Slashdot Mirror


First Use of RIPA to Demand Encryption Keys

kylehase writes "The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of. According to the article, she could face up to two years if she doesn't comply."

20 of 645 comments

  1. So lemme get this straight by definate · · Score: 5, Interesting

    Are you telling me that I could output /dev/random to a file, place it on my friend's hard drive, say it contains valuable information pertaining to a case and he could go to jail or be fined for not revealing the password/key?

    This gives me an idea!

    Either way, if you need to you can get around this with TrueCrypt by taking some precautions such as:

    1) Not naming it with the default extension (.tc)
    2) Put it somewhere inconspicuous and name it appropriately
    3) Making sure that it's a hidden encrypted volume
    4) Open it through TrueCrypt and don't save the history, or passwords, or as automount, or similar

    Shit, that was a typo, I meant to type FIRST POST!!!

    --
    This is my footer. There are many like it, but this one is mine.
  2. huh by Anonymous Coward · · Score: 5, Insightful

    how can you be put in jail for not knowing something?

  3. There is a way of finding out.. by mrbluze · · Score: 5, Funny

    Put her in a lead vest and throw her into the sea. If she drowns, it means she didn't have the keys, but if she swims, she's a wicked witch and deserves to be punished.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  4. Re:solution by PhrostyMcByte · · Score: 5, Informative

    any forensic team with an ounce of competence will copy the original HDD and work off the copy, so that just won't work.

  5. I guess torture will be next... oh wait... by GoatRavisher · · Score: 5, Interesting

    Historically, the legal protection against self-incrimination is directly related to the question of torture for extracting information and confessions.[citation needed] The legal shift from widespread use of torture and forced confession dates to turmoil of the late 16th and early 17th centuries in England. Anyone refusing to take the oath ex-officio (confessions or swearing of innocence, usually before hearing any charges) was taken for guilty. Suspected Puritans were pressed to take the oath and then reveal names of other Puritans. Coercion and torture were commonly employed to compel "cooperation." Puritans, who were at the time fleeing to the New World, began a practice of refusing to cooperate with interrogations. In the most famous case, John Lilburne refused, in 1637, to take the oath. His case and his call for "freeborn rights" were rallying points for reforms against forced oaths, forced self-incrimination, and other kinds of coercion. Oliver Cromwell's revolution overturned the practice and incorporated protections, in response to a popular group of English citizens known as the Levellers. The Levellers presented The Humble Petition of Many Thousands to Parliament in 1647 with thirteen demands, of which, the right against self-incrimination (in criminal cases only), was listed at number three. These protections were brought to the American shores by Puritans, and were later incorporated into the United States Constitution through its Bill of Rights.
    http://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_States_Constitution
    --
    Man will never be free until the last king is strangled with the entrails of the last priest. --Denis Diderot
  6. Re:solution by Anonymous Coward · · Score: 5, Funny

    that is, of course, assuming that the police forensics team has an ounce of competence.

  7. Re:solution by mlts · · Score: 5, Informative

    Having a known self destruct switch may cause a person to end up in even worse trouble. This is a discussion that occurs periodically on a number of cryptography forums.

    Almost all police departments will image the drive, then present the person with the image to decrypt. If the image gets stung by a self destruct Trojan, then the police will know that it's not a forgotten password, and then proceed to use rubber hose decryption to obtain the contents of the drive.

  8. Better solution by Whiney+Mac+Fanboy · · Score: 5, Interesting

    A better solution is plausible deniability.

    One password gives your uber-secret-plans-for-world-conquest, the other password gives a few hundred meg of soft porn (or whatever).

    That way, you appear to not be resisting their demands.

    --
    There are shills on slashdot. Apparently, I'm one of them.
    1. Re:Better solution by LurkerXXX · · Score: 5, Informative

      Filesize arithmetic?

      You never used Truecrypt eh? It's not a zip file. It acts as a virtual hard drive partition that can be mounted as a drive.

      When you create the volume it generates random bits throughout the virtual partition. You can copy whatever files you want onto the virtual partition, the rest of it is random noise. You may or may not choose to have additional hidden encrypted partitions within that noise. Adding up the size of known files tells you nothing about what may or may not lurk in the rest of the space on the virtual partition.

    2. Re:Better solution by brown-eyed+slug · · Score: 5, Funny

      I don't know about your world domination plan, but mine contains images, photographs, maps, blueprints and a few more things that cannot really easily be expressed in text.
      Sounds a lot like my porn collection.
  9. New Act by Soporific · · Score: 5, Funny

    Why don't they just sign the "We'll Do Whatever The Fuck We Want Anytime We Want Act" and just get it over with already?

    ~S

  10. Re:solution by Nazlfrag · · Score: 5, Funny

    Just blind them with goatse as the first file, they won't go near the rest.

  11. TrueCrypt is the best for Windows and Linux. by Futurepower(R) · · Score: 5, Informative

    TrueCrypt allows hidden volumes, indistinguishable from one volume. The file size is constant.

    TrueCrypt works very, very well. I use it with just one volume to protect passwords and other files.

    When you don't want to encrypt a volume, but just a file, Gnu Privacy Guard is best.

    1. Re:TrueCrypt is the best for Windows and Linux. by StarkRG · · Score: 5, Informative

      The only problem is explaining that if (ok, when) they lose the password, you won't be able to crack it. Ever. Not really. It's quite easy: "That's the whole point!"

      And besides, not entirely true:

      Q: We use TrueCrypt in a corporate environment. Is there a way for an administrator to reset a password when a user forgets it?

      A: There is no "back door" implemented in TrueCrypt. However, there is a way to "reset" a TrueCrypt volume password/keyfile. After you create a volume, backup its header (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header (Tools -> Restore Volume Header).

      I actually had someone ask me for something like this at work. Now I have something to tell them. (And something to suggest to our security department, we're currently using various encryptions for the various OSs we support, ugly).
    2. Re:TrueCrypt is the best for Windows and Linux. by spikedvodka · · Score: 5, Funny

      "Your honor, you see, I have a degree in Mathematics, and in computer science, and I'm trying to develop a very good random number generator [hand over stack of hex codes, on punch cards.] While I do have encryption software on my computer, I only used it to test the system. The large data file you see on my hard drive is exactly that, a large data file. It contains about 2 CPU-hours worth of random numbers as generated by an older version of my algorithm.

      Now I understand that this looks suspicious, but mathematically, there is no difference between random numbers and encrypted data. Given enough time, and access to powerful computers, I could design a tool that would convert the random numbers you see there into any given text. From the Magna Carta, to the complete works of Shakespeare, to your own biography written in Klingon.

      I wish I could help you, but I'm afraid that mathematically, there is nothing to do."

      --
      I will not give in to the terrorists. I will not become fearful.
  12. Re:solution by Anonymous Coward · · Score: 5, Funny

    Because private companies are the pinnacle of competence and government is the pit of deepest stupidity.

    Let me guess: you're either American, Israeli or Australian.

  13. Re:solution by Anonymous Coward · · Score: 5, Funny

    Because the rest of the world is smarter and more competent than people from those three countries...

    No, but apparently parent's reading comprehension is superior to your own.

    Or, to put it a way you might understand: "Whoooosh!"

  14. Re:Go To Prison Act by Cederic · · Score: 5, Informative


    Several animal rights groups in the UK are officially designated terrorist organisations, because frankly they engage in acts of terror.

  15. Re:TrueCrypt's method is not detectable by tinkerghost · · Score: 5, Interesting

    And how do you mount the volume? If you mount it using TrueCrypt, then this only gives you deniability if the forensics people don't know about TrueCrypt. If they do, then a decent lawyer could convince a court that there was a second key that the suspect was not divulging and get them convicted under RIPA.

    That's actually pretty much a stretch. Your 'decent' lawyer would have to give some sort of proof that there was a second partition there. Something that TrueCrypt is pretty much designed to prevent. You can easily show the existence of the first truecrypt partition - it's there in the open. You can't prove the existence of the second partition.

    I'm not sure a judge will buy 'because we didn't find what we were looking for' as a reasonable showing of proof that a second partition exists, and unfortunately, that's all the proof that exists. The formatting method and the processing method result in random data covering the entire partition block, as data is written to both the shown & hidden partitions, that data changes from random to encrypted. However the whole goal of the crypto data is to make it look random.

    So you have potentially 3 blocks of random data each constructed with the same randomizing algorithm. How exactly do you show where one begins & one ends? How do you even show that the 3rd block exists? The whole purpose of the hidden block is to make it almost impossible to prove the existence of that third block. You literally are more likely to brute force the key than you are to prove the existence of the hidden partition.
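
Added example (not part of any comment in this thread, and not TrueCrypt code): what a forensic entropy scan can and cannot conclude about a container of the kind the comments describe. The SHA-256 counter-mode cipher, the key, the plaintext and the three-window layout are constructed stand-ins chosen so the script runs offline.

```python
import hashlib
import math
import os
from collections import Counter

WINDOW = 64 * 1024  # scan granularity in bytes (assumption for this example)

def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for a real
    disk cipher. Constructed for illustration; not what TrueCrypt uses."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 d.o.f.)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts[b] - expected) ** 2 / expected for b in range(256))

def looks_random(data: bytes) -> bool:
    """True when the bytes pass both uniformity checks."""
    return shannon_entropy(data) > 7.99 and 150 < chi_square(data) < 400

def scan(container: bytes, window: int = WINDOW) -> list:
    """Classify each window of the container independently."""
    return [looks_random(container[i:i + window])
            for i in range(0, len(container), window)]

# Constructed sample: low-entropy plaintext, encrypted into the middle
# window of a container whose other windows are plain random fill.
KEY = b"constructed-example-key"
line = b"meeting notes: nothing to see here\n"
PLAINTEXT = (line * (WINDOW // len(line) + 1))[:WINDOW]
CONTAINER = os.urandom(WINDOW) + keystream_encrypt(KEY, PLAINTEXT) + os.urandom(WINDOW)

if __name__ == "__main__":
    print("plaintext entropy:", round(shannon_entropy(PLAINTEXT), 2))
    print("window verdicts  :", scan(CONTAINER))  # ciphertext window is not singled out
```

Every window passes, so the scan establishes that the file is high-entropy throughout but gives no boundary between random fill and ciphertext.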

  16. Re:Duh by mccabem · · Score: 5, Insightful

    Teacher hating very often fits into that same way of thinking.

    Business and government are similar in that they are all staffed and run by people (that is, greedy grafty nasty people). They are different in that we elect our government people and there is some oversight of the work and the results - sometimes late, and sometimes shoddy, but the oversight is there. A business on the other hand, involves no community decision, is run as a dictatorship and there is minimal oversight (less and less every day since the 80's).

    I'm not anti-business, just honest. The problems come from the people, not the organizational method. The organizational method is supposed to be a way of compensating for the problems while minimizing the bad side-effects.

    Being anti-gov't or anti-teacher is just a way of parroting something you heard from someone else -- it's not a legitimate position to argue from.