FBI Failed To Break Encryption of Hard Drives

benoliver writes to let us know that the FBI has failed to decrypt files of a Brazilian banker accused of financial crimes by Brazilian law enforcement, after a year of attempts. Five hard drives were seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha in July 2008. (The link is to a Google translation of the original article in Portuguese.) The article in English mentions two encryption programs, one Truecrypt and the other unnamed. 256-bit AES was used, and apparently both the Brazilian police and the FBI tried dictionary attacks against it. No Brazilian law exists to force Dantas to produce the password(s).

is waterboarding next to get the info?

[Joe+The+Dragon]

is waterboarding next to get the info?

Re:is waterboarding next to get the info?

[countertrolling]

That's not offtopic. If they want the info bad enough, that is what they will do. And nobody will be able to prove a damn thing.

Re:is waterboarding next to get the info?

[stonewallred]

If waterboarding is not torture, then you are willing, I presume, to undergo it for two or three days? If not, fuck you.

Re:is waterboarding next to get the info?

[fm6]

Learn to read. TPP didn't say it was legal. Read the text you yourself quoted.

Coerced evidence is illegal almost everywhere. And it ends up being used almost everywhere, because it's really hard to prove coercion.

Re:is waterboarding next to get the info?

[keeboo]

I'm guessing there's laws against it in the U.S. too, that didn't stop them. What makes you think they're beyond it in South America? The fact that you live there, perhaps? Quite narcissistic, but that seems to be the norm for Brazilians.

It seems that, in your opinion, all south american countries are barbaric lands where no laws are to be taken seriously.
That's incredibly arrogant of yours. Because of things like that, the rest of the World put all US citizens (including the good ones) in the same basket and call them assholes.

Even you completely disregard the morality (or immorality) of laws, good/bad/weak/silly laws are to be enforced and there are practical issues:

If they torture the guy in order to obtain the information, the next day that bastard will make a public scandal, cry his human rights were violated etc, and his lawyers will invoke every conceiveable law and the process will stall, badly.
Then his lawyers will spread doubt about any other evidence previously collected. They will make a party out of it and, in the end, the guy may be considered innocent.

So, even if you're willing to torture the guy, it's not practical.

Re:is waterboarding next to get the info?

The laws were made as they always were. To protect the rich, powerful, and well-connected. Preferably whiter and male. And to damn the poor and duskier. And more female.

And to fatten, empower, and privilege all members of the judicial system.

The poor, better-melanized and female are - for all intents - railroaded. Those who have money including drug gangsters - keep afloat as long as they have anough money to feed the judicial system and bribe everyone else, and don't run afoul of "greater interests".

Brazil has about 5000 families that "own" about 40% of the gdp. Only ~2% of the population makes more than about U$1200 a month. Another 40% of the gdp is taken up by taxes of all sorts. The remainding 98% of the population is just as unequally distributed. And scrabbles for for the remaining 20% of the gdp. That's about 180 million people disputing the gdp of, I think, Latvia. Or so.

And banks and big corporations - ultimately owned by foreign capital - are ultimate and sacred. Like BP is, in the US.

Each one of them is - in practice - a different "country". With it's own laws, powers, treaties, systems, authority, sovreignity, and autonomy.

The common folk get milked, and railroaded. As the system - and the laws - were designed to do it.

Re:is waterboarding next to get the info?

hat's all nice and stuff, but many people (myself included) believe that they went too far and, basically, criminals are being treated like defenceless babies.

Fuck you. No, really...fuck you.

It is not possible to go too far in that direction. You take away just enough rights to prevent an anarchist nightmare, but no more. It's still evil that we must take away those rights, but the few assholes who want to hurt others for personal gain make it necessary to do so. Still, it is always very, very important that you're always aware that every law, regardless of how well-intentioned, causes you to slide a bit more into the slippery slope towards tyranny. So, when absolutely necessary in order to protect your society's way of life, you do it. Never do it just because some people are getting away with things you don't think they should...the price you're paying isn't worth it.

Re:is waterboarding next to get the info?

[Jane+Q.+Public]

I have posted this a number of times, so pardon the repetition. But it is surprising how often this comes up:

"That it is better 100 guilty Persons should escape than that one innocent Person should suffer, is a Maxim that has been long and generally approved." -- Benjamin Franklin

Re:is waterboarding next to get the info?

[Jane+Q.+Public]

First, there is nothing "Left-Wing" about what he wrote. At least not by American definitions. The principle of which he writes is one of the principles behind our own Constitution, which (by our standards) is neither Left or Right. Please see the quote from Benjamin Franklin that I posted above. And given that it precedes the Brazilian equivalent, I think there is argument for precedent of definition.

Nevertheless, what you describe appears to be a situation of what we might call "too much freedom", with the resulting (relative) anarchy that it entails. (And that is very far from any kind of "left-wing" ideal.) And as with any system with relatively weak criminal laws that does not also offer legal protections to the innocent, the physically powerful (i.e., those who accumulate, and are willing to use, force) will tend to dominate.

Even so, you should be aware that many Americans, having suffered for almost 10 times the number or years the Brazilian constitution has existed the constant expansion and increasing oppression of their Federal government, would probably give a lot to trade relative positions with you. As long as they could bring their own guns.

No, we have not experienced your particular problems. At least not in this decade. But then, neither have you experienced ours. And make no mistake: ours are real, too. I have stood up in government meetings and vocally opposed politically popular but unwise laws. I have personally opposed police who were breaking the law for their own benefit. I have placed myself between criminals and innocent people they were trying to victimize.

