The widespread use of encryption by criminals - long feared by intelligence and law enforcement agencies - has yet to materialise, according to the man in charge of the country's largest digital forensics unit. Mark Stokes, head of the Metropolitan Police's Digital and Electronic Forensic Services (DEFS), told The Register that …
And another thing
It's just occurred to me (another piece of) the lunacy known as RIPA. This was brought in the fight against communism ... sorry, terrorism.
So Mr. Terrorist has all the plans for their deadly attack on a USB stick. Plod tells them to give up the password or they'll be put in jail.
"OK," says Mr. Terrorist. "Here you go."
Shall we call that Possibility Z?
Just what I was thinking, what's the point of encryption when the police can just demand the password/encryption key?
Making use of encryption...
...requires some care and forethought.
If you can ensure that you never have access to the key, then it is impossible for you to give it up on request. Hence you need ephemeral keys and get perfect forward secrecy.
Now, that takes care of the interception problem, you can't render intercepted material intelligible because you never had the session key, only the server knew it.
Now you have the problem of storing what you receive. You need to memorise simple information and then securely delete it. When Plod comes to call, all he gets is...nothing. He can't compel you to decrypt non-existent material and he can't recover securely deleted email. Of course, this means you need to run your own mail servers, but that's not too hard these days.
So, while this sort of behaviour can be seen to be suspicious, nothing can be proven.
If only we could get enough people doing this, but then eventually fear of fraud and identity theft is going to lead to all links being encrypted in transit at which point interception becomes very much more difficult or even totally useless.
Only in the UK ...
can ask for a password with a penalty for non-compliance.
No you don't. You just say "The password? It's a long complex one. I have no idea exactly what it is, but it's on the post-it note stuck to the bottom of the PC. What do you mean, 'what post-it note'? You confiscated the computer, you must have it."
A Constant Battle or Pleasurable Journey? A No-Brainer in Real Worlds.
"Crooks 'too lazy' for crypto ....
Met's digital forensics boss thanks human nature"
A dangerous delusion when Stealth abounds Testing All Systems in IT.
Time to repeal?
If it's not affecting criminals and terrorists, just members of the public who like their privacy, perhaps the law should simply be repealed?
They haven't caught up with us yet.....
Keeping one step ahead of the plod
Too lazy, eh?
So the reason the plod don't catch'em is because... they're too stupid?
"...When a more exotic mathematical approach is required, the work is outsourced to the supercomputers at GCHQ's National Technical Assistance Centre..."
Thank god for that, then; I thought for a moment that it would seem like a terrible - almost farcical - waste of taxpayers' money to have some of the country's biggest and most specialist supercomputers dedicated to unscrambling the HDDs of lonely middle-aged men looking for pics of kids in the nuddy. Oh wait -
What a joke. Have these clowns got nothing better to do?
So, let's see if I have this right....
....of the criminals they have caught, very few use encryption.
A thinking man might mull over the implications of this. Could it mean that criminals that use encryption don't get caught?
Or, is it that
a 'guilty until proven innocent' Freudian Slip?
Primer for crooks.
(1) Switch your cell off when doing crime; better still, leave it at home (your alibi);
(2) If Plod comes in sight, switch off cell (empty storage frustrates them);
(3) Get a (cold) netbook with SD memory socket and remove hard drive;
(4) Install XP OS on an SD chip as well as NoTrax browser < http://www.heidi.ie/node/7 >;
(5) Use unusual, small e-mail providers in distant countries and store your data there;
Note: SD chip should be carrier type with smaller MICRO memory chip < http://en.wikipedia.org/wiki/Secure_Digital >. (Hint: In desperate times they make good eating).
I have now been stopped for 'secondary' customs screening on 7 occasions in the past 21 months in the UK and North America and it is amusing trying to see Plod and Company trying to 'forensically' check a driveless computer! A powered down SIMless GSM phone provides little data, either.
Assume all password 'protected' software is unlockable except for Skype and PGP (thanks Phil Zimmermann). NoTrax cleans all the usual tracking repositories.
Fake windows install
Might be better off to keep the HD with an unused version of Windows on it on that netbook. Then it doesn't raise any red flags and they can search all they want and find nothing.
Not that I would do any of this......
Install unused XP and VMWare
Create Truecrypt hidden volume (plausible deniability) with personal photos in outer container
Create VMWare image (ubuntu/xp) on hidden partition and use that whenever you want no trace.
On the VM OS install and configure TOR/vidalia/privoxy for all comms. Enable MAC address spoofing for your wireless adapter (or just create a script to change the MAC back and forth) and try to utilise FREE (legal) open wireless connectivity.
Also, use SRWare Iron instead of Chrome - it's faster. There is no need to enable --incognito mode but you may want to for a laugh.
All tracks (files/registry, etc) will be in the VMDK file in the hidden volume - nothing in your main OS.
Or am I being paranoid!
Good idea ...
but maybe use DOS or Windows 3.1 ... unlikely Plod's snoopware could even handle these OS. The user would have to arrange the boot sequence properly.
Plods usually rely on menu driven attacks; GCHQ most likely get more creative.
The cell I actually carry across borders is an old Mitsubishi that has few of the features needed to check its use.
+1 for Geoff Campbell's remark
So correct me if I'm wrong, but this guy is essentially saying that the "crooks" he can see because they don't use encryption, don't use encryption. Hey, we can't catch criminals who use encryption, but it's not a problem as no criminal uses encryption, as demonstrated by the lack of encryption use by the criminal we caught. Yeah right. Also, our investigations in pedestrian streets show without doubt that Britons don't own cars.
It just suggests that they are catching the simpletons, and probably some innocent people who were tricked in one way or another, while the hardened bad guys are laughing all the way to the bank...
Human nature is pure idiocy
Come on, guys, Hairy Palms barely knows how to turn the machine on, let alone keep his perversion to himself. Don't expect him to read El Reg, either.
My computer ...
says Power and On, Off.
Likely the majority of Plod could figure that much but a 101 keyboard might be beyond them.
Encrypted data is usually not stored
The main use of encryption is protecting data in transit. This happens every time you use SSH or HTTPS, for example. (Or Skype, though you can't trust them. Use a free software alternative.) You don't store the encrypted data and you don't have to remember any pass phrases. I would have thought this would be particularly true for criminals: in most cases they don't need to store any "secret plans" but it's good to avoid eavesdropping.
Unfortunately, encryption by itself doesn't prevent traffic analysis. The cops can still find out who was talking to who and when, even if they can't find out what they were saying, and RIPA doesn't help with that as the suspects don't keep any of the data.
Of course, real professional criminals, if they do keep encrypted data, will use steganography and have a good cover story to explain why they'd love to help the police in any way but unfortunately they don't have any passphrases to hand over, sorry. It's ordinary, innocent people who are more likely to be caught without a cover story and sent to prison for five years.
+1 Agreed - totally hate RIPA
But I would add that real (knowledgeable) professionals wouldn't use steg - it is too often detectable (variances in least significant bits of images varying greater than expected for images, for example - look up steg detection tools), and you can only really use steg on media 'containers' so you would need an awful lot of dummy media files to contain your steg'd content.
Real professionals would use the computer equivalent of one-time pads, which are, by definition, uncrackable unless you have the key. The clever professional would have multiple keys to hand (and obviously one not to hand) so that the encrypted content could be 'decrypted' into anything they wanted (normally into something you would expect to be encrypted on privacy grounds, like intimate/revealing photos of a spouse).
Golden rule. The only way to stop somebody finding something is to stop them looking. The best way to stop them finding things (assuming you can't keep them out, à la RIPA section 49) is to make them think they have found what they are looking for, and hence they stop looking any further (think hidden compartment containing real secret document behind a wall-safe: a safe that contains documents labelled Top Secret but that contain duff information, and you should see what I mean - any burglar would search - find safe - crack safe - find top secret docs and leave. They would have no reason to continue searching).
As you can guess, this is a pet (and professional) subject of mine, and yes - I have given this too much thought :-)
Re: steganography and one-time pads
The police would find it very suspicious if you had photos encrypted with one-time pads. In effect you'd be using twice as much disc space as necessary to give much less security and much less convenience than if you'd just used GPG. It's less secure because the one-time pad relies on the enemy only obtaining half your data. It's less convenient because you have to store the "pad" in a different place from the "encrypted data" and bring the two together every time you want to view the data. In effect, it would look as if you were trying to pull the wool over their eyes with some really bad in-your-face steganography ...
I would have thought it would be more plausible to say: "I (or previous owner of machine) wiped the disc with dd < /dev/urandom > /dev/hda."
Or just: "It's a very old encrypted backup. I would have written the randomly-generated password on a post-it note originally. Feel free to look for it. I think it was yellow."
I disagree. If your variance of least significant bits is greater than expected, then you're simply not spreading your data thinly enough across the image. The data must not exceed the level of "noise" expected in the image. Use larger images taken with higher ISO settings to render them a little more noisy than the perfect picture might be.
Images can be considered a kind of one-time pad. If Bill & Ben** develop a cover story about an interest in say, custom cars, they could create a massive library of car photos taken at rallies. Taking one of those photos, Bill could subtly apply a secret message to its pixels and send it to Ben with a suitable cover message such as "Look at the headlights on this baby!". He then deletes his original image.
Ben subtracts his original photo from the received image to reveal the secret message. He then deletes the original. If PC Copper ever descends on either home (or flowerpot) he will only see a common interest in cars and two large libraries of car photos, some of which have been shared.
**Now I'm not suggesting that Bill or Ben were terrorists. Little Weed? Maybe.
Missing the point?
It's not about encrypting your data on your computer any more, it's the coming craze of encrypting all your internet traffic so that email, browsing and even P2P are obscured from the little black boxes the government plans to install at all ISPs. When all traffic is encrypted and the packets randomly passed around multiple nodes in a network how do the police plan to catch all the terrorists and paedophiles then?
The more the government pushes to monitor internet usage the quicker these anonymising tools will become mainstream and simple to use and then the government will be back to square one (after spending billions on technology to monitor unencrypted traffic).
"When all traffic is encrypted and the packets randomly passed around multiple nodes in a network how do the police plan to catch all the terrorists and paedophiles then?"
Possibly by dint of the same magic that'd have to be involved in getting the whole world, "I have nothing to hide"-types included, to switch over to something as flaky and slow as Tor.
Actually, this is the joke of it all. Clearly the government is not really interested in catching paedophiles, having how many pedo rings you could catch if you actually spent 500 million pounds of detective salaries for following up leads of just pedos? Heaps I bet. I'm sure that there's enough leads out there, just no "real" desire to bother catching any. Smoke and mirrors.
As per icon...
As someone who works in forensics (or even better heads it) he should really know better - absence of evidence is not evidence of absence!
:-) Is Madness Contagious/Infectious and Communicable, or is it a Programmable Application?
So, let's see if I have this right .... of the criminals they have caught, very few use encryption.
A thinking man might mull over the implications of this. Could it mean that criminals that use encryption don't get caught?
GJC" ... Geoff Campbell Posted Thursday 3rd December 2009 14:45 GMT
That would be Free State encryption, GJC, for Prosperous Alternative Taxing Ventures .... Sovereign Wealth Currency Flowers. .... for Zenned Out and Clued in Perfumed Garden Fundamentalists .... Live Operational Virtual Environmentalists. ...... AIdDymanIQ LOVErs.
Is Colossal Affection an Infection or Confection/a Trojan or a Virus/Worm or Semantic Quirk in a Turing Temporal Plane? Or Neither in Preference to A.N.Other in Naked Raw Passion. You need to be well earthed to enjoy that Helter Skelter Ride to Extremes.
Hello, hell, hello !
"Mark Stokes, head of the Metropolitan Police's Digital and Electronic Forensic Services ..."
"..Stokes, an electronics engineer who uses TrueCrypt on his own home computer."
I wonder what he's hiding on there? I wonder if his colleagues will ever ask him to hand over his encryption Keys under RIPA?
It doesn't matter how good your system is
Give us the password.
I don't have a password
Give us the password or else.
What password? What the hell are you talking about?
OK buddy, it's off to jail with you.
some people have enemies other than the state, you know...
Explaining random data...
So when using steganography; how do you explain huge amounts of random data? Most HDDs are not full of the stuff, so it stands out...
I remember some programs that could create hidden folders spread throughout a collection of pictures or music files: run the program, select the right files and enter 2 passwords and your hidden container gets mapped, otherwise it is completely invisible.
He's not saying that they can't catch those that use encryption
He's saying that nearly all of those that they do catch are stupid enough to think that they won't get caught and don't use any. Sometimes they do. I think what he is getting at is that most crims are stupid and most don't use any encryption. Those that use a bit more than basic common sense are far less likely to get caught anyway as the dibble rely mainly on grasses and catching stupid people who don't hide their crimes very well. Generally if you are clued up enough to use encryption and go to the lengths that others have suggested then you are less likely to be caught anyway.
When crypto is outlawed ...
... even then outlaws probably won't bother to use crypto?
chaffing and winnowing
Has anybody built a filesystem based on this yet?
My netbook currently has full system encryption enabled.
When you turn it on it just says "NTLDR is missing.." and then you type in your password and you're away.
How do you know the file is encrypted
If it hasn't been decrypted. I can't wait till the first person to get jailed for refusing to hand over the encryption keys to a file of white noise.
Perhaps there are other reasons.
It can't be the case that people don't employ cryptographic technology just because they are lazy or might forget the pass-codes. It might be the case that they aren't aware the technology exists. I wouldn't give out my pass-codes to the police because they could access my computer if I did and some might consider that would be with my consent if I reported my pass-codes.