Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Use of RIPA to Demand Encryption Keys

Posted by samzenpus on from the tell-us-everything dept.

kylehase writes "The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of. According to the article, she could face up to two years if she doesn't comply."

74 of 645 comments (clear)

  1. solution by User+956 · · Score: 4, Informative

    The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of.

    That's why you use an encrypted file system with a duress key. In the event of coercion, you give them a key that *oops* results in the destruction of the data.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:solution by PhrostyMcByte · · Score: 5, Informative

      any forensic team with an ounce of competence will copy the original HDD and work off the copy, so that just won't work.

    2. Re:solution by Anonymous Coward · · Score: 5, Funny

      that is, of course, assuming that the police forensics team has an ounce of competence.

    3. Re:solution by mlts · · Score: 5, Informative

      Having a known self destruct switch may cause a person to end up even worse trouble. This is a discussion that occurs periodically on a number of cryptography forums.

      Almost all police departments will image the drive, then present the person with the image to decrypt. If the image gets stung by a self destruct Trojan, then the police will know that its not a forgotten password, and then proceed to use rubber hose decryption to obtain the contents of the drive.

    4. Re:solution by Anonymous Coward · · Score: 3, Informative

      Yep, I'm pretty sure TrueCrypt (the only program I'm familiar with) does this.

      Just dump some plausibly-incriminating stuff on it (e.g. kinky porn, ABBA songs) and they'll never realise there was anything else there to look for.

    5. Re:solution by Nazlfrag · · Score: 5, Funny

      Just blind them with goatse as the first file, they won't go near the rest.

    6. Re:solution by Bonker · · Score: 4, Informative

      Yeah. Truecrypt does this.

      http://www.truecrypt.org/hiddenvolume.php

      Truecrypt is pretty nifty all around.

      --
      The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    7. Re:solution by Anonymous Coward · · Score: 5, Funny

      Because private companies are the pinnacle of competence and government is the pit of deepest stupidity.

      Let me guess: you're either American, Israeli or Australian.

    8. Re:solution by Zemran · · Score: 4, Interesting

      Speaking as someone that used to teach Computer Forensics to the SFO, British Customs, the USA's FBI etc (they now have their own courses). I can assure you that the first thing that was covered was disk imaging and that you should always work from the image. The original is evidence and any damage (read change) renders that evidence inadmisable. All you have to do is turn on and the OS is likely to make a change. This is taken to the degree of not using windows as the OS for imagining as windows likes to write to secondary drives when they are mounted. If you use Linux you can more easily mount as read only. It is best to make a couple of good primary images and then work from images of them rather than continually reverting to the original drive/s when you mess up so as to minimise the risk of damage and a lost case.

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    9. Re:solution by Antique+Geekmeister · · Score: 3, Interesting

      I agree with your approach. I disagree, from direct observation, that the FBI are competent enough to actually do any of this. Despite their much-vaunted "Computer Crime Squad", they remain unwilling to investigate and incompetent to follow even basic backup and clean room procedures of materials they investigate. I've actually had to explain such issues to them, at length, regarding stolen computer property and verifying that software was taken with it.

      Unless they've had a complete turnover of personnel throughout the department in the last 2 years, they're not competent from top to bottom in any of the 4 state's offices I had to deal with then.

    10. Re:solution by Anonymous Coward · · Score: 5, Funny

      Because the rest of the world is smarter and more competent than people from those three countries...

      No, but apparently parent's reading comprehension is superior to your own.

      Or, to put it a way you might understand: "Whoooosh!"

    11. Re:solution by Brickwall · · Score: 4, Funny
      It's piece of mind.

      Which piece?

      --
      What was once true, is no longer so
    12. Re:solution by tehmorph · · Score: 4, Informative

      Correct- TrueCrypt has support for hidden and public volumes, both of which can use entirely seperate keys/keyfiles.

      --
      Could not open .sig for reading- sanity error
    13. Re:solution by gweihir · · Score: 3, Insightful

      Correct- TrueCrypt has support for hidden and public volumes, both of which can use entirely seperate keys/keyfiles.

      And again, this does only help against incompetent computer forensics people. Detectin the presence of such a hidden, encrypted volume is easy. Proving that it is encrypted and not cryptographically strong randomness is hard. But that applies to encrypted things that are not hidden as well and the attack here is not technological, but legal.

      Come to think of it, I have a few disks that I wiped using cryptologically strong random data. There is no information on them, but I cannot prove that. In fact such a proof is fundamentally impossible in a very strong, mathematical sense.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:solution by Thanshin · · Score: 3, Funny

      I have a few disks that I wiped using cryptologically strong random data. There is no information on them, but I cannot prove that. In fact such a proof is fundamentally impossible in a very strong, mathematical sense. You should have used a cryptologically strong systematic oven. Then the absence of information would be possible to prove, and such a proof would be fundamentally obvious in a very strong physical sense.
    15. Re:solution by Kjella · · Score: 4, Insightful

      I don't think you understand how a hidden container works, it's not the same as a hidden partition. A hidden container is contained within another container, and looks just like random data.

