Lawyers Would Rather Fly Than Download PGP

← Back to Stories (view on slashdot.org)

Lawyers Would Rather Fly Than Download PGP

Posted by kdawson on Monday April 28, 2008 @12:19PM from the fly-once-to-exchange-keys dept.

An anonymous reader writes "The NYTimes is running a front-page story about lawyers for suspects in terrorism-related cases fearing government monitoring of privileged conversations. But instead of talking about the technological solutions, the lawyers fly halfway across the world to meet with their clients. In fact, nowhere in the article is encryption even mentioned. Is it possible that lawyers don't even know about PGP?" The New Yorker has a detailed piece centering on the Oregon terrorism case discussed by the Times.

32 of 426 comments (clear)

Min score:

Reason:

Sort:

Security not just about encryption. by Whiney+Mac+Fanboy · 2008-04-28 12:20 · Score: 5, Insightful

Is it possible that lawyers don't even know about PGP?"

Is it possible that the submitter doesn't even know about keyloggers, passive listening devices (for phones), compromised encryption binaries, vulnerabilities in protocols, etc?

If the goddamn NSA can't snoop on an encrypted conversation between a lawyer & client, then frankly, they're not doing their job

--
There are shills on slashdot. Apparently, I'm one of them.
1. Re:Security not just about encryption. by Brian+Gordon · 2008-04-28 12:22 · Score: 4, Insightful
  
  If the NSA can listen in, then PGP isn't doing their job.
2. Re:Security not just about encryption. by Whiney+Mac+Fanboy · 2008-04-28 12:27 · Score: 5, Insightful
  
  If the NSA can listen in, then PGP isn't doing their job.
  
  It's got to be decrypted at one end of the other - there's not much PGP can do about a compromised terminal, keyloggers, passive listening devices (reconstructing passwords from the sound of keyboard tapping), etc.
  
  Basically, a well-resourced, determined attacked doesn't have to crack PGP itself.
  
  --
  There are shills on slashdot. Apparently, I'm one of them.
3. Re:Security not just about encryption. by Ethanol-fueled · 2008-04-28 12:30 · Score: 4, Insightful
  
  Another question: Why does the summary title read, "Lawyers would rather fly than download PGP" while the summary asks,
  "Is it possible that lawyers don't even know about PGP?"
4. Re:Security not just about encryption. by Sloppy · 2008-04-28 12:39 · Score: 4, Insightful
  
  there's not much PGP can do about a compromised terminal, keyloggers, passive listening devices (reconstructing passwords from the sound of keyboard tapping), etc.
  If there's a microphone in the room, then meeting in person probably isn't much better.
  
  --
  As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
5. Re:Security not just about encryption. by darkmeridian · 2008-04-28 12:56 · Score: 5, Insightful
  
  This is the credited answer. At first, I was leaning towards being cynical and thought that the lawyers just wanted to pad the bill. But we're talking about the United States of America deciding to spy on "terrorists" and their attorneys. I mean, "The Justice Department does not deny that the government has monitored phone calls and e-mail exchanges between lawyers and their clients as part of its terrorism investigations in the United States and overseas. *** In a terrorism-financing investigation centered on the offices of an Islamic charity here, the government mistakenly provided defense lawyers in August 2004 with what the lawyers say was a logbook of intercepted phone calls between the charity's lawyers in Washington, D.C., and clients in Saudi Arabia."
  
  If the government is tapping your phone lines, what makes you think they aren't intercepting your e-mail? I'm sure PGP would avoid problems like the U.S. government installing a keylogger on your system, or just sending a national security letter demanding access to your e-mails on pain of imprisonment as an accomplice to terror. Oh wait, it doesn't.
  
  I'd rather take the airplane flight be more sure that I'm not getting bugged.
  
  --
  A NYC lawyer blogs. http://www.chuangblog.com/
6. Re:Security not just about encryption. by Actually,+I+do+RTFA · 2008-04-28 13:42 · Score: 4, Funny
  
  You can try mine if you like: 192.168.1.1
  
  --
  Your ad here. Ask me how!
7. Re:Security not just about encryption. by Fishead · 2008-04-28 13:57 · Score: 5, Funny
  
  Ha ha, sucker, I am in!
  
  Now I'll just change your router settings so you can't access the inter...
8. Re:Security not just about encryption. by Martin+Blank · 2008-04-28 13:59 · Score: 3, Informative
  
  That's not far from the truth. Each monitor has a unique signal that can be tuned in using TEMPEST gear, to which s0litaire indirectly referred in another reply to you. PGP has (had?) a viewer that was intended to defeat TEMPEST viewing. I don't know the details of it, but I recall it was a gray-on-gray scheme, and it had something to do with the relatively low resolution and color depth available on TEMPEST viewers.
  
