Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts Government Data Storage Encryption Security News

Police Need 90 Days To Crack Hard Drives 693

Twyko64 writes "The UK police may need 90 days to hold terrorist suspects because it takes that long to crack a suspect's PC hard drive." From the article: "Combining the analysis, the translation and second stage analysis, add inter-country co-operation and interview strategy formation, and from the police point of view, the existing 14 days is inadequate and 90 days doesn't look excessive. Another factor is encryption sophistication. If 256-bit triple-DES or similar techniques are used then decryption could require supercomputer-levels of cracking."
This discussion has been archived. No new comments can be posted.

Police Need 90 Days To Crack Hard Drives

Comments Filter:
  • by BushCheney08 ( 917605 ) on Friday November 04, 2005 @10:16AM (#13949999)
    Nothing for you to see here. Please move along.

    Hmmmm. Guess I'll come back in 90 days for the dupe...
    • Re:90 days, eh? (Score:5, Insightful)

      by Anonymous Coward on Friday November 04, 2005 @10:47AM (#13950310)
      I hope not. Holding suspects for any amount of time without probable cause is bullshit. A hard drive whose contents is not decipherable (as yet if ever) is not probable cause. It is an unknown. If the police do not have reason to hold an individual aside from a hard drive of unknown content, the police have do not have reason to hold an individual.
      • Re:90 days, eh? (Score:5, Insightful)

        by Don_dumb ( 927108 ) on Friday November 04, 2005 @11:07AM (#13950558)
        Mod that comment up
        If they don't have enough proof to charge someone after even a couple of days, why are they so sure someone is a suspect at all?
        They must have some reason to arrest someone in the first place and I sincerely hope that reason is based on a collection of very compelling evidence. At which point they can charge him/her and have as much time as they want anyway.
        • Re:90 days, eh? (Score:5, Informative)

          by mikerich ( 120257 ) on Friday November 04, 2005 @11:36AM (#13950846)
          I sometimes wonder if the evidence is along the lines of 'looking foreign with possession of, or intent to grow, a beard'. From The Daily Telegraph [telegraph.co.uk] (27/01/05):

          That police activity has been considerable. Since September 11, 2001 to the end of last year, 701 people have been arrested under the Terrorism Act 2000, which requires only "reasonable suspicion" to arrest. Most have come from various branches of the Muslim community - either North Africans, who were the subject of most arrests in the immediate post-September 11 period, and Middle Eastern Muslims, or British-born suspects of Pakistani origin.

          However, only 119 of those arrested were charged under the Act. Of those, 45 were also charged with offences under other legislation. A total of 135 others were charged under other legislation, including charges for "terrorist offences that are already covered in general criminal law such as grievous bodily harm and use of firearms or explosives". There have also been a number of fraud cases.

          Of the rest, about 60 were transferred to immigration authorities and 351 were released without charge. Only 17 individuals have been convicted of offences under the Terrorism Act and there have been "lesser" convictions, either Irish-related or as a result of membership of proscribed terror groups.

          There have been no convictions of alleged Islamic fundamentalist terrorists for the kind of readily understandable "direct" terrorist offences, such as bombings, shootings or possession of explosives and guns, which characterised the years when the Provisional IRA attacked the mainland.

          • Re:90 days, eh? (Score:3, Insightful)

            by h4rm0ny ( 722443 )

            Of course these powers will be misused and overused. They make so many things easier by removing restrictions under which police operate and lessening the consequences of their actions. But I keep thinking of the following quote:

            A policeman's job is only easy in a police state. - Mike Vargas, in "Touch of Evil" by Orson Welles br
        • Re:90 days, eh? (Score:4, Insightful)

          by haraldm ( 643017 ) on Friday November 04, 2005 @04:07PM (#13953206)
          Err - sure. Like in Al Ghureib and Guantanamo, right? Without any possibility of consulting a lawyer, right. Yeeeessss sure. If the U.S. were a constitutional state - OK. But the current government has demonstrated publicly that it doesn't give a shit about constitutional rights or the Geneva convention. If it appears convenient, people are taken to another country where even less shit is given about people's rights. It's not as if we hadn't been there, done that. Strategically, you don't fight a worldwide guerilla organization by staring to control your own citizens electronically.
      • Re:90 days, eh? (Score:5, Insightful)

        by kilodelta ( 843627 ) on Friday November 04, 2005 @11:10AM (#13950584) Homepage
        Encrypting a drive is enough for probable cause.