      During normal operation, you mount both the outer container and the hidden container using both the outer and hidden key. This enables truecrypt to see the hidden container and move around hidden data as you write to the outer container.

      When you are arrested, you provide the key to the outer container, but not to the hidden one. In this mode, it's as if the hidden container doesn't exist and can of course be overwritten. There's absolutely nothing to prove that the hidden container exists, as long as you have a plausible outer container and can say "Look, this is what I was trying to hide".

      --
      Live today, because you never know what tomorrow brings
    16. Re:solution by camperdave · · Score: 4, Funny

      Geez! How much trouble do you want to get into?

      --
      When our name is on the back of your car, we're behind you all the way!
    17. Re:solution by Sponge+Bath · · Score: 4, Insightful

      You don't have to prove you're innocent, they have to prove you are guilty.

      That kind of thinking is *so* pre 9-11.

    18. Re:solution by Carnildo · · Score: 3, Informative

      If you provide the passwords for both containers when mounting the outer container, TrueCrypt will prevent writes to the outer container from over-writing the inner container. Otherwise, it will quite happily over-write the inner container if too much data is written to the outer container.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    19. Re:solution by gweihir · · Score: 4, Informative

      Very easy: Assume your swap is on /dev/sda2:

          cryptsetup --key-file=/dev/random create c1 /dev/sda2
          mkswap /dev/mapper/c1
          swapon /dev/mapper/c1

      This reads a cryptogtaphically very good key from /dev/random, that has a lot of true randomness in it in addition.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Heh. by Renraku · · Score: 4, Interesting

    Acquire virus.

    Virus encrypts hard drive with unknown key.

    Virus forwards CP to authorities.

    Authorities bust you for having CP, for not revealing those encrypted files, AND for probably having more CP. Most likely will be averaged..say..15k is a picture..you have 200GB. The media will say that you were arrested with 100k+ pieces of child pornography.

    Five years later, turns out that it really was a virus. Sorry about that..here's your freedom again.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    1. Re:Heh. by Anonymous Coward · · Score: 3, Insightful

      >>Five years later, turns out that it really was a virus. Sorry about that..oops, you're already dead, shanked in a prison shower.

      fix'd

      Even felons are taught to hate supposed pedophiles. Registered as a sex offender but turns out you're innocent? Too late, pariah for life. Registered for public indecency for pissing in a bush? Not our fault the us has no public bathrooms.

  3. What if she doesn't actually know? by A+Pancake · · Score: 3, Interesting

    The biggest problem I see with these kinds of "give it up or else" laws is how do you account for the situations when someone genuinely doesn't know the information you are seeking? Should someones ignorance be a jailable offense?

    1. Re:What if she doesn't actually know? by hedwards · · Score: 4, Insightful

      There are a number of problems with these sorts of laws. One is if the person lost the keyfile which is required to open the file, or if the encrypted volume got corrupted or if the keyfile became corrupt the file can't be decrypted without cracking it. There just isn't any good way of knowing for sure if the person gave a bad password or if there was a genuine problem with it.

      Two is that there isn't genuinely any way of knowing what has been encrypted, it could be evidence of wrong doing, or it could be just some sort of embarassing, but legal, porn.

      Three is that there is a tendency of these sorts of laws to end up sending innocent people to prison for not being able to reveal the information in a virus or malware encrypted file.

      It is a tough situation, increasingly people engaged in illicit activities are turning to encryption as a means of keeping evidence secret, and from a technical standpoint refusing to decrypt the information is obstruction of justice.

    2. Re:What if she doesn't actually know? by Harmonious+Botch · · Score: 4, Funny

      Torture a fish in front of her. She'll talk if she knows the answer.

    3. Re:What if she doesn't actually know? by 0123456 · · Score: 4, Insightful

      "I don't see why encrypted files should be any different than hardcopy or anything else that could be seized under sub poena."

      The police already _have_ the files. They're free to try to crack the encryption on those files.

      While I intensely dislike the animal rights nutters, this is a stupid and oppressive law which should never have been passed. And I can quite believe that the police she was raided by are 'thugs'; ask that guy they shot eight times in the head a while back if that's a good description... oops, you can't, he's dead.

    4. Re:What if she doesn't actually know? by hedwards · · Score: 3, Informative

      I believe that depends whether or not they have a court order for it. In the US the 5th amendment only applies to interrogation and testimony. Basically self incrimination, but there is no protection against lawfully granted warrants. A refusal to hand over evidence when presented with an appropriate order or the destruction of evidence in anticipation of a lawful order is obstruction of justice.

      I would assume that the British have a similar set up at this point. Otherwise, criminals would just say no, I'm not going to allow you to use your valid search warrant to gain entry and so that they could find that massive stash of child porn and Vicodin that I keep around for special occasions.

      But, IANAL so I may be a bit off on this.

    5. Re:What if she doesn't actually know? by aproposofwhat · · Score: 3, Informative
      In the UK, this particular bunch of 'animal rights' activists have been implicated in activities that fit the definition of terrorism - car bombings, arson attacks, physical attacks against Huntingdon Life Sciences personnel, the digging up and removal of the body of the mother of a guinea pig breeder, letter bomb campaigns, etc. etc.