  However, the FBI (and by loan or extension, the NSA) has some very good black bag people, and they are much more likely to add in a hardware keylogger or currently-undetectable rootkit nowadays. That's how the FBI got crucial evidence against Nicodemo Scarfo, Jr., son of former mob boss Little Nicky Scarfo, adding a hardware keylogger to grab his PGP password to allow them to decrypt his messages in concert with his private key, also copied at the time.
  
  --
  You can never go home again... but I guess you can shop there.
9. Re:Security not just about encryption. by Anonymous Coward · 2008-04-28 14:07 · Score: 3, Funny
  
  Moron, I just logged into your machine and deleted your entire hard dr...
10. Re:Security not just about encryption. by Angst+Badger · 2008-04-28 14:28 · Score: 3, Insightful
  
  If it were my ass on the line, I'd assume that the NSA can crack PGP. I remember many years ago when PGP first appeared and how much effort the NSA put into trying to get Congress to stuff the genie back into the bottle. Then, all of a sudden, they stopped resisting. Either the NSA decided they couldn't win -- which is frankly out of character for them -- or they found a way to crack it. Given the resources available to them, I wouldn't want to rely on any cryptographic system that doesn't bother them.
  
  --
  Proud member of the Weirdo-American community.
11. Re:Security not just about encryption. by profplump · 2008-04-28 15:00 · Score: 3, Interesting
  
  Looking at your shadow I can still tell your body type, if given some scale I can make reasonable guesses about your height and weight. I can tell what orientation you're in, if you've got long or short hair, possibly your gender. You're right, I can't draw a picture of your face, but given a list of all 6 billion faces I could narrow down the choices quite a bit before I started rounding up people for a lineup.
  
  If someone has a 12-character password alpha-numeric password the keyspace is about 104^12. If you can determine when the shift key is pressed and which of the 4 rows of keys each character is in, you can make that 13^12, which is 36 bits less keyspace -- almost a 50% reduction over the original 80 bits.
12. Re:Security not just about encryption. by PopeRatzo · 2008-04-28 15:49 · Score: 4, Insightful
  
  the question isn't whether it's likely that they can break PGP,
  How long before the possession of a PGP key is grounds for landing on a DHS no-fly list?
  
  --
  You are welcome on my lawn.
13. Re:Security not just about encryption. by Anonymous Coward · 2008-04-28 17:09 · Score: 3, Insightful
  
  It's more than that. A keyspace reduction of two bits out of a hundred isn't 2%, it's 75%. A keyspace reduction from 2^80 to 2^44 isn't "almost 50%" it's well over 99%.
14. Re:Security not just about encryption. by fyngyrz · 2008-04-28 17:53 · Score: 4, Insightful
  
  Would a recording outside of the US be viable in a US court?
  
  Do US courts seriously consider these issues any longer? The majority of the constitution is at best nod and wink territory these days. They tap whoever they want; they jail whoever they want; and as for admissible in court, who says it'll even get to court? Who says you'll even get a phone call? This isn't your father's USA.
  
  --
  I've fallen off your lawn, and I can't get up.
15. Re:Security not just about encryption. by pipingguy · 2008-04-28 17:53 · Score: 3, Funny
  
  I'd rather take the airplane flight be more sure that I'm not getting bugged.
  
  And then the bastards will install a 3 year-old to kick your seat from behind, an incessant talker who loves chatting about lolcats next to you and a screaming infant in the seat in front just to bug you. You can't possibly win and they'll all be wearing a wire.
So where is the downside? by overshoot · 2008-04-28 12:23 · Score: 5, Insightful

It's all billable hours, remember.

--
Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
S/MIME, anyone? by danaris · 2008-04-28 12:24 · Score: 4, Interesting

What is it with the Slashdot crowd and PGP? What's wrong with S/MIME?

I can say with some authority, having been evaluating and testing it for my company for some months now, that it is natively supported by current versions of the 3 major email clients (Outlook, Thunderbird, and Apple Mail), and that their implementations are, by and large, compatible.

So...are there any particular issues with S/MIME that make PGP a significantly more desirable solution?

Dan Aris

--
Fun. Free. Online. RPG. BattleMaster.
1. Re:S/MIME, anyone? by ScrewMaster · 2008-04-28 12:33 · Score: 4, Funny
  
  So...are there any particular issues with S/MIME that make PGP a significantly more desirable solution?
  
  Everybody hates a mime.
  
  --
  The higher the technology, the sharper that two-edged sword.
2. Re:S/MIME, anyone? by Tacvek · 2008-04-28 12:39 · Score: 4, Interesting
  
  What is it with the Slashdot crowd and PGP? What's wrong with S/MIME?
  
