makes you look like you're efficient at your task.
Cracking someone with psych takes time. Sure the answers you get are correct, but the information won't be as valuable as it was when you first captured the prisoner.
Besides, if the rest of the gang knows that one of them has been captured (along with the computers), they would (in theory) immediately drop or carry out any existing operations that the prisoner knew about and try to contact any of their people that the prisoner knew to tell them to find someplace to hide.
I think the fact that we keep "caputuring" all these "high ranking" al Queda people
When the police come and beat me up and demand access to my uber-encrypted pr0n, I will moan and sigh and whatnot and then I will either: 1. give them the key to the first layer of encrypted stuff, which happens to contain pictures of my dog and my secret love poems. Oh god, how embarassing. Needless to say the leet secretz are hidden under a second level of encryption, whose existance, unfortunately, cannot be proven (I love TrueCrypt); or 2. if I am sure they will simply type the key into the encryption program I use, give them the key that triggers self-destruction of the leet secretz. But I am sure they wouldn't do something so stupid and I've never looked into it anyway.
So, what was the problem again?
Global warming is a cube.
If you run Ubuntu on a laptop, it makes all kinds of funny noises minus the stick...
This is bullshit. The government will say *anything* to get this bill through parliament.
Why don't they just crack the bones of the person being held, I'm sure that :)
would make all their other related cracking requirments go that little be faster
if you know what I mean...
Arash
Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.
I can crack my harddrive in a split second by using a sledge hammer.
The future is in beta
Talking about inefficiency. Takes me about 5 seconds to crack a hdd with a hammer..
I think this sort of "holding" should be watched very closely because if you don't say or do what the police want, they might hold you a very long time while they "closely analyze" the files on your computer. This is the same excuse used to hold Kevin Mitnick for over two years, violating his civil rights. Terrorist, Revolutionary, Communist, and Hacker have all been tags used over time to give police carte blanche control over any individual. I'm not against special circumstances where international criminals should be held for greater than 90 days but this needs to be monoitored and, when violated, those responsible should be canned. Someone should not be able to take away 3 months of your life without a very good reason or without reimbursing you.
The police want to be able to detain terrorist suspects for 90 days without charge. This is probably a figure they pulled out of the air as a good starting point for negotiations, however Tony Blair has decided that whatever the police want they should get when the magic word is mentioned.
One of the justifications was that they need that long to decrypt and analyse data. In which case, it is already a crime not to hand over a password of encryption key when requested so you can get them in custody on that charge for that long.
The arguments for the 90 days are incoherent, but that's what we have grown to expect from our government, especially when it comes to civil liberties and/or technology.
What kind of luck would it be if the person not only encrypted his data but also had a code on the side for letters, numbers, symbols or other various characters. For an example "A" = "fg#44ds%91", "B" = "390aSGg0gf", "C" = "g&$-=3#5jf", and the word "CAB" would look like "g&$-=3#5jf fg#44ds%91390aSGg0gf", and this code is written on paper, or memorized for decoding. So when they police or who ever is cracking the code finally cracks it, that's all they'll see, then they'll need to get another set of personnel to crack that code. And what would happen if for further safety reasons, he did (as previously mentioned in another comment) the image display with brightness, contrast, colors and such to hide the code, as read only, with thousands of other images that were meaningless, and with this code above used... So how long will he be there if they find that out? 90 days? A few years? Life?
Quit picking on Canada. Half their population is full of pot smoking queers. They have enough problems already.
Uhhh, "If 256-bit triple-DES"?
There is no such thing as 256 bit triple-DES. Triple-DES is 168 bits. Can someone please check their statements for accuracy?
Brielle
In the US too?
Doesn't not giving up my password come under the right to not self-incriminate (5th Ammendment)? I mean it's not my job to make the government's case for them.
http://lkml.org/lkml/2005/8/20/95
No, that's not right. I think you're probably confused with the argument that Double-DES doesn't appreciably increase security -- because of a meet-in-the-middle attack, known plaintext attacks on Double-DES have complexity 2^56+2^56. That's why you never hear of "Double-DES" -- there's really no point. However, that's not true with Triple-DES, which is why it is used. As some other posters have pointed out, the complexity of breaking 3DES is around 2^112. That's unbreakable by a brute force attack using any conceivable technology. Your linear combination of complexities would be pretty easily breakable using something like the EFF's Deep Crack machine.
How many years do you have in the forensics field anyway?
When it comes right down to it, the quality of the examination relies upon the examiner. EnCase (the most commonly used tool) uses grep to perform searches. There are a lot of pre-built scripts, but to say that the tool is limited to searching Windows/IE/Office/etc is like dubbing a particular application as impossible because Visual Studio doesn't contain a wizard to accomplish the task. A good examiner has a wide base of knowledge that includes alternative software such as Firefox. It's not that difficult to alter/create your grep expressions to include files and data related to other programs.
Sounds like an encryption arms race, and one they are not likely to ever win.
Think Deeply.
So then you need a method of being able to hide precisely what is encrypted and what is not. Look around and you'll find systems for filling a file system with chaff files to make finding the real data more interesting. One I looked at ended up with a filesystem with all the files apparently the same size, with constantly changing timestamps and all apparently contain random data. This system then allowed you to apply keys to make certain files readable while leaving the rest as noise. The point of this is that even the empty file system is full of rubbish files. It is impossible to tell (without the complete set of keys) precisely what is really data and what is just generated chaff. This gives you a lever of plausible deniability - if you are asked for the keys to the repository, you can hand over the keys and let them at it. It would be difficult (never say never) to correctly identify encrypted files amongst the chaff which were not covered by the keys provided.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Exactly! One example of why /.'rs *rarely* leave their house to join the *real* world. And how many Western Democracies have secret agents blowing up their own populace at train stations or twin towers daily? Yes, lets do compare civilaztion with animals again, shall we?
If I ever become a member of organisation opposing some government (aka "terrorist" in propaganda terminology), I would have small blocks of single encrypted data file spreaded on a very large number of computers around the world, with a diskless station at home bootable from tiny sd card. Server hosting is cheap, in comparision to guns and mortars. One can even chew up a flash card to shred the keys, with a little damage to dents. But "they" will probably damage your dents either, if an emergency exit schema fails...
