back to article Brazilian banker's crypto baffles FBI

Cryptographic locks guarding the secret files of a Brazilian banker suspected of financial crimes have defeated law enforcement officials. Brazilian police seized five hard drives when they raided the Rio apartment of banker Daniel Dantas as part of Operation Satyagraha in July 2008. But subsequent efforts to decrypt files …

COMMENTS

This topic is closed for new posts.
  1. Version 1.0 Silver badge
    Thumb Up

    Finally ...

    ... a bank that takes encryption seriously!

    1. Anonymous Coward
      Headmaster

      Uhm... No.

      No the bank did not take security seriously. The dude that stole from the bank did.

      1. Graham Marsden
        Boffin

        @Uhm... No.

        I think you need to re-read that with your Irony Detector switched on...

  2. efeffess
    Thumb Up

    USB to the rescue!

    If I were that conscious about security, I would have a collection of seemingly-important files on a USB drive, one or more of which would be applied to generate a hash for encrypting valued data. Keep a backup somewhere safe and destroy the drive before a suspected apprehension.

    1. Number6

      Giving up your keys

      I wonder what the local plod would think if you did this and when asked for a copy of they keys, gave them a rather crushed USB stick. "They're on there, officer".

      Keeping large files of random data on your hard disk may also cause confusion.

    2. Thomas 18
      FAIL

      Hah right.

      Refusing to give a password when ordered - Jail

      Destroying evidence - More Jail

      1. Marvin the Martian
        FAIL

        "Refusing to give a password when ordered - Jail"

        Alternatively. if you RTFM then you know that "no such law exists in Brazil".

        Fail --- fail again --- fail better.

        1. Thomas 18
          Flame

          FAIL

          efeffess uses the personal pronoun "I" indicating he is discussing his own attitudes to security. Unless he happens to live in Brazil I can't see how your post is relevant.

    3. Anonymous Coward
      Anonymous Coward

      Keep a backup somewhere safe and destroy the drive before a suspected apprehension.

      If you could be so certain of destroying the drive, why not just keep the files on the drive?

  3. N2 Silver badge

    TrueCrypt

    Rocks!

  4. matt 115

    Not forced to reveal

    As its TrueCrypt it might have been an encrypted inner container, so if he could deny its existance and not have to give over the keys...

    ... maybe he had a really weak outter container, with no inner container and they spent all that time looking for one ^_^

  5. Anonymous Coward
    Anonymous Coward

    Or......

    If it was me, that second layer of encryption would be;

    cat /dev/urandom > Super_Secret_files.encrypted.pgp

    With the files stored (still encrypted) somewhere far less obvious!

  6. Winkypop Silver badge
    FAIL

    All your crypt are belong to us

    Good show!

  7. Andraž 'ruskie' Levstik

    Can't reveal what I don't know...

    Other people know parts of my pass keys.

  8. Anonymous Coward
    Anonymous Coward

    Good password - a page of text

    Now that's a decent password:

    http://www.gutenberg.org/catalog/world/readfile?pageno=205&fk_files=873078

    Or, conversely, pick a memorable line / chapter heading from a book and use the URL as a password. (Depends how confident your are on the website maintaining it URL scheme.)

    1. Anonymous Coward
      Stop

      Very bad Idea, Indeed

      "Or, conversely, pick a memorable line / chapter heading from a book"

      Did it ever occur to you that USGOV spends billions per year on SIGINT ? I would not be surprised to see that they have their own web index and their own huge electronic library of the world's books. NSA is THE authoritative source for Arabic (!) Dictionaries, for example. And certainly they have access to whatever Google has scanned in the last few years.

      I suggest to invent your own really silly phrase like:

      "A japanese chicken went on holiday vacation to see the tower of pisa and to meet a distant relative. There she met a dog and they decided to marry in the vatican. Unfortunately the pope declined this saying the bible would not allow this. A classical story of japanese-italian love".