  I can say with some authority, having been evaluating and testing it for my company for some months now, that it is natively supported by current versions of the 3 major email clients (Outlook, Thunderbird, and Apple Mail), and that their implementations are, by and large, compatible.
  
  So...are there any particular issues with S/MIME that make PGP a significantly more desirable solution?
  
  Dan Aris
  I think many Slashdot poster prefer OpenPGP encryption to S/MIME because OpenPGP is not email specific, and having 2 different keys (an S/MIME email key, and a PGP key) is not ideal. Further I suspect the PGP Web of Trust model is preferred by many of us to the CA model. Of course, there are ways around both things, but it may be slightly easier to use PGP for email than to deal with those issues. However, for your uses (depending on what they are), S/MIME may indeed be the best solution.
  
  --
  Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
3. Re:S/MIME, anyone? by Chandon+Seldon · 2008-04-28 13:35 · Score: 4, Interesting
  
  OpenPGP software allows you to easily self-generate valid keys. Doing the same with S/MIME (self-signing certificates) is really obnoxious. Further, OpenPGP clients tend to support a web-of-trust introduction model which is strictly better for actual security than the centralized commercial PKI model that S/MIME software tries to force on users.
  For sending secure messages within a medium to large sized organization there is some argument for S/MIME using a local CA, but even then simply emulating the same effect with a organization PGP key signer and key server is probably cleaner.
  
  --
  -- The act of censorship is always worse than whatever is being censored. Always.
4. Re:S/MIME, anyone? by bockelboy · 2008-04-28 14:29 · Score: 3, Informative
  
  That is correct. I work in an organization which deals exclusively in certificates (everyone also encrypts with S/MIME). The CA does not keep the private key.
  
  If the NSA compromises your CA, the best they can do is create another certificate which pretends to be yours. If the destination already had your certificate, then the public key they have won't match your private key.
  
  The grandparent needs to review PKI.
Other considerations by Derling+Whirvish · 2008-04-28 12:26 · Score: 4, Funny

But instead of talking about the technological solutions, the lawyers fly half way across the world to meet with their clients. There are other considerations involved. Similar to how TV News anchors somehow manage to find stories to report on in the Caribbean that require their personal presence during the worst months of North American winters.
Are you dumb? by Reality+Master+201 · 2008-04-28 12:36 · Score: 3, Insightful

Since the government's willing to bug communications, what's going another step and snagging the prisoner's password with a keylogger? Or snagging decrypted text from memory, or any one of a slew of things you could do with a lot of money, time, and complete access to one end of the connection.

Hell, they could just torture the password out of the prisoner - turns out that the Land of the Free and the Home of the Brave does that kind of thing now.
Communication more than just writing by mrbluze · 2008-04-28 12:39 · Score: 5, Insightful

If you take into consideration that communication (as we are told) is 70% non-verbal, then any half decent lawyer will make sure he/she is able to see the client face to face. It is impossible to take a good history from a person if you can't see them, let alone hear their voice.

Given this fact, it is not a surprise that lawyers want to meet their clients. Yes and there are limitations to PGP that won't ensure privacy especially when you are opening lines of communication in an already hostile environment. There are things you just can't know unless you are physically there.

--
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
1. Re:Communication more than just writing by Pendersempai · 2008-04-28 13:21 · Score: 3, Informative
  
  That's an interesting theory, but shot down in the first two paragraphs of the article:
  
  PORTLAND, Ore. Thomas Nelson, an Oregon lawyer, has lived in a state of perpetual jet lag for the last two years. Every few weeks, he boards a plane in Portland and flies to the Middle East to meet with a high-profile Saudi client who cannot enter the United States because he faces charges here of financing terrorism.
  Mr. Nelson says he does not dare to phone this client or send him e-mail messages because of what many prominent criminal defense lawyers say is a well-founded fear that all of their contacts are being monitored by the United States government.
What makes you think they are permitted to encrypt by plover · 2008-04-28 12:53 · Score: 4, Insightful

Imprisoned suspects don't have the right to free communications, and especially not encrypted communications. The only privacy they're assured of (in the United States) is if it's a letter going to an attorney; but how is the warden to know for sure that huey.dewey@dewey-cheatham-and-howe.com is really the public key belonging to a licensed attorney, and not the aliased public key of Emmanuel Goldstein or Osama bin Laden?
Even if they knew this for sure, the jailer is under no obligation to provide access to PGP or even a computer, and he would likely be an idiot if he did provide PGP to the inmates.

