Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Failed To Break Encryption of Hard Drives

Posted by kdawson on from the deploy-the-quantum-computer dept.

benoliver writes to let us know that the FBI has failed to decrypt files of a Brazilian banker accused of financial crimes by Brazilian law enforcement, after a year of attempts. Five hard drives were seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha in July 2008. (The link is to a Google translation of the original article in Portuguese.) The article in English mentions two encryption programs, one Truecrypt and the other unnamed. 256-bit AES was used, and apparently both the Brazilian police and the FBI tried dictionary attacks against it. No Brazilian law exists to force Dantas to produce the password(s).

32 of 486 comments (clear)

  1. is waterboarding next to get the info? by Joe+The+Dragon · · Score: 4, Insightful

    is waterboarding next to get the info?

    1. Re:is waterboarding next to get the info? by countertrolling · · Score: 4, Insightful

      That's not offtopic. If they want the info bad enough, that is what they will do. And nobody will be able to prove a damn thing.

      --
      For justice, we must go to Don Corleone
    2. Re:is waterboarding next to get the info? by stonewallred · · Score: 4, Insightful

      If waterboarding is not torture, then you are willing, I presume, to undergo it for two or three days? If not, fuck you.

    3. Re:is waterboarding next to get the info? by fm6 · · Score: 3, Insightful

      Learn to read. TPP didn't say it was legal. Read the text you yourself quoted.

      Coerced evidence is illegal almost everywhere. And it ends up being used almost everywhere, because it's really hard to prove coercion.

    4. Re:is waterboarding next to get the info? by keeboo · · Score: 4, Insightful

      I'm guessing there's laws against it in the U.S. too, that didn't stop them. What makes you think they're beyond it in South America? The fact that you live there, perhaps? Quite narcissistic, but that seems to be the norm for Brazilians.

      It seems that, in your opinion, all south american countries are barbaric lands where no laws are to be taken seriously.
      That's incredibly arrogant of yours. Because of things like that, the rest of the World put all US citizens (including the good ones) in the same basket and call them assholes.

      Even you completely disregard the morality (or immorality) of laws, good/bad/weak/silly laws are to be enforced and there are practical issues:

      If they torture the guy in order to obtain the information, the next day that bastard will make a public scandal, cry his human rights were violated etc, and his lawyers will invoke every conceiveable law and the process will stall, badly.
      Then his lawyers will spread doubt about any other evidence previously collected. They will make a party out of it and, in the end, the guy may be considered innocent.

      So, even if you're willing to torture the guy, it's not practical.

    5. Re:is waterboarding next to get the info? by Anonymous Coward · · Score: 3, Insightful

      The laws were made as they always were. To protect the rich, powerful, and well-connected. Preferably whiter and male. And to damn the poor and duskier. And more female.

      And to fatten, empower, and privilege all members of the judicial system.

      The poor, better-melanized and female are - for all intents - railroaded. Those who have money including drug gangsters - keep afloat as long as they have anough money to feed the judicial system and bribe everyone else, and don't run afoul of "greater interests".

      Brazil has about 5000 families that "own" about 40% of the gdp. Only ~2% of the population makes more than about U$1200 a month. Another 40% of the gdp is taken up by taxes of all sorts. The remainding 98% of the population is just as unequally distributed. And scrabbles for for the remaining 20% of the gdp. That's about 180 million people disputing the gdp of, I think, Latvia. Or so.

      And banks and big corporations - ultimately owned by foreign capital - are ultimate and sacred. Like BP is, in the US.

      Each one of them is - in practice - a different "country". With it's own laws, powers, treaties, systems, authority, sovreignity, and autonomy.

      The common folk get milked, and railroaded. As the system - and the laws - were designed to do it.

    6. Re:is waterboarding next to get the info? by Anonymous Coward · · Score: 5, Insightful

      hat's all nice and stuff, but many people (myself included) believe that they went too far and, basically, criminals are being treated like defenceless babies.

      Fuck you. No, really...fuck you.