There you are, staring at me again.
I'm sick of "The People versus" cases.
I think you'll find here in the UK criminal prosections are brought in the name of the crown, not the people.
If I have nothing to hide, you have no reason to search me
this means uncle sam will make export of sony BMG audio CDs ilegal as a tool for hiding information ?
What ? Me, worry ?
Currently if I need to hide anything this is what I do:
Split any data into approximately 200-1000 pieces (with a memorized non-sequential order I don't write down).
Encrypt each of those.
Hide each of those files that I would appear to want to keep secret (statements, account spreadsheets)
Encrypt those files
Split them up again as per number 1
Then encrypt them again
Then hide again in innocent looking files (family pictures and whatnot)
(Or instead of the last step, I hide them in public domain ebooks or other random files renamed to porno files and upload them to p2p networks - so I can make sure that I can always get them back while wiping them off of my actual computer)
I figure if they can find, decrypt and reorder all the pieces properly they can have the info.
to squash a petty local riot when America takes all of 5 minutes with a few cans of tear gas. Man, it's amazing french women are even kept satisfied over there. You french men need to grow some nutz, step up, and beat some skullz in you wussies. Get your shit together over there. America won't save you again this time.
These are U.K. bits, so that is 256 American, or 300 bits Canadian.
Or 50,000 bit encryption if you watch Alias. About 2 weeks ago the claim was "The data is safe, I used 4096bit encryption". Using the new XOR algarithm no doubt =P (yeah PGP I know, I don't trust asymetric encryption no matter how many bits are involved.)
-paul
Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
Cracking a password means using the hash function to build a list of every possible combination of characters up to however long you want to look.
Cracking all single character passwords takes about a second. And so forth. It's just a matter of time to get all of the combinations of characters. But the time increases exponentially.
Cracking a message means you'll be cracking a LOT more characters. So you can brute force a message, but it will take years and years and years, depending upon the number of bits used in the key.
Just this message has 571 characters.
In existing cases the police can get the detention detained through the courts, so all this proposed 90 days does is give them longer before they have to ask a judge. Judges have already granted extensions to custody for terror suspects, and it provides more checks and balances for them to be required to do so.
The current situation is not "We have to let them go after 14 days" as a lot of people seem to think. It's "We have to ask a judge after 14 days to allow us to keep them for longer".
i suppose that's closer to the truth than some may think.
slightly ot: i noticed over the last years that orwell did predict some things indeed. as i see it, the usa IS a country dependent on war or something close to war (look at the country's budget) whith exchangable enemies (everyone's using the phrase "The Enenemy (tm)").
also phrases like "freedom", "democracy", "protection of rights" and "peace" are so often used in their opposite meaning that one may be tempted to think of doublespeak.
i know that the FA is about the UK, but the USA was always kinda archetype for the past 1900 europe, be it mcdonalds, so called pop culture or politics.
as a friend of mine (who actually is american) puts it when speaking about his home land: "a great country once..."
On second thought, let's not go to Camelot. It is a silly place.
"I now feel unsafe at expressing my discontent at the blairite regime"
If you were paying attention, you'd have noticed that lots of people have voiced their discontent about recent proposed anti-terrorist legislation. They don't seem to feel unsafe doing it. I don't feel unsafe doing it (and I work for the Government). I doubt that there's anything special about you that means that you should feel unsafe doing it, either.
Of course, this puts file sharers in the same category as terrorists. File sharers at most threaten evil monopolies, while terrorists threaten the security and lives of the citizens.
And thanks to the RIAA, these two groups begin using the same encryption tactics - providing encryption tools to terrorists in the worst case, and giving a lot of false positives (i.e. file sharers instead of terrorists) in the best.
Don't we love America? (flag moves in the background while patriotic music is heard - yes, this is sarcasm)
People, read some Schneier for layman's explanations of what crypto is, how it works and how it is cracked. Or read some Mitnick. The algorithms take essentially forever to brute force (triple DES, AES 128, 256 etc). certainly not 90 days. The cryptanalysts always attack the implementation, the key management or simply social engineer the keys out of someone.
And you probably voted for Mr. Blair.
They promised you security, if you gave up just a little freedom. And here you are.
I want to delete my account but Slashdot doesn't allow it.
Give me the job i'll have it done by 5.
Maybe we shouldn't be hiring minimum wages workers to do the task.
Guess they can't afford the salaries of qualified indiviguals.
So they hire people to work for less but then it takes 90 times as long.
I'm doing the math i don't see a saving.. Then again math are they using?
The comment would make some sense, if PGP and GNU PG were not free.
Care to reconsider that argument on that basis?
is simply bullshit.
...
... so good luck FBI ...
show me *any* supercomputer, beowulf cluster of supercomputers, or whatever capable of cracking 256-bit encryption in less than a few thousand centuries and I buy it, your price
i've read somewhere - and find it very plausible - that brute forcing a 256-bit key (meaning try the 2^256 individual values) would require more energy than the total output of the sun during its billion years life
If you make encryption illegal, that means the bad guys can't use it! Woohoo!
rubberhose allowed multiple levels of encrypted data, so that it would never be possible to find out what how many hidden/encrypted file systems were in the virtual disk. Moreover, you could set up a plausible-deniability virtual disk, with two passwords, one for normal access, the other which then triggers erasure of the more secret volumes.
the intention was to be able to send researchers into rogue/enemy nations, allow them to gather secret information, yet protect that information at multiple levels of secrecy.
Des uses 64-bit, really 56-bit. Correct
3Des uses 128-bit, really 112-bit. It's named 3DES because it does 3 DES encryptions with two separate keys (actually encrypt1-decrypt2-encrypt1). Doing it the obvious (enc1,enc2) way is insecure and can be broken in 2^56 steps (one keysearch) if you have a really big amount of memory, so it does EDE. The D part is there so that you can set E1 equal to E2 and use the same subroutines for 3DES and DES.
