British Teen Jailed Over Encryption Password
An anonymous reader writes "Oliver Drage, 19, of Liverpool has been convicted of 'failing to disclose an encryption key,' which is an offense under the Regulation of Investigatory Powers Act 2000 and as a result has been jailed for 16 weeks. Police seized his computer but could not get past the 50-character encrypted password that he refused to give up. And just to get it out of the way, obligatory XKCD."
Pfft, Britain. Glad my ancestors were smart enough to split that dive and set up someplace safe for me to live....
"When I am king, you will be first against the wall..."
"xkcd", not "XKCD". We really don't need to shout the comic name.
But it's hard to remember all those special characters after they beat you with a wrench. Be sure to choose a password that's easy to remember under bludgeoning to limit the number of times they have to hit you in the head.
This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
I wonder what he is hiding.
Don't you have the right to remain silent, so as to not incriminate yourself? We have it here in the US.
The article says "encryption password" which makes way more sense.
He's getting off easy. In the USA, the cops would get a court order and the judge could order him jailed for contempt of court until he gives up the password.
Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation.
Well, I guess that makes it okay, then. After all, we can't allow people accused of child sexual exploitation to be free, can we?
On a more serious note, this sucks.
Det Sgt Neil Fowler, of Lancashire police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.
"Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime.
"It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence."
I guess insisting on your privacy is taboo now. Even if you're a good kid, if you refuse to let the police into your private files just on principle, you're boned.
I know this is Slashdot, and we don't RTFS, but come on!
Considering what he's charged with if they can't prove their case without what's on his computer and if they can't get past his crypto he'll have gotten off light.
I can see how it's easy to miss, as it is the first sentence in TFA:
Really? First sentence: Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation.
I know it's the UK, but couldn't this be defended as the right to not self-incriminate? IANAL, but I'm just throwing that out there.
Could he have given them a random password, and then act dumbfounded when it does not work?
Maybe even accuse them of breaking his system?
It is hard to prove that the header of an encrypted disk has not been corrupted.
Would that work with the current law? Has anyone already tried it?
DUH. Obviously he's a terrorist.
Now they'll just fall back on plan B: Generate a one-time-pad that when combined with his encrypted data will yield whatever happens to be the most incriminating data imaginable.
"Prefiero morir de pie que vivir siempre arrodillado!"
Or he can be like Terry Childs and sit 2 years in jail waiting for the trial.
downloaded music? games? movies? software?
I see no legitimate reason why someone would refuse to disclose a password that is related to it.
You have never ever forgotten a password, right?
Seven puppies were harmed during the making of this post.
16 years
The article says the pigs were investigating some child porn or what not, and they got this kid with his computer.
OK, so now the kid is in jail for 16 weeks based on what evidence? Only based on the fact he doesn't want to give up his password.
GOOD FOR HIM.
I only wonder what they will do in 16 weeks time, will they again ask for his password and if he refuses throw him back in the slammer?
There is no way for anybody to say that he has any child porn on his computer and pigs could come up with any excuse just to look into his computer.
PIGS: -We want your computer files.
KID: Fuck you.
PIGS saying to judge: -We are investigating child porn, we want his computer files.
Judge: -Give us your password.
KID: Fuck you.
Judge: -Off to jail you go for not giving us your password.
--
That's it. No child porn, only a stubborn kid. Again, good for him.
You can't handle the truth.
You don't see a difference between being forced to say something and some DNA being taken?
Why don't we just force them to say they are guilty instead of the encryption key?
That would save the taxpayer a lot of money.
Pfft, Britain. Glad my ancestors were smart enough to split that dive and set up someplace safe for me to live....
What makes you think it would be any different in the USA?
Computer crime + Contempt of court = jail until hand over the password.
I wonder what the laws are if you happen to forget the password? I use one-time passwords all the time. Some are 10 characters or more. I count on my ability to either reset the password or re-create the data. Politicians do it all the time. "It slipped my mind" or "It was ten years ago" or "I get so many papers that it's hard to remember what I signed".
Is it illegal in Britain to have a disk/folder full of large, strangely named files with random data in it? If not, how do they tell it from encrypted data?
Of course, this is wrong on so many levels that not all of them have to do with encryption or computers. What if he really forgot the password, or the policemen accidentally removed and discarded the sticker on the monitor while seizing the computer? What
PlusFive Slashdot reader for Android. Can post comments.
WTF, how was that posted as AC?
I'm pretty sure that's where they think he hid the stolen diamonds.
+1 Disagree
http://slashdot.org/comments.pl?sid=1804666&cid=33751366
Of course, the UK is not unique in much of this. But what makes these examples so sad for me is how the UK was the foundation for much of what one might consider Western freedom. It fought the good fight against totalitarianism (let's not Godwin this). I don't think those who struggled back then would consider all this to be what they were struggling *for*.
Will this constant erosion of freedom ever stop?
You should set up multi-level encryption. Encrypt your mildly interesting stuff with one key, and the really nasty stuff with another. When they seize your computer, let them beat you for a bit, then give up the mildly interesting key. They'll give you an ice-pack, and when they find the deeper encryption, just say, "that's old junk, I forgot the password to that, and never got around to deleting it."
I need trepanation like I need a hole in the head.
If it is 50 all lowercase letters, that gives you about 5.6*10^70 possible combinations. If you have a supercomputer that can do for example 2.8bn combinations per second (fastest example on this page http://www.elcomsoft.com/distributed_password_recovery.html), then it would take 6*10^53 years to go through them all. In other words 50 characters is a pretty secure password.
Add uppercase, numbers and all the symbols on my keyboard to the mix, and you have 3.6*10^99 combinations. You can work out how much longer that would take, but it makes no difference, the world would come to an end long before you did it.
It seems you've managed to fail on multiple levels today. Congratulations.
Do what thou wilt shall be the whole of the Law
You have to assert that you forgot it, and make it convincing. Just answering "no" when they ask you to write it down kills that angle.
Link up one citation to this happening in the U.S. Sure, you can be abducted off to parts unknown, tried under a military court and executed, but in a US court we still have a Constitution and the Fifth Amendment.
I don't see this as a "self-incrimination" issue, after all DNA and biological samples can be taken against your will and you cannot refuse to provide it if it's called for.
They can collect your DNA, but you're not required to tell them if you're a chimera. There's a difference between being the subject of an investigation against your will (which goes for your person and your effects), and being compelled to assist in it actively.
In exactly the same way, they can read your encrypted hard disk (with a warrant), and they can break your safe (with a warrant). In the latter case, they'll likely ask you to open it for them for the simple reason that you'd rather have a functional safe afterwards and they'd rather do less work (so everybody wins). However, this law differs by saying that if the cops can't break your safe, you have to help.
A.
...I don't see this as a "self-incrimination" issue...
Your neighbor spits on your lawn.
This really pisses you off.
You make a detailed journal entry (which you keep encrypted) about how much you hate your neighbor and you want to shoot him.
Your neighbor gets shot.
You still want to show them your data?
B.
You arrive home and find your neighbor's wife's dog (who continually craps on your lawn) has been slaughtered and hung like a side of beef in your bathroom.
You call the cops even though you're an obvious suspect.
They ask you a few questions and want to examine some of your stuff, including your computer.
They find that your computer has been encrypted (not by you).
Will the law think it's likely that someone encrypted your computer, or will they think that you don't want to share the data?
Neither of these are even remotely likely, but that's what the law has to account for: the possible.
Seems British subjects are being oppressed. Why don't we liberate them and annex Britain to the U.S.? Of course they'd have to give up that silly royalty business.
They don't know, yet. That's why they're willing to go to such extremes to get it. A boat is just a boat, but the mystery box could contain anything, even a boat!
"Believe me!" -- Donald Trump
Good for him.
You just give them the wrong one first, then when challenged on it you admit you may have forgotten it.
Ooooh the scary words "child pr0n" where people lose all their reason (sure it is a terrible thing, but don't stop thinking, k?). A "child" in this case could be his 17 year old girlfriend that sent him a clothed but "lascivious" picture for example.
Most likely, you clicked on the "Post Anonymously" checkbox in the left corner of the submit box.
Umm, with all the turmoil I just can't remember it.
---- Booth was a patriot ----
Not quite. Terry Childs gave out the password and he still stayed in jail. It's almost as if there was something else going on than just a password.
Why on earth would you encrypt a hard drive with any public key algorithm?? That would be incredibly slow.
Even if a judge ruled that wasn't you testifying against yourself, you could still protect yourself if you simply said "I don't recall that password." You may notice that not being able to recall is used a lot when under oath. The reason is that there really isn't any way to challenge it. We forget shit all the time (hell everyone seems to forget their passwords if my job is any indication). You can't prove someone hasn't. So they say "What is the password and the 5th amendment doesn't protect you," you say "Sorry, I can't recall that password."
See this doesn't work in Britain because they made it a crime not to provide the password period. If you fail to provide it, regardless of the reason, that's illegal. It was a specific law made for passwords. So can't remember? You are boned. The US has no such similar law. Thus the only way they could get you is if you said you knew the password, but refused to give it up, and it was ruled that wasn't protected under the 5th.
However if you look into it you discover that while there's little case law, indeed it HAS been ruled that the 5th prevents you from having to give up a password. As such that will probably stay; in general courts abide by the rulings of other courts of competent jurisdiction.
How do you know the encrypted data is related to the case?
How do you know the encrypted data is not something that is, at least to the 19 year old suspect, even worse?
What if he's secretly gay, his entire family are raging homophobes, and he KNOWS beyond the shadow of doubt that revealing his encryption password will get him disowned?
If this was you, would YOU reveal the password?
-=This sig has nothing to do with my comment. Move along now=-
I wonder how they found out that the length of the passphrase is 50 characters. Did he brag to the authorities? Was there some way of detecting the length of the passphrase when they looked at the encrypted key?
This is why you need hardware encryption with a self-destruct mechanism.
A software solution cannot do this. They will mirror your disk and work on the mirror. But a self-contained chip can be made tamperproof and such that enough mistyped passwords or just the special self-destruct passwords makes the chip irreversibly lose the key.
After the self-destruct event happened you just claim they caused it. That you gave the correct password the first time they asked. Even if you end up getting convicted on giving the self-destruct password that might be less than what they are really after.
A variant of this scheme is to store your password on a key device with the same properties. Someone could make an application for your phone that did this. It would not be as secure, as they could be mirroring your phone, but likely they would catch on to that too late.
Then I read the law and, shockingly enough, the Sexual Offences Act 2003 changed the age of adult from 16 to 18.
If you kept your long unrememberable key on say, a post-it, and then when the cops come in burn it. Then you don't know the key and cannot recover it. I think that would get you off the hook. However, post-its are not so reliable. What you would need is a way to store the key on some form of removable memory which can be quickly, but not accidentally, totally erased. Or use some clever hidden partitions as a way to plausibly deny the data exists at all.
Munroe, who often gets so much stuff right, got the Crypto Nerd's Imagination all wrong. There are three other (much more plausible) panels he could have drawn.
1) One panel would say, "The laptop is encrypted. I wish I knew where to find the guy I stole it from, so that I could ask him the password or beat it out of him with my $5 wrench. Surely he'll come back to the coffee shop if I sit here and wait long en-- Oh goody, he's here. SHIT, he has a $10 wrench!!"
2) One panel would say, "Half the country's packets are encrypted. We're not going to know what everyone is doing on the internet, until we hire fifty thousand people and buy them each a wrench and give them a house-to-house route. [Later:] SHIT, the budget didn't get approved, because the press made a big stink after we threatened the 207th person."
3) One panel would say, "Muahahah, we got his laptop. Quick, let's get the info off it really fast and then slip it back into his office before he gets back from lunch. He'll never know!! Shit, it's encrypted. Go get the wrench. No, wait. SHIT. If we threaten him with the wrench into revealing the key, he'll know what we did."
Everybody knows that once people with greater force and the willingness to use it come after you, you're fucked. You're either going to give up your secrets, suffer their wrath, or (unlikely but possible) get a bigger bully to fight them off. That's not the problem that crypto solves. The other scenarios I just mentioned, though, it does solve, and it solves very well. If you're a crypto nerd and these aren't in your imagination, then you don't have much of an imagination.
As for Oliver Drage, a sneak-and-peek warrant would have failed. He knows they're investigating him, can talk to a lawyer, and defend himself as much as a government allows someone to do that. Without crypto, what might have happened?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Use TrueCrypt. Use Hidden Volumes. Any questions?
He can give them the password to the one that has his hardcore porn in it, and keep the password to the hidden volume that has his ILLEGAL hardcore porn, because nobody can prove it's there, and the courts aren't really smart enough to consider the possibility anyway.
Note: I categorically do not use TrueCrypt, or hidden volumes.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Cryptographically speaking, each added character makes it an order of magnitude more difficult than the previous character.
For a keyspace attack, beating a 50 character password is exactly the same amount of complexity as the ENTIRE SUM of the previous 49 characters possible passwords, times the keyspace for that 50th character.
So no, it reduces the complexity by half, but we're still talking about a septillion years on a quadrillion supercomputers (and more passwords than there are atoms on earth, etc, etc).
Get everyone to carry around virgin laptops, thus the feds will be consumed pursuing dead ends. The whole, we have rights to your data just flies so in the face of the 1st amendment, it is worth the citizens to carry unbreakable encryption just cause. Nothing illegal, just a nuisance. I am a libertarian. The countervailing policy is everyone is some kind of terrorist. Just absurd. We need to fight this total power grab under the guise of terror preparation. The number of people meaning harm is tiny. The number of citizens is great and all under the gun. That is bas ackwards. Let's restore individual liberty in this environment of wacko violence.
Amateurs always ask for this.. Or a duress password which will do the self-destruct the first time it's entered.
Pros know that imaging the drive is the first step of any process.
Interesting that 50*log(36)/log(2)=258. My guess is that he has software which obviously uses a 256 bit key, and someone had to explain what "256 bits" means to some layman, and they said, "It's about the same amount of information as 50 letters-or-numbers."
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
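The keyspace figures quoted in the comments above (26^50, the 2.8bn guesses per second rate, and 50*log(36)/log(2)) can be reproduced with exact integer arithmetic. This is an added example, not part of any original post; the 256-bit key size is the guess made in the comment above, and the 95-symbol printable-ASCII alphabet is an assumption of the example.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 2.8e9  # rate quoted in the thread


def keyspace(alphabet: int, length: int) -> int:
    """Exact count of passwords of exactly `length` symbols."""
    return alphabet ** length


def shorter_total(alphabet: int, length: int) -> int:
    """Count of all passwords with 1 .. length-1 symbols."""
    return sum(alphabet ** k for k in range(1, length))


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy if every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet)


def years_to_exhaust(alphabet: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every password of this length at `rate` guesses/s."""
    return keyspace(alphabet, length) / rate / SECONDS_PER_YEAR


def effective_bits(alphabet: int, length: int, key_bits: int = 256) -> float:
    """Search cost is bounded by the weaker of passphrase and cipher key.

    key_bits=256 is an assumption taken from the guess in the thread.
    """
    return min(entropy_bits(alphabet, length), key_bits)


def report(length: int = 50):
    """One row per alphabet: (name, size, passphrase bits, effective bits, years)."""
    alphabets = (("lowercase", 26),
                 ("lowercase+digits", 36),
                 ("printable ASCII (assumed 95)", 95))
    return [(name, size,
             entropy_bits(size, length),
             effective_bits(size, length),
             years_to_exhaust(size, length))
            for name, size in alphabets]


if __name__ == "__main__":
    for name, size, bits, eff, years in report():
        print(f"{name:30s} {size:3d} symbols  {bits:6.1f} bits "
              f"(effective {eff:5.1f})  {years:.1e} years")
    # Each extra symbol multiplies the search by the alphabet size, so all
    # shorter passwords together are a small fraction of the longest length.
    frac = shorter_total(26, 50) / keyspace(26, 50)
    print(f"passwords shorter than 50 chars: {frac:.1%} of the 50-char space")
```

These figures hold only for symbols chosen uniformly at random; a 50-character phrase built from dictionary words has far less entropy than the table suggests.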
You say you never had it.
The self-incrimination issue is that if you give the password, it indicates you had the password and thus you knew what was in there.
If you admit you have the password but won't give it, the self-incrimination issue is moot.
So you say you don't have the password. Not that you forgot it, but that you never had it.
http://lkml.org/lkml/2005/8/20/95
The UK has NEVER been a model for any "freedom" as we think of it here. Remember that whole revolutionary war thing? The one we had to fight TWICE just to be free of the King?
France gave us Lady Liberty. It's a French painting that inspired both the walking liberty and standing liberty coins; it's the French that came in and fought alongside us to kick England to the curb. England is the home USAians left BECAUSE of the lack of liberty.
Better to just say you forgot it, and then forget it.
Because if you screw with them it pisses them off, and if they find out they nail you for perjury.
So he's spending 16 weeks in jail. At the end of those 16 weeks, can they ask him for the password again and throw him in jail again if he does not divulge it?
If the authorities chose to arrest you, with or without good cause, they often put you in a pre-sentencing prison, then repeatedly "postpone" your trial for stupid reasons. I have seen MANY people who have been subject to this treatment in excess of two years (yes... in the USA). So, just to be clear:
1. you can be 100% innocent and remain imprisoned in the USA if they want you there
2. if you are politically connected or wealthy enough to afford an expensive lawyer (even better if you ARE a lawyer) - no problem... get out of jail free card.
3. never, EVER, tell the police or anyone investigating you anything. There are thousands of laws all intended to prosecute you, and only one which affords you protection -- the right to remain silent. Every good defense lawyer will tell you this.
Finally, if you actually believe America is free, then you are:
1. a lawyer, or politician
2. stupid
3. insane
At least in China they tell you the truth -- USA, not so much.
All protesters must be willing to accept the consequences of breaking the law. Props to this teen. A true blackhat in the making.
If you're so committed to the truth, then you should give them the password and the truth shall set you free.
But if for some reason you aren't interested in that, this is your next option.
http://lkml.org/lkml/2005/8/20/95
There's only one way to tell if someone has actually forgotten a password...dissect his brain!
If you build it, nerds will come. Soylentnews.org
The very best drive encryption out there (IMCO) is TrueCrypt and is both open source and free.
For the truly security crazed, you can set up a hidden operating system that you use for only your most secure stuff and use a DIFFERENT but valid password to get at it. Use your regular password for day to day stuff and only log in with the really secure one to get into the alternate OS.
The whole purpose of that is so if someone has a gun to your head (or a court order, or a $5 pipe wrench) you can give them your perfectly valid password and they can access all your perfectly normal files --and never even know the alternate data is there (it can be hidden across thousands of normal looking data and executable files in the normal OS).
Seriously cool stuff.
In security, there are only two levels of paranoia. Absolute, and insufficient.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
The kid was not successfully prosecuted on anything. This is purely on suspicion, and who's to say the police haven't/don't plant fake evidence on his computer once they get access. It's pretty rotten that they can destroy (try getting a job after spending 2 days in jail) someone's life over so little.
"The Brady Bunch is back...working homicide"
So, by that definition http://en.wikipedia.org/wiki/Manneken_Pis can be regarded as containing indecent photographs, and thus it will be labeled as "child porn". Or having pictures of your grandchildren playing naked on the beach. BAH!
I hate the word indecent, because it doesn't really define something objectively. For the moral self appointed high-guard indecent can mean a knee-length skirt, and a knee-length skirt can be porn for a leg fetishist but average Joe doesn't really give a flying f*ck about the morality of skirt-lengths and any possible indecency.
--- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
Hate to break it to you, but this is what they were fighting for. All the talk of freedom was just to get the rubes on board.
He's 19 now. He was arrested in 2009 when he was 18.
How old was the child? Probably 17.
He is seriously disturbed and needs to be put away.
Post your address so I can mail you a USB drive with random data on it.
Then a phone call to your local Police dept will be very interesting.
I see no legitimate reason why you would refuse to provide your local police the password to your USB drive full of kiddie porn.
So just provide the password or go to jail.
Starting to see the problem?
There is no way to prove that you honestly DON'T know the password or even that the random data ISN'T an encrypted disk of kiddie porn.
When the govt simply has to point to random data and claim you are a criminal, and all the burden is on you to prove that you aren't, well, you can be put in jail for any reason at any time.
Likely there is some random data on your hard drive right now (in the "blank" space). Prove it isn't an encrypted kiddie porn pic.
Is there an encryption software that supports 2 passwords: 1 for decryption, 1 for wiping all the data if it's entered?
Crazy stuff, eh? As they say, "The Law is an ass". It doesn't have to make sense, it's just a bunch of rules.
:)]).
Just wait until the US foists a treaty on you where they slip in defences against 'seriously immoral' stuff and making drinking under 21 illegal (like Texas etc).
Thanks for checking the facts of the case/UK law. Keep that in mind the next time police and the media bandy around the "child pr0n"/"predator" aspect. Also, I'd also like to clarify that the real child predators, pronsters, and molesters etc are disgusting. Just be careful that the Law's definition of "child" might not match your own point-of-view (hell, when I was a younger fella I'd have gone to jail these days for what we did with our girlfriends - and that was all mild compared to what young folk get up to now [both on and off my lawn
Stolen "Virtual" diamonds...
I did some more research and it's pretty pervasive - Canada, Australia are the same way for instance. It's rather shocking really, I knew that was the situation in the US but had presumed that everyone else had a different approach - guess that was a bit stupid really on second thoughts. Checking the world age-of-consent map shows that most places allow sex before 18, although I'm sure certain caveats apply. Makes you wonder about the reasoning behind the law as it currently stands.
So we're required to participate in search and seizure of our own property now? I thought the burden was on the police to gather all the evidence, but I guess I was wrong. Looks like the court can coerce you into locating evidence against yourself.
First step is to copy the drive...
If you really want to hide data, you need to encrypt it then steg it into innocuous media. Home videos would be best as there is no reference copy to show a difference with. Without a header encrypted data should be uniformly distributed. Camera noise should be normally distributed, so that might still be a way to detect it.
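The question raised earlier in the thread (how random data is told apart from encrypted data) and the claim above that headerless encrypted data is uniformly distributed can be checked with the two statistics a forensic triage tool typically computes, byte entropy and a chi-square test. This is an added example, not part of any original post; the sample buffers are constructed, and the SHA-256 counter-mode keystream is a stand-in for a real cipher.

```python
import hashlib
import math
from collections import Counter

SIZE = 64 * 1024  # bytes per constructed sample


def keystream(seed: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: deterministic stand-in for a CSPRNG or cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte histogram in bits per byte (maximum 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform one.

    For uniform bytes it has mean 255 and standard deviation about 22.6.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected
               for b in range(256))


def looks_uniform(data: bytes, max_chi2: float = 400.0) -> bool:
    """True when the histogram is consistent with uniform bytes.

    400 is a deliberately loose cut-off chosen for this example.
    """
    return chi_square(data) < max_chi2


# Constructed samples: ordinary text, "wiped" random fill, and the same
# text XORed with a keystream (a toy headerless ciphertext).
SENTENCE = b"the quick brown fox jumps over the lazy dog while the disk is copied\n"
PLAINTEXT = (SENTENCE * (SIZE // len(SENTENCE) + 1))[:SIZE]
RANDOM_FILL = keystream(b"constructed-seed-A", SIZE)
CIPHERTEXT = bytes(p ^ k for p, k in
                   zip(PLAINTEXT, keystream(b"constructed-key-B", SIZE)))


def triage():
    """Return {name: (entropy, chi2, looks_uniform)} for the three samples."""
    samples = {"plaintext": PLAINTEXT,
               "random fill": RANDOM_FILL,
               "ciphertext": CIPHERTEXT}
    return {name: (shannon_entropy(d), chi_square(d), looks_uniform(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (h, chi2, uniform) in triage().items():
        print(f"{name:12s} entropy={h:.4f} bits/byte  chi2={chi2:12.1f}  "
              f"uniform={uniform}")
```

The test flags the text sample immediately but gives the same verdict for random fill and ciphertext, which is why these statistics identify "high-entropy region" and nothing more.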
Refactor the law, it's bloated, confusing and unmaintainable.
Here is a design I have for a secure hard disk that would, if stolen or seized by the cops, prevent the recovery of any useful data. (assuming the thief/cops follow standard practice and just steal/seize the device rather than caring about how it works)
Items needed:
1. A hard disk (any one will do). Or you could use flash memory if you wanted to.
2. A microprocessor capable of encrypting/decrypting (using a strong algorithm such as AES) all data passed to the hard disk on the fly and circuitry to allow it to talk to the host PC and to the hard disk. Possibly, an FPGA or custom ASIC could be used to accelerate the crypto operations.
3. A GPS module that outputs data in a form the microprocessor can parse.
4. A small amount of non-volatile memory that can hold a set of GPS coordinates and a set of keys for the encryption algorithm
5. A power supply for all this
6. A backup battery designed to power the microprocessor, GPS module and memory. Something that is charged up whilst it's plugged into the wall and only runs down when there is no household power.
7. A nice case to put all this in that hides the inner workings and makes it look just like a normal external storage device.
The idea is that you wire up the GPS module and program the microprocessor so that it polls the GPS module every couple of minutes for the current GPS coordinates. If the GPS coordinates don't match what is stored in the memory, the microprocessor should erase the encryption keys. Add a nice large fudge factor to account for the inaccuracy of GPS units.
The backup battery is so that when it's unplugged, it erases the encryption keys before the cops/thief can get to the lab and analyze it. If you were REALLY paranoid, you could put the keys on memory that goes away if the power is removed. (and hope you don't have a power outage longer than the life of your UPS and backup battery)
You will need a special way to reprogram the GPS coordinates (i.e. temporarily disable the coordinate check then program new coordinates at the new location) in case you ever need to move the device legitimately.
The idea is to ensure that if the device is seized by the cops (following standard practice of seizing anything that looks like it's computer related and throwing it in the back of the cop car/van for later examination), the GPS module and backup battery will detect it and will permanently erase the encryption keys.
It may take 6 weeks, 6 months, or 6 years, no one can keep a secret forever unless they die, live an isolated existence or forget it.
If they want his password they'll stop at nothing to get it.
Assume the Constitution does not exist, what would the government do to get the information? Anything necessary to achieve the end is what they'll do, including torture.
And in this case it might not work if he recalls it.
What proof do you have that he showed his "child porn collection"? Maybe that proof should be shown to a jury because if it's just the police witness testimony this is no different than any random informant saying they saw child porn on your computer. Fact is anyone can claim anything and use it as an excuse.
There are no secrets, you have no secrets live with it.
"how it would be insane for child porn to include those who can have sex legally. "
Why is it insane to have separate ages of consent for having sex and publishing pictures and video of it?
How is it any less insane to judge someone able to vote and volunteer for military service but not drink?
None of this would prevent the government agent from torturing/interrogating you.
Well, if someone proposes a law and if it includes a "think of the children" aspect no matter how whacky or egregious the rest of it, then it is likely to get passed.
A politician can't stand against it since the proponents of the law simply have to ask, "so, you agree with child pron/molestation/pedophilia/organized crime/drugs/terrorism [take your pick] then?".
This also happens in regular political circles (eg. conservative US, Lebanon, Iran etc) where the "holier than thou" crowd can easily stifle debate by their opponents by introducing a moral dimension to an otherwise repugnant law. It is often too politically dangerous to vote against such things - which is why laws can become more extreme over time.
Both of these examples are rather bizarre, and I don't really see how they would be fundamentally different than warrants for stuff IRL.
In situation A, if you'd been keeping journal entries on paper, you'd have to show them to cops who had a warrant. Why should it be any different if you had typed it on your computer?
In situation B, someone could leave a locked safe on your desk instead of encrypting some files on your computer.
The law doesn't have to account for all possible options. It's generally trying to prove beyond reasonable doubt. For the most part with encrypted stuff, if it's beyond reasonable doubt that the person knows the password, I don't see why they should be able to withhold files on their computer when they wouldn't be able to withhold files in their filing cabinet. Just because it's digital, I don't see why it's different.
Imagine that you have some photos and videos of yourself and your girlfriend/boyfriend (Both over 18! Or 21... or whatever your stupid country counts as "not be able to have sex without being raped")
And now some nice gentlemen come around to have a look at them... no, not these files specifically, just your WHOLE FUCKING HARDDISK.
But because you are cautious and don't want other people to see your girlfriend/boyfriend and yourself you encrypted all files. Not to forget all the other secrets... like your diary, your love emails (That you sent and received encrypted as well)...
Your computer (memory) can become a vital part of your most private life... yet you have no right to protect it... no it is even worse... Protecting it even became a CRIME!
If you copy some stupid music files you can be sentenced to financial death, but if they are after your files... maybe your most private information... defending this by passive measures becomes A FUCKING CRIME!
Here's an idea. It might even be a good one:
Imagine an encryption system with 2 (or more) passwords for an encrypted file, each "decrypting" different things. So when someone demands the password, you give them one that produces data that won't get you in trouble. I can see a few practical problems, but they seem solvable.
A simpler version of the same idea is an emergency ATM PIN code, to prevent "ATM muggings". When entered, the bank would pretend you only had a small amount on the account, and/or alert police/security.
you could still protect yourself if you simply said "I don't recall that password." You may notice that not being able to recall is used a lot when under oath. The reason is that there really isn't any way to challenge it. We forget shit all the time (hell everyone seems to forget their passwords if my job is any indication). You can't prove someone hasn't. So they say "What is the password and the 5th amendment doesn't protect you," you say "Sorry, I can't recall that password."
You can say it.
But a judge isn't obliged to believe it.
In the real world, "plausible deniability" translates to six months in pink undies, tenting out in the desert sun with a bunk mate named Big Mike --- with no end in sight.
best thing you can do is not say anything ever. never talk to police. pretty much all convictions are because someone talks.
While I agree with the general logic of your statement - separating the age of military service and drinking seems to lack any sensible reasoning - I think the situation is different. There seems to be a qualitative similarity between sexual activity and the production of sexual materials – pictures, movies, whatever – that is missing when you make the alcohol/service argument.
If they're old enough to have a penis put in them legally, what is the qualitative difference between that and having a picture of the same event? Both seem to involve the capacity to make decisions about the use of your own body and the repercussions thereby incurred. If a young man is legally deemed competent to decide if he wants to risk STDs, pregnancy, complicated relationships and all of that...how is he not similarly legally competent to decide if he wants to show his bits to the wider world? If we're worried about exploitation and the ability to make rational choices and assess danger and all that...well the two situations don't seem all that different.
So how about the police doing some old-fashioned legwork and actually collect some real evidence.
IF this person is actually sexually exploiting children, then it should be easy to trail him and catch him in the act.
I thought under the British system of Justice you are considered innocent till proven guilty?
http://en.wikipedia.org/wiki/Presumption_of_innocence
He didn't give them a password; at maximum I would expect 2-3 weeks and maybe a fine, but 4 months!!! That's the sort of sentence you get for stealing a car or causing grievous bodily harm.
Britain, congratulations, you are now a police state.
http://en.wikipedia.org/wiki/Police_state
Look at it from this point of view - the age of consent in many places is under 18. A lot of people think that's perfectly reasonable, particularly since a lot of people have sex for the first time when they're under 18 anyway.
On the other hand, it's not uncommon for the minimum age to enter into a contract to be 18. Now, the original purpose of child porn laws is to stop production - not to go after kids who sext each other.
While having sex and someone (such as the person you had sex with) having pictures of it might seem like pretty much the same thing, having sex and agreeing to have pictures and videos produced, published and distributed don't seem nearly as similar.
Very interesting point, I hadn't considered the contractual aspects.
However, surely there are better legislative tools available to restrict that kind of commercial behaviour? If you're not permitted to make a financial gain from the images of people under a certain age, and may be prosecuted for doing such, it would have generally the same outcome. Restricting the ability of under-18’s to form contracts to create pay-for-porn. Or you could have a double system in place whereby under 18’s can have sex with each other, no pictures or movies permitted, and the over-18s get everything else. It's the combined system that seems to be the problem. If I can have a 16 year old girlfriend, or boyfriend, and am able to have sex freely with them then why can’t I create records for my own consumption? If you're not producing images for a commercial purpose, perhaps taking a picture of yourself and your perfectly legal girlfriend in bed, then it seems obtuse to be in violation of the law.
That's precisely why I consider most child porn possession charges frivolous by default these days - a huge chunk of those are pics of 15+ year olds. Excuse me if I'm not concerned in the slightest about someone having that kind of thing (or even fapping to them), given that you could probably assemble multi-gigabyte collection of it, taken quite willingly, and often by the "models" themselves, simply by trawling MySpace and other such places on the Net.
FWIW, the average age at which teens have sex in Europe is ~16, which means that quite a few have it earlier. The idea that possessing a nude (or "suggestive") picture of someone who is willingly and very emphatically not even a virgin is a crime so dangerous and harmful that it warrants years in prison boggles the mind.
"It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence."
Weren't the Timelords always taking The Doctor to court over stuff, too?
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
You're a trusting AC, aren't you?
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
Then there's the problem of deliberate choice versus innocent mistake. How many of us really know how old the person on the screen actually is? I know I rely on the disclaimers that claim the site is in compliance, but that's hardly the most reliable of all protections. And no protection at all in strict liability jurisdictions. That's where it starts getting plain scary, if you happened to jerk off to a Traci Lords vid' there's a chance you're having a tug to illegal stuff. Same goes for Brent Corrigan.
Prove me wrong.
It's pretty similar here in Australia. A distant friend of mine is, in fact, a convicted child sex criminal - because of photos of HIS CHILDREN taken WITH HIS WIFE THERE, in the BATH. A photo developer called the police, who seized his computers and media. They were unable to prosecute based on the original images, but the search turned up a collection of manga/hentai on a machine used by him and friends. Some of which "could be considered" to depict children, especially by a suitably encouraged jury. Bang, you're on the sex offender register and your life is fucked.
W.T.F.
Under Australian law, I could be considered a sex criminal if I accidentally include photos of partly clothed children in a wide-angle photo of a beach. Unsurprisingly, I'm now incredibly paranoid about taking photos - in fact, I flatly refuse to photograph anybody's children even with their permission or by their request. I'll let them do it, but only if I'm somewhere I can download the images, burn a CD to give to them, and destroy any copies I may have.
Sad, isn't it, that it's come to this. And all the fuss is further sexualizing children in people's minds, while doing NOTHING to even slow down the real perverts, who won't notice or care.
Just give them your logon password. When they ask for another just say it's the only pw you have. How can they prove, beyond a reasonable doubt, that not only is there an encrypted file on your computer, but that you know about it. If you can stomach it, run xp, turn off swap, and rename your encrypted file pagefile.sys. I have been considering private files on a volume accessed by a virtual machine which I only run from a shell, no gui or menu entry. Can you encrypt the "file system" of a virtual computer? Maybe even keep the VM on a flash drive?
The reason we subjugate ourselves to law is to better procure justice. If law does not accomplish this purpose then it m
so you go to court and they ask for the key. you tell them YOUR part of the key but one aspect is outside their control; while they had you locked up, time marched on. you were not 'at your desk' to refresh the clock or keygen and so the machine detected an abnormality. at that point, given this theoretical situation, you are now UNABLE to unlock the disk. you may WANT to, but it's beyond your control. the machine that gives you the 2nd part is now out of sync and you 'can't fix it' since it may not be your own coding (again, let's say for argument's sake)
It's at times like these, when I see the geek in full flight, that I start to think that Joe Arpaio may be on the right track after all.
I think it's the number of people on Slashdot who are programmers, system administrators and engineers that makes us so desire to bake perfection into everything or reject it as valueless.
First, understand this: Neither the legislatures nor the courts of any country are going to pseudo-legalize any crime that can be done with a computer and where the evidence is primarily on that computer so long as the person is smart enough to use encryption. It's not going to happen, and most people outside of sites like this are okay with that concept. If they can't wiggle around any particular law that may be stopping them, they will simply change it -- and it will happen with overwhelming support. The court system is about justice, and they're simply not going to let a loophole that big go.
Second, this case and similar ones is no more the person incriminating himself than it is self-incrimination to open the door when the police come knocking with a search warrant. You're not telling them anything about the (alleged) crime; you're complying with a court order that allows them access to private property to search for what they expect is there. The difference, of course, is that if you don't open the door they can simply and easily kick it in. If you don't open the safe they can easily cut it open or crack it. If you do not give them the encryption password, well, assuming there are no backdoors and no major security flaws they have no recourse. If you think the police and the court system will--or even should--just throw up their hands and go "shucks, guess we lose" then you're living in some reality that can probably only be accessed by the ingestion of certain mushrooms. Computers aren't going anywhere and neither is encryption, neither of which changes the fact that these are real crimes with real victims that deserve real punishment. If this is the case of some 19 year old with a picture of his sixteen year old girlfriend's boobs, that is the problem to be solved -- not self-incrimination. It's not about evidence, it is about access.
So long as these things are controlled by a judge and required by search warrant and demonstration of probable cause I have no problem with it, nor is it somehow a shift of the burden of proof from prosecution to accused. It is not a setup; you're not being asked to turn over the body and caught in some catch-22 that you either do it and incriminate yourself or can't because you're innocent but can't prove you're not actually guilty and pretending to be innocent. You're being ordered by a judge to let them look at your computer because cause exists to believe there is evidence there, and if such evidence is not found the case will probably be dropped. If you DID commit the crime, am I supposed to feel some sort of sympathy for you because you used technology to try to cover it up?
Of course the system isn't perfect. No system is. There are probably legitimate times at which an accused person might not remember the password in question, especially if the alleged crime took place relatively long ago. Once in a great while somebody really might end up in jail for being forgetful -- though I suspect it would still be far less than the amount of time an innocent person is convicted on average. It's a sad reality of an imperfect world, one that can be mitigated by a maximum incarceration term (even if that maximum is the maximum potential penalty you could receive if you were found guilty of the crime you're accused of) and allowing judges to exercise proper discretion given the facts of the case. Yes, if you just so happened to write a journal article about how much you want to shoot your neighbor and then he turns up dead by that exact same means you're probably going to have problems -- but what is your point? Innocent men have gone to prison before. It's sad, but like the legal system itself, scrapping it because of its imperfections would do far more harm than good. (As an aside that is a fairly bad example since we're talking about
How the * did they know it is a 50 character password? And which programs use such long passwords? Or is it just an RSA key?
just connect him to lie detector, and start asking questions: "is the first letter 'A'?", is it 'B'?, etc
granted, it will take a while..
Just plant an encrypted memory stick. You can even hide it a little. When the police find it and ask about its password, and the suspect acts confused, because he/she is confused and knows nothing about it, they can then jail him/her for not disclosing the password.
In Britain there is no presumption of innocence. There is no "Right To Be Presumed Innocent Until Proven Guilty". That thing IS NOT on the British statute book.
You grew up in a house with lead water pipes, didn't you?
I have a different idea... On your harddrive you will have an encrypted file that you will pretend to be protecting, but in reality you don't really care about anyone finding out what it contains:
SecretData.bin
Then on your USB drive you have a one-time pad file that is the same size:
OTP.bin
Someone gets a warrant, you hand over the USB drive and the password "hunter2". They XOR your OTP file with SecretData.bin and get an encrypted file, that they can decrypt with a common encryption algorithm and the password "hunter2". They now have access to the data you're pretending to hide.
The problem is that each time you want to change some document in the real secret file OTP.bin, you'll need first to decrypt SecretData.bin, then decrypt OTP.bin, change doc, crypt OTP.bin and crypt SecretData.bin with the new pad and passwd. That's uneasy and if you make an automated procedure, it can give a hint about your trick.
Notice that quote from the copper - he's using the defendant's technical guilt under the New Labour password law to imply that he must also be guilty of the alleged offences that they seized his computer in connection with.
Here's a simple option that might very well work. Design a simple challenge response device with LCD which requests PIN code and then provides the long password.
You got a point here, well... two.
1) Challenge response
Can be used without specific hardware, think of a login with no password but a screen filled with ASCII characters. You need to type in a response to the pattern displayed, with a secret algorithm you invented and that you can master with your brain. (find a "&" displayed and then 3 cols, 2 lines from it, give the character there with a rot13, etc).
The response is used to unlock the real drive key.
Setup a fake login with an alternate password to unlock a second system, which blanks uncrypted drives at boot time.
2) Specific hardware
Make sure that anyone trying to get your drives at home will trigger a self-destruct mechanism. Document the system as a proof of data loss in case they force you to give the password. Actually the self destruction is a blanking of the encrypted master key of the drive. Don't tell you made a backup of it. Usually users don't make such a backup.
A boot script can handle the master key erasure in case you don't comply to the hidden boot procedure. Then if they get your laptop and switch it on without you around, the key is lost. But they could be smart enough to image the drive before trying anything, thus forcing you to start the system once re-imaged.
This is why a specific hardware (incl. UPS) with such a self-destruct defense system is required. The encrypted master key backup will prevent a full data loss in case the mechanism is triggered by some unfortunate event.
It's a strict liability law, you either comply with the order or you're breaking the law no matter your reason. It's no more a defence to this law to say you forgot your password than it's a defence to speeding to say you didn't notice the speed limit sign. Both may be perfectly true, but you're still guilty. They might choose not to convict if they believe you genuinely have forgotten your password, but they might equally choose to go the other way and convict you, even if there's a good chance you are telling the truth. Now that is a dangerous law.
Actually I can see this as being reasonably likely. Not those exact scenarios, but if person A wants person B to go to jail, they just need access to their PC (trivial bit of breaking and entering) and an anonymous tip off to the police. From that point on there is nothing person B can do or say to avoid this law, unless he can prove someone broke into his house and did nothing other than encrypting his hard drive. Maybe it'll take person B being a high profile politician for us to see a rethink of this law. We just need a volunteer to be person A :)
Generally the police don't publish public reports of the evidence they find during criminal investigations. Any police officer who revealed details they found, that were not relevant to the case, to the suspect's family is probably going to find himself out of a job and with criminal charges. That of course doesn't mean there aren't other genuine reasons - he might have evidence of religious or political affiliations which, while not illegal, he believes would prejudice any trial against him or something similar.
In Britain there is no presumption of innocence.
Of course there is. The presumption of innocence in English and Scots law comes from common law. The concept itself has been part of British society for thousands of years - Alexander Volokh says that it has been present since Greece and Sparta and Rome, all the way back to the first (Judaic?) legal systems.
Common law is the basis of the British legal system. Your logic is like claiming that "there is no law against murder in Britain" and then going on to claim that this means murder is legal. English Law - "there is no statute making murder illegal. It is a common law crime - so although there is no written Act of Parliament making murder illegal, it is illegal by virtue of the constitutional authority of the courts and their previous decisions."
It after that went on and voted into the statute book several hundred criminal offences which explicitly postulate that you are guilty until proven innocent. The RIPA act, The H&S act, you name them. Half of Blair's legislation (Blair and Co raised the number of criminal offences on the statutes by more than 100% in 10 years) is based around "guilty until proven innocent".
[citation needed]. Please name these "hundreds of acts that explicitly say British people are guilty until proven innocent". And are you seriously blaming the Blair government (which came to power in 1997) for the 1974 Health and Safety Act?!? What?!
So the new government has actually promised to fix this by accepting _ALL_ rights in the convention and repealing most of Blair's handiwork as a big block vote including most of the RIPA act.
Right, that would be the same Conservative party that fully supported the RIP Act then? ('Only a pitiful handful of MPs (pictured below) were present to debate the bill, which was fully supported by the "opposition" Conservative party, and passed by 189 votes to 47 keeping the majority of its original clauses intact.')
Say that a door can't be broken down for some reason, without the owner opening it. Can the police then force the owner to open it when executing a search warrant?
Encryption has given us a new technology that allows us to create locks that cannot be busted open. BUT we KNOW how to deal with this. A bank issued with a search warrant HAS to open the safe. They cannot choose not to cooperate. IF there is a search warrant you MIGHT think that you do not have to cooperate because the SWAT team is holding a gun to your head while you are on the ground BUT that is because your house door is far more easily busted in.
A lot of people seem to think that the legal system can operate if new tech gets all kinds of exceptions. Tell me, would you accept that the police did NOT read Al Capone's diary because it had a lock on it? No? Then WHY is your PC with encryption supposed to have some sort of immunity?
Changing tech changes the law. We might not like it but that is the way the law works. Else you WOULD allow an ISP to read all your emails. After all ONLY mail that is SEALED cannot be read by the carrier (old mail law) so email which is not sealed can be read just as a postcard. New tech, new laws.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
It has two passwords: One password provides access to the system. The other, if used, causes the system to silently erase itself or otherwise self-destruct. In this case, the prisoner could solve two problems with the second password: He provides "the password" to the authorities, thereby keeping himself out of jail, and he has those same authorities do the dirty work of destroying the evidence.
Does there already exist an encryption system and/or filesystem that does this?
In the course of every project, it will become necessary to shoot the scientists and begin production.
...and set it to "there is no password"
So what's the password? I keep telling you "there is no password" but you won't listen. Should be interesting when it comes to court.
Oh, and of course use a proper password on your second and third level Truecrypt volumes, you know the ones where you hide your "Hello Kitty" club membership details.
Which I'm sure your average 19 year old is:
A: Fully aware of.
B: Has total faith in.
I think I would make my password into an end-user license agreement; something like--ByEnteringThisPasswordUserAgreesToIndemnifyComputerOwnerAndHoldHimBlameless.
~Loyal
I aim to misbehave.
How did they know the key was 50 characters??
"There are 11 kinds of people: those who know binary, those who don't, and those who could not care less!"
The Golden Thread that the great British defence attorney, Horace Rumpole, refers to is an inalienable presumption in British Common Law, that any individual brought before the bar for judgment has a presumption of innocence in his/her favour, i.e. that we are all presumed innocent until we are proven guilty beyond a reasonable doubt to twelve good people true (our peers). This holds whether in Old Bailey, or the wilds of darkest Africa--wherever the British system of justice has taken root and grown.
Home computer as a secure (SSH&Truecrypt) backup for a doctor's office; patient records, encrypted, stored on the computer in case of a catastrophic loss at the office. I've seen it.
No OS on the planet can protect itself from a user with the admin password. - Yvan256
No, that can't be right... You can't steal virtual diamonds - virtual diamonds *want* to be free!
+1 Disagree
The first thing I thought when I read this article is how obvious his password is. Generally short passwords tend to be someone's name. Over 7 characters tends to be something like: "tpicjbwbrhtg", i.e. This Password Is Complete Jibberish But Would Be Really Hard To Guess. Slightly longer passwords are sentences: "fuckyeahloliishot". People NEVER use special characters. People tend to only use numbers when they are forced to, and even then at the end, e.g. "password1" is a very popular password. Think about it. He has to type this in every time he accesses this file. The password will be a pattern password, like "qwerty" (also a popular password). People tend to start in the top left and move over. I bet my left ball it's something like qazxswedcvfrtgbnhyujmkiolpoiuytrewqasdfghjklmnbvcxz
You make a large file called DBLSPACE.BIN and put a TrueCrypt volume in there. Use a long password and several keyfiles. Best to make it so that it has a hidden volume also, but if you don't, then they will have a very hard time figuring out whether DBLSPACE.BIN is a corrupted double-spaced partition or if it is where your encrypted files are.
"They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
Both of these examples are rather bizarre...
In situation A, if you'd been keeping journal entries on paper, you'd have to show them to cops who had a warrant. Why should it be any different if you had typed it on your computer?
In situation B, someone could leave a locked safe on your desk instead of encrypting some files on your computer.
Yeah, they are bizarre.
Quite right on point A. On point B, they could just crack the safe to see the contents. Not so with a computer - which, in theory, lands you afoul of the law through no wrongdoing of your own.
In short:
If I were keeping anything illegal on a computer, I would simply install a dead-man's-switch system on it. Lose power without activating a failsafe and the password (and data) is all lost.
If this kind of thing becomes law, I expect any [reasonably intelligent] criminal would do the same.
Then what?