      It is not possible to go too far in that direction. You take away just enough rights to prevent an anarchist nightmare, but no more. It's still evil that we must take away those rights, but the few assholes who want to hurt others for personal gain make it necessary to do so. Still, it is always very, very important that you're always aware that every law, regardless of how well-intentioned, causes you to slide a bit more into the slippery slope towards tyranny. So, when absolutely necessary in order to protect your society's way of life, you do it. Never do it just because some people are getting away with things you don't think they should...the price you're paying isn't worth it.

    7. Re:is waterboarding next to get the info? by Jane+Q.+Public · · Score: 4, Insightful

      I have posted this a number of times, so pardon the repetition. But it is surprising how often this comes up:

      "That it is better 100 guilty Persons should escape than that one innocent Person should suffer, is a Maxim that has been long and generally approved." -- Benjamin Franklin

    8. Re:is waterboarding next to get the info? by bill_mcgonigle · · Score: 2, Insightful

      If waterboarding is not torture, then you are willing, I presume, to undergo it for two or three days? If not, fuck you.

      Anything specific for three days is torture. Bad test.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    9. Re:is waterboarding next to get the info? by MartinSchou · · Score: 2, Insightful

      Anything specific for three days is torture. Bad test.

      Really? So you'd be unwilling to suffer through "The Comfy Chair" for three days? I sincerely doubt that'd qualify as torture by any stretch of the imagination.

    10. Re:is waterboarding next to get the info? by Jane+Q.+Public · · Score: 3, Insightful

      First, there is nothing "Left-Wing" about what he wrote. At least not by American definitions. The principle of which he writes is one of the principles behind our own Constitution, which (by our standards) is neither Left or Right. Please see the quote from Benjamin Franklin that I posted above. And given that it precedes the Brazilian equivalent, I think there is argument for precedent of definition.

      Nevertheless, what you describe appears to be a situation of what we might call "too much freedom", with the resulting (relative) anarchy that it entails. (And that is very far from any kind of "left-wing" ideal.) And as with any system with relatively weak criminal laws that does not also offer legal protections to the innocent, the physically powerful (i.e., those who accumulate, and are willing to use, force) will tend to dominate.

      Even so, you should be aware that many Americans, having suffered for almost 10 times the number or years the Brazilian constitution has existed the constant expansion and increasing oppression of their Federal government, would probably give a lot to trade relative positions with you. As long as they could bring their own guns.

      No, we have not experienced your particular problems. At least not in this decade. But then, neither have you experienced ours. And make no mistake: ours are real, too. I have stood up in government meetings and vocally opposed politically popular but unwise laws. I have personally opposed police who were breaking the law for their own benefit. I have placed myself between criminals and innocent people they were trying to victimize.

      The poster who insulted you may have misunderstood your situation, and judged it based on his own. But misunderstanding OUR situation, and judging it based on your own, is equally out of line.

  2. Maybe it was just random data by petes_PoV · · Score: 2, Insightful
    If I wanted to create a decoy I'd just dump some output from /dev/random onto a disk partition and let the government try decrypting that for a few years (so long as they don't hold me in jail in the meantime). It seems that no matter how much you protest that a block of 0's and 1's isn't an encrypted file, it's just random noise, the only way to prove it, one way or the other, is when / if someone actually cracks it.

    Could take a while.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:Maybe it was just random data by swilver · · Score: 4, Insightful

      How will you get out of jail though?

      Give them the password? You can't since it is random data.

      Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!

      This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you :)

    2. Re:Maybe it was just random data by Tumbleweed · · Score: 4, Insightful

      How will you get out of jail though?
      Give them the password? You can't since it is random data.
      Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!
      This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you

      It depends on what your goal is. If your goal is to hide your secrets to stay out of jail, this may be a bad way to do it, especially if they torture you.

      If your goal is, however, to keep your drug lord employer's secrets, otherwise they'll torture and kill your entire family, that's another thing entirely.

    3. Re:Maybe it was just random data by petes_PoV · · Score: 3, Insightful
      Yes. It does make the possession of random data illegal. Since "they" will assume it is encrypted, even though they can't prove it they will demand a password from you. Since you cannot comply you are deemed to have done something illegal. This is one of the few areas of law where you have to prove your innocence. And the only way to do that is to surrender a password (if there was, actually, one) which could just make you guilty of a different offence - depending on what it was you wanted to keep encrypted.