256-bit anything cannot be brute forced. Brute force requires that you iterate through every possible key. Now, according to thermodynamics, it takes kT energy to set or clear a bit, where k is Boltzmann's constant and T is the ambient temperature of the system. The coldest you can run it at is 2.3Kelvin (the ambient temperature of the universe). Any colder, and you need more energy to run a heat sink. So, merely to iterate a 256-bit counter through all it's values (never mind actually using an encryption algorithm) requires (2.3)x(2^256)x(k), which is a lot more energy than could be gained by blowing up the Sun in a nuclear reactor and converting it all to energy. So, no cracking of 256-bit keys.
Crappy passwords are another thing, though
There is a huge wrong assumption here. We shouldn't make the police's job easy. Catching criminals ought to be difficult, and surveillance ought to be expensive. This is one of the ways to ensure that surveillance does not become too pervasive, and that we remain innocent until proven guilty. Furthermore, if released "without charge", one ought to be entitled to compensation.
I believe it's called "Extraordinary Rendition". You don't get tortured by the CIA or any other western agencies. They just pass on the questions to the local guys that actually do the torture. Apparently they had a go at one guys 'equipment' with a scalpel.
---
We spoke for about a half an hour. I don't recall a thing we said. - Colorblind James Experience
IMHO there is a valid point that encryption will slow down investigations. However, the easy fix is to only apply this type of law when someone refuses to give up encryption keys. If the data is decrypted, there is no need for an extension. If a person does not want to give up the keys, they basically forced the extension on themselves. Unless you have some data that will get you in trouble, why not just give up the keys and give the police everything they need to see that you did not do anything wrong. If you are in the wrong, you broke rule #1 and 2.... If you can't be good, be careful. && Don't get caught.
You only live once, so you might as well have fun before you die.
Encrypted volumes within encrypted volumes.... that's a good idea!
In my scenario, yes you would have a separate key for each file. With the dummyfiles, you wouldn't even need to know the password. You would only have to remember ten keys for the important ten files and a variation of specific keys for less important files. People get really keyed-up on remembering short esoteric passphrases -- but what if they were using really long passphrases that were easier to remember and harder to crack(i.e. "1stgradeMr.JohnsonWasMyT3acher" -- that's a hard pw to brute force or even guess.)Or do a BibleCode where you use the first letter of lines 10-32 on page 89 of Moby Dick -- it's not too hard to make a mnemonic formula to follow that would be difficult to crack.
Windows may let you set up an encrypted volume, but as I recall (and this may have changed since I played around with it a couple of years ago) copying the volume to another directory loses the encryption therefore you cannot send an encrypted file to another computer without loosing the encryption.
It would be better to have the data destroyed itself if copied or a brute force attack is attempted.
It's a matter of how good your key is. 128-bit AES is good to the point that if you use a good key, it is essentially uncrackable. The government has approved it for use in encrypting secret data for that reason. It's going to be a long time before we have computing power sufficient to break it.
The weakness would be if your password was short. Even if it's not a dictionary word if it's short, like 6 characters, it doesn't take long to exhaust all the combinations and find it. However each character you add makes the difficulty go up exponentially. Let's say you have just an alphanumeric password with only lower case. That give 31 possible characters. That means that however long it takes to crack a 6 character password, it takes about 31 times as long to crack a 7 character password.
So let's say you can bust a 6 character password (and all smaller) in 1 second. That might even be reaslistic on big computers. That means it takes 32 seconds to try all 7 character and smaller passwords. Still trivial. However for 8 you are now at 16.5 minutes. STill no problem but man, that's a lot longer. For 8 it's 8.5 hours, 9 is 11 days, 10 is nearly a year (342 days), 11 is 29 years. So in just 5 characters it went from instant to totally unfeasable.
Now this shouldn't be used as an absolute reference, I'm talking total key searches not average times, and the orignal figure of 6 in 1 second is just made up. However it gives you an idea of the progression. Basically if you go to 12+ characters, espically if non alpha-numerics are in there, it becomes totally infeasale to crack, and each character you add makes it much, MUCH harder than the one before.
The only real weakness at that point is if there's a way your password can be guessed. Like let's say you are a total Linux head and your password is L!nuX_rU:3z!. Ok, on the surface, not a bad password, uses upper and lower case, has non alpha numerics, means the search space is like 80+ per character. At 11 characters, that's undoable basically. However, it's based on something that might be guessable. If you take the root phrase, "linux rules" and start doing permutations on that, you find there's not all that many you have to try.
But the idea that the police can crack good, long passwrods for AES encryption is just rubbish. Nobody can, or at least if they can, it's very, very secret. I mean the NSA (and basically every other cryptographer) has cast in on AES's strength to the point it's approved for secret government communications. If they are confident spy agencies can't break it, good luck to some random police department.
EnCase is a greate forensics tool. It is not, however, designed as an decryption tool. It's used to coax information out of a drive, using an exact duplicate (dd with a fancy interface) of the original, with a collection of tools that let it search through the data for whatever information you want (grep with a fancy interface). It also lets you use the target machine's configurations to run the target's software. E.G. If the machine you're analyzing has some kind of funky software setup, you can run the software as if you're in the target's environment.
.". The courts like "certified tools".
As I recall (I haven't used EnCase for forensics in over a year now) it's decryption tools were weak. If you didn't already know the keys, EnCase was unlikely to produce them for you. What it -was- good for, was reconstructing files that were deleted, combing through hidden directories for various data types, and doing it all in a forensicly sound manner that the US courts were willing to accept.
The advantage to it was that a forensic analyst in court could say "I used EnCase and I'm a certified user" and not have to go though explaining the details of "I mounted the drive on a write-protected bus, ran dd to create a duplicate of the original drive, and . . .
Of course, as others have pointed out, holding someone "90 days so we can decrypt their drive" is a farce. If the encryption is any good, they're not going to crack it in 90 years. If the encryption is crap, or the suspect uses weak passwords, they'll have it in a lot less than 90 days.
Never attribute to malice what can as easily be the result of incompetence...
More likely it's a tech reporter talking about things they don't understand. 3DES isn't 256-bits, for starters. However even if you are worried about 3DES, AES is quite secure.
by reports like this...