      I read somewhere that a single letter of such nonsense prose contributes about 0,3 bits of entropy. So the above sentence would yield in the order of 80 bits of effective key length. I assume this is out of reach even for USGOV at the moment. 2^80 operations is quite a feat. If you want more bits, just continue the story.

      1. Anonymous Coward
        Anonymous Coward

        More precisely

        it's 233 characters and 233*0.3==69,9 bits.

      2. Anonymous Coward
        Joke

        If you used aManFromMars Like Prose

        ..you would probably yield 0.9 bits/character

      3. Anonymous Coward
        Anonymous Coward

        USG Web Indexing

        works completely covertly. All they need to do is to tap the wire before Google datacenters. Everybody else, including Google, will think it never happened.

        Also, they could just use all their "taps" worldwide to build a huge index. Which certainly includes a ton of email messages, stupid Powerpoint presentations, an large pile of excel files which they intercepted from all those antennas and taps.

        They have more money than Google and they have demostrated their competence with SE Linux, so it is reasonable to expect them to also have more servers and harddisks than Google.

        1. Anonymous Coward
          Boffin

          re: More precisely

          Even more precisely it's 281 characters including spaces and periods. It's 229 letters.

          If it helps, put it in Excel and learn the LEN & SUBSTITUTE formulae.

          1. Anonymous Coward
            Joke

            You are

            ..the beancounter of the month and will get an ugly looking medal from MerkinMedals(TM).

        2. corrodedmonkee

          hmm...

          It's estimated that Google have over a million servers.

          http://lifehacker.com/5518303/remains-of-the-day-googles-1-million%252B-servers-edition

          It seems unlikely the US Government would have so many.

      4. Anonymous Hero 1
        Thumb Up

        Another way

        If you use truly random words e.g. "Mt. whoa usurp mush naughty huge became" you get much more entropy per letter. That example should be worth 90 bits*. Certainly quicker to type, but which way is actually easier to remember is probably a matter of personal opinion.

        *That is, assuming I generated it with the Diceware system (feel free to Google, Bing or Yahoo! it). But I admit I couldn't be bothered to get out my dice and just picked them "randomly" form a list.

        1. Frumious Bandersnatch

          mural: yonder nor sorghum stenches

          shut ewe ewes cymbal fray says four ink rip shuns.

      5. Anonymous Coward
        Alert

        Re: Very bad Idea, Indeed

        "I read somewhere that a single letter of such nonsense prose contributes about 0,3 bits of entropy. So the above sentence would yield in the order of 80 bits of effective key length. I assume this is out of reach even for USGOV at the moment. 2^80 operations is quite a feat. If you want more bits, just continue the story."

        I think that should be your phrase...=P

  9. Claus P. Nielsen

    Or maybe it's all crap data in there

    The best way to hide your secret sensitive data from police or others trying to get access to it is to get them fixed on a red herring.

    A lot of random data bits encrypted using a known cryptography program and left out in the open should keep them occupied a very long time and keep them from looking for the true data.

    Works for mail too. NSA would not be too happy, if we all started sending encrypted garbage to each other at random intervals. You can spend an infinite period trying to decrypt something that doesn't have any meaning in the first place. Meanwhile all the truly sensitive information is send using some other means (like maybe using the random crap in a previous file as a one time decryption key).

  10. Tanuki
    FAIL

    Electrodes and conductive gel.

    Brute force techniques generally crack any password: you simply find someone that knows the password and apply brute-force to them until they tell you what it is.

    1. Peter 82
      Thumb Up

      Security!

      http://xkcd.com/538/

      1. Allan George Dyer
        Coat

        You beat me to it...

        also known as rubber-hose cryptoanalysis.

        Mine's the one with the slightly dented large metal torch in the pocket.

  11. DavCrav Silver badge

    Just wondering...

    I've noticed that nobody yet has taken a negative stance towards the (allegedly) criminal banker who has (allegedly) stolen money from us (as stealing money from companies inevitably results in ordinary people losing out).

    1. Ian 14

      Re: Just wondering...

