Slashdot Mirror
FBI Failed To Break Encryption of Hard Drives
benoliver writes to let us know that the FBI has failed to decrypt files of a Brazilian banker accused of financial crimes by Brazilian law enforcement, after a year of attempts. Five hard drives were seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha in July 2008. (The link is to a Google translation of the original article in Portuguese.) The article in English mentions two encryption programs, one Truecrypt and the other unnamed. 256-bit AES was used, and apparently both the Brazilian police and the FBI tried dictionary attacks against it. No Brazilian law exists to force Dantas to produce the password(s).
is waterboarding next to get the info?
...both the Brazilian police and the FBI tried dictionary attacks against it
They should have used a Portuguese dictionary not an English one! Geeze! Folks are soooooo US centric!
RIP America
July 4, 1776 - September 11, 2001
Just because you're paranoid does NOT mean that no one's out to get you.
And you KNOW the government is out to get you.
The FBI has never been a leader in computer technology. Other agencies such as NSA can probably crack that encryption with ease if not instantaneously.
I have often wondered if these encryption programs were not let lose by our government so that they would always be able to examine file contents.
As far as I know only a program that uses a one time pad is truly secure and I feel that even that would be suspect unless one took the time to create his own pad.
Give it to the NSA and wait five minutes.
before they break 256-bit aes. Even if computer power somehow went up magnitudes
the sun would go nova before they crack the encryption.
Could take a while.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
They should publish it as a DVD and within hours they'll be able to download the unencrypted file from a torrent! :o)
This guy was accused, not convicted. Why are they looking at his hard drive? Besides that, no law exists to force him to produce the password, but they want the password anyway? That's their problem! Why is there some outcry over the situation?
I thought this was not just a sound idea but a law.
Great stuff though, but expect some new laws by government that make it illegal not to provide your password/keys to the government upon a court order and if you don't provide it, expect an assumption of guilt and some extra punishment. I am not saying it's right, just saying that's probably going to be one of the outcomes of this.
Of-course the problem is that they got the drives physically (not that I am necessarily on the side of a allegedly corrupt banker, but I am not automatically assuming he is guilty of anything either.) Here is a good application for the 'cloud' (yikes) - keep your encrypted data so that nobody can even know it exists in the first place.
You can't handle the truth.
http://xkcd.com/538/
The FBI failed to break the encryption code of hard drives seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha. The operation began in July 2008. According to a report published on Friday (25) by the newspaper Folha de S. Paulo, after a year of unsuccessful attempts, the U.S. federal police returned the equipment to Brazil in April.
According to the report, the fed only requested help from USA in early 2009, after experts from the National Institute of Criminology (INC) failed to decode the passwords on the hard drives. The government has no legal instrument to compel the manufacturer of the American encryption system or Dantas to give the access codes.
Isn't that interesting, they can't get 'access codes' from the manufacturer. Why should there even be any access codes, is this just an assumption that there are codes like that for those encryption providers or is this a fact?
You can't handle the truth.
If this were to happen in the US, are there any laws here that would force us to give up our passwords?
r0naldo1 *cough*
This say plainly that if you encrypt your info with the right, cheaply available technology, not even the FBI could get it, no matter what is it, or who you are. How much time now till some law around criminalizing the use of encryption gets approved?
It's customary in Slashdot to ask if we are for or against someone.
This guy is a banker who has been accused of several crimes, but convicted only once, of trying to bribe an officer, Brazilian federal police "delegado" (I think the closest English translation would be "sheriff") Protogenes Queiroz.
Anyone can be accused of a crime and it's up to the state to prove him guilty beyond any reasonable doubt.
However, when a very rich banker is arrested and gets a writ of habeas corpus within fifteen minutes after his arrest from none other than the president of the country's supreme court... Personally, I don't think any reasonable doubt remains.
... if I were the FBI and I could decrypt TrueCrypt, I'd not admit it and hope everyone keeps using it.
Perhaps they should just let him use it and "van eck" his ass... errr his computer's ass. Did they try hookers and drugs? That always works with our government people - agencies, representatives et. al.?
No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential.
That only matters if the implementation used doesn't have any important flaws. And a password wasn't stored anywhere by accident or 'overlooked mechanism' (caches etc). And the chosen keylength was enough to make brute-force attack unfeasible. And nobody else has/leaks password.
