Slashdot Mirror
How Long to Crack an 'Encrypted' HD?
brainburger asks: "In the UK, Tony Blair has recently lost a parliametary vote to allow the police to hold terrorist suspects for 90 days without trial. One of the justifications the police gave for the extension from 14 days to 90 days was that they need the extra 76 days to decrypt the computer hard-drives of suspects. This has been seen by some as the only compelling reason to allow 90 days. The time-limit has been extended to 28 days instead, but Tony Blair insists 90 days is required. Are there really any encryption systems that cannot be cracked in 28 days, but which can be cracked in 90? Aside from the not-much-discussed issue that the police can no longer interrogate a suspect after they are charged, I suspect the police meant unencrypted machines. What do you think?"
Just cracking it isn't enough. They have to then sift through gigs of data to look for evidence. And that's ignoring stegnography.
Agile Artisans
1: Today's terrorism is different because attacks do not have political aims and are designed to cause mass casualties, with no warning, involving suicide bombers
Retired senior judge Gerald Butler states: "The mere fact a threat is "completely different" is, of itself, no justification for an extension in the detention laws. But it is true we face a new and terrifying threat in this country."
Not politically motivated?!
What on earth are these people talking about? Good gried, "GET OUT THE MIDDLE EAST, WEST!" sounds _very_ political to me! "STOP MESSING IN OUR AFFAIRS", sounds political to me!
These attacks are completely and totally politically motivated.
The militants in the Middle East, right or wrong, is ABSOLUTELY, COMPLETELY, and TOTALLY in the middle of a political struggle with the West.
I think it's a bullshit excuse, that's what I think. With encryption algorithms, we're talking orders of magnitude, and most algorithms that can't be bruteforced in 28 days will take longer than 90. This is just a shitty excuse to get joe public on Tony's side.
Are there really any encryption systems that cannot be cracked in 28 days, but which can be cracked in 90?
Probably, but since encrypted hard drives usually involve a passphrase being converted into a key of suitable length by one-way hash algorithms, why not crack the passphrase instead of the actual key? Even with 256-bit AES (or something like it), a weak passphrase-based key is probably one of the easier ways to go after the data. Of course, if the suspect carries their completely random key around on a USB drive of some sort, that's a different matter.
> The United States approaches counter-terrorism as military action ...against a country unrelated to the problem.
> and the President signs an executive order that allows for indefinite detainment of suspects.
It's a sad day when executive orders trump the constitution.
Sheesh, evil *and* a jerk. -- Jade
It's not how long it takes to crack, it's how long it takes to make a copy. Then cracking can be at your lesuire.
"History doesn't repeat itself, but it does rhyme." Mark Twain
But really, the problem is that the police don't like to release their suspects before they're sure they're not guilty of something. Even if the drives couldn't be copied without decrypting them first, the police could just take the hardware and release it when they're ready, but release the suspect quickly. But they don't want to do that -- he could be a terrorist! (or he could be totally innocent, but of course police don't make that sort of mistake.)
Though personally I think the 90 days thing is just a crock. It's also obviously just those pesky civil rights that are keeping law enforcement from turning this world into a paradise without crime, terrorism or software piracy overnight -- or at least that's sometimes how they seem to act.
Police want the time to take some pressure off themselvs. If they can extend the deadline by 2 and a half months they have more time to get everything done. They don't "need it", but they want it because it's a damn sight easier for them.
Although I'm outright against this and any other attempt to make a police state. If you lock a guy up for 3 months you've pretty much taken his job away from him, maybe his house (if renting) and rumours spread fast, so good luck getting hired againa as a "possible terrorist". The reason the vote was against it is because it would ruin people's lives if this were to be brought upon them.
I like muppets.
Not necessarily. If you REALLY wanted to hide something on your hard drive, it'd be cakewalk for anyone really determined. Just get a 256 bit encryption system put on there (nearly impossible to 'brute force' with simple computing power due to the sheer number of possibilities).
On top of that you can hide messages in thousands of different possible files on the computer. It could be anywhere; a driver, a PC save game file, the user name and password for someone MMO account spelt backwards, it could be in plain sight on the desktop except its a code-word phrase that only the (presumably) terrorist knows. And thats on top of the encryption so the code breaking geeks can't even being working on this until the computers are done. Hiding data on a computer these days is a joke for anyone willing to spend the time and effort.