      "I've noticed that nobody yet has taken a negative stance towards the (allegedly) criminal banker who has (allegedly) stolen money from us (as stealing money from companies inevitably results in ordinary people losing out)."

      Possibly it's because people feel that allowing a minority of criminals to escape is an acceptable price for preventing state intrusion into the lives of the majority. It's similar to accepting that some criminals will go free if we have the presumption of innocence but fewer innocent people will be wrongfully convicted.

      1. Jean-Luc

        Entirely true and I agree with you, but...

        What happens when most of the criminals are knowledgeable enough to encrypt competently?

        My guess is that the current state of affairs is not really all that different from laws that strongly limit the state's access to things like snail mail. Society functioned before with limited law enforcement access to personal correspondence, there is no reason it shouldn't in the future. The new tech just makes convenient for police to claim that things have changed and more access is needed.

        Still... I wouldn't want to endlessly privilege privacy over criminal persecution capability _if_ there was a clear cut case for more snooping powers. Which there isn't, at this point.

    2. BristolBachelor Gold badge
      Badgers

      Implied

      The negative stance is implied by the fact that he is a banker. Any other misdeeds he has done are just added to the list.

      For example, the fact that they lend up to 9 times the money that they actually started with, charging interest on it, which means that there is not actually enough money to pay off all the debt, because that much money does not exist.

      Or the sociopathic ways that they treat everyone (customers, suppliers, staff...)

      Most people seem to be concentrating on (and impressed by) the fact that the guy knew what he was doing (in any sphere of knowledge, let alone IT!).

    3. Michael

      negative stance

      Well as far as I'm aware he is still innocent. They haven't yet convicted him of anything yet have they?

      We are all just happy that a bank somewhere in the world has heard of security.

    4. OffBeatMammal
      IT Angle

      from an IT angle

      from a purely IT angle this is actually quite interesting in that it goes to prove the value of a good encryption technology and good password hygine (if that's the right phrase) ... so well done that Banker in using technology correctly for a chance (rather than to automate rip-off fees!)

      on a more general level though I agree... if he's ripped off money from bank customers that hasn't been recovered then the folks in Brazil need a get a bit more creative in reovering the password... or at least the money.

      Then again... don't we all assume banks aren't really in it because they love us...

      1. DavCrav Silver badge

        OK, maybe not negative stance

        I wasn't quite meaning we should be Daily Mail "string 'im up" types, but the comments before were either "Wahay!" or joking. Nobody had started to think that maybe there is somewhere between total state surveillance and just letting people go because they use difficult cyphers. Both are the extreme viewpoints; I don't know what the middle ground is, but maybe a group of people together can come up with a better idea.

        1. Dave Bell

          Brazil is neither the UK nor the USA

          It depends a lot on how much you can trust the legal system. The USA is a big country, with a lot going on, and we tend to hear of exceptional events, but those events include a lot of apparently dodgy issuing of search warrants.

          On something such as this case, whichever country we're in, can we trust a judge to be more discerning than a plain rubber-stamped signature on a Police request?

          And, if the NSA were unleashed on this problem, what could they say in court to prove that what they found was really on the drive? It's a kind of magic?

          The UK system isn't all that good, but it's an attempt to get around that little problem. And in the USA one could invoke the Fifth Amendment, though that has pitfalls for the unwary.

          In Brazil? Well, any country, this guy likely has enough money for lawyers that you'd have to be careful.

    5. Martijn Bakker
      Pirate

      And why is that?

      You are right, of course.

      And that's probably because most people here have a small truecrypt file somewhere. For dirty little secrets (ours or someone else's), a pr0n collection (if you happen to live in the UK) or just because we can.

      We grew up reading cyberpunk novels. Techies are supposed to be able to use encryption software that the suits can't crack. We are ENTITLED.

      Confirmation that a good encryption algorithm and a well chosen key can baffle the feds, pleases us. Thieving bankers, on the other hand, are the order of the day. Hardly newsworrthy.