      While I strongly disagree with this law (and would refuse point blank to hand over my passwords), the group that this woman belongs to has passed far beyond the bounds of legitimate protest, and needs to be investigated and disrupted by all legal means.

      Access to financial data, call records etc. is already a key tool in criminal investigations, and is covered by RIPA in it's less draconian sections.

      So long as the provisions of RIPA are adhered to, I see nothing wrong in police officers using such powers proportionately (i.e. only in cases where the seriousness of the offence merits such intrusion into my privacy) - most policemen that I have come across are professional, intelligent men and women who do a good job trying to keep the peace.

      --
      One swallow does not a fellatrix make
    6. Re:What if she doesn't actually know? by pla · · Score: 3, Interesting

      what the fuck does that case have to do with this ?

      It shows an all-too-common pattern of behavior among the former-and-still bullies disposed to the job.


      completely different set of circumstances.

      You mean, "walking while non-white"? Yeah, clearly asking for it, the bastard!


      Oh i understand, you one of these moronic cop haters

      I would hardly call it "moronic" to despise the single most dangerous element of modern society. And while good ones certainly exist (perhaps even the majority of them), far, far too many bad ones exist to just trust them by default, as a whole.


      who will cry like a bitch for the cops he despises to come save him at the first sign of danger.

      Have you ever actually called the police to report a crime?

      I have (and won't bother ever again), and I've known others who have. And they do jack shit. About half the time they bother to show up. When they do, they write down random observations and you never hear from them again. But, god help you if you drive 46 in a 45 zone near the end of the month...

  4. So lemme get this straight by definate · · Score: 5, Interesting

    Are you telling me, that I could output /dev/random to a file, place it on my friends hard drive, say it contains valuable information pertaining to a case and he could go to jail or be fined for not revealing the password/key?

    This gives me an idea!

    Either way, if you need to you can get around this with TrueCrypt by taking some precautions such as:

    1) Not naming it with the default extension (.tc)
    2) Put it somewhere inconspicuous and name it appropriately
    3) Making sure that it's a hidden encrypted volume
    4) Open it through TrueCrypt and don't save the history, or passwords, or as automount, or similar

    Shit, that was a typo, I meant to type FIRST POST!!!

    --
    This is my footer. There are many like it, but this one is mine.
    1. Re:So lemme get this straight by Twanfox · · Score: 4, Insightful

      Of course, this makes me wonder something from a 'thought police' perspective. With the file in question being a common TrueCrypt encrypted volume that doesn't really contain anything incriminating:

      TP: Give us the passphrase!
      Suspect: It's HotSmokinBabes
      TP: Now give us the hidden volume passphrase!
      Suspect: It doesn't have a hidden volume.
      TP: LIAR, give us the passphrase!

      Just because the possibility exists, the authority in question might ask for something he cannot prove isn't there. If you have nothing to give, this leads to the problem of lying to authorities to give them what they think they want, when you've already given them what they asked for and it proves you innocent. Aren't these going to be fun times to live in.

    2. Re:So lemme get this straight by Nocterro · · Score: 4, Funny

      My three encrypted volumes contain soft-core porn, business secrets, divorce plans and copyrighted music. Four! My FOUR encrypted volumes contain soft-core porn, business secrets, divorce plans and copyrighted music, and an almost fanatical devotion to the Pope. Damn. Amongst my encrypted volumes are volumes that contain...

      --
      [clever sig]
  5. huh by Anonymous Coward · · Score: 5, Insightful

    how can you be put in jail for not knowing something?

    1. Re:huh by zazzel · · Score: 4, Insightful

      The best is: IF you know, and IF the encrypted material really IS incriminating, how does that NOT invoke your right to remain silent, as you as a defendant cannot be forced to give incriminating information?

      Or does this basic rule of justice not apply here, for some reason I (IANAL) cannot imagine?

    2. Re:huh by theCoder · · Score: 3, Insightful

      Since the case (and the RIP law) are in the UK, I'd imagine that our (the United States) Bill of Rights doesn't apply. You can draw your own conclusions as to whether that means the basic rule of justice applies.

      Every time I think that the US government has gone off the deep end, it seems like the UK government is several steps ahead showing how much worse it could get.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
  6. There is a way of finding out.. by mrbluze · · Score: 5, Funny

    Put her in a lead vest and throw her into the sea. If she drowns, it means she didn't have the keys, but if she swims, she's a wicked witch and deserves to be punished.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  7. I guess torture is will be next... oh wait... by GoatRavisher · · Score: 5, Interesting