They don't have to crack a tried & tested algorithm, they only have to find the weakest link. Surely there's many links, most of those weaker than the algorithm itself.
Modern encryption done right cannot practically broken at this time. However, many people do it wrong. You need something like 64 bit passphrase entropy to be secure, better 128 bit. As English gives only about 1.5 bit/char, that means a secure passphrase should have something like 90 characters with a minimum of around 45 characters. With random digits/letters, you can do better, for example 12 digits/letters just fulfill the minimum requirement.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It could even be that the NSA was asked first and failed, then they sent it to the FBI.
Daniel Dantas was involved in many shady operations, including one when the MCI company, which has used some funny accounting, bought Brazilian Embratel.
It was the Brazilian federal government which asked the US government for help in cracking that encryption. International cooperation among different countries law enforcement agencies often happens in crimes involving international money laundering, so probably the US state department went to some effort to fing which agency was the most likely to decrypt those disks.
As long as there are no statute of limitations preventing it they can still go after him. Given enough time 256 bit encryption will likely become weak enough to brute force it as computing power grows. It might take 20 years but it's possible. That is assuming he's still around by such time...
Large print giveth, and the small print taketh away
How much you want to bet that this is going to bring up the whole law enforcement backdoor issue again? Where they try to get laws passed requiring all makers of encryption software to put in law enforcement backdoors so they can instantly get at your personal files. This issue seems to keep popping up whenever they run into problems like this. And, btw, what is the FBI doing going after a brazilian national anyway? Isn't that slightly out of their jurisdiction?
It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you to solve such situations without revealing the password to your volume.
They should use a pt_BR, not a plain pt dictionary. In Brazil it's GOOOOOOOOOOOOOOOOOL
The XKCD for that
I don't believe in time. It's a grand conspiracy designed to sell watches.
They should not be trying brute-force against an AES key.
They should be working to find where the key materials is stashed. Nobody memorizes a 256-bit key.
It might be stored using a weaker symmetric crypto algorithim... then they should be trying to brute force the passphrase.
Or hold the guy in prison until he produces the evidence.
Assuming the contents of the hard drive is believed to contain evidence of a crime, committed by him, or someone else, he still has to produce that evidence, no?
people always make breaking encryption sound easier than it is. One could encrypt multiple times using multiple methods - then it would be almost impossible to guess what was used and decrypt something
encrypt(A) -> B
encrypt(B) -> C
decrypt (C) -> B
decrypt (B) -> A
etc.. etc..
One of the great features of TrueCrypt is the whole alternate partition/segment idea. One password gives access to real data, while another (a duress password) would give some other access to an alternate segment. Put some benign documents in the alternate partition, and then under threat of water boarding, hand out the duress password. Assuming this all works, they find nothing, you go home.
Granted, I'm not encouraging this idea for criminal activity, but rather for truly sensitive data that shouldn't fall into the wrong hands.
$ man woman *
-bash:
The FBI has not solved the P=NP problem, either
Or implemented practical cold fusion
Or developed a practical AIDS vaccine
Or found the cure to cancer
Or solved world hunger
Or stopped the oil spill
They failed to do all these things.
I'll create a GUI interface in Visual Basic...
Banker is from Brazil and evidence was seized there. Why FBI was involved? It is not their jurisdiction and they are not encryption experts. Maybe those journalists should learn something about NSA before writing "article" about failed decryption.
In Brazil, proofs produced by illegal means cannot be used (Federal Constitution, Art. 5, Inc. LVI).
Which is conveniently and apparently easily circumvented by the government redefining the specific act of coercion to not be torture and hence not illegal.
Furthermore the FBI is not under the jurisdiction of the Brazilian government.
Gotta wonder what he was using to encrypt his hard disks? Bitlocker? TrueCrypt? File Vault? Whatever it was this would be a great testimony for that product.
According to the report, the FBI and the INC used the same technology to try to break the password. It is a mechanism called a "dictionary" - a computer system that tests password combinations from known data and police information.
Nobody tell the reporters that when trying encryption, "dictionary" is just a fancy computer word for...an actual dictionary.
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
I that is some carp moives shown in reeducation / hidden lock ups as torture?
In Soviet Russia, KGB decrypts you!
> But the constitution as it stands, does not allow the authorities to compel a suspect to produce the files.
The Constitution may not allow it. But these days, they simply violate it and blame the terrorists for making them do it.