      Funny how the mind works.

    6. Anonymous Coward
      Big Brother

      we're in the IT branch

      yeah well of course it was wrong what he did, but he was very IT-professional about it. that's why we're a bit proud of him. "he's one of us"! ;)

      the icon because well he's watching but that's it in this case.

    7. fajensen Silver badge
      Flame

      Dont we all love Bankers??

      He stole the banks money. Since the Government is stealing our money and handing it to the banks it is only fair that *someone*, somewhere, gets something for our taxes!

      I hope he blew it in style on Brazilian prostitutes and Coke.

      1. Trevor_Pott Gold badge
        Pint

        Re: I hope he blew it in style on Brazilian prostitutes and Coke.

        Hear, hear. If you are going to steal/embezzle money, don't do something boring with it like properly invest it. You only live once, and money really isn't everything. If your regular life is so terrible that you feel the need for greed, go whole hog.

        I have to admit to having less of a soft spot for people who embezzle in order to buy a sports car and a second house. I mean, really? If you are doing it, you will eventually be caught, so live it up while you can.

        If you decide on a life of crime, then live fast, die young, and leave a bloated corpse.

        Sound investing is for us stodgy types who obey the rules.

    8. Fred Flintstone Gold badge

      I have a feeling ..

      .. that slightly less legal methods of extraction will result if the people he ripped money from ever get hold of him.

      However, you should see this in context of the greater principle here: citizens now so worried about government interference in their lives that it upvotes what appears to be a criminal.

      I like the 180 degree twist here: this is technology that has been used for evil, but can also be used for good. Usually the considerations are the other way round..

  12. Sillyfellow
    Welcome

    once again...

    in UK we:

    a. 'have the right to remain silent' so we don't have to incriminate ourselves... or:

    b. 'have to disclose encryption keys if required by law enforcement' or face jail.

    it cannot be that both are true. it can olny be either one or the other.

    what i need to know is: which one is it then?

    DUH !!!

    PS: agreed. truecrypt rocks !!

    1. Anonymous Coward
      FAIL

      Right to silence

      In the UK we lost the right to remain silent during Maggie's era due to the fact that we kept having to let IRA terrorists go because they would go silent as soon as they were arrested - including never saying their name. The first time they would speak would be to friends they met in the Maze prison. You now have a right to remain silent, so long as you understand that the silence can be used as evidence against you. In the case of an encryption key the law is more specific, but if you don't tell them the key, they are allowed to use that fact to deduce that you have naughty stuff in the files.

      Now, despite the fact that I was a serving member of the Armed Forces during the troubles and every time I got in my car for about 10 years I had to get on the floor and search underneath it to check for bombs, I vehemently disagree with this policy, but it is the UK law.

      Furthermore, in another area of self-incrimination, namely speed cameras, the European Court of Human Rights has ruled that you can be required to self incriminate with speed cameras, despite self-incrimination being ruled out in the ECHR, somewhat like the 5th amendment in the US. I suspect that the encryption law could be taken to the European Court of Human Rights, but I suspect just like speed cameras it would be ruled a permissible law. The ECHR is generally much more flexible than the US constitution.

    2. Sillyfellow

      not what we told, is it ?

      thanks AC, that is good information.

      If you are told by a policeman while getting arrested: "you have the right to remain silent", then surely this is really not true. ergo a lie. so, would that constitute false arrest ?

      1. Stu 3

        They say a little more...

        ..from some website somewhere where copper talk:

        "You do not have to say anything but it may harm your defence if you do not mention when questioned something you later rely on in court. Anything you say may be given in evidence"

  13. Anonymous Coward
    Big Brother

    @DavCrav

    He's a banker. That's his job definition anyway

  14. JV

    Brute force

    Is there a brute force indexer somewhere? Something that shows how many possibilities per second per Ghz can be decrypted?

    I know I'm safe, my password is insane, but what's the minimum to keep a password safe from a supercomputer for a year or 2... Don't suppose theres a scale for them somewhere?