The poster who insulted you may have misunderstood your situation, and judged it based on his own. But misunderstanding OUR situation, and judging it based on your own, is equally out of line.

weird

[roman_mir]

I thought this was not just a sound idea but a law.

Great stuff though, but expect some new laws by government that make it illegal not to provide your password/keys to the government upon a court order and if you don't provide it, expect an assumption of guilt and some extra punishment. I am not saying it's right, just saying that's probably going to be one of the outcomes of this.

Of-course the problem is that they got the drives physically (not that I am necessarily on the side of a allegedly corrupt banker, but I am not automatically assuming he is guilty of anything either.) Here is a good application for the 'cloud' (yikes) - keep your encrypted data so that nobody can even know it exists in the first place.

Re:Wrong Agency

Other agencies such as NSA can probably crack that encryption with ease if not instantaneously

Stop believing in spy movies.

Re:So where's the problem?

[hedwards]

Presumably, they're looking for evidence, and based upon the effort they're going to, I suspect that they might not have a case without whatever is on the disks. Assuming that there's something on there that incriminates him. Which is why the 5th amendment protects the key.

Re:Maybe it was just random data

[swilver]

How will you get out of jail though?

Give them the password? You can't since it is random data.

Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!

This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you :)

Re:Maybe it was just random data

[Tumbleweed]

How will you get out of jail though?
Give them the password? You can't since it is random data.
Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!
This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you

It depends on what your goal is. If your goal is to hide your secrets to stay out of jail, this may be a bad way to do it, especially if they torture you.

If your goal is, however, to keep your drug lord employer's secrets, otherwise they'll torture and kill your entire family, that's another thing entirely.

this is obviously disinformation :)

... if I were the FBI and I could decrypt TrueCrypt, I'd not admit it and hope everyone keeps using it.

Re:Maybe it was just random data

[petes_PoV]

Yes. It does make the possession of random data illegal. Since "they" will assume it is encrypted, even though they can't prove it they will demand a password from you. Since you cannot comply you are deemed to have done something illegal. This is one of the few areas of law where you have to prove your innocence. And the only way to do that is to surrender a password (if there was, actually, one) which could just make you guilty of a different offence - depending on what it was you wanted to keep encrypted.

If there is ever a case along the lines of: "Well, m'lud the prosecution have not proved there are any encrypted files - it's just a block of encrypted data, so there is no case to answer" then I suggest we all follow it very closely.

Re:Validating technology

[kylemonger]

The FBI can't crack it, true, but crypto is rarely the weakest link. Can you prevent the FBI from installing a keylogger on the computer you use to access the drives? Can you prevent them from installing a camera somewhere that records your keystrokes, or records your computer screen? It sounds like they moved on this guy too soon. If you need a brick of encrypted data to make your case against a white collar criminal, that's just lazy police work. If you build enough of a case against him beforehand, he'll give you the key as part of a deal to reduce his jail-time. Then you can use that data to go after the next leve of baddies.

Weakest link?

[Alwin+Henseler]

No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential.

That only matters if the implementation used doesn't have any important flaws. And a password wasn't stored anywhere by accident or 'overlooked mechanism' (caches etc). And the chosen keylength was enough to make brute-force attack unfeasible. And nobody else has/leaks password.

They don't have to crack a tried & tested algorithm, they only have to find the weakest link. Surely there's many links, most of those weaker than the algorithm itself.

Re:Wrong Agency

[gweihir]

If the passphrase has more than 256 bits, brute-forcing it is less efficient by a fair margin, than direct guessing. On the practical side, passphrase guessing likely becomes very expensive for something like 50+ bits of entropy with a good key-setup. Keep in mind that the key-setup may make you work for, e.g., 1 sec of CPU time per guess. With 50 bits, that is (assuming an EC3 small unit for simplicity) around 25 Billion USD for the crack. For every 10 additional bits, add a factor of 1000. With this money, you can built special-purpose hardware, but incidentally, that is likely only going to be faster but not cheaper.

Re:Wrong Agency

[gweihir]

Not never. Given enough time and CPU cycles, anything stored locally can be cracked. It's just a matter of how long you want to wait.

Wrong. There is a finite amount of matter and energy (and hence computing power) in the universe. With AES 256 these limits are already very close and possibly exceeded.

Re:Wrong Agency

[Bengie]

A password based on a phrase where you substitute 3-4 letters for a few special characters and insert 1-4 extra characters into the middle of a word as to mess with the length, would be about has hard to break as the AES key itself. This would be an easy to remember password that would only take a few seconds to type and would render dictionary attacks useless.

"a large distributed attack should be able to 'crack' it with much less difficulty than reversing the AES itself"

Of course brute forcing a 256bit key could take 1,000,000,000,000 computers that could do 1,000,000,000,000 AES comparisons per second(aka, about 32,768 cores at 3ghz) about 1.8e+42 millennia. So, by "much less", so you mean to reduce the effectiveness to 1/10^42(0.00000000000000000000000000000000000000001%) would only take those 1 trillion 32k core 3ghz super computers 1000 years to break.

Assuming this person used a semi-decent password, the only way to get around this would be torture, key got cached/written down, bugged his keyboard, or general luck.

Fun fact told to me via a PHD in encryption. A 256bit symmetric algorithm that has no work around (AES has flaws that reduces its effectiveness) and using computers so efficient that it takes the theoretically smallest amount of energy to flip a bit, would on average consume most of the energy in the known universe to break a single key. (Think consuming all the stars in the Milkyway galaxy just a start)

"It is not crazy to think that the NSA could have this capability." I would say overly optimistic.

Re:Alternate Partition?

[bill_mcgonigle]

and then under threat of water boarding, hand out the duress password.

But what about the third password they want? What do you do then?

Turtles.