"Brute forcing" encryptions is a thing of the past. Contrary to popular belief, hardware has not necessarily kept up with software, as many high-end computer graphics designers will attest to. (Imagine today's top of the line computers trying to real-time render the orc's attack on Helm's Deep with all the fancy graphics, special AI and fancy camera work all going on at the same time.)
This whole thing is a canard. It's a fucking joke. It's just an excuse to hold people without charges (and possibly send them off to get tortured).
If you need time to crack the hard drive YOU FUCKING TAKE THE HARD DRIVE!. Why do you need to hold the person for 90 days when you can simply take his hard drive and hold it for as long as you want. Look at the Scott Peterson case. They came and took his car, and pretty much emptied his house and held it for over a year while he was awaiting trial. Which brings up another point. YOU CAN HOLD PEOPLE FOR A VERY LONG TIME IF YOU SIMPLY CHARGE THEM WITH A CRIME.
See how easy that is. Arrest the guy, charge him with conspiracy to commit crimes, deny bail, get a warrant, hold him in jail, take all his stuff and take your time combing through it.
evil is as evil does
Just fishing for the amusing title, but in the (pretty large number of) posts I've looked at so far, no one has made the obvious observation that if the "terrorists" are actually concerned about being held some number of days, then they can just increase the level of encryption they use to make sure that it will take longer than that to decrypt their drives. There is no upper limit on the amount of encryption you use. For the police to claim that they need any fixed number of days is totally bogus, and the British police are just making excuses because they want to hold suspects for longer time periods. Heck, if having a HDD is the excuse for being held longer, then all the smart criminals will simply get rid of their computers. Of course that's on the theory that the amount of time the police are holding them has anything to do with whatever criminal action they might be planning.
In conclusion, I would guess that the stupid TV show called "24" must also be shown in Great Britain.
Real life is not like that. Before arresting someone, the police are supposed to already have some concrete and substantive basis for suspecting the person has committed a crime, or even stronger evidence that the person is really in the process of planning to commit a crime. The basis that "We think we'll find something AFTER we decrypt the HDD" is totally bogus. The reality here is they just want to quietly lean on the suspects for a longer time, and saying they need that much time because of HDD encryption is just a cheap--and stupid--excuse.
Having said that, I'm surprised the politicians weren't stupid enough to go along with the gag. That already puts them ahead of most American politicians. Can you try to imagine explaining HDD encryption to Dubya?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Any cipher that can be cracked given "enough computer power", for any practical value of "enough", is broken. Utterly broken, obsolete, not fit for use, an ex-cipher, singing in the choir unusable. DES, for example.
Guessing a passphrase is believable, though. That might take large-but-feasible computer resources. English text has only one point something bits of entropy per character on the usual estimate. Who has a sixty-character passphrase?
If you need time to crack the hard drive YOU FUCKING TAKE THE HARD DRIVE!. Why do you need to hold the person for 90 days when you can simply take his hard drive and hold it for as long as you want.
Because if he knows you'll find something on his hard drive once you decrypt it, he may decide to disappear during the 90 days it takes you to find it, whereas if you can keep in custody until you finish he wont have that opportunity?
Nope, not necessarily.
From the wiki:
Failing to provide the key is a criminal offence, with a maximum penalty of two years in jail. The accused must prove that they do not have the key, claiming to have mislaid or forgotten it might not be accepted as a defence. Both the innocent and the guilty would be caught in that condition, the guilty because they would rather serve two years than ten or more. Additionally those under investigation may not tell anyone except their attorney they are being investigated, under threat of five years imprisonment. This last is the newly coined offense of "tipping off".
Exactly.
This time was referring to habeas corpus.
Basically when Tony Blair came to power it was 7 days. He raised it to 14, now 28 but he still wants 90 days.
This is the period of time the police are legally allowed to hold you with no evidence whatsoever that you've done anything wrong, just because they suspect you might have. It's a period of time where the police can hold you while look for evidence. Once they find the smallest amount of evidence they can then charge you and then can keep looking for evidence.
This bill's meant to allow the police to break any encryption so that they would now be able to pick people up they suspect of terrorism and detain them until they've broken every encrypted file on their computer on the off chance that they'll find evidence that way when they can't find any other evidence whatsoever.