    1. Anonymous Coward
      Anonymous Coward

      Not meaningfully, no

      As while things scale linearly for key space bruteforcing for most people, all bets would be off if the NSA get involved. They aren't just the world's largest employer of mathematicians and user of traditional computer equipment, they have some other tricks up their sleeve.

      That's all I would feel confident saying.

    2. Anonymous Coward
      Grenade

      Understand the extremes

      There are 2 ways to crack encryption if the algorithm itself has no flaw that permits a key reduction attack (beyond the scope of this post by the way). The first is a brute force attack, the second is a lookup attack.

      Starting with the lookup attack. This involves storing a set of possible phrases encrypted with every possible key in a big database that is indexed using a hash. The possible phrases include things like zip file headers, as well as common words and phrases in many languages. All you do then is take every sequential set of bits in the message and look it up in the database. If you get a hit that gives you a possible candidate key, then you decrypt with all candidate keys and you get the message back. It allows you to crack encryption in realtime, and was widely rumoured to be the way that the NSA was reading DES (40 bit and 56 bit). If you have a 256 bit key, and you can store a Gb of data on a drive weighing a gram, then a lookup attack requires a drive so heavy that it will collapse into a black hole.

      Now, with a brute-force attack. You can figure out with basic thermodynamics, the minimum energy needed to flip a bit in a state computer. Therefore you can figure out the energy requirements to count through all the keys in a given key length. If you put a Dyson sphere around the sun and trap all its energy for the rest of the Sun's life, you cannot get a state machine to count up to 2^256.

      Therefore, to all intents and purposes a 256 bit symmetric key is safe.

      As the article points out though, you usually lose out because of an implementation flaw - for example, your encryption key could get left in a swap file, or something similar. Making an algorithm that is perfectly safe is actually kind of tricky. If I was going to try I would have a dedicated machine that ran a cut-down OS where file writes were intercepted and only permitted if certified encrypted; and swap files would be disabled. Then whenever you shut the machine down it would write through memory multiple times with all zeros, all ones and random data. The only thing on the disk would be the OS and encrypted files.

      Just my 2p.

      1. Mark 65

        Perhaps safer option

        is to use something like IronKey or SafeStick which does the key handling and encryption in a hardware layer on the USB and uses a hardware implemented counter to monitor the number of attempts before wiping the device. That doesn't give you the plausible deniability in regimes where it's needed though. Maybe there'll be a truecrypt hardware device at some point.

        1. Anonymous Coward
          Anonymous Coward

          IronKey

          is hackable. But I'm not telling you more.

          1. Mark 65

            @AC 09:11

            "is hackable. But I'm not telling you more."

            Link or it didn't happen. Schneier found issues with deniable file systems in Truecrypt a couple of years back but I find no record of an IronKey being hacked and I'd guess that someone would like to boast of their achievement unless it were the NSA in which case nobody would openly know.

            I only like it for the fact that it works with Linux but others such as the SafeStick seem better with 256 rather than 128-bit encryption. Don't have one though (any design) - bit pricey. MXI (http://www.mxisecurity.com/) seem to do a good variety of kit.

            I wouldn't mind seeing a "Bruce Schneier tests drive encryption" group test some time.

        2. Anonymous Coward
          FAIL

          YMBK

          Ever thought of GUBMIT having access to things like raster-tunnel microscopes and all sorts of other microscopy ?

      2. Anonymous Coward
        Anonymous Coward

        Try again

        "Therefore, to all intents and purposes a 256 bit symmetric key is safe."

        No, it's not. What all these posts are assuming is that you have to go through the entire list in order to get to the correct password. You don't. You may actually get lucky first time. It's unlikely given a randomly generated brute force attack, but perfectly possible.

        If you have the data then you can come up with a model that would tell you just how long on average you might expect it to take to be able to crack a p/w. Given that the attacks are cleverer than just randomly generating data, then you might (or might not) expect this average time to be less than a random brute force attack.

