Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Encryption Privacy

FBI Failed To Break Encryption of Hard Drives 486

benoliver writes to let us know that the FBI has failed to decrypt files of a Brazilian banker accused of financial crimes by Brazilian law enforcement, after a year of attempts. Five hard drives were seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha in July 2008. (The link is to a Google translation of the original article in Portuguese.) The article in English mentions two encryption programs, one Truecrypt and the other unnamed. 256-bit AES was used, and apparently both the Brazilian police and the FBI tried dictionary attacks against it. No Brazilian law exists to force Dantas to produce the password(s).
This discussion has been archived. No new comments can be posted.

FBI Failed To Break Encryption of Hard Drives

Comments Filter:
  • by Joe The Dragon ( 967727 ) on Saturday June 26, 2010 @01:39PM (#32703674)

    is waterboarding next to get the info?

    • by countertrolling ( 1585477 ) on Saturday June 26, 2010 @01:45PM (#32703716) Journal

      That's not offtopic. If they want the info bad enough, that is what they will do. And nobody will be able to prove a damn thing.

      • by keeboo ( 724305 ) on Saturday June 26, 2010 @02:30PM (#32704016)

        That's not offtopic. If they want the info bad enough, that is what they will do. And nobody will be able to prove a damn thing.

        In Brazil, proofs produced by illegal means cannot be used (Federal Constitution, Art. 5, Inc. LVI).

        Also, commiting a crime in order to produce proofs is aggravated up to a 1/3 (Decree-Law 2.848, Art. 342, Par. 1).

        • by Pharmboy ( 216950 ) on Saturday June 26, 2010 @02:54PM (#32704180) Journal

          In Brazil, proofs produced by illegal means cannot be used

          Same in America, and usually, that is how it works. More often than not, however, they are more worried about using the information rather than punishing the offender (ie: to get to his bosses) so they do it anyway, and try to convict without that information. This is mainly the federal government that does this, state governments almost never do this.

          • Well in the USA the way to do that is immunize the guy and then compel him to testify. Since he has immunity he can't use the 5th amendment.

            • by Sycraft-fu ( 314770 ) on Saturday June 26, 2010 @08:02PM (#32706030)

              Immunity means "Immunity against prosecution." So this is not the sort of thing they can use against someone. They can't say "You are immune from prosecution, now testify about your crimes. Ok, you testified, now we are going to charge you with those crimes." The person was given immunity from prosecution, can't prosecute them for those crimes.

              The point of immunity is securing someone's testimony against another party. So lets say you and I had committed some crimes together. However your part was pretty minor, you'd done little things and you weren't the guy planning things. The prosecutors decide I'm the one they really want, you are just a petty crook they don't care about. However, you won't testify against me, not because you are scared of me but because in doing so you'd admit to your own crimes. They say "Ok we'll grant you immunity. Any crimes you testify about committing, you can't be prosecuted for." You then go and testify to all the stuff I've done. I go to jail, you do not.

              Immunity isn't some magic way to make the 5th amendment disappear. What it does is protect someone's 5th amendment rights, while allowing them to testify. The 5th amendment says you can't be made to testify against yourself. So, if you are immune from being prosecuted there is no violation of your rights. Your testimony is not being used against you.

              For the same reason they can't say "Ahhh! We had our fingers crossed! Deal doesn't count!" In that case your lawyer would argue to have your testimony, and any evidence as a result of it, suppressed. You only testified because you believed it could not be used against you, and there is a written deal to that effect. If they revoke the deal, then that violates your rights. A judge would then suppress the testimony, and all evidence that comes from it (US courts use a "poisoned fruit" idea that evidence that comes from a violation of rights itself cannot be used). Your lawyer then has the court dismiss the case due to lack of evidence.

        • by fm6 ( 162816 ) on Saturday June 26, 2010 @03:13PM (#32704342) Homepage Journal

          Learn to read. TPP didn't say it was legal. Read the text you yourself quoted.

          Coerced evidence is illegal almost everywhere. And it ends up being used almost everywhere, because it's really hard to prove coercion.

          • by keeboo ( 724305 ) on Saturday June 26, 2010 @03:53PM (#32704594)
            Someone modded the parent "flamebait" but that's an interesting point IMO.

            The "problem" in Brazil is that, even if you're willing to do thing in a not-quite-right way, that's seldom viable in practice - specially in high profile cases with lots of expensive lawyers.

            Why is that? The current Brazilian Constitution (created in 1988) and several key laws give lots of rights to the accused ones.
            That's all nice and stuff, but many people (myself included) believe that they went too far and, basically, criminals are being treated like defenceless babies.
            One thing you can hear about the Federal Constitution is that it was created "under the (left-wing) political prisoner syndrome". That is, back in 1988 the politicians wanted to avoid human rights abuses like the ones from the 1960s and 1970s (during the militar government), but (though well intended) they went too far.

            The result is that it made criminal prosecution very hard in Brazil.
            • Re: (Score:3, Insightful)

              by Anonymous Coward

              The laws were made as they always were. To protect the rich, powerful, and well-connected. Preferably whiter and male. And to damn the poor and duskier. And more female.

              And to fatten, empower, and privilege all members of the judicial system.

              The poor, better-melanized and female are - for all intents - railroaded. Those who have money including drug gangsters - keep afloat as long as they have anough money to feed the judicial system and bribe everyone else, and don't run afoul of "greater interests".

              Brazi

            • by Anonymous Coward on Saturday June 26, 2010 @07:01PM (#32705746)

              hat's all nice and stuff, but many people (myself included) believe that they went too far and, basically, criminals are being treated like defenceless babies.

              Fuck you. No, really...fuck you.

              It is not possible to go too far in that direction. You take away just enough rights to prevent an anarchist nightmare, but no more. It's still evil that we must take away those rights, but the few assholes who want to hurt others for personal gain make it necessary to do so. Still, it is always very, very important that you're always aware that every law, regardless of how well-intentioned, causes you to slide a bit more into the slippery slope towards tyranny. So, when absolutely necessary in order to protect your society's way of life, you do it. Never do it just because some people are getting away with things you don't think they should...the price you're paying isn't worth it.

              • by Jane Q. Public ( 1010737 ) on Saturday June 26, 2010 @08:08PM (#32706058)
                I have posted this a number of times, so pardon the repetition. But it is surprising how often this comes up:

                "That it is better 100 guilty Persons should escape than that one innocent Person should suffer, is a Maxim that has been long and generally approved." -- Benjamin Franklin
        • Re: (Score:3, Interesting)

          by ScrewMaster ( 602015 )

          In Brazil, proofs produced by illegal means cannot be used (Federal Constitution, Art. 5, Inc. LVI

          My guess is that, the next time this happens, it will no longer be considered "illegal means".

          I recall a Slashdot article that said England already has a law that requires individual to turn over their passwords to law enforcement. Brazil's government may decide that they need something similar.

    • by mangu ( 126918 ) on Saturday June 26, 2010 @01:54PM (#32703796)

      is waterboarding next to get the info?

      Since his pockets seem to be deep enough to buy a president of the Brazilian Supreme Court [google.com], not likely.

    • Re: (Score:2, Funny)

      by Dahamma ( 304068 )

      No, they just need to send it to Wikileaks and tell them it's a video of waterboarding.

      • Re: (Score:3, Informative)

        by ipX ( 197591 )

        No, they just need to send it to Wikileaks and tell them it's a video of waterboarding.

        In all fairness I don't think parent is a troll, I think it's a weak attempt at a joke about wikileaks breaking encryption [nytimes.com]:

        Somehow -- it will not say how -- WikiLeaks found the necessary computer time to decrypt a graphic video, released Monday, of a United States Army assault in Baghdad in 2007 that left 12 people dead, including two employees of the news agency Reuters.

    • Obligatory (Score:4, Funny)

      by guyminuslife ( 1349809 ) on Saturday June 26, 2010 @03:00PM (#32704236)
  • by AnonymousClown ( 1788472 ) on Saturday June 26, 2010 @01:40PM (#32703684)

    ...both the Brazilian police and the FBI tried dictionary attacks against it

    They should have used a Portuguese dictionary not an English one! Geeze! Folks are soooooo US centric!