...but it came from Portugal and was full of "factos".
(for non-portuguese speakers, it's like using "colour" in USA)
Friday night "leak" from "the most transparent government ever".
... that, like waterboarding, are not torture in USA :)
That's also a form of encryption: The decompression algorithm is the key. It's just that many people use widely available keys, and moreover indicate the used key in the file name.
The Tao of math: The numbers you can count are not the real numbers.
So exactly how often does a government agency admit to failure at an issue this big ? I'm reading this as "FBI just managed to break TrueCrypt so we hope all you people use it."
Can I light a sig ?
Doesn't mean you wont spend the rest of your life in a box. You might be 'right', but was it worth it?
---- Booth was a patriot ----
>>>"In Brazil, proofs produced by illegal means cannot be used"
>>"Same in America, and usually ..."
As oppossed to Africa where Bazil actually is.
Over 2 years ago i had the feds raid my house, i used DriveCrypt Plus Pack (www.securstar.com) to encrypt my drive, they returned the drive a year later saying the drive was corrupted.
keep in mind the feds have thousands of cases and usually hire outside companies to crack it, they are limited by time and budget.
just goes to show the myth of any gov agency can crack commercial encryption software.
Immunity means "Immunity against prosecution." So this is not the sort of thing they can use against someone. They can't say "You are immune from prosecution, now testify about your crimes. Ok, you testified, now we are going to charge you with those crimes." The person was given immunity from prosecution, can't prosecute them for those crimes.
The point of immunity is securing someone's testimony against another party. So lets say you and I had committed some crimes together. However your part was pretty minor, you'd done little things and you weren't the guy planning things. The prosecutors decide I'm the one they really want, you are just a petty crook they don't care about. However, you won't testify against me, not because you are scared of me but because in doing so you'd admit to your own crimes. They say "Ok we'll grant you immunity. Any crimes you testify about committing, you can't be prosecuted for." You then go and testify to all the stuff I've done. I go to jail, you do not.
Immunity isn't some magic way to make the 5th amendment disappear. What it does is protect someone's 5th amendment rights, while allowing them to testify. The 5th amendment says you can't be made to testify against yourself. So, if you are immune from being prosecuted there is no violation of your rights. Your testimony is not being used against you.
For the same reason they can't say "Ahhh! We had our fingers crossed! Deal doesn't count!" In that case your lawyer would argue to have your testimony, and any evidence as a result of it, suppressed. You only testified because you believed it could not be used against you, and there is a written deal to that effect. If they revoke the deal, then that violates your rights. A judge would then suppress the testimony, and all evidence that comes from it (US courts use a "poisoned fruit" idea that evidence that comes from a violation of rights itself cannot be used). Your lawyer then has the court dismiss the case due to lack of evidence.
There is no law in the US that compels you to give up your password. You may be thinking of Britain, which does indeed have such a law. However in the US just keeping your trap shut would just be good enough. Also, the burden of proof is on the state in criminal cases. So, if the claim is that the data is simply random, they need to prove that the data is NOT just random before they would be able to force anything, even if the law allowed it.
Of course in any case the answer "I don't recall," works plenty well (note how often that is used by people in major investigations). They can't say "Yes you do!" as there's no way to prove it. People forget shit all the time. So they say "What's the password to this," you respond "I don't recall that being encrypted," there's little they can do to prove otherwise.
That doesn't work in the courts, at least not in most free countries. Testimony obtained through coercion, and any evidence resulting from that, is inadmissible. You might notice that police do not just torture people to extract confessions. Why not? Should work very well, torture someone enough they'll confess to whatever you want, no matter if they did it or not. Solves cases really easy. Well, because the courts are going to take a real dim view of that. Their confession and all evidence as a result of it would get suppressed and the case would evaporate. What's more, the police involved are likely to get charged with a crime themselves.
So sure, the XKCD thing is a fairly realistic scenario if you had, say, the location of a nuclear weapon that was going to detonate in a US city and kill a lot of people. In that case, I can see the rules going out the window. They don't so much care about convicting you as finding and disabling the device. However for a criminal prosecution? Ya that kind of stuff goes over not at all.
