Silk Road forums
Discussion => Off topic => Topic started by: Boobonicchronic on August 15, 2013, 05:12 am
-
Federal authorities have cracked two encrypted drives they say are filled with child pornography, leading to an arrest in an ongoing case that shows the limits of encryption and highlights a novel legal issue in which the government has been trying to force the defendant to decrypt the drives to aid his prosecution.
Investigators arrested Jeffrey Feldman in Wisconsin on Tuesday and accuse him of three counts of receiving and possessing child pornography.
The arrest came months after the authorities told a federal judge they were unable to decrypt the drives and needed the defendant to disclose his passwords — pitting the constitutional right against compelled self-incrimination against the government’s need to access data. In June, the authorities urged the court to demand that Feldman fork over his passcodes, saying the suspect could “forget his passwords.”
FBI agent Chadwick Elgersma said in court documents filed Tuesday that seven more drives await decryption. It remains unclear whether the judge presiding over the case will order Feldman to decrypt them.
Elgersma said in an arrest affidavit that investigators cracked two Western Digital My Book Essential external hard drives they believe were used with a Dell Inspiron 530 personal desktop running Windows 7. Authorities suspect thousands of files on the drives are child pornography, the agent said.
The authorities did not say what type of encryption Feldman used. But the case illustrates that encryption isn’t foolproof and that the authorities are making headway cracking encryption.
“The investigation is ongoing and the FBI is still working on decrypting Feldman’s remaining seven encrypted drives,” Elgersma wrote. (.pdf)
Authorities believe Feldman downloaded child pornography on the file-sharing e-Donkey network. They seized several drives and a computer from his suburban Milwaukee apartment with a search warrant in January. A federal magistrate had ordered Feldman to decrypt the drives, but because of procedural grounds, reversed his decision and the legal flap continues.
Though rare, decryption orders are likely to become more common as the public increasingly embraces technology that comes standard on most operating systems. Decryption orders have never squarely been addressed by the Supreme Court, despite conflicting opinions in the lower courts.
Among the last times an encryption order came up in court was last year, when a federal appeals court rejected an appeal from a bank-fraud defendant who has been ordered to decrypt her laptop so its contents could be used in her criminal case. The issue was later mooted for defendant Romano Fricosu as a co-defendant eventually supplied a password.
Whether a defendant forgets the password is another story.
That issue, too, has never been addressed in court. But judges usually view forgetfulness “as a sham or subterfuge that purposely avoids giving responsive answers.”
-
Nice read, thanks!
I am 100% against Child Pornography, have been all my life and now even more so since I myself have a daughter.
However if you take away the CP and just focus on the decryption. I have a HUGE issue with courts ordering anyone to decrypt there personal information.
Does this not violate our freedom somehow? personally I encrypt fucking EVERYTHING! although I have nothing to hide, I still feel like encryption on any digital device is like locking your house door before you head out to walmart. or locking your car door before you go into a movie theater. When you look at it that way, your average American family has nothing to hide. But they have personal items that may be worth pennies to someone else, but priceless to the owner.
If a judge ever ordered me to decrypt my drive, I would respond with "let me have your house key."
I'm a bit benzoed out, so I hope this made sense.
-
This is for sure a two sided issue. On the hand of the CP I think they should have enough information to charge him and in such matters they should. Children that can do nothing in the matter have a right to be protected! This conversation could go on for days but my main focuse for posting this was the encryption part! As you may remember the woman forced to decrypt her laptop in that bank case.... She was forced to decrypt so her laptop could be used against her in the criminal case............. Here is a gun now shoot yourself RIGHT NOW!
Here is the story on that one:
If a judge orders you to decrypt the only existing copies of incriminating files, are your constitutional rights against compelled self-incrimination being violated?
That’s the provocative question being raised as a Wisconsin man faces a deadline today either to give up his encryption keys or risk indefinite imprisonment without a trial. The defendant’s attorney, Robin Shellow of Milwaukee, said it’s “one of the most important constitutional issues of the wired era.”
Shellow is making a novel argument that the federal magistrate’s decryption order is akin to forcing her client to build a case for the government. That’s because encryption basically transforms files into unreadable text, which is then rebuilt when the proper password is entered, she said.
“Some encryption effects erasure of the encrypted data (so it ceases to exist), in which case decryption constitutes re-creation of the data, rather than simply unlocking still-existing data,” Shellow wrote in a court filing. (.pdf)
In a telephone interview Monday, she said “this area is a new way of thinking about encryption.”
UPDATE: A federal judge this afternoon halted the decryption order, and demanded further briefing on the constitutional implications.
Though rare, decryption orders are likely to become more common as the public slowly embraces a technology that comes standard even on Apple computers. Such orders have never squarely been addressed by the Supreme Court, despite conflicting opinions in the lower courts.
The latest decryption flap concerns Jeffrey Feldman, who federal authorities believe downloaded child pornography on the file-sharing e-Donkey network. They seized 15 drives and a computer from his suburban Milwaukee apartment with a search warrant. A federal magistrate has ordered Feldman to decrypt the drives by today.