3 entire wasted months of your life dragged away from your job (which probably won't be there when you return) and your family while they break your PGP encrypted emails to your girlfriend on the off chance the two of you are discussing how to blow up parliament.
As an example: Check this story out. This journalist hadn't actually done anything, and they released him after a day. They did during that time confiscate his computer equipment.
If this had been raised to 90 days it's entirely possible he'd have been held for 90 days while they decrypted anything they found on his hard drives.
After the 90 days are up they would still have released him. And they would not even have to explain why he'd been locked up, because he'd never been charged.
The bill has too major flaws.
1) There's nothing really to stop the power being abused by police who don't like the look of someone or have a grudge against them, which is exactly what it is designed to prevent. You do require the judges permission keep them for that long, but it's not too hard to create a case of why you suspect someone.
2) This odd 90 days which the Police told Tony Blair that they can break any encryption in. They can't - it's impossible!
- There'll be multiple encrypted files, particularly if they are encrypting their communications (guilty or not guilty). Each one would need 90 days.
- They'll not know the encryption algorithm in all cases, so would need to try every one. Each one would need 90 days.
- There are HUNDREDS of encryption algorithms that use such large keys that you can't realistically expect to crack the password in 90 years, let alone 90 days. There are a few around that even with all the supercomputers in the world working it won't have tried every key before the universe ends. And it's still possible to take one and write your own with an even longer key. (The details of which would be secret so they couldn't crack it in the first place anyway).
In case you're not being sarcastic, you might be shocked to read about Jose Padilla
You may be shocked to hear that, sometimes, Bush's government (well every government, really) does things that it knows are illegal.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I think the most obvious step is for your friendly neighborhood criminals & terrorists to start remotely accessing their systems. Dumb terminals basically. There is no reason the computer can't be in another room, building, etc. Shouldn't a VPN over an encrypted wifi link be secure enough? 54 Mbps might be "slow" compared to normal HD access speeds, but the security gain should outweigh any performance loss. The police can't seize anything that isn't in the dwelling without (generally speaking) seeking additional warrants. Your mileage may vary
[Fuck Beta]
o0t!
legally allowed to hold you with no evidence whatsoever that you've done anything wrong, just because they suspect you might have.
Oh no, even better than that: Just because they suspect you maybe will.
And this a country which is a part of a coalition trying to "bring democracy" to others.
--paulj
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
However, the punishment for refusing to reveal your keys may well be less than that for the crime they'd charge you with if they did.
Yeah, except if they can arrest you and try you and convict you for this, they will have longer than the 90 days to try and decrypt your data, and then convict you for the first offence.
Gives an easy way out for the child porn rings: two years for not revealing keys versus God knows how much for dealing in child porn.
This is about suspected terrorists. It has nothing to do with child porn.
Behold France which is currently in upheaval because unsatisfied Muslims are striking out at the national culture which has been keeping them down, nevermind the fact that the Muslims themselves segregate themselves from the rest of society by refusing to conform to the culture into which they immigrated.
Actually, the riots in France are not motivated on religious grounds. The riots are as a result of huge economic disadvantage, exploitation and unemployment in those communities which are rioting. This has come about because of racism and bigotry in France, not because of religion. The majority of the rioters are not even religious.
The Muslims are not rioting. The poor are rioting. Quite a lot of people will try and distract you from this fact, especially in France, where the poor rioting has a long and well documented history of toppling governments.
May the Maths Be with you!
No, you cannot decrypt a hard disk in 90 days (assuming the use of strong encryption). If you find you're using Rijndael or Serepent, you're good. However, in the period of 90 days, you're more likely to experience a psychological break due to duress (like torture). Most people could handle 14 days, but not 90. Once you break, you'll be more than happy to hand over your keys.
To clarify the difference of 14 and 90 days in detainment, consider the following. Those detaining have had a couple periods on which to deprive the detainee of food and water to the point of going critical without actually killing you. Once someone become dependent on their captors for essentials like food and water, they become loyal. They have also had the opportunity to deprive the person of sleep for a solid 12 or more days, which can drive most people close to the point of insanity. Also, the textbook technique for "breaking" someone where captors inflict physical pain then "rescue" the person from it requires several iterations. 14 days just simply is not enough to accomplish these things. 90 would suffice.
And let me also point out that this is how the United States government operates these days. It would be reasonable to assume some of our closest allies are engaged in similar activities with "terror suspects".
Join Tor today!