You might notice that there are more than a few paranoid people on this site. They are convinced that the government is extremely evil, oppressive, and thus obviously extremely capable of doing amazing things that nobody else can. So the government can crack all encryption (even though the best research shows that isn't possible), the government can recover data from any harddrive unless you Gutmann wipe it (even though the best research shows a single overwrite screws over any recovery on EPRML drives). They believe the government is so amazingly competent and evil that they can organize thousands of people to plant explosives in the WTC and just make it LOOK like planes brought it down, and keep all that hushed up, and so on.
They believe that AES is "obviously" crackable simply because the public has it. They need no more evidence than that. It is paranoia, not facts, that they operate on.
Personally, I find it highly likely the government can't crack AES. They use it for classified data, it was designed to help secure our nation's financial system against foreign attack (one of the NSA's missions, they aren't only signals intelligence). It is probably the most analyzed crypto system in history, and nobody anywhere has found a major weakness. I'm going to cast in on the "it's secure" side of things.
Even if they they break the encryption, they'll only find his mp3 collection and some seasons on House and Lost...
And the emails he sent to his mom.
why do you people need all this encryption anyway, the only thing I have of importance to encrypt is my list of passwords to internet and banking sites, unless your doing illegal stuff I dont see the purpose of it
... that, like waterboarding, are not torture in USA :)
Waste of effort and waterboarding is considered torture in the U.S. Guantanemo Bay was not, last time I checked, in the U.S. That doesn't make our use of waterboarding as an interrogation technique any more justifiable, but at least get your facts right.
Anyway, regarding encryption: just have your legal system presume that anyone who is using encryption is guilty of something serious. Then, if they don't turn over their passwords, convict them of that something serious. I would think that in the majority of cases, that would be sufficient. Of course, we're supposed to be innocent until proven guilty here.
If waterboarding is not torture, then you are willing, I presume, to undergo it for two or three days? If not, fuck you.
It has no lasting physical damage. And we already do waterboard our own military personnel to instruct them on what they might face if they were captured. Also the people that use it as a technique are required to also have it done to themselves in order to understand the physical and psychological effects is has.
So yeah, I'd be willing to be waterboarded. And like all techniques meant to momentarily weaken your resolve rather than actually hurt you, no I don't consider it torture.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
they will assume they've been given the wrong password and continue torturing you
That's only true if they know for sure that data is what they were looking for. But if there's any doubt, all they know is there was an encrypted block and the key you gave them unlocked it. There's no reason to continue asking you for a password since as far as they know, that data is useless.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I need to know what the Portuguese word is for 'PASSWORD"
FragHARD or don't frag at all
It shows you what total BS that show is--always being able to crack encryptions in no time. Getting facts out of a prisoner in hours rather than months. I could be wrong, I've only seen a few episodes but that is what happened in the few I watched.
No Brazilian law exists to force Dantas to produce the password(s).
His testicles in a vice would surely produce the desired results. One way or the other.
The *correct* approach is to setup the arrest so that you don't arrest the guy and sieze the computer while the encrypted volume is not mounted. Instead, you keep him under surveillance, and when he has the truecrypt volume mounted, you storm in and arrest him before he can unmount it, then copy all the data from the already mounted volume to a thumb drive, or external hard drive.
Or. . .
Secretly install a keylogger somewhere on his system to log the password for the truecrypt volume, and DON'T arrest the guy till you've got the passwords.
Or. . .
Secretly install software on his computer which, when any volume is mounted, starts to transfer the files over the Internet to a police file server.
Or. . .
I've heard of research (seems like it was posted to /. a few years ago) that indicated it would be possible to pickup keystrokes made on a computer which was plugged into a wall power socket, by like tapping the lines outside the residence or something.
Anyhow, my point is, if the police are careful about how they go about the arrest and siezure, they might not have to 'defeat' the encryption. The problem with encryption is at some point, you have to enter the password and decrypt the data. Either the password can be captured, or the decrypted data can be.
