Slashdot Mirror
Encryption? What Encryption?
Police in Britain have announced that two people have successfully been prosecuted under a UK law that forces defendants to give up their encryption keys and penalizes those who don't comply. Another UK woman's case had attracted attention two years ago, when the government demanded she give up her encryption keys after the police found encryption software on her computer, but the police say she was not one of the two defendant's charged. Is there a software solution to this problem — a way that people can encrypt files on their computers, without arousing the suspicion of law enforcement if the computers are seized?
File encryption, if properly implemented, is generally considered mathematically unbreakable. But to prevent suspicion falling on people just for encrypting files in the first place, requires a human solution as well as an engineering one. One way or another, some file encryption software would have to be in widespread use that has these two properties: (1) it's deployed on a large number of people's machines — not just a large absolute number, but a significant proportion of the total population, so that suspicion does not fall on people just for possessing the software — and (2) it should not be possible to tell the difference between machines where the users use the software regularly, and machines where the software has never been run. Then, and only then, would it be possible to use the encryption software on your machine, without anyone who seizes the machine having reason to think that you had ever encrypted anything at all.
(Of course, in a relatively free society, if law enforcement has probable cause to seize your machine in the first place, then they would presumably already have some evidence against you. But this would at least prevent police officers and judges from becoming more suspicious as a result of encryption software being present on your machine.)
Note that this is similar to the kind of problem that is normally solved with steganography, but by my reasoning, I don't think that using stego would actually gain anything in this situation. Whether you're talking about encryption software or stego software, if it's a program that not a lot of people have installed, then just by virtue of having it on your machine, you'll attract suspicion if your machine is seized. On the other hand, suppose you've cleared that hurdle and the software is installed on a lot of people's computers, so that just having installed it is not by itself grounds for suspicion. If it's stego, then you can embed the hidden data inside other images or videos, so that an intruder can't tell whether you've been using the software to hide anything (assuming the stego software is good enough that the intruder can't tell the images have been tampered with). But you could achieve the same thing with straight encryption software: just have every installation of the program create a "storage volume" file, where encrypted files will be stored. As long as a storage volume file with files embedded in it, is indistinguishable from a storage volume file that has never been touched, the presence of the storage volume file won't give you away.
I'm not actually aware of any encryption program that has that property: that for a given machine with the software installed, it's impossible to tell whether the software has ever been used to encrypt data. This is probably because this would normally not be a useful feature of an encryption program. The whole point of making it impossible to tell whether someone has used the program or not, is that people who have used the program would not attract undue attention to themselves as a result. But if the encryption program is only used by one thousandth of one percent of total Internet users anyway, then just the fact that a user has the program installed, would be enough to draw suspicion to the user if their computer is seized, so there's no benefit to concealing the fact that the program has been used. On the other hand, if the encryption program is installed on a significant proportion of users' machines anyway, then simply having the program installed is no longer grounds for suspicion. And that's when it would become a valuable feature for it to be difficult to tell whether the owner of the machine actually uses the encryption program or not.
This may be hard to implement correctly, and there are some tradeoffs that will have to be decided. For example, if the program creates a default "storage volume" file when it's installed, how big should that initial volume be? The problem with creating a small storage file initially and then letting it grow as encrypted files are added, is that this now makes it easy to tell who is using the program and who isn't — anyone whose storage file has grown beyond the default size, is using it to encrypt files (and is therefore a terrorist movie-downloading child pornographer, etc.). In order to avoid suspicion falling on people who use the program, the storage file would have to be the same size on everyone's computer. If you make it 1 GB, that wastes a lot of space on people's machines who aren't using it. On the other hand, if it's only 1 GB, it also means that users will only be able to store up to 1 GB of encrypted data — any more than that, and they'll have to expand the size of the storage file, thus calling attention to themselves if the machine is ever seized. And then, what about the fact that a large file which is created all at once, is normally not fragmented very much, but if the storage file is frequently modified, it is likely to become more and more fragmented — thus giving people a way to tell if the encryption program is being used frequently. (So you'd either have to deliberately create a very fragmented storage file by default on the first install, or create an unfragmented file on first install but then make sure to read and write from the file in a way that doesn't fragment it further.) I don't want to get too bogged down in implementation details. The point is just that you'd have to block all the possible ways that an intruder would be able to tell whether the software is used frequently — forget one thing, and you've given an intruder a way to identify people who are actually using the software to encrypt files.
