Judge grants injunction against suspect being forced to decrypt his drive

[Naxere]

Being forced to decrypt your drive does not constitute a confession and thus is not protected under the 5th.

The privilege against compelled self-incrimination is defined as "the constitutional right of a person to refuse to answer questions or otherwise give testimony against himself or herself."

If he refuses to give them the password, he's exercising his constitutional right against self-incrimination. Pretty simple.

[Elegiac]

The privilege against compelled self-incrimination is defined as "the constitutional right of a person to refuse to answer questions or otherwise give testimony against himself or herself."

If he refuses to give them the password, he's exercising his constitutional right against self-incrimination. Pretty simple.

And the US legal definition of testimony is, what? Testimony is a statement made in a legal proceeding or legislative hearing by a witness while under oath.

It does not protect you from subpoenas against your papers/effects.

[Verain]

It's good for the greater reasons, but bad for the specific case. In instances such as this, it should be illegal to fail to provide the keys. If there's suspicion beyond reasonable doubt that someone is involved in such a crime, they should be tried for it.

I think it's thoughtcrime level bullshit to try to make people reveal their passwords. I seriously hope they finally figure out that the 4th amendment provides this basic protection for the contents of our own fucking minds. Failing that, this is obviously a 5th amendment thing, which they have used various levels of sophistry (the password is a "thing you own" not a "thing you know") etc.

More relevantly, if the government can't figure out how to protect us from grievances this basic, the following things will be attempted to varying degrees of success:
> Claiming you simply forgot the password.
> Using one or more "hidden volumes". Truecrypt even supports this to this day, but so do other implementations.
> Various malarkey involving correct and incorrect one time pads.

TrueCrypt has been crackable by multiple tools;
http://www.theregister.co.uk/2012/12..._decrypts_pgp/
https://code.google.com/p/truecrack/
http://hashcat.net/forum/thread-2301.html

This is too terse, and implies that Truecrypt is cracked.

Ok, the first one relies on memory being grabbed from a system that has Truecrypt mounted. If your machine is physically owned by adversaries under these conditions, you would EXPECT your key to be compromised (it's fucking in memory!). All it does is effect the actual recovery of that in an efficient manner.

All decryption has legit and non-legit uses. An example of usage most people would find legit would be the NSA (who, by the way, do all the heavy lifting here, certainly not the FBI or CIA) decrypting a nuclear terrorist's laptop to stop a bomb. A thing most of us would find non-legit would be a totalitarian government doing the same to further oppress their populace. Like any weapon or tool, it's in the user's hands.

The second is a brute force solution. If you know anything about cryptography, that tells you "this solution doesn't work unless the person I'm attacking is not sophisticated". That's perfectly fine! Many people are simple.

But when you link:

https://code.google.com/p/truecrack/

As if that's supposed to be impressive, lets be honest: it would take until the end of the universe to crack anything meaningful. Brute force means, it tries different passwords quickly. AES has a 128 bit key (most implementations will use a 256 bit key). There are 2.58x10^41 possible passwords. If you can try let us assume that a billion is a thousand million (1x10^9), and a trillion is a thousand billion (1x10^12). Further, pretend you can check a trillion trillion (1x10^24 using these numbers), per SECOND, which is well beyond all of human calculation capacity. In that situation, a full brute force would take 2x10^15 seconds, or 63,000,000 years. And that's assuming ABSURD calculation capability. Oh, and if it's the 256 version that everyone ACTUALLY uses, multiply that number by another 2.58x10^41st lolololol.

A thousand universes wouldn't solve that before they all ended in heat death, assuming that every electron was a super computer or something. The numbers are redic.


So, why does this tool exist? Because many people's passwords are Dogbirthday or whatever, and it will guess those super quick. It's still a valuable and useful tool, but it won't crack anything hard. But again, still useful. But YOUR password would be hard to guess, and this thing would never get it!

The hashcat thing I'm not 100% sure of. Are the hashes high availability? I'm thinking that if someone has your hash, you screwed up?

I don't consider these advances to render Truecrypt crackable. None of them should be remotely effective if you use a keyfile in addition, for instance, and an adequate password I think should offer protection.

[Rukentuts]

Damn, what kind of encryption program was the guy using that the FBI can't break in 10 weeks?

Probably a 256bit key.

Trying to force that would take longer than the universe has existed.

[Masark]

TrueCrypt has been crackable by multiple tools;
http://www.theregister.co.uk/2012/12..._decrypts_pgp/
https://code.google.com/p/truecrack/
http://hashcat.net/forum/thread-2301.html

1. Sidechannel attack that rummages though active memory, page files, and hibernate files looking for something that looks like a key. Just don't use the latter two, don't leave the encrypted volume mounted unattended (these aren't rocket science), and don't connect random firewire/expressport devices and this attack becomes impossible.
2. GPU-accelerated brute force/dictionary attack. Unless you use a crappy password, you're not going to get the results anytime this century or indeed anytime before the Earth stops existing.
3. Same as #2, only optimized more.

[Gheld]

As sick as this guy sounds to be, he should not be forced to incriminate himself. It's up to the prosecution to prove he did it.

"It's a child pornography case, therefore the suspect should be treated like a monster by default, limiting cooperation with police."