Are the police fighting to get some more budget right now?
If this were really happening, what would you think?
Never write anything down.
So you lose all your toes, and have your genitals fried off, because you *CAN'T* give them what they want. This is why torture is useless.
After all that, you *do* give them what they want... a confession and lots of information.
Sure, it's crap you made up in a delirium that'll waste hundreds of hours of valuable time that would be better spent going after actual criminals. But the White House parrots will claim this proves torture "works" anyways.
It weakens whatever key to be generated to the length of the paraphrase.
4 9867sn94tfuynose4475hg93qw6fik45ga2z.
I always use very long random bits to generate my keys, and memorize them.
Memorizing the front part is easy and the rest is not that difficafas asdfasdljceal;fa,xasflelpwr031`rfasfs3
afasjg3
Such a computer can break an ordinary (56-bit) DES key in 18 hours, 12 minutes and 16 seconds at worst. The average time to break a DES key on such a machine would be 9 hours, 6 minutes and 8 seconds.
To break a 128-bit key would require the computer to run for 2^88 seconds, or 9,813,705,283,528,192,184 years.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
So you lose all your toes, and have your genitals fried off, because you *CAN'T* give them what they want. This is why torture is useless.
But at that point they can be pretty sure that you don't have the information they are looking for. If you did, you would have given it up before you lost all your toes. So they can go off and do the same thing to the next guy and see if that works out any better. The fact that people get hurt in the process isn't a very big concern these days. Just claim the suspect is a terrorist and people will understand.
Since it's already a crime to withhold your encryption key when the police asks for it, you could say that holding secrets is now a crime. Given that they already know you have a secret, what is the difference between having a secret locked away in your head, and having a secret stored in an encrypted file? If you have to give up your encryption key so the police can check that your digital secret isn't anything illegal, why shouldn't they have the right to force you to tell them what else you know? Isn't that exactly what they are doing in all those "brutal" and "barbarian" countries that we claim violates human rights? Soon we will be no better. No better at all.
From what I can tell, this is an exclusively UK article, and the act that they reference about being required to hand-over keys is a UK specific one. Has anyone heard of any case in the US where someone has been compelled by the court to hand over their private keys, or worse the passphrase for them? I have not heard of such a law, nor a case where this was enacted.
To quote Mr. Prosser as the study of cryptography rolls over them: "None at all".
Here's the link to the Phonebook project. Now that FUSE support is in the Linux kernel as of 2.6.14, this should be easier to get it installed.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
TripleDES is 112-bit for standard (standard TripleDES does single DES encryption three times but with two DES keys, encrypt Key-A, decrypt Key-B, encrypt again with Key-A) or 168-bit for TripleDES 3-Key (replaces the 2nd encrypt with Key-A with Key-C in the earlier example). I'm betting you're confusing 256-bit AES and TripleDES up (generally considered to be in the same ballpark as far as cryptographic strength at resisting a brute force attack). I'm also betting I'm being nitpicky. ;) Not a first on Slashdot, I'm sure of that.
Your point is a good one though. Either A) the government and all the cryptography community is lying about being able to hack/crack TripleDES/AES-256 in a feasible amount of time or B) they're likely to never crack it except in the most dire of cases (they snatch Osama's personal laptop) where they can devote extreme resources to it. My guess is there's not many organizations that can brute force these algorithms in a feasible amount of time. Even trying a trillion keys per second (not possible currently) it would take 1.64x10^14 years to brute force a 112-bit TripleDES key (that's assuming on average you find it after checking half the key space, if you're unlucky it could take double that!)
The chances are astronomically in favor of discovering the encryption key via non-brute force means.
Just how long will it take to extract information from a drive that has been abruptly converted to the Melted Slag File System at the appropriate moment? Be creative with what to use for a trigger - a grenade-style pull ring, a dead man's switch (manual, or with an RF beacon hidden inside a wall that only transmits 1x hour, at random intervals), whatever. Perhaps there is no need to cook the entire drive - use 4096-bit RSA, store key and decryptor on a custom (FPGA) board connected between the drive and the computer, and deep-fry the board at the first sign of trouble.
The trouble with this entire genre of solutions, of course, is that you might be tortured to death in an effort to find the back-ups which you and your henchmen must surely have hid somewhere; or simply executed as an example (and/or out of frustration.) For cases where this outcome is likely, it is probably wiser to use a form of Rubber Hose Cryptography - a form of steganographic data storage where cryptoanalysis cannot reveal the number of different messages stored. Separate passphrases reveal separate plaintexts. The idea is to prepare something that will get the torturers off your back by revealing an incriminating and juicy yet not master-plan-foiling secret. As for the possibility of "you're free to go, sir" with a bugged system returned to you, any competent terrorist will use non-standard or tamper-evident hardware (the latter need not involve anything fancy - say, a simple current usage sensor on the keyboard port's +5v line, network/ide/scsi controllers glued in place, etc.)
Maybe back in the 19th that was the case, but today you'd be hard pressed to find them being treated any different from any generic white person.
It's bullshit. Nobody - even a terrorist - encrypts an entire 200GB hard drive. Even the CIA and NSA wouldn't do that. Hell, CIA head Deutch kept 17,000 classified files unencrypted on his home PC - so the Mossad could read them without having any problems, probably.
You encrypt the files you want encrypted and then hide them using steganography. In my case, that would mean searching 250,000 pictures of hot babes, and a few gig of Corrs videos, but that's it.
This is just an excuse to erode civil rights. Period.
It's no accident that the asshole in Australia is running the same game, and - oh, my, guess what - now they have a "terror alert" being hyped up there.