A program called TrueCrypt achieves something close to this — TrueCrypt allows you to encrypt a storage volume with two different passwords, so that one password provides access to "innocent-looking" data, while the other password provides access to the data that you really want to keep secure. If someone is compelled to give up their password, they could provide only the password that unlocks the "innocent-looking" data — and there's no way, from examining the encrypted file, to tell that there is a second password guarding even-more secret data. (Of course, the "innocent-looking" data can't be truly innocent-looking, because it has to look like the kind of thing that someone would believe you might want to encrypt — so it should look suspicious enough that you would genuinely want to hide it, but not bad enough to get you in real trouble if you're forced to reveal it!) The Achilles heel of this scheme is that just having TrueCrypt on your computer in the first place, would at least signal to an intruder that you're encrypting files. And even if they can't prove that you might have another "super-secret password" guarding more private data on your encrypted volume, they would certainly suspect it, if they already had grounds to be investigating you and if they knew anything about how TrueCrypt works. To provide true plausible deniability of any encryption at all, you need a program that already exists on lots of people's machines, so that an intruder doesn't suspect anything when they find it on your computer.
(The same objection also applies to many other non-solutions to the problem, like using a Linux distro that encrypts your entire file system. Even assuming this would be within the technical means of the average person who wanted to do encryption, it's still going to look suspicious as long as the vast majority of people are not doing it.)
Which leads to the other half of the problem, which is getting the software widely deployed enough that it would not look suspicious for someone to have the program installed in the first place. Best of all for the purpose of avoiding suspicion, of course, would be for the program to come installed by default with a popular operating system. Windows XP and Vista have the built-in ability to encrypt folders, but anyone who seizes the machine can still see that you encrypted a folder, so this don't have the undetectability factor. Built-in deniable encryption of the kind that I'm describing, doesn't instinctively feel like the sort of thing that Microsoft would start bundling with its operating system. (Among other things, they might say that while companies often have business reasons for encrypting files, it's harder to think of a business case where employees would need to encrypt files and hide the fact that they were encrypting anything.)
Perhaps instead it could be bundled with a popular free software program beholden to no for-profit corporate masters. (My first thought was Firefox, but I was quickly told that Firefox was created specifically to strip out many of the features that had caused bloat in the original Mozilla project, and that any bundling of unnecessary tools would go against the whole ethos of the project.) Maybe a good place to include something like this would be the Google Pack — it's installed by lots of people, and currently doesn't have a file-encryption tool in the bundle. Beholden to for-profit corporate masters, yes, but ones that frequently declare "Don't Be Evil" and often seem to do cool stuff just to see what would happen.
Another possibility would be for a next-generation P2P program to bundle this capability with their software. This provides a nice dovetailing of interests — P2P users might want a way to hide the files that they've downloaded, while at the same time, intruders who seize the computer and found the P2P application installed, wouldn't necessarily suspect the owner of anything more than a little copyrighted file trading. "Well, he's got this NiftyP2P program installed, which comes with 'plausibly deniable' encryption, but most people use just NiftyP2P to download mp3 files and movies anyway. And I can't tell if he was actually using the encrypted file storage volume, because that's how 'plausibly deniable' encryption works. Is this the same guy who uploaded those subversive anti-government documents? I dunno."
Anyway, if you actually want to give people a way to run encryption software on their PCs, while ensuring that anyone who seizes their machine cannot tell that any encryption has been going on, these are the hurdles that you'd have to clear. I'm not sure whether this is better viewed as a blueprint for how to achieve this goal, or an argument for why it will probably never happen. There are lots of almost-solutions, like TrueCrypt with its ability to encrypt different sets of data into the same storage volume. But you still can't actually hide the fact that you're doing encryption in the first place.
(If you're willing to store your encryption software away from your computer, you could keep a steganography program on a CD or USB drive hidden in your house, and then whenever you need access to the encrypted data, plug in the program and use it to extract data that has been hidden in a large number of image or video files. That would achieve the goals I've outlined in the article: the ability to encrypt files, while still ensuring that anyone who seizes your computer won't be able to tell that you've encrypted anything. The problem is that it would require enough self-discipline to always return the CD or USB stick to its hiding place when you were done with it — and still, you'd have to hope that whatever authorities seize your computer, don't also search your house and find the CD or USB stick where you keep your stego software.)