        1. Anonymous Coward
          FAIL

          Yeah

          ..and some people earn their living playing lottery. Absolutely.

    3. Chemist

      Re : Brute force

      Even if you possibly could run through all the combinations before the sun cooled you'd have to KNOW that you had cracked the encrypted info. Either a human search ! or some smart search algorithm.

      So to be really safe double encrypt with 2 different keys

      1. Annihilator Silver badge
        Boffin

        re: Brute force

        You can never really KNOW that you've decrypted something. With the right (wrong) key it's possible to decrypt the ciphertext into a brand new plaintext that has nothing to do with the original. The odds of this being possible the closer the key length is to the plaintext length.

      2. JasonH

        Double encryption

        "Even if you possibly could run through all the combinations before the sun cooled you'd have to KNOW that you had cracked the encrypted info. Either a human search ! or some smart search algorithm.

        So to be really safe double encrypt with 2 different keys"

        Bad idea. Really bad idea. With many encryption algorithms this can cause unexpected problems, often weakening the supposed strength.

        For example, two rounds of DES encryption (with 2 x 56 bit keys) can be decrypted with a third, unknown, single 56 bit key. You won't know what this is, but finding it will only involve searching 2^56 keys, trivial compared to the intended 2^112 keyspace (~72 quadrillion times larger). This is why 2DES was skipped, and everyone used 3DES instead (one round of DES encryption, one of DES decryption and one more of DES encryption, each with different keys). The resulting strength of 3DES is considered equivalent to 2 x 56 = 112 bits.

        Of course, remember you extremely rarely have to search the whole keyspace, as you have an even chance of finding it in the first half...

        1. Anonymous Coward
          Anonymous Coward

          Double encryption

          "Of course, remember you extremely rarely have to search the whole keyspace, as you have an even chance of finding it in the first half..."

          That'd be HALF of eternity then

        2. Chemist

          Re : Double encryption

          I didn't suggest using the same algorithm!

          The simplest transformation would make finding the real decrypt much harder.

  15. RobE
    Pirate

    What's the Sentence

    If some one refuses to decypt a file... why not just automatically issue them the maximum sentence. These people are only in it for themselves. If you issue the maximum sentence possible for that crime, they have nothing to lose by decrypting the file?!

    1. Anonymous Coward
      Anonymous Coward

      Nothing to lose

      Depends on the data encrypted, whats more beneficial, 6 months in an open prison (for example) for not disclosing the key, or 10 years (for example) for child porn or plotting a terrorist attack? you work it out.

      In any case well done that man for using encryption tech properly, screw the govt suits.

    2. Anonymous Coward
      Anonymous Coward

      Innocent until proven guilty.

      Ever heard that phrase before?

      Do you understand what it means?

      No? Didn't think so.

      Also I think a Paedophile would rather do 10 yrs as a key withholder than do the same as a nonce.

      1. Chris Evans

        # Innocent until proven guilty

        The proper phrase is "The UK legal sytem PRESUMES people are Innocent until proven guilty".

        But convicted people have been found later to have been innocent and visa versa!

    3. A J Stiles
      FAIL

      4 words for you

      "Innocent until proved guilty".

      1. Anonymous Coward
        WTF?

        Are you complaining about my grammar?

        Surely someone as pedantic as you should know it would be "Four words for you."

        You never start a sentence with a digit.

        Twit.

        1. Frumious Bandersnatch

          starting a sentence with a digit?

          Well you could always start and end a sentence with a single digit... the third one.

  16. Mike Banahan
    Black Helicopters

    Of course we believe them

    Let's say the Feds did manage to crack the data. Would they want to tell everyone that they did or would it be more in their interest to slide out a deceptive story saying 'Oh no, we can't crack Truecrypt' to discourage others from using something stronger?

    Maybe they now have a lot of information that they can use to uncover other evidence which mysteriously seems to have come to light anyhow, nothing to do with that encrypted data, honest.