      If there is ever a case along the lines of: "Well, m'lud the prosecution have not proved there are any encrypted files - it's just a block of encrypted data, so there is no case to answer" then I suggest we all follow it very closely.

      --
      politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  3. weird by roman_mir · · Score: 3, Insightful

    I thought this was not just a sound idea but a law.

    Great stuff though, but expect some new laws by government that make it illegal not to provide your password/keys to the government upon a court order and if you don't provide it, expect an assumption of guilt and some extra punishment. I am not saying it's right, just saying that's probably going to be one of the outcomes of this.

    Of-course the problem is that they got the drives physically (not that I am necessarily on the side of a allegedly corrupt banker, but I am not automatically assuming he is guilty of anything either.) Here is a good application for the 'cloud' (yikes) - keep your encrypted data so that nobody can even know it exists in the first place.

    --
    You can't handle the truth.
    1. Re:weird by swilver · · Score: 2, Insightful

      That would mean that a truecrypt volume is distinguishable from random data?

  4. Re:Wrong Agency by Anonymous Coward · · Score: 2, Insightful

    *offers b4upoo a roll of tinfoil and a bag containing 26 scrabble tiles*

  5. Re:Wrong dictionary. by slimjim8094 · · Score: 2, Insightful

    To be fair, the US FBI probably *should* be US-centric. We already have a whole group of people who do the same thing, but specifically *not* US-centric.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  6. Re:Wrong Agency by Anonymous Coward · · Score: 5, Insightful

    Other agencies such as NSA can probably crack that encryption with ease if not instantaneously

    Stop believing in spy movies.

  7. Re:So where's the problem? by hedwards · · Score: 3, Insightful

    Presumably, they're looking for evidence, and based upon the effort they're going to, I suspect that they might not have a case without whatever is on the disks. Assuming that there's something on there that incriminates him. Which is why the 5th amendment protects the key.

  8. this is obviously disinformation :) by Anonymous Coward · · Score: 4, Insightful

    ... if I were the FBI and I could decrypt TrueCrypt, I'd not admit it and hope everyone keeps using it.

  9. Re:Wrong Agency by rolfwind · · Score: 2, Insightful

    The FBI has never been a leader in computer technology. Other agencies such as NSA can probably crack that encryption with ease if not instantaneously. I have often wondered if these encryption programs were not let lose by our government so that they would always be able to examine file contents. As far as I know only a program that uses a one time pad is truly secure and I feel that even that would be suspect unless one took the time to create his own pad.

    The government has a vested interest in appearing a lot more competent or advanced than they are. Then I look at the Gulf Oil Spill and know otherwise.

    If the NSA could have unlocked it for them, I believe the FBI would have been there in a split second. They probably already asked.

    Gotta ask, does AES have a backdoors that they can go "compell" an organization to give them the keys to it? Seems like shaky ground to secure data on, but the article mentions it.

  10. Re:Validating technology by kylemonger · · Score: 5, Insightful

    The FBI can't crack it, true, but crypto is rarely the weakest link. Can you prevent the FBI from installing a keylogger on the computer you use to access the drives? Can you prevent them from installing a camera somewhere that records your keystrokes, or records your computer screen? It sounds like they moved on this guy too soon. If you need a brick of encrypted data to make your case against a white collar criminal, that's just lazy police work. If you build enough of a case against him beforehand, he'll give you the key as part of a deal to reduce his jail-time. Then you can use that data to go after the next leve of baddies.

  11. Weakest link? by Alwin+Henseler · · Score: 4, Insightful

    No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential.

    That only matters if the implementation used doesn't have any important flaws. And a password wasn't stored anywhere by accident or 'overlooked mechanism' (caches etc). And the chosen keylength was enough to make brute-force attack unfeasible. And nobody else has/leaks password.

    They don't have to crack a tried & tested algorithm, they only have to find the weakest link. Surely there's many links, most of those weaker than the algorithm itself.

  12. Re:Wrong Agency by marcansoft · · Score: 2, Insightful

    Hard drive encryption has nothing to do with public-key encryption, much less public-key encryption using smallish keys (by today's standards, 1024 is practically insecure).