Finally, risking the wrath of my civil-libertarian allies, I'll admit it may not actually be a positive thing for every citizen to be able to hide the fact from their local law enforcement that they're encrypting files on their computer. Many times if the police in a mostly-free country like the US or the UK seize a person's computer, they're trying to prevent real harm, and not every person with an encrypted file volume is a good guy. For some of the people who have left enough of an evidence trail that their computers get seized, it would be perfectly rational to view them with suspicion because of an encrypted volume found on their computer. But if you assume it's a worthwhile goal for people to be able to encrypt files without attracting suspicion, my argument is that the prerequisites in this article are necessary for that to work. At the moment it seems a long way off. But if someone created an encryption program with "deniability" — so that it was impossible to tell whether the program had ever been used after it was installed — and someone at Google thought "Hey, that's cool" and added it to the Google Pack, everything would change very suddenly.
Some crypto junkies talk about distress keys. Where a user can enter two different keys depending on the situation. The real key loads the real OS. The distress key loads the "fake" OS. There are many ways to detect this in modern experiments. None will work without manipulating low level HD blocking.
One option to hide well the existence of encription software and data could be to put them among game files.
It's common for games to have large data files, for example precompiled texture caches. You could change the program extension from .exe to .whatever and put it between those files. For extra stealth use a rare used packer (to avoiding signature matching) and also erase the first 2 bytes of the executable 'MZ', and use a good editor to put it back in place before executing it. The data it's encrypted and I don't think the NSA have parser for any arbitrary file in existence (game files in this case) so they won't suspect a think. Make sure that the date of change of those files don't draw attention to them.
Maybe this is a new business opportunity for the Pirate Bay. In addition to the private VPN service, you could also get remote anonymous encrypted storage. If you only access the storage through the VPN, it could make it pretty difficult to track.
A smart crook with stolen state secrets or child porn on their encrypted drives would just tell 'em to fuck off.
Well, I can't comment on your claim of "respect" in jail as I've never been but Bennett's lengthy argument is more concerned with those of us that have -- say personal or financial data -- that we just don't want out in the open. Now, since I tell the police to "F off" they probably think that I've got state secrets or kiddie porn (like you just assumed). Which might not be true, I could just be exercising my rights.
So he tries to come up with a modest proposal and in short he suggests it be piggy backed on a popular product so everyone has it installed (meaning installation does not equal incrimination in the eyes of the jury) and also that it has no logs to tell if or when or where it's been run. Also it should be hard to tell that you have encrypted files and he also looks into Truecrypt's double key trick where one key gives you harmless data and only after applying the second one do you get the real stuff. So just give them one key and shrug.
An interesting proposition. Why doesn't he submit a suggestion for such a tool to be included with the Linux kernel or popular distro? Unlikely it'll happen and someone has to write it but since Linux has no fragmentation, it could maybe store headerless file information at the end of the filesystem that looks innocuous. Then give the user information on how much they can fill up before they destroy that data. I'm not a filesystem guy so I don't know how well that would work, just throwing out a suggestion. His requirements are definitely hard to meet.
My work here is dung.
The standard technique for moving such files a while was to hide the data inside pornography. They are one of the most commonly trafficked file types on the internet and people prefer not to look at it too closely. Or did before it became a standard..
Whether you're talking about encryption software or stego software, if it's a program that not a lot of people have installed, then just by virtue of having it on your machine, you'll attract suspicion if your machine is seized.
Using a portable program like [url=http://sourceforge.net/projects/hide-in-picture/]hide-in-picture[/url] along with some easy to use portable GUI to make it easier to hide several files is a suitable solution.
On the one hand, you could have such program (along with any indexing it creates) in a USB thumb drive, or just upload it somewhere in a server where you always have access (thus, you do not need it in your computer while passing through unreliable points).
On the other hand, pictures are something that everyone has in their computers (I have around 4GB of pictures taken with 5megapixel cameras...). Thus, it should be trivial to hide whatever information in such libraries.
The steganography technology already exists, what is still lacking is software which makes it easy and convenient to use it. That is what truecrypt did for cryptography.