    Historically, the legal protection against self-incrimination is directly related to the question of torture for extracting information and confessions.[citation needed] The legal shift from widespread use of torture and forced confession dates to turmoil of the late 16th and early 17th centuries in England. Anyone refusing to take the oath ex-officio (confessions or swearing of innocence, usually before hearing any charges) was taken for guilty. Suspected Puritans were pressed to take the oath and then reveal names of other Puritans. Coercion and torture were commonly employed to compel "cooperation." Puritans, who were at the time fleeing to the New World, began a practice of refusing to cooperate with interrogations. In the most famous case, John Lilburne refused, in 1637, to take the oath. His case and his call for "freeborn rights" were rallying points for reforms against forced oaths, forced self-incrimination, and other kinds of coercion. Oliver Cromwell's revolution overturned the practice and incorporated protections, in response to a popular group of English citizens known as the Levellers. The Levellers presented The Humble Petition of Many Thousands to Parliament in 1647 with thirteen demands, of which, the right against self-incrimination (in criminal cases only), was listed at number three. These protections were brought to the American shores by Puritans, and were later incorporated into the United States Constitution through its Bill of Rights.
    http://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_States_Constitution
    --
    Man will never be free until the last king is strangled with the entrails of the last priest. --Denis Diderot
  8. FOOLPROOF SOLUTION by Anonymous Coward · · Score: 4, Interesting

    1) Generate a file with whatever you like in it (anything believable and non-incriminating). Make sure the file's lenght matches the encrypted file.
    2) Reverse-engineer a one-time pad using this file and the encrypted file.
    3) Supply the one-time pad to authorities with instructions on how to use it.

    Ta dah!

  9. Reasonable Search & Seizure by Garridan · · Score: 4, Interesting

    1) IANAL.
    2) I am not familiar with the details of this case.


    That said, I believe that there *is* a time and place where this sort of activity counts as reasonable search & seizure. Say the cops get a warrant to search your house, and you have a safe, and you say, "gee, officer, I have *no* idea how that safe got mounted behind that picture," nobody will believe you and you'll get subpoena'd for the combo. Encryption keys shouldn't be treated any differently from a combination to a safe. If there's a reasonable suspicion for evidence to be hidden somewhere, the cops have a duty to search it.

    1. Re:Reasonable Search & Seizure by tftp · · Score: 3, Interesting

      The problem here is that the court has no proof that the information is in fact in possession of the accused. How would you like if you, or any other random person, are grabbed off the street and tortured (or jailed) until you correctly tell where Osama is hiding - which nobody knows, as it seems. Modern PCs have millions of files in them - some of your own, and some coming from random sources, like the Web, friends, guests - who knows. You can not be expected to know everything about every file, even if this is your computer - not any more than you can be held responsible for every minute scrap of paper on your property. If someone prints a PGP message on a piece of paper, makes an airplane out of it and sends it flying over your fence you probably shouldn't be jailed if you have no idea where is the key.

    2. Re:Reasonable Search & Seizure by arkhan_jg · · Score: 4, Insightful

      The difference is, they didn't make a special law of 'failure to open a safe on demand' with up to 5 years in jail if they suspect the safe contains terrorist materials (2 years for everything else). "reasonable suspicion of evidence" is the important point; there's no such requirement under RIPA.

      There are already laws against perverting the course of justice and hiding or tampering with evidence. The difference is that they have to show some evidence that there's relevant evidence in the safe. If RIPA applied to safes, they'd just have to show you have a safe and won't open it. They only have to have a 'reasonable belief' that you can open it, and having it on your property, or on property in any way associated with you is enough to meet that criteria. That's sufficient to carry up to 5 years in jail, regardless of what's actually in the safe, or what they can demonstrate might be in the safe.

      The law is intended to allow them to put suspected terrorists and pedophiles in jail, even when they have no evidence they did anything illegal, and don't have the capability to brute force their encrypted files, and don't have sufficient grounds to charge them with something else. As we can see, once the british justice system get an 'anti-terrorism' power, it immediately becomes a tool to use against everyone.

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    3. Re:Reasonable Search & Seizure by swilver · · Score: 3, Insightful
      There's a fundamental difference. The police doesn't need your help to open doors, or even to open your safe. If you refuse to cooperate, the police can break down a door or crack a safe. You donot have to help them at all, it will just result in more damage than necessary to your property.

      With encrypted files though, the police cannot get at them without your help. If you refuse to help, they cannot just "crack" the encryption (not even your equivalent of a secret service can crack it -- nobody can crack it in any reasonable amount of time, which is what scares the authorities). So realising they have no hope in hell of ever cracking a decent encryption scheme, they think they can just create a law that says your required to give up your keys. If they knew what they were dealing with, they'd realise however that such a law is complete nonsense. Since you cannot proof that a file is encrypted (since it looks like random data) you have the rather large problem that the authorities can claim any file with random garbage must be encrypted.

  10. enryption keys = keys? by MobyDisk · · Score: 3, Interesting

    Can't a court order someone to provide a physical key as part of a subpoena or a warrant? Why does law treat encryption keys differently?

    1. Re:enryption keys = keys? by ucblockhead · · Score: 3, Informative

      It doesn't. The courts have decided that an encryption key is analogous to a physical key. That's why the fifth amendment doesn't apply to encryption keys.

      --
      The cake is a pie
  11. Better solution by Whiney+Mac+Fanboy · · Score: 5, Interesting

    A Better solution is plausible deniability.

    One password gives your uber-secret-plans-for-world-conquest, the other password gives a few hundred meg of soft porn (or whatever).

    That way, you appear to not be resisting their demands.