People do seem to learn from George Bush, don't they? Or maybe these assholes all share the same fascist DNA.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Day 1: Brought in suspects' computer. For the darndest reason it wouldn't turn on so Sgt. Morris and I went on a 2 hour coffee break. Upon return discovered that computer wasn't plugged in. It was getting late so stamped card and went home. Day 2: Sgt. Morris (who is more experienced than me) put the cd we use for scanning into the suspect's computer but it wouldn't load, no matter what we did. Went on 1.5 hour coffee break. Returned and eventually found out CD was inserted in upside down. Was late so stamped card and went home. Day 3: Managed to 'hack' into suspects' computer! Found suspect's 'dirty stuff' folder, and scanned it by hand for security reasons. After 4 hours was exhausted so called it a day and signed off early. (Note to self: Inquire about purchasing cat's outfit for Mrs. Winterton) Day 4: Suspect seems to have had an affection for fight games (note to self: Add "psychotic tendencies" to suspects portfolio). Played some 'Mortale Kombatt' against Sgt. Morris, who managed to beat me numerous amount of times, adding insult to injury by 'finishing me' in several gruesome ways. Ate sandwich, stamped card and went home. Day 5: Finally beat Morris at Mortal Kombat! Now we're getting somewhere! .......
If you behave yourself you are a lot more more likely to choke on your mcdonald's burger and die than ever be arrested or have anything to do with police or the justice system.
This is true. And this will always be true (and sadly misleading) as long as the definition of "behave yourself" (in the government's eyes) is allowed to get more and more and more restrictive.
Those whose lifestyle generally fits within the current definition of "behave yourself" (in the government's eyes) will rally, condescendingly, against everyone who isn't behaving just like they do. "Why can you behave yourself, just like I do?", is the cry. This attitude is not based in freedom -- it's based in intolerance and fear taken too far.
Who claim YOU can crack a file in a matter of mins or hours if you can crack the file and reveil the two methods of contact along with the text message and read/write the text message to the two contacts by Nov 10th, 2005 you will win $250 to a PayPal account and a brand new HP 3115 PDA. Here is the file: http://s4.11mbit.in/68nFp0u4174IbCnFhnsc9fFh0Fq91y 9e6CeOpeyHjp35x81O74fcD2Oz/00uLnkCI or http://tinyurl.com/b6fav
Happy Cracking Folks
Ernst Zundel was held in solitary confinement for more than two years without being charged. He was held on the pretext that he is a threat to national security - using a security certificate signed by Liberal MP Anne McLellan.
The real reason he was put into jail is because of his unpopular views questioning the extent of the jewish holocaust and his alleged political beliefs. Ernst Zundel has been a graphic artist & designer for most of his 40 years as a citizen in Canada. His historical review of the jewish holocaust was limited to a role of publisher & distributor. Not a real security at all.
His "trial" in Canada was a complete farce. The prosecution was allowed to use hearsay and double-hearsay as evidence. "My friend said," or "my friend's friend said..." was allowed to be admitted as evidence. The defence was not allowed to see most of the evidence the prosecution submitted. How can you defend yourself if you don't know the allegations? There were secret meetings held between Mr. Justice Pierre Blais (the "judge") and the prosecution. Mr. Blais was not interested in hearing what the defence had to say, and even mention he had 'made up his mind' before the trial was over. The defence tried to have Justice Blais recuse himself for bias several times and Blais refused. All requests to the Canadian courts asking to enforce Habeus Corpus were denied.
Zundel, a citizen of Canada for over 40 years, has been deported to Germany where he has been in jail awaiting his "trial" for several months now.
Now, I can see key lengths increasing - hashes are up to 512 bits, so 512-bit keys would seem a logical step. NIST are researching encryption modes that provide a much higher level of security, and this is another area I see getting a lot of attention in the future.
So encryption is definitely not a dead subject and I think AES will be seen as naively weak in the sort of timescale you're giving (a century or so). Even Serpent (another AES contender) is only rated as secure for another 50 years unless the algorithm has been broken before then.
Multi-pass encryption with multi-pass modes that are tamper-resistant and repudiation-resistant would seem the next logical step in encryption technology. Multi-pass is good, because encryption algorithms don't randomize sufficiently and it is often possible to extract some contextual information.
I also think it likely we'll move away from symmetric ciphers to asymmetric, provided a good parallel algorithm can be found. CPU cycles are cheap, these days, so the old excuse that public key encryption was slow is no longer so valid. A solid parallel algorithm would demolish that reason altogether.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It makes sense, in a certain way: if you don't have proof that someone is guilty, but you believe the encrypted data contains the proof, you simply pass a law allowing people to be held until the encryption is cracked. The better the encryption, the longer people will be held, and if the encryption is uncrackable, they'll be held for a lifetime. The only way to get out? Unlock your encryption voluntarily. If you're innocent, you get to walk away, and if you're guilty...well, presumably you wouldn't unlock your encryption, on the off-chance they'll give up. So now a reasonable case can be made that anyone who won't voluntarily turn over their encryption key MUST be guilty, as if they weren't, why would they submit to being held until/unless the encryption was cracked?
Read "Practical Cryptography" by Bruce Schneier.
... you get 16 characters. Or, to put it in context ... you'd get "Read "Practical " from the beginning of this message.
Yes, the message is broken up into blocks. But each block has to be cracked, individually. And the lookup table is 2 to the 128th and each element is 128 bits.
So, if you manage to brute force one block
Now, for an educational experience, I want you to post what 2 to the 128th would be.
1
2
4
8
16
32
64
128
256
512
1024
now you take it. Go ahead.
(You do not have to testify in your own trial -just, if called on to testify against someone else, you must talk.)
Obviously, you are then at the mercy of the judges who decide if the evidence presented at your own trial actually followed from that testimony. And, you don't have to talk to the cops.... AFAIK, it's still not obstruction unless you withhold physical evidence or actually mislead the police.
However, "Lord" Black of Hollinger Inc. fame is arguing that his testimony should not be compelled in a Canadian court because American justice officials can then take it and attempt to extradite him to the USA to stand trial for nefarious conspiracies. (The Canadian evidence rules don't prevent foreigners from using the info, I guess - American, Syrian, or Egyptian...) Still waiting for the decision on that one, but the general attitude seems to be "we don't care about your USA problems..."
Marvellous. So here's how "the bad guys" (tm) will fool the coppers.
:)
1 Buy computer with big hard drive.
2 Get geek to store loads of "nonsense" data encrypted with as strong a key as possible (i.e. shopping lists, lists of birthdays, stuff from encyclopedias)
3 Store "bad stuff" (tm) in head only.
4 Get arrested, claim you "were wondering what all those junk files were" and wait 90 days whilst the forensics bods decrypt the useless data.