    Symmentric encryption keysizes are not comparable to public key encryption keysizes. 128-bit AES keys are unbreakable today, and 256-bit keys are just healthy overkill.

  13. Re:Wrong Agency by gweihir · · Score: 3, Insightful

    If the passphrase has more than 256 bits, brute-forcing it is less efficient by a fair margin, than direct guessing. On the practical side, passphrase guessing likely becomes very expensive for something like 50+ bits of entropy with a good key-setup. Keep in mind that the key-setup may make you work for, e.g., 1 sec of CPU time per guess. With 50 bits, that is (assuming an EC3 small unit for simplicity) around 25 Billion USD for the crack. For every 10 additional bits, add a factor of 1000. With this money, you can built special-purpose hardware, but incidentally, that is likely only going to be faster but not cheaper.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. Re:Wrong Agency by gweihir · · Score: 3, Insightful

    Not never. Given enough time and CPU cycles, anything stored locally can be cracked. It's just a matter of how long you want to wait.

    Wrong. There is a finite amount of matter and energy (and hence computing power) in the universe. With AES 256 these limits are already very close and possibly exceeded.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Re:US Laws? by FrankSchwab · · Score: 2, Insightful

    And yet, the Government of the US, lead by the President of the US, fought a battle all the way to the Supreme Court of the US, arguing that they had the right to detain US citizens indefinitely without recourse to the courts simply because they called the citizen a name - "Terrorist" and "enemy combatant".

    And the courts of the US haven't yet issued a ruling that this is against our precious constitution. Nor has our president, running on a platform of change, spoken out against this travesty:
    http://en.wikipedia.org/wiki/Jos%C3%A9_Padilla_(prisoner)
    http://www.foxnews.com/story/0,2933,506265,00.html

    So, if a Police official steps up to you, and says "I think you are a Terrorist and an Enemy Combatant; please give me your encryption keys to prove your innocence", your refusal means indefinite detention in a military detention facility, subject to military interrogation methods which include those which we ourselves have called war crimes:
    http://www.washingtonpost.com/wp-dyn/content/article/2007/11/02/AR2007110201170.html

    A piece of paper protects no rights.

    --
    And the worms ate into his brain.
  16. Re:Wrong Agency by Bengie · · Score: 3, Insightful

    A password based on a phrase where you substitute 3-4 letters for a few special characters and insert 1-4 extra characters into the middle of a word as to mess with the length, would be about has hard to break as the AES key itself. This would be an easy to remember password that would only take a few seconds to type and would render dictionary attacks useless.

    "a large distributed attack should be able to 'crack' it with much less difficulty than reversing the AES itself"

    Of course brute forcing a 256bit key could take 1,000,000,000,000 computers that could do 1,000,000,000,000 AES comparisons per second(aka, about 32,768 cores at 3ghz) about 1.8e+42 millennia. So, by "much less", so you mean to reduce the effectiveness to 1/10^42(0.00000000000000000000000000000000000000001%) would only take those 1 trillion 32k core 3ghz super computers 1000 years to break.

    Assuming this person used a semi-decent password, the only way to get around this would be torture, key got cached/written down, bugged his keyboard, or general luck.

    Fun fact told to me via a PHD in encryption. A 256bit symmetric algorithm that has no work around (AES has flaws that reduces its effectiveness) and using computers so efficient that it takes the theoretically smallest amount of energy to flip a bit, would on average consume most of the energy in the known universe to break a single key. (Think consuming all the stars in the Milkyway galaxy just a start)

    "It is not crazy to think that the NSA could have this capability." I would say overly optimistic.

  17. In other news by mysidia · · Score: 2, Insightful

    The FBI has not solved the P=NP problem, either

    Or implemented practical cold fusion

    Or developed a practical AIDS vaccine

    Or found the cure to cancer

    Or solved world hunger

    Or stopped the oil spill

    They failed to do all these things.

  18. Re:Alternate Partition? by bill_mcgonigle · · Score: 3, Insightful

    and then under threat of water boarding, hand out the duress password.

    But what about the third password they want? What do you do then?

    Turtles.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)