Wait, what? TrueCrypt 'decrypted' by FBI to nail doc-stealing sysadmin Discontinued on-the-fly disk encryption utility TrueCrypt was unable to keep out the FBI in the case of a US government techie who stole copies of classified military documents. How the Feds broke into the IT bod's encrypted TrueCrypt partition isn't clear. It raises questions about the somewhat sinister situation surrounding …
"In the case of the Silk Roads arrest, the FBI agents went to fairly elaborate lengths to distract Ulbricht and to ensure that his laptop remained running and did not go into sleep mode or require screen unlock," White told us. "This would make forensic analysis much easier, both for memory and disk imaging and data recovery."
When using power tools, please be careful not to cut yourself.
The prosecution states that this "black box" was the Synology storage device containing the TrueCrypt compartment with the stolen documents. It also alleges that "the reason [he] tried to send a message to [the housemate] to disconnect the black box is because he wanted to prevent law enforcement from discovering what the Synology contained."
Erm, so he told them where to look while failing to dismount the TC filesystem. Apparently even the FBI can "decrypt" the "encrypted(?)" data while it's already decrypted! ..and then use that "decryption" prowess as a FUD attack against the only trustworthy strong yet usable encryption software available to the plebs.
Well knock me down with a feather.
Yeah the simplest answer is he simply gave them the password once he made the guilty plea.
A deal was done. I would assume it's much cheaper and simpler to put the fear of whatever into some IT bod than it is to break a encrypted data vault.
Path of least resistance.
Glenn had sent an email to an associate with an internet hyperlink to an article entitled 'FBI hackers fail to crack TrueCrypt.' In this case, the FBI did decrypt Glenn's hidden files containing the stolen classified materials.
FBI hackers fail to crack TrueCrypt
FBIhackersfailtocrackTrueCrypt
30 chars...
It doesn't make any difference how many bits of encryption you have in your locker if your keystrokes are being gathered. This has been pathetically easy in most public places (libraries, etc.) but is also fairly easy when someone opens up their pantaloons to a web-based attack (Hi, Jack!)
The only security is physical security. And when you let those untrustworthy humans enter the network, all is lost.
except if you use something like Keepass then even a key logger is not useful without the db you unlocked, containing the passwords which you might not even know. Of course capturing the history of the contents of the clipboard are probably fairly trivial as well which does contain your password.
except if you use something like Keepass then even a key logger is not useful without the db you unlocked
And how, pray tell, does one unlock the Keepass database without typing in the password to do so and having it fall prey to the same key logger?
> except if you use something like Keepass then even a key logger is not useful without the db you unlocked,
Why do you assume the keyloggers are software based? That would seem overly complicated to me because you have to get them installed through some flaw, social engineering or physical access. The latter would seem to be the easiest for an organisation that in their normal day to day operation need to plant listening devices for suspects.
It would be much easier to swap out the keyboard with a bugged one for a few days and to brute force against the entered strings.
Which, in the future will make it interesting with Windows 10.
Windows 10 has a 'built in' keylogger for various tasks, but doesn't report back information to Microsoft if you set the privacy settings. Reading the diagnostic logs regarding Windows 10 install; The install collates the data into a form ready to send, checks the privacy settings, then reports that the diagnostic data can't be sent due to said, settings.
But, importantly the data 'is' still collated beforehand anyway, and at some point sits on the hard drive.
So while the keylogger information in Windows 10 isn't reported to Microsoft, there is nothing to say the keylogger is not still doing its job, its just not reporting its job, but data is collated to the hard disk.
This, in theory makes Windows 10 easier to examine disk contents for past 'collated data', if you know where to look / retrieve such info.
Is this Windows 10 Keylogger a new one in the release or is this the one in the Beta? The one that yes was in the beta but was in the ToC and stated that it was only for the beta, is there a new one or did they go back on there word and not remove it?
I have to ask because there is a lot of FUD surrounding windows 10 and its privacy settings, with some people taking what happens during a beta as 100% what will be in the main product, which is silly really as there are legitimate problems that you could easily use as a stick to beat W10 with, but people have a habit of constructing their own sticks made of BS instead.
