Slashdot Mirror


Police Need 90 Days To Crack Hard Drives

Twyko64 writes "The UK police may need 90 days to hold terrorist suspects because it takes that long to crack a suspect's PC hard drive." From the article: "Combining the analysis, the translation and second stage analysis, add inter-country co-operation and interview strategy formation, and from the police point of view, the existing 14 days is inadequate and 90 days doesn't look excessive. Another factor is encryption sophistication. If 256-bit triple-DES or similar techniques are used then decryption could require supercomputer-levels of cracking."

49 of 693 comments

  1. 90 days, eh? by BushCheney08 · · Score: 5, Funny

    Nothing for you to see here. Please move along.

    Hmmmm. Guess I'll come back in 90 days for the dupe...

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
    1. Re:90 days, eh? by Anonymous Coward · · Score: 5, Insightful

      I hope not. Holding suspects for any amount of time without probable cause is bullshit. A hard drive whose contents are not decipherable (as yet if ever) is not probable cause. It is an unknown. If the police do not have reason to hold an individual aside from a hard drive of unknown content, the police do not have reason to hold an individual.

    2. Re:90 days, eh? by Don_dumb · · Score: 5, Insightful

      Mod that comment up
      If they don't have enough proof to charge someone after even a couple of days, why are they so sure someone is a suspect at all?
      They must have some reason to arrest someone in the first place and I sincerely hope that reason is based on a collection of very compelling evidence. At which point they can charge him/her and have as much time as they want anyway.

      --
      If this were really happening, what would you think?
    3. Re:90 days, eh? by kilodelta · · Score: 4, Insightful

      Encrypting a drive is enough for probable cause.

      In the twisted logic of the law enforcement game, pretty much anything can be used as PC.

      Put it this way, when I worked for the state AG's office all we'd need is the slightest whiff and the next thing you know we would be hauling out paper records and computers, servers, etc.

      And in the U.S. we have secret courts that will issue warrants with virtually no burden of proof. How do you like those apples?

    4. Re:90 days, eh? by mikerich · · Score: 4, Informative
      I sometimes wonder if the evidence is along the lines of 'looking foreign with possession of, or intent to grow, a beard'. From The Daily Telegraph (27/01/05):

      That police activity has been considerable. Since September 11, 2001 to the end of last year, 701 people have been arrested under the Terrorism Act 2000, which requires only "reasonable suspicion" to arrest. Most have come from various branches of the Muslim community - either North Africans, who were the subject of most arrests in the immediate post-September 11 period, and Middle Eastern Muslims, or British-born suspects of Pakistani origin.

      However, only 119 of those arrested were charged under the Act. Of those, 45 were also charged with offences under other legislation. A total of 135 others were charged under other legislation, including charges for "terrorist offences that are already covered in general criminal law such as grievous bodily harm and use of firearms or explosives". There have also been a number of fraud cases.

      Of the rest, about 60 were transferred to immigration authorities and 351 were released without charge. Only 17 individuals have been convicted of offences under the Terrorism Act and there have been "lesser" convictions, either Irish-related or as a result of membership of proscribed terror groups.

      There have been no convictions of alleged Islamic fundamentalist terrorists for the kind of readily understandable "direct" terrorist offences, such as bombings, shootings or possession of explosives and guns, which characterised the years when the Provisional IRA attacked the mainland.

    5. Re:90 days, eh? by dswan69 · · Score: 4, Interesting

      I do think they should pay full compensation if nothing comes of their investigation. A detained person can't work, and will quite probably also lose their job. Given the police force's tendency towards extreme paranoia and abuse of power, especially when given sweeping powers, the government must be willing to pay up, and pay up big, anytime they make a mistake.

      Maybe we should start differential taxation - if you support extended imprisonment without trial and excessive police powers because you think it will make you safer, then you must also be willing to pay extra for it. I don't want my taxes wasted on this game of idiots.

    6. Re:90 days, eh? by Anonymous Coward · · Score: 4, Insightful


      As you say, these people have been arrested but not charged. The relevant point is that people should not be arrested without charge. For anyone who hasn't really considered it, 90 days is a long time and for anyone who has never been in prison, I would suggest it works on a similar principle to rape or a violent assault - it is a sudden message from another that they can do what they like to you and you can't stop them. Anyone who has been inside in a proper prison will at least understand where I'm coming from. I don't mean this as a disrespect to rape victims either. Being grabbed off the street and locked in a room, suddenly cut off from your friends and family can be a terrifying experience and the police don't need "torture" to scare you. Just being told you're going down for "terrorism" and they'll take the next fifteen years away from you if they so please? Just a few days can scar you terribly (google for the Stanford Prison Experiment). Ninety days? You don't want to go through that.

      And all this, they can do just because they want to. They can do it to scare you, they can do it to punish you and they can do it all without any evidence at all.

    7. Re:90 days, eh? by Parity · · Score: 4, Informative

      Err, we have both. The prior poster was referring to the patriot act provisions that allow for closed hearings held in an undisclosed location with an unpublished docket. Supposedly they aren't entirely secret in that they're supposed to reveal what they've done some amount of time after the fact. Unless a motion is granted to keep the information secret for longer due to an investigation still being 'ongoing'...

      Of course, that's supposed to be only in case of terrorists, ordinary criminal cases are supposed to be tried in ordinary open courts (although even there, the court can seal entire hearings so all you know is that the police made a motion before a judge at a particular time and place, not anything about the content of the motion. In wiretap warrants, for example, so as not to tip off the person to be spied on.)

      --
      --Parity
      'Card carrying' member of the EFF.
    8. Re:90 days, eh? by h4rm0ny · · Score: 4, Insightful


      The thing that did my head in in the USA, were all the people who were convinced they're Irish. I'd get some guy there tell me in a pure american accent that he was Irish american? How are you Irish, mate? Were you born there? Do you have an Irish accent? Citizenship? Read Ulysseses? What?

      In fact I met almost no actual americans, only hyphenated americans. When someone found I was from Europe, she introduced herself to me as a German-American. So I started talking in German to her and she didn't understand a bloody word. But she said her "Grandad would understand it." I met a guy over there from Mozambique. He said the thing that annoyed him most were people who said they were african-american. It pissed him off because they didn't know a damn thing about africa. It makes NO SENSE! If you're born and raised in America, you're american. Culture is not transmitted genetically and nothing that is makes a bit of difference to who you are.

      So if the parent poster is born and raised in Ireland, then he can continue to rant about discrimination. If he's another hyphenated-american, I'm not interested.

      And I'm Welsh, btw, and we're the Irish who couldn't swim. It's like anything else - if you let something bother you, people will use it. If you're proud of who you are, they can't.

      --

      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    9. Re:90 days, eh? by ninjagin · · Score: 4, Interesting
      You've made some good observations, and I think I can help you a little bit with your confusion about how Americans describe themselves.

      There was a time, around the mid-1800s, when Americans would identify themselves as just that -- Americans. This was back in the early days of the republic, and there was still a cultural (and sometimes a real) memory of the war of independence. Self-identification as American was part of the pride.

      Now, back then, there were self-identified Americans who were actually born in France or England or Germany. To anyone else, they were French or British or German. Their kids, not having any personal experience of the family-homeland, also identified themselves as Americans, though saying you were British-American or French-American or German-American wasn't really an option, since all American families actually hailed from somewhere else in the past. Assimilation (the melting pot) was a very powerful force for white Americans. In a social sense, blacks of the era simply didn't have the social power to self-identify, and their identity was further stripped by having to take their master's surname. Native Americans (or North American aboriginals, if you prefer that appellation) had their own tribal identification, which still remains to this day.

      As you get closer to 1900, there were huge waves of immigrants from all over the world, and these were people who wanted a clean slate. They wanted nothing more than to be assimilated. In some families, the language of the homeland was forbidden. Educational institutions sought to have kids learn and speak english without accent. The pride of the immigrant American at the turn of 1900 buried the notion of self-identification of the homeland. My four great grandfathers and mothers (on both mom and dad's sides) spoke very little english because they came to the country when they were too old for schooling, but their kids (my grandmas and grandpas) all spoke English in the upper-midwestern American accent, and while they could understand some of the old languages and maybe speak and read a bit, they were Americans and identified themselves as such.

      Consider, then, the melting pot. By the time it got around to me, the national heritage of my family was Belorussian, Lithuanian, French and Norwegian. I only speak one of those languages, but how could I possibly self-identify with any of those nations? I can't, and I don't, but mostly because I still take some pride in being an American, regardless of how my country seems to be perceived at present.

      However, there are groups who have been marginalized over time, who seek to re-enforce their sense of identity to elevate their pride. Some black Americans prefer to align themselves with their African roots. Some Irish-Americans identify themselves that way because they seek a tie to their family heritage that may have been repressed as a part of assimilation. Interestingly, the force of assimilation has decreased in American culture. We're a much more multi-lingual, multi-cultural nation, now, and that's also being reflected in the way certain people self-identify. In America, you are free to identify yourself in any way that you prefer, and that's what people do.

      Hope it helps.

      --
      .. pa-ra-bo-la, pa-ra-bo-la, 2 pi R, 2 pi R, where's your latus rectum, where's your latus rectum, 2 pi R
    10. Re:90 days, eh? by Xcott+Craver · · Score: 4, Funny
      And I'm Irish on my paternal great-grandfather's side.

      Yeah, and I'm a woman on my grandmother's side.

      Xcott

  2. They're really going to hate it when... by TWX · · Score: 5, Insightful

    They're really going to hate it when suspects start using steganography. Imagine having to brute-force decrypt, only to then have to search for a particular piece of straw in a haystack...

    --
    Do not look into laser with remaining eye.
    1. Re:They're really going to hate it when... by AKAImBatman · · Score: 4, Informative

      They're really going to hate it when suspects start using steganography.

      Generally they try to capture a complete computer containing all the algos used for the steganography. That way they don't have to search for a needle in a haystack.

      It's a bit like the code devices of WWII. It was always easier to capture a code machine than try to brute force the code itself.

    2. Re:They're really going to hate it when... by TWX · · Score: 5, Interesting

      What if I don't use a programmed algorithm?

      The old "manipulate the image in the picture" effect would allow me to hide data in an image, and it could be done to where only modifying the image to specific hue or color adjustments reveals the data. It would be something that someone could memorize, and open files read-only to find, modify in RAM, and never save back to the drive once the message is known. There could be thousands of photos in someone's photo album, and only a few that actually contain data too, so that it's hard to even find the files used, let alone to figure out how they're used.

      I could also know that certain letters in a text file based on some derivation of a number sequence for position of the letter or word is the message. Anyone that I'm corresponding with could also know the sequence, but if neither party writes it down then it's much harder. It would also work for storage of sensitive data, and be even better security since there'd be only one person who'd know how to recover it.

      The most effective way to hide something or protect something is to ensure that nothing is ever written down about recovering it, ever. If there's no key to find then it's again down to brute force.

      --
      Do not look into laser with remaining eye.
    3. Re:They're really going to hate it when... by Ckwop · · Score: 4, Interesting

      Generally they try to capture a complete computer containing all the algos used for the steganography. That way they don't have to search for a needle in a haystack. It's a bit like the code devices of WWII. It was always easier to capture a code machine than try to brute force the code itself

      This is actually wrong. Kerckhoffs's principle applies as equally to steganography as it does to cryptography; even with complete knowledge of the algorithm it should be computationally infeasible to determine a secret message is implanted in the cover text.

      Secure steganography is truly undetectable.

      Simon.

    4. Re:They're really going to hate it when... by Verteiron · · Score: 5, Funny

      Well, in that case, the USA will ship you off to some country where torture is legal, and CIA operatives will proceed to beat the secrets out of you. Now THAT'S brute force...

      --
      End of lesson. You may press the button.
    5. Re:They're really going to hate it when... by mikerich · · Score: 4, Informative
      This is such blatant 'the sky is falling!' government propaganda.

      Under the Regulation of Investigatory Powers Act it is already an offence not to hand over encryption keys to the police when requested to do so.

      If a person is detained, the police could investigate the hard disk and ask for the appropriate keys, if the suspect refuses they could then be charged under RIPA.

      They would then be brought in front of a magistrate who would determine if there was a case for refusing bail (if they are truly a threat then bail would be refused) before the case is taken up by the higher courts.

      The police could then have all the time they want to crack the disk, my rights would be less infringed than they already are and the police would actually have to work to prove the case for a serious crime.

    6. Re:They're really going to hate it when... by cortana · · Score: 4, Informative

      Then you don't know much about cryptography! Do you think DES, RSA, AES, and so on are insecure because the algorithms used are public knowledge? No, the security of a good cipher revolves around maintaining the secrecy of the key.

      Let us consider hiding some data in an image. Assuming the use of decent steganography techniques, then without knowledge of the key used when hiding the data, it is impossible to know that they are hidden in the image in the first place, let alone retrieve them.

      If this is not so then an attacker would be able to knock up a quick shell script that scanned every file on the system to detect hidden data--thus making the use of steganography pointless in the first place!

    7. Re:They're really going to hate it when... by booch · · Score: 4, Insightful

      Great. A post suggesting using torture as a legitimate method of data extraction gets a Funny rating.

      --
      Software sucks. Open Source sucks less.
    8. Re:They're really going to hate it when... by sconeu · · Score: 4, Insightful

      The only problem is when there really *is* no code. How can you give someone something that doesn't exist?

      Example: You're falsely ID'ed by a bad guy, or you're mistaken as a terrorist due to bad luck (see: Paul in 24 Season 4).

      So you lose all your toes, and have your genitals fried off, because you *CAN'T* give them what they want. This is why torture is useless.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    9. Re:They're really going to hate it when... by Dread_ed · · Score: 4, Informative

      Torture of the kind that you see on TV doesn't work well.

      There are other methods that work quite well. For instance: dilating the eyes with drugs, propping the subject's eyes open, and then directing an absurd amount of light into the eyes will break most people down quickly.

      There are other methods that can gain the subject's acquiescence with very little mess and few lasting marks (on the outside).

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
  3. They're morons who deserve to get caught by Dwonis · · Score: 4, Funny

    *I* always use at *least* 1024-bit AES!

    1. Re:They're morons who deserve to get caught by wiggles · · Score: 4, Interesting

      That just means they'll keep you for 50 years without a trial (or however long it takes them to crack your encryption). Interesting that those that use encryption are automatically considered criminals.

    2. Re:They're morons who deserve to get caught by ganache · · Score: 4, Insightful

      Where did it say that those using encryption are automatically considered criminals? They're suspected criminals who happen to use strong encryption

      --

      It was a century of answers and all of them have been wrong...
      Wake me in a thousand years
    3. Re:They're morons who deserve to get caught by Jugalator · · Score: 4, Interesting

      That's because they are criminals. Failure to turn over your encryption key is an offence under the RIP Act, punishable IIRC by up to two years imprisonment.

      I guess that's why one may use TrueCrypt with its support for two-level plausible deniability. I.e. it's practically impossible to prove there isn't more on the encrypted volume than you see, unless you have an enormous time to spend on trying to crack the hidden nested volume.

      --
      Beware: In C++, your friends can see your privates!
  4. Blatantly WRONG by Work+Account · · Score: 5, Interesting

    Most times a police department cannot even ANALYZE data properly if a machine is not running some modern form of Microsoft Windows on an x86 platform.

    They have automated TOOLS that go through and find Web browser histories, caches, and cookies.

    On machines where users do not run Microsoft Internet Explorer and use Outlook for email, often times departments are SOL.

    --

    If you "get" pointers add me as a friend (116)!
    1. Re:Blatantly WRONG by XorNand · · Score: 4, Informative

      The de facto application used by law-enforcement agencies to do these things is EnCase, if anyone is interested. It's major bucks though, and don't expect to be able to download a demo version. ;-)

      --
      Entrepreneur : (noun), French for "unemployed"
  5. Illegal not to give the police the key? by Jamu · · Score: 5, Insightful

    If it's illegal to not provide the police with a key to encrypted data, why can't they just put that person in prison for that crime and decrypt the data at their leisure?

    --
    Who ordered that?
    1. Re:Illegal not to give the police the key? by dan+dan+the+dna+man · · Score: 5, Insightful

      This is an excellent point, it is true it is illegal to withold encryption passphrases etc. from the police if they ask you to surrender them. This is why there is a fight in the UK to stop this 90 day 'hold without evidence' the police and government are pushing. The opposition parties have been making this exact point - just bust them on the lesser charge, sling them into jail on something they've *actually done* rather than something they *may have done* and then use that time to gather the rest of the information. Makes perfect sense to me.

      --
      I don't read your sig, why do you read mine?
  6. 256? 3des? no. by jlcooke · · Score: 5, Informative

    3des. 3 x des. des uses 64 bit key. Well, 56 bit if you remove the useless parity.

    3 x 56 = 168. or 3 x 64 = 192. Either way, 256 it is not.

    256 bit AES, then maybe.

  7. What about RIP? by andrewscraig · · Score: 4, Interesting

    I thought that was why the UK introduced the RIP act (http://www.hmso.gov.uk/acts/acts2000/20000023.htm)? Could they just demand that the person comes up with the keys -- if they don't, hold them through the RIP act and brute-force them, if they do -- then they've either got evidence or the innocent person can go free?

    It seems that they are just using this as an excuse to hold someone indefinitely?

  8. Ninety days? by SatanicPuppy · · Score: 4, Insightful

    Psssh. That's gotta be a worst case scenario. In my experience, even people who are paranoid enough to encrypt things tend to be careless with their keys. I found one once where the guy had encrypted the hell out of it, and left a copy of the key in the default key gen directory. Some people just throw it in the trash, and then forget to empty the trash, or forget to secure purge it afterward, so the key can be recovered.

    For big corporations and places that have enough staff to be able to implement a good crypto policy, I'd be surprised if you COULD crack it in 90 days. 256 isn't anywhere near as high as you could go if you were paranoid, and storing data that you didn't need to read all the time.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  9. Re:No such thing as "256-bit triple des" by Proaxiom · · Score: 4, Informative
    That should be the tip-off for the uninitiated, in any case. Triple DES has an effective key length of 112 bits. I'm sure they meant 256-bit AES, but it's a good clue that the author has no idea what he's talking about.

    Seriously, nobody, including name-your-favourite-government-agency, is brute forcing a 256-bit AES key. Not in 90 days. Not in 90 years. Think about the number 2^256 for a second, and consider the computing power required to do that many operations.

    What may be possible in 90 days is brute forcing passwords, which is practical if the perp uses password-based keys. The article doesn't mention that.

    It's also possible that the authorities are just exaggerating their capabilities so as to deter pedophiles and what-not. If you can't read people's mail, it's sometimes effective to pretend to be reading people's mail.
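
An added example, not part of any comment in the thread: it works through the key sizes argued over in comments 6 and 9 (DES parity bits, the 56/112/168-bit figures, 256-bit AES) and compares them with a password-derived key against the 90-day window. The guess rate of 10^12 keys per second and all function names are assumptions made for the illustration.

```python
from __future__ import annotations
from math import log2

SECONDS_PER_DAY = 24 * 3600
ASSUMED_RATE = 1e12  # guesses per second; an assumption, not a measured figure


def des_set_odd_parity(key: bytes) -> bytes:
    """Force the low bit of each byte so every byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        seven = b & 0xFE                    # the 7 bits that actually key the cipher
        ones = bin(seven).count("1")
        out.append(seven | (0 if ones % 2 else 1))
    return bytes(out)


def des_key_bits(key: bytes) -> tuple[int, int]:
    """Return (stored bits, bits left after dropping parity) for a DES or 3DES key."""
    if len(key) not in (8, 16, 24):
        raise ValueError("DES keys are 8 bytes; 3DES keys are 16 or 24 bytes")
    return len(key) * 8, len(key) * 7


def password_bits(alphabet_size: int, length: int) -> float:
    """Keyspace of a uniformly random password, expressed in bits."""
    return length * log2(alphabet_size)


def expected_days(bits: float, rate: float = ASSUMED_RATE) -> float:
    """Average exhaustive-search time: half the keyspace at `rate` guesses/second."""
    return 2.0 ** (bits - 1) / rate / SECONDS_PER_DAY


def fits_in_detention(bits: float, days: int = 90, rate: float = ASSUMED_RATE) -> bool:
    """Would an average brute-force search finish inside the detention window?"""
    return expected_days(bits, rate) <= days


# Search effort per scheme. 3-key 3DES stores 168 key bits, but a
# meet-in-the-middle attack brings the work down to roughly 2^112.
SCHEMES = [
    ("single DES", 56.0),
    ("3DES, effective", 112.0),
    ("AES-256", 256.0),
    # Real password guesses are slower per try (key derivation); the same
    # rate is used here only to keep the comparison simple.
    ("8-char password, 95 printable chars", password_bits(95, 8)),
]


def report(days: int = 90) -> list[tuple[str, float, bool]]:
    """(label, bits to search, finishes within `days`) for each scheme."""
    return [(name, bits, fits_in_detention(bits, days)) for name, bits in SCHEMES]


if __name__ == "__main__":
    # Constructed sample key: 24 bytes as stored, 168 bits once parity is dropped.
    print(des_key_bits(bytes(range(24))))
    for name, bits, ok in report():
        print(f"{name:38s} {bits:6.1f} bits  {expected_days(bits):.3g} days  "
              f"{'within' if ok else 'beyond'} 90 days")
```
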

  10. Thanks for letting us know by iamacat · · Score: 4, Interesting

    That government can crack triple DES in more than 14 but less than 90 days on their secret supercomputer. No wonder they dropped opposition to crypto exports. The question is, which algorithms/key sizes can we use that is likely still uncrackable?

  11. It's just an excuse. by Ebirah · · Score: 4, Interesting

    The underlying objective is for the UK to adopt the US model of 'terrorist' detention. Extending the permitted period for detention of 'suspects' without charge to 90 days is a step in the desired direction for this. And as people are saying, 90 days won't be enough time to crack anything that's properly secured. In 90 days, our boys in blue, who don't really get this IT stuff very well, might perhaps be able to crack an UNENCRYPTED drive. Not all terrorist suspects have hard drives, anyway. I guess they'll have to let the ones who don't go straight away.

    --
    It's never so bad that it can't get worse.
  12. Re:256bit triple DES by meringuoid · · Score: 4, Interesting
    Glad to know they think they can crack it in only 90 days with a mere "super-computer".

    They can't and don't, but what the hell, it's a pretext. The police have never liked this whole deal of having to let people go if you don't have enough evidence to charge them with anything. The longer they can get to find something that will stick, the more criminals they successfully prosecute and the safer we all are.

    Now, if you'll excuse me I have to open my new estate agency, pontine transit solutions a speciality...

    --
    Real Daleks don't climb stairs - they level the building.
  13. With or without specific charges? by pla · · Score: 4, Insightful

    The UK police may need 90 days to hold terrorist suspects because it takes that long to crack a suspect's PC hard drive

    I write this as a 'Merkin, so forgive if I don't fully "get" UK law, but...

    At the point where the police would waste 90 days of supercomputer-level CPU power on cracking an encrypted HDD, wouldn't they already have enough other evidence to charge the suspect with an actual crime, and could just ask for that 90 days as a delay before the actual trial?

    The idea of the police making people disappear for three months at a time on a whim scares the hell out of me. Suddenly sarcasm, or wearing the wrong clothes, or "driving while black" becomes punishable by three months in prison? Time to invest in prison/industrial stock...

    1. Re:With or without specific charges? by lawpoop · · Score: 4, Funny

      You are writing the above as a pubic hair wig?

      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
  14. Re:No such thing as "256-bit triple des" by Dachannien · · Score: 4, Funny

    Seriously, nobody, including name-your-favourite-government-agency, is brute forcing a 256-bit AES key. Not in 90 days. Not in 90 years.

    0x00000000 00000000 00000000 00000000 00000000 00000000 00000000 00003039? That's the kind of encryption key an idiot would have on his luggage!

  15. 256-Bit Triple DES by John+Fulmer · · Score: 4, Insightful
    Another factor is encryption sophistication. If 256-bit triple-DES or similar techniques are used then decryption could require supercomputer-levels of cracking.


    Ouch. Technobabble at its worst.

    a) Triple DES is 112-bit encryption.

    b) If you are using strong encryption, like a 256-bit AES cypher, no number of supercomputers are going to 'crack' it, whether it's 14 or 90 or 900 days, unless it's a really bad implementation.

    c) One would HOPE that the police would have evidence before they start impounding things. But this is about 'fishing' for evidence for 'suspected' terrorists. "You look like a terrorist, so we'll impound your things in the hope that we'll find something". So much for presumption of evidence (which I believe holds true in the UK as well).

    Things like this make me sad. Just another way for the authorities to 'protect' its citizens by making sure that they can see all and know all. Welcome to the Panopticon.
  16. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  17. use Firefox, go directly to GITMO! by Thud457 · · Score: 4, Interesting
    Alternative browsers pose challenge for cybersleuths

    You think that they can afford to hire some lunix rocket surgeon as a computer forensics expert on what the local PD pays?

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  18. Re:No such thing as "256-bit triple des" by z-man · · Score: 5, Funny

    Pssst, like the NSA doesn't have quantum computers behind that triple fence that can brute force 256bit keys in an instant.

    Now, shut up and help me find my tinfoil hat.

  19. Re:Blatantly WRONG (now with formatting!) by sparr0w · · Score: 5, Insightful

    I think the key to this article is not the piece on encryption, but the piece on inter-county cooperation. In the states, it takes a long time for evidence to be approved by the proper authorities for analysis, just because the people doing the analysis don't want to screw up and have the evidence thrown out in court.

    And as easy as it is to make fun of the police's analysis methods, my guess is most slashdotters don't even know what it's like to process evidence for a case. It's not just "running automated tools" on some suspect's hard drive. It's getting to know the case, knowing what you're looking for and where to look for it. Many times it's the police themselves that are writing these "automated tools", which only present the evidence in a way less technical minded officers assigned to the case can understand. And what happens once you get that evidence? You have to try to fit it into the puzzle of the case. It isn't CSI, where you find some email detailing the crime that's digitally signed and the suspect confesses to writing it. Often times it's finding some random piece of partially-overwritten text and having to see if it fits into the overall case.

    And yes, most digital forensic labs can analyze your precious reiserfs/ext2/ext3/whatever file systems. In fact, I've never run across a lab that couldn't. So don't think your 1337 linux system will be safe if it's ever involved in a crime. And if they don't have the tools to analyze them, they'll contact a department that does. That's how the real world of forensics works.

    Next time you want to talk about a subject you blatantly don't understand, do us all a favor and don't hit the submit button.

  20. Re:And you think they're a terrorist... why? by glesga_kiss · · Score: 4, Informative
    What's really fucked up is that people like the Guildford Four, also accused of terrorism during a politically sensitive time, were put away on fake evidence compiled by the police who were anxious to get a result. Back then, you were "innocent until proven Irish". Now it's "until proven Islamic". They were tortured for confessions and finger pointing. Sound familiar? Something happening RIGHT NOW?

    Computer evidence is next to useless. It is infinitely easier to fake a word doc than it is someone's handwriting, DNA and fingerprints that one might find on a piece of paper. I predict that in 10 years, once new forensic techniques for IT data analysis become available, a whole slew of "terrorists" will have their convictions quashed as the police simply created a few fake emails. This is not tin-foil hat territory, this has happened numerous times in the past.

    When will the public wake up? These "detention without trial" laws are something that the authorities have been seeking for decades. Only now do they feel they have the inertia to get them passed.

    The definition of terrorism is "using fear to achieve a political goal". I wonder who the REAL terrorists are here...?

  21. Don't use one time pads by Catamaran · · Score: 4, Funny

    You could be locked up forever!

    --
    Test 1 2 3 4
  22. 90 days == 6 month jail sentence. by caluml · · Score: 4, Insightful

    Shami Chakrabarti from Liberty made a very valid point. Holding someone for the equivalent of a typical 6 month jail sentence with no charge is a very good way to alienate that person and his/her community. How would we feel about losing 3 months of our lives, and after that, being released with "no charge". What would our employers think? What would happen to our houses, mortgages during that time? It's easy to think "90 days isn't so much", but think about what it actually means. Shami is great.

  23. Re:No such thing as "256-bit triple des" by dan_bethe · · Score: 4, Interesting

    Ok what about with rainbow tables, vast stores of precomputed hashes? They say that with a 64GB table, it'll take a few minutes to crack any Windows lanmanager password up to 14 characters in size using "all possible characters on a standard keyboard (not including those alt+xxx characters)" on a standard 666 MHz system. Some individual table sets have been known to reach 600+GB in size. How do the likes of 3DES and AES stand up to that? I'm an encryption noob.

  24. Plausible deniability... by tjwhaynes · · Score: 4, Interesting
    Under the Regulation of Investigatory Powers Act it is already an offence not to hand over encryption keys to the police when requested to do so. If a person is detained, the police could investigate the hard disk and ask for the appropriate keys, if the suspect refuses they could then be charged under RIPA.

    So then you need a method of being able to hide precisely what is encrypted and what is not. Look around and you'll find systems for filling a file system with chaff files to make finding the real data more interesting. One I looked at ended up with a filesystem with all the files apparently the same size, with constantly changing timestamps and all apparently containing random data. This system then allowed you to apply keys to make certain files readable while leaving the rest as noise. The point of this is that even the empty file system is full of rubbish files. It is impossible to tell (without the complete set of keys) precisely what is really data and what is just generated chaff. This gives you a lever of plausible deniability - if you are asked for the keys to the repository, you can hand over the keys and let them at it. It would be difficult (never say never) to correctly identify encrypted files amongst the chaff which were not covered by the keys provided.

    Cheers,
    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.