Wait, what? TrueCrypt 'decrypted' by FBI to nail doc-stealing sysadmin

Discontinued on-the-fly disk encryption utility TrueCrypt was unable to keep out the FBI in the case of a US government techie who stole copies of classified military documents. How the Feds broke into the IT bod's encrypted TrueCrypt partition isn't clear. It raises questions about the somewhat sinister situation surrounding …


Answered your own question?

"In the case of the Silk Roads arrest, the FBI agents went to fairly elaborate lengths to distract Ulbricht and to ensure that his laptop remained running and did not go into sleep mode or require screen unlock," White told us. "This would make forensic analysis much easier, both for memory and disk imaging and data recovery."

When using power tools, please be careful not to cut yourself.

11
0
Anonymous Coward

Re: Answered your own question?

The prosecution states that this "black box" was the Synology storage device containing the TrueCrypt compartment with the stolen documents. It also alleges that "the reason [he] tried to send a message to [the housemate] to disconnect the black box is because he wanted to prevent law enforcement from discovering what the Synology contained."

Erm, so he told them where to look while failing to dismount the TC filesystem. Apparently even the FBI can "decrypt" the "encrypted(?)" data while it's already decrypted! ... and then use that "decryption" prowess as a FUD attack against the only trustworthy strong yet usable encryption software available to the plebs.

Well knock me down with a feather.

16
1

So if they came across it, mounted and readable

Where does the 30-char password come into this?

2
0

Re: So if they came across it, mounted and readable

Yeah the simplest answer is he simply gave them the password once he made the guilty plea.

A deal was done. I would assume it's much cheaper and simpler to put the fear of whatever into some IT bod than it is to break an encrypted data vault.

Path of least resistance.

4
0

Re: So if they came across it, mounted and readable

Glenn had sent an email to an associate with an internet hyperlink to an article entitled 'FBI hackers fail to crack TrueCrypt.' In this case, the FBI did decrypt Glenn's hidden files containing the stolen classified materials.

FBI hackers fail to crack TrueCrypt

FBIhackersfailtocrackTrueCrypt

30 chars...

13
0

Re: 30 chars

That is some collision!

0
0

Pretty obvious - a keylogger was installed

It doesn't make any difference how many bits of encryption you have in your locker if your keystrokes are being gathered. This has been pathetically easy in most public places (libraries, etc.) but is also fairly easy when someone opens up their pantaloons to a web-based attack (Hi, Jack!)

The only security is physical security. And when you let those untrustworthy humans enter the network, all is lost.

12
0

Re: Pretty obvious - a keylogger was installed

except if you use something like Keepass then even a key logger is not useful without the db you unlocked, containing the passwords which you might not even know. Of course capturing the history of the contents of the clipboard is probably fairly trivial as well, which does contain your password.

2
5

Re: Pretty obvious - a keylogger was installed

or it could be something as stupid as having entered the password at the command line when encrypting it, getting it recorded in his history file and not knowing enough to realize it.

0
2
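The point above (a password typed on the command line ends up in the shell history) is easy to check for. The following scanner is an added example, not from the thread: it walks history lines, reports the ones where a secret was passed inline, and redacts the secret in its own output so the report does not leak it. The option names and the sample history are constructed for this example; a real deployment would tune the patterns to the tools actually in use.

```python
"""Scan shell history for commands that passed a secret inline.

Added illustration, not from the thread. The option patterns and the sample
history are constructed for this example (assumption: a real deployment
would tune the patterns to the tools actually in use).
"""
import re
from typing import List, Tuple

# Each pattern has group 1 = the option/command that carried the secret and
# group 2 = the secret itself (constructed list, modelled on common CLI habits).
SECRET_PATTERNS = [
    # `tool -p SECRET`, `tool --password=SECRET`, `tool --passphrase SECRET`
    re.compile(r"(?:^|\s)(-p|--password|--passphrase)(?:=|\s+)(\S+)"),
    # `password=SECRET`, `API_KEY=SECRET`, `token=SECRET` anywhere on the line
    re.compile(r"\b(password|passwd|token|api[_-]?key)=(\S+)", re.IGNORECASE),
    # `echo SECRET | gpg ...` and similar pipe-fed secrets
    re.compile(r"\b(echo|printf)\s+(\S+)\s*\|\s*(?:\S+\s+)*?(?:gpg|cryptsetup|truecrypt|veracrypt|openssl)\b"),
]


def redact(line: str, start: int, end: int) -> str:
    """Replace the secret span [start, end) with a fixed marker."""
    return line[:start] + "***" + line[end:]


def scan_history(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, option, redacted_line) for every offending line.

    Line numbers are 1-based. A line is reported once, for the first pattern
    that matches it, so a `--password=x` line is not counted twice.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        for pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((number, m.group(1), redact(line, m.start(2), m.end(2))))
                break
    return findings


def scan_history_text(text: str) -> List[Tuple[int, str, str]]:
    """Convenience wrapper for the raw contents of a history file."""
    return scan_history(text.splitlines())


# Constructed sample history (no real credentials).
SAMPLE_HISTORY = """\
cd ~/docs
truecrypt -p Hunter2Hunter2Hunter2Hunter2AB --text /dev/sdb1 /mnt/tc
ls -la /mnt/tc
mysql -u root --password=s3cret -e 'show databases'
echo hunter2 | gpg --batch --passphrase-fd 0 -c notes.txt
gpg -c notes.txt
export API_KEY=abcd1234
"""

if __name__ == "__main__":
    for number, option, line in scan_history_text(SAMPLE_HISTORY):
        print(f"history line {number}: secret passed via {option!r}: {line}")
```

Run against a real `~/.bash_history` or `~/.zsh_history` the same function works unchanged; the redacted lines are what you would hand to the user whose history it is, and the line numbers tell them what to purge.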
Anonymous Coward

Re: Pretty obvious - a keylogger was installed

Which, in the future will make it interesting with Windows 10.

Windows 10 has a 'built in' keylogger for various tasks, but doesn't report back information to Microsoft if you set the privacy settings. Reading the diagnostic logs regarding the Windows 10 install: the install collates the data into a form ready to send, checks the privacy settings, then reports that the diagnostic data can't be sent due to said settings.

But, importantly the data 'is' still collated beforehand anyway, and at some point sits on the hard drive.

So while the keylogger information in Windows 10 isn't reported to Microsoft, there is nothing to say the keylogger is not still doing its job, it's just not reporting its job, but data is collated to the hard disk.

This, in theory, makes it easier to examine Windows 10 disk contents for past 'collated data', if you know where to look / how to retrieve such info.

21
3

Re: Pretty obvious - a keylogger was installed

That's very interesting. Are you able to say where the compiled data is stored so a user could erase it?

4
0
Anonymous Coward

Re: Pretty obvious - a keylogger was installed

Is this Windows 10 keylogger a new one in the release or is this the one in the beta? The one that yes was in the beta but was in the ToC and stated that it was only for the beta; is there a new one or did they go back on their word and not remove it?

I have to ask because there is a lot of FUD surrounding windows 10 and its privacy settings, with some people taking what happens during a beta as 100% what will be in the main product, which is silly really as there are legitimate problems that you could easily use as a stick to beat W10 with, but people have a habit of constructing their own sticks made of BS instead.

All that ends up doing is getting crap on everyone, and it stinks the place up.

4
5

Re: Pretty obvious - a keylogger was installed

Cortana has a keylogger, AC...

If you don't run Cortana, the question is how much it's disabled - no keylogging at all or keylogging up until the point where it's time to phone home to Redmond then it says, "I won't do that after all".

1
0
Anonymous Coward

Re: "except if you use something like Keepass"

except if you use something like Keepass then even a key logger is not useful without the db you unlocked

And how, pray tell, does one unlock the Keepass database without typing in the password to do so and having it fall prey to the same key logger?

5
0

Re: "except if you use something like Keepass"

Keepass does at least attempt to address this:

"The master key dialog can be shown on a secure desktop, on which almost no keylogger works. Auto-Type can be protected against keyloggers, too."

Don't ask me how.

0
1

Re: "except if you use something like Keepass"

You can also use keyfiles, which can be picked simply by using mouse clicks which, while they can be captured, can easily be sent out of context, rendering them useless for figuring out just which file(s) you picked.

0
0
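The keyfile argument in the three posts above comes down to one thing: the database key is derived from two secrets, only one of which ever passes through the keyboard. The following is an added example, not KeePass's own code and not the scheme KeePass actually uses byte-for-byte: it hashes the typed password and the keyfile separately, combines and stretches them with PBKDF2, and seals a payload so that a key derived from the keylogged password alone fails authentication. The HMAC-based keystream plus HMAC tag is a stdlib-only stand-in for a real AEAD, and every sample value is constructed.

```python
"""Composite master key: typed password plus a keyfile.

Added illustration, not from the thread and not KeePass's own code. The
sealing scheme below (HMAC counter-mode keystream + HMAC tag) is a stdlib-only
stand-in for a real AEAD so that the failure is observable; all sample values
are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def composite_key(password: str, keyfile: Optional[bytes], salt: bytes,
                  iterations: int = 200_000) -> bytes:
    """Derive 64 bytes of key material from the password and an optional keyfile."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        # The keyfile is hashed, never typed, so it never passes through the
        # keyboard a keylogger is watching.
        material += hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on a wrong key."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password and/or keyfile")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def keylogger_scenario() -> Tuple[bool, bool]:
    """Returns (opened_with_password_and_keyfile, opened_with_password_only)."""
    salt = b"constructed-salt"                      # constructed; a real store uses a random salt
    password = "correct horse battery staple"       # what a keylogger would capture
    keyfile = secrets.token_bytes(64)               # selected by mouse click, never typed
    secret_db = b"entry: mail / user=alice / pass=..."  # constructed payload
    rounds = 10_000                                 # low only to keep the demo fast
    blob = seal(composite_key(password, keyfile, salt, rounds), secret_db)

    with_both = unseal(composite_key(password, keyfile, salt, rounds), blob) == secret_db
    try:
        unseal(composite_key(password, None, salt, rounds), blob)
        password_only = True
    except ValueError:
        password_only = False
    return with_both, password_only


if __name__ == "__main__":
    print(keylogger_scenario())  # (True, False)
```

The second value being False is the whole argument: the captured keystrokes are necessary but not sufficient, which is exactly why the later reply about a keylogger capturing the clipboard or the keyfile selection matters more than the keystrokes themselves.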
Anonymous Coward

Re: Pretty obvious - a keylogger was installed

I do have to wonder how many people complaining about this are currently accessing the reg via Chrome, or using an android phone, which of course absolutely do not log what you are doing in any way shape or form as Google are lovely and perfect and never do anything bad like gathering your "anonymized" info and selling it on.

6
6
Anonymous Coward

Re: Pretty obvious - a keylogger was installed

Cortana is a searching tool that searches the net, of course it sends what you type and say to the net.... it's kinda hard to search it without it.

Now, honest question: if it logs keys and doesn't send them, as is your worst case scenario, which most readers seem to be assuming is the actual one despite there being currently as much proof of it as there is of Clangers existing on the moon, how would this be really bad and awful? As long as it's not saving to file anywhere it's not much of an issue. Now I can see the argument "if someone hacks in they can read from it", which is half valid, but tbh if someone hacks in they can just install their own sodding keylogger, which would probably be the far easier option. Or they could hijack the keyboard driver and nab the keypresses through that, the likelihood of gaining any useful data from keypresses in memory (which would likely be hard to find unless you could latch in)

Your computer HAS to log what keys you press at some point... its kinda hard to let programs know what buttons you have pressed without some signal saying "this key was pressed now" at some point!

But as its MS we must of course assume the worst and grab the stick made of poo.

2
5

Re: Pretty obvious - a keylogger was installed

Or there having been a webcam pointed at his keyboard ... one of his hacked by the FBI, or one of theirs artfully concealed.

2
0

Re: Pretty obvious - a keylogger was installed

"It doesn't make any difference how many bits of encryption you have in your locker if your keystrokes are being gathered."

And that is exactly why I find USB-drives with on-board encryption and an on-board keypad appealing. After all, in the proposed scenario even if you do everything perfectly, you're still supposed to plug and mount that thumb drive into / on the machine you plan to copy documents from - and if there's any logging involved there, they already have your passkey...

Of course, there's a frightening amount of ways an autonomous USB drive with internal encryption can be well and truly screwed up, sadly - as long as one can de-solder various bits and read off storage keys and whatnot (or sniff them in-transit on the PCB) you're still SOL. But at least in theory, it could be done properly and it should offer more protection than another drive that relies on a host machine for its user interface.

0
0

Re: Pretty obvious - a keylogger was installed

> except if you use something like Keepass then even a key logger is not useful without the db you unlocked,

Why do you assume the keyloggers are software based? That would seem overly complicated to me because you have to get them installed through some flaw, social engineering or physical access. The latter would seem to be the easiest for an organisation that in its normal day-to-day operation needs to plant listening devices for suspects.

It would be much easier to swap out the keyboard with a bugged one for a few days and to brute force against the entered strings.

0
0

Re: Pretty obvious - a keylogger was installed

I don't know why you're wasting time debating whether Windows 10 keylogs or not, AC. It does keylog, there's an option buried in settings for it (Speech, Inking, and Typing).

0
0

Re: Pretty obvious - a keylogger was installed

> The install collates the data into a form ready to send, checks the privacy settings, then reports that the diagnostic data can't be sent due to said, settings.

I will bet you ten quatloos that all the privacy settings in Windows 10 you've turned off will be turned back on without any notice during some software update. It doesn't even require intentional effort by Microsoft (even though I expect there will be) because such is the nature of default settings.

0
0

GnuPG

gpg ftw. Snowden approved. Cross platform with even GUI versions for the CLI impaired windows crowd.

7
4

Re: GnuPG

windows automatically excludes security. There is absolutely no way to ensure there are not backdoors. Same goes for Mac OsX.

If you are paranoid get an opensource toolchain and build it from scratch, and bake it onto some readonly media.

Not advice, simple logical extrapolation of the probabilities....

P.

8
8

Re: GnuPG

Then you only need to be paranoid about Compiler Back Doors and hardware back doors.

9
2
Anonymous Coward

Re: GnuPG

windows automatically excludes security. There is absolutely no way to ensure there are not backdoors. Same goes for Mac OsX.

There is no such thing as certainty when it comes to Operating Systems. It starts with acquisition: unless you compile from scratch from untainted sources and with a compiler and library you can trust you basically are already building on a bad foundation.

Security is not an absolute - it's about managing risks. Some you can mitigate, some you manage, some you have no choice but to accept.

15
0

Re: GnuPG

There's always someone who brings up compiler backdoors and the answer is no, you don't really have to worry about these. In some circumstances you might, but those are exceptions. The reason is that a binary compiled with a backdoor will be different to a binary compiled without. The overwhelming majority of OSS comes precompiled. You download it and check the hash and you're good to go. IF some bad actor wanted to subvert that then they'd have to compromise all of the servers compiling that binary and get away with it. Even getting away with it on one would be a big stretch. And even if you were using a distro that wasn't pre-compiled, you'll still be using a pre-compiled compiler from somewhere that you will check the hash of.

Compiler backdoors in OSS are possible. Viable is a whole other matter. The point stands that whilst closed source software (e.g. Windows) can be just as secure against outside threats as OSS, one of the big advantages of OSS is that you can check it against internal threats by the vendor. That's an undeniable plus.

Now Microsoft actually open their source code to large purchasers for inspection against such things so how much of a risk deliberate subversion there is we do not know (really depends on whether China et al. could be persuaded to collude with the USA on some group backdoor scheme which is shaky) and MS would suffer a massive blow if they were shown to have deliberate backdoors in there for the government so I don't think they would risk it as the company they are today. And it's increasingly unnecessary as the useful stuff can be obtained by spying on traffic and cloud-stored data. But it can't be denied that ability to trust the vendor is a major positive with OSS. It's one of its chief advantages.

9
8

Re: GnuPG

And if the backdoor was introduced in an early version of GnuC? Which 'everyone' used to compile the source, even the source for the next version of GnuC...

2
4
tfb

Re: GnuPG

I think the famous Ken Thompson compiler hack demonstrates fairly conclusively that, if you are paranoid, you really can not trust that the binaries you have don't contain nasties, even if you compiled them yourselves, with a compiler you compiled yourself, from sources which did not contain nasties. Yes, there are ways around this, but they require heroic amounts of work and attention to detail. (And of course I am not suggesting that the tools we trust do contain backdoors: merely that they might.)

7
1
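The "ways around this" that tfb alludes to do exist, the best known being David A. Wheeler's diverse double-compiling (DDC). The following is an added example, not from the thread and not Thompson's or Wheeler's code: a toy model in which compilers and programs are strings and hashes, a compiler's hidden behaviour is a flag that never appears in any source text, and a trojaned compiler both backdoors a login program and re-inserts itself when it compiles its own clean source. It then shows why the hash check described earlier in this thread passes anyway, and how DDC with an independent trusted compiler catches the discrepancy. Everything here (source strings, compiler names, hashes) is constructed for the example.

```python
"""Diverse double-compiling (DDC) against a self-propagating compiler trojan.

Added illustration, not from the thread: a toy model of the Ken Thompson
"trusting trust" attack and of the DDC countermeasure. All source strings,
compiler identities and hashes are constructed for the example.
"""
from dataclasses import dataclass
import hashlib

# Constructed "source trees". Neither contains anything suspicious to read.
LOGIN_SRC = "login.c: check password, then start a shell"
COMPILER_SRC = "cc.c: lex, parse, typecheck, generate code"


@dataclass(frozen=True)
class Binary:
    image: bytes      # the bytes you would hash, diff or sign
    behaviour: str    # "clean", "trojan" (a compiler that propagates itself) or "backdoored"


def compile_with(compiler: Binary, src: str) -> Binary:
    """Deterministic compilation: same compiler behaviour + same source -> same image."""
    behaviour = "clean"
    if compiler.behaviour == "trojan":
        if src == LOGIN_SRC:
            behaviour = "backdoored"   # the payload: a planted login backdoor
        elif src == COMPILER_SRC:
            behaviour = "trojan"       # self-propagation: survives rebuilds from clean source
    image = hashlib.sha256(f"{src}|{behaviour}".encode()).digest()
    return Binary(image, behaviour)


def hash_check_passes(published: bytes, downloaded: Binary) -> bool:
    """The check discussed above: compare the download with the vendor's published hash."""
    return published == hashlib.sha256(downloaded.image).digest()


def diverse_double_compile(suspect: Binary, suspect_src: str, trusted: Binary) -> bool:
    """DDC: rebuild the suspect compiler's source with an independent trusted
    compiler, then let that result rebuild itself. If the suspect compiler
    produces the same image from the same source, it corresponds to that
    source. Assumes deterministic (reproducible) builds."""
    stage1 = compile_with(trusted, suspect_src)    # trusted compiler builds suspect's source
    stage2 = compile_with(stage1, suspect_src)     # that result rebuilds itself
    regenerated = compile_with(suspect, suspect_src)
    return regenerated.image == stage2.image


# An independently written compiler we choose to trust (constructed identity).
TRUSTED = Binary(hashlib.sha256(b"independent-compiler").digest(), "clean")
# A compiler binary into which the trojan was introduced once, long ago.
TROJANED_ANCESTOR = Binary(hashlib.sha256(b"ancestor").digest(), "trojan")

# The vendor keeps building new releases of clean source with the old binary.
RELEASE = compile_with(TROJANED_ANCESTOR, COMPILER_SRC)
PUBLISHED_HASH = hashlib.sha256(RELEASE.image).digest()
# The same source built by the trusted compiler, for comparison.
CLEAN_RELEASE = compile_with(TRUSTED, COMPILER_SRC)


def scenario() -> dict:
    """Each entry should be True: the attack works against source review and
    hash checks, and only DDC exposes it."""
    return {
        "source_looks_clean": "trojan" not in COMPILER_SRC and "backdoor" not in COMPILER_SRC,
        "hash_check_passes": hash_check_passes(PUBLISHED_HASH, RELEASE),
        "login_backdoored": compile_with(RELEASE, LOGIN_SRC).behaviour == "backdoored",
        "ddc_flags_release": not diverse_double_compile(RELEASE, COMPILER_SRC, TRUSTED),
        "ddc_accepts_clean": diverse_double_compile(CLEAN_RELEASE, COMPILER_SRC, TRUSTED),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The model makes the two conditions of DDC explicit: you need a second compiler whose trustworthiness does not depend on the first, and you need builds that are bit-for-bit reproducible, otherwise the final comparison is meaningless. Reproducible-builds work in Linux distributions is what turns this from heroic effort into a routine check.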

Re: GnuPG

"There is absolutely no way to ensure there are not backdoors." Errm, you cannot prove a negative.

Your premise, not advice (as it is), sounds like an idea by Dan Brown.

I give you Microsoft, don't use - no discussion.

Mac OS X, install/use GPG, Little Snitch, protect via hosts file, don't install Adobe products. There's a start. Apple's convenient disk images, however, are not recommended - the libraries that provide for that feature are closed source.

0
5

Re: GnuPG

"Snowden approved."

Is that supposed to be a recommendation? Seriously??

Anything Putins Pet says these days can be comprehensively discounted as a reliable source of information.

1
25

Re: GnuPG

>>"And if the backdoor was introduced in an early version of GnuC?"

Then it would have long since been found and weeded out because it is not some unbroken chain of compilation. You would have to keep compromising the vendors of the software over and over and over.

3
3

Re: GnuPG

@h4rm0ny

No.

Security is about identifying and minimising all possible risk vectors. The number of people with the technical skills required to read through, meaningfully understand and usefully audit all the components of an open source package are always somewhat limited - and if you're being cautious, you need to apply this to all packages in your OS, and your compiler. Doesn't matter if making a compiler vuln is hard - the point is, minimise that risk.

Even if you don't find Ken Thompson's proof-of-concept somewhat chilling in that context, Shellshock and Heartbleed were elegant real-world demonstrations of the repercussions of over-relying on the "many eyes make bugfinding trivial" assumption. So no. The question is not "Can we see the code?" but rather "How many people with the technical knowledge required to understand it and who would happily publicise issues with the code have seen it?".

And unfortunately, the majority of us who can't roll our own OS unaided from the ground up have to accept that there are components we rely on but don't understand, and acknowledge that they're potential attack vectors. Pretending that a compiled binary is clean just because it's OSS and you've checked the hash is, at best, deluding yourself into thinking you're secure.

10
0

Re: GnuPG

The Ken Thompson compiler hack (and if you don't know about this, I'd urge you to read about it, it's fascinating and enlightening) means that the only code you can REALLY trust is that which you have compiled yourself, by hand, into assembly language, and then laid down byte-by-byte into memory.

2
0
Anonymous Coward

Re: "Putins Pet"

Since your memory is apparently as faulty as your grammar, let me remind you: Snowden had no intention of going to Russia. He was trying to get to South America and it was the actions of the US State Department in withdrawing his passport while he was in transit changing planes at Moscow airport that trapped him in Russia.

8
3
Anonymous Coward

>"gpg ftw. Snowden approved."

So is truecrypt.

1
0

Re: GnuPG

"Errm, you cannot prove a negative."

Reductio ad absurdum can prove a negative by asserting the affirmative and demonstrating it cannot logically exist (for example by showing its existence would present a paradox). That's how Turing's Halting Problem proof works.

1
0

Re: Errm, you cannot prove a negative.

"I am not dead".

2
0

Re: GnuPG

The Ken Thompson compiler hack ... means that the only code you can REALLY trust is that which you have compiled yourself, by hand, into assembly language, and then laid down byte-by-byte into memory.

It is altogether too easy to overestimate the impact of that particular demonstration: it wasn't really a practical hack or even a real proof of concept but more an illustration of a possibility.

Thompson's code worked against a specific login source tree and a specific compiler source. Generalising it to be resilient to continued development of either is hard and increases the scope for detection, after all if you want the hack to be cross architecture it needs to be inserted at the parse tree or possibly token stream level. Anyone working on those or later stages of the compiler would soon notice unexplainable entries in the internal data structures in their debugger.

That's without even considering the level of semantic analysis required to hack a tool that has not yet been written. That's decades ahead of the state of the art: we can say with confidence such technology simply doesn't exist.

2
0

Re: GnuPG

>Anything Putins Pet says these days can be comprehensively discounted as a reliable source of information.

Not to feed the troll but if you look, dumbass, he made a video for journalists showing how to safely communicate recommending GnuPG BEFORE leaving the US.

>So is truecrypt.

Since the warrant canary (which occurred after he left the country)? Don't think so. At least with GPG who the contributors and maintainers are is not a Satoshi Nakamoto mystery like TrueCrypt. That alone is a huge red flag to avoid TrueCrypt even without the warrant shenanigans.

0
0


Re: GnuPG

@h4rm0ny: That is my point exactly. A normal individual could do the FOSS route. Perhaps $CORPS could bake their own windows, but not anyone reading this website...

I understand the loyalty to the products you all feel comfortable using for whatever reason. But the chaos we see nowadays with hacks, misinformation, spying etc. is a direct result of the opaque, non-auditable nature of modern IT.

Is FOSS the solution? Not on its own. But we need good foundations to help protect everyone from the bad guys - whoever they may be.

P.

1
0

Re: GnuPG

>Then you only need to be paranoid about Compiler Back Doors

The compiler should be safe but not the libraries that the compiler uses unless you also build them from scratch using trusted sources. (If you use a language like 'C' then it's easy enough to verify the compiler isn't planting any unexpected code.)

1
0

Re: Errm, you cannot prove a negative.

I do not have fifteen legs.

1
0

Re: GnuPG

@Charles - The _absurdity_ of the original post is evident: "There is absolutely no way to ensure there are not backdoors. Same goes for Mac OsX."

That is the statement of someone wearing a tinfoil hat. Such idiots are not satisfied by rational, because the 100% unequivocal proof lies with the defense. The accuser merely has to judge the effort as futile or erroneous, and arbitrarily widen the burden of proof as necessary. It is an unprovable assertion, by design (perhaps more subconscious malice than overall stupidity).

The negative statement, as per example, is analogous with this: "There is absolutely no way to ensure there are not backdoor probing aliens."

I do not dispute the veracity of the original premise, in Windows' case by stupidity (not malice)... the clumsy assertion warrants anyone's criticism.

I will not get into the vaguery of the initial statement, regarding backdoors, be they system-provided or by third-party tool.

The absence of a guarantee does not give you the logical weight to make ridiculous claims. This is why we have idiotic arguments with Global Warming (I grew up last century, translate as you wish).

I fail to see application of Reductio ad absurdum. Quite simply, the original poster used idiotic phrasing.

The implied stupidity of the original poster is not finite by any means; furthermore, I'd say that he will always try to outweigh any evidence contrary to his original statement – because it would upset the view of government spooks as being lucky instead of capable... to bring it full circle with the actual article.

0
1

Re: GnuPG

"the only code you can REALLY trust is that which you have compiled yourself, by hand, into assembly language, and then laid down byte-by-byte into memory."

But where do you stop? Write your own OS? Disk drivers? File system? Networking stack?

And any libraries of course.

1
0

Re: GnuPG

Yes, but it is darn hard to insert a backdoor into open source tools that dozens or perhaps hundreds of people will examine. I consider managing the risk to be compiling the open source code with open source development tools.

0
1

id10t

Why was that container open if he wasn't present? I know all the excuses around remote access but that's flat idiotic. And as for a keylogger there's ways to beat that as well. But damn it, why was it open whilst he was elsewhere!

16
0

Re: id10t

+1

Why was the data not on a USB stick tucked behind the foil of his roofing insulation? Better yet, print that stuff out - it's really hard to detect and hack paper.

1
1

Biting the hand that feeds IT © 1998–2018