So:
-The guy is only charged with possessing child pornography. So police do not suspect that he is actually involved in the production of the child pornography.
-His computer may or may not contain information that could identify and rescue children who are being sexually abused.
-If he allows authorities access to that information, he'll go to jail and have his life destroyed by sex-offender status.
-No plea deal is being offered.

-This is what happens when laws are based on emotion instead of common sense.

[Naxere]

And the US legal definition of testimony is, what? Testimony is a statement made in a legal proceeding or legislative hearing by a witness while under oath.

It does not protect you from subpoenas against your papers/effects.

You're reading the wrong part of the quote. Try the part about "the constititional right of a person to refuse to answer questions" instead.

Really, it's not a hard concept to grasp. He was asked for his password, he pleaded the 5th as it would most likely provide self-incriminating evidence against him. It's up to the prosecution to provide the evidence. The defendant DOES NOT have to provide the evidence of his alleged crimes.

[Laize]

Being forced to decrypt your drive does not constitute a confession and thus is not protected under the 5th.

Funny thing about TrueCrypt is it was also designed with a pro-bono (I think they were pro-bono) legal team to make it such that the encrypted files didn't appear to be files at all. Thus, plausible deniability holds that you can claim you don't know the passphrase.

[Masark]

Probably a 256bit key.

Trying to force that would take longer than the universe has existed.

128 bit is equally impossible barring a real (not D-wave's thing) quantum computer.

[Elegiac]

Funny thing about TrueCrypt is it was also designed with a pro-bono (I think they were pro-bono) legal team to make it such that the encrypted files didn't appear to be files at all. Thus, plausible deniability holds that you can claim you don't know the passphrase.

Hence why I agree with Kas in this issue; dickheads exploiting legal loopholes.

[Verain]

Funny thing about TrueCrypt is it was also designed with a pro-bono (I think they were pro-bono) legal team to make it such that the encrypted files didn't appear to be files at all. Thus, plausible deniability holds that you can claim you don't know the passphrase.

This is not true unless you use the hidden volume feature... mostly.

If you have a large block of random data on your drive, in practice, they will assume it to be encrypted. You can claim otherwise, but it's a giant block of random data, and if any of the million logs windows keeps shows you accessing drives repeatedly, that will be pretty much 100% in the eyes of anyone.

At that point, if you used the hidden volume feature, you could in theory provide the first level keys (that access the drive). Without mentioning the hidden volume (and volumes can be nested endlessly), your odds are a lot better, but you are still in technically risky waters- someone might have a way to identify that the randomized space on the drive is a hidden volume in a way that is compelling, for instance.


Without the hidden volume feature (which you have to set up) you don't really have plausible deniability in most cases.

[Verain]

Hence why I agree with Kas in this issue; dickheads exploiting legal loopholes.

The bill of rights is not a fucking loophole.

[Rukentuts]

The bill of rights is not a fucking loophole.

Wasn't there a case where someone had written in a diary in code, and they wanted the defendant to supply them the code?

I can't remember how that one turned out.

[Elegiac]

The bill of rights is not a fucking loophole.

I wasn't referring to the Bill of Rights, actually.

Because apparently any time someone offers criticism of the legal system they must be godless European communists.

[Christan]

As said, if it's a "fishing expedition" they should have no right. If they have a warrant however and/or probable cause...

Correct me if I'm wrong, but in some countries it's illegal to posses drawn children porn, right? That's one instance where I don't agree on, if nobody is getting hurt then let them continue to fap to imaginary pictures.

as disturbing as that is...if predators can get their jollies on with fake images...let them...but they should still be put on a watch (private watch by gov't rather than public...)so that their every action is recorded, if they ever slip boom police at the door.

or just cut it off, all of it not just the chemical kind.

[Rukentuts]

or just cut it off, all of it not just the chemical kind.

The chemical kind just prevents them (men) from getting an erection, but doesn't do anything to the drive itself.

[Laize]

1. Sidechannel attack that rummages though active memory, page files, and hibernate files looking for something that looks like a key. Just don't use the latter two, don't leave the encrypted volume mounted unattended (these aren't rocket science), and don't connect random firewire/expressport devices and this attack becomes impossible.
2. GPU-accelerated brute force/dictionary attack. Unless you use a crappy password, you're not going to get the results anytime this century or indeed anytime before the Earth stops existing.
3. Same as #2, only optimized more.

Wow Masark, for once you're on my side.

The truth is that unless the FBI gets to your laptop/PC and puts it on ice within 10-30 seconds of you shutting it down, or you use something like "12345" as your password, there's no way to economically crack TrueCrypt's algorithms.

Even worse (If you're going the brute force route), the use of dicewords means a password/passphrase can have between 40 and 60 bits of entropy and still be EASILY remembered by the owner without ever leaving it in a recoverable form. Here's XKCD on that exact subject.

[Bananarez]

I'm so glad to live in a world where thought crimes are punishable by law.

[Rukentuts]

I'm so glad to live in a world where thought crimes are punishable by law.

Possession of child pornography is a crime because of the sexual abuse of the child necessary to create it in the first place.

[Christan]

I'm so glad to live in a world where thought crimes are punishable by law.

just remember, we have ALWAYS been at war with eurasia, also...there's a shortage of razorblades this week. carry on comrad