  17. Vitor
    FAIL

    Correction

    It's "O Globo, not "El Globo". The masculine definite article of Portuguese is O, not El. Brazilians don't speak Spanish.

  18. This post has been deleted by its author

    1. Mark 110
      FAIL

      Or . .

      Or you could just have nothing worth encrypting on your PC . . . god am I dull.

    2. Argus Tuft

      re: RIPA = No rights in the UK

      maybe that's why your civil service don't encrypt those pesky databases they like to leave on trains.

      if they encrypted it and forgot the password they'd be breaking their own laws....

    3. Anonymous Coward
      Pint

      Conviniently "forgotten"?

      Maximum 2 years or even more chokey if you did reveal the key?

      Hmmm, even if this isn't the UK, maybe someone has advised him to keep his gob shut for fear that he will get worse if he does give it to them?

  19. Stevie Silver badge

    Bah!

    I presume the FBI already tried "1-2-3-4-5"?

    1. Graham Marsden
      Coat

      That's amazing...

      ... I've got the same combination on my luggage!

  20. Anonymous Coward
    Pint

    Truecrypt!

    Perfect for hiding pr0n form the Missus...or so I am led to believe, ermm supposedly!

  21. Graham Bartlett

    Cryptonomicon

    "I want them to remain secret for as long as men are capable of evil."

    Classic line...

  22. Anonymous Coward
    Black Helicopters

    A way of hitting back

    I wonder what the police would like if I made a USB stick with 10 000 differen files, all with different 1000 letter passwords, and a book with those passwords, printed in non computer scanning font.

    They may force me to give the passwords, and the usb stick. But they can't force me to show which files contain some incriminating evidence, or if any. And to make it a bit more intresting lets add some nontrivial math problems as part of the passwords. And trivia questions!

    That should give a few hundred police officers some very boring months of work. Especially if there's nothing incrimanting in the USB stick.

    Another way to make the task bothersome is to use a heavy crypto where crypting is easy but opening is hard. 100 000 files where each one takes 24 hours to open should keep a few supercomputers something else but weather to do for a few years.

    My favorite is the hand typing tho. Would at least get a few policemen to learn to type with more than 2 fingers.

  23. Anonymous Coward
    Grenade

    what about...

    Free the guy due to lack of evidence, give him his machine back...

    ...pick mobo installed keylogger up in a couple of months

    or something

    1. Anonymous Coward
      Anonymous Coward

      If he knows what he's doing

      He's not gonna use that computer, ever, even if they give it back to him. Too much risk of backdoors.

  24. copsewood

    the algorithm matters

    "The case is an illustration of how care in choosing secure (hard-to-guess) passwords and applying encryption techniques to avoid leaving file fragments that could aid code breakers are more important in maintaining security than the algorithm a code maker chooses."

    True so long as the algorithm is strong enough. AES256 probably is (assuming the NSA don't know something about it which very many expert cryptographers who would earn a very big prize and reputation if they could crack it don't). DES certainly isn't strong enough against an attacker with the resources as described: http://en.wikipedia.org/wiki/Deep_crack

    1. Anonymous Coward
      Stop

      3DES

      DES is not really "broken". Rather, NSA made sure it has a crippled key length. If you use 168 bits of key and concatenate three DES crypto steps (actually a bit different), you get 112 bits of effective key. Which is out of reach of ANYGOVONEARTH.

      I trust 3DES much more than the AES stuff.

  25. CaptSmegHead
    Go

    did anybody check

    ...his screen for a yellow post it note with the password written on it?

    thats what everyone in my office does....

  26. P. Lee Silver badge
    Big Brother

    re: What happens when most of the criminals are knowledgeable enough to encrypt competently?

    They get away with it.

    That's a price we pay to live in a free society.

    Besides, it appears that bankers' legal activities are far more damaging than any illegal fraud they might commit.

    1. Anonymous Coward
      Anonymous Coward

      In the UK

      ..they will go to jail for two years if they don't reveal the key.