The issue is with truecrypt (or other crypto program) is that even when using a portable version, a fast WinDirStat scan will yield some big files.
Ubuntu is an African word meaning 'I can't configure Debian'
A program called TrueCrypt achieves something close to this â" TrueCrypt allows you to encrypt a storage volume with two different passwords, so that one password provides access to "innocent-looking" data, while the other password provides access to the data that you really want to keep secure. If someone is compelled to give up their password, they could provide only the password that unlocks the "innocent-looking" data â" and there's no way, from examining the encrypted file, to tell that there is a second password guarding even-more secret data. (Of course, the "innocent-looking" data can't be truly innocent-looking, because it has to look like the kind of thing that someone would believe you might want to encrypt â" so it should look suspicious enough that you would genuinely want to hide it, but not bad enough to get you in real trouble if you're forced to reveal it!) The Achilles heel of this scheme is that just having TrueCrypt on your computer in the first place, would at least signal to an intruder that you're encrypting files. And even if they can't prove that you might have another "super-secret password" guarding more private data on your encrypted volume, they would certainly suspect it, if they already had grounds to be investigating you and if they knew anything about how TrueCrypt works. To provide true plausible deniability of any encryption at all, you need a program that already exists on lots of people's machines, so that an intruder doesn't suspect anything when they find it on your computer.
It's been a while since I've used TrueCrypt, so maybe things have changed. I do remember the feature where you can have a 'hidden volume' inside your TrueCrypt encrypted volume, which sounds like what the quote above is talking about, that is protected by a second password. The thing with TrueCrypt is, at least the version I used around 2003, you don't have to have the software installed on the computer in order to use it. TrueCrypt can run entirely off of a flash drive or other removable media.
From what I understand, the hidden volume's data is stored in the free space of the main encrypted volume, so the filesystem doesn't actually have handles to this data, something like that. I wonder if it would be possible to store this hidden volume directly inside the free space of an NTFS volume instead of inside a TrueCrypt encrypted volume? So then an intruder would have to know that TrueCrypt was used, and then use the tool to scan the NTFS volume for hidden data, rather than just seeing that there's an encrypted volume there, and suspect there may be hidden data as well.
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
I have a bunch of programs on my computer that are installed because they seemed kind of cool, but that I never used because I'm lazy or they weren't so cool after all. So yeah, Truecrypt is on my PC, but I never used it. Forgot to delete it, thought I might use it one day, maybe. So I don't have a password or anything encrypted.
Why does having the program imply use? I've got a weed-wacker in my garage I haven't used in years. Tent up in the attic, I haven't been camping in decades.
I've got utilities that were going to save me time and money, some of which I even paid for, that I never used beyond the initial install. That's my story, and I'm sticking to it.
Everything you know is wrong, Just forget the words and sing along.
What a long piece of nonsense.
We solved this problem 20 years ago. It's called "plausible deniability". There are various ways to get it. The easiest one is this:
Use an encryption tool that can hide encrypted volumes, like TrueCrypt.
Encrypt your porn collection on the outer shell, your private data on the inner.
If someone asks for your decryption key, stall a bit, then blush and hand them the porn key.
Obviously, you didn't want your wife to find out about your porn collection, which is why you encrypted it. No, officer, there's nothing else there.
Modify for your particular case. If you have serious sensible material, you need more serious stuff to hide it behind, e.g. the e-mails from your mistress or whatever.
There's no need whatsoever for any complicated solution. On the contrary, it makes you more vulnerable, not less.
Assorted stuff I do sometimes: Lemuria.org
I do consulting myself. For individuals and small companies, I urge them in no uncertain terms to either use TrueCrypt [1] (and perhaps give a small donation to the TC Foundation), or if their machine has a TPM, BitLocker. For a small company, the burned system CDs with a known passphrase stored in a tape safe are good enough for a lost password recovery mechanism.
An encrypted laptop with a real passphrase (20 characters if there is no TPM, and over 8-10 chars if there is a hardware mechanism that locks permanently or refuses access for longer and longer periods of time the more wrong guesses given) means that a theft results in an insurance claim and a police report. The same laptop with no encryption can mean having to put a news article in a number of newspapers detailing a breach, and having to provide every single customer with credit record protection for several years. So compared to the cure cost, prevention is very cheap. (TC is licensed at no charge, most laptops for corporate use have TPM security chips so BitLocker is a no brainer, and PGP isn't that expensive per seat.)