5 Get let out.
6 Profit !
(yes I admit it this is a piss poor version of the Slashdot "profit" post
Sky subscribers are morons. They pay to be advertised at !
So are the owners of said harddrives keeping encrypted files on them AND refusing to open them for review? Seems a bit silly if your choice is:
1) open it and show the authorities or
2) leave it locked and wait in jail while they crack it open.
If the people they are holding don't have access to the files, seems to me they need some better evidence to hold them on. I wouldn't approve of my person being held for 90 days because some harddrive I don't have access to MIGHT link me to a crime.
According to the police spokesman the HDs where locked with an obscure encryption tool named ReiserFS.
Fabio Aquotte
To cut them a little slack, some of the reasons that they want new extraordinary powers written into the laws is that in the fight against the Irish, they often just ignored and violated laws about police procedures and generally got away with it, whereas today there's more visibility, more television publicity, and more European political concerns about human rights, so they want to make sure that when they're doing extraordinary violations of people's civil rights that they've got laws to permit them to do so.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
For argument's sake, lets compare this 90 days in confinement to crack the HD to XX amount of time of extraordinary rendition (ie. government condoned torture).
Confinement:
* Lengthy process
* Hardware and Keeping-Up-With-the-Jones investments in (cryptology) technology
* Various specialists and bureaucrats
* Confinement costs
* Innovative technology shift could make policy failure-prone
Extraordinary Rendition:
* Quite probably illegal under international law (which undermines our credibility to enforce international law)
* Moderate costs (flight, personel, etc)
* Creates dependency on undemocratic regimes
* False-positives don't risk mission success
* Likelihood of faster than 90 day turn around much higher (perhaps reduced to hours or days)
* Possible torture of someone who truly doesn't know passphrase
Any other options besides these two?
Because it looks like status quo is the winning choice. That would be choosing both. You can even publically say you are for confinement only, and then secretly use extraordinary rendition when it suits your national-defense purposes. Also, this may avoid sticky international objections.
Maybe I'm not objective enough.
My current work involves building a novel filesystem, that as a natural consequence of the filesystem design, will not copy to an ext2/ext3/reiser filesystem without lossage. When I am done, they can chew on it.
What about encrypting data in an two-part archive which has two keys: one real key, which unlocks the sensitive data; and one fake key, which unlocks non-sensitive data, such as a collection of porn.
Then if the police bring you in and demand the password for your "suspicious encrypted terrorist archive", you just tell them the fake password and they unlock your harmless porn without even realising that there is other data still hidden.
One flaw in this might be the file size - if they opened a 100MB file and only found 50MB of porn, it might raise questions. But by using compression, this flaw could be rendered invisible, for example if you have 100MB of porn and 100MB of sensitive data, and compress each by 50%, you can store it in a 100MB archive and the sensitive stuff will be undetectable!
A recent article I saw compared the terms "-American" with "French-", such as French-Algerians. Over here, if you're a hyphenated ethnic group, the noun part is that you're an American and the ethnic group is a description. In France, you're still an Algerian, you're just in France. To some extent that's unfair; the large Algerian and Moroccan populations in France are mostly more recent immigrants from the ex-colonies, while the hyphenated-American terminology started largely applying to groups that had been here a long time (though it's also used for more recent immigrants.)
And the term "African-American" is largely asserting "hey, were're just as much part of mainstream America as you Irish and Italians, so stop calling us ." A couple of my friends do enjoy bending minds by identifying themselves as African-American. One's a blonde guy who was born in Zimbabwe; another's an older Afrikaaner.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
And yes, most digital forensic labs can analyze your precious reiserfs/ext2/ext3/whatever file systems. In fact, I've never run across a lab that couldn't. So don't think you're 1337 linux system will be safe if it's ever involved in a crime. And if they don't have the tools to analyze them, they'll contact a department that does. That's how the real world of forensics works.
I know the current state of forensics here in Norway (a high-tech nation), and it's that the police don't have the capacity to analyze machines used for kiddie porn, which bloody well could be automated against a hash database to catch 90% of the people with 90% of the pictures. This is your plain Windows-machines with no encryption. Sure, they might have the capabilities but I doubt they'll ever get to use them unless there's some high-profile murder/robbery/drugs/economic crime case. XOR "encryption" or pig latin might easily be enough, using Linux might in itself be enough. The police is looking at volume. Catch the majority, and then the odd case of the outliers to deter them. It's rather obvious once you see past the impression they try to give.
Live today, because you never know what tomorrow brings
Informative my ass. How about INCORRECT?
Yes, lets! The US has 2m people behind bars, approximately half for minor drug offenses. That one million extra prisoners is an equivalent loss-of-life to 20,000 casualties each year. And also generates terror.
They will check your computer, and every computer you have for all of the applications. If you have an application that does stenography, then they will know to check all your pictures on your computer.
Don't tell me that if you regularly exchange stenographically encrypted pics that you won't have an encryption/decryption program lying around on *one* of your computers. Even if you install and then delete it every time (unlikely) there will still be traces of it possibly in the registry, file system, etc.
What, so now that I do encrypted backups onto removable USB drives using Windows EFS, I'm at risk having to explain myself every time I cross the US border (I'm Canadian)? What's next? VPN software? SSH? SSL'd bookmarks in my browser?
Write your own algorithm and use some section of Pi as your key. This way you can more or less safely forget the key and when law enforcement demands your key you can honestly say "it's four thousand characters long and I didn't memorize it." But then you know that starting at decimal digit 05201974 (which is your brother's birthday, or whatever, transcoded into a string of digits representative of the offset in Pi that the key can be found at) and for the next four thousand digits is the key. You know something which can get you the key, but you don't know the key itself. It's kind of like not having a housekey but knowing there's one under the doormat.