  27. Anonymous Coward
    Go

    Russian spys using Steganography

    http://www.spiegel.de/politik/ausland/0,1518,703433,00.html

    1. Anonymous Coward
      Anonymous Coward

      More Details About Russkie Spycraft

      http://www.spiegel.de/netzwelt/web/0,1518,703484,00.html

  28. Anne-Lise Pasch
    Thumb Up

    1-2-3-4-5-6

    Quick, change the combination on my luggage!

  29. Anonymous Coward
    Troll

    imagine if he had used Microsoft's Bit Locker

    "hey ballmer can you unlock these files for us"

    "sure thing boss" *click*

    unless of course Bit Locker has trashed the files completely which is what it usually does.

  30. Alex C
    Black Helicopters

    politics vs encryption

    Just as Churchill couldn't let it be known that Enigma was compromised, security agencies aren't in a position to let people know they've been cracked. Far better to use the intelligence gained from the crack to lead enforcement agencies to an arrest through more normal means. The benefit is the your clever criminal doesn't just clam up and you should be able to work out a considerable amount about their dealings, leading you to other criminals too. John le Carre's book The Night Manager is essentially an interesting debate on the balancing point of pure intelligence vs enforcement in the illegal arms trade. (It's got a wonderfully written baddie in it too).

    Also - so what if people are able to withhold evidence through encryption. At some point they'll want to be paid for their nefarious activities and have to explain where their sudden injection of money comes from. I wonder if that explains the absurd amounts of money people are paying for works of art these days. The parts of the world that don't have some sort of international money laundering detection and extradition treaties are getting smaller.

    Finally, in Bruce Schneier's excellent book (Applied Cryptography - I think) he details 7 levels of cryptography from the very silent stuff where the person being investigated has no idea and could have no idea, up to the bluntly titled 'Rubber-hose cryptography' where you beat them with rubber hose until they tell you their password (though I imagine they'd waterboard you these days). I can only imagine that not only is his password hygiene excellent but also every other form of covering his tracks.

  31. Anonymous Coward
    Anonymous Coward

    Err...

    Did anyone bother to consider that they can routinely crack Truecrypt, but aren't about to tell anyone and have weighed up the advantages (you get a potential theif) vs the disadvantages (every crim in the world knows not to use Truecrypt.) and decided that the advantages were far outweighed by the disadvantages?

    Bear in mind that: Enigma was routinely crackable during the war as was Lorenz, but troops were sent on suicide missions rather than allow the enemy to know that their encryption was cracked. Then there is the Zimmerman telegram...

  32. Anonymous Coward
    Anonymous Coward

    I don't believe it, I think it's a trick to make us think AES 256 is good enough.

    I don't believe it, I think it's a trick to make us think AES 256 is good enough.

    Look back in history, look at all the work was done with encryption, then they cracked down using ITAR, since then, nothing has even compared to the same amount of development we did back then.

    It's high time to upgrade our encryption to AES 16384 bit! or better.

  33. Valerion

    Asterisks

    I bet his password is just 8 asterisks.

    1. Anonymous Coward
      Anonymous Coward

      *&#*@!# asterisks!

      bash.org #244321

  34. Anonymous Coward
    Unhappy

    I just wish ...

    ... that I had something important enough to encrypt.

  35. Herby

    I've got the yo-yo...

    ...I've got the string.

    I could go on, but the point is that given proper conditions, one can make an unbreakable code. It isn't easy, but it can be done. Of course by "unbreakable" one means in something close to historical time.

    Also note that the existence of an event (maybe a casual phone call) might be the actual piece of "encrypted" information. Its particular time could be the "bit" (even hours for zero, odd hours for one, just one example).

  36. Anonymous Coward
    Anonymous Coward

    Surely

    If the only thing that could convict someone is the contents of files they have made themselves (and encrypted) then the case against them is necessarily too weak anyway?

    Equally if there is enough other evidence then you don't need to crack the encryption.

  37. This post has been deleted by a moderator

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021