Larger companies are a different breed and require different solutions. They need scalable recovery methods. BitLocker can scale by having the recovery data stored in Active Directory. However, for machines without TPMs, I recommend a commercial solution like SafeBoot, PGP WDE, or something with centralized policy control. Reason for this is auditing and recovery which is mandated by a lot of corporate regs (HIPAA, Sarbanes Oxley, etc.)
Other operating systems also have solutions. OS X doesn't have a complete whole disk solution unless you buy PGP or PointSec, but FileVault can do decently for home directory protection. Most Linux distros have some sort of FDE encryption available at install time.
Yes, encryption is out there, and is easily used. The easiest to use by far is BitLocker on TPM based hardware. You turn on the TPM in the BIOS, let Windows take ownership of it, save the recovery info to a USB flash drive (or a TC volume in a safe place), and pretty much forget that it is there. There just isn't a reason for people not to use encryption.
Of course, people ask what does one have to hide that encryption is needed. The answer: A lot. A thief can gather a lot of intel about a company from the data on a laptop, especially if the laptop has the ability to connect to the corporate VPN and log into a trusted E-mail account without a password. Good encryption keeps a thief well away from any data that might compromise a company (or an individual for that matter).
[1]: I've used TrueCrypt, PGP, BestCrypt, WinMagic, and SafeBoot. All are very good. TrueCrypt is licensed at no charge, thus for SMBs, its almost a must have.
Good point, but if the harmless personal or financial data has nothing to do with the reason why the cops want to see your hard drive then it is not feasible to hide stuff from them because of one's stubborn idealism. If that happened to me, I'd just give them the key. That way, I'd be more likely to get my laptop back fast and reducing the likelihood of having it confiscated in the first place.
Is it really that difficult to delete midget porn before you go on that trip? Somebody who can't last a week without midget porn is somebody who deserves to be laughed when they cede their key to the TSA goons.
captcha: rigidly
Ethanol-fueled
OK, first off you idiots who didn't read the whole editorial and suggested TrueCrypt: try expanding your attention spans beyond the length of a tweet.
Now on to my own contribution. Since TrueCrypt is open source, one could come up with their own custom build that would no longer have the same appearance as the original. By appearance, I mean the GUI could be modified or eliminated (command line only). In addition the executable file could be sufficiently scrambled so that its pedigree could be hidden: it would not look like a TrueCrypt derivative.
One project that's on my to-do list is to make a customized version of TrueCrypt's whole-disk encryption (with bootloader) that makes the computer look like it's broken when you try to boot it. Talk about deniability. You just tell them they broke it. In reality it's prompting you for a password but it just doesn't look like it.
According to truecrypt (and my limited understanding). What you do is this:
1) Setup an encrypted volume (password=dummy)
2) Put some plausible files in the volume (secrets.txt - full of information you don't mind others seeing)
3) Create a hidden volume (within the first encrypted volume) (password=secret)
4) Put your real secret stuff in here.
When you use the partition you use the (password=secret) and get access to the hidden volume, should the police turn up tell them that the password is dummy, and all they see is "secrets.txt"
The clever part is that it is impossible to tell whether there is a hidden volume or not as the space that it occupies is normally full of random data anyway.
More details here:
http://www.truecrypt.org/docs/?s=security-precautions
Sig (appended to the end of comments you post, 120 chars)
Doesn't Wuala solve this? It stores your files in encrypted pieces spread over multiple remote machines (so you can't see the size used without your password). It already has a large number of users as well. The password is not stored anywhere.
I would have thought that the easier route to get out of this connundrum would be to claim doctor-patient or lawyer-client confidentiality. "The encrypted volume you're looking at (may) contain confidential correspondance between me, and my lawyer, and my doctor, and therefore I cannot disclose it." Would a similar argument apply to something like a locked file-safe in an office?
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
It is not as if they will start knocking on peoples door at random. That will happen in 10 years or so.
As TrueCrypt is known by the police, they will ask you for the password of the hidden volume and if you don't have it or forgot it or whatever, it is 2-5 years of jail time for you in the UK. By using TrueCrypt, you will be put in jail, no matter what.
Don't fight for your country, if your country does not fight for you.