As for the algorithm, I don't know much about encryption but I came up with something a while ago that seemed interesting to me because it almost guaranteed randomization of data. Basically, the file would be sectioned into "chunks" of some size (determined by the key) and then each chunk would have its bits cycled (shifted either left or right, wrapping around) a certain number of times (which is not an identical amount for sequential chunks). In this way, sequential occurences of the same word or phrase in a text document would not likely look anything like one another, especially if each chunk is an obscure size like, say, 13 bits, or 67 bits, or 974 bits. Using a value that is not a common data storage value also lends to the scrambling. That is, don't scramble bytes or words or doublewords, but 3/4ths of a doubleword or 7/8ths of a byte. Maybe conventional encryption already works in this fashion, I don't know. Like I said, I don't know much about encryption.
By using your own encryption algorithms and by using a key which is so unimaginably large that you just couldn't possibly memorize it (maybe it's the first two paragraphs of Moby Dick, maybe it's the entirety of Genesis from your King James Bible, maybe it's the Declaration of Independence) you ensure that they aren't going to get at your data anytime soon.
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
256-bit anything cannot be brute forced.
It sounds funny, but it is true. Check out Boltzmann's constant. Quote: "Given a thermodynamic system at an absolute temperature T, the thermal energy carried by each microscopic 'degree of freedom' in the system is on the order of magnitude of kT/2" The Background Radiation is at 2.725K. That means any action will use at least 3.76227207 × 10-23 joules. You have 2^256 = 1.15792089 × 10^77 possible keys, which gives 4.35641342 × 10^54 joules. The sun's mass is 1.98892 × 10^30 kilograms, which by E = mc^2 means 1.78755215 × 10^47 joules. This would mean 24 370 832 stars like the Sun, which would be far more than all the stars you can see with the naked eye. And all would have to be converted to pure energy, not fusion. If you want to do it by fusion, you have to blow up the galaxy.
Live today, because you never know what tomorrow brings
"Next time you want to talk about a subject you blatently don't understand, do us all a favor and don't hit the submit button."
:)
but you're new around here, aren't you?
So, merely to iterate a 256-bit counter through all it's values (never mind actually using an encryption algorithm) requires (2.3)x(2^256)x(k), which is a lot more energy than could be gained by blowing up the Sun in a nuclear reactor and converting it all to energy.
Not quite that bad. According to Schneier's calculations in Applied Cryptography (which is where I'm sure you got this statement from), (2.3)x(2^256)x(k) is approximately equal to the annual output of Sol. So you don't have to blow the sun up... just construct a Dyson sphere and use the energy output for a year to run a perfectly-efficient counter and you'll be able to iterate through all 256-bit keys. Grab the output from a few dozen more suns and then maybe you can actually do the trial encryptions as well.
Reversible computing may improve that significantly, but the bottom line is that unless the attacker has some way of either finding out information about your key, or has a better-than-brute-force algorithm for breaking the cipher, stuff encrypted with 256-bit AES is safe from *anyone* for a very, very long time. Most likely forever. As Schneier puts it, "Until computers are made from something other than matter and occupy something other than space, 256-bit keys are secure".
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Thats why you can rig ur hard drive to a small explosive charge that destroys enough of the hard drive yet creates only a small puff of smoke come out of the computer. maybe a reverse charge in an internal capacitor of the hdd could do the trick.
The discussion of encryption radically increases the bogosity of their arguments - if something's encrypted with a decent algorithm, and they use decent passwords, the police will *never* be able to decrypt it, not in 90 days, not in the lifetime of the prisoner, and not in the lifetime of the planet unless quantum computers actually work magic some day in the misty future. Translation is something that could take time, but basically that means that if they want to arrest people who speak languages other than English, they need to hire some people who can speak Arabic and maybe Farsi, Urdu, and Dari or Pushtu; it's not like Southwest Asian languages are any worse than Gaelic (to the extent that IRA terrorists were actually native Gaelic speakers.) If they do a quick search of the computer and find that it looks suspicious enough to require holding somebody, they can get a warrant then, rather than saying they should be able to hold everybody for 90 days with no warrant just in case their computers are hard to wade through.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
How about this for a pass-phrase: "I have knowingly and illegally downloaded mp3 files and DVD movies" or non-humorously "I committed terrorist acts with Bob Jones and Ted Smith".
While not relevant to a UK terrorism investigation, I should have the right as a US citizen not to incriminate myself by releasing this statement. The state could then check if I've committed that crime.
It's not a bad idea actually. I could release it under seal to the court if forced and appeal it's release to the prosecution and investigators for a VERY long time.
As a security consultant and privacy advocate I wouldn't mind holding that fight (but would perfer not to have to bother).
Its not users who are broken, it's systems not taking account their likely behaviour and fixing it technically.
How they going to crack AES in a lifetime?
I never go unter 2048 bit AES for encrypted drives.
Fuck the performance!
Performance is irrelevant if you have to make a descision whether your data is *REALLY* secure!
This document is well-formed RANT 1.0
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Where is my wonderful XML?? No html-special-chars-encoding on slashdot? How poor is that?
okay, here we go:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE rant PUBLIC "-//cyberworldz//DTD RANT 1.0//EN" "http://cyberworldz.org/dtdns/rant.dtd">
<rant mode="Cartman with xx-eyes" clue="possibly-zero?" xmlns="http://cyberworldz.org/dtdns/rant" xml:lang="en">
I never go unter 2048 bit AES for encrypted drives.<brawl/>
Fuck the performance!<brawl/>
Performance is irrelevant if you have to make a descision whether your data is *REALLY* secure!<brawl/>
<div xmlns="http://www.w3.org/1999/xhtml">
<p><a href="http://cyberworldz.org/validate.hs?referrer
</div>
</rant>
(This message was submitted containing the p- and the pre-tag but as "Plain Old Text". All plain-text-tags filtered out and the p-tags work? How odd is that?)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
"So don't think you're 1337 linux system will be safe if it's ever involved in a crime."
I think my dm_crypt mounts with AES256 should be reasonably safe. As should the similarly protected swapfile.
What about that? my doneky* just returned tons of results for EnCase.... If ther will be anyone wi is interested in looking if it's not a government trojan? *scratches his dark tinfoil helmet with mu-metal-layer*
* to government: of course i mean the *animal*. stupid beast, how could it...!
