back to article Wait, what? TrueCrypt 'decrypted' by FBI to nail doc-stealing sysadmin

Discontinued on-the-fly disk encryption utility TrueCrypt was unable to keep out the FBI in the case of a US government techie who stole copies of classified military documents. How the Feds broke into the IT bod's encrypted TrueCrypt partition isn't clear. It raises questions about the somewhat sinister situation surrounding …

  1. gerdesj Silver badge
    Childcatcher

    Answered your own question?

    "In the case of the Silk Roads arrest, the FBI agents went to fairly elaborate lengths to distract Ulbricht and to ensure that his laptop remained running and did not go into sleep mode or require screen unlock," White told us. "This would make forensic analysis much easier, both for memory and disk imaging and data recovery."

    When using power tools, please be careful not to cut yourself.

    1. Anonymous Coward
      Anonymous Coward

      Re: Answered your own question?

      The prosecution states that this "black box" was the Synology storage device containing the TrueCrypt compartment with the stolen documents. It also alleges that "the reason [he] tried to send a message to [the housemate] to disconnect the black box is because he wanted to prevent law enforcement from discovering what the Synology contained."

      Erm, so he told them where to look while failing to dismount the TC filesystem. Apparently even the FBI can "decrypt" the "encrypted(?)" data while it's already decrypted! ..and then use that "decryption" prowess as a FUD attack against the only trustworthy strong yet usable encryption software available to the plebs.

      Well knock me down with a feather.

      1. goldcd

        So if they came across it, mounted and readable

        Where does the 30-char password come into this?

        1. jason 7

          Re: So if they came across it, mounted and readable

          Yeah the simplest answer is he simply gave them the password once he made the guilty plea.

          A deal was done. I would assume it's much cheaper and simpler to put the fear of whatever into some IT bod than it is to break a encrypted data vault.

          Path of least resistance.

        2. Bagpuss
          Coat

          Re: So if they came across it, mounted and readable

          Glenn had sent an email to an associate with an internet hyperlink to an article entitled 'FBI hackers fail to crack TrueCrypt.' In this case, the FBI did decrypt Glenn's hidden files containing the stolen classified materials.

          FBI hackers fail to crack TrueCrypt

          FBIhackersfailtocrackTrueCrypt

          30 chars...

          1. oolor
            Big Brother

            Re: 30 chars

            That is some collision!

  2. elDog Silver badge

    Pretty obvious - a keylogger was installed

    It doesn't make any difference how many bits of encryption you have in your locker if your keystrokes are being gathered. This has been pathetically easy in most public places (libraries, etc.) but is also fairly easy when someone opens up their pantaloons to a web-based attack (Hi, Jack!)

    The only security is physical security. And when you let those untrustworthy humans enter the network, all is lost.

    1. asdf Silver badge

      Re: Pretty obvious - a keylogger was installed

      except if you use something like Keepass then even a key logger is not useful without the db you unlocked, containing the passwords which you might not even know. Of course capturing the history of the contents of the clipboard are probably fairly trivial as well which does contain your password.

      1. Anonymous Coward
        Anonymous Coward

        Re: "except if you use something like Keepass"

        except if you use something like Keepass then even a key logger is not useful without the db you unlocked

        And how, pray tell, does one unlock the Keepass database without typing in the password to do so and having it fall prey to the same key logger?

        1. Indolent Wretch

          Re: "except if you use something like Keepass"

          Keepass does at least attempt to address this:

          "The master key dialog can be shown on a secure desktop, on which almost no keylogger works. Auto-Type can be protected against keyloggers, too."

          Don't ask me how.

          1. Charles 9 Silver badge

            Re: "except if you use something like Keepass"

            You can also use keyfiles which can be picked up simply by using mouse clicks while, while they can be captured, can easily be sent out of context, rendering them useless for figuring out just which file(s) you picked.

      2. Adam 1 Silver badge

        Re: Pretty obvious - a keylogger was installed

        > except if you use something like Keepass then even a key logger is not useful without the db you unlocked,

        Why do you assume the keyloggers are software based? That would seem overly complicated to me because you have to get them installed through some flaw, social engineering or physical access. The latter would seem to be the easiest for an organisation that in their normal day to day operation need to plant listening devices for suspects.

        It would be much easier to swap out the keyboard with a bugged one for a few days and to brute force against the entered strings.

    2. Mad Chaz

      Re: Pretty obvious - a keylogger was installed

      or it could be something as stupid as having entered the password at the command line when encrypting it, getting it recorded in his history file and not knowing enough to realize it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Pretty obvious - a keylogger was installed

        Which, in the future will make it interesting with Windows 10.

        Windows 10 has a 'built in' keylogger for various tasks, but doesn't report back information to Microsoft if you set the privacy settings. Reading the diagnostic logs regarding Windows 10 install; The install collates the data into a form ready to send, checks the privacy settings, then reports that the diagnostic data can't be sent due to said, settings.

        But, importantly the data 'is' still collated beforehand anyway, and at some point sits on the hard drive.

        So while the keylogger information in Windows 10 isn't reported to Microsoft, there is nothing to say the keylogger is not still doing its job, its just not reporting its job, but data is collated to the hard disk.

        This, in theory makes Windows 10 easier to examine disk contents for past 'collated data', if you know where to look / retrieve such info.

        1. h4rm0ny

          Re: Pretty obvious - a keylogger was installed

          That's very interesting. Are you able to say where the compiled data is stored so a user could erase it?

        2. Anonymous Coward
          Anonymous Coward

          Re: Pretty obvious - a keylogger was installed

          Is this Windows 10 Keylogger a new one in the release or is this the one in the Beta? The one that yes was in the beta but was in the ToC and stated that it was only for the beta, is there a new one or did they go back on there word and not remove it?

          I have to ask because there is a lot of FUD surrounding windows 10 and its privacy settings, with some people taking what happens during a beta as 100% what will be in the main product, which is silly really as there are legitimate problems that you could easily use as a stick to beat W10 with, but people have a habit of constructing their own sticks made of BS instead.

          All that ends up doing is getting crap on everyone, and it stinks the place up.

          1. Dan 55 Silver badge

            Re: Pretty obvious - a keylogger was installed

            Cortana has a keylogger, AC...

            If you don't run Cortana, the question is how much it's disabled - no keylogging at all or keylogging up until the point where it's time to phone home to Redmond then it says, "I won't do that after all".

