"The Electronic Frontier Doundation"
what some people will call their groups in order to get an acronym that they like ...
strangely it's not in: http://acronyms.thefreedictionary.com/EFD
Investigators have cracked the encryption key for a laptop drive owned by a Colorado woman accused of real-estate fraud - rendering a judge's controversial order to make her hand over the passphrase or stand in contempt of court irrelevant. The government seized the Toshiba laptop from Ramona Fricosu back in 2010 and …
You're going to look a bit silly when they fix that :)
Na, I'll click on the button that removes my post, making every reply look odd :)
Oh shit. You're just going to withdraw the post aren't you? Then I'll look foolish. That's ok, I'll withdraw mine too. But then there's this post! Oh shit. WHEN WILL THIS CYCLE OF MADNESS END!!
WHEN WILL THIS CYCLE OF MADNESS END!!
It won't, we're all EF'Ded ... oh wait, that was the original joke. Make no sudden movements. Step away from the withdraw button. There.
Was this story written on a phone with predictive text?
Where is the squiggly red underline of shame when you need it?
Whoops, indeed. More coffee needed. Typos fixed.
"...or turn over a plain-text version of the data held on they machine."
Have some more coffee!
You're thinking of the green line, as it's grammar related not spelling.
...on the crypto that she used?
Am betting it was AES-256.
US Government approved encryption being accessed by US Law Enforcement. It must have been a lucky guess.
Yeah, that was it.
Truecrypt, if memory serves.
I bet she was using Windows as well, so every file will be filled with GUIDs and specific IDs, so the plausible denial defense won't stick either.
If that's true, then that'll be the second public confirmation I've seen that TrueCrypt can be broken open.
It's the same on any OS, easy enough to parse the logs and prove there is other data in the encrypted volume.
Unless one takes specific measures.
It was PGP Desktop actually. Anyway, we don't know they actually broke the encryption. The password could have been weak, or, as her lawyer speculated, obtained from the co-defendant (and ex-husband).
>lucky guess. Yeah, that was it.
Nah, they've developed that luck serum off of Red Dwarf.
Just use a password that has a suitably long length. Likelihood in this case was she used a poor (short) password. TrueCrypt can offer great security, but it can't save you from yourself when your password is less than 10 characters or you don't use keyfiles.
"Sorry Your Honor, my hard drive was encrypted with multiple keyfiles but I can't remember which ones they were as I had only just set it up the night before my house was raided..."
"can be compelled to turn over a key to a safe possibly containing incriminating evidence, but is not obliged to supply the combination of a safe"
Why do law makers have such an ability to create stupid inconsistencies - either they should both be in, or both out. While I don't expect politicians to be up to speed, their advisors should be and these stupid inconsistencies only cost everyone (time, money, stress, ...)
I am by no means an expert or a lawyer, but I think it probably has something to do with a key being a physical property which can be seized as evidence; whereas a combination is an intangible property, unable to be seized and instead must be volunteered by the mind possessing it.
As such, only the accused has knowledge of whether or not they have knowledge of the combination. If the accused does not have knowledge of the combination and yet is prosecuted, well it's a bit like saying:
"You are lying and therefore you'll give up the combination to save yourself from contempt of court".
You can see examples of that logic in American history:
"You're a witch and therefore you'll save yourself from drowning".
Welcome to the UK. That's just how it works there. You must provide the key to any random garbage on your drive or else you'll get thrown in jail until you do so. No trial nor proof needed that the garbage is encrypted data.
> You can see examples of that logic in American history:
> "You're a witch and therefore you'll save yourself from drowning".
I think you will find that we, in the UK, were drowning, burning, stoning and generally not being very nice to witches for a couple of centuries before we even knew there was an America. They simply copied our logic.
Most encryption can be cracked. I'd like to see them add five years on to her prison sentence for attempted denial of justice.
For "enough time", substitute, "a significant proportion of the age of the universe", assuming the protocol is implemented correctly and the password wasn't something like, "letmein1".
However, "Attempted denial of justice" sounds very much like thought crime. It is the job of the state to prove guilt beyond reasonable doubt. The defendant is not obligated to help them in any way, and is in fact protected from doing so in many cases.
You, sir, sound like a bit of a tool...
Hey that old chestnut,
I forgot the key officer.... When did that happen? About the same time you started banging the door!
Perfectly reasonable... Caused by *flips over calendar* Solar radiation reflected off of your highly polished boots disrupting the electro signals in my brain, Officer.
It's absolutely ludicrous that a defense of self-incrimination could be used in this situation. Keeping her records on her laptop is only a format difference from keeping those same records on paper in a filing cabinet, which law enforcement has always been able to access. Opening that filing cabinet doesn't become self-incrimination just because she put a padlock on it.
It's not a format difference. There's nothing stopping law enforcement from reading the hard-drive. It's a translation. After they've read the drive, they still need the contents of your brain to figure out what they mean. Apparently the Supreme Court has decided that the inside of your head is protected by the US constitution.
Perhaps *that* is ludicrous, on the grounds that those who wrote the prohibition on self-incrimination were considering that the incriminating material might be inside your head and not just a key to incriminating material. (The combination, or password, is not in itself incriminating.) Perhaps, but since the Supreme Court have taken the opposite view, I think it is not ludicrous to expect that lesser authorities should be bound by the restriction.
Ken, I get where you're coming from on this, but the entire situation still seems a bit weird.
It appears that what is happening, is we (in America) say that crime is okay as long as you're clever enough to cover your tracks in such a way that nobody else can speak against you.
If the contents of the filing cabinet are written in a code, are there laws to make you hand over that code?
I am guessing not.
It's because of the next step.
Providing a combination is obviously the same as a safe key.
A passkey isn't much different
But beyond then when do you stop having to provide a key?
A text message saying "see you tomorrow" - does that decode to "we are going to rob the bank" ?
If there was a bank robbery do you have to provide that 'decryption' and so admit guilt?
How do you prove that "see you tomorrow" doesn't mean anything?
"It appears that what is happening, is we (in America) say that crime is okay as long as you're clever enough to cover your tracks in such a way that nobody else can speak against you."
No, what you in America do is put in safeguards to protect the innocent from prosecution. That means that some who are guilty are also spared. I and most prefer that to the opposite, where all guilty people are punished, but some of the innocent are as well.
The fact that some innocent people are still being prosecuted, is actually an argument for more protections rather than less....
"crime is okay as long as you're clever enough to cover your tracks in such a way that nobody else can speak against you."
So what you're saying is it's okay to be a criminal so long as there's no evidence against you? And that, by the fact you're complaining about that, is that you want the government to be able to lock people up for unspecified 'criminality' with no evidence?
Yeah, that's a good idea. *slow clap*.
> The fact that some innocent people are still being prosecuted, is actually an argument for more protections rather than less....
Not necessarily. In any imperfect system a balance has to be struck and in the case of the legal system the balance should minimise the number of victims. Victims not only means those punished for crimes they did not commit, it also means those who become victims due to the guilty not being punished.
"No, what you in America do is put in safeguards to protect the innocent from prosecution."
Well, it is a little more complicated than that. The guys arguing for the Bill of Rights (Us, not Willie the Dutchie) protections we see in the 4-8th Amendments were guilty little criminals, specifically smugglers (gotta love New England scalawaggery). They were responding to stuff the Brits had been using to crack down on smuggling pre-AmRev. It wasn't to protect the innocent, but to protect the oh-so-guilty. Now, it has the delightful side-effect of protecting the innocent, but the reason was to force the new American government to have to work for that conviction, as opposed to the pre-AmRev Brits getting to solve the Gordian Knot the Alexander Way. The innocent get out of trouble because if you can't get the bad guys unless they have their metaphorical tits hanging out, the innocent definitely don't get punished (assuming law-abiding prosecutors, which - admittedly - is like assuming pigs fly)
In the article they alluded that the password was probably not cracked.
"It seems more than likely that the authorities had come across the right passphrase without Fricosu's forced assistance.
"They must have used or found successful one of the passwords the co-defendant provided them," Dubois told Wired."
Failure to provide a password to the police when requested is a criminal offence. 2 years.
It hasn't been greatly tested in court yet, and I don't remember ever hearing "I've forgotten it" being tested.
Slightly alarming as I'm sure we all have several files which we have no key to, usually parts of software installs which will look like total gibberish to the cops and could easily invite a "what's the password?" when it might not even be an encrypted file, just a binary with an odd file extension.
Ever notice most of the people for the state being able to compel you to give passwords through up to and including water boarding if you bust out the terrorist word, are those that think everyone ever charged with anything is guilty and that the state never makes mistakes (or at least when it does it almost always against poor people). Bless the right.
In the United States, the authorities doing anything to anyone is acceptable to a majority of the populace - so long as it's happening to someone else.
I think that is most places, not just the US.
Well this just goes to prove that there are alternatives in gathering the evidence you need, rather than stepping on people's civil liberties.
I hope they have a nice stay at the Iron Bar Hotel.
The difference between cops getting a key to a safe versus the combination from you is a simple one.
The police are allowed to retrieve pretty much any evidence they can. However they cannot compel you to help them. In other words they can go digging around and find a body in your backyard; but they can't force you to tell them where the body is buried.
The primary difference is that when the police find a body in your backyard, they still have to prove that you did it. However, if you say "it's over by the shed", then the very fact that you know where it is adds weight that you were involved.
For this case, the cops still need to prove it was her laptop. They will also need to prove the files are hers or that she had knowledge of the contents. This latter part is a sticking point. If she provides a decryption key then it will be very hard for her defense attorney to argue that she didn't know anything about it.
Now, let's look at this from a different perspective. If the decryption key came from her husband, then it stands to reason that the device may have been his in the first place. It could also be argued that she was an innocent bystander. Which may or may not be the case; I don't know anything about this beyond this article.
Another crinkle, is if the password was actually cracked by the FBI then she can still feign ignorance on the contents. So the prosecutor still has to establish that it is hers and the files are hers as well and that it wasn't tampered with without her knowledge.... By the husband.
His providing the password to her doesn't prove his ownership. She could have bought it and asked him to set it up, if he is the IT person in their marriage/franchise.
Even if he bought it as a gift/efficiency tool outside of their franchise (bed or business), a preponderance of her own files, with dense, chronological timestamps of creations and edits, on it makes her the regular user -- especially if the machine is devoid of apparent activity by him.
But, since it appears they both are being charged with RE fraud, it is possible or plausible that they both had access to the machine -- unless they intentionally mentally firewalled themselves in the event of investigation or arrest. (WOW! Only 1 part this post....)
But, as for the password... I bet those who willingly, consciously, deliberately purchase laptops with the intent to willfully commit crime will avoid buying those having fingerprint/biometrics access. The cops could just restrain the suspected or known owner to a chair, numb their arm (but not blood flow) to minimize resistance, then press the thumb.
Now, for those with finger/thumb readers AND cameras that look for facial recognition, they better hope that it is possible to enter the password by eyelid flapping/blinking, or by eyelid reversal, display of a specific tooth, pressing the thumb, pursing the lips, two forced farts (of a certain duration, pitch, and quality/ripeness), a belch, and a specific exhalation or grunt/groan. Under duress, or even normal circumstances, syncopating that to gain access would be pretty tough to perform.
(Yeh, I know, don't give ideas... well, I'm being an "equal opportunity idea giver" both have something to gain and lose, hehehehe) (WoW, only 1 part this post...)
Back to basics- don't they take a copy of the laptop drive then guess the password? No hardware required, just proof of source.
You are not required to incriminate yourself - verbally, but you are going to be required to provide a password to encrypted HDs. Count on it.