If the Brazilian stuff I've seen is any indication, they don't need a password, they need to download the right codec... ;)
Gotta love it. Truecrypt used intelligently is impervious to dictionary attacks. The trick is keyfiles, which can be used together with garden-variety "weak" passwords. It also has hidden volumes, which have a couple of annoying gotchas, which provide "plausible deniability" (it says here). One nice trick with keyfiles is to use steganography to embed a signifant blob of /dev/urandom output into a photograph, which then hides in plain sight along with hundreds or even thousands of other similar photographs (this circumvents keystroke loggers) -- or on a thumb drive or cd-rom. Shred the cd-rom (or smash the thumb drive with a hammer, etc.), and Truecrypt volumes become indecipherable, because the actual key is literally unknown (and unmemorizible by ordinary human brains). Assuming the banker get his drives back (or his backup!), and recovers his copy of the cd-rom bearing the keyfile from his friend in Freeport who thinks it's a bootleg Grateful Dead concert, Truecrypt brings it all back like Lazarus. The Linux version uses an optional cascade of three keys (AES 256, Serpent and Twofish) and the (optional, but recommended) Whirlpool hash algorithm. Steganography is not part of Truecrypt in any version I know.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
Perhaps they did break it, but they prefer to send a message saying "Ok, dudes, it's still ok to use AES-256"...
Daft quote.
If they really were the proportions of guilty people escaping conviction the world would be run by psychos (maybe it is).
Putting a famous name to a quote doesn't make it any smarter.
I would rather there be a risk - as there is - that some innocent people will be evicted from time to time, than let a significant proportion of villains go free. Certainly not one hundred in every one hundred and one.
An alternate partition is not a bad idea, but you must be able to prove that the partition you bring up when a gun is being pointed to your head is the partition you actually use. http://en.wikipedia.org/wiki/Deniable_encryption http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html
guaranteed to crack something.
The article finishes with the mention that Brazil has no law to force him to give up his password. Surely the US, with its codified right to not self incriminate (ie the "right to remain silent"), has no such law either? Just askin', ya know.
"I hope you like Guinness, Sir. I find it a refreshing substitute for, er... food." Col. Jack O'Neil, SG-1
From what I've heard, The Netherlands seems like one of the sanest countries around. How necessary is it to speak Dutch to live there? Could an english-speaking american ex-pat get by ok?
I don't want to leave my home country but if it keeps marching toward Christian Police State I would like a backup plan.
Knowledge != Intelligence
Send the drives to DVD Jon and tell him they cannot be decrypted in a million years.
Give him a call.
just drop the drive image on the web and open the task to anyone willing to decrypt it. In a month or so, people will break this. There are a lot of smart guys out there, mathematicians, scientists, security experts and hackers that would love to crack this.
>No Brazilian law exists to force Dantas to produce the password(s)
You know enough pressure applied to a wound, or salt poured into a wound, could really help speed things up.....
sure it's not pretty but Jack Bauer proved that it works. Good luck though trying to break those encryption programs, the whole purpose was to keep them out, what use is it to try and break it...break him instead.
Interrogator : "What is your password?"
Suspect : "I honestly don't know what your talking about."
interrogator : "So, your being difficult eh?"
Actual password - I honestly don't know what your talking about.
With quantum computing they could crack it within a year.
You are a vile human being, I just hope to God you're not in a position to carry out your philosophy on other people.
The feeling is mutual, I assure you... I think of people like you, and the thousands or millions of innocent people dead all because someone just like you was unwilling to use any degree of force, no matter how small, to extract information from a single individual obviously intent on causing innocent people harm.
I'm not really religious, but if there is a God I don't think you'll be seeing him for a while after you pass on, as you work off your debt to the innocents in the afterlife. Each one, I am hoping, you will be required to face in person and explain why you believe what you do.
I don't believe you are evil by nature, but it is a shame that great evil is being done because of mistaken beliefs such a yours.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I said physical torture was the line, so PRETTY OBVIOUSLY I would not be OK with said force being used on anyone and then calling it not torture from "one mans point of view". Torture is, to me, an absolute regardless of who is being tortured.
It's the ultimate in moral equivalence to re-phrase torture as not-torture simply by selecting the viewer.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Any interrogator will tell you that torture produces bad information. The purpose of torture is not to get a particular piece of information out of a particular individual, what you want is to torture large numbers of people in a particular population in order to cow them and make them afraid of standing up to a particular government.
With torture the target is not the person tortured, it is everyone who knows the person who was tortured. They see a broken man and are afraid of becoming the same way.
But making a father watch while his son was water-boarded would be ok?
Let's say the son was 18 years old or so. Well then, why not. It's not torture. He wouldn't like it of course.
But it wouldn't cause lasting damage.
Now if you are talking much younger than that, there I think it starts crossing the line. But then again if the kid and the father had killed innocent people or could prevent them from dying, then it would be OK. The good of the many outweighs the good of the few.
"There is more worth loving than we have strength to love." - Brian Jay Stanley