    --
    There are shills on slashdot. Apparently, I'm one of them.
    1. Re:Better solution by jd · · Score: 4, Interesting

      Most are. There again, the former British Home Secretary changed the UK law to allow plausible denial when he got bombarded with encrypted files, followed by demands he turn over the decryption key. Has this been tried in the US? If not, why not? Seems like if it worked once, it should work other times. Might also try claiming that handing over the key would violate the DMCA and that you can't be ordered to commit a crime. (Not sure if that's strictly the case, but unless that event has been specifically covered, it might create enough doubt that the sentence is partially or entirely suspended, or even - unlikely as it is - the case thrown out. That's not perfect but it would be better than the pre-trial misery of Kevin Mitnick.)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:Better solution by LurkerXXX · · Score: 5, Informative

      Filesize arithmetic?

      You never used Truecrypt eh? It's not a zip file. It acts as a virtual hard drive partition that can be mounted as a drive.

      When you create the volume it generates random bits throughout the virtual partition. You can copy whatever files you want onto the virtual partition, the rest of it is random noise. You may or may not choose to have additional hidden encrypted partitions within that noise. Adding up the size of know files tells you nothing about what may or may not lurk in the rest of the space on the virtual partition.

    3. Re:Better solution by brown-eyed+slug · · Score: 5, Funny

      I don't know about your world domination plan, but mine contains images, photographs, maps, blueprints and a few more things that cannot really easily be expressed in text.
      Sounds a lot like my porn collection.
    4. Re:Better solution by gweihir · · Score: 4, Interesting

      And that is exactly the problem with RIPA in the first place. The assumption is that if there's encrypted data you have the key and is liable if you can't produce it. Never mind if you don't have the key, or if there's no key to be had in the first place.

      I have some disks I wiped with crypto-generated randomness. Indistinguishable from encrypted disks without metadata (as linux dm-crypt can do for example). I cannot prove that there is no data on them. Completely impossible. Am I a criminal according to this law? Or do they need to have some proof that there is data on the disk?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. New Act by Soporific · · Score: 5, Funny

    Why don't they just sign the "We'll Do Whatever The Fuck We Want Anytime We Want Act" and just get it over with already?

    ~S

  13. Fortunately in the US... by paulthomas · · Score: 4, Insightful

    If such a law were enacted in the US, we would be protected, ostensibly, by the 5th amendment to the Constitution. I say ostensibly because apparently the Constitution is "just a piece of paper" now, and we (some of us) have forgotten about the rule of law.

    So, this could happen here. Easily. We need to find some way to restore the rule of law here lest we become like that other large country just across the Bering Strait from us.

    Hmmm...

    1. Re:Fortunately in the US... by Anonymous Coward · · Score: 3, Interesting

      The DOJ has taken the position that giving up your encryption keys is not testimony, so it isn't protected by the 5th amendment. The issue hasn't even been resolved for forcing people to hand over paper-based personal notes (cf the Packwood case).

      So, I wouldn't be so sure that the 5th amendment protects you.

  14. don't be so quick by m2943 · · Score: 3, Informative

    In the United States, you could never be compelled to turn over an encryption key as that is a violation of the 5th amendment

    I wouldn't be so sure. The 5th amendment only protects against self-incrimination, but the search may be for evidence against a third party, in which case you may be compelled to comply.

    It's also not clear that giving up your encryption keys would be considered "testimonial", so it might not be protected under the 5th amendment according to US courts. See here (somewhat outdated in other aspects, but an accurate reflection of US policy on the legal hair splitting):

    http://www.cybercrime.gov/cryptfaq.htm

  15. TrueCrypt is the best for Windows and Linux. by Futurepower(R) · · Score: 5, Informative

    TrueCrypt allows hidden volumes, indistinguishable from one volume. The file size is constant.

    TrueCrypt works very, very well. I use it with just one volume to protect passwords and other files.

    When you don't want to encrypt a volume, but just a file, Gnu Privacy Guard is best.

    1. Re:TrueCrypt is the best for Windows and Linux. by irc.goatse.cx+troll · · Score: 3, Insightful

      Or at lest giving them a false sense if security.

      If they're the type that need you holding their hand like that, do you really trust them with a system wherein they type a password then any app on the system is free to dump the entire volume? What good will that do when someone (govt or otherwise) sends them an exe in their mail that they happily run that just waits for you to decrypt the volume?

      Maybe they're smart enough to not run exes so blatantly, but theres plenty of other potential code execution like software that autoupdates (+ big enough power forcing someone to sign their code so it validates), exploits, backdoors, etc.

      Then theres the operating system holes in your security. Filenames and content will still end up in "recently accessed" lists in common software, that alone can be more than enough info. Theres the cleartext copy that ends up sitting in your swap file if the app swaps out. Backup/temp files saved outside the secured drive, etc.

      TrueCrypt is useful for what it is, and I certainly use it daily, you just have to be careful with helping people into the world of security as they're looking for a panacea to do everything for them.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    2. Re:TrueCrypt is the best for Windows and Linux. by StarkRG · · Score: 5, Informative

      The only problem is explaining that if (ok, when) they lose the password, you won't be able to crack it. Ever. Not really. It's quite easy: "That's the whole point!"