        In the twisted logic of the law enforcement game, pretty much anything can be used as PC.

        Put it this way, when I worked for the state AG's office all we'd need is the slightest whif and the next thing you know we would be hauling out paper records and computers, servers, etc.

        And in the U.S. we have secret courts that will issue warrants with virtually no burden of proof. How do you like those apples?
        • Re:90 days, eh? (Score:4, Informative)

          by networkBoy ( 774728 ) on Friday November 04, 2005 @11:25AM (#13950736) Journal
          "And in the U.S. we have secret courts that will issue warrants with virtually no burden of proof."

          No we don't, they issue warrents right out in the open :P
          (sad but true, due to the lack of public scrutiny, they might as well be secret)
          -nB
          • Re:90 days, eh? (Score:5, Informative)

            by Parity ( 12797 ) on Friday November 04, 2005 @01:01PM (#13951633)
            Err, we have both. The prior poster was referring to the patriot act provisions that allow for closed hearings held in an undisclosed location with an unpublished docket. Supposedly they aren't entirely secret in that they're supposed to reveal what they've done some amount of time after the fact. Unless a motion is granted to keep the information secret for longer do to an investigation still being 'ongoing'...

            Of course, that's supposed to be only in case of terrorists, ordinary criminal cases are supposed to be tried in ordinary open courts (although even there, the court can seal entire hearings so all you know is that the police made a motion before a judge at a particular time and place, not anything about the content of the motion. In wiretap warrants, for example, so as not to tip off the person to be spied on.)

        • Encrypted drives? (Score:3, Insightful)

          by WoTG ( 610710 )
          What, so now that I do encrypted backups onto removable USB drives using Windows EFS, I'm at risk having to explain myself every time I cross the US border (I'm Canadian)? What's next? VPN software? SSH? SSL'd bookmarks in my browser?
      • Re:90 days, eh? (Score:3, Insightful)

        by Red Flayer ( 890720 )
        TFA states that this is unlikely to go through due to personal liberty issues:

        "With the measure unlikely to make it into law thanks to widespread opposition from MPs due to its civil liberty implications..."

        Also, this isn't about it taking 90 days to crack a hard drive, decrypt the contents, and translate them... it's about an overload of hard drives needing to be cracked, and the lack of resources to do it in a timely manner.

        Also FTA: "Dr Mirza said: "There was a massive backlog of computers to anal
    • Re:90 days, eh? (Score:5, Interesting)

      by dswan69 ( 317119 ) on Friday November 04, 2005 @11:56AM (#13951041)
      I do think they should pay full compensation if nothing comes of their investigation. A detained person can't work, and will quite probably also lose their job. Given the police force's tendency towards extreme paranoia and abuse of power, especially when given sweeping powers, the government must be willing to pay up, and pay up big, anytime they make a mistake.

      Maybe we should start differential taxation - if you support extended imprisonment without trial and excessive police powers because you think it will make you safer, then you must also be willing to pay extra for it. I don't want my taxes wasted on this game of idiots.
  • by TWX ( 665546 ) on Friday November 04, 2005 @10:18AM (#13950015)
    They're really going to hate it when suspects start using steganography. Imagine having to brute-force decrypt, only to then have to search for a particular piece of straw in a haystack...
    • They're really going to hate it when suspects start using steganography.

      Generally they try to capture a complete computer containing all the algos used for the steganography. That way they don't have to search for a needle in a haystack.

      It's a bit like the code devices of WWII. It was always easier to capture a code machine than try to brute force the code itself.
      • by TWX ( 665546 ) on Friday November 04, 2005 @10:38AM (#13950231)
        What if I don't use a programmed algorithm?

        The old "manipulate the image in the picture" effect would allow me to hide data in an image, and it could be done to where only modifying the image to specific hue or color adjustments reveals the data. It would be something that someone could memorize, and open files read-only to find, modify in RAM, and never save back to the drive once the message is known. There could be thousands of photos in someone's photo album, and only a few that actually contain data too, so that it's hard to even find the files used, let alone to figure out how they're used.

        I could also know that certain letters in a text file based on some derivation of a number sequence for position of the letter or word is the message. Anyone that I'm corresponding with could also know the sequence, but if neither party writes it down then it's much harder. It would also work for storage of sensitive data, and be even better security since there'd be only one person who'd know how to recover it.

        The most effective way to hide something or protect something is to ensure that nothing is ever written down about recovering it, ever. If there's no key to find then it's again down to brute force.
      • by Ckwop ( 707653 ) on Friday November 04, 2005 @10:40AM (#13950254) Homepage

        Generally they try to capture a complete computer containing all the algos used for the steganography. That way they don't have to search for a needle in a haystack. It's a bit like the code devices of WWII. It was always easier to capture a code machine than try to brute force the code itself

        This is actually wrong. Kirchoff's principle applies as equally to steganography as it does to cryptography; even with completly knowledge of the algorithm it should be computationally infeasible to determine a secret message is implanted in the cover text.

        Secure stegangraphy is truly undetectable.

        Simon.

    • Do it the other way round: Have the encrypted files hidden with steganography. It doesn't hurt if someone sees the images, movies or sound files you've hidden your info in (that's the point of steganography), and since a good encryption looks just like noise, it should be extra hard to detect where files may be hidden (I guess you would have to try to brute-force decrypt the noise of every single file, because it might actually be encrypted, hidden data, and then you may still not find the stuff because it'
    • by TheLink ( 130905 ) on Friday November 04, 2005 @10:35AM (#13950203) Journal
      They? You totally miss the main point: the people detained are really going to hate it.

      And if people have 500GB of data, or more, does that mean the police are going to want to detain them for even longer?

      There are already 500GB drives out there.
  • by Dwonis ( 52652 ) * on Friday November 04, 2005 @10:18AM (#13950019)
    *I* always use at *least* 1024-bit AES!
  • the subject says it all .. please replace TFA with one written by a clue-holder.
    • by Proaxiom ( 544639 ) on Friday November 04, 2005 @10:25AM (#13950108)
      That should be the tip-off for the uninitiated, in any case. Triple DES has an effective key length of 112 bits. I'm sure they meant 256-bit AES, but it's a good clue that the author has no idea what he's talking about.

      Seriously, nobody, including name-your-favourite-government-agency, is brute forcing a 256-bit AES key. Not in 90 days. Not in 90 years. Think about the number 2^256 for a second, and consider the computing power required to do that many operations.

      What may be possible in 90 days is brute forcing passwords, which is practical if the perp uses password-based keys. The article doesn't mention that.

      It's also possible that the authorities are just exaggerating their capabilities so as to deter pedophiles and what-not. If you can't read people's mail, it's sometimes effective to pretend to be reading people's mail.

      • by Dachannien ( 617929 ) on Friday November 04, 2005 @10:32AM (#13950178)
        Seriously, nobody, including name-your-favourite-government-agency, is brute forcing a 256-bit AES key. Not in 90 days. Not in 90 years.

        0x00000000 00000000 00000000 00000000 00000000 00000000 00000000 00003039? That's the kind of encryption key an idiot would have on his luggage!

      • by z-man ( 103297 ) on Friday November 04, 2005 @10:38AM (#13950232)
        Pssst, like the NSA doesn't have quantum computers behind that triple fence that can brute force 256bit keys in an instant.

        Now, shut up and help me find my tinfoil hat.
      • Ok what about with rainbow tables [antsight.com], vast stores of precomputed hashes? They say that with a 64GB table, it'll take a few minutes to crack any Windows lanmanager password up to 14 characters in size using "all possbile characters on a standard keyboard (not including those alt+xxx characters)" on a standard 666 MHz system. Some individual table sets have been known to reach 600+GB in size. How do the likes of 3DES and AES stand up to that? I'm an encryption noob.
        • by Proaxiom ( 544639 ) on Friday November 04, 2005 @11:53AM (#13951000)
          Windows lanman hashes are notoriously weak, tools like rainbowcrack take advantage of that fact to crack the passwords in ridiculously short periods of time (IIRC, weak passwords fall in seconds). Among other issues, the 14 characters are split into two 7-character strings, which are hashed separately. This means finding a long password is equivalent to finding two short passwords: additive complexity rather than multiplicative complexity.

          But brute forcing passwords and brute forcing random encryption keys are two totally different balls of wax. When you break passwords, you rely on the fact that there are a limited number of passwords users will use. If you consider how many 8 character passwords you can construct using upper case letters, lower case letters, and numbers, you'll see there are only around 2^48. If you only use English words than the number is far, far lower (less than 2^20). Those are crackable.

          If, on the other hand, you use a random 256-bit AES key that is not derived from a password (meaning you have to store it somewhere securely), nobody is going to be able to brute force it.

  • Blatantly WRONG (Score:5, Interesting)

    by Work Account ( 900793 ) on Friday November 04, 2005 @10:20AM (#13950045) Journal
    Most times a police department cannot even ANALYZE data properly if a machine is not running some modern form of Microsoft Windows on an x86 platform.

    They have automated TOOLS that go through and find Web browser histories, caches, and cookies.

    On machines where users do not run Microsoft Internet Explorer and use Outlook for email, often times departments are SOL.
    • Re:Blatantly WRONG (Score:3, Interesting)

      by Agelmar ( 205181 ) *
      Assuming this is true (which I find really depressing): On modern versions of Windows (2K/XP Pro) you can enable encryption in the NTFS filesystem. Since I don't run Windows I'm not sure of the specifics (keylengths etc), but I wonder if this would also be too much for departments to handle. Then again, maybe I really don't want to know...
    • by account_deleted ( 4530225 ) on Friday November 04, 2005 @10:34AM (#13950201)
      Comment removed based on user account deletion
    • Re:Blatantly WRONG (Score:5, Informative)

      by XorNand ( 517466 ) * on Friday November 04, 2005 @10:35AM (#13950208)
      The defacto application used by law-enforcement agencies to do these things is EnCase [guidancesoftware.com], if anyone is interested. It's major bucks though, and don't expect to be able to download a demo version. ;-)
    • Re:Blatantly WRONG (Score:3, Informative)

      by pegr ( 46683 )
      Most times a police department cannot even ANALYZE data properly if a machine is not running some modern form of Microsoft Windows on an x86 platform.

      While largely correct, the situation changes if you get the attention of the three letter organizations. Of course, if they were on to you, the 90 day thing wouldn't mean anything, as you are more likely to just have your drive imaged and your keyboard bugged. If you got wise to the black bag job, you'd simply disappear...

      I can understand th
    • by sparr0w ( 902739 ) on Friday November 04, 2005 @10:52AM (#13950379)
      I think the key to this article is not the piece on encryption, but the piece on inter-county cooperation. In the states, it takes a long time for evidence to be approved by the proper authorities for analysis, just because the people doing the analysis don't want to screw up and have the evidence thrown out in court.

      And as easy as it is to make fun of the police's analysis methods, my guess is most slashdotter's don't even know what it's like to process evidence for a case. It's not just "running automated tools" on some suspect's hard drive. It's getting to know the case, knowing what you're looking for and where to look for it. Many times it's the police themselves that are writing these "automated tools", which only present the evidence in a way less technical minded officers assigned to the case can understand. And what happens once you get that evidence? You have to try to fit it into the puzzle of the case. It isn't CSI, where you find some email detailing the crime that's digitially signed and the suspect confesses to writing it. Often times its finding some random piece of partially-overwritten text and having to see if it fits into the overall case.

      And yes, most digital forensic labs can analyze your precious reiserfs/ext2/ext3/whatever file systems. In fact, I've never run across a lab that couldn't. So don't think you're 1337 linux system will be safe if it's ever involved in a crime. And if they don't have the tools to analyze them, they'll contact a department that does. That's how the real world of forensics works.

      Next time you want to talk about a subject you blatently don't understand, do us all a favor and don't hit the submit button.
  • by tgd ( 2822 ) on Friday November 04, 2005 @10:20AM (#13950046)
    They should just pin the suspect down and pump five rounds into their head.

    Oh wait...
    • Well, in the case of terror suspects, the information that the detainee holds is far more valuable than convicting the detainee himself - a bomber who might provide links to the larger organisation, for example.

      Trying to decode the information held within several thousand lumps of human brain tissue would probably take even longer than 90 days ;)
    • They should just pin the suspect down and pump five rounds into their head.

      What, you think they'll start talking after 5 rounds of free beer?
  • by Jamu ( 852752 ) on Friday November 04, 2005 @10:21AM (#13950048)
    If it's illegal to not provide the police with a key to encrypted data, why can't they just put that person in prison for that crime and decrypt the data at their leisure?
    • by dan dan the dna man ( 461768 ) on Friday November 04, 2005 @10:31AM (#13950167) Homepage Journal
      This is an excellent point, it is true it is illegal to withold encryption passphrases etc. from the police if they ask you to surrender them. This is why there is a fight in the UK to stop this 90 day 'hold without evidence' the police and government are pushing. The opposition parties have been making this exact point - just bust them on the lesser charge, sling them into jail on something they've *actually done* rather than something they *may have done* and then use that time to gather the rest of the information. Makes perfect sense to me.
    • by Raul654 ( 453029 ) on Friday November 04, 2005 @10:39AM (#13950247) Homepage
      I can't speak to the UK, but in the US you are have a right against self incrimination. You have the right to refuse to answer police questions, and (short of being called to testify before a grand jury and being given blanket non-transactional immunity for your testimony) there's really no way to compel a person to talk to the government about anything they don't want to.
    • > If it's illegal to not provide the police with a key to encrypted data
      There's a real problem with burden of proof here, in that you now prove you don't have the key to any encrypted data the police demand a key for. This is essentially impossible.

      This is particularly an issue if, say, Evil Bob accidentally e-mails his plans for world domination to me. Of course, he's not a fool (except for the inability to use an addressbook, but nevermind), so he's encrypted his plans. I get a freaky looking encrypted
  • 256? 3des? no. (Score:5, Informative)

    by jlcooke ( 50413 ) on Friday November 04, 2005 @10:21AM (#13950050) Homepage
    3des. 3 x des. des uses 64 bit key. Well, 56 bit if you remove the useless parity.

    3 x 56 = 168. or 3 x 64 = 192. Either way, 256 is is not.

    256 bit AES, then maybe.
  • What about RIP? (Score:4, Interesting)

    by andrewscraig ( 319163 ) on Friday November 04, 2005 @10:22AM (#13950065)
    I thought that was why the UK introduced the RIP act (http://www.hmso.gov.uk/acts/acts2000/20000023.htm [hmso.gov.uk])? Could they just demand that the person comes up with the keys -- if they don't, hold them through the RIP act and brute-force them, if they do -- then they've either got evidence or the innocent person can go free?

    It seems that they are just using this as an excuse to hold someone indefinately?
  • Ninety days? (Score:5, Insightful)

    by SatanicPuppy ( 611928 ) <Satanicpuppy@gmail. c o m> on Friday November 04, 2005 @10:23AM (#13950073) Journal
    Psssh. That's gotta be a worst case scenario. In my experience, even people who are paranoid enough to encrypt things tend to be careless with their keys. I found one once where the guy had encrypted the hell out of it, and left a copy of the key in the default key gen directory. Some people just throw it in the trash, and then forget to empty the trash, or forget to secure purge it afterward, so the key can be recovered.

    For big corporations and places that have enough staff to be able to implement a good crypto policy, I'd be surprised if you COULD crack it in 90 days. 256 isn't anywhere near as high as you could go if you were paranoid, and storing data that you didn't need to read all the time.

  • by jfengel ( 409917 ) on Friday November 04, 2005 @10:25AM (#13950103) Homepage Journal
    The idea is that you're holding them without any charge until you gather the evidence on the hard drive.

    I understand that the police will sometimes be unable to completely make a case until they've gathered all the evidence, but it seems that there should be some sort of intermediate level to say, "We have at least some reason to hold this guy."

    Perhaps what's needed is a judge to say, "Yeah, you have enough evidence, and the guy presents enough of a flight risk, for me to let you hold him for three months", even if that evidence would be insufficient for a real indictment.

    Because right now it sounds like "We're going to lock this guy up for 90 days with absolutely no evidence at all on our say-so."
    • by glesga_kiss ( 596639 ) on Friday November 04, 2005 @10:54AM (#13950410)
      What's really fucked up is that people like the Guilford Four, also accused of terrorism during a politically sensitive time, we put away on fake evidence compiled by the police who were anxious to get a result. Back then, you were "innocent until proven Irish". Now it's "until proven Islamic". They were tortured for confessions and finger pointing. Sound familiar? Something happening RIGHT NOW?

      Computer evidence is next to useless. It is infinitely easier to fake a word doc than it is someones handwriting, DNA and fingerprints that one might find on a piece of paper. I predict that in 10 years, once new forensic techniques for IT data analysis become available, a whole slew of "terrorists" will have their convictions quashed as the polices simply created a few fake emails. This is not tin-foil hat territory, this has happened numerous times in the past [wikipedia.org].

      When will the public wake up? These "detention without trial" laws are something that the authorities have been seeking for decades. Only now do they feel they have the inertia to get them passed.

      The definition of terrorism is "using fear to achieve a politcal goal". I wonder who the REAL terrorists are here...?

  • by iamacat ( 583406 ) on Friday November 04, 2005 @10:27AM (#13950128)
    That government can crack triple DES in more than 14 but less than 90 days on their secret supercomputer. No wonder they dropped opposition to crypto exports. The question is, which algorithms/key sizes can we use that is likely still uncrackable?
    • Write your own algorithm and use some section of Pi as your key. This way you can more or less safely forget the key and when law enforcement demands your key you can honestly say "it's four thousand characters long and I didn't memorize it." But then you know that starting at decimal digit 05201974 (which is your brother's birthday, or whatever, transcoded into a string of digits representative of the offset in Pi that the key can be found at) and for the next four thousand digits is the key. You know some
  • It's just an excuse. (Score:4, Interesting)

    by Ebirah ( 528097 ) on Friday November 04, 2005 @10:27AM (#13950130) Homepage
    The underlying objective is for the UK to adopt the US model of 'terrorist' detention. Extending the permitted period for detention of 'suspects' without charge to 90 days is a step in the desired direction for this. And as people are saying, 90 days won't be enough time to crack anything that's properly secured. In 90 days, our boys in blue, who don't really get this IT stuff very well, might perhaps be able to crack an UNENCRYPTYED drive. Not all terrorist suspects have hard drives, anyway. I guess they'll have to let the ones who don't go straight away.
    • our boys in blue, who don't really get this IT stuff very well, might perhaps be able to crack an UNENCRYPTYED drive. Not all terrorist suspects have hard drives, anyway. I guess they'll have to let the ones who don't go straight away.

      The National Security Agency is the largest employer of degreed mathematicians in the world. They are not stupid people.

      They'll gladly crack encrypted information for allied countries and other US agencies.

      These people aren't the Keystone Cops and it's not like a st
      • The National Security Agency is the largest employer of degreed mathematicians in the world. They are not stupid people.

        Plus, thanks to the little gray men [milk.com], they're 200 years ahead of the rest of the world in mathematical theory.
  • by pla ( 258480 ) on Friday November 04, 2005 @10:29AM (#13950145) Journal
    The UK police may need 90 days to hold terrorist suspects because it takes that long to crack a suspect's PC hard drive

    I write this as a 'Merkin, so forgive if I don't fully "get" UK law, but...

    At the point where the police would waste 90 days of supercomputer-level CPU power on cracking an encrypted HDD, wouldn't they already have enough other evidence to charge the suspect with an actual crime, and could just ask for that 90 days as a delay before the actual trial?

    The idea of the police making people dissapear for three months at a time on a whim scares the hell out of me. Suddenly sarcasm, or wearing the wrong clothes, or "driving while black" becomes punishable by three months in prison? Time to invest in prison/industrial stock...
  • 256-Bit Triple DES (Score:5, Insightful)

    by John Fulmer ( 5840 ) on Friday November 04, 2005 @10:33AM (#13950189)
    Another factor is encryption sophistication. If 256-bit triple-DES or similar techniques are used then decryption could require supercomputer-levels of cracking.


    Ouch. Technobabble at its worst.

    a) Triple DES is 112-bit encryption.

    b) If you are using strong encryption, like a 256-bit AES cypher, no number of supercomputers are going to 'crack' it, whether it's 14 or 90 or 900 days, unless it's a really bad implementation.

    c) One would HOPE that the police would have evidence before they start impounding things. But this is about 'fishing' for evidence for 'suspected' terrorists. "You look like a terrorist, so we'll impound your things in the hope that we'll find something". So much for presumption of evidence (which I believe holds true in the UK as well.

    Things like this make me sad. Just another way for the authorities to 'protect' it's citizens by making that sure they can see all and know all. Welcome to the Panopticon [wikipedia.org].
    • by slavemowgli ( 585321 ) on Friday November 04, 2005 @11:41AM (#13950893) Homepage
      Triple-DES is 168-bit encryption, or at least if by "x-bit encryption" you mean that the keysize is x bits, which I think is pretty much standard. It's *effectively* 112-bit due to certain known weaknesses, but technically, it's still 168-bit.

      Of course, that's really just a technical issue, especially compared to the rather glaring errors ITFA you're pointing out, but I think it's something worth mentioning. :)
  • by venomkid ( 624425 ) on Friday November 04, 2005 @10:34AM (#13950196)
    ...I think we all know what the message is here: Encrypt your personal files, go to jail for 90 days.

    More and more, according to law enforcement, encryption is considered only a tool of criminals. There have been a few cases like this in the US where a suspect's use of PGP or other common encryption has been used against him in court, even though no specific evidence was found encrypted.
  • by mengel ( 13619 ) <mengelNO@SPAMusers.sourceforge.net> on Friday November 04, 2005 @10:54AM (#13950415) Homepage Journal
    That if I use 4096-bit encryption, they'll argue they should be able to hold me for a year, and if I use 8192-bit encryption, for 2 years???

    If you extrapolate it to "We get to hold people for as long as it takes to find whatever we're looking for on their hard drive", then they can argue for holding you for 200 years, depending how you might have hidden data on the hard drive.

    • More like 2 million years. We're talking powers of 2 here, so 512 is not twice as hard to break as 256...257 is twice as hard to break as 256. 512 is 2^256 times as hard to break as 256.

      • Two million years (Score:3, Informative)

        by jd ( 1658 )
        Is hopelessly optimistic. Let us say you had a processor capable of a billion (2^30, not 10^9) operations per second and that you've hard-coded the processor such that you can try one key in one operation. You can now break a key of 30 bits in 1 second. Let us also say you've built a large grid computer with 1024 nodes in it, so you can do one trillion (2^40) keys per second.

        Such a computer can break an ordinary (56-bit) DES key in 18 hours, 12 minutes and 16 seconds at worst. The average time to break a DE

  • by Ihlosi ( 895663 ) on Friday November 04, 2005 @10:57AM (#13950437)
    1. Encrypt hard drive.
    2. Store keyfile in a safe place.
    3. Get a defective USB stick. Label "HD KEYFILE" in big red letters. Keep it on the computer desk at all times.
    4. Get a 3.5" Floppy. Preferably from pre-1990. Wipe with magnet a couple of times. Label "HD KEYFILE BACKUP" in big red letters. Put on shelf next to computer.
    5. Get a blank CD-R. Fill with PR0N. Label "PR0N + HD KEYFILE BACKUP". Mistreat CD-R a little (preferably adding some scratches on the inside. Leave in CD-Rom drive.


    In case of arrest:
    1. "Um ... you want my password ? If you really want to see my PR0n collection ... it's on the USB stick."
    2. "What ?! It doesn't work ? Good thing I have a backup. It's on the floppy disk."
    3. "What now ?! It's broken ? Good thing I have another backup of it on the CD with my PR0N colelction ... try that."
    4. "The CD doesn't work ? OH NO, ALL MY PR0N is GONE ! AAAAARGH !"

  • by Catamaran ( 106796 ) on Friday November 04, 2005 @11:01AM (#13950494)
    You could be locked up forever!
  • by caluml ( 551744 ) <slashdot@spamgoe ... c a l u m . org> on Friday November 04, 2005 @11:03AM (#13950508) Homepage
    Shami Chakrabati from Liberty [liberty.org.uk] made a very valid point. Holding someone for the equivalent of a typical 6 month jail sentence with no charge is a very good way to alienate that person and his/her community. How would we feel about losing 3 months of our lives, and after that, being released with "no charge". What would our employers think? What would happen to our houses, mortgages during that time? It's easy to think "90 days isn't so much", but think about what it actually means. Shami is great.
    • How would we feel about losing 3 months of our lives, and after that, being released with "no charge". What would our employers think? What would happen to our houses, mortgages during that time? It's easy to think "90 days isn't so much", but think about what it actually means.

      This is probably the original intention of the law setup: to destroy your life completely without legal consequences. I remember well that schema from totalitarian communist regime I lived in for more than 20 years. Pure possibility
    • How would we feel about losing 3 months of our lives, and after that, being released with "no charge". What would our employers think? What would happen to our houses, mortgages during that time?

      But we are talking about terrorists here, not normal people like you and I.

      Yet.

      Why am I being terrorized by the government's reaction of terrorism?

      I can't speak for England, but someone suspected of a crime, should be formally and specifically charged with the approval of a 3rd party (judge) via a warrant.

      Its a dece
  • by Been on TV ( 886187 ) on Friday November 04, 2005 @11:20AM (#13950686) Homepage
    I can crack my harddrive in a split second by using a sledge hammer.
  • Not quite the case (Score:4, Insightful)

    by twem2 ( 598638 ) on Friday November 04, 2005 @11:28AM (#13950767) Journal
    The police want to be able to detain terrorist suspects for 90 days without charge. This is probably a figure they pulled out of the air as a good starting point for negotiations, however Tony Blair has decided that whatever the police want they should get when the magic word is mentioned.

    One of the justifications was that they need that long to decrypt and analyse data. In which case, it is already a crime not to hand over a password of encryption key when requested so you can get them in custody on that charge for that long.

    The arguments for the 90 days are incoherent, but that's what we have grown to expect from our government, especially when it comes to civil liberties and/or technology.
  • by TractorBarry ( 788340 ) on Friday November 04, 2005 @02:42PM (#13952394) Homepage
    Marvellous. So here's how "the bad guys" (tm) will fool the coppers.

    1 Buy computer with big hard drive.
    2 Get geek to store loads of "nonsense" data encrypted with as strong a key as possible (i.e. shopping lists, lists of birthdays, stuff from encyclopedias)
    3 Store "bad stuff" (tm) in head only.
    4 Get arrested, claim you "were wondering what all those junk files were" and wait 90 days whilst the forensics bods decrypt the useless data.
    5 Get let out.
    6 Profit !

    (yes I admit it this is a piss poor version of the Slashdot "profit" post :)

"Inquiry is fatal to certainty." -- Will Durant

Working...