  • by Anonymous Coward on Saturday June 26, 2010 @01:40PM (#32703686)

    Just because you're paranoid does NOT mean that no one's out to get you.

    And you KNOW the government is out to get you.

  • before they break 256-bit aes. Even if computer power somehow went up magnitudes
    the sun would go nova before they crack the encryption.

    • before they break 256-bit aes. Even if computer power somehow went up magnitudes
      the sun would go nova before they crack the encryption.

      How about if a critical flaw is discovered in aes that produces an attack in 2^64 time?

      How about if a critical flaw is is discovered in the implementation of aes that produces an attack in 2^32 time?

      How about quantum computers advance to a usable level, and that 2^256 complexity is solvable in 256^6 time?

      The first two are unlikely, since AES wasn't designed by fools, and has

  • If I wanted to create a decoy I'd just dump some output from /dev/random onto a disk partition and let the government try decrypting that for a few years (so long as they don't hold me in jail in the meantime). It seems that no matter how much you protest that a block of 0's and 1's isn't an encrypted file, it's just random noise, the only way to prove it, one way or the other, is when / if someone actually cracks it.

    Could take a while.

    • by swilver ( 617741 ) on Saturday June 26, 2010 @02:01PM (#32703846)

      How will you get out of jail though?

      Give them the password? You can't since it is random data.

      Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!

      This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you :)

      • by Tumbleweed ( 3706 ) * on Saturday June 26, 2010 @02:07PM (#32703880)

        How will you get out of jail though?
        Give them the password? You can't since it is random data.
        Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!
        This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you

        It depends on what your goal is. If your goal is to hide your secrets to stay out of jail, this may be a bad way to do it, especially if they torture you.

        If your goal is, however, to keep your drug lord employer's secrets, otherwise they'll torture and kill your entire family, that's another thing entirely.

      • by petes_PoV ( 912422 ) on Saturday June 26, 2010 @02:14PM (#32703926)
        Yes. It does make the possession of random data illegal. Since "they" will assume it is encrypted, even though they can't prove it they will demand a password from you. Since you cannot comply you are deemed to have done something illegal. This is one of the few areas of law where you have to prove your innocence. And the only way to do that is to surrender a password (if there was, actually, one) which could just make you guilty of a different offence - depending on what it was you wanted to keep encrypted.

        If there is ever a case along the lines of: "Well, m'lud the prosecution have not proved there are any encrypted files - it's just a block of encrypted data, so there is no case to answer" then I suggest we all follow it very closely.

        • This is one of the few areas of law where you have to prove your innocence.

          Which of course, should be completely invalid, because it goes against the right not to self incriminate, which is in the legal code of many countries, including Brasil.

  • by kawabago ( 551139 ) on Saturday June 26, 2010 @01:47PM (#32703746)
    They should publish it as a DVD and within hours they'll be able to download the unencrypted file from a torrent! :o)
  • weird (Score:3, Insightful)

    by roman_mir ( 125474 ) on Saturday June 26, 2010 @01:47PM (#32703750) Homepage Journal

    I thought this [xkcd.com] was not just a sound idea but a law.

    Great stuff though, but expect some new laws by government that make it illegal not to provide your password/keys to the government upon a court order and if you don't provide it, expect an assumption of guilt and some extra punishment. I am not saying it's right, just saying that's probably going to be one of the outcomes of this.

    Of-course the problem is that they got the drives physically (not that I am necessarily on the side of a allegedly corrupt banker, but I am not automatically assuming he is guilty of anything either.) Here is a good application for the 'cloud' (yikes) - keep your encrypted data so that nobody can even know it exists in the first place.

    • by swilver ( 617741 )

      Sure, they can make a law to force people to give up their passwords... as long as they first prove that there actually WAS a password that would decrypt the data (and into what), as it might just be random garbage.

  • by baeyogin ( 461380 ) on Saturday June 26, 2010 @01:47PM (#32703752)

    http://xkcd.com/538/

  • by gmuslera ( 3436 ) on Saturday June 26, 2010 @02:03PM (#32703852) Homepage Journal
    This say plainly that if you encrypt your info with the right, cheaply available technology, not even the FBI could get it, no matter what is it, or who you are. How much time now till some law around criminalizing the use of encryption gets approved?
    • by kylemonger ( 686302 ) on Saturday June 26, 2010 @02:17PM (#32703950)
      The FBI can't crack it, true, but crypto is rarely the weakest link. Can you prevent the FBI from installing a keylogger on the computer you use to access the drives? Can you prevent them from installing a camera somewhere that records your keystrokes, or records your computer screen? It sounds like they moved on this guy too soon. If you need a brick of encrypted data to make your case against a white collar criminal, that's just lazy police work. If you build enough of a case against him beforehand, he'll give you the key as part of a deal to reduce his jail-time. Then you can use that data to go after the next leve of baddies.
    • We've had encryption this good, or close to it, for decades now. And if looking back, if anything it is likely that laws concerning cryptography will continue to get weaker and weaker, as they have been doing. This stuff used to be heavily export controlled, not so much anymore. Just look at the history of PGP.

  • by Anonymous Coward on Saturday June 26, 2010 @02:10PM (#32703900)

    ... if I were the FBI and I could decrypt TrueCrypt, I'd not admit it and hope everyone keeps using it.

    • Re: (Score:3, Interesting)

      by Spatial ( 1235392 )
      'Obviously'? I'd love to hear how an unfalsifiable assumption fits that criterion.
      • You might notice that there are more than a few paranoid people on this site. They are convinced that the government is extremely evil, oppressive, and thus obviously extremely capable of doing amazing things that nobody else can. So the government can crack all encryption (even though the best research shows that isn't possible), the government can recover data from any harddrive unless you Gutmann wipe it (even though the best research shows a single overwrite screws over any recovery on EPRML drives). Th

  • Modern encryption done right cannot practically broken at this time. However, many people do it wrong. You need something like 64 bit passphrase entropy to be secure, better 128 bit. As English gives only about 1.5 bit/char, that means a secure passphrase should have something like 90 characters with a minimum of around 45 characters. With random digits/letters, you can do better, for example 12 digits/letters just fulfill the minimum requirement.

  • Alternate Partition? (Score:5, Interesting)

    by HTMLSpinnr ( 531389 ) on Saturday June 26, 2010 @03:12PM (#32704332) Homepage

    One of the great features of TrueCrypt is the whole alternate partition/segment idea. One password gives access to real data, while another (a duress password) would give some other access to an alternate segment. Put some benign documents in the alternate partition, and then under threat of water boarding, hand out the duress password. Assuming this all works, they find nothing, you go home.

    Granted, I'm not encouraging this idea for criminal activity, but rather for truly sensitive data that shouldn't fall into the wrong hands.

  • by grikdog ( 697841 ) on Sunday June 27, 2010 @01:07AM (#32707316) Homepage
    Gotta love it. Truecrypt used intelligently is impervious to dictionary attacks. The trick is keyfiles, which can be used together with garden-variety "weak" passwords. It also has hidden volumes, which have a couple of annoying gotchas, which provide "plausible deniability" (it says here). One nice trick with keyfiles is to use steganography to embed a signifant blob of /dev/urandom output into a photograph, which then hides in plain sight along with hundreds or even thousands of other similar photographs (this circumvents keystroke loggers) -- or on a thumb drive or cd-rom. Shred the cd-rom (or smash the thumb drive with a hammer, etc.), and Truecrypt volumes become indecipherable, because the actual key is literally unknown (and unmemorizible by ordinary human brains). Assuming the banker get his drives back (or his backup!), and recovers his copy of the cd-rom bearing the keyfile from his friend in Freeport who thinks it's a bootleg Grateful Dead concert, Truecrypt brings it all back like Lazarus. The Linux version uses an optional cascade of three keys (AES 256, Serpent and Twofish) and the (optional, but recommended) Whirlpool hash algorithm. Steganography is not part of Truecrypt in any version I know.

If all else fails, lower your standards.

Working...