      And besides, not entirely true:

      Q: We use TrueCrypt in a corporate environment. Is there a way for an administrator to reset a password when a user forgets it?

      A: There is no "back door" implemented in TrueCrypt. However, there is a way to "reset" a TrueCrypt volume password/keyfile. After you create a volume, backup its header (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header (Tools -> Restore Volume Header). I actually had someone ask me for something like this at work. Now I have something to tell them. (And something to suggest to our security department, we're currently using various encryptions for the various OSs we support, ugly).
    3. Re:TrueCrypt is the best for Windows and Linux. by gweihir · · Score: 4, Insightful

      It's sad when you have to rely on TrueCrypt's plausible deniability to protect yourself from these things.

      I agree. And AFAIK this law does not respect plausible deniability. Which also means that if the data is really random, they can throw you in prison and you cannot defend yourself.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:TrueCrypt is the best for Windows and Linux. by Anonymous+Brave+Guy · · Score: 3, Insightful

      The problem is, the law doesn't seem to place the burden of proof on the prosecution when it comes to showing whether there is or isn't any meaningful data present. Any old bits on a hard drive are (unqualified) electronic data.

      On your point about circumstantial evidence, we really need not to set a precedent that says use of encryption can be treated as any sort of evidence, circumstantial or otherwise, that you are storing data of dubious legality. The implications of giving any legal weight to drawing that conclusion are horrible.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:TrueCrypt is the best for Windows and Linux. by spikedvodka · · Score: 5, Funny

      "Your honor, you see, I have a degree in Mathematics, and in computer science, and I'm trying to develop a very good random number generator [hand over stack of hex codes, on punch cards.] While I do have encryption software on my computer, I only used it to test the system. The large data file you see on my hard drive is exactly that, a large data file. It contains about 2 CPU-hours worth of random numbers as generated by an older version of my algorithm.

      Now I understand that this looks suspicious, but mathematically, there is no difference between random numbers and encrypted data. Given enough time, and access to powerful computers, I could design a tool that would convert the random numbers you see there into any given text. From the Magna Carta, to the complete works of shakespear, to your own biography written in klingon.

      I wish I could help you, but I'm afraid that mathematically, there is nothing to do."

      --
      I will not give in to the terrorists. I will not become fearful.
    6. Re:TrueCrypt is the best for Windows and Linux. by marcansoft · · Score: 3, Insightful

      Given enough time, and access to powerful computers, I could design a tool that would convert the random numbers you see there into any given text.


      Tool = XOR
      Key = RandomData XOR Magna Carta

      Doesn't take much time, or access to powerful computers.
  16. this blows by rice_burners_suck · · Score: 4, Insightful

    This is an outrage. Here, we have a case where a person claims she does not know something, but the government is demanding of her to comply. But let's suppose, for a moment, that she is telling the truth and she has no knowledge of these encryption keys. How could she prove it? There is no way to prove a negative. It is impossible to prove that you DON'T have something; you can prove that you DO have it by producing it. There, you see, I have it. But if you don't have it, there's no way to prove it. They should let her go.

  17. TrueCrypt: Open Source and Free. by Futurepower(R) · · Score: 4, Interesting

    I forgot to say that TrueCrypt is open source and free, and, in my experience, perfectly reliable. There are Windows and Linux versions, and a Mac OS X version is planned.

    Don't forget to donate if you use TrueCrypt extensively.

    The present government corruption in both the U.S. and U.K. started when secret violence was authorized as a way of protecting oil investments of British and U.S. investors. Tending toward outlawing privacy is a way of continuing that corruption. Any government that can act in secret cannot be a democracy, because citizens cannot participate in things that are unknown to them.

    This is a good site to read about the corruption, and to contribute links: U.S. Government corruption TimeLines. Example: Complete 911 Timeline, 3895 events.

    1. Re:TrueCrypt: Open Source and Free. by Red+Flayer · · Score: 3, Insightful

      The present government corruption in both the U.S. and U.K. started when secret violence was authorized as a way of protecting oil investments of British and U.S. investors.
      I'm a cynic, so that colors what I have to say... but I disagree.

      The present government corruption began as soon as our hairy forebears realized that people in positions of power would abuse those positions of power when given gifts. This can probably be traced back to the first time Ogg gave more meat to Oggette and her little Oglodytes simply because she was willing to grab her ankles for him.

      It's human nature to try to twist the political structure to one's own ends, and it's a failure of modern society that 'the people' don't insist upon fairer means of government.

      Any government that can act in secret cannot be a democracy, because citizens cannot participate in things that are unknown to them.
      Very good point. However, I'd add that far too many people are willing to let this happen -- how many people follow the order, "Pay no attention to the man behind the curtain!" without question?

      In addition to a secretive government being undemocratic, a population disinterested in the workings of government cannot produce a democratic government.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  18. Don't just encrypt -- Hide! by drgonzo59 · · Score: 4, Insightful
    Exactly!


    Encrypting your data and not hiding it is the same as getting a $100k super secure safe, locking your stuff in it, but leaving it in the middle of the living room. Any { law enforcement agency / criminal gang / anyone with more resources and more muscles that you } will just force you to give them the key. In other words, they see the super secure safe and automatically assume there must be at least $1M in there and then they force you to give them the key. The govt will cite all kinds of stupid idiotic laws, the criminals will start cutting of the fingers (yours or your loved ones').