Feldman has refused, citing the Fifth Amendment. A federal judge could find him in contempt as early as today and jail him pending his compliance.
The magistrate in the case stepped aside Monday after Shellow argued that only U.S. district court judges, not magistrates, have the legal power to issue decryption orders. As of now, the new judge in the case has not decided whether to uphold the magistrate’s order.
U.S. Magistrate William Callahan Jr. initially said the Fifth Amendment right against compelled self-incrimination protected Feldman from having to unlock his drives.
But last month, prosecutors convinced Callahan to change his mind. Among other reasons, the authorities were able, on their own, to decrypt one drive from Feldman’s “storage system” and discovered more than 700,000 files, some of “which constitute child pornography,” the magistrate said.
When the magistrate ruled against the government last month, the magistrate said the authorities did not have enough evidence linking Feldman to the data, and that forcing the computer scientist to unlock it would be tantamount to requiring him to confess that it was his. But that theory is now out the door, because the data on the decrypted drive contains pictures and financial information linking Feldman to the “storage system,” Callahan ruled last week.
Among the last times an encryption order came up in court was last year, when a federal appeals court rejected an appeal from a bank-fraud defendant who has been ordered to decrypt her laptop so its contents could be used in her criminal case. The issue was later mooted for defendant Romano Fricosu as a co-defendant eventually supplied a password.
Shellow said it was unclear whether her client even remembers the passwords to the 16 drives the authorities confiscated.
“The government is claiming that our client has the capacity to decrypt them,” Shellow said.
That issue has never been addressed in court. But judges usually view forgetfulness “as a sham or subterfuge that purposely avoids giving responsive answers.”
Prosecutors did not respond for comment.
-
+1 to you my friend.
-
It is a crazy world and times are changing! Our nation was founded on deception and cryptologie... what is next giving them a key to your house just in case?
-
I am 100% for decriminalization of child porn possession (just thought I would add that since everybody else wants to point out their beliefs on the subject), but just talking about the encryption, they probably cracked it because he used a shitty password. Most people are probably not using very strong passwords. Even passwords with 80 bits of entropy are not considered secure anymore, and that is equal to roughly 80 characters of English text (ignoring PBKDF stretching).
-
I am 100% for decriminalization of child porn possession (just thought I would add that since everybody else wants to point out their beliefs on the subject), but just talking about the encryption, they probably cracked it because he used a shitty password. Most people are probably not using very strong passwords. Even passwords with 80 bits of entropy are not considered secure anymore, and that is equal to roughly 80 characters of English text (ignoring PBKDF stretching).
This is my concern, if you need a password 80 bits or longer you are not going to be able to memorize it meaning it has to be stored somewhere. I currently keep most of my passwords in an encrypted volume but I need to have a strong password to get into that volume to begin with. Forgive my ignorance but how are people safely storing these 80+ character passwords without fear they could be uncovered? and if that's a stupid question to post feel free to pm me instead.
-
I am 100% for decriminalization of child porn possession (just thought I would add that since everybody else wants to point out their beliefs on the subject), but just talking about the encryption, they probably cracked it because he used a shitty password. Most people are probably not using very strong passwords. Even passwords with 80 bits of entropy are not considered secure anymore, and that is equal to roughly 80 characters of English text (ignoring PBKDF stretching).
This is my concern, if you need a password 80 bits or longer you are not going to be able to memorize it meaning it has to be stored somewhere. I currently keep most of my passwords in an encrypted volume but I need to have a strong password to get into that volume to begin with. Forgive my ignorance but how are people safely storing these 80+ character passwords without fear they could be uncovered? and if that's a stupid question to post feel free to pm me instead.
The subtle but key part to his comment is "English text". English sentences are not random. Some words are much more likely to follow other words, and of course there are only 80,000 configurations of letters to begin with (ie, words).
However, a pass phrase composed of 8 random words is actually pretty strong, over 200 bits of entropy:
http://dkn255hz262ypmii.onion/index.php?topic=106496.msg730353#msg730353
You can memorize 8-16 words.
(And yes I know you just saw that in the Security thread, but I'm making sure people here see it too. :) )
-
Many encryption programs (particularly ones by big companies like Microsoft) have back doors in them for the government so it is important WHICH encryption they broke. I doubt it was an open source one like TrueCrypt.
-
Many encryption programs (particularly ones by big companies like Microsoft) have back doors in them for the government so it is important WHICH encryption they broke. I doubt it was an open source one like TrueCrypt.
I highly doubt they broke any encryption. I'm sure they used a program to guess his password. They've been trying for months now. That's a lot of password attempts if they're putting a lot of computer resources against it. Doesn't matter if it's Truecrypt or Microsoft, encryption algorithms, if implemented correctly, are secure. The password strength is what matters.
-
Doesn't matter if it's Truecrypt or Microsoft,
Yes it does. Microsoft has a backdoor in theirs just for the government. TrueCrypt does not.
-
DrMDA is correct here. There was a pretty big case about a year back where LE used a similar exploit in skype to listen in on conversations.
-
Thanks for the interest! You guys have some very good points... an 8 word password would be fun to memorize!
-
Keep in mind this is not how brute force programs work.