            1. Anonymous Coward
              Anonymous Coward

              Re: Pretty obvious - a keylogger was installed

              I do have to wonder how many people complaining about this are currently accessing the reg via Chrome, or using a android phone, which of course absolutely do not log what you are doing in any way shape or form as Google are lovely and perfect and never do anything bad like gathering your "anonymized" info and selling it on.

            2. Anonymous Coward
              Anonymous Coward

              Re: Pretty obvious - a keylogger was installed

              Cortana is a searching tool that searches the net, of course it sends what you type and say to the net.... its kinda hard to search it without it.

              Now honest question, if it logs keys and doesn't' send them as is your worst case scenario, which most readers seem to be assuming is the actual one despite there being currently as much proof of it as there is of clangers existing on the moon, how would this be really bad and awful. As long as its not saving to file anywhere its not much of a issue. Now I can see the argument "if someone hacks in they can read from it" which is half valid, but tbh if someone hacks in they can just install there own sodding keylogger which would probably be the far easier option. Or they could highjack the keyboard driver and nab the keypresses through that, the likelyhood of gaining any useful data from keypresses in memory (which would likely be hard to find unless you could latch in)

              Your computer HAS to log what keys you press at some point... its kinda hard to let programs know what buttons you have pressed without some signal saying "this key was pressed now" at some point!

              But as its MS we must of course assume the worst and grab the stick made of poo.

              1. Dan 55 Silver badge

                Re: Pretty obvious - a keylogger was installed

                I don't know why you're wasting time debating whether Windows 10 keylogs or not, AC. It does keylog, there's an option buried in settings for it (Speech, Inking, and Typing).

        3. Vociferous

          Re: Pretty obvious - a keylogger was installed

          > The install collates the data into a form ready to send, checks the privacy settings, then reports that the diagnostic data can't be sent due to said, settings.

          I will bet you ten quatloos that all the privacy settings in Windows 10 you've turned off will be turned back on without any notice during some software update. It doesn't even require intentional effort by Microsoft (even though I expect there will be) because such is the nature of default settings.

      2. Nigel 11

        Re: Pretty obvious - a keylogger was installed

        Or there having been a webcam pointed at his keyboard ... one of his hacked by the FBI, or one of theirs artfully concealed.

    3. DropBear Silver badge

      Re: Pretty obvious - a keylogger was installed

      "It doesn't make any difference how many bits of encryption you have in your locker if your keystrokes are being gathered."

      And that is exactly why I find USB-drives with on-board encryption and an on-board keypad appealing. After all, in the proposed scenario even if you do everything perfectly, you're still supposed to plug and mount that thumb drive into / on the machine you plan to copy documents from - and if there's any logging involved there, they already have your passkey...

      Of course, there's a frightening amount of ways an autonomous USB drive with internal encryption can be well and truly screwed up, sadly - as long as one can de-solder various bits and read off storage keys and whatnot (or sniff them in-transit on the PCB) you're still SOL. But at least in theory, it could be done properly and it should offer more protection that another drive that relies on a host machine for its user interface.

  3. asdf Silver badge

    GnuPG

    gpg ftw. Snowden approved. Cross platform with even GUI versions for the CLI impaired windows crowd.

    1. phil dude
      Black Helicopters

      Re: GnuPG

      windows automatically excludes security. There is absolutely no way to ensure there are not backdoors. Same goes for Mac OsX.

      If you are paranoid get an opensource toolchain and build it from scratch, and bake it onto some readonly media.

      Not advice, simple logical extrapolation of the probabilities....

      P.

      1. mathew42
        Alert

        Re: GnuPG

        Then you only need to be paranoid about Compiler Back Doors and hardware back doors.

        1. h4rm0ny

          Re: GnuPG

          There's always someone who brings up compiler backdoors and the answer is no, you don't really have to worry about these. In some circumstances you might, but those are exceptions. The reason is that a binary compiled with a backdoor will be different to a binary compiled without. The overwhelming majority of OSS comes precompiled. You download it and check the hash and you're good to go. IF some bad actor wanted to subvert that then they'd have to compromise all of the servers compiling that binary and get away with it. Even getting away with it on one would be a big stretch. And even if you were using a distro that wasn't pre-compiled, you'll still be using a pre-compiled compiler from somewhere that you will check the hash of.

          Compiler backdoors in OSS are possible. Viable is a whole other matter. The point stands that whilst closed source software (e.g. Windows) can be just as secure against outside threats as OSS, one of the big advantages of OSS is that you can check it against internal threats by the vendor. That's an undeniable plus.

          Now Microsoft actually open their source code to large purchasers for inspection against such things so how much of a risk deliberate subversion there is we do not know (really depends on whether China et al. could be persuaded to collude with the USA on some group backdoor scheme which is shaky) and MS would suffer a massive blow if they were shown to have deliberate backdoors in there for the government so I don't think they would risk it as the company they are today. And it's increasingly unnecessary as the useful stuff can be obtained by spying on traffic and cloud-stored data. But it can't be denied that ability to trust the vendor is a major positive with OSS. It's one of it's chief advantages.

          1. Trygve Henriksen

            Re: GnuPG

            And if the backdoor was introduced in an early version of GnuC? Which 'everyone' used to compile the source, even the source for the next version of GnuC...

            1. h4rm0ny

              Re: GnuPG

              >>"And if the backdoor was introduced in an early version of GnuC?"

              Then it would have long since been found and weeded out because it is not some unbroken chain of compilation. You would have to keep compromising the vendors of the software over and over and over.

          2. tfb Silver badge
            Boffin

            Re: GnuPG

            I think the famous Ken Thompson compiler hack demonstrates fairly conclusively that, if you are paranoid, you really can not trust that the binaries you have don't contain nasties, even if you compiled them yourselves, with a compiler you compiled yourself, from sources which did not contain nasties. Yes, there are ways around this, but they require heroic amounts of work and attention to detail. (And of course I am not suggesting that the tools we trust do contain backdoors: merely that they might.)

            1. Loyal Commenter Silver badge

              Re: GnuPG

              The Ken Thompson compiler hack (and if you don't know about this, I'd you to read about it, it's fascinating and enlightening) means that the only code you can REALLY trust is that which you have compiled yourself, by hand, into assembly language, and then laid down byte-by-byte into memory.

              1. the spectacularly refined chap

                Re: GnuPG

                The Ken Thompson compiler hack ... means that the only code you can REALLY trust is that which you have compiled yourself, by hand, into assembly language, and then laid down byte-by-byte into memory.

                It is altogether too easy to overestimate the impact of that particular demonstration: it wasn't really a practical hack or even a real proof of concept but more an illustration of a possibility.

                Thompson's code worked against a specific login source tree and a specific compiler source. Generalising it to be resilient to continued development of either is hard and increases the scope for detection, after all if you want the hack to be cross architecture it needs to be inserted at the parse tree or possibly token stream level. Anyone working on those or later stages of the compiler would soon notice unexplainable entries in the internal data structures in their debugger.

                That's without even considering the level of semantic analysis required to hack a tool that has not yet been written. That's decades ahead of the state of the art: we can say with confidence such technology simply doesn't exist.

              2. Wensleydale Cheese Silver badge
                Unhappy

                Re: GnuPG

                "the only code you can REALLY trust is that which you have compiled yourself, by hand, into assembly language, and then laid down byte-by-byte into memory."

                But where do you stop? Write your own OS? Disk drivers? File system? Networking stack?

                And any libraries of course.

          3. Captain Underpants

            Re: GnuPG

            @h4rm0ny

            No.

            Security is about identifying and minimising all possible risk vectors. The number of people with the technical skills required to read through, meaningfully understand and usefully audit all the components of an open source package are always somewhat limited - and if you're being cautious, you need to apply this to all packages in your OS, and your compiler. Doesn't matter if making a compiler vuln is hard - the point is, minimise that risk.

            Even if you don't find Ken Thompson's proof-of-concept somewhat chilling in that context, Shellshock and Heartbleed were elegant real-world demonstrations of the repercussions of over-relying on the "many eyes make bugfinding trivial" assumption. So no. The question is not "Can we see the code?" but rather "How many people with the technical knowledge required to understand it and who would happily publicise issues with the code have seen it?".

            And unfortunately, the majority of us who can't roll our own OS unaided from the ground up have to accept that there are components we rely on but don't understand, and acknowledge that they're potential attack vectors. Pretending that a compiled binary is clean just because it's OSS and you've checked the hash is, at best, deluding yourself into thinking you're secure.

          4. phil dude

            Re: GnuPG

            @h4rm0ny: That is my point exactly. A normal individual could do the FOSS route. Perhaps $CORPS could bake their own windows, but not anyone reading this website...

            I understand the loyalty to the products you all feel comfortable using for whatever reason. But the chaos we see nowadays with hacks, misinformation, spying etc.. is a direct result of the opaque , non-auditable nature of modern IT.

            Is FOSS the solution? Not on its own. But we need good foundations to help protect everyone from the bad guys - whoever they may be.

            P.

        2. martinusher Silver badge

          Re: GnuPG

          >Then you only need to be paranoid about Compiler Back Doors

          The compiler should be safe but not the libraries that the compiler uses unless you also build them from scratch using trusted sources. (If you use a language like 'C' then its easy enough to verify the compiler isn't planting any unexpected code.)

      2. Anonymous Coward
        Anonymous Coward

        Re: GnuPG

        windows automatically excludes security. There is absolutely no way to ensure there are not backdoors. Same goes for Mac OsX.

        There is no such thing as certainty when it comes to Operating Systems. It starts with acquisition: unless you compile from scratch from untainted sources and with a compiler and library you can trust you basically are already building on a bad foundation.

        Security is not an absolute - it's about managing risks. Some you can mitigate, some you manage, some you have no choice but to accept.

        1. Jaybus

          Re: GnuPG

          Yes, but it is darn hard to insert a backdoor into open source tools that dozens or perhaps hundreds of people will examine. I consider managing the risk to be compiling the open source code with open source development tools.

      3. Chris Daemon
        Paris Hilton

        Re: GnuPG

        "There is absolutely no way to ensure there are not backdoors." Errm, you cannot prove a negative.

        Your premise, not advice (as it is), sounds like an idea by Dan Brown.

        I give you Microsoft, don't use - no discussion.

        Mac OS X, install/use GPG, Little Snitch, protect via hosts file, don't install Adobe products. There's a start. Apple's convenient disk images, however, are not recommended - the libraries that provide for that feature are closed source.

        1. Charles 9 Silver badge

          Re: GnuPG

          "Errm, you cannot prove a negative."

          Reductio ad absurdum can prove a negative by asserting the affirmative and demonstrating it cannot logically exist (for example by showing its existence would present a paradox). That's how Turing's Halting Problem proof works.

          1. Chris Daemon

            Re: GnuPG

            @Charles - The _absurdity_ of the original post is evident: "There is absolutely no way to ensure there are not backdoors. Same goes for Mac OsX."

            That is the statement of someone wearing a tinfoil hat. Such idiots are not satisfied by rational, because the 100% unequivocal proof lies with the defense. The accuser merely has to judge the effort as futile or erroneous, and arbitrarily widen the burden of proof as necessary. It is an unprovable assertion, by design (perhaps more subconscious malice than overall stupidity).

            The negative statement, as per example, is analogous with this: "There is absolutely no way to ensure there are not backdoor probing aliens."

            I do not dispute the veracity of the original premise, in Windows' case by stupidity (not malice)... the clumsy assertion warrants anyone's criticism.

            I will not get into the vaguery of the initial statement, regarding backdoors, be they system-provided or by third-party tool.

            The absence of a guarantee does not give you the logical weight to make ridiculous claims. This is why we have idiotic arguments with Global Warming (I grew up last century, translate as you wish).

            I fail to see application of Reductio ad absurdum. Quite simply, the original poster used idiotic phrasing.

            The implied stupidity of the original poster is not finite by any means; furthermore, I'd say that he will always try to outweigh any evidence contrary to his original statement – because it would upset the view of government spooks as being lucky instead of capable... to bring it full circle with the actual article.

        2. Stevie Silver badge

          Re: Errm, you cannot prove a negative.

          "I am not dead".

          1. BongoJoe

            Re: Errm, you cannot prove a negative.

            I do not have fifteen legs.

    2. boltar Silver badge

      Re: GnuPG

      "Snowden approved."

      Is that supposed to be a recommendation? Seriously??

      Anything Putins Pet says these days can be comprehensively discounted as a reliable source of information.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Putins Pet"

        Since your memory is apparently as faulty as your grammar, let me remind you: Snowden had no intention of going to Russia. He was trying to get to South America and it was the actions of the US State Department in withdrawing his passport while he was in transit changing planes at Moscow airport that trapped him in Russia.

        1. This post has been deleted by its author

      2. asdf Silver badge

        Re: GnuPG

        >Anything Putins Pet says these days can be comprehensively discounted as a reliable source of information.

        Not to feed the troll but if you look dumbass he made an video for journalists showing how to safely communicate recommending GnuPG BEFORE leaving the US.

        >So is truecrypt.

        Since the warrant canary (which occurred after he left the country)? Don't think so. At least with GPG who the contributors and maintainers are is not a Satoshi Nakamoto mystery like TrueCrypt. That alone is a huge red flag to avoid TrueCrypt even without the warrant shenanigans.

    3. Anonymous Coward
      Anonymous Coward

      >"gpg ftw. Snowden approved."

      So is truecrypt.

  4. Jack of Shadows Silver badge
    Thumb Down

    id10t

    Why was that container open if he wasn't present? I know all the excuses around remote access but that's flat idiotic. And as for a keylogger there's ways to beat that as well. But damn it, why was it open whilst he was elsewhere!

    1. P. Lee Silver badge

      Re: id10t

      +1

      Why was the data not on a USB stick tucked behind the foil of his roofing insulation? Better yet, print that stuff out - its really hard to detect and hack paper.

      1. tacitust

        Re: id10t

        USB stick? Far too big. Try a micro SD card.

        1. CAPS LOCK Silver badge

          Yes, a micro SD card is...

          ... alimentary.

    2. h4rm0ny

      Re: id10t

      What are the ways to beat a keylogger?

      1. Trygve Henriksen

        Re: id10t

        Copy paste works OK as long as you use the mouse....

        Typing the characters in the wrong order and using the mouse to click where the next character needs to go.

        Some keyloggers 'filters out' arrow keys, delete, alt-tab... Write some characters, delete most, write some more... Alt-Tab to another app to type some decoy characters, then switch back...

      2. Paul Crawford Silver badge

        Re: id10t

        "What are the ways to beat a keylogger?"

        Tricky, but I would go for booting from a 'live' CD-ROM so you always have an un-tampered OS (assuming it was clean to start with). Bad luck if they manage to infect it just before you enter your pass phrase, but I guess you should not do email/web sessions before you have already closed the encrypted container.

        How long you could do so and put up with the inconvenience is another matter...

        1. Anonymous Coward
          Anonymous Coward

          >"booting from a 'live' CD-ROM"

          That only protects you against *software* key loggers. Take a look through the leaked NSA hardware catalogs to see how many kinds of keylogger it leaves you vulnerable to.

      3. Anonymous Coward
        Anonymous Coward

        Re: id10t (how to beat a key logger)

        Use a keyfile on a USB/microSD instead of (as well as) a password. Unplug/remove it once drives are mounted.

        (or 2 keyifles with the same name on separate USB/microSD if you want plausible deniability)

      4. Fred Flintstone Gold badge

        Re: id10t

        What are the ways to beat a keylogger?

        One time passwords? You can now even add TOTP to Linux logins, so if you want to go into paranoid mode it isn't even hard to do.

    3. Anonymous Coward
      Anonymous Coward

      Re: id10t

      I think there is a clue in the fact that he made a phone call to try and get the Synology switched off. These NAS drives support encryption of shared folders which are then mounted to make them accessible, shutting down the NAS was dismount the shared folders.

      Maybe the 30 character key was for the shared folders rather than a Truecrypt container ... just a thought.

  5. Binnacle
    Thumb Up

    per NSA slide (publicly disclosed)

    Impact to production

    MAJOR Loss/lack of insight to majority of target communications, presence

    OTR, Tor, . . .TrueCrypt

    one worse "CATASTROPHIC" category for when multiple techniques are used in combination

  6. phil dude
    Black Helicopters

    keylogging...

    I don't trust bluetooth keyboard. At.All.

    This wired keyboard can still be tapped , but would require physical access.

    It occurs to me that the only way to be sure is to have a secondary keypad on a remote tablet (say) with hardcoded one-time ciphers that could not be sniffed.

    Of course, the tablet might have been pawned, but using a single entry device is, well, not paranoid enough IMHO.

    The mathematics in truecrypt is secure, the coding perhaps not. Perhaps we need some more creative thinking?

    P.

    1. Loyal Commenter Silver badge

      Re: keylogging...

      This wired keyboard can still be tapped , but would require physical access.

      Are you so sure of that? What about the RF emissions from that keyboard?

      A paper on exactly this

      1. phil dude
        Black Helicopters

        Re: keylogging...

        Thanks for that! I'll add some more foil.....!!

        Or perhaps we'll be moving to fibre connected peripherals...?

        P.

  7. Henry Wertz 1 Gold badge

    Could have been read out of memory

    It's also possible via firewire, and possibly other means, to hook up a device to the system and read out the contents of the system RAM. If any of his home systems had been running and accessing the truecrypt volume, they could have not only kept his system on and copied the contents off, but probably read the key out of memory so they could make a forensic copy of the entire encrypted drive and decrypted it later. It's also entirely possible that he simply gave them the key.

  8. Anonymous Coward
    Anonymous Coward

    Obvious really.

    It's the USA, where 3-digit (in years) sentences are not unusual.

    He was only "sent down for 10 years". For spying??!!??

    It smells like a negotiated arrangement. No doubt under considerable duress.

    ^- Pure speculation. -^

    1. tacitust

      Re: Obvious really.

      More like informed speculation. In the US, over 95% of all successful convictions are secured without ever going to trial. Prosecutors have complete discretion when it comes to deciding what charges to bring against a defendant, and they use it to threaten (some would call it blackmail) them into pleading guilty in exchange for a much lighter sentence. Defendants can face up to six times the length of sentence if they reject the plea bargain presented to them, and since there about a 5% change of securing a not guilty verdict at trial these days, even innocent defendants are often told their best bet is to take the plea.

      It's likely that Glenn was facing life in prison if he didn't accept the plea bargain. Ten years is a long time, but he will get out one day, and no doubt that played major part in his copping the plea.

      Plea bargains have their place, but the US has taken things way too far. Not only does the plea bargain system put tremendous power in the hands of the prosecutor, it strips it from the judges, who are often further hamstrung by the many mandatory minimum sentencing laws that exist today. This is not how the US criminal justice system is supposed to work, and it has played a major role in why America is the incarceration champion of the world, with six times (not 6%, or 60%, but 600%!) as many inmates, per capita, than the European Community. So much for claiming to be "The Land of the Free."

      1. Anonymous Coward
        Anonymous Coward

        Re: Obvious really.

        The only problem is that without the plea bargain, the courts would be overloaded with cases, which can result in people getting off on Sixth Amendment grounds (the Speedy Trial clause). As for the mandatory minimum sentences, this was due to judges (sometimes corrupt ones) overlooking hardened criminals and getting them off on light sentences so they could soon be back on the streets and back in the criminal business.

        There are two sides to every coin. Trying to stop one unwanted result usually ends up with a different undesired result...if not both at the same time (the UNhappy medium). Which would you rather have? Overcrowded jails, crime lords getting off, or both?

        1. jason 7

          Re: Obvious really.

          Well the only reason for the Plea system is to get as many people into prison. Because the corporation running the prison gives kickbacks to the courts or the Warden is best pals/cousin of the Judge. The more prisoners, the more money they get.

          Prisoners make money!

          1. asdf Silver badge

            Re: Obvious really.

            >Prisoners make money!

            Not only storing them but you feed them inedible food and have your in-laws own the Commissary where the good stuff is but costs money. Captive market. Not to mention forced slave inmate labor is allowed in many states and even allowed to be used by private companies.

        2. tacitust

          Re: Obvious really.

          Other countries seem to do just fine without shoveling hundreds of thousands of their citizens directly into their prison system. Yes, without the 95% plea bargain rate, the court system would be overloaded, but you're missing the point. If the US criminal justice system worked along the same lines as, say, Germany or France (both major industrial nations with large immigrant populations), they could close 5 out of every 6 prisons tomorrow. The trick to not overloading the courts is to not to criminalize so many of your non-violent citizens in the first place -- decriminalizing pot possession would be an excellent start, for example.

          Even conservative politicians agree than mandatory minimum sentencing has cause gross miscarriages of justice, with far too many people spending decades in prison for what were petty crimes. There are better ways to solve miscarriages of justice than to spend billions in taxpayer's money over-incarcerating thousands of petty criminals in the fear that one or two "crime lords" will avoid justice.

          As for the Sixth Amendment, there are thousands (if not tens of thousands) of prisoners locked up around the country who have been waiting more than a year for their day in court. Prosecutors seem to have no problem with the Sixth Amendment when it comes to getting judges to agree to multiple postponements, as several high profile cases involving juveniles in the New York system shows.

          Your arguments are based on fear mongering and little else. You need to explain why you believe the US needs to incarcerate many times more its citizens than any other western nation on Earth in the first place. Plea bargains are not the only problem, of course, but unless you believe Americans are many times more criminally inclined than people in other nations, you must agree there is something badly wrong going on with the US criminal justice system, and it's costing all American tax payers dearly.

          1. Anonymous Coward
            Anonymous Coward

            Re: Obvious really.

            Germany and France may have immigrant issues, but they don't hold a candle on the US, where the majority of the population is non-white now. Not only that, there's considerably more cross-cultural tension, usually in multiple angles. The Hispanics don't like the Blacks who don't like the Asians who can't stand the Whites who basically hate everyone else. The trouble with a cultural mixing bowl is that you frequently run into "oil and water" issues where two cultures just can't see eye to eye. Plus with so many people (which has an effect on social compatibility, the US has lots more people than either France or Germany) and so few jobs, going up the social ladder can be extremely tough, which makes many turn to crime as the only way to live.

            So basically, you think YOU have crime problems? HAH! This isn't fear-mongering. This is firsthand experience.

    2. Anonymous Coward
      Anonymous Coward

      Re: Obvious really.

      The AC 'Obvious really.' was making the point about how they 'hacked into' the encrypted partition.

      'Hacked' my ass, actually via a "negotiated arrangement" which included handing over the password, and not revealing that he handed over the password. The AC didn't use the expression 'plea bargain', as the published plea bargain was just part of a higher level (and secret) "negotiated arrangement". Pure speculation.

      There's no other reasonable explanation for a ten-year sentence,out in four, for spying.

  9. Anonymous Coward
    Anonymous Coward

    I'm going with "he wrote it down and they found it". Could *you* remember a strong 30-char pw?

    1. Ole Juul Silver badge

      remember a strong 30-char pw?

      I agree with you, but the AC above has a point too - only 10 years sounds like negotiation.

      1. tom dial Silver badge

        Re: remember a strong 30-char pw?

        The plea agreement was linked in the article. The government got something and reduced the sentence recommendation in exchange for that and the guilty plea - perhaps some names of individuals to whom the data were to be delivered. Side payments probably would not be documented in the plea agreement.

      2. Turtle

        @Ole Juul Re: remember a strong 30-char pw?

        "only 10 years sounds like negotiation."

        Well it ought to - the article says it was the result of a plea-bargain and there's a link to a pdf of the actual agreement.

    2. Sampler

      yes

      I have a 36 character password for my laptops full disk encryption, it uses full alphanumeric and multiple special characters and I can remember it very easily.

      The trick is not to have random strings:

      Me8acR4BEBuZ26aWrAy7wutHApRafr8gabcd

      Is very hard to remember, whereas:

      1 easy really long C0mpl3x P@55w0rd!

      Is very easy to recall, has the same entropy and is not open to brute forcing. A simple short sentence with the odd freaking, misspelling and punctuation is very easy for anyone to remember.

      1. Mr Miser

        Re: yes

        1 really long C0mpl3x P@55wOd!, if I even got it right, is vulnerable to dictionary attack.

        1. Anonymous Coward
          Anonymous Coward

          Re: yes

          "1 easy really long C0mpl3x P@55w0rd! is vulnerable"

          It is. IIRC, Hashcat has rules for that sort of semi-obvious substitution. Even seemingly random strings constructed with keyboard patterns (bhu8nji9mko0) are vulnerable because they are patterns nevertheless, so they can also be automatically generated in bulk and added to a dictionary.

        2. Dazed and Confused Silver badge
          Happy

          Re: yes

          > 1 really long C0mpl3x P@55wOd!, if I even got it right, is vulnerable to dictionary attack.

          Not when you spell as badly as I do

      2. Anonymous Coward
        Anonymous Coward

        Re: yes

        I have a 36 character password for my laptops full disk encryption, it uses full alphanumeric and multiple special characters and I can remember it very easily.

        I tend to use a blend of languages - it makes for a simple to remember password but it would need various dictionaries combined to brute force it.

        However, full disk crypto is useless if you don't power down - suspend is not going to cut it.

        1. Pascal Monett Silver badge
          Thumb Up

          Re: a blend of languages

          Great idea !

          My next password will be puTain DE Effing Sheiss de Mierda067.

          36 powerful characters of entropy and immune to dictionary attacks.

          I like it !

      3. Anonymous Coward
        Anonymous Coward

        Re: yes

        A passphrase comprising six dictionary words (even from a dictionary that's been extended to include common misspellings and character substitutions as in your example) does not have equivalent entropy to one formed from 35 random characters.

        1. CAPS LOCK Silver badge

          @Credas

          O'rly? Bold claims require solid support. Put up or shut up...

          1. Anonymous Coward
            Anonymous Coward

            Re: @Credas

            OK.

            35 random characters, just selected from uppercase and lowercase letters and numbers: 62^35 or ~ 3E54 combinations.

            Let's be generous and consider a dictionary of 10,000 words. With an average of 10 misspellings of each word. And an average of 10 character substitution combinations for each word. And in 100 languages. And you can pick up to 6 of these bastardised words: 10E8^6 or 10E14 possible combinations.

            So if you still disagree with me then I invite you in turn to put up, or shut up.

            1. Charles 9 Silver badge

              Re: @Credas

              "Let's be generous and consider a dictionary of 10,000 words. With an average of 10 misspellings of each word. And an average of 10 character substitution combinations for each word. And in 100 languages. And you can pick up to 6 of these bastardised words: 10E8^6 or 10E14 possible combinations."

              Pardon me, but it seems the math's off.

              IINM, when a power is raised to a power, you multiply the exponents, meaning (10E8)^6 (or more properly, (1e9)^6) should end up with 1e54, which is darn close to the strict 36-random-character entropy you listed.

          2. Sir Sham Cad

            Re: @Credas

            Voila. Proof-by-xkcd (pretty sure that's a genuine methodology):

            https://xkcd.com/936/

            1. Will Godfrey Silver badge
              Happy

              Re: @Credas

              I prefer things that look like words but actually aren't. Such as:

              Corependiciously brogomatic munkphoriusness

              No, I don't use that one - shame it's quite memorable!

      4. Nifty

        Re: yes

        Are you sure that the latest clever Rainbow tables don't include common substitutions for letters, so putting entropy back to plain words level?

        1. Anonymous Coward
          Anonymous Coward

          Re: yes

          LOL. Letter/number/symbol substitution was a feature of password cracker tools 20+ years ago.

          Decryption/analysis speed is more important than password strength. IF you can try decrypting just the boot sector of a truecrypt partition and scan it for signatures, that's too easy. (Does anyone know if that's the case?) It should take *several seconds* per pw. Goal is to raise the hardware+electric cost of brute-forcing way above what your data's worth, ie. millions for measly consumer banking info, trillions for state secrets. Good luck with that...

          1. knightred

            Re: yes

            Look it's been ages, but a dictionary attack is where you use a list of "words" to test a password.

            So, if you use a common phrase or quote, it might be in a dictionary list. But, a meaningless phrase would not be in a dictionary list. And comparing every combination of words in the Oxford Dictionary as a phrase of length x with an unknown number of punctuation or spaces defeats the concept of a dictionary attack.

            so where "One small step!" is likely attackable by dictionary, "step small 1.!" wouldn't be. Your program would have to test every word with every combination of space/punctuation plus number/case subs.

    3. alun phillips

      Yep

      Y3sIcan,3asilyr3m3mb3ra30+charpassphras3

    4. Nigel 11

      Could *you* remember a strong 30-char pw?

      Yes - sort of.

      Generate a print-out of a lot of entropy. Say a 10 x 10 grid of 5-digit random numbers. Keep it with you. On its own, it can't be used.

      What you remember is a hash algorithm for combining the something you have with something you remember to generate a password, that's computable in your head.

      For example: Row 8 column 5 reading vertically upwards, six 5-digit numbers. Hash the first by adding d,d,m,y,y of your birthday, each digit modulo 10. The next one, your Mother's birthday. Sister, Spouse, bank sort code (five digits of), bank account # (ditto)

      remember: 8, 5, up, self, mum, sister, wife, bank, bank. Not hard.

      Better still make the something you have into something(s) with innocent utility. Bank cards. Driving License. Loyalty cards. Torn-off corner of a newspaper stock prices page with a reminder scribbled on it. These don't raise suspicion like a page of explicit random digits does.

      Other people will find the surreal imagery trick works better, which is how people have managed to memorize entire telephone directories. Construct a sentence of words that don't normally go together but which do parse correctly. "Green ideas sleep quickly in well-padded spoons". That sort of thing.

  10. DougS Silver badge

    "not go into sleep mode or require screen unlock"

    That instructions one as to how you need to set things up if you are doing something where you fear you may be raided by the FBI (or worse) at any given moment.

    Rather than inactivity timeout, have your screen lock automatically once an hour (or whatever) even when in active use. Might be a bit annoying, but the FBI would really have to have their shit together to be prepared to deal with the evidence that quickly. If you think they can deal with it in 10 minutes, then your screen needs to autolock every nine. You can add other precautions such as having it autolock if it loses wifi; use the G-force sensor in the hard drive to detect movement and autolock it, and anything else you can think of.

    The other thing is to insure that the in-memory copy of the key for your encrypted volume is erased when the screen locks. That will make the software unhappy (at least I'm sure Linux would complain a lot if it lost read/write access to your home directory every time the screen locks) but spamming your logs is a small price to pay for avoiding a decade in Leavenworth (or worse)

    None of this will guarantee you don't go to prison, but it will make it harder to prove your guilt. Though in this case this idiot kept DVDs of the classified material so they didn't even need to break his TrueCrypt volume. They presumably only did because they figured he had more stuff than what was on the DVDs. Not sure if the DVDs were encrypted...one would hope so, but who knows.

    1. ckm5

      Re: "not go into sleep mode or require screen unlock"

      It won't work if you are under surveillance for months, it's not like the FBI is a bunch of morons (well, not always anyway).

      The real solution is to have a physical power switch - that way if you suspect something, you just cut the power. Harder to do in a laptop, but not impossible.

    2. 404 Silver badge
      Childcatcher

      Re: "not go into sleep mode or require screen unlock"

      Say you incorporate all that into a Toughbook CF-53, with all the NATO security addons, it would be nigh impossible for the FBI to deal with? At least keep 'em out while the statute of limitations runs out?

      Heh... What are the modern superspy hackers carrying around these days anyway?

      1. Anonymous Coward
        Facepalm

        Re: "not go into sleep mode or require screen unlock"

        Data on 21+ million Americans...

    3. Anonymous Coward
      Anonymous Coward

      Re: "not go into sleep mode or require screen unlock"

      I actually have a bluetooth lock running when I'm onsite somewhere. On account of considering myself as fallible as the next person, I tend to use multiple layers of defence and tune them to my habits.

      One of those is that I always take my mobile with me, so a Bluetooth lock works for me, except when I'm on a site with radiation restrictions - but those have better office security measures anyway.

  11. Anonymous Coward
    Anonymous Coward

    An alternative option..

    I know you're all straight forward thinkers, but let me lead you onto a slightly diagonal road: what if Truecrypt is too good? What if Truecrypt was indeed a complete swine to crack? Would it not be an excellent idea to spread rumours about it being rubbish (rumours, I should add, that up until now have not been substantiated by any evidence whatsoever)? The result of those rumours would be that everyone would abandon it, making them more vulnerable than before.

    PSYOPS exists, you know, and people in panic rarely think logical.

    Just an alternative view. It's not backed up by any evidence, but neither is this alleged Truecrypt weakness. I find it suspicious that the FBI would let something like that leak. After all, these are the people that are prepared to drop prosecution to keep the details of STINGRAY protected..

    1. Will Godfrey Silver badge

      Re: An alternative option..

      Exactly what I've been thinking ever since the sudden 'Do Not Use' warning.

    2. itzman

      Re: An alternative option..

      PSYOPS exists, you know, and people in panic rarely think logical.

      E.g. Climate Change.

    3. Anonymous Coward
      Anonymous Coward

      Re: An alternative option..

      I find your theory highly plausible. The NSA has a huge budget; how simple would it be to approach the devs with an offer like "Shut down the project, sign an NDA and keep quiet about why you did it, and we'll give you fifty million dollars. You'll never need to work again and you'll never need to worry about the future for yourself and your family."

      A lot of people, no matter how benign their intentions, would find such an offer hard to refuse.

      1. TechnicalBen Silver badge
        Meh

        Re: An alternative option..

        More likely the TrueCrypt developers were given a legal ultimatum. "Give us a backdoor, stop development, or we drop the books on you for an eternity".

        The defeat of the system would have been in the defeat of the people. Their anonymity would have presumably been lost at some point, and then the pressure would have built up as time went by.

        That or the hardware backdoors are so prevalent, that it made the software and supposed "security" offered redundant, so a retreat the only current option.

        No anon, because, well, would it even make a difference?

    4. Anonymous Coward
      Anonymous Coward

      Re: An alternative option..

      It doesn't matter if truecrypt (or ANY encryption system) is good, because the systems it runs on are woefully insecure. They should not be used to store valuable information, period. Anyone doing so should go back to the drawing board and figure out how to operate without relying on electronic devices to keep secrets.

      Truecrypt is a stopgap solution at best.

    5. asdf Silver badge

      Re: An alternative option..

      Perhaps so but why take a chance when FOSS software just as good for most use cases already exists (GnuPG) and unlike TrueCrypt doesn't hide who its authors and maintainers are?

  12. Anonymous Coward
    Anonymous Coward

    VeraCrypt and alternative

    Anyone moved from Truecrypt to Veracrypt?

    1. Neil 44

      Re: VeraCrypt and alternative

      Yes. And got it running whole system on Win 8.1 successfully. (Convert the partition to MBR!)

      Slower to boot than TrueCrypt though (I gather it is doing more "trial and error" to determine precisely which encryption was used with more variations...)

      Other than that, working fine

      1. Anonymous Coward
        Anonymous Coward

        Re: VeraCrypt and alternative

        Many thanks

  13. -v(o.o)v-

    As per NSA: go around the crypto, my guess is they either found the password hardcopy or they found the "rescue" disk.

    1. Anonymous Coward
      Anonymous Coward

      The rescue disk doesn't help them any more than possessing the encrypted volume itself does - it still only holds an encrypted copy of the disk encryption key.

      1. DanDanDan

        Encrypted copy of the encryption key? What key do you encrypt it with?

        It's encryption keys all the way down.

        1. Charles 9 Silver badge

          "Encrypted copy of the encryption key? What key do you encrypt it with?"

          The same one(s) you use to unlock the volume to mount it. IOW, having the rescue disk simply means you have another door if the one's been caved in. Thing is, it has identical locks to the first one.

  14. Tom_

    This is not a tech problem

    From the article:

    Glenn made a phone call to his mother in which he asked her to relay a request to tell his housemate in Honduras "to disconnect the black box with the blinking lights on top of the batteries."

    I'm surprised nobody has suggested that the housemate might be the weakest link. He/she could have been influenced or employed by the authorities and Glenn just told them exactly where to look for the evidence that convicted him.

    1. Paul Crawford Silver badge

      Re: This is not a tech problem

      He could have bought an IP connected power block and simply cut the AC power remotely. Given the pain of managing remote boxes, I would do that even though I don't have anything particularly worth encrypting to that degree.

      1. 404 Silver badge

        Re: This is not a tech problem

        Telnet power blocks - best invention next to peanut butter - saved many many miles of travel back in the late 90's, early 2000's at an ISP I worked for. Windows shop you see, with many NT boxen before I did the migration to W2k AD.

      2. J.G.Harston Silver badge

        Re: This is not a tech problem

        I would have had it plugged into a "clockwork" power timer so it always powered off for 15 minutes once every 24 hours.

  15. Nifty

    Truecrypt will become obsoleted on Windows

    If it has not happened already, a future version of Windows will fail to support Truecrypt in any compatibility mode.

    Go figure.

    1. Charles 9 Silver badge

      Re: Truecrypt will become obsoleted on Windows

      VeraCrypt is a fork of TrueCrypt and under active development. They can keep up with Windows, and since there's still a need for filesystem utilities like defraggers, there will always be a way in.

  16. Orwell

    It is interesting to note that the FBI man knew it was a 30 character password.

    After:-

    Glenn had sent an email to an associate with an internet hyperlink to an article entitled 'FBI hackers fail to crack TrueCrypt.' In this case, the FBI did decrypt Glenn's hidden files containing the stolen classified materials.

    FBIhackersfailtocrackTrueCrypt

    is 30 characters. A bit of FBI guesswork?

    I still trust TrueCrypt actually. My guess is that the developers stopping work on the project is a classic case of the canary singing.

  17. Anonymous Coward
    Anonymous Coward

    There are forensic tools which recover truecrypt keys directly from memory, swapfiles or hibernation files which may have been laying around for months.

  18. Gideon 1

    CRIB

    The FBI will have known which documents he had access to, giving them very large cribs to attack the ciphers, without even considering the password. They were looking for known knowns, not known unknowns or unknown knowns.

  19. Rainer

    Keylogger, plea-bargain or just XKCD 538.

    In any case, that guy is an amateur compared to Edward Snowden.

    I would guess that most of the files Snowden siphoned away from his work were accessed with someone else's user-id to begin with...

    1. Loyal Commenter Silver badge

      Exactly. My first thought was rubber hose cryptanalysis.

      1. Anonymous Coward
        Anonymous Coward

        I wonder what would happen, though, if the subject in question was either a masochist or just extremely frail.

        Torturing a masochist just gets him/her off. They like it so won't do you much good.

        As for the frail, it's too easy, even nonphysically, to go too far and make him faint, even to the point that trying to force him awake can result in a life-threatening condition, making torture of any kind too risky.

  20. petur
    WTF?

    Synology + truecrypt?

    As far as I know, truecrypt isn't readily available for Synology (you can build and run it though) so I certainly don't buy the hidden compartiment on the NAS story. Maybe he just stored truecrypt container *files* on his NAS?

    If they already manage to obfuscate those facts, I wonder what they did to the rest of them to create a bit of FUD

  21. tony2heads
    FAIL

    Memorex DVD marked 'secret'

    That was dumb.

    If you want nobody to even try reading it mark it something like 'Correspondence with lawyers over medical error'

    Just the mention of Lawyers and the medical profession will make the DVD shunned like Ebola

    1. Anonymous Coward
      Anonymous Coward

      Re: Memorex DVD marked 'secret'

      Not necessarily. Attorney-client privilege only works if you actually ARE talking with a lawyer over the matter, which can be checked without disclosing too much information. What might work is having a whole bunch of blank or coaster discs marked "Top Secret" so that they have to check each one. The trick would be to conceal the actual file, since the plods may just be anal enough to treat EVERY disc as suspect, regardless of what it says.

      1. DropBear Silver badge

        Re: Memorex DVD marked 'secret'

        "What might work is having a whole bunch of blank or coaster discs marked "Top Secret" so that they have to check each one"

        Ever since Lem's blue bolts in the "Cyberiad" it has become quite obvious that the impossibility to prove something really isn't concealed damning evidence can be a fairly significant problem once you decide you'd rather come clean.

    2. Anonymous Coward
      Anonymous Coward

      Re: Memorex DVD marked 'secret'

      My secrets are stored on a DVD marked "granny porn". Who's going to want to check that out?

      1. Charles 9 Silver badge

        Re: Memorex DVD marked 'secret'

        Possibly a grandpa who's actually into granny porn. Remember, if it's out there, it's usually because someone's actually turned on by it. Yes, even stuff that would turn most stomachs.

  22. thexfile

    If the hard drives have a keylogger in the firmware (NSA) then the password would be easily found. Google: Kaspersky Exposes NSA’s Worldwide, Backdoor Hacking of Virtually All Hard-Drive Firmware

    1. phil dude
      Black Helicopters

      very scary...

      Yes that was a very scary article - even hard disks can't be trusted!

      P.

  23. Daniel200

    Truecrypt .... so many possibilities

    Truecrypt may have a back door .... but if only the US government has it ... then that is not a problem for most people ....

    On the other hand, I think the people who reviewed the Truecrypt code are credible. Another scenario is that the US government is unable to easily circumvent Truecrypt ... and all this is about getting the bad people to stop using the product ...

    For people really concerned, one can and should put a Truecrypt container inside of another Truecrypt container ...and use a distinct password + keyfile for each container ....

    It is well documented that keyboards are very vulnerable to hacking ... The US govt has access to all kinds of very capable keyloggers ... that could have been inserted in multiple ways... And as stated previously, Electronic signals emitted from the keyboard can and have been deciphered. But if you know who your target is ... a camera properly placed could easily recorded the keystrokes ...

    We are in the time of virtual computers .... The US government could create 1,000,000 virtual PC's inside of their computing centers (or as well rent the service from Amazon) ... and then divide up the decryption task among the 1 million virtual PC's and solve a 36 character password. A 50 character password with a keyfile is much more difficult to decrypt ... especially if embedded containers are used..

    I think most people know what SETI is ... What if that computing power was occasionally redirected to breaking passwords?? Who would know?

  24. Anonymous Coward
    Anonymous Coward

    Fricosu keys

    TrueCrypt and LUKS need a Fricosu key. This is a second key, created when the encrypted volume is initialized which, when entered under duress in Colorado, would cause the system to silently and permanently forget the real decryption key.

    This would be good for journalists traveling to Brazil and getting nabbed by the Bobbies, but it wouldn't do a shag bit of good if the drive has already been imaged.

    Well, it's better than nothing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fricosu keys

      It would also do sod all in places like England where one can be compelled by law under threat of prison. I wonder if anyone there's tried to plant a chunk of truly random data on someone's hard drive and then sicced a child porn or terrorism charge on them.

  25. Jeckle

    Trials do not follow the scientific method...

    Haven't read all the comments but my opine on this is the following:

    He was convicted for 10 years by a court presumably relying on the testimony of "experts".

    If I know what documents are supposed to be on your computer it seems to me that it should be a relatively trivial (emphasis on relatively) task to figure out a "Key" that would demonstrably expose those exact documents from the noise that a good encryption utility is supposed to generate.

    The only thing standing between the prosecution and a conviction is the defense's "expert" and how diligent that person is.

    The jury would be selected based on their ignorance of such matters as seems to be usual in these types of cases.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019