    The solution is to use something like steganography and hide the data such that nobody even will suspect anything. The best secrets are the ones that are not even known to exist.


    If the adversary is convinced that you do have the data and knows the data type, then create a similar but fake data set to be substituted for the real one.

  19. If you read to the bottom... by niceone · · Score: 4, Interesting
    You will find that it is not clear that RIPA is actually being used - in fact it probably is not:

    It's unclear if the woman was given an official Section 49 notice or simply "invited" to hand over the data voluntarily as part of a bluff by the authorities.

    Richard Clayton, a security researcher at Cambridge University and long-time contributor to UK security policy working groups, said that only the police are authorised to issue Section 49 notices. "What seems to have happened is that the CPS (who couldn't issue a notice anyway) have written asking the person to volunteer their key," he adds.

    "Should they refuse this polite request, they are being threatened with the subsequent issuing of a notice, which might or might not require the key to be produced (it might of course just require the putting into an intelligible form of the data)."

    --
    ccalam - acoustic versions of new songs.
  20. They are, however, terrorists... by nicolaiplum · · Score: 4, Interesting

    It should be noticed that the particular groups of people who campaign against Huntingdon Life Sciences are terrorists:
    They use threats of force to induce fear in people at HLS;
    They have used actual violent force, at the work and at the homes, of people who work at HLS;
    They threaten anyone involved with HLS, their suppliers, etc, with the same degree of violence;
    They have placed bombs, which exploded, under the cars of people who work at HLS or are involvd with HLS;
    They claim their actions are justifiable, that they are engaged in a violent struggle, that their violence is justified because they must achieve their aims by any means possible.

    These are not nice people we are talking about. They are not the innocent defenders of the fluffy bunnies. They are aggressive, violent people and they are familiar with the tools and techniques of covert violence. Curiously they fail to mention their devotion to violence in their own article about this case.

    RIPA, like any other "anti-terrorism law", will one day be used against people who have nothing to do with terrorism.
    Today is not that day.

    --
    "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
    1. Re:They are, however, terrorists... by ObsessiveMathsFreak · · Score: 4, Insightful

      Everyone working for Huntingdon Life Sciences does so by choice. They are Legitimate Targets.
      Government Officials. Security services. Former security services. Informers.

      That was the list of "Legitimate Targets" when last I heard it. If you think for one instant that people working at a private medical research lab qualify, your standards are absurdly lax. Even if the mistreatment of animals qualified as a cause for violent struggle (it doesn't), regular employees of Huntingdon don't qualify for retaliation.

      Its funny. Animal right activists always wage their violent protests and hate campaigns against scientists and business people. Where are the hate campaigns against slaughterhouse workers and farmers? Much if not most of the practices of these people are at least on the same level as animal research.

      The fact is this. Violent animal rights activists are not committing these actions because they care about animals. They are committing these actions because they enjoy committing these actions. They enjoy harassing and threatening push over scientists and businessmen. They enjoy vandalism, petty crime and shouting people down. They enjoy it, it's that simple.

      These people are middle and upper class thugs who have latched onto animal rights as an excuse to engage in violence. They need an excuse because their upbringings will not allow them to simply engage in it randomly.

      Activists would never attempt any of their antics outside a slaughterhouse, because they would be quickly intimidated by the altogether more straightforward meat workers. Can you imagine what would happen if a violent animal rights protester spat on a slaughterhouse worker, or shoted abuse to them outside their home? I'd pay to see the results.

      Vandalism, threats, pretending to be a terrorist movement, designating "Legitimate Target" (LOL), it's how they get their kicks. It's a giant LARP for these people, except that real people doing real research on real problems are getting seriously hurt by it. They're having their fun, and the animals have nothing to do with it.

      Violent animal rights workers are simply bullies who pick soft targets, i.e. scientists, who they proceed to harass and abuse to make themselves feel better. They are not a legitimate movement. They are not a cause. They don't have a point of view. They are a rich kids' street gang, too afraid to actually walk the streets.

      I don't approve of animals suffering needlessly. I find experiments like this one, or this contemptible, and if I was a research lab director, I wouldn't have approved them. I would however have approved less severe variations of such experiments. Ones in which while I knew animals might suffer somewhat, that they would not suffer needlessly or excessively. Animal research is necessary, and I defend its use, but only under the condition that the animals are treated with respect, and that their suffering and sacrifice is acknowledged. It's funny how more "primitive" cultures seem to follow such rules as a matter of fact, but our more "modern" scientists have to be reminded of it.

      We need science, but we also need our consciences. Animal rights activists have neither.
      --
      May the Maths Be with you!
  21. Re:Go To Prison Act by Cederic · · Score: 5, Informative


    Several animal rights groups in the UK are officially designated terrorist organisations, because frankly they engage in acts of terror.