The Windows version of TrueCrypt does leave behind stuff in the registry even if you run it from a USB stick.
From the TrueCrypt User Manual:
The best way to run TrueCrypt without anyone knowing that you even use it is to download a Linux liveCD, boot the cd, and download TrueCrypt each time you need it. You may want to use TOR so that no one can track that you downloaded it.
Or you could just hide it in your finger. They would never think to look there, and it's always with you!
Tom...
Just rent or get a use-for-a-day key from an overseas provider to fullfill the dirty needs or the political aspirations of the minority. Once DRM is used to support terrorism and viewing of the evidence of sex crimes, the goverment finds itself making DRM systems illegal altogether. Devious plan, indeed!
I do wonder what cache files and other evidence may be sitting around on the unencrypted drive prior to transfer to the encrypted drive.
You don't "transfer to" an encrypted drive. You work off that. And set your /tmp to be auto-wiped on shutdown and startup (plausible deniability: Cleanup and space-savings).
So I wonder if a valid solution would be to use a hidden OS,
Sure, just but a vmware volume on the encrypted drive. Whatever. As I said: Modify for your requirements.
The point is that complicated technological solutions rarely work best. Smart, low-tech solutions are almost always better. A high-tech solution only makes them more suspicious.
I know of a real-world high-risk scenario in a 3rd world country where human rights workers who live under actual threat of torture and death use things like wireless drives - built into a car parked nearby or even embedded into the walls. WLAN is the only high-tech component here, the other is plain old hiding the stuff where they're unlikely to find it.
Assorted stuff I do sometimes: Lemuria.org
The point of plausible deniability isn't that it is perfectly hidden (that's what stego's for).
The point is that you can say "there is no hidden volume, I don't use that feature" and they can't prove that you're lying.
If your scenario is torture, then no encryption in the world can save you, because they can always torture the secret out of you. Shared keys would work in theory, in reality they would only multiply the number of people tortured.
Assorted stuff I do sometimes: Lemuria.org
I have one USB key that is magic. It's not flash, and it requires a source of voltage to keep it's state information. There is a battery, and there is a jumper.
*THUD THUD THUD* "Police! we have a warrant!" /pull USB key /close jumper (shorting battery) /yank power cord from PC /sit calmly and wait
*Crash*
Keys are gone.
I don't know them.
data is gone.
no one can get it.
forensically provable.
Prior to actually reading the warrant you don't know what they are actually looking for so technically you have not been served, and thus have not willfully destroyed evidence.
-nB
(the key is simply a USB HID micro and a battery backed 1024K SRAM.)
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Just make your crypto password "I committed an act of littering on 2009-09-10 aj8s6wg". When the judge tells you that your password itself isn't protected by your right not to self-incriminate, you can tell him that your password itself is a confession to a crime. If you hit the bullseye, the dominoes will fall like a house of cards. Checkmate.
Don't joke, this isn't a million miles from the truth. In general terms, it's not a good idea to carry a knife in public in the UK. Which makes the process of buying kitchen utensils rather awkward.
To be fair, the shop I bought my last knives from had already had the "how do our customers avoid arrest?" conversation with the local police and advised me to keep it in its packaging and don't even take it out of the bag until getting home.
When I take knives for re-grinding, I wrap them up pretty thoroughly though mainly for show - to show that if I wanted to use them for defence I'd first have to spend several minutes taking them out of a rucksack and removing several layers of tea towel, in order to reveal a knife about as sharp as a sausage. But even then I'm not certain and it's bloody ridiculous that I should feel that consulting a solicitor may be wise before doing something perfectly normal.
A thoughtful person who travels outside of his or her country would certainly take that into account when thinking of which encryption system to use
I would begin by asking why I was taking a sensitive file or folder across the border.
"Any port in a storm."
Nothing is guaranteed to go the way you planned.
You are navigating a legal no man's land where the power and authority of the customs agent, secret service, police and military are least likely to be questioned.
Five months as the guest of Kim Jong II makes all things negotiable. Including that key you've held back for so long.
No now the question is: did people mod you up because:
A. They were completely suckered by the copy-n-paste
B. They thought it was insightful of you to point out how easy it is to karma-whore
C. They were amused by the idea of fulfilling your little "experiment" -- a.k.a, sheer cussedness
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt