FBI Failed To Break Encryption of Hard Drives

benoliver writes to let us know that the FBI has failed to decrypt files of a Brazilian banker accused of financial crimes by Brazilian law enforcement, after a year of attempts. Five hard drives were seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha in July 2008. (The link is to a Google translation of the original article in Portuguese.) The article in English mentions two encryption programs, one Truecrypt and the other unnamed. 256-bit AES was used, and apparently both the Brazilian police and the FBI tried dictionary attacks against it. No Brazilian law exists to force Dantas to produce the password(s).

is waterboarding next to get the info?

[Joe+The+Dragon]

is waterboarding next to get the info?

Re:is waterboarding next to get the info?

[countertrolling]

That's not offtopic. If they want the info bad enough, that is what they will do. And nobody will be able to prove a damn thing.

Re:is waterboarding next to get the info?

[keeboo]

That's not offtopic. If they want the info bad enough, that is what they will do. And nobody will be able to prove a damn thing.

In Brazil, proofs produced by illegal means cannot be used (Federal Constitution, Art. 5, Inc. LVI).

Also, commiting a crime in order to produce proofs is aggravated up to a 1/3 (Decree-Law 2.848, Art. 342, Par. 1).

Re:is waterboarding next to get the info?

[Pharmboy]

In Brazil, proofs produced by illegal means cannot be used

Same in America, and usually, that is how it works. More often than not, however, they are more worried about using the information rather than punishing the offender (ie: to get to his bosses) so they do it anyway, and try to convict without that information. This is mainly the federal government that does this, state governments almost never do this.

Re:is waterboarding next to get the info?

[stonewallred]

If waterboarding is not torture, then you are willing, I presume, to undergo it for two or three days? If not, fuck you.

Re:is waterboarding next to get the info?

[keeboo]

I'm guessing there's laws against it in the U.S. too, that didn't stop them. What makes you think they're beyond it in South America? The fact that you live there, perhaps? Quite narcissistic, but that seems to be the norm for Brazilians.

It seems that, in your opinion, all south american countries are barbaric lands where no laws are to be taken seriously.
That's incredibly arrogant of yours. Because of things like that, the rest of the World put all US citizens (including the good ones) in the same basket and call them assholes.

Even you completely disregard the morality (or immorality) of laws, good/bad/weak/silly laws are to be enforced and there are practical issues:

If they torture the guy in order to obtain the information, the next day that bastard will make a public scandal, cry his human rights were violated etc, and his lawyers will invoke every conceiveable law and the process will stall, badly.
Then his lawyers will spread doubt about any other evidence previously collected. They will make a party out of it and, in the end, the guy may be considered innocent.

So, even if you're willing to torture the guy, it's not practical.

Re:is waterboarding next to get the info?

[Tacvek]

Granting immunity is used in a fair number of crimes, but using it as away to force tesitmony frm an uncooperative witness is very rare, Much more common is the witness is perfectly willing to testify in exchange for the immunity. Cases like organized crime are the very reason for the WITSEC program (more popularly known as the witness protection program).

An even bigger problem with attempting to use immunity to compel testimony is that Supreme Court has held that only use immunity is required to compel tesitimony. That means the indivudual can later be prosecuted for the crime, but his testimony of evidence dirived from his testimony cannot be used against him. The only problem is that that should mean that only evidence collected before the testimony should be admissible, because it is impossible to show that evidence later collected was not found based on the testimony, and the courts do not require the police to prove that, so only evidence that was obviously based on the testimony is ever excluded.

Furthermore. If they refuse to testify they are charged with only contempt of court, but if they do testify, and that helps the cops get evidence against him, he is in bad shape. So given the choice he may well accept the contempt charge.

Finally, it can be hard to trust the testimony of somebody forced to testify against their will. Hiding this fact from the jury would be a bad idea because the jury has a right to know any reason why a particular witness may be unreliable. On the other hand, if the jury does know, The testimony really does not help the prosecution much.

Re:is waterboarding next to get the info?

[laron]

I take issue with your first statement. Luckily, there is an easy test to see what is and what isn't torture:
A claims that method X isn't torture, B says it is. Just have B apply Method X to A, until A confesses that he was wrong.

Re:is waterboarding next to get the info?

hat's all nice and stuff, but many people (myself included) believe that they went too far and, basically, criminals are being treated like defenceless babies.

Fuck you. No, really...fuck you.

It is not possible to go too far in that direction. You take away just enough rights to prevent an anarchist nightmare, but no more. It's still evil that we must take away those rights, but the few assholes who want to hurt others for personal gain make it necessary to do so. Still, it is always very, very important that you're always aware that every law, regardless of how well-intentioned, causes you to slide a bit more into the slippery slope towards tyranny. So, when absolutely necessary in order to protect your society's way of life, you do it. Never do it just because some people are getting away with things you don't think they should...the price you're paying isn't worth it.

Re:is waterboarding next to get the info?

[Jane+Q.+Public]

I have posted this a number of times, so pardon the repetition. But it is surprising how often this comes up:

"That it is better 100 guilty Persons should escape than that one innocent Person should suffer, is a Maxim that has been long and generally approved." -- Benjamin Franklin

Wrong dictionary.

[AnonymousClown]

...both the Brazilian police and the FBI tried dictionary attacks against it

They should have used a Portuguese dictionary not an English one! Geeze! Folks are soooooo US centric!