"1
11
111
1111
ect ect forever until all combinations of everything is guessed"
They have programs which are "smart" enough to piece together dictionary words and different methods which people commonly create passwords in order to "intelligently" brute force. A tip that I heard from someone on this forum is to take the first letter of words in song lyrics and ass upper/lowercase, symbols, ect and there you have it...A super strong, memorable password which is invulnerable to dictionary attacks.
-
I am 100% for decriminalization of child porn possession (just thought I would add that since everybody else wants to point out their beliefs on the subject), but just talking about the encryption, they probably cracked it because he used a shitty password. Most people are probably not using very strong passwords. Even passwords with 80 bits of entropy are not considered secure anymore, and that is equal to roughly 80 characters of English text (ignoring PBKDF stretching).
This is my concern, if you need a password 80 bits or longer you are not going to be able to memorize it meaning it has to be stored somewhere. I currently keep most of my passwords in an encrypted volume but I need to have a strong password to get into that volume to begin with. Forgive my ignorance but how are people safely storing these 80+ character passwords without fear they could be uncovered? and if that's a stupid question to post feel free to pm me instead.
The subtle but key part to his comment is "English text". English sentences are not random. Some words are much more likely to follow other words, and of course there are only 80,000 configurations of letters to begin with (ie, words).
However, a pass phrase composed of 8 random words is actually pretty strong, over 200 bits of entropy:
http://dkn255hz262ypmii.onion/index.php?topic=106496.msg730353#msg730353
You can memorize 8-16 words.
(And yes I know you just saw that in the Security thread, but I'm making sure people here see it too. :) )
And it only takes about 20 random ASCII characters to have a secure password. Being conservative, you should aim for 20 random ASCII characters, an English phrase with 128 characters or 10 randomly selected words from a large word list. In practice you can usually get away with less than this, but that is the goal to aim for and you don't want to have much less than that.
-
Keep in mind this is not how brute force programs work.
"1
11
111
1111
ect ect forever until all combinations of everything is guessed"
They have programs which are "smart" enough to piece together dictionary words and different methods which people commonly create passwords in order to "intelligently" brute force. A tip that I heard from someone on this forum is to take the first letter of words in song lyrics and ass upper/lowercase, symbols, ect and there you have it...A super strong, memorable password which is invulnerable to dictionary attacks.
Brute force is indeed 1 11 111, etc. You describe a dictionary attack.
-
Doesn't matter if it's Truecrypt or Microsoft,
Yes it does. Microsoft has a backdoor in theirs just for the government. TrueCrypt does not.
No, you're missing my point, which is in the second half of the sentence you did not quote: "...encryption algorithms, if implemented correctly, are secure."
That statement is true, regardless of whether there is a backdoor. A backdoor, dictionary attack, side-attack, etc are all different problems sets than the encryption algorithm.
The original statement of the article was about cracking encrypted drives and my point was merely that encryption algorithms will stand up to the brute force the great majority of the time. It's these other methods (backdoors, weak passwords, etc) that will give law enforcement access to the data they want.
Now, that said, I agree with you and would never use nor trust Microsoft encryption products because they are in bed with the U.S. government.
-
you can have simple easy to remember phrases jazzed with overlaying patterns that seem impossible to remember but are a snap
something like, you don't want all your shopping site pw to be the same but you dont want to write them down.. so you use the same pw but add the numeric value of last three letters of the site and append that to your main pw.. that way if the site gets hacked, it isn't really obvious what you are doing and that pw only works there
be creative
do a few layers.. this is old as crypto itself but seems forgotten
-
Just to play devil's advocate.
He could have done anything. They are pursuing Assange on a frivolous "rape" charge. They play the child sex abuse shit card way too often IMO.
What if you replace "CHILD PORN" with anything else? Where does it end once you permit the disclosure of sensitive data for the indulgance of some shit head prosecutor.
I am against CP as much as the next moral soul, but this is a slippery slope. I'd rather give this creep a pass than set a precedent that maybe abused later.
-
Keep in mind this is not how brute force programs work.
"1
11
111
1111
ect ect forever until all combinations of everything is guessed"
They have programs which are "smart" enough to piece together dictionary words and different methods which people commonly create passwords in order to "intelligently" brute force. A tip that I heard from someone on this forum is to take the first letter of words in song lyrics and ass upper/lowercase, symbols, ect and there you have it...A super strong, memorable password which is invulnerable to dictionary attacks.
Brute force is indeed 1 11 111, etc. You describe a dictionary attack.
Hah my mistake, I meant to say that they do not brute force. Disregard it.
-
Just to play devil's advocate.
He could have done anything. They are pursuing Assange on a frivolous "rape" charge. They play the child sex abuse shit card way too often IMO.
What if you replace "CHILD PORN" with anything else? Where does it end once you permit the disclosure of sensitive data for the indulgance of some shit head prosecutor.
I am against CP as much as the next moral soul, but this is a slippery slope. I'd rather give this creep a pass than set a precedent that maybe abused later.
I agree 100% as I said before they have enough to pursue a case and they should not force him to give up his passwords! Once the seal is broke it wont stop.....