All that ends up doing is getting crap on everyone, and it stinks the place up.
I do have to wonder how many people complaining about this are currently accessing the reg via Chrome, or using a android phone, which of course absolutely do not log what you are doing in any way shape or form as Google are lovely and perfect and never do anything bad like gathering your "anonymized" info and selling it on.
Cortana is a searching tool that searches the net, of course it sends what you type and say to the net.... its kinda hard to search it without it.
Now honest question, if it logs keys and doesn't' send them as is your worst case scenario, which most readers seem to be assuming is the actual one despite there being currently as much proof of it as there is of clangers existing on the moon, how would this be really bad and awful. As long as its not saving to file anywhere its not much of a issue. Now I can see the argument "if someone hacks in they can read from it" which is half valid, but tbh if someone hacks in they can just install there own sodding keylogger which would probably be the far easier option. Or they could highjack the keyboard driver and nab the keypresses through that, the likelyhood of gaining any useful data from keypresses in memory (which would likely be hard to find unless you could latch in)
Your computer HAS to log what keys you press at some point... its kinda hard to let programs know what buttons you have pressed without some signal saying "this key was pressed now" at some point!
But as its MS we must of course assume the worst and grab the stick made of poo.
> The install collates the data into a form ready to send, checks the privacy settings, then reports that the diagnostic data can't be sent due to said, settings.
I will bet you ten quatloos that all the privacy settings in Windows 10 you've turned off will be turned back on without any notice during some software update. It doesn't even require intentional effort by Microsoft (even though I expect there will be) because such is the nature of default settings.
"It doesn't make any difference how many bits of encryption you have in your locker if your keystrokes are being gathered."
And that is exactly why I find USB-drives with on-board encryption and an on-board keypad appealing. After all, in the proposed scenario even if you do everything perfectly, you're still supposed to plug and mount that thumb drive into / on the machine you plan to copy documents from - and if there's any logging involved there, they already have your passkey...
Of course, there's a frightening amount of ways an autonomous USB drive with internal encryption can be well and truly screwed up, sadly - as long as one can de-solder various bits and read off storage keys and whatnot (or sniff them in-transit on the PCB) you're still SOL. But at least in theory, it could be done properly and it should offer more protection that another drive that relies on a host machine for its user interface.
windows automatically excludes security. There is absolutely no way to ensure there are not backdoors. Same goes for Mac OsX.
If you are paranoid get an opensource toolchain and build it from scratch, and bake it onto some readonly media.
Not advice, simple logical extrapolation of the probabilities....
P.
There's always someone who brings up compiler backdoors and the answer is no, you don't really have to worry about these. In some circumstances you might, but those are exceptions. The reason is that a binary compiled with a backdoor will be different to a binary compiled without. The overwhelming majority of OSS comes precompiled. You download it and check the hash and you're good to go. IF some bad actor wanted to subvert that then they'd have to compromise all of the servers compiling that binary and get away with it. Even getting away with it on one would be a big stretch. And even if you were using a distro that wasn't pre-compiled, you'll still be using a pre-compiled compiler from somewhere that you will check the hash of.
Compiler backdoors in OSS are possible. Viable is a whole other matter. The point stands that whilst closed source software (e.g. Windows) can be just as secure against outside threats as OSS, one of the big advantages of OSS is that you can check it against internal threats by the vendor. That's an undeniable plus.
Now Microsoft actually open their source code to large purchasers for inspection against such things so how much of a risk deliberate subversion there is we do not know (really depends on whether China et al. could be persuaded to collude with the USA on some group backdoor scheme which is shaky) and MS would suffer a massive blow if they were shown to have deliberate backdoors in there for the government so I don't think they would risk it as the company they are today. And it's increasingly unnecessary as the useful stuff can be obtained by spying on traffic and cloud-stored data. But it can't be denied that ability to trust the vendor is a major positive with OSS. It's one of it's chief advantages.
I think the famous Ken Thompson compiler hack demonstrates fairly conclusively that, if you are paranoid, you really can not trust that the binaries you have don't contain nasties, even if you compiled them yourselves, with a compiler you compiled yourself, from sources which did not contain nasties. Yes, there are ways around this, but they require heroic amounts of work and attention to detail. (And of course I am not suggesting that the tools we trust do contain backdoors: merely that they might.)
The Ken Thompson compiler hack (and if you don't know about this, I'd you to read about it, it's fascinating and enlightening) means that the only code you can REALLY trust is that which you have compiled yourself, by hand, into assembly language, and then laid down byte-by-byte into memory.
The Ken Thompson compiler hack ... means that the only code you can REALLY trust is that which you have compiled yourself, by hand, into assembly language, and then laid down byte-by-byte into memory.
It is altogether too easy to overestimate the impact of that particular demonstration: it wasn't really a practical hack or even a real proof of concept but more an illustration of a possibility.
Thompson's code worked against a specific login source tree and a specific compiler source. Generalising it to be resilient to continued development of either is hard and increases the scope for detection, after all if you want the hack to be cross architecture it needs to be inserted at the parse tree or possibly token stream level. Anyone working on those or later stages of the compiler would soon notice unexplainable entries in the internal data structures in their debugger.
That's without even considering the level of semantic analysis required to hack a tool that has not yet been written. That's decades ahead of the state of the art: we can say with confidence such technology simply doesn't exist.
@h4rm0ny
No.
Security is about identifying and minimising all possible risk vectors. The number of people with the technical skills required to read through, meaningfully understand and usefully audit all the components of an open source package are always somewhat limited - and if you're being cautious, you need to apply this to all packages in your OS, and your compiler. Doesn't matter if making a compiler vuln is hard - the point is, minimise that risk.
Even if you don't find Ken Thompson's proof-of-concept somewhat chilling in that context, Shellshock and Heartbleed were elegant real-world demonstrations of the repercussions of over-relying on the "many eyes make bugfinding trivial" assumption. So no. The question is not "Can we see the code?" but rather "How many people with the technical knowledge required to understand it and who would happily publicise issues with the code have seen it?".
And unfortunately, the majority of us who can't roll our own OS unaided from the ground up have to accept that there are components we rely on but don't understand, and acknowledge that they're potential attack vectors. Pretending that a compiled binary is clean just because it's OSS and you've checked the hash is, at best, deluding yourself into thinking you're secure.
@h4rm0ny: That is my point exactly. A normal individual could do the FOSS route. Perhaps $CORPS could bake their own windows, but not anyone reading this website...
I understand the loyalty to the products you all feel comfortable using for whatever reason. But the chaos we see nowadays with hacks, misinformation, spying etc.. is a direct result of the opaque , non-auditable nature of modern IT.
Is FOSS the solution? Not on its own. But we need good foundations to help protect everyone from the bad guys - whoever they may be.
P.
>Then you only need to be paranoid about Compiler Back Doors
The compiler should be safe but not the libraries that the compiler uses unless you also build them from scratch using trusted sources. (If you use a language like 'C' then its easy enough to verify the compiler isn't planting any unexpected code.)
windows automatically excludes security. There is absolutely no way to ensure there are not backdoors. Same goes for Mac OsX.
There is no such thing as certainty when it comes to Operating Systems. It starts with acquisition: unless you compile from scratch from untainted sources and with a compiler and library you can trust you basically are already building on a bad foundation.
Security is not an absolute - it's about managing risks. Some you can mitigate, some you manage, some you have no choice but to accept.
"There is absolutely no way to ensure there are not backdoors." Errm, you cannot prove a negative.
Your premise, not advice (as it is), sounds like an idea by Dan Brown.
I give you Microsoft, don't use - no discussion.
Mac OS X, install/use GPG, Little Snitch, protect via hosts file, don't install Adobe products. There's a start. Apple's convenient disk images, however, are not recommended - the libraries that provide for that feature are closed source.
@Charles - The _absurdity_ of the original post is evident: "There is absolutely no way to ensure there are not backdoors. Same goes for Mac OsX."
That is the statement of someone wearing a tinfoil hat. Such idiots are not satisfied by rational, because the 100% unequivocal proof lies with the defense. The accuser merely has to judge the effort as futile or erroneous, and arbitrarily widen the burden of proof as necessary. It is an unprovable assertion, by design (perhaps more subconscious malice than overall stupidity).
The negative statement, as per example, is analogous with this: "There is absolutely no way to ensure there are not backdoor probing aliens."
I do not dispute the veracity of the original premise, in Windows' case by stupidity (not malice)... the clumsy assertion warrants anyone's criticism.
I will not get into the vaguery of the initial statement, regarding backdoors, be they system-provided or by third-party tool.
The absence of a guarantee does not give you the logical weight to make ridiculous claims. This is why we have idiotic arguments with Global Warming (I grew up last century, translate as you wish).
I fail to see application of Reductio ad absurdum. Quite simply, the original poster used idiotic phrasing.
The implied stupidity of the original poster is not finite by any means; furthermore, I'd say that he will always try to outweigh any evidence contrary to his original statement – because it would upset the view of government spooks as being lucky instead of capable... to bring it full circle with the actual article.
Since your memory is apparently as faulty as your grammar, let me remind you: Snowden had no intention of going to Russia. He was trying to get to South America and it was the actions of the US State Department in withdrawing his passport while he was in transit changing planes at Moscow airport that trapped him in Russia.
This post has been deleted by its author
>Anything Putins Pet says these days can be comprehensively discounted as a reliable source of information.
Not to feed the troll but if you look dumbass he made an video for journalists showing how to safely communicate recommending GnuPG BEFORE leaving the US.
>So is truecrypt.
Since the warrant canary (which occurred after he left the country)? Don't think so. At least with GPG who the contributors and maintainers are is not a Satoshi Nakamoto mystery like TrueCrypt. That alone is a huge red flag to avoid TrueCrypt even without the warrant shenanigans.
Copy paste works OK as long as you use the mouse....
Typing the characters in the wrong order and using the mouse to click where the next character needs to go.
Some keyloggers 'filters out' arrow keys, delete, alt-tab... Write some characters, delete most, write some more... Alt-Tab to another app to type some decoy characters, then switch back...
"What are the ways to beat a keylogger?"
Tricky, but I would go for booting from a 'live' CD-ROM so you always have an un-tampered OS (assuming it was clean to start with). Bad luck if they manage to infect it just before you enter your pass phrase, but I guess you should not do email/web sessions before you have already closed the encrypted container.
How long you could do so and put up with the inconvenience is another matter...
I think there is a clue in the fact that he made a phone call to try and get the Synology switched off. These NAS drives support encryption of shared folders which are then mounted to make them accessible, shutting down the NAS was dismount the shared folders.
Maybe the 30 character key was for the shared folders rather than a Truecrypt container ... just a thought.
I don't trust bluetooth keyboard. At.All.
This wired keyboard can still be tapped , but would require physical access.
It occurs to me that the only way to be sure is to have a secondary keypad on a remote tablet (say) with hardcoded one-time ciphers that could not be sniffed.
Of course, the tablet might have been pawned, but using a single entry device is, well, not paranoid enough IMHO.
The mathematics in truecrypt is secure, the coding perhaps not. Perhaps we need some more creative thinking?
P.
This wired keyboard can still be tapped , but would require physical access.
Are you so sure of that? What about the RF emissions from that keyboard?
It's also possible via firewire, and possibly other means, to hook up a device to the system and read out the contents of the system RAM. If any of his home systems had been running and accessing the truecrypt volume, they could have not only kept his system on and copied the contents off, but probably read the key out of memory so they could make a forensic copy of the entire encrypted drive and decrypted it later. It's also entirely possible that he simply gave them the key.
More like informed speculation. In the US, over 95% of all successful convictions are secured without ever going to trial. Prosecutors have complete discretion when it comes to deciding what charges to bring against a defendant, and they use it to threaten (some would call it blackmail) them into pleading guilty in exchange for a much lighter sentence. Defendants can face up to six times the length of sentence if they reject the plea bargain presented to them, and since there about a 5% change of securing a not guilty verdict at trial these days, even innocent defendants are often told their best bet is to take the plea.
It's likely that Glenn was facing life in prison if he didn't accept the plea bargain. Ten years is a long time, but he will get out one day, and no doubt that played major part in his copping the plea.
Plea bargains have their place, but the US has taken things way too far. Not only does the plea bargain system put tremendous power in the hands of the prosecutor, it strips it from the judges, who are often further hamstrung by the many mandatory minimum sentencing laws that exist today. This is not how the US criminal justice system is supposed to work, and it has played a major role in why America is the incarceration champion of the world, with six times (not 6%, or 60%, but 600%!) as many inmates, per capita, than the European Community. So much for claiming to be "The Land of the Free."
The only problem is that without the plea bargain, the courts would be overloaded with cases, which can result in people getting off on Sixth Amendment grounds (the Speedy Trial clause). As for the mandatory minimum sentences, this was due to judges (sometimes corrupt ones) overlooking hardened criminals and getting them off on light sentences so they could soon be back on the streets and back in the criminal business.
There are two sides to every coin. Trying to stop one unwanted result usually ends up with a different undesired result...if not both at the same time (the UNhappy medium). Which would you rather have? Overcrowded jails, crime lords getting off, or both?
>Prisoners make money!
Not only storing them but you feed them inedible food and have your in-laws own the Commissary where the good stuff is but costs money. Captive market. Not to mention forced slave inmate labor is allowed in many states and even allowed to be used by private companies.
Other countries seem to do just fine without shoveling hundreds of thousands of their citizens directly into their prison system. Yes, without the 95% plea bargain rate, the court system would be overloaded, but you're missing the point. If the US criminal justice system worked along the same lines as, say, Germany or France (both major industrial nations with large immigrant populations), they could close 5 out of every 6 prisons tomorrow. The trick to not overloading the courts is to not to criminalize so many of your non-violent citizens in the first place -- decriminalizing pot possession would be an excellent start, for example.
Even conservative politicians agree than mandatory minimum sentencing has cause gross miscarriages of justice, with far too many people spending decades in prison for what were petty crimes. There are better ways to solve miscarriages of justice than to spend billions in taxpayer's money over-incarcerating thousands of petty criminals in the fear that one or two "crime lords" will avoid justice.
As for the Sixth Amendment, there are thousands (if not tens of thousands) of prisoners locked up around the country who have been waiting more than a year for their day in court. Prosecutors seem to have no problem with the Sixth Amendment when it comes to getting judges to agree to multiple postponements, as several high profile cases involving juveniles in the New York system shows.
Your arguments are based on fear mongering and little else. You need to explain why you believe the US needs to incarcerate many times more its citizens than any other western nation on Earth in the first place. Plea bargains are not the only problem, of course, but unless you believe Americans are many times more criminally inclined than people in other nations, you must agree there is something badly wrong going on with the US criminal justice system, and it's costing all American tax payers dearly.
Germany and France may have immigrant issues, but they don't hold a candle on the US, where the majority of the population is non-white now. Not only that, there's considerably more cross-cultural tension, usually in multiple angles. The Hispanics don't like the Blacks who don't like the Asians who can't stand the Whites who basically hate everyone else. The trouble with a cultural mixing bowl is that you frequently run into "oil and water" issues where two cultures just can't see eye to eye. Plus with so many people (which has an effect on social compatibility, the US has lots more people than either France or Germany) and so few jobs, going up the social ladder can be extremely tough, which makes many turn to crime as the only way to live.
So basically, you think YOU have crime problems? HAH! This isn't fear-mongering. This is firsthand experience.
The AC 'Obvious really.' was making the point about how they 'hacked into' the encrypted partition.
'Hacked' my ass, actually via a "negotiated arrangement" which included handing over the password, and not revealing that he handed over the password. The AC didn't use the expression 'plea bargain', as the published plea bargain was just part of a higher level (and secret) "negotiated arrangement". Pure speculation.
There's no other reasonable explanation for a ten-year sentence,out in four, for spying.
The plea agreement was linked in the article. The government got something and reduced the sentence recommendation in exchange for that and the guilty plea - perhaps some names of individuals to whom the data were to be delivered. Side payments probably would not be documented in the plea agreement.
I have a 36 character password for my laptops full disk encryption, it uses full alphanumeric and multiple special characters and I can remember it very easily.
The trick is not to have random strings:
Me8acR4BEBuZ26aWrAy7wutHApRafr8gabcd
Is very hard to remember, whereas:
1 easy really long C0mpl3x P@55w0rd!
Is very easy to recall, has the same entropy and is not open to brute forcing. A simple short sentence with the odd freaking, misspelling and punctuation is very easy for anyone to remember.
"1 easy really long C0mpl3x P@55w0rd! is vulnerable"
It is. IIRC, Hashcat has rules for that sort of semi-obvious substitution. Even seemingly random strings constructed with keyboard patterns (bhu8nji9mko0) are vulnerable because they are patterns nevertheless, so they can also be automatically generated in bulk and added to a dictionary.
I have a 36 character password for my laptops full disk encryption, it uses full alphanumeric and multiple special characters and I can remember it very easily.
I tend to use a blend of languages - it makes for a simple to remember password but it would need various dictionaries combined to brute force it.
However, full disk crypto is useless if you don't power down - suspend is not going to cut it.
OK.
35 random characters, just selected from uppercase and lowercase letters and numbers: 62^35 or ~ 3E54 combinations.
Let's be generous and consider a dictionary of 10,000 words. With an average of 10 misspellings of each word. And an average of 10 character substitution combinations for each word. And in 100 languages. And you can pick up to 6 of these bastardised words: 10E8^6 or 10E14 possible combinations.
So if you still disagree with me then I invite you in turn to put up, or shut up.
"Let's be generous and consider a dictionary of 10,000 words. With an average of 10 misspellings of each word. And an average of 10 character substitution combinations for each word. And in 100 languages. And you can pick up to 6 of these bastardised words: 10E8^6 or 10E14 possible combinations."
Pardon me, but it seems the math's off.
IINM, when a power is raised to a power, you multiply the exponents, meaning (10E8)^6 (or more properly, (1e9)^6) should end up with 1e54, which is darn close to the strict 36-random-character entropy you listed.
LOL. Letter/number/symbol substitution was a feature of password cracker tools 20+ years ago.
Decryption/analysis speed is more important than password strength. IF you can try decrypting just the boot sector of a truecrypt partition and scan it for signatures, that's too easy. (Does anyone know if that's the case?) It should take *several seconds* per pw. Goal is to raise the hardware+electric cost of brute-forcing way above what your data's worth, ie. millions for measly consumer banking info, trillions for state secrets. Good luck with that...
Look it's been ages, but a dictionary attack is where you use a list of "words" to test a password.
So, if you use a common phrase or quote, it might be in a dictionary list. But, a meaningless phrase would not be in a dictionary list. And comparing every combination of words in the Oxford Dictionary as a phrase of length x with an unknown number of punctuation or spaces defeats the concept of a dictionary attack.
so where "One small step!" is likely attackable by dictionary, "step small 1.!" wouldn't be. Your program would have to test every word with every combination of space/punctuation plus number/case subs.
Could *you* remember a strong 30-char pw?
Yes - sort of.
Generate a print-out of a lot of entropy. Say a 10 x 10 grid of 5-digit random numbers. Keep it with you. On its own, it can't be used.
What you remember is a hash algorithm for combining the something you have with something you remember to generate a password, that's computable in your head.
For example: Row 8 column 5 reading vertically upwards, six 5-digit numbers. Hash the first by adding d,d,m,y,y of your birthday, each digit modulo 10. The next one, your Mother's birthday. Sister, Spouse, bank sort code (five digits of), bank account # (ditto)
remember: 8, 5, up, self, mum, sister, wife, bank, bank. Not hard.
Better still make the something you have into something(s) with innocent utility. Bank cards. Driving License. Loyalty cards. Torn-off corner of a newspaper stock prices page with a reminder scribbled on it. These don't raise suspicion like a page of explicit random digits does.
Other people will find the surreal imagery trick works better, which is how people have managed to memorize entire telephone directories. Construct a sentence of words that don't normally go together but which do parse correctly. "Green ideas sleep quickly in well-padded spoons". That sort of thing.
That instructions one as to how you need to set things up if you are doing something where you fear you may be raided by the FBI (or worse) at any given moment.
Rather than inactivity timeout, have your screen lock automatically once an hour (or whatever) even when in active use. Might be a bit annoying, but the FBI would really have to have their shit together to be prepared to deal with the evidence that quickly. If you think they can deal with it in 10 minutes, then your screen needs to autolock every nine. You can add other precautions such as having it autolock if it loses wifi; use the G-force sensor in the hard drive to detect movement and autolock it, and anything else you can think of.
The other thing is to insure that the in-memory copy of the key for your encrypted volume is erased when the screen locks. That will make the software unhappy (at least I'm sure Linux would complain a lot if it lost read/write access to your home directory every time the screen locks) but spamming your logs is a small price to pay for avoiding a decade in Leavenworth (or worse)
None of this will guarantee you don't go to prison, but it will make it harder to prove your guilt. Though in this case this idiot kept DVDs of the classified material so they didn't even need to break his TrueCrypt volume. They presumably only did because they figured he had more stuff than what was on the DVDs. Not sure if the DVDs were encrypted...one would hope so, but who knows.
It won't work if you are under surveillance for months, it's not like the FBI is a bunch of morons (well, not always anyway).
The real solution is to have a physical power switch - that way if you suspect something, you just cut the power. Harder to do in a laptop, but not impossible.
Say you incorporate all that into a Toughbook CF-53, with all the NATO security addons, it would be nigh impossible for the FBI to deal with? At least keep 'em out while the statute of limitations runs out?
Heh... What are the modern superspy hackers carrying around these days anyway?
I actually have a bluetooth lock running when I'm onsite somewhere. On account of considering myself as fallible as the next person, I tend to use multiple layers of defence and tune them to my habits.
One of those is that I always take my mobile with me, so a Bluetooth lock works for me, except when I'm on a site with radiation restrictions - but those have better office security measures anyway.
I know you're all straight forward thinkers, but let me lead you onto a slightly diagonal road: what if Truecrypt is too good? What if Truecrypt was indeed a complete swine to crack? Would it not be an excellent idea to spread rumours about it being rubbish (rumours, I should add, that up until now have not been substantiated by any evidence whatsoever)? The result of those rumours would be that everyone would abandon it, making them more vulnerable than before.
PSYOPS exists, you know, and people in panic rarely think logical.
Just an alternative view. It's not backed up by any evidence, but neither is this alleged Truecrypt weakness. I find it suspicious that the FBI would let something like that leak. After all, these are the people that are prepared to drop prosecution to keep the details of STINGRAY protected..
I find your theory highly plausible. The NSA has a huge budget; how simple would it be to approach the devs with an offer like "Shut down the project, sign an NDA and keep quiet about why you did it, and we'll give you fifty million dollars. You'll never need to work again and you'll never need to worry about the future for yourself and your family."
A lot of people, no matter how benign their intentions, would find such an offer hard to refuse.
More likely the TrueCrypt developers were given a legal ultimatum. "Give us a backdoor, stop development, or we drop the books on you for an eternity".
The defeat of the system would have been in the defeat of the people. Their anonymity would have presumably been lost at some point, and then the pressure would have built up as time went by.
That or the hardware backdoors are so prevalent, that it made the software and supposed "security" offered redundant, so a retreat the only current option.
No anon, because, well, would it even make a difference?
It doesn't matter if truecrypt (or ANY encryption system) is good, because the systems it runs on are woefully insecure. They should not be used to store valuable information, period. Anyone doing so should go back to the drawing board and figure out how to operate without relying on electronic devices to keep secrets.
Truecrypt is a stopgap solution at best.
Yes. And got it running whole system on Win 8.1 successfully. (Convert the partition to MBR!)
Slower to boot than TrueCrypt though (I gather it is doing more "trial and error" to determine precisely which encryption was used with more variations...)
Other than that, working fine
From the article:
Glenn made a phone call to his mother in which he asked her to relay a request to tell his housemate in Honduras "to disconnect the black box with the blinking lights on top of the batteries."
I'm surprised nobody has suggested that the housemate might be the weakest link. He/she could have been influenced or employed by the authorities and Glenn just told them exactly where to look for the evidence that convicted him.
It is interesting to note that the FBI man knew it was a 30 character password.
After:-
Glenn had sent an email to an associate with an internet hyperlink to an article entitled 'FBI hackers fail to crack TrueCrypt.' In this case, the FBI did decrypt Glenn's hidden files containing the stolen classified materials.
FBIhackersfailtocrackTrueCrypt
is 30 characters. A bit of FBI guesswork?
I still trust TrueCrypt actually. My guess is that the developers stopping work on the project is a classic case of the canary singing.
I wonder what would happen, though, if the subject in question was either a masochist or just extremely frail.
Torturing a masochist just gets him/her off. They like it so won't do you much good.
As for the frail, it's too easy, even nonphysically, to go too far and make him faint, even to the point that trying to force him awake can result in a life-threatening condition, making torture of any kind too risky.
As far as I know, truecrypt isn't readily available for Synology (you can build and run it though) so I certainly don't buy the hidden compartiment on the NAS story. Maybe he just stored truecrypt container *files* on his NAS?
If they already manage to obfuscate those facts, I wonder what they did to the rest of them to create a bit of FUD
Not necessarily. Attorney-client privilege only works if you actually ARE talking with a lawyer over the matter, which can be checked without disclosing too much information. What might work is having a whole bunch of blank or coaster discs marked "Top Secret" so that they have to check each one. The trick would be to conceal the actual file, since the plods may just be anal enough to treat EVERY disc as suspect, regardless of what it says.
"What might work is having a whole bunch of blank or coaster discs marked "Top Secret" so that they have to check each one"
Ever since Lem's blue bolts in the "Cyberiad" it has become quite obvious that the impossibility to prove something really isn't concealed damning evidence can be a fairly significant problem once you decide you'd rather come clean.
Truecrypt may have a back door .... but if only the US government has it ... then that is not a problem for most people ....
On the other hand, I think the people who reviewed the Truecrypt code are credible. Another scenario is that the US government is unable to easily circumvent Truecrypt ... and all this is about getting the bad people to stop using the product ...
For people really concerned, one can and should put a Truecrypt container inside of another Truecrypt container ...and use a distinct password + keyfile for each container ....
It is well documented that keyboards are very vulnerable to hacking ... The US govt has access to all kinds of very capable keyloggers ... that could have been inserted in multiple ways... And as stated previously, Electronic signals emitted from the keyboard can and have been deciphered. But if you know who your target is ... a camera properly placed could easily recorded the keystrokes ...
We are in the time of virtual computers .... The US government could create 1,000,000 virtual PC's inside of their computing centers (or as well rent the service from Amazon) ... and then divide up the decryption task among the 1 million virtual PC's and solve a 36 character password. A 50 character password with a keyfile is much more difficult to decrypt ... especially if embedded containers are used..
I think most people know what SETI is ... What if that computing power was occasionally redirected to breaking passwords?? Who would know?
TrueCrypt and LUKS need a Fricosu key. This is a second key, created when the encrypted volume is initialized which, when entered under duress in Colorado, would cause the system to silently and permanently forget the real decryption key.
This would be good for journalists traveling to Brazil and getting nabbed by the Bobbies, but it wouldn't do a shag bit of good if the drive has already been imaged.
Well, it's better than nothing.
Haven't read all the comments but my opine on this is the following:
He was convicted for 10 years by a court presumably relying on the testimony of "experts".
If I know what documents are supposed to be on your computer it seems to me that it should be a relatively trivial (emphasis on relatively) task to figure out a "Key" that would demonstrably expose those exact documents from the noise that a good encryption utility is supposed to generate.
The only thing standing between the prosecution and a conviction is the defense's "expert" and how diligent that person is.
The jury would be selected based on their ignorance of such matters as seems to be usual in these types of cases.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