--
John
How my conversation went... by DnemoniX · 2008-04-28 13:00 · Score: 3, Interesting

Several years ago now I set up a PGP server at work, mainly for my own use. However it was suggested that our attorney's might like to use it. Here is how the conversation went:

"Hey I just finished setting up an encryption system for the e-mail system"

"A what?"

"Encryption, you know to keep your corrispondence confidential..."

"A what what?"

Then about 5 years later I rolled out an automated encryption system that uses lexicons to detect patterns and auto encrypt e-mails if they trip the filters. That conversation with the attorney's went like this.

"You put in a what and why?"

A lengthy explanation later filled with examples of when they should be using it. Finally the lawyer who had just spent a few days at a HIPPA conference sees the light. DING DING DING Clueless I swear.
1. Re:How my conversation went... by Actually,+I+do+RTFA · 2008-04-28 14:05 · Score: 4, Interesting
  
  inally the lawyer who had just spent a few days at a HIPPA conference sees the light. DING DING DING Clueless I swear.
  
  Don't confuse your specialized knowledge with common knowledge. Your phrasing assumes that encryption, as a word, conjures up images as it would in a geek's mind (and more than five years earlier than now, when it was less well known.) Obviously they explained it better at the HIPPA conference.
  
  Really, I doubt had I not already know what encryption, or the ease of e-mails being read by third-parties, I would have gained nothing from your explaination.
  
  A possible alternative: It is easy for any third party to read your e-mails. Encryption uses a password (or automatic process) on both ends to make sure that only you and your recipients can read the e-mail. It also verifies that the person who claims to have sent the e-mail did, since falisifying the sender of an e-mail is also very easy.
  
  --
  Your ad here. Ask me how!
typical geek mindset by lawpoop · 2008-04-28 13:11 · Score: 3, Insightful

This sounds like a typical geek solution: Jump latest and greatest technology.

However, if I were a lawyer, I would stick with the time-tested method of ensuring privacy, rather than risk my client's confidentiality with some new-fangled technology that I don't understand. Do I have it installed right? What if it gets hacked?

Heck, I'm a computer guy and I don't understand PGP. I do in the biggest sense; but not enough to pass my own judgment on how well it works. I have to rely on the opinions of people who are smarter than me. Suppose they discover a new kind of math tomorrow that renders PGP useless?

--
Computers are useless. They can only give you answers.
-- Pablo Picasso
Clients Do Not Trust Computers by sampson7 · 2008-04-28 13:26 · Score: 4, Insightful

You are thinking like nerds instead of lawyers. More importantly, you are neglecting the human element.

The lack of internet security is not why attorneys visit their clients in person. It is because their client will tell them things face to face that they would never say over a telephone or video conference, no matter how secure. Assuming that the lawyer trusted the technology, do you think the client is going to? I've had corporate clients practically whisper things to me in perfectly secure conference rooms when it is clear that nobody is listening in. Why? It's human nature. Now take a terrorism suspect, who likely is not that well educated and has a legitimate fear of being spied on, and tell him to speak clearly into the microphone. Do you seriously think that is going to work?

Moreover, lawyers -- the good ones anyway -- are half poker player. When we interview clients, we are looking for "tells" and evaluating everything the client says. Not only to determine if their client is telling the truth (sometimes it doesn't matter), but to determine if their client _looks like_ they are telling the truth. There is no way that you could ever evaluate whether to put a witness on the stand without seeing them in person. (Not that it matters in these cases where a jury trial is exceedingly unlikely, but still.) These human factors are every bit as important to properly representing your clients as knowing the law.
IANAL, but... by Whatsthiswhatsthis · 2008-04-28 13:50 · Score: 4, Insightful

But I am about to graduate from law school in a few days, so hear me out. Lawyers are a risk averse bunch. If you tried to tell a lawyer to use PGP (and the lawyer actually knew what PGP was), in the back of his mind he's thinking, "How is this going to nail me? How is this going to lead to a malpractice lawsuit? How is this going to get screwed up and cost me my career, my reputation, or my client's ass?" The answer is that we just don't know. What lawyers can and do trust is face-to-face communication.

Until PGP becomes widely adopted outside the legal context (and it hasn't), lawyers are not going to be the first to adopt it. The reasons proffered above--that the government can break PGP or tap into the end-users' computers--may be true, but I doubt they are the reasons lawyers don't use PGP.

Also, while I would concur with most of the comments about lawyers padding billable hours, in these cases it's probably not about that. Suspected terrorists likely don't have the kind of cash that typical corporate clients do. Many of these lawyers are working for suspected terrorists (especially those in Gitmo) on a pro-bono basis. Ahkmed from a tent in Afghanistan probably couldn't afford a lawyer in his country, much less one from the United States.