  22. Linux? You need a hardware write blocker, period. by tamnir · · Score: 4, Informative

    Linux-based imaging is good only if you are interested in recovery. On the legal side of things, it will not do:

    - Please explain to the court how you made a copy of this piece of evidence...
    - I connected the drive to our forensic machine and...
    - You mean, you connected this hard disk... to your machine?
    - Yes of course, then I...
    - Did you use a hardware write block?
    - Er... I used Linux and mounted the...
    - Please, just answer the question. Did you or did you not use a hardware write blocker device to connect the disk to your machine?
    - I did not, but...
    - Thank you, no further question. I now call for the evidence to be declared tainted and inadmissible in court, since the forensic team failed to use the proper hardware to ensure that no changes would be made to the disk.

    There is a whole range of forensic-specific hardware available: write blockers, hardware disk imagers... Use them, or loose your case.

    --
    I code, therefore I am.
  23. Re:As a Brit... by hairykrishna · · Score: 4, Informative

    I have to disagree with one of your points. Some of the most prolific terrorist groups are animal rights activists - they participate in letter bombing campaigns, arson and direct indimitation/attack of life science workers.

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
  24. Re:TrueCrypt's method is not detectable by tinkerghost · · Score: 5, Interesting

    And how do you mount the volume? If you mount it using TrueCrypt, then this only gives you deniability if the forensics people don't know about TrueCrypt. If they do, then a decent lawyer could convince a court that there was a second key that the suspect was not divulging and get them convicted under RIPA.

    That's actually pretty much a stretch. Your 'decent' lawyer would have to give some sort of proof that there was a second partition there. Something that TrueCrypt is pretty much designed to prevent. You can easily show the existence of the first truecrypt partition - it's there in the open. You can't prove the existence of the second partition.

    I'm not sure a judge will buy 'because we didn't find what we were looking for' as a reasonable showing of proof that a second partition exists, and unfortunately, that's all the proof that exists. The formatting method and the processing method result in random data covering the entire partition block, as data is written to both the shown & hidden partitions, that data changes from random to encrypted. However the whole goal of the crypto data is to make it look random.

    So you have potentially 3 blocks of random data each constructed with the same randomizing algorythm. How exactly do you show where one begins & one ends? How do you even show that the 3rd block exists? The whole purpose of the hidden block is to make it almost impossible to prove the existence of that third block. You literally are more likely to brute force the key than you are to prove the existence of the hidden partition.

  25. They're worse than gremlins! by chefmonkey · · Score: 3, Funny

    Use them, or loose your case.

    And it runs around free! Wreaking havoc! Smashing in windows and stealing car stereos! Eating whole bags of Cheetos and vomiting them up into your dress shoes! I'll tell you -- there's nothing worse than a case that has been loosed upon the world. Those things are wild.

  26. Re:Duh by mccabem · · Score: 5, Insightful

    Teacher hating very often fits into that same way of thinking.

    Business and government are similar in that they are all staffed and run by people (that is, greedy grafty nasty people). They are different in that we elect our government people and there is some oversight of the work and the results - sometimes late, and sometimes shoddy, but the oversight is there.. A business on the other hand, involves no community decision, is run as a dictatorship and there is minimal oversight (less and less every day since the 80's).

    I'm not anti-business, just honest. The problems come from the people, not the organizational method. The organizational method is supposed to be a way of compensating for the problems while minimizing the bad side-effects.

    Being anti-gov't or anti-teacher is just a way of parroting something you heard from someone else -- it's not a legitimate position to argue from.

  27. Re:TrueCrypt's method is not detectable by Sancho · · Score: 4, Insightful
    I don't have the best understanding of how it all works, but I know that there are some errors here.

    There are a couple of drawbacks to this method, one being that you can have two encrypted volumes start to corrupt each other if you fill the entire partition. If you plan ahead for this scenario you can avoid it, though. The other drawback is that you have to encrypt an entire partition to use it. That's not how it works.

    When you initialize your encrypted disk space, you tell Truecrypt how many containers you want. Say that you choose 2. When you mount your Truecrypt drive, you must always mount both containers. In this way, Truecrypt knows and can maintain integrity between the two--they won't start to overwrite or corrupt each other, because they are both known about and available. If you ever only give the first key (you can't just give the second key, as the second container is entirely within the first) then you run the risk of corrupting the second container--in fact, any write operation will probably do it.

    Now you can choose more than just two containers, and the same applies. One thing I'm not sure of is whether the third container is fully within the second.

    None of this, however, helps in hiding the existence of a PGP key. If your opponent has access to your email servers and can see you sending messages encrypted by PGP you're gonna have some explaining to do when it comes to investigation time. I don't know of any steganographic programs with plausible deniability that are out at this time. If anyone's heard of any please let us know. Even this has some subtle nuances.

    If I am sending encrypted mail using PGP, I'm using someone else's PGP key. I don't have to have a PGP key myself in order to do this. If someone else is sending me encrypted messages, they could be sending it using anyone's PGP key--it's only obviously my key if it's provable that I've read the messages. For example, Alice could encrypt a message using Bob's public key, and then send that message to Charlie in an effort to frame him. Charlie gets the junk message and deletes it, but the feds who were wiretapping Charlie come in and demand to know what was in the message. Charlie can't answer--he has no idea. So he gets 2 years in prison from the RIPA act.