Any sufficiently advanced intelligence is indistinguishable from stupidity.
(this is a long line added solely to get past slashdot's way, way stupid lameness filter which is telling me that I have too few characters per line, and it is bullshit like this that caused me to stop subscribing, so think about that, malda: you pissed off paying customers, and for no gain (i.e. there is no reason to want to prevent me from posting these init scripts), and in the process, made slashdot lamer by making people add noise to their messages. the lameness filter INCREASES lameness.)
(this is a long line added solely to get past slashdot's way, way stupid lameness filter which is telling me that I have too few characters per line, and it is bullshit like this that caused me to stop subscribing, so think about that, malda: you pissed off paying customers, and for no gain (i.e. there is no reason to want to prevent me from posting these init scripts), and in the process, made slashdot lamer by making people add noise to their messages. the lameness filter INCREASES lameness.) (need more penis birds)
this is /etc/init.d/mounthome:
(this is a long line added solely to get past slashdot's way, way stupid lameness filter which is telling me that I have too few characters per line, and it is bullshit like this that caused me to stop subscribing, so think about that, malda: you pissed off paying customers, and for no gain (i.e. there is no reason to want to prevent me from posting these init scripts), and in the process, made slashdot lamer by making people add noise to their messages. the lameness filter INCREASES lameness.)
and this is /etc/init.d/swap:
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
This argument has already being raised by the Commissioner of Police in the UK and was publicly shown to be bogus on-air on Questiontime. An opposition politician pointed out that if you fail to produce an encryption key when asked, you can already be charged with that as an offence. It is therefore completely unnecessary to generally extend the detention to 90 days.
Please mode up, this is very important information!
Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
They'll just shoot you on sight - its faster.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Hah! It can make you overconfident and reluctant to preview, however. Better formatted version below:
;)
The human mind is ridiculously good at remembering relationships, people, stories. The key is to find a translation between this sort of memory and raw numbers. Therefore you create or acquire a system of representing numbers as people or items and then remember the sequence as a story or relationship between them. For example, the digit '0' could be a saw, the digit '3' could be yourself and the digit '9' could be a beach, five a policeman, 2 Noah of Noah's ark fame. Thus the sequence 30952 becomes a brief tale of you using a saw to build a beach hut when the police arrive to arrest you for building without a permit, but you're rescued by Noah in a speed boat (Eddie Izzard references get you bonus points). Once you're familiar with the standard items that occur in a story, you can rapidly turn it back into number as you write/type/recite.
That's a basic illustration of how you do it, but systems can be much more sophisticated and easy to use. For example, the system that I use ties the first thousand digits to vision and the three hundreds relate to 'Moonlight.' 52 relates to a lane. Therefore I only need to remember walking down a moonlit lane and that's five digits already. It's not as complicated as it sounds, because there is a logical sequence for associating numbers with items - e.g. '1' is a t / d sound. So the sequence 10, 11, 12, 13 is Daze, Dad, Dan, Dam. Note that the second syllable is tying back to the same sequence so '0' our (z)saw makes 10 Daz. '2' our Noah makes 12 Dan. Similar logic underlies scaling it to hundreds and thousands so it's actually easy once you've memorised about 20 associations and you can certainly manage that.
Like anything, it takes a little practice to do it quickly, but a few days or a week of using the system and you're not bothering to write down phone numbers anymore. When I started it, I was worried about my brain getting overloaded with numbers. I now realize how stupid that was - I've been memorising things everyday of my life - attaching a translation key so that some of it can be turned back into numbers makes no difference.
There are several different systems. I personally used Tony Buzan's book here to get started. It pads out the book with a lot of stuff you don't really need and I don't think some of the extended stuff works. But you're getting it for the key system for memorising numbers and it works fine for that. There are probably others out there.
Your system for song lyrics is fine, but if you talked about your method or another password using the same system was compromised, then it would be trivial to test all other passwords for the same principle.
Hope this helps,
-H.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
Bearing in mind, that some encryption like AES or Twofish, are nearly impossible to crack during a lifetime, UK police should give a choice to suspects - shoot them immediately, or wait until data will be decrypted. That would be fair.
But the Guilford Four are member of the IRa and where terrorists, this has subsequently been proven beyond any reasonable doubt. They were released because they didn't get a fair trial not because they where innocent.
Shami Chakrabati from Liberty made a very valid point.
No. Claiming that 90 days = 6 months is 100% wrong.
Holding someone for the equivalent of a typical 6 month jail sentence with no charge
You only get a 6month Jail sentence if you are convicted, apologists for criminal like Liberty and Justice and the Prison reform league have already broken the criminal justice system by getting most criminals released early, so they can do more crimes, and they get another legal fee for defending them again. They are looking after their own interests not the innocent, not the victims, not society.
is a very good way to alienate that person and his/her community.
They are already alienated which is why they are trying to blow people up and introduce a society where YOU would have no right at all, where you can be stoned to death without trial for for adultery, beheaded on the say so of a mad mullah. It's a pity people like you don't think about defending the free society we have.
How would we feel about losing 3 months of our lives
They should be thankful they don't lose their lives full stop.
and after that, being released with "no charge".
They only reason this happens is because the criminal system is already broken because of crooked defence lawyers lie & suppress evidence.
What would our employers think?
No smoke without fire.
What would happen to our houses, mortgages during that time?
Very revealing that you use the term our. It reveals your true alligence.
Shami is great.
Shami is scum.
The proof comes from intelligence that our security services don't want to reveal in court.
That's why I wrote a custom encryption method which allows for multiple correct keys. Once you enter a key, a 1 byte hash of the key is used to find an offset holding the data. So you can have up to 256 different keys, all accessing different data. Random data is used to buffer the file to a specified length.
Besides, what do they do if you forgot the password? I've forgotten some of my passwords for my older files. Plus, since most of my encryption programs also rely on a "key file", if that file got lost, I can't access the data even with the right password. (Happened to me recently!)
So when they ask where you buried the bodies, you have to say "in the basement" since that's not testimony, but finding the bodies is?
"That's so plausible, I can't believe it!" - Leela