Re:Wrong dictionary.

Fifty bucks says the password is GOOOOOOOOOOOOOOOOOOOOOOOOAL!

Re:Wrong dictionary.

[drinkypoo]

...both the Brazilian police and the FBI tried dictionary attacks against it

They should have used a Portuguese dictionary not an English one! Geeze! Folks are soooooo US centric!

I suggest using the OED. Place the subject's testicles on top of volume one*...
* If using a single-volume edition, open to the end of letter 'M'. Fair results can be had with the use of electronic editions, but the technique is not recommended.

Re:Wrong dictionary.

[icebraining]

That would be GOOOOOOOOOOOOOOOOOLO, in Portuguese.

That's what they *want* you to believe

Just because you're paranoid does NOT mean that no one's out to get you.

And you KNOW the government is out to get you.

They should publish it as a DVD

[kawabago]

They should publish it as a DVD and within hours they'll be able to download the unencrypted file from a torrent! :o)

Re:They should publish it as a DVD

[UnknowingFool]

And if they name it "Secret Megan Fox, Natalie Portman threesome with grits" it should a matter of minutes before someone cracks it.

Reality Check

[baeyogin]

http://xkcd.com/538/

Re:Wrong Agency

[DarkDespair5]

No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential. The NSA is a double-edged sword - they help with useful security tools such as SELinux as well as their traditional spook espionage. The NSA can't crack AES even with a supercomputer (right now, and only if the user has a decent password and/or 2-factor authentication).

Re:Wrong Agency

Other agencies such as NSA can probably crack that encryption with ease if not instantaneously

Stop believing in spy movies.

Re:US Laws?

[Vinegar+Joe]

The law of gravity. The feds hang you by your feet out a 5th floor window till you talk......

Re:Maybe it was just random data

[swilver]

How will you get out of jail though?

Give them the password? You can't since it is random data.

Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!

This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you :)

Validating technology

[gmuslera]

This say plainly that if you encrypt your info with the right, cheaply available technology, not even the FBI could get it, no matter what is it, or who you are. How much time now till some law around criminalizing the use of encryption gets approved?

Re:Validating technology

[kylemonger]

The FBI can't crack it, true, but crypto is rarely the weakest link. Can you prevent the FBI from installing a keylogger on the computer you use to access the drives? Can you prevent them from installing a camera somewhere that records your keystrokes, or records your computer screen? It sounds like they moved on this guy too soon. If you need a brick of encrypted data to make your case against a white collar criminal, that's just lazy police work. If you build enough of a case against him beforehand, he'll give you the key as part of a deal to reduce his jail-time. Then you can use that data to go after the next leve of baddies.

Re:US Laws?

[hedwards]

Not without violating the 5th amendment. If you can get the key via keylogger or malware it's fair game, otherwise they have to willingly provide it or you've got to crack it. But the constitution as it stands, does not allow the authorities to compel a suspect to produce the files.

Re:Maybe it was just random data

[Tumbleweed]

How will you get out of jail though?
Give them the password? You can't since it is random data.
Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!
This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you

It depends on what your goal is. If your goal is to hide your secrets to stay out of jail, this may be a bad way to do it, especially if they torture you.

If your goal is, however, to keep your drug lord employer's secrets, otherwise they'll torture and kill your entire family, that's another thing entirely.

this is obviously disinformation :)

... if I were the FBI and I could decrypt TrueCrypt, I'd not admit it and hope everyone keeps using it.

Weakest link?

[Alwin+Henseler]

No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential.

That only matters if the implementation used doesn't have any important flaws. And a password wasn't stored anywhere by accident or 'overlooked mechanism' (caches etc). And the chosen keylength was enough to make brute-force attack unfeasible. And nobody else has/leaks password.

They don't have to crack a tried & tested algorithm, they only have to find the weakest link. Surely there's many links, most of those weaker than the algorithm itself.

Re:Wrong Agency

[Kjella]

If the NSA could have unlocked it for them, I believe the FBI would have been there in a split second. They probably already asked.

You must remember that the NSA is in the national security business. Revealing that AES can be broken would be beyond huge, it'd be bigger than the breaking of the Enigma codes during WWII. It'd also destroy the value, because afterwards everyone would migrate to something else. So even if NSA has that capability it'd be Top Secret and not revealed just to catch this guy. It's something they'd use in secret for signals intelligence and only reveal if it was absolutely necessary in defense of the United States.

Gotta ask, does AES have a backdoors that they can go "compell" an organization to give them the keys to it?

AES itself? No. Any particular encryption software? Possibly, but as TrueCrypt is open source that's unlikely. Same with the full disk encryption in Linux. As pure brute force, there's not enough energy in the sun to break a 256-bit encryption. But there can always be some kind of algorithmic attack. I think for AES256 there was an attack lowering the strength to about AES128 strength. Still plenty strong but you can't knew if there's a better one.

Alternate Partition?

[HTMLSpinnr]

One of the great features of TrueCrypt is the whole alternate partition/segment idea. One password gives access to real data, while another (a duress password) would give some other access to an alternate segment. Put some benign documents in the alternate partition, and then under threat of water boarding, hand out the duress password. Assuming this all works, they find nothing, you go home.

Granted, I'm not encouraging this idea for criminal activity, but rather for truly sensitive data that shouldn't fall into the wrong hands.